authorSebastian Huber <sebastian.huber@embedded-brains.de>2014-01-30 13:52:13 +0100
committerSebastian Huber <sebastian.huber@embedded-brains.de>2014-01-30 16:23:04 +0100
commit9449f151d0ccf3ac755d5f2bd9b4057ae2b03157 (patch)
treeada21dc6aa0b146c62a7561a08fb51fe4a8922ee /mDNSResponder/mDNSCore
parentDHCPCD(8): Add MASTER_ONLY option (diff)
downloadrtems-libbsd-9449f151d0ccf3ac755d5f2bd9b4057ae2b03157.tar.bz2
mDNS: Import
The sources can be obtained via: http://opensource.apple.com/tarballs/mDNSResponder/mDNSResponder-544.tar.gz
Diffstat (limited to 'mDNSResponder/mDNSCore')
-rw-r--r--mDNSResponder/mDNSCore/CryptoAlg.c280
-rw-r--r--mDNSResponder/mDNSCore/CryptoAlg.h61
-rw-r--r--mDNSResponder/mDNSCore/DNSCommon.c4319
-rw-r--r--mDNSResponder/mDNSCore/DNSCommon.h315
-rw-r--r--mDNSResponder/mDNSCore/DNSDigest.c1567
-rw-r--r--mDNSResponder/mDNSCore/Implementer Notes.txt66
-rw-r--r--mDNSResponder/mDNSCore/anonymous.c597
-rw-r--r--mDNSResponder/mDNSCore/anonymous.h31
-rw-r--r--mDNSResponder/mDNSCore/dnsproxy.c836
-rw-r--r--mDNSResponder/mDNSCore/dnsproxy.h30
-rw-r--r--mDNSResponder/mDNSCore/dnssec.c4111
-rw-r--r--mDNSResponder/mDNSCore/dnssec.h157
-rwxr-xr-xmDNSResponder/mDNSCore/mDNS.c15034
-rwxr-xr-xmDNSResponder/mDNSCore/mDNSDebug.h166
-rwxr-xr-xmDNSResponder/mDNSCore/mDNSEmbeddedAPI.h3586
-rw-r--r--mDNSResponder/mDNSCore/nsec.c1266
-rw-r--r--mDNSResponder/mDNSCore/nsec.h33
-rw-r--r--mDNSResponder/mDNSCore/nsec3.c769
-rw-r--r--mDNSResponder/mDNSCore/nsec3.h28
-rwxr-xr-xmDNSResponder/mDNSCore/uDNS.c5995
-rwxr-xr-xmDNSResponder/mDNSCore/uDNS.h151
21 files changed, 39398 insertions, 0 deletions
diff --git a/mDNSResponder/mDNSCore/CryptoAlg.c b/mDNSResponder/mDNSCore/CryptoAlg.c
new file mode 100644
index 00000000..38533fc8
--- /dev/null
+++ b/mDNSResponder/mDNSCore/CryptoAlg.c
@@ -0,0 +1,280 @@
+/* -*- Mode: C; tab-width: 4 -*-
+ *
+ * Copyright (c) 2011 Apple Computer, Inc. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+// ***************************************************************************
+// CryptoAlg.c:
+// Interface to DNSSEC cryptographic algorithms. The crypto support itself is
+// provided by the platform and the functions in this file just provide an
+// interface to access them in a more generic way.
+// ***************************************************************************
+
+#include "mDNSEmbeddedAPI.h"
+#include "CryptoAlg.h"
+
+AlgFuncs *DigestAlgFuncs[DIGEST_TYPE_MAX];
+AlgFuncs *CryptoAlgFuncs[CRYPTO_ALG_MAX];
+AlgFuncs *EncAlgFuncs[ENC_ALG_MAX];
+
+mDNSexport mStatus DigestAlgInit(mDNSu8 digestType, AlgFuncs *func)
+{
+ if (digestType >= DIGEST_TYPE_MAX)
+ {
+ LogMsg("DigestAlgInit: digestType %d exceeds bounds", digestType);
+ return mStatus_BadParamErr;
+ }
+ // As digestTypes may not be consecutive, check for specific digest types
+ // that we support
+ if (digestType != SHA1_DIGEST_TYPE &&
+ digestType != SHA256_DIGEST_TYPE)
+ {
+ LogMsg("DigestAlgInit: digestType %d not supported", digestType);
+ return mStatus_BadParamErr;
+ }
+ DigestAlgFuncs[digestType] = func;
+ return mStatus_NoError;
+}
+
+mDNSexport mStatus CryptoAlgInit(mDNSu8 alg, AlgFuncs *func)
+{
+ if (alg >= CRYPTO_ALG_MAX)
+ {
+ LogMsg("CryptoAlgInit: alg %d exceeds bounds", alg);
+ return mStatus_BadParamErr;
+ }
+ // As algs may not be consecutive, check for specific algorithms
+ // that we support
+ if (alg != CRYPTO_RSA_SHA1 && alg != CRYPTO_RSA_SHA256 && alg != CRYPTO_RSA_SHA512 &&
+ alg != CRYPTO_DSA_NSEC3_SHA1 && alg != CRYPTO_RSA_NSEC3_SHA1)
+ {
+ LogMsg("CryptoAlgInit: alg %d not supported", alg);
+ return mStatus_BadParamErr;
+ }
+
+ CryptoAlgFuncs[alg] = func;
+ return mStatus_NoError;
+}
+
+mDNSexport mStatus EncAlgInit(mDNSu8 alg, AlgFuncs *func)
+{
+ if (alg >= ENC_ALG_MAX)
+ {
+ LogMsg("EncAlgInit: alg %d exceeds bounds", alg);
+ return mStatus_BadParamErr;
+ }
+
+ // As algs may not be consecutive, check for specific algorithms
+ // that we support
+ if (alg != ENC_BASE32 && alg != ENC_BASE64)
+ {
+ LogMsg("EncAlgInit: alg %d not supported", alg);
+ return mStatus_BadParamErr;
+ }
+
+ EncAlgFuncs[alg] = func;
+ return mStatus_NoError;
+}
+
+mDNSexport AlgContext *AlgCreate(AlgType type, mDNSu8 alg)
+{
+ AlgFuncs *func = mDNSNULL;
+ AlgContext *ctx;
+
+ if (type == CRYPTO_ALG)
+ {
+ if (alg >= CRYPTO_ALG_MAX) return mDNSNULL;
+ func = CryptoAlgFuncs[alg];
+ }
+ else if (type == DIGEST_ALG)
+ {
+ if (alg >= DIGEST_TYPE_MAX) return mDNSNULL;
+ func = DigestAlgFuncs[alg];
+ }
+ else if (type == ENC_ALG)
+ {
+ if (alg >= ENC_ALG_MAX) return mDNSNULL;
+ func = EncAlgFuncs[alg];
+ }
+
+ if (!func)
+ {
+ // If there is no support from the platform, this case can happen.
+ LogInfo("AlgCreate: func is NULL");
+ return mDNSNULL;
+ }
+
+ if (func->Create)
+ {
+ mStatus err;
+ ctx = mDNSPlatformMemAllocate(sizeof(AlgContext));
+ if (!ctx) return mDNSNULL;
+ // Create expects ctx->alg to be initialized
+ ctx->alg = alg;
+ err = func->Create(ctx);
+ if (err == mStatus_NoError)
+ {
+ ctx->type = type;
+ return ctx;
+ }
+ mDNSPlatformMemFree(ctx);
+ }
+ return mDNSNULL;
+}
+
+mDNSexport mStatus AlgDestroy(AlgContext *ctx)
+{
+ AlgFuncs *func = mDNSNULL;
+
+ if (ctx->type == CRYPTO_ALG)
+ func = CryptoAlgFuncs[ctx->alg];
+ else if (ctx->type == DIGEST_ALG)
+ func = DigestAlgFuncs[ctx->alg];
+ else if (ctx->type == ENC_ALG)
+ func = EncAlgFuncs[ctx->alg];
+
+ if (!func)
+ {
+ LogMsg("AlgDestroy: ERROR!! func is NULL");
+ mDNSPlatformMemFree(ctx);
+ return mStatus_BadParamErr;
+ }
+
+ if (func->Destroy)
+ func->Destroy(ctx);
+
+ mDNSPlatformMemFree(ctx);
+ return mStatus_NoError;
+}
+
+mDNSexport mDNSu32 AlgLength(AlgContext *ctx)
+{
+ AlgFuncs *func = mDNSNULL;
+
+ if (ctx->type == CRYPTO_ALG)
+ func = CryptoAlgFuncs[ctx->alg];
+ else if (ctx->type == DIGEST_ALG)
+ func = DigestAlgFuncs[ctx->alg];
+ else if (ctx->type == ENC_ALG)
+ func = EncAlgFuncs[ctx->alg];
+
+ // This should never happen as AlgCreate would have failed
+ if (!func)
+ {
+ LogMsg("AlgLength: ERROR!! func is NULL");
+ return 0;
+ }
+
+ if (func->Length)
+ return (func->Length(ctx));
+ else
+ return 0;
+}
+
+mDNSexport mStatus AlgAdd(AlgContext *ctx, const void *data, mDNSu32 len)
+{
+ AlgFuncs *func = mDNSNULL;
+
+ if (ctx->type == CRYPTO_ALG)
+ func = CryptoAlgFuncs[ctx->alg];
+ else if (ctx->type == DIGEST_ALG)
+ func = DigestAlgFuncs[ctx->alg];
+ else if (ctx->type == ENC_ALG)
+ func = EncAlgFuncs[ctx->alg];
+
+ // This should never happen as AlgCreate would have failed
+ if (!func)
+ {
+ LogMsg("AlgAdd: ERROR!! func is NULL");
+ return mStatus_BadParamErr;
+ }
+
+ if (func->Add)
+ return (func->Add(ctx, data, len));
+ else
+ return mStatus_BadParamErr;
+}
+
+mDNSexport mStatus AlgVerify(AlgContext *ctx, mDNSu8 *key, mDNSu32 keylen, mDNSu8 *signature, mDNSu32 siglen)
+{
+ AlgFuncs *func = mDNSNULL;
+
+ if (ctx->type == CRYPTO_ALG)
+ func = CryptoAlgFuncs[ctx->alg];
+ else if (ctx->type == DIGEST_ALG)
+ func = DigestAlgFuncs[ctx->alg];
+ else if (ctx->type == ENC_ALG)
+ func = EncAlgFuncs[ctx->alg];
+
+ // This should never happen as AlgCreate would have failed
+ if (!func)
+ {
+ LogMsg("AlgVerify: ERROR!! func is NULL");
+ return mStatus_BadParamErr;
+ }
+
+ if (func->Verify)
+ return (func->Verify(ctx, key, keylen, signature, siglen));
+ else
+ return mStatus_BadParamErr;
+}
+
+mDNSexport mDNSu8* AlgEncode(AlgContext *ctx)
+{
+ AlgFuncs *func = mDNSNULL;
+
+ if (ctx->type == CRYPTO_ALG)
+ func = CryptoAlgFuncs[ctx->alg];
+ else if (ctx->type == DIGEST_ALG)
+ func = DigestAlgFuncs[ctx->alg];
+ else if (ctx->type == ENC_ALG)
+ func = EncAlgFuncs[ctx->alg];
+
+ // This should never happen as AlgCreate would have failed
+ if (!func)
+ {
+ LogMsg("AlgEncode: ERROR!! func is NULL");
+ return mDNSNULL;
+ }
+
+ if (func->Encode)
+ return (func->Encode(ctx));
+ else
+ return mDNSNULL;
+}
+
+mDNSexport mStatus AlgFinal(AlgContext *ctx, void *data, mDNSu32 len)
+{
+ AlgFuncs *func = mDNSNULL;
+
+ if (ctx->type == CRYPTO_ALG)
+ func = CryptoAlgFuncs[ctx->alg];
+ else if (ctx->type == DIGEST_ALG)
+ func = DigestAlgFuncs[ctx->alg];
+ else if (ctx->type == ENC_ALG)
+ func = EncAlgFuncs[ctx->alg];
+
+ // This should never happen as AlgCreate would have failed
+ if (!func)
+ {
+ LogMsg("AlgEncode: ERROR!! func is NULL");
+ return mDNSNULL;
+ }
+
+ if (func->Final)
+ return (func->Final(ctx, data, len));
+ else
+ return mStatus_BadParamErr;
+}
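Review bot: In AlgFinal, at the end of this hunk, the `!func` branch returns `mDNSNULL` from a function declared to return `mStatus`, and logs under the name "AlgEncode". If mDNSNULL is 0, as defined in mDNSEmbeddedAPI.h (not shown here), that value equals mStatus_NoError, so a caller would treat an unwritten digest buffer as a successful result. The branch should read `LogMsg("AlgFinal: ERROR!! func is NULL");` followed by `return mStatus_BadParamErr;`, matching AlgAdd and AlgVerify. Separately, AlgDestroy, AlgLength, AlgAdd, AlgVerify, AlgEncode and AlgFinal index the function tables with `ctx->alg` without the range check that AlgCreate applies, so they are only safe while every context comes unmodified from AlgCreate; a shared lookup helper that repeats the bounds check would remove that assumption.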
diff --git a/mDNSResponder/mDNSCore/CryptoAlg.h b/mDNSResponder/mDNSCore/CryptoAlg.h
new file mode 100644
index 00000000..6cb3dc9d
--- /dev/null
+++ b/mDNSResponder/mDNSCore/CryptoAlg.h
@@ -0,0 +1,61 @@
+/* -*- Mode: C; tab-width: 4 -*-
+ *
+ * Copyright (c) 2011 Apple Computer, Inc. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef __CRYPTO_ALG_H
+#define __CRYPTO_ALG_H
+
+typedef enum
+{
+ CRYPTO_ALG,
+ DIGEST_ALG,
+ ENC_ALG,
+} AlgType;
+
+typedef struct
+{
+ void *context;
+ AlgType type;
+ mDNSu8 alg;
+} AlgContext;
+
+typedef struct
+{
+ mStatus (*Create)(AlgContext *ctx);
+ mStatus (*Destroy)(AlgContext *ctx);
+ mDNSu32 (*Length)(AlgContext *ctx);
+ mStatus (*Add)(AlgContext *ctx, const void *data, mDNSu32 len);
+ // Verify the ctx using the key and compare it against signature/siglen
+ mStatus (*Verify)(AlgContext *ctx, mDNSu8 *key, mDNSu32 keylen, mDNSu8 *signature, mDNSu32 siglen);
+ // Encode the data and return the encoded data
+ mDNSu8* (*Encode)(AlgContext *ctx);
+ // Return the finalized data in data whose length is len (used by hash algorithms)
+ mStatus (*Final)(AlgContext *ctx, void *data, mDNSu32 len);
+} AlgFuncs;
+
+mDNSexport mStatus DigestAlgInit(mDNSu8 digestType, AlgFuncs *func);
+mDNSexport mStatus CryptoAlgInit(mDNSu8 algType, AlgFuncs *func);
+mDNSexport mStatus EncAlgInit(mDNSu8 algType, AlgFuncs *func);
+
+
+extern AlgContext *AlgCreate(AlgType type, mDNSu8 alg);
+extern mStatus AlgDestroy(AlgContext *ctx);
+extern mDNSu32 AlgLength(AlgContext *ctx);
+extern mStatus AlgAdd(AlgContext *ctx, const void *data, mDNSu32 len);
+extern mStatus AlgVerify(AlgContext *ctx, mDNSu8 *key, mDNSu32 keylen, mDNSu8 *signature, mDNSu32 siglen);
+extern mDNSu8* AlgEncode(AlgContext *ctx);
+extern mStatus AlgFinal(AlgContext *ctx, void *data, mDNSu32 len);
+
+#endif // __CRYPTO_ALG_H
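Review bot: The comment on the `Encode` member of AlgFuncs does not say who owns the returned buffer or whether it is NUL-terminated, and callers depend on both. baseEncode in DNSCommon.c (same commit) formats the result with `%s` and then calls AlgDestroy without freeing it, which suggests the buffer belongs to the context and must be a terminated string; a platform implementation that returned raw bytes would be over-read there. I would state the contract in the comment, e.g. `// Encode the data added so far; returns a NUL-terminated string owned by ctx, valid until Destroy`, after confirming it against the platform implementations. The `Verify` comment would also benefit from naming the mStatus value that means the signature matched.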
diff --git a/mDNSResponder/mDNSCore/DNSCommon.c b/mDNSResponder/mDNSCore/DNSCommon.c
new file mode 100644
index 00000000..947607cf
--- /dev/null
+++ b/mDNSResponder/mDNSCore/DNSCommon.c
@@ -0,0 +1,4319 @@
+/* -*- Mode: C; tab-width: 4 -*-
+ *
+ * Copyright (c) 2002-2013 Apple Computer, Inc. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+// Set mDNS_InstantiateInlines to tell mDNSEmbeddedAPI.h to instantiate inline functions, if necessary
+#define mDNS_InstantiateInlines 1
+#include "DNSCommon.h"
+#include "CryptoAlg.h"
+#include "anonymous.h"
+
+// Disable certain benign warnings with Microsoft compilers
+#if (defined(_MSC_VER))
+// Disable "conditional expression is constant" warning for debug macros.
+// Otherwise, this generates warnings for the perfectly natural construct "while(1)"
+// If someone knows a variant way of writing "while(1)" that doesn't generate warning messages, please let us know
+ #pragma warning(disable:4127)
+// Disable "array is too small to include a terminating null character" warning
+// -- domain labels have an initial length byte, not a terminating null character
+ #pragma warning(disable:4295)
+#endif
+
+// ***************************************************************************
+#if COMPILER_LIKES_PRAGMA_MARK
+#pragma mark - Program Constants
+#endif
+
+mDNSexport const mDNSInterfaceID mDNSInterface_Any = 0;
+mDNSexport const mDNSInterfaceID mDNSInterfaceMark = (mDNSInterfaceID)-1;
+mDNSexport const mDNSInterfaceID mDNSInterface_LocalOnly = (mDNSInterfaceID)-2;
+mDNSexport const mDNSInterfaceID mDNSInterface_Unicast = (mDNSInterfaceID)-3;
+mDNSexport const mDNSInterfaceID mDNSInterface_P2P = (mDNSInterfaceID)-4;
+mDNSexport const mDNSInterfaceID uDNSInterfaceMark = (mDNSInterfaceID)-5;
+
+// Note: Microsoft's proposed "Link Local Multicast Name Resolution Protocol" (LLMNR) is essentially a limited version of
+// Multicast DNS, using the same packet formats, naming syntax, and record types as Multicast DNS, but on a different UDP
+// port and multicast address, which means it won't interoperate with the existing installed base of Multicast DNS responders.
+// LLMNR uses IPv4 multicast address 224.0.0.252, IPv6 multicast address FF02::0001:0003, and UDP port 5355.
+// Uncomment the appropriate lines below to build a special Multicast DNS responder for testing interoperability
+// with Microsoft's LLMNR client code.
+
+#define DiscardPortAsNumber 9
+#define SSHPortAsNumber 22
+#define UnicastDNSPortAsNumber 53
+#define SSDPPortAsNumber 1900
+#define IPSECPortAsNumber 4500
+#define NSIPCPortAsNumber 5030 // Port used for dnsextd to talk to local nameserver bound to loopback
+#define NATPMPAnnouncementPortAsNumber 5350
+#define NATPMPPortAsNumber 5351
+#define DNSEXTPortAsNumber 5352 // Port used for end-to-end DNS operations like LLQ, Updates with Leases, etc.
+#define MulticastDNSPortAsNumber 5353
+#define LoopbackIPCPortAsNumber 5354
+//#define MulticastDNSPortAsNumber 5355 // LLMNR
+#define PrivateDNSPortAsNumber 5533
+
+mDNSexport const mDNSIPPort DiscardPort = { { DiscardPortAsNumber >> 8, DiscardPortAsNumber & 0xFF } };
+mDNSexport const mDNSIPPort SSHPort = { { SSHPortAsNumber >> 8, SSHPortAsNumber & 0xFF } };
+mDNSexport const mDNSIPPort UnicastDNSPort = { { UnicastDNSPortAsNumber >> 8, UnicastDNSPortAsNumber & 0xFF } };
+mDNSexport const mDNSIPPort SSDPPort = { { SSDPPortAsNumber >> 8, SSDPPortAsNumber & 0xFF } };
+mDNSexport const mDNSIPPort IPSECPort = { { IPSECPortAsNumber >> 8, IPSECPortAsNumber & 0xFF } };
+mDNSexport const mDNSIPPort NSIPCPort = { { NSIPCPortAsNumber >> 8, NSIPCPortAsNumber & 0xFF } };
+mDNSexport const mDNSIPPort NATPMPAnnouncementPort = { { NATPMPAnnouncementPortAsNumber >> 8, NATPMPAnnouncementPortAsNumber & 0xFF } };
+mDNSexport const mDNSIPPort NATPMPPort = { { NATPMPPortAsNumber >> 8, NATPMPPortAsNumber & 0xFF } };
+mDNSexport const mDNSIPPort DNSEXTPort = { { DNSEXTPortAsNumber >> 8, DNSEXTPortAsNumber & 0xFF } };
+mDNSexport const mDNSIPPort MulticastDNSPort = { { MulticastDNSPortAsNumber >> 8, MulticastDNSPortAsNumber & 0xFF } };
+mDNSexport const mDNSIPPort LoopbackIPCPort = { { LoopbackIPCPortAsNumber >> 8, LoopbackIPCPortAsNumber & 0xFF } };
+mDNSexport const mDNSIPPort PrivateDNSPort = { { PrivateDNSPortAsNumber >> 8, PrivateDNSPortAsNumber & 0xFF } };
+
+mDNSexport const OwnerOptData zeroOwner = { 0, 0, { { 0 } }, { { 0 } }, { { 0 } } };
+
+mDNSexport const mDNSIPPort zeroIPPort = { { 0 } };
+mDNSexport const mDNSv4Addr zerov4Addr = { { 0 } };
+mDNSexport const mDNSv6Addr zerov6Addr = { { 0 } };
+mDNSexport const mDNSEthAddr zeroEthAddr = { { 0 } };
+mDNSexport const mDNSv4Addr onesIPv4Addr = { { 255, 255, 255, 255 } };
+mDNSexport const mDNSv6Addr onesIPv6Addr = { { 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255 } };
+mDNSexport const mDNSEthAddr onesEthAddr = { { 255, 255, 255, 255, 255, 255 } };
+mDNSexport const mDNSAddr zeroAddr = { mDNSAddrType_None, {{{ 0 }}} };
+
+mDNSexport const mDNSv4Addr AllDNSAdminGroup = { { 239, 255, 255, 251 } };
+mDNSexport const mDNSv4Addr AllHosts_v4 = { { 224, 0, 0, 1 } }; // For NAT-PMP & PCP Annoucements
+mDNSexport const mDNSv6Addr AllHosts_v6 = { { 0xFF,0x02,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x01 } };
+mDNSexport const mDNSv6Addr NDP_prefix = { { 0xFF,0x02,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x01, 0xFF,0x00,0x00,0xFB } }; // FF02:0:0:0:0:1:FF00::/104
+mDNSexport const mDNSEthAddr AllHosts_v6_Eth = { { 0x33, 0x33, 0x00, 0x00, 0x00, 0x01 } };
+mDNSexport const mDNSAddr AllDNSLinkGroup_v4 = { mDNSAddrType_IPv4, { { { 224, 0, 0, 251 } } } };
+//mDNSexport const mDNSAddr AllDNSLinkGroup_v4 = { mDNSAddrType_IPv4, { { { 224, 0, 0, 252 } } } }; // LLMNR
+mDNSexport const mDNSAddr AllDNSLinkGroup_v6 = { mDNSAddrType_IPv6, { { { 0xFF,0x02,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0xFB } } } };
+//mDNSexport const mDNSAddr AllDNSLinkGroup_v6 = { mDNSAddrType_IPv6, { { { 0xFF,0x02,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x01,0x00,0x03 } } } }; // LLMNR
+
+mDNSexport const mDNSOpaque16 zeroID = { { 0, 0 } };
+mDNSexport const mDNSOpaque16 onesID = { { 255, 255 } };
+mDNSexport const mDNSOpaque16 QueryFlags = { { kDNSFlag0_QR_Query | kDNSFlag0_OP_StdQuery, 0 } };
+mDNSexport const mDNSOpaque16 uQueryFlags = { { kDNSFlag0_QR_Query | kDNSFlag0_OP_StdQuery | kDNSFlag0_RD, 0 } };
+mDNSexport const mDNSOpaque16 DNSSecQFlags = { { kDNSFlag0_QR_Query | kDNSFlag0_OP_StdQuery | kDNSFlag0_RD, kDNSFlag1_CD } };
+mDNSexport const mDNSOpaque16 ResponseFlags = { { kDNSFlag0_QR_Response | kDNSFlag0_OP_StdQuery | kDNSFlag0_AA, 0 } };
+mDNSexport const mDNSOpaque16 UpdateReqFlags = { { kDNSFlag0_QR_Query | kDNSFlag0_OP_Update, 0 } };
+mDNSexport const mDNSOpaque16 UpdateRespFlags = { { kDNSFlag0_QR_Response | kDNSFlag0_OP_Update, 0 } };
+
+mDNSexport const mDNSOpaque64 zeroOpaque64 = { { 0 } };
+
+// ***************************************************************************
+#if COMPILER_LIKES_PRAGMA_MARK
+#pragma mark -
+#pragma mark - General Utility Functions
+#endif
+
+// return true for RFC1918 private addresses
+mDNSexport mDNSBool mDNSv4AddrIsRFC1918(const mDNSv4Addr * const addr)
+{
+ return ((addr->b[0] == 10) || // 10/8 prefix
+ (addr->b[0] == 172 && (addr->b[1] & 0xF0) == 16) || // 172.16/12
+ (addr->b[0] == 192 && addr->b[1] == 168)); // 192.168/16
+}
+
+mDNSexport void mDNSAddrMapIPv4toIPv6(mDNSv4Addr* in, mDNSv6Addr* out)
+{
+ out->l[0] = 0;
+ out->l[1] = 0;
+ out->w[4] = 0;
+ out->w[5] = 0xffff;
+ out->b[12] = in->b[0];
+ out->b[13] = in->b[1];
+ out->b[14] = in->b[2];
+ out->b[15] = in->b[3];
+}
+
+mDNSexport mDNSBool mDNSAddrIPv4FromMappedIPv6(mDNSv6Addr *in, mDNSv4Addr* out)
+{
+ if (in->l[0] != 0 || in->l[1] != 0 || in->w[4] != 0 || in->w[5] != 0xffff)
+ return mDNSfalse;
+
+ out->NotAnInteger = in->l[3];
+ return mDNStrue;
+}
+
+mDNSexport NetworkInterfaceInfo *GetFirstActiveInterface(NetworkInterfaceInfo *intf)
+{
+ while (intf && !intf->InterfaceActive) intf = intf->next;
+ return(intf);
+}
+
+mDNSexport mDNSInterfaceID GetNextActiveInterfaceID(const NetworkInterfaceInfo *intf)
+{
+ const NetworkInterfaceInfo *next = GetFirstActiveInterface(intf->next);
+ if (next) return(next->InterfaceID);else return(mDNSNULL);
+}
+
+mDNSexport mDNSu32 NumCacheRecordsForInterfaceID(const mDNS *const m, mDNSInterfaceID id)
+{
+ mDNSu32 slot, used = 0;
+ CacheGroup *cg;
+ const CacheRecord *rr;
+ FORALL_CACHERECORDS(slot, cg, rr)
+ {
+ if (rr->resrec.InterfaceID == id)
+ used++;
+ }
+ return(used);
+}
+
+mDNSexport char *DNSTypeName(mDNSu16 rrtype)
+{
+ switch (rrtype)
+ {
+ case kDNSType_A: return("Addr");
+ case kDNSType_NS: return("NS");
+ case kDNSType_CNAME: return("CNAME");
+ case kDNSType_SOA: return("SOA");
+ case kDNSType_NULL: return("NULL");
+ case kDNSType_PTR: return("PTR");
+ case kDNSType_HINFO: return("HINFO");
+ case kDNSType_TXT: return("TXT");
+ case kDNSType_AAAA: return("AAAA");
+ case kDNSType_SRV: return("SRV");
+ case kDNSType_OPT: return("OPT");
+ case kDNSType_NSEC: return("NSEC");
+ case kDNSType_NSEC3: return("NSEC3");
+ case kDNSType_NSEC3PARAM: return("NSEC3PARAM");
+ case kDNSType_TSIG: return("TSIG");
+ case kDNSType_RRSIG: return("RRSIG");
+ case kDNSType_DNSKEY: return("DNSKEY");
+ case kDNSType_DS: return("DS");
+ case kDNSQType_ANY: return("ANY");
+ default: {
+ static char buffer[16];
+ mDNS_snprintf(buffer, sizeof(buffer), "TYPE%d", rrtype);
+ return(buffer);
+ }
+ }
+}
+
+mDNSlocal char *DNSSECAlgName(mDNSu8 alg)
+{
+ switch (alg)
+ {
+ case CRYPTO_RSA_SHA1: return "RSA_SHA1";
+ case CRYPTO_DSA_NSEC3_SHA1: return "DSA_NSEC3_SHA1";
+ case CRYPTO_RSA_NSEC3_SHA1: return "RSA_NSEC3_SHA1";
+ case CRYPTO_RSA_SHA256: return "RSA_SHA256";
+ case CRYPTO_RSA_SHA512: return "RSA_SHA512";
+ default: {
+ static char algbuffer[16];
+ mDNS_snprintf(algbuffer, sizeof(algbuffer), "ALG%d", alg);
+ return(algbuffer);
+ }
+ }
+}
+
+mDNSlocal char *DNSSECDigestName(mDNSu8 digest)
+{
+ switch (digest)
+ {
+ case SHA1_DIGEST_TYPE: return "SHA1";
+ case SHA256_DIGEST_TYPE: return "SHA256";
+ default:
+ {
+ static char digbuffer[16];
+ mDNS_snprintf(digbuffer, sizeof(digbuffer), "DIG%d", digest);
+ return(digbuffer);
+ }
+ }
+}
+
+mDNSexport mDNSu32 swap32(mDNSu32 x)
+{
+ mDNSu8 *ptr = (mDNSu8 *)&x;
+ return (mDNSu32)((mDNSu32)ptr[0] << 24 | (mDNSu32)ptr[1] << 16 | (mDNSu32)ptr[2] << 8 | ptr[3]);
+}
+
+mDNSexport mDNSu16 swap16(mDNSu16 x)
+{
+ mDNSu8 *ptr = (mDNSu8 *)&x;
+ return (mDNSu16)((mDNSu16)ptr[0] << 8 | ptr[1]);
+}
+
+// RFC 4034 Appendix B: Get the keyid of a DNS KEY. It is not transmitted
+// explicitly on the wire.
+//
+// Note: This just helps narrow down the list of keys to look at. It is possible
+// for two DNS keys to have the same ID i.e., key ID is not a unqiue tag. We ignore
+// MD5 keys.
+//
+// 1st argument - the RDATA part of the DNSKEY RR
+// 2nd argument - the RDLENGTH
+//
+mDNSlocal mDNSu32 keytag(mDNSu8 *key, mDNSu32 keysize)
+{
+ unsigned long ac;
+ unsigned int i;
+
+ for (ac = 0, i = 0; i < keysize; ++i)
+ ac += (i & 1) ? key[i] : key[i] << 8;
+ ac += (ac >> 16) & 0xFFFF;
+ return ac & 0xFFFF;
+}
+
+mDNSexport int baseEncode(char *buffer, int blen, const mDNSu8 *data, int len, int encAlg)
+{
+ AlgContext *ctx;
+ mDNSu8 *outputBuffer;
+ int length;
+
+ ctx = AlgCreate(ENC_ALG, encAlg);
+ if (!ctx)
+ {
+ LogMsg("baseEncode: AlgCreate failed\n");
+ return 0;
+ }
+ AlgAdd(ctx, data, len);
+ outputBuffer = AlgEncode(ctx);
+ length = 0;
+ if (outputBuffer)
+ {
+ // Note: don't include any spaces in the format string below. This
+ // is also used by NSEC3 code for proving non-existence where it
+ // needs the base32 encoding without any spaces etc.
+ length = mDNS_snprintf(buffer, blen, "%s", outputBuffer);
+ }
+ AlgDestroy(ctx);
+ return length;
+}
+
+mDNSlocal void PrintTypeBitmap(const mDNSu8 *bmap, int bitmaplen, char *const buffer, mDNSu32 length)
+{
+ int win, wlen, type;
+
+ while (bitmaplen > 0)
+ {
+ int i;
+
+ if (bitmaplen < 3)
+ {
+ LogMsg("PrintTypeBitmap: malformed bitmap, bitmaplen %d short", bitmaplen);
+ break;
+ }
+
+ win = *bmap++;
+ wlen = *bmap++;
+ bitmaplen -= 2;
+ if (bitmaplen < wlen || wlen < 1 || wlen > 32)
+ {
+ LogInfo("PrintTypeBitmap: malformed nsec, bitmaplen %d wlen %d", bitmaplen, wlen);
+ break;
+ }
+ if (win < 0 || win >= 256)
+ {
+ LogInfo("PrintTypeBitmap: malformed nsec, bad window win %d", win);
+ break;
+ }
+ type = win * 256;
+ for (i = 0; i < wlen * 8; i++)
+ {
+ if (bmap[i>>3] & (128 >> (i&7)))
+ length += mDNS_snprintf(buffer+length, (MaxMsg - 1) - length, "%s ", DNSTypeName(type + i));
+ }
+ bmap += wlen;
+ bitmaplen -= wlen;
+ }
+}
+
+// Parse the fields beyond the base header. NSEC3 should have been validated.
+mDNSexport void NSEC3Parse(const ResourceRecord *const rr, mDNSu8 **salt, int *hashLength, mDNSu8 **nxtName, int *bitmaplen, mDNSu8 **bitmap)
+{
+ const RDataBody2 *const rdb = (RDataBody2 *)rr->rdata->u.data;
+ rdataNSEC3 *nsec3 = (rdataNSEC3 *)rdb->data;
+ mDNSu8 *p = (mDNSu8 *)&nsec3->salt;
+ int hlen;
+
+ if (salt)
+ {
+ if (nsec3->saltLength)
+ *salt = p;
+ else
+ *salt = mDNSNULL;
+ }
+ p += nsec3->saltLength;
+ // p is pointing at hashLength
+ hlen = (int)*p;
+ if (hashLength)
+ *hashLength = hlen;
+ p++;
+ if (nxtName)
+ *nxtName = p;
+ p += hlen;
+ if (bitmaplen)
+ *bitmaplen = rr->rdlength - (int)(p - rdb->data);
+ if (bitmap)
+ *bitmap = p;
+}
+
+// Note slight bug: this code uses the rdlength from the ResourceRecord object, to display
+// the rdata from the RDataBody object. Sometimes this could be the wrong length -- but as
+// long as this routine is only used for debugging messages, it probably isn't a big problem.
+mDNSexport char *GetRRDisplayString_rdb(const ResourceRecord *const rr, const RDataBody *const rd1, char *const buffer)
+{
+ const RDataBody2 *const rd = (RDataBody2 *)rd1;
+ #define RemSpc (MaxMsg-1-length)
+ char *ptr = buffer;
+ mDNSu32 length = mDNS_snprintf(buffer, MaxMsg-1, "%4d %##s %s ", rr->rdlength, rr->name->c, DNSTypeName(rr->rrtype));
+ if (rr->RecordType == kDNSRecordTypePacketNegative) return(buffer);
+ if (!rr->rdlength) { mDNS_snprintf(buffer+length, RemSpc, "<< ZERO RDATA LENGTH >>"); return(buffer); }
+
+ switch (rr->rrtype)
+ {
+ case kDNSType_A: mDNS_snprintf(buffer+length, RemSpc, "%.4a", &rd->ipv4); break;
+
+ case kDNSType_NS: // Same as PTR
+ case kDNSType_CNAME: // Same as PTR
+ case kDNSType_PTR: mDNS_snprintf(buffer+length, RemSpc, "%##s", rd->name.c); break;
+
+ case kDNSType_SOA: mDNS_snprintf(buffer+length, RemSpc, "%##s %##s %d %d %d %d %d",
+ rd->soa.mname.c, rd->soa.rname.c,
+ rd->soa.serial, rd->soa.refresh, rd->soa.retry, rd->soa.expire, rd->soa.min);
+ break;
+
+ case kDNSType_HINFO: // Display this the same as TXT (show all constituent strings)
+ case kDNSType_TXT: {
+ const mDNSu8 *t = rd->txt.c;
+ while (t < rd->txt.c + rr->rdlength)
+ {
+ length += mDNS_snprintf(buffer+length, RemSpc, "%s%#s", t > rd->txt.c ? "¦" : "", t);
+ t += 1 + t[0];
+ }
+ } break;
+
+ case kDNSType_AAAA: mDNS_snprintf(buffer+length, RemSpc, "%.16a", &rd->ipv6); break;
+ case kDNSType_SRV: mDNS_snprintf(buffer+length, RemSpc, "%u %u %u %##s",
+ rd->srv.priority, rd->srv.weight, mDNSVal16(rd->srv.port), rd->srv.target.c); break;
+
+ case kDNSType_OPT: {
+ const rdataOPT *opt;
+ const rdataOPT *const end = (const rdataOPT *)&rd->data[rr->rdlength];
+ length += mDNS_snprintf(buffer+length, RemSpc, "Max %d", rr->rrclass);
+ for (opt = &rd->opt[0]; opt < end; opt++)
+ {
+ switch(opt->opt)
+ {
+ case kDNSOpt_LLQ:
+ length += mDNS_snprintf(buffer+length, RemSpc, " Vers %d", opt->u.llq.vers);
+ length += mDNS_snprintf(buffer+length, RemSpc, " Op %d", opt->u.llq.llqOp);
+ length += mDNS_snprintf(buffer+length, RemSpc, " Err/Port %d", opt->u.llq.err);
+ length += mDNS_snprintf(buffer+length, RemSpc, " ID %08X%08X", opt->u.llq.id.l[0], opt->u.llq.id.l[1]);
+ length += mDNS_snprintf(buffer+length, RemSpc, " Lease %d", opt->u.llq.llqlease);
+ break;
+ case kDNSOpt_Lease:
+ length += mDNS_snprintf(buffer+length, RemSpc, " Lease %d", opt->u.updatelease);
+ break;
+ case kDNSOpt_Owner:
+ length += mDNS_snprintf(buffer+length, RemSpc, " Vers %d", opt->u.owner.vers);
+ length += mDNS_snprintf(buffer+length, RemSpc, " Seq %3d", (mDNSu8)opt->u.owner.seq); // Display as unsigned
+ length += mDNS_snprintf(buffer+length, RemSpc, " MAC %.6a", opt->u.owner.HMAC.b);
+ if (opt->optlen >= DNSOpt_OwnerData_ID_Wake_Space-4)
+ {
+ length += mDNS_snprintf(buffer+length, RemSpc, " I-MAC %.6a", opt->u.owner.IMAC.b);
+ if (opt->optlen > DNSOpt_OwnerData_ID_Wake_Space-4)
+ length += mDNS_snprintf(buffer+length, RemSpc, " Password %.6a", opt->u.owner.password.b);
+ }
+ break;
+ case kDNSOpt_Trace:
+ length += mDNS_snprintf(buffer+length, RemSpc, " Platform %d", opt->u.tracer.platf);
+ length += mDNS_snprintf(buffer+length, RemSpc, " mDNSVers %d", opt->u.tracer.mDNSv);
+ break;
+ default:
+ length += mDNS_snprintf(buffer+length, RemSpc, " Unknown %d", opt->opt);
+ break;
+ }
+ }
+ }
+ break;
+
+ case kDNSType_NSEC: {
+ domainname *next = (domainname *)rd->data;
+ int len, bitmaplen;
+ mDNSu8 *bmap;
+ len = DomainNameLength(next);
+ bitmaplen = rr->rdlength - len;
+ bmap = (mDNSu8 *)((mDNSu8 *)next + len);
+
+ if (UNICAST_NSEC(rr))
+ length += mDNS_snprintf(buffer+length, RemSpc, "%##s ", next->c);
+ PrintTypeBitmap(bmap, bitmaplen, buffer, length);
+
+ }
+ break;
+ case kDNSType_NSEC3: {
+ rdataNSEC3 *nsec3 = (rdataNSEC3 *)rd->data;
+ const mDNSu8 *p = (mDNSu8 *)&nsec3->salt;
+ int hashLength, bitmaplen, i;
+
+ length += mDNS_snprintf(buffer+length, RemSpc, "\t%s %d %d ",
+ DNSSECDigestName(nsec3->alg), nsec3->flags, swap16(nsec3->iterations));
+
+ if (!nsec3->saltLength)
+ {
+ length += mDNS_snprintf(buffer+length, RemSpc, "-");
+ }
+ else
+ {
+ for (i = 0; i < nsec3->saltLength; i++)
+ {
+ length += mDNS_snprintf(buffer+length, RemSpc, "%x", p[i]);
+ }
+ }
+
+ // put a space at the end
+ length += mDNS_snprintf(buffer+length, RemSpc, " ");
+
+ p += nsec3->saltLength;
+ // p is pointing at hashLength
+ hashLength = (int)*p++;
+
+ length += baseEncode(buffer + length, RemSpc, p, hashLength, ENC_BASE32);
+
+ // put a space at the end
+ length += mDNS_snprintf(buffer+length, RemSpc, " ");
+
+ p += hashLength;
+ bitmaplen = rr->rdlength - (int)(p - rd->data);
+ PrintTypeBitmap(p, bitmaplen, buffer, length);
+ }
+ break;
+ case kDNSType_RRSIG: {
+ rdataRRSig *rrsig = (rdataRRSig *)rd->data;
+ mDNSu8 expTimeBuf[64];
+ mDNSu8 inceptTimeBuf[64];
+ unsigned long inceptClock;
+ unsigned long expClock;
+ int len;
+
+ expClock = (unsigned long)swap32(rrsig->sigExpireTime);
+ mDNSPlatformFormatTime(expClock, expTimeBuf, sizeof(expTimeBuf));
+
+ inceptClock = (unsigned long)swap32(rrsig->sigInceptTime);
+ mDNSPlatformFormatTime(inceptClock, inceptTimeBuf, sizeof(inceptTimeBuf));
+
+ length += mDNS_snprintf(buffer+length, RemSpc, "\t%s %s %d %d %s %s %d %##s ",
+ DNSTypeName(swap16(rrsig->typeCovered)), DNSSECAlgName(rrsig->alg), rrsig->labels, swap32(rrsig->origTTL),
+ expTimeBuf, inceptTimeBuf, swap16(rrsig->keyTag), ((domainname *)(&rrsig->signerName))->c);
+
+ len = DomainNameLength((domainname *)&rrsig->signerName);
+ length += baseEncode(buffer + length, RemSpc, (const mDNSu8 *)(rd->data + len + RRSIG_FIXED_SIZE),
+ rr->rdlength - (len + RRSIG_FIXED_SIZE), ENC_BASE64);
+ }
+ break;
+ case kDNSType_DNSKEY: {
+ rdataDNSKey *rrkey = (rdataDNSKey *)rd->data;
+ length += mDNS_snprintf(buffer+length, RemSpc, "\t%d %d %s %u ", swap16(rrkey->flags), rrkey->proto,
+ DNSSECAlgName(rrkey->alg), (unsigned int)keytag((mDNSu8 *)rrkey, rr->rdlength));
+ length += baseEncode(buffer + length, RemSpc, (const mDNSu8 *)(rd->data + DNSKEY_FIXED_SIZE),
+ rr->rdlength - DNSKEY_FIXED_SIZE, ENC_BASE64);
+ }
+ break;
+ case kDNSType_DS: {
+ mDNSu8 *p;
+ int i;
+ rdataDS *rrds = (rdataDS *)rd->data;
+
+ length += mDNS_snprintf(buffer+length, RemSpc, "\t%s\t%d\t%s ", DNSSECAlgName(rrds->alg), swap16(rrds->keyTag),
+ DNSSECDigestName(rrds->digestType));
+
+ p = (mDNSu8 *)(rd->data + DS_FIXED_SIZE);
+ for (i = 0; i < (rr->rdlength - DS_FIXED_SIZE); i++)
+ {
+ length += mDNS_snprintf(buffer+length, RemSpc, "%x", p[i]);
+ }
+ }
+ break;
+
+ default: mDNS_snprintf(buffer+length, RemSpc, "RDLen %d: %s", rr->rdlength, rd->data);
+ // Really should scan buffer to check if text is valid UTF-8 and only replace with dots if not
+ for (ptr = buffer; *ptr; ptr++) if (*ptr < ' ') *ptr = '.';
+ break;
+ }
+ return(buffer);
+}
+
+// See comments in mDNSEmbeddedAPI.h
+#if _PLATFORM_HAS_STRONG_PRNG_
+#define mDNSRandomNumber mDNSPlatformRandomNumber
+#else
+mDNSlocal mDNSu32 mDNSRandomFromSeed(mDNSu32 seed)
+{
+ return seed * 21 + 1;
+}
+
+mDNSlocal mDNSu32 mDNSMixRandomSeed(mDNSu32 seed, mDNSu8 iteration)
+{
+ return iteration ? mDNSMixRandomSeed(mDNSRandomFromSeed(seed), --iteration) : seed;
+}
+
+mDNSlocal mDNSu32 mDNSRandomNumber()
+{
+ static mDNSBool seeded = mDNSfalse;
+ static mDNSu32 seed = 0;
+ if (!seeded)
+ {
+ seed = mDNSMixRandomSeed(mDNSPlatformRandomSeed(), 100);
+ seeded = mDNStrue;
+ }
+ return (seed = mDNSRandomFromSeed(seed));
+}
+#endif // ! _PLATFORM_HAS_STRONG_PRNG_
+
+mDNSexport mDNSu32 mDNSRandom(mDNSu32 max) // Returns pseudo-random result from zero to max inclusive
+{
+ mDNSu32 ret = 0;
+ mDNSu32 mask = 1;
+
+ while (mask < max) mask = (mask << 1) | 1;
+
+ do ret = mDNSRandomNumber() & mask;
+ while (ret > max);
+
+ return ret;
+}
+
+mDNSexport mDNSBool mDNSSameAddress(const mDNSAddr *ip1, const mDNSAddr *ip2)
+{
+ if (ip1->type == ip2->type)
+ {
+ switch (ip1->type)
+ {
+ case mDNSAddrType_None: return(mDNStrue); // Empty addresses have no data and are therefore always equal
+ case mDNSAddrType_IPv4: return (mDNSBool)(mDNSSameIPv4Address(ip1->ip.v4, ip2->ip.v4));
+ case mDNSAddrType_IPv6: return (mDNSBool)(mDNSSameIPv6Address(ip1->ip.v6, ip2->ip.v6));
+ }
+ }
+ return(mDNSfalse);
+}
+
+mDNSexport mDNSBool mDNSAddrIsDNSMulticast(const mDNSAddr *ip)
+{
+ switch(ip->type)
+ {
+ case mDNSAddrType_IPv4: return (mDNSBool)(mDNSSameIPv4Address(ip->ip.v4, AllDNSLinkGroup_v4.ip.v4));
+ case mDNSAddrType_IPv6: return (mDNSBool)(mDNSSameIPv6Address(ip->ip.v6, AllDNSLinkGroup_v6.ip.v6));
+ default: return(mDNSfalse);
+ }
+}
+
+// ***************************************************************************
+#if COMPILER_LIKES_PRAGMA_MARK
+#pragma mark -
+#pragma mark - Domain Name Utility Functions
+#endif
+
+mDNSexport mDNSBool SameDomainLabel(const mDNSu8 *a, const mDNSu8 *b)
+{
+ int i;
+ const int len = *a++;
+
+ if (len > MAX_DOMAIN_LABEL)
+ { debugf("Malformed label (too long)"); return(mDNSfalse); }
+
+ if (len != *b++) return(mDNSfalse);
+ for (i=0; i<len; i++)
+ {
+ mDNSu8 ac = *a++;
+ mDNSu8 bc = *b++;
+ if (mDNSIsUpperCase(ac)) ac += 'a' - 'A';
+ if (mDNSIsUpperCase(bc)) bc += 'a' - 'A';
+ if (ac != bc) return(mDNSfalse);
+ }
+ return(mDNStrue);
+}
+
+mDNSexport mDNSBool SameDomainName(const domainname *const d1, const domainname *const d2)
+{
+ const mDNSu8 * a = d1->c;
+ const mDNSu8 * b = d2->c;
+ const mDNSu8 *const max = d1->c + MAX_DOMAIN_NAME; // Maximum that's valid
+
+ while (*a || *b)
+ {
+ if (a + 1 + *a >= max)
+ { debugf("Malformed domain name (more than 256 characters)"); return(mDNSfalse); }
+ if (!SameDomainLabel(a, b)) return(mDNSfalse);
+ a += 1 + *a;
+ b += 1 + *b;
+ }
+
+ return(mDNStrue);
+}
+
+mDNSexport mDNSBool SameDomainNameCS(const domainname *const d1, const domainname *const d2)
+{
+ mDNSu16 l1 = DomainNameLength(d1);
+ mDNSu16 l2 = DomainNameLength(d2);
+ return(l1 <= MAX_DOMAIN_NAME && l1 == l2 && mDNSPlatformMemSame(d1, d2, l1));
+}
+
+mDNSexport mDNSBool IsLocalDomain(const domainname *d)
+{
+ // Domains that are defined to be resolved via link-local multicast are:
+ // local., 254.169.in-addr.arpa., and {8,9,A,B}.E.F.ip6.arpa.
+ static const domainname *nL = (const domainname*)"\x5" "local";
+ static const domainname *nR = (const domainname*)"\x3" "254" "\x3" "169" "\x7" "in-addr" "\x4" "arpa";
+ static const domainname *n8 = (const domainname*)"\x1" "8" "\x1" "e" "\x1" "f" "\x3" "ip6" "\x4" "arpa";
+ static const domainname *n9 = (const domainname*)"\x1" "9" "\x1" "e" "\x1" "f" "\x3" "ip6" "\x4" "arpa";
+ static const domainname *nA = (const domainname*)"\x1" "a" "\x1" "e" "\x1" "f" "\x3" "ip6" "\x4" "arpa";
+ static const domainname *nB = (const domainname*)"\x1" "b" "\x1" "e" "\x1" "f" "\x3" "ip6" "\x4" "arpa";
+
+ const domainname *d1, *d2, *d3, *d4, *d5; // Top-level domain, second-level domain, etc.
+ d1 = d2 = d3 = d4 = d5 = mDNSNULL;
+ while (d->c[0])
+ {
+ d5 = d4; d4 = d3; d3 = d2; d2 = d1; d1 = d;
+ d = (const domainname*)(d->c + 1 + d->c[0]);
+ }
+
+ if (d1 && SameDomainName(d1, nL)) return(mDNStrue);
+ if (d4 && SameDomainName(d4, nR)) return(mDNStrue);
+ if (d5 && SameDomainName(d5, n8)) return(mDNStrue);
+ if (d5 && SameDomainName(d5, n9)) return(mDNStrue);
+ if (d5 && SameDomainName(d5, nA)) return(mDNStrue);
+ if (d5 && SameDomainName(d5, nB)) return(mDNStrue);
+ return(mDNSfalse);
+}
+
+mDNSexport const mDNSu8 *LastLabel(const domainname *d)
+{
+ const mDNSu8 *p = d->c;
+ while (d->c[0])
+ {
+ p = d->c;
+ d = (const domainname*)(d->c + 1 + d->c[0]);
+ }
+ return(p);
+}
+
+// Returns length of a domain name INCLUDING the byte for the final null label
+// e.g. for the root label "." it returns one
+// For the FQDN "com." it returns 5 (length byte, three data bytes, final zero)
+// Legal results are 1 (just root label) to 256 (MAX_DOMAIN_NAME)
+// If the given domainname is invalid, result is 257 (MAX_DOMAIN_NAME+1)
+mDNSexport mDNSu16 DomainNameLengthLimit(const domainname *const name, const mDNSu8 *limit)
+{
+ const mDNSu8 *src = name->c;
+ while (src < limit && *src <= MAX_DOMAIN_LABEL)
+ {
+ if (*src == 0) return((mDNSu16)(src - name->c + 1));
+ src += 1 + *src;
+ }
+ return(MAX_DOMAIN_NAME+1);
+}
+
+// CompressedDomainNameLength returns the length of a domain name INCLUDING the byte
+// for the final null label, e.g. for the root label "." it returns one.
+// E.g. for the FQDN "foo.com." it returns 9
+// (length, three data bytes, length, three more data bytes, final zero).
+// In the case where a parent domain name is provided, and the given name is a child
+// of that parent, CompressedDomainNameLength returns the length of the prefix portion
+// of the child name, plus TWO bytes for the compression pointer.
+// E.g. for the name "foo.com." with parent "com.", it returns 6
+// (length, three data bytes, two-byte compression pointer).
+mDNSexport mDNSu16 CompressedDomainNameLength(const domainname *const name, const domainname *parent)
+{
+ const mDNSu8 *src = name->c;
+ if (parent && parent->c[0] == 0) parent = mDNSNULL;
+ while (*src)
+ {
+ if (*src > MAX_DOMAIN_LABEL) return(MAX_DOMAIN_NAME+1);
+ if (parent && SameDomainName((const domainname *)src, parent)) return((mDNSu16)(src - name->c + 2));
+ src += 1 + *src;
+ if (src - name->c >= MAX_DOMAIN_NAME) return(MAX_DOMAIN_NAME+1);
+ }
+ return((mDNSu16)(src - name->c + 1));
+}
+
+// CountLabels() returns number of labels in name, excluding final root label
+// (e.g. for "apple.com." CountLabels returns 2.)
+mDNSexport int CountLabels(const domainname *d)
+{
+ int count = 0;
+ const mDNSu8 *ptr;
+ for (ptr = d->c; *ptr; ptr = ptr + ptr[0] + 1) count++;
+ return count;
+}
+
+// SkipLeadingLabels skips over the first 'skip' labels in the domainname,
+// returning a pointer to the suffix with 'skip' labels removed.
+mDNSexport const domainname *SkipLeadingLabels(const domainname *d, int skip)
+{
+ while (skip > 0 && d->c[0]) { d = (const domainname *)(d->c + 1 + d->c[0]); skip--; }
+ return(d);
+}
+
+// AppendLiteralLabelString appends a single label to an existing (possibly empty) domainname.
+// The C string contains the label as-is, with no escaping, etc.
+// Any dots in the name are literal dots, not label separators
+// If successful, AppendLiteralLabelString returns a pointer to the next unused byte
+// in the domainname bufer (i.e. the next byte after the terminating zero).
+// If unable to construct a legal domain name (i.e. label more than 63 bytes, or total more than 256 bytes)
+// AppendLiteralLabelString returns mDNSNULL.
+mDNSexport mDNSu8 *AppendLiteralLabelString(domainname *const name, const char *cstr)
+{
+ mDNSu8 * ptr = name->c + DomainNameLength(name) - 1; // Find end of current name
+ const mDNSu8 *const lim1 = name->c + MAX_DOMAIN_NAME - 1; // Limit of how much we can add (not counting final zero)
+ const mDNSu8 *const lim2 = ptr + 1 + MAX_DOMAIN_LABEL;
+ const mDNSu8 *const lim = (lim1 < lim2) ? lim1 : lim2;
+ mDNSu8 *lengthbyte = ptr++; // Record where the length is going to go
+
+ while (*cstr && ptr < lim) *ptr++ = (mDNSu8)*cstr++; // Copy the data
+ *lengthbyte = (mDNSu8)(ptr - lengthbyte - 1); // Fill in the length byte
+ *ptr++ = 0; // Put the null root label on the end
+ if (*cstr) return(mDNSNULL); // Failure: We didn't successfully consume all input
+ else return(ptr); // Success: return new value of ptr
+}
+
+// AppendDNSNameString appends zero or more labels to an existing (possibly empty) domainname.
+// The C string is in conventional DNS syntax:
+// Textual labels, escaped as necessary using the usual DNS '\' notation, separated by dots.
+// If successful, AppendDNSNameString returns a pointer to the next unused byte
+// in the domainname bufer (i.e. the next byte after the terminating zero).
+// If unable to construct a legal domain name (i.e. label more than 63 bytes, or total more than 256 bytes)
+// AppendDNSNameString returns mDNSNULL.
+mDNSexport mDNSu8 *AppendDNSNameString(domainname *const name, const char *cstring)
+{
+ const char *cstr = cstring;
+ mDNSu8 * ptr = name->c + DomainNameLength(name) - 1; // Find end of current name
+ const mDNSu8 *const lim = name->c + MAX_DOMAIN_NAME - 1; // Limit of how much we can add (not counting final zero)
+ while (*cstr && ptr < lim) // While more characters, and space to put them...
+ {
+ mDNSu8 *lengthbyte = ptr++; // Record where the length is going to go
+ if (*cstr == '.') { LogMsg("AppendDNSNameString: Illegal empty label in name \"%s\"", cstring); return(mDNSNULL); }
+ while (*cstr && *cstr != '.' && ptr < lim) // While we have characters in the label...
+ {
+ mDNSu8 c = (mDNSu8)*cstr++; // Read the character
+ if (c == '\\') // If escape character, check next character
+ {
+ c = (mDNSu8)*cstr++; // Assume we'll just take the next character
+ if (mDNSIsDigit(cstr[-1]) && mDNSIsDigit(cstr[0]) && mDNSIsDigit(cstr[1]))
+ { // If three decimal digits,
+ int v0 = cstr[-1] - '0'; // then interpret as three-digit decimal
+ int v1 = cstr[ 0] - '0';
+ int v2 = cstr[ 1] - '0';
+ int val = v0 * 100 + v1 * 10 + v2;
+ if (val <= 255) { c = (mDNSu8)val; cstr += 2; } // If valid three-digit decimal value, use it
+ }
+ }
+ *ptr++ = c; // Write the character
+ }
+ if (*cstr) cstr++; // Skip over the trailing dot (if present)
+ if (ptr - lengthbyte - 1 > MAX_DOMAIN_LABEL) // If illegal label, abort
+ return(mDNSNULL);
+ *lengthbyte = (mDNSu8)(ptr - lengthbyte - 1); // Fill in the length byte
+ }
+
+ *ptr++ = 0; // Put the null root label on the end
+ if (*cstr) return(mDNSNULL); // Failure: We didn't successfully consume all input
+ else return(ptr); // Success: return new value of ptr
+}
+
+// AppendDomainLabel appends a single label to a name.
+// If successful, AppendDomainLabel returns a pointer to the next unused byte
+// in the domainname bufer (i.e. the next byte after the terminating zero).
+// If unable to construct a legal domain name (i.e. label more than 63 bytes, or total more than 256 bytes)
+// AppendDomainLabel returns mDNSNULL.
+mDNSexport mDNSu8 *AppendDomainLabel(domainname *const name, const domainlabel *const label)
+{
+ int i;
+ mDNSu8 *ptr = name->c + DomainNameLength(name) - 1;
+
+ // Check label is legal
+ if (label->c[0] > MAX_DOMAIN_LABEL) return(mDNSNULL);
+
+ // Check that ptr + length byte + data bytes + final zero does not exceed our limit
+ if (ptr + 1 + label->c[0] + 1 > name->c + MAX_DOMAIN_NAME) return(mDNSNULL);
+
+ for (i=0; i<=label->c[0]; i++) *ptr++ = label->c[i]; // Copy the label data
+ *ptr++ = 0; // Put the null root label on the end
+ return(ptr);
+}
+
+mDNSexport mDNSu8 *AppendDomainName(domainname *const name, const domainname *const append)
+{
+ mDNSu8 * ptr = name->c + DomainNameLength(name) - 1; // Find end of current name
+ const mDNSu8 *const lim = name->c + MAX_DOMAIN_NAME - 1; // Limit of how much we can add (not counting final zero)
+ const mDNSu8 * src = append->c;
+ while (src[0])
+ {
+ int i;
+ if (ptr + 1 + src[0] > lim) return(mDNSNULL);
+ for (i=0; i<=src[0]; i++) *ptr++ = src[i];
+ *ptr = 0; // Put the null root label on the end
+ src += i;
+ }
+ return(ptr);
+}
+
+// MakeDomainLabelFromLiteralString makes a single domain label from a single literal C string (with no escaping).
+// If successful, MakeDomainLabelFromLiteralString returns mDNStrue.
+// If unable to convert the whole string to a legal domain label (i.e. because length is more than 63 bytes) then
+// MakeDomainLabelFromLiteralString makes a legal domain label from the first 63 bytes of the string and returns mDNSfalse.
+// In some cases silently truncated oversized names to 63 bytes is acceptable, so the return result may be ignored.
+// In other cases silent truncation may not be acceptable, so in those cases the calling function needs to check the return result.
+mDNSexport mDNSBool MakeDomainLabelFromLiteralString(domainlabel *const label, const char *cstr)
+{
+ mDNSu8 * ptr = label->c + 1; // Where we're putting it
+ const mDNSu8 *const limit = label->c + 1 + MAX_DOMAIN_LABEL; // The maximum we can put
+ while (*cstr && ptr < limit) *ptr++ = (mDNSu8)*cstr++; // Copy the label
+ label->c[0] = (mDNSu8)(ptr - label->c - 1); // Set the length byte
+ return(*cstr == 0); // Return mDNStrue if we successfully consumed all input
+}
+
+// MakeDomainNameFromDNSNameString makes a native DNS-format domainname from a C string.
+// The C string is in conventional DNS syntax:
+// Textual labels, escaped as necessary using the usual DNS '\' notation, separated by dots.
+// If successful, MakeDomainNameFromDNSNameString returns a pointer to the next unused byte
+// in the domainname bufer (i.e. the next byte after the terminating zero).
+// If unable to construct a legal domain name (i.e. label more than 63 bytes, or total more than 256 bytes)
+// MakeDomainNameFromDNSNameString returns mDNSNULL.
+mDNSexport mDNSu8 *MakeDomainNameFromDNSNameString(domainname *const name, const char *cstr)
+{
+ name->c[0] = 0; // Make an empty domain name
+ return(AppendDNSNameString(name, cstr)); // And then add this string to it
+}
+
+mDNSexport char *ConvertDomainLabelToCString_withescape(const domainlabel *const label, char *ptr, char esc)
+{
+ const mDNSu8 * src = label->c; // Domain label we're reading
+ const mDNSu8 len = *src++; // Read length of this (non-null) label
+ const mDNSu8 *const end = src + len; // Work out where the label ends
+ if (len > MAX_DOMAIN_LABEL) return(mDNSNULL); // If illegal label, abort
+ while (src < end) // While we have characters in the label
+ {
+ mDNSu8 c = *src++;
+ if (esc)
+ {
+ if (c == '.' || c == esc) // If character is a dot or the escape character
+ *ptr++ = esc; // Output escape character
+ else if (c <= ' ') // If non-printing ascii,
+ { // Output decimal escape sequence
+ *ptr++ = esc;
+ *ptr++ = (char) ('0' + (c / 100) );
+ *ptr++ = (char) ('0' + (c / 10) % 10);
+ c = (mDNSu8)('0' + (c ) % 10);
+ }
+ }
+ *ptr++ = (char)c; // Copy the character
+ }
+ *ptr = 0; // Null-terminate the string
+ return(ptr); // and return
+}
+
+// Note: To guarantee that there will be no possible overrun, cstr must be at least MAX_ESCAPED_DOMAIN_NAME (1009 bytes)
+mDNSexport char *ConvertDomainNameToCString_withescape(const domainname *const name, char *ptr, char esc)
+{
+ const mDNSu8 *src = name->c; // Domain name we're reading
+ const mDNSu8 *const max = name->c + MAX_DOMAIN_NAME; // Maximum that's valid
+
+ if (*src == 0) *ptr++ = '.'; // Special case: For root, just write a dot
+
+ while (*src) // While more characters in the domain name
+ {
+ if (src + 1 + *src >= max) return(mDNSNULL);
+ ptr = ConvertDomainLabelToCString_withescape((const domainlabel *)src, ptr, esc);
+ if (!ptr) return(mDNSNULL);
+ src += 1 + *src;
+ *ptr++ = '.'; // Write the dot after the label
+ }
+
+ *ptr++ = 0; // Null-terminate the string
+ return(ptr); // and return
+}
+
+// RFC 1034 rules:
+// Host names must start with a letter, end with a letter or digit,
+// and have as interior characters only letters, digits, and hyphen.
+// This was subsequently modified in RFC 1123 to allow the first character to be either a letter or a digit
+
+mDNSexport void ConvertUTF8PstringToRFC1034HostLabel(const mDNSu8 UTF8Name[], domainlabel *const hostlabel)
+{
+ const mDNSu8 * src = &UTF8Name[1];
+ const mDNSu8 *const end = &UTF8Name[1] + UTF8Name[0];
+ mDNSu8 * ptr = &hostlabel->c[1];
+ const mDNSu8 *const lim = &hostlabel->c[1] + MAX_DOMAIN_LABEL;
+ while (src < end)
+ {
+ // Delete apostrophes from source name
+ if (src[0] == '\'') { src++; continue; } // Standard straight single quote
+ if (src + 2 < end && src[0] == 0xE2 && src[1] == 0x80 && src[2] == 0x99)
+ { src += 3; continue; } // Unicode curly apostrophe
+ if (ptr < lim)
+ {
+ if (mDNSValidHostChar(*src, (ptr > &hostlabel->c[1]), (src < end-1))) *ptr++ = *src;
+ else if (ptr > &hostlabel->c[1] && ptr[-1] != '-') *ptr++ = '-';
+ }
+ src++;
+ }
+ while (ptr > &hostlabel->c[1] && ptr[-1] == '-') ptr--; // Truncate trailing '-' marks
+ hostlabel->c[0] = (mDNSu8)(ptr - &hostlabel->c[1]);
+}
+
+#define ValidTransportProtocol(X) ( (X)[0] == 4 && (X)[1] == '_' && \
+ ((((X)[2] | 0x20) == 'u' && ((X)[3] | 0x20) == 'd') || (((X)[2] | 0x20) == 't' && ((X)[3] | 0x20) == 'c')) && \
+ ((X)[4] | 0x20) == 'p')
+
+mDNSexport mDNSu8 *ConstructServiceName(domainname *const fqdn,
+ const domainlabel *name, const domainname *type, const domainname *const domain)
+{
+ int i, len;
+ mDNSu8 *dst = fqdn->c;
+ const mDNSu8 *src;
+ const char *errormsg;
+#if APPLE_OSX_mDNSResponder
+ mDNSBool loggedUnderscore = mDNSfalse;
+ static char typeBuf[MAX_ESCAPED_DOMAIN_NAME];
+#endif
+
+ // In the case where there is no name (and ONLY in that case),
+ // a single-label subtype is allowed as the first label of a three-part "type"
+ if (!name && type)
+ {
+ const mDNSu8 *s0 = type->c;
+ if (s0[0] && s0[0] < 0x40) // If legal first label (at least one character, and no more than 63)
+ {
+ const mDNSu8 * s1 = s0 + 1 + s0[0];
+ if (s1[0] && s1[0] < 0x40) // and legal second label (at least one character, and no more than 63)
+ {
+ const mDNSu8 *s2 = s1 + 1 + s1[0];
+ if (s2[0] && s2[0] < 0x40 && s2[1+s2[0]] == 0) // and we have three and only three labels
+ {
+ static const mDNSu8 SubTypeLabel[5] = mDNSSubTypeLabel;
+ src = s0; // Copy the first label
+ len = *src;
+ for (i=0; i <= len; i++) *dst++ = *src++;
+ for (i=0; i < (int)sizeof(SubTypeLabel); i++) *dst++ = SubTypeLabel[i];
+ type = (const domainname *)s1;
+
+ // Special support to enable the DNSServiceBrowse call made by Bonjour Browser
+ // For these queries, we retract the "._sub" we just added between the subtype and the main type
+ // Remove after Bonjour Browser is updated to use DNSServiceQueryRecord instead of DNSServiceBrowse
+ if (SameDomainName((domainname*)s0, (const domainname*)"\x09_services\x07_dns-sd\x04_udp"))
+ dst -= sizeof(SubTypeLabel);
+ }
+ }
+ }
+ }
+
+ if (name && name->c[0])
+ {
+ src = name->c; // Put the service name into the domain name
+ len = *src;
+ if (len >= 0x40) { errormsg = "Service instance name too long"; goto fail; }
+ for (i=0; i<=len; i++) *dst++ = *src++;
+ }
+ else
+ name = (domainlabel*)""; // Set this up to be non-null, to avoid errors if we have to call LogMsg() below
+
+ src = type->c; // Put the service type into the domain name
+ len = *src;
+ if (len < 2 || len > 16)
+ {
+ LogMsg("Bad service type in %#s.%##s%##s Application protocol name must be underscore plus 1-15 characters. "
+ "See <http://www.dns-sd.org/ServiceTypes.html>", name->c, type->c, domain->c);
+#if APPLE_OSX_mDNSResponder
+ ConvertDomainNameToCString(type, typeBuf);
+ mDNSASLLog(mDNSNULL, "serviceType.nameTooLong", "noop", typeBuf, "");
+#endif
+ }
+ if (len < 2 || len >= 0x40 || (len > 16 && !SameDomainName(domain, &localdomain))) return(mDNSNULL);
+ if (src[1] != '_') { errormsg = "Application protocol name must begin with underscore"; goto fail; }
+ for (i=2; i<=len; i++)
+ {
+ // Letters and digits are allowed anywhere
+ if (mDNSIsLetter(src[i]) || mDNSIsDigit(src[i])) continue;
+ // Hyphens are only allowed as interior characters
+ // Underscores are not supposed to be allowed at all, but for backwards compatibility with some old products we do allow them,
+ // with the same rule as hyphens
+ if ((src[i] == '-' || src[i] == '_') && i > 2 && i < len)
+ {
+#if APPLE_OSX_mDNSResponder
+ if (src[i] == '_' && loggedUnderscore == mDNSfalse)
+ {
+ ConvertDomainNameToCString(type, typeBuf);
+ mDNSASLLog(mDNSNULL, "serviceType.nameWithUnderscore", "noop", typeBuf, "");
+ loggedUnderscore = mDNStrue;
+ }
+#endif
+ continue;
+ }
+ errormsg = "Application protocol name must contain only letters, digits, and hyphens";
+#if APPLE_OSX_mDNSResponder
+ {
+ ConvertDomainNameToCString(type, typeBuf);
+ mDNSASLLog(mDNSNULL, "serviceType.nameWithIllegalCharacters", "noop", typeBuf, "");
+ }
+#endif
+ goto fail;
+ }
+ for (i=0; i<=len; i++) *dst++ = *src++;
+
+ len = *src;
+ if (!ValidTransportProtocol(src)) { errormsg = "Transport protocol name must be _udp or _tcp"; goto fail; }
+ for (i=0; i<=len; i++) *dst++ = *src++;
+
+ if (*src) { errormsg = "Service type must have only two labels"; goto fail; }
+
+ *dst = 0;
+ if (!domain->c[0]) { errormsg = "Service domain must be non-empty"; goto fail; }
+ if (SameDomainName(domain, (const domainname*)"\x05" "local" "\x04" "arpa"))
+ { errormsg = "Illegal domain \"local.arpa.\" Use \"local.\" (or empty string)"; goto fail; }
+ dst = AppendDomainName(fqdn, domain);
+ if (!dst) { errormsg = "Service domain too long"; goto fail; }
+ return(dst);
+
+fail:
+ LogMsg("ConstructServiceName: %s: %#s.%##s%##s", errormsg, name->c, type->c, domain->c);
+ return(mDNSNULL);
+}
+
+// A service name has the form: instance.application-protocol.transport-protocol.domain
+// DeconstructServiceName is currently fairly forgiving: It doesn't try to enforce character
+// set or length limits for the protocol names, and the final domain is allowed to be empty.
+// However, if the given FQDN doesn't contain at least three labels,
+// DeconstructServiceName will reject it and return mDNSfalse.
+mDNSexport mDNSBool DeconstructServiceName(const domainname *const fqdn,
+ domainlabel *const name, domainname *const type, domainname *const domain)
+{
+ int i, len;
+ const mDNSu8 *src = fqdn->c;
+ const mDNSu8 *max = fqdn->c + MAX_DOMAIN_NAME;
+ mDNSu8 *dst;
+
+ dst = name->c; // Extract the service name
+ len = *src;
+ if (!len) { debugf("DeconstructServiceName: FQDN empty!"); return(mDNSfalse); }
+ if (len >= 0x40) { debugf("DeconstructServiceName: Instance name too long"); return(mDNSfalse); }
+ for (i=0; i<=len; i++) *dst++ = *src++;
+
+ dst = type->c; // Extract the service type
+ len = *src;
+ if (!len) { debugf("DeconstructServiceName: FQDN contains only one label!"); return(mDNSfalse); }
+ if (len >= 0x40) { debugf("DeconstructServiceName: Application protocol name too long"); return(mDNSfalse); }
+ if (src[1] != '_') { debugf("DeconstructServiceName: No _ at start of application protocol"); return(mDNSfalse); }
+ for (i=0; i<=len; i++) *dst++ = *src++;
+
+ len = *src;
+ if (!len) { debugf("DeconstructServiceName: FQDN contains only two labels!"); return(mDNSfalse); }
+ if (!ValidTransportProtocol(src))
+ { debugf("DeconstructServiceName: Transport protocol must be _udp or _tcp"); return(mDNSfalse); }
+ for (i=0; i<=len; i++) *dst++ = *src++;
+ *dst++ = 0; // Put terminator on the end of service type
+
+ dst = domain->c; // Extract the service domain
+ while (*src)
+ {
+ len = *src;
+ if (len >= 0x40)
+ { debugf("DeconstructServiceName: Label in service domain too long"); return(mDNSfalse); }
+ if (src + 1 + len + 1 >= max)
+ { debugf("DeconstructServiceName: Total service domain too long"); return(mDNSfalse); }
+ for (i=0; i<=len; i++) *dst++ = *src++;
+ }
+ *dst++ = 0; // Put the null root label on the end
+
+ return(mDNStrue);
+}
+
+mDNSexport mStatus DNSNameToLowerCase(domainname *d, domainname *result)
+{
+ const mDNSu8 *a = d->c;
+ mDNSu8 *b = result->c;
+ const mDNSu8 *const max = d->c + MAX_DOMAIN_NAME;
+ int i, len;
+
+ while (*a)
+ {
+ if (a + 1 + *a >= max)
+ {
+ LogMsg("DNSNameToLowerCase: ERROR!! Malformed Domain name");
+ return mStatus_BadParamErr;
+ }
+ len = *a++;
+ *b++ = len;
+ for (i = 0; i < len; i++)
+ {
+ mDNSu8 ac = *a++;
+ if (mDNSIsUpperCase(ac)) ac += 'a' - 'A';
+ *b++ = ac;
+ }
+ }
+ *b = 0;
+
+ return mStatus_NoError;
+}
+
+mDNSexport const mDNSu8 *NSEC3HashName(const domainname *name, rdataNSEC3 *nsec3, const mDNSu8 *AnonData, int AnonDataLen,
+ const mDNSu8 hash[NSEC3_MAX_HASH_LEN], int *dlen)
+{
+ AlgContext *ctx;
+ int i;
+ domainname lname;
+ mDNSu8 *p = (mDNSu8 *)&nsec3->salt;
+ const mDNSu8 *digest;
+ int digestlen;
+ mDNSBool first = mDNStrue;
+
+ if (DNSNameToLowerCase((domainname *)name, &lname) != mStatus_NoError)
+ {
+ LogMsg("NSEC3HashName: ERROR!! DNSNameToLowerCase failed");
+ return mDNSNULL;
+ }
+
+ digest = lname.c;
+ digestlen = DomainNameLength(&lname);
+
+ // Note that it is "i <=". The first iteration is for digesting the name and salt.
+ // The iteration count does not include that.
+ for (i = 0; i <= swap16(nsec3->iterations); i++)
+ {
+ ctx = AlgCreate(DIGEST_ALG, nsec3->alg);
+ if (!ctx)
+ {
+ LogMsg("NSEC3HashName: ERROR!! Cannot allocate context");
+ return mDNSNULL;
+ }
+
+ AlgAdd(ctx, digest, digestlen);
+ if (nsec3->saltLength)
+ AlgAdd(ctx, p, nsec3->saltLength);
+ if (AnonDataLen)
+ AlgAdd(ctx, AnonData, AnonDataLen);
+ if (first)
+ {
+ first = mDNSfalse;
+ digest = hash;
+ digestlen = AlgLength(ctx);
+ }
+ AlgFinal(ctx, (void *)digest, digestlen);
+ AlgDestroy(ctx);
+ }
+ *dlen = digestlen;
+ return digest;
+}
+
+// Notes on UTF-8:
+// 0xxxxxxx represents a 7-bit ASCII value from 0x00 to 0x7F
+// 10xxxxxx is a continuation byte of a multi-byte character
+// 110xxxxx is the first byte of a 2-byte character (11 effective bits; values 0x 80 - 0x 800-1)
+// 1110xxxx is the first byte of a 3-byte character (16 effective bits; values 0x 800 - 0x 10000-1)
+// 11110xxx is the first byte of a 4-byte character (21 effective bits; values 0x 10000 - 0x 200000-1)
+// 111110xx is the first byte of a 5-byte character (26 effective bits; values 0x 200000 - 0x 4000000-1)
+// 1111110x is the first byte of a 6-byte character (31 effective bits; values 0x4000000 - 0x80000000-1)
+//
+// UTF-16 surrogate pairs are used in UTF-16 to encode values larger than 0xFFFF.
+// Although UTF-16 surrogate pairs are not supposed to appear in legal UTF-8, we want to be defensive
+// about that too. (See <http://www.unicode.org/faq/utf_bom.html#34>, "What are surrogates?")
+// The first of pair is a UTF-16 value in the range 0xD800-0xDBFF (11101101 1010xxxx 10xxxxxx in UTF-8),
+// and the second is a UTF-16 value in the range 0xDC00-0xDFFF (11101101 1011xxxx 10xxxxxx in UTF-8).
+
+mDNSexport mDNSu32 TruncateUTF8ToLength(mDNSu8 *string, mDNSu32 length, mDNSu32 max)
+{
+ if (length > max)
+ {
+ mDNSu8 c1 = string[max]; // First byte after cut point
+ mDNSu8 c2 = (max+1 < length) ? string[max+1] : (mDNSu8)0xB0; // Second byte after cut point
+ length = max; // Trim length down
+ while (length > 0)
+ {
+ // Check if the byte right after the chop point is a UTF-8 continuation byte,
+ // or if the character right after the chop point is the second of a UTF-16 surrogate pair.
+ // If so, then we continue to chop more bytes until we get to a legal chop point.
+ mDNSBool continuation = ((c1 & 0xC0) == 0x80);
+ mDNSBool secondsurrogate = (c1 == 0xED && (c2 & 0xF0) == 0xB0);
+ if (!continuation && !secondsurrogate) break;
+ c2 = c1;
+ c1 = string[--length];
+ }
+ // Having truncated characters off the end of our string, also cut off any residual white space
+ while (length > 0 && string[length-1] <= ' ') length--;
+ }
+ return(length);
+}
+
+// Returns true if a rich text label ends in " (nnn)", or if an RFC 1034
+// name ends in "-nnn", where n is some decimal number.
+mDNSexport mDNSBool LabelContainsSuffix(const domainlabel *const name, const mDNSBool RichText)
+{
+ mDNSu16 l = name->c[0];
+
+ if (RichText)
+ {
+ if (l < 4) return mDNSfalse; // Need at least " (2)"
+ if (name->c[l--] != ')') return mDNSfalse; // Last char must be ')'
+ if (!mDNSIsDigit(name->c[l])) return mDNSfalse; // Preceeded by a digit
+ l--;
+ while (l > 2 && mDNSIsDigit(name->c[l])) l--; // Strip off digits
+ return (name->c[l] == '(' && name->c[l - 1] == ' ');
+ }
+ else
+ {
+ if (l < 2) return mDNSfalse; // Need at least "-2"
+ if (!mDNSIsDigit(name->c[l])) return mDNSfalse; // Last char must be a digit
+ l--;
+ while (l > 2 && mDNSIsDigit(name->c[l])) l--; // Strip off digits
+ return (name->c[l] == '-');
+ }
+}
+
+// removes an auto-generated suffix (appended on a name collision) from a label. caller is
+// responsible for ensuring that the label does indeed contain a suffix. returns the number
+// from the suffix that was removed.
+mDNSexport mDNSu32 RemoveLabelSuffix(domainlabel *name, mDNSBool RichText)
+{
+ mDNSu32 val = 0, multiplier = 1;
+
+ // Chop closing parentheses from RichText suffix
+ if (RichText && name->c[0] >= 1 && name->c[name->c[0]] == ')') name->c[0]--;
+
+ // Get any existing numerical suffix off the name
+ while (mDNSIsDigit(name->c[name->c[0]]))
+ { val += (name->c[name->c[0]] - '0') * multiplier; multiplier *= 10; name->c[0]--; }
+
+ // Chop opening parentheses or dash from suffix
+ if (RichText)
+ {
+ if (name->c[0] >= 2 && name->c[name->c[0]] == '(' && name->c[name->c[0]-1] == ' ') name->c[0] -= 2;
+ }
+ else
+ {
+ if (name->c[0] >= 1 && name->c[name->c[0]] == '-') name->c[0] -= 1;
+ }
+
+ return(val);
+}
+
+// appends a numerical suffix to a label, with the number following a whitespace and enclosed
+// in parentheses (rich text) or following two consecutive hyphens (RFC 1034 domain label).
+mDNSexport void AppendLabelSuffix(domainlabel *const name, mDNSu32 val, const mDNSBool RichText)
+{
+ mDNSu32 divisor = 1, chars = 2; // Shortest possible RFC1034 name suffix is 2 characters ("-2")
+ if (RichText) chars = 4; // Shortest possible RichText suffix is 4 characters (" (2)")
+
+ // Truncate trailing spaces from RichText names
+ if (RichText) while (name->c[name->c[0]] == ' ') name->c[0]--;
+
+ while (divisor < 0xFFFFFFFFUL/10 && val >= divisor * 10) { divisor *= 10; chars++; }
+
+ name->c[0] = (mDNSu8) TruncateUTF8ToLength(name->c+1, name->c[0], MAX_DOMAIN_LABEL - chars);
+
+ if (RichText) { name->c[++name->c[0]] = ' '; name->c[++name->c[0]] = '('; }
+ else { name->c[++name->c[0]] = '-'; }
+
+ while (divisor)
+ {
+ name->c[++name->c[0]] = (mDNSu8)('0' + val / divisor);
+ val %= divisor;
+ divisor /= 10;
+ }
+
+ if (RichText) name->c[++name->c[0]] = ')';
+}
+
+mDNSexport void IncrementLabelSuffix(domainlabel *name, mDNSBool RichText)
+{
+ mDNSu32 val = 0;
+
+ if (LabelContainsSuffix(name, RichText))
+ val = RemoveLabelSuffix(name, RichText);
+
+ // If no existing suffix, start by renaming "Foo" as "Foo (2)" or "Foo-2" as appropriate.
+ // If existing suffix in the range 2-9, increment it.
+ // If we've had ten conflicts already, there are probably too many hosts trying to use the same name,
+ // so add a random increment to improve the chances of finding an available name next time.
+ if (val == 0) val = 2;
+ else if (val < 10) val++;
+ else val += 1 + mDNSRandom(99);
+
+ AppendLabelSuffix(name, val, RichText);
+}
+
+// ***************************************************************************
+#if COMPILER_LIKES_PRAGMA_MARK
+#pragma mark -
+#pragma mark - Resource Record Utility Functions
+#endif
+
+// Set up a AuthRecord with sensible default values.
+// These defaults may be overwritten with new values before mDNS_Register is called
+mDNSexport void mDNS_SetupResourceRecord(AuthRecord *rr, RData *RDataStorage, mDNSInterfaceID InterfaceID,
+ mDNSu16 rrtype, mDNSu32 ttl, mDNSu8 RecordType, AuthRecType artype, mDNSRecordCallback Callback, void *Context)
+{
+ //
+ // LocalOnly auth record can be created with LocalOnly InterfaceID or a valid InterfaceID.
+ // Most of the applications normally create with LocalOnly InterfaceID and we store them as
+ // such, so that we can deliver the response to questions that specify LocalOnly InterfaceID.
+ // LocalOnly resource records can also be created with valid InterfaceID which happens today
+ // when we create LocalOnly records for /etc/hosts.
+
+ if (InterfaceID == mDNSInterface_LocalOnly && artype != AuthRecordLocalOnly)
+ {
+ LogMsg("mDNS_SetupResourceRecord: ERROR!! Mismatch LocalOnly record InterfaceID %p called with artype %d", InterfaceID, artype);
+ return;
+ }
+ else if (InterfaceID == mDNSInterface_P2P && artype != AuthRecordP2P)
+ {
+ LogMsg("mDNS_SetupResourceRecord: ERROR!! Mismatch P2P record InterfaceID %p called with artype %d", InterfaceID, artype);
+ return;
+ }
+ else if (!InterfaceID && (artype == AuthRecordP2P || artype == AuthRecordLocalOnly))
+ {
+ LogMsg("mDNS_SetupResourceRecord: ERROR!! Mismatch InterfaceAny record InterfaceID %p called with artype %d", InterfaceID, artype);
+ return;
+ }
+
+ // Don't try to store a TTL bigger than we can represent in platform time units
+ if (ttl > 0x7FFFFFFFUL / mDNSPlatformOneSecond)
+ ttl = 0x7FFFFFFFUL / mDNSPlatformOneSecond;
+ else if (ttl == 0) // And Zero TTL is illegal
+ ttl = DefaultTTLforRRType(rrtype);
+
+ // Field Group 1: The actual information pertaining to this resource record
+ rr->resrec.RecordType = RecordType;
+ rr->resrec.InterfaceID = InterfaceID;
+ rr->resrec.name = &rr->namestorage;
+ rr->resrec.rrtype = rrtype;
+ rr->resrec.rrclass = kDNSClass_IN;
+ rr->resrec.rroriginalttl = ttl;
+ rr->resrec.rDNSServer = mDNSNULL;
+ rr->resrec.AnonInfo = mDNSNULL;
+// rr->resrec.rdlength = MUST set by client and/or in mDNS_Register_internal
+// rr->resrec.rdestimate = set in mDNS_Register_internal
+// rr->resrec.rdata = MUST be set by client
+
+ if (RDataStorage)
+ rr->resrec.rdata = RDataStorage;
+ else
+ {
+ rr->resrec.rdata = &rr->rdatastorage;
+ rr->resrec.rdata->MaxRDLength = sizeof(RDataBody);
+ }
+
+ // Field Group 2: Persistent metadata for Authoritative Records
+ rr->Additional1 = mDNSNULL;
+ rr->Additional2 = mDNSNULL;
+ rr->DependentOn = mDNSNULL;
+ rr->RRSet = mDNSNULL;
+ rr->RecordCallback = Callback;
+ rr->RecordContext = Context;
+
+ rr->AutoTarget = Target_Manual;
+ rr->AllowRemoteQuery = mDNSfalse;
+ rr->ForceMCast = mDNSfalse;
+
+ rr->WakeUp = zeroOwner;
+ rr->AddressProxy = zeroAddr;
+ rr->TimeRcvd = 0;
+ rr->TimeExpire = 0;
+ rr->ARType = artype;
+ rr->AuthFlags = 0;
+
+ // Field Group 3: Transient state for Authoritative Records (set in mDNS_Register_internal)
+ // Field Group 4: Transient uDNS state for Authoritative Records (set in mDNS_Register_internal)
+
+ // For now, until the uDNS code is fully integrated, it's helpful to zero the uDNS state fields here too, just in case
+ // (e.g. uDNS_RegisterService short-circuits the usual mDNS_Register_internal record registration calls, so a bunch
+ // of fields don't get set up properly. In particular, if we don't zero rr->QueuedRData then the uDNS code crashes.)
+ rr->state = regState_Zero;
+ rr->uselease = 0;
+ rr->expire = 0;
+ rr->Private = 0;
+ rr->updateid = zeroID;
+ rr->zone = rr->resrec.name;
+ rr->nta = mDNSNULL;
+ rr->tcp = mDNSNULL;
+ rr->OrigRData = 0;
+ rr->OrigRDLen = 0;
+ rr->InFlightRData = 0;
+ rr->InFlightRDLen = 0;
+ rr->QueuedRData = 0;
+ rr->QueuedRDLen = 0;
+ mDNSPlatformMemZero(&rr->NATinfo, sizeof(rr->NATinfo));
+ rr->SRVChanged = mDNSfalse;
+ rr->mState = mergeState_Zero;
+
+ rr->namestorage.c[0] = 0; // MUST be set by client before calling mDNS_Register()
+}
+
+mDNSexport void mDNS_SetupQuestion(DNSQuestion *const q, const mDNSInterfaceID InterfaceID, const domainname *const name,
+ const mDNSu16 qtype, mDNSQuestionCallback *const callback, void *const context)
+{
+ q->InterfaceID = InterfaceID;
+ q->flags = 0;
+ q->Target = zeroAddr;
+ AssignDomainName(&q->qname, name);
+ q->qtype = qtype;
+ q->qclass = kDNSClass_IN;
+ q->LongLived = (qtype == kDNSType_PTR);
+ q->ExpectUnique = (qtype != kDNSType_PTR);
+ q->ForceMCast = mDNSfalse;
+ q->ReturnIntermed = mDNSfalse;
+ q->SuppressUnusable = mDNSfalse;
+ q->SearchListIndex = 0;
+ q->AppendSearchDomains = 0;
+ q->RetryWithSearchDomains = mDNSfalse;
+ q->TimeoutQuestion = 0;
+ q->WakeOnResolve = 0;
+ q->UseBackgroundTrafficClass = mDNSfalse;
+ q->ValidationRequired = 0;
+ q->ValidatingResponse = 0;
+ q->ProxyQuestion = 0;
+ q->qnameOrig = mDNSNULL;
+ q->AnonInfo = mDNSNULL;
+ q->pid = mDNSPlatformGetPID();
+ q->DisallowPID = mDNSfalse;
+ q->ServiceID = -1;
+ q->QuestionCallback = callback;
+ q->QuestionContext = context;
+}
+
+mDNSexport mDNSu32 RDataHashValue(const ResourceRecord *const rr)
+{
+ int len = rr->rdlength;
+ const RDataBody2 *const rdb = (RDataBody2 *)rr->rdata->u.data;
+ const mDNSu8 *ptr = rdb->data;
+ mDNSu32 sum = 0;
+
+ switch(rr->rrtype)
+ {
+ case kDNSType_NS:
+ case kDNSType_MD:
+ case kDNSType_MF:
+ case kDNSType_CNAME:
+ case kDNSType_MB:
+ case kDNSType_MG:
+ case kDNSType_MR:
+ case kDNSType_PTR:
+ case kDNSType_NSAP_PTR:
+ case kDNSType_DNAME: return DomainNameHashValue(&rdb->name);
+
+ case kDNSType_SOA: return rdb->soa.serial +
+ rdb->soa.refresh +
+ rdb->soa.retry +
+ rdb->soa.expire +
+ rdb->soa.min +
+ DomainNameHashValue(&rdb->soa.mname) +
+ DomainNameHashValue(&rdb->soa.rname);
+
+ case kDNSType_MX:
+ case kDNSType_AFSDB:
+ case kDNSType_RT:
+ case kDNSType_KX: return DomainNameHashValue(&rdb->mx.exchange);
+
+ case kDNSType_MINFO:
+ case kDNSType_RP: return DomainNameHashValue(&rdb->rp.mbox) + DomainNameHashValue(&rdb->rp.txt);
+
+ case kDNSType_PX: return DomainNameHashValue(&rdb->px.map822) + DomainNameHashValue(&rdb->px.mapx400);
+
+ case kDNSType_SRV: return DomainNameHashValue(&rdb->srv.target);
+
+ case kDNSType_OPT: return 0; // OPT is a pseudo-RR container structure; makes no sense to compare
+
+ case kDNSType_NSEC: {
+ int dlen;
+ dlen = DomainNameLength((domainname *)rdb->data);
+ sum = DomainNameHashValue((domainname *)rdb->data);
+ ptr += dlen;
+ len -= dlen;
+ /* FALLTHROUGH */
+ }
+
+ default:
+ {
+ int i;
+ for (i=0; i+1 < len; i+=2)
+ {
+ sum += (((mDNSu32)(ptr[i])) << 8) | ptr[i+1];
+ sum = (sum<<3) | (sum>>29);
+ }
+ if (i < len)
+ {
+ sum += ((mDNSu32)(ptr[i])) << 8;
+ }
+ return(sum);
+ }
+ }
+}
+
+// r1 has to be a full ResourceRecord including rrtype and rdlength
+// r2 is just a bare RDataBody, which MUST be the same rrtype and rdlength as r1
+mDNSexport mDNSBool SameRDataBody(const ResourceRecord *const r1, const RDataBody *const r2, DomainNameComparisonFn *samename)
+{
+ const RDataBody2 *const b1 = (RDataBody2 *)r1->rdata->u.data;
+ const RDataBody2 *const b2 = (RDataBody2 *)r2;
+ switch(r1->rrtype)
+ {
+ case kDNSType_NS:
+ case kDNSType_MD:
+ case kDNSType_MF:
+ case kDNSType_CNAME:
+ case kDNSType_MB:
+ case kDNSType_MG:
+ case kDNSType_MR:
+ case kDNSType_PTR:
+ case kDNSType_NSAP_PTR:
+ case kDNSType_DNAME: return(SameDomainName(&b1->name, &b2->name));
+
+ case kDNSType_SOA: return (mDNSBool)( b1->soa.serial == b2->soa.serial &&
+ b1->soa.refresh == b2->soa.refresh &&
+ b1->soa.retry == b2->soa.retry &&
+ b1->soa.expire == b2->soa.expire &&
+ b1->soa.min == b2->soa.min &&
+ samename(&b1->soa.mname, &b2->soa.mname) &&
+ samename(&b1->soa.rname, &b2->soa.rname));
+
+ case kDNSType_MX:
+ case kDNSType_AFSDB:
+ case kDNSType_RT:
+ case kDNSType_KX: return (mDNSBool)( b1->mx.preference == b2->mx.preference &&
+ samename(&b1->mx.exchange, &b2->mx.exchange));
+
+ case kDNSType_MINFO:
+ case kDNSType_RP: return (mDNSBool)( samename(&b1->rp.mbox, &b2->rp.mbox) &&
+ samename(&b1->rp.txt, &b2->rp.txt));
+
+ case kDNSType_PX: return (mDNSBool)( b1->px.preference == b2->px.preference &&
+ samename(&b1->px.map822, &b2->px.map822) &&
+ samename(&b1->px.mapx400, &b2->px.mapx400));
+
+ case kDNSType_SRV: return (mDNSBool)( b1->srv.priority == b2->srv.priority &&
+ b1->srv.weight == b2->srv.weight &&
+ mDNSSameIPPort(b1->srv.port, b2->srv.port) &&
+ samename(&b1->srv.target, &b2->srv.target));
+
+ case kDNSType_OPT: return mDNSfalse; // OPT is a pseudo-RR container structure; makes no sense to compare
+ case kDNSType_NSEC: {
+ // If the "nxt" name changes in case, we want to delete the old
+ // and store just the new one. If the caller passes in SameDomainCS for "samename",
+ // we would return "false" when the only change between the two rdata is the case
+ // change in "nxt".
+ //
+ // Note: rdlength of both the RData are same (ensured by the caller) and hence we can
+ // use just r1->rdlength below
+
+ int dlen1 = DomainNameLength((domainname *)b1->data);
+ int dlen2 = DomainNameLength((domainname *)b2->data);
+ return (mDNSBool)(dlen1 == dlen2 &&
+ samename((domainname *)b1->data, (domainname *)b2->data) &&
+ mDNSPlatformMemSame(b1->data + dlen1, b2->data + dlen2, r1->rdlength - dlen1));
+ }
+
+ default: return(mDNSPlatformMemSame(b1->data, b2->data, r1->rdlength));
+ }
+}
+
+mDNSexport mDNSBool BitmapTypeCheck(mDNSu8 *bmap, int bitmaplen, mDNSu16 type)
+{
+ int win, wlen;
+ int wintype;
+
+ // The window that this type belongs to. NSEC has 256 windows that
+ // comprises of 256 types.
+ wintype = type >> 8;
+
+ while (bitmaplen > 0)
+ {
+ if (bitmaplen < 3)
+ {
+ LogInfo("BitmapTypeCheck: malformed nsec, bitmaplen %d short", bitmaplen);
+ return mDNSfalse;
+ }
+
+ win = *bmap++;
+ wlen = *bmap++;
+ bitmaplen -= 2;
+ if (bitmaplen < wlen || wlen < 1 || wlen > 32)
+ {
+ LogInfo("BitmapTypeCheck: malformed nsec, bitmaplen %d wlen %d, win %d", bitmaplen, wlen, win);
+ return mDNSfalse;
+ }
+ if (win < 0 || win >= 256)
+ {
+ LogInfo("BitmapTypeCheck: malformed nsec, wlen %d", wlen);
+ return mDNSfalse;
+ }
+ if (win == wintype)
+ {
+ // First byte in the window serves 0 to 7, the next one serves 8 to 15 and so on.
+ // Calculate the right byte offset first.
+ int boff = (type & 0xff ) >> 3;
+ if (wlen <= boff)
+ return mDNSfalse;
+ // The last three bits values 0 to 7 corresponds to bit positions
+ // within the byte.
+ return (bmap[boff] & (0x80 >> (type & 7)));
+ }
+ else
+ {
+ // If the windows are ordered, then we could check to see
+ // if wintype > win and then return early.
+ bmap += wlen;
+ bitmaplen -= wlen;
+ }
+ }
+ return mDNSfalse;
+}
+
+// Don't call this function if the resource record is not NSEC. It will return false
+// which means that the type does not exist.
+mDNSexport mDNSBool RRAssertsExistence(const ResourceRecord *const rr, mDNSu16 type)
+{
+ const RDataBody2 *const rdb = (RDataBody2 *)rr->rdata->u.data;
+ mDNSu8 *nsec = (mDNSu8 *)rdb->data;
+ int len, bitmaplen;
+ mDNSu8 *bmap;
+
+ if (rr->rrtype != kDNSType_NSEC) return mDNSfalse;
+
+ len = DomainNameLength((domainname *)nsec);
+
+ bitmaplen = rr->rdlength - len;
+ bmap = nsec + len;
+ return (BitmapTypeCheck(bmap, bitmaplen, type));
+}
+
+// Don't call this function if the resource record is not NSEC. It will return false
+// which means that the type exists.
+mDNSexport mDNSBool RRAssertsNonexistence(const ResourceRecord *const rr, mDNSu16 type)
+{
+ if (rr->rrtype != kDNSType_NSEC) return mDNSfalse;
+
+ return !RRAssertsExistence(rr, type);
+}
+
+// Checks whether the RRSIG or NSEC record answers the question "q".
+mDNSlocal mDNSBool DNSSECRecordAnswersQuestion(const ResourceRecord *const rr, const DNSQuestion *const q, mDNSBool *checkType)
+{
+ *checkType = mDNStrue;
+
+ // This function is called for all questions and as long as the type matches,
+ // return true. For the types (RRSIG and NSEC) that are specifically checked in
+ // this function, returning true still holds good.
+ if (q->qtype == rr->rrtype)
+ return mDNStrue;
+
+ // For DS and DNSKEY questions, the types should match i.e., don't answer using CNAME
+ // records as it answers any question type.
+ //
+ // - DS record comes from the parent zone where CNAME record cannot coexist and hence
+ // cannot possibly answer it.
+ //
+ // - For DNSKEY, one could potentially follow CNAME but there could be a DNSKEY at
+ // the "qname" itself. To keep it simple, we don't follow CNAME.
+
+ if ((q->qtype == kDNSType_DS || q->qtype == kDNSType_DNSKEY) && (q->qtype != rr->rrtype))
+ {
+ debugf("DNSSECRecordAnswersQuestion: %d type resource record matched question %##s (%s), ignoring", rr->rrtype,
+ q->qname.c, DNSTypeName(q->qtype));
+ return mDNSfalse;
+ }
+
+ // If we are validating a response using DNSSEC, we might already have the records
+ // for the "q->qtype" in the cache but we issued a query with DO bit set
+ // to get the RRSIGs e.g., if you have two questions one of which does not require
+ // DNSSEC validation. When the RRSIG is added to the cache, we need to deliver
+ // the response to the question. The RRSIG type won't match the q->qtype and hence
+ // we need to bypass the check in that case.
+ if (rr->rrtype == kDNSType_RRSIG && q->ValidatingResponse)
+ {
+ const RDataBody2 *const rdb = (RDataBody2 *)rr->rdata->u.data;
+ rdataRRSig *rrsig = (rdataRRSig *)rdb->data;
+ mDNSu16 typeCovered = swap16(rrsig->typeCovered);
+ debugf("DNSSECRecordAnswersQuestion: Matching RRSIG typeCovered %s", DNSTypeName(typeCovered));
+ if (typeCovered != kDNSType_CNAME && typeCovered != q->qtype)
+ {
+ debugf("DNSSECRecordAnswersQuestion: RRSIG did not match question %##s (%s)", q->qname.c,
+ DNSTypeName(q->qtype));
+ return mDNSfalse;
+ }
+ LogInfo("DNSSECRecordAnswersQuestion: RRSIG matched question %##s (%s)", q->qname.c,
+ DNSTypeName(q->qtype));
+ *checkType = mDNSfalse;
+ return mDNStrue;
+ }
+ // If the NSEC record asserts the non-existence of a name looked up by the question, we would
+ // typically answer that e.g., the bitmap asserts that q->qtype does not exist. If we have
+ // to prove the non-existence as required by ValidatingResponse and ValidationRequired question,
+ // then we should not answer that as it may not be the right one always. We may need more than
+ // one NSEC to prove the non-existence.
+ if (rr->rrtype == kDNSType_NSEC && DNSSECQuestion(q))
+ {
+ debugf("DNSSECRecordAnswersQuestion: Question %##s (%s) matched record %##s (NSEC)", q->qname.c,
+ DNSTypeName(q->qtype), rr->name->c);
+ return mDNSfalse;
+ }
+ return mDNStrue;
+}
+
+// ResourceRecordAnswersQuestion returns mDNStrue if the given resource record is a valid answer to the given question.
+// SameNameRecordAnswersQuestion is the same, except it skips the expensive SameDomainName() call.
+// SameDomainName() is generally cheap when the names don't match, but expensive when they do match,
+// because it has to check all the way to the end of the names to be sure.
+// In cases where we know in advance that the names match it's especially advantageous to skip the
+// SameDomainName() call because that's precisely the time when it's most expensive and least useful.
+
+mDNSexport mDNSBool SameNameRecordAnswersQuestion(const ResourceRecord *const rr, const DNSQuestion *const q)
+{
+ mDNSBool checkType = mDNStrue;
+
+ // LocalOnly/P2P questions can be answered with AuthRecordAny in this function. LocalOnly/P2P records
+ // are handled in LocalOnlyRecordAnswersQuestion
+ if ((rr->InterfaceID == mDNSInterface_LocalOnly) || (rr->InterfaceID == mDNSInterface_P2P))
+ {
+ LogMsg("SameNameRecordAnswersQuestion: ERROR!! called with LocalOnly ResourceRecord %p, Question %p", rr->InterfaceID, q->InterfaceID);
+ return mDNSfalse;
+ }
+ if (QuerySuppressed(q))
+ return mDNSfalse;
+
+ if (rr->InterfaceID &&
+ q->InterfaceID && q->InterfaceID != mDNSInterface_LocalOnly &&
+ rr->InterfaceID != q->InterfaceID) return(mDNSfalse);
+
+ // Resource record received via unicast, the resolver group ID should match ?
+ if (!rr->InterfaceID)
+ {
+ mDNSu16 idr = (rr->rDNSServer ? rr->rDNSServer->resGroupID : 0);
+ mDNSu16 idq = (q->qDNSServer ? q->qDNSServer->resGroupID : 0);
+ if (idr != idq) return(mDNSfalse);
+ if (!DNSSECRecordAnswersQuestion(rr, q, &checkType)) return mDNSfalse;
+ }
+
+ // If ResourceRecord received via multicast, but question was unicast, then shouldn't use record to answer this question
+ if (rr->InterfaceID && !mDNSOpaque16IsZero(q->TargetQID)) return(mDNSfalse);
+
+ // CNAME answers question of any type and a negative cache record should not prevent us from querying other
+ // valid types at the same name.
+ if (rr->rrtype == kDNSType_CNAME && rr->RecordType == kDNSRecordTypePacketNegative && rr->rrtype != q->qtype)
+ return mDNSfalse;
+
+ // RR type CNAME matches any query type. QTYPE ANY matches any RR type. QCLASS ANY matches any RR class.
+ if (checkType && !RRTypeAnswersQuestionType(rr,q->qtype)) return(mDNSfalse);
+ if (rr->rrclass != q->qclass && q->qclass != kDNSQClass_ANY) return(mDNSfalse);
+
+#if APPLE_OSX_mDNSResponder
+ if (!mDNSPlatformValidRecordForQuestion(rr, q))
+ return mDNSfalse;
+#endif // APPLE_OSX_mDNSResponder
+
+ if (!AnonInfoAnswersQuestion(rr, q))
+ return mDNSfalse;
+
+ return(mDNStrue);
+}
+
+mDNSexport mDNSBool ResourceRecordAnswersQuestion(const ResourceRecord *const rr, const DNSQuestion *const q)
+{
+ if (!SameNameRecordAnswersQuestion(rr, q))
+ return mDNSfalse;
+
+ return(rr->namehash == q->qnamehash && SameDomainName(rr->name, &q->qname));
+}
+
+// We have a separate function to handle LocalOnly AuthRecords because they can be created with
+// a valid InterfaceID (e.g., scoped /etc/hosts) and can be used to answer unicast questions unlike
+// multicast resource records (which has a valid InterfaceID) which can't be used to answer
+// unicast questions. ResourceRecordAnswersQuestion/SameNameRecordAnswersQuestion can't tell whether
+// a resource record is multicast or LocalOnly by just looking at the ResourceRecord because
+// LocalOnly records are truly identified by ARType in the AuthRecord. As P2P and LocalOnly record
+// are kept in the same hash table, we use the same function to make it easy for the callers when
+// they walk the hash table to answer LocalOnly/P2P questions
+//
+mDNSexport mDNSBool LocalOnlyRecordAnswersQuestion(AuthRecord *const ar, const DNSQuestion *const q)
+{
+ ResourceRecord *rr = &ar->resrec;
+
+ // mDNSInterface_Any questions can be answered with LocalOnly/P2P records in this function. AuthRecord_Any
+ // records are handled in ResourceRecordAnswersQuestion/SameNameRecordAnswersQuestion
+ if (RRAny(ar))
+ {
+ LogMsg("LocalOnlyRecordAnswersQuestion: ERROR!! called with regular AuthRecordAny %##s", rr->name->c);
+ return mDNSfalse;
+ }
+
+ // Questions with mDNSInterface_LocalOnly InterfaceID should be answered with all resource records that are
+ // *local* to the machine. These include resource records that have InterfaceID set to mDNSInterface_LocalOnly,
+ // mDNSInterface_Any and any other real InterfaceID. Hence, LocalOnly questions should not be checked against
+ // the InterfaceID in the resource record.
+ //
+ // mDNSInterface_Unicast does not indicate any scope and hence treat them like mDNSInterface_Any.
+
+ if (rr->InterfaceID &&
+ q->InterfaceID && q->InterfaceID != mDNSInterface_LocalOnly && q->InterfaceID != mDNSInterface_Unicast &&
+ rr->InterfaceID != q->InterfaceID) return(mDNSfalse);
+
+ // Entries in /etc/hosts are added as LocalOnly resource records. The LocalOnly resource records
+ // may have a scope e.g., fe80::1%en0. The question may be scoped or not: the InterfaceID may be set
+ // to mDNSInterface_Any, mDNSInterface_LocalOnly or a real InterfaceID (scoped).
+ //
+ // 1) Question: Any, LocalOnly Record: no scope. This question should be answered with this record.
+ //
+ // 2) Question: Any, LocalOnly Record: scoped. This question should be answered with the record because
+ // traditionally applications never specify scope e.g., getaddrinfo, but need to be able
+ // to get to /etc/hosts entries.
+ //
+ // 3) Question: Scoped (LocalOnly or InterfaceID), LocalOnly Record: no scope. This is the inverse of (2).
+ // If we register a LocalOnly record, we need to answer a LocalOnly question. If the /etc/hosts has a
+ // non scoped entry, it may not make sense to answer a scoped question. But we can't tell these two
+ // cases apart. As we currently answer LocalOnly question with LocalOnly record, we continue to do so.
+ //
+ // 4) Question: Scoped (LocalOnly or InterfaceID), LocalOnly Record: scoped. LocalOnly questions should be
+ // answered with any resource record where as if it has a valid InterfaceID, the scope should match.
+ //
+ // (1) and (2) is bypassed because we check for a non-NULL InterfaceID above. For (3), the InterfaceID is NULL
+ // and hence bypassed above. For (4) we bypassed LocalOnly questions and checked the scope of the record
+ // against the question.
+ //
+ // For P2P, InterfaceIDs of the question and the record should match.
+
+ // If ResourceRecord received via multicast, but question was unicast, then shouldn't use record to answer this question.
+ // LocalOnly authoritative answers are exempt. LocalOnly authoritative answers are used for /etc/host entries.
+ // We don't want a local process to be able to create a fake LocalOnly address record for "www.bigbank.com" which would then
+ // cause other applications (e.g. Safari) to connect to the wrong address. The rpc to register records filters out records
+ // with names that don't end in local and have mDNSInterface_LocalOnly set.
+ //
+ // Note: The check is bypassed for LocalOnly and for P2P it is not needed as only .local records are registered and for
+ // a question to match its names, it also has to end in .local and that question can't be a unicast question (See
+ // Question_uDNS macro and its usage). As P2P does not enforce .local only registrations we still make this check
+ // and also makes it future proof.
+
+ if (ar->ARType != AuthRecordLocalOnly && rr->InterfaceID && !mDNSOpaque16IsZero(q->TargetQID)) return(mDNSfalse);
+
+ // RR type CNAME matches any query type. QTYPE ANY matches any RR type. QCLASS ANY matches any RR class.
+ if (!RRTypeAnswersQuestionType(rr,q->qtype)) return(mDNSfalse);
+ if (rr->rrclass != q->qclass && q->qclass != kDNSQClass_ANY) return(mDNSfalse);
+
+ if (!AnonInfoAnswersQuestion(rr, q))
+ return mDNSfalse;
+
+ return(rr->namehash == q->qnamehash && SameDomainName(rr->name, &q->qname));
+}
+
+mDNSexport mDNSBool AnyTypeRecordAnswersQuestion(const ResourceRecord *const rr, const DNSQuestion *const q)
+{
+ // LocalOnly/P2P questions can be answered with AuthRecordAny in this function. LocalOnly/P2P records
+ // are handled in LocalOnlyRecordAnswersQuestion
+ if ((rr->InterfaceID == mDNSInterface_LocalOnly) || (rr->InterfaceID == mDNSInterface_P2P))
+ {
+ LogMsg("AnyTypeRecordAnswersQuestion: ERROR!! called with LocalOnly ResourceRecord %p, Question %p", rr->InterfaceID, q->InterfaceID);
+ return mDNSfalse;
+ }
+ if (rr->InterfaceID &&
+ q->InterfaceID && q->InterfaceID != mDNSInterface_LocalOnly &&
+ rr->InterfaceID != q->InterfaceID) return(mDNSfalse);
+
+ // Resource record received via unicast, the resolver group ID should match ?
+ // Note that Auth Records are normally setup with NULL InterfaceID and
+ // both the DNSServers are assumed to be NULL in that case
+ if (!rr->InterfaceID)
+ {
+ mDNSu16 idr = (rr->rDNSServer ? rr->rDNSServer->resGroupID : 0);
+ mDNSu16 idq = (q->qDNSServer ? q->qDNSServer->resGroupID : 0);
+ if (idr != idq) return(mDNSfalse);
+ }
+
+ // If ResourceRecord received via multicast, but question was unicast, then shouldn't use record to answer this question
+ if (rr->InterfaceID && !mDNSOpaque16IsZero(q->TargetQID)) return(mDNSfalse);
+
+ if (rr->rrclass != q->qclass && q->qclass != kDNSQClass_ANY) return(mDNSfalse);
+
+ if (!AnonInfoAnswersQuestion(rr, q))
+ return mDNSfalse;
+
+ return(rr->namehash == q->qnamehash && SameDomainName(rr->name, &q->qname));
+}
+
+// This is called with both unicast resource record and multicast resource record. The question that
+// received the unicast response could be the regular unicast response from a DNS server or a response
+// to a mDNS QU query. The main reason we need this function is that we can't compare DNSServers between the
+// question and the resource record because the resource record is not completely initialized in
+// mDNSCoreReceiveResponse when this function is called.
+mDNSexport mDNSBool ResourceRecordAnswersUnicastResponse(const ResourceRecord *const rr, const DNSQuestion *const q)
+{
+ mDNSBool checkType = mDNStrue;
+
+ if (QuerySuppressed(q))
+ return mDNSfalse;
+
+ // For resource records created using multicast, the InterfaceIDs have to match
+ if (rr->InterfaceID &&
+ q->InterfaceID && rr->InterfaceID != q->InterfaceID) return(mDNSfalse);
+
+ // If ResourceRecord received via multicast, but question was unicast, then shouldn't use record to answer this question.
+ if (rr->InterfaceID && !mDNSOpaque16IsZero(q->TargetQID)) return(mDNSfalse);
+
+ if (!DNSSECRecordAnswersQuestion(rr, q, &checkType)) return mDNSfalse;
+
+ // RR type CNAME matches any query type. QTYPE ANY matches any RR type. QCLASS ANY matches any RR class.
+ if (checkType && !RRTypeAnswersQuestionType(rr,q->qtype)) return(mDNSfalse);
+
+ if (rr->rrclass != q->qclass && q->qclass != kDNSQClass_ANY) return(mDNSfalse);
+
+ return(rr->namehash == q->qnamehash && SameDomainName(rr->name, &q->qname));
+}
+
+mDNSexport mDNSu16 GetRDLength(const ResourceRecord *const rr, mDNSBool estimate)
+{
+ const RDataBody2 *const rd = (RDataBody2 *)rr->rdata->u.data;
+ const domainname *const name = estimate ? rr->name : mDNSNULL;
+ if (rr->rrclass == kDNSQClass_ANY) return(rr->rdlength); // Used in update packets to mean "Delete An RRset" (RFC 2136)
+ else switch (rr->rrtype)
+ {
+ case kDNSType_A: return(sizeof(rd->ipv4));
+
+ case kDNSType_NS:
+ case kDNSType_CNAME:
+ case kDNSType_PTR:
+ case kDNSType_DNAME: return(CompressedDomainNameLength(&rd->name, name));
+
+ case kDNSType_SOA: return (mDNSu16)(CompressedDomainNameLength(&rd->soa.mname, name) +
+ CompressedDomainNameLength(&rd->soa.rname, name) +
+ 5 * sizeof(mDNSOpaque32));
+
+ case kDNSType_NULL:
+ case kDNSType_TSIG:
+ case kDNSType_TXT:
+ case kDNSType_X25:
+ case kDNSType_ISDN:
+ case kDNSType_LOC:
+ case kDNSType_DHCID: return(rr->rdlength); // Not self-describing, so have to just trust rdlength
+
+ case kDNSType_HINFO: return (mDNSu16)(2 + (int)rd->data[0] + (int)rd->data[1 + (int)rd->data[0]]);
+
+ case kDNSType_MX:
+ case kDNSType_AFSDB:
+ case kDNSType_RT:
+ case kDNSType_KX: return (mDNSu16)(2 + CompressedDomainNameLength(&rd->mx.exchange, name));
+
+ case kDNSType_RP: return (mDNSu16)(CompressedDomainNameLength(&rd->rp.mbox, name) +
+ CompressedDomainNameLength(&rd->rp.txt, name));
+
+ case kDNSType_PX: return (mDNSu16)(2 + CompressedDomainNameLength(&rd->px.map822, name) +
+ CompressedDomainNameLength(&rd->px.mapx400, name));
+
+ case kDNSType_AAAA: return(sizeof(rd->ipv6));
+
+ case kDNSType_SRV: return (mDNSu16)(6 + CompressedDomainNameLength(&rd->srv.target, name));
+
+ case kDNSType_OPT: return(rr->rdlength);
+
+ case kDNSType_NSEC: {
+ domainname *next = (domainname *)rd->data;
+ int dlen = DomainNameLength(next);
+ //
+ if (UNICAST_NSEC(rr))
+ return (mDNSu16)(CompressedDomainNameLength(next, name) + rr->rdlength - dlen);
+ else
+ return (mDNSu16)((estimate ? 2 : dlen) + rr->rdlength - dlen);
+ }
+
+ default: debugf("Warning! Don't know how to get length of resource type %d", rr->rrtype);
+ return(rr->rdlength);
+ }
+}
+
+// When a local client registers (or updates) a record, we use this routine to do some simple validation checks
+// to help reduce the risk of bogus malformed data on the network
+mDNSexport mDNSBool ValidateRData(const mDNSu16 rrtype, const mDNSu16 rdlength, const RData *const rd)
+{
+ mDNSu16 len;
+
+ switch(rrtype)
+ {
+ case kDNSType_A: return(rdlength == sizeof(mDNSv4Addr));
+
+ case kDNSType_NS: // Same as PTR
+ case kDNSType_MD: // Same as PTR
+ case kDNSType_MF: // Same as PTR
+ case kDNSType_CNAME: // Same as PTR
+ //case kDNSType_SOA not checked
+ case kDNSType_MB: // Same as PTR
+ case kDNSType_MG: // Same as PTR
+ case kDNSType_MR: // Same as PTR
+ //case kDNSType_NULL not checked (no specified format, so always valid)
+ //case kDNSType_WKS not checked
+ case kDNSType_PTR: len = DomainNameLengthLimit(&rd->u.name, rd->u.data + rdlength);
+ return(len <= MAX_DOMAIN_NAME && rdlength == len);
+
+ case kDNSType_HINFO: // Same as TXT (roughly)
+ case kDNSType_MINFO: // Same as TXT (roughly)
+ case kDNSType_TXT: if (!rdlength) return(mDNSfalse); // TXT record has to be at least one byte (RFC 1035)
+ {
+ const mDNSu8 *ptr = rd->u.txt.c;
+ const mDNSu8 *end = rd->u.txt.c + rdlength;
+ while (ptr < end) ptr += 1 + ptr[0];
+ return (ptr == end);
+ }
+
+ case kDNSType_AAAA: return(rdlength == sizeof(mDNSv6Addr));
+
+ case kDNSType_MX: // Must be at least two-byte preference, plus domainname
+ // Call to DomainNameLengthLimit() implicitly enforces both requirements for us
+ len = DomainNameLengthLimit(&rd->u.mx.exchange, rd->u.data + rdlength);
+ return(len <= MAX_DOMAIN_NAME && rdlength == 2+len);
+
+ case kDNSType_SRV: // Must be at least priority+weight+port, plus domainname
+ // Call to DomainNameLengthLimit() implicitly enforces both requirements for us
+ len = DomainNameLengthLimit(&rd->u.srv.target, rd->u.data + rdlength);
+ return(len <= MAX_DOMAIN_NAME && rdlength == 6+len);
+
+ //case kDNSType_NSEC not checked
+
+ default: return(mDNStrue); // Allow all other types without checking
+ }
+}
+
+// ***************************************************************************
+#if COMPILER_LIKES_PRAGMA_MARK
+#pragma mark -
+#pragma mark - DNS Message Creation Functions
+#endif
+
+mDNSexport void InitializeDNSMessage(DNSMessageHeader *h, mDNSOpaque16 id, mDNSOpaque16 flags)
+{
+ h->id = id;
+ h->flags = flags;
+ h->numQuestions = 0;
+ h->numAnswers = 0;
+ h->numAuthorities = 0;
+ h->numAdditionals = 0;
+}
+
+mDNSexport const mDNSu8 *FindCompressionPointer(const mDNSu8 *const base, const mDNSu8 *const end, const mDNSu8 *const domname)
+{
+ const mDNSu8 *result = end - *domname - 1;
+
+ if (*domname == 0) return(mDNSNULL); // There's no point trying to match just the root label
+
+ // This loop examines each possible starting position in packet, starting end of the packet and working backwards
+ while (result >= base)
+ {
+ // If the length byte and first character of the label match, then check further to see
+ // if this location in the packet will yield a useful name compression pointer.
+ if (result[0] == domname[0] && result[1] == domname[1])
+ {
+ const mDNSu8 *name = domname;
+ const mDNSu8 *targ = result;
+ while (targ + *name < end)
+ {
+ // First see if this label matches
+ int i;
+ const mDNSu8 *pointertarget;
+ for (i=0; i <= *name; i++) if (targ[i] != name[i]) break;
+ if (i <= *name) break; // If label did not match, bail out
+ targ += 1 + *name; // Else, did match, so advance target pointer
+ name += 1 + *name; // and proceed to check next label
+ if (*name == 0 && *targ == 0) return(result); // If no more labels, we found a match!
+ if (*name == 0) break; // If no more labels to match, we failed, so bail out
+
+ // The label matched, so now follow the pointer (if appropriate) and then see if the next label matches
+ if (targ[0] < 0x40) continue; // If length value, continue to check next label
+ if (targ[0] < 0xC0) break; // If 40-BF, not valid
+ if (targ+1 >= end) break; // Second byte not present!
+ pointertarget = base + (((mDNSu16)(targ[0] & 0x3F)) << 8) + targ[1];
+ if (targ < pointertarget) break; // Pointertarget must point *backwards* in the packet
+ if (pointertarget[0] >= 0x40) break; // Pointertarget must point to a valid length byte
+ targ = pointertarget;
+ }
+ }
+ result--; // We failed to match at this search position, so back up the tentative result pointer and try again
+ }
+ return(mDNSNULL);
+}
+
+// Put a string of dot-separated labels as length-prefixed labels
+// domainname is a fully-qualified name (i.e. assumed to be ending in a dot, even if it doesn't)
+// msg points to the message we're building (pass mDNSNULL if we don't want to use compression pointers)
+// end points to the end of the message so far
+// ptr points to where we want to put the name
+// limit points to one byte past the end of the buffer that we must not overrun
+// domainname is the name to put
+mDNSexport mDNSu8 *putDomainNameAsLabels(const DNSMessage *const msg,
+ mDNSu8 *ptr, const mDNSu8 *const limit, const domainname *const name)
+{
+ const mDNSu8 *const base = (const mDNSu8 *)msg;
+ const mDNSu8 * np = name->c;
+ const mDNSu8 *const max = name->c + MAX_DOMAIN_NAME; // Maximum that's valid
+ const mDNSu8 * pointer = mDNSNULL;
+ const mDNSu8 *const searchlimit = ptr;
+
+ if (!ptr) { LogMsg("putDomainNameAsLabels %##s ptr is null", name->c); return(mDNSNULL); }
+
+ if (!*np) // If just writing one-byte root label, make sure we have space for that
+ {
+ if (ptr >= limit) return(mDNSNULL);
+ }
+ else // else, loop through writing labels and/or a compression offset
+ {
+ do {
+ if (*np > MAX_DOMAIN_LABEL)
+ { LogMsg("Malformed domain name %##s (label more than 63 bytes)", name->c); return(mDNSNULL); }
+
+ // This check correctly allows for the final trailing root label:
+ // e.g.
+ // Suppose our domain name is exactly 256 bytes long, including the final trailing root label.
+ // Suppose np is now at name->c[249], and we're about to write our last non-null label ("local").
+ // We know that max will be at name->c[256]
+ // That means that np + 1 + 5 == max - 1, so we (just) pass the "if" test below, write our
+ // six bytes, then exit the loop, write the final terminating root label, and the domain
+ // name we've written is exactly 256 bytes long, exactly at the correct legal limit.
+ // If the name is one byte longer, then we fail the "if" test below, and correctly bail out.
+ if (np + 1 + *np >= max)
+ { LogMsg("Malformed domain name %##s (more than 256 bytes)", name->c); return(mDNSNULL); }
+
+ if (base) pointer = FindCompressionPointer(base, searchlimit, np);
+ if (pointer) // Use a compression pointer if we can
+ {
+ const mDNSu16 offset = (mDNSu16)(pointer - base);
+ if (ptr+2 > limit) return(mDNSNULL); // If we don't have two bytes of space left, give up
+ *ptr++ = (mDNSu8)(0xC0 | (offset >> 8));
+ *ptr++ = (mDNSu8)( offset & 0xFF);
+ return(ptr);
+ }
+ else // Else copy one label and try again
+ {
+ int i;
+ mDNSu8 len = *np++;
+ // If we don't at least have enough space for this label *plus* a terminating zero on the end, give up
+ if (ptr + 1 + len >= limit) return(mDNSNULL);
+ *ptr++ = len;
+ for (i=0; i<len; i++) *ptr++ = *np++;
+ }
+ } while (*np); // While we've got characters remaining in the name, continue
+ }
+
+ *ptr++ = 0; // Put the final root label
+ return(ptr);
+}
+
+mDNSlocal mDNSu8 *putVal16(mDNSu8 *ptr, mDNSu16 val)
+{
+ ptr[0] = (mDNSu8)((val >> 8 ) & 0xFF);
+ ptr[1] = (mDNSu8)((val ) & 0xFF);
+ return ptr + sizeof(mDNSOpaque16);
+}
+
+mDNSlocal mDNSu8 *putVal32(mDNSu8 *ptr, mDNSu32 val)
+{
+ ptr[0] = (mDNSu8)((val >> 24) & 0xFF);
+ ptr[1] = (mDNSu8)((val >> 16) & 0xFF);
+ ptr[2] = (mDNSu8)((val >> 8) & 0xFF);
+ ptr[3] = (mDNSu8)((val ) & 0xFF);
+ return ptr + sizeof(mDNSu32);
+}
+
+// Copy the RDATA information. The actual in memory storage for the data might be bigger than what the rdlength
+// says. Hence, the only way to copy out the data from a resource record is to use putRData.
+// msg points to the message we're building (pass mDNSNULL for "msg" if we don't want to use compression pointers)
+mDNSexport mDNSu8 *putRData(const DNSMessage *const msg, mDNSu8 *ptr, const mDNSu8 *const limit, const ResourceRecord *const rr)
+{
+ const RDataBody2 *const rdb = (RDataBody2 *)rr->rdata->u.data;
+ switch (rr->rrtype)
+ {
+ case kDNSType_A: if (rr->rdlength != 4)
+ { debugf("putRData: Illegal length %d for kDNSType_A", rr->rdlength); return(mDNSNULL); }
+ if (ptr + 4 > limit) return(mDNSNULL);
+ *ptr++ = rdb->ipv4.b[0];
+ *ptr++ = rdb->ipv4.b[1];
+ *ptr++ = rdb->ipv4.b[2];
+ *ptr++ = rdb->ipv4.b[3];
+ return(ptr);
+
+ case kDNSType_NS:
+ case kDNSType_CNAME:
+ case kDNSType_PTR:
+ case kDNSType_DNAME: return(putDomainNameAsLabels(msg, ptr, limit, &rdb->name));
+
+ case kDNSType_SOA: ptr = putDomainNameAsLabels(msg, ptr, limit, &rdb->soa.mname);
+ if (!ptr) return(mDNSNULL);
+ ptr = putDomainNameAsLabels(msg, ptr, limit, &rdb->soa.rname);
+ if (!ptr || ptr + 20 > limit) return(mDNSNULL);
+ ptr = putVal32(ptr, rdb->soa.serial);
+ ptr = putVal32(ptr, rdb->soa.refresh);
+ ptr = putVal32(ptr, rdb->soa.retry);
+ ptr = putVal32(ptr, rdb->soa.expire);
+ ptr = putVal32(ptr, rdb->soa.min);
+ return(ptr);
+
+ case kDNSType_NULL:
+ case kDNSType_HINFO:
+ case kDNSType_TSIG:
+ case kDNSType_TXT:
+ case kDNSType_X25:
+ case kDNSType_ISDN:
+ case kDNSType_LOC:
+ case kDNSType_DHCID: if (ptr + rr->rdlength > limit) return(mDNSNULL);
+ mDNSPlatformMemCopy(ptr, rdb->data, rr->rdlength);
+ return(ptr + rr->rdlength);
+
+ case kDNSType_MX:
+ case kDNSType_AFSDB:
+ case kDNSType_RT:
+ case kDNSType_KX: if (ptr + 3 > limit) return(mDNSNULL);
+ ptr = putVal16(ptr, rdb->mx.preference);
+ return(putDomainNameAsLabels(msg, ptr, limit, &rdb->mx.exchange));
+
+ case kDNSType_RP: ptr = putDomainNameAsLabels(msg, ptr, limit, &rdb->rp.mbox);
+ if (!ptr) return(mDNSNULL);
+ ptr = putDomainNameAsLabels(msg, ptr, limit, &rdb->rp.txt);
+ return(ptr);
+
+ case kDNSType_PX: if (ptr + 5 > limit) return(mDNSNULL);
+ ptr = putVal16(ptr, rdb->px.preference);
+ ptr = putDomainNameAsLabels(msg, ptr, limit, &rdb->px.map822);
+ if (!ptr) return(mDNSNULL);
+ ptr = putDomainNameAsLabels(msg, ptr, limit, &rdb->px.mapx400);
+ return(ptr);
+
+ case kDNSType_AAAA: if (rr->rdlength != sizeof(rdb->ipv6))
+ { debugf("putRData: Illegal length %d for kDNSType_AAAA", rr->rdlength); return(mDNSNULL); }
+ if (ptr + sizeof(rdb->ipv6) > limit) return(mDNSNULL);
+ mDNSPlatformMemCopy(ptr, &rdb->ipv6, sizeof(rdb->ipv6));
+ return(ptr + sizeof(rdb->ipv6));
+
+ case kDNSType_SRV: if (ptr + 7 > limit) return(mDNSNULL);
+ *ptr++ = (mDNSu8)(rdb->srv.priority >> 8);
+ *ptr++ = (mDNSu8)(rdb->srv.priority & 0xFF);
+ *ptr++ = (mDNSu8)(rdb->srv.weight >> 8);
+ *ptr++ = (mDNSu8)(rdb->srv.weight & 0xFF);
+ *ptr++ = rdb->srv.port.b[0];
+ *ptr++ = rdb->srv.port.b[1];
+ return(putDomainNameAsLabels(msg, ptr, limit, &rdb->srv.target));
+
+ case kDNSType_OPT: {
+ int len = 0;
+ const rdataOPT *opt;
+ const rdataOPT *const end = (const rdataOPT *)&rr->rdata->u.data[rr->rdlength];
+ for (opt = &rr->rdata->u.opt[0]; opt < end; opt++)
+ len += DNSOpt_Data_Space(opt);
+ if (ptr + len > limit)
+ {
+ LogMsg("ERROR: putOptRData - out of space");
+ return mDNSNULL;
+ }
+ for (opt = &rr->rdata->u.opt[0]; opt < end; opt++)
+ {
+ const int space = DNSOpt_Data_Space(opt);
+ ptr = putVal16(ptr, opt->opt);
+ ptr = putVal16(ptr, (mDNSu16)space - 4);
+ switch (opt->opt)
+ {
+ case kDNSOpt_LLQ:
+ ptr = putVal16(ptr, opt->u.llq.vers);
+ ptr = putVal16(ptr, opt->u.llq.llqOp);
+ ptr = putVal16(ptr, opt->u.llq.err);
+ mDNSPlatformMemCopy(ptr, opt->u.llq.id.b, 8); // 8-byte id
+ ptr += 8;
+ ptr = putVal32(ptr, opt->u.llq.llqlease);
+ break;
+ case kDNSOpt_Lease:
+ ptr = putVal32(ptr, opt->u.updatelease);
+ break;
+ case kDNSOpt_Owner:
+ *ptr++ = opt->u.owner.vers;
+ *ptr++ = opt->u.owner.seq;
+ mDNSPlatformMemCopy(ptr, opt->u.owner.HMAC.b, 6); // 6-byte Host identifier
+ ptr += 6;
+ if (space >= DNSOpt_OwnerData_ID_Wake_Space)
+ {
+ mDNSPlatformMemCopy(ptr, opt->u.owner.IMAC.b, 6); // 6-byte interface MAC
+ ptr += 6;
+ if (space > DNSOpt_OwnerData_ID_Wake_Space)
+ {
+ mDNSPlatformMemCopy(ptr, opt->u.owner.password.b, space - DNSOpt_OwnerData_ID_Wake_Space);
+ ptr += space - DNSOpt_OwnerData_ID_Wake_Space;
+ }
+ }
+ break;
+ case kDNSOpt_Trace:
+ *ptr++ = opt->u.tracer.platf;
+ ptr = putVal32(ptr, opt->u.tracer.mDNSv);
+ break;
+ }
+ }
+ return ptr;
+ }
+
+ case kDNSType_NSEC: {
+ // For NSEC records, rdlength represents the exact number of bytes
+ // of in memory storage.
+ int len = rr->rdlength;
+ mDNSu8 *nsec = (mDNSu8 *)rdb->data;
+ domainname *name = (domainname *)nsec;
+ int dlen;
+
+ dlen = DomainNameLength(name);
+ len -= dlen;
+ nsec += dlen;
+ // This function is called when we are sending a NSEC record as part of mDNS,
+ // or to copy the data to any other buffer needed which could be a mDNS or uDNS
+ // NSEC record. The only time compression is used that when we are sending it
+ // in mDNS (indicated by non-NULL "msg") and hence we handle mDNS case
+ // separately.
+ if (!UNICAST_NSEC(rr))
+ {
+ mDNSu8 *save = ptr;
+ int i, j, wlen;
+ wlen = *(nsec + 1);
+ nsec += 2; // Skip the window number and len
+ len -= 2;
+
+ // For our simplified use of NSEC synthetic records:
+ //
+ // nextname is always the record's own name,
+ // the block number is always 0,
+ // the count byte is a value in the range 1-32,
+ // followed by the 1-32 data bytes
+ //
+ // Note: When we send the NSEC record in mDNS, the window size is set to 32.
+ // We need to find out what the last non-NULL byte is. If we are copying out
+ // from an RDATA, we have the right length. As we need to handle both the case,
+ // we loop to find the right value instead of blindly using len to copy.
+
+ for (i=wlen; i>0; i--) if (nsec[i-1]) break;
+
+ ptr = putDomainNameAsLabels(msg, ptr, limit, rr->name);
+ if (!ptr) { LogInfo("putRData: Can't put name, Length %d, record %##s", limit - save, rr->name->c); return(mDNSNULL); }
+ if (i) // Only put a block if at least one type exists for this name
+ {
+ if (ptr + 2 + i > limit) { LogInfo("putRData: Can't put window, Length %d, i %d, record %##s", limit - ptr, i, rr->name->c); return(mDNSNULL); }
+ *ptr++ = 0;
+ *ptr++ = (mDNSu8)i;
+ for (j=0; j<i; j++) *ptr++ = nsec[j];
+ }
+ return ptr;
+ }
+ else
+ {
+ int win, wlen;
+
+ // Sanity check whether the bitmap is good
+ while (len)
+ {
+ if (len < 3)
+ { LogMsg("putRData: invalid length %d", len); return mDNSNULL; }
+
+ win = *nsec++;
+ wlen = *nsec++;
+ len -= 2;
+ if (len < wlen || wlen < 1 || wlen > 32)
+ { LogMsg("putRData: invalid window length %d", wlen); return mDNSNULL; }
+ if (win < 0 || win >= 256)
+ { LogMsg("putRData: invalid window %d", win); return mDNSNULL; }
+
+ nsec += wlen;
+ len -= wlen;
+ }
+ if (ptr + rr->rdlength > limit) { LogMsg("putRData: NSEC rdlength beyond limit %##s (%s), ptr %p, rdlength %d, limit %p", rr->name->c, DNSTypeName(rr->rrtype), ptr, rr->rdlength, limit); return(mDNSNULL);}
+
+ // No compression allowed for "nxt", just copy the data.
+ mDNSPlatformMemCopy(ptr, rdb->data, rr->rdlength);
+ return(ptr + rr->rdlength);
+ }
+ }
+
+ default: debugf("putRData: Warning! Writing unknown resource type %d as raw data", rr->rrtype);
+ if (ptr + rr->rdlength > limit) return(mDNSNULL);
+ mDNSPlatformMemCopy(ptr, rdb->data, rr->rdlength);
+ return(ptr + rr->rdlength);
+ }
+}
+
+#define IsUnicastUpdate(X) (!mDNSOpaque16IsZero((X)->h.id) && ((X)->h.flags.b[0] & kDNSFlag0_OP_Mask) == kDNSFlag0_OP_Update)
+
+mDNSexport mDNSu8 *PutResourceRecordTTLWithLimit(DNSMessage *const msg, mDNSu8 *ptr, mDNSu16 *count, ResourceRecord *rr, mDNSu32 ttl, const mDNSu8 *limit)
+{
+ mDNSu8 *endofrdata;
+ mDNSu16 actualLength;
+ // When sending SRV to conventional DNS server (i.e. in DNS update requests) we should not do name compression on the rdata (RFC 2782)
+ const DNSMessage *const rdatacompressionbase = (IsUnicastUpdate(msg) && rr->rrtype == kDNSType_SRV) ? mDNSNULL : msg;
+
+ if (rr->RecordType == kDNSRecordTypeUnregistered)
+ {
+ LogMsg("PutResourceRecordTTLWithLimit ERROR! Attempt to put kDNSRecordTypeUnregistered %##s (%s)", rr->name->c, DNSTypeName(rr->rrtype));
+ return(ptr);
+ }
+
+ if (!ptr)
+ {
+ LogMsg("PutResourceRecordTTLWithLimit ptr is null %##s (%s)", rr->name->c, DNSTypeName(rr->rrtype));
+ return(mDNSNULL);
+ }
+
+ ptr = putDomainNameAsLabels(msg, ptr, limit, rr->name);
+ // If we're out-of-space, return mDNSNULL
+ if (!ptr || ptr + 10 >= limit)
+ {
+ LogInfo("PutResourceRecordTTLWithLimit: can't put name, out of space %##s (%s), ptr %p, limit %p", rr->name->c,
+ DNSTypeName(rr->rrtype), ptr, limit);
+ return(mDNSNULL);
+ }
+ ptr[0] = (mDNSu8)(rr->rrtype >> 8);
+ ptr[1] = (mDNSu8)(rr->rrtype & 0xFF);
+ ptr[2] = (mDNSu8)(rr->rrclass >> 8);
+ ptr[3] = (mDNSu8)(rr->rrclass & 0xFF);
+ ptr[4] = (mDNSu8)((ttl >> 24) & 0xFF);
+ ptr[5] = (mDNSu8)((ttl >> 16) & 0xFF);
+ ptr[6] = (mDNSu8)((ttl >> 8) & 0xFF);
+ ptr[7] = (mDNSu8)( ttl & 0xFF);
+ // ptr[8] and ptr[9] filled in *after* we find out how much space the rdata takes
+
+ endofrdata = putRData(rdatacompressionbase, ptr+10, limit, rr);
+ if (!endofrdata)
+ {
+ LogInfo("PutResourceRecordTTLWithLimit: Ran out of space in PutResourceRecord for %##s (%s), ptr %p, limit %p", rr->name->c,
+ DNSTypeName(rr->rrtype), ptr+10, limit);
+ return(mDNSNULL);
+ }
+
+ // Go back and fill in the actual number of data bytes we wrote
+ // (actualLength can be less than rdlength when domain name compression is used)
+ actualLength = (mDNSu16)(endofrdata - ptr - 10);
+ ptr[8] = (mDNSu8)(actualLength >> 8);
+ ptr[9] = (mDNSu8)(actualLength & 0xFF);
+
+ if (count) (*count)++;
+ else LogMsg("PutResourceRecordTTL: ERROR: No target count to update for %##s (%s)", rr->name->c, DNSTypeName(rr->rrtype));
+ return(endofrdata);
+}
+
+mDNSlocal mDNSu8 *putEmptyResourceRecord(DNSMessage *const msg, mDNSu8 *ptr, const mDNSu8 *const limit, mDNSu16 *count, const AuthRecord *rr)
+{
+ ptr = putDomainNameAsLabels(msg, ptr, limit, rr->resrec.name);
+ if (!ptr || ptr + 10 > limit) return(mDNSNULL); // If we're out-of-space, return mDNSNULL
+ ptr[0] = (mDNSu8)(rr->resrec.rrtype >> 8); // Put type
+ ptr[1] = (mDNSu8)(rr->resrec.rrtype & 0xFF);
+ ptr[2] = (mDNSu8)(rr->resrec.rrclass >> 8); // Put class
+ ptr[3] = (mDNSu8)(rr->resrec.rrclass & 0xFF);
+ ptr[4] = ptr[5] = ptr[6] = ptr[7] = 0; // TTL is zero
+ ptr[8] = ptr[9] = 0; // RDATA length is zero
+ (*count)++;
+ return(ptr + 10);
+}
+
+mDNSexport mDNSu8 *putQuestion(DNSMessage *const msg, mDNSu8 *ptr, const mDNSu8 *const limit, const domainname *const name, mDNSu16 rrtype, mDNSu16 rrclass)
+{
+ ptr = putDomainNameAsLabels(msg, ptr, limit, name);
+ if (!ptr || ptr+4 >= limit) return(mDNSNULL); // If we're out-of-space, return mDNSNULL
+ ptr[0] = (mDNSu8)(rrtype >> 8);
+ ptr[1] = (mDNSu8)(rrtype & 0xFF);
+ ptr[2] = (mDNSu8)(rrclass >> 8);
+ ptr[3] = (mDNSu8)(rrclass & 0xFF);
+ msg->h.numQuestions++;
+ return(ptr+4);
+}
+
+// for dynamic updates
+mDNSexport mDNSu8 *putZone(DNSMessage *const msg, mDNSu8 *ptr, mDNSu8 *limit, const domainname *zone, mDNSOpaque16 zoneClass)
+{
+ ptr = putDomainNameAsLabels(msg, ptr, limit, zone);
+ if (!ptr || ptr + 4 > limit) return mDNSNULL; // If we're out-of-space, return NULL
+ *ptr++ = (mDNSu8)(kDNSType_SOA >> 8);
+ *ptr++ = (mDNSu8)(kDNSType_SOA & 0xFF);
+ *ptr++ = zoneClass.b[0];
+ *ptr++ = zoneClass.b[1];
+ msg->h.mDNS_numZones++;
+ return ptr;
+}
+
+// for dynamic updates
+mDNSexport mDNSu8 *putPrereqNameNotInUse(const domainname *const name, DNSMessage *const msg, mDNSu8 *const ptr, mDNSu8 *const end)
+{
+ AuthRecord prereq;
+ mDNS_SetupResourceRecord(&prereq, mDNSNULL, mDNSInterface_Any, kDNSQType_ANY, kStandardTTL, 0, AuthRecordAny, mDNSNULL, mDNSNULL);
+ AssignDomainName(&prereq.namestorage, name);
+ prereq.resrec.rrtype = kDNSQType_ANY;
+ prereq.resrec.rrclass = kDNSClass_NONE;
+ return putEmptyResourceRecord(msg, ptr, end, &msg->h.mDNS_numPrereqs, &prereq);
+}
+
+// for dynamic updates
+mDNSexport mDNSu8 *putDeletionRecord(DNSMessage *msg, mDNSu8 *ptr, ResourceRecord *rr)
+{
+ // deletion: specify record w/ TTL 0, class NONE
+ const mDNSu16 origclass = rr->rrclass;
+ rr->rrclass = kDNSClass_NONE;
+ ptr = PutResourceRecordTTLJumbo(msg, ptr, &msg->h.mDNS_numUpdates, rr, 0);
+ rr->rrclass = origclass;
+ return ptr;
+}
+
+// for dynamic updates
+mDNSexport mDNSu8 *putDeletionRecordWithLimit(DNSMessage *msg, mDNSu8 *ptr, ResourceRecord *rr, mDNSu8 *limit)
+{
+ // deletion: specify record w/ TTL 0, class NONE
+ const mDNSu16 origclass = rr->rrclass;
+ rr->rrclass = kDNSClass_NONE;
+ ptr = PutResourceRecordTTLWithLimit(msg, ptr, &msg->h.mDNS_numUpdates, rr, 0, limit);
+ rr->rrclass = origclass;
+ return ptr;
+}
+
+mDNSexport mDNSu8 *putDeleteRRSetWithLimit(DNSMessage *msg, mDNSu8 *ptr, const domainname *name, mDNSu16 rrtype, mDNSu8 *limit)
+{
+ mDNSu16 class = kDNSQClass_ANY;
+
+ ptr = putDomainNameAsLabels(msg, ptr, limit, name);
+ if (!ptr || ptr + 10 >= limit) return mDNSNULL; // If we're out-of-space, return mDNSNULL
+ ptr[0] = (mDNSu8)(rrtype >> 8);
+ ptr[1] = (mDNSu8)(rrtype & 0xFF);
+ ptr[2] = (mDNSu8)(class >> 8);
+ ptr[3] = (mDNSu8)(class & 0xFF);
+ ptr[4] = ptr[5] = ptr[6] = ptr[7] = 0; // zero ttl
+ ptr[8] = ptr[9] = 0; // zero rdlength/rdata
+
+ msg->h.mDNS_numUpdates++;
+ return ptr + 10;
+}
+
+// for dynamic updates
+mDNSexport mDNSu8 *putDeleteAllRRSets(DNSMessage *msg, mDNSu8 *ptr, const domainname *name)
+{
+ const mDNSu8 *limit = msg->data + AbsoluteMaxDNSMessageData;
+ mDNSu16 class = kDNSQClass_ANY;
+ mDNSu16 rrtype = kDNSQType_ANY;
+
+ ptr = putDomainNameAsLabels(msg, ptr, limit, name);
+ if (!ptr || ptr + 10 >= limit) return mDNSNULL; // If we're out-of-space, return mDNSNULL
+ ptr[0] = (mDNSu8)(rrtype >> 8);
+ ptr[1] = (mDNSu8)(rrtype & 0xFF);
+ ptr[2] = (mDNSu8)(class >> 8);
+ ptr[3] = (mDNSu8)(class & 0xFF);
+ ptr[4] = ptr[5] = ptr[6] = ptr[7] = 0; // zero ttl
+ ptr[8] = ptr[9] = 0; // zero rdlength/rdata
+
+ msg->h.mDNS_numUpdates++;
+ return ptr + 10;
+}
+
+// for dynamic updates
+mDNSexport mDNSu8 *putUpdateLease(DNSMessage *msg, mDNSu8 *end, mDNSu32 lease)
+{
+ AuthRecord rr;
+ mDNS_SetupResourceRecord(&rr, mDNSNULL, mDNSInterface_Any, kDNSType_OPT, kStandardTTL, kDNSRecordTypeKnownUnique, AuthRecordAny, mDNSNULL, mDNSNULL);
+ rr.resrec.rrclass = NormalMaxDNSMessageData;
+ rr.resrec.rdlength = sizeof(rdataOPT); // One option in this OPT record
+ rr.resrec.rdestimate = sizeof(rdataOPT);
+ rr.resrec.rdata->u.opt[0].opt = kDNSOpt_Lease;
+ rr.resrec.rdata->u.opt[0].u.updatelease = lease;
+ end = PutResourceRecordTTLJumbo(msg, end, &msg->h.numAdditionals, &rr.resrec, 0);
+ if (!end) { LogMsg("ERROR: putUpdateLease - PutResourceRecordTTL"); return mDNSNULL; }
+ return end;
+}
+
+// for dynamic updates
+mDNSexport mDNSu8 *putUpdateLeaseWithLimit(DNSMessage *msg, mDNSu8 *end, mDNSu32 lease, mDNSu8 *limit)
+{
+ AuthRecord rr;
+ mDNS_SetupResourceRecord(&rr, mDNSNULL, mDNSInterface_Any, kDNSType_OPT, kStandardTTL, kDNSRecordTypeKnownUnique, AuthRecordAny, mDNSNULL, mDNSNULL);
+ rr.resrec.rrclass = NormalMaxDNSMessageData;
+ rr.resrec.rdlength = sizeof(rdataOPT); // One option in this OPT record
+ rr.resrec.rdestimate = sizeof(rdataOPT);
+ rr.resrec.rdata->u.opt[0].opt = kDNSOpt_Lease;
+ rr.resrec.rdata->u.opt[0].u.updatelease = lease;
+ end = PutResourceRecordTTLWithLimit(msg, end, &msg->h.numAdditionals, &rr.resrec, 0, limit);
+ if (!end) { LogMsg("ERROR: putUpdateLease - PutResourceRecordTTLWithLimit"); return mDNSNULL; }
+ return end;
+}
+
+mDNSexport mDNSu8 *putDNSSECOption(DNSMessage *msg, mDNSu8 *end, mDNSu8 *limit)
+{
+ AuthRecord rr;
+ mDNSu32 ttl = 0;
+
+ mDNS_SetupResourceRecord(&rr, mDNSNULL, mDNSInterface_Any, kDNSType_OPT, kStandardTTL, kDNSRecordTypeKnownUnique, AuthRecordAny, mDNSNULL, mDNSNULL);
+ // It is still not clear what the right size is. We will have to fine tune this once we do
+ // a lot of testing with DNSSEC.
+ rr.resrec.rrclass = 4096;
+ rr.resrec.rdlength = 0;
+ rr.resrec.rdestimate = 0;
+ // set the DO bit
+ ttl |= 0x8000;
+ end = PutResourceRecordTTLWithLimit(msg, end, &msg->h.numAdditionals, &rr.resrec, ttl, limit);
+ if (!end) { LogMsg("ERROR: putUpdateLease - PutResourceRecordTTLWithLimit"); return mDNSNULL; }
+ return end;
+}
+
+mDNSexport mDNSu8 *putHINFO(const mDNS *const m, DNSMessage *const msg, mDNSu8 *end, DomainAuthInfo *authInfo, mDNSu8 *limit)
+{
+ if (authInfo && authInfo->AutoTunnel)
+ {
+ AuthRecord hinfo;
+ mDNSu8 *h = hinfo.rdatastorage.u.data;
+ mDNSu16 len = 2 + m->HIHardware.c[0] + m->HISoftware.c[0];
+ mDNSu8 *newptr;
+ mDNS_SetupResourceRecord(&hinfo, mDNSNULL, mDNSInterface_Any, kDNSType_HINFO, 0, kDNSRecordTypeUnique, AuthRecordAny, mDNSNULL, mDNSNULL);
+ AppendDomainLabel(&hinfo.namestorage, &m->hostlabel);
+ AppendDomainName (&hinfo.namestorage, &authInfo->domain);
+ hinfo.resrec.rroriginalttl = 0;
+ mDNSPlatformMemCopy(h, &m->HIHardware, 1 + (mDNSu32)m->HIHardware.c[0]);
+ h += 1 + (int)h[0];
+ mDNSPlatformMemCopy(h, &m->HISoftware, 1 + (mDNSu32)m->HISoftware.c[0]);
+ hinfo.resrec.rdlength = len;
+ hinfo.resrec.rdestimate = len;
+ newptr = PutResourceRecordTTLWithLimit(msg, end, &msg->h.numAdditionals, &hinfo.resrec, 0, limit);
+ return newptr;
+ }
+ else
+ return end;
+}
+
+// ***************************************************************************
+#if COMPILER_LIKES_PRAGMA_MARK
+#pragma mark -
+#pragma mark - DNS Message Parsing Functions
+#endif
+
+mDNSexport mDNSu32 DomainNameHashValue(const domainname *const name)
+{
+ mDNSu32 sum = 0;
+ const mDNSu8 *c;
+
+ for (c = name->c; c[0] != 0 && c[1] != 0; c += 2)
+ {
+ sum += ((mDNSIsUpperCase(c[0]) ? c[0] + 'a' - 'A' : c[0]) << 8) |
+ (mDNSIsUpperCase(c[1]) ? c[1] + 'a' - 'A' : c[1]);
+ sum = (sum<<3) | (sum>>29);
+ }
+ if (c[0]) sum += ((mDNSIsUpperCase(c[0]) ? c[0] + 'a' - 'A' : c[0]) << 8);
+ return(sum);
+}
+
+mDNSexport void SetNewRData(ResourceRecord *const rr, RData *NewRData, mDNSu16 rdlength)
+{
+ domainname *target;
+ if (NewRData)
+ {
+ rr->rdata = NewRData;
+ rr->rdlength = rdlength;
+ }
+ // Must not try to get target pointer until after updating rr->rdata
+ target = GetRRDomainNameTarget(rr);
+ rr->rdlength = GetRDLength(rr, mDNSfalse);
+ rr->rdestimate = GetRDLength(rr, mDNStrue);
+ rr->rdatahash = target ? DomainNameHashValue(target) : RDataHashValue(rr);
+}
+
+mDNSexport const mDNSu8 *skipDomainName(const DNSMessage *const msg, const mDNSu8 *ptr, const mDNSu8 *const end)
+{
+ mDNSu16 total = 0;
+
+ if (ptr < (mDNSu8*)msg || ptr >= end)
+ { debugf("skipDomainName: Illegal ptr not within packet boundaries"); return(mDNSNULL); }
+
+ while (1) // Read sequence of labels
+ {
+ const mDNSu8 len = *ptr++; // Read length of this label
+ if (len == 0) return(ptr); // If length is zero, that means this name is complete
+ switch (len & 0xC0)
+ {
+ case 0x00: if (ptr + len >= end) // Remember: expect at least one more byte for the root label
+ { debugf("skipDomainName: Malformed domain name (overruns packet end)"); return(mDNSNULL); }
+ if (total + 1 + len >= MAX_DOMAIN_NAME) // Remember: expect at least one more byte for the root label
+ { debugf("skipDomainName: Malformed domain name (more than 256 characters)"); return(mDNSNULL); }
+ ptr += len;
+ total += 1 + len;
+ break;
+
+ case 0x40: debugf("skipDomainName: Extended EDNS0 label types 0x%X not supported", len); return(mDNSNULL);
+ case 0x80: debugf("skipDomainName: Illegal label length 0x%X", len); return(mDNSNULL);
+ case 0xC0: return(ptr+1);
+ }
+ }
+}
+
+// Routine to fetch an FQDN from the DNS message, following compression pointers if necessary.
+mDNSexport const mDNSu8 *getDomainName(const DNSMessage *const msg, const mDNSu8 *ptr, const mDNSu8 *const end,
+ domainname *const name)
+{
+ const mDNSu8 *nextbyte = mDNSNULL; // Record where we got to before we started following pointers
+ mDNSu8 *np = name->c; // Name pointer
+ const mDNSu8 *const limit = np + MAX_DOMAIN_NAME; // Limit so we don't overrun buffer
+
+ if (ptr < (mDNSu8*)msg || ptr >= end)
+ { debugf("getDomainName: Illegal ptr not within packet boundaries"); return(mDNSNULL); }
+
+ *np = 0; // Tentatively place the root label here (may be overwritten if we have more labels)
+
+ while (1) // Read sequence of labels
+ {
+ const mDNSu8 len = *ptr++; // Read length of this label
+ if (len == 0) break; // If length is zero, that means this name is complete
+ switch (len & 0xC0)
+ {
+ int i;
+ mDNSu16 offset;
+
+ case 0x00: if (ptr + len >= end) // Remember: expect at least one more byte for the root label
+ { debugf("getDomainName: Malformed domain name (overruns packet end)"); return(mDNSNULL); }
+ if (np + 1 + len >= limit) // Remember: expect at least one more byte for the root label
+ { debugf("getDomainName: Malformed domain name (more than 256 characters)"); return(mDNSNULL); }
+ *np++ = len;
+ for (i=0; i<len; i++) *np++ = *ptr++;
+ *np = 0; // Tentatively place the root label here (may be overwritten if we have more labels)
+ break;
+
+ case 0x40: debugf("getDomainName: Extended EDNS0 label types 0x%X not supported in name %##s", len, name->c);
+ return(mDNSNULL);
+
+ case 0x80: debugf("getDomainName: Illegal label length 0x%X in domain name %##s", len, name->c); return(mDNSNULL);
+
+ case 0xC0: offset = (mDNSu16)((((mDNSu16)(len & 0x3F)) << 8) | *ptr++);
+ if (!nextbyte) nextbyte = ptr; // Record where we got to before we started following pointers
+ ptr = (mDNSu8 *)msg + offset;
+ if (ptr < (mDNSu8*)msg || ptr >= end)
+ { debugf("getDomainName: Illegal compression pointer not within packet boundaries"); return(mDNSNULL); }
+ if (*ptr & 0xC0)
+ { debugf("getDomainName: Compression pointer must point to real label"); return(mDNSNULL); }
+ break;
+ }
+ }
+
+ if (nextbyte) return(nextbyte);
+ else return(ptr);
+}
+
+mDNSexport const mDNSu8 *skipResourceRecord(const DNSMessage *msg, const mDNSu8 *ptr, const mDNSu8 *end)
+{
+ mDNSu16 pktrdlength;
+
+ ptr = skipDomainName(msg, ptr, end);
+ if (!ptr) { debugf("skipResourceRecord: Malformed RR name"); return(mDNSNULL); }
+
+ if (ptr + 10 > end) { debugf("skipResourceRecord: Malformed RR -- no type/class/ttl/len!"); return(mDNSNULL); }
+ pktrdlength = (mDNSu16)((mDNSu16)ptr[8] << 8 | ptr[9]);
+ ptr += 10;
+ if (ptr + pktrdlength > end) { debugf("skipResourceRecord: RDATA exceeds end of packet"); return(mDNSNULL); }
+
+ return(ptr + pktrdlength);
+}
+
+// Sanity check whether the NSEC/NSEC3 bitmap is good
+mDNSlocal mDNSu8 *SanityCheckBitMap(const mDNSu8 *bmap, const mDNSu8 *end, int len)
+{
+ int win, wlen;
+
+ while (bmap < end)
+ {
+ if (len < 3)
+ {
+ LogInfo("SanityCheckBitMap: invalid length %d", len);
+ return mDNSNULL;
+ }
+
+ win = *bmap++;
+ wlen = *bmap++;
+ len -= 2;
+ if (len < wlen || wlen < 1 || wlen > 32)
+ {
+ LogInfo("SanityCheckBitMap: invalid window length %d", wlen);
+ return mDNSNULL;
+ }
+ if (win < 0 || win >= 256)
+ {
+ LogInfo("SanityCheckBitMap: invalid window %d", win);
+ return mDNSNULL;
+ }
+
+ bmap += wlen;
+ len -= wlen;
+ }
+ return (mDNSu8 *)bmap;
+}
+
+// This function is called with "msg" when we receive a DNS message and needs to parse a single resource record
+// pointed to by "ptr". Some resource records like SOA, SRV are converted to host order and also expanded
+// (domainnames are expanded to 255 bytes) when stored in memory.
+//
+// This function can also be called with "NULL" msg to parse a single resource record pointed to by ptr.
+// The caller can do this only if the names in the resource records are compressed and validity of the
+// resource record has already been done before. DNSSEC currently uses it this way.
+mDNSexport mDNSBool SetRData(const DNSMessage *const msg, const mDNSu8 *ptr, const mDNSu8 *end,
+ LargeCacheRecord *const largecr, mDNSu16 rdlength)
+{
+ CacheRecord *const rr = &largecr->r;
+ RDataBody2 *const rdb = (RDataBody2 *)rr->smallrdatastorage.data;
+
+ switch (rr->resrec.rrtype)
+ {
+ case kDNSType_A:
+ if (rdlength != sizeof(mDNSv4Addr))
+ goto fail;
+ rdb->ipv4.b[0] = ptr[0];
+ rdb->ipv4.b[1] = ptr[1];
+ rdb->ipv4.b[2] = ptr[2];
+ rdb->ipv4.b[3] = ptr[3];
+ break;
+
+ case kDNSType_NS:
+ case kDNSType_MD:
+ case kDNSType_MF:
+ case kDNSType_CNAME:
+ case kDNSType_MB:
+ case kDNSType_MG:
+ case kDNSType_MR:
+ case kDNSType_PTR:
+ case kDNSType_NSAP_PTR:
+ case kDNSType_DNAME:
+ if (msg)
+ {
+ ptr = getDomainName(msg, ptr, end, &rdb->name);
+ }
+ else
+ {
+ AssignDomainName(&rdb->name, (domainname *)ptr);
+ ptr += DomainNameLength(&rdb->name);
+ }
+ if (ptr != end)
+ {
+ debugf("SetRData: Malformed CNAME/PTR RDATA name");
+ goto fail;
+ }
+ break;
+
+ case kDNSType_SOA:
+ if (msg)
+ {
+ ptr = getDomainName(msg, ptr, end, &rdb->soa.mname);
+ }
+ else
+ {
+ AssignDomainName(&rdb->soa.mname, (domainname *)ptr);
+ ptr += DomainNameLength(&rdb->soa.mname);
+ }
+ if (!ptr)
+ {
+ debugf("SetRData: Malformed SOA RDATA mname");
+ goto fail;
+ }
+ if (msg)
+ {
+ ptr = getDomainName(msg, ptr, end, &rdb->soa.rname);
+ }
+ else
+ {
+ AssignDomainName(&rdb->soa.rname, (domainname *)ptr);
+ ptr += DomainNameLength(&rdb->soa.rname);
+ }
+ if (!ptr)
+ {
+ debugf("SetRData: Malformed SOA RDATA rname");
+ goto fail;
+ }
+ if (ptr + 0x14 != end)
+ {
+ debugf("SetRData: Malformed SOA RDATA");
+ goto fail;
+ }
+ rdb->soa.serial = (mDNSs32) ((mDNSs32)ptr[0x00] << 24 | (mDNSs32)ptr[0x01] << 16 | (mDNSs32)ptr[0x02] << 8 | ptr[0x03]);
+ rdb->soa.refresh = (mDNSu32) ((mDNSu32)ptr[0x04] << 24 | (mDNSu32)ptr[0x05] << 16 | (mDNSu32)ptr[0x06] << 8 | ptr[0x07]);
+ rdb->soa.retry = (mDNSu32) ((mDNSu32)ptr[0x08] << 24 | (mDNSu32)ptr[0x09] << 16 | (mDNSu32)ptr[0x0A] << 8 | ptr[0x0B]);
+ rdb->soa.expire = (mDNSu32) ((mDNSu32)ptr[0x0C] << 24 | (mDNSu32)ptr[0x0D] << 16 | (mDNSu32)ptr[0x0E] << 8 | ptr[0x0F]);
+ rdb->soa.min = (mDNSu32) ((mDNSu32)ptr[0x10] << 24 | (mDNSu32)ptr[0x11] << 16 | (mDNSu32)ptr[0x12] << 8 | ptr[0x13]);
+ break;
+
+ case kDNSType_NULL:
+ case kDNSType_HINFO:
+ case kDNSType_TXT:
+ case kDNSType_X25:
+ case kDNSType_ISDN:
+ case kDNSType_LOC:
+ case kDNSType_DHCID:
+ rr->resrec.rdlength = rdlength;
+ mDNSPlatformMemCopy(rdb->data, ptr, rdlength);
+ break;
+
+ case kDNSType_MX:
+ case kDNSType_AFSDB:
+ case kDNSType_RT:
+ case kDNSType_KX:
+ // Preference + domainname
+ if (rdlength < 3)
+ goto fail;
+ rdb->mx.preference = (mDNSu16)((mDNSu16)ptr[0] << 8 | ptr[1]);
+ ptr += 2;
+ if (msg)
+ {
+ ptr = getDomainName(msg, ptr, end, &rdb->mx.exchange);
+ }
+ else
+ {
+ AssignDomainName(&rdb->mx.exchange, (domainname *)ptr);
+ ptr += DomainNameLength(&rdb->mx.exchange);
+ }
+ if (ptr != end)
+ {
+ debugf("SetRData: Malformed MX name");
+ goto fail;
+ }
+ break;
+
+ case kDNSType_MINFO:
+ case kDNSType_RP:
+ // Domainname + domainname
+ if (msg)
+ {
+ ptr = getDomainName(msg, ptr, end, &rdb->rp.mbox);
+ }
+ else
+ {
+ AssignDomainName(&rdb->rp.mbox, (domainname *)ptr);
+ ptr += DomainNameLength(&rdb->rp.mbox);
+ }
+ if (!ptr)
+ {
+ debugf("SetRData: Malformed RP mbox");
+ goto fail;
+ }
+ if (msg)
+ {
+ ptr = getDomainName(msg, ptr, end, &rdb->rp.txt);
+ }
+ else
+ {
+ AssignDomainName(&rdb->rp.txt, (domainname *)ptr);
+ ptr += DomainNameLength(&rdb->rp.txt);
+ }
+ if (ptr != end)
+ {
+ debugf("SetRData: Malformed RP txt");
+ goto fail;
+ }
+ break;
+
+ case kDNSType_PX:
+ // Preference + domainname + domainname
+ if (rdlength < 4)
+ goto fail;
+ rdb->px.preference = (mDNSu16)((mDNSu16)ptr[0] << 8 | ptr[1]);
+ ptr += 2;
+ if (msg)
+ {
+ ptr = getDomainName(msg, ptr, end, &rdb->px.map822);
+ }
+ else
+ {
+ AssignDomainName(&rdb->px.map822, (domainname *)ptr);
+ ptr += DomainNameLength(&rdb->px.map822);
+ }
+ if (!ptr)
+ {
+ debugf("SetRData: Malformed PX map822");
+ goto fail;
+ }
+ if (msg)
+ {
+ ptr = getDomainName(msg, ptr, end, &rdb->px.mapx400);
+ }
+ else
+ {
+ AssignDomainName(&rdb->px.mapx400, (domainname *)ptr);
+ ptr += DomainNameLength(&rdb->px.mapx400);
+ }
+ if (ptr != end)
+ {
+ debugf("SetRData: Malformed PX mapx400");
+ goto fail;
+ }
+ break;
+
+ case kDNSType_AAAA:
+ if (rdlength != sizeof(mDNSv6Addr))
+ goto fail;
+ mDNSPlatformMemCopy(&rdb->ipv6, ptr, sizeof(rdb->ipv6));
+ break;
+
+ case kDNSType_SRV:
+ // Priority + weight + port + domainname
+ if (rdlength < 7)
+ goto fail;
+ rdb->srv.priority = (mDNSu16)((mDNSu16)ptr[0] << 8 | ptr[1]);
+ rdb->srv.weight = (mDNSu16)((mDNSu16)ptr[2] << 8 | ptr[3]);
+ rdb->srv.port.b[0] = ptr[4];
+ rdb->srv.port.b[1] = ptr[5];
+ ptr += 6;
+ if (msg)
+ {
+ ptr = getDomainName(msg, ptr, end, &rdb->srv.target);
+ }
+ else
+ {
+ AssignDomainName(&rdb->srv.target, (domainname *)ptr);
+ ptr += DomainNameLength(&rdb->srv.target);
+ }
+ if (ptr != end)
+ {
+ debugf("SetRData: Malformed SRV RDATA name");
+ goto fail;
+ }
+ break;
+
+ case kDNSType_NAPTR:
+ {
+ int savelen, len;
+ domainname name;
+ const mDNSu8 *orig = ptr;
+
+ // Make sure the data is parseable and within the limits. DNSSEC code looks at
+ // the domain name in the end for a valid domainname.
+ //
+ // Fixed length: Order, preference (4 bytes)
+ // Variable length: flags, service, regexp, domainname
+
+ if (rdlength < 8)
+ goto fail;
+ // Order, preference.
+ ptr += 4;
+ // Parse flags, Service and Regexp
+ // length in the first byte does not include the length byte itself
+ len = *ptr + 1;
+ ptr += len;
+ if (ptr >= end)
+ {
+ LogInfo("SetRData: Malformed NAPTR flags");
+ goto fail;
+ }
+
+ // Service
+ len = *ptr + 1;
+ ptr += len;
+ if (ptr >= end)
+ {
+ LogInfo("SetRData: Malformed NAPTR service");
+ goto fail;
+ }
+
+ // Regexp
+ len = *ptr + 1;
+ ptr += len;
+ if (ptr >= end)
+ {
+ LogInfo("SetRData: Malformed NAPTR regexp");
+ goto fail;
+ }
+
+ savelen = ptr - orig;
+
+ // RFC 2915 states that name compression is not allowed for this field. But RFC 3597
+ // states that for NAPTR we should decompress. We make sure that we store the full
+ // name rather than the compressed name
+ if (msg)
+ {
+ ptr = getDomainName(msg, ptr, end, &name);
+ }
+ else
+ {
+ AssignDomainName(&name, (domainname *)ptr);
+ ptr += DomainNameLength(&name);
+ }
+ if (ptr != end)
+ {
+ LogInfo("SetRData: Malformed NAPTR RDATA name");
+ goto fail;
+ }
+
+ rr->resrec.rdlength = savelen + DomainNameLength(&name);
+ // The uncompressed size should not exceed the limits
+ if (rr->resrec.rdlength > MaximumRDSize)
+ {
+ LogInfo("SetRData: Malformed NAPTR rdlength %d, rr->resrec.rdlength %d, "
+ "bmaplen %d, name %##s", rdlength, rr->resrec.rdlength, name.c);
+ goto fail;
+ }
+ mDNSPlatformMemCopy(rdb->data, orig, savelen);
+ AssignDomainName((domainname *)(rdb->data + savelen), &name);
+ break;
+ }
+ case kDNSType_OPT: {
+ mDNSu8 *dataend = rr->resrec.rdata->u.data;
+ rdataOPT *opt = rr->resrec.rdata->u.opt;
+ rr->resrec.rdlength = 0;
+ while (ptr < end && (mDNSu8 *)(opt+1) < &dataend[MaximumRDSize])
+ {
+ const rdataOPT *const currentopt = opt;
+ if (ptr + 4 > end) { LogInfo("SetRData: OPT RDATA ptr + 4 > end"); goto fail; }
+ opt->opt = (mDNSu16)((mDNSu16)ptr[0] << 8 | ptr[1]);
+ opt->optlen = (mDNSu16)((mDNSu16)ptr[2] << 8 | ptr[3]);
+ ptr += 4;
+ if (ptr + opt->optlen > end) { LogInfo("SetRData: ptr + opt->optlen > end"); goto fail; }
+ switch (opt->opt)
+ {
+ case kDNSOpt_LLQ:
+ if (opt->optlen == DNSOpt_LLQData_Space - 4)
+ {
+ opt->u.llq.vers = (mDNSu16)((mDNSu16)ptr[0] << 8 | ptr[1]);
+ opt->u.llq.llqOp = (mDNSu16)((mDNSu16)ptr[2] << 8 | ptr[3]);
+ opt->u.llq.err = (mDNSu16)((mDNSu16)ptr[4] << 8 | ptr[5]);
+ mDNSPlatformMemCopy(opt->u.llq.id.b, ptr+6, 8);
+ opt->u.llq.llqlease = (mDNSu32) ((mDNSu32)ptr[14] << 24 | (mDNSu32)ptr[15] << 16 | (mDNSu32)ptr[16] << 8 | ptr[17]);
+ if (opt->u.llq.llqlease > 0x70000000UL / mDNSPlatformOneSecond)
+ opt->u.llq.llqlease = 0x70000000UL / mDNSPlatformOneSecond;
+ opt++;
+ }
+ break;
+ case kDNSOpt_Lease:
+ if (opt->optlen == DNSOpt_LeaseData_Space - 4)
+ {
+ opt->u.updatelease = (mDNSu32) ((mDNSu32)ptr[0] << 24 | (mDNSu32)ptr[1] << 16 | (mDNSu32)ptr[2] << 8 | ptr[3]);
+ if (opt->u.updatelease > 0x70000000UL / mDNSPlatformOneSecond)
+ opt->u.updatelease = 0x70000000UL / mDNSPlatformOneSecond;
+ opt++;
+ }
+ break;
+ case kDNSOpt_Owner:
+ if (ValidOwnerLength(opt->optlen))
+ {
+ opt->u.owner.vers = ptr[0];
+ opt->u.owner.seq = ptr[1];
+ mDNSPlatformMemCopy(opt->u.owner.HMAC.b, ptr+2, 6); // 6-byte MAC address
+ mDNSPlatformMemCopy(opt->u.owner.IMAC.b, ptr+2, 6); // 6-byte MAC address
+ opt->u.owner.password = zeroEthAddr;
+ if (opt->optlen >= DNSOpt_OwnerData_ID_Wake_Space-4)
+ {
+ mDNSPlatformMemCopy(opt->u.owner.IMAC.b, ptr+8, 6); // 6-byte MAC address
+ // This mDNSPlatformMemCopy is safe because the ValidOwnerLength(opt->optlen) check above
+ // ensures that opt->optlen is no more than DNSOpt_OwnerData_ID_Wake_PW6_Space - 4
+ if (opt->optlen > DNSOpt_OwnerData_ID_Wake_Space-4)
+ mDNSPlatformMemCopy(opt->u.owner.password.b, ptr+14, opt->optlen - (DNSOpt_OwnerData_ID_Wake_Space-4));
+ }
+ opt++;
+ }
+ break;
+ case kDNSOpt_Trace:
+ if (opt->optlen == DNSOpt_TraceData_Space - 4)
+ {
+ opt->u.tracer.platf = ptr[0];
+ opt->u.tracer.mDNSv = (mDNSu32) ((mDNSu32)ptr[1] << 24 | (mDNSu32)ptr[2] << 16 | (mDNSu32)ptr[3] << 8 | ptr[4]);
+ opt++;
+ }
+ break;
+ }
+ ptr += currentopt->optlen;
+ }
+ rr->resrec.rdlength = (mDNSu16)((mDNSu8*)opt - rr->resrec.rdata->u.data);
+ if (ptr != end) { LogInfo("SetRData: Malformed OptRdata"); goto fail; }
+ break;
+ }
+
+ case kDNSType_NSEC: {
+ domainname name;
+ int len = rdlength;
+ int bmaplen, dlen;
+ const mDNSu8 *orig = ptr;
+ const mDNSu8 *bmap;
+
+ if (msg)
+ {
+ ptr = getDomainName(msg, ptr, end, &name);
+ }
+ else
+ {
+ AssignDomainName(&name, (domainname *)ptr);
+ ptr += DomainNameLength(&name);
+ }
+ if (!ptr)
+ {
+ LogInfo("SetRData: Malformed NSEC nextname");
+ goto fail;
+ }
+
+ dlen = DomainNameLength(&name);
+
+ // Multicast NSECs use name compression for this field unlike the unicast case which
+ // does not use compression. And multicast case always succeeds in compression. So,
+ // the rdlength includes only the compressed space in that case. So, can't
+ // use the DomainNameLength of name to reduce the length here.
+ len -= (ptr - orig);
+ bmaplen = len; // Save the length of the bitmap
+ bmap = ptr;
+ ptr = SanityCheckBitMap(bmap, end, len);
+ if (!ptr)
+ goto fail;
+ if (ptr != end)
+ {
+ LogInfo("SetRData: Malformed NSEC length not right");
+ goto fail;
+ }
+
+ // Initialize the right length here. When we call SetNewRData below which in turn calls
+ // GetRDLength and for NSEC case, it assumes that rdlength is intitialized
+ rr->resrec.rdlength = DomainNameLength(&name) + bmaplen;
+
+ // Do we have space after the name expansion ?
+ if (rr->resrec.rdlength > MaximumRDSize)
+ {
+ LogInfo("SetRData: Malformed NSEC rdlength %d, rr->resrec.rdlength %d, "
+ "bmaplen %d, name %##s", rdlength, rr->resrec.rdlength, name.c);
+ goto fail;
+ }
+ AssignDomainName((domainname *)rdb->data, &name);
+ mDNSPlatformMemCopy(rdb->data + dlen, bmap, bmaplen);
+ break;
+ }
+ case kDNSType_NSEC3:
+ {
+ rdataNSEC3 *nsec3 = (rdataNSEC3 *)ptr;
+ mDNSu8 *p = (mDNSu8 *)&nsec3->salt;
+ int hashLength, bitmaplen;
+
+ if (rdlength < NSEC3_FIXED_SIZE + 1)
+ {
+ LogInfo("SetRData: NSEC3 too small length %d", rdlength);
+ goto fail;
+ }
+ if (nsec3->alg != SHA1_DIGEST_TYPE)
+ {
+ LogInfo("SetRData: nsec3 alg %d not supported", nsec3->alg);
+ goto fail;
+ }
+ if (swap16(nsec3->iterations) > NSEC3_MAX_ITERATIONS)
+ {
+ LogInfo("SetRData: nsec3 iteration count %d too big", swap16(nsec3->iterations));
+ goto fail;
+ }
+ p += nsec3->saltLength;
+ // There should at least be one byte beyond saltLength
+ if (p >= end)
+ {
+ LogInfo("SetRData: nsec3 too small, at saltlength %d, p %p, end %p", nsec3->saltLength, p, end);
+ goto fail;
+ }
+ // p is pointing at hashLength
+ hashLength = (int)*p++;
+ if (!hashLength)
+ {
+ LogInfo("SetRData: hashLength zero");
+ goto fail;
+ }
+ p += hashLength;
+ if (p > end)
+ {
+ LogInfo("SetRData: nsec3 too small, at hashLength %d, p %p, end %p", hashLength, p, end);
+ goto fail;
+ }
+
+ bitmaplen = rdlength - (int)(p - ptr);
+ p = SanityCheckBitMap(p, end, bitmaplen);
+ if (!p)
+ goto fail;
+ rr->resrec.rdlength = rdlength;
+ mDNSPlatformMemCopy(rdb->data, ptr, rdlength);
+ break;
+ }
+ case kDNSType_TKEY:
+ case kDNSType_TSIG:
+ {
+ domainname name;
+ int dlen, rlen;
+
+ // The name should not be compressed. But we take the conservative approach
+ // and uncompress the name before we store it.
+ if (msg)
+ {
+ ptr = getDomainName(msg, ptr, end, &name);
+ }
+ else
+ {
+ AssignDomainName(&name, (domainname *)ptr);
+ ptr += DomainNameLength(&name);
+ }
+ if (!ptr)
+ {
+ LogInfo("SetRData: Malformed name for TSIG/TKEY type %d", rr->resrec.rrtype);
+ goto fail;
+ }
+ dlen = DomainNameLength(&name);
+ rlen = end - ptr;
+ rr->resrec.rdlength = dlen + rlen;
+ AssignDomainName((domainname *)rdb->data, &name);
+ mDNSPlatformMemCopy(rdb->data + dlen, ptr, rlen);
+ break;
+ }
+ case kDNSType_RRSIG:
+ {
+ const mDNSu8 *sig = ptr + RRSIG_FIXED_SIZE;
+ const mDNSu8 *orig = sig;
+ domainname name;
+ if (rdlength < RRSIG_FIXED_SIZE + 1)
+ {
+ LogInfo("SetRData: RRSIG too small length %d", rdlength);
+ goto fail;
+ }
+ if (msg)
+ {
+ sig = getDomainName(msg, sig, end, &name);
+ }
+ else
+ {
+ AssignDomainName(&name, (domainname *)sig);
+ sig += DomainNameLength(&name);
+ }
+ if (!sig)
+ {
+ LogInfo("SetRData: Malformed RRSIG record");
+ goto fail;
+ }
+
+ if ((sig - orig) != DomainNameLength(&name))
+ {
+ LogInfo("SetRData: Malformed RRSIG record, signer name compression");
+ goto fail;
+ }
+ // Just ensure that we have at least one byte of the signature
+ if (sig + 1 >= end)
+ {
+ LogInfo("SetRData: Not enough bytes for signature type %d", rr->resrec.rrtype);
+ goto fail;
+ }
+ rr->resrec.rdlength = rdlength;
+ mDNSPlatformMemCopy(rdb->data, ptr, rdlength);
+ break;
+ }
+ case kDNSType_DNSKEY:
+ {
+ if (rdlength < DNSKEY_FIXED_SIZE + 1)
+ {
+ LogInfo("SetRData: DNSKEY too small length %d", rdlength);
+ goto fail;
+ }
+ rr->resrec.rdlength = rdlength;
+ mDNSPlatformMemCopy(rdb->data, ptr, rdlength);
+ break;
+ }
+ case kDNSType_DS:
+ {
+ if (rdlength < DS_FIXED_SIZE + 1)
+ {
+ LogInfo("SetRData: DS too small length %d", rdlength);
+ goto fail;
+ }
+ rr->resrec.rdlength = rdlength;
+ mDNSPlatformMemCopy(rdb->data, ptr, rdlength);
+ break;
+ }
+ default:
+ debugf("SetRData: Warning! Reading resource type %d (%s) as opaque data",
+ rr->resrec.rrtype, DNSTypeName(rr->resrec.rrtype));
+ // Note: Just because we don't understand the record type, that doesn't
+ // mean we fail. The DNS protocol specifies rdlength, so we can
+ // safely skip over unknown records and ignore them.
+ // We also grab a binary copy of the rdata anyway, since the caller
+ // might know how to interpret it even if we don't.
+ rr->resrec.rdlength = rdlength;
+ mDNSPlatformMemCopy(rdb->data, ptr, rdlength);
+ break;
+ }
+ return mDNStrue;
+fail:
+ return mDNSfalse;
+}
+
+mDNSexport const mDNSu8 *GetLargeResourceRecord(mDNS *const m, const DNSMessage *const msg, const mDNSu8 *ptr,
+ const mDNSu8 *end, const mDNSInterfaceID InterfaceID, mDNSu8 RecordType, LargeCacheRecord *const largecr)
+{
+ CacheRecord *const rr = &largecr->r;
+ mDNSu16 pktrdlength;
+
+ if (largecr == &m->rec && m->rec.r.resrec.RecordType)
+ {
+ LogMsg("GetLargeResourceRecord: m->rec appears to be already in use for %s", CRDisplayString(m, &m->rec.r));
+#if ForceAlerts
+ *(long*)0 = 0;
+#endif
+ }
+
+ rr->next = mDNSNULL;
+ rr->resrec.name = &largecr->namestorage;
+
+ rr->NextInKAList = mDNSNULL;
+ rr->TimeRcvd = m ? m->timenow : 0;
+ rr->DelayDelivery = 0;
+ rr->NextRequiredQuery = m ? m->timenow : 0; // Will be updated to the real value when we call SetNextCacheCheckTimeForRecord()
+ rr->LastUsed = m ? m->timenow : 0;
+ rr->CRActiveQuestion = mDNSNULL;
+ rr->UnansweredQueries = 0;
+ rr->LastUnansweredTime= 0;
+#if ENABLE_MULTI_PACKET_QUERY_SNOOPING
+ rr->MPUnansweredQ = 0;
+ rr->MPLastUnansweredQT= 0;
+ rr->MPUnansweredKA = 0;
+ rr->MPExpectingKA = mDNSfalse;
+#endif
+ rr->NextInCFList = mDNSNULL;
+
+ rr->resrec.InterfaceID = InterfaceID;
+ rr->resrec.rDNSServer = mDNSNULL;
+
+ ptr = getDomainName(msg, ptr, end, &largecr->namestorage); // Will bail out correctly if ptr is NULL
+ if (!ptr) { debugf("GetLargeResourceRecord: Malformed RR name"); return(mDNSNULL); }
+ rr->resrec.namehash = DomainNameHashValue(rr->resrec.name);
+
+ if (ptr + 10 > end) { debugf("GetLargeResourceRecord: Malformed RR -- no type/class/ttl/len!"); return(mDNSNULL); }
+
+ rr->resrec.rrtype = (mDNSu16) ((mDNSu16)ptr[0] << 8 | ptr[1]);
+ rr->resrec.rrclass = (mDNSu16)(((mDNSu16)ptr[2] << 8 | ptr[3]) & kDNSClass_Mask);
+ rr->resrec.rroriginalttl = (mDNSu32) ((mDNSu32)ptr[4] << 24 | (mDNSu32)ptr[5] << 16 | (mDNSu32)ptr[6] << 8 | ptr[7]);
+ if (rr->resrec.rroriginalttl > 0x70000000UL / mDNSPlatformOneSecond && (mDNSs32)rr->resrec.rroriginalttl != -1)
+ rr->resrec.rroriginalttl = 0x70000000UL / mDNSPlatformOneSecond;
+ // Note: We don't have to adjust m->NextCacheCheck here -- this is just getting a record into memory for
+ // us to look at. If we decide to copy it into the cache, then we'll update m->NextCacheCheck accordingly.
+ pktrdlength = (mDNSu16)((mDNSu16)ptr[8] << 8 | ptr[9]);
+
+ // If mDNS record has cache-flush bit set, we mark it unique
+ // For uDNS records, all are implicitly deemed unique (a single DNS server is always
+ // authoritative for the entire RRSet), unless this is a truncated response
+ if (ptr[2] & (kDNSClass_UniqueRRSet >> 8) || (!InterfaceID && !(msg->h.flags.b[0] & kDNSFlag0_TC)))
+ RecordType |= kDNSRecordTypePacketUniqueMask;
+ ptr += 10;
+ if (ptr + pktrdlength > end) { debugf("GetLargeResourceRecord: RDATA exceeds end of packet"); return(mDNSNULL); }
+ end = ptr + pktrdlength; // Adjust end to indicate the end of the rdata for this resource record
+
+ rr->resrec.rdata = (RData*)&rr->smallrdatastorage;
+ rr->resrec.rdata->MaxRDLength = MaximumRDSize;
+
+ if (pktrdlength > MaximumRDSize)
+ {
+ LogInfo("GetLargeResourceRecord: %s rdata size (%d) exceeds storage (%d)",
+ DNSTypeName(rr->resrec.rrtype), pktrdlength, rr->resrec.rdata->MaxRDLength);
+ goto fail;
+ }
+
+ if (!RecordType) LogMsg("GetLargeResourceRecord: No RecordType for %##s", rr->resrec.name->c);
+
+ // IMPORTANT: Any record type we understand and unpack into a structure containing domainnames needs to have corresponding
+ // cases in SameRDataBody() and RDataHashValue() to do a semantic comparison (or checksum) of the structure instead of a blind
+ // bitwise memory compare (or sum). This is because a domainname is a fixed size structure holding variable-length data.
+ // Any bytes past the logical end of the name are undefined, and a blind bitwise memory compare may indicate that
+ // two domainnames are different when semantically they are the same name and it's only the unused bytes that differ.
+ if (rr->resrec.rrclass == kDNSQClass_ANY && pktrdlength == 0) // Used in update packets to mean "Delete An RRset" (RFC 2136)
+ rr->resrec.rdlength = 0;
+ else if (!SetRData(msg, ptr, end, largecr, pktrdlength))
+ goto fail;
+
+ SetNewRData(&rr->resrec, mDNSNULL, 0); // Sets rdlength, rdestimate, rdatahash for us
+
+ // Success! Now fill in RecordType to show this record contains valid data
+ rr->resrec.RecordType = RecordType;
+ return(end);
+
+fail:
+ // If we were unable to parse the rdata in this record, we indicate that by
+ // returing a 'kDNSRecordTypePacketNegative' record with rdlength set to zero
+ rr->resrec.RecordType = kDNSRecordTypePacketNegative;
+ rr->resrec.rdlength = 0;
+ rr->resrec.rdestimate = 0;
+ rr->resrec.rdatahash = 0;
+ return(end);
+}
+
+mDNSexport const mDNSu8 *skipQuestion(const DNSMessage *msg, const mDNSu8 *ptr, const mDNSu8 *end)
+{
+ ptr = skipDomainName(msg, ptr, end);
+ if (!ptr) { debugf("skipQuestion: Malformed domain name in DNS question section"); return(mDNSNULL); }
+ if (ptr+4 > end) { debugf("skipQuestion: Malformed DNS question section -- no query type and class!"); return(mDNSNULL); }
+ return(ptr+4);
+}
+
+mDNSexport const mDNSu8 *getQuestion(const DNSMessage *msg, const mDNSu8 *ptr, const mDNSu8 *end, const mDNSInterfaceID InterfaceID,
+ DNSQuestion *question)
+{
+ mDNSPlatformMemZero(question, sizeof(*question));
+ question->InterfaceID = InterfaceID;
+ if (!InterfaceID) question->TargetQID = onesID; // In DNSQuestions we use TargetQID as the indicator of whether it's unicast or multicast
+ ptr = getDomainName(msg, ptr, end, &question->qname);
+ if (!ptr) { debugf("Malformed domain name in DNS question section"); return(mDNSNULL); }
+ if (ptr+4 > end) { debugf("Malformed DNS question section -- no query type and class!"); return(mDNSNULL); }
+
+ question->qnamehash = DomainNameHashValue(&question->qname);
+ question->qtype = (mDNSu16)((mDNSu16)ptr[0] << 8 | ptr[1]); // Get type
+ question->qclass = (mDNSu16)((mDNSu16)ptr[2] << 8 | ptr[3]); // and class
+ return(ptr+4);
+}
+
+mDNSexport const mDNSu8 *LocateAnswers(const DNSMessage *const msg, const mDNSu8 *const end)
+{
+ int i;
+ const mDNSu8 *ptr = msg->data;
+ for (i = 0; i < msg->h.numQuestions && ptr; i++) ptr = skipQuestion(msg, ptr, end);
+ return(ptr);
+}
+
+mDNSexport const mDNSu8 *LocateAuthorities(const DNSMessage *const msg, const mDNSu8 *const end)
+{
+ int i;
+ const mDNSu8 *ptr = LocateAnswers(msg, end);
+ for (i = 0; i < msg->h.numAnswers && ptr; i++) ptr = skipResourceRecord(msg, ptr, end);
+ return(ptr);
+}
+
+mDNSexport const mDNSu8 *LocateAdditionals(const DNSMessage *const msg, const mDNSu8 *const end)
+{
+ int i;
+ const mDNSu8 *ptr = LocateAuthorities(msg, end);
+ for (i = 0; i < msg->h.numAuthorities; i++) ptr = skipResourceRecord(msg, ptr, end);
+ return (ptr);
+}
+
+mDNSexport const mDNSu8 *LocateOptRR(const DNSMessage *const msg, const mDNSu8 *const end, int minsize)
+{
+ int i;
+ const mDNSu8 *ptr = LocateAdditionals(msg, end);
+
+ // Locate the OPT record.
+ // According to RFC 2671, "One OPT pseudo-RR can be added to the additional data section of either a request or a response."
+ // This implies that there may be *at most* one OPT record per DNS message, in the Additional Section,
+ // but not necessarily the *last* entry in the Additional Section.
+ for (i = 0; ptr && i < msg->h.numAdditionals; i++)
+ {
+ if (ptr + DNSOpt_Header_Space + minsize <= end && // Make sure we have 11+minsize bytes of data
+ ptr[0] == 0 && // Name must be root label
+ ptr[1] == (kDNSType_OPT >> 8 ) && // rrtype OPT
+ ptr[2] == (kDNSType_OPT & 0xFF) &&
+ ((mDNSu16)ptr[9] << 8 | (mDNSu16)ptr[10]) >= (mDNSu16)minsize)
+ return(ptr);
+ else
+ ptr = skipResourceRecord(msg, ptr, end);
+ }
+ return(mDNSNULL);
+}
+
+// On success, GetLLQOptData returns pointer to storage within shared "m->rec";
+// it is caller's responsibilty to clear m->rec.r.resrec.RecordType after use
+// Note: An OPT RDataBody actually contains one or more variable-length rdataOPT objects packed together
+// The code that currently calls this assumes there's only one, instead of iterating through the set
+mDNSexport const rdataOPT *GetLLQOptData(mDNS *const m, const DNSMessage *const msg, const mDNSu8 *const end)
+{
+ const mDNSu8 *ptr = LocateOptRR(msg, end, DNSOpt_LLQData_Space);
+ if (ptr)
+ {
+ ptr = GetLargeResourceRecord(m, msg, ptr, end, 0, kDNSRecordTypePacketAdd, &m->rec);
+ if (ptr && m->rec.r.resrec.RecordType != kDNSRecordTypePacketNegative) return(&m->rec.r.resrec.rdata->u.opt[0]);
+ }
+ return(mDNSNULL);
+}
+
+// Get the lease life of records in a dynamic update
+// returns 0 on error or if no lease present
+mDNSexport mDNSu32 GetPktLease(mDNS *m, DNSMessage *msg, const mDNSu8 *end)
+{
+ mDNSu32 result = 0;
+ const mDNSu8 *ptr = LocateOptRR(msg, end, DNSOpt_LeaseData_Space);
+ if (ptr) ptr = GetLargeResourceRecord(m, msg, ptr, end, 0, kDNSRecordTypePacketAdd, &m->rec);
+ if (ptr && m->rec.r.resrec.rdlength >= DNSOpt_LeaseData_Space && m->rec.r.resrec.rdata->u.opt[0].opt == kDNSOpt_Lease)
+ result = m->rec.r.resrec.rdata->u.opt[0].u.updatelease;
+ m->rec.r.resrec.RecordType = 0; // Clear RecordType to show we're not still using it
+ return(result);
+}
+
+mDNSlocal const mDNSu8 *DumpRecords(mDNS *const m, const DNSMessage *const msg, const mDNSu8 *ptr, const mDNSu8 *const end, int count, char *label)
+{
+ int i;
+ LogMsg("%2d %s", count, label);
+ for (i = 0; i < count && ptr; i++)
+ {
+ // This puts a LargeCacheRecord on the stack instead of using the shared m->rec storage,
+ // but since it's only used for debugging (and probably only on OS X, not on
+ // embedded systems) putting a 9kB object on the stack isn't a big problem.
+ LargeCacheRecord largecr;
+ ptr = GetLargeResourceRecord(m, msg, ptr, end, mDNSInterface_Any, kDNSRecordTypePacketAns, &largecr);
+ if (ptr) LogMsg("%2d TTL%8d %s", i, largecr.r.resrec.rroriginalttl, CRDisplayString(m, &largecr.r));
+ }
+ if (!ptr) LogMsg("DumpRecords: ERROR: Premature end of packet data");
+ return(ptr);
+}
+
+#define DNS_OP_Name(X) ( \
+ (X) == kDNSFlag0_OP_StdQuery ? "" : \
+ (X) == kDNSFlag0_OP_Iquery ? "Iquery " : \
+ (X) == kDNSFlag0_OP_Status ? "Status " : \
+ (X) == kDNSFlag0_OP_Unused3 ? "Unused3 " : \
+ (X) == kDNSFlag0_OP_Notify ? "Notify " : \
+ (X) == kDNSFlag0_OP_Update ? "Update " : "?? " )
+
+#define DNS_RC_Name(X) ( \
+ (X) == kDNSFlag1_RC_NoErr ? "NoErr" : \
+ (X) == kDNSFlag1_RC_FormErr ? "FormErr" : \
+ (X) == kDNSFlag1_RC_ServFail ? "ServFail" : \
+ (X) == kDNSFlag1_RC_NXDomain ? "NXDomain" : \
+ (X) == kDNSFlag1_RC_NotImpl ? "NotImpl" : \
+ (X) == kDNSFlag1_RC_Refused ? "Refused" : \
+ (X) == kDNSFlag1_RC_YXDomain ? "YXDomain" : \
+ (X) == kDNSFlag1_RC_YXRRSet ? "YXRRSet" : \
+ (X) == kDNSFlag1_RC_NXRRSet ? "NXRRSet" : \
+ (X) == kDNSFlag1_RC_NotAuth ? "NotAuth" : \
+ (X) == kDNSFlag1_RC_NotZone ? "NotZone" : "??" )
+
+// Note: DumpPacket expects the packet header fields in host byte order, not network byte order
+mDNSexport void DumpPacket(mDNS *const m, mStatus status, mDNSBool sent, char *transport,
+ const mDNSAddr *srcaddr, mDNSIPPort srcport,
+ const mDNSAddr *dstaddr, mDNSIPPort dstport, const DNSMessage *const msg, const mDNSu8 *const end)
+{
+ mDNSBool IsUpdate = ((msg->h.flags.b[0] & kDNSFlag0_OP_Mask) == kDNSFlag0_OP_Update);
+ const mDNSu8 *ptr = msg->data;
+ int i;
+ DNSQuestion q;
+ char tbuffer[64], sbuffer[64], dbuffer[64] = "";
+ if (!status) tbuffer[mDNS_snprintf(tbuffer, sizeof(tbuffer), sent ? "Sent" : "Received" )] = 0;
+ else tbuffer[mDNS_snprintf(tbuffer, sizeof(tbuffer), "ERROR %d %sing", status, sent ? "Send" : "Receive")] = 0;
+ if (sent) sbuffer[mDNS_snprintf(sbuffer, sizeof(sbuffer), "port " )] = 0;
+ else sbuffer[mDNS_snprintf(sbuffer, sizeof(sbuffer), "%#a:", srcaddr)] = 0;
+ if (dstaddr || !mDNSIPPortIsZero(dstport))
+ dbuffer[mDNS_snprintf(dbuffer, sizeof(dbuffer), " to %#a:%d", dstaddr, mDNSVal16(dstport))] = 0;
+
+ LogMsg("-- %s %s DNS %s%s (flags %02X%02X) RCODE: %s (%d) %s%s%s%s%s%sID: %d %d bytes from %s%d%s%s --",
+ tbuffer, transport,
+ DNS_OP_Name(msg->h.flags.b[0] & kDNSFlag0_OP_Mask),
+ msg->h.flags.b[0] & kDNSFlag0_QR_Response ? "Response" : "Query",
+ msg->h.flags.b[0], msg->h.flags.b[1],
+ DNS_RC_Name(msg->h.flags.b[1] & kDNSFlag1_RC_Mask),
+ msg->h.flags.b[1] & kDNSFlag1_RC_Mask,
+ msg->h.flags.b[0] & kDNSFlag0_AA ? "AA " : "",
+ msg->h.flags.b[0] & kDNSFlag0_TC ? "TC " : "",
+ msg->h.flags.b[0] & kDNSFlag0_RD ? "RD " : "",
+ msg->h.flags.b[1] & kDNSFlag1_RA ? "RA " : "",
+ msg->h.flags.b[1] & kDNSFlag1_AD ? "AD " : "",
+ msg->h.flags.b[1] & kDNSFlag1_CD ? "CD " : "",
+ mDNSVal16(msg->h.id),
+ end - msg->data,
+ sbuffer, mDNSVal16(srcport), dbuffer,
+ (msg->h.flags.b[0] & kDNSFlag0_TC) ? " (truncated)" : ""
+ );
+
+ LogMsg("%2d %s", msg->h.numQuestions, IsUpdate ? "Zone" : "Questions");
+ for (i = 0; i < msg->h.numQuestions && ptr; i++)
+ {
+ ptr = getQuestion(msg, ptr, end, mDNSInterface_Any, &q);
+ if (ptr) LogMsg("%2d %##s %s", i, q.qname.c, DNSTypeName(q.qtype));
+ }
+ ptr = DumpRecords(m, msg, ptr, end, msg->h.numAnswers, IsUpdate ? "Prerequisites" : "Answers");
+ ptr = DumpRecords(m, msg, ptr, end, msg->h.numAuthorities, IsUpdate ? "Updates" : "Authorities");
+ ptr = DumpRecords(m, msg, ptr, end, msg->h.numAdditionals, "Additionals");
+ LogMsg("--------------");
+}
+
+// ***************************************************************************
+#if COMPILER_LIKES_PRAGMA_MARK
+#pragma mark -
+#pragma mark - Packet Sending Functions
+#endif
+
+// Stub definition of TCPSocket_struct so we can access flags field. (Rest of TCPSocket_struct is platform-dependent.)
+struct TCPSocket_struct { TCPSocketFlags flags; /* ... */ };
+
+struct UDPSocket_struct
+{
+ mDNSIPPort port; // MUST BE FIRST FIELD -- mDNSCoreReceive expects every UDPSocket_struct to begin with mDNSIPPort port
+};
+
+// Note: When we sign a DNS message using DNSDigest_SignMessage(), the current real-time clock value is used, which
+// is why we generally defer signing until we send the message, to ensure the signature is as fresh as possible.
+mDNSexport mStatus mDNSSendDNSMessage(mDNS *const m, DNSMessage *const msg, mDNSu8 *end,
+ mDNSInterfaceID InterfaceID, UDPSocket *src, const mDNSAddr *dst,
+ mDNSIPPort dstport, TCPSocket *sock, DomainAuthInfo *authInfo,
+ mDNSBool useBackgroundTrafficClass)
+{
+ mStatus status = mStatus_NoError;
+ const mDNSu16 numAdditionals = msg->h.numAdditionals;
+ mDNSu8 *newend;
+ mDNSu8 *limit = msg->data + AbsoluteMaxDNSMessageData;
+
+#if APPLE_OSX_mDNSResponder
+ // maintain outbound packet statistics
+ if (mDNSOpaque16IsZero(msg->h.id))
+ m->MulticastPacketsSent++;
+ else
+ m->UnicastPacketsSent++;
+#endif // APPLE_OSX_mDNSResponder
+
+ // Zero-length message data is okay (e.g. for a DNS Update ack, where all we need is an ID and an error code
+ if (end < msg->data || end - msg->data > AbsoluteMaxDNSMessageData)
+ {
+ LogMsg("mDNSSendDNSMessage: invalid message %p %p %d", msg->data, end, end - msg->data);
+ return mStatus_BadParamErr;
+ }
+
+ newend = putHINFO(m, msg, end, authInfo, limit);
+ if (!newend) LogMsg("mDNSSendDNSMessage: putHINFO failed msg %p end %p, limit %p", msg->data, end, limit); // Not fatal
+ else end = newend;
+
+ // Put all the integer values in IETF byte-order (MSB first, LSB second)
+ SwapDNSHeaderBytes(msg);
+
+ if (authInfo) DNSDigest_SignMessage(msg, &end, authInfo, 0); // DNSDigest_SignMessage operates on message in network byte order
+ if (!end) { LogMsg("mDNSSendDNSMessage: DNSDigest_SignMessage failed"); status = mStatus_NoMemoryErr; }
+ else
+ {
+ // Send the packet on the wire
+ if (!sock)
+ status = mDNSPlatformSendUDP(m, msg, end, InterfaceID, src, dst, dstport, useBackgroundTrafficClass);
+ else
+ {
+ mDNSu16 msglen = (mDNSu16)(end - (mDNSu8 *)msg);
+ mDNSu8 lenbuf[2] = { (mDNSu8)(msglen >> 8), (mDNSu8)(msglen & 0xFF) };
+ char *buf;
+ long nsent;
+
+ // Try to send them in one packet if we can allocate enough memory
+ buf = mDNSPlatformMemAllocate(msglen + 2);
+ if (buf)
+ {
+ buf[0] = lenbuf[0];
+ buf[1] = lenbuf[1];
+ mDNSPlatformMemCopy(buf+2, msg, msglen);
+ nsent = mDNSPlatformWriteTCP(sock, buf, msglen+2);
+ if (nsent != (msglen + 2))
+ {
+ LogMsg("mDNSSendDNSMessage: write message failed %d/%d", nsent, msglen);
+ status = mStatus_ConnFailed;
+ }
+ mDNSPlatformMemFree(buf);
+ }
+ else
+ {
+ nsent = mDNSPlatformWriteTCP(sock, (char*)lenbuf, 2);
+ if (nsent != 2)
+ {
+ LogMsg("mDNSSendDNSMessage: write msg length failed %d/%d", nsent, 2);
+ status = mStatus_ConnFailed;
+ }
+ else
+ {
+ nsent = mDNSPlatformWriteTCP(sock, (char *)msg, msglen);
+ if (nsent != msglen)
+ {
+ LogMsg("mDNSSendDNSMessage: write msg body failed %d/%d", nsent, msglen);
+ status = mStatus_ConnFailed;
+ }
+ }
+ }
+ }
+ }
+
+ // Swap the integer values back the way they were (remember that numAdditionals may have been changed by putHINFO and/or SignMessage)
+ SwapDNSHeaderBytes(msg);
+
+ // Dump the packet with the HINFO and TSIG
+ if (mDNS_PacketLoggingEnabled && !mDNSOpaque16IsZero(msg->h.id))
+ DumpPacket(m, status, mDNStrue, sock && (sock->flags & kTCPSocketFlags_UseTLS) ? "TLS" : sock ? "TCP" : "UDP", mDNSNULL, src ? src->port : MulticastDNSPort, dst, dstport, msg, end);
+
+ // put the number of additionals back the way it was
+ msg->h.numAdditionals = numAdditionals;
+
+ return(status);
+}
+
+// ***************************************************************************
+#if COMPILER_LIKES_PRAGMA_MARK
+#pragma mark -
+#pragma mark - RR List Management & Task Management
+#endif
+
+mDNSexport void mDNS_Lock_(mDNS *const m, const char * const functionname)
+{
+ // MUST grab the platform lock FIRST!
+ mDNSPlatformLock(m);
+
+ // Normally, mDNS_reentrancy is zero and so is mDNS_busy
+ // However, when we call a client callback mDNS_busy is one, and we increment mDNS_reentrancy too
+ // If that client callback does mDNS API calls, mDNS_reentrancy and mDNS_busy will both be one
+ // If mDNS_busy != mDNS_reentrancy that's a bad sign
+ if (m->mDNS_busy != m->mDNS_reentrancy)
+ {
+ LogMsg("%s: mDNS_Lock: Locking failure! mDNS_busy (%ld) != mDNS_reentrancy (%ld)", functionname, m->mDNS_busy, m->mDNS_reentrancy);
+#if ForceAlerts
+ *(long*)0 = 0;
+#endif
+ }
+
+ // If this is an initial entry into the mDNSCore code, set m->timenow
+ // else, if this is a re-entrant entry into the mDNSCore code, m->timenow should already be set
+ if (m->mDNS_busy == 0)
+ {
+ if (m->timenow)
+ LogMsg("%s: mDNS_Lock: m->timenow already set (%ld/%ld)", functionname, m->timenow, mDNS_TimeNow_NoLock(m));
+ m->timenow = mDNS_TimeNow_NoLock(m);
+ if (m->timenow == 0) m->timenow = 1;
+ }
+ else if (m->timenow == 0)
+ {
+ LogMsg("%s: mDNS_Lock: m->mDNS_busy is %ld but m->timenow not set", functionname, m->mDNS_busy);
+ m->timenow = mDNS_TimeNow_NoLock(m);
+ if (m->timenow == 0) m->timenow = 1;
+ }
+
+ if (m->timenow_last - m->timenow > 0)
+ {
+ m->timenow_adjust += m->timenow_last - m->timenow;
+ LogMsg("%s: mDNSPlatformRawTime went backwards by %ld ticks; setting correction factor to %ld", functionname, m->timenow_last - m->timenow, m->timenow_adjust);
+ m->timenow = m->timenow_last;
+ }
+ m->timenow_last = m->timenow;
+
+ // Increment mDNS_busy so we'll recognise re-entrant calls
+ m->mDNS_busy++;
+}
+
+mDNSlocal AuthRecord *AnyLocalRecordReady(const mDNS *const m)
+{
+ AuthRecord *rr;
+ for (rr = m->NewLocalRecords; rr; rr = rr->next)
+ if (LocalRecordReady(rr)) return rr;
+ return mDNSNULL;
+}
+
+mDNSlocal mDNSs32 GetNextScheduledEvent(const mDNS *const m)
+{
+ mDNSs32 e = m->timenow + 0x78000000;
+ if (m->mDNSPlatformStatus != mStatus_NoError) return(e);
+ if (m->NewQuestions)
+ {
+ if (m->NewQuestions->DelayAnswering) e = m->NewQuestions->DelayAnswering;
+ else return(m->timenow);
+ }
+ if (m->NewLocalOnlyQuestions) return(m->timenow);
+ if (m->NewLocalRecords && AnyLocalRecordReady(m)) return(m->timenow);
+ if (m->NewLocalOnlyRecords) return(m->timenow);
+ if (m->SPSProxyListChanged) return(m->timenow);
+ if (m->LocalRemoveEvents) return(m->timenow);
+
+#ifndef UNICAST_DISABLED
+ if (e - m->NextuDNSEvent > 0) e = m->NextuDNSEvent;
+ if (e - m->NextScheduledNATOp > 0) e = m->NextScheduledNATOp;
+ if (m->NextSRVUpdate && e - m->NextSRVUpdate > 0) e = m->NextSRVUpdate;
+#endif
+
+ if (e - m->NextCacheCheck > 0) e = m->NextCacheCheck;
+ if (e - m->NextScheduledSPS > 0) e = m->NextScheduledSPS;
+ if (e - m->NextScheduledKA > 0) e = m->NextScheduledKA;
+
+ // NextScheduledSPRetry only valid when DelaySleep not set
+ if (!m->DelaySleep && m->SleepLimit && e - m->NextScheduledSPRetry > 0) e = m->NextScheduledSPRetry;
+ if (m->DelaySleep && e - m->DelaySleep > 0) e = m->DelaySleep;
+
+ if (m->SuppressSending)
+ {
+ if (e - m->SuppressSending > 0) e = m->SuppressSending;
+ }
+ else
+ {
+ if (e - m->NextScheduledQuery > 0) e = m->NextScheduledQuery;
+ if (e - m->NextScheduledProbe > 0) e = m->NextScheduledProbe;
+ if (e - m->NextScheduledResponse > 0) e = m->NextScheduledResponse;
+ }
+ if (e - m->NextScheduledStopTime > 0) e = m->NextScheduledStopTime;
+ return(e);
+}
+
+mDNSexport void ShowTaskSchedulingError(mDNS *const m)
+{
+ AuthRecord *rr;
+ mDNS_Lock(m);
+
+ LogMsg("Task Scheduling Error: Continuously busy for more than a second");
+
+ // Note: To accurately diagnose *why* we're busy, the debugging code here needs to mirror the logic in GetNextScheduledEvent above
+
+ if (m->NewQuestions && (!m->NewQuestions->DelayAnswering || m->timenow - m->NewQuestions->DelayAnswering >= 0))
+ LogMsg("Task Scheduling Error: NewQuestion %##s (%s)",
+ m->NewQuestions->qname.c, DNSTypeName(m->NewQuestions->qtype));
+
+ if (m->NewLocalOnlyQuestions)
+ LogMsg("Task Scheduling Error: NewLocalOnlyQuestions %##s (%s)",
+ m->NewLocalOnlyQuestions->qname.c, DNSTypeName(m->NewLocalOnlyQuestions->qtype));
+
+ if (m->NewLocalRecords)
+ {
+ rr = AnyLocalRecordReady(m);
+ if (rr) LogMsg("Task Scheduling Error: NewLocalRecords %s", ARDisplayString(m, rr));
+ }
+
+ if (m->NewLocalOnlyRecords) LogMsg("Task Scheduling Error: NewLocalOnlyRecords");
+
+ if (m->SPSProxyListChanged) LogMsg("Task Scheduling Error: SPSProxyListChanged");
+ if (m->LocalRemoveEvents) LogMsg("Task Scheduling Error: LocalRemoveEvents");
+
+ if (m->timenow - m->NextScheduledEvent >= 0)
+ LogMsg("Task Scheduling Error: m->NextScheduledEvent %d", m->timenow - m->NextScheduledEvent);
+
+#ifndef UNICAST_DISABLED
+ if (m->timenow - m->NextuDNSEvent >= 0)
+ LogMsg("Task Scheduling Error: m->NextuDNSEvent %d", m->timenow - m->NextuDNSEvent);
+ if (m->timenow - m->NextScheduledNATOp >= 0)
+ LogMsg("Task Scheduling Error: m->NextScheduledNATOp %d", m->timenow - m->NextScheduledNATOp);
+ if (m->NextSRVUpdate && m->timenow - m->NextSRVUpdate >= 0)
+ LogMsg("Task Scheduling Error: m->NextSRVUpdate %d", m->timenow - m->NextSRVUpdate);
+#endif
+
+ if (m->timenow - m->NextCacheCheck >= 0)
+ LogMsg("Task Scheduling Error: m->NextCacheCheck %d", m->timenow - m->NextCacheCheck);
+ if (m->timenow - m->NextScheduledSPS >= 0)
+ LogMsg("Task Scheduling Error: m->NextScheduledSPS %d", m->timenow - m->NextScheduledSPS);
+ if (m->timenow - m->NextScheduledKA >= 0)
+ LogMsg("Task Scheduling Error: m->NextScheduledKA %d", m->timenow - m->NextScheduledKA);
+ if (!m->DelaySleep && m->SleepLimit && m->timenow - m->NextScheduledSPRetry >= 0)
+ LogMsg("Task Scheduling Error: m->NextScheduledSPRetry %d", m->timenow - m->NextScheduledSPRetry);
+ if (m->DelaySleep && m->timenow - m->DelaySleep >= 0)
+ LogMsg("Task Scheduling Error: m->DelaySleep %d", m->timenow - m->DelaySleep);
+
+ if (m->SuppressSending && m->timenow - m->SuppressSending >= 0)
+ LogMsg("Task Scheduling Error: m->SuppressSending %d", m->timenow - m->SuppressSending);
+ if (m->timenow - m->NextScheduledQuery >= 0)
+ LogMsg("Task Scheduling Error: m->NextScheduledQuery %d", m->timenow - m->NextScheduledQuery);
+ if (m->timenow - m->NextScheduledProbe >= 0)
+ LogMsg("Task Scheduling Error: m->NextScheduledProbe %d", m->timenow - m->NextScheduledProbe);
+ if (m->timenow - m->NextScheduledResponse >= 0)
+ LogMsg("Task Scheduling Error: m->NextScheduledResponse %d", m->timenow - m->NextScheduledResponse);
+
+ mDNS_Unlock(m);
+}
+
+mDNSexport void mDNS_Unlock_(mDNS *const m, const char * const functionname)
+{
+ // Decrement mDNS_busy
+ m->mDNS_busy--;
+
+ // Check for locking failures
+ if (m->mDNS_busy != m->mDNS_reentrancy)
+ {
+ LogMsg("%s: mDNS_Unlock: Locking failure! mDNS_busy (%ld) != mDNS_reentrancy (%ld)", functionname, m->mDNS_busy, m->mDNS_reentrancy);
+#if ForceAlerts
+ *(long*)0 = 0;
+#endif
+ }
+
+ // If this is a final exit from the mDNSCore code, set m->NextScheduledEvent and clear m->timenow
+ if (m->mDNS_busy == 0)
+ {
+ m->NextScheduledEvent = GetNextScheduledEvent(m);
+ if (m->timenow == 0) LogMsg("%s: mDNS_Unlock: ERROR! m->timenow aready zero", functionname);
+ m->timenow = 0;
+ }
+
+ // MUST release the platform lock LAST!
+ mDNSPlatformUnlock(m);
+}
+
+// ***************************************************************************
+#if COMPILER_LIKES_PRAGMA_MARK
+#pragma mark -
+#pragma mark - Specialized mDNS version of vsnprintf
+#endif
+
+static const struct mDNSprintf_format
+{
+ unsigned leftJustify : 1;
+ unsigned forceSign : 1;
+ unsigned zeroPad : 1;
+ unsigned havePrecision : 1;
+ unsigned hSize : 1;
+ unsigned lSize : 1;
+ char altForm;
+ char sign; // +, - or space
+ unsigned int fieldWidth;
+ unsigned int precision;
+} mDNSprintf_format_default = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
+
+mDNSexport mDNSu32 mDNS_vsnprintf(char *sbuffer, mDNSu32 buflen, const char *fmt, va_list arg)
+{
+ mDNSu32 nwritten = 0;
+ int c;
+ if (buflen == 0) return(0);
+ buflen--; // Pre-reserve one space in the buffer for the terminating null
+ if (buflen == 0) goto exit;
+
+ for (c = *fmt; c != 0; c = *++fmt)
+ {
+ if (c != '%')
+ {
+ *sbuffer++ = (char)c;
+ if (++nwritten >= buflen) goto exit;
+ }
+ else
+ {
+ unsigned int i=0, j;
+ // The mDNS Vsprintf Argument Conversion Buffer is used as a temporary holding area for
+ // generating decimal numbers, hexdecimal numbers, IP addresses, domain name strings, etc.
+ // The size needs to be enough for a 256-byte domain name plus some error text.
+ #define mDNS_VACB_Size 300
+ char mDNS_VACB[mDNS_VACB_Size];
+ #define mDNS_VACB_Lim (&mDNS_VACB[mDNS_VACB_Size])
+ #define mDNS_VACB_Remain(s) ((mDNSu32)(mDNS_VACB_Lim - s))
+ char *s = mDNS_VACB_Lim, *digits;
+ struct mDNSprintf_format F = mDNSprintf_format_default;
+
+ while (1) // decode flags
+ {
+ c = *++fmt;
+ if (c == '-') F.leftJustify = 1;
+ else if (c == '+') F.forceSign = 1;
+ else if (c == ' ') F.sign = ' ';
+ else if (c == '#') F.altForm++;
+ else if (c == '0') F.zeroPad = 1;
+ else break;
+ }
+
+ if (c == '*') // decode field width
+ {
+ int f = va_arg(arg, int);
+ if (f < 0) { f = -f; F.leftJustify = 1; }
+ F.fieldWidth = (unsigned int)f;
+ c = *++fmt;
+ }
+ else
+ {
+ for (; c >= '0' && c <= '9'; c = *++fmt)
+ F.fieldWidth = (10 * F.fieldWidth) + (c - '0');
+ }
+
+ if (c == '.') // decode precision
+ {
+ if ((c = *++fmt) == '*')
+ { F.precision = va_arg(arg, unsigned int); c = *++fmt; }
+ else for (; c >= '0' && c <= '9'; c = *++fmt)
+ F.precision = (10 * F.precision) + (c - '0');
+ F.havePrecision = 1;
+ }
+
+ if (F.leftJustify) F.zeroPad = 0;
+
+conv:
+ switch (c) // perform appropriate conversion
+ {
+ unsigned long n;
+ case 'h': F.hSize = 1; c = *++fmt; goto conv;
+ case 'l': // fall through
+ case 'L': F.lSize = 1; c = *++fmt; goto conv;
+ case 'd':
+ case 'i': if (F.lSize) n = (unsigned long)va_arg(arg, long);
+ else n = (unsigned long)va_arg(arg, int);
+ if (F.hSize) n = (short) n;
+ if ((long) n < 0) { n = (unsigned long)-(long)n; F.sign = '-'; }
+ else if (F.forceSign) F.sign = '+';
+ goto decimal;
+ case 'u': if (F.lSize) n = va_arg(arg, unsigned long);
+ else n = va_arg(arg, unsigned int);
+ if (F.hSize) n = (unsigned short) n;
+ F.sign = 0;
+ goto decimal;
+decimal: if (!F.havePrecision)
+ {
+ if (F.zeroPad)
+ {
+ F.precision = F.fieldWidth;
+ if (F.sign) --F.precision;
+ }
+ if (F.precision < 1) F.precision = 1;
+ }
+ if (F.precision > mDNS_VACB_Size - 1)
+ F.precision = mDNS_VACB_Size - 1;
+ for (i = 0; n; n /= 10, i++) *--s = (char)(n % 10 + '0');
+ for (; i < F.precision; i++) *--s = '0';
+ if (F.sign) { *--s = F.sign; i++; }
+ break;
+
+ case 'o': if (F.lSize) n = va_arg(arg, unsigned long);
+ else n = va_arg(arg, unsigned int);
+ if (F.hSize) n = (unsigned short) n;
+ if (!F.havePrecision)
+ {
+ if (F.zeroPad) F.precision = F.fieldWidth;
+ if (F.precision < 1) F.precision = 1;
+ }
+ if (F.precision > mDNS_VACB_Size - 1)
+ F.precision = mDNS_VACB_Size - 1;
+ for (i = 0; n; n /= 8, i++) *--s = (char)(n % 8 + '0');
+ if (F.altForm && i && *s != '0') { *--s = '0'; i++; }
+ for (; i < F.precision; i++) *--s = '0';
+ break;
+
+ case 'a': {
+ unsigned char *a = va_arg(arg, unsigned char *);
+ if (!a) { static char emsg[] = "<<NULL>>"; s = emsg; i = sizeof(emsg)-1; }
+ else
+ {
+ s = mDNS_VACB; // Adjust s to point to the start of the buffer, not the end
+ if (F.altForm)
+ {
+ mDNSAddr *ip = (mDNSAddr*)a;
+ switch (ip->type)
+ {
+ case mDNSAddrType_IPv4: F.precision = 4; a = (unsigned char *)&ip->ip.v4; break;
+ case mDNSAddrType_IPv6: F.precision = 16; a = (unsigned char *)&ip->ip.v6; break;
+ default: F.precision = 0; break;
+ }
+ }
+ if (F.altForm && !F.precision)
+ i = mDNS_snprintf(mDNS_VACB, sizeof(mDNS_VACB), "«ZERO ADDRESS»");
+ else switch (F.precision)
+ {
+ case 4: i = mDNS_snprintf(mDNS_VACB, sizeof(mDNS_VACB), "%d.%d.%d.%d",
+ a[0], a[1], a[2], a[3]); break;
+ case 6: i = mDNS_snprintf(mDNS_VACB, sizeof(mDNS_VACB), "%02X:%02X:%02X:%02X:%02X:%02X",
+ a[0], a[1], a[2], a[3], a[4], a[5]); break;
+ case 16: i = mDNS_snprintf(mDNS_VACB, sizeof(mDNS_VACB),
+ "%02X%02X:%02X%02X:%02X%02X:%02X%02X:%02X%02X:%02X%02X:%02X%02X:%02X%02X",
+ a[0x0], a[0x1], a[0x2], a[0x3], a[0x4], a[0x5], a[0x6], a[0x7],
+ a[0x8], a[0x9], a[0xA], a[0xB], a[0xC], a[0xD], a[0xE], a[0xF]); break;
+ default: i = mDNS_snprintf(mDNS_VACB, sizeof(mDNS_VACB), "%s", "<< ERROR: Must specify"
+ " address size (i.e. %.4a=IPv4, %.6a=Ethernet, %.16a=IPv6) >>"); break;
+ }
+ }
+ }
+ break;
+
+ case 'p': F.havePrecision = F.lSize = 1;
+ F.precision = sizeof(void*) * 2; // 8 characters on 32-bit; 16 characters on 64-bit
+ case 'X': digits = "0123456789ABCDEF";
+ goto hexadecimal;
+ case 'x': digits = "0123456789abcdef";
+hexadecimal: if (F.lSize) n = va_arg(arg, unsigned long);
+ else n = va_arg(arg, unsigned int);
+ if (F.hSize) n = (unsigned short) n;
+ if (!F.havePrecision)
+ {
+ if (F.zeroPad)
+ {
+ F.precision = F.fieldWidth;
+ if (F.altForm) F.precision -= 2;
+ }
+ if (F.precision < 1) F.precision = 1;
+ }
+ if (F.precision > mDNS_VACB_Size - 1)
+ F.precision = mDNS_VACB_Size - 1;
+ for (i = 0; n; n /= 16, i++) *--s = digits[n % 16];
+ for (; i < F.precision; i++) *--s = '0';
+ if (F.altForm) { *--s = (char)c; *--s = '0'; i += 2; }
+ break;
+
+ case 'c': *--s = (char)va_arg(arg, int); i = 1; break;
+
+ case 's': s = va_arg(arg, char *);
+ if (!s) { static char emsg[] = "<<NULL>>"; s = emsg; i = sizeof(emsg)-1; }
+ else switch (F.altForm)
+ {
+ case 0: i=0;
+ if (!F.havePrecision) // C string
+ while (s[i]) i++;
+ else
+ {
+ while ((i < F.precision) && s[i]) i++;
+ // Make sure we don't truncate in the middle of a UTF-8 character
+ // If last character we got was any kind of UTF-8 multi-byte character,
+ // then see if we have to back up.
+ // This is not as easy as the similar checks below, because
+ // here we can't assume it's safe to examine the *next* byte, so we
+ // have to confine ourselves to working only backwards in the string.
+ j = i; // Record where we got to
+ // Now, back up until we find first non-continuation-char
+ while (i>0 && (s[i-1] & 0xC0) == 0x80) i--;
+ // Now s[i-1] is the first non-continuation-char
+ // and (j-i) is the number of continuation-chars we found
+ if (i>0 && (s[i-1] & 0xC0) == 0xC0) // If we found a start-char
+ {
+ i--; // Tentatively eliminate this start-char as well
+ // Now (j-i) is the number of characters we're considering eliminating.
+ // To be legal UTF-8, the start-char must contain (j-i) one-bits,
+ // followed by a zero bit. If we shift it right by (7-(j-i)) bits
+ // (with sign extension) then the result has to be 0xFE.
+ // If this is right, then we reinstate the tentatively eliminated bytes.
+ if (((j-i) < 7) && (((s[i] >> (7-(j-i))) & 0xFF) == 0xFE)) i = j;
+ }
+ }
+ break;
+ case 1: i = (unsigned char) *s++; break; // Pascal string
+ case 2: { // DNS label-sequence name
+ unsigned char *a = (unsigned char *)s;
+ s = mDNS_VACB; // Adjust s to point to the start of the buffer, not the end
+ if (*a == 0) *s++ = '.'; // Special case for root DNS name
+ while (*a)
+ {
+ char buf[63*4+1];
+ if (*a > 63)
+ { s += mDNS_snprintf(s, mDNS_VACB_Remain(s), "<<INVALID LABEL LENGTH %u>>", *a); break; }
+ if (s + *a >= &mDNS_VACB[254])
+ { s += mDNS_snprintf(s, mDNS_VACB_Remain(s), "<<NAME TOO LONG>>"); break; }
+ // Need to use ConvertDomainLabelToCString to do proper escaping here,
+ // so it's clear what's a literal dot and what's a label separator
+ ConvertDomainLabelToCString((domainlabel*)a, buf);
+ s += mDNS_snprintf(s, mDNS_VACB_Remain(s), "%s.", buf);
+ a += 1 + *a;
+ }
+ i = (mDNSu32)(s - mDNS_VACB);
+ s = mDNS_VACB; // Reset s back to the start of the buffer
+ break;
+ }
+ }
+ // Make sure we don't truncate in the middle of a UTF-8 character (see similar comment below)
+ if (F.havePrecision && i > F.precision)
+ { i = F.precision; while (i>0 && (s[i] & 0xC0) == 0x80) i--;}
+ break;
+
+ case 'n': s = va_arg(arg, char *);
+ if (F.hSize) *(short *) s = (short)nwritten;
+ else if (F.lSize) *(long *) s = (long)nwritten;
+ else *(int *) s = (int)nwritten;
+ continue;
+
+ default: s = mDNS_VACB;
+ i = mDNS_snprintf(mDNS_VACB, sizeof(mDNS_VACB), "<<UNKNOWN FORMAT CONVERSION CODE %%%c>>", c);
+
+ case '%': *sbuffer++ = (char)c;
+ if (++nwritten >= buflen) goto exit;
+ break;
+ }
+
+ if (i < F.fieldWidth && !F.leftJustify) // Pad on the left
+ do {
+ *sbuffer++ = ' ';
+ if (++nwritten >= buflen) goto exit;
+ } while (i < --F.fieldWidth);
+
+ // Make sure we don't truncate in the middle of a UTF-8 character.
+ // Note: s[i] is the first eliminated character; i.e. the next character *after* the last character of the
+ // allowed output. If s[i] is a UTF-8 continuation character, then we've cut a unicode character in half,
+ // so back up 'i' until s[i] is no longer a UTF-8 continuation character. (if the input was proprly
+ // formed, s[i] will now be the UTF-8 start character of the multi-byte character we just eliminated).
+ if (i > buflen - nwritten)
+ { i = buflen - nwritten; while (i>0 && (s[i] & 0xC0) == 0x80) i--;}
+ for (j=0; j<i; j++) *sbuffer++ = *s++; // Write the converted result
+ nwritten += i;
+ if (nwritten >= buflen) goto exit;
+
+ for (; i < F.fieldWidth; i++) // Pad on the right
+ {
+ *sbuffer++ = ' ';
+ if (++nwritten >= buflen) goto exit;
+ }
+ }
+ }
+exit:
+ *sbuffer++ = 0;
+ return(nwritten);
+}
+
+mDNSexport mDNSu32 mDNS_snprintf(char *sbuffer, mDNSu32 buflen, const char *fmt, ...)
+{
+ mDNSu32 length;
+
+ va_list ptr;
+ va_start(ptr,fmt);
+ length = mDNS_vsnprintf(sbuffer, buflen, fmt, ptr);
+ va_end(ptr);
+
+ return(length);
+}
diff --git a/mDNSResponder/mDNSCore/DNSCommon.h b/mDNSResponder/mDNSCore/DNSCommon.h
new file mode 100644
index 00000000..b92f5a9a
--- /dev/null
+++ b/mDNSResponder/mDNSCore/DNSCommon.h
@@ -0,0 +1,315 @@
+/* -*- Mode: C; tab-width: 4 -*-
+ *
+ * Copyright (c) 2002-2003 Apple Computer, Inc. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef __DNSCOMMON_H_
+#define __DNSCOMMON_H_
+
+#include "mDNSEmbeddedAPI.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+//*************************************************************************************************************
+// Macros
+
+// Note: The C preprocessor stringify operator ('#') makes a string from its argument, without macro expansion
+// e.g. If "version" is #define'd to be "4", then STRINGIFY_AWE(version) will return the string "version", not "4"
+// To expand "version" to its value before making the string, use STRINGIFY(version) instead
+#define STRINGIFY_ARGUMENT_WITHOUT_EXPANSION(s) # s
+#define STRINGIFY(s) STRINGIFY_ARGUMENT_WITHOUT_EXPANSION(s)
+
+// ***************************************************************************
+#if COMPILER_LIKES_PRAGMA_MARK
+#pragma mark - DNS Protocol Constants
+#endif
+
+typedef enum
+{
+ kDNSFlag0_QR_Mask = 0x80, // Query or response?
+ kDNSFlag0_QR_Query = 0x00,
+ kDNSFlag0_QR_Response = 0x80,
+
+ kDNSFlag0_OP_Mask = 0x78, // Operation type
+ kDNSFlag0_OP_StdQuery = 0x00,
+ kDNSFlag0_OP_Iquery = 0x08,
+ kDNSFlag0_OP_Status = 0x10,
+ kDNSFlag0_OP_Unused3 = 0x18,
+ kDNSFlag0_OP_Notify = 0x20,
+ kDNSFlag0_OP_Update = 0x28,
+
+ kDNSFlag0_QROP_Mask = kDNSFlag0_QR_Mask | kDNSFlag0_OP_Mask,
+
+ kDNSFlag0_AA = 0x04, // Authoritative Answer?
+ kDNSFlag0_TC = 0x02, // Truncated?
+ kDNSFlag0_RD = 0x01, // Recursion Desired?
+ kDNSFlag1_RA = 0x80, // Recursion Available?
+
+ kDNSFlag1_Zero = 0x40, // Reserved; must be zero
+ kDNSFlag1_AD = 0x20, // Authentic Data [RFC 2535]
+ kDNSFlag1_CD = 0x10, // Checking Disabled [RFC 2535]
+
+ kDNSFlag1_RC_Mask = 0x0F, // Response code
+ kDNSFlag1_RC_NoErr = 0x00,
+ kDNSFlag1_RC_FormErr = 0x01,
+ kDNSFlag1_RC_ServFail = 0x02,
+ kDNSFlag1_RC_NXDomain = 0x03,
+ kDNSFlag1_RC_NotImpl = 0x04,
+ kDNSFlag1_RC_Refused = 0x05,
+ kDNSFlag1_RC_YXDomain = 0x06,
+ kDNSFlag1_RC_YXRRSet = 0x07,
+ kDNSFlag1_RC_NXRRSet = 0x08,
+ kDNSFlag1_RC_NotAuth = 0x09,
+ kDNSFlag1_RC_NotZone = 0x0A
+} DNS_Flags;
+
+typedef enum
+{
+ TSIG_ErrBadSig = 16,
+ TSIG_ErrBadKey = 17,
+ TSIG_ErrBadTime = 18
+} TSIG_ErrorCode;
+
+// ***************************************************************************
+#if COMPILER_LIKES_PRAGMA_MARK
+#pragma mark -
+#pragma mark - General Utility Functions
+#endif
+
+extern NetworkInterfaceInfo *GetFirstActiveInterface(NetworkInterfaceInfo *intf);
+extern mDNSInterfaceID GetNextActiveInterfaceID(const NetworkInterfaceInfo *intf);
+
+extern mDNSu32 mDNSRandom(mDNSu32 max); // Returns pseudo-random result from zero to max inclusive
+
+// ***************************************************************************
+#if COMPILER_LIKES_PRAGMA_MARK
+#pragma mark -
+#pragma mark - Domain Name Utility Functions
+#endif
+
+#define mDNSSubTypeLabel "\x04_sub"
+
+#define mDNSIsDigit(X) ((X) >= '0' && (X) <= '9')
+#define mDNSIsUpperCase(X) ((X) >= 'A' && (X) <= 'Z')
+#define mDNSIsLowerCase(X) ((X) >= 'a' && (X) <= 'z')
+#define mDNSIsLetter(X) (mDNSIsUpperCase(X) || mDNSIsLowerCase(X))
+
+#define mDNSValidHostChar(X, notfirst, notlast) (mDNSIsLetter(X) || mDNSIsDigit(X) || ((notfirst) && (notlast) && (X) == '-') )
+
+extern mDNSu16 CompressedDomainNameLength(const domainname *const name, const domainname *parent);
+extern int CountLabels(const domainname *d);
+extern const domainname *SkipLeadingLabels(const domainname *d, int skip);
+
+extern mDNSu32 TruncateUTF8ToLength(mDNSu8 *string, mDNSu32 length, mDNSu32 max);
+extern mDNSBool LabelContainsSuffix(const domainlabel *const name, const mDNSBool RichText);
+extern mDNSu32 RemoveLabelSuffix(domainlabel *name, mDNSBool RichText);
+extern void AppendLabelSuffix(domainlabel *const name, mDNSu32 val, const mDNSBool RichText);
+#define ValidateDomainName(N) (DomainNameLength(N) <= MAX_DOMAIN_NAME)
+
+// ***************************************************************************
+#if COMPILER_LIKES_PRAGMA_MARK
+#pragma mark -
+#pragma mark - Resource Record Utility Functions
+#endif
+
+// IdenticalResourceRecord returns true if two resources records have
+// the same name, type, class, and identical rdata (InterfaceID and TTL may differ)
+
+// IdenticalSameNameRecord is the same, except it skips the expensive SameDomainName() check,
+// which is at its most expensive and least useful in cases where we know in advance that the names match
+
+// Note: The dominant use of IdenticalResourceRecord is from ProcessQuery(), handling known-answer lists. In this case
+// it's common to have a whole bunch or records with exactly the same name (e.g. "_http._tcp.local") but different RDATA.
+// The SameDomainName() check is expensive when the names match, and in this case *all* the names match, so we
+// used to waste a lot of CPU time verifying that the names match, only then to find that the RDATA is different.
+// We observed mDNSResponder spending 30% of its total CPU time on this single task alone.
+// By swapping the checks so that we check the RDATA first, we can quickly detect when it's different
+// (99% of the time) and then bail out before we waste time on the expensive SameDomainName() check.
+
+#define IdenticalResourceRecord(r1,r2) ( \
+ (r1)->rrtype == (r2)->rrtype && \
+ (r1)->rrclass == (r2)->rrclass && \
+ (r1)->namehash == (r2)->namehash && \
+ (r1)->rdlength == (r2)->rdlength && \
+ (r1)->rdatahash == (r2)->rdatahash && \
+ SameRDataBody((r1), &(r2)->rdata->u, SameDomainName) && \
+ SameDomainName((r1)->name, (r2)->name))
+
+#define IdenticalSameNameRecord(r1,r2) ( \
+ (r1)->rrtype == (r2)->rrtype && \
+ (r1)->rrclass == (r2)->rrclass && \
+ (r1)->rdlength == (r2)->rdlength && \
+ (r1)->rdatahash == (r2)->rdatahash && \
+ SameRDataBody((r1), &(r2)->rdata->u, SameDomainName))
+
+// A given RRType answers a QuestionType if RRType is CNAME, or types match, or QuestionType is ANY,
+// or the RRType is NSEC and positively asserts the nonexistence of the type being requested
+#define RRTypeAnswersQuestionType(R,Q) ((R)->rrtype == kDNSType_CNAME || (R)->rrtype == (Q) || (Q) == kDNSQType_ANY || RRAssertsNonexistence((R),(Q)))
+// Unicast NSEC records have the NSEC bit set whereas the multicast NSEC ones don't
+#define UNICAST_NSEC(rr) ((rr)->rrtype == kDNSType_NSEC && RRAssertsExistence((rr), kDNSType_NSEC))
+
+extern mDNSu32 RDataHashValue(const ResourceRecord *const rr);
+extern mDNSBool SameRDataBody(const ResourceRecord *const r1, const RDataBody *const r2, DomainNameComparisonFn *samename);
+extern mDNSBool SameNameRecordAnswersQuestion(const ResourceRecord *const rr, const DNSQuestion *const q);
+extern mDNSBool ResourceRecordAnswersQuestion(const ResourceRecord *const rr, const DNSQuestion *const q);
+extern mDNSBool AnyTypeRecordAnswersQuestion (const ResourceRecord *const rr, const DNSQuestion *const q);
+extern mDNSBool ResourceRecordAnswersUnicastResponse(const ResourceRecord *const rr, const DNSQuestion *const q);
+extern mDNSBool LocalOnlyRecordAnswersQuestion(AuthRecord *const rr, const DNSQuestion *const q);
+extern mDNSu16 GetRDLength(const ResourceRecord *const rr, mDNSBool estimate);
+extern mDNSBool ValidateRData(const mDNSu16 rrtype, const mDNSu16 rdlength, const RData *const rd);
+extern mStatus DNSNameToLowerCase(domainname *d, domainname *result);
+
+#define GetRRDomainNameTarget(RR) ( \
+ ((RR)->rrtype == kDNSType_NS || (RR)->rrtype == kDNSType_CNAME || (RR)->rrtype == kDNSType_PTR || (RR)->rrtype == kDNSType_DNAME) ? &(RR)->rdata->u.name : \
+ ((RR)->rrtype == kDNSType_MX || (RR)->rrtype == kDNSType_AFSDB || (RR)->rrtype == kDNSType_RT || (RR)->rrtype == kDNSType_KX ) ? &(RR)->rdata->u.mx.exchange : \
+ ((RR)->rrtype == kDNSType_SRV ) ? &(RR)->rdata->u.srv.target : mDNSNULL )
+
+#define LocalRecordReady(X) ((X)->resrec.RecordType != kDNSRecordTypeUnique)
+
+// ***************************************************************************
+#if COMPILER_LIKES_PRAGMA_MARK
+#pragma mark -
+#pragma mark - DNS Message Creation Functions
+#endif
+
+extern void InitializeDNSMessage(DNSMessageHeader *h, mDNSOpaque16 id, mDNSOpaque16 flags);
+extern const mDNSu8 *FindCompressionPointer(const mDNSu8 *const base, const mDNSu8 *const end, const mDNSu8 *const domname);
+extern mDNSu8 *putDomainNameAsLabels(const DNSMessage *const msg, mDNSu8 *ptr, const mDNSu8 *const limit, const domainname *const name);
+extern mDNSu8 *putRData(const DNSMessage *const msg, mDNSu8 *ptr, const mDNSu8 *const limit, const ResourceRecord *const rr);
+
+// If we have a single large record to put in the packet, then we allow the packet to be up to 9K bytes,
+// but in the normal case we try to keep the packets below 1500 to avoid IP fragmentation on standard Ethernet
+
+#define AllowedRRSpace(msg) (((msg)->h.numAnswers || (msg)->h.numAuthorities || (msg)->h.numAdditionals) ? NormalMaxDNSMessageData : AbsoluteMaxDNSMessageData)
+
+extern mDNSu8 *PutResourceRecordTTLWithLimit(DNSMessage *const msg, mDNSu8 *ptr, mDNSu16 *count, ResourceRecord *rr, mDNSu32 ttl, const mDNSu8 *limit);
+
+#define PutResourceRecordTTL(msg, ptr, count, rr, ttl) \
+ PutResourceRecordTTLWithLimit((msg), (ptr), (count), (rr), (ttl), (msg)->data + AllowedRRSpace(msg))
+
+#define PutResourceRecordTTLJumbo(msg, ptr, count, rr, ttl) \
+ PutResourceRecordTTLWithLimit((msg), (ptr), (count), (rr), (ttl), (msg)->data + AbsoluteMaxDNSMessageData)
+
+#define PutResourceRecord(MSG, P, C, RR) PutResourceRecordTTL((MSG), (P), (C), (RR), (RR)->rroriginalttl)
+
+// The PutRR_OS variants assume a local variable 'm', put build the packet at m->omsg,
+// and assume local variables 'OwnerRecordSpace' & 'TraceRecordSpace' indicating how many bytes (if any) to reserve to add an OWNER/TRACER option at the end
+#define PutRR_OS_TTL(ptr, count, rr, ttl) \
+ PutResourceRecordTTLWithLimit(&m->omsg, (ptr), (count), (rr), (ttl), m->omsg.data + AllowedRRSpace(&m->omsg) - OwnerRecordSpace - TraceRecordSpace)
+
+#define PutRR_OS(P, C, RR) PutRR_OS_TTL((P), (C), (RR), (RR)->rroriginalttl)
+
+extern mDNSu8 *putQuestion(DNSMessage *const msg, mDNSu8 *ptr, const mDNSu8 *const limit, const domainname *const name, mDNSu16 rrtype, mDNSu16 rrclass);
+extern mDNSu8 *putZone(DNSMessage *const msg, mDNSu8 *ptr, mDNSu8 *limit, const domainname *zone, mDNSOpaque16 zoneClass);
+extern mDNSu8 *putPrereqNameNotInUse(const domainname *const name, DNSMessage *const msg, mDNSu8 *const ptr, mDNSu8 *const end);
+extern mDNSu8 *putDeletionRecord(DNSMessage *msg, mDNSu8 *ptr, ResourceRecord *rr);
+extern mDNSu8 *putDeletionRecordWithLimit(DNSMessage *msg, mDNSu8 *ptr, ResourceRecord *rr, mDNSu8 *limit);
+extern mDNSu8 *putDeleteRRSetWithLimit(DNSMessage *msg, mDNSu8 *ptr, const domainname *name, mDNSu16 rrtype, mDNSu8 *limit);
+extern mDNSu8 *putDeleteAllRRSets(DNSMessage *msg, mDNSu8 *ptr, const domainname *name);
+extern mDNSu8 *putUpdateLease(DNSMessage *msg, mDNSu8 *end, mDNSu32 lease);
+extern mDNSu8 *putUpdateLeaseWithLimit(DNSMessage *msg, mDNSu8 *ptr, mDNSu32 lease, mDNSu8 *limit);
+
+extern mDNSu8 *putHINFO(const mDNS *const m, DNSMessage *const msg, mDNSu8 *ptr, DomainAuthInfo *authInfo, mDNSu8 *limit);
+extern mDNSu8 *putDNSSECOption(DNSMessage *msg, mDNSu8 *end, mDNSu8 *limit);
+extern int baseEncode(char *buffer, int blen, const mDNSu8 *data, int len, int encAlg);
+extern void NSEC3Parse(const ResourceRecord *const rr, mDNSu8 **salt, int *hashLength, mDNSu8 **nxtName, int *bitmaplen, mDNSu8 **bitmap);
+
+extern const mDNSu8 *NSEC3HashName(const domainname *name, rdataNSEC3 *nsec3, const mDNSu8 *AnonData, int AnonDataLen,
+ const mDNSu8 hash[NSEC3_MAX_HASH_LEN], int *dlen);
+
+// ***************************************************************************
+#if COMPILER_LIKES_PRAGMA_MARK
+#pragma mark -
+#pragma mark - DNS Message Parsing Functions
+#endif
+
+#define AuthHashSlot(X) (DomainNameHashValue(X) % AUTH_HASH_SLOTS)
+#define HashSlot(X) (DomainNameHashValue(X) % CACHE_HASH_SLOTS)
+extern mDNSu32 DomainNameHashValue(const domainname *const name);
+extern void SetNewRData(ResourceRecord *const rr, RData *NewRData, mDNSu16 rdlength);
+extern const mDNSu8 *skipDomainName(const DNSMessage *const msg, const mDNSu8 *ptr, const mDNSu8 *const end);
+extern const mDNSu8 *getDomainName(const DNSMessage *const msg, const mDNSu8 *ptr, const mDNSu8 *const end,
+ domainname *const name);
+extern const mDNSu8 *skipResourceRecord(const DNSMessage *msg, const mDNSu8 *ptr, const mDNSu8 *end);
+extern const mDNSu8 *GetLargeResourceRecord(mDNS *const m, const DNSMessage * const msg, const mDNSu8 *ptr,
+ const mDNSu8 * end, const mDNSInterfaceID InterfaceID, mDNSu8 RecordType, LargeCacheRecord *const largecr);
+extern mDNSBool SetRData(const DNSMessage *const msg, const mDNSu8 *ptr, const mDNSu8 *end,
+ LargeCacheRecord *const largecr, mDNSu16 rdlength);
+extern const mDNSu8 *skipQuestion(const DNSMessage *msg, const mDNSu8 *ptr, const mDNSu8 *end);
+extern const mDNSu8 *getQuestion(const DNSMessage *msg, const mDNSu8 *ptr, const mDNSu8 *end, const mDNSInterfaceID InterfaceID,
+ DNSQuestion *question);
+extern const mDNSu8 *LocateAnswers(const DNSMessage *const msg, const mDNSu8 *const end);
+extern const mDNSu8 *LocateAuthorities(const DNSMessage *const msg, const mDNSu8 *const end);
+extern const mDNSu8 *LocateAdditionals(const DNSMessage *const msg, const mDNSu8 *const end);
+extern const mDNSu8 *LocateOptRR(const DNSMessage *const msg, const mDNSu8 *const end, int minsize);
+extern const rdataOPT *GetLLQOptData(mDNS *const m, const DNSMessage *const msg, const mDNSu8 *const end);
+extern mDNSu32 GetPktLease(mDNS *m, DNSMessage *msg, const mDNSu8 *end);
+extern void DumpPacket(mDNS *const m, mStatus status, mDNSBool sent, char *transport,
+ const mDNSAddr *srcaddr, mDNSIPPort srcport,
+ const mDNSAddr *dstaddr, mDNSIPPort dstport, const DNSMessage *const msg, const mDNSu8 *const end);
+extern mDNSBool RRAssertsNonexistence(const ResourceRecord *const rr, mDNSu16 type);
+extern mDNSBool RRAssertsExistence(const ResourceRecord *const rr, mDNSu16 type);
+extern mDNSBool BitmapTypeCheck(mDNSu8 *bmap, int bitmaplen, mDNSu16 type);
+
+extern mDNSu16 swap16(mDNSu16 x);
+extern mDNSu32 swap32(mDNSu32 x);
+
+// ***************************************************************************
+#if COMPILER_LIKES_PRAGMA_MARK
+#pragma mark -
+#pragma mark - Packet Sending Functions
+#endif
+
+extern mStatus mDNSSendDNSMessage(mDNS *const m, DNSMessage *const msg, mDNSu8 *end,
+ mDNSInterfaceID InterfaceID, UDPSocket *src, const mDNSAddr *dst,
+ mDNSIPPort dstport, TCPSocket *sock, DomainAuthInfo *authInfo,
+ mDNSBool useBackgroundTrafficClass);
+
+// ***************************************************************************
+#if COMPILER_LIKES_PRAGMA_MARK
+#pragma mark -
+#pragma mark - RR List Management & Task Management
+#endif
+
+extern void ShowTaskSchedulingError(mDNS *const m);
+extern void mDNS_Lock_(mDNS *const m, const char * const functionname);
+extern void mDNS_Unlock_(mDNS *const m, const char * const functionname);
+
+#if defined(_WIN32)
+ #define __func__ __FUNCTION__
+#endif
+
+#define mDNS_Lock(X) mDNS_Lock_((X), __func__)
+
+#define mDNS_Unlock(X) mDNS_Unlock_((X), __func__)
+
+#define mDNS_CheckLock(X) { if ((X)->mDNS_busy != (X)->mDNS_reentrancy+1) \
+ LogMsg("%s: Lock not held! mDNS_busy (%ld) mDNS_reentrancy (%ld)", __func__, (X)->mDNS_busy, (X)->mDNS_reentrancy); }
+
+#define mDNS_DropLockBeforeCallback() do { m->mDNS_reentrancy++; \
+ if (m->mDNS_busy != m->mDNS_reentrancy) LogMsg("%s: Locking Failure! mDNS_busy (%ld) != mDNS_reentrancy (%ld)", __func__, m->mDNS_busy, m->mDNS_reentrancy); \
+} while (0)
+
+#define mDNS_ReclaimLockAfterCallback() do { \
+ if (m->mDNS_busy != m->mDNS_reentrancy) LogMsg("%s: Unlocking Failure! mDNS_busy (%ld) != mDNS_reentrancy (%ld)", __func__, m->mDNS_busy, m->mDNS_reentrancy); \
+ m->mDNS_reentrancy--; } while (0)
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif // __DNSCOMMON_H_
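Review bot: `mDNS_CheckLock(X)` near the end of this header is defined as a bare `{ if (...) LogMsg(...); }` block, while the two lock macros right after it, `mDNS_DropLockBeforeCallback()` and `mDNS_ReclaimLockAfterCallback()`, use `do { ... } while (0)`. With the brace form, a call written as `mDNS_CheckLock(m);` directly under an unbraced `if` that has an `else` fails to compile, and the trailing `;` is a stray empty statement everywhere else. Wrapping the existing body as `do { if ((X)->mDNS_busy != (X)->mDNS_reentrancy+1) LogMsg(/* same arguments */); } while (0)` would make the three lock-discipline macros consistent. The check only logs and lets execution continue, so a comment saying it is diagnostic and not an enforcement point would help readers who rely on it. Separately, the comment above `STRINGIFY_ARGUMENT_WITHOUT_EXPANSION` refers to `STRINGIFY_AWE(version)`, which this header does not define; it should name the macro as spelled.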
diff --git a/mDNSResponder/mDNSCore/DNSDigest.c b/mDNSResponder/mDNSCore/DNSDigest.c
new file mode 100644
index 00000000..33798d38
--- /dev/null
+++ b/mDNSResponder/mDNSCore/DNSDigest.c
@@ -0,0 +1,1567 @@
+/* -*- Mode: C; tab-width: 4 -*-
+ *
+ * Copyright (c) 2002-2011 Apple Computer, Inc. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include "mDNSEmbeddedAPI.h"
+#include "DNSCommon.h"
+
+// Disable certain benign warnings with Microsoft compilers
+#if (defined(_MSC_VER))
+// Disable "conditional expression is constant" warning for debug macros.
+// Otherwise, this generates warnings for the perfectly natural construct "while(1)"
+// If someone knows a variant way of writing "while(1)" that doesn't generate warning messages, please let us know
+ #pragma warning(disable:4127)
+#endif
+
+
+// ***************************************************************************
+#if COMPILER_LIKES_PRAGMA_MARK
+#pragma mark - Byte Swapping Functions
+#endif
+
+mDNSlocal mDNSu16 NToH16(mDNSu8 * bytes)
+{
+ return (mDNSu16)((mDNSu16)bytes[0] << 8 | (mDNSu16)bytes[1]);
+}
+
+mDNSlocal mDNSu32 NToH32(mDNSu8 * bytes)
+{
+ return (mDNSu32)((mDNSu32) bytes[0] << 24 | (mDNSu32) bytes[1] << 16 | (mDNSu32) bytes[2] << 8 | (mDNSu32)bytes[3]);
+}
+
+// ***************************************************************************
+#if COMPILER_LIKES_PRAGMA_MARK
+#pragma mark - MD5 Hash Functions
+#endif
+
+
+/* The source for the has is derived CommonCrypto files CommonDigest.h, md32_common.h, md5_locl.h, md5_locl.h, and openssl/md5.h.
+ * The following changes have been made to the original sources:
+ * replaced CC_LONG w/ mDNSu32
+ * replaced CC_MD5* with MD5*
+ * replaced CC_LONG w/ mDNSu32, removed conditional #defines from md5.h
+ * removed extern decls for MD5_Init/Update/Final from CommonDigest.h
+ * removed APPLE_COMMON_DIGEST specific #defines from md5_locl.h
+ *
+ * Note: machine archetecure specific conditionals from the original sources are turned off, but are left in the code
+ * to aid in platform-specific optimizations and debugging.
+ * Sources originally distributed under the following license headers:
+ * CommonDigest.h - APSL
+ *
+ * md32_Common.h
+ * ====================================================================
+ * Copyright (c) 1999-2002 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ *
+ * md5_dgst.c, md5_locl.h
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to. The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * "This product includes cryptographic software written by
+ * Eric Young (eay@cryptsoft.com)"
+ * The word 'cryptographic' can be left out if the rouines from the library
+ * being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ * the apps directory (application code) you must include an acknowledgement:
+ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed. i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ *
+ */
+
+//from CommonDigest.h
+
+
+
+// from openssl/md5.h
+
+#define MD5_CBLOCK 64
+#define MD5_LBLOCK (MD5_CBLOCK/4)
+#define MD5_DIGEST_LENGTH 16
+
+void MD5_Transform(MD5_CTX *c, const unsigned char *b);
+
+// From md5_locl.h
+
+#ifndef MD5_LONG_LOG2
+#define MD5_LONG_LOG2 2 /* default to 32 bits */
+#endif
+
+#ifdef MD5_ASM
+# if defined(__i386) || defined(__i386__) || defined(_M_IX86) || defined(__INTEL__)
+# define md5_block_host_order md5_block_asm_host_order
+# elif defined(__sparc) && defined(OPENSSL_SYS_ULTRASPARC)
+void md5_block_asm_data_order_aligned (MD5_CTX *c, const mDNSu32 *p,int num);
+# define HASH_BLOCK_DATA_ORDER_ALIGNED md5_block_asm_data_order_aligned
+# endif
+#endif
+
+void md5_block_host_order (MD5_CTX *c, const void *p,int num);
+void md5_block_data_order (MD5_CTX *c, const void *p,int num);
+
+#if defined(__i386) || defined(__i386__) || defined(_M_IX86) || defined(__INTEL__)
+/*
+ * *_block_host_order is expected to handle aligned data while
+ * *_block_data_order - unaligned. As algorithm and host (x86)
+ * are in this case of the same "endianness" these two are
+ * otherwise indistinguishable. But normally you don't want to
+ * call the same function because unaligned access in places
+ * where alignment is expected is usually a "Bad Thing". Indeed,
+ * on RISCs you get punished with BUS ERROR signal or *severe*
+ * performance degradation. Intel CPUs are in turn perfectly
+ * capable of loading unaligned data without such drastic side
+ * effect. Yes, they say it's slower than aligned load, but no
+ * exception is generated and therefore performance degradation
+ * is *incomparable* with RISCs. What we should weight here is
+ * costs of unaligned access against costs of aligning data.
+ * According to my measurements allowing unaligned access results
+ * in ~9% performance improvement on Pentium II operating at
+ * 266MHz. I won't be surprised if the difference will be higher
+ * on faster systems:-)
+ *
+ * <appro@fy.chalmers.se>
+ */
+#define md5_block_data_order md5_block_host_order
+#endif
+
+#define DATA_ORDER_IS_LITTLE_ENDIAN
+
+#define HASH_LONG mDNSu32
+#define HASH_LONG_LOG2 MD5_LONG_LOG2
+#define HASH_CTX MD5_CTX
+#define HASH_CBLOCK MD5_CBLOCK
+#define HASH_LBLOCK MD5_LBLOCK
+
+#define HASH_UPDATE MD5_Update
+#define HASH_TRANSFORM MD5_Transform
+#define HASH_FINAL MD5_Final
+
+#define HASH_MAKE_STRING(c,s) do { \
+ unsigned long ll; \
+ ll=(c)->A; HOST_l2c(ll,(s)); \
+ ll=(c)->B; HOST_l2c(ll,(s)); \
+ ll=(c)->C; HOST_l2c(ll,(s)); \
+ ll=(c)->D; HOST_l2c(ll,(s)); \
+} while (0)
+#define HASH_BLOCK_HOST_ORDER md5_block_host_order
+#if !defined(L_ENDIAN) || defined(md5_block_data_order)
+#define HASH_BLOCK_DATA_ORDER md5_block_data_order
+/*
+ * Little-endians (Intel and Alpha) feel better without this.
+ * It looks like memcpy does better job than generic
+ * md5_block_data_order on copying-n-aligning input data.
+ * But frankly speaking I didn't expect such result on Alpha.
+ * On the other hand I've got this with egcs-1.0.2 and if
+ * program is compiled with another (better?) compiler it
+ * might turn out other way around.
+ *
+ * <appro@fy.chalmers.se>
+ */
+#endif
+
+
+// from md32_common.h
+
+/*
+ * This is a generic 32 bit "collector" for message digest algorithms.
+ * Whenever needed it collects input character stream into chunks of
+ * 32 bit values and invokes a block function that performs actual hash
+ * calculations.
+ *
+ * Porting guide.
+ *
+ * Obligatory macros:
+ *
+ * DATA_ORDER_IS_BIG_ENDIAN or DATA_ORDER_IS_LITTLE_ENDIAN
+ * this macro defines byte order of input stream.
+ * HASH_CBLOCK
+ * size of a unit chunk HASH_BLOCK operates on.
+ * HASH_LONG
+ * has to be at lest 32 bit wide, if it's wider, then
+ * HASH_LONG_LOG2 *has to* be defined along
+ * HASH_CTX
+ * context structure that at least contains following
+ * members:
+ * typedef struct {
+ * ...
+ * HASH_LONG Nl,Nh;
+ * HASH_LONG data[HASH_LBLOCK];
+ * int num;
+ * ...
+ * } HASH_CTX;
+ * HASH_UPDATE
+ * name of "Update" function, implemented here.
+ * HASH_TRANSFORM
+ * name of "Transform" function, implemented here.
+ * HASH_FINAL
+ * name of "Final" function, implemented here.
+ * HASH_BLOCK_HOST_ORDER
+ * name of "block" function treating *aligned* input message
+ * in host byte order, implemented externally.
+ * HASH_BLOCK_DATA_ORDER
+ * name of "block" function treating *unaligned* input message
+ * in original (data) byte order, implemented externally (it
+ * actually is optional if data and host are of the same
+ * "endianess").
+ * HASH_MAKE_STRING
+ * macro convering context variables to an ASCII hash string.
+ *
+ * Optional macros:
+ *
+ * B_ENDIAN or L_ENDIAN
+ * defines host byte-order.
+ * HASH_LONG_LOG2
+ * defaults to 2 if not states otherwise.
+ * HASH_LBLOCK
+ * assumed to be HASH_CBLOCK/4 if not stated otherwise.
+ * HASH_BLOCK_DATA_ORDER_ALIGNED
+ * alternative "block" function capable of treating
+ * aligned input message in original (data) order,
+ * implemented externally.
+ *
+ * MD5 example:
+ *
+ * #define DATA_ORDER_IS_LITTLE_ENDIAN
+ *
+ * #define HASH_LONG mDNSu32
+ * #define HASH_LONG_LOG2 mDNSu32_LOG2
+ * #define HASH_CTX MD5_CTX
+ * #define HASH_CBLOCK MD5_CBLOCK
+ * #define HASH_LBLOCK MD5_LBLOCK
+ * #define HASH_UPDATE MD5_Update
+ * #define HASH_TRANSFORM MD5_Transform
+ * #define HASH_FINAL MD5_Final
+ * #define HASH_BLOCK_HOST_ORDER md5_block_host_order
+ * #define HASH_BLOCK_DATA_ORDER md5_block_data_order
+ *
+ * <appro@fy.chalmers.se>
+ */
+
+#if !defined(DATA_ORDER_IS_BIG_ENDIAN) && !defined(DATA_ORDER_IS_LITTLE_ENDIAN)
+#error "DATA_ORDER must be defined!"
+#endif
+
+#ifndef HASH_CBLOCK
+#error "HASH_CBLOCK must be defined!"
+#endif
+#ifndef HASH_LONG
+#error "HASH_LONG must be defined!"
+#endif
+#ifndef HASH_CTX
+#error "HASH_CTX must be defined!"
+#endif
+
+#ifndef HASH_UPDATE
+#error "HASH_UPDATE must be defined!"
+#endif
+#ifndef HASH_TRANSFORM
+#error "HASH_TRANSFORM must be defined!"
+#endif
+#ifndef HASH_FINAL
+#error "HASH_FINAL must be defined!"
+#endif
+
+#ifndef HASH_BLOCK_HOST_ORDER
+#error "HASH_BLOCK_HOST_ORDER must be defined!"
+#endif
+
+#if 0
+/*
+ * Moved below as it's required only if HASH_BLOCK_DATA_ORDER_ALIGNED
+ * isn't defined.
+ */
+#ifndef HASH_BLOCK_DATA_ORDER
+#error "HASH_BLOCK_DATA_ORDER must be defined!"
+#endif
+#endif
+
+#ifndef HASH_LBLOCK
+#define HASH_LBLOCK (HASH_CBLOCK/4)
+#endif
+
+#ifndef HASH_LONG_LOG2
+#define HASH_LONG_LOG2 2
+#endif
+
+/*
+ * Engage compiler specific rotate intrinsic function if available.
+ */
+#undef ROTATE
+#ifndef PEDANTIC
+# if 0 /* defined(_MSC_VER) */
+# define ROTATE(a,n) _lrotl(a,n)
+# elif defined(__MWERKS__)
+# if defined(__POWERPC__)
+# define ROTATE(a,n) (unsigned MD32_REG_T)__rlwinm((int)a,n,0,31)
+# elif defined(__MC68K__)
+/* Motorola specific tweak. <appro@fy.chalmers.se> */
+# define ROTATE(a,n) (n<24 ? __rol(a,n) : __ror(a,32-n))
+# else
+# define ROTATE(a,n) __rol(a,n)
+# endif
+# elif defined(__GNUC__) && __GNUC__>=2 && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
+/*
+ * Some GNU C inline assembler templates. Note that these are
+ * rotates by *constant* number of bits! But that's exactly
+ * what we need here...
+ *
+ * <appro@fy.chalmers.se>
+ */
+/*
+ * LLVM is more strict about compatibility of types between input & output constraints,
+ * but we want these to be rotations of 32 bits, not 64, so we explicitly drop the
+ * most significant bytes by casting to an unsigned int.
+ */
+# if defined(__i386) || defined(__i386__) || defined(__x86_64) || defined(__x86_64__)
+# define ROTATE(a,n) ({ register unsigned int ret; \
+ asm ( \
+ "roll %1,%0" \
+ : "=r" (ret) \
+ : "I" (n), "0" ((unsigned int)a) \
+ : "cc"); \
+ ret; \
+ })
+# elif defined(__powerpc) || defined(__ppc)
+# define ROTATE(a,n) ({ register unsigned int ret; \
+ asm ( \
+ "rlwinm %0,%1,%2,0,31" \
+ : "=r" (ret) \
+ : "r" (a), "I" (n)); \
+ ret; \
+ })
+# endif
+# endif
+
+/*
+ * Engage compiler specific "fetch in reverse byte order"
+ * intrinsic function if available.
+ */
+# if defined(__GNUC__) && __GNUC__>=2 && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
+/* some GNU C inline assembler templates by <appro@fy.chalmers.se> */
+# if (defined(__i386) || defined(__i386__) || defined(__x86_64) || defined(__x86_64__)) && !defined(I386_ONLY)
+# define BE_FETCH32(a) ({ register unsigned int l=(a); \
+ asm ( \
+ "bswapl %0" \
+ : "=r" (l) : "0" (l)); \
+ l; \
+ })
+# elif defined(__powerpc)
+# define LE_FETCH32(a) ({ register unsigned int l; \
+ asm ( \
+ "lwbrx %0,0,%1" \
+ : "=r" (l) \
+ : "r" (a)); \
+ l; \
+ })
+
+# elif defined(__sparc) && defined(OPENSSL_SYS_ULTRASPARC)
+# define LE_FETCH32(a) ({ register unsigned int l; \
+ asm ( \
+ "lda [%1]#ASI_PRIMARY_LITTLE,%0" \
+ : "=r" (l) \
+ : "r" (a)); \
+ l; \
+ })
+# endif
+# endif
+#endif /* PEDANTIC */
+
+#if HASH_LONG_LOG2==2 /* Engage only if sizeof(HASH_LONG)== 4 */
+/* A nice byte order reversal from Wei Dai <weidai@eskimo.com> */
+#ifdef ROTATE
+/* 5 instructions with rotate instruction, else 9 */
+#define REVERSE_FETCH32(a,l) ( \
+ l=*(const HASH_LONG *)(a), \
+ ((ROTATE(l,8)&0x00FF00FF)|(ROTATE((l&0x00FF00FF),24))) \
+ )
+#else
+/* 6 instructions with rotate instruction, else 8 */
+#define REVERSE_FETCH32(a,l) ( \
+ l=*(const HASH_LONG *)(a), \
+ l=(((l>>8)&0x00FF00FF)|((l&0x00FF00FF)<<8)), \
+ ROTATE(l,16) \
+ )
+/*
+ * Originally the middle line started with l=(((l&0xFF00FF00)>>8)|...
+ * It's rewritten as above for two reasons:
+ * - RISCs aren't good at long constants and have to explicitely
+ * compose 'em with several (well, usually 2) instructions in a
+ * register before performing the actual operation and (as you
+ * already realized:-) having same constant should inspire the
+ * compiler to permanently allocate the only register for it;
+ * - most modern CPUs have two ALUs, but usually only one has
+ * circuitry for shifts:-( this minor tweak inspires compiler
+ * to schedule shift instructions in a better way...
+ *
+ * <appro@fy.chalmers.se>
+ */
+#endif
+#endif
+
+#ifndef ROTATE
+#define ROTATE(a,n) (((a)<<(n))|(((a)&0xffffffff)>>(32-(n))))
+#endif
+
+/*
+ * Make some obvious choices. E.g., HASH_BLOCK_DATA_ORDER_ALIGNED
+ * and HASH_BLOCK_HOST_ORDER ought to be the same if input data
+ * and host are of the same "endianess". It's possible to mask
+ * this with blank #define HASH_BLOCK_DATA_ORDER though...
+ *
+ * <appro@fy.chalmers.se>
+ */
+#if defined(B_ENDIAN)
+# if defined(DATA_ORDER_IS_BIG_ENDIAN)
+# if !defined(HASH_BLOCK_DATA_ORDER_ALIGNED) && HASH_LONG_LOG2==2
+# define HASH_BLOCK_DATA_ORDER_ALIGNED HASH_BLOCK_HOST_ORDER
+# endif
+# elif defined(DATA_ORDER_IS_LITTLE_ENDIAN)
+# ifndef HOST_FETCH32
+# ifdef LE_FETCH32
+# define HOST_FETCH32(p,l) LE_FETCH32(p)
+# elif defined(REVERSE_FETCH32)
+# define HOST_FETCH32(p,l) REVERSE_FETCH32(p,l)
+# endif
+# endif
+# endif
+#elif defined(L_ENDIAN)
+# if defined(DATA_ORDER_IS_LITTLE_ENDIAN)
+# if !defined(HASH_BLOCK_DATA_ORDER_ALIGNED) && HASH_LONG_LOG2==2
+# define HASH_BLOCK_DATA_ORDER_ALIGNED HASH_BLOCK_HOST_ORDER
+# endif
+# elif defined(DATA_ORDER_IS_BIG_ENDIAN)
+# ifndef HOST_FETCH32
+# ifdef BE_FETCH32
+# define HOST_FETCH32(p,l) BE_FETCH32(p)
+# elif defined(REVERSE_FETCH32)
+# define HOST_FETCH32(p,l) REVERSE_FETCH32(p,l)
+# endif
+# endif
+# endif
+#endif
+
+#if !defined(HASH_BLOCK_DATA_ORDER_ALIGNED)
+#ifndef HASH_BLOCK_DATA_ORDER
+#error "HASH_BLOCK_DATA_ORDER must be defined!"
+#endif
+#endif
+
+// None of the invocations of the following macros actually use the result,
+// so cast them to void to avoid any compiler warnings/errors about not using
+// the result (e.g. when using clang).
+// If the resultant values need to be used at some point, these must be changed.
+#define HOST_c2l(c,l) ((void)_HOST_c2l(c,l))
+#define HOST_l2c(l,c) ((void)_HOST_l2c(l,c))
+
+#if defined(DATA_ORDER_IS_BIG_ENDIAN)
+
+#define _HOST_c2l(c,l) (l =(((unsigned long)(*((c)++)))<<24), \
+ l|=(((unsigned long)(*((c)++)))<<16), \
+ l|=(((unsigned long)(*((c)++)))<< 8), \
+ l|=(((unsigned long)(*((c)++))) ), \
+ l)
+#define HOST_p_c2l(c,l,n) { \
+ switch (n) { \
+ case 0: l =((unsigned long)(*((c)++)))<<24; \
+ case 1: l|=((unsigned long)(*((c)++)))<<16; \
+ case 2: l|=((unsigned long)(*((c)++)))<< 8; \
+ case 3: l|=((unsigned long)(*((c)++))); \
+ } }
+#define HOST_p_c2l_p(c,l,sc,len) { \
+ switch (sc) { \
+ case 0: l =((unsigned long)(*((c)++)))<<24; \
+ if (--len == 0) break; \
+ case 1: l|=((unsigned long)(*((c)++)))<<16; \
+ if (--len == 0) break; \
+ case 2: l|=((unsigned long)(*((c)++)))<< 8; \
+ } }
+/* NOTE the pointer is not incremented at the end of this */
+#define HOST_c2l_p(c,l,n) { \
+ l=0; (c)+=n; \
+ switch (n) { \
+ case 3: l =((unsigned long)(*(--(c))))<< 8; \
+ case 2: l|=((unsigned long)(*(--(c))))<<16; \
+ case 1: l|=((unsigned long)(*(--(c))))<<24; \
+ } }
+#define _HOST_l2c(l,c) (*((c)++)=(unsigned char)(((l)>>24)&0xff), \
+ *((c)++)=(unsigned char)(((l)>>16)&0xff), \
+ *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
+ *((c)++)=(unsigned char)(((l) )&0xff), \
+ l)
+
+#elif defined(DATA_ORDER_IS_LITTLE_ENDIAN)
+
+#define _HOST_c2l(c,l) (l =(((unsigned long)(*((c)++))) ), \
+ l|=(((unsigned long)(*((c)++)))<< 8), \
+ l|=(((unsigned long)(*((c)++)))<<16), \
+ l|=(((unsigned long)(*((c)++)))<<24), \
+ l)
+#define HOST_p_c2l(c,l,n) { \
+ switch (n) { \
+ case 0: l =((unsigned long)(*((c)++))); \
+ case 1: l|=((unsigned long)(*((c)++)))<< 8; \
+ case 2: l|=((unsigned long)(*((c)++)))<<16; \
+ case 3: l|=((unsigned long)(*((c)++)))<<24; \
+ } }
+#define HOST_p_c2l_p(c,l,sc,len) { \
+ switch (sc) { \
+ case 0: l =((unsigned long)(*((c)++))); \
+ if (--len == 0) break; \
+ case 1: l|=((unsigned long)(*((c)++)))<< 8; \
+ if (--len == 0) break; \
+ case 2: l|=((unsigned long)(*((c)++)))<<16; \
+ } }
+/* NOTE the pointer is not incremented at the end of this */
+#define HOST_c2l_p(c,l,n) { \
+ l=0; (c)+=n; \
+ switch (n) { \
+ case 3: l =((unsigned long)(*(--(c))))<<16; \
+ case 2: l|=((unsigned long)(*(--(c))))<< 8; \
+ case 1: l|=((unsigned long)(*(--(c)))); \
+ } }
+#define _HOST_l2c(l,c) (*((c)++)=(unsigned char)(((l) )&0xff), \
+ *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
+ *((c)++)=(unsigned char)(((l)>>16)&0xff), \
+ *((c)++)=(unsigned char)(((l)>>24)&0xff), \
+ l)
+
+#endif
+
+/*
+ * Time for some action:-)
+ */
+
+int HASH_UPDATE (HASH_CTX *c, const void *data_, unsigned long len)
+{
+ const unsigned char *data=(const unsigned char *)data_;
+ register HASH_LONG * p;
+ register unsigned long l;
+ int sw,sc,ew,ec;
+
+ if (len==0) return 1;
+
+ l=(c->Nl+(len<<3))&0xffffffffL;
+ /* 95-05-24 eay Fixed a bug with the overflow handling, thanks to
+ * Wei Dai <weidai@eskimo.com> for pointing it out. */
+ if (l < c->Nl) /* overflow */
+ c->Nh++;
+ c->Nh+=(len>>29);
+ c->Nl=l;
+
+ if (c->num != 0)
+ {
+ p=c->data;
+ sw=c->num>>2;
+ sc=c->num&0x03;
+
+ if ((c->num+len) >= HASH_CBLOCK)
+ {
+ l=p[sw]; HOST_p_c2l(data,l,sc); p[sw++]=l;
+ for (; sw<HASH_LBLOCK; sw++)
+ {
+ HOST_c2l(data,l); p[sw]=l;
+ }
+ HASH_BLOCK_HOST_ORDER (c,p,1);
+ len-=(HASH_CBLOCK-c->num);
+ c->num=0;
+ /* drop through and do the rest */
+ }
+ else
+ {
+ c->num+=len;
+ if ((sc+len) < 4) /* ugly, add char's to a word */
+ {
+ l=p[sw]; HOST_p_c2l_p(data,l,sc,len); p[sw]=l;
+ }
+ else
+ {
+ ew=(c->num>>2);
+ ec=(c->num&0x03);
+ if (sc)
+ l=p[sw];
+ HOST_p_c2l(data,l,sc);
+ p[sw++]=l;
+ for (; sw < ew; sw++)
+ {
+ HOST_c2l(data,l); p[sw]=l;
+ }
+ if (ec)
+ {
+ HOST_c2l_p(data,l,ec); p[sw]=l;
+ }
+ }
+ return 1;
+ }
+ }
+
+ sw=(int)(len/HASH_CBLOCK);
+ if (sw > 0)
+ {
+#if defined(HASH_BLOCK_DATA_ORDER_ALIGNED)
+ /*
+ * Note that HASH_BLOCK_DATA_ORDER_ALIGNED gets defined
+ * only if sizeof(HASH_LONG)==4.
+ */
+ if ((((unsigned long)data)%4) == 0)
+ {
+ /* data is properly aligned so that we can cast it: */
+ HASH_BLOCK_DATA_ORDER_ALIGNED (c,(HASH_LONG *)data,sw);
+ sw*=HASH_CBLOCK;
+ data+=sw;
+ len-=sw;
+ }
+ else
+#if !defined(HASH_BLOCK_DATA_ORDER)
+ while (sw--)
+ {
+ mDNSPlatformMemCopy(p=c->data,data,HASH_CBLOCK);
+ HASH_BLOCK_DATA_ORDER_ALIGNED(c,p,1);
+ data+=HASH_CBLOCK;
+ len-=HASH_CBLOCK;
+ }
+#endif
+#endif
+#if defined(HASH_BLOCK_DATA_ORDER)
+ {
+ HASH_BLOCK_DATA_ORDER(c,data,sw);
+ sw*=HASH_CBLOCK;
+ data+=sw;
+ len-=sw;
+ }
+#endif
+ }
+
+ if (len!=0)
+ {
+ p = c->data;
+ c->num = (int)len;
+ ew=(int)(len>>2); /* words to copy */
+ ec=(int)(len&0x03);
+ for (; ew; ew--,p++)
+ {
+ HOST_c2l(data,l); *p=l;
+ }
+ HOST_c2l_p(data,l,ec);
+ *p=l;
+ }
+ return 1;
+}
+
+
+void HASH_TRANSFORM (HASH_CTX *c, const unsigned char *data)
+{
+#if defined(HASH_BLOCK_DATA_ORDER_ALIGNED)
+ if ((((unsigned long)data)%4) == 0)
+ /* data is properly aligned so that we can cast it: */
+ HASH_BLOCK_DATA_ORDER_ALIGNED (c,(HASH_LONG *)data,1);
+ else
+#if !defined(HASH_BLOCK_DATA_ORDER)
+ {
+ mDNSPlatformMemCopy(c->data,data,HASH_CBLOCK);
+ HASH_BLOCK_DATA_ORDER_ALIGNED (c,c->data,1);
+ }
+#endif
+#endif
+#if defined(HASH_BLOCK_DATA_ORDER)
+ HASH_BLOCK_DATA_ORDER (c,data,1);
+#endif
+}
+
+
+int HASH_FINAL (unsigned char *md, HASH_CTX *c)
+{
+ register HASH_LONG *p;
+ register unsigned long l;
+ register int i,j;
+ static const unsigned char end[4]={0x80,0x00,0x00,0x00};
+ const unsigned char *cp=end;
+
+ /* c->num should definitly have room for at least one more byte. */
+ p=c->data;
+ i=c->num>>2;
+ j=c->num&0x03;
+
+#if 0
+ /* purify often complains about the following line as an
+ * Uninitialized Memory Read. While this can be true, the
+ * following p_c2l macro will reset l when that case is true.
+ * This is because j&0x03 contains the number of 'valid' bytes
+ * already in p[i]. If and only if j&0x03 == 0, the UMR will
+ * occur but this is also the only time p_c2l will do
+ * l= *(cp++) instead of l|= *(cp++)
+ * Many thanks to Alex Tang <altitude@cic.net> for pickup this
+ * 'potential bug' */
+#ifdef PURIFY
+ if (j==0) p[i]=0; /* Yeah, but that's not the way to fix it:-) */
+#endif
+ l=p[i];
+#else
+ l = (j==0) ? 0 : p[i];
+#endif
+ HOST_p_c2l(cp,l,j); p[i++]=l; /* i is the next 'undefined word' */
+
+ if (i>(HASH_LBLOCK-2)) /* save room for Nl and Nh */
+ {
+ if (i<HASH_LBLOCK) p[i]=0;
+ HASH_BLOCK_HOST_ORDER (c,p,1);
+ i=0;
+ }
+ for (; i<(HASH_LBLOCK-2); i++)
+ p[i]=0;
+
+#if defined(DATA_ORDER_IS_BIG_ENDIAN)
+ p[HASH_LBLOCK-2]=c->Nh;
+ p[HASH_LBLOCK-1]=c->Nl;
+#elif defined(DATA_ORDER_IS_LITTLE_ENDIAN)
+ p[HASH_LBLOCK-2]=c->Nl;
+ p[HASH_LBLOCK-1]=c->Nh;
+#endif
+ HASH_BLOCK_HOST_ORDER (c,p,1);
+
+#ifndef HASH_MAKE_STRING
+#error "HASH_MAKE_STRING must be defined!"
+#else
+ HASH_MAKE_STRING(c,md);
+#endif
+
+ c->num=0;
+ /* clear stuff, HASH_BLOCK may be leaving some stuff on the stack
+ * but I'm not worried :-)
+ OPENSSL_cleanse((void *)c,sizeof(HASH_CTX));
+ */
+ return 1;
+}
+
+#ifndef MD32_REG_T
+#define MD32_REG_T long
+/*
+ * This comment was originaly written for MD5, which is why it
+ * discusses A-D. But it basically applies to all 32-bit digests,
+ * which is why it was moved to common header file.
+ *
+ * In case you wonder why A-D are declared as long and not
+ * as mDNSu32. Doing so results in slight performance
+ * boost on LP64 architectures. The catch is we don't
+ * really care if 32 MSBs of a 64-bit register get polluted
+ * with eventual overflows as we *save* only 32 LSBs in
+ * *either* case. Now declaring 'em long excuses the compiler
+ * from keeping 32 MSBs zeroed resulting in 13% performance
+ * improvement under SPARC Solaris7/64 and 5% under AlphaLinux.
+ * Well, to be honest it should say that this *prevents*
+ * performance degradation.
+ * <appro@fy.chalmers.se>
+ * Apparently there're LP64 compilers that generate better
+ * code if A-D are declared int. Most notably GCC-x86_64
+ * generates better code.
+ * <appro@fy.chalmers.se>
+ */
+#endif
+
+
+// from md5_locl.h (continued)
+
+/*
+ #define F(x,y,z) (((x) & (y)) | ((~(x)) & (z)))
+ #define G(x,y,z) (((x) & (z)) | ((y) & (~(z))))
+ */
+
+/* As pointed out by Wei Dai <weidai@eskimo.com>, the above can be
+ * simplified to the code below. Wei attributes these optimizations
+ * to Peter Gutmann's SHS code, and he attributes it to Rich Schroeppel.
+ */
+#define F(b,c,d) ((((c) ^ (d)) & (b)) ^ (d))
+#define G(b,c,d) ((((b) ^ (c)) & (d)) ^ (c))
+#define H(b,c,d) ((b) ^ (c) ^ (d))
+#define I(b,c,d) (((~(d)) | (b)) ^ (c))
+
+#define R0(a,b,c,d,k,s,t) { \
+ a+=((k)+(t)+F((b),(c),(d))); \
+ a=ROTATE(a,s); \
+ a+=b; }; \
+
+#define R1(a,b,c,d,k,s,t) { \
+ a+=((k)+(t)+G((b),(c),(d))); \
+ a=ROTATE(a,s); \
+ a+=b; };
+
+#define R2(a,b,c,d,k,s,t) { \
+ a+=((k)+(t)+H((b),(c),(d))); \
+ a=ROTATE(a,s); \
+ a+=b; };
+
+#define R3(a,b,c,d,k,s,t) { \
+ a+=((k)+(t)+I((b),(c),(d))); \
+ a=ROTATE(a,s); \
+ a+=b; };
+
+// from md5_dgst.c
+
+
+/* Implemented from RFC1321 The MD5 Message-Digest Algorithm
+ */
+
+#define INIT_DATA_A (unsigned long)0x67452301L
+#define INIT_DATA_B (unsigned long)0xefcdab89L
+#define INIT_DATA_C (unsigned long)0x98badcfeL
+#define INIT_DATA_D (unsigned long)0x10325476L
+
+int MD5_Init(MD5_CTX *c)
+{
+ c->A=INIT_DATA_A;
+ c->B=INIT_DATA_B;
+ c->C=INIT_DATA_C;
+ c->D=INIT_DATA_D;
+ c->Nl=0;
+ c->Nh=0;
+ c->num=0;
+ return 1;
+}
+
+#ifndef md5_block_host_order
+void md5_block_host_order (MD5_CTX *c, const void *data, int num)
+{
+ const mDNSu32 *X=(const mDNSu32 *)data;
+ register unsigned MD32_REG_T A,B,C,D;
+
+ A=c->A;
+ B=c->B;
+ C=c->C;
+ D=c->D;
+
+ for (; num--; X+=HASH_LBLOCK)
+ {
+ /* Round 0 */
+ R0(A,B,C,D,X[ 0], 7,0xd76aa478L);
+ R0(D,A,B,C,X[ 1],12,0xe8c7b756L);
+ R0(C,D,A,B,X[ 2],17,0x242070dbL);
+ R0(B,C,D,A,X[ 3],22,0xc1bdceeeL);
+ R0(A,B,C,D,X[ 4], 7,0xf57c0fafL);
+ R0(D,A,B,C,X[ 5],12,0x4787c62aL);
+ R0(C,D,A,B,X[ 6],17,0xa8304613L);
+ R0(B,C,D,A,X[ 7],22,0xfd469501L);
+ R0(A,B,C,D,X[ 8], 7,0x698098d8L);
+ R0(D,A,B,C,X[ 9],12,0x8b44f7afL);
+ R0(C,D,A,B,X[10],17,0xffff5bb1L);
+ R0(B,C,D,A,X[11],22,0x895cd7beL);
+ R0(A,B,C,D,X[12], 7,0x6b901122L);
+ R0(D,A,B,C,X[13],12,0xfd987193L);
+ R0(C,D,A,B,X[14],17,0xa679438eL);
+ R0(B,C,D,A,X[15],22,0x49b40821L);
+ /* Round 1 */
+ R1(A,B,C,D,X[ 1], 5,0xf61e2562L);
+ R1(D,A,B,C,X[ 6], 9,0xc040b340L);
+ R1(C,D,A,B,X[11],14,0x265e5a51L);
+ R1(B,C,D,A,X[ 0],20,0xe9b6c7aaL);
+ R1(A,B,C,D,X[ 5], 5,0xd62f105dL);
+ R1(D,A,B,C,X[10], 9,0x02441453L);
+ R1(C,D,A,B,X[15],14,0xd8a1e681L);
+ R1(B,C,D,A,X[ 4],20,0xe7d3fbc8L);
+ R1(A,B,C,D,X[ 9], 5,0x21e1cde6L);
+ R1(D,A,B,C,X[14], 9,0xc33707d6L);
+ R1(C,D,A,B,X[ 3],14,0xf4d50d87L);
+ R1(B,C,D,A,X[ 8],20,0x455a14edL);
+ R1(A,B,C,D,X[13], 5,0xa9e3e905L);
+ R1(D,A,B,C,X[ 2], 9,0xfcefa3f8L);
+ R1(C,D,A,B,X[ 7],14,0x676f02d9L);
+ R1(B,C,D,A,X[12],20,0x8d2a4c8aL);
+ /* Round 2 */
+ R2(A,B,C,D,X[ 5], 4,0xfffa3942L);
+ R2(D,A,B,C,X[ 8],11,0x8771f681L);
+ R2(C,D,A,B,X[11],16,0x6d9d6122L);
+ R2(B,C,D,A,X[14],23,0xfde5380cL);
+ R2(A,B,C,D,X[ 1], 4,0xa4beea44L);
+ R2(D,A,B,C,X[ 4],11,0x4bdecfa9L);
+ R2(C,D,A,B,X[ 7],16,0xf6bb4b60L);
+ R2(B,C,D,A,X[10],23,0xbebfbc70L);
+ R2(A,B,C,D,X[13], 4,0x289b7ec6L);
+ R2(D,A,B,C,X[ 0],11,0xeaa127faL);
+ R2(C,D,A,B,X[ 3],16,0xd4ef3085L);
+ R2(B,C,D,A,X[ 6],23,0x04881d05L);
+ R2(A,B,C,D,X[ 9], 4,0xd9d4d039L);
+ R2(D,A,B,C,X[12],11,0xe6db99e5L);
+ R2(C,D,A,B,X[15],16,0x1fa27cf8L);
+ R2(B,C,D,A,X[ 2],23,0xc4ac5665L);
+ /* Round 3 */
+ R3(A,B,C,D,X[ 0], 6,0xf4292244L);
+ R3(D,A,B,C,X[ 7],10,0x432aff97L);
+ R3(C,D,A,B,X[14],15,0xab9423a7L);
+ R3(B,C,D,A,X[ 5],21,0xfc93a039L);
+ R3(A,B,C,D,X[12], 6,0x655b59c3L);
+ R3(D,A,B,C,X[ 3],10,0x8f0ccc92L);
+ R3(C,D,A,B,X[10],15,0xffeff47dL);
+ R3(B,C,D,A,X[ 1],21,0x85845dd1L);
+ R3(A,B,C,D,X[ 8], 6,0x6fa87e4fL);
+ R3(D,A,B,C,X[15],10,0xfe2ce6e0L);
+ R3(C,D,A,B,X[ 6],15,0xa3014314L);
+ R3(B,C,D,A,X[13],21,0x4e0811a1L);
+ R3(A,B,C,D,X[ 4], 6,0xf7537e82L);
+ R3(D,A,B,C,X[11],10,0xbd3af235L);
+ R3(C,D,A,B,X[ 2],15,0x2ad7d2bbL);
+ R3(B,C,D,A,X[ 9],21,0xeb86d391L);
+
+ A = c->A += A;
+ B = c->B += B;
+ C = c->C += C;
+ D = c->D += D;
+ }
+}
+#endif
+
+#ifndef md5_block_data_order
+#ifdef X
+#undef X
+#endif
+void md5_block_data_order (MD5_CTX *c, const void *data_, int num)
+{
+ const unsigned char *data=data_;
+ register unsigned MD32_REG_T A,B,C,D,l;
+#ifndef MD32_XARRAY
+ /* See comment in crypto/sha/sha_locl.h for details. */
+ unsigned MD32_REG_T XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7,
+ XX8, XX9,XX10,XX11,XX12,XX13,XX14,XX15;
+# define X(i) XX ## i
+#else
+ mDNSu32 XX[MD5_LBLOCK];
+# define X(i) XX[i]
+#endif
+
+ A=c->A;
+ B=c->B;
+ C=c->C;
+ D=c->D;
+
+ for (; num--;)
+ {
+ HOST_c2l(data,l); X( 0)=l; HOST_c2l(data,l); X( 1)=l;
+ /* Round 0 */
+ R0(A,B,C,D,X( 0), 7,0xd76aa478L); HOST_c2l(data,l); X( 2)=l;
+ R0(D,A,B,C,X( 1),12,0xe8c7b756L); HOST_c2l(data,l); X( 3)=l;
+ R0(C,D,A,B,X( 2),17,0x242070dbL); HOST_c2l(data,l); X( 4)=l;
+ R0(B,C,D,A,X( 3),22,0xc1bdceeeL); HOST_c2l(data,l); X( 5)=l;
+ R0(A,B,C,D,X( 4), 7,0xf57c0fafL); HOST_c2l(data,l); X( 6)=l;
+ R0(D,A,B,C,X( 5),12,0x4787c62aL); HOST_c2l(data,l); X( 7)=l;
+ R0(C,D,A,B,X( 6),17,0xa8304613L); HOST_c2l(data,l); X( 8)=l;
+ R0(B,C,D,A,X( 7),22,0xfd469501L); HOST_c2l(data,l); X( 9)=l;
+ R0(A,B,C,D,X( 8), 7,0x698098d8L); HOST_c2l(data,l); X(10)=l;
+ R0(D,A,B,C,X( 9),12,0x8b44f7afL); HOST_c2l(data,l); X(11)=l;
+ R0(C,D,A,B,X(10),17,0xffff5bb1L); HOST_c2l(data,l); X(12)=l;
+ R0(B,C,D,A,X(11),22,0x895cd7beL); HOST_c2l(data,l); X(13)=l;
+ R0(A,B,C,D,X(12), 7,0x6b901122L); HOST_c2l(data,l); X(14)=l;
+ R0(D,A,B,C,X(13),12,0xfd987193L); HOST_c2l(data,l); X(15)=l;
+ R0(C,D,A,B,X(14),17,0xa679438eL);
+ R0(B,C,D,A,X(15),22,0x49b40821L);
+ /* Round 1 */
+ R1(A,B,C,D,X( 1), 5,0xf61e2562L);
+ R1(D,A,B,C,X( 6), 9,0xc040b340L);
+ R1(C,D,A,B,X(11),14,0x265e5a51L);
+ R1(B,C,D,A,X( 0),20,0xe9b6c7aaL);
+ R1(A,B,C,D,X( 5), 5,0xd62f105dL);
+ R1(D,A,B,C,X(10), 9,0x02441453L);
+ R1(C,D,A,B,X(15),14,0xd8a1e681L);
+ R1(B,C,D,A,X( 4),20,0xe7d3fbc8L);
+ R1(A,B,C,D,X( 9), 5,0x21e1cde6L);
+ R1(D,A,B,C,X(14), 9,0xc33707d6L);
+ R1(C,D,A,B,X( 3),14,0xf4d50d87L);
+ R1(B,C,D,A,X( 8),20,0x455a14edL);
+ R1(A,B,C,D,X(13), 5,0xa9e3e905L);
+ R1(D,A,B,C,X( 2), 9,0xfcefa3f8L);
+ R1(C,D,A,B,X( 7),14,0x676f02d9L);
+ R1(B,C,D,A,X(12),20,0x8d2a4c8aL);
+ /* Round 2 */
+ R2(A,B,C,D,X( 5), 4,0xfffa3942L);
+ R2(D,A,B,C,X( 8),11,0x8771f681L);
+ R2(C,D,A,B,X(11),16,0x6d9d6122L);
+ R2(B,C,D,A,X(14),23,0xfde5380cL);
+ R2(A,B,C,D,X( 1), 4,0xa4beea44L);
+ R2(D,A,B,C,X( 4),11,0x4bdecfa9L);
+ R2(C,D,A,B,X( 7),16,0xf6bb4b60L);
+ R2(B,C,D,A,X(10),23,0xbebfbc70L);
+ R2(A,B,C,D,X(13), 4,0x289b7ec6L);
+ R2(D,A,B,C,X( 0),11,0xeaa127faL);
+ R2(C,D,A,B,X( 3),16,0xd4ef3085L);
+ R2(B,C,D,A,X( 6),23,0x04881d05L);
+ R2(A,B,C,D,X( 9), 4,0xd9d4d039L);
+ R2(D,A,B,C,X(12),11,0xe6db99e5L);
+ R2(C,D,A,B,X(15),16,0x1fa27cf8L);
+ R2(B,C,D,A,X( 2),23,0xc4ac5665L);
+ /* Round 3 */
+ R3(A,B,C,D,X( 0), 6,0xf4292244L);
+ R3(D,A,B,C,X( 7),10,0x432aff97L);
+ R3(C,D,A,B,X(14),15,0xab9423a7L);
+ R3(B,C,D,A,X( 5),21,0xfc93a039L);
+ R3(A,B,C,D,X(12), 6,0x655b59c3L);
+ R3(D,A,B,C,X( 3),10,0x8f0ccc92L);
+ R3(C,D,A,B,X(10),15,0xffeff47dL);
+ R3(B,C,D,A,X( 1),21,0x85845dd1L);
+ R3(A,B,C,D,X( 8), 6,0x6fa87e4fL);
+ R3(D,A,B,C,X(15),10,0xfe2ce6e0L);
+ R3(C,D,A,B,X( 6),15,0xa3014314L);
+ R3(B,C,D,A,X(13),21,0x4e0811a1L);
+ R3(A,B,C,D,X( 4), 6,0xf7537e82L);
+ R3(D,A,B,C,X(11),10,0xbd3af235L);
+ R3(C,D,A,B,X( 2),15,0x2ad7d2bbL);
+ R3(B,C,D,A,X( 9),21,0xeb86d391L);
+
+ A = c->A += A;
+ B = c->B += B;
+ C = c->C += C;
+ D = c->D += D;
+ }
+}
+#endif
+
+
+// ***************************************************************************
+#if COMPILER_LIKES_PRAGMA_MARK
+#pragma mark - base64 -> binary conversion
+#endif
+
+static const char Base64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+static const char Pad64 = '=';
+
+
+#define mDNSisspace(x) (x == '\t' || x == '\n' || x == '\v' || x == '\f' || x == '\r' || x == ' ')
+
+mDNSlocal const char *mDNSstrchr(const char *s, int c)
+{
+ while (1)
+ {
+ if (c == *s) return s;
+ if (!*s) return mDNSNULL;
+ s++;
+ }
+}
+
+// skips all whitespace anywhere.
+// converts characters, four at a time, starting at (or after)
+// src from base - 64 numbers into three 8 bit bytes in the target area.
+// it returns the number of data bytes stored at the target, or -1 on error.
+// adapted from BIND sources
+
+mDNSlocal mDNSs32 DNSDigest_Base64ToBin(const char *src, mDNSu8 *target, mDNSu32 targsize)
+{
+ int tarindex, state, ch;
+ const char *pos;
+
+ state = 0;
+ tarindex = 0;
+
+ while ((ch = *src++) != '\0') {
+ if (mDNSisspace(ch)) /* Skip whitespace anywhere. */
+ continue;
+
+ if (ch == Pad64)
+ break;
+
+ pos = mDNSstrchr(Base64, ch);
+ if (pos == 0) /* A non-base64 character. */
+ return (-1);
+
+ switch (state) {
+ case 0:
+ if (target) {
+ if ((mDNSu32)tarindex >= targsize)
+ return (-1);
+ target[tarindex] = (mDNSu8)((pos - Base64) << 2);
+ }
+ state = 1;
+ break;
+ case 1:
+ if (target) {
+ if ((mDNSu32)tarindex + 1 >= targsize)
+ return (-1);
+ target[tarindex] |= (pos - Base64) >> 4;
+ target[tarindex+1] = (mDNSu8)(((pos - Base64) & 0x0f) << 4);
+ }
+ tarindex++;
+ state = 2;
+ break;
+ case 2:
+ if (target) {
+ if ((mDNSu32)tarindex + 1 >= targsize)
+ return (-1);
+ target[tarindex] |= (pos - Base64) >> 2;
+ target[tarindex+1] = (mDNSu8)(((pos - Base64) & 0x03) << 6);
+ }
+ tarindex++;
+ state = 3;
+ break;
+ case 3:
+ if (target) {
+ if ((mDNSu32)tarindex >= targsize)
+ return (-1);
+ target[tarindex] |= (pos - Base64);
+ }
+ tarindex++;
+ state = 0;
+ break;
+ default:
+ return -1;
+ }
+ }
+
+ /*
+ * We are done decoding Base-64 chars. Let's see if we ended
+ * on a byte boundary, and/or with erroneous trailing characters.
+ */
+
+ if (ch == Pad64) { /* We got a pad char. */
+ ch = *src++; /* Skip it, get next. */
+ switch (state) {
+ case 0: /* Invalid = in first position */
+ case 1: /* Invalid = in second position */
+ return (-1);
+
+ case 2: /* Valid, means one byte of info */
+ /* Skip any number of spaces. */
+ for ((void)mDNSNULL; ch != '\0'; ch = *src++)
+ if (!mDNSisspace(ch))
+ break;
+ /* Make sure there is another trailing = sign. */
+ if (ch != Pad64)
+ return (-1);
+ ch = *src++; /* Skip the = */
+ /* Fall through to "single trailing =" case. */
+ /* FALLTHROUGH */
+
+ case 3: /* Valid, means two bytes of info */
+ /*
+ * We know this char is an =. Is there anything but
+ * whitespace after it?
+ */
+ for ((void)mDNSNULL; ch != '\0'; ch = *src++)
+ if (!mDNSisspace(ch))
+ return (-1);
+
+ /*
+ * Now make sure for cases 2 and 3 that the "extra"
+ * bits that slopped past the last full byte were
+ * zeros. If we don't check them, they become a
+ * subliminal channel.
+ */
+ if (target && target[tarindex] != 0)
+ return (-1);
+ }
+ } else {
+ /*
+ * We ended by seeing the end of the string. Make sure we
+ * have no partial bytes lying around.
+ */
+ if (state != 0)
+ return (-1);
+ }
+
+ return (tarindex);
+}
+
+
+// ***************************************************************************
+#if COMPILER_LIKES_PRAGMA_MARK
+#pragma mark - API exported to mDNS Core
+#endif
+
+// Constants
+#define HMAC_IPAD 0x36
+#define HMAC_OPAD 0x5c
+#define MD5_LEN 16
+
+#define HMAC_MD5_AlgName (*(const domainname*) "\010" "hmac-md5" "\007" "sig-alg" "\003" "reg" "\003" "int")
+
+// Adapted from Appendix, RFC 2104
+mDNSlocal void DNSDigest_ConstructHMACKey(DomainAuthInfo *info, const mDNSu8 *key, mDNSu32 len)
+{
+ MD5_CTX k;
+ mDNSu8 buf[MD5_LEN];
+ int i;
+
+ // If key is longer than HMAC_LEN reset it to MD5(key)
+ if (len > HMAC_LEN)
+ {
+ MD5_Init(&k);
+ MD5_Update(&k, key, len);
+ MD5_Final(buf, &k);
+ key = buf;
+ len = MD5_LEN;
+ }
+
+ // store key in pads
+ mDNSPlatformMemZero(info->keydata_ipad, HMAC_LEN);
+ mDNSPlatformMemZero(info->keydata_opad, HMAC_LEN);
+ mDNSPlatformMemCopy(info->keydata_ipad, key, len);
+ mDNSPlatformMemCopy(info->keydata_opad, key, len);
+
+ // XOR key with ipad and opad values
+ for (i = 0; i < HMAC_LEN; i++)
+ {
+ info->keydata_ipad[i] ^= HMAC_IPAD;
+ info->keydata_opad[i] ^= HMAC_OPAD;
+ }
+
+}
+
+mDNSexport mDNSs32 DNSDigest_ConstructHMACKeyfromBase64(DomainAuthInfo *info, const char *b64key)
+{
+ mDNSu8 keybuf[1024];
+ mDNSs32 keylen = DNSDigest_Base64ToBin(b64key, keybuf, sizeof(keybuf));
+ if (keylen < 0) return(keylen);
+ DNSDigest_ConstructHMACKey(info, keybuf, (mDNSu32)keylen);
+ return(keylen);
+}
+
+mDNSexport void DNSDigest_SignMessage(DNSMessage *msg, mDNSu8 **end, DomainAuthInfo *info, mDNSu16 tcode)
+{
+ AuthRecord tsig;
+ mDNSu8 *rdata, *const countPtr = (mDNSu8 *)&msg->h.numAdditionals; // Get existing numAdditionals value
+ mDNSu32 utc32;
+ mDNSu8 utc48[6];
+ mDNSu8 digest[MD5_LEN];
+ mDNSu8 *ptr = *end;
+ mDNSu32 len;
+ mDNSOpaque16 buf;
+ MD5_CTX c;
+ mDNSu16 numAdditionals = (mDNSu16)((mDNSu16)countPtr[0] << 8 | countPtr[1]);
+
+ // Init MD5 context, digest inner key pad and message
+ MD5_Init(&c);
+ MD5_Update(&c, info->keydata_ipad, HMAC_LEN);
+ MD5_Update(&c, (mDNSu8 *)msg, (unsigned long)(*end - (mDNSu8 *)msg));
+
+ // Construct TSIG RR, digesting variables as apporpriate
+ mDNS_SetupResourceRecord(&tsig, mDNSNULL, 0, kDNSType_TSIG, 0, kDNSRecordTypeKnownUnique, AuthRecordAny, mDNSNULL, mDNSNULL);
+
+ // key name
+ AssignDomainName(&tsig.namestorage, &info->keyname);
+ MD5_Update(&c, info->keyname.c, DomainNameLength(&info->keyname));
+
+ // class
+ tsig.resrec.rrclass = kDNSQClass_ANY;
+ buf = mDNSOpaque16fromIntVal(kDNSQClass_ANY);
+ MD5_Update(&c, buf.b, sizeof(mDNSOpaque16));
+
+ // ttl
+ tsig.resrec.rroriginalttl = 0;
+ MD5_Update(&c, (mDNSu8 *)&tsig.resrec.rroriginalttl, sizeof(tsig.resrec.rroriginalttl));
+
+ // alg name
+ AssignDomainName(&tsig.resrec.rdata->u.name, &HMAC_MD5_AlgName);
+ len = DomainNameLength(&HMAC_MD5_AlgName);
+ rdata = tsig.resrec.rdata->u.data + len;
+ MD5_Update(&c, HMAC_MD5_AlgName.c, len);
+
+ // time
+ // get UTC (universal time), convert to 48-bit unsigned in network byte order
+ utc32 = (mDNSu32)mDNSPlatformUTC();
+ if (utc32 == (unsigned)-1) { LogMsg("ERROR: DNSDigest_SignMessage - mDNSPlatformUTC returned bad time -1"); *end = mDNSNULL; }
+ utc48[0] = 0;
+ utc48[1] = 0;
+ utc48[2] = (mDNSu8)((utc32 >> 24) & 0xff);
+ utc48[3] = (mDNSu8)((utc32 >> 16) & 0xff);
+ utc48[4] = (mDNSu8)((utc32 >> 8) & 0xff);
+ utc48[5] = (mDNSu8)( utc32 & 0xff);
+
+ mDNSPlatformMemCopy(rdata, utc48, 6);
+ rdata += 6;
+ MD5_Update(&c, utc48, 6);
+
+ // 300 sec is fudge recommended in RFC 2485
+ rdata[0] = (mDNSu8)((300 >> 8) & 0xff);
+ rdata[1] = (mDNSu8)( 300 & 0xff);
+ MD5_Update(&c, rdata, sizeof(mDNSOpaque16));
+ rdata += sizeof(mDNSOpaque16);
+
+ // digest error (tcode) and other data len (zero) - we'll add them to the rdata later
+ buf.b[0] = (mDNSu8)((tcode >> 8) & 0xff);
+ buf.b[1] = (mDNSu8)( tcode & 0xff);
+ MD5_Update(&c, buf.b, sizeof(mDNSOpaque16)); // error
+ buf.NotAnInteger = 0;
+ MD5_Update(&c, buf.b, sizeof(mDNSOpaque16)); // other data len
+
+ // finish the message & tsig var hash
+ MD5_Final(digest, &c);
+
+ // perform outer MD5 (outer key pad, inner digest)
+ MD5_Init(&c);
+ MD5_Update(&c, info->keydata_opad, HMAC_LEN);
+ MD5_Update(&c, digest, MD5_LEN);
+ MD5_Final(digest, &c);
+
+ // set remaining rdata fields
+ rdata[0] = (mDNSu8)((MD5_LEN >> 8) & 0xff);
+ rdata[1] = (mDNSu8)( MD5_LEN & 0xff);
+ rdata += sizeof(mDNSOpaque16);
+ mDNSPlatformMemCopy(rdata, digest, MD5_LEN); // MAC
+ rdata += MD5_LEN;
+ rdata[0] = msg->h.id.b[0]; // original ID
+ rdata[1] = msg->h.id.b[1];
+ rdata[2] = (mDNSu8)((tcode >> 8) & 0xff);
+ rdata[3] = (mDNSu8)( tcode & 0xff);
+ rdata[4] = 0; // other data len
+ rdata[5] = 0;
+ rdata += 6;
+
+ tsig.resrec.rdlength = (mDNSu16)(rdata - tsig.resrec.rdata->u.data);
+ *end = PutResourceRecordTTLJumbo(msg, ptr, &numAdditionals, &tsig.resrec, 0);
+ if (!*end) { LogMsg("ERROR: DNSDigest_SignMessage - could not put TSIG"); *end = mDNSNULL; return; }
+
+ // Write back updated numAdditionals value
+ countPtr[0] = (mDNSu8)(numAdditionals >> 8);
+ countPtr[1] = (mDNSu8)(numAdditionals & 0xFF);
+}
+
+mDNSexport mDNSBool DNSDigest_VerifyMessage(DNSMessage *msg, mDNSu8 *end, LargeCacheRecord * lcr, DomainAuthInfo *info, mDNSu16 * rcode, mDNSu16 * tcode)
+{
+ mDNSu8 * ptr = (mDNSu8*) &lcr->r.resrec.rdata->u.data;
+ mDNSs32 now;
+ mDNSs32 then;
+ mDNSu8 thisDigest[MD5_LEN];
+ mDNSu8 thatDigest[MD5_LEN];
+ mDNSOpaque16 buf;
+ mDNSu8 utc48[6];
+ mDNSs32 delta;
+ mDNSu16 fudge;
+ domainname * algo;
+ MD5_CTX c;
+ mDNSBool ok = mDNSfalse;
+
+ // We only support HMAC-MD5 for now
+
+ algo = (domainname*) ptr;
+
+ if (!SameDomainName(algo, &HMAC_MD5_AlgName))
+ {
+ LogMsg("ERROR: DNSDigest_VerifyMessage - TSIG algorithm not supported: %##s", algo->c);
+ *rcode = kDNSFlag1_RC_NotAuth;
+ *tcode = TSIG_ErrBadKey;
+ ok = mDNSfalse;
+ goto exit;
+ }
+
+ ptr += DomainNameLength(algo);
+
+ // Check the times
+
+ now = mDNSPlatformUTC();
+ if (now == -1)
+ {
+ LogMsg("ERROR: DNSDigest_VerifyMessage - mDNSPlatformUTC returned bad time -1");
+ *rcode = kDNSFlag1_RC_NotAuth;
+ *tcode = TSIG_ErrBadTime;
+ ok = mDNSfalse;
+ goto exit;
+ }
+
+ // Get the 48 bit time field, skipping over the first word
+
+ utc48[0] = *ptr++;
+ utc48[1] = *ptr++;
+ utc48[2] = *ptr++;
+ utc48[3] = *ptr++;
+ utc48[4] = *ptr++;
+ utc48[5] = *ptr++;
+
+ then = (mDNSs32)NToH32(utc48 + sizeof(mDNSu16));
+
+ fudge = NToH16(ptr);
+
+ ptr += sizeof(mDNSu16);
+
+ delta = (now > then) ? now - then : then - now;
+
+ if (delta > fudge)
+ {
+ LogMsg("ERROR: DNSDigest_VerifyMessage - time skew > %d", fudge);
+ *rcode = kDNSFlag1_RC_NotAuth;
+ *tcode = TSIG_ErrBadTime;
+ ok = mDNSfalse;
+ goto exit;
+ }
+
+ // MAC size
+
+ ptr += sizeof(mDNSu16);
+
+ // MAC
+
+ mDNSPlatformMemCopy(thatDigest, ptr, MD5_LEN);
+
+ // Init MD5 context, digest inner key pad and message
+
+ MD5_Init(&c);
+ MD5_Update(&c, info->keydata_ipad, HMAC_LEN);
+ MD5_Update(&c, (mDNSu8*) msg, (unsigned long)(end - (mDNSu8*) msg));
+
+ // Key name
+
+ MD5_Update(&c, lcr->r.resrec.name->c, DomainNameLength(lcr->r.resrec.name));
+
+ // Class name
+
+ buf = mDNSOpaque16fromIntVal(lcr->r.resrec.rrclass);
+ MD5_Update(&c, buf.b, sizeof(mDNSOpaque16));
+
+ // TTL
+
+ MD5_Update(&c, (mDNSu8*) &lcr->r.resrec.rroriginalttl, sizeof(lcr->r.resrec.rroriginalttl));
+
+ // Algorithm
+
+ MD5_Update(&c, algo->c, DomainNameLength(algo));
+
+ // Time
+
+ MD5_Update(&c, utc48, 6);
+
+ // Fudge
+
+ buf = mDNSOpaque16fromIntVal(fudge);
+ MD5_Update(&c, buf.b, sizeof(mDNSOpaque16));
+
+ // Digest error and other data len (both zero) - we'll add them to the rdata later
+
+ buf.NotAnInteger = 0;
+ MD5_Update(&c, buf.b, sizeof(mDNSOpaque16)); // error
+ MD5_Update(&c, buf.b, sizeof(mDNSOpaque16)); // other data len
+
+ // Finish the message & tsig var hash
+
+ MD5_Final(thisDigest, &c);
+
+ // perform outer MD5 (outer key pad, inner digest)
+
+ MD5_Init(&c);
+ MD5_Update(&c, info->keydata_opad, HMAC_LEN);
+ MD5_Update(&c, thisDigest, MD5_LEN);
+ MD5_Final(thisDigest, &c);
+
+ if (!mDNSPlatformMemSame(thisDigest, thatDigest, MD5_LEN))
+ {
+ LogMsg("ERROR: DNSDigest_VerifyMessage - bad signature");
+ *rcode = kDNSFlag1_RC_NotAuth;
+ *tcode = TSIG_ErrBadSig;
+ ok = mDNSfalse;
+ goto exit;
+ }
+
+ // set remaining rdata fields
+ ok = mDNStrue;
+
+exit:
+
+ return ok;
+}
+
+
+#ifdef __cplusplus
+}
+#endif
diff --git a/mDNSResponder/mDNSCore/Implementer Notes.txt b/mDNSResponder/mDNSCore/Implementer Notes.txt
new file mode 100644
index 00000000..60c9b3ae
--- /dev/null
+++ b/mDNSResponder/mDNSCore/Implementer Notes.txt
@@ -0,0 +1,66 @@
+February 2002:
+
+The mDNSResponder code has a slight architectural change to improve
+efficiency.
+
+The mDNSResponder code previously called ScheduleNextTask() after every
+operation, to calculate the time at which it needed to be called back to
+perform its next timed operation. When the workload is light, and
+protocol operations are rare and far apart, this makes sense.
+
+However, on networks where there is a lot of mDNS traffic (or the CPU is
+slow), this leads to the following anomolous behaviour: mDNSResponder
+spends a lot of CPU time working out what to do next, when what it needs
+to do next should be obvious: Finish processing the big backlog of
+packets that have been received.
+
+To remedy this, mDNSResponder now only executes ScheduleNextTask() when
+there is no other obvious work waiting to be done. However, the
+mDNSResponder code does not have direct access to this knowledge. Only
+the platform layer below knows whether there are packets waiting to be
+processed. Only the client layer above knows whether it is in the
+process of performing a long sequence of back-to-back mDNS API calls.
+
+This means that the new architecture places an additional responsibility
+on the client layer and/or platform support layer. As long as they have
+immediate work to do, they should call the appropriate mDNSCore routines
+to accomplish that work. With each call, mDNSCore will do only what it
+immediately has to do to satisfy the call. Any optional work will be
+deferred. As soon as there is no more immediate work to do, the calling
+layer MUST call mDNS_Execute(). Failure to call mDNS_Execute() will lead
+to unreliable or incorrect operation.
+
+The value returned from mDNS_Execute() is the next time (in absolute
+platform time units) at which mDNS_Execute() MUST be called again to
+perform its next necessary operation (e.g. transmitting its next
+scheduled query packet, etc.) Note that the time returned is an absolute
+time, not the time *interval* between now and the next required call.
+For OS APIs that work in terms of intervals instead of absolute times,
+mDNSPlatformTimeNow() must be subtracted from the absolute time to get
+the interval between now and the next event.
+
+In a single-threaded application using a blocking select() call as its
+main synchronization point, this means that you should call
+mDNS_Execute() before calling select(), and the timeout value you pass
+to select() MUST NOT be larger than that indicated by the result
+returned from mDNS_Execute(). After the blocking select() call returns,
+you should do whatever work you have to do, and then, if mDNS packets
+were received, or mDNS API calls were made, be sure to call
+mDNS_Execute() again, and if necessary adjust your timeout value
+accordingly, before going back into the select() call.
+
+In an asynchronous or interrupt-driven application, there are three
+places that should call mDNS_Execute():
+
+1. After delivering received packets, the platform support layer should
+call mDNS_Execute(), and use the value returned to set the platform
+callback timer to fire at the indicated time.
+
+2. After making any mDNS API call or series of calls, the client layer
+should call mDNS_Execute(), and use the value returned to set the
+platform callback timer to fire at the indicated time.
+
+3. When the platform callback timer fires, it should call mDNS_Execute()
+(to allow mDNSCore to perform its necessary work) and then the timer
+routine use the result returned to reset itself to fire at the right
+time for the next scheduled event.
diff --git a/mDNSResponder/mDNSCore/anonymous.c b/mDNSResponder/mDNSCore/anonymous.c
new file mode 100644
index 00000000..94b102ec
--- /dev/null
+++ b/mDNSResponder/mDNSCore/anonymous.c
@@ -0,0 +1,597 @@
+/* -*- Mode: C; tab-width: 4 -*-
+ *
+ * Copyright (c) 2012 Apple Computer, Inc. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "mDNSEmbeddedAPI.h"
+#include "CryptoAlg.h"
+#include "anonymous.h"
+#include "DNSCommon.h"
+
+// Define ANONYMOUS_DISABLED to remove all the anonymous functionality
+// and use the stub functions implemented later in this file.
+
+#ifndef ANONYMOUS_DISABLED
+
+#define ANON_NSEC3_ITERATIONS 1
+
+mDNSlocal mDNSBool InitializeNSEC3Record(ResourceRecord *rr, const mDNSu8 *AnonData, int len, mDNSu32 salt)
+{
+ const mDNSu8 *ptr;
+ rdataNSEC3 *nsec3 = (rdataNSEC3 *)rr->rdata->u.data;
+ mDNSu8 *tmp, *nxt;
+ unsigned short iter = ANON_NSEC3_ITERATIONS;
+ int hlen;
+ const mDNSu8 hashName[NSEC3_MAX_HASH_LEN];
+
+ // Construct the RDATA first and construct the owner name based on that.
+ ptr = (const mDNSu8 *)&salt;
+ debugf("InitializeNSEC3Record: %x%x%x%x, name %##s", ptr[0], ptr[1], ptr[2], ptr[3], rr->name->c);
+
+ // Set the RDATA
+ nsec3->alg = SHA1_DIGEST_TYPE;
+ nsec3->flags = 0;
+ nsec3->iterations = swap16(iter);
+ nsec3->saltLength = 4;
+ tmp = (mDNSu8 *)&nsec3->salt;
+ *tmp++ = ptr[0];
+ *tmp++ = ptr[1];
+ *tmp++ = ptr[2];
+ *tmp++ = ptr[3];
+
+ // hashLength, nxt, bitmap
+ *tmp++ = SHA1_HASH_LENGTH; // hash length
+ nxt = tmp;
+ tmp += SHA1_HASH_LENGTH;
+ *tmp++ = 0; // window number
+ *tmp++ = NSEC_MCAST_WINDOW_SIZE; // window length
+ mDNSPlatformMemZero(tmp, NSEC_MCAST_WINDOW_SIZE);
+ tmp[kDNSType_PTR >> 3] |= 128 >> (kDNSType_PTR & 7);
+
+ // Hash the base service name + salt + AnonData
+ if (!NSEC3HashName(rr->name, nsec3, AnonData, len, hashName, &hlen))
+ {
+ LogMsg("InitializeNSEC3Record: NSEC3HashName failed for ##s", rr->name->c);
+ return mDNSfalse;
+ }
+ if (hlen != SHA1_HASH_LENGTH)
+ {
+ LogMsg("InitializeNSEC3Record: hlen wrong %d", hlen);
+ return mDNSfalse;
+ }
+ mDNSPlatformMemCopy(nxt, hashName, hlen);
+
+ return mDNStrue;
+}
+
+mDNSlocal ResourceRecord *ConstructNSEC3Record(const domainname *service, const mDNSu8 *AnonData, int len, mDNSu32 salt)
+{
+ ResourceRecord *rr;
+ int dlen;
+ domainname *name;
+
+ // We are just allocating an RData which has StandardAuthRDSize
+ if (StandardAuthRDSize < MCAST_NSEC3_RDLENGTH)
+ {
+ LogMsg("ConstructNSEC3Record: StandardAuthRDSize %d smaller than MCAST_NSEC3_RDLENGTH %d", StandardAuthRDSize, MCAST_NSEC3_RDLENGTH);
+ return mDNSNULL;
+ }
+
+ dlen = DomainNameLength(service);
+
+ // Allocate space for the name and RData.
+ rr = mDNSPlatformMemAllocate(sizeof(ResourceRecord) + dlen + sizeof(RData));
+ if (!rr)
+ return mDNSNULL;
+ name = (domainname *)((mDNSu8 *)rr + sizeof(ResourceRecord));
+ rr->RecordType = kDNSRecordTypePacketAuth;
+ rr->InterfaceID = mDNSInterface_Any;
+ rr->name = (const domainname *)name;
+ rr->rrtype = kDNSType_NSEC3;
+ rr->rrclass = kDNSClass_IN;
+ rr->rroriginalttl = kStandardTTL;
+ rr->rDNSServer = mDNSNULL;
+ rr->rdlength = MCAST_NSEC3_RDLENGTH;
+ rr->rdestimate = MCAST_NSEC3_RDLENGTH;
+ rr->rdata = (RData *)((mDNSu8 *)rr->name + dlen);
+
+ AssignDomainName(name, service);
+ if (!InitializeNSEC3Record(rr, AnonData, len, salt))
+ {
+ mDNSPlatformMemFree(rr);
+ return mDNSNULL;
+ }
+ return rr;
+}
+
+mDNSlocal ResourceRecord *CopyNSEC3ResourceRecord(AnonymousInfo *si, const ResourceRecord *rr)
+{
+ int len;
+ domainname *name;
+ ResourceRecord *nsec3rr;
+
+ if (rr->rdlength < MCAST_NSEC3_RDLENGTH)
+ {
+ LogMsg("CopyNSEC3ResourceRecord: rdlength %d smaller than MCAST_NSEC3_RDLENGTH %d", rr->rdlength, MCAST_NSEC3_RDLENGTH);
+ return mDNSNULL;
+ }
+ // Allocate space for the name and the rdata along with the ResourceRecord
+ len = DomainNameLength(rr->name);
+ nsec3rr = mDNSPlatformMemAllocate(sizeof(ResourceRecord) + len + sizeof(RData));
+ if (!nsec3rr)
+ return mDNSNULL;
+
+ *nsec3rr = *rr;
+ name = (domainname *)((mDNSu8 *)nsec3rr + sizeof(ResourceRecord));
+ nsec3rr->name = (const domainname *)name;
+ AssignDomainName(name, rr->name);
+
+ nsec3rr->rdata = (RData *)((mDNSu8 *)nsec3rr->name + len);
+ mDNSPlatformMemCopy(nsec3rr->rdata->u.data, rr->rdata->u.data, rr->rdlength);
+
+ si->nsec3RR = nsec3rr;
+
+ return nsec3rr;
+}
+
+// When a service is started or a browse is started with the Anonymous data, we allocate a new random
+// number and based on that allocate a new NSEC3 resource record whose hash is a function of random number (salt) and
+// the anonymous data.
+//
+// If we receive a packet with the NSEC3 option, we need to cache that along with the resource record so that we can
+// check against the question to see whether it answers them or not. In that case, we pass the "rr" that we received.
+mDNSexport AnonymousInfo *AllocateAnonInfo(const domainname *service, const mDNSu8 *data, int len, const ResourceRecord *rr)
+{
+ AnonymousInfo *ai;
+ ai = (AnonymousInfo *)mDNSPlatformMemAllocate(sizeof(AnonymousInfo));
+ if (!ai)
+ {
+ return mDNSNULL;
+ }
+ mDNSPlatformMemZero(ai, sizeof(AnonymousInfo));
+ if (rr)
+ {
+ if (!CopyNSEC3ResourceRecord(ai, rr))
+ {
+ mDNSPlatformMemFree(ai);
+ return mDNSNULL;
+ }
+ return ai;
+ }
+ ai->salt = mDNSRandom(0xFFFFFFFF);
+ ai->AnonData = mDNSPlatformMemAllocate(len);
+ if (!ai->AnonData)
+ {
+ mDNSPlatformMemFree(ai);
+ return mDNSNULL;
+ }
+ ai->AnonDataLen = len;
+ mDNSPlatformMemCopy(ai->AnonData, data, len);
+ ai->nsec3RR = ConstructNSEC3Record(service, data, len, ai->salt);
+ if (!ai->nsec3RR)
+ {
+ mDNSPlatformMemFree(ai);
+ return mDNSNULL;
+ }
+ return ai;
+}
+
+mDNSexport void FreeAnonInfo(AnonymousInfo *ai)
+{
+ if (ai->nsec3RR)
+ mDNSPlatformMemFree(ai->nsec3RR);
+ if (ai->AnonData)
+ mDNSPlatformMemFree(ai->AnonData);
+ mDNSPlatformMemFree(ai);
+}
+
+mDNSexport void ReInitAnonInfo(AnonymousInfo **AnonInfo, const domainname *name)
+{
+ if (*AnonInfo)
+ {
+ AnonymousInfo *ai = *AnonInfo;
+ *AnonInfo = AllocateAnonInfo(name, ai->AnonData, ai->AnonDataLen, mDNSNULL);
+ if (!(*AnonInfo))
+ *AnonInfo = ai;
+ else
+ FreeAnonInfo(ai);
+ }
+}
+
+// This function should be used only if you know that the question and
+// the resource record belongs to the same set. The main usage is
+// in ProcessQuery where we find the question to be part of the same
+// set as the resource record, but it needs the AnonData to be
+// initialized so that it can walk the cache records to see if they
+// answer the question.
+mDNSexport void SetAnonData(DNSQuestion *q, ResourceRecord *rr, mDNSBool ForQuestion)
+{
+ if (!q->AnonInfo || !rr->AnonInfo)
+ {
+ LogMsg("SetAnonData: question %##s(%p), rr %##s(%p), NULL", q->qname.c, q->AnonInfo, rr->name->c, rr->AnonInfo);
+ return;
+ }
+
+ debugf("SetAnonData: question %##s(%p), rr %##s(%p)", q->qname.c, q->AnonInfo, rr->name->c, rr->AnonInfo);
+ if (ForQuestion)
+ {
+ if (!q->AnonInfo->AnonData)
+ {
+ q->AnonInfo->AnonData = mDNSPlatformMemAllocate(rr->AnonInfo->AnonDataLen);
+ if (!q->AnonInfo->AnonData)
+ return;
+ }
+ mDNSPlatformMemCopy(q->AnonInfo->AnonData, rr->AnonInfo->AnonData, rr->AnonInfo->AnonDataLen);
+ q->AnonInfo->AnonDataLen = rr->AnonInfo->AnonDataLen;
+ }
+ else
+ {
+ if (!rr->AnonInfo->AnonData)
+ {
+ rr->AnonInfo->AnonData = mDNSPlatformMemAllocate(q->AnonInfo->AnonDataLen);
+ if (!rr->AnonInfo->AnonData)
+ return;
+ }
+ mDNSPlatformMemCopy(rr->AnonInfo->AnonData, q->AnonInfo->AnonData, q->AnonInfo->AnonDataLen);
+ rr->AnonInfo->AnonDataLen = q->AnonInfo->AnonDataLen;
+ }
+}
+
+// returns -1 if the caller should ignore the result
+// returns 1 if the record answers the question
+// returns 0 if the record does not answer the question
+mDNSexport int AnonInfoAnswersQuestion(const ResourceRecord *const rr, const DNSQuestion *const q)
+{
+ mDNSexport mDNS mDNSStorage;
+ ResourceRecord *nsec3RR;
+ int i;
+ AnonymousInfo *qai, *rai;
+ mDNSu8 *AnonData;
+ int AnonDataLen;
+ rdataNSEC3 *nsec3;
+ int hlen;
+ const mDNSu8 hashName[NSEC3_MAX_HASH_LEN];
+ int nxtLength;
+ mDNSu8 *nxtName;
+
+ debugf("AnonInfoAnswersQuestion: question qname %##s", q->qname.c);
+
+ // Currently only PTR records can have anonymous information
+ if (q->qtype != kDNSType_PTR)
+ {
+ return -1;
+ }
+
+ // We allow anonymous questions to be answered by both normal services (without the
+ // anonymous information) and anonymous services that are part of the same set. And
+ // normal questions discover normal services and all anonymous services.
+ //
+ // The three cases have been enumerated clearly even though they all behave the
+ // same way.
+ if (!q->AnonInfo)
+ {
+ debugf("AnonInfoAnswersQuestion: not a anonymous type question");
+ if (!rr->AnonInfo)
+ {
+ // case 1
+ return -1;
+ }
+ else
+ {
+ // case 2
+ debugf("AnonInfoAnswersQuestion: Question %##s not answered using anonymous record %##s", q->qname.c, rr->name->c);
+ return -1;
+ }
+ }
+ else
+ {
+ // case 3
+ if (!rr->AnonInfo)
+ {
+ debugf("AnonInfoAnswersQuestion: not a anonymous type record");
+ return -1;
+ }
+ }
+
+ // case 4: We have the anonymous information both in the question and the record. We need
+ // two sets of information to validate.
+ //
+ // 1) Anonymous data that identifies the set/group
+ // 2) NSEC3 record that contains the hash and the salt
+ //
+ // If the question is a remote one, it does not have the anonymous information to validate (just
+ // the NSEC3 record) and hence the anonymous data should come from the local resource record. If the
+ // question is local, it can come from either of them and if there is a mismatch between the
+ // question and record, it won't validate.
+
+ qai = q->AnonInfo;
+ rai = rr->AnonInfo;
+
+ if (qai->AnonData && rai->AnonData)
+ {
+ // Before a cache record is created, if there is a matching question i.e., part
+ // of the same set, then when the cache is created we also set the anonymous
+ // information. Otherwise, the cache record contains just the NSEC3 record and we
+ // won't be here for that case.
+ //
+ // It is also possible that a local question is matched against the local AuthRecord
+ // as that is also the case for which the AnonData would be non-NULL for both.
+ // We match questions against AuthRecords (rather than the cache) for LocalOnly case and
+ // to see whether a .local query should be suppressed or not. The latter never happens
+ // because PTR queries are never suppressed.
+
+ // If they don't belong to the same anonymous set, then no point in validating.
+ if ((qai->AnonDataLen != rai->AnonDataLen) ||
+ mDNSPlatformMemCmp(qai->AnonData, rai->AnonData, qai->AnonDataLen) != 0)
+ {
+ debugf("AnonInfoAnswersQuestion: AnonData mis-match for record %s question %##s ",
+ RRDisplayString(&mDNSStorage, rr), q->qname.c);
+ return 0;
+ }
+ // AnonData matches i.e they belong to the same group and the same service.
+ LogInfo("AnonInfoAnswersQuestion: Answering qname %##s, rname %##s, without validation", q->qname.c,
+ rr->name->c);
+ return 1;
+ }
+ else
+ {
+ debugf("AnonInfoAnswersQuestion: question %p, record %p", qai->AnonData, rai->AnonData);
+ }
+
+ if (qai->AnonData)
+ {
+ // If there is AnonData, then this is a local question. The
+ // NSEC3 RR comes from the resource record which could be part
+ // of the cache or local auth record. The cache entry could
+ // be from a remote host or created when we heard our own
+ // announcements. In any case, we use that to see if it matches
+ // the question.
+ AnonData = qai->AnonData;
+ AnonDataLen = qai->AnonDataLen;
+ nsec3RR = rai->nsec3RR;
+ }
+ else
+ {
+ // Remote question or hearing our own question back
+ AnonData = rai->AnonData;
+ AnonDataLen = rai->AnonDataLen;
+ nsec3RR = qai->nsec3RR;
+ }
+
+ if (!AnonData || !nsec3RR)
+ {
+ // AnonData can be NULL for the cache entry and if we are hearing our own question back, AnonData is NULL for
+ // that too and we can end up here for that case.
+ debugf("AnonInfoAnswersQuestion: AnonData %p or nsec3RR %p, NULL for question %##s, record %s", AnonData, nsec3RR,
+ q->qname.c, RRDisplayString(&mDNSStorage, rr));
+ return 0;
+ }
+ debugf("AnonInfoAnswersQuestion: Validating question %##s, ResourceRecord %s", q->qname.c, RRDisplayString(&mDNSStorage, nsec3RR));
+
+
+ nsec3 = (rdataNSEC3 *)nsec3RR->rdata->u.data;
+
+ if (!NSEC3HashName(nsec3RR->name, nsec3, AnonData, AnonDataLen, hashName, &hlen))
+ {
+ LogMsg("AnonInfoAnswersQuestion: NSEC3HashName failed for ##s", nsec3RR->name->c);
+ return mDNSfalse;
+ }
+ if (hlen != SHA1_HASH_LENGTH)
+ {
+ LogMsg("AnonInfoAnswersQuestion: hlen wrong %d", hlen);
+ return mDNSfalse;
+ }
+
+ NSEC3Parse(nsec3RR, mDNSNULL, &nxtLength, &nxtName, mDNSNULL, mDNSNULL);
+
+ if (hlen != nxtLength)
+ {
+ LogMsg("AnonInfoAnswersQuestion: ERROR!! hlen %d not same as nxtLength %d", hlen, nxtLength);
+ return mDNSfalse;
+ }
+
+ for (i = 0; i < nxtLength; i++)
+ {
+ if (nxtName[i] != hashName[i])
+ {
+ debugf("AnonInfoAnswersQuestion: mismatch output %x, digest %x, i %d", nxtName[i+1], hashName[i], i);
+ return 0;
+ }
+ }
+ LogInfo("AnonInfoAnswersQuestion: ResourceRecord %s matched question %##s (%s)", RRDisplayString(&mDNSStorage, nsec3RR), q->qname.c, DNSTypeName(q->qtype));
+ return 1;
+}
+
+// Find a matching NSEC3 record for the name. We parse the questions and the records in the packet in order.
+// Similarly we also parse the NSEC3 records in order and this mapping to the questions and records
+// respectively.
+mDNSlocal CacheRecord *FindMatchingNSEC3ForName(mDNS *const m, CacheRecord **nsec3, const domainname *name)
+{
+ CacheRecord *cr;
+ CacheRecord **prev = nsec3;
+
+ (void) m;
+
+ for (cr = *nsec3; cr; cr = cr->next)
+ {
+ if (SameDomainName(cr->resrec.name, name))
+ {
+ debugf("FindMatchingNSEC3ForName: NSEC3 record %s matched %##s", CRDisplayString(m, cr), name->c);
+ *prev = cr->next;
+ cr->next = mDNSNULL;
+ return cr;
+ }
+ prev = &cr->next;
+ }
+ return mDNSNULL;
+}
+
+mDNSexport void InitializeAnonInfoForQuestion(mDNS *const m, CacheRecord **McastNSEC3Records, DNSQuestion *q)
+{
+ CacheRecord *nsec3CR;
+
+ if (q->qtype != kDNSType_PTR)
+ return;
+
+ nsec3CR = FindMatchingNSEC3ForName(m, McastNSEC3Records, &q->qname);
+ if (nsec3CR)
+ {
+ q->AnonInfo = AllocateAnonInfo(mDNSNULL, mDNSNULL, 0, &nsec3CR->resrec);
+ if (q->AnonInfo)
+ {
+ debugf("InitializeAnonInfoForQuestion: Found a matching NSEC3 record %s, for %##s (%s)",
+ RRDisplayString(m, q->AnonInfo->nsec3RR), q->qname.c, DNSTypeName(q->qtype));
+ }
+ ReleaseCacheRecord(m, nsec3CR);
+ }
+}
+
+mDNSexport void InitializeAnonInfoForCR(mDNS *const m, CacheRecord **McastNSEC3Records, CacheRecord *cr)
+{
+ CacheRecord *nsec3CR;
+
+ if (!(*McastNSEC3Records))
+ return;
+
+ // If already initialized or not a PTR type, we don't have to do anything
+ if (cr->resrec.AnonInfo || cr->resrec.rrtype != kDNSType_PTR)
+ return;
+
+ nsec3CR = FindMatchingNSEC3ForName(m, McastNSEC3Records, cr->resrec.name);
+ if (nsec3CR)
+ {
+ cr->resrec.AnonInfo = AllocateAnonInfo(mDNSNULL, mDNSNULL, 0, &nsec3CR->resrec);
+ if (cr->resrec.AnonInfo)
+ {
+ debugf("InitializeAnonInfoForCR: Found a matching NSEC3 record %s, for %##s (%s)",
+ RRDisplayString(m, cr->resrec.AnonInfo->nsec3RR), cr->resrec.name->c,
+ DNSTypeName(cr->resrec.rrtype));
+ }
+ ReleaseCacheRecord(m, nsec3CR);
+ }
+}
+
+mDNSexport mDNSBool IdenticalAnonInfo(AnonymousInfo *a1, AnonymousInfo *a2)
+{
+ // if a1 is NULL and a2 is not NULL AND vice-versa
+ // return false as there is a change.
+ if ((a1 != mDNSNULL) != (a2 != mDNSNULL))
+ return mDNSfalse;
+
+ // Both could be NULL or non-NULL
+ if (a1 && a2)
+ {
+ // The caller already verified that the owner name is the same.
+ // Check whether the RData is same.
+ if (!IdenticalSameNameRecord(a1->nsec3RR, a2->nsec3RR))
+ {
+ debugf("IdenticalAnonInfo: nsec3RR mismatch");
+ return mDNSfalse;
+ }
+ }
+ return mDNStrue;
+}
+
+mDNSexport void CopyAnonInfoForCR(mDNS *const m, CacheRecord *crto, CacheRecord *crfrom)
+{
+ AnonymousInfo *aifrom = crfrom->resrec.AnonInfo;
+ AnonymousInfo *aito = crto->resrec.AnonInfo;
+
+ (void) m;
+
+ if (!aifrom)
+ return;
+
+ if (aito)
+ {
+ crto->resrec.AnonInfo = aifrom;
+ FreeAnonInfo(aito);
+ crfrom->resrec.AnonInfo = mDNSNULL;
+ }
+ else
+ {
+ FreeAnonInfo(aifrom);
+ crfrom->resrec.AnonInfo = mDNSNULL;
+ }
+}
+
+#else // !ANONYMOUS_DISABLED
+
+mDNSexport void ReInitAnonInfo(AnonymousInfo **si, const domainname *name)
+{
+ (void)si;
+ (void)name;
+}
+
+mDNSexport AnonymousInfo * AllocateAnonInfo(const domainname *service, const mDNSu8 *AnonData, int len, const ResourceRecord *rr)
+{
+ (void)service;
+ (void)AnonData;
+ (void)len;
+ (void)rr;
+
+ return mDNSNULL;
+}
+
+mDNSexport void FreeAnonInfo(AnonymousInfo *ai)
+{
+ (void)ai;
+}
+
+mDNSexport void SetAnonData(DNSQuestion *q, ResourceRecord *rr, mDNSBool ForQuestion)
+{
+ (void)q;
+ (void)rr;
+ (void)ForQuestion;
+}
+
+mDNSexport int AnonInfoAnswersQuestion(const ResourceRecord *const rr, const DNSQuestion *const q)
+{
+ (void)rr;
+ (void)q;
+
+ return mDNSfalse;
+}
+
+mDNSexport void InitializeAnonInfoForQuestion(mDNS *const m, CacheRecord **McastNSEC3Records, DNSQuestion *q)
+{
+ (void)m;
+ (void)McastNSEC3Records;
+ (void)q;
+}
+
+mDNSexport void InitializeAnonInfoForCR(mDNS *const m, CacheRecord **McastNSEC3Records, CacheRecord *cr)
+{
+ (void)m;
+ (void)McastNSEC3Records;
+ (void)cr;
+}
+
+mDNSexport void CopyAnonInfoForCR(mDNS *const m, CacheRecord *crto, CacheRecord *crfrom)
+{
+ (void)m;
+ (void)crto;
+ (void)crfrom;
+}
+
+mDNSexport mDNSBool IdenticalAnonInfo(AnonymousInfo *a1, AnonymousInfo *a2)
+{
+ (void)a1;
+ (void)a2;
+
+ return mDNStrue;
+}
+
+#endif // !ANONYMOUS_DISABLED
diff --git a/mDNSResponder/mDNSCore/anonymous.h b/mDNSResponder/mDNSCore/anonymous.h
new file mode 100644
index 00000000..2f2b4f8c
--- /dev/null
+++ b/mDNSResponder/mDNSCore/anonymous.h
@@ -0,0 +1,31 @@
+/* -*- Mode: C; tab-width: 4 -*-
+ *
+ * Copyright (c) 2012 Apple Computer, Inc. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef __ANONYMOUS_H_
+#define __ANONYMOUS_H_
+
+extern void ReInitAnonInfo(AnonymousInfo **si, const domainname *name);
+extern AnonymousInfo *AllocateAnonInfo(const domainname *service, const mDNSu8 *AnonData, int len, const ResourceRecord *rr);
+extern void FreeAnonInfo(AnonymousInfo *ai);
+extern void SetAnonData(DNSQuestion *q, ResourceRecord *rr, mDNSBool ForQuestion);
+extern int AnonInfoAnswersQuestion(const ResourceRecord *const rr, const DNSQuestion *const q);
+extern void InitializeAnonInfoForCR(mDNS *const m, CacheRecord **McastNSEC3Records, CacheRecord *cr);
+extern void InitializeAnonInfoForQuestion(mDNS *const m, CacheRecord **McastNSEC3Records, DNSQuestion *q);
+extern void CopyAnonInfoForCR(mDNS *const m, CacheRecord *crto, CacheRecord *crfrom);
+extern mDNSBool IdenticalAnonInfo(AnonymousInfo *a1, AnonymousInfo *a2);
+
+#endif
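Review bot: The `CopyAnonInfoForCR` prototype in this header documents no ownership contract, and its name suggests a copy while the definition added to anonymous.c in this commit consumes the source: it moves `crfrom->resrec.AnonInfo` into `crto` only when `crto` already has one, frees it otherwise, and clears the source pointer in both cases. A caller that keeps a reference to the source record's AnonInfo across the call would be left with a dangling pointer, so I would add above the declaration `// Consumes crfrom->resrec.AnonInfo: moved into crto if crto already has AnonInfo, otherwise freed; crfrom's pointer is NULL on return.` `AnonInfoAnswersQuestion` is declared `int` while its definitions return a mix of `0`/`1` and `mDNSfalse`; a one-line comment such as `// Returns non-zero if rr answers q, zero otherwise.` would pin the contract down. The guard macro `__ANONYMOUS_H_` also uses a double-underscore name that C reserves for the implementation; `ANONYMOUS_H` avoids that.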
diff --git a/mDNSResponder/mDNSCore/dnsproxy.c b/mDNSResponder/mDNSCore/dnsproxy.c
new file mode 100644
index 00000000..11bacc10
--- /dev/null
+++ b/mDNSResponder/mDNSCore/dnsproxy.c
@@ -0,0 +1,836 @@
+/* -*- Mode: C; tab-width: 4 -*-
+ *
+ * Copyright (c) 2011 Apple Computer, Inc. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "dnsproxy.h"
+
+#ifndef UNICAST_DISABLED
+
+// Implementation Notes
+//
+// DNS Proxy listens on port 53 (UDPv4v6 & TCPv4v6) for DNS queries. It handles only
+// the "Query" opcode of the DNS protocol described in RFC 1035. For all other opcodes, it returns
+// "Not Implemented" error. The platform interface mDNSPlatformInitDNSProxySkts
+// sets up the sockets and whenever it receives a packet, it calls ProxyTCPCallback or ProxyUDPCallback
+// defined here. For TCP socket, the platform does the "accept" and only sends the received packets
+// on the newly accepted socket. A single UDP socket (per address family) is used to send/recv
+// requests/responses from all clients. For TCP, there is one socket per request. Hence, there is some
+// extra state that needs to be disposed at the end.
+//
+// When a DNS request is received, ProxyCallbackCommon checks for malformed packet etc. and also checks
+// for duplicates, before creating DNSProxyClient state and starting a question with the "core"
+// (mDNS_StartQuery). When the callback for the question happens, it gathers all the necessary
+// resource records, constructs a response and sends it back to the client.
+//
+// - Question callback is called with only one resource record at a time. We need all the resource
+// records to construct the response. Hence, we lookup all the records ourselves.
+//
+// - The response may not fit the client's buffer size. In that case, we need to set the truncate bit
+// and the client would retry using TCP.
+//
+// - The client may have set the DNSSEC OK bit in the EDNS0 option and that means we also have to
+// return the RRSIGs or the NSEC records with the RRSIGs in the Additional section. We need to
+// ask the "core" to fetch the DNSSEC records and do the validation if the CD bit is not set.
+//
+// Once the response is sent to the client, the client state is disposed. When there is no response
+// from the "core", it eventually times out and we will not find any answers in the cache and we send a
+// "NXDomain" response back. Thus, we don't need any special timers to reap the client state in the case
+// of errors.
+
+typedef struct DNSProxyClient_struct DNSProxyClient;
+
+struct DNSProxyClient_struct {
+
+ DNSProxyClient *next;
+ mDNSAddr addr; // Client's IP address
+ mDNSIPPort port; // Client's port number
+ mDNSOpaque16 msgid; // DNS msg id
+ mDNSInterfaceID interfaceID; // Interface on which we received the request
+ void *socket; // Return socket
+ mDNSBool tcp; // TCP or UDP ?
+ mDNSOpaque16 requestFlags; // second 16 bit word in the DNSMessageHeader of the request
+ mDNSu8 *optRR; // EDNS0 option
+ mDNSu16 optLen; // Total Length of the EDNS0 option
+ mDNSu16 rcvBufSize; // How much can the client receive ?
+ mDNSBool DNSSECOK; // DNSSEC OK ?
+ void *context; // Platform context to be disposed if non-NULL
+ domainname qname; // q->qname can't be used for duplicate check
+ DNSQuestion q; // as it can change underneath us for CNAMEs
+};
+
+#define MIN_DNS_MESSAGE_SIZE 512
+DNSProxyClient *DNSProxyClients;
+
+mDNSlocal void FreeDNSProxyClient(DNSProxyClient *pc)
+{
+ if (pc->optRR)
+ mDNSPlatformMemFree(pc->optRR);
+ mDNSPlatformMemFree(pc);
+}
+
+mDNSlocal mDNSBool ParseEDNS0(DNSProxyClient *pc, const mDNSu8 *ptr, int length, const mDNSu8 *limit)
+{
+ mDNSu16 rrtype, rrclass;
+ mDNSu8 rcode, version;
+ mDNSu16 flag;
+
+ if (ptr + length > limit)
+ {
+ LogInfo("ParseEDNS0: Not enough space in the packet");
+ return mDNSfalse;
+ }
+ // Skip the root label
+ ptr++;
+ rrtype = (mDNSu16) ((mDNSu16)ptr[0] << 8 | ptr[1]);
+ if (rrtype != kDNSType_OPT)
+ {
+ LogInfo("ParseEDNS0: Not the right type %d", rrtype);
+ return mDNSfalse;
+ }
+ rrclass = (mDNSu16) ((mDNSu16)ptr[2] << 8 | ptr[3]);
+ rcode = ptr[4];
+ version = ptr[5];
+ flag = (mDNSu16) ((mDNSu16)ptr[6] << 8 | ptr[7]);
+
+ debugf("rrtype is %s, length is %d, rcode %d, version %d, flag 0x%x", DNSTypeName(rrtype), rrclass, rcode, version, flag);
+ pc->rcvBufSize = rrclass;
+ pc->DNSSECOK = ptr[6] & 0x80;
+
+ return mDNStrue;
+}
+
+mDNSexport mDNSu8 *DNSProxySetAttributes(DNSQuestion *q, DNSMessageHeader *h, DNSMessage *msg, mDNSu8 *ptr, mDNSu8 *limit)
+{
+ DNSProxyClient *pc = (DNSProxyClient *)q->QuestionContext;
+
+ (void) msg;
+
+ h->flags = pc->requestFlags;
+ if (pc->optRR)
+ {
+ if (ptr + pc->optLen > limit)
+ {
+ LogInfo("DNSProxySetAttributes: Cannot set EDNS0 option start %p, OptLen %d, end %p", ptr, pc->optLen, limit);
+ return ptr;
+ }
+ h->numAdditionals++;
+ mDNSPlatformMemCopy(ptr, pc->optRR, pc->optLen);
+ ptr += pc->optLen;
+ }
+ return ptr;
+}
+
+mDNSlocal mDNSu8 *AddEDNS0Option(mDNS *const m, mDNSu8 *ptr, mDNSu8 *limit)
+{
+ int len = 4096;
+
+ if (ptr + 11 > limit)
+ {
+ LogInfo("AddEDNS0Option: not enough space");
+ return mDNSNULL;
+ }
+ m->omsg.h.numAdditionals++;
+ ptr[0] = 0;
+ ptr[1] = (mDNSu8) (kDNSType_OPT >> 8);
+ ptr[2] = (mDNSu8) (kDNSType_OPT & 0xFF);
+ ptr[3] = (mDNSu8) (len >> 8);
+ ptr[4] = (mDNSu8) (len & 0xFF);
+ ptr[5] = 0; // rcode
+ ptr[6] = 0; // version
+ ptr[7] = 0;
+ ptr[8] = 0; // flags
+ ptr[9] = 0; // rdlength
+ ptr[10] = 0; // rdlength
+
+ debugf("AddEDNS0 option");
+
+ return (ptr + 11);
+}
+
+// Currently RD and CD bit should be copied if present in the request or cleared if
+// not present in the request. RD bit is normally set in the response and hence the
+// cache reflects the right value. CD bit behaves differently. If the CD bit is set
+// the first time, the cache retains it, if it is present in response (assuming the
+// upstream server does it right). Next time through we should not use the cached
+// value of the CD bit blindly. It depends on whether it was in the request or not.
+mDNSlocal mDNSOpaque16 SetResponseFlags(DNSProxyClient *pc, const mDNSOpaque16 responseFlags)
+{
+ mDNSOpaque16 rFlags = responseFlags;
+
+ if (pc->requestFlags.b[0] & kDNSFlag0_RD)
+ rFlags.b[0] |= kDNSFlag0_RD;
+ else
+ rFlags.b[0] &= ~kDNSFlag0_RD;
+
+ if (pc->requestFlags.b[1] & kDNSFlag1_CD)
+ rFlags.b[1] |= kDNSFlag1_CD;
+ else
+ rFlags.b[1] &= ~kDNSFlag1_CD;
+
+ return rFlags;
+}
+
+mDNSlocal mDNSu8 *AddResourceRecords(mDNS *const m, DNSProxyClient *pc, mDNSu8 **prevptr, mStatus *error)
+{
+ mDNSu32 slot;
+ CacheGroup *cg;
+ CacheRecord *cr;
+ int len = sizeof(DNSMessageHeader);
+ mDNSu8 *orig = m->omsg.data;
+ mDNSBool first = mDNStrue;
+ mDNSu8 *ptr = mDNSNULL;
+ mDNSs32 now;
+ mDNSs32 ttl;
+ CacheRecord *nsec = mDNSNULL;
+ CacheRecord *soa = mDNSNULL;
+ CacheRecord *cname = mDNSNULL;
+ mDNSu8 *limit;
+
+ *error = mStatus_NoError;
+ *prevptr = mDNSNULL;
+
+ mDNS_Lock(m);
+ now = m->timenow;
+ mDNS_Unlock(m);
+
+ if (!pc->tcp)
+ {
+ if (!pc->rcvBufSize)
+ {
+ limit = m->omsg.data + MIN_DNS_MESSAGE_SIZE;
+ }
+ else
+ {
+ limit = (pc->rcvBufSize > AbsoluteMaxDNSMessageData ? m->omsg.data + AbsoluteMaxDNSMessageData : m->omsg.data + pc->rcvBufSize);
+ }
+ }
+ else
+ {
+ // For TCP, limit is not determined by EDNS0 but by 16 bit rdlength field and
+ // AbsoluteMaxDNSMessageData is smaller than 64k.
+ limit = m->omsg.data + AbsoluteMaxDNSMessageData;
+ }
+ LogInfo("AddResourceRecords: Limit is %d", limit - m->omsg.data);
+
+ if (!SameDomainName(&pc->qname, &pc->q.qname))
+ {
+ AssignDomainName(&pc->q.qname, &pc->qname);
+ pc->q.qnamehash = DomainNameHashValue(&pc->q.qname);
+ }
+
+again:
+ nsec = soa = cname = mDNSNULL;
+ slot = HashSlot(&pc->q.qname);
+
+ cg = CacheGroupForName(m, slot, pc->q.qnamehash, &pc->q.qname);
+ if (!cg)
+ {
+ LogInfo("AddResourceRecords: CacheGroup not found");
+ *error = mStatus_NoSuchRecord;
+ return mDNSNULL;
+ }
+ // Set ValidatingResponse so that you can get RRSIGs also matching
+ // the question
+ if (pc->DNSSECOK)
+ pc->q.ValidatingResponse = 1;
+ for (cr = cg->members; cr; cr = cr->next)
+ {
+ if (SameNameRecordAnswersQuestion(&cr->resrec, &pc->q))
+ {
+ if (first)
+ {
+ // If this is the first time, initialize the header and the question.
+ // This code needs to be here so that we can use the responseFlags from the
+ // cache record
+ mDNSOpaque16 responseFlags = SetResponseFlags(pc, cr->responseFlags);
+ InitializeDNSMessage(&m->omsg.h, pc->msgid, responseFlags);
+ ptr = putQuestion(&m->omsg, m->omsg.data, m->omsg.data + AbsoluteMaxDNSMessageData, &pc->qname, pc->q.qtype, pc->q.qclass);
+ if (!ptr)
+ {
+ LogInfo("AddResourceRecords: putQuestion NULL for %##s (%s)", &pc->qname.c, DNSTypeName(pc->q.qtype));
+ return mDNSNULL;
+ }
+ first = mDNSfalse;
+ }
+ // - For NegativeAnswers there is nothing to add
+ // - If DNSSECOK is set, we also automatically lookup the RRSIGs which
+ // will also be returned. If the client is explicitly looking up
+ // a DNSSEC record (e.g., DNSKEY, DS) we should return the response.
+ // DNSSECOK bit only influences whether we add the RRSIG or not.
+ if (cr->resrec.RecordType != kDNSRecordTypePacketNegative)
+ {
+ LogInfo("AddResourceRecords: Answering question with %s", CRDisplayString(m, cr));
+ ttl = cr->resrec.rroriginalttl - (now - cr->TimeRcvd) / mDNSPlatformOneSecond;
+ ptr = PutResourceRecordTTLWithLimit(&m->omsg, ptr, &m->omsg.h.numAnswers, &cr->resrec, ttl, limit);
+ if (!ptr)
+ {
+ *prevptr = orig;
+ return mDNSNULL;
+ }
+ len += (ptr - orig);
+ orig = ptr;
+ }
+ // If we have nsecs (wildcard expanded answer or negative response), add them
+ // in the additional section below if the DNSSECOK bit is set
+ if (pc->DNSSECOK && cr->nsec)
+ {
+ LogInfo("AddResourceRecords: nsec set for %s", CRDisplayString(m ,cr));
+ nsec = cr->nsec;
+ }
+ if (cr->soa)
+ {
+ LogInfo("AddResourceRecords: soa set for %s", CRDisplayString(m ,cr));
+ soa = cr->soa;
+ }
+ // If we are using CNAME to answer a question and CNAME is not the type we
+ // are looking for, note down the CNAME record so that we can follow them
+ // later. Before we follow the CNAME, print the RRSIGs and any nsec (wildcard
+ // expanded) if any.
+ if ((pc->q.qtype != cr->resrec.rrtype) && cr->resrec.rrtype == kDNSType_CNAME)
+ {
+ LogInfo("AddResourceRecords: cname set for %s", CRDisplayString(m ,cr));
+ cname = cr;
+ }
+ }
+ }
+ // Along with the nsec records, we also cache the SOA record. For non-DNSSEC question, we need
+ // to send the SOA back. Normally we either cache the SOA record (non-DNSSEC question) pointed
+ // to by "cr->soa" or the NSEC/SOA records along with their RRSIGs (DNSSEC question) pointed to
+ // by "cr->nsec". Two cases:
+ //
+ // - if we issue a DNSSEC question followed by non-DNSSEC question for the same name,
+ // we only have the nsec records and we need to filter the SOA record alone for the
+ // non-DNSSEC questions.
+ //
+ // - if we issue a non-DNSSEC question followed by DNSSEC question for the same name,
+ // the "core" flushes the cache entry and re-issue the question with EDNS0/DOK bit and
+ // in this case we return all the DNSSEC records we have.
+ for (; nsec; nsec = nsec->next)
+ {
+ if (!pc->DNSSECOK && DNSSECRecordType(nsec->resrec.rrtype))
+ continue;
+ LogInfo("AddResourceRecords:NSEC Answering question with %s", CRDisplayString(m, nsec));
+ ttl = nsec->resrec.rroriginalttl - (now - nsec->TimeRcvd) / mDNSPlatformOneSecond;
+ ptr = PutResourceRecordTTLWithLimit(&m->omsg, ptr, &m->omsg.h.numAuthorities, &nsec->resrec, ttl, limit);
+ if (!ptr)
+ {
+ *prevptr = orig;
+ return mDNSNULL;
+ }
+ len += (ptr - orig);
+ orig = ptr;
+ }
+ if (soa)
+ {
+ LogInfo("AddResourceRecords: SOA Answering question with %s", CRDisplayString(m, soa));
+ ptr = PutResourceRecordTTLWithLimit(&m->omsg, ptr, &m->omsg.h.numAuthorities, &soa->resrec, soa->resrec.rroriginalttl, limit);
+ if (!ptr)
+ {
+ *prevptr = orig;
+ return mDNSNULL;
+ }
+ len += (ptr - orig);
+ orig = ptr;
+ }
+ if (cname)
+ {
+ AssignDomainName(&pc->q.qname, &cname->resrec.rdata->u.name);
+ pc->q.qnamehash = DomainNameHashValue(&pc->q.qname);
+ goto again;
+ }
+ if (!ptr)
+ {
+ LogInfo("AddResourceRecords: Did not find any valid ResourceRecords");
+ *error = mStatus_NoSuchRecord;
+ return mDNSNULL;
+ }
+ if (pc->rcvBufSize)
+ {
+ ptr = AddEDNS0Option(m, ptr, limit);
+ if (!ptr)
+ {
+ *prevptr = orig;
+ return mDNSNULL;
+ }
+ len += (ptr - orig);
+ orig = ptr;
+ }
+ LogInfo("AddResourceRecord: Added %d bytes to the packet", len);
+ return ptr;
+}
+
+mDNSlocal void ProxyClientCallback(mDNS *const m, DNSQuestion *question, const ResourceRecord *const answer, QC_result AddRecord)
+{
+ DNSProxyClient *pc = question->QuestionContext;
+ DNSProxyClient **ppc = &DNSProxyClients;
+ mDNSu8 *ptr;
+ mDNSu8 *prevptr;
+ mStatus error;
+
+ if (!AddRecord)
+ return;
+
+ LogInfo("ProxyClientCallback: ResourceRecord %s", RRDisplayString(m, answer));
+
+ // We asked for validation and not timed out yet, then wait for the DNSSEC result.
+ // We have to set the AD bit in the response if it is secure which can't be done
+ // till we get the DNSSEC result back (indicated by QC_dnssec).
+ if (question->ValidationRequired)
+ {
+ mDNSs32 now;
+
+ mDNS_Lock(m);
+ now = m->timenow;
+ mDNS_Unlock(m);
+ if (((now - question->StopTime) < 0) && AddRecord != QC_dnssec)
+ {
+ LogInfo("ProxyClientCallback: No DNSSEC answer yet for Question %##s (%s), AddRecord %d, answer %s", question->qname.c,
+ DNSTypeName(question->qtype), AddRecord, RRDisplayString(m, answer));
+ return;
+ }
+ }
+
+ if (answer->RecordType != kDNSRecordTypePacketNegative)
+ {
+ if (answer->rrtype != question->qtype)
+ {
+ // Wait till we get called for the real response
+ LogInfo("ProxyClientCallback: Received %s, not answering yet", RRDisplayString(m, answer));
+ return;
+ }
+ }
+ ptr = AddResourceRecords(m, pc, &prevptr, &error);
+ if (!ptr)
+ {
+ LogInfo("ProxyClientCallback: AddResourceRecords NULL for %##s (%s)", &pc->qname.c, DNSTypeName(pc->q.qtype));
+ if (error == mStatus_NoError && prevptr)
+ {
+ // No space to add the record. Set the Truncate bit for UDP.
+ //
+ // TBD: For TCP, we need to send the rest of the data. But finding out what is left
+ // is harder. We should allocate enough buffer in the first place to send all
+ // of the data.
+ if (!pc->tcp)
+ {
+ m->omsg.h.flags.b[0] |= kDNSFlag0_TC;
+ ptr = prevptr;
+ }
+ else
+ {
+ LogInfo("ProxyClientCallback: ERROR!! Not enough space to return in TCP for %##s (%s)", &pc->qname.c, DNSTypeName(pc->q.qtype));
+ ptr = prevptr;
+ }
+ }
+ else
+ {
+ mDNSOpaque16 flags = { { kDNSFlag0_QR_Response | kDNSFlag0_OP_StdQuery, kDNSFlag1_RC_ServFail } };
+ // We could not find the record for some reason. Return a response, so that the client
+ // is not waiting forever.
+ LogInfo("ProxyClientCallback: No response");
+ if (!mDNSOpaque16IsZero(pc->q.responseFlags))
+ flags = pc->q.responseFlags;
+ InitializeDNSMessage(&m->omsg.h, pc->msgid, flags);
+ ptr = putQuestion(&m->omsg, m->omsg.data, m->omsg.data + AbsoluteMaxDNSMessageData, &pc->qname, pc->q.qtype, pc->q.qclass);
+ if (!ptr)
+ {
+ LogInfo("ProxyClientCallback: putQuestion NULL for %##s (%s)", &pc->qname.c, DNSTypeName(pc->q.qtype));
+ goto done;
+ }
+ }
+ }
+ if (question->ValidationRequired)
+ {
+ if (question->ValidationState == DNSSECValDone && question->ValidationStatus == DNSSEC_Secure)
+ {
+ LogInfo("ProxyClientCallback: Setting AD bit for Question %##s (%s)", question->qname.c, DNSTypeName(question->qtype));
+ m->omsg.h.flags.b[1] |= kDNSFlag1_AD;
+ }
+ else
+ {
+ // If some external resolver sets the AD bit and we did not validate the response securely, don't set
+ // the AD bit. It is possible that we did not see all the records that the upstream resolver saw or
+ // a buggy implementation somewhere.
+ if (m->omsg.h.flags.b[1] & kDNSFlag1_AD)
+ {
+ LogInfo("ProxyClientCallback: AD bit set in the response for response that was not validated locally %##s (%s)",
+ question->qname.c, DNSTypeName(question->qtype));
+ m->omsg.h.flags.b[1] &= ~kDNSFlag1_AD;
+ }
+ }
+ }
+
+ if (!pc->tcp)
+ {
+ mDNSSendDNSMessage(m, &m->omsg, ptr, mDNSInterface_Any, (UDPSocket *)pc->socket, &pc->addr, pc->port, mDNSNULL, mDNSNULL, mDNSfalse);
+ }
+ else
+ {
+ mDNSSendDNSMessage(m, &m->omsg, ptr, mDNSInterface_Any, mDNSNULL, &pc->addr, pc->port, (TCPSocket *)pc->socket, mDNSNULL, mDNSfalse);
+ }
+
+done:
+ mDNS_StopQuery(m, question);
+
+ while (*ppc && *ppc != pc)
+ ppc=&(*ppc)->next;
+ if (!*ppc)
+ {
+ LogMsg("ProxyClientCallback: question %##s (%s) not found", question->qname.c, DNSTypeName(question->qtype));
+ return;
+ }
+ *ppc = pc->next;
+ mDNSPlatformDisposeProxyContext(pc->context);
+ FreeDNSProxyClient(pc);
+}
+
+mDNSlocal void SendError(mDNS *const m, void *socket, void *const pkt, const mDNSu8 *const end, const mDNSAddr *dstaddr,
+ const mDNSIPPort dstport, const mDNSInterfaceID InterfaceID, mDNSBool tcp, void *context, mDNSu8 rcode)
+{
+ int pktlen = (int)(end - (mDNSu8 *)pkt);
+ DNSMessage *msg = (DNSMessage *)pkt;
+
+ (void) InterfaceID;
+
+ // RFC 1035 requires that we copy the question back and RFC 2136 is okay with sending nothing
+ // in the body or send back whatever we get for updates. It is easy to return whatever we get
+ // in the question back to the responder. We return as much as we can fit in our standard
+ // output packet.
+ if (pktlen > AbsoluteMaxDNSMessageData)
+ pktlen = AbsoluteMaxDNSMessageData;
+
+ mDNSPlatformMemCopy(&m->omsg.h, &msg->h, sizeof(DNSMessageHeader));
+ m->omsg.h.flags.b[0] |= kDNSFlag0_QR_Response;
+ m->omsg.h.flags.b[1] = rcode;
+ mDNSPlatformMemCopy(m->omsg.data, (mDNSu8 *)&msg->h.numQuestions, pktlen);
+ if (!tcp)
+ {
+ mDNSSendDNSMessage(m, &m->omsg, (mDNSu8 *)&m->omsg + pktlen, mDNSInterface_Any, socket, dstaddr, dstport, mDNSNULL, mDNSNULL,
+ mDNSfalse);
+ }
+ else
+ {
+ mDNSSendDNSMessage(m, &m->omsg, (mDNSu8 *)&m->omsg + pktlen, mDNSInterface_Any, mDNSNULL, dstaddr, dstport, (TCPSocket *)socket,
+ mDNSNULL, mDNSfalse);
+ }
+ mDNSPlatformDisposeProxyContext(context);
+}
+
+mDNSlocal DNSQuestion *IsDuplicateClient(const mDNS *const m, const mDNSAddr *const addr, const mDNSIPPort port, const mDNSOpaque16 id,
+ const DNSQuestion *const question)
+{
+ DNSProxyClient *pc;
+
+ (void) m; // unused
+
+ for (pc = DNSProxyClients; pc; pc = pc->next)
+ {
+ if (mDNSSameAddress(&pc->addr, addr) &&
+ mDNSSameIPPort(pc->port, port) &&
+ mDNSSameOpaque16(pc->msgid, id) &&
+ pc->q.qtype == question->qtype &&
+ pc->q.qclass == question->qclass &&
+ SameDomainName(&pc->qname, &question->qname))
+ {
+ LogInfo("IsDuplicateClient: Found a duplicate client in the list");
+ return(&pc->q);
+ }
+ }
+ return(mDNSNULL);
+}
+
+mDNSlocal mDNSBool CheckDNSProxyIpIntf(const mDNS *const m, mDNSInterfaceID InterfaceID)
+{
+ int i;
+ mDNSu32 ip_ifindex = (mDNSu32)(unsigned long)InterfaceID;
+
+ LogInfo("CheckDNSProxyIpIntf: Stored Input Interface List: [%d] [%d] [%d] [%d] [%d]", m->dp_ipintf[0], m->dp_ipintf[1], m->dp_ipintf[2],
+ m->dp_ipintf[3], m->dp_ipintf[4]);
+
+ for (i = 0; i < MaxIp; i++)
+ {
+ if (ip_ifindex == m->dp_ipintf[i])
+ return mDNStrue;
+ }
+ return mDNSfalse;
+
+}
+
+mDNSlocal void ProxyCallbackCommon(mDNS *const m, void *socket, void *const pkt, const mDNSu8 *const end, const mDNSAddr *const srcaddr,
+ const mDNSIPPort srcport, const mDNSAddr *dstaddr, const mDNSIPPort dstport, const mDNSInterfaceID InterfaceID, mDNSBool tcp, void *context)
+{
+ DNSMessage *msg = (DNSMessage *)pkt;
+ mDNSu8 QR_OP;
+ const mDNSu8 *ptr;
+ DNSQuestion q, *qptr;
+ DNSProxyClient *pc;
+ const mDNSu8 *optRR;
+ int optLen = 0;
+ DNSProxyClient **ppc = &DNSProxyClients;
+
+ (void) dstaddr;
+ (void) dstport;
+
+ debugf("ProxyCallbackCommon: DNS Query coming from InterfaceID %p", InterfaceID);
+ // Ignore if the DNS Query is not from a Valid Input InterfaceID
+ if (!CheckDNSProxyIpIntf(m, InterfaceID))
+ return;
+
+ if ((unsigned)(end - (mDNSu8 *)pkt) < sizeof(DNSMessageHeader))
+ {
+ debugf("ProxyCallbackCommon: DNS Message from %#a:%d to %#a:%d length %d too short", srcaddr, mDNSVal16(srcport), dstaddr, mDNSVal16(dstport), end - (mDNSu8 *)pkt);
+ return;
+ }
+
+ QR_OP = (mDNSu8)(msg->h.flags.b[0] & kDNSFlag0_QROP_Mask);
+ if (QR_OP != kDNSFlag0_QR_Query)
+ {
+ LogInfo("ProxyCallbackCommon: Not a query(%d) for pkt from %#a:%d", QR_OP, srcaddr, mDNSVal16(srcport));
+ SendError(m, socket, pkt, end, srcaddr, srcport, InterfaceID, tcp, context, kDNSFlag1_RC_NotImpl);
+ return;
+ }
+
+ // Read the integer parts which are in IETF byte-order (MSB first, LSB second)
+ ptr = (mDNSu8 *)&msg->h.numQuestions;
+ msg->h.numQuestions = (mDNSu16)((mDNSu16)ptr[0] << 8 | ptr[1]);
+ msg->h.numAnswers = (mDNSu16)((mDNSu16)ptr[2] << 8 | ptr[3]);
+ msg->h.numAuthorities = (mDNSu16)((mDNSu16)ptr[4] << 8 | ptr[5]);
+ msg->h.numAdditionals = (mDNSu16)((mDNSu16)ptr[6] << 8 | ptr[7]);
+
+ if (msg->h.numQuestions != 1 || msg->h.numAnswers || msg->h.numAuthorities)
+ {
+ LogInfo("ProxyCallbackCommon: Malformed pkt from %#a:%d, Q:%d, An:%d, Au:%d", srcaddr, mDNSVal16(srcport),
+ msg->h.numQuestions, msg->h.numAnswers, msg->h.numAuthorities);
+ SendError(m, socket, pkt, end, srcaddr, srcport, InterfaceID, tcp, context, kDNSFlag1_RC_FormErr);
+ return;
+ }
+ ptr = msg->data;
+ ptr = getQuestion(msg, ptr, end, InterfaceID, &q);
+ if (!ptr)
+ {
+ LogInfo("ProxyCallbackCommon: Question cannot be parsed for pkt from %#a:%d", srcaddr, mDNSVal16(srcport));
+ SendError(m, socket, pkt, end, srcaddr, srcport, InterfaceID, tcp, context, kDNSFlag1_RC_FormErr);
+ return;
+ }
+ else
+ {
+ LogInfo("ProxyCallbackCommon: Question %##s (%s)", q.qname.c, DNSTypeName(q.qtype));
+ }
+ ptr = LocateOptRR(msg, end, 0);
+ if (ptr)
+ {
+ optRR = ptr;
+ ptr = skipResourceRecord(msg, ptr, end);
+ // Be liberal and ignore the EDNS0 option if we can't parse it properly
+ if (!ptr)
+ {
+ LogInfo("ProxyCallbackCommon: EDNS0 cannot be parsed for pkt from %#a:%d, ignoring", srcaddr, mDNSVal16(srcport));
+ }
+ else
+ {
+ optLen = ptr - optRR;
+ LogInfo("ProxyCallbackCommon: EDNS0 opt length %d present in Question %##s (%s)", optLen, q.qname.c, DNSTypeName(q.qtype));
+ }
+ }
+ else
+ {
+ LogInfo("ProxyCallbackCommon: EDNS0 opt not present in Question %##s (%s), ptr %p", q.qname.c, DNSTypeName(q.qtype), ptr);
+ }
+
+ qptr = IsDuplicateClient(m, srcaddr, srcport, msg->h.id, &q);
+ if (qptr)
+ {
+ LogInfo("ProxyCallbackCommon: Found a duplicate for pkt from %#a:%d, ignoring this", srcaddr, mDNSVal16(srcport));
+ return;
+ }
+ pc = mDNSPlatformMemAllocate(sizeof(DNSProxyClient));
+ if (!pc)
+ {
+ LogMsg("ProxyCallbackCommon: Memory failure for pkt from %#a:%d, ignoring this", srcaddr, mDNSVal16(srcport));
+ return;
+ }
+ mDNSPlatformMemZero(pc, sizeof(DNSProxyClient));
+ pc->addr = *srcaddr;
+ pc->port = srcport;
+ pc->msgid = msg->h.id;
+ pc->interfaceID = InterfaceID; // input interface
+ pc->socket = socket;
+ pc->tcp = tcp;
+ pc->requestFlags = msg->h.flags;
+ pc->context = context;
+ AssignDomainName(&pc->qname, &q.qname);
+ if (optRR)
+ {
+ if (!ParseEDNS0(pc, optRR, optLen, end))
+ {
+ LogInfo("ProxyCallbackCommon: Invalid EDNS0 option for pkt from %#a:%d, ignoring this", srcaddr, mDNSVal16(srcport));
+ }
+ else
+ {
+ pc->optRR = mDNSPlatformMemAllocate(optLen);
+ if (!pc->optRR)
+ {
+ LogMsg("ProxyCallbackCommon: Memory failure for pkt from %#a:%d, ignoring this", srcaddr, mDNSVal16(srcport));
+ FreeDNSProxyClient(pc);
+ return;
+ }
+ mDNSPlatformMemCopy(pc->optRR, optRR, optLen);
+ pc->optLen = optLen;
+ }
+ }
+
+ debugf("ProxyCallbackCommon: DNS Query forwarding to interface index %d", m->dp_opintf);
+ mDNS_SetupQuestion(&pc->q, (mDNSInterfaceID)(unsigned long)m->dp_opintf, &q.qname, q.qtype, ProxyClientCallback, pc);
+ pc->q.TimeoutQuestion = 1;
+ // Even though we don't care about intermediate responses, set ReturnIntermed so that
+ // we get the negative responses
+ pc->q.ReturnIntermed = mDNStrue;
+ pc->q.ProxyQuestion = mDNStrue;
+ pc->q.ProxyDNSSECOK = pc->DNSSECOK;
+ pc->q.responseFlags = zeroID;
+ if (pc->DNSSECOK)
+ {
+ if (!(msg->h.flags.b[1] & kDNSFlag1_CD) && pc->q.qtype != kDNSType_RRSIG && pc->q.qtype != kDNSQType_ANY)
+ {
+ LogInfo("ProxyCallbackCommon: Setting Validation required bit for %#a:%d, validating %##s (%s)", srcaddr, mDNSVal16(srcport),
+ q.qname.c, DNSTypeName(q.qtype));
+ pc->q.ValidationRequired = DNSSEC_VALIDATION_SECURE;
+ }
+ else
+ {
+ LogInfo("ProxyCallbackCommon: CD bit not set OR not a valid type for %#a:%d, not validating %##s (%s)", srcaddr, mDNSVal16(srcport),
+ q.qname.c, DNSTypeName(q.qtype));
+ }
+ }
+ else
+ {
+ LogInfo("ProxyCallbackCommon: DNSSEC OK bit not set for %#a:%d, not validating %##s (%s)", srcaddr, mDNSVal16(srcport),
+ q.qname.c, DNSTypeName(q.qtype));
+ }
+
+ while (*ppc)
+ ppc = &((*ppc)->next);
+ *ppc = pc;
+
+ mDNS_StartQuery(m, &pc->q);
+}
+
+mDNSexport void ProxyUDPCallback(mDNS *const m, void *socket, void *const pkt, const mDNSu8 *const end, const mDNSAddr *const srcaddr,
+ const mDNSIPPort srcport, const mDNSAddr *dstaddr, const mDNSIPPort dstport, const mDNSInterfaceID InterfaceID, void *context)
+{
+ LogInfo("ProxyUDPCallback: DNS Message from %#a:%d to %#a:%d length %d", srcaddr, mDNSVal16(srcport), dstaddr, mDNSVal16(dstport), end - (mDNSu8 *)pkt);
+ ProxyCallbackCommon(m, socket, pkt, end, srcaddr, srcport, dstaddr, dstport, InterfaceID, mDNSfalse, context);
+}
+
+mDNSexport void ProxyTCPCallback(mDNS *const m, void *socket, void *const pkt, const mDNSu8 *const end, const mDNSAddr *const srcaddr,
+ const mDNSIPPort srcport, const mDNSAddr *dstaddr, const mDNSIPPort dstport, const mDNSInterfaceID InterfaceID, void *context)
+{
+ LogInfo("ProxyTCPCallback: DNS Message from %#a:%d to %#a:%d length %d", srcaddr, mDNSVal16(srcport), dstaddr, mDNSVal16(dstport), end - (mDNSu8 *)pkt);
+ // If the connection was closed from the other side, locate the client
+ // state and free it.
+ if ((end - (mDNSu8 *)pkt) == 0)
+ {
+ DNSProxyClient **ppc = &DNSProxyClients;
+ DNSProxyClient **prevpc;
+
+ prevpc = ppc;
+ while (*ppc && (*ppc)->socket != socket)
+ {
+ prevpc = ppc;
+ ppc=&(*ppc)->next;
+ }
+ if (!*ppc)
+ {
+ mDNSPlatformDisposeProxyContext(socket);
+ LogMsg("ProxyTCPCallback: socket cannot be found");
+ return;
+ }
+ *prevpc = (*ppc)->next;
+ LogInfo("ProxyTCPCallback: free");
+ mDNSPlatformDisposeProxyContext(socket);
+ FreeDNSProxyClient(*ppc);
+ return;
+ }
+ ProxyCallbackCommon(m, socket, pkt, end, srcaddr, srcport, dstaddr, dstport, InterfaceID, mDNStrue, context);
+}
+
+mDNSexport void DNSProxyInit(mDNS *const m, mDNSu32 IpIfArr[MaxIp], mDNSu32 OpIf)
+{
+ int i;
+
+ // Store DNSProxy Interface fields in mDNS struct
+ for (i = 0; i < MaxIp; i++)
+ m->dp_ipintf[i] = IpIfArr[i];
+ m->dp_opintf = OpIf;
+
+ LogInfo("DNSProxyInit Storing interface list: Input [%d, %d, %d, %d, %d] Output [%d]", m->dp_ipintf[0],
+ m->dp_ipintf[1], m->dp_ipintf[2], m->dp_ipintf[3], m->dp_ipintf[4], m->dp_opintf);
+}
+
+mDNSexport void DNSProxyTerminate(mDNS *const m)
+{
+ int i;
+
+ // Clear DNSProxy Interface fields from mDNS struct
+ for (i = 0; i < MaxIp; i++)
+ m->dp_ipintf[i] = 0;
+ m->dp_opintf = 0;
+
+ LogInfo("DNSProxyTerminate Cleared interface list: Input [%d, %d, %d, %d, %d] Output [%d]", m->dp_ipintf[0],
+ m->dp_ipintf[1], m->dp_ipintf[2], m->dp_ipintf[3], m->dp_ipintf[4], m->dp_opintf);
+}
+#else // UNICAST_DISABLED
+
+mDNSexport void ProxyUDPCallback(mDNS *const m, void *socket, void *const pkt, const mDNSu8 *const end, const mDNSAddr *const srcaddr, const mDNSIPPort srcport, const mDNSAddr *dstaddr, const mDNSIPPort dstport, const mDNSInterfaceID InterfaceID, void *context)
+{
+ (void) m;
+ (void) socket;
+ (void) pkt;
+ (void) end;
+ (void) srcaddr;
+ (void) srcport;
+ (void) dstaddr;
+ (void) dstport;
+ (void) InterfaceID;
+ (void) context;
+}
+
+mDNSexport void ProxyTCPCallback(mDNS *const m, void *socket, void *const pkt, const mDNSu8 *const end, const mDNSAddr *const srcaddr, const mDNSIPPort srcport, const mDNSAddr *dstaddr, const mDNSIPPort dstport, const mDNSInterfaceID InterfaceID, void *context)
+{
+ (void) m;
+ (void) socket;
+ (void) pkt;
+ (void) end;
+ (void) srcaddr;
+ (void) srcport;
+ (void) dstaddr;
+ (void) dstport;
+ (void) InterfaceID;
+ (void) context;
+}
+
+mDNSexport void DNSProxyInit(mDNS *const m, mDNSu32 IpIfArr[MaxIp], mDNSu32 OpIf)
+{
+ (void) m;
+ (void) IpIfArr;
+ (void) OpIf;
+}
+extern void DNSProxyTerminate(mDNS *const m)
+{
+ (void) m;
+}
+
+
+#endif // UNICAST_DISABLED
diff --git a/mDNSResponder/mDNSCore/dnsproxy.h b/mDNSResponder/mDNSCore/dnsproxy.h
new file mode 100644
index 00000000..ed46a125
--- /dev/null
+++ b/mDNSResponder/mDNSCore/dnsproxy.h
@@ -0,0 +1,30 @@
+/* -*- Mode: C; tab-width: 4 -*-
+ *
+ * Copyright (c) 2011 Apple Computer, Inc. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef __DNS_PROXY_H
+#define __DNS_PROXY_H
+
+#include "mDNSEmbeddedAPI.h"
+#include "DNSCommon.h"
+
+extern void ProxyUDPCallback(mDNS *const m, void *socket, void *const pkt, const mDNSu8 *const end, const mDNSAddr *const srcaddr,
+ const mDNSIPPort srcport, const mDNSAddr *dstaddr, const mDNSIPPort dstport, const mDNSInterfaceID InterfaceID, void *context);
+extern void ProxyTCPCallback(mDNS *const m, void *socket, void *const pkt, const mDNSu8 *const end, const mDNSAddr *const srcaddr,
+ const mDNSIPPort srcport, const mDNSAddr *dstaddr, const mDNSIPPort dstport, const mDNSInterfaceID InterfaceID, void *context);
+extern void DNSProxyInit(mDNS *const m, mDNSu32 IpIfArr[MaxIp], mDNSu32 OpIf);
+extern void DNSProxyTerminate(mDNS *const m);
+
+#endif // __DNS_PROXY_H
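Review bot: The four prototypes in this header are declared without any statement of their calling contract, and two of them have a contract a caller cannot guess from the signature. In the dnsproxy.c section of this same commit, `ProxyTCPCallback` treats a zero-length message (`end == pkt`) as "peer closed the connection" and disposes of the socket's proxy context, and `DNSProxyInit` reads exactly `MaxIp` entries from `IpIfArr` even though the array parameter decays to a plain pointer, so a shorter caller array would be read past its end. I would add `// A zero-length packet (end == pkt) means the peer closed the connection; the client state for this socket is freed.` above `ProxyTCPCallback`, and `// IpIfArr must point to at least MaxIp interface indexes.` above `DNSProxyInit`. The guard name `__DNS_PROXY_H` also starts with a double underscore, which C reserves for the implementation; `DNS_PROXY_H` avoids that.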
diff --git a/mDNSResponder/mDNSCore/dnssec.c b/mDNSResponder/mDNSCore/dnssec.c
new file mode 100644
index 00000000..c83b8413
--- /dev/null
+++ b/mDNSResponder/mDNSCore/dnssec.c
@@ -0,0 +1,4111 @@
+/* -*- Mode: C; tab-width: 4 -*-
+ *
+ * Copyright (c) 2011 Apple Computer, Inc. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include "mDNSEmbeddedAPI.h"
+#include "DNSSECSupport.h"
+#include "DNSCommon.h"
+#include "dnssec.h"
+#include "CryptoAlg.h"
+#include "nsec.h"
+#include "nsec3.h"
+
+// Define DNSSEC_DISABLED to remove all the DNSSEC functionality
+// and use the stub functions implemented later in this file.
+
+#ifndef DNSSEC_DISABLED
+
+//#define DNSSEC_DEBUG
+
+#ifdef DNSSEC_DEBUG
+#define debugdnssec LogMsg
+#else
+#define debugdnssec debug_noop
+#endif
+//
+// Implementation Notes
+//
+// The entry point to DNSSEC Verification is VerifySignature. This function is called from the "core" when
+// the answer delivered to the application needs DNSSEC validation. If a question needs DNSSEC
+// validation, "ValidationRequired" would be set. As we need to issue more queries to validate the
+// original question, we create another question as part of the verification process (question is part of
+// DNSSECVerifier). This question sets "ValidatingResponse" to distinguish itself from the original
+// question. Without this, it will be a duplicate and never sent out. The "core" almost treats both the
+// types identically (like adding EDNS0 option with DO bit etc.) except for a few differences. When RRSIGs
+// are added to the cache, "ValidatingResponse" question gets called back as long as the typeCovered matches
+// the question's qtype. See the comment in DNSSECRecordAnswersQuestion for the details. The other big
+// difference is that "ValidationRequired" question kicks off the verification process by calling into
+// "VerifySignature" whereas ValidationResponse don't do that as it gets callback for its questions.
+//
+// VerifySignature does not retain the original question that started the verification process. It just
+// remembers the name and the type. It takes a snapshot of the cache at that instance which will be
+// verified using DNSSEC. If the cache changes subsequently e.g., network change etc., it will be detected
+// when the validation is completed. If there is a change, it will be revalidated.
+//
+// The verification flow looks like this:
+//
+// VerifySignature -> StartDNSSECVerification - GetAllRRSetsForVerification -> FinishDNSSECVerification -> VerifySignature
+//
+// Verification is a recursive process. It stops when we find a trust anchor or if we have recursed too deep.
+//
+// If the original question resulted in NODATA/NXDOMAIN error, there should have been NSECs as part of the response.
+// These nsecs are cached along with the negative cache record. These are validated using ValidateWithNSECS called
+// from Verifysignature.
+//
+// The flow in this case looks like this:
+//
+// VerifySignature -> ValidateWithNSECS -> {NoDataProof, NameErrorProof} -> VerifyNSECS -> StartDNSSECVerification
+//
+// Once the DNSSEC verification is started, it is similar to the previous flow described above. When the verification
+// is done, DNSSECPositiveValidationCB or DNSSECNegativeValidationCB will be called which will then deliver the
+// validation results to the original question that started the validation.
+//
+// Insecure proofs are done when the verification ends up bogus. The flow would look like this
+//
+// VerifySignature -> StartDNSSECVerification - GetAllRRSetsForVerification -> FinishDNSSECVerification -> DNSSECValidationCB
+// {DNSSECPositiveValidationCB, DNSSECNegativeValidationCB} -> ProveInsecure -> VerifySignaure ->
+//
+// ProveInsecure finds the break in trust in a top-down fashion.
+//
+// Forward declaration
+mDNSlocal void VerifySigCallback(mDNS *const m, DNSQuestion *question, const ResourceRecord *const answer, QC_result AddRecord);
+mDNSlocal mStatus TrustedKey(mDNS *const m, DNSSECVerifier *dv);
+mDNSlocal mDNSBool TrustedKeyPresent(mDNS *const m, DNSSECVerifier *dv);
+mDNSlocal mStatus ValidateDS(DNSSECVerifier *dv);
+mDNSlocal void DNSSECNegativeValidationCB(mDNS *const m, DNSSECVerifier *dv, CacheGroup *cg, ResourceRecord *answer, DNSSECStatus status);
+mDNSlocal RRVerifier* CopyRRVerifier(RRVerifier *from);
+
+// Currently we use this to convert a RRVerifier to resource record so that we can
+// use the standard DNS utility functions
+LargeCacheRecord largerec;
+
+// Verification is a recursive process. We arbitrarily limit to 10 just to be cautious which should be
+// removed in the future.
+#define MAX_RECURSE_COUNT 10
+
+// TTL (in seconds) when the DNSSEC status is Bogus
+#define RR_BOGUS_TTL 60
+
+// RFC 4034 Appendix B: Get the keyid of a DNS KEY. It is not transmitted
+// explicitly on the wire.
+//
+// Note: This just helps narrow down the list of keys to look at. It is possible
+// for two DNS keys to have the same ID i.e., key ID is not a unqiue tag
+//
+// 1st argument - the RDATA part of the DNSKEY RR
+// 2nd argument - the RDLENGTH
+//
+mDNSlocal mDNSu32 keytag(mDNSu8 *key, mDNSu32 keysize)
+{
+ unsigned long ac;
+ unsigned int i;
+
+ // DST_ALG_RSAMD5 will be rejected automatically as the keytag
+ // is calculated wrongly
+
+ for (ac = 0, i = 0; i < keysize; ++i)
+ ac += (i & 1) ? key[i] : key[i] << 8;
+ ac += (ac >> 16) & 0xFFFF;
+ return ac & 0xFFFF;
+}
+
+mDNSexport int DNSMemCmp(const mDNSu8 *const m1, const mDNSu8 *const m2, int len)
+{
+ int res;
+
+ res = mDNSPlatformMemCmp(m1, m2, len);
+ if (res != 0)
+ return (res < 0 ? -1 : 1);
+ return 0;
+}
+
+// RFC 4034:
+//
+// Section 6.1:
+//
+// For the purposes of DNS security, owner names are ordered by treating
+// individual labels as unsigned left-justified octet strings. The
+// absence of a octet sorts before a zero value octet, and uppercase
+// US-ASCII letters are treated as if they were lowercase US-ASCII
+// letters.
+//
+// To compute the canonical ordering of a set of DNS names, start by
+// sorting the names according to their most significant (rightmost)
+// labels. For names in which the most significant label is identical,
+// continue sorting according to their next most significant label, and
+// so forth.
+//
+// Returns 0 if the names are same
+// Returns -1 if d1 < d2
+// Returns 1 if d1 > d2
+//
+// subdomain is set if there is at least one label match (starting from the end)
+// and d1 has more labels than d2 e.g., a.b.com is a subdomain of b.com
+//
+mDNSexport int DNSSECCanonicalOrder(const domainname *const d1, const domainname *const d2, int *subdomain)
+{
+ int count, c1, c2;
+ int i, skip1, skip2;
+
+ c1 = CountLabels(d1);
+ skip1 = c1 - 1;
+ c2 = CountLabels(d2);
+ skip2 = c2 - 1;
+
+ if (subdomain) *subdomain = 0;
+
+ // Compare as many labels as possible starting from the rightmost
+ count = c1 < c2 ? c1 : c2;
+ for (i = count; i > 0; i--)
+ {
+ mDNSu8 *a, *b;
+ int j, len, lena, lenb;
+
+ a = (mDNSu8 *)SkipLeadingLabels(d1, skip1);
+ b = (mDNSu8 *)SkipLeadingLabels(d2, skip2);
+ lena = *a;
+ lenb = *b;
+ // Compare label by label. Note that "z" > "yak" because z > y, but z < za
+ // (lena - lenb check below) because 'za' has two characters. Hence compare the
+ // letters first and then compare the length of the label at the end.
+ len = lena < lenb ? lena : lenb;
+ a++; b++;
+ for (j = 0; j < len; j++)
+ {
+ mDNSu8 ac = *a++;
+ mDNSu8 bc = *b++;
+ if (mDNSIsUpperCase(ac)) ac += 'a' - 'A';
+ if (mDNSIsUpperCase(bc)) bc += 'a' - 'A';
+ if (ac != bc)
+ {
+ verbosedebugf("DNSSECCanonicalOrder: returning ac %c, bc %c", ac, bc);
+ return ((ac < bc) ? -1 : 1);
+ }
+ }
+ if ((lena - lenb) != 0)
+ {
+ verbosedebugf("DNSSECCanonicalOrder: returning lena %d lenb %d", lena, lenb);
+ return ((lena < lenb) ? -1 : 1);
+ }
+
+ // Continue with the next label
+ skip1--;
+ skip2--;
+ }
+ // We have compared label by label. Both of them are same if we are here.
+ //
+ // Two possibilities.
+ //
+ // 1) Both names have same number of labels. In that case, return zero.
+ // 2) The number of labels is not same. As zero label sorts before, names
+ // with more number of labels is greater.
+
+ // a.b.com is a subdomain of b.com
+ if ((c1 > c2) && subdomain)
+ *subdomain = 1;
+
+ verbosedebugf("DNSSECCanonicalOrder: returning c1 %d c2 %d\n", c1, c2);
+ if (c1 != c2)
+ return ((c1 < c2) ? -1 : 1);
+ else
+ return 0;
+}
+
+// Initialize the question enough so that it can be answered from the cache using SameNameRecordAnswersQuestion or
+// ResourceRecordAnswersQuestion.
+mDNSexport void InitializeQuestion(mDNS *const m, DNSQuestion *question, mDNSInterfaceID InterfaceID, const domainname *qname,
+ mDNSu16 qtype, mDNSQuestionCallback *callback, void *context)
+{
+ debugf("InitializeQuestion: Called for %##s (%s)", qname->c, DNSTypeName(qtype));
+
+ if (question->ThisQInterval != -1) mDNS_StopQuery(m, question);
+
+ mDNS_SetupQuestion(question, InterfaceID, qname, qtype, callback, context);
+ question->qnamehash = DomainNameHashValue(qname);
+ question->ValidatingResponse = mDNStrue;
+
+ // Need to hold the lock, as GetServerForQuestion (its callers) references m->timenow.
+ mDNS_Lock(m);
+ // We need to set the DNS server appropriately to match the question against the cache record.
+ // Though not all callers of this function need it, we always do it to keep it simple.
+ SetValidDNSServers(m, question);
+ question->qDNSServer = GetServerForQuestion(m, question);
+ mDNS_Unlock(m);
+
+ // Make it look like unicast
+ question->TargetQID = onesID;
+ question->TimeoutQuestion = 1;
+ question->ReturnIntermed = 1;
+ // SetupQuestion sets LongLived if qtype == PTR
+ question->LongLived = 0;
+}
+
+mDNSexport DNSSECVerifier *AllocateDNSSECVerifier(mDNS *const m, const domainname *name, mDNSu16 rrtype, mDNSInterfaceID InterfaceID,
+ mDNSu8 ValidationRequired, DNSSECVerifierCallback dvcallback, mDNSQuestionCallback qcallback)
+{
+ DNSSECVerifier *dv;
+
+ dv = (DNSSECVerifier *)mDNSPlatformMemAllocate(sizeof(DNSSECVerifier));
+ if (!dv) { LogMsg("AllocateDNSSECVerifier: ERROR!! memory alloc failed"); return mDNSNULL; }
+ mDNSPlatformMemZero(dv, sizeof(*dv));
+
+ LogDNSSEC("AllocateDNSSECVerifier called %p", dv);
+
+ // Remember the question's name and type so that when we are done processing all
+ // the verifications, we can trace the original question back
+ AssignDomainName(&dv->origName, name);
+ dv->origType = rrtype;
+ dv->InterfaceID = InterfaceID;
+ dv->DVCallback = dvcallback;
+ dv->q.ThisQInterval = -1;
+ ResetAuthChain(dv);
+ // These two are used for Insecure proof if we end up doing it.
+ // -Value of ValidationRequired so that we know whether this is a secure or insecure validation
+ // -InsecureProofDone tells us whether the proof has been done or not
+ dv->ValidationRequired = ValidationRequired;
+ dv->InsecureProofDone = 0;
+ dv->NumPackets = 0;
+ mDNS_Lock(m);
+ dv->StartTime = m->timenow;
+ mDNS_Unlock(m);
+ // The verifier's question has to be initialized as some of the callers assume it
+ InitializeQuestion(m, &dv->q, InterfaceID, name, rrtype, qcallback, dv);
+ return dv;
+}
+
+mDNSlocal AuthChain *AuthChainCopy(AuthChain *ae)
+{
+ RRVerifier *rvfrom, **rvto;
+ AuthChain **prev = mDNSNULL;
+ AuthChain *retac = mDNSNULL;
+ AuthChain *ac;
+
+
+ while (ae)
+ {
+ ac = mDNSPlatformMemAllocate(sizeof(AuthChain));
+ if (!ac)
+ {
+ LogMsg("AuthChainCopy: AuthChain alloc failure");
+ return mDNSfalse;
+ }
+
+ ac->next = mDNSNULL;
+
+ if (!retac)
+ retac = ac;
+
+ rvfrom = ae->rrset;
+ rvto = &ac->rrset;
+ while (rvfrom)
+ {
+ *rvto = CopyRRVerifier(rvfrom);
+ rvfrom = rvfrom->next;
+ rvto = &((*rvto)->next);
+ }
+
+ rvfrom = ae->rrsig;
+ rvto = &ac->rrsig;
+ while (rvfrom)
+ {
+ *rvto = CopyRRVerifier(rvfrom);
+ rvfrom = rvfrom->next;
+ rvto = &((*rvto)->next);
+ }
+
+ rvfrom = ae->key;
+ rvto = &ac->key;
+ while (rvfrom)
+ {
+ *rvto = CopyRRVerifier(rvfrom);
+ rvfrom = rvfrom->next;
+ rvto = &((*rvto)->next);
+ }
+
+ if (prev)
+ {
+ *prev = ac;
+ }
+ prev = &(ac->next);
+ ae = ae->next;
+ }
+ return retac;
+}
+
+mDNSlocal void FreeDNSSECAuthChainInfo(AuthChain *ac)
+{
+ RRVerifier *rrset;
+ RRVerifier *next;
+ AuthChain *acnext;
+
+ LogDNSSEC("FreeDNSSECAuthChainInfo: called");
+
+ while (ac)
+ {
+ acnext = ac->next;
+ rrset = ac->rrset;
+ while (rrset)
+ {
+ next = rrset->next;
+ mDNSPlatformMemFree(rrset);
+ rrset = next;
+ }
+ ac->rrset = mDNSNULL;
+
+ rrset = ac->rrsig;
+ while (rrset)
+ {
+ next = rrset->next;
+ mDNSPlatformMemFree(rrset);
+ rrset = next;
+ }
+ ac->rrsig = mDNSNULL;
+
+ rrset = ac->key;
+ while (rrset)
+ {
+ next = rrset->next;
+ mDNSPlatformMemFree(rrset);
+ rrset = next;
+ }
+ ac->key = mDNSNULL;
+
+ mDNSPlatformMemFree(ac);
+ ac = acnext;
+ }
+}
+
+mDNSlocal void FreeDNSSECAuthChain(DNSSECVerifier *dv)
+{
+ if (dv->ac)
+ {
+ FreeDNSSECAuthChainInfo(dv->ac);
+ // if someone reuses the "dv", it will be initialized properly
+ ResetAuthChain(dv);
+ }
+ if (dv->saveac)
+ {
+ FreeDNSSECAuthChainInfo(dv->saveac);
+ dv->saveac = mDNSNULL;
+ }
+}
+
+mDNSlocal void FreeAuthChain(mDNS *const m, void *context)
+{
+ AuthChain *ac = (AuthChain *)context;
+ (void) m; // unused
+
+ FreeDNSSECAuthChainInfo(ac);
+}
+
+mDNSlocal void FreeDNSSECVerifierRRSets(DNSSECVerifier *dv)
+{
+ RRVerifier *rrset;
+ RRVerifier *next;
+
+ //debugdnssec("FreeDNSSECVerifierRRSets called %p", dv);
+ rrset = dv->rrset;
+ while (rrset)
+ {
+ next = rrset->next;
+ mDNSPlatformMemFree(rrset);
+ rrset = next;
+ }
+ dv->rrset = mDNSNULL;
+
+ rrset = dv->rrsig;
+ while (rrset)
+ {
+ next = rrset->next;
+ mDNSPlatformMemFree(rrset);
+ rrset = next;
+ }
+ dv->rrsig = mDNSNULL;
+
+ rrset = dv->key;
+ while (rrset)
+ {
+ next = rrset->next;
+ mDNSPlatformMemFree(rrset);
+ rrset = next;
+ }
+ dv->key = mDNSNULL;
+
+ rrset = dv->rrsigKey;
+ while (rrset)
+ {
+ next = rrset->next;
+ mDNSPlatformMemFree(rrset);
+ rrset = next;
+ }
+ dv->rrsigKey = mDNSNULL;
+
+ rrset = dv->ds;
+ while (rrset)
+ {
+ next = rrset->next;
+ mDNSPlatformMemFree(rrset);
+ rrset = next;
+ }
+ dv->ds = mDNSNULL;
+ rrset = dv->pendingNSEC;
+ while (rrset)
+ {
+ next = rrset->next;
+ mDNSPlatformMemFree(rrset);
+ rrset = next;
+ }
+ dv->pendingNSEC = mDNSNULL;
+}
+
+mDNSexport void FreeDNSSECVerifier(mDNS *const m, DNSSECVerifier *dv)
+{
+ LogDNSSEC("FreeDNSSECVerifier called %p", dv);
+ if (dv->q.ThisQInterval != -1)
+ mDNS_StopQuery(m, &dv->q);
+ FreeDNSSECVerifierRRSets(dv);
+ if (dv->ctx)
+ AlgDestroy(dv->ctx);
+ if (dv->ac || dv->saveac)
+ FreeDNSSECAuthChain(dv);
+ if (dv->parent)
+ {
+ LogDNSSEC("FreeDNSSECVerifier freeing parent %p", dv->parent);
+ FreeDNSSECVerifier(m, dv->parent);
+ }
+ mDNSPlatformMemFree(dv);
+}
+
+mDNSlocal RRVerifier* CopyRRVerifier(RRVerifier *from)
+{
+ RRVerifier *r;
+
+ r = mDNSPlatformMemAllocate(sizeof (RRVerifier) + from->rdlength);
+ if (!r)
+ {
+ LogMsg("CopyRRVerifier: memory failure");
+ return mDNSNULL;
+ }
+ mDNSPlatformMemCopy(r, from, sizeof(RRVerifier));
+ r->next = mDNSNULL;
+ r->rdata = (mDNSu8*) ((mDNSu8 *)r + sizeof(RRVerifier));
+ mDNSPlatformMemCopy(r->rdata, from->rdata, r->rdlength);
+ return r;
+}
+
+mDNSexport RRVerifier* AllocateRRVerifier(const ResourceRecord *const rr, mStatus *status)
+{
+ RRVerifier *r;
+
+ r = mDNSPlatformMemAllocate(sizeof (RRVerifier) + rr->rdlength);
+ if (!r)
+ {
+ LogMsg("AllocateRRVerifier: memory failure");
+ *status = mStatus_NoMemoryErr;
+ return mDNSNULL;
+ }
+ r->next = mDNSNULL;
+ r->rrtype = rr->rrtype;
+ r->rrclass = rr->rrclass;
+ r->rroriginalttl = rr->rroriginalttl;
+ r->rdlength = rr->rdlength;
+ r->namehash = rr->namehash;
+ r->rdatahash = rr->rdatahash;
+ AssignDomainName(&r->name, rr->name);
+ r->rdata = (mDNSu8*) ((mDNSu8 *)r + sizeof(RRVerifier));
+
+ // When we parsed the DNS response in GeLargeResourceRecord, for some records, we parse them into
+ // host order so that the rest of the code does not have to bother with converting from network order
+ // to host order. For signature verification, we need them back in network order. For DNSSEC records
+ // like DNSKEY and DS, we just copy over the data both in GetLargeResourceRecord and putRData.
+
+ if (!putRData(mDNSNULL, r->rdata, r->rdata + rr->rdlength, rr))
+ {
+ LogMsg("AllocateRRVerifier: putRData failed");
+ *status = mStatus_BadParamErr;
+ return mDNSNULL;
+ }
+ *status = mStatus_NoError;
+ return r;
+}
+
+mDNSexport mStatus AddRRSetToVerifier(DNSSECVerifier *dv, const ResourceRecord *const rr, RRVerifier *rv, RRVerifierSet set)
+{
+ RRVerifier *r;
+ RRVerifier **v;
+ mStatus status;
+
+ if (!rv)
+ {
+ r = AllocateRRVerifier(rr, &status);
+ if (!r) return status;
+ }
+ else
+ r = rv;
+
+ switch (set)
+ {
+ case RRVS_rr:
+ v = &dv->rrset;
+ break;
+ case RRVS_rrsig:
+ v = &dv->rrsig;
+ break;
+ case RRVS_key:
+ v = &dv->key;
+ break;
+ case RRVS_rrsig_key:
+ v = &dv->rrsigKey;
+ break;
+ case RRVS_ds:
+ v = &dv->ds;
+ break;
+ default:
+ LogMsg("AddRRSetToVerifier: ERROR!! default case %d", set);
+ return mStatus_BadParamErr;
+ }
+ while (*v)
+ v = &(*v)->next;
+ *v = r;
+ return mStatus_NoError;
+}
+
+// Validate the RRSIG. "type" tells which RRSIG that we are supposed to validate. We fetch RRSIG for
+// the rrset (type is RRVS_rrsig) and RRSIG for the key (type is RRVS_rrsig_key).
+mDNSexport void ValidateRRSIG(DNSSECVerifier *dv, RRVerifierSet type, const ResourceRecord *const rr)
+{
+ RRVerifier *rv;
+ mDNSu32 currentTime;
+ rdataRRSig *rrsigRData = (rdataRRSig *)((mDNSu8 *)rr->rdata + sizeofRDataHeader);
+
+ if (type == RRVS_rrsig)
+ {
+ rv = dv->rrset;
+ }
+ else if (type == RRVS_rrsig_key)
+ {
+ rv = dv->key;
+ }
+ else
+ {
+ LogMsg("ValidateRRSIG: ERROR!! type not valid %d", type);
+ return;
+ }
+
+ // RFC 4035:
+ // For each authoritative RRset in a signed zone, there MUST be at least
+ // one RRSIG record that meets the following requirements:
+ //
+ // RRSet is defined by same name, class and type
+ //
+ // 1. The RRSIG RR and the RRset MUST have the same owner name and the same class.
+ if (!SameDomainName(&rv->name, rr->name) || (rr->rrclass != rv->rrclass))
+ {
+ debugdnssec("ValidateRRSIG: name mismatch or class mismatch");
+ return;
+ }
+
+ // 2. The RRSIG RR's Type Covered field MUST equal the RRset's type.
+ if ((swap16(rrsigRData->typeCovered)) != rv->rrtype)
+ {
+ debugdnssec("ValidateRRSIG: typeCovered mismatch rrsig %d, rr type %d", swap16(rrsigRData->typeCovered), rv->rrtype);
+ return;
+ }
+
+ // 3. The number of labels in the RRset owner name MUST be greater than or equal
+ // to the value in the RRSIG RR's Labels field.
+ if (rrsigRData->labels > CountLabels(&rv->name))
+ {
+ debugdnssec("ValidateRRSIG: labels count problem rrsig %d, rr %d", rrsigRData->labels, CountLabels(&rv->name));
+ return;
+ }
+
+ // 4. The RRSIG RR's Signer's Name field MUST be the name of the zone that contains
+ // the RRset. For a stub resolver, this can't be done in a secure way. Hence we
+ // do it this way (discussed in dnsext mailing list)
+ switch (rv->rrtype)
+ {
+ case kDNSType_NS:
+ case kDNSType_SOA:
+ case kDNSType_DNSKEY:
+ //Signed by the owner
+ if (!SameDomainName(&rv->name, (domainname *)&rrsigRData->signerName))
+ {
+ debugdnssec("ValidateRRSIG: Signer Name does not match the record name for %s", DNSTypeName(rv->rrtype));
+ return;
+ }
+ break;
+ case kDNSType_DS:
+ // Should be signed by the parent
+ if (SameDomainName(&rv->name, (domainname *)&rrsigRData->signerName))
+ {
+ debugdnssec("ValidateRRSIG: Signer Name matches the record name for %s", DNSTypeName(rv->rrtype));
+ return;
+ }
+ // FALLTHROUGH
+ default:
+ {
+ int c1 = CountLabels(&rv->name);
+ int c2 = CountLabels((domainname *)&rrsigRData->signerName);
+ if (c1 < c2)
+ {
+ debugdnssec("ValidateRRSIG: Signer Name not a subdomain label count %d < %d ", c1, c2);
+ return;
+ }
+ domainname *d = (domainname *)SkipLeadingLabels(&rv->name, c1 - c2);
+ if (!SameDomainName(d, (domainname *)&rrsigRData->signerName))
+ {
+ debugdnssec("ValidateRRSIG: Signer Name not a subdomain");
+ return;
+ }
+ break;
+ }
+ }
+
+ // 5. The validator's notion of the current time MUST be less than or equal to the
+ // time listed in the RRSIG RR's Expiration field.
+ //
+ // 6. The validator's notion of the current time MUST be greater than or equal to the
+ // time listed in the RRSIG RR's Inception field.
+ currentTime = mDNSPlatformUTC();
+
+ if (DNS_SERIAL_LT(swap32(rrsigRData->sigExpireTime), currentTime))
+ {
+ LogDNSSEC("ValidateRRSIG: Expired: currentTime %d, ExpireTime %d", (int)currentTime,
+ swap32((int)rrsigRData->sigExpireTime));
+ return;
+ }
+ if (DNS_SERIAL_LT(currentTime, swap32(rrsigRData->sigInceptTime)))
+ {
+ LogDNSSEC("ValidateRRSIG: Future: currentTime %d, InceptTime %d", (int)currentTime,
+ swap32((int)rrsigRData->sigInceptTime));
+ return;
+ }
+
+ if (AddRRSetToVerifier(dv, rr, mDNSNULL, type) != mStatus_NoError)
+ {
+ LogMsg("ValidateRRSIG: ERROR!! cannot allocate RRSet");
+ return;
+ }
+}
+
+mDNSlocal mStatus CheckRRSIGForRRSet(mDNS *const m, DNSSECVerifier *dv, CacheRecord **negcr)
+{
+ mDNSu32 slot;
+ CacheGroup *cg;
+ CacheRecord *cr;
+ RRVerifier *rv;
+ mDNSBool expectRRSIG = mDNSfalse;
+
+ *negcr = mDNSNULL;
+ if (!dv->rrset)
+ {
+ LogMsg("CheckRRSIGForRRSet: ERROR!! rrset NULL for origName %##s (%s)", dv->origName.c,
+ DNSTypeName(dv->origType));
+ return mStatus_BadParamErr;
+ }
+
+ rv = dv->rrset;
+ slot = HashSlot(&rv->name);
+ cg = CacheGroupForName(m, slot, rv->namehash, &rv->name);
+ if (!cg)
+ {
+ debugdnssec("CheckRRSIGForRRSet: cg null");
+ return mStatus_NoSuchRecord;
+ }
+
+ for (cr=cg->members; cr; cr=cr->next)
+ {
+ debugdnssec("CheckRRSIGForRRSet: checking the validity of rrsig");
+ if (cr->resrec.rrtype != kDNSType_RRSIG)
+ {
+ // Check to see if we should expect RRSIGs for the type that we are looking for.
+ // We would expect RRSIGs, if we had previously issued the question with the
+ // EDNS0/DOK bit set.
+ if (cr->resrec.rrtype == dv->rrset->rrtype)
+ {
+ expectRRSIG = cr->CRDNSSECQuestion;
+ LogDNSSEC("CheckRRSIGForRRSet: %s RRSIG for %s", (expectRRSIG ? "Expecting" : "Not Expecting"), CRDisplayString(m, cr));
+ }
+ continue;
+ }
+ if (cr->resrec.RecordType == kDNSRecordTypePacketNegative)
+ {
+ if (!(*negcr))
+ {
+ LogDNSSEC("CheckRRSIGForRRSet: Negative cache record %s encountered for %##s (%s)", CRDisplayString(m, cr),
+ rv->name.c, DNSTypeName(rv->rrtype));
+ *negcr = cr;
+ }
+ else
+ {
+ LogMsg("CheckRRSIGForRRSet: ERROR!! Negative cache record %s already set for %##s (%s)", CRDisplayString(m, cr),
+ rv->name.c, DNSTypeName(rv->rrtype));
+ }
+ continue;
+ }
+ ValidateRRSIG(dv, RRVS_rrsig, &cr->resrec);
+ }
+ if (*negcr && dv->rrsig)
+ {
+ // Encountered both RRSIG and negative CR
+ LogMsg("CheckRRSIGForRRSet: ERROR!! Encountered negative cache record %s and RRSIG for %##s (%s)",
+ CRDisplayString(m, *negcr), rv->name.c, DNSTypeName(rv->rrtype));
+ return mStatus_BadParamErr;
+ }
+ // If we can't find RRSIGs, but we find a negative response then we need to validate that
+ // which the caller will do it. Otherwise, if we should be expecting RRSIGs to be in the
+ // cache already, then return error.
+ if (dv->rrsig || *negcr)
+ return mStatus_NoError;
+ else if (expectRRSIG)
+ return mStatus_BadParamErr;
+ else
+ return mStatus_NoSuchRecord;
+}
+
+mDNSlocal void CheckOneKeyForRRSIG(DNSSECVerifier *dv, const ResourceRecord *const rr)
+{
+ rdataRRSig *rrsig;
+
+ if (!dv->rrsig)
+ {
+ LogMsg("CheckOneKeyForRRSIG: ERROR!! rrsig NULL");
+ return;
+ }
+ rrsig = (rdataRRSig *)dv->rrsig->rdata;
+ if (!SameDomainName((domainname *)&rrsig->signerName, rr->name))
+ {
+ debugdnssec("CheckOneKeyForRRSIG: name mismatch");
+ return;
+ }
+
+ // We store all the keys including the ZSK and KSK and use them appropriately
+ // later
+ if (AddRRSetToVerifier(dv, rr, mDNSNULL, RRVS_key) != mStatus_NoError)
+ {
+ LogMsg("CheckOneKeyForRRSIG: ERROR!! cannot allocate RRSet");
+ return;
+ }
+}
+
+mDNSlocal mStatus CheckKeyForRRSIG(mDNS *const m, DNSSECVerifier *dv, CacheRecord **negcr)
+{
+ mDNSu32 slot;
+ mDNSu32 namehash;
+ CacheGroup *cg;
+ CacheRecord *cr;
+ rdataRRSig *rrsig;
+ domainname *name;
+
+ *negcr = mDNSNULL;
+ if (!dv->rrsig)
+ {
+ LogMsg("CheckKeyForRRSIG: ERROR!! rrsig NULL");
+ return mStatus_BadParamErr;
+ }
+
+ // Signer name should be the same on all rrsig ??
+ rrsig = (rdataRRSig *)dv->rrsig->rdata;
+ name = (domainname *)&rrsig->signerName;
+
+ slot = HashSlot(name);
+ namehash = DomainNameHashValue(name);
+ cg = CacheGroupForName(m, slot, namehash, name);
+ if (!cg)
+ {
+ debugdnssec("CheckKeyForRRSIG: cg null for %##s", name->c);
+ return mStatus_NoSuchRecord;
+ }
+
+ for (cr=cg->members; cr; cr=cr->next)
+ {
+ if (cr->resrec.rrtype != kDNSType_DNSKEY) continue;
+ if (cr->resrec.RecordType == kDNSRecordTypePacketNegative)
+ {
+ if (!(*negcr))
+ {
+ LogDNSSEC("CheckKeyForRRSIG: Negative cache record %s encountered for %##s (DNSKEY)", CRDisplayString(m, cr),
+ name->c);
+ *negcr = cr;
+ }
+ else
+ {
+ LogMsg("CheckKeyForRRSIG: ERROR!! Negative cache record %s already set for %##s (DNSKEY)", CRDisplayString(m, cr),
+ name->c);
+ }
+ continue;
+ }
+ debugdnssec("CheckKeyForRRSIG: checking the validity of key record");
+ CheckOneKeyForRRSIG(dv, &cr->resrec);
+ }
+ if (*negcr && dv->key)
+ {
+ // Encountered both RRSIG and negative CR
+ LogMsg("CheckKeyForRRSIG: ERROR!! Encountered negative cache record %s and DNSKEY for %##s",
+ CRDisplayString(m, *negcr), name->c);
+ return mStatus_BadParamErr;
+ }
+ if (dv->key || *negcr)
+ return mStatus_NoError;
+ else
+ return mStatus_NoSuchRecord;
+}
+
+mDNSlocal void CheckOneRRSIGForKey(DNSSECVerifier *dv, const ResourceRecord *const rr)
+{
+ rdataRRSig *rrsig;
+ if (!dv->rrsig)
+ {
+ LogMsg("CheckOneRRSIGForKey: ERROR!! rrsig NULL");
+ return;
+ }
+ rrsig = (rdataRRSig *)dv->rrsig->rdata;
+ if (!SameDomainName((domainname *)&rrsig->signerName, rr->name))
+ {
+ debugdnssec("CheckOneRRSIGForKey: name mismatch");
+ return;
+ }
+ ValidateRRSIG(dv, RRVS_rrsig_key, rr);
+}
+
+mDNSlocal mStatus CheckRRSIGForKey(mDNS *const m, DNSSECVerifier *dv, CacheRecord **negcr)
+{
+ mDNSu32 slot;
+ mDNSu32 namehash;
+ CacheGroup *cg;
+ CacheRecord *cr;
+ rdataRRSig *rrsig;
+ domainname *name;
+ mDNSBool expectRRSIG = mDNSfalse;
+
+ *negcr = mDNSNULL;
+ if (!dv->rrsig)
+ {
+ LogMsg("CheckRRSIGForKey: ERROR!! rrsig NULL");
+ return mStatus_BadParamErr;
+ }
+ if (!dv->key)
+ {
+ LogMsg("CheckRRSIGForKey: ERROR!! key NULL");
+ return mStatus_BadParamErr;
+ }
+ rrsig = (rdataRRSig *)dv->rrsig->rdata;
+ name = (domainname *)&rrsig->signerName;
+
+ slot = HashSlot(name);
+ namehash = DomainNameHashValue(name);
+ cg = CacheGroupForName(m, slot, namehash, name);
+ if (!cg)
+ {
+ debugdnssec("CheckRRSIGForKey: cg null %##s", name->c);
+ return mStatus_NoSuchRecord;
+ }
+ for (cr=cg->members; cr; cr=cr->next)
+ {
+ if (cr->resrec.rrtype != kDNSType_RRSIG)
+ {
+ // Check to see if we should expect RRSIGs for the DNSKEY record that we are
+ // looking for. We would expect RRSIGs, if we had previously issued the question
+ // with the EDNS0/DOK bit set.
+ if (cr->resrec.rrtype == kDNSType_DNSKEY)
+ {
+ expectRRSIG = cr->CRDNSSECQuestion;
+ LogDNSSEC("CheckRRSIGForKey: %s RRSIG for %s", (expectRRSIG ? "Expecting" : "Not Expecting"), CRDisplayString(m, cr));
+ }
+ continue;
+ }
+ if (cr->resrec.RecordType == kDNSRecordTypePacketNegative)
+ {
+ if (!(*negcr))
+ {
+ LogDNSSEC("CheckRRSIGForKey: Negative cache record %s encountered for %##s (RRSIG)", CRDisplayString(m, cr),
+ name->c);
+ *negcr = cr;
+ }
+ else
+ {
+ LogMsg("CheckRRSIGForKey: ERROR!! Negative cache record %s already set for %##s (RRSIG)", CRDisplayString(m, cr),
+ name->c);
+ }
+ continue;
+ }
+ debugdnssec("CheckRRSIGForKey: checking the validity of rrsig");
+ CheckOneRRSIGForKey(dv, &cr->resrec);
+ }
+ if (*negcr && dv->rrsigKey)
+ {
+ // Encountered both RRSIG and negative CR
+ LogMsg("CheckRRSIGForKey: ERROR!! Encountered negative cache record %s and DNSKEY for %##s",
+ CRDisplayString(m, *negcr), name->c);
+ return mStatus_BadParamErr;
+ }
+ // If we can't find RRSIGs, but we find a negative response then we need to validate that
+ // which the caller will do it. Finally, make sure that we are not expecting RRSIGS.
+ if (dv->rrsigKey || *negcr)
+ return mStatus_NoError;
+ else if (expectRRSIG)
+ return mStatus_BadParamErr;
+ else
+ return mStatus_NoSuchRecord;
+}
+
+mDNSlocal void CheckOneDSForKey(DNSSECVerifier *dv, const ResourceRecord *const rr)
+{
+ mDNSu16 tag;
+ rdataDS *DS;
+ RRVerifier *keyv;
+ rdataDNSKey *key;
+ rdataRRSig *rrsig;
+
+ if (!dv->rrsig)
+ {
+ LogMsg("CheckOneDSForKey: ERROR!! rrsig NULL");
+ return;
+ }
+ rrsig = (rdataRRSig *)dv->rrsig->rdata;
+ DS = (rdataDS *)((mDNSu8 *)rr->rdata + sizeofRDataHeader);
+
+ if (!SameDomainName((domainname *)&rrsig->signerName, rr->name))
+ {
+ debugdnssec("CheckOneDSForKey: name mismatch");
+ return;
+ }
+ for (keyv = dv->key; keyv; keyv = keyv->next)
+ {
+ key = (rdataDNSKey *)keyv->rdata;
+ tag = (mDNSu16)keytag((mDNSu8 *)key, keyv->rdlength);
+ if (tag != swap16(DS->keyTag))
+ {
+ debugdnssec("CheckOneDSForKey: keyTag mismatch keyTag %d, DStag %d", tag, swap16(DS->keyTag));
+ continue;
+ }
+ if (key->alg != DS->alg)
+ {
+ debugdnssec("CheckOneDSForKey: alg mismatch key alg%d, DS alg %d", key->alg, swap16(DS->alg));
+ continue;
+ }
+ if (AddRRSetToVerifier(dv, rr, mDNSNULL, RRVS_ds) != mStatus_NoError)
+ {
+ debugdnssec("CheckOneDSForKey: cannot allocate RRSet");
+ }
+ }
+}
+
+mDNSlocal mStatus CheckDSForKey(mDNS *const m, DNSSECVerifier *dv, CacheRecord **negcr)
+{
+ mDNSu32 slot;
+ mDNSu32 namehash;
+ CacheGroup *cg;
+ CacheRecord *cr;
+ rdataRRSig *rrsig;
+ domainname *name;
+
+ *negcr = mDNSNULL;
+ if (!dv->rrsig)
+ {
+ LogMsg("CheckDSForKey: ERROR!! rrsig NULL");
+ return mStatus_BadParamErr;
+ }
+ if (!dv->key)
+ {
+ LogMsg("CheckDSForKey: ERROR!! key NULL");
+ return mStatus_BadParamErr;
+ }
+ rrsig = (rdataRRSig *)dv->rrsig->rdata;
+ name = (domainname *)&rrsig->signerName;
+ slot = HashSlot(name);
+ namehash = DomainNameHashValue(name);
+ cg = CacheGroupForName(m, slot, namehash, name);
+ if (!cg)
+ {
+ debugdnssec("CheckDSForKey: cg null for %s", name->c);
+ return mStatus_NoSuchRecord;
+ }
+ for (cr=cg->members; cr; cr=cr->next)
+ {
+ if (cr->resrec.rrtype != kDNSType_DS) continue;
+ if (cr->resrec.RecordType == kDNSRecordTypePacketNegative)
+ {
+ if (!(*negcr))
+ {
+ LogDNSSEC("CheckDSForKey: Negative cache record %s encountered for %##s (DS)", CRDisplayString(m, cr),
+ name->c);
+ *negcr = cr;
+ }
+ else
+ {
+ LogMsg("CheckDSForKey: ERROR!! Negative cache record %s already set for %##s (DS)", CRDisplayString(m, cr),
+ name->c);
+ }
+ continue;
+ }
+ CheckOneDSForKey(dv, &cr->resrec);
+ }
+ if (*negcr && dv->ds)
+ {
+ // Encountered both RRSIG and negative CR
+ LogMsg("CheckDSForKey: ERROR!! Encountered negative cache record %s and DS for %##s",
+ CRDisplayString(m, *negcr), name->c);
+ return mStatus_BadParamErr;
+ }
+ if (dv->ds || *negcr)
+ return mStatus_NoError;
+ else
+ return mStatus_NoSuchRecord;
+ return (dv->ds ? mStatus_NoError : mStatus_NoSuchRecord);
+}
+
+// It returns mDNStrue if we have all the rrsets for verification and mDNSfalse otherwise.
+mDNSlocal mDNSBool GetAllRRSetsForVerification(mDNS *const m, DNSSECVerifier *dv)
+{
+ mStatus err;
+ CacheRecord *negcr;
+ rdataRRSig *rrsig;
+
+ if (!dv->rrset)
+ {
+ LogMsg("GetAllRRSetsForVerification: ERROR!! rrset NULL");
+ dv->DVCallback(m, dv, DNSSEC_Bogus);
+ return mDNSfalse;
+ }
+
+ if (dv->next == RRVS_done) return mDNStrue;
+
+ debugdnssec("GetAllRRSetsForVerification: next %d", dv->next);
+ switch (dv->next)
+ {
+ case RRVS_rrsig:
+ // If we can't find the RRSIG for the rrset, re-issue the query.
+ //
+ // NOTE: It is possible that the cache might answer partially e.g., RRSIGs match qtype but the
+ // whole set is not there. In that case the validation will fail. Ideally we should flush the
+ // cache and reissue the query (TBD).
+ err = CheckRRSIGForRRSet(m, dv, &negcr);
+ if (err != mStatus_NoSuchRecord && err != mStatus_NoError)
+ {
+ dv->DVCallback(m, dv, DNSSEC_Bogus);
+ return mDNSfalse;
+ }
+ // Need to initialize the question as if we end up in ValidateWithNSECS below, the nsec proofs
+ // looks in "dv->q" for the proof. Note that we have to use currQtype as the response could be
+ // a CNAME and dv->rrset->rrtype would be set to CNAME and not the original question type that
+ // resulted in CNAME.
+ InitializeQuestion(m, &dv->q, dv->InterfaceID, &dv->rrset->name, dv->currQtype, VerifySigCallback, dv);
+ // We may not have the NSECS if the previous query was a non-DNSSEC query
+ if (negcr && negcr->nsec)
+ {
+ ValidateWithNSECS(m, dv, negcr);
+ return mDNSfalse;
+ }
+
+ dv->next = RRVS_key;
+ if (!dv->rrsig)
+ {
+ // We already found the rrset to verify. Ideally we should just issue the query for the RRSIG. Unfortunately,
+ // that does not work well as the response may not contain the RRSIG whose typeCovered matches the
+ // rrset->rrtype (recursive server returns what is in its cache). Hence, we send the original query with the
+ // DO bit set again to get the RRSIG. Normally this would happen if there was question which did not require
+ // DNSSEC validation (ValidationRequied = 0) populated the cache and later when the ValidationRequired question
+ // comes along, we need to get the RRSIGs. If we started off with ValidationRequired question we would have
+ // already set the DO bit and not able to get RRSIGs e.g., bad CPE device, we would reissue the query here
+ // again once more.
+ //
+ // Also, if it is a wildcard expanded answer, we need to issue the query with the original type for it to
+ // elicit the right NSEC records. Just querying for RRSIG alone is not sufficient.
+ //
+ // Note: For this to work, the core needs to deliver RRSIGs when they are added to the cache even if the
+ // "qtype" is not RRSIG.
+ debugdnssec("GetAllRRSetsForVerification: Fetching RRSIGS for RRSET");
+ dv->NumPackets++;
+ mDNS_StartQuery(m, &dv->q);
+ return mDNSfalse;
+ }
+ // if we found the RRSIG, then fall through to find the DNSKEY
+ case RRVS_key:
+ err = CheckKeyForRRSIG(m, dv, &negcr);
+ if (err != mStatus_NoSuchRecord && err != mStatus_NoError)
+ {
+ dv->DVCallback(m, dv, DNSSEC_Bogus);
+ return mDNSfalse;
+ }
+ // Need to initialize the question as if we end up in ValidateWithNSECS below, the nsec proofs
+ // looks in "dv->q" for the proof.
+ rrsig = (rdataRRSig *)dv->rrsig->rdata;
+ InitializeQuestion(m, &dv->q, dv->InterfaceID, (domainname *)&rrsig->signerName, kDNSType_DNSKEY, VerifySigCallback, dv);
+ // We may not have the NSECS if the previous query was a non-DNSSEC query
+ if (negcr && negcr->nsec)
+ {
+ ValidateWithNSECS(m, dv, negcr);
+ return mDNSfalse;
+ }
+
+ dv->next = RRVS_rrsig_key;
+ if (!dv->key)
+ {
+ debugdnssec("GetAllRRSetsForVerification: Fetching DNSKEY for RRSET");
+ dv->NumPackets++;
+ mDNS_StartQuery(m, &dv->q);
+ return mDNSfalse;
+ }
+ // if we found the DNSKEY, then fall through to find the RRSIG for the DNSKEY
+ case RRVS_rrsig_key:
+ err = CheckRRSIGForKey(m, dv, &negcr);
+ // if we are falling through, then it is okay if we don't find the record
+ if (err != mStatus_NoSuchRecord && err != mStatus_NoError)
+ {
+ dv->DVCallback(m, dv, DNSSEC_Bogus);
+ return mDNSfalse;
+ }
+ // Need to initialize the question as if we end up in ValidateWithNSECS below, the nsec proofs
+ // looks in "dv->q" for the proof.
+ rrsig = (rdataRRSig *)dv->rrsig->rdata;
+ InitializeQuestion(m, &dv->q, dv->InterfaceID, (domainname *)&rrsig->signerName, kDNSType_DNSKEY, VerifySigCallback, dv);
+ // We may not have the NSECS if the previous query was a non-DNSSEC query
+ if (negcr && negcr->nsec)
+ {
+ ValidateWithNSECS(m, dv, negcr);
+ return mDNSfalse;
+ }
+ dv->next = RRVS_ds;
+ debugdnssec("GetAllRRSetsForVerification: RRVS_rrsig_key %p", dv->rrsigKey);
+ if (!dv->rrsigKey)
+ {
+ debugdnssec("GetAllRRSetsForVerification: Fetching RRSIGS for DNSKEY");
+ dv->NumPackets++;
+ mDNS_StartQuery(m, &dv->q);
+ return mDNSfalse;
+ }
+ // if we found RRSIG for the DNSKEY, then fall through to find the DS
+ case RRVS_ds:
+ {
+ domainname *qname;
+ rrsig = (rdataRRSig *)dv->rrsig->rdata;
+ qname = (domainname *)&rrsig->signerName;
+
+ err = CheckDSForKey(m, dv, &negcr);
+ if (err != mStatus_NoSuchRecord && err != mStatus_NoError)
+ {
+ dv->DVCallback(m, dv, DNSSEC_Bogus);
+ return mDNSfalse;
+ }
+ // Need to initialize the question as if we end up in ValidateWithNSECS below, the nsec proofs
+ // looks in "dv->q" for the proof.
+ InitializeQuestion(m, &dv->q, dv->InterfaceID, qname, kDNSType_DS, VerifySigCallback, dv);
+ // We may not have the NSECS if the previous query was a non-DNSSEC query
+ if (negcr && negcr->nsec)
+ {
+ ValidateWithNSECS(m, dv, negcr);
+ return mDNSfalse;
+ }
+ dv->next = RRVS_done;
+ // If we have a trust anchor, then don't bother looking up the DS record
+ if (!dv->ds && !TrustedKeyPresent(m, dv))
+ {
+ // There is no DS for the root. Hence, if we don't have the trust
+ // anchor for root, just fail.
+ if (SameDomainName(qname, (const domainname *)"\000"))
+ {
+ LogDNSSEC("GetAllRRSetsForVerification: Reached root");
+ dv->DVCallback(m, dv, DNSSEC_Bogus);
+ return mDNSfalse;
+ }
+ debugdnssec("GetAllRRSetsForVerification: Fetching DS");
+ dv->NumPackets++;
+ mDNS_StartQuery(m, &dv->q);
+ return mDNSfalse;
+ }
+ else
+ {
+ debugdnssec("GetAllRRSetsForVerification: Skipped fetching the DS");
+ return mDNStrue;
+ }
+ }
+ default:
+ LogMsg("GetAllRRSetsForVerification: ERROR!! unknown next %d", dv->next);
+ dv->DVCallback(m, dv, DNSSEC_Bogus);
+ return mDNSfalse;
+ }
+}
+
+#ifdef DNSSEC_DEBUG
+mDNSlocal void PrintFixedSignInfo(rdataRRSig *rrsig, domainname *signerName, int sigNameLen, mDNSu8 *fixedPart, int fixedPartLen)
+{
+ int j;
+ char buf[RRSIG_FIXED_SIZE *3 + 1]; // 3 bytes count for %2x + 1 and the one byte for null at the end
+ char sig[sigNameLen * 3 + 1];
+ char fp[fixedPartLen * 3 + 1];
+ int length;
+
+ length = 0;
+ for (j = 0; j < RRSIG_FIXED_SIZE; j++)
+ length += mDNS_snprintf(buf+length, sizeof(buf) - length - 1, "%2x ", ((mDNSu8 *)rrsig)[j]);
+ LogMsg("RRSIG(%d) %s", RRSIG_FIXED_SIZE, buf);
+
+
+ length = 0;
+ for (j = 0; j < sigNameLen; j++)
+ length += mDNS_snprintf(sig+length, sizeof(sig) - length - 1, "%2x ", signerName->c[j]);
+ LogMsg("SIGNAME(%d) %s", sigNameLen, sig);
+
+ length = 0;
+ for (j = 0; j < fixedPartLen; j++)
+ length += mDNS_snprintf(fp+length, sizeof(fp) - length - 1, "%2x ", fixedPart[j]);
+ LogMsg("fixedPart(%d) %s", fixedPartLen, fp);
+}
+
+mDNSlocal void PrintVarSignInfo(mDNSu16 rdlen, mDNSu8 *rdata)
+{
+ unsigned int j;
+ mDNSu8 *r;
+ unsigned int blen = swap16(rdlen);
+ char buf[blen * 3 + 1]; // 3 bytes count for %2x + 1 and the one byte for null at the end
+ int length;
+
+ length = 0;
+
+ r = (mDNSu8 *)&rdlen;
+ for (j = 0; j < sizeof(mDNSu16); j++)
+ length += mDNS_snprintf(buf+length, sizeof(buf) - length - 1, "%2x ", r[j]);
+ LogMsg("RDLENGTH(%d) %s", sizeof(mDNSu16), buf);
+
+ length = 0;
+ for (j = 0; j < blen; j++)
+ length += mDNS_snprintf(buf+length, sizeof(buf) - length - 1, "%2x ", rdata[j]);
+ LogMsg("RDATA(%d) %s", blen, buf);
+}
+#else
+mDNSlocal void PrintVarSignInfo(mDNSu16 rdlen, mDNSu8 *rdata)
+{
+ (void)rdlen;
+ (void)rdata;
+}
+mDNSlocal void PrintFixedSignInfo(rdataRRSig *rrsig, domainname *signerName, int sigNameLen, mDNSu8 *fixedPart, int fixedPartLen)
+{
+ (void)rrsig;
+ (void)signerName;
+ (void)sigNameLen;
+ (void)fixedPart;
+ (void)fixedPartLen;
+}
+#endif
+
+// Used for RDATA comparison
+typedef struct
+{
+ mDNSu16 rdlength;
+ mDNSu16 rrtype;
+ mDNSu8 *rdata;
+} rdataComp;
+
+mDNSlocal int rdata_compare(mDNSu8 *const rdata1, mDNSu8 *const rdata2, int rdlen1, int rdlen2)
+{
+ int len;
+ int ret;
+
+ len = (rdlen1 < rdlen2) ? rdlen1 : rdlen2;
+
+ ret = DNSMemCmp(rdata1, rdata2, len);
+ if (ret != 0) return ret;
+
+ // RDATA is same at this stage. Consider them equal if they are of same length. Otherwise
+ // decide based on their lengths.
+ return ((rdlen1 == rdlen2) ? 0 : (rdlen1 < rdlen2) ? -1 : 1);
+}
+
+mDNSlocal int name_compare(mDNSu8 *const rdata1, mDNSu8 *const rdata2, int rdlen1, int rdlen2)
+{
+ domainname *n1 = (domainname *)rdata1;
+ domainname *n2 = (domainname *)rdata2;
+ mDNSu8 *a = n1->c;
+ mDNSu8 *b = n2->c;
+ int count, c1, c2;
+ int i, j, len;
+
+ c1 = CountLabels(n1);
+ c2 = CountLabels(n2);
+
+ count = c1 < c2 ? c1 : c2;
+
+ // We can't use SameDomainName as we need to know exactly which is greater/smaller
+ // for sorting purposes. Hence, we need to compare label by label
+ for (i = 0; i < count; i++)
+ {
+ // Are the lengths same ?
+ if (*a != *b)
+ {
+ debugdnssec("compare_name: returning c1 %d, c2 %d", *a, *b);
+ return ((*a < *b) ? -1 : 1);
+ }
+ len = *a;
+ rdlen1 -= (len + 1);
+ rdlen2 -= (len + 1);
+ if (rdlen1 < 0 || rdlen2 < 0)
+ {
+ LogMsg("name_compare: ERROR!! not enough data rdlen1 %d, rdlen2 %d", rdlen1, rdlen2);
+ return -1;
+ }
+ a++; b++;
+ for (j = 0; j < len; j++)
+ {
+ mDNSu8 ac = *a++;
+ mDNSu8 bc = *b++;
+ if (mDNSIsUpperCase(ac)) ac += 'a' - 'A';
+ if (mDNSIsUpperCase(bc)) bc += 'a' - 'A';
+ if (ac != bc)
+ {
+ debugdnssec("compare_name: returning ac %c, bc %c", ac, bc);
+ return ((ac < bc) ? -1 : 1);
+ }
+ }
+ }
+
+ return 0;
+}
+
+mDNSlocal int srv_compare(rdataComp *const r1, rdataComp *const r2)
+{
+ int res;
+ int length1, length2;
+
+ length1 = r1->rdlength;
+ length2 = r2->rdlength;
+ // We should have at least priority, weight, port plus 1 byte
+ if (length1 < 7 || length2 < 7)
+ {
+ LogMsg("srv_compare: ERROR!! Length smaller than 7 bytes");
+ return -1;
+ }
+ // Compare priority, weight and port
+ res = DNSMemCmp(r1->rdata, r2->rdata, 6);
+ if (res != 0) return res;
+ length1 -= 6;
+ length2 -= 6;
+ return (name_compare(r1->rdata + 6, r2->rdata + 6, length1, length2));
+}
+
+mDNSlocal int tsig_compare(rdataComp *const r1, rdataComp *const r2)
+{
+ int offset1, offset2;
+ int length1, length2;
+ int res, dlen;
+
+ offset1 = offset2 = 0;
+ length1 = r1->rdlength;
+ length2 = r2->rdlength;
+
+ // we should have at least one byte to start with
+ if (length1 < 1 || length2 < 1)
+ {
+ LogMsg("sig_compare: Length smaller than 18 bytes");
+ return -1;
+ }
+
+ res = name_compare(r1->rdata, r2->rdata, length1, length2);
+ if (res != 0) return res;
+
+ dlen = DomainNameLength((domainname *)r1->rdata);
+ offset1 += dlen;
+ offset2 += dlen;
+ length1 -= dlen;
+ length2 -= dlen;
+
+ if (length1 <= 1 || length2 <= 1)
+ {
+ LogMsg("tsig_compare: data too small to compare length1 %d, length2 %d", length1, length2);
+ return -1;
+ }
+
+ return (rdata_compare(r1->rdata + offset1, r2->rdata + offset2, length1, length2));
+}
+
+// Compares types that conform to : <length><Value>
+mDNSlocal int lenval_compare(mDNSu8 *d1, mDNSu8 *d2, int *len1, int *len2, int rem1, int rem2)
+{
+ int len;
+ int res;
+
+ if (rem1 <= 1 || rem2 <= 1)
+ {
+ LogMsg("lenval_compare: data too small to compare length1 %d, length2 %d", rem1, rem2);
+ return -1;
+ }
+ *len1 = (int)d1[0];
+ *len2 = (int)d2[0];
+ len = (*len1 < *len2 ? *len1 : *len2);
+ res = DNSMemCmp(d1, d2, len + 1);
+ return res;
+}
+
+// RFC 2915: Order (2) Preference(2) and variable length: Flags Service Regexp Replacement
+mDNSlocal int naptr_compare(rdataComp *const r1, rdataComp *const r2)
+{
+ mDNSu8 *d1 = r1->rdata;
+ mDNSu8 *d2 = r2->rdata;
+ int len1, len2, res;
+ int length1, length2;
+
+ length1 = r1->rdlength;
+ length2 = r2->rdlength;
+
+ // Order, Preference plus at least 1 byte
+ if (length1 < 5 || length2 < 5)
+ {
+ LogMsg("naptr_compare: Length smaller than 18 bytes");
+ return -1;
+ }
+ // Compare order and preference
+ res = DNSMemCmp(d1, d2, 4);
+ if (res != 0) return res;
+
+ d1 += 4;
+ d2 += 4;
+ length1 -= 4;
+ length2 -= 4;
+
+ // Compare Flags (including the length byte)
+ res = lenval_compare(d1, d2, &len1, &len2, length1, length2);
+ if (res != 0) return res;
+ d1 += (len1 + 1);
+ d2 += (len2 + 1);
+ length1 -= (len1 + 1);
+ length2 -= (len2 + 1);
+
+ // Compare Service (including the length byte)
+ res = lenval_compare(d1, d2, &len1, &len2, length1, length2);
+ if (res != 0) return res;
+ d1 += (len1 + 1);
+ d2 += (len2 + 1);
+ length1 -= (len1 + 1);
+ length2 -= (len2 + 1);
+
+ // Compare regexp (including the length byte)
+ res = lenval_compare(d1, d2, &len1, &len2, length1, length2);
+ if (res != 0) return res;
+ d1 += (len1 + 1);
+ d2 += (len2 + 1);
+ length1 -= (len1 + 1);
+ length2 -= (len2 + 1);
+
+ // Compare Replacement
+ return name_compare(d1, d2, length1, length2);
+}
+
+// RFC 1035: MINFO: Two domain names
+// RFC 1183: RP: Two domain names
+mDNSlocal int dom2_compare(mDNSu8 *d1, mDNSu8 *d2, int length1, int length2)
+{
+ int res, dlen;
+
+ // We need at least one byte to start with
+ if (length1 < 1 || length2 < 1)
+ {
+ LogMsg("dom2_compare:1: data too small length1 %d, length2 %d", length1, length2);
+ return -1;
+ }
+ res = name_compare(d1, d2, length1, length2);
+ if (res != 0) return res;
+ dlen = DomainNameLength((domainname *)d1);
+
+ length1 -= dlen;
+ length2 -= dlen;
+ // We need at least one byte to start with
+ if (length1 < 1 || length2 < 1)
+ {
+ LogMsg("dom2_compare:2: data too small length1 %d, length2 %d", length1, length2);
+ return -1;
+ }
+
+ d1 += dlen;
+ d2 += dlen;
+
+ return name_compare(d1, d2, length1, length2);
+}
+
+// MX : preference (2 bytes), domainname
+mDNSlocal int mx_compare(rdataComp *const r1, rdataComp *const r2)
+{
+ int res;
+ int length1, length2;
+
+ length1 = r1->rdlength;
+ length2 = r2->rdlength;
+
+ // We need at least two bytes + 1 extra byte for the domainname to start with
+ if (length1 < 3 || length2 < 3)
+ {
+ LogMsg("mx_compare: data too small length1 %d, length2 %d", length1, length2);
+ return -1;
+ }
+
+ res = DNSMemCmp(r1->rdata, r2->rdata, 2);
+ if (res != 0) return res;
+ length1 -= 2;
+ length2 -= 2;
+ return name_compare(r1->rdata + 2, r2->rdata + 2, length1, length2);
+}
+
+// RFC 2163 (PX) : preference (2 bytes), map822. mapx400 (domainnames)
+mDNSlocal int px_compare(rdataComp *const r1, rdataComp *const r2)
+{
+ int res;
+
+ // We need at least two bytes + 1 extra byte for the domainname to start with
+ if (r1->rdlength < 3 || r2->rdlength < 3)
+ {
+ LogMsg("px_compare: data too small length1 %d, length2 %d", r1->rdlength, r2->rdlength);
+ return -1;
+ }
+
+ res = DNSMemCmp(r1->rdata, r2->rdata, 2);
+ if (res != 0) return res;
+
+ return dom2_compare(r1->rdata + 2, r2->rdata + 2, r1->rdlength - 2, r2->rdlength - 2);
+}
+
+mDNSlocal int soa_compare(rdataComp *r1, rdataComp *r2)
+{
+ int res, dlen;
+ int offset1, offset2;
+ int length1, length2;
+
+ length1 = r1->rdlength;
+ length2 = r2->rdlength;
+ offset1 = offset2 = 0;
+
+ // We need at least 20 bytes plus 1 byte for each domainname
+ if (length1 < 22 || length2 < 22)
+ {
+ LogMsg("soa_compare:1: data too small length1 %d, length2 %d", length1, length2);
+ return -1;
+ }
+
+ // There are two domainnames followed by 20 bytes of serial, refresh, retry, expire and min
+ // Compare the names and then the rest of the bytes
+
+ res = name_compare(r1->rdata, r2->rdata, length1, length2);
+ if (res != 0) return res;
+
+ dlen = DomainNameLength((domainname *)r1->rdata);
+
+ length1 -= dlen;
+ length2 -= dlen;
+ if (length1 < 1 || length2 < 1)
+ {
+ LogMsg("soa_compare:2: data too small length1 %d, length2 %d", length1, length2);
+ return -1;
+ }
+ offset1 += dlen;
+ offset2 += dlen;
+
+ res = name_compare(r1->rdata + offset1, r2->rdata + offset2, length1, length2);
+ if (res != 0) return res;
+
+ dlen = DomainNameLength((domainname *)r1->rdata);
+ length1 -= dlen;
+ length2 -= dlen;
+ if (length1 < 20 || length2 < 20)
+ {
+ LogMsg("soa_compare:3: data too small length1 %d, length2 %d", length1, length2);
+ return -1;
+ }
+ offset1 += dlen;
+ offset2 += dlen;
+
+ return (rdata_compare(r1->rdata + offset1, r2->rdata + offset2, length1, length2));
+}
+
+// RFC 4034 Section 6.0 states that:
+//
+// A canonical RR form and ordering within an RRset are required in order to
+// construct and verify RRSIG RRs.
+//
+// This function is called to order within an RRset. We can't just do a memcmp as
+// as stated in 6.3. This function is responsible for the third bullet in 6.2, where
+// the RDATA has to be converted to lower case if it has domain names.
+mDNSlocal int RDATACompare(const void *rdata1, const void *rdata2)
+{
+ rdataComp *r1 = (rdataComp *)rdata1;
+ rdataComp *r2 = (rdataComp *)rdata2;
+
+ if (r1->rrtype != r2->rrtype)
+ {
+ LogMsg("RDATACompare: ERROR!! comparing rdata of wrong types type1: %d, type2: %d", r1->rrtype, r2->rrtype);
+ return -1;
+ }
+ switch (r1->rrtype)
+ {
+ case kDNSType_A: // 1. Address Record
+ case kDNSType_NULL: // 10 NULL RR
+ case kDNSType_WKS: // 11 Well-known-service
+ case kDNSType_HINFO: // 13 Host information
+ case kDNSType_TXT: // 16 Arbitrary text string
+ case kDNSType_X25: // 19 X_25 calling address
+ case kDNSType_ISDN: // 20 ISDN calling address
+ case kDNSType_NSAP: // 22 NSAP address
+ case kDNSType_KEY: // 25 Security key
+ case kDNSType_GPOS: // 27 Geographical position (withdrawn)
+ case kDNSType_AAAA: // 28 IPv6 Address
+ case kDNSType_LOC: // 29 Location Information
+ case kDNSType_EID: // 31 Endpoint identifier
+ case kDNSType_NIMLOC: // 32 Nimrod Locator
+ case kDNSType_ATMA: // 34 ATM Address
+ case kDNSType_CERT: // 37 Certification record
+ case kDNSType_A6: // 38 IPv6 Address (deprecated)
+ case kDNSType_SINK: // 40 Kitchen sink (experimental)
+ case kDNSType_OPT: // 41 EDNS0 option (meta-RR)
+ case kDNSType_APL: // 42 Address Prefix List
+ case kDNSType_DS: // 43 Delegation Signer
+ case kDNSType_SSHFP: // 44 SSH Key Fingerprint
+ case kDNSType_IPSECKEY: // 45 IPSECKEY
+ case kDNSType_RRSIG: // 46 RRSIG
+ case kDNSType_NSEC: // 47 Denial of Existence
+ case kDNSType_DNSKEY: // 48 DNSKEY
+ case kDNSType_DHCID: // 49 DHCP Client Identifier
+ case kDNSType_NSEC3: // 50 Hashed Authenticated Denial of Existence
+ case kDNSType_NSEC3PARAM: // 51 Hashed Authenticated Denial of Existence
+ case kDNSType_HIP: // 55 Host Identity Protocol
+ case kDNSType_SPF: // 99 Sender Policy Framework for E-Mail
+ default:
+ return rdata_compare(r1->rdata, r2->rdata, r1->rdlength, r2->rdlength);
+ case kDNSType_NS: // 2 Name Server
+ case kDNSType_MD: // 3 Mail Destination
+ case kDNSType_MF: // 4 Mail Forwarder
+ case kDNSType_CNAME: // 5 Canonical Name
+ case kDNSType_MB: // 7 Mailbox
+ case kDNSType_MG: // 8 Mail Group
+ case kDNSType_MR: // 9 Mail Rename
+ case kDNSType_PTR: // 12 Domain name pointer
+ case kDNSType_NSAP_PTR: // 23 Reverse NSAP lookup (deprecated)
+ case kDNSType_DNAME: // 39 Non-terminal DNAME (for IPv6)
+ return name_compare(r1->rdata, r2->rdata, r1->rdlength, r2->rdlength);
+ case kDNSType_SRV: // 33 Service record
+ return srv_compare(r1, r2);
+ case kDNSType_SOA: // 6 Start of Authority
+ return soa_compare(r1, r2);
+
+ case kDNSType_RP: // 17 Responsible person
+ case kDNSType_MINFO: // 14 Mailbox information
+ return dom2_compare(r1->rdata, r2->rdata, r1->rdlength, r2->rdlength);
+ case kDNSType_MX: // 15 Mail Exchanger
+ case kDNSType_AFSDB: // 18 AFS cell database
+ case kDNSType_RT: // 21 Router
+ case kDNSType_KX: // 36 Key Exchange
+ return mx_compare(r1, r2);
+ case kDNSType_PX: // 26 X.400 mail mapping
+ return px_compare(r1, r2);
+ case kDNSType_NAPTR: // 35 Naming Authority PoinTeR
+ return naptr_compare(r1, r2);
+ case kDNSType_TKEY: // 249 Transaction key
+ case kDNSType_TSIG: // 250 Transaction signature
+ // TSIG and TKEY have a domainname followed by data
+ return tsig_compare(r1, r2);
+ // TBD: We are comparing them as opaque types, perhaps not right
+ case kDNSType_SIG: // 24 Security signature
+ case kDNSType_NXT: // 30 Next domain (security)
+ LogMsg("RDATACompare: WARNING!! explicit support has not been added, using default");
+ return rdata_compare(r1->rdata, r2->rdata, r1->rdlength, r2->rdlength);
+ }
+}
+
+
+
+// RFC 4034 section 6.2 requirement for verifying signature.
+//
+// 3. if the type of the RR is NS, MD, MF, CNAME, SOA, MB, MG, MR, PTR,
+// HINFO, MINFO, MX, HINFO, RP, AFSDB, RT, SIG, PX, NXT, NAPTR, KX,
+// SRV, DNAME, A6, RRSIG, or NSEC, all uppercase US-ASCII letters in
+// the DNS names contained within the RDATA are replaced by the
+// corresponding lowercase US-ASCII letters;
+//
+// NSEC and HINFO is not needed as per dnssec-bis update. RRSIG is done elsewhere
+// as part of signature verification
+mDNSlocal void ConvertRDATAToCanonical(mDNSu16 rrtype, mDNSu16 rdlength, mDNSu8 *rdata)
+{
+ domainname name;
+ int len;
+ mDNSu8 *origRdata = rdata;
+
+ // Ensure that we have at least one byte of data to examine and modify.
+
+ if (!rdlength) { LogMsg("ConvertRDATAToCanonical: rdlength zero for rrtype %s", DNSTypeName(rrtype)); return; }
+
+ switch (rrtype)
+ {
+ // Not adding suppot for A6 as it is deprecated
+ case kDNSType_A6: // 38 IPv6 Address (deprecated)
+ default:
+ debugdnssec("ConvertRDATAToCanonical: returning from default %s", DNSTypeName(rrtype));
+ return;
+ case kDNSType_NS: // 2 Name Server
+ case kDNSType_MD: // 3 Mail Destination
+ case kDNSType_MF: // 4 Mail Forwarder
+ case kDNSType_CNAME: // 5 Canonical Name
+ case kDNSType_MB: // 7 Mailbox
+ case kDNSType_MG: // 8 Mail Group
+ case kDNSType_MR: // 9 Mail Rename
+ case kDNSType_PTR: // 12 Domain name pointer
+ case kDNSType_DNAME: // 39 Non-terminal DNAME (for IPv6)
+ case kDNSType_NXT: // 30 Next domain (security)
+
+ // TSIG and TKEY are not mentioned in RFC 4034, but we just leave it here
+ case kDNSType_TSIG: // 250 Transaction signature
+ case kDNSType_TKEY: // 249 Transaction key
+
+ if (DNSNameToLowerCase((domainname *)rdata, &name) != mStatus_NoError)
+ {
+ LogMsg("ConvertRDATAToCanonical: ERROR!! DNSNameToLowerCase failed");
+ return;
+ }
+ AssignDomainName((domainname *)rdata, &name);
+ return;
+ case kDNSType_MX: // 15 Mail Exchanger
+ case kDNSType_AFSDB: // 18 AFS cell database
+ case kDNSType_RT: // 21 Router
+ case kDNSType_KX: // 36 Key Exchange
+
+ // format: preference - 2 bytes, followed by name
+ // Ensure that we have at least 3 bytes (preference + 1 byte for the domain name)
+ if (rdlength <= 3)
+ {
+ LogMsg("ConvertRDATAToCanonical:MX: rdlength %d for rrtype %s too small", rdlength, DNSTypeName(rrtype));
+ return;
+ }
+ if (DNSNameToLowerCase((domainname *)(rdata + 2), &name) != mStatus_NoError)
+ {
+ LogMsg("ConvertRDATAToCanonical: MX: ERROR!! DNSNameToLowerCase failed");
+ return;
+ }
+ AssignDomainName((domainname *)(rdata + 2), &name);
+ return;
+ case kDNSType_SRV: // 33 Service record
+ // format : priority, weight and port - 6 bytes, followed by name
+ if (rdlength <= 7)
+ {
+ LogMsg("ConvertRDATAToCanonical:SRV: rdlength %d for rrtype %s too small", rdlength, DNSTypeName(rrtype));
+ return;
+ }
+ if (DNSNameToLowerCase((domainname *)(rdata + 6), &name) != mStatus_NoError)
+ {
+ LogMsg("ConvertRDATAToCanonical: SRV: ERROR!! DNSNameToLowerCase failed");
+ return;
+ }
+ AssignDomainName((domainname *)(rdata + 6), &name);
+ return;
+ case kDNSType_PX: // 26 X.400 mail mapping
+ if (rdlength <= 3)
+ {
+ LogMsg("ConvertRDATAToCanonical:PX: rdlength %d for rrtype %s too small", rdlength, DNSTypeName(rrtype));
+ return;
+ }
+ // Preference followed by two domain names
+ rdata += 2;
+ /* FALLTHROUGH */
+ case kDNSType_RP: // 17 Responsible person
+ case kDNSType_SOA: // 6 Start of Authority
+ case kDNSType_MINFO: // 14 Mailbox information
+ if (DNSNameToLowerCase((domainname *)rdata, &name) != mStatus_NoError)
+ {
+ LogMsg("ConvertRDATAToCanonical: SOA1: ERROR!! DNSNameToLowerCase failed");
+ return;
+ }
+
+ AssignDomainName((domainname *)rdata, &name);
+ len = DomainNameLength((domainname *)rdata);
+ if (rdlength <= len + 1)
+ {
+ LogMsg("ConvertRDATAToCanonical:RP: rdlength %d for rrtype %s too small", rdlength, DNSTypeName(rrtype));
+ return;
+ }
+ rdata += len;
+
+ if (DNSNameToLowerCase((domainname *)rdata, &name) != mStatus_NoError)
+ {
+ LogMsg("ConvertRDATAToCanonical: SOA2: ERROR!! DNSNameToLowerCase failed");
+ return;
+ }
+ AssignDomainName((domainname *)rdata, &name);
+ return;
+ case kDNSType_NAPTR: // 35 Naming Authority Pointer
+ // order and preference
+ rdata += 4;
+ // Flags (including the length byte)
+ rdata += (((int) rdata[0]) + 1);
+ // Service (including the length byte)
+ rdata += (((int) rdata[0]) + 1);
+ // regexp (including the length byte)
+ rdata += (((int) rdata[0]) + 1);
+
+ // Replacement field is a domainname. If we have at least one more byte, then we are okay.
+ if ((origRdata + rdlength) < rdata + 1)
+ {
+ LogMsg("ConvertRDATAToCanonical:NAPTR: origRdata %p, rdlength %d, rdata %p for rrtype %s too small", origRdata, rdlength, rdata, DNSTypeName(rrtype));
+ return;
+ }
+ if (DNSNameToLowerCase((domainname *)rdata, &name) != mStatus_NoError)
+ {
+ LogMsg("ConvertRDATAToCanonical: NAPTR2: ERROR!! DNSNameToLowerCase failed");
+ return;
+ }
+ AssignDomainName((domainname *)rdata, &name);
+ case kDNSType_SIG: // 24 Security signature
+ // format: <18 bytes> <domainname> <data>
+ if (rdlength <= 19)
+ {
+ LogMsg("ConvertRDATAToCanonical:SIG: rdlength %d for rrtype %s too small", rdlength, DNSTypeName(rrtype));
+ return;
+ }
+ // Preference followed by two domain names
+ rdata += 18;
+ if (DNSNameToLowerCase((domainname *)rdata, &name) != mStatus_NoError)
+ {
+ LogMsg("ConvertRDATAToCanonical: SIG: ERROR!! DNSNameToLowerCase failed");
+ return;
+ }
+ AssignDomainName((domainname *)rdata, &name);
+ return;
+ }
+}
+
+mDNSlocal mDNSBool ValidateSignatureWithKey(DNSSECVerifier *dv, RRVerifier *rrset, RRVerifier *keyv, RRVerifier *sig)
+{
+ domainname name;
+ domainname signerName;
+ int labels;
+ mDNSu8 fixedPart[MAX_DOMAIN_NAME + 8]; // domainname + type + class + ttl
+ int fixedPartLen;
+ RRVerifier *tmp;
+ int nrrsets;
+ rdataComp *ptr, *start, *p;
+ rdataRRSig *rrsig;
+ rdataDNSKey *key;
+ int i;
+ int sigNameLen;
+ mDNSu16 temp;
+ mStatus algRet;
+
+
+ key = (rdataDNSKey *)keyv->rdata;
+ rrsig = (rdataRRSig *)sig->rdata;
+
+ LogDNSSEC("ValidateSignatureWithKey: Validating signature with key with tag %d", (mDNSu16)keytag((mDNSu8 *)key, keyv->rdlength));
+
+ if (DNSNameToLowerCase((domainname *)&rrsig->signerName, &signerName) != mStatus_NoError)
+ {
+ LogMsg("ValidateSignatureWithKey: ERROR!! cannot convert signer name to lower case");
+ return mDNSfalse;
+ }
+
+ if (DNSNameToLowerCase((domainname *)&rrset->name, &name) != mStatus_NoError)
+ {
+ LogMsg("ValidateSignatureWithKey: ERROR!! cannot convert rrset name to lower case");
+ return mDNSfalse;
+ }
+
+ sigNameLen = DomainNameLength(&signerName);
+ labels = CountLabels(&name);
+ // RFC 4034: RRSIG validation
+ //
+ // signature = sign(RRSIG_RDATA | RR(1) | RR(2)... )
+ //
+ // where RRSIG_RDATA excludes the signature and signer name in canonical form
+
+ if (dv->ctx) AlgDestroy(dv->ctx);
+ dv->ctx = AlgCreate(CRYPTO_ALG, rrsig->alg);
+ if (!dv->ctx)
+ {
+ LogDNSSEC("ValidateSignatureWithKey: ERROR!! No algorithm support for %d", rrsig->alg);
+ return mDNSfalse;
+ }
+ AlgAdd(dv->ctx, (const mDNSu8 *)rrsig, RRSIG_FIXED_SIZE);
+ AlgAdd(dv->ctx, signerName.c, sigNameLen);
+
+ if (labels - rrsig->labels > 0)
+ {
+ domainname *d;
+ LogDNSSEC("ValidateSignatureWithKey: ====splitting labels %d, rrsig->labels %d====", labels,rrsig->labels);
+ d = (domainname *)SkipLeadingLabels(&name, labels - rrsig->labels);
+ fixedPart[0] = 1;
+ fixedPart[1] = '*';
+ AssignDomainName((domainname *)(fixedPart + 2), d);
+ fixedPartLen = DomainNameLength(d) + 2;
+ // See RFC 4034 section 3.1.3. If you are looking up *.example.com,
+ // the labels count in the RRSIG is 2, but this is not considered as
+ // a wildcard answer
+ if (name.c[0] != 1 || name.c[1] != '*')
+ {
+ LogDNSSEC("ValidateSignatureWithKey: Wildcard exapnded answer for %##s (%s)", dv->origName.c, DNSTypeName(dv->origType));
+ dv->flags |= WILDCARD_PROVES_ANSWER_EXPANDED;
+ dv->wildcardName = (domainname *)SkipLeadingLabels(&dv->origName, labels - rrsig->labels);
+ if (!dv->wildcardName) return mDNSfalse;
+ }
+ }
+ else
+ {
+ debugdnssec("ValidateSignatureWithKey: assigning domainname");
+ AssignDomainName((domainname *)fixedPart, &name);
+ fixedPartLen = DomainNameLength(&name);
+ }
+ temp = swap16(rrset->rrtype);
+ mDNSPlatformMemCopy(fixedPart + fixedPartLen, (mDNSu8 *)&temp, sizeof(rrset->rrtype));
+ fixedPartLen += sizeof(rrset->rrtype);
+ temp = swap16(rrset->rrclass);
+ mDNSPlatformMemCopy(fixedPart + fixedPartLen, (mDNSu8 *)&temp, sizeof(rrset->rrclass));
+ fixedPartLen += sizeof(rrset->rrclass);
+ mDNSPlatformMemCopy(fixedPart + fixedPartLen, (mDNSu8 *)&rrsig->origTTL, sizeof(rrsig->origTTL));
+ fixedPartLen += sizeof(rrsig->origTTL);
+
+
+ for (tmp = rrset, nrrsets = 0; tmp; tmp = tmp->next)
+ nrrsets++;
+
+ tmp = rrset;
+ start = ptr = mDNSPlatformMemAllocate(nrrsets * sizeof (rdataComp));
+ debugdnssec("ValidateSignatureWithKey: start %p, nrrsets %d", start, nrrsets);
+ if (ptr)
+ {
+ // Need to initialize for failure case below
+ mDNSPlatformMemZero(ptr, nrrsets * (sizeof (rdataComp)));
+ while (tmp)
+ {
+ ptr->rdlength = tmp->rdlength;
+ ptr->rrtype = tmp->rrtype;
+ if (ptr->rdlength)
+ {
+ ptr->rdata = mDNSPlatformMemAllocate(ptr->rdlength);
+ if (ptr->rdata)
+ {
+ mDNSPlatformMemCopy(ptr->rdata, tmp->rdata, tmp->rdlength);
+ }
+ else
+ {
+ for (i = 0; i < nrrsets; i++)
+ if (start[i].rdata) mDNSPlatformMemFree(start[i].rdata);
+ mDNSPlatformMemFree(start);
+ LogMsg("ValidateSignatureWithKey:1: ERROR!! RDATA memory alloation failure");
+ return mDNSfalse;
+ }
+ }
+ ptr++;
+ tmp = tmp->next;
+ }
+ }
+ else
+ {
+ LogMsg("ValidateSignatureWithKey:2: ERROR!! RDATA memory alloation failure");
+ return mDNSfalse;
+ }
+
+ PrintFixedSignInfo(rrsig, &signerName, sigNameLen, fixedPart, fixedPartLen);
+
+ mDNSPlatformQsort(start, nrrsets, sizeof(rdataComp), RDATACompare);
+ for (p = start, i = 0; i < nrrsets; p++, i++)
+ {
+ int rdlen;
+
+ // The array is sorted and hence checking adjacent entries for duplicate is sufficient
+ if (i > 0)
+ {
+ rdataComp *q = p - 1;
+ if (!RDATACompare((void *)p, (void *)q)) continue;
+ }
+
+ // Add the fixed part
+ AlgAdd(dv->ctx, (const mDNSu8 *)fixedPart, fixedPartLen);
+
+ // Add the rdlength
+ rdlen = swap16(p->rdlength);
+ AlgAdd(dv->ctx, (const mDNSu8 *)&rdlen, sizeof(mDNSu16));
+
+ ConvertRDATAToCanonical(p->rrtype, p->rdlength, p->rdata);
+
+ PrintVarSignInfo(rdlen, p->rdata);
+ AlgAdd(dv->ctx, (const mDNSu8 *)p->rdata, p->rdlength);
+ }
+ // free the memory as we don't need it anymore
+ for (i = 0; i < nrrsets; i++)
+ if (start[i].rdata) mDNSPlatformMemFree(start[i].rdata);
+ mDNSPlatformMemFree(start);
+
+ algRet = AlgVerify(dv->ctx, (mDNSu8 *)&key->data, keyv->rdlength - DNSKEY_FIXED_SIZE, (mDNSu8 *)(sig->rdata + sigNameLen + RRSIG_FIXED_SIZE), sig->rdlength - RRSIG_FIXED_SIZE - sigNameLen);
+ AlgDestroy(dv->ctx);
+ dv->ctx = mDNSNULL;
+ if (algRet != mStatus_NoError)
+ {
+ LogDNSSEC("ValidateSignatureWithKey: AlgVerify failed for %##s (%s)", dv->origName.c, DNSTypeName(dv->origType));
+ // Reset the state if we set any above.
+ if (dv->flags & WILDCARD_PROVES_ANSWER_EXPANDED)
+ {
+ dv->flags &= ~WILDCARD_PROVES_ANSWER_EXPANDED;
+ dv->wildcardName = mDNSNULL;
+ }
+ return mDNSfalse;
+ }
+ return mDNStrue;
+}
+
+// Walk all the keys and for each key walk all the RRSIGS that signs the original rrset
+mDNSlocal mStatus ValidateSignature(DNSSECVerifier *dv, RRVerifier **resultKey, RRVerifier **resultRRSIG)
+{
+ RRVerifier *rrset;
+ RRVerifier *keyv;
+ RRVerifier *rrsigv;
+ RRVerifier *sig;
+ rdataDNSKey *key;
+ rdataRRSig *rrsig;
+ mDNSu16 tag;
+
+ rrset = dv->rrset;
+ sig = dv->rrsig;
+
+ for (keyv = dv->key; keyv; keyv = keyv->next)
+ {
+ key = (rdataDNSKey *)keyv->rdata;
+ tag = (mDNSu16)keytag((mDNSu8 *)key, keyv->rdlength);
+ for (rrsigv = sig; rrsigv; rrsigv = rrsigv->next)
+ {
+ rrsig = (rdataRRSig *)rrsigv->rdata;
+ // 7. The RRSIG RR's Signer's Name, Algorithm, and Key Tag fields MUST match the owner
+ // name, algorithm, and key tag for some DNSKEY RR in the zone's apex DNSKEY RRset.
+ if (!SameDomainName((domainname *)&rrsig->signerName, &keyv->name))
+ {
+ debugdnssec("ValidateSignature: name mismatch");
+ continue;
+ }
+ if (key->alg != rrsig->alg)
+ {
+ debugdnssec("ValidateSignature: alg mismatch");
+ continue;
+ }
+ if (tag != swap16(rrsig->keyTag))
+ {
+ debugdnssec("ValidateSignature: keyTag mismatch rrsig tag %d(0x%x), keyTag %d(0x%x)", swap16(rrsig->keyTag),
+ swap16(rrsig->keyTag), tag, tag);
+ continue;
+ }
+ // 8. The matching DNSKEY RR MUST be present in the zone's apex DNSKEY RRset, and MUST
+ // have the Zone Flag bit (DNSKEY RDATA Flag bit 7) set.
+ if (!((swap16(key->flags)) & DNSKEY_ZONE_SIGN_KEY))
+ {
+ debugdnssec("ValidateSignature: ZONE flag bit not set");
+ continue;
+ }
+ debugdnssec("ValidateSignature:Found a key and RRSIG tag: %d", tag);
+ if (ValidateSignatureWithKey(dv, rrset, keyv, rrsigv))
+ {
+ LogDNSSEC("ValidateSignature: Validated successfully with key tag %d", tag);
+ *resultKey = keyv;
+ *resultRRSIG = rrsigv;
+ return mStatus_NoError;
+ }
+ }
+ }
+ *resultKey = mDNSNULL;
+ *resultRRSIG = mDNSNULL;
+ return mStatus_NoSuchRecord;
+}
+
+mDNSlocal mDNSBool ValidateSignatureWithKeyForAllRRSigs(DNSSECVerifier *dv, RRVerifier *rrset, RRVerifier *keyv, RRVerifier *sig)
+{
+ rdataRRSig *rrsig;
+ mDNSu16 tag;
+
+ while (sig)
+ {
+ rrsig = (rdataRRSig *)sig->rdata;
+ tag = (mDNSu16)keytag(keyv->rdata, keyv->rdlength);
+ if (tag == swap16(rrsig->keyTag))
+ {
+ if (ValidateSignatureWithKey(dv, rrset, keyv, sig))
+ {
+ LogDNSSEC("ValidateSignatureWithKeyForAllRRSigs: Validated");
+ return mDNStrue;
+ }
+ }
+ sig = sig->next;
+ }
+ return mDNSfalse;
+}
+
+mDNSlocal mStatus ValidateDS(DNSSECVerifier *dv)
+{
+ mDNSu8 *digest;
+ int digestLen;
+ domainname name;
+ rdataRRSig *rrsig;
+ rdataDS *ds;
+ rdataDNSKey *key;
+ RRVerifier *keyv;
+ RRVerifier *dsv;
+ mStatus algRet;
+
+ rrsig = (rdataRRSig *)dv->rrsig->rdata;
+
+ // Walk all the DS Records to see if we have a matching DNS KEY record that verifies
+ // the hash. If we find one, verify that this key was used to sign the KEY rrsets in
+ // this zone. Loop till we find one.
+ for (dsv = dv->ds; dsv; dsv = dsv->next)
+ {
+ ds = (rdataDS *)dsv->rdata;
+ if ((ds->digestType != SHA1_DIGEST_TYPE) && (ds->digestType != SHA256_DIGEST_TYPE))
+ {
+ LogDNSSEC("ValidateDS: Unsupported digest %d", ds->digestType);
+ return mStatus_BadParamErr;
+ }
+ else debugdnssec("ValidateDS: digest type %d", ds->digestType);
+ for (keyv = dv->key; keyv; keyv = keyv->next)
+ {
+ key = (rdataDNSKey *)keyv->rdata;
+ mDNSu16 tag = (mDNSu16)keytag((mDNSu8 *)key, keyv->rdlength);
+ if (tag != swap16(ds->keyTag))
+ {
+ debugdnssec("ValidateDS:Not a valid keytag %d", tag);
+ continue;
+ }
+
+ if (DNSNameToLowerCase((domainname *)&rrsig->signerName, &name) != mStatus_NoError)
+ {
+ LogMsg("ValidateDS: ERROR!! cannot convert to lower case");
+ continue;
+ }
+
+ if (dv->ctx) AlgDestroy(dv->ctx);
+ dv->ctx = AlgCreate(DIGEST_ALG, ds->digestType);
+ if (!dv->ctx)
+ {
+ LogMsg("ValidateDS: ERROR!! Cannot allocate context");
+ continue;
+ }
+ digest = (mDNSu8 *)&ds->digest;
+ digestLen = dsv->rdlength - DS_FIXED_SIZE;
+
+ AlgAdd(dv->ctx, name.c, DomainNameLength(&name));
+ AlgAdd(dv->ctx, (const mDNSu8 *)key, keyv->rdlength);
+
+ algRet = AlgVerify(dv->ctx, mDNSNULL, 0, digest, digestLen);
+ AlgDestroy(dv->ctx);
+ dv->ctx = mDNSNULL;
+ if (algRet == mStatus_NoError)
+ {
+ LogDNSSEC("ValidateDS: DS Validated Successfully, need to verify the key %d", tag);
+ // We found the DNS KEY that is authenticated by the DS in our parent zone. Check to see if this key
+ // was used to sign the DNS KEY RRSET. If so, then the keys in our DNS KEY RRSET are valid
+ if (ValidateSignatureWithKeyForAllRRSigs(dv, dv->key, keyv, dv->rrsigKey))
+ {
+ LogDNSSEC("ValidateDS: DS Validated Successfully %d", tag);
+ return mStatus_NoError;
+ }
+ }
+ }
+ }
+ return mStatus_NoSuchRecord;
+}
+
+mDNSlocal mDNSBool UnlinkRRVerifier(DNSSECVerifier *dv, RRVerifier *elem, RRVerifierSet set)
+{
+ RRVerifier **v;
+
+ switch (set)
+ {
+ case RRVS_rr:
+ v = &dv->rrset;
+ break;
+ case RRVS_rrsig:
+ v = &dv->rrsig;
+ break;
+ case RRVS_key:
+ v = &dv->key;
+ break;
+ case RRVS_rrsig_key:
+ v = &dv->rrsigKey;
+ break;
+ case RRVS_ds:
+ v = &dv->ds;
+ break;
+ default:
+ LogMsg("UnlinkRRVerifier: ERROR!! default case %d", set);
+ return mDNSfalse;
+ }
+ while (*v && *v != elem)
+ v = &(*v)->next;
+ if (!(*v))
+ {
+ LogMsg("UnlinkRRVerifier: ERROR!! cannot find element in set %d", set);
+ return mDNSfalse;
+ }
+ *v = elem->next; // Cut this record from the list
+ elem->next = mDNSNULL;
+ return mDNStrue;
+}
+
+// This can link a single AuthChain element or a list of AuthChain elements to
+// DNSSECVerifier. The latter happens when we have multiple NSEC proofs and
+// we gather up all the proofs in one place.
+mDNSexport void AuthChainLink(DNSSECVerifier *dv, AuthChain *ae)
+{
+ AuthChain *head;
+
+ LogDNSSEC("AuthChainLink: called");
+
+ head = ae;
+ // Get to the last element
+ while (ae->next)
+ ae = ae->next;
+ *(dv->actail) = head; // Append this record to tail of auth chain
+ dv->actail = &(ae->next); // Advance tail pointer
+}
+
+mDNSlocal mDNSBool AuthChainAdd(DNSSECVerifier *dv, RRVerifier *resultKey, RRVerifier *resultRRSig)
+{
+ AuthChain *ae;
+ rdataDNSKey *key;
+ mDNSu16 tag;
+
+ if (!dv->rrset || !resultKey || !resultRRSig)
+ {
+ LogMsg("AuthChainAdd: ERROR!! input argument NULL");
+ return mDNSfalse;
+ }
+
+ // Unlink resultKey and resultRRSig and store as part of AuthChain
+ if (!UnlinkRRVerifier(dv, resultKey, RRVS_key))
+ {
+ LogMsg("AuthChainAdd: ERROR!! cannot unlink key");
+ return mDNSfalse;
+ }
+ if (!UnlinkRRVerifier(dv, resultRRSig, RRVS_rrsig))
+ {
+ LogMsg("AuthChainAdd: ERROR!! cannot unlink rrsig");
+ return mDNSfalse;
+ }
+
+ ae = mDNSPlatformMemAllocate(sizeof(AuthChain));
+ if (!ae)
+ {
+ LogMsg("AuthChainAdd: AuthChain alloc failure");
+ return mDNSfalse;
+ }
+
+ ae->next = mDNSNULL;
+ ae->rrset = dv->rrset;
+ dv->rrset = mDNSNULL;
+
+ ae->rrsig = resultRRSig;
+ ae->key = resultKey;
+
+ key = (rdataDNSKey *)resultKey->rdata;
+ tag = (mDNSu16)keytag((mDNSu8 *)key, resultKey->rdlength);
+ LogDNSSEC("AuthChainAdd: inserting AuthChain element with rrset %##s (%s), DNSKEY tag %d", ae->rrset->name.c, DNSTypeName(ae->rrset->rrtype), tag);
+
+ AuthChainLink(dv, ae);
+ return mDNStrue;
+}
+
+// RFC 4035: Section 5.3.3
+//
+// If the resolver accepts the RRset as authentic, the validator MUST set the TTL of
+// the RRSIG RR and each RR in the authenticated RRset to a value no greater than the
+// minimum of:
+//
+// o the RRset's TTL as received in the response;
+//
+// o the RRSIG RR's TTL as received in the response;
+//
+// o the value in the RRSIG RR's Original TTL field; and
+//
+// o the difference of the RRSIG RR's Signature Expiration time and the
+// current time.
+mDNSlocal void SetTTLRRSet(mDNS *const m, DNSSECVerifier *dv, DNSSECStatus status)
+{
+ DNSQuestion question;
+ CacheRecord *rr;
+ RRVerifier *rrsigv;
+ rdataRRSig *rrsig;
+ mDNSu32 slot;
+ CacheGroup *cg;
+ int sigNameLen, len;
+ mDNSu8 *ptr;
+ mDNSu32 rrTTL, rrsigTTL, rrsigOrigTTL, rrsigTimeTTL;
+ domainname *qname;
+ mDNSu16 qtype;
+ CacheRecord *rrsigRR;
+ mDNSs32 now;
+
+ debugdnssec("SetTTLRRSet called");
+
+ if (status == DNSSEC_Insecure || status == DNSSEC_Indeterminate)
+ {
+ LogDNSSEC("SetTTLRRSET: not setting ttl for status %s", DNSSECStatusName(status));
+ return;
+ }
+
+ mDNS_Lock(m);
+ now = m->timenow;
+ mDNS_Unlock(m);
+
+ mDNSPlatformMemZero(&question, sizeof(DNSQuestion));
+ rrTTL = rrsigTTL = rrsigOrigTTL = rrsigTimeTTL = 0;
+
+ // 1. Locate the rrset name and get its TTL (take the first one as a representative
+ // of the rrset). Ideally, we should set the TTL on the first validation. Instead,
+ // we do it whenever we validate which happens whenever a ValidationRequired question
+ // finishes validation.
+ qname = &dv->origName;
+ qtype = dv->origType;
+
+ question.ThisQInterval = -1;
+ InitializeQuestion(m, &question, dv->InterfaceID, qname, qtype, mDNSNULL, mDNSNULL);
+ slot = HashSlot(&question.qname);
+ cg = CacheGroupForName(m, slot, question.qnamehash, &question.qname);
+
+ if (!cg)
+ {
+ LogMsg("SetTTLRRSet cg NULL for %##s (%s)", dv->origName.c, DNSTypeName(dv->origType));
+ return;
+ }
+
+ for (rr = cg->members; rr; rr = rr->next)
+ if (SameNameRecordAnswersQuestion(&rr->resrec, &question))
+ {
+ // originalttl is never touched. The actual TTL is derived based on when it was
+ // received.
+ rrTTL = rr->resrec.rroriginalttl - (now - rr->TimeRcvd)/mDNSPlatformOneSecond;
+ break;
+ }
+
+ // Should we check to see if it matches the record in dv->ac->rrset ?
+ if (!rr)
+ {
+ LogMsg("SetTTLRRSet: ERROR!! cannot locate main rrset for %##s (%s)", qname->c, DNSTypeName(qtype));
+ return;
+ }
+
+
+ // 2. Get the RRSIG ttl. For NSEC records we need to get the NSEC record's TTL as
+ // the negative cache record that we created may not be right.
+
+ if (dv->ac && dv->ac->rrsig)
+ {
+ rrsigv = dv->ac->rrsig;
+ rrsig = (rdataRRSig *)rrsigv->rdata;
+ sigNameLen = DomainNameLength((domainname *)&rrsig->signerName);
+ // pointer to signature and the length
+ ptr = (mDNSu8 *)(rrsigv->rdata + sigNameLen + RRSIG_FIXED_SIZE);
+ len = rrsigv->rdlength - RRSIG_FIXED_SIZE - sigNameLen;
+ }
+ else
+ {
+ rrsigv = mDNSNULL;
+ rrsig = mDNSNULL;
+ ptr = mDNSNULL;
+ sigNameLen = len = 0;
+ }
+
+ rrsigRR = mDNSNULL;
+ if (rr->resrec.RecordType == kDNSRecordTypePacketNegative && status == DNSSEC_Secure)
+ {
+ CacheRecord *ncr;
+ rrTTL = 0;
+ for (ncr = rr->nsec; ncr; ncr = ncr->next)
+ {
+ if (ncr->resrec.rrtype == kDNSType_NSEC || ncr->resrec.rrtype == kDNSType_NSEC3)
+ {
+ rrTTL = ncr->resrec.rroriginalttl - (now - ncr->TimeRcvd)/mDNSPlatformOneSecond;
+ debugdnssec("SetTTLRRSet: NSEC TTL %u", rrTTL);
+ }
+ // Note: we can't use dv->origName here as the NSEC record's RRSIG may not match
+ // the original name
+ if (rrsigv && ncr->resrec.rrtype == kDNSType_RRSIG && SameDomainName(ncr->resrec.name, &rrsigv->name))
+ {
+ RDataBody2 *rdb = (RDataBody2 *)ncr->resrec.rdata->u.data;
+ rdataRRSig *sig = (rdataRRSig *)rdb->data;
+ if (rrsigv->rdlength != ncr->resrec.rdlength)
+ {
+ debugdnssec("SetTTLRRSet length mismatch");
+ continue;
+ }
+ if (mDNSPlatformMemSame(sig, rrsig, rrsigv->rdlength))
+ {
+ mDNSu32 remain = (now - ncr->TimeRcvd)/mDNSPlatformOneSecond;
+ rrsigTTL = ncr->resrec.rroriginalttl - remain;
+ rrsigOrigTTL = swap32(rrsig->origTTL) - remain;
+ rrsigTimeTTL = swap32(rrsig->sigExpireTime) - swap32(rrsig->sigInceptTime);
+ }
+ }
+ if (rrTTL && (!rrsigv || rrsigTTL)) break;
+ }
+ }
+ else if (rrsigv)
+ {
+ // Look for the matching RRSIG so that we can get its TTL
+ for (rr = cg ? cg->members : mDNSNULL; rr; rr=rr->next)
+ if (rr->resrec.rrtype == kDNSType_RRSIG && SameDomainName(rr->resrec.name, &rrsigv->name))
+ {
+ RDataBody2 *rdb = (RDataBody2 *)rr->resrec.rdata->u.data;
+ rdataRRSig *sig = (rdataRRSig *)rdb->data;
+ if (rrsigv->rdlength != rr->resrec.rdlength)
+ {
+ debugdnssec("SetTTLRRSet length mismatch");
+ continue;
+ }
+ if (mDNSPlatformMemSame(sig, rrsig, rrsigv->rdlength))
+ {
+ mDNSu32 remain = (now - rr->TimeRcvd)/mDNSPlatformOneSecond;
+ rrsigTTL = rr->resrec.rroriginalttl - remain;
+ rrsigOrigTTL = swap32(rrsig->origTTL) - remain;
+ rrsigTimeTTL = swap32(rrsig->sigExpireTime) - swap32(rrsig->sigInceptTime);
+ rrsigRR = rr;
+ break;
+ }
+ }
+ }
+
+ // It is possible that there are no RRSIGs and in that case it is not an error
+ // to find the rrsigTTL.
+ if (!rrTTL || (rrsigv && (!rrsigTTL || !rrsigOrigTTL || !rrsigTimeTTL)))
+ {
+ LogDNSSEC("SetTTLRRSet: ERROR!! Bad TTL rrtl %u, rrsigTTL %u, rrsigOrigTTL %u, rrsigTimeTTL %u for %##s (%s)",
+ rrTTL, rrsigTTL, rrsigOrigTTL, rrsigTimeTTL, qname->c, DNSTypeName(qtype));
+ return;
+ }
+ LogDNSSEC("SetTTLRRSet: TTL rrtl %u, rrsigTTL %u, rrsigOrigTTL %u, rrsigTimeTTL %u for %##s (%s)",
+ rrTTL, rrsigTTL, rrsigOrigTTL, rrsigTimeTTL, qname->c, DNSTypeName(qtype));
+
+ if (status == DNSSEC_Bogus)
+ {
+ rrTTL = RR_BOGUS_TTL;
+ LogDNSSEC("SetTTLRRSet: setting to bogus TTL %d", rrTTL);
+ }
+
+ if (rrsigv)
+ {
+ if (rrsigTTL < rrTTL)
+ rrTTL = rrsigTTL;
+ if (rrsigOrigTTL < rrTTL)
+ rrTTL = rrsigOrigTTL;
+ if (rrsigTimeTTL < rrTTL)
+ rrTTL = rrsigTimeTTL;
+ }
+
+ // Set the rrsig's TTL. For NSEC records, rrsigRR is NULL which means it expires when
+ // the negative cache record expires.
+ if (rrsigRR)
+ {
+ rrsigRR->resrec.rroriginalttl = rrTTL;
+ rrsigRR->TimeRcvd = now;
+ rrsigRR->UnansweredQueries = 0;
+ }
+
+ // Find the RRset and set its TTL
+ for (rr = cg ? cg->members : mDNSNULL; rr; rr=rr->next)
+ {
+ if (SameNameRecordAnswersQuestion(&rr->resrec, &question))
+ {
+ LogDNSSEC("SetTTLRRSet: Setting the TTL %d for %s, question %##s (%s)", rrTTL, CRDisplayString(m, rr),
+ question.qname.c, DNSTypeName(rr->resrec.rrtype));
+ rr->resrec.rroriginalttl = rrTTL;
+ rr->TimeRcvd = now;
+ rr->UnansweredQueries = 0;
+ SetNextCacheCheckTimeForRecord(m, rr);
+ }
+ }
+}
+
+mDNSlocal void FinishDNSSECVerification(mDNS *const m, DNSSECVerifier *dv)
+{
+ RRVerifier *resultKey;
+ RRVerifier *resultRRSig;
+
+ LogDNSSEC("FinishDNSSECVerification: all rdata sets available for sig verification for %##s (%s)",
+ dv->origName.c, DNSTypeName(dv->origType));
+
+ mDNS_StopQuery(m, &dv->q);
+ if (ValidateSignature(dv, &resultKey, &resultRRSig) == mStatus_NoError)
+ {
+ rdataDNSKey *key;
+ mDNSu16 tag;
+ key = (rdataDNSKey *)resultKey->rdata;
+ tag = (mDNSu16)keytag((mDNSu8 *)key, resultKey->rdlength);
+
+ LogDNSSEC("FinishDNSSECVerification: RRSIG validated by DNSKEY tag %d, %##s (%s)", tag, dv->rrset->name.c,
+ DNSTypeName(dv->rrset->rrtype));
+
+ if (TrustedKey(m, dv) == mStatus_NoError)
+ {
+ // Need to call this after we called TrustedKey, as AuthChainAdd
+ // unlinks the resultKey and resultRRSig
+ if (!AuthChainAdd(dv, resultKey, resultRRSig))
+ {
+ dv->DVCallback(m, dv, DNSSEC_Bogus);
+ return;
+ }
+ // The callback will be called when NSEC verification is done.
+ if ((dv->flags & WILDCARD_PROVES_ANSWER_EXPANDED))
+ {
+ WildcardAnswerProof(m, dv);
+ return;
+ }
+ else
+ {
+ dv->DVCallback(m, dv, DNSSEC_Secure);
+ return;
+ }
+ }
+ if (!ValidateDS(dv))
+ {
+ // Need to call this after we called ValidateDS, as AuthChainAdd
+ // unlinks the resultKey and resultRRSig
+ if (!AuthChainAdd(dv, resultKey, resultRRSig))
+ {
+ dv->DVCallback(m, dv, DNSSEC_Bogus);
+ return;
+ }
+ FreeDNSSECVerifierRRSets(dv);
+ dv->recursed++;
+ if (dv->recursed < MAX_RECURSE_COUNT)
+ {
+ LogDNSSEC("FinishDNSSECVerification: Recursion level %d for %##s (%s)", dv->recursed, dv->origName.c,
+ DNSTypeName(dv->origType));
+ VerifySignature(m, dv, &dv->q);
+ return;
+ }
+ }
+ else
+ {
+ LogDNSSEC("FinishDNSSECVerification: ValidateDS failed %##s (%s)", dv->rrset->name.c, DNSTypeName(dv->rrset->rrtype));
+ dv->DVCallback(m, dv, DNSSEC_Bogus);
+ return;
+ }
+ }
+ else
+ {
+ LogDNSSEC("FinishDNSSECVerification: Could not validate the rrset %##s (%s)", dv->origName.c, DNSTypeName(dv->origType));
+ dv->DVCallback(m, dv, DNSSEC_Bogus);
+ return;
+ }
+}
+
+mDNSexport void StartDNSSECVerification(mDNS *const m, void *context)
+{
+ mDNSBool done;
+ DNSSECVerifier *dv = (DNSSECVerifier *)context;
+
+ done = GetAllRRSetsForVerification(m, dv);
+ if (done)
+ {
+ if (dv->next != RRVS_done)
+ LogMsg("StartDNSSECVerification: ERROR!! dv->next is not done");
+ else
+ LogDNSSEC("StartDNSSECVerification: all rdata sets available for sig verification");
+ FinishDNSSECVerification(m, dv);
+ return;
+ }
+ else debugdnssec("StartDNSSECVerification: all rdata sets not available for sig verification next %d", dv->next);
+}
+
+mDNSexport char *DNSSECStatusName(DNSSECStatus status)
+{
+ switch (status)
+ {
+ case DNSSEC_Secure: return "Secure";
+ case DNSSEC_Insecure: return "Insecure";
+ case DNSSEC_Indeterminate: return "Indeterminate";
+ case DNSSEC_Bogus: return "Bogus";
+ default: return "Invalid";
+ }
+}
+
+// We could not use GenerateNegativeResponse as it assumes m->CurrentQuestion to be set. Even if
+// we change that, we needs to fix its callers and so on. It is much simpler to call the callback.
+mDNSlocal void DeliverDNSSECStatus(mDNS *const m, DNSSECVerifier *dv, ResourceRecord *answer, DNSSECStatus status)
+{
+
+ // Can't use m->CurrentQuestion as it may already be in use
+ if (m->ValidationQuestion)
+ LogMsg("DeliverDNSSECStatus: ERROR!! m->ValidationQuestion already set: %##s (%s)",
+ m->ValidationQuestion->qname.c, DNSTypeName(m->ValidationQuestion->qtype));
+
+ BumpDNSSECStats(m, kStatsActionSet, kStatsTypeStatus, status);
+ BumpDNSSECStats(m, kStatsActionSet, kStatsTypeExtraPackets, dv->NumPackets);
+ mDNS_Lock(m);
+ BumpDNSSECStats(m, kStatsActionSet, kStatsTypeLatency, m->timenow - dv->StartTime);
+ mDNS_Unlock(m);
+
+ m->ValidationQuestion = m->Questions;
+ while (m->ValidationQuestion && m->ValidationQuestion != m->NewQuestions)
+ {
+ DNSQuestion *q = m->ValidationQuestion;
+
+ if (q->ValidatingResponse || !q->ValidationRequired ||
+ (q->ValidationState != DNSSECValInProgress) || !ResourceRecordAnswersQuestion(answer, q))
+ {
+ m->ValidationQuestion = q->next;
+ continue;
+ }
+
+ q->ValidationState = DNSSECValDone;
+ q->ValidationStatus = status;
+
+ MakeNegativeCacheRecord(m, &largerec.r, &q->qname, q->qnamehash, q->qtype, q->qclass, 60, mDNSInterface_Any, mDNSNULL);
+ if (q->qtype == answer->rrtype || status != DNSSEC_Secure)
+ {
+ LogDNSSEC("DeliverDNSSECStatus: Generating dnssec status %s for %##s (%s)", DNSSECStatusName(status),
+ q->qname.c, DNSTypeName(q->qtype));
+ if (q->QuestionCallback)
+ {
+ if (q->DNSSECAuthInfo)
+ FreeDNSSECAuthChainInfo((AuthChain *)q->DNSSECAuthInfo);
+ q->DNSSECAuthInfo = AuthChainCopy(dv->ac);
+ q->DAIFreeCallback = FreeAuthChain;
+ q->QuestionCallback(m, q, &largerec.r.resrec, QC_dnssec);
+ }
+ }
+ else if (FollowCNAME(q, answer, QC_add))
+ {
+ LogDNSSEC("DeliverDNSSECStatus: Following CNAME dnssec status %s for %##s (%s)", DNSSECStatusName(status),
+ q->qname.c, DNSTypeName(q->qtype));
+ mDNS_Lock(m);
+ AnswerQuestionByFollowingCNAME(m, q, answer);
+ mDNS_Unlock(m);
+ }
+
+ if (m->ValidationQuestion == q) // If m->ValidationQuestion was not auto-advanced, do it ourselves now
+ m->ValidationQuestion = q->next;
+ }
+ m->ValidationQuestion = mDNSNULL;
+}
+
+// There is no work to be done if we could not validate DNSSEC (as the actual response for
+// the query has already been delivered) except in the case of CNAMEs where we did not follow
+// CNAMEs until we finished the DNSSEC processing.
+mDNSlocal void DNSSECNoResponse(mDNS *const m, DNSSECVerifier *dv)
+{
+ CacheGroup *cg;
+ CacheRecord *cr;
+ mDNSu32 slot, namehash;
+ ResourceRecord *answer = mDNSNULL;
+
+ LogDNSSEC("DNSSECNoResponse: called");
+
+ if (dv->ValidationRequired != DNSSEC_VALIDATION_SECURE_OPTIONAL)
+ {
+ LogMsg("DNSSECNoResponse: ERROR!! ValidationRequired incorrect %d", dv->ValidationRequired);
+ return;
+ }
+
+ BumpDNSSECStats(m, kStatsActionSet, kStatsTypeStatus, DNSSEC_NoResponse);
+
+ slot = HashSlot(&dv->origName);
+ namehash = DomainNameHashValue(&dv->origName);
+
+ cg = CacheGroupForName(m, (const mDNSu32)slot, namehash, &dv->origName);
+ if (!cg)
+ {
+ LogDNSSEC("DNSSECNoResponse: cg NULL for %##s (%s)", dv->origName.c, DNSTypeName(dv->origType));
+ goto done;
+ }
+
+ InitializeQuestion(m, &dv->q, dv->InterfaceID, &dv->origName, dv->origType, mDNSNULL, mDNSNULL);
+
+ // We don't have to reset ValidatingResponse (unlike in DeliverDNSSECStatus) as there are no
+ // RRSIGs that can match the original question
+ for (cr = cg->members; cr; cr = cr->next)
+ {
+ if (SameNameRecordAnswersQuestion(&cr->resrec, &dv->q))
+ {
+ answer = &cr->resrec;
+ break;
+ }
+ }
+
+ // It is not an error for things to disappear underneath
+ if (!answer)
+ {
+ LogDNSSEC("DNSSECNoResponse: answer NULL for %##s, %s", dv->origName.c, DNSTypeName(dv->origType));
+ goto done;
+ }
+ if (answer->rrtype == kDNSType_RRSIG)
+ {
+ LogDNSSEC("DNSSECNoResponse: RRSIG present for %##s, %s", dv->origName.c, DNSTypeName(dv->origType));
+ goto done;
+ }
+
+ // Can't use m->CurrentQuestion as it may already be in use
+ if (m->ValidationQuestion)
+ LogMsg("DNSSECNoResponse: ERROR!! m->ValidationQuestion already set: %##s (%s)",
+ m->ValidationQuestion->qname.c, DNSTypeName(m->ValidationQuestion->qtype));
+
+ m->ValidationQuestion = m->Questions;
+ while (m->ValidationQuestion && m->ValidationQuestion != m->NewQuestions)
+ {
+ DNSQuestion *q = m->ValidationQuestion;
+
+ if (q->ValidatingResponse || !q->ValidationRequired ||
+ (q->ValidationState != DNSSECValInProgress) || !ResourceRecordAnswersQuestion(answer, q))
+ {
+ m->ValidationQuestion = q->next;
+ continue;
+ }
+
+ // If we could not validate e.g., zone was not signed or bad delegation etc.,
+ // disable validation. Ideally, for long outstanding questions, we should try again when
+ // we switch networks. But for now, keep it simple.
+ //
+ // Note: If we followed a CNAME with no dnssec protection, it is even more important that
+ // we disable validation as we don't want to deliver a "secure" dnssec response later e.g.,
+ // it is possible that the CNAME is not secure but the address records are secure. In this
+ // case, we don't want to deliver the secure response later as we followed a CNAME that was
+ // not protected with DNSSEC.
+
+ q->ValidationRequired = 0;
+ q->ValidationState = DNSSECValNotRequired;
+
+ if (FollowCNAME(q, answer, QC_add))
+ {
+ LogDNSSEC("DNSSECNoResponse: Following CNAME for %##s (%s)", q->qname.c, DNSTypeName(q->qtype));
+
+ mDNS_Lock(m);
+ AnswerQuestionByFollowingCNAME(m, q, answer);
+ mDNS_Unlock(m);
+ }
+
+ if (m->ValidationQuestion == q) // If m->ValidationQuestion was not auto-advanced, do it ourselves now
+ m->ValidationQuestion = q->next;
+ }
+ m->ValidationQuestion = mDNSNULL;
+
+done:
+ FreeDNSSECVerifier(m, dv);
+}
+
+mDNSlocal void DNSSECPositiveValidationCB(mDNS *const m, DNSSECVerifier *dv, CacheGroup *cg, ResourceRecord *answer, DNSSECStatus status)
+{
+ RRVerifier *rrset;
+ RRVerifier *rv;
+ CacheRecord *cr;
+ mDNSu16 rrtype, rrclass;
+ CacheRecord *const lrr = &largerec.r;
+
+ LogDNSSEC("DNSSECPositiveValidationCB: called %s for %##s (%s)", DNSSECStatusName(status), dv->origName.c, DNSTypeName(dv->origType));
+
+ //
+ // 1. Check to see if the rrset that was validated is the same as in cache. If they are not same,
+ // this validation result is not valid. When the rrset changed while the validation was in
+ // progress, the act of delivering the changed rrset again should have kicked off another
+ // verification.
+ //
+ // 2. Walk the question list to find the matching question. The original question that started
+ // the DNSSEC verification may or may not be there. As long as there is a matching question
+ // and waiting for the response, deliver the response.
+ //
+ // 3. If we are answering with CNAME, it is time to follow the CNAME if the response is secure
+
+ if (!dv->ac || status == DNSSEC_Insecure)
+ {
+ // For Insecure status, the auth chain contains information about the trust
+ // chain starting from the known trust anchor. The rrsets are not related to
+ // the origName like in Bogus or Secure.
+ if (!answer)
+ LogMsg("DNSSECPositiveValidationCB: ERROR: answer NULL");
+ }
+ else
+ {
+ if (!dv->ac->rrset)
+ {
+ LogMsg("DNSSECPositiveValidationCB: ERROR!! Validated RRSET NULL");
+ goto done;
+ }
+
+ rrset = dv->ac->rrset;
+ rrtype = rrset->rrtype;
+ rrclass = rrset->rrclass;
+
+ lrr->resrec.name = &largerec.namestorage;
+
+ for (rv = dv->ac->rrset; rv; rv = rv->next)
+ rv->found = 0;
+
+ // Check to see if we can find all the elements in the rrset
+ for (cr = cg ? cg->members : mDNSNULL; cr; cr = cr->next)
+ {
+ if (cr->resrec.rrtype == rrtype && cr->resrec.rrclass == rrclass)
+ {
+ for (rv = dv->ac->rrset; rv; rv = rv->next)
+ {
+ if (rv->rdlength == cr->resrec.rdlength && rv->rdatahash == cr->resrec.rdatahash)
+ {
+ lrr->resrec.namehash = rv->namehash;
+ lrr->resrec.rrtype = rv->rrtype;
+ lrr->resrec.rrclass = rv->rrclass;
+ lrr->resrec.rdata = (RData*)&lrr->smallrdatastorage;
+ lrr->resrec.rdata->MaxRDLength = MaximumRDSize;
+
+ // Convert the "rdata" to a suitable form before we can call SameRDataBody which expects
+ // some of the resource records in host order and also domainnames fully expanded. We
+ // converted the resource records into network order for verification purpose and hence
+ // need to convert them back again before comparing them.
+ if (!SetRData(mDNSNULL, rv->rdata, rv->rdata + rv->rdlength, &largerec, rv->rdlength))
+ {
+ LogMsg("DNSSECPositiveValidationCB: SetRData failed for %##s (%s)", rv->name.c, DNSTypeName(rv->rrtype));
+ }
+ else if (SameRDataBody(&cr->resrec, &lrr->resrec.rdata->u, SameDomainName))
+ {
+ answer = &cr->resrec;
+ rv->found = 1;
+ break;
+ }
+ }
+ }
+ if (!rv)
+ {
+ // The validated rrset does not have the element in the cache, re-validate
+ LogDNSSEC("DNSSECPositiveValidationCB: CacheRecord %s, not found in the validated set", CRDisplayString(m, cr));
+ goto done;
+ }
+ }
+ }
+ // Check to see if we have elements that were not in the cache
+ for (rv = dv->ac->rrset; rv; rv = rv->next)
+ {
+ if (!rv->found)
+ {
+ // We had more elements in the validated set, re-validate
+ LogDNSSEC("DNSSECPositiveValidationCB: Record %##s (%s) not found in the cache", rv->name.c, DNSTypeName(rv->rrtype));
+ goto done;
+ }
+ }
+ }
+
+ // It is not an error for things to disappear underneath
+ if (!answer)
+ {
+ LogDNSSEC("DNSSECPositiveValidationCB: answer NULL for %##s, %s", dv->origName.c, DNSTypeName(dv->origType));
+ goto done;
+ }
+
+ DeliverDNSSECStatus(m, dv, answer, status);
+ SetTTLRRSet(m, dv, status);
+
+done:
+ FreeDNSSECVerifier(m, dv);
+}
+
+mDNSlocal void DNSSECNegativeValidationCB(mDNS *const m, DNSSECVerifier *dv, CacheGroup *cg, ResourceRecord *answer, DNSSECStatus status)
+{
+ RRVerifier *rv;
+ CacheRecord *cr;
+ mDNSu16 rrtype, rrclass;
+ AuthChain *ac;
+
+ LogDNSSEC("DNSSECNegativeValidationCB: called %s for %##s (%s)", DNSSECStatusName(status), dv->origName.c, DNSTypeName(dv->origType));
+
+ if (dv->parent)
+ {
+ // When NSEC/NSEC3s validation is completed, it calls the parent's DVCallback with the
+ // parent DNSSECVerifier which is the original one that started the verification. It itself
+ // should not have a parent. If the NSEC/NSEC3 validation results in another NSEC/NSEC3
+ // validation, it should chain up via the dv->parent all the way to the top.
+ LogMsg("DNSSECNegativeValidationCB: ERROR!! dv->parent is set for %##s (%s)", dv->origName.c, DNSTypeName(dv->origType));
+ goto done;
+ }
+
+ // 1. Locate the negative cache record and check the cached NSEC/NSEC3 records to see if it matches the
+ // NSEC/NSEC3s that were valiated. If the cached NSEC/NSEC3s changed while the validation was in progress,
+ // we ignore the validation results.
+ //
+ // 2. Walk the question list to find the matching question. The original question that started
+ // the DNSSEC verification may or may not be there. As long as there is a matching question
+ // and waiting for the response, deliver the response.
+ //
+ if (!dv->ac || status == DNSSEC_Insecure)
+ {
+ // For Insecure status, the auth chain contains information about the trust
+ // chain starting from the known trust anchor. The rrsets are not related to
+ // the origName like in Bogus or Secure.
+ if (!answer)
+ LogMsg("DNSSECNegativeValidationCB: ERROR: answer NULL");
+ }
+ else
+ {
+ if (!dv->ac->rrset)
+ {
+ LogMsg("DNSSECNegativeValidationCB: ERROR!! Validated RRSET NULL");
+ goto done;
+ }
+
+ rrtype = dv->origType;
+ rrclass = dv->ac->rrset->rrclass;
+
+ for (ac = dv->ac; ac; ac = ac->next)
+ {
+ for (rv = ac->rrset; rv; rv = rv->next)
+ {
+ if (rv->rrtype == kDNSType_NSEC || rv->rrtype == kDNSType_NSEC3)
+ {
+ LogDNSSEC("DNSSECNegativeValidationCB: Record %p %##s (%s) marking zero", rv, rv->name.c, DNSTypeName(rv->rrtype));
+ rv->found = 0;
+ }
+ }
+ }
+
+ // Check to see if we can find all the elements in the rrset
+ for (cr = cg->members; cr; cr = cr->next)
+ {
+ if (cr->resrec.RecordType == kDNSRecordTypePacketNegative &&
+ cr->resrec.rrtype == rrtype && cr->resrec.rrclass == rrclass)
+ {
+ CacheRecord *ncr;
+ for (ncr = cr->nsec; ncr; ncr = ncr->next)
+ {
+ // We have RRSIGs for the NSECs cached there too
+ if (ncr->resrec.rrtype != kDNSType_NSEC && ncr->resrec.rrtype != kDNSType_NSEC3)
+ continue;
+ for (ac = dv->ac; ac; ac = ac->next)
+ {
+ for (rv = ac->rrset; rv; rv = rv->next)
+ {
+ if ((rv->rrtype == kDNSType_NSEC || rv->rrtype == kDNSType_NSEC3) && rv->rdlength == ncr->resrec.rdlength &&
+ rv->rdatahash == ncr->resrec.rdatahash)
+ {
+ if (SameDomainName(ncr->resrec.name, &rv->name) &&
+ SameRDataBody(&ncr->resrec, (const RDataBody *)rv->rdata, SameDomainName))
+ {
+ LogDNSSEC("DNSSECNegativeValidationCB: Record %p %##s (%s) marking one", rv, rv->name.c, DNSTypeName(rv->rrtype));
+ answer = &cr->resrec;
+ rv->found = 1;
+ break;
+ }
+ }
+ }
+ if (rv)
+ break;
+ }
+ }
+ if (!rv)
+ {
+ // The validated rrset does not have the element in the cache, re-validate
+ LogDNSSEC("DNSSECNegativeValidationCB: CacheRecord %s, not found in the validated set", CRDisplayString(m, cr));
+ goto done;
+ }
+ }
+ }
+ // Check to see if we have elements that were not in the cache
+ for (ac = dv->ac; ac; ac = ac->next)
+ {
+ for (rv = ac->rrset; rv; rv = rv->next)
+ {
+ if (rv->rrtype == kDNSType_NSEC || rv->rrtype == kDNSType_NSEC3)
+ {
+ if (!rv->found)
+ {
+ // We had more elements in the validated set, re-validate
+ LogDNSSEC("DNSSECNegativeValidationCB: Record %p %##s (%s) not found in the cache", rv, rv->name.c, DNSTypeName(rv->rrtype));
+ goto done;
+ }
+ rv->found = 0;
+ }
+ }
+ }
+ }
+
+ // It is not an error for things to disappear underneath
+ if (!answer)
+ {
+ LogDNSSEC("DNSSECNegativeValidationCB: answer NULL for %##s, %s", dv->origName.c, DNSTypeName(dv->origType));
+ goto done;
+ }
+
+ DeliverDNSSECStatus(m, dv, answer, status);
+ SetTTLRRSet(m, dv, status);
+
+done:
+ FreeDNSSECVerifier(m, dv);
+}
+
+mDNSlocal void DNSSECValidationCB(mDNS *const m, DNSSECVerifier *dv, DNSSECStatus status)
+{
+ mDNSu32 slot, namehash;
+ CacheGroup *cg;
+ CacheRecord *cr;
+
+ LogDNSSEC("DNSSECValidationCB: called %s for %##s (%s)", DNSSECStatusName(status), dv->origName.c, DNSTypeName(dv->origType));
+
+ // Currently, if we receive anything other than secure, we abort DNSSEC validation for
+ // the optional case.
+ if (dv->ValidationRequired == DNSSEC_VALIDATION_SECURE_OPTIONAL && status != DNSSEC_Secure)
+ {
+ DNSSECNoResponse(m, dv);
+ return;
+ }
+
+ if (dv->ValidationRequired == DNSSEC_VALIDATION_SECURE && !dv->InsecureProofDone && status == DNSSEC_Bogus)
+ {
+ dv->InsecureProofDone = 1;
+ ProveInsecure(m, dv, mDNSNULL, mDNSNULL);
+ return;
+ }
+ slot = HashSlot(&dv->origName);
+ namehash = DomainNameHashValue(&dv->origName);
+
+ cg = CacheGroupForName(m, (const mDNSu32)slot, namehash, &dv->origName);
+ if (!cg)
+ {
+ LogDNSSEC("DNSSECValidationCB: cg NULL for %##s (%s)", dv->origName.c, DNSTypeName(dv->origType));
+ FreeDNSSECVerifier(m, dv);
+ return;
+ }
+ InitializeQuestion(m, &dv->q, dv->InterfaceID, &dv->origName, dv->origType, mDNSNULL, mDNSNULL);
+ // Need to be reset ValidatingResponse as we are looking for the cache record that would answer
+ // the original question
+ dv->q.ValidatingResponse = mDNSfalse;
+ for (cr = cg->members; cr; cr = cr->next)
+ {
+ if (SameNameRecordAnswersQuestion(&cr->resrec, &dv->q))
+ {
+ if (cr->resrec.RecordType == kDNSRecordTypePacketNegative)
+ DNSSECNegativeValidationCB(m, dv, cg, &cr->resrec, status);
+ else
+ DNSSECPositiveValidationCB(m, dv, cg, &cr->resrec, status);
+ return;
+ }
+ }
+}
+
+mDNSexport void VerifySignature(mDNS *const m, DNSSECVerifier *dv, DNSQuestion *q)
+{
+ mDNSu32 slot = HashSlot(&q->qname);
+ CacheGroup *const cg = CacheGroupForName(m, slot, q->qnamehash, &q->qname);
+ CacheRecord *rr;
+ mDNSBool first = mDNSfalse;
+ static mDNSBool TrustAnchorsUpdated = mDNSfalse;
+
+ LogDNSSEC("VerifySignature called for %##s (%s)", q->qname.c, DNSTypeName(q->qtype));
+ if (!TrustAnchorsUpdated)
+ {
+ TrustAnchorsUpdated = mDNStrue;
+ UpdateTrustAnchors(m);
+ }
+ if (!dv)
+ {
+ first = mDNStrue;
+ if (!q->qDNSServer || q->qDNSServer->cellIntf)
+ {
+ LogDNSSEC("VerifySignature: Disabled");
+ return;
+ }
+ // We assume that the verifier's question has been initialized here so that ValidateWithNSECS below
+ // knows what it has prove the non-existence of.
+ dv = AllocateDNSSECVerifier(m, &q->qname, q->qtype, q->InterfaceID, q->ValidationRequired, DNSSECValidationCB, VerifySigCallback);
+ if (!dv)
+ {
+ LogMsg("VerifySignature: ERROR!! memory alloc failed");
+ return;
+ }
+ }
+
+ // If we find a CNAME response to the question, remember what qtype
+ // caused the CNAME response. origType is not sufficient as we
+ // recursively validate the response and origType is initialized above
+ // the first time this function is called.
+ dv->currQtype = q->qtype;
+
+ // Walk the cache and get all the rrsets for verification.
+ for (rr = cg ? cg->members : mDNSNULL; rr; rr=rr->next)
+ if (SameNameRecordAnswersQuestion(&rr->resrec, q))
+ {
+ // We also get called for RRSIGs which matches qtype. We don't need that here as we are
+ // building rrset for matching q->qname. Checking for RRSIG type is important as otherwise
+ // we would miss the CNAME answering any qtype.
+ if (rr->resrec.rrtype == kDNSType_RRSIG && rr->resrec.rrtype != q->qtype)
+ {
+ LogDNSSEC("VerifySignature: Question %##s (%s) answered with RRSIG record %s, not using it", q->qname.c, DNSTypeName(q->qtype), CRDisplayString(m, rr));
+ continue;
+ }
+
+ // See DNSSECRecordAnswersQuestion: This should never happen. NSEC records are
+ // answered directly only when the qtype is NSEC. Otherwise, NSEC records are
+ // used only for denial of existence and hence should go through negative cache
+ // entry.
+ if (rr->resrec.rrtype == kDNSType_NSEC && q->qtype != kDNSType_NSEC)
+ {
+ LogMsg("VerifySignature: ERROR!! Question %##s (%s) answered using NSEC record %s", q->qname.c, DNSTypeName(q->qtype), CRDisplayString(m, rr));
+ continue;
+ }
+
+ // We might get a NSEC response when we first send the query out from the "core" for ValidationRequired
+ // questions. Later as part of validating the response, we might get a NSEC response.
+ if (rr->resrec.RecordType == kDNSRecordTypePacketNegative && DNSSECQuestion(q))
+ {
+ // If we can't find the NSEC, we can't validate. This can happens if we are
+ // behind a non-DNSSEC aware CPE/server.
+ if (!rr->nsec)
+ {
+ LogDNSSEC("VerifySignature: No nsecs found for %s", CRDisplayString(m, rr));
+ dv->DVCallback(m, dv, DNSSEC_Bogus);
+ return;
+ }
+ ValidateWithNSECS(m, dv, rr);
+ return;
+ }
+
+ if (AddRRSetToVerifier(dv, &rr->resrec, mDNSNULL, RRVS_rr) != mStatus_NoError)
+ {
+ dv->DVCallback(m, dv, DNSSEC_Bogus);
+ return;
+ }
+ }
+ if (!dv->rrset)
+ {
+ LogMsg("VerifySignature: rrset mDNSNULL for %##s (%s)", dv->origName.c, DNSTypeName(dv->origType));
+ dv->DVCallback(m, dv, DNSSEC_Bogus);
+ return;
+ }
+ dv->next = RRVS_rrsig;
+ // Delay this so that the mDNS "core" can deliver all the results before
+ // we can deliver the dnssec result
+ if (first)
+ {
+ mDNSPlatformDispatchAsync(m, dv, StartDNSSECVerification);
+ }
+ else
+ {
+ StartDNSSECVerification(m, dv);
+ }
+}
+
+mDNSlocal mDNSBool TrustedKeyPresent(mDNS *const m, DNSSECVerifier *dv)
+{
+ rdataRRSig *rrsig;
+ rdataDS *ds;
+ rdataDNSKey *key;
+ TrustAnchor *ta;
+ RRVerifier *keyv;
+
+ rrsig = (rdataRRSig *)dv->rrsig->rdata;
+
+ // Walk all our trusted DS Records to see if we have a matching DNS KEY record that verifies
+ // the hash. If we find one, verify that this key was used to sign the KEY rrsets in
+ // this zone. Loop till we find one.
+ for (ta = m->TrustAnchors; ta; ta = ta->next)
+ {
+ ds = (rdataDS *)&ta->rds;
+ if ((ds->digestType != SHA1_DIGEST_TYPE) && (ds->digestType != SHA256_DIGEST_TYPE))
+ {
+ LogMsg("TrustedKeyPresent: Unsupported digest %d", ds->digestType);
+ continue;
+ }
+ else
+ {
+ debugdnssec("TrustedKeyPresent: digest type %d", ds->digestType);
+ }
+ for (keyv = dv->key; keyv; keyv = keyv->next)
+ {
+ key = (rdataDNSKey *)keyv->rdata;
+ mDNSu16 tag = (mDNSu16)keytag((mDNSu8 *)key, keyv->rdlength);
+ if (tag != ds->keyTag)
+ {
+ debugdnssec("TrustedKeyPresent:Not a valid keytag %d", tag);
+ continue;
+ }
+ if (!SameDomainName(&keyv->name, &ta->zone))
+ {
+ debugdnssec("TrustedKeyPresent: domainame mismatch key %##s, ta %##s", keyv->name.c, ta->zone.c);
+ continue;
+ }
+ return mDNStrue;
+ }
+ }
+ return mDNSfalse;
+}
+
+mDNSlocal mStatus TrustedKey(mDNS *const m, DNSSECVerifier *dv)
+{
+ mDNSu8 *digest;
+ int digestLen;
+ domainname name;
+ rdataRRSig *rrsig;
+ rdataDS *ds;
+ rdataDNSKey *key;
+ TrustAnchor *ta;
+ RRVerifier *keyv;
+ mStatus algRet;
+ mDNSu32 currTime = mDNSPlatformUTC();
+
+ rrsig = (rdataRRSig *)dv->rrsig->rdata;
+
+ // Walk all our trusted DS Records to see if we have a matching DNS KEY record that verifies
+ // the hash. If we find one, verify that this key was used to sign the KEY rrsets in
+ // this zone. Loop till we find one.
+ for (ta = m->TrustAnchors; ta; ta = ta->next)
+ {
+ ds = (rdataDS *)&ta->rds;
+ if ((ds->digestType != SHA1_DIGEST_TYPE) && (ds->digestType != SHA256_DIGEST_TYPE))
+ {
+ LogMsg("TrustedKey: Unsupported digest %d", ds->digestType);
+ continue;
+ }
+ else
+ {
+ debugdnssec("TrustedKey: Zone %##s, digest type %d, tag %d", ta->zone.c, ds->digestType, ds->keyTag);
+ }
+ for (keyv = dv->key; keyv; keyv = keyv->next)
+ {
+ key = (rdataDNSKey *)keyv->rdata;
+ mDNSu16 tag = (mDNSu16)keytag((mDNSu8 *)key, keyv->rdlength);
+ if (tag != ds->keyTag)
+ {
+ debugdnssec("TrustedKey:Not a valid keytag %d", tag);
+ continue;
+ }
+ if (!SameDomainName(&keyv->name, &ta->zone))
+ {
+ debugdnssec("TrustedKey: domainame mismatch key %##s, ta %##s", keyv->name.c, ta->zone.c);
+ continue;
+ }
+ if (DNS_SERIAL_LT(ta->validUntil, currTime))
+ {
+ LogDNSSEC("TrustedKey: Expired: currentTime %d, ExpireTime %d", (int)currTime, ta->validUntil);
+ continue;
+ }
+ if (DNS_SERIAL_LT(currTime, ta->validFrom))
+ {
+ LogDNSSEC("TrustedKey: Future: currentTime %d, InceptTime %d", (int)currTime, ta->validFrom);
+ continue;
+ }
+
+ if (DNSNameToLowerCase((domainname *)&rrsig->signerName, &name) != mStatus_NoError)
+ {
+ LogMsg("TrustedKey: ERROR!! cannot convert to lower case");
+ continue;
+ }
+
+ if (dv->ctx) AlgDestroy(dv->ctx);
+ dv->ctx = AlgCreate(DIGEST_ALG, ds->digestType);
+ if (!dv->ctx)
+ {
+ LogMsg("TrustedKey: ERROR!! No digest support");
+ continue;
+ }
+ digest = ds->digest;
+ digestLen = ta->digestLen;
+
+ AlgAdd(dv->ctx, name.c, DomainNameLength(&name));
+ AlgAdd(dv->ctx, (const mDNSu8 *)key, keyv->rdlength);
+
+ algRet = AlgVerify(dv->ctx, mDNSNULL, 0, digest, digestLen);
+ AlgDestroy(dv->ctx);
+ dv->ctx = mDNSNULL;
+ if (algRet == mStatus_NoError)
+ {
+ LogDNSSEC("TrustedKey: DS Validated Successfully, need to verify the key %d", tag);
+ // We found the DNS KEY that is authenticated by the DS in our parent zone. Check to see if this key
+ // was used to sign the DNS KEY RRSET. If so, then the keys in our DNS KEY RRSET are valid
+ if (ValidateSignatureWithKeyForAllRRSigs(dv, dv->key, keyv, dv->rrsigKey))
+ {
+ LogDNSSEC("TrustedKey: DS Validated Successfully %d", tag);
+ return mStatus_NoError;
+ }
+ }
+ }
+ }
+ return mStatus_NoSuchRecord;
+}
+
+mDNSlocal CacheRecord* NegativeCacheRecordForRR(mDNS *const m, const ResourceRecord *const rr)
+{
+ mDNSu32 slot;
+ mDNSu32 namehash;
+ CacheGroup *cg;
+ CacheRecord *cr;
+
+ slot = HashSlot(rr->name);
+ namehash = DomainNameHashValue(rr->name);
+ cg = CacheGroupForName(m, slot, namehash, rr->name);
+ if (!cg)
+ {
+ LogMsg("NegativeCacheRecordForRR: cg null %##s", rr->name->c);
+ return mDNSNULL;
+ }
+ for (cr=cg->members; cr; cr=cr->next)
+ {
+ if (cr->resrec.RecordType == kDNSRecordTypePacketNegative && (&cr->resrec == rr))
+ return cr;
+ }
+ return mDNSNULL;
+}
+
+mDNSlocal void VerifySigCallback(mDNS *const m, DNSQuestion *question, const ResourceRecord *const answer, QC_result AddRecord)
+{
+ DNSSECVerifier *dv = (DNSSECVerifier *)question->QuestionContext;
+ mDNSu16 rrtype;
+ CacheRecord *negcr;
+
+ debugdnssec("VerifySigCallback: AddRecord %d, dv %p", AddRecord, dv);
+
+ if (!AddRecord)
+ return;
+
+ // After the first ADD event, we should ideally stop the question. If we don't stop
+ // the question, we might get more callbacks and that can cause problems. For example,
+ // in the first callback, we could start a insecure proof and while that is in progress,
+ // if we get more callbacks, we will try to start another insecure proof. As we already
+ // started an insecure proof, we won't start another but terminate the verification
+ // process where we free the current DNSSECVerifier while the first insecure proof is
+ // still referencing it.
+ //
+ // But there are cases below which might return if we have not received the right answer
+ // yet e.g., no RRSIGs. In that case if the question is stopped, we will never get any
+ // callbacks again and also we leak "dv". Hence it is important that we either process
+ // the result or wait for more results. Note that the question eventually times out
+ // and cleans up the "dv" i.e., we don't wait forever.
+
+ if (!answer)
+ {
+ LogDNSSEC("VerifySigCallback: Question %##s (%s) no dnssec response", question->qname.c, DNSTypeName(question->qtype));
+ mDNS_StopQuery(m, question);
+ dv->DVCallback(m, dv, DNSSEC_Bogus);
+ return;
+ }
+
+ LogDNSSEC("VerifySigCallback(%p): Called with record %s for question %##s (%s)", dv, RRDisplayString(m, answer), question->qname.c,
+ DNSTypeName(question->qtype));
+ mDNS_Lock(m);
+ if ((m->timenow - question->StopTime) >= 0)
+ {
+ mDNS_Unlock(m);
+ LogDNSSEC("VerifySigCallback: Question %##s (%s) timed out", question->qname.c, DNSTypeName(question->qtype));
+ mDNS_StopQuery(m, question);
+ dv->DVCallback(m, dv, DNSSEC_Bogus);
+ return;
+ }
+ mDNS_Unlock(m);
+
+ if (answer->RecordType == kDNSRecordTypePacketNegative)
+ {
+ CacheRecord *cr;
+ LogDNSSEC("VerifySigCallback: Received a negative answer with record %s, AddRecord %d",
+ RRDisplayString(m, answer), AddRecord);
+ mDNS_StopQuery(m, question);
+ cr = NegativeCacheRecordForRR(m, answer);
+ if (cr && cr->nsec)
+ {
+ ValidateWithNSECS(m, dv, cr);
+ }
+ else
+ {
+
+ LogDNSSEC("VerifySigCallback: Missing record (%s) Negative Cache Record %p", RRDisplayString(m, answer), cr);
+ dv->DVCallback(m, dv, DNSSEC_Bogus);
+ }
+ return;
+ }
+
+ if (!dv->rrset)
+ {
+ LogMsg("VerifySigCallback: ERROR!! rrset NULL");
+ mDNS_StopQuery(m, question);
+ dv->DVCallback(m, dv, DNSSEC_Bogus);
+ return;
+ }
+
+ rrtype = answer->rrtype;
+ // Check whether we got any answers for the question. If there are no answers, we
+ // can't do the verification.
+ //
+ // We need to look at the whole rrset for verifying the signatures. This callback gets
+ // called back for each record in the rrset sequentially and we won't know when to start the
+ // verification. Hence, we look for all the records in the rrset ourselves using the
+ // CheckXXX function below. The caller has to ensure that all the records in the rrset are
+ // added to the cache before calling this callback which happens naturally because all
+ // unicast records are marked for DelayDelivery and hence added to the cache before the
+ // callback is done.
+ //
+ // We also need the RRSIGs for the rrset to do the validation. It is possible that the
+ // cache contains RRSIG records but it may not be a valid record when we filter them
+ // in CheckXXX function. For example, some application can query for RRSIG records which
+ // might come back with a partial set of RRSIG records from the recursive server and
+ // they may not be the right ones for the current validation. In this case, we still
+ // need to send the query out to get the right RRSIGs but the "core" should not answer
+ // this query with the same records that we checked and found them to be unusable.
+ //
+ // We handle this in two ways:
+ //
+ // 1) AnswerNewQuestion always sends the "ValidatingResponse" query out bypassing the cache.
+ //
+ // 2) DNSSECRecordAnswersQuestion does not answer a question with RRSIGs matching the
+ // same name as the query until the typeCovered also matches the query's type.
+ //
+ // NOTE: We use "next - 1" as next always points to what we are going to fetch next and not the one
+ // we are fetching currently
+ switch(dv->next - 1)
+ {
+ case RRVS_rr:
+ // Verification always starts at RRVS_rrsig (which means dv->next points at RRVS_key) as verification does
+ // not begin until we have the main rrset.
+ LogDNSSEC("VerifySigCallback: ERROR!! rrset %##s dv->next is RRVS_rr", dv->rrset->name.c);
+ return;
+ case RRVS_rrsig:
+ // We can get called back with rrtype matching qtype as new records are added to the cache
+ // triggered by other questions. This could potentially mean that the rrset that is being
+ // validated by this "dv" whose rrsets were initialized at the beginning of the verification
+ // may not be the right one. If this case happens, we will detect this at the end of validation
+ // and throw away the validation results. This should not be a common case.
+ if (rrtype != kDNSType_RRSIG)
+ {
+ LogDNSSEC("VerifySigCallback: RRVS_rrsig called with %s", RRDisplayString(m, answer));
+ return;
+ }
+ mDNS_StopQuery(m, question);
+ if (CheckRRSIGForRRSet(m, dv, &negcr) != mStatus_NoError)
+ {
+ LogDNSSEC("VerifySigCallback: Unable to find RRSIG for %##s (%s), question %##s", dv->rrset->name.c,
+ DNSTypeName(dv->rrset->rrtype), question->qname.c);
+ dv->DVCallback(m, dv, DNSSEC_Bogus);
+ return;
+ }
+ break;
+ case RRVS_key:
+ // We are waiting for the DNSKEY record and hence dv->key should be NULL. If RRSIGs are being
+ // returned first, ignore them for now.
+ if (dv->key)
+ LogDNSSEC("VerifySigCallback: ERROR!! RRVS_key dv->key non-NULL for %##s", question->qname.c);
+ if (rrtype == kDNSType_RRSIG)
+ {
+ LogDNSSEC("VerifySigCallback: RRVS_key rrset type %s, %##s received before DNSKEY", DNSTypeName(rrtype), question->qname.c);
+ return;
+ }
+ if (rrtype != question->qtype)
+ {
+ LogDNSSEC("VerifySigCallback: ERROR!! RRVS_key rrset type %s, %##s not matching qtype %d", DNSTypeName(rrtype), question->qname.c,
+ question->qtype);
+ return;
+ }
+ mDNS_StopQuery(m, question);
+ if (CheckKeyForRRSIG(m, dv, &negcr) != mStatus_NoError)
+ {
+ LogDNSSEC("VerifySigCallback: Unable to find DNSKEY for %##s (%s), question %##s", dv->rrset->name.c,
+ DNSTypeName(dv->rrset->rrtype), question->qname.c);
+ dv->DVCallback(m, dv, DNSSEC_Bogus);
+ return;
+ }
+ break;
+ case RRVS_rrsig_key:
+ // If we are in RRVS_rrsig_key, it means that we already found the relevant DNSKEYs (dv->key should be non-NULL).
+ // If DNSKEY record is being returned i.e., it means it is being added to the cache, then it can't be in our
+ // list.
+ if (!dv->key)
+ LogDNSSEC("VerifySigCallback: ERROR!! RRVS_rrsig_key dv->key NULL for %##s", question->qname.c);
+ if (rrtype == question->qtype)
+ {
+ LogDNSSEC("VerifySigCallback: RRVS_rrsig_key rrset type %s, %##s", DNSTypeName(rrtype), question->qname.c);
+ CheckOneKeyForRRSIG(dv, answer);
+ return;
+ }
+ if (rrtype != kDNSType_RRSIG)
+ {
+ LogDNSSEC("VerifySigCallback: RRVS_rrsig_key rrset type %s, %##s not matching qtype %d", DNSTypeName(rrtype), question->qname.c,
+ question->qtype);
+ return;
+ }
+ mDNS_StopQuery(m, question);
+ if (CheckRRSIGForKey(m, dv, &negcr) != mStatus_NoError)
+ {
+ LogDNSSEC("VerifySigCallback: Unable to find RRSIG for %##s (%s), question %##s", dv->rrset->name.c,
+ DNSTypeName(dv->rrset->rrtype), question->qname.c);
+ dv->DVCallback(m, dv, DNSSEC_Bogus);
+ return;
+ }
+ break;
+ case RRVS_ds:
+ if (rrtype == question->qtype)
+ {
+ LogDNSSEC("VerifySigCallback: RRVS_ds rrset type %s, %##s", DNSTypeName(rrtype), question->qname.c);
+ }
+ else
+ {
+ LogDNSSEC("VerifySigCallback: RRVS_ds rrset type %s, %##s received before DS", DNSTypeName(rrtype), question->qname.c);
+ }
+ mDNS_StopQuery(m, question);
+ // It is not an error if we don't find the DS record as we could have
+ // a trusted key. Or this is not a secure delegation which will be handled
+ // below.
+ if (CheckDSForKey(m, dv, &negcr) != mStatus_NoError)
+ {
+ LogDNSSEC("VerifySigCallback: Unable find DS for %##s (%s), question %##s", dv->rrset->name.c,
+ DNSTypeName(dv->rrset->rrtype), question->qname.c);
+ }
+ // dv->next is already at RRVS_done, so if we "break" from here, we will end up
+ // in FinishDNSSECVerification. We should not do that if we receive a negative
+ // response. For all other cases above, GetAllRRSetsForVerification handles
+ // negative cache record
+ if (negcr)
+ {
+ if (!negcr->nsec)
+ {
+ LogDNSSEC("VerifySigCallback: No nsec records for %##s (DS)", dv->ds->name.c);
+ dv->DVCallback(m, dv, DNSSEC_Bogus);
+ return;
+ }
+ ValidateWithNSECS(m, dv, negcr);
+ return;
+ }
+ break;
+ default:
+ LogDNSSEC("VerifySigCallback: ERROR!! default case rrset %##s question %##s", dv->rrset->name.c, question->qname.c);
+ mDNS_StopQuery(m, question);
+ dv->DVCallback(m, dv, DNSSEC_Bogus);
+ return;
+ }
+ if (dv->next != RRVS_done)
+ {
+ mDNSBool done = GetAllRRSetsForVerification(m, dv);
+ if (done)
+ {
+ if (dv->next != RRVS_done)
+ LogMsg("VerifySigCallback ERROR!! dv->next is not done");
+ else
+ LogDNSSEC("VerifySigCallback: all rdata sets available for sig verification");
+ }
+ else
+ {
+ LogDNSSEC("VerifySigCallback: all rdata sets not available for sig verification");
+ return;
+ }
+ }
+ FinishDNSSECVerification(m, dv);
+}
+
+mDNSlocal TrustAnchor *FindTrustAnchor(mDNS *const m, const domainname *const name)
+{
+ TrustAnchor *ta;
+ TrustAnchor *matchTA = mDNSNULL;
+ TrustAnchor *rootTA = mDNSNULL;
+ int currmatch = 0;
+ int match;
+ mDNSu32 currTime = mDNSPlatformUTC();
+
+ for (ta = m->TrustAnchors; ta; ta = ta->next)
+ {
+ if (DNS_SERIAL_LT(ta->validUntil, currTime))
+ {
+ LogDNSSEC("FindTrustAnchor: Expired: currentTime %d, ExpireTime %d", (int)currTime, ta->validUntil);
+ continue;
+ }
+ if (DNS_SERIAL_LT(currTime, ta->validFrom))
+ {
+ LogDNSSEC("FindTrustAnchor: Future: currentTime %d, InceptTime %d", (int)currTime, ta->validFrom);
+ continue;
+ }
+
+ if (SameDomainName((const domainname *)"\000", &ta->zone))
+ rootTA = ta;
+
+ match = CountLabelsMatch(&ta->zone, name);
+ if (match > currmatch)
+ {
+ currmatch = match;
+ matchTA = ta;
+ }
+ }
+ if (matchTA)
+ {
+ LogDNSSEC("FindTrustAnhcor: matched %##s", matchTA->zone.c);
+ return matchTA;
+ }
+ else if (rootTA)
+ {
+ LogDNSSEC("FindTrustAnhcor: matched rootTA %##s", rootTA->zone.c);
+ return rootTA;
+ }
+ else
+ {
+ LogDNSSEC("FindTrustAnhcor: No Trust Anchor");
+ return mDNSNULL;
+ }
+}
+
+mDNSlocal void DeliverInsecureProofResultAsync(mDNS *const m, void *context)
+{
+ InsecureContext *ic = (InsecureContext *)context;
+ ic->dv->DVCallback(m, ic->dv, ic->status);
+ if (ic->q.ThisQInterval != -1)
+ {
+ LogMsg("DeliverInsecureProofResultAsync: ERROR!! Question %##s (%s) not stopped already", ic->q.qname.c, DNSTypeName(ic->q.qtype));
+ mDNS_StopQuery(m, &ic->q);
+ }
+ mDNSPlatformMemFree(ic);
+}
+
+mDNSlocal void DeliverInsecureProofResult(mDNS *const m, InsecureContext *ic, DNSSECStatus status)
+{
+ // If the status is Bogus, restore the original auth chain before the insecure
+ // proof.
+ if (status == DNSSEC_Bogus)
+ {
+ LogDNSSEC("DeliverInsecureProofResult: Restoring the auth chain");
+ if (ic->dv->ac)
+ {
+ FreeDNSSECAuthChainInfo(ic->dv->ac);
+ }
+ ResetAuthChain(ic->dv);
+ ic->dv->ac = ic->dv->saveac;
+ if (ic->dv->ac)
+ {
+ AuthChain *tmp = ic->dv->ac;
+ AuthChain **tail = &tmp->next;
+ while (tmp->next)
+ {
+ tail = &tmp->next;
+ tmp = tmp->next;
+ }
+ ic->dv->actail = tail;
+ }
+ ic->dv->saveac = mDNSNULL;
+ }
+ else if (ic->dv->saveac)
+ {
+ FreeDNSSECAuthChainInfo(ic->dv->saveac);
+ ic->dv->saveac = mDNSNULL;
+ }
+ ic->status = status;
+ // Stop the question before we schedule the block so that we don't receive additional
+ // callbacks again. Once the block runs, it will free the "ic" and you can't
+ // have another block queued up. This can happen if we receive a callback after we
+ // queue the block below.
+ if (ic->q.ThisQInterval != -1)
+ mDNS_StopQuery(m, &ic->q);
+ mDNSPlatformDispatchAsync(m, ic, DeliverInsecureProofResultAsync);
+}
+
+mDNSlocal mDNSBool AlgorithmSupported(rdataDS *ds)
+{
+ switch(ds->digestType)
+ {
+ case SHA1_DIGEST_TYPE:
+ case SHA256_DIGEST_TYPE:
+ break;
+ default:
+ LogDNSSEC("AlgorithmSupported: Unsupported digest %d", ds->digestType);
+ return mDNSfalse;
+ }
+
+ switch(ds->alg)
+ {
+ case CRYPTO_RSA_NSEC3_SHA1:
+ case CRYPTO_RSA_SHA1:
+ case CRYPTO_RSA_SHA256:
+ case CRYPTO_RSA_SHA512:
+ return mDNStrue;
+ default:
+ LogDNSSEC("AlgorithmSupported: Unsupported algorithm %d", ds->alg);
+ return mDNSfalse;
+ }
+}
+
+// Note: This function is called when DNSSEC results are delivered (from DeliverDNSSECStatus) and we can't deliver DNSSEC result
+// again within this function as "m->ValidationQuestion" is already in use. Hence we should dispatch off the delivery of insecure
+// results asynchronously.
+//
+// Insecure proof callback can deliver either insecure or bogus, but never secure result.
+mDNSlocal void ProveInsecureCallback(mDNS *const m, DNSQuestion *question, const ResourceRecord *const answer, QC_result AddRecord)
+{
+ InsecureContext *ic = (InsecureContext *)question->QuestionContext;
+ DNSSECVerifier *pdv = ic->dv;
+ AuthChain *ac;
+
+ (void) answer;
+
+ if (!AddRecord)
+ return;
+
+ mDNS_Lock(m);
+ if ((m->timenow - question->StopTime) >= 0)
+ {
+ mDNS_Unlock(m);
+ LogDNSSEC("ProveInsecureCallback: Question %##s (%s) timed out", question->qname.c, DNSTypeName(question->qtype));
+ DeliverInsecureProofResult(m, ic, DNSSEC_Bogus);
+ return;
+ }
+ mDNS_Unlock(m);
+
+ // We only need to handle the actual DNSSEC results and the ones that are secure. Anything else results in
+ // bogus.
+ if (AddRecord != QC_dnssec)
+ {
+ LogDNSSEC("ProveInsecureCallback: Question %##s (%s), AddRecord %d, answer %s", question->qname.c,
+ DNSTypeName(question->qtype), AddRecord, RRDisplayString(m, answer));
+ return;
+ }
+
+ LogDNSSEC("ProveInsecureCallback: ic %p Question %##s (%s), DNSSEC status %s", ic, question->qname.c, DNSTypeName(question->qtype),
+ DNSSECStatusName(question->ValidationStatus));
+
+ // Insecure is delivered for NSEC3 OptOut
+ if (question->ValidationStatus != DNSSEC_Secure && question->ValidationStatus != DNSSEC_Insecure)
+ {
+ LogDNSSEC("ProveInsecureCallback: Question %##s (%s) returned DNSSEC status %s", question->qname.c,
+ DNSTypeName(question->qtype), DNSSECStatusName(question->ValidationStatus));
+ goto done;
+ }
+ ac = (AuthChain *)question->DNSSECAuthInfo;
+ if (!ac)
+ {
+ LogDNSSEC("ProveInsecureCallback: ac NULL for question %##s, %s", question->qname.c, DNSTypeName(question->qtype));
+ goto done;
+ }
+ if (!ac->rrset)
+ {
+ LogDNSSEC("ProveInsecureCallback: ac->rrset NULL for question %##s, %s", question->qname.c, DNSTypeName(question->qtype));
+ goto done;
+ }
+ if (ac->rrset->rrtype != kDNSType_DS && ac->rrset->rrtype != kDNSType_NSEC && ac->rrset->rrtype != kDNSType_NSEC3)
+ {
+ LogDNSSEC("ProveInsecureCallback: ac->rrset->rrtype %##s (%s) not handled", ac->rrset->name.c,
+ DNSTypeName(ac->rrset->rrtype));
+ goto done;
+ }
+ AuthChainLink(pdv, ac);
+ question->DNSSECAuthInfo = mDNSNULL;
+ if (ac->rrset->rrtype == kDNSType_DS)
+ {
+ rdataDS *ds = (rdataDS *)ac->rrset->rdata;
+
+ // If the delegation is secure, but the underlying zone is signed with an unsupported
+ // algorithm, then we can't verify it. Deliver insecure in that case.
+ if (!AlgorithmSupported(ds))
+ {
+ LogDNSSEC("ProveInsecureCallback: Unsupported algorithm %d or digest %d", ds->alg, ds->digestType);
+ DeliverInsecureProofResult(m, ic, DNSSEC_Insecure);
+ return;
+ }
+
+ // If the delegation is secure and the name that we queried for is same as the original
+ // name that started the insecure proof, then something is not right. We started the
+ // insecure proof e.g., the zone is not signed, but we are able to validate a DS for
+ // the same name which implies that the zone is signed (whose algorithm we support) and
+ // we should not have started the insecurity proof in the first place.
+ if (SameDomainName(&question->qname, &pdv->origName))
+ {
+ LogDNSSEC("ProveInsecureCallback: Insecure proof reached original name %##s, error", question->qname.c);
+ DeliverInsecureProofResult(m, ic, DNSSEC_Bogus);
+ return;
+ }
+
+ LogDNSSEC("ProveInsecureCallback: Trying one more level down");
+ ProveInsecure(m, pdv, ic, mDNSNULL);
+ }
+ else if (ac->rrset->rrtype == kDNSType_NSEC || ac->rrset->rrtype == kDNSType_NSEC3)
+ {
+ CacheRecord *cr;
+
+ if (ac->rrset->rrtype == kDNSType_NSEC)
+ cr = NSECRecordIsDelegation(m, &question->qname, question->qtype);
+ else
+ cr = NSEC3RecordIsDelegation(m, &question->qname, question->qtype);
+ if (cr)
+ {
+ LogDNSSEC("ProveInsecureCallback: Non-existence proved and %s is a delegation for %##s (%s)", CRDisplayString(m, cr),
+ question->qname.c, DNSTypeName(question->qtype));
+ DeliverInsecureProofResult(m, ic, DNSSEC_Insecure);
+ return;
+ }
+ // Could be a ENT. Go one more level down to see whether it is a secure delegation or not.
+ if (!SameDomainName(&question->qname, &pdv->origName))
+ {
+ LogDNSSEC("ProveInsecureCallback: Not a delegation %##s (%s), go one more level down", question->qname.c, DNSTypeName(question->qtype));
+ ProveInsecure(m, pdv, ic, mDNSNULL);
+ }
+ else
+ {
+ // Secure denial of existence and the name matches the original query. This means we should have
+ // received an NSEC (if the type does not exist) or signed records (if the name and type exists)
+ // and verified it successfully instead of starting the insecure proof. This could happen e.g.,
+ // Wildcard expanded answer received without NSEC/NSEC3s etc. Also, is it possible that the
+ // zone went from unsigned to signed in a short time ? For now, we return bogus.
+ LogDNSSEC("ProveInsecureCallback: Not a delegation %##s (%s), but reached original name", question->qname.c,
+ DNSTypeName(question->qtype));
+ DeliverInsecureProofResult(m, ic, DNSSEC_Bogus);
+ }
+ }
+ return;
+done:
+ DeliverInsecureProofResult(m, ic, DNSSEC_Bogus);
+}
+
+// We return Insecure if we don't have a trust anchor or we have a trust anchor and
+// can prove that the delegation is not secure (and hence can't establish the trust
+// chain) or the delegation is possibly secure but we don't have the algorithm support
+// to prove that.
+mDNSexport void ProveInsecure(mDNS *const m, DNSSECVerifier *dv, InsecureContext *ic, domainname *trigger)
+{
+ TrustAnchor *ta;
+ domainname *sname;
+
+ if (ic == mDNSNULL)
+ {
+ ic = (InsecureContext *)mDNSPlatformMemAllocate(sizeof(InsecureContext));
+ if (!ic)
+ {
+ LogMsg("mDNSPlatformMemAllocate: ERROR!! memory alloc failed for ic");
+ return;
+ }
+
+ // Save the AuthInfo while we are proving insecure. We don't want to mix up
+ // the auth chain for Bogus and Insecure. If we prove it to be insecure, we
+ // will add the chain corresponding to the insecure proof. Otherwise, we will
+ // restore this chain.
+ if (dv->ac)
+ {
+ if (!dv->saveac)
+ {
+ LogDNSSEC("ProveInsecure: saving authinfo");
+ }
+ else
+ {
+ LogDNSSEC("ProveInsecure: ERROR!! authinfo already set");
+ FreeDNSSECAuthChainInfo(dv->saveac);
+ }
+ dv->saveac = dv->ac;
+ ResetAuthChain(dv);
+ }
+ ic->dv = dv;
+ ic->q.ThisQInterval = -1;
+
+ if (trigger)
+ {
+ LogDNSSEC("ProveInsecure: Setting Trigger %##s", trigger->c);
+ ic->triggerLabelCount = CountLabels(trigger);
+ }
+ else
+ {
+ LogDNSSEC("ProveInsecure: No Trigger");
+ ic->triggerLabelCount = CountLabels(&dv->origName);
+ }
+
+ ta = FindTrustAnchor(m, &dv->origName);
+ if (!ta)
+ {
+ LogDNSSEC("ProveInsecure: TrustAnchor NULL");
+ DeliverInsecureProofResult(m, ic, DNSSEC_Insecure);
+ return;
+ }
+ // We want to skip the labels that is already matched by the trust anchor so
+ // that the first query starts just below the trust anchor
+ ic->skip = CountLabels(&dv->origName) - CountLabels(&ta->zone);
+ if (!ic->skip)
+ {
+ LogDNSSEC("ProveInsecure: origName %##s, skip is zero", dv->origName.c);
+ DeliverInsecureProofResult(m, ic, DNSSEC_Bogus);
+ return;
+ }
+ }
+ // Look for the DS record starting just below the trust anchor.
+ //
+ // 1. If we find an NSEC record, then see if it is a delegation. If it is, then
+ // we are done. Otherwise, go down one more level.
+ //
+ // 2. If we find a DS record and no algorithm support, return "insecure". Otherwise, go
+ // down one more level.
+ //
+ sname = (domainname *)SkipLeadingLabels(&dv->origName, (ic->skip ? ic->skip - 1 : 0));
+ if (!sname)
+ {
+ LogDNSSEC("ProveInsecure: sname NULL, origName %##s, skip %d", dv->origName.c, ic->skip);
+ DeliverInsecureProofResult(m, ic, DNSSEC_Bogus);
+ return;
+ }
+
+ // Insecurity proof is started during the normal bottom-up validation when we have a break in the trust
+ // chain e.g., we get NSEC/NSEC3s when looking up a DS record. Insecurity proof is top-down looking
+ // for a break in the trust chain. If we have already tried the validation (before the insecurity
+ // proof started) for this "sname", then don't bother with the proof. This happens sometimes, when
+ // we can't prove whether a zone is insecurely delegated or not. For example, if we are looking up
+ // host1.secure-nods.secure.example and when we encounter secure-nods, there is no DS record in the
+ // parent. We start the insecurity proof remembering that "secure-nods.secure.example" is the trigger
+ // point. As part of the proof we reach "secure-nods.secure.example". Even though secure.example
+ // prove that the name "secure-nods.secure.example/DS" does not exist, it can't prove that it is a
+ // delegation. So, we continue one more level down to host1.secure-nods.secure.example and we
+ // realize that we already tried the validation and hence abort here.
+
+ if (CountLabels(sname) > ic->triggerLabelCount)
+ {
+ LogDNSSEC("ProveInsecure: Beyond the trigger current name %##s, origName %##s", sname->c, dv->origName.c);
+ DeliverInsecureProofResult(m, ic, DNSSEC_Bogus);
+ return;
+ }
+
+ LogDNSSEC("ProveInsecure: OrigName %##s (%s), Current %##s", dv->origName.c, DNSTypeName(dv->origType), sname->c);
+ ic->skip--;
+ InitializeQuestion(m, &ic->q, dv->InterfaceID, sname, kDNSType_DS, ProveInsecureCallback, ic);
+ ic->q.ValidationRequired = DNSSEC_VALIDATION_INSECURE;
+ ic->q.ValidatingResponse = 0;
+ ic->q.DNSSECAuthInfo = mDNSNULL;
+ mDNS_StartQuery(m, &ic->q);
+}
+
+mDNSexport void BumpDNSSECStats(mDNS *const m, DNSSECStatsAction action, DNSSECStatsType type, mDNSu32 value)
+{
+ switch (type)
+ {
+ case kStatsTypeMemoryUsage:
+ if (action == kStatsActionIncrement)
+ {
+ m->DNSSECStats.TotalMemUsed += value;
+ }
+ else if (action == kStatsActionDecrement)
+ {
+ m->DNSSECStats.TotalMemUsed -= value;
+ }
+ break;
+ case kStatsTypeLatency:
+ if (action == kStatsActionSet)
+ {
+ if (value <= 4)
+ {
+ m->DNSSECStats.Latency0++;
+ }
+ else if (value <= 9)
+ {
+ m->DNSSECStats.Latency5++;
+ }
+ else if (value <= 19)
+ {
+ m->DNSSECStats.Latency10++;
+ }
+ else if (value <= 49)
+ {
+ m->DNSSECStats.Latency20++;
+ }
+ else if (value <= 99)
+ {
+ m->DNSSECStats.Latency50++;
+ }
+ else
+ {
+ m->DNSSECStats.Latency100++;
+ }
+ }
+ break;
+ case kStatsTypeExtraPackets:
+ if (action == kStatsActionSet)
+ {
+ if (value <= 2)
+ {
+ m->DNSSECStats.ExtraPackets0++;
+ }
+ else if (value <= 6)
+ {
+ m->DNSSECStats.ExtraPackets3++;
+ }
+ else if (value <= 9)
+ {
+ m->DNSSECStats.ExtraPackets7++;
+ }
+ else
+ {
+ m->DNSSECStats.ExtraPackets10++;
+ }
+ }
+ break;
+ case kStatsTypeStatus:
+ if (action == kStatsActionSet)
+ {
+ switch(value)
+ {
+ case DNSSEC_Secure:
+ m->DNSSECStats.SecureStatus++;
+ break;
+ case DNSSEC_Insecure:
+ m->DNSSECStats.InsecureStatus++;
+ break;
+ case DNSSEC_Indeterminate:
+ m->DNSSECStats.IndeterminateStatus++;
+ break;
+ case DNSSEC_Bogus:
+ m->DNSSECStats.BogusStatus++;
+ break;
+ case DNSSEC_NoResponse:
+ m->DNSSECStats.NoResponseStatus++;
+ break;
+ default:
+ LogMsg("BumpDNSSECStats: unknown status %d", value);
+ }
+ }
+ break;
+ case kStatsTypeMsgSize:
+ if (action == kStatsActionSet)
+ {
+ if (value <= 1024)
+ {
+ m->DNSSECStats.MsgSize0++;
+ }
+ else if (value <= 2048)
+ {
+ m->DNSSECStats.MsgSize1++;
+ }
+ else
+ {
+ m->DNSSECStats.MsgSize2++;
+ }
+ }
+ break;
+ case kStatsTypeProbe:
+ if (action == kStatsActionIncrement)
+ {
+ m->DNSSECStats.NumProbesSent += value;
+ }
+ break;
+ default:
+ LogMsg("BumpDNSSECStats: unknown type %d", type);
+ }
+ return;
+}
+
+#else // !DNSSEC_DISABLED
+
+mDNSexport void VerifySignature(mDNS *const m, DNSSECVerifier *dv, DNSQuestion *q)
+{
+ (void)m;
+ (void)dv;
+ (void)q;
+}
+
+mDNSexport void BumpDNSSECStats(mDNS *const m, DNSSECStatsAction action, DNSSECStatsType type, mDNSu32 value)
+{
+ (void)m;
+ (void)action;
+ (void)type;
+ (void)value;
+}
+
+mDNSexport void InitializeQuestion(mDNS *const m, DNSQuestion *question, mDNSInterfaceID InterfaceID, const domainname *qname, mDNSu16 qtype, mDNSQuestionCallback *callback, void *context)
+{
+ (void) m;
+ (void) question;
+ (void) InterfaceID;
+ (void) qname;
+ (void) qtype;
+ (void) callback;
+ (void) context;
+}
+
+mDNSexport char *DNSSECStatusName(DNSSECStatus status)
+{
+ (void) status;
+
+ return mDNSNULL;
+}
+
+#endif // !DNSSEC_DISABLED
diff --git a/mDNSResponder/mDNSCore/dnssec.h b/mDNSResponder/mDNSCore/dnssec.h
new file mode 100644
index 00000000..1a8d9535
--- /dev/null
+++ b/mDNSResponder/mDNSCore/dnssec.h
@@ -0,0 +1,157 @@
+/* -*- Mode: C; tab-width: 4 -*-
+ *
+ * Copyright (c) 2011 Apple Computer, Inc. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef __DNSSEC_H
+#define __DNSSEC_H
+
+#include "CryptoAlg.h"
+#include "mDNSDebug.h"
+
+typedef enum
+{
+ RRVS_rr, RRVS_rrsig, RRVS_key, RRVS_rrsig_key, RRVS_ds, RRVS_done,
+} RRVerifierSet;
+
+typedef struct RRVerifier_struct RRVerifier;
+typedef struct DNSSECVerifier_struct DNSSECVerifier;
+typedef struct AuthChain_struct AuthChain;
+typedef struct InsecureContext_struct InsecureContext;
+
+struct RRVerifier_struct
+{
+ RRVerifier *next;
+ mDNSu16 rrtype;
+ mDNSu16 rrclass;
+ mDNSu32 rroriginalttl;
+ mDNSu16 rdlength;
+ mDNSu16 found;
+ mDNSu32 namehash;
+ mDNSu32 rdatahash;
+ domainname name;
+ mDNSu8 *rdata;
+};
+
+// Each AuthChain element has one rrset (with multiple resource records of same type), rrsig and key
+// that validates the rrset.
+struct AuthChain_struct
+{
+ AuthChain *next; // Next element in the chain
+ RRVerifier *rrset; // RRSET that is authenticated
+ RRVerifier *rrsig; // Signature for that RRSET
+ RRVerifier *key; // Public key for that RRSET
+};
+
+#define ResetAuthChain(dv) { \
+ (dv)->ac = mDNSNULL; \
+ (dv)->actail = &((dv)->ac); \
+}
+
+typedef void DNSSECVerifierCallback (mDNS *const m, DNSSECVerifier *dv, DNSSECStatus status);
+//
+// When we do a validation for a question, there might be additional validations that needs to be done e.g.,
+// wildcard expanded answer. It is also possible that in the case of nsec we need to prove both that a wildcard
+// does not apply and the closest encloser proves that name does not exist. We identify these with the following
+// flags.
+//
+// Note: In the following, by "marking the validation", we mean that as part of validation we need to prove
+// the ones that are marked with.
+//
+// A wildcard may be used to answer a question. In that case, we need to verify that the right wildcard was
+// used in answering the question. This is done by marking the validation with WILDCARD_PROVES_ANSWER_EXPANDED.
+//
+// Sometimes we get a NXDOMAIN response. In this case, we may have a wildcard where we need to prove
+// that the wildcard proves that the name does not exist. This is done by marking the validation with
+// WILDCARD_PROVES_NONAME_EXISTS.
+//
+// In the case of NODATA error, sometimes the name may exist but the query type does not exist. This is done by
+// marking the validation with NSEC_PROVES_NOTYPE_EXISTS.
+//
+// In both NXDOMAIN and NODATA proofs, we may have to prove that the NAME does not exist. This is done by marking
+// the validation with NSEC_PROVES_NONAME_EXISTS.
+//
+#define WILDCARD_PROVES_ANSWER_EXPANDED 0x00000001
+#define WILDCARD_PROVES_NONAME_EXISTS 0x00000002
+#define NSEC_PROVES_NOTYPE_EXISTS 0x00000004
+#define NSEC_PROVES_NONAME_EXISTS 0x00000008
+#define NSEC3_OPT_OUT 0x00000010 // OptOut was set in NSEC3
+
+struct DNSSECVerifier_struct
+{
+ domainname origName; // Original question name that needs verification
+ mDNSu16 origType; // Original question type corresponding to origName
+ mDNSu16 currQtype; // Current question type that is being verified
+ mDNSInterfaceID InterfaceID; // InterfaceID of the question
+ DNSQuestion q;
+ mDNSu8 recursed; // Number of times recursed during validation
+ mDNSu8 ValidationRequired; // Copy of the question's ValidationRequired status
+ mDNSu8 InsecureProofDone;
+ mDNSu8 NumPackets; // Number of packets that we send on the wire for DNSSEC verification.
+ mDNSs32 StartTime; // Time the DNSSEC verification starts
+ mDNSu32 flags;
+ RRVerifierSet next;
+ domainname *wildcardName; // set if the answer is wildcard expanded
+ RRVerifier *pendingNSEC;
+ DNSSECVerifierCallback *DVCallback;
+ DNSSECVerifier *parent;
+ RRVerifier *rrset; // rrset for which we have to verify
+ RRVerifier *rrsig; // RRSIG for rrset
+ RRVerifier *key; // DNSKEY for rrset
+ RRVerifier *rrsigKey; // RRSIG for DNSKEY
+ RRVerifier *ds; // DS for DNSKEY set in parent zone
+ AuthChain *saveac;
+ AuthChain *ac;
+ AuthChain **actail;
+ AlgContext *ctx;
+};
+
+
+struct InsecureContext_struct
+{
+ DNSSECVerifier *dv; // dv for which we are doing the insecure proof
+ mDNSu8 skip; // labels to skip for forming the name from origName
+ DNSSECStatus status; // status to deliver when done
+ mDNSu8 triggerLabelCount; // Label count of the name that triggered the insecure proof
+ DNSQuestion q;
+};
+
+#define LogDNSSEC LogOperation
+
+#define DNS_SERIAL_GT(a, b) ((int)((a) - (b)) > 0)
+#define DNS_SERIAL_LT(a, b) ((int)((a) - (b)) < 0)
+
+extern void StartDNSSECVerification(mDNS *const m, void *context);
+extern RRVerifier* AllocateRRVerifier(const ResourceRecord *const rr, mStatus *status);
+extern mStatus AddRRSetToVerifier(DNSSECVerifier *dv, const ResourceRecord *const rr, RRVerifier *rv, RRVerifierSet set);
+extern void VerifySignature(mDNS *const m, DNSSECVerifier *dv, DNSQuestion *q);
+extern void FreeDNSSECVerifier(mDNS *const m, DNSSECVerifier *dv);
+extern DNSSECVerifier *AllocateDNSSECVerifier(mDNS *const m, const domainname *name, mDNSu16 rrtype, mDNSInterfaceID InterfaceID,
+ mDNSu8 ValidationRequired, DNSSECVerifierCallback dvcallback, mDNSQuestionCallback qcallback);
+extern void InitializeQuestion(mDNS *const m, DNSQuestion *question, mDNSInterfaceID InterfaceID, const domainname *qname,
+ mDNSu16 qtype, mDNSQuestionCallback *callback, void *context);
+extern void ValidateRRSIG(DNSSECVerifier *dv, RRVerifierSet type, const ResourceRecord *const rr);
+extern void AuthChainLink(DNSSECVerifier *dv, AuthChain *ae);
+extern mStatus DNSNameToLowerCase(domainname *d, domainname *result);
+extern int DNSMemCmp(const mDNSu8 *const m1, const mDNSu8 *const m2, int len);
+extern int DNSSECCanonicalOrder(const domainname *const d1, const domainname *const d2, int *subdomain);
+extern void ProveInsecure(mDNS *const m, DNSSECVerifier *dv, InsecureContext *ic, domainname *trigger);
+extern void BumpDNSSECStats(mDNS *const m, DNSSECStatsAction action, DNSSECStatsType type, mDNSu32 value);
+extern char *DNSSECStatusName(DNSSECStatus status);
+
+// DNSSECProbe belongs in DNSSECSupport.h but then we don't want to expose yet another plaform specific dnssec file
+// to other platforms where dnssec is not supported.
+extern void DNSSECProbe(mDNS *const m);
+
+#endif // __DNSSEC_H
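Review bot: `DNS_SERIAL_GT` and `DNS_SERIAL_LT` cast the difference to plain `int`, so the wrap-around comparison is only correct on targets where `int` is exactly 32 bits wide. The rest of this header uses the project's fixed-width types (for example `mDNSs32 StartTime`), so I would write `#define DNS_SERIAL_GT(a, b) ((mDNSs32)((mDNSu32)(a) - (mDNSu32)(b)) > 0)` and the matching `< 0` form for `DNS_SERIAL_LT`. The callers are not visible in this hunk, but if these macros guard RRSIG inception/expiration checks, a wrong width would let a signature be accepted or rejected outside its validity window. A one-line comment such as `// RFC 1982 serial-number comparison; both arguments must be 32-bit values` above the two macros would record the contract.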
diff --git a/mDNSResponder/mDNSCore/mDNS.c b/mDNSResponder/mDNSCore/mDNS.c
new file mode 100755
index 00000000..71c7a395
--- /dev/null
+++ b/mDNSResponder/mDNSCore/mDNS.c
@@ -0,0 +1,15034 @@
+/* -*- Mode: C; tab-width: 4 -*-
+ *
+ * Copyright (c) 2002-2013 Apple Computer, Inc. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This code is completely 100% portable C. It does not depend on any external header files
+ * from outside the mDNS project -- all the types it expects to find are defined right here.
+ *
+ * The previous point is very important: This file does not depend on any external
+ * header files. It should compile on *any* platform that has a C compiler, without
+ * making *any* assumptions about availability of so-called "standard" C functions,
+ * routines, or types (which may or may not be present on any given platform).
+ */
+
+#include "DNSCommon.h" // Defines general DNS untility routines
+#include "uDNS.h" // Defines entry points into unicast-specific routines
+#include "nsec.h"
+#include "dnssec.h"
+#include "anonymous.h"
+
+// Disable certain benign warnings with Microsoft compilers
+#if (defined(_MSC_VER))
+// Disable "conditional expression is constant" warning for debug macros.
+// Otherwise, this generates warnings for the perfectly natural construct "while(1)"
+// If someone knows a variant way of writing "while(1)" that doesn't generate warning messages, please let us know
+ #pragma warning(disable:4127)
+
+// Disable "assignment within conditional expression".
+// Other compilers understand the convention that if you place the assignment expression within an extra pair
+// of parentheses, this signals to the compiler that you really intended an assignment and no warning is necessary.
+// The Microsoft compiler doesn't understand this convention, so in the absense of any other way to signal
+// to the compiler that the assignment is intentional, we have to just turn this warning off completely.
+ #pragma warning(disable:4706)
+#endif
+
+#include "dns_sd.h" // for kDNSServiceFlags* definitions
+
+#if APPLE_OSX_mDNSResponder
+
+#include <WebFilterDNS/WebFilterDNS.h>
+
+#if !NO_WCF
+WCFConnection *WCFConnectionNew(void) __attribute__((weak_import));
+void WCFConnectionDealloc(WCFConnection* c) __attribute__((weak_import));
+
+// Do we really need to define a macro for "if"?
+#define CHECK_WCF_FUNCTION(X) if (X)
+#endif // ! NO_WCF
+
+#else
+
+#define NO_WCF 1
+#endif // APPLE_OSX_mDNSResponder
+
+// Forward declarations
+mDNSlocal void BeginSleepProcessing(mDNS *const m);
+mDNSlocal void RetrySPSRegistrations(mDNS *const m);
+mDNSlocal void SendWakeup(mDNS *const m, mDNSInterfaceID InterfaceID, mDNSEthAddr *EthAddr, mDNSOpaque48 *password);
+mDNSlocal mDNSBool CacheRecordRmvEventsForQuestion(mDNS *const m, DNSQuestion *q);
+mDNSlocal mDNSBool LocalRecordRmvEventsForQuestion(mDNS *const m, DNSQuestion *q);
+mDNSlocal void mDNS_PurgeForQuestion(mDNS *const m, DNSQuestion *q);
+mDNSlocal void CheckForDNSSECRecords(mDNS *const m, DNSQuestion *q);
+mDNSlocal void mDNS_SendKeepalives(mDNS *const m);
+mDNSlocal void mDNS_ExtractKeepaliveInfo(AuthRecord *ar, mDNSu32 *timeout, mDNSAddr *laddr, mDNSAddr *raddr, mDNSEthAddr *eth,
+ mDNSu32 *seq, mDNSu32 *ack, mDNSIPPort *lport, mDNSIPPort *rport, mDNSu16 *win);
+
+mDNSlocal void AdvertiseAllInterfaceRecords(mDNS *const m);
+mDNSlocal void DeadvertiseAllInterfaceRecords(mDNS *const m);
+mDNSlocal void FreeNSECRecords(mDNS *const m, CacheRecord *NSECRecords);
+mDNSlocal void mDNSParseNSEC3Records(mDNS *const m, const DNSMessage *const response, const mDNSu8 *end,
+ const mDNSInterfaceID InterfaceID, CacheRecord **NSEC3Records);
+
+
+// ***************************************************************************
+#if COMPILER_LIKES_PRAGMA_MARK
+#pragma mark - Program Constants
+#endif
+
+// To Turn OFF mDNS_Tracer set MDNS_TRACER to 0 or undef it
+#define MDNS_TRACER 1
+
+#define NO_HINFO 1
+
+// Any records bigger than this are considered 'large' records
+#define SmallRecordLimit 1024
+
+#define kMaxUpdateCredits 10
+#define kUpdateCreditRefreshInterval (mDNSPlatformOneSecond * 6)
+
+// define special NR_AnswerTo values
+#define NR_AnswerMulticast (mDNSu8*)~0
+#define NR_AnswerUnicast (mDNSu8*)~1
+
+// Defined to set the kDNSQClass_UnicastResponse bit in the first four query packets.
+// else, it's just set it the first query.
+#define mDNS_REQUEST_UNICAST_RESPONSE 0
+
+// The code (see SendQueries() and BuildQuestion()) needs to have the
+// RequestUnicast value set to a value one greater than the number of times you want the query
+// sent with the "request unicast response" (QU) bit set.
+#define SET_QU_IN_FIRST_QUERY 2
+#define SET_QU_IN_FIRST_FOUR_QUERIES 5
+
+
+mDNSexport const char *const mDNS_DomainTypeNames[] =
+{
+ "b._dns-sd._udp.", // Browse
+ "db._dns-sd._udp.", // Default Browse
+ "lb._dns-sd._udp.", // Automatic Browse
+ "r._dns-sd._udp.", // Registration
+ "dr._dns-sd._udp." // Default Registration
+};
+
+#ifdef UNICAST_DISABLED
+#define uDNS_IsActiveQuery(q, u) mDNSfalse
+#endif
+
+// ***************************************************************************
+#if COMPILER_LIKES_PRAGMA_MARK
+#pragma mark -
+#pragma mark - General Utility Functions
+#endif
+
+// Returns true if this is a unique, authoritative LocalOnly record that answers questions of type
+// A, AAAA , CNAME, or PTR. The caller should answer the question with this record and not send out
+// the question on the wire if LocalOnlyRecordAnswersQuestion() also returns true.
+// Main use is to handle /etc/hosts records and the LocalOnly PTR records created for localhost.
+#define UniqueLocalOnlyRecord(rr) ((rr)->ARType == AuthRecordLocalOnly && \
+ (rr)->resrec.RecordType & kDNSRecordTypeUniqueMask && \
+ ((rr)->resrec.rrtype == kDNSType_A || (rr)->resrec.rrtype == kDNSType_AAAA || \
+ (rr)->resrec.rrtype == kDNSType_CNAME || \
+ (rr)->resrec.rrtype == kDNSType_PTR))
+
+mDNSlocal void SetNextQueryStopTime(mDNS *const m, const DNSQuestion *const q)
+{
+ mDNS_CheckLock(m);
+
+#if ForceAlerts
+ if (m->mDNS_busy != m->mDNS_reentrancy+1) *(long*)0 = 0;
+#endif
+
+ if (m->NextScheduledStopTime - q->StopTime > 0)
+ m->NextScheduledStopTime = q->StopTime;
+}
+
+mDNSexport void SetNextQueryTime(mDNS *const m, const DNSQuestion *const q)
+{
+ mDNS_CheckLock(m);
+
+#if ForceAlerts
+ if (m->mDNS_busy != m->mDNS_reentrancy+1) *(long*)0 = 0;
+#endif
+
+ if (ActiveQuestion(q))
+ {
+ // Depending on whether this is a multicast or unicast question we want to set either:
+ // m->NextScheduledQuery = NextQSendTime(q) or
+ // m->NextuDNSEvent = NextQSendTime(q)
+ mDNSs32 *const timer = mDNSOpaque16IsZero(q->TargetQID) ? &m->NextScheduledQuery : &m->NextuDNSEvent;
+ if (*timer - NextQSendTime(q) > 0)
+ *timer = NextQSendTime(q);
+ }
+}
+
+mDNSlocal void ReleaseAuthEntity(AuthHash *r, AuthEntity *e)
+{
+#if APPLE_OSX_mDNSResponder && MACOSX_MDNS_MALLOC_DEBUGGING >= 1
+ unsigned int i;
+ for (i=0; i<sizeof(*e); i++) ((char*)e)[i] = 0xFF;
+#endif
+ e->next = r->rrauth_free;
+ r->rrauth_free = e;
+ r->rrauth_totalused--;
+}
+
+mDNSlocal void ReleaseAuthGroup(AuthHash *r, AuthGroup **cp)
+{
+ AuthEntity *e = (AuthEntity *)(*cp);
+ LogMsg("ReleaseAuthGroup: Releasing AuthGroup %##s", (*cp)->name->c);
+ if ((*cp)->rrauth_tail != &(*cp)->members)
+ LogMsg("ERROR: (*cp)->members == mDNSNULL but (*cp)->rrauth_tail != &(*cp)->members)");
+ if ((*cp)->name != (domainname*)((*cp)->namestorage)) mDNSPlatformMemFree((*cp)->name);
+ (*cp)->name = mDNSNULL;
+ *cp = (*cp)->next; // Cut record from list
+ ReleaseAuthEntity(r, e);
+}
+
+mDNSlocal AuthEntity *GetAuthEntity(AuthHash *r, const AuthGroup *const PreserveAG)
+{
+ AuthEntity *e = mDNSNULL;
+
+ if (r->rrauth_lock) { LogMsg("GetFreeCacheRR ERROR! Cache already locked!"); return(mDNSNULL); }
+ r->rrauth_lock = 1;
+
+ if (!r->rrauth_free)
+ {
+ // We allocate just one AuthEntity at a time because we need to be able
+ // free them all individually which normally happens when we parse /etc/hosts into
+ // AuthHash where we add the "new" entries and discard (free) the already added
+ // entries. If we allocate as chunks, we can't free them individually.
+ AuthEntity *storage = mDNSPlatformMemAllocate(sizeof(AuthEntity));
+ storage->next = mDNSNULL;
+ r->rrauth_free = storage;
+ }
+
+ // If we still have no free records, recycle all the records we can.
+ // Enumerating the entire auth is moderately expensive, so when we do it, we reclaim all the records we can in one pass.
+ if (!r->rrauth_free)
+ {
+ mDNSu32 oldtotalused = r->rrauth_totalused;
+ mDNSu32 slot;
+ for (slot = 0; slot < AUTH_HASH_SLOTS; slot++)
+ {
+ AuthGroup **cp = &r->rrauth_hash[slot];
+ while (*cp)
+ {
+ if ((*cp)->members || (*cp)==PreserveAG) cp=&(*cp)->next;
+ else ReleaseAuthGroup(r, cp);
+ }
+ }
+ LogInfo("GetAuthEntity: Recycled %d records to reduce auth cache from %d to %d",
+ oldtotalused - r->rrauth_totalused, oldtotalused, r->rrauth_totalused);
+ }
+
+ if (r->rrauth_free) // If there are records in the free list, take one
+ {
+ e = r->rrauth_free;
+ r->rrauth_free = e->next;
+ if (++r->rrauth_totalused >= r->rrauth_report)
+ {
+ LogInfo("RR Auth now using %ld objects", r->rrauth_totalused);
+ if (r->rrauth_report < 100) r->rrauth_report += 10;
+ else if (r->rrauth_report < 1000) r->rrauth_report += 100;
+ else r->rrauth_report += 1000;
+ }
+ mDNSPlatformMemZero(e, sizeof(*e));
+ }
+
+ r->rrauth_lock = 0;
+
+ return(e);
+}
+
+mDNSexport AuthGroup *AuthGroupForName(AuthHash *r, const mDNSu32 slot, const mDNSu32 namehash, const domainname *const name)
+{
+ AuthGroup *ag;
+ for (ag = r->rrauth_hash[slot]; ag; ag=ag->next)
+ if (ag->namehash == namehash && SameDomainName(ag->name, name))
+ break;
+ return(ag);
+}
+
+mDNSexport AuthGroup *AuthGroupForRecord(AuthHash *r, const mDNSu32 slot, const ResourceRecord *const rr)
+{
+ return(AuthGroupForName(r, slot, rr->namehash, rr->name));
+}
+
+mDNSlocal AuthGroup *GetAuthGroup(AuthHash *r, const mDNSu32 slot, const ResourceRecord *const rr)
+{
+ mDNSu16 namelen = DomainNameLength(rr->name);
+ AuthGroup *ag = (AuthGroup*)GetAuthEntity(r, mDNSNULL);
+ if (!ag) { LogMsg("GetAuthGroup: Failed to allocate memory for %##s", rr->name->c); return(mDNSNULL); }
+ ag->next = r->rrauth_hash[slot];
+ ag->namehash = rr->namehash;
+ ag->members = mDNSNULL;
+ ag->rrauth_tail = &ag->members;
+ ag->NewLocalOnlyRecords = mDNSNULL;
+ if (namelen > sizeof(ag->namestorage))
+ ag->name = mDNSPlatformMemAllocate(namelen);
+ else
+ ag->name = (domainname*)ag->namestorage;
+ if (!ag->name)
+ {
+ LogMsg("GetAuthGroup: Failed to allocate name storage for %##s", rr->name->c);
+ ReleaseAuthEntity(r, (AuthEntity*)ag);
+ return(mDNSNULL);
+ }
+ AssignDomainName(ag->name, rr->name);
+
+ if (AuthGroupForRecord(r, slot, rr)) LogMsg("GetAuthGroup: Already have AuthGroup for %##s", rr->name->c);
+ r->rrauth_hash[slot] = ag;
+ if (AuthGroupForRecord(r, slot, rr) != ag) LogMsg("GetAuthGroup: Not finding AuthGroup for %##s", rr->name->c);
+
+ return(ag);
+}
+
+// Returns the AuthGroup in which the AuthRecord was inserted
+mDNSexport AuthGroup *InsertAuthRecord(mDNS *const m, AuthHash *r, AuthRecord *rr)
+{
+ AuthGroup *ag;
+ const mDNSu32 slot = AuthHashSlot(rr->resrec.name);
+ ag = AuthGroupForRecord(r, slot, &rr->resrec);
+ if (!ag) ag = GetAuthGroup(r, slot, &rr->resrec); // If we don't have a AuthGroup for this name, make one now
+ if (ag)
+ {
+ LogInfo("InsertAuthRecord: inserting auth record %s from table", ARDisplayString(m, rr));
+ *(ag->rrauth_tail) = rr; // Append this record to tail of cache slot list
+ ag->rrauth_tail = &(rr->next); // Advance tail pointer
+ }
+ return ag;
+}
+
+mDNSexport AuthGroup *RemoveAuthRecord(mDNS *const m, AuthHash *r, AuthRecord *rr)
+{
+ AuthGroup *a;
+ AuthGroup **ag = &a;
+ AuthRecord **rp;
+ const mDNSu32 slot = AuthHashSlot(rr->resrec.name);
+
+ a = AuthGroupForRecord(r, slot, &rr->resrec);
+ if (!a) { LogMsg("RemoveAuthRecord: ERROR!! AuthGroup not found for %s", ARDisplayString(m, rr)); return mDNSNULL; }
+ rp = &(*ag)->members;
+ while (*rp)
+ {
+ if (*rp != rr)
+ rp=&(*rp)->next;
+ else
+ {
+ // We don't break here, so that we can set the tail below without tracking "prev" pointers
+
+ LogInfo("RemoveAuthRecord: removing auth record %s from table", ARDisplayString(m, rr));
+ *rp = (*rp)->next; // Cut record from list
+ }
+ }
+ // TBD: If there are no more members, release authgroup ?
+ (*ag)->rrauth_tail = rp;
+ return a;
+}
+
+mDNSexport CacheGroup *CacheGroupForName(const mDNS *const m, const mDNSu32 slot, const mDNSu32 namehash, const domainname *const name)
+{
+ CacheGroup *cg;
+ for (cg = m->rrcache_hash[slot]; cg; cg=cg->next)
+ if (cg->namehash == namehash && SameDomainName(cg->name, name))
+ break;
+ return(cg);
+}
+
+mDNSlocal CacheGroup *CacheGroupForRecord(const mDNS *const m, const mDNSu32 slot, const ResourceRecord *const rr)
+{
+ return(CacheGroupForName(m, slot, rr->namehash, rr->name));
+}
+
+mDNSexport mDNSBool mDNS_AddressIsLocalSubnet(mDNS *const m, const mDNSInterfaceID InterfaceID, const mDNSAddr *addr, mDNSBool *myself)
+{
+ NetworkInterfaceInfo *intf;
+
+ if (addr->type == mDNSAddrType_IPv4)
+ {
+ // Normally we resist touching the NotAnInteger fields, but here we're doing tricky bitwise masking so we make an exception
+ if (mDNSv4AddressIsLinkLocal(&addr->ip.v4)) return(mDNStrue);
+ for (intf = m->HostInterfaces; intf; intf = intf->next)
+ if (intf->ip.type == addr->type && intf->InterfaceID == InterfaceID && intf->McastTxRx)
+ if (((intf->ip.ip.v4.NotAnInteger ^ addr->ip.v4.NotAnInteger) & intf->mask.ip.v4.NotAnInteger) == 0)
+ {
+ if (myself)
+ {
+ if (mDNSSameIPv4Address(intf->ip.ip.v4, addr->ip.v4))
+ *myself = mDNStrue;
+ else
+ *myself = mDNSfalse;
+ if (*myself)
+ debugf("mDNS_AddressIsLocalSubnet: IPv4 %#a returning true", addr);
+ else
+ debugf("mDNS_AddressIsLocalSubnet: IPv4 %#a returning false", addr);
+ }
+ return(mDNStrue);
+ }
+ }
+
+ if (addr->type == mDNSAddrType_IPv6)
+ {
+ for (intf = m->HostInterfaces; intf; intf = intf->next)
+ if (intf->ip.type == addr->type && intf->InterfaceID == InterfaceID && intf->McastTxRx)
+ if ((((intf->ip.ip.v6.l[0] ^ addr->ip.v6.l[0]) & intf->mask.ip.v6.l[0]) == 0) &&
+ (((intf->ip.ip.v6.l[1] ^ addr->ip.v6.l[1]) & intf->mask.ip.v6.l[1]) == 0) &&
+ (((intf->ip.ip.v6.l[2] ^ addr->ip.v6.l[2]) & intf->mask.ip.v6.l[2]) == 0) &&
+ (((intf->ip.ip.v6.l[3] ^ addr->ip.v6.l[3]) & intf->mask.ip.v6.l[3]) == 0))
+ {
+ if (myself)
+ {
+ if (mDNSSameIPv6Address(intf->ip.ip.v6, addr->ip.v6))
+ *myself = mDNStrue;
+ else
+ *myself = mDNSfalse;
+ if (*myself)
+ debugf("mDNS_AddressIsLocalSubnet: IPv6 %#a returning true", addr);
+ else
+ debugf("mDNS_AddressIsLocalSubnet: IPv6 %#a returning false", addr);
+ }
+ return(mDNStrue);
+ }
+ }
+
+ return(mDNSfalse);
+}
+
+mDNSlocal NetworkInterfaceInfo *FirstInterfaceForID(mDNS *const m, const mDNSInterfaceID InterfaceID)
+{
+ NetworkInterfaceInfo *intf = m->HostInterfaces;
+ while (intf && intf->InterfaceID != InterfaceID) intf = intf->next;
+ return(intf);
+}
+
+mDNSlocal NetworkInterfaceInfo *FirstIPv4LLInterfaceForID(mDNS *const m, const mDNSInterfaceID InterfaceID)
+{
+ NetworkInterfaceInfo *intf;
+
+ if (!InterfaceID)
+ return mDNSNULL;
+
+ // Note: We don't check for InterfaceActive, as the active interface could be IPv6 and
+ // we still want to find the first IPv4 Link-Local interface
+ for (intf = m->HostInterfaces; intf; intf = intf->next)
+ {
+ if (intf->InterfaceID == InterfaceID &&
+ intf->ip.type == mDNSAddrType_IPv4 && mDNSv4AddressIsLinkLocal(&intf->ip.ip.v4))
+ {
+ debugf("FirstIPv4LLInterfaceForID: found LL interface with address %.4a", &intf->ip.ip.v4);
+ return intf;
+ }
+ }
+ return (mDNSNULL);
+}
+
+mDNSexport char *InterfaceNameForID(mDNS *const m, const mDNSInterfaceID InterfaceID)
+{
+ NetworkInterfaceInfo *intf = FirstInterfaceForID(m, InterfaceID);
+ return(intf ? intf->ifname : mDNSNULL);
+}
+
+// Caller should hold the lock
+mDNSlocal void GenerateNegativeResponse(mDNS *const m, QC_result qc)
+{
+ DNSQuestion *q;
+ if (!m->CurrentQuestion) { LogMsg("GenerateNegativeResponse: ERROR!! CurrentQuestion not set"); return; }
+ q = m->CurrentQuestion;
+ LogInfo("GenerateNegativeResponse: Generating negative response for question %##s (%s)", q->qname.c, DNSTypeName(q->qtype));
+
+ MakeNegativeCacheRecord(m, &m->rec.r, &q->qname, q->qnamehash, q->qtype, q->qclass, 60, mDNSInterface_Any, mDNSNULL);
+ // We need to force the response through in the following cases
+ //
+ // a) SuppressUnusable questions that are suppressed
+ // b) Append search domains and retry the question
+ //
+ // The question may not have set Intermediates in which case we don't deliver negative responses. So, to force
+ // through we use "QC_forceresponse".
+ AnswerCurrentQuestionWithResourceRecord(m, &m->rec.r, qc);
+ if (m->CurrentQuestion == q) { q->ThisQInterval = 0; } // Deactivate this question
+ // Don't touch the question after this
+ m->rec.r.resrec.RecordType = 0; // Clear RecordType to show we're not still using it
+}
+
+mDNSexport void AnswerQuestionByFollowingCNAME(mDNS *const m, DNSQuestion *q, ResourceRecord *rr)
+{
+ const mDNSBool selfref = SameDomainName(&q->qname, &rr->rdata->u.name);
+ if (q->CNAMEReferrals >= 10 || selfref)
+ LogMsg("AnswerQuestionByFollowingCNAME: %p %##s (%s) NOT following CNAME referral %d%s for %s",
+ q, q->qname.c, DNSTypeName(q->qtype), q->CNAMEReferrals, selfref ? " (Self-Referential)" : "", RRDisplayString(m, rr));
+ else
+ {
+ const mDNSu32 c = q->CNAMEReferrals + 1; // Stash a copy of the new q->CNAMEReferrals value
+ UDPSocket *sock = q->LocalSocket;
+ mDNSOpaque16 id = q->TargetQID;
+
+ // if there is a message waiting at the socket, we want to process that instead
+ // of throwing it away. If we have a CNAME response that answers
+ // both A and AAAA question and while answering it we don't want to throw
+ // away the response where the actual addresses are present.
+ if (mDNSPlatformPeekUDP(m, q->LocalSocket))
+ {
+ LogInfo("AnswerQuestionByFollowingCNAME: Preserving UDP socket for %##s (%s)", q->qname.c, DNSTypeName(q->qtype));
+ q->LocalSocket = mDNSNULL;
+ }
+ else
+ {
+ sock = mDNSNULL;
+ }
+
+ // The SameDomainName check above is to ignore bogus CNAME records that point right back at
+ // themselves. Without that check we can get into a case where we have two duplicate questions,
+ // A and B, and when we stop question A, UpdateQuestionDuplicates copies the value of CNAMEReferrals
+ // from A to B, and then A is re-appended to the end of the list as a duplicate of B (because
+ // the target name is still the same), and then when we stop question B, UpdateQuestionDuplicates
+ // copies the B's value of CNAMEReferrals back to A, and we end up not incrementing CNAMEReferrals
+ // for either of them. This is not a problem for CNAME loops of two or more records because in
+ // those cases the newly re-appended question A has a different target name and therefore cannot be
+ // a duplicate of any other question ('B') which was itself a duplicate of the previous question A.
+
+ // Right now we just stop and re-use the existing query. If we really wanted to be 100% perfect,
+ // and track CNAMEs coming and going, we should really create a subordinate query here,
+ // which we would subsequently cancel and retract if the CNAME referral record were removed.
+ // In reality this is such a corner case we'll ignore it until someone actually needs it.
+
+ LogInfo("AnswerQuestionByFollowingCNAME: %p %##s (%s) following CNAME referral %d for %s",
+ q, q->qname.c, DNSTypeName(q->qtype), q->CNAMEReferrals, RRDisplayString(m, rr));
+
+ mDNS_StopQuery_internal(m, q); // Stop old query
+ AssignDomainName(&q->qname, &rr->rdata->u.name); // Update qname
+ q->qnamehash = DomainNameHashValue(&q->qname); // and namehash
+ // If a unicast query results in a CNAME that points to a .local, we need to re-try
+ // this as unicast. Setting the mDNSInterface_Unicast tells mDNS_StartQuery_internal
+ // to try this as unicast query even though it is a .local name
+ if (!mDNSOpaque16IsZero(q->TargetQID) && IsLocalDomain(&q->qname))
+ {
+ LogInfo("AnswerQuestionByFollowingCNAME: Resolving a .local CNAME %p %##s (%s) Record %s",
+ q, q->qname.c, DNSTypeName(q->qtype), RRDisplayString(m, rr));
+ q->InterfaceID = mDNSInterface_Unicast;
+ }
+ mDNS_StartQuery_internal(m, q); // start new query
+ // Record how many times we've done this. We need to do this *after* mDNS_StartQuery_internal,
+ // because mDNS_StartQuery_internal re-initializes CNAMEReferrals to zero
+ q->CNAMEReferrals = c;
+ if (sock)
+ {
+ // We have a message waiting and that should answer this question.
+ if (q->LocalSocket)
+ mDNSPlatformUDPClose(q->LocalSocket);
+ q->LocalSocket = sock;
+ q->TargetQID = id;
+ }
+ }
+}
+
+// For a single given DNSQuestion pointed to by CurrentQuestion, deliver an add/remove result for the single given AuthRecord
+// Note: All the callers should use the m->CurrentQuestion to see if the question is still valid or not
+mDNSlocal void AnswerLocalQuestionWithLocalAuthRecord(mDNS *const m, AuthRecord *rr, QC_result AddRecord)
+{
+ DNSQuestion *q = m->CurrentQuestion;
+ mDNSBool followcname;
+
+ if (!q)
+ {
+ LogMsg("AnswerLocalQuestionWithLocalAuthRecord: ERROR!! CurrentQuestion NULL while answering with %s", ARDisplayString(m, rr));
+ return;
+ }
+
+ followcname = FollowCNAME(q, &rr->resrec, AddRecord);
+
+ // We should not be delivering results for record types Unregistered, Deregistering, and (unverified) Unique
+ if (!(rr->resrec.RecordType & kDNSRecordTypeActiveMask))
+ {
+ LogMsg("AnswerLocalQuestionWithLocalAuthRecord: *NOT* delivering %s event for local record type %X %s",
+ AddRecord ? "Add" : "Rmv", rr->resrec.RecordType, ARDisplayString(m, rr));
+ return;
+ }
+
+ // Indicate that we've given at least one positive answer for this record, so we should be prepared to send a goodbye for it
+ if (AddRecord) rr->AnsweredLocalQ = mDNStrue;
+ mDNS_DropLockBeforeCallback(); // Allow client to legally make mDNS API calls from the callback
+ if (q->QuestionCallback && !q->NoAnswer)
+ {
+ q->CurrentAnswers += AddRecord ? 1 : -1;
+ if (UniqueLocalOnlyRecord(rr))
+ {
+ if (!followcname || q->ReturnIntermed)
+ {
+ // Don't send this packet on the wire as we answered from /etc/hosts
+ q->ThisQInterval = 0;
+ q->LOAddressAnswers += AddRecord ? 1 : -1;
+ q->QuestionCallback(m, q, &rr->resrec, AddRecord);
+ }
+ mDNS_ReclaimLockAfterCallback(); // Decrement mDNS_reentrancy to block mDNS API calls again
+ // The callback above could have caused the question to stop. Detect that
+ // using m->CurrentQuestion
+ if (followcname && m->CurrentQuestion == q)
+ AnswerQuestionByFollowingCNAME(m, q, &rr->resrec);
+ return;
+ }
+ else
+ {
+ q->QuestionCallback(m, q, &rr->resrec, AddRecord);
+ }
+ }
+ mDNS_ReclaimLockAfterCallback(); // Decrement mDNS_reentrancy to block mDNS API calls again
+}
+
+mDNSlocal void AnswerInterfaceAnyQuestionsWithLocalAuthRecord(mDNS *const m, AuthRecord *rr, QC_result AddRecord)
+{
+ if (m->CurrentQuestion)
+ LogMsg("AnswerInterfaceAnyQuestionsWithLocalAuthRecord: ERROR m->CurrentQuestion already set: %##s (%s)",
+ m->CurrentQuestion->qname.c, DNSTypeName(m->CurrentQuestion->qtype));
+ m->CurrentQuestion = m->Questions;
+ while (m->CurrentQuestion && m->CurrentQuestion != m->NewQuestions)
+ {
+ mDNSBool answered;
+ DNSQuestion *q = m->CurrentQuestion;
+ if (RRAny(rr))
+ answered = ResourceRecordAnswersQuestion(&rr->resrec, q);
+ else
+ answered = LocalOnlyRecordAnswersQuestion(rr, q);
+ if (answered)
+ AnswerLocalQuestionWithLocalAuthRecord(m, rr, AddRecord); // MUST NOT dereference q again
+ if (m->CurrentQuestion == q) // If m->CurrentQuestion was not auto-advanced, do it ourselves now
+ m->CurrentQuestion = q->next;
+ }
+ m->CurrentQuestion = mDNSNULL;
+}
+
+// When a new local AuthRecord is created or deleted, AnswerAllLocalQuestionsWithLocalAuthRecord()
+// delivers the appropriate add/remove events to listening questions:
+// 1. It runs though all our LocalOnlyQuestions delivering answers as appropriate,
+// stopping if it reaches a NewLocalOnlyQuestion -- brand-new questions are handled by AnswerNewLocalOnlyQuestion().
+// 2. If the AuthRecord is marked mDNSInterface_LocalOnly or mDNSInterface_P2P, then it also runs though
+// our main question list, delivering answers to mDNSInterface_Any questions as appropriate,
+// stopping if it reaches a NewQuestion -- brand-new questions are handled by AnswerNewQuestion().
+//
+// AnswerAllLocalQuestionsWithLocalAuthRecord is used by the m->NewLocalRecords loop in mDNS_Execute(),
+// and by mDNS_Deregister_internal()
+
+mDNSlocal void AnswerAllLocalQuestionsWithLocalAuthRecord(mDNS *const m, AuthRecord *rr, QC_result AddRecord)
+{
+ if (m->CurrentQuestion)
+ LogMsg("AnswerAllLocalQuestionsWithLocalAuthRecord ERROR m->CurrentQuestion already set: %##s (%s)",
+ m->CurrentQuestion->qname.c, DNSTypeName(m->CurrentQuestion->qtype));
+
+ m->CurrentQuestion = m->LocalOnlyQuestions;
+ while (m->CurrentQuestion && m->CurrentQuestion != m->NewLocalOnlyQuestions)
+ {
+ mDNSBool answered;
+ DNSQuestion *q = m->CurrentQuestion;
+ // We are called with both LocalOnly/P2P record or a regular AuthRecord
+ if (RRAny(rr))
+ answered = ResourceRecordAnswersQuestion(&rr->resrec, q);
+ else
+ answered = LocalOnlyRecordAnswersQuestion(rr, q);
+ if (answered)
+ AnswerLocalQuestionWithLocalAuthRecord(m, rr, AddRecord); // MUST NOT dereference q again
+ if (m->CurrentQuestion == q) // If m->CurrentQuestion was not auto-advanced, do it ourselves now
+ m->CurrentQuestion = q->next;
+ }
+
+ m->CurrentQuestion = mDNSNULL;
+
+ // If this AuthRecord is marked LocalOnly or P2P, then we want to deliver it to all local 'mDNSInterface_Any' questions
+ if (rr->ARType == AuthRecordLocalOnly || rr->ARType == AuthRecordP2P)
+ AnswerInterfaceAnyQuestionsWithLocalAuthRecord(m, rr, AddRecord);
+
+}
+
+// ***************************************************************************
+#if COMPILER_LIKES_PRAGMA_MARK
+#pragma mark -
+#pragma mark - Resource Record Utility Functions
+#endif
+
+#define RRTypeIsAddressType(T) ((T) == kDNSType_A || (T) == kDNSType_AAAA)
+
+#define ResourceRecordIsValidAnswer(RR) ( ((RR)->resrec.RecordType & kDNSRecordTypeActiveMask) && \
+ ((RR)->Additional1 == mDNSNULL || ((RR)->Additional1->resrec.RecordType & kDNSRecordTypeActiveMask)) && \
+ ((RR)->Additional2 == mDNSNULL || ((RR)->Additional2->resrec.RecordType & kDNSRecordTypeActiveMask)) && \
+ ((RR)->DependentOn == mDNSNULL || ((RR)->DependentOn->resrec.RecordType & kDNSRecordTypeActiveMask)) )
+
+#define ResourceRecordIsValidInterfaceAnswer(RR, INTID) \
+ (ResourceRecordIsValidAnswer(RR) && \
+ ((RR)->resrec.InterfaceID == mDNSInterface_Any || (RR)->resrec.InterfaceID == (INTID)))
+
+#define DefaultProbeCountForTypeUnique ((mDNSu8)3)
+#define DefaultProbeCountForRecordType(X) ((X) == kDNSRecordTypeUnique ? DefaultProbeCountForTypeUnique : (mDNSu8)0)
+
+// See RFC 6762: "8.3 Announcing"
+// "The Multicast DNS responder MUST send at least two unsolicited responses, one second apart."
+// Send 4, which is really 8 since we send on both IPv4 and IPv6.
+#define InitialAnnounceCount ((mDNSu8)4)
+
+// For goodbye packets we set the count to 3, and for wakeups we set it to 18
+// (which will be up to 15 wakeup attempts over the course of 30 seconds,
+// and then if the machine fails to wake, 3 goodbye packets).
+#define GoodbyeCount ((mDNSu8)3)
+#define WakeupCount ((mDNSu8)18)
+#define MAX_PROBE_RESTARTS ((mDNSu8)20)
+
+// Number of wakeups we send if WakeOnResolve is set in the question
+#define InitialWakeOnResolveCount ((mDNSu8)3)
+
+// Note that the announce intervals use exponential backoff, doubling each time. The probe intervals do not.
+// This means that because the announce interval is doubled after sending the first packet, the first
+// observed on-the-wire inter-packet interval between announcements is actually one second.
+// The half-second value here may be thought of as a conceptual (non-existent) half-second delay *before* the first packet is sent.
+#define DefaultProbeIntervalForTypeUnique (mDNSPlatformOneSecond/4)
+#define DefaultAnnounceIntervalForTypeShared (mDNSPlatformOneSecond/2)
+#define DefaultAnnounceIntervalForTypeUnique (mDNSPlatformOneSecond/2)
+
+#define DefaultAPIntervalForRecordType(X) ((X) &kDNSRecordTypeActiveSharedMask ? DefaultAnnounceIntervalForTypeShared : \
+ (X) &kDNSRecordTypeUnique ? DefaultProbeIntervalForTypeUnique : \
+ (X) &kDNSRecordTypeActiveUniqueMask ? DefaultAnnounceIntervalForTypeUnique : 0)
+
+#define TimeToAnnounceThisRecord(RR,time) ((RR)->AnnounceCount && (time) - ((RR)->LastAPTime + (RR)->ThisAPInterval) >= 0)
+#define TimeToSendThisRecord(RR,time) ((TimeToAnnounceThisRecord(RR,time) || (RR)->ImmedAnswer) && ResourceRecordIsValidAnswer(RR))
+#define TicksTTL(RR) ((mDNSs32)(RR)->resrec.rroriginalttl * mDNSPlatformOneSecond)
+#define RRExpireTime(RR) ((RR)->TimeRcvd + TicksTTL(RR))
+
+// Adjustment factor to avoid race condition (used for unicast cache entries) :
+// Suppose real record has TTL of 3600, and our local caching server has held it for 3500 seconds, so it returns an aged TTL of 100.
+// If we do our normal refresh at 80% of the TTL, our local caching server will return 20 seconds, so we'll do another
+// 80% refresh after 16 seconds, and then the server will return 4 seconds, and so on, in the fashion of Zeno's paradox.
+// To avoid this, we extend the record's effective TTL to give it a little extra grace period.
+// We adjust the 100 second TTL to 127. This means that when we do our 80% query at 102 seconds,
+// the cached copy at our local caching server will already have expired, so the server will be forced
+// to fetch a fresh copy from the authoritative server, and then return a fresh record with the full TTL of 3600 seconds.
+
+#define RRAdjustTTL(ttl) ((ttl) + ((ttl)/4) + 2)
+#define RRUnadjustedTTL(ttl) ((((ttl) - 2) * 4) / 5)
+
+#define MaxUnansweredQueries 4
+
+// SameResourceRecordSignature returns true if two resources records have the same name, type, and class, and may be sent
+// (or were received) on the same interface (i.e. if *both* records specify an interface, then it has to match).
+// TTL and rdata may differ.
+// This is used for cache flush management:
+// When sending a unique record, all other records matching "SameResourceRecordSignature" must also be sent
+// When receiving a unique record, all old cache records matching "SameResourceRecordSignature" are flushed
+
+// SameResourceRecordNameClassInterface is functionally the same as SameResourceRecordSignature, except rrtype does not have to match
+
+#define SameResourceRecordSignature(A,B) (A)->resrec.rrtype == (B)->resrec.rrtype && SameResourceRecordNameClassInterface((A),(B))
+
+mDNSlocal mDNSBool SameResourceRecordNameClassInterface(const AuthRecord *const r1, const AuthRecord *const r2)
+{
+ if (!r1) { LogMsg("SameResourceRecordSignature ERROR: r1 is NULL"); return(mDNSfalse); }
+ if (!r2) { LogMsg("SameResourceRecordSignature ERROR: r2 is NULL"); return(mDNSfalse); }
+ if (r1->resrec.InterfaceID &&
+ r2->resrec.InterfaceID &&
+ r1->resrec.InterfaceID != r2->resrec.InterfaceID) return(mDNSfalse);
+ return (mDNSBool)(
+ r1->resrec.rrclass == r2->resrec.rrclass &&
+ r1->resrec.namehash == r2->resrec.namehash &&
+ SameDomainName(r1->resrec.name, r2->resrec.name));
+}
+
+// PacketRRMatchesSignature behaves as SameResourceRecordSignature, except that types may differ if our
+// authoratative record is unique (as opposed to shared). For unique records, we are supposed to have
+// complete ownership of *all* types for this name, so *any* record type with the same name is a conflict.
+// In addition, when probing we send our questions with the wildcard type kDNSQType_ANY,
+// so a response of any type should match, even if it is not actually the type the client plans to use.
+
+// For now, to make it easier to avoid false conflicts, we treat SPS Proxy records like shared records,
+// and require the rrtypes to match for the rdata to be considered potentially conflicting
+mDNSlocal mDNSBool PacketRRMatchesSignature(const CacheRecord *const pktrr, const AuthRecord *const authrr)
+{
+ if (!pktrr) { LogMsg("PacketRRMatchesSignature ERROR: pktrr is NULL"); return(mDNSfalse); }
+ if (!authrr) { LogMsg("PacketRRMatchesSignature ERROR: authrr is NULL"); return(mDNSfalse); }
+ if (pktrr->resrec.InterfaceID &&
+ authrr->resrec.InterfaceID &&
+ pktrr->resrec.InterfaceID != authrr->resrec.InterfaceID) return(mDNSfalse);
+ if (!(authrr->resrec.RecordType & kDNSRecordTypeUniqueMask) || authrr->WakeUp.HMAC.l[0])
+ if (pktrr->resrec.rrtype != authrr->resrec.rrtype) return(mDNSfalse);
+ return (mDNSBool)(
+ pktrr->resrec.rrclass == authrr->resrec.rrclass &&
+ pktrr->resrec.namehash == authrr->resrec.namehash &&
+ SameDomainName(pktrr->resrec.name, authrr->resrec.name));
+}
+
+// CacheRecord *ka is the CacheRecord from the known answer list in the query.
+// This is the information that the requester believes to be correct.
+// AuthRecord *rr is the answer we are proposing to give, if not suppressed.
+// This is the information that we believe to be correct.
+// We've already determined that we plan to give this answer on this interface
+// (either the record is non-specific, or it is specific to this interface)
+// so now we just need to check the name, type, class, rdata and TTL.
+mDNSlocal mDNSBool ShouldSuppressKnownAnswer(const CacheRecord *const ka, const AuthRecord *const rr)
+{
+ // If RR signature is different, or data is different, then don't suppress our answer
+ if (!IdenticalResourceRecord(&ka->resrec, &rr->resrec)) return(mDNSfalse);
+
+ // If the requester's indicated TTL is less than half the real TTL,
+ // we need to give our answer before the requester's copy expires.
+ // If the requester's indicated TTL is at least half the real TTL,
+ // then we can suppress our answer this time.
+ // If the requester's indicated TTL is greater than the TTL we believe,
+ // then that's okay, and we don't need to do anything about it.
+ // (If two responders on the network are offering the same information,
+ // that's okay, and if they are offering the information with different TTLs,
+ // the one offering the lower TTL should defer to the one offering the higher TTL.)
+ return (mDNSBool)(ka->resrec.rroriginalttl >= rr->resrec.rroriginalttl / 2);
+}
+
+mDNSlocal void SetNextAnnounceProbeTime(mDNS *const m, const AuthRecord *const rr)
+{
+ if (rr->resrec.RecordType == kDNSRecordTypeUnique)
+ {
+ if ((rr->LastAPTime + rr->ThisAPInterval) - m->timenow > mDNSPlatformOneSecond * 10)
+ {
+ LogMsg("SetNextAnnounceProbeTime: ProbeCount %d Next in %d %s", rr->ProbeCount, (rr->LastAPTime + rr->ThisAPInterval) - m->timenow, ARDisplayString(m, rr));
+ LogMsg("SetNextAnnounceProbeTime: m->SuppressProbes %d m->timenow %d diff %d", m->SuppressProbes, m->timenow, m->SuppressProbes - m->timenow);
+ }
+ if (m->NextScheduledProbe - (rr->LastAPTime + rr->ThisAPInterval) >= 0)
+ m->NextScheduledProbe = (rr->LastAPTime + rr->ThisAPInterval);
+ // Some defensive code:
+ // If (rr->LastAPTime + rr->ThisAPInterval) happens to be far in the past, we don't want to allow
+ // NextScheduledProbe to be set excessively in the past, because that can cause bad things to happen.
+ // See: <rdar://problem/7795434> mDNS: Sometimes advertising stops working and record interval is set to zero
+ if (m->NextScheduledProbe - m->timenow < 0)
+ m->NextScheduledProbe = m->timenow;
+ }
+ else if (rr->AnnounceCount && (ResourceRecordIsValidAnswer(rr) || rr->resrec.RecordType == kDNSRecordTypeDeregistering))
+ {
+ if (m->NextScheduledResponse - (rr->LastAPTime + rr->ThisAPInterval) >= 0)
+ m->NextScheduledResponse = (rr->LastAPTime + rr->ThisAPInterval);
+ }
+}
+
+mDNSlocal void InitializeLastAPTime(mDNS *const m, AuthRecord *const rr)
+{
+ // For reverse-mapping Sleep Proxy PTR records, probe interval is one second
+ rr->ThisAPInterval = rr->AddressProxy.type ? mDNSPlatformOneSecond : DefaultAPIntervalForRecordType(rr->resrec.RecordType);
+
+ // * If this is a record type that's going to probe, then we use the m->SuppressProbes time.
+ // * Otherwise, if it's not going to probe, but m->SuppressProbes is set because we have other
+ // records that are going to probe, then we delay its first announcement so that it will
+ // go out synchronized with the first announcement for the other records that *are* probing.
+ // This is a minor performance tweak that helps keep groups of related records synchronized together.
+ // The addition of "interval / 2" is to make sure that, in the event that any of the probes are
+ // delayed by a few milliseconds, this announcement does not inadvertently go out *before* the probing is complete.
+ // When the probing is complete and those records begin to announce, these records will also be picked up and accelerated,
+ // because they will meet the criterion of being at least half-way to their scheduled announcement time.
+ // * If it's not going to probe and m->SuppressProbes is not already set then we should announce immediately.
+
+ if (rr->ProbeCount)
+ {
+ // If we have no probe suppression time set, or it is in the past, set it now
+ if (m->SuppressProbes == 0 || m->SuppressProbes - m->timenow < 0)
+ {
+ // To allow us to aggregate probes when a group of services are registered together,
+ // the first probe is delayed 1/4 second. This means the common-case behaviour is:
+ // 1/4 second wait; probe
+ // 1/4 second wait; probe
+ // 1/4 second wait; probe
+ // 1/4 second wait; announce (i.e. service is normally announced exactly one second after being registered)
+ m->SuppressProbes = NonZeroTime(m->timenow + DefaultProbeIntervalForTypeUnique/2 + mDNSRandom(DefaultProbeIntervalForTypeUnique/2));
+
+ // If we already have a *probe* scheduled to go out sooner, then use that time to get better aggregation
+ if (m->SuppressProbes - m->NextScheduledProbe >= 0)
+ m->SuppressProbes = NonZeroTime(m->NextScheduledProbe);
+ if (m->SuppressProbes - m->timenow < 0) // Make sure we don't set m->SuppressProbes excessively in the past
+ m->SuppressProbes = m->timenow;
+
+ // If we already have a *query* scheduled to go out sooner, then use that time to get better aggregation
+ if (m->SuppressProbes - m->NextScheduledQuery >= 0)
+ m->SuppressProbes = NonZeroTime(m->NextScheduledQuery);
+ if (m->SuppressProbes - m->timenow < 0) // Make sure we don't set m->SuppressProbes excessively in the past
+ m->SuppressProbes = m->timenow;
+
+ // except... don't expect to be able to send before the m->SuppressSending timer fires
+ if (m->SuppressSending && m->SuppressProbes - m->SuppressSending < 0)
+ m->SuppressProbes = NonZeroTime(m->SuppressSending);
+
+ if (m->SuppressProbes - m->timenow > mDNSPlatformOneSecond * 8)
+ {
+ LogMsg("InitializeLastAPTime ERROR m->SuppressProbes %d m->NextScheduledProbe %d m->NextScheduledQuery %d m->SuppressSending %d %d",
+ m->SuppressProbes - m->timenow,
+ m->NextScheduledProbe - m->timenow,
+ m->NextScheduledQuery - m->timenow,
+ m->SuppressSending,
+ m->SuppressSending - m->timenow);
+ m->SuppressProbes = NonZeroTime(m->timenow + DefaultProbeIntervalForTypeUnique/2 + mDNSRandom(DefaultProbeIntervalForTypeUnique/2));
+ }
+ }
+ rr->LastAPTime = m->SuppressProbes - rr->ThisAPInterval;
+ }
+ else if (m->SuppressProbes && m->SuppressProbes - m->timenow >= 0)
+ rr->LastAPTime = m->SuppressProbes - rr->ThisAPInterval + DefaultProbeIntervalForTypeUnique * DefaultProbeCountForTypeUnique + rr->ThisAPInterval / 2;
+ else
+ rr->LastAPTime = m->timenow - rr->ThisAPInterval;
+
+ // For reverse-mapping Sleep Proxy PTR records we don't want to start probing instantly -- we
+ // wait one second to give the client a chance to go to sleep, and then start our ARP/NDP probing.
+ // After three probes one second apart with no answer, we conclude the client is now sleeping
+ // and we can begin broadcasting our announcements to take over ownership of that IP address.
+ // If we don't wait for the client to go to sleep, then when the client sees our ARP Announcements there's a risk
+ // (depending on the OS and networking stack it's using) that it might interpret it as a conflict and change its IP address.
+ if (rr->AddressProxy.type)
+ rr->LastAPTime = m->timenow;
+
+ // Set LastMCTime to now, to inhibit multicast responses
+ // (no need to send additional multicast responses when we're announcing anyway)
+ rr->LastMCTime = m->timenow;
+ rr->LastMCInterface = mDNSInterfaceMark;
+
+ SetNextAnnounceProbeTime(m, rr);
+}
+
+mDNSlocal const domainname *SetUnicastTargetToHostName(mDNS *const m, AuthRecord *rr)
+{
+ const domainname *target;
+ if (rr->AutoTarget)
+ {
+ // For autotunnel services pointing at our IPv6 ULA we don't need or want a NAT mapping, but for all other
+ // advertised services referencing our uDNS hostname, we want NAT mappings automatically created as appropriate,
+ // with the port number in our advertised SRV record automatically tracking the external mapped port.
+ DomainAuthInfo *AuthInfo = GetAuthInfoForName_internal(m, rr->resrec.name);
+ if (!AuthInfo || !AuthInfo->AutoTunnel) rr->AutoTarget = Target_AutoHostAndNATMAP;
+ }
+
+ target = GetServiceTarget(m, rr);
+ if (!target || target->c[0] == 0)
+ {
+ // defer registration until we've got a target
+ LogInfo("SetUnicastTargetToHostName No target for %s", ARDisplayString(m, rr));
+ rr->state = regState_NoTarget;
+ return mDNSNULL;
+ }
+ else
+ {
+ LogInfo("SetUnicastTargetToHostName target %##s for resource record %s", target->c, ARDisplayString(m,rr));
+ return target;
+ }
+}
+
+// Right now this only applies to mDNS (.local) services where the target host is always m->MulticastHostname
+// Eventually we should unify this with GetServiceTarget() in uDNS.c
+mDNSlocal void SetTargetToHostName(mDNS *const m, AuthRecord *const rr)
+{
+ domainname *const target = GetRRDomainNameTarget(&rr->resrec);
+ const domainname *newname = &m->MulticastHostname;
+
+ if (!target) LogInfo("SetTargetToHostName: Don't know how to set the target of rrtype %s", DNSTypeName(rr->resrec.rrtype));
+
+ if (!(rr->ForceMCast || rr->ARType == AuthRecordLocalOnly || rr->ARType == AuthRecordP2P || IsLocalDomain(&rr->namestorage)))
+ {
+ const domainname *const n = SetUnicastTargetToHostName(m, rr);
+ if (n) newname = n;
+ else { target->c[0] = 0; SetNewRData(&rr->resrec, mDNSNULL, 0); return; }
+ }
+
+ if (target && SameDomainName(target, newname))
+ debugf("SetTargetToHostName: Target of %##s is already %##s", rr->resrec.name->c, target->c);
+
+ if (target && !SameDomainName(target, newname))
+ {
+ AssignDomainName(target, newname);
+ SetNewRData(&rr->resrec, mDNSNULL, 0); // Update rdlength, rdestimate, rdatahash
+
+ // If we're in the middle of probing this record, we need to start again,
+ // because changing its rdata may change the outcome of the tie-breaker.
+ // (If the record type is kDNSRecordTypeUnique (unconfirmed unique) then DefaultProbeCountForRecordType is non-zero.)
+ rr->ProbeCount = DefaultProbeCountForRecordType(rr->resrec.RecordType);
+
+ // If we've announced this record, we really should send a goodbye packet for the old rdata before
+ // changing to the new rdata. However, in practice, we only do SetTargetToHostName for unique records,
+ // so when we announce them we'll set the kDNSClass_UniqueRRSet and clear any stale data that way.
+ if (rr->RequireGoodbye && rr->resrec.RecordType == kDNSRecordTypeShared)
+ debugf("Have announced shared record %##s (%s) at least once: should have sent a goodbye packet before updating",
+ rr->resrec.name->c, DNSTypeName(rr->resrec.rrtype));
+
+ rr->AnnounceCount = InitialAnnounceCount;
+ rr->RequireGoodbye = mDNSfalse;
+ rr->ProbeRestartCount = 0;
+ InitializeLastAPTime(m, rr);
+ }
+}
+
+mDNSlocal void AcknowledgeRecord(mDNS *const m, AuthRecord *const rr)
+{
+ if (rr->RecordCallback)
+ {
+ // CAUTION: MUST NOT do anything more with rr after calling rr->Callback(), because the client's callback function
+ // is allowed to do anything, including starting/stopping queries, registering/deregistering records, etc.
+ rr->Acknowledged = mDNStrue;
+ mDNS_DropLockBeforeCallback(); // Allow client to legally make mDNS API calls from the callback
+ rr->RecordCallback(m, rr, mStatus_NoError);
+ mDNS_ReclaimLockAfterCallback(); // Decrement mDNS_reentrancy to block mDNS API calls again
+ }
+}
+
+mDNSexport void ActivateUnicastRegistration(mDNS *const m, AuthRecord *const rr)
+{
+ // Make sure that we don't activate the SRV record and associated service records, if it is in
+ // NoTarget state. First time when a service is being instantiated, SRV record may be in NoTarget state.
+ // We should not activate any of the other reords (PTR, TXT) that are part of the service. When
+ // the target becomes available, the records will be reregistered.
+ if (rr->resrec.rrtype != kDNSType_SRV)
+ {
+ AuthRecord *srvRR = mDNSNULL;
+ if (rr->resrec.rrtype == kDNSType_PTR)
+ srvRR = rr->Additional1;
+ else if (rr->resrec.rrtype == kDNSType_TXT)
+ srvRR = rr->DependentOn;
+ if (srvRR)
+ {
+ if (srvRR->resrec.rrtype != kDNSType_SRV)
+ {
+ LogMsg("ActivateUnicastRegistration: ERROR!! Resource record %s wrong, expecting SRV type", ARDisplayString(m, srvRR));
+ }
+ else
+ {
+ LogInfo("ActivateUnicastRegistration: Found Service Record %s in state %d for %##s (%s)",
+ ARDisplayString(m, srvRR), srvRR->state, rr->resrec.name->c, DNSTypeName(rr->resrec.rrtype));
+ rr->state = srvRR->state;
+ }
+ }
+ }
+
+ if (rr->state == regState_NoTarget)
+ {
+ LogInfo("ActivateUnicastRegistration record %s in regState_NoTarget, not activating", ARDisplayString(m, rr));
+ return;
+ }
+ // When we wake up from sleep, we call ActivateUnicastRegistration. It is possible that just before we went to sleep,
+ // the service/record was being deregistered. In that case, we should not try to register again. For the cases where
+ // the records are deregistered due to e.g., no target for the SRV record, we would have returned from above if it
+ // was already in NoTarget state. If it was in the process of deregistration but did not complete fully before we went
+ // to sleep, then it is okay to start in Pending state as we will go back to NoTarget state if we don't have a target.
+ if (rr->resrec.RecordType == kDNSRecordTypeDeregistering)
+ {
+ LogInfo("ActivateUnicastRegistration: Resource record %s, current state %d, moving to DeregPending", ARDisplayString(m, rr), rr->state);
+ rr->state = regState_DeregPending;
+ }
+ else
+ {
+ LogInfo("ActivateUnicastRegistration: Resource record %s, current state %d, moving to Pending", ARDisplayString(m, rr), rr->state);
+ rr->state = regState_Pending;
+ }
+ rr->ProbeCount = 0;
+ rr->ProbeRestartCount = 0;
+ rr->AnnounceCount = 0;
+ rr->ThisAPInterval = INIT_RECORD_REG_INTERVAL;
+ rr->LastAPTime = m->timenow - rr->ThisAPInterval;
+ rr->expire = 0; // Forget about all the leases, start fresh
+ rr->uselease = mDNStrue;
+ rr->updateid = zeroID;
+ rr->SRVChanged = mDNSfalse;
+ rr->updateError = mStatus_NoError;
+ // RestartRecordGetZoneData calls this function whenever a new interface gets registered with core.
+ // The records might already be registered with the server and hence could have NAT state.
+ if (rr->NATinfo.clientContext)
+ {
+ mDNS_StopNATOperation_internal(m, &rr->NATinfo);
+ rr->NATinfo.clientContext = mDNSNULL;
+ }
+ if (rr->nta) { CancelGetZoneData(m, rr->nta); rr->nta = mDNSNULL; }
+ if (rr->tcp) { DisposeTCPConn(rr->tcp); rr->tcp = mDNSNULL; }
+ if (m->NextuDNSEvent - (rr->LastAPTime + rr->ThisAPInterval) >= 0)
+ m->NextuDNSEvent = (rr->LastAPTime + rr->ThisAPInterval);
+}
+
+// Two records qualify to be local duplicates if:
+// (a) the RecordTypes are the same, or
+// (b) one is Unique and the other Verified
+// (c) either is in the process of deregistering
+#define RecordLDT(A,B) ((A)->resrec.RecordType == (B)->resrec.RecordType || \
+ ((A)->resrec.RecordType | (B)->resrec.RecordType) == (kDNSRecordTypeUnique | kDNSRecordTypeVerified) || \
+ ((A)->resrec.RecordType == kDNSRecordTypeDeregistering || (B)->resrec.RecordType == kDNSRecordTypeDeregistering))
+
+#define RecordIsLocalDuplicate(A,B) \
+ ((A)->resrec.InterfaceID == (B)->resrec.InterfaceID && RecordLDT((A),(B)) && IdenticalResourceRecord(& (A)->resrec, & (B)->resrec))
+
+mDNSlocal AuthRecord *CheckAuthIdenticalRecord(AuthHash *r, AuthRecord *rr)
+{
+ AuthGroup *a;
+ AuthGroup **ag = &a;
+ AuthRecord **rp;
+ const mDNSu32 slot = AuthHashSlot(rr->resrec.name);
+
+ a = AuthGroupForRecord(r, slot, &rr->resrec);
+ if (!a) return mDNSNULL;
+ rp = &(*ag)->members;
+ while (*rp)
+ {
+ if (!RecordIsLocalDuplicate(*rp, rr))
+ rp=&(*rp)->next;
+ else
+ {
+ if ((*rp)->resrec.RecordType == kDNSRecordTypeDeregistering)
+ {
+ (*rp)->AnnounceCount = 0;
+ rp=&(*rp)->next;
+ }
+ else return *rp;
+ }
+ }
+ return (mDNSNULL);
+}
+
+mDNSlocal mDNSBool CheckAuthRecordConflict(AuthHash *r, AuthRecord *rr)
+{
+ AuthGroup *a;
+ AuthGroup **ag = &a;
+ AuthRecord **rp;
+ const mDNSu32 slot = AuthHashSlot(rr->resrec.name);
+
+ a = AuthGroupForRecord(r, slot, &rr->resrec);
+ if (!a) return mDNSfalse;
+ rp = &(*ag)->members;
+ while (*rp)
+ {
+ const AuthRecord *s1 = rr->RRSet ? rr->RRSet : rr;
+ const AuthRecord *s2 = (*rp)->RRSet ? (*rp)->RRSet : *rp;
+ if (s1 != s2 && SameResourceRecordSignature((*rp), rr) && !IdenticalSameNameRecord(&(*rp)->resrec, &rr->resrec))
+ return mDNStrue;
+ else
+ rp=&(*rp)->next;
+ }
+ return (mDNSfalse);
+}
+
+// checks to see if "rr" is already present
+mDNSlocal AuthRecord *CheckAuthSameRecord(AuthHash *r, AuthRecord *rr)
+{
+ AuthGroup *a;
+ AuthGroup **ag = &a;
+ AuthRecord **rp;
+ const mDNSu32 slot = AuthHashSlot(rr->resrec.name);
+
+ a = AuthGroupForRecord(r, slot, &rr->resrec);
+ if (!a) return mDNSNULL;
+ rp = &(*ag)->members;
+ while (*rp)
+ {
+ if (*rp != rr)
+ rp=&(*rp)->next;
+ else
+ {
+ return *rp;
+ }
+ }
+ return (mDNSNULL);
+}
+
+
+mDNSlocal void DecrementAutoTargetServices(mDNS *const m, AuthRecord *const rr)
+{
+ if (!AuthRecord_uDNS(rr) && rr->resrec.rrtype == kDNSType_SRV && rr->AutoTarget == Target_AutoHost)
+ {
+ m->AutoTargetServices--;
+ LogInfo("DecrementAutoTargetServices: AutoService Record %s, AutoTargetServices %d", ARDisplayString(m, rr), m->AutoTargetServices);
+ if (!m->AutoTargetServices)
+ DeadvertiseAllInterfaceRecords(m);
+ }
+}
+
+mDNSlocal void IncrementAutoTargetServices(mDNS *const m, AuthRecord *const rr)
+{
+ if (!AuthRecord_uDNS(rr) && rr->resrec.rrtype == kDNSType_SRV && rr->AutoTarget == Target_AutoHost)
+ {
+ int count = m->AutoTargetServices;
+
+ // Bump up before calling AdvertiseAllInterfaceRecords. AdvertiseInterface
+ // returns without doing anything if the count is zero.
+ m->AutoTargetServices++;
+ LogInfo("IncrementAutoTargetServices: AutoService Record %s, AutoTargetServices %d", ARDisplayString(m, rr), m->AutoTargetServices);
+ if (!count)
+ AdvertiseAllInterfaceRecords(m);
+ }
+}
+
+mDNSlocal void getKeepaliveRaddr(mDNS *const m, AuthRecord *rr, mDNSAddr *raddr)
+{
+ mDNSAddr laddr;
+ mDNSEthAddr eth;
+ mDNSIPPort lport, rport;
+ mDNSu32 timeout, seq, ack;
+ mDNSu16 win;
+
+ if (mDNS_KeepaliveRecord(&rr->resrec))
+ {
+ mDNS_ExtractKeepaliveInfo(rr, &timeout, &laddr, raddr, &eth, &seq, &ack, &lport, &rport, &win);
+ if (!timeout || mDNSAddressIsZero(&laddr) || mDNSAddressIsZero(raddr) || mDNSIPPortIsZero(lport) || mDNSIPPortIsZero(rport))
+ {
+ LogMsg("getKeepaliveRaddr: not a valid record %s for keepalive %#a:%d %#a:%d", ARDisplayString(m, rr), &laddr, lport.NotAnInteger, raddr, rport.NotAnInteger);
+ return;
+ }
+ }
+}
+
+// Exported so uDNS.c can call this
+mDNSexport mStatus mDNS_Register_internal(mDNS *const m, AuthRecord *const rr)
+{
+ domainname *target = GetRRDomainNameTarget(&rr->resrec);
+ AuthRecord *r;
+ AuthRecord **p = &m->ResourceRecords;
+ AuthRecord **d = &m->DuplicateRecords;
+
+ if ((mDNSs32)rr->resrec.rroriginalttl <= 0)
+ { LogMsg("mDNS_Register_internal: TTL %X should be 1 - 0x7FFFFFFF %s", rr->resrec.rroriginalttl, ARDisplayString(m, rr)); return(mStatus_BadParamErr); }
+
+ if (!rr->resrec.RecordType)
+ { LogMsg("mDNS_Register_internal: RecordType must be non-zero %s", ARDisplayString(m, rr)); return(mStatus_BadParamErr); }
+
+ if (m->ShutdownTime)
+ { LogMsg("mDNS_Register_internal: Shutting down, can't register %s", ARDisplayString(m, rr)); return(mStatus_ServiceNotRunning); }
+
+ if (m->DivertMulticastAdvertisements && !AuthRecord_uDNS(rr))
+ {
+ mDNSInterfaceID previousID = rr->resrec.InterfaceID;
+ if (rr->resrec.InterfaceID == mDNSInterface_Any || rr->resrec.InterfaceID == mDNSInterface_P2P)
+ {
+ rr->resrec.InterfaceID = mDNSInterface_LocalOnly;
+ rr->ARType = AuthRecordLocalOnly;
+ }
+ if (rr->resrec.InterfaceID != mDNSInterface_LocalOnly)
+ {
+ NetworkInterfaceInfo *intf = FirstInterfaceForID(m, rr->resrec.InterfaceID);
+ if (intf && !intf->Advertise) { rr->resrec.InterfaceID = mDNSInterface_LocalOnly; rr->ARType = AuthRecordLocalOnly; }
+ }
+ if (rr->resrec.InterfaceID != previousID)
+ LogInfo("mDNS_Register_internal: Diverting record to local-only %s", ARDisplayString(m, rr));
+ }
+
+ if (RRLocalOnly(rr))
+ {
+ if (CheckAuthSameRecord(&m->rrauth, rr))
+ {
+ LogMsg("mDNS_Register_internal: ERROR!! Tried to register LocalOnly AuthRecord %p %##s (%s) that's already in the list",
+ rr, rr->resrec.name->c, DNSTypeName(rr->resrec.rrtype));
+ return(mStatus_AlreadyRegistered);
+ }
+ }
+ else
+ {
+ while (*p && *p != rr) p=&(*p)->next;
+ if (*p)
+ {
+ LogMsg("mDNS_Register_internal: ERROR!! Tried to register AuthRecord %p %##s (%s) that's already in the list",
+ rr, rr->resrec.name->c, DNSTypeName(rr->resrec.rrtype));
+ return(mStatus_AlreadyRegistered);
+ }
+ }
+
+ while (*d && *d != rr) d=&(*d)->next;
+ if (*d)
+ {
+ LogMsg("mDNS_Register_internal: ERROR!! Tried to register AuthRecord %p %##s (%s) that's already in the Duplicate list",
+ rr, rr->resrec.name->c, DNSTypeName(rr->resrec.rrtype));
+ return(mStatus_AlreadyRegistered);
+ }
+
+ if (rr->DependentOn)
+ {
+ if (rr->resrec.RecordType == kDNSRecordTypeUnique)
+ rr->resrec.RecordType = kDNSRecordTypeVerified;
+ else
+ {
+ LogMsg("mDNS_Register_internal: ERROR! %##s (%s): rr->DependentOn && RecordType != kDNSRecordTypeUnique",
+ rr->resrec.name->c, DNSTypeName(rr->resrec.rrtype));
+ return(mStatus_Invalid);
+ }
+ if (!(rr->DependentOn->resrec.RecordType & (kDNSRecordTypeUnique | kDNSRecordTypeVerified | kDNSRecordTypeKnownUnique)))
+ {
+ LogMsg("mDNS_Register_internal: ERROR! %##s (%s): rr->DependentOn->RecordType bad type %X",
+ rr->resrec.name->c, DNSTypeName(rr->resrec.rrtype), rr->DependentOn->resrec.RecordType);
+ return(mStatus_Invalid);
+ }
+ }
+
+ // If this resource record is referencing a specific interface, make sure it exists.
+ // Skip checks for LocalOnly and P2P as they are not valid InterfaceIDs. Also, for scoped
+ // entries in /etc/hosts skip that check as that interface may not be valid at this time.
+ if (rr->resrec.InterfaceID && rr->ARType != AuthRecordLocalOnly && rr->ARType != AuthRecordP2P)
+ {
+ NetworkInterfaceInfo *intf = FirstInterfaceForID(m, rr->resrec.InterfaceID);
+ if (!intf)
+ {
+ debugf("mDNS_Register_internal: Bogus InterfaceID %p in resource record", rr->resrec.InterfaceID);
+ return(mStatus_BadReferenceErr);
+ }
+ }
+
+ rr->next = mDNSNULL;
+
+ // Field Group 1: The actual information pertaining to this resource record
+ // Set up by client prior to call
+
+ // Field Group 2: Persistent metadata for Authoritative Records
+// rr->Additional1 = set to mDNSNULL in mDNS_SetupResourceRecord; may be overridden by client
+// rr->Additional2 = set to mDNSNULL in mDNS_SetupResourceRecord; may be overridden by client
+// rr->DependentOn = set to mDNSNULL in mDNS_SetupResourceRecord; may be overridden by client
+// rr->RRSet = set to mDNSNULL in mDNS_SetupResourceRecord; may be overridden by client
+// rr->Callback = already set in mDNS_SetupResourceRecord
+// rr->Context = already set in mDNS_SetupResourceRecord
+// rr->RecordType = already set in mDNS_SetupResourceRecord
+// rr->HostTarget = set to mDNSfalse in mDNS_SetupResourceRecord; may be overridden by client
+// rr->AllowRemoteQuery = set to mDNSfalse in mDNS_SetupResourceRecord; may be overridden by client
+ // Make sure target is not uninitialized data, or we may crash writing debugging log messages
+ if (rr->AutoTarget && target) target->c[0] = 0;
+
+ // Field Group 3: Transient state for Authoritative Records
+ rr->Acknowledged = mDNSfalse;
+ rr->ProbeCount = DefaultProbeCountForRecordType(rr->resrec.RecordType);
+ rr->ProbeRestartCount = 0;
+ rr->AnnounceCount = InitialAnnounceCount;
+ rr->RequireGoodbye = mDNSfalse;
+ rr->AnsweredLocalQ = mDNSfalse;
+ rr->IncludeInProbe = mDNSfalse;
+ rr->ImmedUnicast = mDNSfalse;
+ rr->SendNSECNow = mDNSNULL;
+ rr->ImmedAnswer = mDNSNULL;
+ rr->ImmedAdditional = mDNSNULL;
+ rr->SendRNow = mDNSNULL;
+ rr->v4Requester = zerov4Addr;
+ rr->v6Requester = zerov6Addr;
+ rr->NextResponse = mDNSNULL;
+ rr->NR_AnswerTo = mDNSNULL;
+ rr->NR_AdditionalTo = mDNSNULL;
+ if (!rr->AutoTarget) InitializeLastAPTime(m, rr);
+// rr->LastAPTime = Set for us in InitializeLastAPTime()
+// rr->LastMCTime = Set for us in InitializeLastAPTime()
+// rr->LastMCInterface = Set for us in InitializeLastAPTime()
+ rr->NewRData = mDNSNULL;
+ rr->newrdlength = 0;
+ rr->UpdateCallback = mDNSNULL;
+ rr->UpdateCredits = kMaxUpdateCredits;
+ rr->NextUpdateCredit = 0;
+ rr->UpdateBlocked = 0;
+
+ // For records we're holding as proxy (except reverse-mapping PTR records) two announcements is sufficient
+ if (rr->WakeUp.HMAC.l[0] && !rr->AddressProxy.type) rr->AnnounceCount = 2;
+
+ // Field Group 4: Transient uDNS state for Authoritative Records
+ rr->state = regState_Zero;
+ rr->uselease = 0;
+ rr->expire = 0;
+ rr->Private = 0;
+ rr->updateid = zeroID;
+ rr->updateIntID = zeroOpaque64;
+ rr->zone = rr->resrec.name;
+ rr->nta = mDNSNULL;
+ rr->tcp = mDNSNULL;
+ rr->OrigRData = 0;
+ rr->OrigRDLen = 0;
+ rr->InFlightRData = 0;
+ rr->InFlightRDLen = 0;
+ rr->QueuedRData = 0;
+ rr->QueuedRDLen = 0;
+ //mDNSPlatformMemZero(&rr->NATinfo, sizeof(rr->NATinfo));
+ // We should be recording the actual internal port for this service record here. Once we initiate our NAT mapping
+ // request we'll subsequently overwrite srv.port with the allocated external NAT port -- potentially multiple
+ // times with different values if the external NAT port changes during the lifetime of the service registration.
+ //if (rr->resrec.rrtype == kDNSType_SRV) rr->NATinfo.IntPort = rr->resrec.rdata->u.srv.port;
+
+// rr->resrec.interface = already set in mDNS_SetupResourceRecord
+// rr->resrec.name->c = MUST be set by client
+// rr->resrec.rrtype = already set in mDNS_SetupResourceRecord
+// rr->resrec.rrclass = already set in mDNS_SetupResourceRecord
+// rr->resrec.rroriginalttl = already set in mDNS_SetupResourceRecord
+// rr->resrec.rdata = MUST be set by client, unless record type is CNAME or PTR and rr->HostTarget is set
+
+ // BIND named (name daemon) doesn't allow TXT records with zero-length rdata. This is strictly speaking correct,
+ // since RFC 1035 specifies a TXT record as "One or more <character-string>s", not "Zero or more <character-string>s".
+ // Since some legacy apps try to create zero-length TXT records, we'll silently correct it here.
+ if (rr->resrec.rrtype == kDNSType_TXT && rr->resrec.rdlength == 0) { rr->resrec.rdlength = 1; rr->resrec.rdata->u.txt.c[0] = 0; }
+
+ if (rr->AutoTarget)
+ {
+ SetTargetToHostName(m, rr); // Also sets rdlength and rdestimate for us, and calls InitializeLastAPTime();
+#ifndef UNICAST_DISABLED
+ // If we have no target record yet, SetTargetToHostName will set rr->state == regState_NoTarget
+ // In this case we leave the record half-formed in the list, and later we'll remove it from the list and re-add it properly.
+ if (rr->state == regState_NoTarget)
+ {
+ // Initialize the target so that we don't crash while logging etc.
+ domainname *tar = GetRRDomainNameTarget(&rr->resrec);
+ if (tar) tar->c[0] = 0;
+ LogInfo("mDNS_Register_internal: record %s in NoTarget state", ARDisplayString(m, rr));
+ }
+#endif
+ }
+ else
+ {
+ rr->resrec.rdlength = GetRDLength(&rr->resrec, mDNSfalse);
+ rr->resrec.rdestimate = GetRDLength(&rr->resrec, mDNStrue);
+ }
+
+ if (!ValidateDomainName(rr->resrec.name))
+ { LogMsg("Attempt to register record with invalid name: %s", ARDisplayString(m, rr)); return(mStatus_Invalid); }
+
+ // Don't do this until *after* we've set rr->resrec.rdlength
+ if (!ValidateRData(rr->resrec.rrtype, rr->resrec.rdlength, rr->resrec.rdata))
+ { LogMsg("Attempt to register record with invalid rdata: %s", ARDisplayString(m, rr)); return(mStatus_Invalid); }
+
+ rr->resrec.namehash = DomainNameHashValue(rr->resrec.name);
+ rr->resrec.rdatahash = target ? DomainNameHashValue(target) : RDataHashValue(&rr->resrec);
+
+ if (RRLocalOnly(rr))
+ {
+ // If this is supposed to be unique, make sure we don't have any name conflicts.
+ // If we found a conflict, we may still want to insert the record in the list but mark it appropriately
+ // (kDNSRecordTypeDeregistering) so that we deliver RMV events to the application. But this causes more
+ // complications and not clear whether there are any benefits. See rdar:9304275 for details.
+ // Hence, just bail out.
+ if (rr->resrec.RecordType & kDNSRecordTypeUniqueMask)
+ {
+ if (CheckAuthRecordConflict(&m->rrauth, rr))
+ {
+ LogInfo("mDNS_Register_internal: Name conflict %s (%p), InterfaceID %p", ARDisplayString(m, rr), rr, rr->resrec.InterfaceID);
+ return mStatus_NameConflict;
+ }
+ }
+ }
+
+ // For uDNS records, we don't support duplicate checks at this time.
+#ifndef UNICAST_DISABLED
+ if (AuthRecord_uDNS(rr))
+ {
+ if (!m->NewLocalRecords) m->NewLocalRecords = rr;
+ // When we called SetTargetToHostName, it may have caused mDNS_Register_internal to be re-entered, appending new
+ // records to the list, so we now need to update p to advance to the new end to the list before appending our new record.
+ // Note that for AutoTunnel this should never happen, but this check makes the code future-proof.
+ while (*p) p=&(*p)->next;
+ *p = rr;
+ if (rr->resrec.RecordType == kDNSRecordTypeUnique) rr->resrec.RecordType = kDNSRecordTypeVerified;
+ rr->ProbeCount = 0;
+ rr->ProbeRestartCount = 0;
+ rr->AnnounceCount = 0;
+ if (rr->state != regState_NoTarget) ActivateUnicastRegistration(m, rr);
+ return(mStatus_NoError); // <--- Note: For unicast records, code currently bails out at this point
+ }
+#endif
+
+ // Now that we've finished building our new record, make sure it's not identical to one we already have
+ if (RRLocalOnly(rr))
+ {
+ rr->ProbeCount = 0;
+ rr->ProbeRestartCount = 0;
+ rr->AnnounceCount = 0;
+ r = CheckAuthIdenticalRecord(&m->rrauth, rr);
+ }
+ else
+ {
+ for (r = m->ResourceRecords; r; r=r->next)
+ if (RecordIsLocalDuplicate(r, rr))
+ {
+ if (r->resrec.RecordType == kDNSRecordTypeDeregistering) r->AnnounceCount = 0;
+ else break;
+ }
+ }
+
+ if (r)
+ {
+ debugf("mDNS_Register_internal:Adding to duplicate list %s", ARDisplayString(m,rr));
+ *d = rr;
+ // If the previous copy of this record is already verified unique,
+ // then indicate that we should move this record promptly to kDNSRecordTypeUnique state.
+ // Setting ProbeCount to zero will cause SendQueries() to advance this record to
+ // kDNSRecordTypeVerified state and call the client callback at the next appropriate time.
+ if (rr->resrec.RecordType == kDNSRecordTypeUnique && r->resrec.RecordType == kDNSRecordTypeVerified)
+ rr->ProbeCount = 0;
+ }
+ else
+ {
+ debugf("mDNS_Register_internal: Adding to active record list %s", ARDisplayString(m,rr));
+ if (RRLocalOnly(rr))
+ {
+ AuthGroup *ag;
+ ag = InsertAuthRecord(m, &m->rrauth, rr);
+ if (ag && !ag->NewLocalOnlyRecords) {
+ m->NewLocalOnlyRecords = mDNStrue;
+ ag->NewLocalOnlyRecords = rr;
+ }
+ // No probing for LocalOnly records, Acknowledge them right away
+ if (rr->resrec.RecordType == kDNSRecordTypeUnique) rr->resrec.RecordType = kDNSRecordTypeVerified;
+ AcknowledgeRecord(m, rr);
+ return(mStatus_NoError);
+ }
+ else
+ {
+ if (!m->NewLocalRecords) m->NewLocalRecords = rr;
+ *p = rr;
+ }
+ }
+
+ // If this is a keepalive record, fetch the MAC address of the remote host.
+ // This is used by the in-NIC proxy to send the keepalive packets.
+ if (mDNS_KeepaliveRecord(&rr->resrec))
+ {
+ // Set the record type to known unique to prevent probing keep alive records.
+ // Also make sure we do not announce the keepalive records.
+ rr->resrec.RecordType = kDNSRecordTypeKnownUnique;
+ rr->AnnounceCount = 0;
+ mDNSAddr raddr;
+ getKeepaliveRaddr(m, rr, &raddr);
+ // This is an asynchronous call. Once the remote MAC address is available, helper will schedule an
+ // asynchronous task to update the resource record
+ mDNSPlatformGetRemoteMacAddr(m, &raddr);
+ }
+
+ if (!AuthRecord_uDNS(rr)) // This check is superfluous, given that for unicast records we (currently) bail out above
+ {
+ // We have inserted the record in the list. See if we have to advertise the A/AAAA,HINFO,PTR records.
+ IncrementAutoTargetServices(m, rr);
+ // For records that are not going to probe, acknowledge them right away
+ if (rr->resrec.RecordType != kDNSRecordTypeUnique && rr->resrec.RecordType != kDNSRecordTypeDeregistering)
+ AcknowledgeRecord(m, rr);
+
+ // Adding a record may affect whether or not we should sleep
+ mDNS_UpdateAllowSleep(m);
+ }
+
+ return(mStatus_NoError);
+}
+
+mDNSlocal void RecordProbeFailure(mDNS *const m, const AuthRecord *const rr)
+{
+ m->ProbeFailTime = m->timenow;
+ m->NumFailedProbes++;
+ // If we've had fifteen or more probe failures, rate-limit to one every five seconds.
+ // If a bunch of hosts have all been configured with the same name, then they'll all
+ // conflict and run through the same series of names: name-2, name-3, name-4, etc.,
+ // up to name-10. After that they'll start adding random increments in the range 1-100,
+ // so they're more likely to branch out in the available namespace and settle on a set of
+ // unique names quickly. If after five more tries the host is still conflicting, then we
+ // may have a serious problem, so we start rate-limiting so we don't melt down the network.
+ if (m->NumFailedProbes >= 15)
+ {
+ m->SuppressProbes = NonZeroTime(m->timenow + mDNSPlatformOneSecond * 5);
+ LogMsg("Excessive name conflicts (%lu) for %##s (%s); rate limiting in effect",
+ m->NumFailedProbes, rr->resrec.name->c, DNSTypeName(rr->resrec.rrtype));
+ }
+}
+
+mDNSlocal void CompleteRDataUpdate(mDNS *const m, AuthRecord *const rr)
+{
+ RData *OldRData = rr->resrec.rdata;
+ mDNSu16 OldRDLen = rr->resrec.rdlength;
+ SetNewRData(&rr->resrec, rr->NewRData, rr->newrdlength); // Update our rdata
+ rr->NewRData = mDNSNULL; // Clear the NewRData pointer ...
+ if (rr->UpdateCallback)
+ rr->UpdateCallback(m, rr, OldRData, OldRDLen); // ... and let the client know
+}
+
+// Note: mDNS_Deregister_internal can call a user callback, which may change the record list and/or question list.
+// Any code walking either list must use the CurrentQuestion and/or CurrentRecord mechanism to protect against this.
+// Exported so uDNS.c can call this
+mDNSexport mStatus mDNS_Deregister_internal(mDNS *const m, AuthRecord *const rr, mDNS_Dereg_type drt)
+{
+ AuthRecord *r2;
+ mDNSu8 RecordType = rr->resrec.RecordType;
+ AuthRecord **p = &m->ResourceRecords; // Find this record in our list of active records
+ mDNSBool dupList = mDNSfalse;
+
+ if (RRLocalOnly(rr))
+ {
+ AuthGroup *a;
+ AuthGroup **ag = &a;
+ AuthRecord **rp;
+ const mDNSu32 slot = AuthHashSlot(rr->resrec.name);
+
+ a = AuthGroupForRecord(&m->rrauth, slot, &rr->resrec);
+ if (!a) return mDNSfalse;
+ rp = &(*ag)->members;
+ while (*rp && *rp != rr) rp=&(*rp)->next;
+ p = rp;
+ }
+ else
+ {
+ while (*p && *p != rr) p=&(*p)->next;
+ }
+
+ if (*p)
+ {
+ // We found our record on the main list. See if there are any duplicates that need special handling.
+ if (drt == mDNS_Dereg_conflict) // If this was a conflict, see that all duplicates get the same treatment
+ {
+ // Scan for duplicates of rr, and mark them for deregistration at the end of this routine, after we've finished
+ // deregistering rr. We need to do this scan *before* we give the client the chance to free and reuse the rr memory.
+ for (r2 = m->DuplicateRecords; r2; r2=r2->next) if (RecordIsLocalDuplicate(r2, rr)) r2->ProbeCount = 0xFF;
+ }
+ else
+ {
+ // Before we delete the record (and potentially send a goodbye packet)
+ // first see if we have a record on the duplicate list ready to take over from it.
+ AuthRecord **d = &m->DuplicateRecords;
+ while (*d && !RecordIsLocalDuplicate(*d, rr)) d=&(*d)->next;
+ if (*d)
+ {
+ AuthRecord *dup = *d;
+ debugf("mDNS_Register_internal: Duplicate record %p taking over from %p %##s (%s)",
+ dup, rr, rr->resrec.name->c, DNSTypeName(rr->resrec.rrtype));
+ *d = dup->next; // Cut replacement record from DuplicateRecords list
+ if (RRLocalOnly(rr))
+ {
+ dup->next = mDNSNULL;
+ if (!InsertAuthRecord(m, &m->rrauth, dup)) LogMsg("mDNS_Deregister_internal: ERROR!! cannot insert %s", ARDisplayString(m, dup));
+ }
+ else
+ {
+ dup->next = rr->next; // And then...
+ rr->next = dup; // ... splice it in right after the record we're about to delete
+ }
+ dup->resrec.RecordType = rr->resrec.RecordType;
+ dup->ProbeCount = rr->ProbeCount;
+ dup->ProbeRestartCount = rr->ProbeRestartCount;
+ dup->AnnounceCount = rr->AnnounceCount;
+ dup->RequireGoodbye = rr->RequireGoodbye;
+ dup->AnsweredLocalQ = rr->AnsweredLocalQ;
+ dup->ImmedAnswer = rr->ImmedAnswer;
+ dup->ImmedUnicast = rr->ImmedUnicast;
+ dup->ImmedAdditional = rr->ImmedAdditional;
+ dup->v4Requester = rr->v4Requester;
+ dup->v6Requester = rr->v6Requester;
+ dup->ThisAPInterval = rr->ThisAPInterval;
+ dup->LastAPTime = rr->LastAPTime;
+ dup->LastMCTime = rr->LastMCTime;
+ dup->LastMCInterface = rr->LastMCInterface;
+ dup->Private = rr->Private;
+ dup->state = rr->state;
+ rr->RequireGoodbye = mDNSfalse;
+ rr->AnsweredLocalQ = mDNSfalse;
+ }
+ }
+ }
+ else
+ {
+ // We didn't find our record on the main list; try the DuplicateRecords list instead.
+ p = &m->DuplicateRecords;
+ while (*p && *p != rr) p=&(*p)->next;
+ // If we found our record on the duplicate list, then make sure we don't send a goodbye for it
+ if (*p)
+ {
+ // Duplicate records are not used for sending wakeups or goodbyes. Hence, deregister them
+ // immediately. When there is a conflict, we deregister all the conflicting duplicate records
+ // also that have been marked above in this function. In that case, we come here and if we don't
+ // deregister (unilink from the DuplicateRecords list), we will be recursing infinitely. Hence,
+ // clear the HMAC which will cause it to deregister. See <rdar://problem/10380988> for
+ // details.
+ rr->WakeUp.HMAC = zeroEthAddr;
+ rr->RequireGoodbye = mDNSfalse;
+ rr->resrec.RecordType = kDNSRecordTypeDeregistering;
+ dupList = mDNStrue;
+ }
+ if (*p) debugf("mDNS_Deregister_internal: Deleting DuplicateRecord %p %##s (%s)",
+ rr, rr->resrec.name->c, DNSTypeName(rr->resrec.rrtype));
+ }
+
+ if (!*p)
+ {
+ // No need to log an error message if we already know this is a potentially repeated deregistration
+ if (drt != mDNS_Dereg_repeat)
+ LogMsg("mDNS_Deregister_internal: Record %p not found in list %s", rr, ARDisplayString(m,rr));
+ return(mStatus_BadReferenceErr);
+ }
+
+ // If this is a shared record and we've announced it at least once,
+ // we need to retract that announcement before we delete the record
+
+ // If this is a record (including mDNSInterface_LocalOnly records) for which we've given local-only answers then
+ // it's tempting to just do "AnswerAllLocalQuestionsWithLocalAuthRecord(m, rr, mDNSfalse)" here, but that would not not be safe.
+ // The AnswerAllLocalQuestionsWithLocalAuthRecord routine walks the question list invoking client callbacks, using the "m->CurrentQuestion"
+ // mechanism to cope with the client callback modifying the question list while that's happening.
+ // However, mDNS_Deregister could have been called from a client callback (e.g. from the domain enumeration callback FoundDomain)
+ // which means that the "m->CurrentQuestion" mechanism is already in use to protect that list, so we can't use it twice.
+ // More generally, if we invoke callbacks from within a client callback, then those callbacks could deregister other
+ // records, thereby invoking yet more callbacks, without limit.
+ // The solution is to defer delivering the "Remove" events until mDNS_Execute time, just like we do for sending
+ // actual goodbye packets.
+
+#ifndef UNICAST_DISABLED
+ if (AuthRecord_uDNS(rr))
+ {
+ if (rr->RequireGoodbye)
+ {
+ if (rr->tcp) { DisposeTCPConn(rr->tcp); rr->tcp = mDNSNULL; }
+ rr->resrec.RecordType = kDNSRecordTypeDeregistering;
+ m->LocalRemoveEvents = mDNStrue;
+ uDNS_DeregisterRecord(m, rr);
+ // At this point unconditionally we bail out
+ // Either uDNS_DeregisterRecord will have completed synchronously, and called CompleteDeregistration,
+ // which calls us back here with RequireGoodbye set to false, or it will have initiated the deregistration
+ // process and will complete asynchronously. Either way we don't need to do anything more here.
+ return(mStatus_NoError);
+ }
+ // Sometimes the records don't complete proper deregistration i.e., don't wait for a response
+ // from the server. In that case, if the records have been part of a group update, clear the
+ // state here. Some recors e.g., AutoTunnel gets reused without ever being completely initialized
+ rr->updateid = zeroID;
+
+ // We defer cleaning up NAT state only after sending goodbyes. This is important because
+ // RecordRegistrationGotZoneData guards against creating NAT state if clientContext is non-NULL.
+ // This happens today when we turn on/off interface where we get multiple network transitions
+ // and RestartRecordGetZoneData triggers re-registration of the resource records even though
+ // they may be in Registered state which causes NAT information to be setup multiple times. Defering
+ // the cleanup here keeps clientContext non-NULL and hence prevents that. Note that cleaning up
+ // NAT state here takes care of the case where we did not send goodbyes at all.
+ if (rr->NATinfo.clientContext)
+ {
+ mDNS_StopNATOperation_internal(m, &rr->NATinfo);
+ rr->NATinfo.clientContext = mDNSNULL;
+ }
+ if (rr->nta) { CancelGetZoneData(m, rr->nta); rr->nta = mDNSNULL; }
+ if (rr->tcp) { DisposeTCPConn(rr->tcp); rr->tcp = mDNSNULL; }
+ }
+#endif // UNICAST_DISABLED
+
+ if (RecordType == kDNSRecordTypeUnregistered)
+ LogMsg("mDNS_Deregister_internal: %s already marked kDNSRecordTypeUnregistered", ARDisplayString(m, rr));
+ else if (RecordType == kDNSRecordTypeDeregistering)
+ {
+ LogMsg("mDNS_Deregister_internal: %s already marked kDNSRecordTypeDeregistering", ARDisplayString(m, rr));
+ return(mStatus_BadReferenceErr);
+ }
+
+ // <rdar://problem/7457925> Local-only questions don't get remove events for unique records
+ // We may want to consider changing this code so that we generate local-only question "rmv"
+ // events (and maybe goodbye packets too) for unique records as well as for shared records
+ // Note: If we change the logic for this "if" statement, need to ensure that the code in
+ // CompleteDeregistration() sets the appropriate state variables to gaurantee that "else"
+ // clause will execute here and the record will be cut from the list.
+ if (rr->WakeUp.HMAC.l[0] ||
+ (RecordType == kDNSRecordTypeShared && (rr->RequireGoodbye || rr->AnsweredLocalQ)))
+ {
+ verbosedebugf("mDNS_Deregister_internal: Starting deregistration for %s", ARDisplayString(m, rr));
+ rr->resrec.RecordType = kDNSRecordTypeDeregistering;
+ rr->resrec.rroriginalttl = 0;
+ rr->AnnounceCount = rr->WakeUp.HMAC.l[0] ? WakeupCount : (drt == mDNS_Dereg_rapid) ? 1 : GoodbyeCount;
+ rr->ThisAPInterval = mDNSPlatformOneSecond * 2;
+ rr->LastAPTime = m->timenow - rr->ThisAPInterval;
+ m->LocalRemoveEvents = mDNStrue;
+ if (m->NextScheduledResponse - (m->timenow + mDNSPlatformOneSecond/10) >= 0)
+ m->NextScheduledResponse = (m->timenow + mDNSPlatformOneSecond/10);
+ }
+ else
+ {
+ if (!dupList && RRLocalOnly(rr))
+ {
+ AuthGroup *ag = RemoveAuthRecord(m, &m->rrauth, rr);
+ if (ag->NewLocalOnlyRecords == rr) ag->NewLocalOnlyRecords = rr->next;
+ }
+ else
+ {
+ *p = rr->next; // Cut this record from the list
+ if (m->NewLocalRecords == rr) m->NewLocalRecords = rr->next;
+ DecrementAutoTargetServices(m, rr);
+ }
+ // If someone is about to look at this, bump the pointer forward
+ if (m->CurrentRecord == rr) m->CurrentRecord = rr->next;
+ rr->next = mDNSNULL;
+
+ // Should we generate local remove events here?
+ // i.e. something like:
+ // if (rr->AnsweredLocalQ) { AnswerAllLocalQuestionsWithLocalAuthRecord(m, rr, mDNSfalse); rr->AnsweredLocalQ = mDNSfalse; }
+
+ verbosedebugf("mDNS_Deregister_internal: Deleting record for %s", ARDisplayString(m, rr));
+ rr->resrec.RecordType = kDNSRecordTypeUnregistered;
+
+ if ((drt == mDNS_Dereg_conflict || drt == mDNS_Dereg_repeat) && RecordType == kDNSRecordTypeShared)
+ debugf("mDNS_Deregister_internal: Cannot have a conflict on a shared record! %##s (%s)",
+ rr->resrec.name->c, DNSTypeName(rr->resrec.rrtype));
+
+ // If we have an update queued up which never executed, give the client a chance to free that memory
+ if (rr->NewRData) CompleteRDataUpdate(m, rr); // Update our rdata, clear the NewRData pointer, and return memory to the client
+
+
+ // CAUTION: MUST NOT do anything more with rr after calling rr->Callback(), because the client's callback function
+ // is allowed to do anything, including starting/stopping queries, registering/deregistering records, etc.
+ // In this case the likely client action to the mStatus_MemFree message is to free the memory,
+ // so any attempt to touch rr after this is likely to lead to a crash.
+ if (drt != mDNS_Dereg_conflict)
+ {
+ mDNS_DropLockBeforeCallback(); // Allow client to legally make mDNS API calls from the callback
+ LogInfo("mDNS_Deregister_internal: mStatus_MemFree for %s", ARDisplayString(m, rr));
+ if (rr->RecordCallback)
+ rr->RecordCallback(m, rr, mStatus_MemFree); // MUST NOT touch rr after this
+ mDNS_ReclaimLockAfterCallback(); // Decrement mDNS_reentrancy to block mDNS API calls again
+ }
+ else
+ {
+ RecordProbeFailure(m, rr);
+ mDNS_DropLockBeforeCallback(); // Allow client to legally make mDNS API calls from the callback
+ if (rr->RecordCallback)
+ rr->RecordCallback(m, rr, mStatus_NameConflict); // MUST NOT touch rr after this
+ mDNS_ReclaimLockAfterCallback(); // Decrement mDNS_reentrancy to block mDNS API calls again
+ // Now that we've finished deregistering rr, check our DuplicateRecords list for any that we marked previously.
+ // Note that with all the client callbacks going on, by the time we get here all the
+ // records we marked may have been explicitly deregistered by the client anyway.
+ r2 = m->DuplicateRecords;
+ while (r2)
+ {
+ if (r2->ProbeCount != 0xFF)
+ {
+ r2 = r2->next;
+ }
+ else
+ {
+ mDNS_Deregister_internal(m, r2, mDNS_Dereg_conflict);
+ // As this is a duplicate record, it will be unlinked from the list
+ // immediately
+ r2 = m->DuplicateRecords;
+ }
+ }
+ }
+ }
+ mDNS_UpdateAllowSleep(m);
+ return(mStatus_NoError);
+}
+
+// ***************************************************************************
+#if COMPILER_LIKES_PRAGMA_MARK
+#pragma mark -
+#pragma mark - Packet Sending Functions
+#endif
+
+mDNSlocal void AddRecordToResponseList(AuthRecord ***nrpp, AuthRecord *rr, AuthRecord *add)
+{
+ if (rr->NextResponse == mDNSNULL && *nrpp != &rr->NextResponse)
+ {
+ **nrpp = rr;
+ // NR_AdditionalTo must point to a record with NR_AnswerTo set (and not NR_AdditionalTo)
+ // If 'add' does not meet this requirement, then follow its NR_AdditionalTo pointer to a record that does
+ // The referenced record will definitely be acceptable (by recursive application of this rule)
+ if (add && add->NR_AdditionalTo) add = add->NR_AdditionalTo;
+ rr->NR_AdditionalTo = add;
+ *nrpp = &rr->NextResponse;
+ }
+ debugf("AddRecordToResponseList: %##s (%s) already in list", rr->resrec.name->c, DNSTypeName(rr->resrec.rrtype));
+}
+
+mDNSlocal void AddAdditionalsToResponseList(mDNS *const m, AuthRecord *ResponseRecords, AuthRecord ***nrpp, const mDNSInterfaceID InterfaceID)
+{
+ AuthRecord *rr, *rr2;
+ for (rr=ResponseRecords; rr; rr=rr->NextResponse) // For each record we plan to put
+ {
+ // (Note: This is an "if", not a "while". If we add a record, we'll find it again
+ // later in the "for" loop, and we will follow further "additional" links then.)
+ if (rr->Additional1 && ResourceRecordIsValidInterfaceAnswer(rr->Additional1, InterfaceID))
+ AddRecordToResponseList(nrpp, rr->Additional1, rr);
+
+ if (rr->Additional2 && ResourceRecordIsValidInterfaceAnswer(rr->Additional2, InterfaceID))
+ AddRecordToResponseList(nrpp, rr->Additional2, rr);
+
+ // For SRV records, automatically add the Address record(s) for the target host
+ if (rr->resrec.rrtype == kDNSType_SRV)
+ {
+ for (rr2=m->ResourceRecords; rr2; rr2=rr2->next) // Scan list of resource records
+ if (RRTypeIsAddressType(rr2->resrec.rrtype) && // For all address records (A/AAAA) ...
+ ResourceRecordIsValidInterfaceAnswer(rr2, InterfaceID) && // ... which are valid for answer ...
+ rr->resrec.rdatahash == rr2->resrec.namehash && // ... whose name is the name of the SRV target
+ SameDomainName(&rr->resrec.rdata->u.srv.target, rr2->resrec.name))
+ AddRecordToResponseList(nrpp, rr2, rr);
+ }
+ else if (RRTypeIsAddressType(rr->resrec.rrtype)) // For A or AAAA, put counterpart as additional
+ {
+ for (rr2=m->ResourceRecords; rr2; rr2=rr2->next) // Scan list of resource records
+ if (RRTypeIsAddressType(rr2->resrec.rrtype) && // For all address records (A/AAAA) ...
+ ResourceRecordIsValidInterfaceAnswer(rr2, InterfaceID) && // ... which are valid for answer ...
+ rr->resrec.namehash == rr2->resrec.namehash && // ... and have the same name
+ SameDomainName(rr->resrec.name, rr2->resrec.name))
+ AddRecordToResponseList(nrpp, rr2, rr);
+ }
+ else if (rr->resrec.rrtype == kDNSType_PTR) // For service PTR, see if we want to add DeviceInfo record
+ {
+ if (ResourceRecordIsValidInterfaceAnswer(&m->DeviceInfo, InterfaceID) &&
+ SameDomainLabel(rr->resrec.rdata->u.name.c, m->DeviceInfo.resrec.name->c))
+ AddRecordToResponseList(nrpp, &m->DeviceInfo, rr);
+ }
+ }
+}
+
+mDNSlocal int AnonInfoSpace(AnonymousInfo *info)
+{
+ ResourceRecord *rr = info->nsec3RR;
+
+ // 2 bytes for compressed name + type (2) class (2) TTL (4) rdlength (2) rdata (n)
+ return (2 + 10 + rr->rdlength);
+}
+
+mDNSlocal void SendDelayedUnicastResponse(mDNS *const m, const mDNSAddr *const dest, const mDNSInterfaceID InterfaceID)
+{
+ AuthRecord *rr;
+ AuthRecord *ResponseRecords = mDNSNULL;
+ AuthRecord **nrp = &ResponseRecords;
+ NetworkInterfaceInfo *intf = FirstInterfaceForID(m, InterfaceID);
+ int AnoninfoSpace = 0;
+
+ // Make a list of all our records that need to be unicast to this destination
+ for (rr = m->ResourceRecords; rr; rr=rr->next)
+ {
+ // If we find we can no longer unicast this answer, clear ImmedUnicast
+ if (rr->ImmedAnswer == mDNSInterfaceMark ||
+ mDNSSameIPv4Address(rr->v4Requester, onesIPv4Addr) ||
+ mDNSSameIPv6Address(rr->v6Requester, onesIPv6Addr) )
+ rr->ImmedUnicast = mDNSfalse;
+
+ if (rr->ImmedUnicast && rr->ImmedAnswer == InterfaceID)
+ {
+ if ((dest->type == mDNSAddrType_IPv4 && mDNSSameIPv4Address(rr->v4Requester, dest->ip.v4)) ||
+ (dest->type == mDNSAddrType_IPv6 && mDNSSameIPv6Address(rr->v6Requester, dest->ip.v6)))
+ {
+ rr->ImmedAnswer = mDNSNULL; // Clear the state fields
+ rr->ImmedUnicast = mDNSfalse;
+ rr->v4Requester = zerov4Addr;
+ rr->v6Requester = zerov6Addr;
+
+ // Only sent records registered for P2P over P2P interfaces
+ if (intf && !mDNSPlatformValidRecordForInterface(rr, intf))
+ {
+ LogInfo("SendDelayedUnicastResponse: Not sending %s, on %s", ARDisplayString(m, rr), InterfaceNameForID(m, InterfaceID));
+ continue;
+ }
+
+ if (rr->NextResponse == mDNSNULL && nrp != &rr->NextResponse) // rr->NR_AnswerTo
+ {
+ rr->NR_AnswerTo = NR_AnswerMulticast;
+ *nrp = rr;
+ nrp = &rr->NextResponse;
+ }
+ }
+ }
+ }
+
+ AddAdditionalsToResponseList(m, ResponseRecords, &nrp, InterfaceID);
+
+ while (ResponseRecords)
+ {
+ mDNSu8 *responseptr = m->omsg.data;
+ mDNSu8 *newptr;
+ InitializeDNSMessage(&m->omsg.h, zeroID, ResponseFlags);
+
+ // Put answers in the packet
+ while (ResponseRecords && ResponseRecords->NR_AnswerTo)
+ {
+ rr = ResponseRecords;
+ if (rr->resrec.AnonInfo)
+ {
+ AnoninfoSpace += AnonInfoSpace(rr->resrec.AnonInfo);
+ rr->resrec.AnonInfo->SendNow = mDNSInterfaceMark;
+ }
+ if (rr->resrec.RecordType & kDNSRecordTypeUniqueMask)
+ rr->resrec.rrclass |= kDNSClass_UniqueRRSet; // Temporarily set the cache flush bit so PutResourceRecord will set it
+
+ // Retract the limit by AnoninfoSpace which we need to put the AnoInfo option.
+ newptr = PutResourceRecordTTLWithLimit(&m->omsg, responseptr, &m->omsg.h.numAnswers, &rr->resrec, rr->resrec.rroriginalttl,
+ m->omsg.data + (AllowedRRSpace(&m->omsg) - AnoninfoSpace));
+
+ rr->resrec.rrclass &= ~kDNSClass_UniqueRRSet; // Make sure to clear cache flush bit back to normal state
+ if (!newptr && m->omsg.h.numAnswers)
+ {
+ break; // If packet full, send it now
+ }
+ if (newptr) responseptr = newptr;
+ ResponseRecords = rr->NextResponse;
+ rr->NextResponse = mDNSNULL;
+ rr->NR_AnswerTo = mDNSNULL;
+ rr->NR_AdditionalTo = mDNSNULL;
+ rr->RequireGoodbye = mDNStrue;
+ }
+
+ // We have reserved the space for AnonInfo option. PutResourceRecord uses the
+ // standard limit (AllowedRRSpace) and we should have space now.
+ for (rr = m->ResourceRecords; rr; rr=rr->next)
+ {
+ if (rr->resrec.AnonInfo && rr->resrec.AnonInfo->SendNow == mDNSInterfaceMark)
+ {
+ ResourceRecord *nsec3RR = rr->resrec.AnonInfo->nsec3RR;
+
+ newptr = PutResourceRecord(&m->omsg, responseptr, &m->omsg.h.numAuthorities, nsec3RR);
+ if (newptr)
+ {
+ responseptr = newptr;
+ debugf("SendDelayedUnicastResponse: Added NSEC3 Record %s on %p", RRDisplayString(m, nsec3RR), intf->InterfaceID);
+ }
+ else
+ {
+ // We allocated space and we should not fail. Don't break, we need to clear the SendNow flag.
+ LogMsg("SendDelayedUnicastResponse: ERROR!! Cannot Add NSEC3 Record %s on %p", RRDisplayString(m, nsec3RR), intf->InterfaceID);
+ }
+ rr->resrec.AnonInfo->SendNow = mDNSNULL;
+ }
+ }
+
+ // Add additionals, if there's space
+ while (ResponseRecords && !ResponseRecords->NR_AnswerTo)
+ {
+ rr = ResponseRecords;
+ if (rr->resrec.RecordType & kDNSRecordTypeUniqueMask)
+ rr->resrec.rrclass |= kDNSClass_UniqueRRSet; // Temporarily set the cache flush bit so PutResourceRecord will set it
+ newptr = PutResourceRecord(&m->omsg, responseptr, &m->omsg.h.numAdditionals, &rr->resrec);
+ rr->resrec.rrclass &= ~kDNSClass_UniqueRRSet; // Make sure to clear cache flush bit back to normal state
+
+ if (newptr) responseptr = newptr;
+ if (newptr && m->omsg.h.numAnswers) rr->RequireGoodbye = mDNStrue;
+ else if (rr->resrec.RecordType & kDNSRecordTypeUniqueMask) rr->ImmedAnswer = mDNSInterfaceMark;
+ ResponseRecords = rr->NextResponse;
+ rr->NextResponse = mDNSNULL;
+ rr->NR_AnswerTo = mDNSNULL;
+ rr->NR_AdditionalTo = mDNSNULL;
+ }
+
+ if (m->omsg.h.numAnswers)
+ mDNSSendDNSMessage(m, &m->omsg, responseptr, InterfaceID, mDNSNULL, dest, MulticastDNSPort, mDNSNULL, mDNSNULL, mDNSfalse);
+ }
+}
+
+// CompleteDeregistration guarantees that on exit the record will have been cut from the m->ResourceRecords list
+// and the client's mStatus_MemFree callback will have been invoked
+mDNSexport void CompleteDeregistration(mDNS *const m, AuthRecord *rr)
+{
+ LogInfo("CompleteDeregistration: called for Resource record %s", ARDisplayString(m, rr));
+ // Clearing rr->RequireGoodbye signals mDNS_Deregister_internal() that
+ // it should go ahead and immediately dispose of this registration
+ rr->resrec.RecordType = kDNSRecordTypeShared;
+ rr->RequireGoodbye = mDNSfalse;
+ rr->WakeUp.HMAC = zeroEthAddr;
+ if (rr->AnsweredLocalQ) { AnswerAllLocalQuestionsWithLocalAuthRecord(m, rr, mDNSfalse); rr->AnsweredLocalQ = mDNSfalse; }
+ mDNS_Deregister_internal(m, rr, mDNS_Dereg_normal); // Don't touch rr after this
+}
+
+// DiscardDeregistrations is used on shutdown and sleep to discard (forcibly and immediately)
+// any deregistering records that remain in the m->ResourceRecords list.
+// DiscardDeregistrations calls mDNS_Deregister_internal which can call a user callback,
+// which may change the record list and/or question list.
+// Any code walking either list must use the CurrentQuestion and/or CurrentRecord mechanism to protect against this.
+mDNSlocal void DiscardDeregistrations(mDNS *const m)
+{
+ if (m->CurrentRecord)
+ LogMsg("DiscardDeregistrations ERROR m->CurrentRecord already set %s", ARDisplayString(m, m->CurrentRecord));
+ m->CurrentRecord = m->ResourceRecords;
+
+ while (m->CurrentRecord)
+ {
+ AuthRecord *rr = m->CurrentRecord;
+ if (!AuthRecord_uDNS(rr) && rr->resrec.RecordType == kDNSRecordTypeDeregistering)
+ CompleteDeregistration(m, rr); // Don't touch rr after this
+ else
+ m->CurrentRecord = rr->next;
+ }
+}
+
+mDNSlocal mStatus GetLabelDecimalValue(const mDNSu8 *const src, mDNSu8 *dst)
+{
+ int i, val = 0;
+ if (src[0] < 1 || src[0] > 3) return(mStatus_Invalid);
+ for (i=1; i<=src[0]; i++)
+ {
+ if (src[i] < '0' || src[i] > '9') return(mStatus_Invalid);
+ val = val * 10 + src[i] - '0';
+ }
+ if (val > 255) return(mStatus_Invalid);
+ *dst = (mDNSu8)val;
+ return(mStatus_NoError);
+}
+
+mDNSlocal mStatus GetIPv4FromName(mDNSAddr *const a, const domainname *const name)
+{
+ int skip = CountLabels(name) - 6;
+ if (skip < 0) { LogMsg("GetIPFromName: Need six labels in IPv4 reverse mapping name %##s", name); return mStatus_Invalid; }
+ if (GetLabelDecimalValue(SkipLeadingLabels(name, skip+3)->c, &a->ip.v4.b[0]) ||
+ GetLabelDecimalValue(SkipLeadingLabels(name, skip+2)->c, &a->ip.v4.b[1]) ||
+ GetLabelDecimalValue(SkipLeadingLabels(name, skip+1)->c, &a->ip.v4.b[2]) ||
+ GetLabelDecimalValue(SkipLeadingLabels(name, skip+0)->c, &a->ip.v4.b[3])) return mStatus_Invalid;
+ a->type = mDNSAddrType_IPv4;
+ return(mStatus_NoError);
+}
+
+#define HexVal(X) ( ((X) >= '0' && (X) <= '9') ? ((X) - '0' ) : \
+ ((X) >= 'A' && (X) <= 'F') ? ((X) - 'A' + 10) : \
+ ((X) >= 'a' && (X) <= 'f') ? ((X) - 'a' + 10) : -1)
+
+mDNSlocal mStatus GetIPv6FromName(mDNSAddr *const a, const domainname *const name)
+{
+ int i, h, l;
+ const domainname *n;
+
+ int skip = CountLabels(name) - 34;
+ if (skip < 0) { LogMsg("GetIPFromName: Need 34 labels in IPv6 reverse mapping name %##s", name); return mStatus_Invalid; }
+
+ n = SkipLeadingLabels(name, skip);
+ for (i=0; i<16; i++)
+ {
+ if (n->c[0] != 1) return mStatus_Invalid;
+ l = HexVal(n->c[1]);
+ n = (const domainname *)(n->c + 2);
+
+ if (n->c[0] != 1) return mStatus_Invalid;
+ h = HexVal(n->c[1]);
+ n = (const domainname *)(n->c + 2);
+
+ if (l<0 || h<0) return mStatus_Invalid;
+ a->ip.v6.b[15-i] = (mDNSu8)((h << 4) | l);
+ }
+
+ a->type = mDNSAddrType_IPv6;
+ return(mStatus_NoError);
+}
+
+mDNSlocal mDNSs32 ReverseMapDomainType(const domainname *const name)
+{
+ int skip = CountLabels(name) - 2;
+ if (skip >= 0)
+ {
+ const domainname *suffix = SkipLeadingLabels(name, skip);
+ if (SameDomainName(suffix, (const domainname*)"\x7" "in-addr" "\x4" "arpa")) return mDNSAddrType_IPv4;
+ if (SameDomainName(suffix, (const domainname*)"\x3" "ip6" "\x4" "arpa")) return mDNSAddrType_IPv6;
+ }
+ return(mDNSAddrType_None);
+}
+
+mDNSlocal void SendARP(mDNS *const m, const mDNSu8 op, const AuthRecord *const rr,
+ const mDNSv4Addr *const spa, const mDNSEthAddr *const tha, const mDNSv4Addr *const tpa, const mDNSEthAddr *const dst)
+{
+ int i;
+ mDNSu8 *ptr = m->omsg.data;
+ NetworkInterfaceInfo *intf = FirstInterfaceForID(m, rr->resrec.InterfaceID);
+ if (!intf) { LogMsg("SendARP: No interface with InterfaceID %p found %s", rr->resrec.InterfaceID, ARDisplayString(m,rr)); return; }
+
+ // 0x00 Destination address
+ for (i=0; i<6; i++) *ptr++ = dst->b[i];
+
+ // 0x06 Source address (Note: Since we don't currently set the BIOCSHDRCMPLT option, BPF will fill in the real interface address for us)
+ for (i=0; i<6; i++) *ptr++ = intf->MAC.b[0];
+
+ // 0x0C ARP Ethertype (0x0806)
+ *ptr++ = 0x08; *ptr++ = 0x06;
+
+ // 0x0E ARP header
+ *ptr++ = 0x00; *ptr++ = 0x01; // Hardware address space; Ethernet = 1
+ *ptr++ = 0x08; *ptr++ = 0x00; // Protocol address space; IP = 0x0800
+ *ptr++ = 6; // Hardware address length
+ *ptr++ = 4; // Protocol address length
+ *ptr++ = 0x00; *ptr++ = op; // opcode; Request = 1, Response = 2
+
+ // 0x16 Sender hardware address (our MAC address)
+ for (i=0; i<6; i++) *ptr++ = intf->MAC.b[i];
+
+ // 0x1C Sender protocol address
+ for (i=0; i<4; i++) *ptr++ = spa->b[i];
+
+ // 0x20 Target hardware address
+ for (i=0; i<6; i++) *ptr++ = tha->b[i];
+
+ // 0x26 Target protocol address
+ for (i=0; i<4; i++) *ptr++ = tpa->b[i];
+
+ // 0x2A Total ARP Packet length 42 bytes
+ mDNSPlatformSendRawPacket(m->omsg.data, ptr, rr->resrec.InterfaceID);
+}
+
+mDNSlocal mDNSu16 CheckSum(const void *const data, mDNSs32 length, mDNSu32 sum)
+{
+ const mDNSu16 *ptr = data;
+ while (length > 0) { length -= 2; sum += *ptr++; }
+ sum = (sum & 0xFFFF) + (sum >> 16);
+ sum = (sum & 0xFFFF) + (sum >> 16);
+ return(sum != 0xFFFF ? sum : 0);
+}
+
+mDNSlocal mDNSu16 IPv6CheckSum(const mDNSv6Addr *const src, const mDNSv6Addr *const dst, const mDNSu8 protocol, const void *const data, const mDNSu32 length)
+{
+ IPv6PseudoHeader ph;
+ ph.src = *src;
+ ph.dst = *dst;
+ ph.len.b[0] = length >> 24;
+ ph.len.b[1] = length >> 16;
+ ph.len.b[2] = length >> 8;
+ ph.len.b[3] = length;
+ ph.pro.b[0] = 0;
+ ph.pro.b[1] = 0;
+ ph.pro.b[2] = 0;
+ ph.pro.b[3] = protocol;
+ return CheckSum(&ph, sizeof(ph), CheckSum(data, length, 0));
+}
+
+mDNSlocal void SendNDP(mDNS *const m, const mDNSu8 op, const mDNSu8 flags, const AuthRecord *const rr,
+ const mDNSv6Addr *const spa, const mDNSEthAddr *const tha, const mDNSv6Addr *const tpa, const mDNSEthAddr *const dst)
+{
+ int i;
+ mDNSOpaque16 checksum;
+ mDNSu8 *ptr = m->omsg.data;
+ // Some recipient hosts seem to ignore Neighbor Solicitations if the IPv6-layer destination address is not the
+ // appropriate IPv6 solicited node multicast address, so we use that IPv6-layer destination address, even though
+ // at the Ethernet-layer we unicast the packet to the intended target, to avoid wasting network bandwidth.
+ const mDNSv6Addr mc = { { 0xFF,0x02,0x00,0x00, 0,0,0,0, 0,0,0,1, 0xFF,tpa->b[0xD],tpa->b[0xE],tpa->b[0xF] } };
+ const mDNSv6Addr *const v6dst = (op == NDP_Sol) ? &mc : tpa;
+ NetworkInterfaceInfo *intf = FirstInterfaceForID(m, rr->resrec.InterfaceID);
+ if (!intf) { LogMsg("SendNDP: No interface with InterfaceID %p found %s", rr->resrec.InterfaceID, ARDisplayString(m,rr)); return; }
+
+ // 0x00 Destination address
+ for (i=0; i<6; i++) *ptr++ = dst->b[i];
+ // Right now we only send Neighbor Solicitations to verify whether the host we're proxying for has gone to sleep yet.
+ // Since we know who we're looking for, we send it via Ethernet-layer unicast, rather than bothering every host on the
+ // link with a pointless link-layer multicast.
+ // Should we want to send traditional Neighbor Solicitations in the future, where we really don't know in advance what
+ // Ethernet-layer address we're looking for, we'll need to send to the appropriate Ethernet-layer multicast address:
+ // *ptr++ = 0x33;
+ // *ptr++ = 0x33;
+ // *ptr++ = 0xFF;
+ // *ptr++ = tpa->b[0xD];
+ // *ptr++ = tpa->b[0xE];
+ // *ptr++ = tpa->b[0xF];
+
+ // 0x06 Source address (Note: Since we don't currently set the BIOCSHDRCMPLT option, BPF will fill in the real interface address for us)
+ for (i=0; i<6; i++) *ptr++ = (tha ? *tha : intf->MAC).b[i];
+
+ // 0x0C IPv6 Ethertype (0x86DD)
+ *ptr++ = 0x86; *ptr++ = 0xDD;
+
+ // 0x0E IPv6 header
+ *ptr++ = 0x60; *ptr++ = 0x00; *ptr++ = 0x00; *ptr++ = 0x00; // Version, Traffic Class, Flow Label
+ *ptr++ = 0x00; *ptr++ = 0x20; // Length
+ *ptr++ = 0x3A; // Protocol == ICMPv6
+ *ptr++ = 0xFF; // Hop Limit
+
+ // 0x16 Sender IPv6 address
+ for (i=0; i<16; i++) *ptr++ = spa->b[i];
+
+ // 0x26 Destination IPv6 address
+ for (i=0; i<16; i++) *ptr++ = v6dst->b[i];
+
+ // 0x36 NDP header
+ *ptr++ = op; // 0x87 == Neighbor Solicitation, 0x88 == Neighbor Advertisement
+ *ptr++ = 0x00; // Code
+ *ptr++ = 0x00; *ptr++ = 0x00; // Checksum placeholder (0x38, 0x39)
+ *ptr++ = flags;
+ *ptr++ = 0x00; *ptr++ = 0x00; *ptr++ = 0x00;
+
+ if (op == NDP_Sol) // Neighbor Solicitation. The NDP "target" is the address we seek.
+ {
+ // 0x3E NDP target.
+ for (i=0; i<16; i++) *ptr++ = tpa->b[i];
+ // 0x4E Source Link-layer Address
+ // <http://www.ietf.org/rfc/rfc2461.txt>
+ // MUST NOT be included when the source IP address is the unspecified address.
+ // Otherwise, on link layers that have addresses this option MUST be included
+ // in multicast solicitations and SHOULD be included in unicast solicitations.
+ if (!mDNSIPv6AddressIsZero(*spa))
+ {
+ *ptr++ = NDP_SrcLL; // Option Type 1 == Source Link-layer Address
+ *ptr++ = 0x01; // Option length 1 (in units of 8 octets)
+ for (i=0; i<6; i++) *ptr++ = (tha ? *tha : intf->MAC).b[i];
+ }
+ }
+ else // Neighbor Advertisement. The NDP "target" is the address we're giving information about.
+ {
+ // 0x3E NDP target.
+ for (i=0; i<16; i++) *ptr++ = spa->b[i];
+ // 0x4E Target Link-layer Address
+ *ptr++ = NDP_TgtLL; // Option Type 2 == Target Link-layer Address
+ *ptr++ = 0x01; // Option length 1 (in units of 8 octets)
+ for (i=0; i<6; i++) *ptr++ = (tha ? *tha : intf->MAC).b[i];
+ }
+
+ // 0x4E or 0x56 Total NDP Packet length 78 or 86 bytes
+ m->omsg.data[0x13] = ptr - &m->omsg.data[0x36]; // Compute actual length
+ checksum.NotAnInteger = ~IPv6CheckSum(spa, v6dst, 0x3A, &m->omsg.data[0x36], m->omsg.data[0x13]);
+ m->omsg.data[0x38] = checksum.b[0];
+ m->omsg.data[0x39] = checksum.b[1];
+
+ mDNSPlatformSendRawPacket(m->omsg.data, ptr, rr->resrec.InterfaceID);
+}
+
+mDNSlocal void SetupTracerOpt(const mDNS *const m, rdataOPT *const Trace)
+{
+ mDNSu32 DNS_VERS = _DNS_SD_H;
+ Trace->u.tracer.platf = m->mDNS_plat;
+ Trace->u.tracer.mDNSv = DNS_VERS;
+
+ Trace->opt = kDNSOpt_Trace;
+ Trace->optlen = DNSOpt_TraceData_Space - 4;
+}
+
+mDNSlocal void SetupOwnerOpt(const mDNS *const m, const NetworkInterfaceInfo *const intf, rdataOPT *const owner)
+{
+ owner->u.owner.vers = 0;
+ owner->u.owner.seq = m->SleepSeqNum;
+ owner->u.owner.HMAC = m->PrimaryMAC;
+ owner->u.owner.IMAC = intf->MAC;
+ owner->u.owner.password = zeroEthAddr;
+
+ // Don't try to compute the optlen until *after* we've set up the data fields
+ // Right now the DNSOpt_Owner_Space macro does not depend on the owner->u.owner being set up correctly, but in the future it might
+ owner->opt = kDNSOpt_Owner;
+ owner->optlen = DNSOpt_Owner_Space(&m->PrimaryMAC, &intf->MAC) - 4;
+}
+
+mDNSlocal void GrantUpdateCredit(AuthRecord *rr)
+{
+ if (++rr->UpdateCredits >= kMaxUpdateCredits) rr->NextUpdateCredit = 0;
+ else rr->NextUpdateCredit = NonZeroTime(rr->NextUpdateCredit + kUpdateCreditRefreshInterval);
+}
+
+mDNSlocal mDNSBool ShouldSendGoodbyesBeforeSleep(mDNS *const m, const NetworkInterfaceInfo *intf, AuthRecord *rr)
+{
+ // If there are no sleep proxies, we set the state to SleepState_Sleeping explicitly
+ // and hence there is no need to check for Transfering state. But if we have sleep
+ // proxies and partially sending goodbyes for some records, we will be in Transfering
+ // state and hence need to make sure that we send goodbyes in that case too. Checking whether
+ // we are not awake handles both cases.
+ if ((rr->AuthFlags & AuthFlagsWakeOnly) && (m->SleepState != SleepState_Awake))
+ {
+ debugf("ShouldSendGoodbyesBeforeSleep: marking for goodbye", ARDisplayString(m, rr));
+ return mDNStrue;
+ }
+
+ if (m->SleepState != SleepState_Sleeping)
+ return mDNSfalse;
+
+ // If we are going to sleep and in SleepState_Sleeping, SendGoodbyes on the interface tell you
+ // whether you can send goodbyes or not.
+ if (!intf->SendGoodbyes)
+ {
+ debugf("ShouldSendGoodbyesBeforeSleep: not sending goodbye %s, int %p", ARDisplayString(m, rr), intf->InterfaceID);
+ return mDNSfalse;
+ }
+ else
+ {
+ debugf("ShouldSendGoodbyesBeforeSleep: sending goodbye %s, int %p", ARDisplayString(m, rr), intf->InterfaceID);
+ return mDNStrue;
+ }
+}
+
+// Note about acceleration of announcements to facilitate automatic coalescing of
+// multiple independent threads of announcements into a single synchronized thread:
+// The announcements in the packet may be at different stages of maturity;
+// One-second interval, two-second interval, four-second interval, and so on.
+// After we've put in all the announcements that are due, we then consider
+// whether there are other nearly-due announcements that are worth accelerating.
+// To be eligible for acceleration, a record MUST NOT be older (further along
+// its timeline) than the most mature record we've already put in the packet.
+// In other words, younger records can have their timelines accelerated to catch up
+// with their elder bretheren; this narrows the age gap and helps them eventually get in sync.
+// Older records cannot have their timelines accelerated; this would just widen
+// the gap between them and their younger bretheren and get them even more out of sync.
+
+// Note: SendResponses calls mDNS_Deregister_internal which can call a user callback, which may change
+// the record list and/or question list.
+// Any code walking either list must use the CurrentQuestion and/or CurrentRecord mechanism to protect against this.
+mDNSlocal void SendResponses(mDNS *const m)
+{
+ int pktcount = 0;
+ AuthRecord *rr, *r2;
+ mDNSs32 maxExistingAnnounceInterval = 0;
+ const NetworkInterfaceInfo *intf = GetFirstActiveInterface(m->HostInterfaces);
+
+ m->NextScheduledResponse = m->timenow + 0x78000000;
+
+ if (m->SleepState == SleepState_Transferring) RetrySPSRegistrations(m);
+
+ for (rr = m->ResourceRecords; rr; rr=rr->next)
+ if (rr->ImmedUnicast)
+ {
+ mDNSAddr v4 = { mDNSAddrType_IPv4, {{{0}}} };
+ mDNSAddr v6 = { mDNSAddrType_IPv6, {{{0}}} };
+ v4.ip.v4 = rr->v4Requester;
+ v6.ip.v6 = rr->v6Requester;
+ if (!mDNSIPv4AddressIsZero(rr->v4Requester)) SendDelayedUnicastResponse(m, &v4, rr->ImmedAnswer);
+ if (!mDNSIPv6AddressIsZero(rr->v6Requester)) SendDelayedUnicastResponse(m, &v6, rr->ImmedAnswer);
+ if (rr->ImmedUnicast)
+ {
+ LogMsg("SendResponses: ERROR: rr->ImmedUnicast still set: %s", ARDisplayString(m, rr));
+ rr->ImmedUnicast = mDNSfalse;
+ }
+ }
+
+ // ***
+ // *** 1. Setup: Set the SendRNow and ImmedAnswer fields to indicate which interface(s) the records need to be sent on
+ // ***
+
+ // Run through our list of records, and decide which ones we're going to announce on all interfaces
+ for (rr = m->ResourceRecords; rr; rr=rr->next)
+ {
+ while (rr->NextUpdateCredit && m->timenow - rr->NextUpdateCredit >= 0) GrantUpdateCredit(rr);
+ if (TimeToAnnounceThisRecord(rr, m->timenow))
+ {
+ if (rr->resrec.RecordType == kDNSRecordTypeDeregistering)
+ {
+ if (!rr->WakeUp.HMAC.l[0])
+ {
+ if (rr->AnnounceCount) rr->ImmedAnswer = mDNSInterfaceMark; // Send goodbye packet on all interfaces
+ }
+ else
+ {
+ LogSPS("SendResponses: Sending wakeup %2d for %.6a %s", rr->AnnounceCount-3, &rr->WakeUp.IMAC, ARDisplayString(m, rr));
+ SendWakeup(m, rr->resrec.InterfaceID, &rr->WakeUp.IMAC, &rr->WakeUp.password);
+ for (r2 = rr; r2; r2=r2->next)
+ if (r2->AnnounceCount && r2->resrec.InterfaceID == rr->resrec.InterfaceID && mDNSSameEthAddress(&r2->WakeUp.IMAC, &rr->WakeUp.IMAC) &&
+ !mDNSSameEthAddress(&zeroEthAddr, &r2->WakeUp.HMAC))
+ {
+ // For now we only want to send a single Unsolicited Neighbor Advertisement restoring the address to the original
+ // owner, because these packets can cause some IPv6 stacks to falsely conclude that there's an address conflict.
+ if (r2->AddressProxy.type == mDNSAddrType_IPv6 && r2->AnnounceCount == WakeupCount)
+ {
+ LogSPS("NDP Announcement %2d Releasing traffic for H-MAC %.6a I-MAC %.6a %s",
+ r2->AnnounceCount-3, &r2->WakeUp.HMAC, &r2->WakeUp.IMAC, ARDisplayString(m,r2));
+ SendNDP(m, NDP_Adv, NDP_Override, r2, &r2->AddressProxy.ip.v6, &r2->WakeUp.IMAC, &AllHosts_v6, &AllHosts_v6_Eth);
+ }
+ r2->LastAPTime = m->timenow;
+ // After 15 wakeups without success (maybe host has left the network) send three goodbyes instead
+ if (--r2->AnnounceCount <= GoodbyeCount) r2->WakeUp.HMAC = zeroEthAddr;
+ }
+ }
+ }
+ else if (ResourceRecordIsValidAnswer(rr))
+ {
+ if (rr->AddressProxy.type)
+ {
+ if (!mDNSSameEthAddress(&zeroEthAddr, &rr->WakeUp.HMAC))
+ {
+ rr->AnnounceCount--;
+ rr->ThisAPInterval *= 2;
+ rr->LastAPTime = m->timenow;
+ if (rr->AddressProxy.type == mDNSAddrType_IPv4)
+ {
+ LogSPS("ARP Announcement %2d Capturing traffic for H-MAC %.6a I-MAC %.6a %s",
+ rr->AnnounceCount, &rr->WakeUp.HMAC, &rr->WakeUp.IMAC, ARDisplayString(m,rr));
+ SendARP(m, 1, rr, &rr->AddressProxy.ip.v4, &zeroEthAddr, &rr->AddressProxy.ip.v4, &onesEthAddr);
+ }
+ else if (rr->AddressProxy.type == mDNSAddrType_IPv6)
+ {
+ LogSPS("NDP Announcement %2d Capturing traffic for H-MAC %.6a I-MAC %.6a %s",
+ rr->AnnounceCount, &rr->WakeUp.HMAC, &rr->WakeUp.IMAC, ARDisplayString(m,rr));
+ SendNDP(m, NDP_Adv, NDP_Override, rr, &rr->AddressProxy.ip.v6, mDNSNULL, &AllHosts_v6, &AllHosts_v6_Eth);
+ }
+ }
+ }
+ else
+ {
+ rr->ImmedAnswer = mDNSInterfaceMark; // Send on all interfaces
+ if (maxExistingAnnounceInterval < rr->ThisAPInterval)
+ maxExistingAnnounceInterval = rr->ThisAPInterval;
+ if (rr->UpdateBlocked) rr->UpdateBlocked = 0;
+ }
+ }
+ }
+ }
+
+ // Any interface-specific records we're going to send are marked as being sent on all appropriate interfaces (which is just one)
+ // Eligible records that are more than half-way to their announcement time are accelerated
+ for (rr = m->ResourceRecords; rr; rr=rr->next)
+ if ((rr->resrec.InterfaceID && rr->ImmedAnswer) ||
+ (rr->ThisAPInterval <= maxExistingAnnounceInterval &&
+ TimeToAnnounceThisRecord(rr, m->timenow + rr->ThisAPInterval/2) &&
+ !rr->AddressProxy.type && // Don't include ARP Annoucements when considering which records to accelerate
+ ResourceRecordIsValidAnswer(rr)))
+ rr->ImmedAnswer = mDNSInterfaceMark; // Send on all interfaces
+
+ // When sending SRV records (particularly when announcing a new service) automatically add related Address record(s) as additionals
+ // Note: Currently all address records are interface-specific, so it's safe to set ImmedAdditional to their InterfaceID,
+ // which will be non-null. If by some chance there is an address record that's not interface-specific (should never happen)
+ // then all that means is that it won't get sent -- which would not be the end of the world.
+ for (rr = m->ResourceRecords; rr; rr=rr->next)
+ {
+ if (rr->ImmedAnswer && rr->resrec.rrtype == kDNSType_SRV)
+ for (r2=m->ResourceRecords; r2; r2=r2->next) // Scan list of resource records
+ if (RRTypeIsAddressType(r2->resrec.rrtype) && // For all address records (A/AAAA) ...
+ ResourceRecordIsValidAnswer(r2) && // ... which are valid for answer ...
+ rr->LastMCTime - r2->LastMCTime >= 0 && // ... which we have not sent recently ...
+ rr->resrec.rdatahash == r2->resrec.namehash && // ... whose name is the name of the SRV target
+ SameDomainName(&rr->resrec.rdata->u.srv.target, r2->resrec.name) &&
+ (rr->ImmedAnswer == mDNSInterfaceMark || rr->ImmedAnswer == r2->resrec.InterfaceID))
+ r2->ImmedAdditional = r2->resrec.InterfaceID; // ... then mark this address record for sending too
+ // We also make sure we send the DeviceInfo TXT record too, if necessary
+ // We check for RecordType == kDNSRecordTypeShared because we don't want to tag the
+ // DeviceInfo TXT record onto a goodbye packet (RecordType == kDNSRecordTypeDeregistering).
+ if (rr->ImmedAnswer && rr->resrec.RecordType == kDNSRecordTypeShared && rr->resrec.rrtype == kDNSType_PTR)
+ if (ResourceRecordIsValidAnswer(&m->DeviceInfo) && SameDomainLabel(rr->resrec.rdata->u.name.c, m->DeviceInfo.resrec.name->c))
+ {
+ if (!m->DeviceInfo.ImmedAnswer) m->DeviceInfo.ImmedAnswer = rr->ImmedAnswer;
+ else m->DeviceInfo.ImmedAnswer = mDNSInterfaceMark;
+ }
+ }
+
+ // If there's a record which is supposed to be unique that we're going to send, then make sure that we give
+ // the whole RRSet as an atomic unit. That means that if we have any other records with the same name/type/class
+ // then we need to mark them for sending too. Otherwise, if we set the kDNSClass_UniqueRRSet bit on a
+ // record, then other RRSet members that have not been sent recently will get flushed out of client caches.
+ // -- If a record is marked to be sent on a certain interface, make sure the whole set is marked to be sent on that interface
+ // -- If any record is marked to be sent on all interfaces, make sure the whole set is marked to be sent on all interfaces
+ for (rr = m->ResourceRecords; rr; rr=rr->next)
+ if (rr->resrec.RecordType & kDNSRecordTypeUniqueMask)
+ {
+ if (rr->ImmedAnswer) // If we're sending this as answer, see that its whole RRSet is similarly marked
+ {
+ for (r2 = m->ResourceRecords; r2; r2=r2->next)
+ if (ResourceRecordIsValidAnswer(r2))
+ if (r2->ImmedAnswer != mDNSInterfaceMark &&
+ r2->ImmedAnswer != rr->ImmedAnswer && SameResourceRecordSignature(r2, rr))
+ r2->ImmedAnswer = !r2->ImmedAnswer ? rr->ImmedAnswer : mDNSInterfaceMark;
+ }
+ else if (rr->ImmedAdditional) // If we're sending this as additional, see that its whole RRSet is similarly marked
+ {
+ for (r2 = m->ResourceRecords; r2; r2=r2->next)
+ if (ResourceRecordIsValidAnswer(r2))
+ if (r2->ImmedAdditional != rr->ImmedAdditional && SameResourceRecordSignature(r2, rr))
+ r2->ImmedAdditional = rr->ImmedAdditional;
+ }
+ }
+
+ // Now set SendRNow state appropriately
+ for (rr = m->ResourceRecords; rr; rr=rr->next)
+ {
+ if (rr->ImmedAnswer == mDNSInterfaceMark) // Sending this record on all appropriate interfaces
+ {
+ rr->SendRNow = !intf ? mDNSNULL : (rr->resrec.InterfaceID) ? rr->resrec.InterfaceID : intf->InterfaceID;
+ rr->ImmedAdditional = mDNSNULL; // No need to send as additional if sending as answer
+ rr->LastMCTime = m->timenow;
+ rr->LastMCInterface = rr->ImmedAnswer;
+ // If we're announcing this record, and it's at least half-way to its ordained time, then consider this announcement done
+ if (TimeToAnnounceThisRecord(rr, m->timenow + rr->ThisAPInterval/2))
+ {
+ rr->AnnounceCount--;
+ if (rr->resrec.RecordType != kDNSRecordTypeDeregistering)
+ rr->ThisAPInterval *= 2;
+ rr->LastAPTime = m->timenow;
+ debugf("Announcing %##s (%s) %d", rr->resrec.name->c, DNSTypeName(rr->resrec.rrtype), rr->AnnounceCount);
+ }
+ }
+ else if (rr->ImmedAnswer) // Else, just respond to a single query on single interface:
+ {
+ rr->SendRNow = rr->ImmedAnswer; // Just respond on that interface
+ rr->ImmedAdditional = mDNSNULL; // No need to send as additional too
+ rr->LastMCTime = m->timenow;
+ rr->LastMCInterface = rr->ImmedAnswer;
+ }
+ SetNextAnnounceProbeTime(m, rr);
+ //if (rr->SendRNow) LogMsg("%-15.4a %s", &rr->v4Requester, ARDisplayString(m, rr));
+ }
+
+ // ***
+ // *** 2. Loop through interface list, sending records as appropriate
+ // ***
+
+ while (intf)
+ {
+ int OwnerRecordSpace = (m->AnnounceOwner && intf->MAC.l[0]) ? DNSOpt_Header_Space + DNSOpt_Owner_Space(&m->PrimaryMAC, &intf->MAC) : 0;
+ int TraceRecordSpace = (mDNS_McastTracingEnabled && MDNS_TRACER) ? DNSOpt_Header_Space + DNSOpt_TraceData_Space : 0;
+ int numDereg = 0;
+ int numAnnounce = 0;
+ int numAnswer = 0;
+ int AnoninfoSpace = 0;
+ mDNSu8 *responseptr = m->omsg.data;
+ mDNSu8 *newptr;
+ InitializeDNSMessage(&m->omsg.h, zeroID, ResponseFlags);
+
+ // First Pass. Look for:
+ // 1. Deregistering records that need to send their goodbye packet
+ // 2. Updated records that need to retract their old data
+ // 3. Answers and announcements we need to send
+ for (rr = m->ResourceRecords; rr; rr=rr->next)
+ {
+
+ // Skip this interface if the record InterfaceID is *Any and the record is not
+ // appropriate for the interface type.
+ if ((rr->SendRNow == intf->InterfaceID) &&
+ ((rr->resrec.InterfaceID == mDNSInterface_Any) && !mDNSPlatformValidRecordForInterface(rr, intf)))
+ {
+ LogInfo("SendResponses: Not sending %s, on %s", ARDisplayString(m, rr), InterfaceNameForID(m, rr->SendRNow));
+ rr->SendRNow = GetNextActiveInterfaceID(intf);
+ }
+ else if (rr->SendRNow == intf->InterfaceID)
+ {
+ RData *OldRData = rr->resrec.rdata;
+ mDNSu16 oldrdlength = rr->resrec.rdlength;
+ mDNSu8 active = (mDNSu8)
+ (rr->resrec.RecordType != kDNSRecordTypeDeregistering && !ShouldSendGoodbyesBeforeSleep(m, intf, rr));
+ newptr = mDNSNULL;
+ if (rr->NewRData && active)
+ {
+ // See if we should send a courtesy "goodbye" for the old data before we replace it.
+ if (ResourceRecordIsValidAnswer(rr) && rr->resrec.RecordType == kDNSRecordTypeShared && rr->RequireGoodbye)
+ {
+ newptr = PutRR_OS_TTL(responseptr, &m->omsg.h.numAnswers, &rr->resrec, 0);
+ if (newptr) { responseptr = newptr; numDereg++; rr->RequireGoodbye = mDNSfalse; }
+ else continue; // If this packet is already too full to hold the goodbye for this record, skip it for now and we'll retry later
+ }
+ SetNewRData(&rr->resrec, rr->NewRData, rr->newrdlength);
+ }
+
+ if (rr->resrec.AnonInfo)
+ {
+ int tmp = AnonInfoSpace(rr->resrec.AnonInfo);
+
+ AnoninfoSpace += tmp;
+ // Adjust OwnerRecordSpace/TraceRecordSpace which is used by PutRR_OS_TTL below so that
+ // we have space to put in the NSEC3 record in the authority section.
+ OwnerRecordSpace += tmp;
+ TraceRecordSpace += tmp;
+ }
+
+ if (rr->resrec.RecordType & kDNSRecordTypeUniqueMask)
+ rr->resrec.rrclass |= kDNSClass_UniqueRRSet; // Temporarily set the cache flush bit so PutResourceRecord will set it
+ newptr = PutRR_OS_TTL(responseptr, &m->omsg.h.numAnswers, &rr->resrec, active ? rr->resrec.rroriginalttl : 0);
+ rr->resrec.rrclass &= ~kDNSClass_UniqueRRSet; // Make sure to clear cache flush bit back to normal state
+ if (newptr)
+ {
+ responseptr = newptr;
+ rr->RequireGoodbye = active;
+ if (rr->resrec.RecordType == kDNSRecordTypeDeregistering) numDereg++;
+ else if (rr->LastAPTime == m->timenow) numAnnounce++;else numAnswer++;
+ }
+
+ if (rr->NewRData && active)
+ SetNewRData(&rr->resrec, OldRData, oldrdlength);
+
+ // The first time through (pktcount==0), if this record is verified unique
+ // (i.e. typically A, AAAA, SRV, TXT and reverse-mapping PTR), set the flag to add an NSEC too.
+ if (!pktcount && active && (rr->resrec.RecordType & kDNSRecordTypeActiveUniqueMask) && !rr->SendNSECNow)
+ rr->SendNSECNow = mDNSInterfaceMark;
+
+ if (newptr) // If succeeded in sending, advance to next interface
+ {
+ if (rr->resrec.AnonInfo)
+ {
+ debugf("SendResponses: Marking %s, OwnerRecordSpace %d, TraceRecordSpace %d, limit %p", ARDisplayString(m, rr), OwnerRecordSpace,
+ TraceRecordSpace, m->omsg.data + AllowedRRSpace(&m->omsg) - OwnerRecordSpace - TraceRecordSpace);
+ rr->resrec.AnonInfo->SendNow = intf->InterfaceID;
+ }
+
+ // If sending on all interfaces, go to next interface; else we're finished now
+ if (rr->ImmedAnswer == mDNSInterfaceMark && rr->resrec.InterfaceID == mDNSInterface_Any)
+ rr->SendRNow = GetNextActiveInterfaceID(intf);
+ else
+ rr->SendRNow = mDNSNULL;
+ }
+ }
+ }
+
+ // Get the reserved space back
+ OwnerRecordSpace -= AnoninfoSpace;
+ TraceRecordSpace -= AnoninfoSpace;
+ newptr = responseptr;
+ for (rr = m->ResourceRecords; rr; rr=rr->next)
+ {
+ if (rr->resrec.AnonInfo && rr->resrec.AnonInfo->SendNow == intf->InterfaceID)
+ {
+ ResourceRecord *nsec3RR = rr->resrec.AnonInfo->nsec3RR;
+
+ newptr = PutRR_OS_TTL(newptr, &m->omsg.h.numAuthorities, nsec3RR, nsec3RR->rroriginalttl);
+ if (newptr)
+ {
+ responseptr = newptr;
+ debugf("SendResponses: Added NSEC3 %s, OwnerRecordSpace %d, TraceRecordSpace %d, limit %p", ARDisplayString(m, rr), OwnerRecordSpace,
+ TraceRecordSpace, m->omsg.data + AllowedRRSpace(&m->omsg) - OwnerRecordSpace - TraceRecordSpace);
+ }
+ else
+ {
+ LogMsg("SendResponses: Cannot add NSEC3 %s, OwnerRecordSpace %d, TraceRecordSpace %d, limit %p", ARDisplayString(m, rr), OwnerRecordSpace,
+ TraceRecordSpace, m->omsg.data + AllowedRRSpace(&m->omsg) - OwnerRecordSpace - TraceRecordSpace);
+ }
+ rr->resrec.AnonInfo->SendNow = mDNSNULL;
+ }
+ }
+ // Second Pass. Add additional records, if there's space.
+ newptr = responseptr;
+ for (rr = m->ResourceRecords; rr; rr=rr->next)
+ if (rr->ImmedAdditional == intf->InterfaceID)
+ if (ResourceRecordIsValidAnswer(rr))
+ {
+ // If we have at least one answer already in the packet, then plan to add additionals too
+ mDNSBool SendAdditional = (m->omsg.h.numAnswers > 0);
+
+ // If we're not planning to send any additionals, but this record is a unique one, then
+ // make sure we haven't already sent any other members of its RRSet -- if we have, then they
+ // will have had the cache flush bit set, so now we need to finish the job and send the rest.
+ if (!SendAdditional && (rr->resrec.RecordType & kDNSRecordTypeUniqueMask))
+ {
+ const AuthRecord *a;
+ for (a = m->ResourceRecords; a; a=a->next)
+ if (a->LastMCTime == m->timenow &&
+ a->LastMCInterface == intf->InterfaceID &&
+ SameResourceRecordSignature(a, rr)) { SendAdditional = mDNStrue; break; }
+ }
+ if (!SendAdditional) // If we don't want to send this after all,
+ rr->ImmedAdditional = mDNSNULL; // then cancel its ImmedAdditional field
+ else if (newptr) // Else, try to add it if we can
+ {
+ // The first time through (pktcount==0), if this record is verified unique
+ // (i.e. typically A, AAAA, SRV, TXT and reverse-mapping PTR), set the flag to add an NSEC too.
+ if (!pktcount && (rr->resrec.RecordType & kDNSRecordTypeActiveUniqueMask) && !rr->SendNSECNow)
+ rr->SendNSECNow = mDNSInterfaceMark;
+
+ if (rr->resrec.RecordType & kDNSRecordTypeUniqueMask)
+ rr->resrec.rrclass |= kDNSClass_UniqueRRSet; // Temporarily set the cache flush bit so PutResourceRecord will set it
+ newptr = PutRR_OS(newptr, &m->omsg.h.numAdditionals, &rr->resrec);
+ rr->resrec.rrclass &= ~kDNSClass_UniqueRRSet; // Make sure to clear cache flush bit back to normal state
+ if (newptr)
+ {
+ responseptr = newptr;
+ rr->ImmedAdditional = mDNSNULL;
+ rr->RequireGoodbye = mDNStrue;
+ // If we successfully put this additional record in the packet, we record LastMCTime & LastMCInterface.
+ // This matters particularly in the case where we have more than one IPv6 (or IPv4) address, because otherwise,
+ // when we see our own multicast with the cache flush bit set, if we haven't set LastMCTime, then we'll get
+ // all concerned and re-announce our record again to make sure it doesn't get flushed from peer caches.
+ rr->LastMCTime = m->timenow;
+ rr->LastMCInterface = intf->InterfaceID;
+ }
+ }
+ }
+
+ // Third Pass. Add NSEC records, if there's space.
+ // When we're generating an NSEC record in response to a specify query for that type
+ // (recognized by rr->SendNSECNow == intf->InterfaceID) we should really put the NSEC in the Answer Section,
+ // not Additional Section, but for now it's easier to handle both cases in this Additional Section loop here.
+ for (rr = m->ResourceRecords; rr; rr=rr->next)
+ if (rr->SendNSECNow == mDNSInterfaceMark || rr->SendNSECNow == intf->InterfaceID)
+ {
+ AuthRecord nsec;
+ mDNSu8 *ptr;
+ int len;
+ mDNS_SetupResourceRecord(&nsec, mDNSNULL, mDNSInterface_Any, kDNSType_NSEC, rr->resrec.rroriginalttl, kDNSRecordTypeUnique, AuthRecordAny, mDNSNULL, mDNSNULL);
+ nsec.resrec.rrclass |= kDNSClass_UniqueRRSet;
+ AssignDomainName(&nsec.namestorage, rr->resrec.name);
+ ptr = nsec.rdatastorage.u.data;
+ len = DomainNameLength(rr->resrec.name);
+ // We have a nxt name followed by window number, window length and a window bitmap
+ nsec.resrec.rdlength = len + 2 + NSEC_MCAST_WINDOW_SIZE;
+ if (nsec.resrec.rdlength <= StandardAuthRDSize)
+ {
+ mDNSPlatformMemZero(ptr, nsec.resrec.rdlength);
+ AssignDomainName((domainname *)ptr, rr->resrec.name);
+ ptr += len;
+ *ptr++ = 0; // window number
+ *ptr++ = NSEC_MCAST_WINDOW_SIZE; // window length
+ for (r2 = m->ResourceRecords; r2; r2=r2->next)
+ if (ResourceRecordIsValidAnswer(r2) && SameResourceRecordNameClassInterface(r2, rr))
+ {
+ if (r2->resrec.rrtype >= kDNSQType_ANY) { LogMsg("SendResponses: Can't create NSEC for record %s", ARDisplayString(m, r2)); break; }
+ else ptr[r2->resrec.rrtype >> 3] |= 128 >> (r2->resrec.rrtype & 7);
+ }
+ newptr = responseptr;
+ if (!r2) // If we successfully built our NSEC record, add it to the packet now
+ {
+ newptr = PutRR_OS(responseptr, &m->omsg.h.numAdditionals, &nsec.resrec);
+ if (newptr) responseptr = newptr;
+ }
+ }
+ else LogMsg("SendResponses: not enough space (%d) in authrecord for nsec", nsec.resrec.rdlength);
+
+ // If we successfully put the NSEC record, clear the SendNSECNow flag
+ // If we consider this NSEC optional, then we unconditionally clear the SendNSECNow flag, even if we fail to put this additional record
+ if (newptr || rr->SendNSECNow == mDNSInterfaceMark)
+ {
+ rr->SendNSECNow = mDNSNULL;
+ // Run through remainder of list clearing SendNSECNow flag for all other records which would generate the same NSEC
+ for (r2 = rr->next; r2; r2=r2->next)
+ if (SameResourceRecordNameClassInterface(r2, rr))
+ if (r2->SendNSECNow == mDNSInterfaceMark || r2->SendNSECNow == intf->InterfaceID)
+ r2->SendNSECNow = mDNSNULL;
+ }
+ }
+
+ if (m->omsg.h.numAnswers || m->omsg.h.numAdditionals)
+ {
+ // If we have data to send, add OWNER/TRACER/OWNER+TRACER option if necessary, then send packet
+ if (OwnerRecordSpace || TraceRecordSpace)
+ {
+ AuthRecord opt;
+ mDNS_SetupResourceRecord(&opt, mDNSNULL, mDNSInterface_Any, kDNSType_OPT, kStandardTTL, kDNSRecordTypeKnownUnique, AuthRecordAny, mDNSNULL, mDNSNULL);
+ opt.resrec.rrclass = NormalMaxDNSMessageData;
+ opt.resrec.rdlength = sizeof(rdataOPT);
+ opt.resrec.rdestimate = sizeof(rdataOPT);
+ if (OwnerRecordSpace && TraceRecordSpace)
+ {
+ opt.resrec.rdlength += sizeof(rdataOPT); // Two options in this OPT record
+ opt.resrec.rdestimate += sizeof(rdataOPT);
+ SetupOwnerOpt(m, intf, &opt.resrec.rdata->u.opt[0]);
+ SetupTracerOpt(m, &opt.resrec.rdata->u.opt[1]);
+ }
+ else if (OwnerRecordSpace)
+ {
+ SetupOwnerOpt(m, intf, &opt.resrec.rdata->u.opt[0]);
+ }
+ else if (TraceRecordSpace)
+ {
+ SetupTracerOpt(m, &opt.resrec.rdata->u.opt[0]);
+ }
+ newptr = PutResourceRecord(&m->omsg, responseptr, &m->omsg.h.numAdditionals, &opt.resrec);
+ if (newptr)
+ {
+ responseptr = newptr;
+ LogInfo("SendResponses put %s %s: %s %s", OwnerRecordSpace ? "OWNER" : "", TraceRecordSpace ? "TRACER" : "", intf->ifname, ARDisplayString(m, &opt));
+ }
+ else if (m->omsg.h.numAnswers + m->omsg.h.numAuthorities + m->omsg.h.numAdditionals == 1)
+ {
+ LogInfo("SendResponses: No space in packet for %s %s OPT record (%d/%d/%d/%d) %s", OwnerRecordSpace ? "OWNER" : "", TraceRecordSpace ? "TRACER" : "",
+ m->omsg.h.numQuestions, m->omsg.h.numAnswers, m->omsg.h.numAuthorities, m->omsg.h.numAdditionals, ARDisplayString(m, &opt));
+ }
+ else
+ {
+ LogMsg("SendResponses: How did we fail to have space for %s %s OPT record (%d/%d/%d/%d) %s", OwnerRecordSpace ? "OWNER" : "", TraceRecordSpace ? "TRACER" : "",
+ m->omsg.h.numQuestions, m->omsg.h.numAnswers, m->omsg.h.numAuthorities, m->omsg.h.numAdditionals, ARDisplayString(m, &opt));
+ }
+ }
+
+ debugf("SendResponses: Sending %d Deregistration%s, %d Announcement%s, %d Answer%s, %d Additional%s on %p",
+ numDereg, numDereg == 1 ? "" : "s",
+ numAnnounce, numAnnounce == 1 ? "" : "s",
+ numAnswer, numAnswer == 1 ? "" : "s",
+ m->omsg.h.numAdditionals, m->omsg.h.numAdditionals == 1 ? "" : "s", intf->InterfaceID);
+
+ if (intf->IPv4Available) mDNSSendDNSMessage(m, &m->omsg, responseptr, intf->InterfaceID, mDNSNULL, &AllDNSLinkGroup_v4, MulticastDNSPort, mDNSNULL, mDNSNULL, mDNSfalse);
+ if (intf->IPv6Available) mDNSSendDNSMessage(m, &m->omsg, responseptr, intf->InterfaceID, mDNSNULL, &AllDNSLinkGroup_v6, MulticastDNSPort, mDNSNULL, mDNSNULL, mDNSfalse);
+ if (!m->SuppressSending) m->SuppressSending = NonZeroTime(m->timenow + (mDNSPlatformOneSecond+9)/10);
+ if (++pktcount >= 1000) { LogMsg("SendResponses exceeded loop limit %d: giving up", pktcount); break; }
+ // There might be more things to send on this interface, so go around one more time and try again.
+ }
+ else // Nothing more to send on this interface; go to next
+ {
+ const NetworkInterfaceInfo *next = GetFirstActiveInterface(intf->next);
+ #if MDNS_DEBUGMSGS && 0
+ const char *const msg = next ? "SendResponses: Nothing more on %p; moving to %p" : "SendResponses: Nothing more on %p";
+ debugf(msg, intf, next);
+ #endif
+ intf = next;
+ pktcount = 0; // When we move to a new interface, reset packet count back to zero -- NSEC generation logic uses it
+ }
+ }
+
+ // ***
+ // *** 3. Cleanup: Now that everything is sent, call client callback functions, and reset state variables
+ // ***
+
+ if (m->CurrentRecord)
+ LogMsg("SendResponses ERROR m->CurrentRecord already set %s", ARDisplayString(m, m->CurrentRecord));
+ m->CurrentRecord = m->ResourceRecords;
+ while (m->CurrentRecord)
+ {
+ rr = m->CurrentRecord;
+ m->CurrentRecord = rr->next;
+
+ if (rr->SendRNow)
+ {
+ if (rr->ARType != AuthRecordLocalOnly && rr->ARType != AuthRecordP2P)
+ LogMsg("SendResponses: No active interface %p to send: %p %02X %s", rr->SendRNow, rr->resrec.InterfaceID, rr->resrec.RecordType, ARDisplayString(m, rr));
+ rr->SendRNow = mDNSNULL;
+ }
+
+ if (rr->ImmedAnswer || rr->resrec.RecordType == kDNSRecordTypeDeregistering)
+ {
+ if (rr->NewRData) CompleteRDataUpdate(m, rr); // Update our rdata, clear the NewRData pointer, and return memory to the client
+
+ if (rr->resrec.RecordType == kDNSRecordTypeDeregistering && rr->AnnounceCount == 0)
+ {
+ // For Unicast, when we get the response from the server, we will call CompleteDeregistration
+ if (!AuthRecord_uDNS(rr)) CompleteDeregistration(m, rr); // Don't touch rr after this
+ }
+ else
+ {
+ rr->ImmedAnswer = mDNSNULL;
+ rr->ImmedUnicast = mDNSfalse;
+ rr->v4Requester = zerov4Addr;
+ rr->v6Requester = zerov6Addr;
+ }
+ }
+ }
+ verbosedebugf("SendResponses: Next in %ld ticks", m->NextScheduledResponse - m->timenow);
+}
+
+// Calling CheckCacheExpiration() is an expensive operation because it has to look at the entire cache,
+// so we want to be lazy about how frequently we do it.
+// 1. If a cache record is currently referenced by *no* active questions,
+// then we don't mind expiring it up to a minute late (who will know?)
+// 2. Else, if a cache record is due for some of its final expiration queries,
+// we'll allow them to be late by up to 2% of the TTL
+// 3. Else, if a cache record has completed all its final expiration queries without success,
+// and is expiring, and had an original TTL more than ten seconds, we'll allow it to be one second late
+// 4. Else, it is expiring and had an original TTL of ten seconds or less (includes explicit goodbye packets),
+// so allow at most 1/10 second lateness
+// 5. For records with rroriginalttl set to zero, that means we really want to delete them immediately
+// (we have a new record with DelayDelivery set, waiting for the old record to go away before we can notify clients).
+#define CacheCheckGracePeriod(RR) ( \
+ ((RR)->CRActiveQuestion == mDNSNULL ) ? (60 * mDNSPlatformOneSecond) : \
+ ((RR)->UnansweredQueries < MaxUnansweredQueries) ? (TicksTTL(rr)/50) : \
+ ((RR)->resrec.rroriginalttl > 10 ) ? (mDNSPlatformOneSecond) : \
+ ((RR)->resrec.rroriginalttl > 0 ) ? (mDNSPlatformOneSecond/10) : 0)
+
+#define NextCacheCheckEvent(RR) ((RR)->NextRequiredQuery + CacheCheckGracePeriod(RR))
+
+mDNSexport void ScheduleNextCacheCheckTime(mDNS *const m, const mDNSu32 slot, const mDNSs32 event)
+{
+ if (m->rrcache_nextcheck[slot] - event > 0)
+ m->rrcache_nextcheck[slot] = event;
+ if (m->NextCacheCheck - event > 0)
+ m->NextCacheCheck = event;
+}
+
+// Note: MUST call SetNextCacheCheckTimeForRecord any time we change:
+// rr->TimeRcvd
+// rr->resrec.rroriginalttl
+// rr->UnansweredQueries
+// rr->CRActiveQuestion
+mDNSexport void SetNextCacheCheckTimeForRecord(mDNS *const m, CacheRecord *const rr)
+{
+ rr->NextRequiredQuery = RRExpireTime(rr);
+
+ // If we have an active question, then see if we want to schedule a refresher query for this record.
+ // Usually we expect to do four queries, at 80-82%, 85-87%, 90-92% and then 95-97% of the TTL.
+ if (rr->CRActiveQuestion && rr->UnansweredQueries < MaxUnansweredQueries)
+ {
+ rr->NextRequiredQuery -= TicksTTL(rr)/20 * (MaxUnansweredQueries - rr->UnansweredQueries);
+ rr->NextRequiredQuery += mDNSRandom((mDNSu32)TicksTTL(rr)/50);
+ verbosedebugf("SetNextCacheCheckTimeForRecord: NextRequiredQuery in %ld sec CacheCheckGracePeriod %d ticks for %s",
+ (rr->NextRequiredQuery - m->timenow) / mDNSPlatformOneSecond, CacheCheckGracePeriod(rr), CRDisplayString(m,rr));
+ }
+ ScheduleNextCacheCheckTime(m, HashSlot(rr->resrec.name), NextCacheCheckEvent(rr));
+}
+
+#define kMinimumReconfirmTime ((mDNSu32)mDNSPlatformOneSecond * 5)
+#define kDefaultReconfirmTimeForWake ((mDNSu32)mDNSPlatformOneSecond * 5)
+#define kDefaultReconfirmTimeForNoAnswer ((mDNSu32)mDNSPlatformOneSecond * 5)
+#define kDefaultReconfirmTimeForFlappingInterface ((mDNSu32)mDNSPlatformOneSecond * 5)
+
+mDNSexport mStatus mDNS_Reconfirm_internal(mDNS *const m, CacheRecord *const rr, mDNSu32 interval)
+{
+ if (interval < kMinimumReconfirmTime)
+ interval = kMinimumReconfirmTime;
+ if (interval > 0x10000000) // Make sure interval doesn't overflow when we multiply by four below
+ interval = 0x10000000;
+
+ // If the expected expiration time for this record is more than interval+33%, then accelerate its expiration
+ if (RRExpireTime(rr) - m->timenow > (mDNSs32)((interval * 4) / 3))
+ {
+ // Add a 33% random amount to the interval, to avoid synchronization between multiple hosts
+ // For all the reconfirmations in a given batch, we want to use the same random value
+ // so that the reconfirmation questions can be grouped into a single query packet
+ if (!m->RandomReconfirmDelay) m->RandomReconfirmDelay = 1 + mDNSRandom(0x3FFFFFFF);
+ interval += m->RandomReconfirmDelay % ((interval/3) + 1);
+ rr->TimeRcvd = m->timenow - (mDNSs32)interval * 3;
+ rr->resrec.rroriginalttl = (interval * 4 + mDNSPlatformOneSecond - 1) / mDNSPlatformOneSecond;
+ SetNextCacheCheckTimeForRecord(m, rr);
+ }
+ debugf("mDNS_Reconfirm_internal:%6ld ticks to go for %s %p",
+ RRExpireTime(rr) - m->timenow, CRDisplayString(m, rr), rr->CRActiveQuestion);
+ return(mStatus_NoError);
+}
+
+// BuildQuestion puts a question into a DNS Query packet and if successful, updates the value of queryptr.
+// It also appends to the list of known answer records that need to be included,
+// and updates the forcast for the size of the known answer section.
+mDNSlocal mDNSBool BuildQuestion(mDNS *const m, DNSMessage *query, mDNSu8 **queryptr, DNSQuestion *q,
+ CacheRecord ***kalistptrptr, mDNSu32 *answerforecast)
+{
+ mDNSBool ucast = (q->LargeAnswers || q->RequestUnicast) && m->CanReceiveUnicastOn5353;
+ mDNSu16 ucbit = (mDNSu16)(ucast ? kDNSQClass_UnicastResponse : 0);
+ const mDNSu8 *const limit = query->data + NormalMaxDNSMessageData;
+ mDNSu8 anoninfo_space = q->AnonInfo ? AnonInfoSpace(q->AnonInfo) : 0;
+ mDNSu8 *newptr = putQuestion(query, *queryptr, limit - *answerforecast - anoninfo_space, &q->qname, q->qtype, (mDNSu16)(q->qclass | ucbit));
+ if (!newptr)
+ {
+ debugf("BuildQuestion: No more space in this packet for question %##s (%s)", q->qname.c, DNSTypeName(q->qtype));
+ return(mDNSfalse);
+ }
+ else
+ {
+ mDNSu32 forecast = *answerforecast + anoninfo_space;
+ const mDNSu32 slot = HashSlot(&q->qname);
+ const CacheGroup *const cg = CacheGroupForName(m, slot, q->qnamehash, &q->qname);
+ CacheRecord *rr;
+ CacheRecord **ka = *kalistptrptr; // Make a working copy of the pointer we're going to update
+
+ for (rr = cg ? cg->members : mDNSNULL; rr; rr=rr->next) // If we have a resource record in our cache,
+ if (rr->resrec.InterfaceID == q->SendQNow && // received on this interface
+ !(rr->resrec.RecordType & kDNSRecordTypeUniqueMask) && // which is a shared (i.e. not unique) record type
+ rr->NextInKAList == mDNSNULL && ka != &rr->NextInKAList && // which is not already in the known answer list
+ rr->resrec.rdlength <= SmallRecordLimit && // which is small enough to sensibly fit in the packet
+ SameNameRecordAnswersQuestion(&rr->resrec, q) && // which answers our question
+ rr->TimeRcvd + TicksTTL(rr)/2 - m->timenow > // and its half-way-to-expiry time is at least 1 second away
+ mDNSPlatformOneSecond) // (also ensures we never include goodbye records with TTL=1)
+ {
+ // We don't want to include unique records in the Known Answer section. The Known Answer section
+ // is intended to suppress floods of shared-record replies from many other devices on the network.
+ // That concept really does not apply to unique records, and indeed if we do send a query for
+ // which we have a unique record already in our cache, then including that unique record as a
+ // Known Answer, so as to suppress the only answer we were expecting to get, makes little sense.
+
+ *ka = rr; // Link this record into our known answer chain
+ ka = &rr->NextInKAList;
+ // We forecast: compressed name (2) type (2) class (2) TTL (4) rdlength (2) rdata (n)
+ forecast += 12 + rr->resrec.rdestimate;
+ // If we're trying to put more than one question in this packet, and it doesn't fit
+ // then undo that last question and try again next time
+ if (query->h.numQuestions > 1 && newptr + forecast >= limit)
+ {
+ query->h.numQuestions--;
+ debugf("BuildQuestion: Retracting question %##s (%s) new forecast total %d, total questions %d",
+ q->qname.c, DNSTypeName(q->qtype), newptr + forecast - query->data, query->h.numQuestions);
+ ka = *kalistptrptr; // Go back to where we started and retract these answer records
+ while (*ka) { CacheRecord *c = *ka; *ka = mDNSNULL; ka = &c->NextInKAList; }
+ return(mDNSfalse); // Return false, so we'll try again in the next packet
+ }
+ }
+
+ // Success! Update our state pointers, increment UnansweredQueries as appropriate, and return
+ *queryptr = newptr; // Update the packet pointer
+ *answerforecast = forecast; // Update the forecast
+ *kalistptrptr = ka; // Update the known answer list pointer
+ if (ucast) q->ExpectUnicastResp = NonZeroTime(m->timenow);
+
+ for (rr = cg ? cg->members : mDNSNULL; rr; rr=rr->next) // For every resource record in our cache,
+ if (rr->resrec.InterfaceID == q->SendQNow && // received on this interface
+ rr->NextInKAList == mDNSNULL && ka != &rr->NextInKAList && // which is not in the known answer list
+ SameNameRecordAnswersQuestion(&rr->resrec, q)) // which answers our question
+ {
+ rr->UnansweredQueries++; // indicate that we're expecting a response
+ rr->LastUnansweredTime = m->timenow;
+ SetNextCacheCheckTimeForRecord(m, rr);
+ }
+
+ return(mDNStrue);
+ }
+}
+
+// When we have a query looking for a specified name, but there appear to be no answers with
+// that name, ReconfirmAntecedents() is called with depth=0 to start the reconfirmation process
+// for any records in our cache that reference the given name (e.g. PTR and SRV records).
+// For any such cache record we find, we also recursively call ReconfirmAntecedents() for *its* name.
+// We increment depth each time we recurse, to guard against possible infinite loops, with a limit of 5.
+// A typical reconfirmation scenario might go like this:
+// Depth 0: Name "myhost.local" has no address records
+// Depth 1: SRV "My Service._example._tcp.local." refers to "myhost.local"; may be stale
+// Depth 2: PTR "_example._tcp.local." refers to "My Service"; may be stale
+// Depth 3: PTR "_services._dns-sd._udp.local." refers to "_example._tcp.local."; may be stale
+// Currently depths 4 and 5 are not expected to occur; if we did get to depth 5 we'd reconfim any records we
+// found referring to the given name, but not recursively descend any further reconfirm *their* antecedents.
+mDNSlocal void ReconfirmAntecedents(mDNS *const m, const domainname *const name, const mDNSu32 namehash, const int depth)
+{
+ mDNSu32 slot;
+ CacheGroup *cg;
+ CacheRecord *cr;
+ debugf("ReconfirmAntecedents (depth=%d) for %##s", depth, name->c);
+ FORALL_CACHERECORDS(slot, cg, cr)
+ {
+ domainname *crtarget = GetRRDomainNameTarget(&cr->resrec);
+ if (crtarget && cr->resrec.rdatahash == namehash && SameDomainName(crtarget, name))
+ {
+ LogInfo("ReconfirmAntecedents: Reconfirming (depth=%d) %s", depth, CRDisplayString(m, cr));
+ mDNS_Reconfirm_internal(m, cr, kDefaultReconfirmTimeForNoAnswer);
+ if (depth < 5)
+ ReconfirmAntecedents(m, cr->resrec.name, cr->resrec.namehash, depth+1);
+ }
+ }
+}
+
+// If we get no answer for a AAAA query, then before doing an automatic implicit ReconfirmAntecedents
+// we check if we have an address record for the same name. If we do have an IPv4 address for a given
+// name but not an IPv6 address, that's okay (it just means the device doesn't do IPv6) so the failure
+// to get a AAAA response is not grounds to doubt the PTR/SRV chain that lead us to that name.
+mDNSlocal const CacheRecord *CacheHasAddressTypeForName(mDNS *const m, const domainname *const name, const mDNSu32 namehash)
+{
+ CacheGroup *const cg = CacheGroupForName(m, HashSlot(name), namehash, name);
+ const CacheRecord *cr = cg ? cg->members : mDNSNULL;
+ while (cr && !RRTypeIsAddressType(cr->resrec.rrtype)) cr=cr->next;
+ return(cr);
+}
+
+
+mDNSlocal const CacheRecord *FindSPSInCache1(mDNS *const m, const DNSQuestion *const q, const CacheRecord *const c0, const CacheRecord *const c1)
+{
+#ifndef SPC_DISABLED
+ CacheGroup *const cg = CacheGroupForName(m, HashSlot(&q->qname), q->qnamehash, &q->qname);
+ const CacheRecord *cr, *bestcr = mDNSNULL;
+ mDNSu32 bestmetric = 1000000;
+ for (cr = cg ? cg->members : mDNSNULL; cr; cr=cr->next)
+ if (cr->resrec.rrtype == kDNSType_PTR && cr->resrec.rdlength >= 6) // If record is PTR type, with long enough name,
+ if (cr != c0 && cr != c1) // that's not one we've seen before,
+ if (SameNameRecordAnswersQuestion(&cr->resrec, q)) // and answers our browse query,
+ if (!IdenticalSameNameRecord(&cr->resrec, &m->SPSRecords.RR_PTR.resrec)) // and is not our own advertised service...
+ {
+ mDNSu32 metric = SPSMetric(cr->resrec.rdata->u.name.c);
+ if (bestmetric > metric) { bestmetric = metric; bestcr = cr; }
+ }
+ return(bestcr);
+#else // SPC_DISABLED
+ (void) m;
+ (void) q;
+ (void) c0;
+ (void) c1;
+ (void) c1;
+ return mDNSNULL;
+#endif // SPC_DISABLED
+}
+
+mDNSlocal void CheckAndSwapSPS(const CacheRecord *sps1, const CacheRecord *sps2)
+{
+ const CacheRecord *swap_sps;
+ mDNSu32 metric1, metric2;
+
+ if (!sps1 || !sps2) return;
+ metric1 = SPSMetric(sps1->resrec.rdata->u.name.c);
+ metric2 = SPSMetric(sps2->resrec.rdata->u.name.c);
+ if (!SPSFeatures(sps1->resrec.rdata->u.name.c) && SPSFeatures(sps2->resrec.rdata->u.name.c) && (metric2 >= metric1))
+ {
+ swap_sps = sps1;
+ sps1 = sps2;
+ sps2 = swap_sps;
+ }
+}
+
+mDNSlocal void ReorderSPSByFeature(const CacheRecord *sps[3])
+{
+ CheckAndSwapSPS(sps[0], sps[1]);
+ CheckAndSwapSPS(sps[0], sps[2]);
+ CheckAndSwapSPS(sps[1], sps[2]);
+}
+
+
+// Finds the three best Sleep Proxies we currently have in our cache
+mDNSexport void FindSPSInCache(mDNS *const m, const DNSQuestion *const q, const CacheRecord *sps[3])
+{
+ sps[0] = FindSPSInCache1(m, q, mDNSNULL, mDNSNULL);
+ sps[1] = !sps[0] ? mDNSNULL : FindSPSInCache1(m, q, sps[0], mDNSNULL);
+ sps[2] = !sps[1] ? mDNSNULL : FindSPSInCache1(m, q, sps[0], sps[1]);
+
+ // SPS is already sorted by metric. We want to move the entries to the beginning of the array
+ // only if they have equally good metric and support features.
+ ReorderSPSByFeature(sps);
+}
+
+// Only DupSuppressInfos newer than the specified 'time' are allowed to remain active
+mDNSlocal void ExpireDupSuppressInfo(DupSuppressInfo ds[DupSuppressInfoSize], mDNSs32 time)
+{
+ int i;
+ for (i=0; i<DupSuppressInfoSize; i++) if (ds[i].Time - time < 0) ds[i].InterfaceID = mDNSNULL;
+}
+
+mDNSlocal void ExpireDupSuppressInfoOnInterface(DupSuppressInfo ds[DupSuppressInfoSize], mDNSs32 time, mDNSInterfaceID InterfaceID)
+{
+ int i;
+ for (i=0; i<DupSuppressInfoSize; i++) if (ds[i].InterfaceID == InterfaceID && ds[i].Time - time < 0) ds[i].InterfaceID = mDNSNULL;
+}
+
+mDNSlocal mDNSBool SuppressOnThisInterface(const DupSuppressInfo ds[DupSuppressInfoSize], const NetworkInterfaceInfo * const intf)
+{
+ int i;
+ mDNSBool v4 = !intf->IPv4Available; // If this interface doesn't do v4, we don't need to find a v4 duplicate of this query
+ mDNSBool v6 = !intf->IPv6Available; // If this interface doesn't do v6, we don't need to find a v6 duplicate of this query
+ for (i=0; i<DupSuppressInfoSize; i++)
+ if (ds[i].InterfaceID == intf->InterfaceID)
+ {
+ if (ds[i].Type == mDNSAddrType_IPv4) v4 = mDNStrue;
+ else if (ds[i].Type == mDNSAddrType_IPv6) v6 = mDNStrue;
+ if (v4 && v6) return(mDNStrue);
+ }
+ return(mDNSfalse);
+}
+
+mDNSlocal int RecordDupSuppressInfo(DupSuppressInfo ds[DupSuppressInfoSize], mDNSs32 Time, mDNSInterfaceID InterfaceID, mDNSs32 Type)
+{
+ int i, j;
+
+ // See if we have this one in our list somewhere already
+ for (i=0; i<DupSuppressInfoSize; i++) if (ds[i].InterfaceID == InterfaceID && ds[i].Type == Type) break;
+
+ // If not, find a slot we can re-use
+ if (i >= DupSuppressInfoSize)
+ {
+ i = 0;
+ for (j=1; j<DupSuppressInfoSize && ds[i].InterfaceID; j++)
+ if (!ds[j].InterfaceID || ds[j].Time - ds[i].Time < 0)
+ i = j;
+ }
+
+ // Record the info about this query we saw
+ ds[i].Time = Time;
+ ds[i].InterfaceID = InterfaceID;
+ ds[i].Type = Type;
+
+ return(i);
+}
+
+mDNSlocal void mDNSSendWakeOnResolve(mDNS *const m, DNSQuestion *q)
+{
+ int len, i, cnt;
+ mDNSInterfaceID InterfaceID = q->InterfaceID;
+ domainname *d = &q->qname;
+
+ // We can't send magic packets without knowing which interface to send it on.
+ if (InterfaceID == mDNSInterface_Any || InterfaceID == mDNSInterface_LocalOnly || InterfaceID == mDNSInterface_P2P)
+ {
+ LogMsg("mDNSSendWakeOnResolve: ERROR!! Invalid InterfaceID %p for question %##s", InterfaceID, q->qname.c);
+ return;
+ }
+
+ // Split MAC@IPAddress and pass them separately
+ len = d->c[0];
+ i = 1;
+ cnt = 0;
+ for (i = 1; i < len; i++)
+ {
+ if (d->c[i] == '@')
+ {
+ char EthAddr[18]; // ethernet adddress : 12 bytes + 5 ":" + 1 NULL byte
+ char IPAddr[47]; // Max IP address len: 46 bytes (IPv6) + 1 NULL byte
+ if (cnt != 5)
+ {
+ LogMsg("mDNSSendWakeOnResolve: ERROR!! Malformed Ethernet address %##s, cnt %d", q->qname.c, cnt);
+ return;
+ }
+ if ((i - 1) > (int) (sizeof(EthAddr) - 1))
+ {
+ LogMsg("mDNSSendWakeOnResolve: ERROR!! Malformed Ethernet address %##s, length %d", q->qname.c, i - 1);
+ return;
+ }
+ if ((len - i) > (int)(sizeof(IPAddr) - 1))
+ {
+ LogMsg("mDNSSendWakeOnResolve: ERROR!! Malformed IP address %##s, length %d", q->qname.c, len - i);
+ return;
+ }
+ mDNSPlatformMemCopy(EthAddr, &d->c[1], i - 1);
+ EthAddr[i - 1] = 0;
+ mDNSPlatformMemCopy(IPAddr, &d->c[i + 1], len - i);
+ IPAddr[len - i] = 0;
+ m->mDNSStats.WakeOnResolves++;
+ mDNSPlatformSendWakeupPacket(m, InterfaceID, EthAddr, IPAddr, InitialWakeOnResolveCount - q->WakeOnResolveCount);
+ return;
+ }
+ else if (d->c[i] == ':')
+ cnt++;
+ }
+ LogMsg("mDNSSendWakeOnResolve: ERROR!! Malformed WakeOnResolve name %##s", q->qname.c);
+}
+
+
+mDNSlocal mDNSBool AccelerateThisQuery(mDNS *const m, DNSQuestion *q)
+{
+ // If more than 90% of the way to the query time, we should unconditionally accelerate it
+ if (TimeToSendThisQuestion(q, m->timenow + q->ThisQInterval/10))
+ return(mDNStrue);
+
+ // If half-way to next scheduled query time, only accelerate if it will add less than 512 bytes to the packet
+ if (TimeToSendThisQuestion(q, m->timenow + q->ThisQInterval/2))
+ {
+ // We forecast: qname (n) type (2) class (2)
+ mDNSu32 forecast = (mDNSu32)DomainNameLength(&q->qname) + 4;
+ const mDNSu32 slot = HashSlot(&q->qname);
+ const CacheGroup *const cg = CacheGroupForName(m, slot, q->qnamehash, &q->qname);
+ const CacheRecord *rr;
+ for (rr = cg ? cg->members : mDNSNULL; rr; rr=rr->next) // If we have a resource record in our cache,
+ if (rr->resrec.rdlength <= SmallRecordLimit && // which is small enough to sensibly fit in the packet
+ SameNameRecordAnswersQuestion(&rr->resrec, q) && // which answers our question
+ rr->TimeRcvd + TicksTTL(rr)/2 - m->timenow >= 0 && // and it is less than half-way to expiry
+ rr->NextRequiredQuery - (m->timenow + q->ThisQInterval) > 0) // and we'll ask at least once again before NextRequiredQuery
+ {
+ // We forecast: compressed name (2) type (2) class (2) TTL (4) rdlength (2) rdata (n)
+ forecast += 12 + rr->resrec.rdestimate;
+ if (forecast >= 512) return(mDNSfalse); // If this would add 512 bytes or more to the packet, don't accelerate
+ }
+ return(mDNStrue);
+ }
+
+ return(mDNSfalse);
+}
+
+// How Standard Queries are generated:
+// 1. The Question Section contains the question
+// 2. The Additional Section contains answers we already know, to suppress duplicate responses
+
+// How Probe Queries are generated:
+// 1. The Question Section contains queries for the name we intend to use, with QType=ANY because
+// if some other host is already using *any* records with this name, we want to know about it.
+// 2. The Authority Section contains the proposed values we intend to use for one or more
+// of our records with that name (analogous to the Update section of DNS Update packets)
+// because if some other host is probing at the same time, we each want to know what the other is
+// planning, in order to apply the tie-breaking rule to see who gets to use the name and who doesn't.
+
+mDNSlocal void SendQueries(mDNS *const m)
+{
+ mDNSu32 slot;
+ CacheGroup *cg;
+ CacheRecord *cr;
+ AuthRecord *ar;
+ int pktcount = 0;
+ DNSQuestion *q;
+ // For explanation of maxExistingQuestionInterval logic, see comments for maxExistingAnnounceInterval
+ mDNSs32 maxExistingQuestionInterval = 0;
+ const NetworkInterfaceInfo *intf = GetFirstActiveInterface(m->HostInterfaces);
+ CacheRecord *KnownAnswerList = mDNSNULL;
+
+ // 1. If time for a query, work out what we need to do
+
+ // We're expecting to send a query anyway, so see if any expiring cache records are close enough
+ // to their NextRequiredQuery to be worth batching them together with this one
+ FORALL_CACHERECORDS(slot, cg, cr)
+ {
+ if (cr->CRActiveQuestion && cr->UnansweredQueries < MaxUnansweredQueries)
+ {
+ if (m->timenow + TicksTTL(cr)/50 - cr->NextRequiredQuery >= 0)
+ {
+ debugf("Sending %d%% cache expiration query for %s", 80 + 5 * cr->UnansweredQueries, CRDisplayString(m, cr));
+ q = cr->CRActiveQuestion;
+ ExpireDupSuppressInfoOnInterface(q->DupSuppress, m->timenow - TicksTTL(cr)/20, cr->resrec.InterfaceID);
+ // For uDNS queries (TargetQID non-zero) we adjust LastQTime,
+ // and bump UnansweredQueries so that we don't spin trying to send the same cache expiration query repeatedly
+ if (q->Target.type)
+ {
+ q->SendQNow = mDNSInterfaceMark; // If targeted query, mark it
+ }
+ else if (!mDNSOpaque16IsZero(q->TargetQID))
+ {
+ q->LastQTime = m->timenow - q->ThisQInterval;
+ cr->UnansweredQueries++;
+ m->mDNSStats.CacheRefreshQueries++;
+ }
+ else if (q->SendQNow == mDNSNULL)
+ {
+ q->SendQNow = cr->resrec.InterfaceID;
+ }
+ else if (q->SendQNow != cr->resrec.InterfaceID)
+ {
+ q->SendQNow = mDNSInterfaceMark;
+ }
+
+ // Indicate that this question was marked for sending
+ // to update an existing cached answer record.
+ // The browse throttling logic below uses this to determine
+ // if the query should be sent.
+ if (mDNSOpaque16IsZero(q->TargetQID))
+ q->CachedAnswerNeedsUpdate = mDNStrue;
+ }
+ }
+ }
+
+ // Scan our list of questions to see which:
+ // *WideArea* queries need to be sent
+ // *unicast* queries need to be sent
+ // *multicast* queries we're definitely going to send
+ if (m->CurrentQuestion)
+ LogMsg("SendQueries ERROR m->CurrentQuestion already set: %##s (%s)", m->CurrentQuestion->qname.c, DNSTypeName(m->CurrentQuestion->qtype));
+ m->CurrentQuestion = m->Questions;
+ while (m->CurrentQuestion && m->CurrentQuestion != m->NewQuestions)
+ {
+ q = m->CurrentQuestion;
+ if (q->Target.type && (q->SendQNow || TimeToSendThisQuestion(q, m->timenow)))
+ {
+ mDNSu8 *qptr = m->omsg.data;
+ const mDNSu8 *const limit = m->omsg.data + sizeof(m->omsg.data);
+
+ // If we fail to get a new on-demand socket (should only happen cases of the most extreme resource exhaustion), we'll try again next time
+ if (!q->LocalSocket) q->LocalSocket = mDNSPlatformUDPSocket(m, zeroIPPort);
+ if (q->LocalSocket)
+ {
+ InitializeDNSMessage(&m->omsg.h, q->TargetQID, QueryFlags);
+ qptr = putQuestion(&m->omsg, qptr, limit, &q->qname, q->qtype, q->qclass);
+ mDNSSendDNSMessage(m, &m->omsg, qptr, mDNSInterface_Any, q->LocalSocket, &q->Target, q->TargetPort, mDNSNULL, mDNSNULL, q->UseBackgroundTrafficClass);
+ q->ThisQInterval *= QuestionIntervalStep;
+ }
+ if (q->ThisQInterval > MaxQuestionInterval)
+ q->ThisQInterval = MaxQuestionInterval;
+ q->LastQTime = m->timenow;
+ q->LastQTxTime = m->timenow;
+ q->RecentAnswerPkts = 0;
+ q->SendQNow = mDNSNULL;
+ q->ExpectUnicastResp = NonZeroTime(m->timenow);
+ }
+ else if (mDNSOpaque16IsZero(q->TargetQID) && !q->Target.type && TimeToSendThisQuestion(q, m->timenow))
+ {
+ //LogInfo("Time to send %##s (%s) %d", q->qname.c, DNSTypeName(q->qtype), m->timenow - NextQSendTime(q));
+ q->SendQNow = mDNSInterfaceMark; // Mark this question for sending on all interfaces
+ if (maxExistingQuestionInterval < q->ThisQInterval)
+ maxExistingQuestionInterval = q->ThisQInterval;
+ }
+ // If m->CurrentQuestion wasn't modified out from under us, advance it now
+ // We can't do this at the start of the loop because uDNS_CheckCurrentQuestion() depends on having
+ // m->CurrentQuestion point to the right question
+ if (q == m->CurrentQuestion) m->CurrentQuestion = m->CurrentQuestion->next;
+ }
+ while (m->CurrentQuestion)
+ {
+ LogInfo("SendQueries question loop 1: Skipping NewQuestion %##s (%s)", m->CurrentQuestion->qname.c, DNSTypeName(m->CurrentQuestion->qtype));
+ m->CurrentQuestion = m->CurrentQuestion->next;
+ }
+ m->CurrentQuestion = mDNSNULL;
+
+ // Scan our list of questions
+ // (a) to see if there are any more that are worth accelerating, and
+ // (b) to update the state variables for *all* the questions we're going to send
+ // Note: Don't set NextScheduledQuery until here, because uDNS_CheckCurrentQuestion in the loop above can add new questions to the list,
+ // which causes NextScheduledQuery to get (incorrectly) set to m->timenow. Setting it here is the right place, because the very
+ // next thing we do is scan the list and call SetNextQueryTime() for every question we find, so we know we end up with the right value.
+ m->NextScheduledQuery = m->timenow + 0x78000000;
+ for (q = m->Questions; q && q != m->NewQuestions; q=q->next)
+ {
+ if (mDNSOpaque16IsZero(q->TargetQID)
+ && (q->SendQNow || (!q->Target.type && ActiveQuestion(q) && q->ThisQInterval <= maxExistingQuestionInterval && AccelerateThisQuery(m,q))))
+ {
+ // If at least halfway to next query time, advance to next interval
+ // If less than halfway to next query time, then
+ // treat this as logically a repeat of the last transmission, without advancing the interval
+ if (m->timenow - (q->LastQTime + (q->ThisQInterval/2)) >= 0)
+ {
+ // If we have reached the answer threshold for this question,
+ // don't send it again until MaxQuestionInterval unless:
+ // one of its cached answers needs to be refreshed,
+ // or it's the initial query for a kDNSServiceFlagsThresholdFinder mode browse.
+ if (q->BrowseThreshold
+ && (q->CurrentAnswers >= q->BrowseThreshold)
+ && (q->CachedAnswerNeedsUpdate == mDNSfalse)
+ && !((q->flags & kDNSServiceFlagsThresholdFinder) && (q->ThisQInterval == InitialQuestionInterval)))
+ {
+ q->SendQNow = mDNSNULL;
+ q->ThisQInterval = MaxQuestionInterval;
+ q->LastQTime = m->timenow;
+ q->RequestUnicast = 0;
+ LogInfo("SendQueries: (%s) %##s reached threshold of %d answers",
+ DNSTypeName(q->qtype), q->qname.c, q->BrowseThreshold);
+ }
+ else
+ {
+ // Mark this question for sending on all interfaces
+ q->SendQNow = mDNSInterfaceMark;
+ q->ThisQInterval *= QuestionIntervalStep;
+ }
+
+ debugf("SendQueries: %##s (%s) next interval %d seconds RequestUnicast = %d",
+ q->qname.c, DNSTypeName(q->qtype), q->ThisQInterval / InitialQuestionInterval, q->RequestUnicast);
+
+ if (q->ThisQInterval >= QuestionIntervalThreshold)
+ {
+ q->ThisQInterval = MaxQuestionInterval;
+ }
+ else if (q->CurrentAnswers == 0 && q->ThisQInterval == InitialQuestionInterval * QuestionIntervalStep3 && !q->RequestUnicast &&
+ !(RRTypeIsAddressType(q->qtype) && CacheHasAddressTypeForName(m, &q->qname, q->qnamehash)))
+ {
+ // Generally don't need to log this.
+ // It's not especially noteworthy if a query finds no results -- this usually happens for domain
+ // enumeration queries in the LL subdomain (e.g. "db._dns-sd._udp.0.0.254.169.in-addr.arpa")
+ // and when there simply happen to be no instances of the service the client is looking
+ // for (e.g. iTunes is set to look for RAOP devices, and the current network has none).
+ debugf("SendQueries: Zero current answers for %##s (%s); will reconfirm antecedents",
+ q->qname.c, DNSTypeName(q->qtype));
+ // Sending third query, and no answers yet; time to begin doubting the source
+ ReconfirmAntecedents(m, &q->qname, q->qnamehash, 0);
+ }
+ }
+
+ // Mark for sending. (If no active interfaces, then don't even try.)
+ q->SendOnAll = (q->SendQNow == mDNSInterfaceMark);
+ if (q->SendOnAll)
+ {
+ q->SendQNow = !intf ? mDNSNULL : (q->InterfaceID) ? q->InterfaceID : intf->InterfaceID;
+ q->LastQTime = m->timenow;
+ }
+
+ // If we recorded a duplicate suppression for this question less than half an interval ago,
+ // then we consider it recent enough that we don't need to do an identical query ourselves.
+ ExpireDupSuppressInfo(q->DupSuppress, m->timenow - q->ThisQInterval/2);
+
+ q->LastQTxTime = m->timenow;
+ q->RecentAnswerPkts = 0;
+ if (q->RequestUnicast) q->RequestUnicast--;
+ }
+ // For all questions (not just the ones we're sending) check what the next scheduled event will be
+ // We don't need to consider NewQuestions here because for those we'll set m->NextScheduledQuery in AnswerNewQuestion
+ SetNextQueryTime(m,q);
+ }
+
+ // 2. Scan our authoritative RR list to see what probes we might need to send
+
+ m->NextScheduledProbe = m->timenow + 0x78000000;
+
+ if (m->CurrentRecord)
+ LogMsg("SendQueries ERROR m->CurrentRecord already set %s", ARDisplayString(m, m->CurrentRecord));
+ m->CurrentRecord = m->ResourceRecords;
+ while (m->CurrentRecord)
+ {
+ ar = m->CurrentRecord;
+ m->CurrentRecord = ar->next;
+ if (!AuthRecord_uDNS(ar) && ar->resrec.RecordType == kDNSRecordTypeUnique) // For all records that are still probing...
+ {
+ // 1. If it's not reached its probe time, just make sure we update m->NextScheduledProbe correctly
+ if (m->timenow - (ar->LastAPTime + ar->ThisAPInterval) < 0)
+ {
+ SetNextAnnounceProbeTime(m, ar);
+ }
+ // 2. else, if it has reached its probe time, mark it for sending and then update m->NextScheduledProbe correctly
+ else if (ar->ProbeCount)
+ {
+ if (ar->AddressProxy.type == mDNSAddrType_IPv4)
+ {
+ LogSPS("SendQueries ARP Probe %d %s %s", ar->ProbeCount, InterfaceNameForID(m, ar->resrec.InterfaceID), ARDisplayString(m,ar));
+ SendARP(m, 1, ar, &zerov4Addr, &zeroEthAddr, &ar->AddressProxy.ip.v4, &ar->WakeUp.IMAC);
+ }
+ else if (ar->AddressProxy.type == mDNSAddrType_IPv6)
+ {
+ LogSPS("SendQueries NDP Probe %d %s %s", ar->ProbeCount, InterfaceNameForID(m, ar->resrec.InterfaceID), ARDisplayString(m,ar));
+ // IPv6 source = zero
+ // No target hardware address
+ // IPv6 target address is address we're probing
+ // Ethernet destination address is Ethernet interface address of the Sleep Proxy client we're probing
+ SendNDP(m, NDP_Sol, 0, ar, &zerov6Addr, mDNSNULL, &ar->AddressProxy.ip.v6, &ar->WakeUp.IMAC);
+ }
+ // Mark for sending. (If no active interfaces, then don't even try.)
+ ar->SendRNow = (!intf || ar->WakeUp.HMAC.l[0]) ? mDNSNULL : ar->resrec.InterfaceID ? ar->resrec.InterfaceID : intf->InterfaceID;
+ ar->LastAPTime = m->timenow;
+ // When we have a late conflict that resets a record to probing state we use a special marker value greater
+ // than DefaultProbeCountForTypeUnique. Here we detect that state and reset ar->ProbeCount back to the right value.
+ if (ar->ProbeCount > DefaultProbeCountForTypeUnique)
+ ar->ProbeCount = DefaultProbeCountForTypeUnique;
+ ar->ProbeCount--;
+ SetNextAnnounceProbeTime(m, ar);
+ if (ar->ProbeCount == 0)
+ {
+ // If this is the last probe for this record, then see if we have any matching records
+ // on our duplicate list which should similarly have their ProbeCount cleared to zero...
+ AuthRecord *r2;
+ for (r2 = m->DuplicateRecords; r2; r2=r2->next)
+ if (r2->resrec.RecordType == kDNSRecordTypeUnique && RecordIsLocalDuplicate(r2, ar))
+ r2->ProbeCount = 0;
+ // ... then acknowledge this record to the client.
+ // We do this optimistically, just as we're about to send the third probe.
+ // This helps clients that both advertise and browse, and want to filter themselves
+ // from the browse results list, because it helps ensure that the registration
+ // confirmation will be delivered 1/4 second *before* the browse "add" event.
+ // A potential downside is that we could deliver a registration confirmation and then find out
+ // moments later that there's a name conflict, but applications have to be prepared to handle
+ // late conflicts anyway (e.g. on connection of network cable, etc.), so this is nothing new.
+ if (!ar->Acknowledged) AcknowledgeRecord(m, ar);
+ }
+ }
+ // else, if it has now finished probing, move it to state Verified,
+ // and update m->NextScheduledResponse so it will be announced
+ else
+ {
+ if (!ar->Acknowledged) AcknowledgeRecord(m, ar); // Defensive, just in case it got missed somehow
+ ar->resrec.RecordType = kDNSRecordTypeVerified;
+ ar->ThisAPInterval = DefaultAnnounceIntervalForTypeUnique;
+ ar->LastAPTime = m->timenow - DefaultAnnounceIntervalForTypeUnique;
+ SetNextAnnounceProbeTime(m, ar);
+ }
+ }
+ }
+ m->CurrentRecord = m->DuplicateRecords;
+ while (m->CurrentRecord)
+ {
+ ar = m->CurrentRecord;
+ m->CurrentRecord = ar->next;
+ if (ar->resrec.RecordType == kDNSRecordTypeUnique && ar->ProbeCount == 0 && !ar->Acknowledged)
+ AcknowledgeRecord(m, ar);
+ }
+
+ // 3. Now we know which queries and probes we're sending,
+ // go through our interface list sending the appropriate queries on each interface
+ while (intf)
+ {
+ int OwnerRecordSpace = (m->AnnounceOwner && intf->MAC.l[0]) ? DNSOpt_Header_Space + DNSOpt_Owner_Space(&m->PrimaryMAC, &intf->MAC) : 0;
+ int TraceRecordSpace = (mDNS_McastTracingEnabled && MDNS_TRACER) ? DNSOpt_Header_Space + DNSOpt_TraceData_Space : 0;
+ mDNSu8 *queryptr = m->omsg.data;
+ mDNSBool useBackgroundTrafficClass = mDNSfalse; // set if we should use background traffic class
+
+ InitializeDNSMessage(&m->omsg.h, zeroID, QueryFlags);
+ if (KnownAnswerList) verbosedebugf("SendQueries: KnownAnswerList set... Will continue from previous packet");
+ if (!KnownAnswerList)
+ {
+ // Start a new known-answer list
+ CacheRecord **kalistptr = &KnownAnswerList;
+ mDNSu32 answerforecast = OwnerRecordSpace + TraceRecordSpace; // Start by assuming we'll need at least enough space to put the Owner+Tracer Option
+
+ // Put query questions in this packet
+ for (q = m->Questions; q && q != m->NewQuestions; q=q->next)
+ {
+ if (mDNSOpaque16IsZero(q->TargetQID) && (q->SendQNow == intf->InterfaceID))
+ {
+ mDNSBool Suppress = mDNSfalse;
+ debugf("SendQueries: %s question for %##s (%s) at %d forecast total %d",
+ SuppressOnThisInterface(q->DupSuppress, intf) ? "Suppressing" : "Putting ",
+ q->qname.c, DNSTypeName(q->qtype), queryptr - m->omsg.data, queryptr + answerforecast - m->omsg.data);
+
+ // If interface is P2P type, verify that query should be sent over it.
+ if (!mDNSPlatformValidQuestionForInterface(q, intf))
+ {
+ LogInfo("SendQueries: Not sending (%s) %##s on %s", DNSTypeName(q->qtype), q->qname.c, InterfaceNameForID(m, intf->InterfaceID));
+ q->SendQNow = (q->InterfaceID || !q->SendOnAll) ? mDNSNULL : GetNextActiveInterfaceID(intf);
+ }
+ // If we're suppressing this question, or we successfully put it, update its SendQNow state
+ else if ((Suppress = SuppressOnThisInterface(q->DupSuppress, intf)) ||
+ BuildQuestion(m, &m->omsg, &queryptr, q, &kalistptr, &answerforecast))
+ {
+ // We successfully added the question to the packet. Make sure that
+ // we also send the NSEC3 record if required. BuildQuestion accounted for
+ // the space.
+ //
+ // Note: We don't suppress anonymous questions and hence Suppress should always
+ // be zero.
+
+ if (Suppress)
+ m->mDNSStats.DupQuerySuppressions++;
+
+ if (!Suppress && q->AnonInfo)
+ {
+ debugf("SendQueries: marking for question %##s, Suppress %d", q->qname.c, Suppress);
+ q->AnonInfo->SendNow = intf->InterfaceID;
+ }
+ q->SendQNow = (q->InterfaceID || !q->SendOnAll) ? mDNSNULL : GetNextActiveInterfaceID(intf);
+ if (q->WakeOnResolveCount)
+ {
+ mDNSSendWakeOnResolve(m, q);
+ q->WakeOnResolveCount--;
+ }
+
+ // use brackground traffic class if any included question requires it
+ if (q->UseBackgroundTrafficClass)
+ {
+ useBackgroundTrafficClass = mDNStrue;
+ }
+ }
+ }
+ }
+
+ // Put probe questions in this packet
+ for (ar = m->ResourceRecords; ar; ar=ar->next)
+ if (ar->SendRNow == intf->InterfaceID)
+ {
+ mDNSBool ucast = (ar->ProbeCount >= DefaultProbeCountForTypeUnique-1) && m->CanReceiveUnicastOn5353;
+ mDNSu16 ucbit = (mDNSu16)(ucast ? kDNSQClass_UnicastResponse : 0);
+ const mDNSu8 *const limit = m->omsg.data + (m->omsg.h.numQuestions ? NormalMaxDNSMessageData : AbsoluteMaxDNSMessageData);
+ // We forecast: compressed name (2) type (2) class (2) TTL (4) rdlength (2) rdata (n)
+ mDNSu32 forecast = answerforecast + 12 + ar->resrec.rdestimate;
+ mDNSu8 *newptr = putQuestion(&m->omsg, queryptr, limit - forecast, ar->resrec.name, kDNSQType_ANY, (mDNSu16)(ar->resrec.rrclass | ucbit));
+ if (newptr)
+ {
+ queryptr = newptr;
+ answerforecast = forecast;
+ ar->SendRNow = (ar->resrec.InterfaceID) ? mDNSNULL : GetNextActiveInterfaceID(intf);
+ ar->IncludeInProbe = mDNStrue;
+ verbosedebugf("SendQueries: Put Question %##s (%s) probecount %d",
+ ar->resrec.name->c, DNSTypeName(ar->resrec.rrtype), ar->ProbeCount);
+ }
+ }
+ }
+
+ // Put our known answer list (either new one from this question or questions, or remainder of old one from last time)
+ while (KnownAnswerList)
+ {
+ CacheRecord *ka = KnownAnswerList;
+ mDNSu32 SecsSinceRcvd = ((mDNSu32)(m->timenow - ka->TimeRcvd)) / mDNSPlatformOneSecond;
+ mDNSu8 *newptr = PutResourceRecordTTLWithLimit(&m->omsg, queryptr, &m->omsg.h.numAnswers, &ka->resrec, ka->resrec.rroriginalttl - SecsSinceRcvd,
+ m->omsg.data + NormalMaxDNSMessageData - OwnerRecordSpace - TraceRecordSpace);
+ if (newptr)
+ {
+ verbosedebugf("SendQueries: Put %##s (%s) at %d - %d",
+ ka->resrec.name->c, DNSTypeName(ka->resrec.rrtype), queryptr - m->omsg.data, newptr - m->omsg.data);
+ queryptr = newptr;
+ KnownAnswerList = ka->NextInKAList;
+ ka->NextInKAList = mDNSNULL;
+ }
+ else
+ {
+ // If we ran out of space and we have more than one question in the packet, that's an error --
+ // we shouldn't have put more than one question if there was a risk of us running out of space.
+ if (m->omsg.h.numQuestions > 1)
+ LogMsg("SendQueries: Put %d answers; No more space for known answers", m->omsg.h.numAnswers);
+ m->omsg.h.flags.b[0] |= kDNSFlag0_TC;
+ break;
+ }
+ }
+
+ for (ar = m->ResourceRecords; ar; ar=ar->next)
+ {
+ if (ar->IncludeInProbe)
+ {
+ mDNSu8 *newptr = PutResourceRecord(&m->omsg, queryptr, &m->omsg.h.numAuthorities, &ar->resrec);
+ ar->IncludeInProbe = mDNSfalse;
+ if (newptr) queryptr = newptr;
+ else LogMsg("SendQueries: How did we fail to have space for the Update record %s", ARDisplayString(m,ar));
+ }
+ }
+
+ for (q = m->Questions; q; q = q->next)
+ {
+ if (q->AnonInfo && q->AnonInfo->SendNow == intf->InterfaceID)
+ {
+ mDNSu8 *newptr = PutResourceRecord(&m->omsg, queryptr, &m->omsg.h.numAuthorities, q->AnonInfo->nsec3RR);
+ if (newptr)
+ {
+ debugf("SendQueries: Added NSEC3 record %s on InterfaceID %p", RRDisplayString(m, q->AnonInfo->nsec3RR), intf->InterfaceID);
+ queryptr = newptr;
+ }
+ else
+ {
+ LogMsg("SendQueries: ERROR!! Cannot add NSEC3 record %s on InterfaceID %p", RRDisplayString(m, q->AnonInfo->nsec3RR), intf->InterfaceID);
+ }
+ q->AnonInfo->SendNow = mDNSNULL;
+ }
+ }
+
+ if (queryptr > m->omsg.data)
+ {
+ // If we have data to send, add OWNER/TRACER/OWNER+TRACER option if necessary, then send packet
+ if (OwnerRecordSpace || TraceRecordSpace)
+ {
+ AuthRecord opt;
+ mDNS_SetupResourceRecord(&opt, mDNSNULL, mDNSInterface_Any, kDNSType_OPT, kStandardTTL, kDNSRecordTypeKnownUnique, AuthRecordAny, mDNSNULL, mDNSNULL);
+ opt.resrec.rrclass = NormalMaxDNSMessageData;
+ opt.resrec.rdlength = sizeof(rdataOPT);
+ opt.resrec.rdestimate = sizeof(rdataOPT);
+ if (OwnerRecordSpace && TraceRecordSpace)
+ {
+ opt.resrec.rdlength += sizeof(rdataOPT); // Two options in this OPT record
+ opt.resrec.rdestimate += sizeof(rdataOPT);
+ SetupOwnerOpt(m, intf, &opt.resrec.rdata->u.opt[0]);
+ SetupTracerOpt(m, &opt.resrec.rdata->u.opt[1]);
+ }
+ else if (OwnerRecordSpace)
+ {
+ SetupOwnerOpt(m, intf, &opt.resrec.rdata->u.opt[0]);
+ }
+ else if (TraceRecordSpace)
+ {
+ SetupTracerOpt(m, &opt.resrec.rdata->u.opt[0]);
+ }
+ LogInfo("SendQueries putting %s %s: %s %s", OwnerRecordSpace ? "OWNER" : "", TraceRecordSpace ? "TRACER" : "", intf->ifname, ARDisplayString(m, &opt));
+ queryptr = PutResourceRecordTTLWithLimit(&m->omsg, queryptr, &m->omsg.h.numAdditionals,
+ &opt.resrec, opt.resrec.rroriginalttl, m->omsg.data + AbsoluteMaxDNSMessageData);
+ if (!queryptr)
+ {
+ LogMsg("SendQueries: How did we fail to have space for %s %s OPT record (%d/%d/%d/%d) %s", OwnerRecordSpace ? "OWNER" : "", TraceRecordSpace ? "TRACER" : "",
+ m->omsg.h.numQuestions, m->omsg.h.numAnswers, m->omsg.h.numAuthorities, m->omsg.h.numAdditionals, ARDisplayString(m, &opt));
+ }
+ if (queryptr > m->omsg.data + NormalMaxDNSMessageData)
+ {
+ if (m->omsg.h.numQuestions != 1 || m->omsg.h.numAnswers != 0 || m->omsg.h.numAuthorities != 1 || m->omsg.h.numAdditionals != 1)
+ LogMsg("SendQueries: Why did we generate oversized packet with %s %s OPT record %p %p %p (%d/%d/%d/%d) %s", OwnerRecordSpace ? "OWNER" : "",
+ TraceRecordSpace ? "TRACER" : "", m->omsg.data, m->omsg.data + NormalMaxDNSMessageData, queryptr, m->omsg.h.numQuestions, m->omsg.h.numAnswers,
+ m->omsg.h.numAuthorities, m->omsg.h.numAdditionals, ARDisplayString(m, &opt));
+ }
+ }
+
+ if ((m->omsg.h.flags.b[0] & kDNSFlag0_TC) && m->omsg.h.numQuestions > 1)
+ LogMsg("SendQueries: Should not have more than one question (%d) in a truncated packet", m->omsg.h.numQuestions);
+ debugf("SendQueries: Sending %d Question%s %d Answer%s %d Update%s on %p",
+ m->omsg.h.numQuestions, m->omsg.h.numQuestions == 1 ? "" : "s",
+ m->omsg.h.numAnswers, m->omsg.h.numAnswers == 1 ? "" : "s",
+ m->omsg.h.numAuthorities, m->omsg.h.numAuthorities == 1 ? "" : "s", intf->InterfaceID);
+ if (intf->IPv4Available) mDNSSendDNSMessage(m, &m->omsg, queryptr, intf->InterfaceID, mDNSNULL, &AllDNSLinkGroup_v4, MulticastDNSPort, mDNSNULL, mDNSNULL, useBackgroundTrafficClass);
+ if (intf->IPv6Available) mDNSSendDNSMessage(m, &m->omsg, queryptr, intf->InterfaceID, mDNSNULL, &AllDNSLinkGroup_v6, MulticastDNSPort, mDNSNULL, mDNSNULL, useBackgroundTrafficClass);
+ if (!m->SuppressSending) m->SuppressSending = NonZeroTime(m->timenow + (mDNSPlatformOneSecond+9)/10);
+ if (++pktcount >= 1000)
+ { LogMsg("SendQueries exceeded loop limit %d: giving up", pktcount); break; }
+ // There might be more records left in the known answer list, or more questions to send
+ // on this interface, so go around one more time and try again.
+ }
+ else // Nothing more to send on this interface; go to next
+ {
+ const NetworkInterfaceInfo *next = GetFirstActiveInterface(intf->next);
+ #if MDNS_DEBUGMSGS && 0
+ const char *const msg = next ? "SendQueries: Nothing more on %p; moving to %p" : "SendQueries: Nothing more on %p";
+ debugf(msg, intf, next);
+ #endif
+ intf = next;
+ }
+ }
+
+ // 4. Final housekeeping
+
+ // 4a. Debugging check: Make sure we announced all our records
+ for (ar = m->ResourceRecords; ar; ar=ar->next)
+ if (ar->SendRNow)
+ {
+ if (ar->ARType != AuthRecordLocalOnly && ar->ARType != AuthRecordP2P)
+ LogMsg("SendQueries: No active interface %p to send probe: %p %s", ar->SendRNow, ar->resrec.InterfaceID, ARDisplayString(m, ar));
+ ar->SendRNow = mDNSNULL;
+ }
+
+ // 4b. When we have lingering cache records that we're keeping around for a few seconds in the hope
+ // that their interface which went away might come back again, the logic will want to send queries
+ // for those records, but we can't because their interface isn't here any more, so to keep the
+ // state machine ticking over we just pretend we did so.
+ // If the interface does not come back in time, the cache record will expire naturally
+ FORALL_CACHERECORDS(slot, cg, cr)
+ {
+ if (cr->CRActiveQuestion && cr->UnansweredQueries < MaxUnansweredQueries)
+ {
+ if (m->timenow + TicksTTL(cr)/50 - cr->NextRequiredQuery >= 0)
+ {
+ cr->UnansweredQueries++;
+ cr->CRActiveQuestion->SendQNow = mDNSNULL;
+ SetNextCacheCheckTimeForRecord(m, cr);
+ }
+ }
+ }
+
+ // 4c. Debugging check: Make sure we sent all our planned questions
+ // Do this AFTER the lingering cache records check above, because that will prevent spurious warnings for questions
+ // we legitimately couldn't send because the interface is no longer available
+ for (q = m->Questions; q; q=q->next)
+ {
+ if (q->SendQNow)
+ {
+ DNSQuestion *x;
+ for (x = m->NewQuestions; x; x=x->next) if (x == q) break; // Check if this question is a NewQuestion
+ LogMsg("SendQueries: No active interface %p to send %s question: %p %##s (%s)", q->SendQNow, x ? "new" : "old", q->InterfaceID, q->qname.c, DNSTypeName(q->qtype));
+ q->SendQNow = mDNSNULL;
+ }
+ q->CachedAnswerNeedsUpdate = mDNSfalse;
+ }
+}
+
+mDNSlocal void SendWakeup(mDNS *const m, mDNSInterfaceID InterfaceID, mDNSEthAddr *EthAddr, mDNSOpaque48 *password)
+{
+ int i, j;
+ mDNSu8 *ptr = m->omsg.data;
+ NetworkInterfaceInfo *intf = FirstInterfaceForID(m, InterfaceID);
+ if (!intf) { LogMsg("SendARP: No interface with InterfaceID %p found", InterfaceID); return; }
+
+ // 0x00 Destination address
+ for (i=0; i<6; i++) *ptr++ = EthAddr->b[i];
+
+ // 0x06 Source address (Note: Since we don't currently set the BIOCSHDRCMPLT option, BPF will fill in the real interface address for us)
+ for (i=0; i<6; i++) *ptr++ = intf->MAC.b[0];
+
+ // 0x0C Ethertype (0x0842)
+ *ptr++ = 0x08;
+ *ptr++ = 0x42;
+
+ // 0x0E Wakeup sync sequence
+ for (i=0; i<6; i++) *ptr++ = 0xFF;
+
+ // 0x14 Wakeup data
+ for (j=0; j<16; j++) for (i=0; i<6; i++) *ptr++ = EthAddr->b[i];
+
+ // 0x74 Password
+ for (i=0; i<6; i++) *ptr++ = password->b[i];
+
+ mDNSPlatformSendRawPacket(m->omsg.data, ptr, InterfaceID);
+
+ // For Ethernet switches that don't flood-foward packets with unknown unicast destination MAC addresses,
+ // broadcast is the only reliable way to get a wakeup packet to the intended target machine.
+ // For 802.11 WPA networks, where a sleeping target machine may have missed a broadcast/multicast
+ // key rotation, unicast is the only way to get a wakeup packet to the intended target machine.
+ // So, we send one of each, unicast first, then broadcast second.
+ for (i=0; i<6; i++) m->omsg.data[i] = 0xFF;
+ mDNSPlatformSendRawPacket(m->omsg.data, ptr, InterfaceID);
+}
+
+// ***************************************************************************
+#if COMPILER_LIKES_PRAGMA_MARK
+#pragma mark -
+#pragma mark - RR List Management & Task Management
+#endif
+
+// Whenever a question is answered, reset its state so that we don't query
+// the network repeatedly. This happens first time when we answer the question and
+// and later when we refresh the cache.
+mDNSlocal void ResetQuestionState(mDNS *const m, DNSQuestion *q)
+{
+ q->LastQTime = m->timenow;
+ q->LastQTxTime = m->timenow;
+ q->RecentAnswerPkts = 0;
+ q->ThisQInterval = MaxQuestionInterval;
+ q->RequestUnicast = 0;
+ // Reset unansweredQueries so that we don't penalize this server later when we
+ // start sending queries when the cache expires.
+ q->unansweredQueries = 0;
+ debugf("ResetQuestionState: Set MaxQuestionInterval for %##s (%s)", q->qname.c, DNSTypeName(q->qtype));
+}
+
+// Note: AnswerCurrentQuestionWithResourceRecord can call a user callback, which may change the record list and/or question list.
+// Any code walking either list must use the m->CurrentQuestion (and possibly m->CurrentRecord) mechanism to protect against this.
+// In fact, to enforce this, the routine will *only* answer the question currently pointed to by m->CurrentQuestion,
+// which will be auto-advanced (possibly to NULL) if the client callback cancels the question.
+mDNSexport void AnswerCurrentQuestionWithResourceRecord(mDNS *const m, CacheRecord *const rr, const QC_result AddRecord)
+{
+ DNSQuestion *const q = m->CurrentQuestion;
+ mDNSBool followcname = FollowCNAME(q, &rr->resrec, AddRecord);
+
+ verbosedebugf("AnswerCurrentQuestionWithResourceRecord:%4lu %s TTL %d %s",
+ q->CurrentAnswers, AddRecord ? "Add" : "Rmv", rr->resrec.rroriginalttl, CRDisplayString(m, rr));
+
+ // When the response for the question was validated, the entire rrset was validated. If we deliver
+ // a RMV for a single record in the rrset, we invalidate the response. If we deliver another add
+ // in the future, we will do the revalidation again.
+ //
+ // Also, if we deliver an ADD for a negative cache record and it has no NSEC/NSEC3, the ValidationStatus needs
+ // to be reset. This happens normally when we deliver a "secure" negative response followed by an insecure
+ // negative response which can happen e.g., when disconnecting from network that leads to a negative response
+ // due to no DNS servers. As we don't deliver RMVs for negative responses that were delivered before, we need
+ // to do it on the next ADD of a negative cache record. This ADD could be the result of a timeout, no DNS servers
+ // etc. in which case we need to reset the state to make sure we don't deliver them as secure. If this is
+ // a real negative response, we would reset the state here and validate the results at the end of this function.
+ // or the real response again if we purge the cache.
+ if (q->ValidationRequired && ((AddRecord == QC_rmv) ||
+ (rr->resrec.RecordType == kDNSRecordTypePacketNegative && (AddRecord == QC_add))))
+ {
+ q->ValidationStatus = 0;
+ q->ValidationState = DNSSECValRequired;
+ }
+
+ // Normally we don't send out the unicast query if we have answered using our local only auth records e.g., /etc/hosts.
+ // But if the query for "A" record has a local answer but query for "AAAA" record has no local answer, we might
+ // send the AAAA query out which will come back with CNAME and will also answer the "A" query. To prevent that,
+ // we check to see if that query already has a unique local answer.
+ if (q->LOAddressAnswers)
+ {
+ LogInfo("AnswerCurrentQuestionWithResourceRecord: Question %p %##s (%s) not answering with record %s due to "
+ "LOAddressAnswers %d", q, q->qname.c, DNSTypeName(q->qtype), ARDisplayString(m, rr),
+ q->LOAddressAnswers);
+ return;
+ }
+
+ if (QuerySuppressed(q))
+ {
+ // If the query is suppressed, then we don't want to answer from the cache. But if this query is
+ // supposed to time out, we still want to callback the clients. We do this only for TimeoutQuestions
+ // that are timing out, which we know are answered with negative cache record when timing out.
+ if (!q->TimeoutQuestion || rr->resrec.RecordType != kDNSRecordTypePacketNegative || (m->timenow - q->StopTime < 0))
+ return;
+ }
+
+ // Note: Use caution here. In the case of records with rr->DelayDelivery set, AnswerCurrentQuestionWithResourceRecord(... mDNStrue)
+ // may be called twice, once when the record is received, and again when it's time to notify local clients.
+ // If any counters or similar are added here, care must be taken to ensure that they are not double-incremented by this.
+
+ rr->LastUsed = m->timenow;
+ if (AddRecord == QC_add && !q->DuplicateOf && rr->CRActiveQuestion != q)
+ {
+ if (!rr->CRActiveQuestion) m->rrcache_active++; // If not previously active, increment rrcache_active count
+ debugf("AnswerCurrentQuestionWithResourceRecord: Updating CRActiveQuestion from %p to %p for cache record %s, CurrentAnswer %d",
+ rr->CRActiveQuestion, q, CRDisplayString(m,rr), q->CurrentAnswers);
+ rr->CRActiveQuestion = q; // We know q is non-null
+ SetNextCacheCheckTimeForRecord(m, rr);
+ }
+
+ // If this is:
+ // (a) a no-cache add, where we've already done at least one 'QM' query, or
+ // (b) a normal add, where we have at least one unique-type answer,
+ // then there's no need to keep polling the network.
+ // (If we have an answer in the cache, then we'll automatically ask again in time to stop it expiring.)
+ // We do this for mDNS questions and uDNS one-shot questions, but not for
+ // uDNS LongLived questions, because that would mess up our LLQ lease renewal timing.
+ if ((AddRecord == QC_addnocache && !q->RequestUnicast) ||
+ (AddRecord == QC_add && (q->ExpectUnique || (rr->resrec.RecordType & kDNSRecordTypePacketUniqueMask))))
+ if (ActiveQuestion(q) && (mDNSOpaque16IsZero(q->TargetQID) || !q->LongLived))
+ {
+ ResetQuestionState(m, q);
+ }
+
+ if (rr->DelayDelivery) return; // We'll come back later when CacheRecordDeferredAdd() calls us
+
+ // Only deliver negative answers if client has explicitly requested them except when we are forcing a negative response
+ // for the purpose of retrying search domains/timeout OR the question is suppressed
+ if (rr->resrec.RecordType == kDNSRecordTypePacketNegative || (q->qtype != kDNSType_NSEC && RRAssertsNonexistence(&rr->resrec, q->qtype)))
+ if (!AddRecord || (AddRecord != QC_suppressed && AddRecord != QC_forceresponse && !q->ReturnIntermed)) return;
+
+ // For CNAME results to non-CNAME questions, only inform the client if they explicitly requested that
+ if (q->QuestionCallback && !q->NoAnswer && (!followcname || q->ReturnIntermed))
+ {
+ mDNS_DropLockBeforeCallback(); // Allow client (and us) to legally make mDNS API calls
+ if (q->qtype != kDNSType_NSEC && RRAssertsNonexistence(&rr->resrec, q->qtype))
+ {
+ CacheRecord neg;
+ MakeNegativeCacheRecord(m, &neg, &q->qname, q->qnamehash, q->qtype, q->qclass, 1, rr->resrec.InterfaceID, q->qDNSServer);
+ q->QuestionCallback(m, q, &neg.resrec, AddRecord);
+ }
+ else
+ q->QuestionCallback(m, q, &rr->resrec, AddRecord);
+ mDNS_ReclaimLockAfterCallback(); // Decrement mDNS_reentrancy to block mDNS API calls again
+ }
+ // If this is an "Add" operation and this question needs validation, validate the response.
+ // In the case of negative responses, extra care should be taken. Negative cache records are
+ // used for many purposes. For example,
+ //
+ // 1) Suppressing questions (SuppressUnusable)
+ // 2) Timeout questions
+ // 3) The name does not exist
+ // 4) No DNS servers are available and we need a quick response for the application
+ //
+ // (1) and (2) are handled by "QC_add" check as AddRecord would be "QC_forceresponse" or "QC_suppressed"
+ // in that case. For (3), it is possible that we don't get nsecs back but we still need to call
+ // VerifySignature so that we can deliver the appropriate DNSSEC result. There is no point in verifying
+ // signature for (4) and hence the explicit check for q->qDNSServer.
+ //
+ if (m->CurrentQuestion == q && (AddRecord == QC_add) && !q->ValidatingResponse && q->ValidationRequired &&
+ q->ValidationState == DNSSECValRequired && q->qDNSServer)
+ {
+ q->ValidationState = DNSSECValInProgress;
+ // Treat it as callback call as that's what dnssec code expects
+ mDNS_DropLockBeforeCallback(); // Allow client (and us) to legally make mDNS API calls
+ VerifySignature(m, mDNSNULL, q);
+ mDNS_ReclaimLockAfterCallback(); // Decrement mDNS_reentrancy to block mDNS API calls again
+ return;
+ }
+
+ // Note: Proceed with caution here because client callback function is allowed to do anything,
+ // including starting/stopping queries, registering/deregistering records, etc.
+ //
+ // If we get a CNAME back while we are validating the response (i.e., CNAME for DS, DNSKEY, RRSIG),
+ // don't follow them. If it is a ValidationRequired question, wait for the CNAME to be validated
+ // first before following it
+ if (!ValidatingQuestion(q) && followcname && m->CurrentQuestion == q)
+ AnswerQuestionByFollowingCNAME(m, q, &rr->resrec);
+}
+
+mDNSlocal void CacheRecordDeferredAdd(mDNS *const m, CacheRecord *rr)
+{
+ rr->DelayDelivery = 0;
+ if (m->CurrentQuestion)
+ LogMsg("CacheRecordDeferredAdd ERROR m->CurrentQuestion already set: %##s (%s)",
+ m->CurrentQuestion->qname.c, DNSTypeName(m->CurrentQuestion->qtype));
+ m->CurrentQuestion = m->Questions;
+ while (m->CurrentQuestion && m->CurrentQuestion != m->NewQuestions)
+ {
+ DNSQuestion *q = m->CurrentQuestion;
+ if (ResourceRecordAnswersQuestion(&rr->resrec, q))
+ AnswerCurrentQuestionWithResourceRecord(m, rr, QC_add);
+ if (m->CurrentQuestion == q) // If m->CurrentQuestion was not auto-advanced, do it ourselves now
+ m->CurrentQuestion = q->next;
+ }
+ m->CurrentQuestion = mDNSNULL;
+}
+
+mDNSlocal mDNSs32 CheckForSoonToExpireRecords(mDNS *const m, const domainname *const name, const mDNSu32 namehash, const mDNSu32 slot, mDNSBool *purge)
+{
+ const mDNSs32 threshhold = m->timenow + mDNSPlatformOneSecond; // See if there are any records expiring within one second
+ const mDNSs32 start = m->timenow - 0x10000000;
+ mDNSs32 delay = start;
+ CacheGroup *cg = CacheGroupForName(m, slot, namehash, name);
+ const CacheRecord *rr;
+
+ if (purge)
+ *purge = mDNSfalse;
+ for (rr = cg ? cg->members : mDNSNULL; rr; rr=rr->next)
+ {
+ // If there are records that will expire soon, there are cases that need delayed
+ // delivery of events:
+ //
+ // 1) A new cache entry is about to be added as a replacement. The caller needs to
+ // deliver a RMV (for the current old entry) followed by ADD (for the new entry).
+ // It needs to schedule the timer for the next cache expiry (ScheduleNextCacheCheckTime),
+ // so that the cache entry can be purged (purging causes the RMV followed by ADD)
+ //
+ // 2) A new question is about to be answered and the caller needs to know whether it's
+ // scheduling should be delayed so that the question is not answered with this record.
+ // Instead of delivering an ADD (old entry) followed by RMV (old entry) and another ADD
+ // (new entry), a single ADD can be delivered by delaying the scheduling of the question
+ // immediately.
+ //
+ // When the unicast cache record is created, it's TTL has been extended beyond its value
+ // given in the resource record (See RRAdjustTTL). If it is in the "extended" time, the
+ // cache is already expired and we set "purge" to indicate that. When "purge" is set, the
+ // return value of the function should be ignored by the callers.
+ //
+ // Note: For case (1), "purge" argument is NULL and hence the following checks are skipped.
+ // It is okay to skip in that case because the cache records have been set to expire almost
+ // immediately and the extended time does not apply.
+ //
+ // Also, if there is already an active question we don't try to optimize as purging the cache
+ // would end up delivering RMV for the active question and hence we avoid that.
+
+ if (purge && !rr->resrec.InterfaceID && !rr->CRActiveQuestion && rr->resrec.rroriginalttl)
+ {
+ mDNSu32 uTTL = RRUnadjustedTTL(rr->resrec.rroriginalttl);
+ if (m->timenow - (rr->TimeRcvd + ((mDNSs32)uTTL * mDNSPlatformOneSecond)) >= 0)
+ {
+ LogInfo("CheckForSoonToExpireRecords: %s: rroriginalttl %u, unadjustedTTL %u, currentTTL %u",
+ CRDisplayString(m, rr), rr->resrec.rroriginalttl, uTTL, (m->timenow - rr->TimeRcvd)/mDNSPlatformOneSecond);
+ *purge = mDNStrue;
+ continue;
+ }
+ }
+ if (threshhold - RRExpireTime(rr) >= 0) // If we have records about to expire within a second
+ {
+ if (delay - RRExpireTime(rr) < 0) // then delay until after they've been deleted
+ delay = RRExpireTime(rr);
+ }
+ }
+ if (delay - start > 0)
+ return(NonZeroTime(delay));
+ else
+ return(0);
+}
+
+// CacheRecordAdd is only called from CreateNewCacheEntry, *never* directly as a result of a client API call.
+// If new questions are created as a result of invoking client callbacks, they will be added to
+// the end of the question list, and m->NewQuestions will be set to indicate the first new question.
+// rr is a new CacheRecord just received into our cache
+// (kDNSRecordTypePacketAns/PacketAnsUnique/PacketAdd/PacketAddUnique).
+// Note: CacheRecordAdd calls AnswerCurrentQuestionWithResourceRecord which can call a user callback,
+// which may change the record list and/or question list.
+// Any code walking either list must use the CurrentQuestion and/or CurrentRecord mechanism to protect against this.
+mDNSlocal void CacheRecordAdd(mDNS *const m, CacheRecord *rr)
+{
+ DNSQuestion *q;
+
+ // We stop when we get to NewQuestions -- if we increment their CurrentAnswers/LargeAnswers/UniqueAnswers
+ // counters here we'll end up double-incrementing them when we do it again in AnswerNewQuestion().
+ for (q = m->Questions; q && q != m->NewQuestions; q=q->next)
+ {
+ if (ResourceRecordAnswersQuestion(&rr->resrec, q))
+ {
+ // If this question is one that's actively sending queries, and it's received ten answers within one
+ // second of sending the last query packet, then that indicates some radical network topology change,
+ // so reset its exponential backoff back to the start. We must be at least at the eight-second interval
+ // to do this. If we're at the four-second interval, or less, there's not much benefit accelerating
+ // because we will anyway send another query within a few seconds. The first reset query is sent out
+ // randomized over the next four seconds to reduce possible synchronization between machines.
+ if (q->LastAnswerPktNum != m->PktNum)
+ {
+ q->LastAnswerPktNum = m->PktNum;
+ if (mDNSOpaque16IsZero(q->TargetQID) && ActiveQuestion(q) && ++q->RecentAnswerPkts >= 10 &&
+ q->ThisQInterval > InitialQuestionInterval * QuestionIntervalStep3 && m->timenow - q->LastQTxTime < mDNSPlatformOneSecond)
+ {
+ LogMsg("CacheRecordAdd: %##s (%s) got immediate answer burst (%d); restarting exponential backoff sequence (%d)",
+ q->qname.c, DNSTypeName(q->qtype), q->RecentAnswerPkts, q->ThisQInterval);
+ q->LastQTime = m->timenow - InitialQuestionInterval + (mDNSs32)mDNSRandom((mDNSu32)mDNSPlatformOneSecond*4);
+ q->ThisQInterval = InitialQuestionInterval;
+ SetNextQueryTime(m,q);
+ }
+ }
+ verbosedebugf("CacheRecordAdd %p %##s (%s) %lu %#a:%d question %p", rr, rr->resrec.name->c,
+ DNSTypeName(rr->resrec.rrtype), rr->resrec.rroriginalttl, rr->resrec.rDNSServer ?
+ &rr->resrec.rDNSServer->addr : mDNSNULL, mDNSVal16(rr->resrec.rDNSServer ?
+ rr->resrec.rDNSServer->port : zeroIPPort), q);
+ q->CurrentAnswers++;
+
+ q->unansweredQueries = 0;
+ if (rr->resrec.rdlength > SmallRecordLimit) q->LargeAnswers++;
+ if (rr->resrec.RecordType & kDNSRecordTypePacketUniqueMask) q->UniqueAnswers++;
+ if (q->CurrentAnswers > 4000)
+ {
+ static int msgcount = 0;
+ if (msgcount++ < 10)
+ LogMsg("CacheRecordAdd: %##s (%s) has %d answers; shedding records to resist DOS attack",
+ q->qname.c, DNSTypeName(q->qtype), q->CurrentAnswers);
+ rr->resrec.rroriginalttl = 0;
+ rr->UnansweredQueries = MaxUnansweredQueries;
+ }
+ }
+ }
+
+ if (!rr->DelayDelivery)
+ {
+ if (m->CurrentQuestion)
+ LogMsg("CacheRecordAdd ERROR m->CurrentQuestion already set: %##s (%s)", m->CurrentQuestion->qname.c, DNSTypeName(m->CurrentQuestion->qtype));
+ m->CurrentQuestion = m->Questions;
+ while (m->CurrentQuestion && m->CurrentQuestion != m->NewQuestions)
+ {
+ q = m->CurrentQuestion;
+ if (ResourceRecordAnswersQuestion(&rr->resrec, q))
+ AnswerCurrentQuestionWithResourceRecord(m, rr, QC_add);
+ if (m->CurrentQuestion == q) // If m->CurrentQuestion was not auto-advanced, do it ourselves now
+ m->CurrentQuestion = q->next;
+ }
+ m->CurrentQuestion = mDNSNULL;
+ }
+
+ SetNextCacheCheckTimeForRecord(m, rr);
+}
+
+// NoCacheAnswer is only called from mDNSCoreReceiveResponse, *never* directly as a result of a client API call.
+// If new questions are created as a result of invoking client callbacks, they will be added to
+// the end of the question list, and m->NewQuestions will be set to indicate the first new question.
+// rr is a new CacheRecord just received from the wire (kDNSRecordTypePacketAns/AnsUnique/Add/AddUnique)
+// but we don't have any place to cache it. We'll deliver question 'add' events now, but we won't have any
+// way to deliver 'remove' events in future, nor will we be able to include this in known-answer lists,
+// so we immediately bump ThisQInterval up to MaxQuestionInterval to avoid pounding the network.
+// Note: NoCacheAnswer calls AnswerCurrentQuestionWithResourceRecord which can call a user callback,
+// which may change the record list and/or question list.
+// Any code walking either list must use the CurrentQuestion and/or CurrentRecord mechanism to protect against this.
+mDNSlocal void NoCacheAnswer(mDNS *const m, CacheRecord *rr)
+{
+ LogMsg("No cache space: Delivering non-cached result for %##s", m->rec.r.resrec.name->c);
+ if (m->CurrentQuestion)
+ LogMsg("NoCacheAnswer ERROR m->CurrentQuestion already set: %##s (%s)", m->CurrentQuestion->qname.c, DNSTypeName(m->CurrentQuestion->qtype));
+ m->CurrentQuestion = m->Questions;
+ // We do this for *all* questions, not stopping when we get to m->NewQuestions,
+ // since we're not caching the record and we'll get no opportunity to do this later
+ while (m->CurrentQuestion)
+ {
+ DNSQuestion *q = m->CurrentQuestion;
+ if (ResourceRecordAnswersQuestion(&rr->resrec, q))
+ AnswerCurrentQuestionWithResourceRecord(m, rr, QC_addnocache); // QC_addnocache means "don't expect remove events for this"
+ if (m->CurrentQuestion == q) // If m->CurrentQuestion was not auto-advanced, do it ourselves now
+ m->CurrentQuestion = q->next;
+ }
+ m->CurrentQuestion = mDNSNULL;
+}
+
+// CacheRecordRmv is only called from CheckCacheExpiration, which is called from mDNS_Execute.
+// Note that CacheRecordRmv is *only* called for records that are referenced by at least one active question.
+// If new questions are created as a result of invoking client callbacks, they will be added to
+// the end of the question list, and m->NewQuestions will be set to indicate the first new question.
+// rr is an existing cache CacheRecord that just expired and is being deleted
+// (kDNSRecordTypePacketAns/PacketAnsUnique/PacketAdd/PacketAddUnique).
+// Note: CacheRecordRmv calls AnswerCurrentQuestionWithResourceRecord which can call a user callback,
+// which may change the record list and/or question list.
+// Any code walking either list must use the CurrentQuestion and/or CurrentRecord mechanism to protect against this.
+mDNSlocal void CacheRecordRmv(mDNS *const m, CacheRecord *rr)
+{
+ if (m->CurrentQuestion)
+ LogMsg("CacheRecordRmv ERROR m->CurrentQuestion already set: %##s (%s)",
+ m->CurrentQuestion->qname.c, DNSTypeName(m->CurrentQuestion->qtype));
+ m->CurrentQuestion = m->Questions;
+
+ // We stop when we get to NewQuestions -- for new questions their CurrentAnswers/LargeAnswers/UniqueAnswers counters
+ // will all still be zero because we haven't yet gone through the cache counting how many answers we have for them.
+ while (m->CurrentQuestion && m->CurrentQuestion != m->NewQuestions)
+ {
+ DNSQuestion *q = m->CurrentQuestion;
+ // When a question enters suppressed state, we generate RMV events and generate a negative
+ // response. A cache may be present that answers this question e.g., cache entry generated
+ // before the question became suppressed. We need to skip the suppressed questions here as
+ // the RMV event has already been generated.
+ if (!QuerySuppressed(q) && ResourceRecordAnswersQuestion(&rr->resrec, q))
+ {
+ verbosedebugf("CacheRecordRmv %p %s", rr, CRDisplayString(m, rr));
+ q->FlappingInterface1 = mDNSNULL;
+ q->FlappingInterface2 = mDNSNULL;
+
+ if (q->CurrentAnswers == 0)
+ LogMsg("CacheRecordRmv ERROR!!: How can CurrentAnswers already be zero for %p %##s (%s) DNSServer %#a:%d",
+ q, q->qname.c, DNSTypeName(q->qtype), q->qDNSServer ? &q->qDNSServer->addr : mDNSNULL,
+ mDNSVal16(q->qDNSServer ? q->qDNSServer->port : zeroIPPort));
+ else
+ {
+ q->CurrentAnswers--;
+ if (rr->resrec.rdlength > SmallRecordLimit) q->LargeAnswers--;
+ if (rr->resrec.RecordType & kDNSRecordTypePacketUniqueMask) q->UniqueAnswers--;
+ }
+
+ // If we have dropped below the answer threshold for this mDNS question,
+ // restart the queries at InitialQuestionInterval.
+ if (mDNSOpaque16IsZero(q->TargetQID) && (q->BrowseThreshold > 0) && (q->CurrentAnswers < q->BrowseThreshold))
+ {
+ q->ThisQInterval = InitialQuestionInterval;
+ q->LastQTime = m->timenow - q->ThisQInterval;
+ SetNextQueryTime(m,q);
+ LogInfo("CacheRecordRmv: (%s) %##s dropped below threshold of %d answers",
+ DNSTypeName(q->qtype), q->qname.c, q->BrowseThreshold);
+ }
+ if (rr->resrec.rdata->MaxRDLength) // Never generate "remove" events for negative results
+ {
+ if (q->CurrentAnswers == 0)
+ {
+ LogInfo("CacheRecordRmv: Last answer for %##s (%s) expired from cache; will reconfirm antecedents",
+ q->qname.c, DNSTypeName(q->qtype));
+ ReconfirmAntecedents(m, &q->qname, q->qnamehash, 0);
+ }
+ AnswerCurrentQuestionWithResourceRecord(m, rr, QC_rmv);
+ }
+ }
+ if (m->CurrentQuestion == q) // If m->CurrentQuestion was not auto-advanced, do it ourselves now
+ m->CurrentQuestion = q->next;
+ }
+ m->CurrentQuestion = mDNSNULL;
+}
+
+mDNSlocal void ReleaseCacheEntity(mDNS *const m, CacheEntity *e)
+{
+#if APPLE_OSX_mDNSResponder && MACOSX_MDNS_MALLOC_DEBUGGING >= 1
+ unsigned int i;
+ for (i=0; i<sizeof(*e); i++) ((char*)e)[i] = 0xFF;
+#endif
+ e->next = m->rrcache_free;
+ m->rrcache_free = e;
+ m->rrcache_totalused--;
+}
+
+mDNSlocal void ReleaseCacheGroup(mDNS *const m, CacheGroup **cp)
+{
+ CacheEntity *e = (CacheEntity *)(*cp);
+ //LogMsg("ReleaseCacheGroup: Releasing CacheGroup for %p, %##s", (*cp)->name->c, (*cp)->name->c);
+ if ((*cp)->rrcache_tail != &(*cp)->members)
+ LogMsg("ERROR: (*cp)->members == mDNSNULL but (*cp)->rrcache_tail != &(*cp)->members)");
+ //if ((*cp)->name != (domainname*)((*cp)->namestorage))
+ // LogMsg("ReleaseCacheGroup: %##s, %p %p", (*cp)->name->c, (*cp)->name, (domainname*)((*cp)->namestorage));
+ if ((*cp)->name != (domainname*)((*cp)->namestorage)) mDNSPlatformMemFree((*cp)->name);
+ (*cp)->name = mDNSNULL;
+ *cp = (*cp)->next; // Cut record from list
+ ReleaseCacheEntity(m, e);
+}
+
+mDNSlocal void ReleaseAdditionalCacheRecords(mDNS *const m, CacheRecord **rp)
+{
+ while (*rp)
+ {
+ CacheRecord *rr = *rp;
+ *rp = (*rp)->next; // Cut record from list
+ if (rr->resrec.rdata && rr->resrec.rdata != (RData*)&rr->smallrdatastorage)
+ {
+ mDNSPlatformMemFree(rr->resrec.rdata);
+ rr->resrec.rdata = mDNSNULL;
+ }
+ // NSEC or SOA records that are not added to the CacheGroup do not share the name
+ // of the CacheGroup.
+ if (rr->resrec.name)
+ {
+ debugf("ReleaseAdditionalCacheRecords: freeing cached record %##s (%s)", rr->resrec.name->c, DNSTypeName(rr->resrec.rrtype));
+ mDNSPlatformMemFree((void *)rr->resrec.name);
+ rr->resrec.name = mDNSNULL;
+ }
+ // Don't count the NSEC3 records used by anonymous browse/reg
+ if (!rr->resrec.InterfaceID)
+ {
+ m->rrcache_totalused_unicast -= rr->resrec.rdlength;
+ if (DNSSECRecordType(rr->resrec.rrtype))
+ BumpDNSSECStats(m, kStatsActionDecrement, kStatsTypeMemoryUsage, rr->resrec.rdlength);
+ }
+ ReleaseCacheEntity(m, (CacheEntity *)rr);
+ }
+}
+
+mDNSexport void ReleaseCacheRecord(mDNS *const m, CacheRecord *r)
+{
+ CacheGroup *cg;
+ const mDNSu32 slot = HashSlot(r->resrec.name);
+
+ //LogMsg("ReleaseCacheRecord: Releasing %s", CRDisplayString(m, r));
+ if (r->resrec.rdata && r->resrec.rdata != (RData*)&r->smallrdatastorage) mDNSPlatformMemFree(r->resrec.rdata);
+ r->resrec.rdata = mDNSNULL;
+
+ cg = CacheGroupForRecord(m, slot, &r->resrec);
+
+ if (!cg)
+ {
+ // It is okay to have this printed for NSEC/NSEC3s
+ LogInfo("ReleaseCacheRecord: ERROR!! cg NULL for %##s (%s)", r->resrec.name->c, DNSTypeName(r->resrec.rrtype));
+ }
+ // When NSEC records are not added to the cache, it is usually cached at the "nsec" list
+ // of the CacheRecord. But sometimes they may be freed without adding to the "nsec" list
+ // (which is handled below) and in that case it should be freed here.
+ if (r->resrec.name && cg && r->resrec.name != cg->name)
+ {
+ debugf("ReleaseCacheRecord: freeing %##s (%s)", r->resrec.name->c, DNSTypeName(r->resrec.rrtype));
+ mDNSPlatformMemFree((void *)r->resrec.name);
+ }
+ r->resrec.name = mDNSNULL;
+
+ if (r->resrec.AnonInfo)
+ {
+ debugf("ReleaseCacheRecord: freeing AnonInfo for %##s (%s)", r->resrec.name->c, DNSTypeName(r->resrec.rrtype));
+ FreeAnonInfo((void *)r->resrec.AnonInfo);
+ }
+ r->resrec.AnonInfo = mDNSNULL;
+
+ if (!r->resrec.InterfaceID)
+ {
+ m->rrcache_totalused_unicast -= r->resrec.rdlength;
+ if (DNSSECRecordType(r->resrec.rrtype))
+ BumpDNSSECStats(m, kStatsActionDecrement, kStatsTypeMemoryUsage, r->resrec.rdlength);
+ }
+
+ ReleaseAdditionalCacheRecords(m, &r->nsec);
+ ReleaseAdditionalCacheRecords(m, &r->soa);
+
+ ReleaseCacheEntity(m, (CacheEntity *)r);
+}
+
+// Note: We want to be careful that we deliver all the CacheRecordRmv calls before delivering
+// CacheRecordDeferredAdd calls. The in-order nature of the cache lists ensures that all
+// callbacks for old records are delivered before callbacks for newer records.
+mDNSlocal void CheckCacheExpiration(mDNS *const m, const mDNSu32 slot, CacheGroup *const cg)
+{
+ CacheRecord **rp = &cg->members;
+
+ if (m->lock_rrcache) { LogMsg("CheckCacheExpiration ERROR! Cache already locked!"); return; }
+ m->lock_rrcache = 1;
+
+ while (*rp)
+ {
+ CacheRecord *const rr = *rp;
+ mDNSs32 event = RRExpireTime(rr);
+ if (m->timenow - event >= 0) // If expired, delete it
+ {
+ *rp = rr->next; // Cut it from the list
+
+ verbosedebugf("CheckCacheExpiration: Deleting%7d %7d %p %s",
+ m->timenow - rr->TimeRcvd, rr->resrec.rroriginalttl, rr->CRActiveQuestion, CRDisplayString(m, rr));
+ if (rr->CRActiveQuestion) // If this record has one or more active questions, tell them it's going away
+ {
+ DNSQuestion *q = rr->CRActiveQuestion;
+ // When a cache record is about to expire, we expect to do four queries at 80-82%, 85-87%, 90-92% and
+ // then 95-97% of the TTL. If the DNS server does not respond, then we will remove the cache entry
+ // before we pick a new DNS server. As the question interval is set to MaxQuestionInterval, we may
+ // not send out a query anytime soon. Hence, we need to reset the question interval. If this is
+ // a normal deferred ADD case, then AnswerCurrentQuestionWithResourceRecord will reset it to
+ // MaxQuestionInterval. If we have inactive questions referring to negative cache entries,
+ // don't ressurect them as they will deliver duplicate "No such Record" ADD events
+ if (!mDNSOpaque16IsZero(q->TargetQID) && !q->LongLived && ActiveQuestion(q))
+ {
+ q->ThisQInterval = InitialQuestionInterval;
+ q->LastQTime = m->timenow - q->ThisQInterval;
+ SetNextQueryTime(m, q);
+ }
+ CacheRecordRmv(m, rr);
+ m->rrcache_active--;
+ }
+ ReleaseCacheRecord(m, rr);
+ }
+ else // else, not expired; see if we need to query
+ {
+ // If waiting to delay delivery, do nothing until then
+ if (rr->DelayDelivery && rr->DelayDelivery - m->timenow > 0)
+ event = rr->DelayDelivery;
+ else
+ {
+ if (rr->DelayDelivery) CacheRecordDeferredAdd(m, rr);
+ if (rr->CRActiveQuestion && rr->UnansweredQueries < MaxUnansweredQueries)
+ {
+ if (m->timenow - rr->NextRequiredQuery < 0) // If not yet time for next query
+ event = NextCacheCheckEvent(rr); // then just record when we want the next query
+ else // else trigger our question to go out now
+ {
+ // Set NextScheduledQuery to timenow so that SendQueries() will run.
+ // SendQueries() will see that we have records close to expiration, and send FEQs for them.
+ m->NextScheduledQuery = m->timenow;
+ // After sending the query we'll increment UnansweredQueries and call SetNextCacheCheckTimeForRecord(),
+ // which will correctly update m->NextCacheCheck for us.
+ event = m->timenow + 0x3FFFFFFF;
+ }
+ }
+ }
+ verbosedebugf("CheckCacheExpiration:%6d %5d %s",
+ (event - m->timenow) / mDNSPlatformOneSecond, CacheCheckGracePeriod(rr), CRDisplayString(m, rr));
+ if (m->rrcache_nextcheck[slot] - event > 0)
+ m->rrcache_nextcheck[slot] = event;
+ rp = &rr->next;
+ }
+ }
+ if (cg->rrcache_tail != rp) verbosedebugf("CheckCacheExpiration: Updating CacheGroup tail from %p to %p", cg->rrcache_tail, rp);
+ cg->rrcache_tail = rp;
+ m->lock_rrcache = 0;
+}
+
+// "LORecord" includes both LocalOnly and P2P record. This function assumes m->CurrentQuestion is pointing to "q".
+//
+// If "CheckOnly" is set to "true", the question won't be answered but just check to see if there is an answer and
+// returns true if there is an answer.
+//
+// If "CheckOnly" is set to "false", the question will be answered if there is a LocalOnly/P2P record and
+// returns true to indicate the same.
+mDNSlocal mDNSBool AnswerQuestionWithLORecord(mDNS *const m, DNSQuestion *q, mDNSBool checkOnly)
+{
+ mDNSu32 slot;
+ AuthRecord *lr;
+ AuthGroup *ag;
+
+ if (m->CurrentRecord)
+ LogMsg("AnswerQuestionWithLORecord ERROR m->CurrentRecord already set %s", ARDisplayString(m, m->CurrentRecord));
+
+ slot = AuthHashSlot(&q->qname);
+ ag = AuthGroupForName(&m->rrauth, slot, q->qnamehash, &q->qname);
+ if (ag)
+ {
+ m->CurrentRecord = ag->members;
+ while (m->CurrentRecord && m->CurrentRecord != ag->NewLocalOnlyRecords)
+ {
+ AuthRecord *rr = m->CurrentRecord;
+ m->CurrentRecord = rr->next;
+ //
+ // If the question is mDNSInterface_LocalOnly, all records local to the machine should be used
+ // to answer the query. This is handled in AnswerNewLocalOnlyQuestion.
+ //
+ // We handle mDNSInterface_Any and scoped questions here. See LocalOnlyRecordAnswersQuestion for more
+ // details on how we handle this case. For P2P we just handle "Interface_Any" questions. For LocalOnly
+ // we handle both mDNSInterface_Any and scoped questions.
+
+ if (rr->ARType == AuthRecordLocalOnly || (rr->ARType == AuthRecordP2P && q->InterfaceID == mDNSInterface_Any))
+ if (LocalOnlyRecordAnswersQuestion(rr, q))
+ {
+ if (checkOnly)
+ {
+ LogInfo("AnswerQuestionWithLORecord: question %##s (%s) answered by %s", q->qname.c, DNSTypeName(q->qtype),
+ ARDisplayString(m, rr));
+ m->CurrentRecord = mDNSNULL;
+ return mDNStrue;
+ }
+ AnswerLocalQuestionWithLocalAuthRecord(m, rr, mDNStrue);
+ if (m->CurrentQuestion != q)
+ break; // If callback deleted q, then we're finished here
+ }
+ }
+ }
+ m->CurrentRecord = mDNSNULL;
+
+ if (m->CurrentQuestion != q)
+ {
+ LogInfo("AnswerQuestionWithLORecord: Question deleted while while answering LocalOnly record answers");
+ return mDNStrue;
+ }
+
+ if (q->LOAddressAnswers)
+ {
+ LogInfo("AnswerQuestionWithLORecord: Question %p %##s (%s) answered using local auth records LOAddressAnswers %d",
+ q, q->qname.c, DNSTypeName(q->qtype), q->LOAddressAnswers);
+ return mDNStrue;
+ }
+
+ // Before we go check the cache and ship this query on the wire, we have to be sure that there are
+ // no local records that could possibly answer this question. As we did not check the NewLocalRecords, we
+ // need to just peek at them to see whether it will answer this question. If it would answer, pretend
+ // that we answered. AnswerAllLocalQuestionsWithLocalAuthRecord will answer shortly. This happens normally
+ // when we add new /etc/hosts entries and restart the question. It is a new question and also a new record.
+ if (ag)
+ {
+ lr = ag->NewLocalOnlyRecords;
+ while (lr)
+ {
+ if (UniqueLocalOnlyRecord(lr) && LocalOnlyRecordAnswersQuestion(lr, q))
+ {
+ LogInfo("AnswerQuestionWithLORecord: Question %p %##s (%s) will be answered using new local auth records "
+ " LOAddressAnswers %d", q, q->qname.c, DNSTypeName(q->qtype), q->LOAddressAnswers);
+ return mDNStrue;
+ }
+ lr = lr->next;
+ }
+ }
+ return mDNSfalse;
+}
+
+// Today, we suppress questions (not send them on the wire) for several reasons e.g.,
+// AAAA query is suppressed because no IPv6 capability or PID is not allowed to make
+// DNS requests. We need to temporarily suspend the suppress status so that we can
+// deliver a negative response (AnswerCurrentQuestionWithResourceRecord does not answer
+// suppressed questions) and reset it back. In the future, if there are other
+// reasons for suppressing the query, this function should be updated.
+mDNSlocal void AnswerSuppressedQuestion(mDNS *const m, DNSQuestion *q)
+{
+ mDNSBool SuppressQuery = q->SuppressQuery;
+ mDNSBool DisallowPID = q->DisallowPID;
+
+ // make sure that QuerySuppressed() returns false
+ q->SuppressQuery = mDNSfalse;
+ q->DisallowPID = mDNSfalse;
+
+ GenerateNegativeResponse(m, QC_suppressed);
+
+ q->SuppressQuery = SuppressQuery;
+ q->DisallowPID = DisallowPID;
+}
+
+mDNSlocal void AnswerNewQuestion(mDNS *const m)
+{
+ mDNSBool ShouldQueryImmediately = mDNStrue;
+ DNSQuestion *const q = m->NewQuestions; // Grab the question we're going to answer
+ mDNSu32 slot = HashSlot(&q->qname);
+ CacheGroup *const cg = CacheGroupForName(m, slot, q->qnamehash, &q->qname);
+ mDNSBool AnsweredFromCache = mDNSfalse;
+
+ verbosedebugf("AnswerNewQuestion: Answering %##s (%s)", q->qname.c, DNSTypeName(q->qtype));
+
+ if (cg) CheckCacheExpiration(m, slot, cg);
+ if (m->NewQuestions != q) { LogInfo("AnswerNewQuestion: Question deleted while doing CheckCacheExpiration"); goto exit; }
+ m->NewQuestions = q->next;
+ // Advance NewQuestions to the next *after* calling CheckCacheExpiration, because if we advance it first
+ // then CheckCacheExpiration may give this question add/remove callbacks, and it's not yet ready for that.
+ //
+ // Also, CheckCacheExpiration() calls CacheRecordDeferredAdd() and CacheRecordRmv(), which invoke
+ // client callbacks, which may delete their own or any other question. Our mechanism for detecting
+ // whether our current m->NewQuestions question got deleted by one of these callbacks is to store the
+ // value of m->NewQuestions in 'q' before calling CheckCacheExpiration(), and then verify afterwards
+ // that they're still the same. If m->NewQuestions has changed (because mDNS_StopQuery_internal
+ // advanced it), that means the question was deleted, so we no longer need to worry about answering
+ // it (and indeed 'q' is now a dangling pointer, so dereferencing it at all would be bad, and the
+ // values we computed for slot and cg are now stale and relate to a question that no longer exists).
+ //
+ // We can't use the usual m->CurrentQuestion mechanism for this because CacheRecordDeferredAdd() and
+ // CacheRecordRmv() both use that themselves when walking the list of (non-new) questions generating callbacks.
+ // Fortunately mDNS_StopQuery_internal auto-advances both m->CurrentQuestion *AND* m->NewQuestions when
+ // deleting a question, so luckily we have an easy alternative way of detecting if our question got deleted.
+
+ if (m->lock_rrcache) LogMsg("AnswerNewQuestion ERROR! Cache already locked!");
+ // This should be safe, because calling the client's question callback may cause the
+ // question list to be modified, but should not ever cause the rrcache list to be modified.
+ // If the client's question callback deletes the question, then m->CurrentQuestion will
+ // be advanced, and we'll exit out of the loop
+ m->lock_rrcache = 1;
+ if (m->CurrentQuestion)
+ LogMsg("AnswerNewQuestion ERROR m->CurrentQuestion already set: %##s (%s)",
+ m->CurrentQuestion->qname.c, DNSTypeName(m->CurrentQuestion->qtype));
+ m->CurrentQuestion = q; // Indicate which question we're answering, so we'll know if it gets deleted
+
+ if (q->NoAnswer == NoAnswer_Fail)
+ {
+ LogMsg("AnswerNewQuestion: NoAnswer_Fail %##s (%s)", q->qname.c, DNSTypeName(q->qtype));
+ MakeNegativeCacheRecord(m, &m->rec.r, &q->qname, q->qnamehash, q->qtype, q->qclass, 60, mDNSInterface_Any, q->qDNSServer);
+ q->NoAnswer = NoAnswer_Normal; // Temporarily turn off answer suppression
+ AnswerCurrentQuestionWithResourceRecord(m, &m->rec.r, QC_addnocache);
+ // Don't touch the question if it has been stopped already
+ if (m->CurrentQuestion == q) q->NoAnswer = NoAnswer_Fail; // Restore NoAnswer state
+ m->rec.r.resrec.RecordType = 0; // Clear RecordType to show we're not still using it
+ }
+
+ if (m->CurrentQuestion != q)
+ {
+ LogInfo("AnswerNewQuestion: Question deleted while generating NoAnswer_Fail response");
+ goto exit;
+ }
+
+ // See if we want to tell it about LocalOnly/P2P records. If we answered them using LocalOnly
+ // or P2P record, then we are done.
+ if (AnswerQuestionWithLORecord(m, q, mDNSfalse))
+ goto exit;
+
+ // If we are not supposed to answer this question, generate a negative response.
+ // Temporarily suspend the SuppressQuery so that AnswerCurrentQuestionWithResourceRecord can answer the question
+ //
+ // If it is a question trying to validate some response, it already checked the cache for a response. If it still
+ // reissues a question it means it could not find the RRSIGs. So, we need to bypass the cache check and send
+ // the question out.
+ if (QuerySuppressed(q))
+ {
+ AnswerSuppressedQuestion(m, q);
+ }
+ else if (!q->ValidatingResponse)
+ {
+ CacheRecord *rr;
+ for (rr = cg ? cg->members : mDNSNULL; rr; rr=rr->next)
+ if (SameNameRecordAnswersQuestion(&rr->resrec, q))
+ {
+ // SecsSinceRcvd is whole number of elapsed seconds, rounded down
+ mDNSu32 SecsSinceRcvd = ((mDNSu32)(m->timenow - rr->TimeRcvd)) / mDNSPlatformOneSecond;
+ if (rr->resrec.rroriginalttl <= SecsSinceRcvd)
+ {
+ LogMsg("AnswerNewQuestion: How is rr->resrec.rroriginalttl %lu <= SecsSinceRcvd %lu for %s %d %d",
+ rr->resrec.rroriginalttl, SecsSinceRcvd, CRDisplayString(m, rr), m->timenow, rr->TimeRcvd);
+ continue; // Go to next one in loop
+ }
+
+ // If this record set is marked unique, then that means we can reasonably assume we have the whole set
+ // -- we don't need to rush out on the network and query immediately to see if there are more answers out there
+ if ((rr->resrec.RecordType & kDNSRecordTypePacketUniqueMask) || (q->ExpectUnique))
+ ShouldQueryImmediately = mDNSfalse;
+ q->CurrentAnswers++;
+ if (rr->resrec.rdlength > SmallRecordLimit) q->LargeAnswers++;
+ if (rr->resrec.RecordType & kDNSRecordTypePacketUniqueMask) q->UniqueAnswers++;
+ AnsweredFromCache = mDNStrue;
+ AnswerCurrentQuestionWithResourceRecord(m, rr, QC_add);
+ if (m->CurrentQuestion != q) break; // If callback deleted q, then we're finished here
+ }
+ else if (RRTypeIsAddressType(rr->resrec.rrtype) && RRTypeIsAddressType(q->qtype))
+ ShouldQueryImmediately = mDNSfalse;
+ }
+ // We don't use LogInfo for this "Question deleted" message because it happens so routinely that
+ // it's not remotely remarkable, and therefore unlikely to be of much help tracking down bugs.
+ if (m->CurrentQuestion != q) { debugf("AnswerNewQuestion: Question deleted while giving cache answers"); goto exit; }
+
+ // Neither a local record nor a cache entry could answer this question. If this question need to be retried
+ // with search domains, generate a negative response which will now retry after appending search domains.
+ // If the query was suppressed above, we already generated a negative response. When it gets unsuppressed,
+ // we will retry with search domains.
+ if (!QuerySuppressed(q) && !AnsweredFromCache && q->RetryWithSearchDomains)
+ {
+ LogInfo("AnswerNewQuestion: Generating response for retrying with search domains %##s (%s)", q->qname.c, DNSTypeName(q->qtype));
+ GenerateNegativeResponse(m, QC_forceresponse);
+ }
+
+ if (m->CurrentQuestion != q) { debugf("AnswerNewQuestion: Question deleted while giving negative answer"); goto exit; }
+
+ // Note: When a query gets suppressed or retried with search domains, we de-activate the question.
+ // Hence we don't execute the following block of code for those cases.
+ if (ShouldQueryImmediately && ActiveQuestion(q))
+ {
+ debugf("AnswerNewQuestion: ShouldQueryImmediately %##s (%s)", q->qname.c, DNSTypeName(q->qtype));
+ q->ThisQInterval = InitialQuestionInterval;
+ q->LastQTime = m->timenow - q->ThisQInterval;
+ if (mDNSOpaque16IsZero(q->TargetQID)) // For mDNS, spread packets to avoid a burst of simultaneous queries
+ {
+ // Compute random delay in the range 1-6 seconds, then divide by 50 to get 20-120ms
+ if (!m->RandomQueryDelay)
+ m->RandomQueryDelay = (mDNSPlatformOneSecond + mDNSRandom(mDNSPlatformOneSecond*5) - 1) / 50 + 1;
+ q->LastQTime += m->RandomQueryDelay;
+ }
+ }
+
+ // IN ALL CASES make sure that m->NextScheduledQuery is set appropriately.
+ // In cases where m->NewQuestions->DelayAnswering is set, we may have delayed generating our
+ // answers for this question until *after* its scheduled transmission time, in which case
+ // m->NextScheduledQuery may now be set to 'never', and in that case -- even though we're *not* doing
+ // ShouldQueryImmediately -- we still need to make sure we set m->NextScheduledQuery correctly.
+ SetNextQueryTime(m,q);
+
+exit:
+ m->CurrentQuestion = mDNSNULL;
+ m->lock_rrcache = 0;
+}
+
+// When a NewLocalOnlyQuestion is created, AnswerNewLocalOnlyQuestion runs though our ResourceRecords delivering any
+// appropriate answers, stopping if it reaches a NewLocalOnlyRecord -- these will be handled by AnswerAllLocalQuestionsWithLocalAuthRecord
+mDNSlocal void AnswerNewLocalOnlyQuestion(mDNS *const m)
+{
+ mDNSu32 slot;
+ AuthGroup *ag;
+ DNSQuestion *q = m->NewLocalOnlyQuestions; // Grab the question we're going to answer
+ m->NewLocalOnlyQuestions = q->next; // Advance NewLocalOnlyQuestions to the next (if any)
+
+ debugf("AnswerNewLocalOnlyQuestion: Answering %##s (%s)", q->qname.c, DNSTypeName(q->qtype));
+
+ if (m->CurrentQuestion)
+ LogMsg("AnswerNewLocalOnlyQuestion ERROR m->CurrentQuestion already set: %##s (%s)",
+ m->CurrentQuestion->qname.c, DNSTypeName(m->CurrentQuestion->qtype));
+ m->CurrentQuestion = q; // Indicate which question we're answering, so we'll know if it gets deleted
+
+ if (m->CurrentRecord)
+ LogMsg("AnswerNewLocalOnlyQuestion ERROR m->CurrentRecord already set %s", ARDisplayString(m, m->CurrentRecord));
+
+ // 1. First walk the LocalOnly records answering the LocalOnly question
+ // 2. As LocalOnly questions should also be answered by any other Auth records local to the machine,
+ // walk the ResourceRecords list delivering the answers
+ slot = AuthHashSlot(&q->qname);
+ ag = AuthGroupForName(&m->rrauth, slot, q->qnamehash, &q->qname);
+ if (ag)
+ {
+ m->CurrentRecord = ag->members;
+ while (m->CurrentRecord && m->CurrentRecord != ag->NewLocalOnlyRecords)
+ {
+ AuthRecord *rr = m->CurrentRecord;
+ m->CurrentRecord = rr->next;
+ if (LocalOnlyRecordAnswersQuestion(rr, q))
+ {
+ AnswerLocalQuestionWithLocalAuthRecord(m, rr, mDNStrue);
+ if (m->CurrentQuestion != q) break; // If callback deleted q, then we're finished here
+ }
+ }
+ }
+
+ if (m->CurrentQuestion == q)
+ {
+ m->CurrentRecord = m->ResourceRecords;
+
+ while (m->CurrentRecord && m->CurrentRecord != m->NewLocalRecords)
+ {
+ AuthRecord *rr = m->CurrentRecord;
+ m->CurrentRecord = rr->next;
+ if (ResourceRecordAnswersQuestion(&rr->resrec, q))
+ {
+ AnswerLocalQuestionWithLocalAuthRecord(m, rr, mDNStrue);
+ if (m->CurrentQuestion != q) break; // If callback deleted q, then we're finished here
+ }
+ }
+ }
+
+ m->CurrentQuestion = mDNSNULL;
+ m->CurrentRecord = mDNSNULL;
+}
+
+mDNSlocal CacheEntity *GetCacheEntity(mDNS *const m, const CacheGroup *const PreserveCG)
+{
+ CacheEntity *e = mDNSNULL;
+
+ if (m->lock_rrcache) { LogMsg("GetFreeCacheRR ERROR! Cache already locked!"); return(mDNSNULL); }
+ m->lock_rrcache = 1;
+
+ // If we have no free records, ask the client layer to give us some more memory
+ if (!m->rrcache_free && m->MainCallback)
+ {
+ if (m->rrcache_totalused != m->rrcache_size)
+ LogMsg("GetFreeCacheRR: count mismatch: m->rrcache_totalused %lu != m->rrcache_size %lu",
+ m->rrcache_totalused, m->rrcache_size);
+
+ // We don't want to be vulnerable to a malicious attacker flooding us with an infinite
+ // number of bogus records so that we keep growing our cache until the machine runs out of memory.
+ // To guard against this, if our cache grows above 512kB (approx 3168 records at 164 bytes each),
+ // and we're actively using less than 1/32 of that cache, then we purge all the unused records
+ // and recycle them, instead of allocating more memory.
+ if (m->rrcache_size > 5000 && m->rrcache_size / 32 > m->rrcache_active)
+ LogInfo("Possible denial-of-service attack in progress: m->rrcache_size %lu; m->rrcache_active %lu",
+ m->rrcache_size, m->rrcache_active);
+ else
+ {
+ mDNS_DropLockBeforeCallback(); // Allow client to legally make mDNS API calls from the callback
+ m->MainCallback(m, mStatus_GrowCache);
+ mDNS_ReclaimLockAfterCallback(); // Decrement mDNS_reentrancy to block mDNS API calls again
+ }
+ }
+
+ // If we still have no free records, recycle all the records we can.
+ // Enumerating the entire cache is moderately expensive, so when we do it, we reclaim all the records we can in one pass.
+ if (!m->rrcache_free)
+ {
+ mDNSu32 oldtotalused = m->rrcache_totalused;
+ mDNSu32 slot;
+ for (slot = 0; slot < CACHE_HASH_SLOTS; slot++)
+ {
+ CacheGroup **cp = &m->rrcache_hash[slot];
+ while (*cp)
+ {
+ CacheRecord **rp = &(*cp)->members;
+ while (*rp)
+ {
+ // Records that answer still-active questions are not candidates for recycling
+ // Records that are currently linked into the CacheFlushRecords list may not be recycled, or we'll crash
+ if ((*rp)->CRActiveQuestion || (*rp)->NextInCFList)
+ rp=&(*rp)->next;
+ else
+ {
+ CacheRecord *rr = *rp;
+ *rp = (*rp)->next; // Cut record from list
+ ReleaseCacheRecord(m, rr);
+ }
+ }
+ if ((*cp)->rrcache_tail != rp)
+ verbosedebugf("GetFreeCacheRR: Updating rrcache_tail[%lu] from %p to %p", slot, (*cp)->rrcache_tail, rp);
+ (*cp)->rrcache_tail = rp;
+ if ((*cp)->members || (*cp)==PreserveCG) cp=&(*cp)->next;
+ else ReleaseCacheGroup(m, cp);
+ }
+ }
+ LogInfo("GetCacheEntity recycled %d records to reduce cache from %d to %d",
+ oldtotalused - m->rrcache_totalused, oldtotalused, m->rrcache_totalused);
+ }
+
+ if (m->rrcache_free) // If there are records in the free list, take one
+ {
+ e = m->rrcache_free;
+ m->rrcache_free = e->next;
+ if (++m->rrcache_totalused >= m->rrcache_report)
+ {
+ LogInfo("RR Cache now using %ld objects", m->rrcache_totalused);
+ if (m->rrcache_report < 100) m->rrcache_report += 10;
+ else if (m->rrcache_report < 1000) m->rrcache_report += 100;
+ else m->rrcache_report += 1000;
+ }
+ mDNSPlatformMemZero(e, sizeof(*e));
+ }
+
+ m->lock_rrcache = 0;
+
+ return(e);
+}
+
+mDNSlocal CacheRecord *GetCacheRecord(mDNS *const m, CacheGroup *cg, mDNSu16 RDLength)
+{
+ CacheRecord *r = (CacheRecord *)GetCacheEntity(m, cg);
+ if (r)
+ {
+ r->resrec.rdata = (RData*)&r->smallrdatastorage; // By default, assume we're usually going to be using local storage
+ if (RDLength > InlineCacheRDSize) // If RDLength is too big, allocate extra storage
+ {
+ r->resrec.rdata = (RData*)mDNSPlatformMemAllocate(sizeofRDataHeader + RDLength);
+ if (r->resrec.rdata) r->resrec.rdata->MaxRDLength = r->resrec.rdlength = RDLength;
+ else { ReleaseCacheEntity(m, (CacheEntity*)r); r = mDNSNULL; }
+ }
+ }
+ return(r);
+}
+
+mDNSlocal CacheGroup *GetCacheGroup(mDNS *const m, const mDNSu32 slot, const ResourceRecord *const rr)
+{
+ mDNSu16 namelen = DomainNameLength(rr->name);
+ CacheGroup *cg = (CacheGroup*)GetCacheEntity(m, mDNSNULL);
+ if (!cg) { LogMsg("GetCacheGroup: Failed to allocate memory for %##s", rr->name->c); return(mDNSNULL); }
+ cg->next = m->rrcache_hash[slot];
+ cg->namehash = rr->namehash;
+ cg->members = mDNSNULL;
+ cg->rrcache_tail = &cg->members;
+ if (namelen > sizeof(cg->namestorage))
+ cg->name = mDNSPlatformMemAllocate(namelen);
+ else
+ cg->name = (domainname*)cg->namestorage;
+ if (!cg->name)
+ {
+ LogMsg("GetCacheGroup: Failed to allocate name storage for %##s", rr->name->c);
+ ReleaseCacheEntity(m, (CacheEntity*)cg);
+ return(mDNSNULL);
+ }
+ AssignDomainName(cg->name, rr->name);
+
+ if (CacheGroupForRecord(m, slot, rr)) LogMsg("GetCacheGroup: Already have CacheGroup for %##s", rr->name->c);
+ m->rrcache_hash[slot] = cg;
+ if (CacheGroupForRecord(m, slot, rr) != cg) LogMsg("GetCacheGroup: Not finding CacheGroup for %##s", rr->name->c);
+
+ return(cg);
+}
+
+mDNSexport void mDNS_PurgeCacheResourceRecord(mDNS *const m, CacheRecord *rr)
+{
+ mDNS_CheckLock(m);
+
+ // Make sure we mark this record as thoroughly expired -- we don't ever want to give
+ // a positive answer using an expired record (e.g. from an interface that has gone away).
+ // We don't want to clear CRActiveQuestion here, because that would leave the record subject to
+ // summary deletion without giving the proper callback to any questions that are monitoring it.
+ // By setting UnansweredQueries to MaxUnansweredQueries we ensure it won't trigger any further expiration queries.
+ rr->TimeRcvd = m->timenow - mDNSPlatformOneSecond * 60;
+ rr->UnansweredQueries = MaxUnansweredQueries;
+ rr->resrec.rroriginalttl = 0;
+ SetNextCacheCheckTimeForRecord(m, rr);
+}
+
+mDNSexport mDNSs32 mDNS_TimeNow(const mDNS *const m)
+{
+ mDNSs32 time;
+ mDNSPlatformLock(m);
+ if (m->mDNS_busy)
+ {
+ LogMsg("mDNS_TimeNow called while holding mDNS lock. This is incorrect. Code protected by lock should just use m->timenow.");
+ if (!m->timenow) LogMsg("mDNS_TimeNow: m->mDNS_busy is %ld but m->timenow not set", m->mDNS_busy);
+ }
+
+ if (m->timenow) time = m->timenow;
+ else time = mDNS_TimeNow_NoLock(m);
+ mDNSPlatformUnlock(m);
+ return(time);
+}
+
+// To avoid pointless CPU thrash, we use SetSPSProxyListChanged(X) to record the last interface that
+// had its Sleep Proxy client list change, and defer to actual BPF reconfiguration to mDNS_Execute().
+// (GetNextScheduledEvent() returns "now" when m->SPSProxyListChanged is set)
+#define SetSPSProxyListChanged(X) do { \
+ if (m->SPSProxyListChanged && m->SPSProxyListChanged != (X)) mDNSPlatformUpdateProxyList(m, m->SPSProxyListChanged); \
+ m->SPSProxyListChanged = (X); } while(0)
+
+// Called from mDNS_Execute() to expire stale proxy records
+mDNSlocal void CheckProxyRecords(mDNS *const m, AuthRecord *list)
+{
+ m->CurrentRecord = list;
+ while (m->CurrentRecord)
+ {
+ AuthRecord *rr = m->CurrentRecord;
+ if (rr->resrec.RecordType != kDNSRecordTypeDeregistering && rr->WakeUp.HMAC.l[0])
+ {
+ // If m->SPSSocket is NULL that means we're not acting as a sleep proxy any more,
+ // so we need to cease proxying for *all* records we may have, expired or not.
+ if (m->SPSSocket && m->timenow - rr->TimeExpire < 0) // If proxy record not expired yet, update m->NextScheduledSPS
+ {
+ if (m->NextScheduledSPS - rr->TimeExpire > 0)
+ m->NextScheduledSPS = rr->TimeExpire;
+ }
+ else // else proxy record expired, so remove it
+ {
+ LogSPS("CheckProxyRecords: Removing %d H-MAC %.6a I-MAC %.6a %d %s",
+ m->ProxyRecords, &rr->WakeUp.HMAC, &rr->WakeUp.IMAC, rr->WakeUp.seq, ARDisplayString(m, rr));
+ SetSPSProxyListChanged(rr->resrec.InterfaceID);
+ mDNS_Deregister_internal(m, rr, mDNS_Dereg_normal);
+ // Don't touch rr after this -- memory may have been free'd
+ }
+ }
+ // Mustn't advance m->CurrentRecord until *after* mDNS_Deregister_internal, because
+ // new records could have been added to the end of the list as a result of that call.
+ if (m->CurrentRecord == rr) // If m->CurrentRecord was not advanced for us, do it now
+ m->CurrentRecord = rr->next;
+ }
+}
+
+mDNSlocal void CheckRmvEventsForLocalRecords(mDNS *const m)
+{
+ while (m->CurrentRecord)
+ {
+ AuthRecord *rr = m->CurrentRecord;
+ if (rr->AnsweredLocalQ && rr->resrec.RecordType == kDNSRecordTypeDeregistering)
+ {
+ debugf("CheckRmvEventsForLocalRecords: Generating local RMV events for %s", ARDisplayString(m, rr));
+ rr->resrec.RecordType = kDNSRecordTypeShared;
+ AnswerAllLocalQuestionsWithLocalAuthRecord(m, rr, mDNSfalse);
+ if (m->CurrentRecord == rr) // If rr still exists in list, restore its state now
+ {
+ rr->resrec.RecordType = kDNSRecordTypeDeregistering;
+ rr->AnsweredLocalQ = mDNSfalse;
+ // SendResponses normally calls CompleteDeregistration after sending goodbyes.
+ // For LocalOnly records, we don't do that and hence we need to do that here.
+ if (RRLocalOnly(rr)) CompleteDeregistration(m, rr);
+ }
+ }
+ if (m->CurrentRecord == rr) // If m->CurrentRecord was not auto-advanced, do it ourselves now
+ m->CurrentRecord = rr->next;
+ }
+}
+
+mDNSlocal void TimeoutQuestions(mDNS *const m)
+{
+ m->NextScheduledStopTime = m->timenow + 0x3FFFFFFF;
+ if (m->CurrentQuestion)
+ LogMsg("TimeoutQuestions ERROR m->CurrentQuestion already set: %##s (%s)", m->CurrentQuestion->qname.c,
+ DNSTypeName(m->CurrentQuestion->qtype));
+ m->CurrentQuestion = m->Questions;
+ while (m->CurrentQuestion)
+ {
+ DNSQuestion *const q = m->CurrentQuestion;
+ if (q->StopTime)
+ {
+ if (!q->TimeoutQuestion)
+ LogMsg("TimeoutQuestions: ERROR!! TimeoutQuestion not set, but StopTime set for %##s (%s)", q->qname.c, DNSTypeName(q->qtype));
+
+ if (m->timenow - q->StopTime >= 0)
+ {
+ LogInfo("TimeoutQuestions: question %p %##s timed out, time %d", q, q->qname.c, m->timenow - q->StopTime);
+ GenerateNegativeResponse(m, QC_forceresponse);
+ if (m->CurrentQuestion == q) q->StopTime = 0;
+ }
+ else
+ {
+ if (m->NextScheduledStopTime - q->StopTime > 0)
+ m->NextScheduledStopTime = q->StopTime;
+ }
+ }
+ // If m->CurrentQuestion wasn't modified out from under us, advance it now
+ // We can't do this at the start of the loop because GenerateNegativeResponse
+ // depends on having m->CurrentQuestion point to the right question
+ if (m->CurrentQuestion == q)
+ m->CurrentQuestion = q->next;
+ }
+ m->CurrentQuestion = mDNSNULL;
+}
+
+mDNSlocal void mDNSCoreFreeProxyRR(mDNS *const m)
+{
+ AuthRecord *rrPtr = m->SPSRRSet, *rrNext = mDNSNULL;
+ LogSPS("%s : Freeing stored sleep proxy A/AAAA records", __func__);
+ while (rrPtr)
+ {
+ rrNext = rrPtr->next;
+ mDNSPlatformMemFree(rrPtr);
+ rrPtr = rrNext;
+ }
+ m->SPSRRSet = mDNSNULL;
+}
+
+mDNSexport mDNSs32 mDNS_Execute(mDNS *const m)
+{
+ mDNS_Lock(m); // Must grab lock before trying to read m->timenow
+
+#if APPLE_OSX_mDNSResponder
+ mDNSLogStatistics(m);
+#endif // APPLE_OSX_mDNSResponder
+
+ if (m->timenow - m->NextScheduledEvent >= 0)
+ {
+ int i;
+ AuthRecord *head, *tail;
+ mDNSu32 slot;
+ AuthGroup *ag;
+
+ verbosedebugf("mDNS_Execute");
+
+ if (m->CurrentQuestion)
+ LogMsg("mDNS_Execute: ERROR m->CurrentQuestion already set: %##s (%s)",
+ m->CurrentQuestion->qname.c, DNSTypeName(m->CurrentQuestion->qtype));
+
+ if (m->CurrentRecord)
+ LogMsg("mDNS_Execute: ERROR m->CurrentRecord already set: %s", ARDisplayString(m, m->CurrentRecord));
+
+ // 1. If we're past the probe suppression time, we can clear it
+ if (m->SuppressProbes && m->timenow - m->SuppressProbes >= 0) m->SuppressProbes = 0;
+
+ // 2. If it's been more than ten seconds since the last probe failure, we can clear the counter
+ if (m->NumFailedProbes && m->timenow - m->ProbeFailTime >= mDNSPlatformOneSecond * 10) m->NumFailedProbes = 0;
+
+ // 3. Purge our cache of stale old records
+ if (m->rrcache_size && m->timenow - m->NextCacheCheck >= 0)
+ {
+ mDNSu32 numchecked = 0;
+ m->NextCacheCheck = m->timenow + 0x3FFFFFFF;
+ for (slot = 0; slot < CACHE_HASH_SLOTS; slot++)
+ {
+ if (m->timenow - m->rrcache_nextcheck[slot] >= 0)
+ {
+ CacheGroup **cp = &m->rrcache_hash[slot];
+ m->rrcache_nextcheck[slot] = m->timenow + 0x3FFFFFFF;
+ while (*cp)
+ {
+ debugf("m->NextCacheCheck %4d Slot %3d %##s", numchecked, slot, *cp ? (*cp)->name : (domainname*)"\x04NULL");
+ numchecked++;
+ CheckCacheExpiration(m, slot, *cp);
+ if ((*cp)->members) cp=&(*cp)->next;
+ else ReleaseCacheGroup(m, cp);
+ }
+ }
+ // Even if we didn't need to actually check this slot yet, still need to
+ // factor its nextcheck time into our overall NextCacheCheck value
+ if (m->NextCacheCheck - m->rrcache_nextcheck[slot] > 0)
+ m->NextCacheCheck = m->rrcache_nextcheck[slot];
+ }
+ debugf("m->NextCacheCheck %4d checked, next in %d", numchecked, m->NextCacheCheck - m->timenow);
+ }
+
+ if (m->timenow - m->NextScheduledSPS >= 0)
+ {
+ m->NextScheduledSPS = m->timenow + 0x3FFFFFFF;
+ CheckProxyRecords(m, m->DuplicateRecords); // Clear m->DuplicateRecords first, then m->ResourceRecords
+ CheckProxyRecords(m, m->ResourceRecords);
+ }
+
+ SetSPSProxyListChanged(mDNSNULL); // Perform any deferred BPF reconfiguration now
+
+ // Check to see if we need to send any keepalives. Do this after we called CheckProxyRecords above
+ // as records could have expired during that check
+ if (m->timenow - m->NextScheduledKA >= 0)
+ {
+ m->NextScheduledKA = m->timenow + 0x3FFFFFFF;
+ mDNS_SendKeepalives(m);
+ }
+
+ // Clear AnnounceOwner if necessary. (Do this *before* SendQueries() and SendResponses().)
+ if (m->AnnounceOwner && m->timenow - m->AnnounceOwner >= 0)
+ {
+ m->AnnounceOwner = 0;
+ }
+
+ if (m->DelaySleep && m->timenow - m->DelaySleep >= 0)
+ {
+ m->DelaySleep = 0;
+ if (m->SleepState == SleepState_Transferring)
+ {
+ LogSPS("Re-sleep delay passed; now checking for Sleep Proxy Servers");
+ BeginSleepProcessing(m);
+ }
+ }
+
+ // 4. See if we can answer any of our new local questions from the cache
+ for (i=0; m->NewQuestions && i<1000; i++)
+ {
+ if (m->NewQuestions->DelayAnswering && m->timenow - m->NewQuestions->DelayAnswering < 0) break;
+ AnswerNewQuestion(m);
+ }
+ if (i >= 1000) LogMsg("mDNS_Execute: AnswerNewQuestion exceeded loop limit");
+
+ // Make sure we deliver *all* local RMV events, and clear the corresponding rr->AnsweredLocalQ flags, *before*
+ // we begin generating *any* new ADD events in the m->NewLocalOnlyQuestions and m->NewLocalRecords loops below.
+ for (i=0; i<1000 && m->LocalRemoveEvents; i++)
+ {
+ m->LocalRemoveEvents = mDNSfalse;
+ m->CurrentRecord = m->ResourceRecords;
+ CheckRmvEventsForLocalRecords(m);
+ // Walk the LocalOnly records and deliver the RMV events
+ for (slot = 0; slot < AUTH_HASH_SLOTS; slot++)
+ for (ag = m->rrauth.rrauth_hash[slot]; ag; ag = ag->next)
+ {
+ m->CurrentRecord = ag->members;
+ if (m->CurrentRecord) CheckRmvEventsForLocalRecords(m);
+ }
+ }
+
+ if (i >= 1000) LogMsg("mDNS_Execute: m->LocalRemoveEvents exceeded loop limit");
+
+ for (i=0; m->NewLocalOnlyQuestions && i<1000; i++) AnswerNewLocalOnlyQuestion(m);
+ if (i >= 1000) LogMsg("mDNS_Execute: AnswerNewLocalOnlyQuestion exceeded loop limit");
+
+ head = tail = mDNSNULL;
+ for (i=0; i<1000 && m->NewLocalRecords && m->NewLocalRecords != head; i++)
+ {
+ AuthRecord *rr = m->NewLocalRecords;
+ m->NewLocalRecords = m->NewLocalRecords->next;
+ if (LocalRecordReady(rr))
+ {
+ debugf("mDNS_Execute: Delivering Add event with LocalAuthRecord %s", ARDisplayString(m, rr));
+ AnswerAllLocalQuestionsWithLocalAuthRecord(m, rr, mDNStrue);
+ }
+ else if (!rr->next)
+ {
+ // If we have just one record that is not ready, we don't have to unlink and
+ // reinsert. As the NewLocalRecords will be NULL for this case, the loop will
+ // terminate and set the NewLocalRecords to rr.
+ debugf("mDNS_Execute: Just one LocalAuthRecord %s, breaking out of the loop early", ARDisplayString(m, rr));
+ if (head != mDNSNULL || m->NewLocalRecords != mDNSNULL)
+ LogMsg("mDNS_Execute: ERROR!!: head %p, NewLocalRecords %p", head, m->NewLocalRecords);
+
+ head = rr;
+ }
+ else
+ {
+ AuthRecord **p = &m->ResourceRecords; // Find this record in our list of active records
+ debugf("mDNS_Execute: Skipping LocalAuthRecord %s", ARDisplayString(m, rr));
+ // if this is the first record we are skipping, move to the end of the list.
+ // if we have already skipped records before, append it at the end.
+ while (*p && *p != rr) p=&(*p)->next;
+ if (*p) *p = rr->next; // Cut this record from the list
+ else { LogMsg("mDNS_Execute: ERROR!! Cannot find record %s in ResourceRecords list", ARDisplayString(m, rr)); break; }
+ if (!head)
+ {
+ while (*p) p=&(*p)->next;
+ *p = rr;
+ head = tail = rr;
+ }
+ else
+ {
+ tail->next = rr;
+ tail = rr;
+ }
+ rr->next = mDNSNULL;
+ }
+ }
+ m->NewLocalRecords = head;
+ debugf("mDNS_Execute: Setting NewLocalRecords to %s", (head ? ARDisplayString(m, head) : "NULL"));
+
+ if (i >= 1000) LogMsg("mDNS_Execute: m->NewLocalRecords exceeded loop limit");
+
+ // Check to see if we have any new LocalOnly/P2P records to examine for delivering
+ // to our local questions
+ if (m->NewLocalOnlyRecords)
+ {
+ m->NewLocalOnlyRecords = mDNSfalse;
+ for (slot = 0; slot < AUTH_HASH_SLOTS; slot++)
+ for (ag = m->rrauth.rrauth_hash[slot]; ag; ag = ag->next)
+ {
+ for (i=0; i<100 && ag->NewLocalOnlyRecords; i++)
+ {
+ AuthRecord *rr = ag->NewLocalOnlyRecords;
+ ag->NewLocalOnlyRecords = ag->NewLocalOnlyRecords->next;
+ // LocalOnly records should always be ready as they never probe
+ if (LocalRecordReady(rr))
+ {
+ debugf("mDNS_Execute: Delivering Add event with LocalAuthRecord %s", ARDisplayString(m, rr));
+ AnswerAllLocalQuestionsWithLocalAuthRecord(m, rr, mDNStrue);
+ }
+ else LogMsg("mDNS_Execute: LocalOnlyRecord %s not ready", ARDisplayString(m, rr));
+ }
+ // We limit about 100 per AuthGroup that can be serviced at a time
+ if (i >= 100) LogMsg("mDNS_Execute: ag->NewLocalOnlyRecords exceeded loop limit");
+ }
+ }
+
+ // 5. See what packets we need to send
+ if (m->mDNSPlatformStatus != mStatus_NoError || (m->SleepState == SleepState_Sleeping))
+ DiscardDeregistrations(m);
+ if (m->mDNSPlatformStatus == mStatus_NoError && (m->SuppressSending == 0 || m->timenow - m->SuppressSending >= 0))
+ {
+ // If the platform code is ready, and we're not suppressing packet generation right now
+ // then send our responses, probes, and questions.
+ // We check the cache first, because there might be records close to expiring that trigger questions to refresh them.
+ // We send queries next, because there might be final-stage probes that complete their probing here, causing
+ // them to advance to announcing state, and we want those to be included in any announcements we send out.
+ // Finally, we send responses, including the previously mentioned records that just completed probing.
+ m->SuppressSending = 0;
+
+ // 6. Send Query packets. This may cause some probing records to advance to announcing state
+ if (m->timenow - m->NextScheduledQuery >= 0 || m->timenow - m->NextScheduledProbe >= 0) SendQueries(m);
+ if (m->timenow - m->NextScheduledQuery >= 0)
+ {
+ DNSQuestion *q;
+ LogMsg("mDNS_Execute: SendQueries didn't send all its queries (%d - %d = %d) will try again in one second",
+ m->timenow, m->NextScheduledQuery, m->timenow - m->NextScheduledQuery);
+ m->NextScheduledQuery = m->timenow + mDNSPlatformOneSecond;
+ for (q = m->Questions; q && q != m->NewQuestions; q=q->next)
+ if (ActiveQuestion(q) && m->timenow - NextQSendTime(q) >= 0)
+ LogMsg("mDNS_Execute: SendQueries didn't send %##s (%s)", q->qname.c, DNSTypeName(q->qtype));
+ }
+ if (m->timenow - m->NextScheduledProbe >= 0)
+ {
+ LogMsg("mDNS_Execute: SendQueries didn't send all its probes (%d - %d = %d) will try again in one second",
+ m->timenow, m->NextScheduledProbe, m->timenow - m->NextScheduledProbe);
+ m->NextScheduledProbe = m->timenow + mDNSPlatformOneSecond;
+ }
+
+ // 7. Send Response packets, including probing records just advanced to announcing state
+ if (m->timenow - m->NextScheduledResponse >= 0) SendResponses(m);
+ if (m->timenow - m->NextScheduledResponse >= 0)
+ {
+ LogMsg("mDNS_Execute: SendResponses didn't send all its responses; will try again in one second");
+ m->NextScheduledResponse = m->timenow + mDNSPlatformOneSecond;
+ }
+ }
+
+ // Clear RandomDelay values, ready to pick a new different value next time
+ m->RandomQueryDelay = 0;
+ m->RandomReconfirmDelay = 0;
+
+ if (m->NextScheduledStopTime && m->timenow - m->NextScheduledStopTime >= 0) TimeoutQuestions(m);
+#ifndef UNICAST_DISABLED
+ if (m->NextSRVUpdate && m->timenow - m->NextSRVUpdate >= 0) UpdateAllSRVRecords(m);
+ if (m->timenow - m->NextScheduledNATOp >= 0) CheckNATMappings(m);
+ if (m->timenow - m->NextuDNSEvent >= 0) uDNS_Tasks(m);
+#endif
+ }
+
+ // Note about multi-threaded systems:
+ // On a multi-threaded system, some other thread could run right after the mDNS_Unlock(),
+ // performing mDNS API operations that change our next scheduled event time.
+ //
+ // On multi-threaded systems (like the current Windows implementation) that have a single main thread
+ // calling mDNS_Execute() (and other threads allowed to call mDNS API routines) it is the responsibility
+ // of the mDNSPlatformUnlock() routine to signal some kind of stateful condition variable that will
+ // signal whatever blocking primitive the main thread is using, so that it will wake up and execute one
+ // more iteration of its loop, and immediately call mDNS_Execute() again. The signal has to be stateful
+ // in the sense that if the main thread has not yet entered its blocking primitive, then as soon as it
+ // does, the state of the signal will be noticed, causing the blocking primitive to return immediately
+ // without blocking. This avoids the race condition between the signal from the other thread arriving
+ // just *before* or just *after* the main thread enters the blocking primitive.
+ //
+ // On multi-threaded systems (like the current Mac OS 9 implementation) that are entirely timer-driven,
+ // with no main mDNS_Execute() thread, it is the responsibility of the mDNSPlatformUnlock() routine to
+ // set the timer according to the m->NextScheduledEvent value, and then when the timer fires, the timer
+ // callback function should call mDNS_Execute() (and ignore the return value, which may already be stale
+ // by the time it gets to the timer callback function).
+
+ mDNS_Unlock(m); // Calling mDNS_Unlock is what gives m->NextScheduledEvent its new value
+ return(m->NextScheduledEvent);
+}
+
+#ifndef UNICAST_DISABLED
+mDNSlocal void SuspendLLQs(mDNS *m)
+{
+ DNSQuestion *q;
+ for (q = m->Questions; q; q = q->next)
+ if (ActiveQuestion(q) && !mDNSOpaque16IsZero(q->TargetQID) && q->LongLived && q->state == LLQ_Established)
+ { q->ReqLease = 0; sendLLQRefresh(m, q); }
+}
+#endif // UNICAST_DISABLED
+
+mDNSlocal mDNSBool QuestionHasLocalAnswers(mDNS *const m, DNSQuestion *q)
+{
+ AuthRecord *rr;
+ mDNSu32 slot;
+ AuthGroup *ag;
+
+ slot = AuthHashSlot(&q->qname);
+ ag = AuthGroupForName(&m->rrauth, slot, q->qnamehash, &q->qname);
+ if (ag)
+ {
+ for (rr = ag->members; rr; rr=rr->next)
+ // Filter the /etc/hosts records - LocalOnly, Unique, A/AAAA/CNAME
+ if (UniqueLocalOnlyRecord(rr) && LocalOnlyRecordAnswersQuestion(rr, q))
+ {
+ LogInfo("QuestionHasLocalAnswers: Question %p %##s (%s) has local answer %s", q, q->qname.c, DNSTypeName(q->qtype), ARDisplayString(m, rr));
+ return mDNStrue;
+ }
+ }
+ return mDNSfalse;
+}
+
+// ActivateUnicastQuery() is called from three places:
+// 1. When a new question is created
+// 2. On wake from sleep
+// 3. When the DNS configuration changes
+// In case 1 we don't want to mess with our established ThisQInterval and LastQTime (ScheduleImmediately is false)
+// In cases 2 and 3 we do want to cause the question to be resent immediately (ScheduleImmediately is true)
+mDNSlocal void ActivateUnicastQuery(mDNS *const m, DNSQuestion *const question, mDNSBool ScheduleImmediately)
+{
+ // For now this AutoTunnel stuff is specific to Mac OS X.
+ // In the future, if there's demand, we may see if we can abstract it out cleanly into the platform layer
+#if APPLE_OSX_mDNSResponder
+ // Even though BTMM client tunnels are only useful for AAAA queries, we need to treat v4 and v6 queries equally.
+ // Otherwise we can get the situation where the A query completes really fast (with an NXDOMAIN result) and the
+ // caller then gives up waiting for the AAAA result while we're still in the process of setting up the tunnel.
+ // To level the playing field, we block both A and AAAA queries while tunnel setup is in progress, and then
+ // returns results for both at the same time. If we are looking for the _autotunnel6 record, then skip this logic
+ // as this would trigger looking up _autotunnel6._autotunnel6 and end up failing the original query.
+
+ if (RRTypeIsAddressType(question->qtype) && PrivateQuery(question) &&
+ !SameDomainLabel(question->qname.c, (const mDNSu8 *)"\x0c_autotunnel6")&& question->QuestionCallback != AutoTunnelCallback)
+ {
+ question->NoAnswer = NoAnswer_Suspended;
+ AddNewClientTunnel(m, question);
+ return;
+ }
+#endif // APPLE_OSX_mDNSResponder
+
+ if (!question->DuplicateOf)
+ {
+ debugf("ActivateUnicastQuery: %##s %s%s%s",
+ question->qname.c, DNSTypeName(question->qtype), PrivateQuery(question) ? " (Private)" : "", ScheduleImmediately ? " ScheduleImmediately" : "");
+ question->CNAMEReferrals = 0;
+ if (question->nta) { CancelGetZoneData(m, question->nta); question->nta = mDNSNULL; }
+ if (question->LongLived)
+ {
+ question->state = LLQ_InitialRequest;
+ question->id = zeroOpaque64;
+ question->servPort = zeroIPPort;
+ if (question->tcp) { DisposeTCPConn(question->tcp); question->tcp = mDNSNULL; }
+ }
+ // If the question has local answers, then we don't want answers from outside
+ if (ScheduleImmediately && !QuestionHasLocalAnswers(m, question))
+ {
+ question->ThisQInterval = InitialQuestionInterval;
+ question->LastQTime = m->timenow - question->ThisQInterval;
+ SetNextQueryTime(m, question);
+ }
+ }
+}
+
+// Caller should hold the lock
+mDNSexport void mDNSCoreRestartAddressQueries(mDNS *const m, mDNSBool SearchDomainsChanged, FlushCache flushCacheRecords,
+ CallbackBeforeStartQuery BeforeStartCallback, void *context)
+{
+ DNSQuestion *q;
+ DNSQuestion *restart = mDNSNULL;
+
+ mDNS_CheckLock(m);
+
+ // 1. Flush the cache records
+ if (flushCacheRecords) flushCacheRecords(m);
+
+ // 2. Even though we may have purged the cache records above, before it can generate RMV event
+ // we are going to stop the question. Hence we need to deliver the RMV event before we
+ // stop the question.
+ //
+ // CurrentQuestion is used by RmvEventsForQuestion below. While delivering RMV events, the
+ // application callback can potentially stop the current question (detected by CurrentQuestion) or
+ // *any* other question which could be the next one that we may process here. RestartQuestion
+ // points to the "next" question which will be automatically advanced in mDNS_StopQuery_internal
+ // if the "next" question is stopped while the CurrentQuestion is stopped
+
+ if (m->RestartQuestion)
+ LogMsg("mDNSCoreRestartAddressQueries: ERROR!! m->RestartQuestion already set: %##s (%s)",
+ m->RestartQuestion->qname.c, DNSTypeName(m->RestartQuestion->qtype));
+
+ m->RestartQuestion = m->Questions;
+ while (m->RestartQuestion)
+ {
+ q = m->RestartQuestion;
+ m->RestartQuestion = q->next;
+ // GetZoneData questions are referenced by other questions (original query that started the GetZoneData
+ // question) through their "nta" pointer. Normally when the original query stops, it stops the
+ // GetZoneData question and also frees the memory (See CancelGetZoneData). If we stop the GetZoneData
+ // question followed by the original query that refers to this GetZoneData question, we will end up
+ // freeing the GetZoneData question and then start the "freed" question at the end.
+
+ if (IsGetZoneDataQuestion(q))
+ {
+ DNSQuestion *refq = q->next;
+ LogInfo("mDNSCoreRestartAddressQueries: Skipping GetZoneDataQuestion %p %##s (%s)", q, q->qname.c, DNSTypeName(q->qtype));
+ // debug stuff, we just try to find the referencing question and don't do much with it
+ while (refq)
+ {
+ if (q == &refq->nta->question)
+ {
+ LogInfo("mDNSCoreRestartAddressQueries: Question %p %##s (%s) referring to GetZoneDataQuestion %p, not stopping", refq, refq->qname.c, DNSTypeName(refq->qtype), q);
+ }
+ refq = refq->next;
+ }
+ continue;
+ }
+
+ // This function is called when /etc/hosts changes and that could affect A, AAAA and CNAME queries
+ if (q->qtype != kDNSType_A && q->qtype != kDNSType_AAAA && q->qtype != kDNSType_CNAME) continue;
+
+ // If the search domains did not change, then we restart all the queries. Otherwise, only
+ // for queries for which we "might" have appended search domains ("might" because we may
+ // find results before we apply search domains even though AppendSearchDomains is set to 1)
+ if (!SearchDomainsChanged || q->AppendSearchDomains)
+ {
+ // NOTE: CacheRecordRmvEventsForQuestion will not generate RMV events for queries that have non-zero
+ // LOAddressAnswers. Hence it is important that we call CacheRecordRmvEventsForQuestion before
+ // LocalRecordRmvEventsForQuestion (which decrements LOAddressAnswers). Let us say that
+ // /etc/hosts has an A Record for web.apple.com. Any queries for web.apple.com will be answered locally.
+ // But this can't prevent a CNAME/AAAA query to not to be sent on the wire. When it is sent on the wire,
+ // it could create cache entries. When we are restarting queries, we can't deliver the cache RMV events
+ // for the original query using these cache entries as ADDs were never delivered using these cache
+ // entries and hence this order is needed.
+
+ // If the query is suppressed, the RMV events won't be delivered
+ if (!CacheRecordRmvEventsForQuestion(m, q)) { LogInfo("mDNSCoreRestartAddressQueries: Question deleted while delivering Cache Record RMV events"); continue; }
+
+ // SuppressQuery status does not affect questions that are answered using local records
+ if (!LocalRecordRmvEventsForQuestion(m, q)) { LogInfo("mDNSCoreRestartAddressQueries: Question deleted while delivering Local Record RMV events"); continue; }
+
+ LogInfo("mDNSCoreRestartAddressQueries: Stop question %p %##s (%s), AppendSearchDomains %d, qnameOrig %p", q,
+ q->qname.c, DNSTypeName(q->qtype), q->AppendSearchDomains, q->qnameOrig);
+ mDNS_StopQuery_internal(m, q);
+ // Reset state so that it looks like it was in the beginning i.e it should look at /etc/hosts, cache
+ // and then search domains should be appended. At the beginning, qnameOrig was NULL.
+ if (q->qnameOrig)
+ {
+ LogInfo("mDNSCoreRestartAddressQueries: qnameOrig %##s", q->qnameOrig);
+ AssignDomainName(&q->qname, q->qnameOrig);
+ mDNSPlatformMemFree(q->qnameOrig);
+ q->qnameOrig = mDNSNULL;
+ q->RetryWithSearchDomains = ApplySearchDomainsFirst(q) ? 1 : 0;
+ }
+ q->SearchListIndex = 0;
+ q->next = restart;
+ restart = q;
+ }
+ }
+
+ // 3. Callback before we start the query
+ if (BeforeStartCallback) BeforeStartCallback(m, context);
+
+ // 4. Restart all the stopped queries
+ while (restart)
+ {
+ q = restart;
+ restart = restart->next;
+ q->next = mDNSNULL;
+ LogInfo("mDNSCoreRestartAddressQueries: Start question %p %##s (%s)", q, q->qname.c, DNSTypeName(q->qtype));
+ mDNS_StartQuery_internal(m, q);
+ }
+}
+
+mDNSexport void mDNSCoreRestartQueries(mDNS *const m)
+{
+ DNSQuestion *q;
+
+#ifndef UNICAST_DISABLED
+ // Retrigger all our uDNS questions
+ if (m->CurrentQuestion)
+ LogMsg("mDNSCoreRestartQueries: ERROR m->CurrentQuestion already set: %##s (%s)",
+ m->CurrentQuestion->qname.c, DNSTypeName(m->CurrentQuestion->qtype));
+ m->CurrentQuestion = m->Questions;
+ while (m->CurrentQuestion)
+ {
+ q = m->CurrentQuestion;
+ m->CurrentQuestion = m->CurrentQuestion->next;
+ if (!mDNSOpaque16IsZero(q->TargetQID) && ActiveQuestion(q)) ActivateUnicastQuery(m, q, mDNStrue);
+ }
+#endif
+
+ // Retrigger all our mDNS questions
+ for (q = m->Questions; q; q=q->next) // Scan our list of questions
+ mDNSCoreRestartQuestion(m, q);
+}
+
+// restart question if it's multicast and currently active
+mDNSexport void mDNSCoreRestartQuestion(mDNS *const m, DNSQuestion *q)
+{
+ if (mDNSOpaque16IsZero(q->TargetQID) && ActiveQuestion(q))
+ {
+ q->ThisQInterval = InitialQuestionInterval; // MUST be > zero for an active question
+#if mDNS_REQUEST_UNICAST_RESPONSE
+ q->RequestUnicast = SET_QU_IN_FIRST_FOUR_QUERIES;
+#else // mDNS_REQUEST_UNICAST_RESPONSE
+ q->RequestUnicast = SET_QU_IN_FIRST_QUERY;
+#endif // mDNS_REQUEST_UNICAST_RESPONSE
+ q->LastQTime = m->timenow - q->ThisQInterval;
+ q->RecentAnswerPkts = 0;
+ ExpireDupSuppressInfo(q->DupSuppress, m->timenow);
+ m->NextScheduledQuery = m->timenow;
+ }
+}
+
+// restart the probe/announce cycle for multicast record
+mDNSexport void mDNSCoreRestartRegistration(mDNS *const m, AuthRecord *rr, int announceCount)
+{
+ if (!AuthRecord_uDNS(rr))
+ {
+ if (rr->resrec.RecordType == kDNSRecordTypeVerified && !rr->DependentOn) rr->resrec.RecordType = kDNSRecordTypeUnique;
+ rr->ProbeCount = DefaultProbeCountForRecordType(rr->resrec.RecordType);
+
+ // announceCount < 0 indicates default announce count should be used
+ if (announceCount < 0)
+ announceCount = InitialAnnounceCount;
+ if (rr->AnnounceCount < announceCount)
+ rr->AnnounceCount = announceCount;
+
+ if (mDNS_KeepaliveRecord(&rr->resrec))
+ rr->AnnounceCount = 0; // Do not announce keepalive records
+ else
+ rr->AnnounceCount = InitialAnnounceCount;
+ rr->SendNSECNow = mDNSNULL;
+ InitializeLastAPTime(m, rr);
+ }
+}
+
+// ***************************************************************************
+#if COMPILER_LIKES_PRAGMA_MARK
+#pragma mark -
+#pragma mark - Power Management (Sleep/Wake)
+#endif
+
+mDNSexport void mDNS_UpdateAllowSleep(mDNS *const m)
+{
+#ifndef IDLESLEEPCONTROL_DISABLED
+ mDNSBool allowSleep = mDNStrue;
+ char reason[128];
+
+ reason[0] = 0;
+
+ if (m->SystemSleepOnlyIfWakeOnLAN)
+ {
+ // Don't sleep if we are a proxy for any services
+ if (m->ProxyRecords)
+ {
+ allowSleep = mDNSfalse;
+ mDNS_snprintf(reason, sizeof(reason), "sleep proxy for %d records", m->ProxyRecords);
+ LogInfo("mDNS_UpdateAllowSleep: Sleep disabled because we are proxying %d records", m->ProxyRecords);
+ }
+
+ if (allowSleep && mDNSCoreHaveAdvertisedMulticastServices(m))
+ {
+ // Scan the list of active interfaces
+ NetworkInterfaceInfo *intf;
+ for (intf = GetFirstActiveInterface(m->HostInterfaces); intf; intf = GetFirstActiveInterface(intf->next))
+ {
+ if (intf->McastTxRx && !intf->Loopback && !mDNSPlatformInterfaceIsD2D(intf->InterfaceID))
+ {
+ // Disallow sleep if this interface doesn't support NetWake
+ if (!intf->NetWake)
+ {
+ allowSleep = mDNSfalse;
+ mDNS_snprintf(reason, sizeof(reason), "%s does not support NetWake", intf->ifname);
+ LogInfo("mDNS_UpdateAllowSleep: Sleep disabled because %s does not support NetWake", intf->ifname);
+ break;
+ }
+
+ // Disallow sleep if there is no sleep proxy server
+ const CacheRecord *cr = FindSPSInCache1(m, &intf->NetWakeBrowse, mDNSNULL, mDNSNULL);
+ if ( cr == mDNSNULL)
+ {
+ allowSleep = mDNSfalse;
+ mDNS_snprintf(reason, sizeof(reason), "No sleep proxy server on %s", intf->ifname);
+ LogInfo("mDNS_UpdateAllowSleep: Sleep disabled because %s has no sleep proxy server", intf->ifname);
+ break;
+ }
+ else if (m->SPSType != 0)
+ {
+ mDNSu32 mymetric = LocalSPSMetric(m);
+ mDNSu32 metric = SPSMetric(cr->resrec.rdata->u.name.c);
+ if (metric >= mymetric)
+ {
+ allowSleep = mDNSfalse;
+ mDNS_snprintf(reason, sizeof(reason), "No sleep proxy server with better metric on %s", intf->ifname);
+ LogInfo("mDNS_UpdateAllowSleep: Sleep disabled because %s has no sleep proxy server with a better metric", intf->ifname);
+ break;
+ }
+ }
+ }
+ }
+ }
+ }
+
+ // Call the platform code to enable/disable sleep
+ mDNSPlatformSetAllowSleep(m, allowSleep, reason);
+#else
+ (void) m;
+#endif /* !defined(IDLESLEEPCONTROL_DISABLED) */
+}
+
+mDNSlocal mDNSBool mDNSUpdateOkToSend(mDNS *const m, AuthRecord *rr, NetworkInterfaceInfo *const intf, mDNSu32 scopeid)
+{
+ // If it is not a uDNS record, check to see if the updateid is zero. "updateid" is cleared when we have
+ // sent the resource record on all the interfaces. If the update id is not zero, check to see if it is time
+ // to send.
+ if (AuthRecord_uDNS(rr) || (rr->AuthFlags & AuthFlagsWakeOnly) || mDNSOpaque16IsZero(rr->updateid) ||
+ m->timenow - (rr->LastAPTime + rr->ThisAPInterval) < 0)
+ {
+ return mDNSfalse;
+ }
+
+ // If we have a pending registration for "scopeid", it is ok to send the update on that interface.
+ // If the scopeid is too big to check for validity, we don't check against updateIntID. When
+ // we successfully update on all the interfaces (with whatever set in "rr->updateIntID"), we clear
+ // updateid and we should have returned from above.
+ //
+ // Note: scopeid is the same as intf->InterfaceID. It is passed in so that we don't have to call the
+ // platform function to extract the value from "intf" everytime.
+
+ if ((scopeid >= (sizeof(rr->updateIntID) * mDNSNBBY) || bit_get_opaque64(rr->updateIntID, scopeid)) &&
+ (!rr->resrec.InterfaceID || rr->resrec.InterfaceID == intf->InterfaceID))
+ return mDNStrue;
+
+ return mDNSfalse;
+}
+
+mDNSexport void UpdateRMACCallback(mDNS *const m, void *context)
+{
+ IPAddressMACMapping *addrmap = (IPAddressMACMapping *)context ;
+ m->CurrentRecord = m->ResourceRecords;
+
+ if (!addrmap)
+ {
+ LogMsg("UpdateRMACCallback: Address mapping is NULL");
+ return;
+ }
+
+ while (m->CurrentRecord)
+ {
+ AuthRecord *rr = m->CurrentRecord;
+ // If this is a keepalive record and the remote IP address matches, update the RData
+ if (mDNS_KeepaliveRecord(&rr->resrec))
+ {
+ mDNSAddr raddr;
+ getKeepaliveRaddr(m, rr, &raddr);
+ if (mDNSSameAddress(&raddr, &addrmap->ipaddr))
+ {
+ UpdateKeepaliveRData(m, rr, mDNSNULL, mDNStrue, (char *)(addrmap->ethaddr));
+ }
+ }
+ m->CurrentRecord = rr->next;
+ }
+
+ if (addrmap)
+ {
+ mDNSPlatformMemFree(addrmap);
+ }
+}
+
+mDNSexport mStatus UpdateKeepaliveRData(mDNS *const m, AuthRecord *rr, NetworkInterfaceInfo *const intf, mDNSBool updateMac, char *ethAddr)
+{
+ mDNSu16 newrdlength;
+ mDNSAddr laddr, raddr;
+ mDNSEthAddr eth;
+ mDNSIPPort lport, rport;
+ mDNSu32 timeout, seq, ack;
+ mDNSu16 win;
+ UTF8str255 txt;
+ int rdsize;
+ RData *newrd;
+ mDNSTCPInfo mti;
+ mStatus ret;
+
+ // Note: If we fail to update the DNS NULL record with additional information in this function, it will be registered
+ // with the SPS like any other record. SPS will not send keepalives if it does not have additional information.
+ mDNS_ExtractKeepaliveInfo(rr, &timeout, &laddr, &raddr, &eth, &seq, &ack, &lport, &rport, &win);
+ if (!timeout || mDNSAddressIsZero(&laddr) || mDNSAddressIsZero(&raddr) || mDNSIPPortIsZero(lport) ||
+ mDNSIPPortIsZero(rport))
+ {
+ LogMsg("UpdateKeepaliveRData: not a valid record %s for keepalive %#a:%d %#a:%d", ARDisplayString(m, rr), &laddr, lport.NotAnInteger, &raddr, rport.NotAnInteger);
+ return mStatus_UnknownErr;
+ }
+
+ if (updateMac)
+ {
+ if (laddr.type == mDNSAddrType_IPv4)
+ newrdlength = mDNS_snprintf((char *)&txt.c[1], sizeof(txt.c) - 1, "t=%d i=%d c=%d h=%#a d=%#a l=%u r=%u m=%s", timeout, kKeepaliveRetryInterval, kKeepaliveRetryCount, &laddr, &raddr, mDNSVal16(lport), mDNSVal16(rport), ethAddr);
+ else
+ newrdlength = mDNS_snprintf((char *)&txt.c[1], sizeof(txt.c) - 1, "t=%d i=%d c=%d H=%#a D=%#a l=%u r=%u m=%s", timeout, kKeepaliveRetryInterval, kKeepaliveRetryCount, &laddr, &raddr, mDNSVal16(lport), mDNSVal16(rport), ethAddr);
+
+ }
+ else
+ {
+ // If this keepalive packet would be sent on a different interface than the current one that we are processing
+ // now, then we don't update the DNS NULL record. But we do not prevent it from registering with the SPS. When SPS sees
+ // this DNS NULL record, it does not send any keepalives as it does not have all the information
+ mDNSPlatformMemZero(&mti, sizeof (mDNSTCPInfo));
+ ret = mDNSPlatformRetrieveTCPInfo(m, &laddr, &lport, &raddr, &rport, &mti);
+ if (ret != mStatus_NoError)
+ {
+ LogMsg("mDNSPlatformRetrieveTCPInfo: mDNSPlatformRetrieveTCPInfo failed %d", ret);
+ return ret;
+ }
+ if ((intf != mDNSNULL) && (mti.IntfId != intf->InterfaceID))
+ {
+ LogInfo("mDNSPlatformRetrieveTCPInfo: InterfaceID mismatch mti.IntfId = %p InterfaceID = %p", mti.IntfId, intf->InterfaceID);
+ return mStatus_BadParamErr;
+ }
+
+ if (laddr.type == mDNSAddrType_IPv4)
+ newrdlength = mDNS_snprintf((char *)&txt.c[1], sizeof(txt.c) - 1, "t=%d i=%d c=%d h=%#a d=%#a l=%u r=%u m=%.6a s=%u a=%u w=%u", timeout, kKeepaliveRetryInterval, kKeepaliveRetryCount, &laddr, &raddr, mDNSVal16(lport), mDNSVal16(rport), &eth, mti.seq, mti.ack, mti.window);
+ else
+ newrdlength = mDNS_snprintf((char *)&txt.c[1], sizeof(txt.c) - 1, "t=%d i=%d c=%d H=%#a D=%#a l=%u r=%u m=%.6a s=%u a=%u w=%u", timeout, kKeepaliveRetryInterval, kKeepaliveRetryCount, &laddr, &raddr, mDNSVal16(lport), mDNSVal16(rport), &eth, mti.seq, mti.ack, mti.window);
+ }
+
+ // Did we insert a null byte at the end ?
+ if (newrdlength == (sizeof(txt.c) - 1))
+ {
+ LogMsg("UpdateKeepaliveRData: could not allocate memory %s", ARDisplayString(m, rr));
+ return mStatus_NoMemoryErr;
+ }
+
+ // Include the length for the null byte at the end
+ txt.c[0] = newrdlength + 1;
+ // Account for the first length byte and the null byte at the end
+ newrdlength += 2;
+
+ rdsize = newrdlength > sizeof(RDataBody) ? newrdlength : sizeof(RDataBody);
+ newrd = mDNSPlatformMemAllocate(sizeof(RData) - sizeof(RDataBody) + rdsize);
+ if (!newrd) { LogMsg("UpdateKeepaliveRData: ptr NULL"); return mStatus_NoMemoryErr; }
+
+ newrd->MaxRDLength = (mDNSu16) rdsize;
+ mDNSPlatformMemCopy(&newrd->u, txt.c, newrdlength);
+
+ // If we are updating the record for the first time, rdata points to rdatastorage as the rdata memory
+ // was allocated as part of the AuthRecord itself. We allocate memory when we update the AuthRecord.
+ // If the resource record has data that we allocated in a previous pass (to update MAC address),
+ // free that memory here before copying in the new data.
+ if ( rr->resrec.rdata != &rr->rdatastorage)
+ {
+ mDNSPlatformMemFree(rr->resrec.rdata);
+ LogSPS("UpdateKeepaliveRData: Freed allocated memory for keep alive packet: %s ", ARDisplayString(m, rr));
+ }
+ SetNewRData(&rr->resrec, newrd, newrdlength); // Update our rdata
+
+ LogSPS("UpdateKeepaliveRData: successfully updated the record %s", ARDisplayString(m, rr));
+ return mStatus_NoError;
+}
+
+mDNSlocal void SendSPSRegistrationForOwner(mDNS *const m, NetworkInterfaceInfo *const intf, const mDNSOpaque16 id, const OwnerOptData *const owner)
+{
+ const int optspace = DNSOpt_Header_Space + DNSOpt_LeaseData_Space + DNSOpt_Owner_Space(&m->PrimaryMAC, &intf->MAC);
+ const int sps = intf->NextSPSAttempt / 3;
+ AuthRecord *rr;
+ mDNSOpaque16 msgid;
+ mDNSu32 scopeid;
+
+ scopeid = mDNSPlatformInterfaceIndexfromInterfaceID(m, intf->InterfaceID, mDNStrue);
+ if (!intf->SPSAddr[sps].type)
+ {
+ intf->NextSPSAttemptTime = m->timenow + mDNSPlatformOneSecond;
+ if (m->NextScheduledSPRetry - intf->NextSPSAttemptTime > 0)
+ m->NextScheduledSPRetry = intf->NextSPSAttemptTime;
+ LogSPS("SendSPSRegistration: %s SPS %d (%d) %##s not yet resolved", intf->ifname, intf->NextSPSAttempt, sps, intf->NetWakeResolve[sps].qname.c);
+ goto exit;
+ }
+
+ // Mark our mDNS records (not unicast records) for transfer to SPS
+ if (mDNSOpaque16IsZero(id))
+ {
+ // We may have to register this record over multiple interfaces and we don't want to
+ // overwrite the id. We send the registration over interface X with id "IDX" and before
+ // we get a response, we overwrite with id "IDY" for interface Y and we won't accept responses
+ // for "IDX". Hence, we want to use the same ID across all interfaces.
+ //
+ // In the case of sleep proxy server transfering its records when it goes to sleep, the owner
+ // option check below will set the same ID across the records from the same owner. Records
+ // with different owner option gets different ID.
+ msgid = mDNS_NewMessageID(m);
+ for (rr = m->ResourceRecords; rr; rr=rr->next)
+ {
+ if (!(rr->AuthFlags & AuthFlagsWakeOnly) && rr->resrec.RecordType > kDNSRecordTypeDeregistering)
+ {
+ if (rr->resrec.InterfaceID == intf->InterfaceID || (!rr->resrec.InterfaceID && (rr->ForceMCast || IsLocalDomain(rr->resrec.name))))
+ {
+ if (mDNSPlatformMemSame(owner, &rr->WakeUp, sizeof(*owner)))
+ {
+ rr->SendRNow = mDNSInterfaceMark; // mark it now
+ // When we are registering on the first interface, rr->updateid is zero in which case
+ // initialize with the new ID. For subsequent interfaces, we want to use the same ID.
+ // At the end, all the updates sent across all the interfaces with the same ID.
+ if (mDNSOpaque16IsZero(rr->updateid))
+ rr->updateid = msgid;
+ else
+ msgid = rr->updateid;
+ }
+ }
+ }
+ }
+ }
+ else
+ msgid = id;
+
+ while (1)
+ {
+ mDNSu8 *p = m->omsg.data;
+ // To comply with RFC 2782, PutResourceRecord suppresses name compression for SRV records in unicast updates.
+ // For now we follow that same logic for SPS registrations too.
+ // If we decide to compress SRV records in SPS registrations in the future, we can achieve that by creating our
+ // initial DNSMessage with h.flags set to zero, and then update it to UpdateReqFlags right before sending the packet.
+ InitializeDNSMessage(&m->omsg.h, msgid, UpdateReqFlags);
+
+ for (rr = m->ResourceRecords; rr; rr=rr->next)
+ if (rr->SendRNow || mDNSUpdateOkToSend(m, rr, intf, scopeid))
+ {
+ if (mDNSPlatformMemSame(owner, &rr->WakeUp, sizeof(*owner)))
+ {
+ mDNSu8 *newptr;
+ const mDNSu8 *const limit = m->omsg.data + (m->omsg.h.mDNS_numUpdates ? NormalMaxDNSMessageData : AbsoluteMaxDNSMessageData) - optspace;
+
+ // If we can't update the keepalive record, don't send it
+ if (mDNS_KeepaliveRecord(&rr->resrec) && (UpdateKeepaliveRData(m, rr, intf, mDNSfalse, mDNSNULL) != mStatus_NoError))
+ {
+ if (scopeid < (sizeof(rr->updateIntID) * mDNSNBBY))
+ {
+ bit_clr_opaque64(rr->updateIntID, scopeid);
+ }
+ rr->SendRNow = mDNSNULL;
+ continue;
+ }
+
+ if (rr->resrec.RecordType & kDNSRecordTypeUniqueMask)
+ rr->resrec.rrclass |= kDNSClass_UniqueRRSet; // Temporarily set the 'unique' bit so PutResourceRecord will set it
+ newptr = PutResourceRecordTTLWithLimit(&m->omsg, p, &m->omsg.h.mDNS_numUpdates, &rr->resrec, rr->resrec.rroriginalttl, limit);
+ rr->resrec.rrclass &= ~kDNSClass_UniqueRRSet; // Make sure to clear 'unique' bit back to normal state
+ if (!newptr)
+ LogSPS("SendSPSRegistration put %s FAILED %d/%d %s", intf->ifname, p - m->omsg.data, limit - m->omsg.data, ARDisplayString(m, rr));
+ else
+ {
+ LogSPS("SendSPSRegistration put %s 0x%x 0x%x (updateid %d) %s", intf->ifname, rr->updateIntID.l[1], rr->updateIntID.l[0], mDNSVal16(m->omsg.h.id), ARDisplayString(m, rr));
+ rr->SendRNow = mDNSNULL;
+ rr->ThisAPInterval = mDNSPlatformOneSecond;
+ rr->LastAPTime = m->timenow;
+ // should be initialized above
+ if (mDNSOpaque16IsZero(rr->updateid)) LogMsg("SendSPSRegistration: ERROR!! rr %s updateid is zero", ARDisplayString(m, rr));
+ if (m->NextScheduledResponse - (rr->LastAPTime + rr->ThisAPInterval) >= 0)
+ m->NextScheduledResponse = (rr->LastAPTime + rr->ThisAPInterval);
+ p = newptr;
+ }
+ }
+ }
+
+ if (!m->omsg.h.mDNS_numUpdates) break;
+ else
+ {
+ AuthRecord opt;
+ mDNS_SetupResourceRecord(&opt, mDNSNULL, mDNSInterface_Any, kDNSType_OPT, kStandardTTL, kDNSRecordTypeKnownUnique, AuthRecordAny, mDNSNULL, mDNSNULL);
+ opt.resrec.rrclass = NormalMaxDNSMessageData;
+ opt.resrec.rdlength = sizeof(rdataOPT) * 2; // Two options in this OPT record
+ opt.resrec.rdestimate = sizeof(rdataOPT) * 2;
+ opt.resrec.rdata->u.opt[0].opt = kDNSOpt_Lease;
+ opt.resrec.rdata->u.opt[0].optlen = DNSOpt_LeaseData_Space - 4;
+ opt.resrec.rdata->u.opt[0].u.updatelease = DEFAULT_UPDATE_LEASE;
+ if (!owner->HMAC.l[0]) // If no owner data,
+ SetupOwnerOpt(m, intf, &opt.resrec.rdata->u.opt[1]); // use our own interface information
+ else // otherwise, use the owner data we were given
+ {
+ opt.resrec.rdata->u.opt[1].u.owner = *owner;
+ opt.resrec.rdata->u.opt[1].opt = kDNSOpt_Owner;
+ opt.resrec.rdata->u.opt[1].optlen = DNSOpt_Owner_Space(&owner->HMAC, &owner->IMAC) - 4;
+ }
+ LogSPS("SendSPSRegistration put %s %s", intf->ifname, ARDisplayString(m, &opt));
+ p = PutResourceRecordTTLWithLimit(&m->omsg, p, &m->omsg.h.numAdditionals, &opt.resrec, opt.resrec.rroriginalttl, m->omsg.data + AbsoluteMaxDNSMessageData);
+ if (!p)
+ LogMsg("SendSPSRegistration: Failed to put OPT record (%d updates) %s", m->omsg.h.mDNS_numUpdates, ARDisplayString(m, &opt));
+ else
+ {
+ mStatus err;
+
+ LogSPS("SendSPSRegistration: Sending Update %s %d (%d) id %5d with %d records %d bytes to %#a:%d", intf->ifname, intf->NextSPSAttempt, sps,
+ mDNSVal16(m->omsg.h.id), m->omsg.h.mDNS_numUpdates, p - m->omsg.data, &intf->SPSAddr[sps], mDNSVal16(intf->SPSPort[sps]));
+ // if (intf->NextSPSAttempt < 5) m->omsg.h.flags = zeroID; // For simulating packet loss
+ err = mDNSSendDNSMessage(m, &m->omsg, p, intf->InterfaceID, mDNSNULL, &intf->SPSAddr[sps], intf->SPSPort[sps], mDNSNULL, mDNSNULL, mDNSfalse);
+ if (err) LogSPS("SendSPSRegistration: mDNSSendDNSMessage err %d", err);
+ if (err && intf->SPSAddr[sps].type == mDNSAddrType_IPv4 && intf->NetWakeResolve[sps].ThisQInterval == -1)
+ {
+ LogSPS("SendSPSRegistration %d %##s failed to send to IPv4 address; will try IPv6 instead", sps, intf->NetWakeResolve[sps].qname.c);
+ intf->NetWakeResolve[sps].qtype = kDNSType_AAAA;
+ mDNS_StartQuery_internal(m, &intf->NetWakeResolve[sps]);
+ return;
+ }
+ }
+ }
+ }
+
+ intf->NextSPSAttemptTime = m->timenow + mDNSPlatformOneSecond * 10; // If successful, update NextSPSAttemptTime
+
+exit:
+ if (mDNSOpaque16IsZero(id) && intf->NextSPSAttempt < 8) intf->NextSPSAttempt++;
+}
+
+mDNSlocal mDNSBool RecordIsFirstOccurrenceOfOwner(mDNS *const m, const AuthRecord *const rr)
+{
+ AuthRecord *ar;
+ for (ar = m->ResourceRecords; ar && ar != rr; ar=ar->next)
+ if (mDNSPlatformMemSame(&rr->WakeUp, &ar->WakeUp, sizeof(rr->WakeUp))) return mDNSfalse;
+ return mDNStrue;
+}
+
+mDNSlocal void mDNSCoreStoreProxyRR(mDNS *const m, const mDNSInterfaceID InterfaceID, AuthRecord *const rr)
+{
+ AuthRecord *newRR = mDNSPlatformMemAllocate(sizeof(AuthRecord));
+
+ if (newRR == mDNSNULL)
+ {
+ LogSPS("%s : could not allocate memory for new resource record", __func__);
+ return;
+ }
+
+ mDNSPlatformMemZero(newRR, sizeof(AuthRecord));
+ mDNS_SetupResourceRecord(newRR, mDNSNULL, InterfaceID, rr->resrec.rrtype,
+ rr->resrec.rroriginalttl, rr->resrec.RecordType,
+ rr->ARType, mDNSNULL, mDNSNULL);
+
+ AssignDomainName(&newRR->namestorage, &rr->namestorage);
+ newRR->resrec.rdlength = DomainNameLength(rr->resrec.name);
+ newRR->resrec.namehash = DomainNameHashValue(newRR->resrec.name);
+ newRR->resrec.rrclass = rr->resrec.rrclass;
+
+ if (rr->resrec.rrtype == kDNSType_A)
+ {
+ newRR->resrec.rdata->u.ipv4 = rr->resrec.rdata->u.ipv4;
+ }
+ else if (rr->resrec.rrtype == kDNSType_AAAA)
+ {
+ newRR->resrec.rdata->u.ipv6 = rr->resrec.rdata->u.ipv6;
+ }
+ SetNewRData(&newRR->resrec, mDNSNULL, 0);
+
+ // Insert the new node at the head of the list.
+ newRR->next = m->SPSRRSet;
+ m->SPSRRSet = newRR;
+ LogSPS("%s : Storing proxy record : %s ", __func__, ARDisplayString(m, rr));
+}
+
+// Some records are interface specific and some are not. The ones that are supposed to be registered
+// on multiple interfaces need to be initialized with all the valid interfaces on which it will be sent.
+// updateIntID bit field tells us on which interfaces we need to register this record. When we get an
+// ack from the sleep proxy server, we clear the interface bit. This way, we know when a record completes
+// registration on all the interfaces
+mDNSlocal void SPSInitRecordsBeforeUpdate(mDNS *const m, mDNSOpaque64 updateIntID, mDNSBool *WakeOnlyService)
+{
+ AuthRecord *ar;
+ LogSPS("SPSInitRecordsBeforeUpdate: UpdateIntID 0x%x 0x%x", updateIntID.l[1], updateIntID.l[0]);
+
+ *WakeOnlyService = mDNSfalse;
+
+ // Before we store the A and AAAA records that we are going to register with the sleep proxy,
+ // make sure that the old sleep proxy records are removed.
+ mDNSCoreFreeProxyRR(m);
+
+ // For records that are registered only on a specific interface, mark only that bit as it will
+ // never be registered on any other interface. For others, it should be sent on all interfaces.
+ for (ar = m->ResourceRecords; ar; ar=ar->next)
+ {
+ ar->updateIntID = zeroOpaque64;
+ ar->updateid = zeroID;
+ if (AuthRecord_uDNS(ar))
+ {
+ continue;
+ }
+ if (ar->AuthFlags & AuthFlagsWakeOnly)
+ {
+ if (ar->resrec.RecordType == kDNSRecordTypeShared && ar->RequireGoodbye)
+ {
+ ar->ImmedAnswer = mDNSInterfaceMark;
+ *WakeOnlyService = mDNStrue;
+ continue;
+ }
+ }
+ if (!ar->resrec.InterfaceID)
+ {
+ LogSPS("Setting scopeid (ALL) 0x%x 0x%x for %s", updateIntID.l[1], updateIntID.l[0], ARDisplayString(m, ar));
+ ar->updateIntID = updateIntID;
+ }
+ else
+ {
+ // Filter records that belong to interfaces that we won't register the records on. UpdateIntID captures
+ // exactly this.
+ mDNSu32 scopeid = mDNSPlatformInterfaceIndexfromInterfaceID(m, ar->resrec.InterfaceID, mDNStrue);
+ if ((scopeid < (sizeof(updateIntID) * mDNSNBBY)) && bit_get_opaque64(updateIntID, scopeid))
+ {
+ bit_set_opaque64(ar->updateIntID, scopeid);
+ LogSPS("SPSInitRecordsBeforeUpdate: Setting scopeid(%d) 0x%x 0x%x for %s", scopeid, ar->updateIntID.l[1],
+ ar->updateIntID.l[0], ARDisplayString(m, ar));
+ }
+ else
+ {
+ LogSPS("SPSInitRecordsBeforeUpdate: scopeid %d beyond range or not valid for SPS registration", scopeid);
+ }
+ }
+ // Store the A and AAAA records that we registered with the sleep proxy.
+ // We will use this to prevent spurious name conflicts that may occur when we wake up
+ if (ar->resrec.rrtype == kDNSType_A || ar->resrec.rrtype == kDNSType_AAAA)
+ {
+ mDNSCoreStoreProxyRR(m, ar->resrec.InterfaceID, ar);
+ }
+ }
+}
+
+mDNSlocal void SendSPSRegistration(mDNS *const m, NetworkInterfaceInfo *const intf, const mDNSOpaque16 id)
+{
+ AuthRecord *ar;
+ OwnerOptData owner = zeroOwner;
+
+ SendSPSRegistrationForOwner(m, intf, id, &owner);
+
+ for (ar = m->ResourceRecords; ar; ar=ar->next)
+ {
+ if (!mDNSPlatformMemSame(&owner, &ar->WakeUp, sizeof(owner)) && RecordIsFirstOccurrenceOfOwner(m, ar))
+ {
+ owner = ar->WakeUp;
+ SendSPSRegistrationForOwner(m, intf, id, &owner);
+ }
+ }
+}
+
+// RetrySPSRegistrations is called from SendResponses, with the lock held
+mDNSlocal void RetrySPSRegistrations(mDNS *const m)
+{
+ AuthRecord *rr;
+ NetworkInterfaceInfo *intf;
+
+ // First make sure none of our interfaces' NextSPSAttemptTimes are inadvertently set to m->timenow + mDNSPlatformOneSecond * 10
+ for (intf = GetFirstActiveInterface(m->HostInterfaces); intf; intf = GetFirstActiveInterface(intf->next))
+ if (intf->NextSPSAttempt && intf->NextSPSAttemptTime == m->timenow + mDNSPlatformOneSecond * 10)
+ intf->NextSPSAttemptTime++;
+
+ // Retry any record registrations that are due
+ for (rr = m->ResourceRecords; rr; rr=rr->next)
+ if (!AuthRecord_uDNS(rr) && !mDNSOpaque16IsZero(rr->updateid) && m->timenow - (rr->LastAPTime + rr->ThisAPInterval) >= 0)
+ {
+ for (intf = GetFirstActiveInterface(m->HostInterfaces); intf; intf = GetFirstActiveInterface(intf->next))
+ {
+ // If we still have registrations pending on this interface, send it now
+ mDNSu32 scopeid = mDNSPlatformInterfaceIndexfromInterfaceID(m, intf->InterfaceID, mDNStrue);
+ if ((scopeid >= (sizeof(rr->updateIntID) * mDNSNBBY) || bit_get_opaque64(rr->updateIntID, scopeid)) &&
+ (!rr->resrec.InterfaceID || rr->resrec.InterfaceID == intf->InterfaceID))
+ {
+ LogSPS("RetrySPSRegistrations: 0x%x 0x%x (updateid %d) %s", rr->updateIntID.l[1], rr->updateIntID.l[0], mDNSVal16(rr->updateid), ARDisplayString(m, rr));
+ SendSPSRegistration(m, intf, rr->updateid);
+ }
+ }
+ }
+
+ // For interfaces where we did an SPS registration attempt, increment intf->NextSPSAttempt
+ for (intf = GetFirstActiveInterface(m->HostInterfaces); intf; intf = GetFirstActiveInterface(intf->next))
+ if (intf->NextSPSAttempt && intf->NextSPSAttemptTime == m->timenow + mDNSPlatformOneSecond * 10 && intf->NextSPSAttempt < 8)
+ intf->NextSPSAttempt++;
+}
+
+mDNSlocal void NetWakeResolve(mDNS *const m, DNSQuestion *question, const ResourceRecord *const answer, QC_result AddRecord)
+{
+ NetworkInterfaceInfo *intf = (NetworkInterfaceInfo *)question->QuestionContext;
+ int sps = (int)(question - intf->NetWakeResolve);
+ (void)m; // Unused
+ LogSPS("NetWakeResolve: SPS: %d Add: %d %s", sps, AddRecord, RRDisplayString(m, answer));
+
+ if (!AddRecord) return; // Don't care about REMOVE events
+ if (answer->rrtype != question->qtype) return; // Don't care about CNAMEs
+
+ // if (answer->rrtype == kDNSType_AAAA && sps == 0) return; // To test failing to resolve sleep proxy's address
+
+ if (answer->rrtype == kDNSType_SRV)
+ {
+ // 1. Got the SRV record; now look up the target host's IP address
+ mDNS_StopQuery(m, question);
+ intf->SPSPort[sps] = answer->rdata->u.srv.port;
+ AssignDomainName(&question->qname, &answer->rdata->u.srv.target);
+ question->qtype = kDNSType_A;
+ mDNS_StartQuery(m, question);
+ }
+ else if (answer->rrtype == kDNSType_A && answer->rdlength == sizeof(mDNSv4Addr))
+ {
+ // 2. Got an IPv4 address for the target host; record address and initiate an SPS registration if appropriate
+ mDNS_StopQuery(m, question);
+ question->ThisQInterval = -1;
+ intf->SPSAddr[sps].type = mDNSAddrType_IPv4;
+ intf->SPSAddr[sps].ip.v4 = answer->rdata->u.ipv4;
+ mDNS_Lock(m);
+ if (sps == intf->NextSPSAttempt/3) SendSPSRegistration(m, intf, zeroID); // If we're ready for this result, use it now
+ mDNS_Unlock(m);
+ }
+ else if (answer->rrtype == kDNSType_A && answer->rdlength == 0)
+ {
+ // 3. Got negative response -- target host apparently has IPv6 disabled -- so try looking up the target host's IPv4 address(es) instead
+ mDNS_StopQuery(m, question);
+ LogSPS("NetWakeResolve: SPS %d %##s has no IPv4 address, will try IPv6 instead", sps, question->qname.c);
+ question->qtype = kDNSType_AAAA;
+ mDNS_StartQuery(m, question);
+ }
+ else if (answer->rrtype == kDNSType_AAAA && answer->rdlength == sizeof(mDNSv6Addr) && mDNSv6AddressIsLinkLocal(&answer->rdata->u.ipv6))
+ {
+ // 4. Got the target host's IPv6 link-local address; record address and initiate an SPS registration if appropriate
+ mDNS_StopQuery(m, question);
+ question->ThisQInterval = -1;
+ intf->SPSAddr[sps].type = mDNSAddrType_IPv6;
+ intf->SPSAddr[sps].ip.v6 = answer->rdata->u.ipv6;
+ mDNS_Lock(m);
+ if (sps == intf->NextSPSAttempt/3) SendSPSRegistration(m, intf, zeroID); // If we're ready for this result, use it now
+ mDNS_Unlock(m);
+ }
+}
+
+mDNSexport mDNSBool mDNSCoreHaveAdvertisedMulticastServices(mDNS *const m)
+{
+ AuthRecord *rr;
+ for (rr = m->ResourceRecords; rr; rr=rr->next)
+ if (mDNS_KeepaliveRecord(&rr->resrec) || (rr->resrec.rrtype == kDNSType_SRV && !AuthRecord_uDNS(rr) && !mDNSSameIPPort(rr->resrec.rdata->u.srv.port, DiscardPort)))
+ return mDNStrue;
+ return mDNSfalse;
+}
+
+#ifdef APPLE_OSX_mDNSResponder
+// This function is used only in the case of local NIC proxy. For external
+// sleep proxy server, we do this in SPSInitRecordsBeforeUpdate when we
+// walk the resource records.
+mDNSlocal void SendGoodbyesForWakeOnlyService(mDNS *const m, mDNSBool *WakeOnlyService)
+{
+ AuthRecord *rr;
+
+ *WakeOnlyService = mDNSfalse;
+
+ // Mark all the records we need to deregister and send them
+ for (rr = m->ResourceRecords; rr; rr=rr->next)
+ {
+ if ((rr->AuthFlags & AuthFlagsWakeOnly) &&
+ rr->resrec.RecordType == kDNSRecordTypeShared && rr->RequireGoodbye)
+ {
+ rr->ImmedAnswer = mDNSInterfaceMark;
+ *WakeOnlyService = mDNStrue;
+ }
+ }
+}
+#endif // APPLE_OSx_mDNSResponder
+
+mDNSlocal void SendSleepGoodbyes(mDNS *const m, mDNSBool AllInterfaces, mDNSBool unicast)
+{
+ AuthRecord *rr;
+ m->SleepState = SleepState_Sleeping;
+
+ // If AllInterfaces is not set, the caller has already marked it appropriately
+ // on which interfaces this should be sent.
+ if (AllInterfaces)
+ {
+ NetworkInterfaceInfo *intf;
+ for (intf = GetFirstActiveInterface(m->HostInterfaces); intf; intf = GetFirstActiveInterface(intf->next))
+ {
+ intf->SendGoodbyes = 1;
+ }
+ }
+ if (unicast)
+ {
+#ifndef UNICAST_DISABLED
+ SleepRecordRegistrations(m); // If we have no SPS, need to deregister our uDNS records
+#endif /* UNICAST_DISABLED */
+ }
+
+ // Mark all the records we need to deregister and send them
+ for (rr = m->ResourceRecords; rr; rr=rr->next)
+ if (rr->resrec.RecordType == kDNSRecordTypeShared && rr->RequireGoodbye)
+ rr->ImmedAnswer = mDNSInterfaceMark;
+ SendResponses(m);
+}
+
+/*
+ * This function attempts to detect if multiple interfaces are on the same subnet.
+ * It makes this determination based only on the IPv4 Addresses and subnet masks.
+ * IPv6 link local addresses that are configured by default on all interfaces make
+ * it hard to make this determination
+ *
+ * The 'real' fix for this would be to send out multicast packets over one interface
+ * and conclude that multiple interfaces are on the same subnet only if these packets
+ * are seen on other interfaces on the same system
+ */
+mDNSlocal mDNSBool skipSameSubnetRegistration(mDNS *const m, mDNSInterfaceID *regID, mDNSu32 count, mDNSInterfaceID intfid)
+{
+ NetworkInterfaceInfo *intf;
+ NetworkInterfaceInfo *newIntf;
+ mDNSu32 i;
+
+ for (newIntf = FirstInterfaceForID(m, intfid); newIntf; newIntf = newIntf->next)
+ {
+ if ((newIntf->InterfaceID != intfid) ||
+ (newIntf->ip.type != mDNSAddrType_IPv4))
+ {
+ continue;
+ }
+ for ( i = 0; i < count; i++)
+ {
+ for (intf = FirstInterfaceForID(m, regID[i]); intf; intf = intf->next)
+ {
+ if ((intf->InterfaceID != regID[i]) ||
+ (intf->ip.type != mDNSAddrType_IPv4))
+ {
+ continue;
+ }
+ if ((intf->ip.ip.v4.NotAnInteger & intf->mask.ip.v4.NotAnInteger) == (newIntf->ip.ip.v4.NotAnInteger & newIntf->mask.ip.v4.NotAnInteger))
+ {
+ LogSPS("%s : Already registered for the same subnet (IPv4) for interface %s", __func__, intf->ifname);
+ return (mDNStrue);
+ }
+ }
+ }
+ }
+ return (mDNSfalse);
+}
+
+mDNSlocal void DoKeepaliveCallbacks(mDNS *m)
+{
+ // Loop through the keepalive records and callback with an error
+ m->CurrentRecord = m->ResourceRecords;
+ while (m->CurrentRecord)
+ {
+ AuthRecord *const rr = m->CurrentRecord;
+ if ((mDNS_KeepaliveRecord(&rr->resrec)) && (rr->resrec.RecordType != kDNSRecordTypeDeregistering))
+ {
+ LogSPS("DoKeepaliveCallbacks: Invoking the callback for %s", ARDisplayString(m, rr));
+ if (rr->RecordCallback)
+ rr->RecordCallback(m, rr, mStatus_BadStateErr);
+ }
+ if (m->CurrentRecord == rr) // If m->CurrentRecord was not advanced for us, do it now
+ m->CurrentRecord = rr->next;
+ }
+}
+
+// BeginSleepProcessing is called, with the lock held, from either mDNS_Execute or mDNSCoreMachineSleep
+mDNSlocal void BeginSleepProcessing(mDNS *const m)
+{
+ mDNSBool SendGoodbyes = mDNStrue;
+ mDNSBool WakeOnlyService = mDNSfalse;
+ mDNSBool invokeKACallback = mDNStrue;
+ const CacheRecord *sps[3] = { mDNSNULL };
+ mDNSOpaque64 updateIntID = zeroOpaque64;
+ mDNSInterfaceID registeredIntfIDS[128];
+ mDNSu32 registeredCount = 0;
+ int skippedRegistrations = 0;
+
+ m->NextScheduledSPRetry = m->timenow;
+
+ if (!m->SystemWakeOnLANEnabled) LogSPS("BeginSleepProcessing: m->SystemWakeOnLANEnabled is false");
+ else if (!mDNSCoreHaveAdvertisedMulticastServices(m)) LogSPS("BeginSleepProcessing: No advertised services");
+ else // If we have at least one advertised service
+ {
+ NetworkInterfaceInfo *intf;
+
+ // Clear out the SCDynamic entry that stores the external SPS information
+ mDNSPlatformClearSPSMACAddr();
+
+ for (intf = GetFirstActiveInterface(m->HostInterfaces); intf; intf = GetFirstActiveInterface(intf->next))
+ {
+ // Intialize it to false. These values make sense only when SleepState is set to Sleeping.
+ intf->SendGoodbyes = 0;
+
+ // If it is not multicast capable, we could not have possibly discovered sleep proxy
+ // servers.
+ if (!intf->McastTxRx || mDNSPlatformInterfaceIsD2D(intf->InterfaceID))
+ {
+ LogSPS("BeginSleepProcessing: %-6s Ignoring for registrations", intf->ifname);
+ continue;
+ }
+
+ // If we are not capable of WOMP, then don't register with sleep proxy.
+ //
+ // Note: If we are not NetWake capable, we don't browse for the sleep proxy server.
+ // We might find sleep proxy servers in the cache and start a resolve on them.
+ // But then if the interface goes away, we won't stop these questions because
+ // mDNS_DeactivateNetWake_internal assumes that a browse has been started for it
+ // to stop both the browse and resolve questions.
+ if (!intf->NetWake)
+ {
+ LogSPS("BeginSleepProcessing: %-6s not capable of magic packet wakeup", intf->ifname);
+ intf->SendGoodbyes = 1;
+ skippedRegistrations++;
+ continue;
+ }
+
+ // Check if we have already registered with a sleep proxy for this subnet
+ if (skipSameSubnetRegistration(m, registeredIntfIDS, registeredCount, intf->InterfaceID))
+ {
+ LogSPS("%s : Skipping sleep proxy registration on %s", __func__, intf->ifname);
+ continue;
+ }
+
+#if APPLE_OSX_mDNSResponder
+ else if (SupportsInNICProxy(intf))
+ {
+ if (ActivateLocalProxy(m, intf) == mStatus_NoError)
+ {
+ SendGoodbyesForWakeOnlyService(m, &WakeOnlyService);
+ SendGoodbyes = mDNSfalse;
+ invokeKACallback = mDNSfalse;
+ LogSPS("BeginSleepProcessing: %-6s using local proxy", intf->ifname);
+ // This will leave m->SleepState set to SleepState_Transferring,
+ // which is okay because with no outstanding resolves, or updates in flight,
+ // mDNSCoreReadyForSleep() will conclude correctly that all the updates have already completed
+
+ registeredIntfIDS[registeredCount] = intf->InterfaceID;
+ registeredCount++;
+ }
+ }
+#endif // APPLE_OSX_mDNSResponder
+ else
+ {
+#if APPLE_OSX_mDNSResponder
+ // If on battery, do not attempt to offload to external sleep proxies
+ if (m->SystemWakeOnLANEnabled == mDNS_WakeOnBattery)
+ {
+ LogSPS("BegingSleepProcessing: Not connected to AC power - Not registering with an external sleep proxy.");
+ return;
+ }
+#endif // APPLE_OSX_mDNSResponder
+ FindSPSInCache(m, &intf->NetWakeBrowse, sps);
+ if (!sps[0]) LogSPS("BeginSleepProcessing: %-6s %#a No Sleep Proxy Server found (Next Browse Q in %d, interval %d)",
+ intf->ifname, &intf->ip, NextQSendTime(&intf->NetWakeBrowse) - m->timenow, intf->NetWakeBrowse.ThisQInterval);
+ else
+ {
+ int i;
+ mDNSu32 scopeid;
+ SendGoodbyes = mDNSfalse;
+ intf->NextSPSAttempt = 0;
+ intf->NextSPSAttemptTime = m->timenow + mDNSPlatformOneSecond;
+
+ scopeid = mDNSPlatformInterfaceIndexfromInterfaceID(m, intf->InterfaceID, mDNStrue);
+ // Now we know for sure that we have to wait for registration to complete on this interface.
+ if (scopeid < (sizeof(updateIntID) * mDNSNBBY))
+ bit_set_opaque64(updateIntID, scopeid);
+
+ // Don't need to set m->NextScheduledSPRetry here because we already set "m->NextScheduledSPRetry = m->timenow" above
+ for (i=0; i<3; i++)
+ {
+#if ForceAlerts
+ if (intf->SPSAddr[i].type)
+ { LogMsg("BeginSleepProcessing: %s %d intf->SPSAddr[i].type %d", intf->ifname, i, intf->SPSAddr[i].type); *(long*)0 = 0; }
+ if (intf->NetWakeResolve[i].ThisQInterval >= 0)
+ { LogMsg("BeginSleepProcessing: %s %d intf->NetWakeResolve[i].ThisQInterval %d", intf->ifname, i, intf->NetWakeResolve[i].ThisQInterval); *(long*)0 = 0; }
+#endif
+ intf->SPSAddr[i].type = mDNSAddrType_None;
+ if (intf->NetWakeResolve[i].ThisQInterval >= 0) mDNS_StopQuery(m, &intf->NetWakeResolve[i]);
+ intf->NetWakeResolve[i].ThisQInterval = -1;
+ if (sps[i])
+ {
+ LogSPS("BeginSleepProcessing: %-6s Found Sleep Proxy Server %d TTL %d %s", intf->ifname, i, sps[i]->resrec.rroriginalttl, CRDisplayString(m, sps[i]));
+ mDNS_SetupQuestion(&intf->NetWakeResolve[i], intf->InterfaceID, &sps[i]->resrec.rdata->u.name, kDNSType_SRV, NetWakeResolve, intf);
+ intf->NetWakeResolve[i].ReturnIntermed = mDNStrue;
+ mDNS_StartQuery_internal(m, &intf->NetWakeResolve[i]);
+
+ // If we are registering with a Sleep Proxy for a new subnet, add it to our list
+ registeredIntfIDS[registeredCount] = intf->InterfaceID;
+ registeredCount++;
+ }
+ }
+ }
+ }
+ }
+ }
+
+ // If we have at least one interface on which we are registering with an external sleep proxy,
+ // initialize all the records appropriately.
+ if (!mDNSOpaque64IsZero(&updateIntID))
+ SPSInitRecordsBeforeUpdate(m, updateIntID, &WakeOnlyService);
+
+ // Call the applicaitons that registered a keepalive record to inform them that we failed to offload
+ // the records to a sleep proxy.
+ if (invokeKACallback)
+ {
+ LogSPS("BeginSleepProcessing: Did not register with an in-NIC proxy - invoking the callbacks for KA records");
+ DoKeepaliveCallbacks(m);
+ }
+
+ // SendSleepGoodbyes last two arguments control whether we send goodbyes on all
+ // interfaces and also deregister unicast registrations.
+ //
+ // - If there are no sleep proxy servers, then send goodbyes on all interfaces
+ // for both multicast and unicast.
+ //
+ // - If we skipped registrations on some interfaces, then we have already marked
+ // them appropriately above. We don't need to send goodbyes for unicast as
+ // we have registered with at least one sleep proxy.
+ //
+ // - If we are not planning to send any goodbyes, then check for WakeOnlyServices.
+ //
+ // Note: If we are planning to send goodbyes, we mark the record with mDNSInterfaceAny
+ // and call SendResponses which inturn calls ShouldSendGoodbyesBeforeSleep which looks
+ // at WakeOnlyServices first.
+ if (SendGoodbyes)
+ {
+ LogSPS("BeginSleepProcessing: Not registering with Sleep Proxy Server");
+ SendSleepGoodbyes(m, mDNStrue, mDNStrue);
+ }
+ else if (skippedRegistrations)
+ {
+ LogSPS("BeginSleepProcessing: Not registering with Sleep Proxy Server on all interfaces");
+ SendSleepGoodbyes(m, mDNSfalse, mDNSfalse);
+ }
+ else if (WakeOnlyService)
+ {
+ // If we saw WakeOnly service above, send the goodbyes now.
+ LogSPS("BeginSleepProcessing: Sending goodbyes for WakeOnlyServices");
+ SendResponses(m);
+ }
+}
+
+// Call mDNSCoreMachineSleep(m, mDNStrue) when the machine is about to go to sleep.
+// Call mDNSCoreMachineSleep(m, mDNSfalse) when the machine is has just woken up.
+// Normally, the platform support layer below mDNSCore should call this, not the client layer above.
+mDNSexport void mDNSCoreMachineSleep(mDNS *const m, mDNSBool sleep)
+{
+ AuthRecord *rr;
+
+ LogSPS("%s (old state %d) at %ld", sleep ? "Sleeping" : "Waking", m->SleepState, m->timenow);
+
+ if (sleep && !m->SleepState) // Going to sleep
+ {
+ mDNS_Lock(m);
+ // If we're going to sleep, need to stop advertising that we're a Sleep Proxy Server
+ if (m->SPSSocket)
+ {
+ mDNSu8 oldstate = m->SPSState;
+ mDNS_DropLockBeforeCallback(); // mDNS_DeregisterService expects to be called without the lock held, so we emulate that here
+ m->SPSState = 2;
+#ifndef SPC_DISABLED
+ if (oldstate == 1) mDNS_DeregisterService(m, &m->SPSRecords);
+#else
+ (void)oldstate;
+#endif
+ mDNS_ReclaimLockAfterCallback();
+ }
+
+ m->SleepState = SleepState_Transferring;
+ if (m->SystemWakeOnLANEnabled && m->DelaySleep)
+ {
+ // If we just woke up moments ago, allow ten seconds for networking to stabilize before going back to sleep
+ LogSPS("mDNSCoreMachineSleep: Re-sleeping immediately after waking; will delay for %d ticks", m->DelaySleep - m->timenow);
+ m->SleepLimit = NonZeroTime(m->DelaySleep + mDNSPlatformOneSecond * 10);
+ }
+ else
+ {
+ m->DelaySleep = 0;
+ m->SleepLimit = NonZeroTime(m->timenow + mDNSPlatformOneSecond * 10);
+ m->mDNSStats.Sleeps++;
+ BeginSleepProcessing(m);
+ }
+
+#ifndef UNICAST_DISABLED
+ SuspendLLQs(m);
+#endif
+#if APPLE_OSX_mDNSResponder
+ RemoveAutoTunnel6Record(m);
+#endif
+ LogSPS("mDNSCoreMachineSleep: m->SleepState %d (%s) seq %d", m->SleepState,
+ m->SleepState == SleepState_Transferring ? "Transferring" :
+ m->SleepState == SleepState_Sleeping ? "Sleeping" : "?", m->SleepSeqNum);
+ mDNS_Unlock(m);
+ }
+ else if (!sleep) // Waking up
+ {
+ mDNSu32 slot;
+ CacheGroup *cg;
+ CacheRecord *cr;
+ NetworkInterfaceInfo *intf;
+ mDNSs32 currtime, diff;
+
+ mDNS_Lock(m);
+ // Reset SleepLimit back to 0 now that we're awake again.
+ m->SleepLimit = 0;
+
+ // If we were previously sleeping, but now we're not, increment m->SleepSeqNum to indicate that we're entering a new period of wakefulness
+ if (m->SleepState != SleepState_Awake)
+ {
+ m->SleepState = SleepState_Awake;
+ m->SleepSeqNum++;
+ // If the machine wakes and then immediately tries to sleep again (e.g. a maintenance wake)
+ // then we enforce a minimum delay of 16 seconds before we begin sleep processing.
+ // This is to allow time for the Ethernet link to come up, DHCP to get an address, mDNS to issue queries, etc.,
+ // before we make our determination of whether there's a Sleep Proxy out there we should register with.
+ m->DelaySleep = NonZeroTime(m->timenow + mDNSPlatformOneSecond * 16);
+ }
+
+ if (m->SPSState == 3)
+ {
+ m->SPSState = 0;
+ mDNSCoreBeSleepProxyServer_internal(m, m->SPSType, m->SPSPortability, m->SPSMarginalPower, m->SPSTotalPower, m->SPSFeatureFlags);
+ }
+ m->mDNSStats.Wakes++;
+
+ // ... and the same for NextSPSAttempt
+ for (intf = GetFirstActiveInterface(m->HostInterfaces); intf; intf = GetFirstActiveInterface(intf->next)) intf->NextSPSAttempt = -1;
+
+ // Restart unicast and multicast queries
+ mDNSCoreRestartQueries(m);
+
+ // and reactivtate service registrations
+ m->NextSRVUpdate = NonZeroTime(m->timenow + mDNSPlatformOneSecond);
+ LogInfo("mDNSCoreMachineSleep waking: NextSRVUpdate in %d %d", m->NextSRVUpdate - m->timenow, m->timenow);
+
+ // 2. Re-validate our cache records
+ currtime = mDNSPlatformUTC();
+
+#if APPLE_OSX_mDNSResponder
+ // start time of this statistics gathering interval
+ m->StatStartTime = currtime;
+#endif // APPLE_OSX_mDNSResponder
+
+ diff = currtime - m->TimeSlept;
+ FORALL_CACHERECORDS(slot, cg, cr)
+ {
+ // Temporary fix: For unicast cache records, look at how much time we slept.
+ // Adjust the RecvTime by the amount of time we slept so that we age the
+ // cache record appropriately. If it is expired already, purge. If there
+ // is a network change that happens after the wakeup, we might purge the
+ // cache anyways and this helps only in the case where there are no network
+ // changes across sleep/wakeup transition.
+ //
+ // Note: If there is a network/DNS server change that already happened and
+ // these cache entries are already refreshed and we are getting a delayed
+ // wake up notification, we might adjust the TimeRcvd based on the time slept
+ // now which can cause the cache to purge pre-maturely. As this is not a very
+ // common case, this should happen rarely.
+ if (!cr->resrec.InterfaceID)
+ {
+ if (diff > 0)
+ {
+ mDNSu32 uTTL = RRUnadjustedTTL(cr->resrec.rroriginalttl);
+ const mDNSs32 remain = uTTL - (m->timenow - cr->TimeRcvd) / mDNSPlatformOneSecond;
+
+ // -if we have slept longer than the remaining TTL, purge and start fresh.
+ // -if we have been sleeping for a long time, we could reduce TimeRcvd below by
+ // a sufficiently big value which could cause the value to go into the future
+ // because of the signed comparison of time. For this to happen, we should have been
+ // sleeping really long (~24 days). For now, we want to be conservative and flush even
+ // if we have slept for more than two days.
+
+ if (diff >= remain || diff > (2 * 24 * 3600))
+ {
+ LogInfo("mDNSCoreMachineSleep: %s: Purging cache entry SleptTime %d, Remaining TTL %d",
+ CRDisplayString(m, cr), diff, remain);
+ mDNS_PurgeCacheResourceRecord(m, cr);
+ continue;
+ }
+ cr->TimeRcvd -= (diff * mDNSPlatformOneSecond);
+ if (m->timenow - (cr->TimeRcvd + ((mDNSs32)uTTL * mDNSPlatformOneSecond)) >= 0)
+ {
+ LogInfo("mDNSCoreMachineSleep: %s: Purging after adjusting the remaining TTL %d by %d seconds",
+ CRDisplayString(m, cr), remain, diff);
+ mDNS_PurgeCacheResourceRecord(m, cr);
+ }
+ else
+ {
+ LogInfo("mDNSCoreMachineSleep: %s: Adjusted the remain ttl %u by %d seconds", CRDisplayString(m, cr), remain, diff);
+ }
+ }
+ }
+ else
+ {
+ mDNS_Reconfirm_internal(m, cr, kDefaultReconfirmTimeForWake);
+ }
+ }
+
+ // 3. Retrigger probing and announcing for all our authoritative records
+ for (rr = m->ResourceRecords; rr; rr=rr->next)
+ {
+ if (AuthRecord_uDNS(rr))
+ {
+ ActivateUnicastRegistration(m, rr);
+ }
+ else
+ {
+ mDNSCoreRestartRegistration(m, rr, -1);
+ }
+ }
+
+ // 4. Refresh NAT mappings
+ // We don't want to have to assume that all hardware can necessarily keep accurate
+ // track of passage of time while asleep, so on wake we refresh our NAT mappings.
+ // We typically wake up with no interfaces active, so there's no need to rush to try to find our external address.
+ // But if we do get a network configuration change, mDNSMacOSXNetworkChanged will call uDNS_SetupDNSConfig, which
+ // will call mDNS_SetPrimaryInterfaceInfo, which will call RecreateNATMappings to refresh them, potentially sooner
+ // than five seconds from now.
+ LogInfo("mDNSCoreMachineSleep: recreating NAT mappings in 5 seconds");
+ RecreateNATMappings(m, mDNSPlatformOneSecond * 5);
+ mDNS_Unlock(m);
+ }
+}
+
+mDNSexport mDNSBool mDNSCoreReadyForSleep(mDNS *m, mDNSs32 now)
+{
+ DNSQuestion *q;
+ AuthRecord *rr;
+ NetworkInterfaceInfo *intf;
+
+ mDNS_Lock(m);
+
+ if (m->DelaySleep) goto notready;
+
+ // If we've not hit the sleep limit time, and it's not time for our next retry, we can skip these checks
+ if (m->SleepLimit - now > 0 && m->NextScheduledSPRetry - now > 0) goto notready;
+
+ m->NextScheduledSPRetry = now + 0x40000000UL;
+
+ // See if we might need to retransmit any lost Sleep Proxy Registrations
+ for (intf = GetFirstActiveInterface(m->HostInterfaces); intf; intf = GetFirstActiveInterface(intf->next))
+ if (intf->NextSPSAttempt >= 0)
+ {
+ if (now - intf->NextSPSAttemptTime >= 0)
+ {
+ LogSPS("mDNSCoreReadyForSleep: retrying for %s SPS %d try %d",
+ intf->ifname, intf->NextSPSAttempt/3, intf->NextSPSAttempt);
+ SendSPSRegistration(m, intf, zeroID);
+ // Don't need to "goto notready" here, because if we do still have record registrations
+ // that have not been acknowledged yet, we'll catch that in the record list scan below.
+ }
+ else
+ if (m->NextScheduledSPRetry - intf->NextSPSAttemptTime > 0)
+ m->NextScheduledSPRetry = intf->NextSPSAttemptTime;
+ }
+
+ // Scan list of interfaces, and see if we're still waiting for any sleep proxy resolves to complete
+ for (intf = GetFirstActiveInterface(m->HostInterfaces); intf; intf = GetFirstActiveInterface(intf->next))
+ {
+ int sps = (intf->NextSPSAttempt == 0) ? 0 : (intf->NextSPSAttempt-1)/3;
+ if (intf->NetWakeResolve[sps].ThisQInterval >= 0)
+ {
+ LogSPS("mDNSCoreReadyForSleep: waiting for SPS Resolve %s %##s (%s)",
+ intf->ifname, intf->NetWakeResolve[sps].qname.c, DNSTypeName(intf->NetWakeResolve[sps].qtype));
+ goto spsnotready;
+ }
+ }
+
+ // Scan list of registered records
+ for (rr = m->ResourceRecords; rr; rr = rr->next)
+ if (!AuthRecord_uDNS(rr))
+ if (!mDNSOpaque64IsZero(&rr->updateIntID))
+ { LogSPS("mDNSCoreReadyForSleep: waiting for SPS updateIntID 0x%x 0x%x (updateid %d) %s", rr->updateIntID.l[1], rr->updateIntID.l[0], mDNSVal16(rr->updateid), ARDisplayString(m,rr)); goto spsnotready; }
+
+ // Scan list of private LLQs, and make sure they've all completed their handshake with the server
+ for (q = m->Questions; q; q = q->next)
+ if (!mDNSOpaque16IsZero(q->TargetQID) && q->LongLived && q->ReqLease == 0 && q->tcp)
+ {
+ LogSPS("mDNSCoreReadyForSleep: waiting for LLQ %##s (%s)", q->qname.c, DNSTypeName(q->qtype));
+ goto notready;
+ }
+
+ // Scan list of registered records
+ for (rr = m->ResourceRecords; rr; rr = rr->next)
+ if (AuthRecord_uDNS(rr))
+ {
+ if (rr->state == regState_Refresh && rr->tcp)
+ { LogSPS("mDNSCoreReadyForSleep: waiting for Record updateIntID 0x%x 0x%x (updateid %d) %s", rr->updateIntID.l[1], rr->updateIntID.l[0], mDNSVal16(rr->updateid), ARDisplayString(m,rr)); goto notready; }
+ #if APPLE_OSX_mDNSResponder
+ if (!RecordReadyForSleep(m, rr)) { LogSPS("mDNSCoreReadyForSleep: waiting for %s", ARDisplayString(m, rr)); goto notready; }
+ #endif
+ }
+
+ mDNS_Unlock(m);
+ return mDNStrue;
+
+spsnotready:
+
+ // If we failed to complete sleep proxy registration within ten seconds, we give up on that
+ // and allow up to ten seconds more to complete wide-area deregistration instead
+ if (now - m->SleepLimit >= 0)
+ {
+ LogMsg("Failed to register with SPS, now sending goodbyes");
+
+ for (intf = GetFirstActiveInterface(m->HostInterfaces); intf; intf = GetFirstActiveInterface(intf->next))
+ if (intf->NetWakeBrowse.ThisQInterval >= 0)
+ {
+ LogSPS("ReadyForSleep mDNS_DeactivateNetWake %s %##s (%s)",
+ intf->ifname, intf->NetWakeResolve[0].qname.c, DNSTypeName(intf->NetWakeResolve[0].qtype));
+ mDNS_DeactivateNetWake_internal(m, intf);
+ }
+
+ for (rr = m->ResourceRecords; rr; rr = rr->next)
+ if (!AuthRecord_uDNS(rr))
+ if (!mDNSOpaque64IsZero(&rr->updateIntID))
+ {
+ LogSPS("ReadyForSleep clearing updateIntID 0x%x 0x%x (updateid %d) for %s", rr->updateIntID.l[1], rr->updateIntID.l[0], mDNSVal16(rr->updateid), ARDisplayString(m, rr));
+ rr->updateIntID = zeroOpaque64;
+ }
+
+ // We'd really like to allow up to ten seconds more here,
+ // but if we don't respond to the sleep notification within 30 seconds
+ // we'll be put back to sleep forcibly without the chance to schedule the next maintenance wake.
+ // Right now we wait 16 sec after wake for all the interfaces to come up, then we wait up to 10 seconds
+ // more for SPS resolves and record registrations to complete, which puts us at 26 seconds.
+ // If we allow just one more second to send our goodbyes, that puts us at 27 seconds.
+ m->SleepLimit = now + mDNSPlatformOneSecond * 1;
+
+ SendSleepGoodbyes(m, mDNStrue, mDNStrue);
+ }
+
+notready:
+ mDNS_Unlock(m);
+ return mDNSfalse;
+}
+
+mDNSexport mDNSs32 mDNSCoreIntervalToNextWake(mDNS *const m, mDNSs32 now)
+{
+ AuthRecord *ar;
+
+ // Even when we have no wake-on-LAN-capable interfaces, or we failed to find a sleep proxy, or we have other
+ // failure scenarios, we still want to wake up in at most 120 minutes, to see if the network environment has changed.
+ // E.g. we might wake up and find no wireless network because the base station got rebooted just at that moment,
+ // and if that happens we don't want to just give up and go back to sleep and never try again.
+ mDNSs32 e = now + (120 * 60 * mDNSPlatformOneSecond); // Sleep for at most 120 minutes
+
+ NATTraversalInfo *nat;
+ for (nat = m->NATTraversals; nat; nat=nat->next)
+ if (nat->Protocol && nat->ExpiryTime && nat->ExpiryTime - now > mDNSPlatformOneSecond*4)
+ {
+ mDNSs32 t = nat->ExpiryTime - (nat->ExpiryTime - now) / 10; // Wake up when 90% of the way to the expiry time
+ if (e - t > 0) e = t;
+ LogSPS("ComputeWakeTime: %p %s Int %5d Ext %5d Err %d Retry %5d Interval %5d Expire %5d Wake %5d",
+ nat, nat->Protocol == NATOp_MapTCP ? "TCP" : "UDP",
+ mDNSVal16(nat->IntPort), mDNSVal16(nat->ExternalPort), nat->Result,
+ nat->retryPortMap ? (nat->retryPortMap - now) / mDNSPlatformOneSecond : 0,
+ nat->retryInterval / mDNSPlatformOneSecond,
+ nat->ExpiryTime ? (nat->ExpiryTime - now) / mDNSPlatformOneSecond : 0,
+ (t - now) / mDNSPlatformOneSecond);
+ }
+
+ // This loop checks both the time we need to renew wide-area registrations,
+ // and the time we need to renew Sleep Proxy registrations
+ for (ar = m->ResourceRecords; ar; ar = ar->next)
+ if (ar->expire && ar->expire - now > mDNSPlatformOneSecond*4)
+ {
+ mDNSs32 t = ar->expire - (ar->expire - now) / 10; // Wake up when 90% of the way to the expiry time
+ if (e - t > 0) e = t;
+ LogSPS("ComputeWakeTime: %p Int %7d Next %7d Expire %7d Wake %7d %s",
+ ar, ar->ThisAPInterval / mDNSPlatformOneSecond,
+ (ar->LastAPTime + ar->ThisAPInterval - now) / mDNSPlatformOneSecond,
+ ar->expire ? (ar->expire - now) / mDNSPlatformOneSecond : 0,
+ (t - now) / mDNSPlatformOneSecond, ARDisplayString(m, ar));
+ }
+
+ return(e - now);
+}
+
+// ***************************************************************************
+#if COMPILER_LIKES_PRAGMA_MARK
+#pragma mark -
+#pragma mark - Packet Reception Functions
+#endif
+
+#define MustSendRecord(RR) ((RR)->NR_AnswerTo || (RR)->NR_AdditionalTo)
+
+mDNSlocal mDNSu8 *GenerateUnicastResponse(const DNSMessage *const query, const mDNSu8 *const end,
+ const mDNSInterfaceID InterfaceID, mDNSBool LegacyQuery, DNSMessage *const response, AuthRecord *ResponseRecords)
+{
+ mDNSu8 *responseptr = response->data;
+ const mDNSu8 *const limit = response->data + sizeof(response->data);
+ const mDNSu8 *ptr = query->data;
+ AuthRecord *rr;
+ mDNSu32 maxttl = 0x70000000;
+ int i;
+
+ // Initialize the response fields so we can answer the questions
+ InitializeDNSMessage(&response->h, query->h.id, ResponseFlags);
+
+ // ***
+ // *** 1. Write out the list of questions we are actually going to answer with this packet
+ // ***
+ if (LegacyQuery)
+ {
+ maxttl = kStaticCacheTTL;
+ for (i=0; i<query->h.numQuestions; i++) // For each question...
+ {
+ DNSQuestion q;
+ ptr = getQuestion(query, ptr, end, InterfaceID, &q); // get the question...
+ if (!ptr) return(mDNSNULL);
+
+ for (rr=ResponseRecords; rr; rr=rr->NextResponse) // and search our list of proposed answers
+ {
+ if (rr->NR_AnswerTo == ptr) // If we're going to generate a record answering this question
+ { // then put the question in the question section
+ responseptr = putQuestion(response, responseptr, limit, &q.qname, q.qtype, q.qclass);
+ if (!responseptr) { debugf("GenerateUnicastResponse: Ran out of space for questions!"); return(mDNSNULL); }
+ break; // break out of the ResponseRecords loop, and go on to the next question
+ }
+ }
+ }
+
+ if (response->h.numQuestions == 0) { LogMsg("GenerateUnicastResponse: ERROR! Why no questions?"); return(mDNSNULL); }
+ }
+
+ // ***
+ // *** 2. Write Answers
+ // ***
+ for (rr=ResponseRecords; rr; rr=rr->NextResponse)
+ if (rr->NR_AnswerTo)
+ {
+ mDNSu8 *p = PutResourceRecordTTL(response, responseptr, &response->h.numAnswers, &rr->resrec,
+ maxttl < rr->resrec.rroriginalttl ? maxttl : rr->resrec.rroriginalttl);
+ if (p) responseptr = p;
+ else { debugf("GenerateUnicastResponse: Ran out of space for answers!"); response->h.flags.b[0] |= kDNSFlag0_TC; }
+ }
+
+ // ***
+ // *** 3. Write Additionals
+ // ***
+ for (rr=ResponseRecords; rr; rr=rr->NextResponse)
+ if (rr->NR_AdditionalTo && !rr->NR_AnswerTo)
+ {
+ mDNSu8 *p = PutResourceRecordTTL(response, responseptr, &response->h.numAdditionals, &rr->resrec,
+ maxttl < rr->resrec.rroriginalttl ? maxttl : rr->resrec.rroriginalttl);
+ if (p) responseptr = p;
+ else debugf("GenerateUnicastResponse: No more space for additionals");
+ }
+
+ return(responseptr);
+}
+
+// AuthRecord *our is our Resource Record
+// CacheRecord *pkt is the Resource Record from the response packet we've witnessed on the network
+// Returns 0 if there is no conflict
+// Returns +1 if there was a conflict and we won
+// Returns -1 if there was a conflict and we lost and have to rename
+mDNSlocal int CompareRData(const AuthRecord *const our, const CacheRecord *const pkt)
+{
+ mDNSu8 ourdata[256], *ourptr = ourdata, *ourend;
+ mDNSu8 pktdata[256], *pktptr = pktdata, *pktend;
+ if (!our) { LogMsg("CompareRData ERROR: our is NULL"); return(+1); }
+ if (!pkt) { LogMsg("CompareRData ERROR: pkt is NULL"); return(+1); }
+
+ ourend = putRData(mDNSNULL, ourdata, ourdata + sizeof(ourdata), &our->resrec);
+ pktend = putRData(mDNSNULL, pktdata, pktdata + sizeof(pktdata), &pkt->resrec);
+ while (ourptr < ourend && pktptr < pktend && *ourptr == *pktptr) { ourptr++; pktptr++; }
+ if (ourptr >= ourend && pktptr >= pktend) return(0); // If data identical, not a conflict
+
+ if (ourptr >= ourend) return(-1); // Our data ran out first; We lost
+ if (pktptr >= pktend) return(+1); // Packet data ran out first; We won
+ if (*pktptr > *ourptr) return(-1); // Our data is numerically lower; We lost
+ if (*pktptr < *ourptr) return(+1); // Packet data is numerically lower; We won
+
+ LogMsg("CompareRData ERROR: Invalid state");
+ return(-1);
+}
+
+// See if we have an authoritative record that's identical to this packet record,
+// whose canonical DependentOn record is the specified master record.
+// The DependentOn pointer is typically used for the TXT record of service registrations
+// It indicates that there is no inherent conflict detection for the TXT record
+// -- it depends on the SRV record to resolve name conflicts
+// If we find any identical ResourceRecords in our authoritative list, then follow their DependentOn
+// pointer chain (if any) to make sure we reach the canonical DependentOn record
+// If the record has no DependentOn, then just return that record's pointer
+// Returns NULL if we don't have any local RRs that are identical to the one from the packet
+mDNSlocal mDNSBool MatchDependentOn(const mDNS *const m, const CacheRecord *const pktrr, const AuthRecord *const master)
+{
+ const AuthRecord *r1;
+ for (r1 = m->ResourceRecords; r1; r1=r1->next)
+ {
+ if (IdenticalResourceRecord(&r1->resrec, &pktrr->resrec))
+ {
+ const AuthRecord *r2 = r1;
+ while (r2->DependentOn) r2 = r2->DependentOn;
+ if (r2 == master) return(mDNStrue);
+ }
+ }
+ for (r1 = m->DuplicateRecords; r1; r1=r1->next)
+ {
+ if (IdenticalResourceRecord(&r1->resrec, &pktrr->resrec))
+ {
+ const AuthRecord *r2 = r1;
+ while (r2->DependentOn) r2 = r2->DependentOn;
+ if (r2 == master) return(mDNStrue);
+ }
+ }
+ return(mDNSfalse);
+}
+
+// Find the canonical RRSet pointer for this RR received in a packet.
+// If we find any identical AuthRecord in our authoritative list, then follow its RRSet
+// pointers (if any) to make sure we return the canonical member of this name/type/class
+// Returns NULL if we don't have any local RRs that are identical to the one from the packet
+mDNSlocal const AuthRecord *FindRRSet(const mDNS *const m, const CacheRecord *const pktrr)
+{
+ const AuthRecord *rr;
+ for (rr = m->ResourceRecords; rr; rr=rr->next)
+ {
+ if (IdenticalResourceRecord(&rr->resrec, &pktrr->resrec))
+ {
+ while (rr->RRSet && rr != rr->RRSet) rr = rr->RRSet;
+ return(rr);
+ }
+ }
+ return(mDNSNULL);
+}
+
+// PacketRRConflict is called when we've received an RR (pktrr) which has the same name
+// as one of our records (our) but different rdata.
+// 1. If our record is not a type that's supposed to be unique, we don't care.
+// 2a. If our record is marked as dependent on some other record for conflict detection, ignore this one.
+// 2b. If the packet rr exactly matches one of our other RRs, and *that* record's DependentOn pointer
+// points to our record, ignore this conflict (e.g. the packet record matches one of our
+// TXT records, and that record is marked as dependent on 'our', its SRV record).
+// 3. If we have some *other* RR that exactly matches the one from the packet, and that record and our record
+// are members of the same RRSet, then this is not a conflict.
+mDNSlocal mDNSBool PacketRRConflict(const mDNS *const m, const AuthRecord *const our, const CacheRecord *const pktrr)
+{
+ // If not supposed to be unique, not a conflict
+ if (!(our->resrec.RecordType & kDNSRecordTypeUniqueMask)) return(mDNSfalse);
+
+ // If a dependent record, not a conflict
+ if (our->DependentOn || MatchDependentOn(m, pktrr, our)) return(mDNSfalse);
+ else
+ {
+ // If the pktrr matches a member of ourset, not a conflict
+ const AuthRecord *ourset = our->RRSet ? our->RRSet : our;
+ const AuthRecord *pktset = FindRRSet(m, pktrr);
+ if (pktset == ourset) return(mDNSfalse);
+
+ // For records we're proxying, where we don't know the full
+ // relationship between the records, having any matching record
+ // in our AuthRecords list is sufficient evidence of non-conflict
+ if (our->WakeUp.HMAC.l[0] && pktset) return(mDNSfalse);
+ }
+
+ // Okay, this is a conflict
+ return(mDNStrue);
+}
+
+// Note: ResolveSimultaneousProbe calls mDNS_Deregister_internal which can call a user callback, which may change
+// the record list and/or question list.
+// Any code walking either list must use the CurrentQuestion and/or CurrentRecord mechanism to protect against this.
+mDNSlocal void ResolveSimultaneousProbe(mDNS *const m, const DNSMessage *const query, const mDNSu8 *const end,
+ DNSQuestion *q, AuthRecord *our)
+{
+ int i;
+ const mDNSu8 *ptr = LocateAuthorities(query, end);
+ mDNSBool FoundUpdate = mDNSfalse;
+
+ for (i = 0; i < query->h.numAuthorities; i++)
+ {
+ ptr = GetLargeResourceRecord(m, query, ptr, end, q->InterfaceID, kDNSRecordTypePacketAuth, &m->rec);
+ if (!ptr) break;
+ if (m->rec.r.resrec.RecordType != kDNSRecordTypePacketNegative && ResourceRecordAnswersQuestion(&m->rec.r.resrec, q))
+ {
+ FoundUpdate = mDNStrue;
+ if (PacketRRConflict(m, our, &m->rec.r))
+ {
+ int result = (int)our->resrec.rrclass - (int)m->rec.r.resrec.rrclass;
+ if (!result) result = (int)our->resrec.rrtype - (int)m->rec.r.resrec.rrtype;
+ if (!result) result = CompareRData(our, &m->rec.r);
+ if (result)
+ {
+ const char *const msg = (result < 0) ? "lost:" : (result > 0) ? "won: " : "tie: ";
+ LogMsg("ResolveSimultaneousProbe: %p Pkt Record: %08lX %s", q->InterfaceID, m->rec.r.resrec.rdatahash, CRDisplayString(m, &m->rec.r));
+ LogMsg("ResolveSimultaneousProbe: %p Our Record %d %s %08lX %s", our->resrec.InterfaceID, our->ProbeCount, msg, our->resrec.rdatahash, ARDisplayString(m, our));
+ }
+ // If we lost the tie-break for simultaneous probes, we don't immediately give up, because we might be seeing stale packets on the network.
+ // Instead we pause for one second, to give the other host (if real) a chance to establish its name, and then try probing again.
+ // If there really is another live host out there with the same name, it will answer our probes and we'll then rename.
+ if (result < 0)
+ {
+ m->SuppressProbes = NonZeroTime(m->timenow + mDNSPlatformOneSecond);
+ our->ProbeCount = DefaultProbeCountForTypeUnique;
+ our->AnnounceCount = InitialAnnounceCount;
+ InitializeLastAPTime(m, our);
+ goto exit;
+ }
+ }
+#if 0
+ else
+ {
+ LogMsg("ResolveSimultaneousProbe: %p Pkt Record: %08lX %s", q->InterfaceID, m->rec.r.resrec.rdatahash, CRDisplayString(m, &m->rec.r));
+ LogMsg("ResolveSimultaneousProbe: %p Our Record %d ign: %08lX %s", our->resrec.InterfaceID, our->ProbeCount, our->resrec.rdatahash, ARDisplayString(m, our));
+ }
+#endif
+ }
+ m->rec.r.resrec.RecordType = 0; // Clear RecordType to show we're not still using it
+ }
+ if (!FoundUpdate)
+ LogInfo("ResolveSimultaneousProbe: %##s (%s): No Update Record found", our->resrec.name->c, DNSTypeName(our->resrec.rrtype));
+exit:
+ m->rec.r.resrec.RecordType = 0; // Clear RecordType to show we're not still using it
+}
+
+mDNSlocal CacheRecord *FindIdenticalRecordInCache(const mDNS *const m, const ResourceRecord *const pktrr)
+{
+ mDNSu32 slot = HashSlot(pktrr->name);
+ CacheGroup *cg = CacheGroupForRecord(m, slot, pktrr);
+ CacheRecord *rr;
+ mDNSBool match;
+ for (rr = cg ? cg->members : mDNSNULL; rr; rr=rr->next)
+ {
+ if (!pktrr->InterfaceID)
+ {
+ mDNSu16 id1 = (pktrr->rDNSServer ? pktrr->rDNSServer->resGroupID : 0);
+ mDNSu16 id2 = (rr->resrec.rDNSServer ? rr->resrec.rDNSServer->resGroupID : 0);
+ match = (id1 == id2);
+ }
+ else match = (pktrr->InterfaceID == rr->resrec.InterfaceID);
+
+ if (match && IdenticalSameNameRecord(pktrr, &rr->resrec)) break;
+ }
+ return(rr);
+}
+mDNSlocal void DeregisterProxyRecord(mDNS *const m, AuthRecord *const rr)
+{
+ rr->WakeUp.HMAC = zeroEthAddr; // Clear HMAC so that mDNS_Deregister_internal doesn't waste packets trying to wake this host
+ rr->RequireGoodbye = mDNSfalse; // and we don't want to send goodbye for it
+ mDNS_Deregister_internal(m, rr, mDNS_Dereg_normal);
+ SetSPSProxyListChanged(m->rec.r.resrec.InterfaceID);
+}
+
+mDNSlocal void ClearKeepaliveProxyRecords(mDNS *const m, const OwnerOptData *const owner, AuthRecord *const thelist, const mDNSInterfaceID InterfaceID)
+{
+ if (m->CurrentRecord)
+ LogMsg("ClearIdenticalProxyRecords ERROR m->CurrentRecord already set %s", ARDisplayString(m, m->CurrentRecord));
+ m->CurrentRecord = thelist;
+
+ // Normally, the RDATA of the keepalive record will be different each time and hence we always
+ // clean up the keepalive record.
+ while (m->CurrentRecord)
+ {
+ AuthRecord *const rr = m->CurrentRecord;
+ if (InterfaceID == rr->resrec.InterfaceID && mDNSSameEthAddress(&owner->HMAC, &rr->WakeUp.HMAC))
+ {
+ if (mDNS_KeepaliveRecord(&m->rec.r.resrec))
+ {
+ LogSPS("ClearKeepaliveProxyRecords: Removing %3d H-MAC %.6a I-MAC %.6a %d %d %s",
+ m->ProxyRecords, &rr->WakeUp.HMAC, &rr->WakeUp.IMAC, rr->WakeUp.seq, owner->seq, ARDisplayString(m, rr));
+ DeregisterProxyRecord(m, rr);
+ }
+ }
+ // Mustn't advance m->CurrentRecord until *after* mDNS_Deregister_internal, because
+ // new records could have been added to the end of the list as a result of that call.
+ if (m->CurrentRecord == rr) // If m->CurrentRecord was not advanced for us, do it now
+ m->CurrentRecord = rr->next;
+ }
+}
+
+// Called from mDNSCoreReceiveUpdate when we get a sleep proxy registration request,
+// to check our lists and discard any stale duplicates of this record we already have
+mDNSlocal void ClearIdenticalProxyRecords(mDNS *const m, const OwnerOptData *const owner, AuthRecord *const thelist)
+{
+ if (m->CurrentRecord)
+ LogMsg("ClearIdenticalProxyRecords ERROR m->CurrentRecord already set %s", ARDisplayString(m, m->CurrentRecord));
+ m->CurrentRecord = thelist;
+ while (m->CurrentRecord)
+ {
+ AuthRecord *const rr = m->CurrentRecord;
+ if (m->rec.r.resrec.InterfaceID == rr->resrec.InterfaceID && mDNSSameEthAddress(&owner->HMAC, &rr->WakeUp.HMAC))
+ if (IdenticalResourceRecord(&rr->resrec, &m->rec.r.resrec))
+ {
+ LogSPS("ClearIdenticalProxyRecords: Removing %3d H-MAC %.6a I-MAC %.6a %d %d %s",
+ m->ProxyRecords, &rr->WakeUp.HMAC, &rr->WakeUp.IMAC, rr->WakeUp.seq, owner->seq, ARDisplayString(m, rr));
+ DeregisterProxyRecord(m, rr);
+ }
+ // Mustn't advance m->CurrentRecord until *after* mDNS_Deregister_internal, because
+ // new records could have been added to the end of the list as a result of that call.
+ if (m->CurrentRecord == rr) // If m->CurrentRecord was not advanced for us, do it now
+ m->CurrentRecord = rr->next;
+ }
+}
+
+// Called from ProcessQuery when we get an mDNS packet with an owner record in it
+mDNSlocal void ClearProxyRecords(mDNS *const m, const OwnerOptData *const owner, AuthRecord *const thelist)
+{
+ if (m->CurrentRecord)
+ LogMsg("ClearProxyRecords ERROR m->CurrentRecord already set %s", ARDisplayString(m, m->CurrentRecord));
+ m->CurrentRecord = thelist;
+ while (m->CurrentRecord)
+ {
+ AuthRecord *const rr = m->CurrentRecord;
+ if (m->rec.r.resrec.InterfaceID == rr->resrec.InterfaceID && mDNSSameEthAddress(&owner->HMAC, &rr->WakeUp.HMAC))
+ if (owner->seq != rr->WakeUp.seq || m->timenow - rr->TimeRcvd > mDNSPlatformOneSecond * 60)
+ {
+ if (rr->AddressProxy.type == mDNSAddrType_IPv6)
+ {
+ // We don't do this here because we know that the host is waking up at this point, so we don't send
+ // Unsolicited Neighbor Advertisements -- even Neighbor Advertisements agreeing with what the host should be
+ // saying itself -- because it can cause some IPv6 stacks to falsely conclude that there's an address conflict.
+ #if MDNS_USE_Unsolicited_Neighbor_Advertisements
+ LogSPS("NDP Announcement -- Releasing traffic for H-MAC %.6a I-MAC %.6a %s",
+ &rr->WakeUp.HMAC, &rr->WakeUp.IMAC, ARDisplayString(m,rr));
+ SendNDP(m, NDP_Adv, NDP_Override, rr, &rr->AddressProxy.ip.v6, &rr->WakeUp.IMAC, &AllHosts_v6, &AllHosts_v6_Eth);
+ #endif
+ }
+ LogSPS("ClearProxyRecords: Removing %3d AC %2d %02X H-MAC %.6a I-MAC %.6a %d %d %s",
+ m->ProxyRecords, rr->AnnounceCount, rr->resrec.RecordType,
+ &rr->WakeUp.HMAC, &rr->WakeUp.IMAC, rr->WakeUp.seq, owner->seq, ARDisplayString(m, rr));
+ if (rr->resrec.RecordType == kDNSRecordTypeDeregistering) rr->resrec.RecordType = kDNSRecordTypeShared;
+ rr->WakeUp.HMAC = zeroEthAddr; // Clear HMAC so that mDNS_Deregister_internal doesn't waste packets trying to wake this host
+ rr->RequireGoodbye = mDNSfalse; // and we don't want to send goodbye for it, since real host is now back and functional
+ mDNS_Deregister_internal(m, rr, mDNS_Dereg_normal);
+ SetSPSProxyListChanged(m->rec.r.resrec.InterfaceID);
+ }
+ // Mustn't advance m->CurrentRecord until *after* mDNS_Deregister_internal, because
+ // new records could have been added to the end of the list as a result of that call.
+ if (m->CurrentRecord == rr) // If m->CurrentRecord was not advanced for us, do it now
+ m->CurrentRecord = rr->next;
+ }
+}
+
+// ProcessQuery examines a received query to see if we have any answers to give
+mDNSlocal mDNSu8 *ProcessQuery(mDNS *const m, const DNSMessage *const query, const mDNSu8 *const end,
+ const mDNSAddr *srcaddr, const mDNSInterfaceID InterfaceID, mDNSBool LegacyQuery, mDNSBool QueryWasMulticast,
+ mDNSBool QueryWasLocalUnicast, DNSMessage *const response)
+{
+ mDNSBool FromLocalSubnet = srcaddr && mDNS_AddressIsLocalSubnet(m, InterfaceID, srcaddr, mDNSNULL);
+ AuthRecord *ResponseRecords = mDNSNULL;
+ AuthRecord **nrp = &ResponseRecords;
+
+#if POOF_ENABLED
+ CacheRecord *ExpectedAnswers = mDNSNULL; // Records in our cache we expect to see updated
+ CacheRecord **eap = &ExpectedAnswers;
+#endif // POOF_ENABLED
+
+ DNSQuestion *DupQuestions = mDNSNULL; // Our questions that are identical to questions in this packet
+ DNSQuestion **dqp = &DupQuestions;
+ mDNSs32 delayresponse = 0;
+ mDNSBool SendLegacyResponse = mDNSfalse;
+ const mDNSu8 *ptr;
+ mDNSu8 *responseptr = mDNSNULL;
+ AuthRecord *rr;
+ int i;
+ CacheRecord *McastNSEC3Records = mDNSNULL;
+
+ // ***
+ // *** 1. Look in Additional Section for an OPT record
+ // ***
+ ptr = LocateOptRR(query, end, DNSOpt_OwnerData_ID_Space);
+ if (ptr)
+ {
+ ptr = GetLargeResourceRecord(m, query, ptr, end, InterfaceID, kDNSRecordTypePacketAdd, &m->rec);
+ if (ptr && m->rec.r.resrec.RecordType != kDNSRecordTypePacketNegative && m->rec.r.resrec.rrtype == kDNSType_OPT)
+ {
+ const rdataOPT *opt;
+ const rdataOPT *const e = (const rdataOPT *)&m->rec.r.resrec.rdata->u.data[m->rec.r.resrec.rdlength];
+ // Find owner sub-option(s). We verify that the MAC is non-zero, otherwise we could inadvertently
+ // delete all our own AuthRecords (which are identified by having zero MAC tags on them).
+ for (opt = &m->rec.r.resrec.rdata->u.opt[0]; opt < e; opt++)
+ if (opt->opt == kDNSOpt_Owner && opt->u.owner.vers == 0 && opt->u.owner.HMAC.l[0])
+ {
+ ClearProxyRecords(m, &opt->u.owner, m->DuplicateRecords);
+ ClearProxyRecords(m, &opt->u.owner, m->ResourceRecords);
+ }
+ }
+ m->rec.r.resrec.RecordType = 0; // Clear RecordType to show we're not still using it
+ }
+
+ //
+ // Look in Authority Section for NSEC3 record
+ //
+
+ mDNSParseNSEC3Records(m, query, end, InterfaceID, &McastNSEC3Records);
+
+ // ***
+ // *** 2. Parse Question Section and mark potential answers
+ // ***
+ ptr = query->data;
+ for (i=0; i<query->h.numQuestions; i++) // For each question...
+ {
+ mDNSBool QuestionNeedsMulticastResponse;
+ int NumAnswersForThisQuestion = 0;
+ AuthRecord *NSECAnswer = mDNSNULL;
+ DNSQuestion pktq, *q;
+ ptr = getQuestion(query, ptr, end, InterfaceID, &pktq); // get the question...
+ if (!ptr) goto exit;
+
+ pktq.AnonInfo = mDNSNULL;
+ if (McastNSEC3Records)
+ InitializeAnonInfoForQuestion(m, &McastNSEC3Records, &pktq);
+ // The only queries that *need* a multicast response are:
+ // * Queries sent via multicast
+ // * from port 5353
+ // * that don't have the kDNSQClass_UnicastResponse bit set
+ // These queries need multicast responses because other clients will:
+ // * suppress their own identical questions when they see these questions, and
+ // * expire their cache records if they don't see the expected responses
+ // For other queries, we may still choose to send the occasional multicast response anyway,
+ // to keep our neighbours caches warm, and for ongoing conflict detection.
+ QuestionNeedsMulticastResponse = QueryWasMulticast && !LegacyQuery && !(pktq.qclass & kDNSQClass_UnicastResponse);
+
+ if (pktq.qclass & kDNSQClass_UnicastResponse)
+ m->mDNSStats.UnicastBitInQueries++;
+ else
+ m->mDNSStats.NormalQueries++;
+
+ // Clear the UnicastResponse flag -- don't want to confuse the rest of the code that follows later
+ pktq.qclass &= ~kDNSQClass_UnicastResponse;
+
+ // Note: We use the m->CurrentRecord mechanism here because calling ResolveSimultaneousProbe
+ // can result in user callbacks which may change the record list and/or question list.
+ // Also note: we just mark potential answer records here, without trying to build the
+ // "ResponseRecords" list, because we don't want to risk user callbacks deleting records
+ // from that list while we're in the middle of trying to build it.
+ if (m->CurrentRecord)
+ LogMsg("ProcessQuery ERROR m->CurrentRecord already set %s", ARDisplayString(m, m->CurrentRecord));
+ m->CurrentRecord = m->ResourceRecords;
+ while (m->CurrentRecord)
+ {
+ rr = m->CurrentRecord;
+ m->CurrentRecord = rr->next;
+ if (AnyTypeRecordAnswersQuestion(&rr->resrec, &pktq) && (QueryWasMulticast || QueryWasLocalUnicast || rr->AllowRemoteQuery))
+ {
+ m->mDNSStats.MatchingAnswersForQueries++;
+ if (RRTypeAnswersQuestionType(&rr->resrec, pktq.qtype))
+ {
+ if (rr->resrec.RecordType == kDNSRecordTypeUnique)
+ ResolveSimultaneousProbe(m, query, end, &pktq, rr);
+ else if (ResourceRecordIsValidAnswer(rr))
+ {
+ NumAnswersForThisQuestion++;
+ // As we have verified this question to be part of the same subset,
+ // set the anonymous data which is needed below when walk the cache
+ // records to see what answers we should be expecting. The cache records
+ // may cache only the nsec3RR and not the anonymous data itself.
+ if (pktq.AnonInfo && rr->resrec.AnonInfo)
+ SetAnonData(&pktq, &rr->resrec, mDNStrue);
+
+ // Note: We should check here if this is a probe-type query, and if so, generate an immediate
+ // unicast answer back to the source, because timeliness in answering probes is important.
+
+ // Notes:
+ // NR_AnswerTo pointing into query packet means "answer via immediate legacy unicast" (may *also* choose to multicast)
+ // NR_AnswerTo == NR_AnswerUnicast means "answer via delayed unicast" (to modern querier; may promote to multicast instead)
+ // NR_AnswerTo == NR_AnswerMulticast means "definitely answer via multicast" (can't downgrade to unicast later)
+ // If we're not multicasting this record because the kDNSQClass_UnicastResponse bit was set,
+ // but the multicast querier is not on a matching subnet (e.g. because of overlaid subnets on one link)
+ // then we'll multicast it anyway (if we unicast, the receiver will ignore it because it has an apparently non-local source)
+ if (QuestionNeedsMulticastResponse || (!FromLocalSubnet && QueryWasMulticast && !LegacyQuery))
+ {
+ // We only mark this question for sending if it is at least one second since the last time we multicast it
+ // on this interface. If it is more than a second, or LastMCInterface is different, then we may multicast it.
+ // This is to guard against the case where someone blasts us with queries as fast as they can.
+ if (m->timenow - (rr->LastMCTime + mDNSPlatformOneSecond) >= 0 ||
+ (rr->LastMCInterface != mDNSInterfaceMark && rr->LastMCInterface != InterfaceID))
+ rr->NR_AnswerTo = NR_AnswerMulticast;
+ }
+ else if (!rr->NR_AnswerTo) rr->NR_AnswerTo = LegacyQuery ? ptr : NR_AnswerUnicast;
+ }
+ }
+ else if ((rr->resrec.RecordType & kDNSRecordTypeActiveUniqueMask) && ResourceRecordIsValidAnswer(rr))
+ {
+ // If we don't have any answers for this question, but we do own another record with the same name,
+ // then we'll want to mark it to generate an NSEC record on this interface
+ if (!NSECAnswer) NSECAnswer = rr;
+ }
+ }
+ }
+
+ if (NumAnswersForThisQuestion == 0 && NSECAnswer)
+ {
+ NumAnswersForThisQuestion++;
+ NSECAnswer->SendNSECNow = InterfaceID;
+ m->NextScheduledResponse = m->timenow;
+ }
+
+ // If we couldn't answer this question, someone else might be able to,
+ // so use random delay on response to reduce collisions
+ if (NumAnswersForThisQuestion == 0) delayresponse = mDNSPlatformOneSecond; // Divided by 50 = 20ms
+
+ if (query->h.flags.b[0] & kDNSFlag0_TC)
+ m->mDNSStats.KnownAnswerMultiplePkts++;
+#if ENABLE_MULTI_PACKET_QUERY_SNOOPING
+ if (QuestionNeedsMulticastResponse)
+#else
+ // We only do the following accelerated cache expiration and duplicate question suppression processing
+ // for non-truncated multicast queries with multicast responses.
+ // For any query generating a unicast response we don't do this because we can't assume we will see the response.
+ // For truncated queries we don't do this because a response we're expecting might be suppressed by a subsequent
+ // known-answer packet, and when there's packet loss we can't safely assume we'll receive *all* known-answer packets.
+ if (QuestionNeedsMulticastResponse && !(query->h.flags.b[0] & kDNSFlag0_TC))
+#endif
+ {
+#if POOF_ENABLED
+ const mDNSu32 slot = HashSlot(&pktq.qname);
+ CacheGroup *cg = CacheGroupForName(m, slot, pktq.qnamehash, &pktq.qname);
+ CacheRecord *cr;
+
+ // Make a list indicating which of our own cache records we expect to see updated as a result of this query
+ // Note: Records larger than 1K are not habitually multicast, so don't expect those to be updated
+#if ENABLE_MULTI_PACKET_QUERY_SNOOPING
+ if (!(query->h.flags.b[0] & kDNSFlag0_TC))
+#endif // ENABLE_MULTI_PACKET_QUERY_SNOOPING
+ for (cr = cg ? cg->members : mDNSNULL; cr; cr=cr->next)
+ if (SameNameRecordAnswersQuestion(&cr->resrec, &pktq) && cr->resrec.rdlength <= SmallRecordLimit)
+ if (!cr->NextInKAList && eap != &cr->NextInKAList)
+ {
+ *eap = cr;
+ eap = &cr->NextInKAList;
+#if ENABLE_MULTI_PACKET_QUERY_SNOOPING
+ if (cr->MPUnansweredQ == 0 || m->timenow - cr->MPLastUnansweredQT >= mDNSPlatformOneSecond)
+ {
+ // Although MPUnansweredQ is only really used for multi-packet query processing,
+ // we increment it for both single-packet and multi-packet queries, so that it stays in sync
+ // with the MPUnansweredKA value, which by necessity is incremented for both query types.
+ cr->MPUnansweredQ++;
+ cr->MPLastUnansweredQT = m->timenow;
+ cr->MPExpectingKA = mDNStrue;
+ }
+#endif // ENABLE_MULTI_PACKET_QUERY_SNOOPING
+ }
+#endif // POOF_ENABLED
+
+ // Check if this question is the same as any of mine.
+ // We only do this for non-truncated queries. Right now it would be too complicated to try
+ // to keep track of duplicate suppression state between multiple packets, especially when we
+ // can't guarantee to receive all of the Known Answer packets that go with a particular query.
+#if ENABLE_MULTI_PACKET_QUERY_SNOOPING
+ if (!(query->h.flags.b[0] & kDNSFlag0_TC))
+#endif
+ // For anonymous question, the duplicate suppressesion should happen if the
+ // question belongs in the same group. As the group is expected to be
+ // small, we don't do the optimization for now.
+ if (!pktq.AnonInfo)
+ {
+ for (q = m->Questions; q; q=q->next)
+ if (!q->Target.type && ActiveQuestion(q) && m->timenow - q->LastQTxTime > mDNSPlatformOneSecond / 4)
+ if (!q->InterfaceID || q->InterfaceID == InterfaceID)
+ if (q->NextInDQList == mDNSNULL && dqp != &q->NextInDQList)
+ if (q->qtype == pktq.qtype &&
+ q->qclass == pktq.qclass &&
+ q->qnamehash == pktq.qnamehash && SameDomainName(&q->qname, &pktq.qname))
+ { *dqp = q; dqp = &q->NextInDQList; }
+ }
+ }
+ if (pktq.AnonInfo)
+ {
+ FreeAnonInfo(pktq.AnonInfo);
+ }
+ }
+
+ // ***
+ // *** 3. Now we can safely build the list of marked answers
+ // ***
+ for (rr = m->ResourceRecords; rr; rr=rr->next) // Now build our list of potential answers
+ if (rr->NR_AnswerTo) // If we marked the record...
+ AddRecordToResponseList(&nrp, rr, mDNSNULL); // ... add it to the list
+
+ // ***
+ // *** 4. Add additional records
+ // ***
+ AddAdditionalsToResponseList(m, ResponseRecords, &nrp, InterfaceID);
+
+ // ***
+ // *** 5. Parse Answer Section and cancel any records disallowed by Known-Answer list
+ // ***
+ for (i=0; i<query->h.numAnswers; i++) // For each record in the query's answer section...
+ {
+ // Get the record...
+ CacheRecord *ourcacherr;
+ ptr = GetLargeResourceRecord(m, query, ptr, end, InterfaceID, kDNSRecordTypePacketAns, &m->rec);
+ if (!ptr) goto exit;
+ if (m->rec.r.resrec.RecordType != kDNSRecordTypePacketNegative)
+ {
+ // See if this Known-Answer suppresses any of our currently planned answers
+ for (rr=ResponseRecords; rr; rr=rr->NextResponse)
+ {
+ if (MustSendRecord(rr) && ShouldSuppressKnownAnswer(&m->rec.r, rr))
+ {
+ m->mDNSStats.KnownAnswerSuppressions++;
+ rr->NR_AnswerTo = mDNSNULL;
+ rr->NR_AdditionalTo = mDNSNULL;
+ }
+ }
+
+ // See if this Known-Answer suppresses any previously scheduled answers (for multi-packet KA suppression)
+ for (rr=m->ResourceRecords; rr; rr=rr->next)
+ {
+ // If we're planning to send this answer on this interface, and only on this interface, then allow KA suppression
+ if (rr->ImmedAnswer == InterfaceID && ShouldSuppressKnownAnswer(&m->rec.r, rr))
+ {
+ if (srcaddr->type == mDNSAddrType_IPv4)
+ {
+ if (mDNSSameIPv4Address(rr->v4Requester, srcaddr->ip.v4)) rr->v4Requester = zerov4Addr;
+ }
+ else if (srcaddr->type == mDNSAddrType_IPv6)
+ {
+ if (mDNSSameIPv6Address(rr->v6Requester, srcaddr->ip.v6)) rr->v6Requester = zerov6Addr;
+ }
+ if (mDNSIPv4AddressIsZero(rr->v4Requester) && mDNSIPv6AddressIsZero(rr->v6Requester))
+ {
+ m->mDNSStats.KnownAnswerSuppressions++;
+ rr->ImmedAnswer = mDNSNULL;
+ rr->ImmedUnicast = mDNSfalse;
+ #if MDNS_LOG_ANSWER_SUPPRESSION_TIMES
+ LogMsg("Suppressed after%4d: %s", m->timenow - rr->ImmedAnswerMarkTime, ARDisplayString(m, rr));
+ #endif
+ }
+ }
+ }
+
+ ourcacherr = FindIdenticalRecordInCache(m, &m->rec.r.resrec);
+
+ #if ENABLE_MULTI_PACKET_QUERY_SNOOPING
+ // See if this Known-Answer suppresses any answers we were expecting for our cache records. We do this always,
+ // even if the TC bit is not set (the TC bit will *not* be set in the *last* packet of a multi-packet KA list).
+ if (ourcacherr && ourcacherr->MPExpectingKA && m->timenow - ourcacherr->MPLastUnansweredQT < mDNSPlatformOneSecond)
+ {
+ ourcacherr->MPUnansweredKA++;
+ ourcacherr->MPExpectingKA = mDNSfalse;
+ }
+ #endif
+
+#if POOF_ENABLED
+ // Having built our ExpectedAnswers list from the questions in this packet, we then remove
+ // any records that are suppressed by the Known Answer list in this packet.
+ eap = &ExpectedAnswers;
+ while (*eap)
+ {
+ CacheRecord *cr = *eap;
+ if (cr->resrec.InterfaceID == InterfaceID && IdenticalResourceRecord(&m->rec.r.resrec, &cr->resrec))
+ { *eap = cr->NextInKAList; cr->NextInKAList = mDNSNULL; }
+ else eap = &cr->NextInKAList;
+ }
+#endif // POOF_ENABLED
+
+ // See if this Known-Answer is a surprise to us. If so, we shouldn't suppress our own query.
+ if (!ourcacherr)
+ {
+ dqp = &DupQuestions;
+ while (*dqp)
+ {
+ DNSQuestion *q = *dqp;
+ if (ResourceRecordAnswersQuestion(&m->rec.r.resrec, q))
+ { *dqp = q->NextInDQList; q->NextInDQList = mDNSNULL; }
+ else dqp = &q->NextInDQList;
+ }
+ }
+ }
+ m->rec.r.resrec.RecordType = 0; // Clear RecordType to show we're not still using it
+ }
+
+ // ***
+ // *** 6. Cancel any additionals that were added because of now-deleted records
+ // ***
+ for (rr=ResponseRecords; rr; rr=rr->NextResponse)
+ if (rr->NR_AdditionalTo && !MustSendRecord(rr->NR_AdditionalTo))
+ { rr->NR_AnswerTo = mDNSNULL; rr->NR_AdditionalTo = mDNSNULL; }
+
+ // ***
+ // *** 7. Mark the send flags on the records we plan to send
+ // ***
+ for (rr=ResponseRecords; rr; rr=rr->NextResponse)
+ {
+ if (rr->NR_AnswerTo)
+ {
+ mDNSBool SendMulticastResponse = mDNSfalse; // Send modern multicast response
+ mDNSBool SendUnicastResponse = mDNSfalse; // Send modern unicast response (not legacy unicast response)
+
+#if !TARGET_OS_EMBEDDED
+ // always honor kDNSQClass_UnicastResponse in embedded environment to increase reliability
+ // in high multicast packet loss environments.
+
+ // If it's been one TTL/4 since we multicast this, then send a multicast response
+ // for conflict detection, etc.
+ if (m->timenow - (rr->LastMCTime + TicksTTL(rr)/4) >= 0)
+ {
+ SendMulticastResponse = mDNStrue;
+ // If this record was marked for modern (delayed) unicast response, then mark it as promoted to
+ // multicast response instead (don't want to end up ALSO setting SendUnicastResponse in the check below).
+ // If this record was marked for legacy unicast response, then we mustn't change the NR_AnswerTo value.
+ if (rr->NR_AnswerTo == NR_AnswerUnicast)
+ {
+ m->mDNSStats.UnicastDemotedToMulticast++;
+ rr->NR_AnswerTo = NR_AnswerMulticast;
+ }
+ }
+#endif // !TARGET_OS_EMBEDDED
+
+ // If the client insists on a multicast response, then we'd better send one
+ if (rr->NR_AnswerTo == NR_AnswerMulticast)
+ {
+ m->mDNSStats.MulticastResponses++;
+ SendMulticastResponse = mDNStrue;
+ }
+ else if (rr->NR_AnswerTo == NR_AnswerUnicast)
+ {
+ m->mDNSStats.UnicastResponses++;
+ SendUnicastResponse = mDNStrue;
+ }
+ else if (rr->NR_AnswerTo)
+ {
+ SendLegacyResponse = mDNStrue;
+ }
+
+
+ if (SendMulticastResponse || SendUnicastResponse)
+ {
+#if MDNS_LOG_ANSWER_SUPPRESSION_TIMES
+ rr->ImmedAnswerMarkTime = m->timenow;
+#endif
+ m->NextScheduledResponse = m->timenow;
+ // If we're already planning to send this on another interface, just send it on all interfaces
+ if (rr->ImmedAnswer && rr->ImmedAnswer != InterfaceID)
+ rr->ImmedAnswer = mDNSInterfaceMark;
+ else
+ {
+ rr->ImmedAnswer = InterfaceID; // Record interface to send it on
+ if (SendUnicastResponse) rr->ImmedUnicast = mDNStrue;
+ if (srcaddr->type == mDNSAddrType_IPv4)
+ {
+ if (mDNSIPv4AddressIsZero(rr->v4Requester)) rr->v4Requester = srcaddr->ip.v4;
+ else if (!mDNSSameIPv4Address(rr->v4Requester, srcaddr->ip.v4)) rr->v4Requester = onesIPv4Addr;
+ }
+ else if (srcaddr->type == mDNSAddrType_IPv6)
+ {
+ if (mDNSIPv6AddressIsZero(rr->v6Requester)) rr->v6Requester = srcaddr->ip.v6;
+ else if (!mDNSSameIPv6Address(rr->v6Requester, srcaddr->ip.v6)) rr->v6Requester = onesIPv6Addr;
+ }
+ }
+ }
+ // If TC flag is set, it means we should expect that additional known answers may be coming in another packet,
+ // so we allow roughly half a second before deciding to reply (we've observed inter-packet delays of 100-200ms on 802.11)
+ // else, if record is a shared one, spread responses over 100ms to avoid implosion of simultaneous responses
+ // else, for a simple unique record reply, we can reply immediately; no need for delay
+ if (query->h.flags.b[0] & kDNSFlag0_TC) delayresponse = mDNSPlatformOneSecond * 20; // Divided by 50 = 400ms
+ else if (rr->resrec.RecordType == kDNSRecordTypeShared) delayresponse = mDNSPlatformOneSecond; // Divided by 50 = 20ms
+ }
+ else if (rr->NR_AdditionalTo && rr->NR_AdditionalTo->NR_AnswerTo == NR_AnswerMulticast)
+ {
+ // Since additional records are an optimization anyway, we only ever send them on one interface at a time
+ // If two clients on different interfaces do queries that invoke the same optional additional answer,
+ // then the earlier client is out of luck
+ rr->ImmedAdditional = InterfaceID;
+ // No need to set m->NextScheduledResponse here
+ // We'll send these additional records when we send them, or not, as the case may be
+ }
+ }
+
+ // ***
+ // *** 8. If we think other machines are likely to answer these questions, set our packet suppression timer
+ // ***
+ if (delayresponse && (!m->SuppressSending || (m->SuppressSending - m->timenow) < (delayresponse + 49) / 50))
+ {
+#if MDNS_LOG_ANSWER_SUPPRESSION_TIMES
+ mDNSs32 oldss = m->SuppressSending;
+ if (oldss && delayresponse)
+ LogMsg("Current SuppressSending delay%5ld; require%5ld", m->SuppressSending - m->timenow, (delayresponse + 49) / 50);
+#endif
+ // Pick a random delay:
+ // We start with the base delay chosen above (typically either 1 second or 20 seconds),
+ // and add a random value in the range 0-5 seconds (making 1-6 seconds or 20-25 seconds).
+ // This is an integer value, with resolution determined by the platform clock rate.
+ // We then divide that by 50 to get the delay value in ticks. We defer the division until last
+ // to get better results on platforms with coarse clock granularity (e.g. ten ticks per second).
+ // The +49 before dividing is to ensure we round up, not down, to ensure that even
+ // on platforms where the native clock rate is less than fifty ticks per second,
+ // we still guarantee that the final calculated delay is at least one platform tick.
+ // We want to make sure we don't ever allow the delay to be zero ticks,
+ // because if that happens we'll fail the Bonjour Conformance Test.
+ // Our final computed delay is 20-120ms for normal delayed replies,
+ // or 400-500ms in the case of multi-packet known-answer lists.
+ m->SuppressSending = m->timenow + (delayresponse + (mDNSs32)mDNSRandom((mDNSu32)mDNSPlatformOneSecond*5) + 49) / 50;
+ if (m->SuppressSending == 0) m->SuppressSending = 1;
+#if MDNS_LOG_ANSWER_SUPPRESSION_TIMES
+ if (oldss && delayresponse)
+ LogMsg("Set SuppressSending to %5ld", m->SuppressSending - m->timenow);
+#endif
+ }
+
+ // ***
+ // *** 9. If query is from a legacy client, or from a new client requesting a unicast reply, then generate a unicast response too
+ // ***
+ if (SendLegacyResponse)
+ responseptr = GenerateUnicastResponse(query, end, InterfaceID, LegacyQuery, response, ResponseRecords);
+
+exit:
+ m->rec.r.resrec.RecordType = 0; // Clear RecordType to show we're not still using it
+
+ // ***
+ // *** 10. Finally, clear our link chains ready for use next time
+ // ***
+ while (ResponseRecords)
+ {
+ rr = ResponseRecords;
+ ResponseRecords = rr->NextResponse;
+ rr->NextResponse = mDNSNULL;
+ rr->NR_AnswerTo = mDNSNULL;
+ rr->NR_AdditionalTo = mDNSNULL;
+ }
+
+#if POOF_ENABLED
+ while (ExpectedAnswers)
+ {
+ CacheRecord *cr = ExpectedAnswers;
+ ExpectedAnswers = cr->NextInKAList;
+ cr->NextInKAList = mDNSNULL;
+
+ // For non-truncated queries, we can definitively say that we should expect
+ // to be seeing a response for any records still left in the ExpectedAnswers list
+ if (!(query->h.flags.b[0] & kDNSFlag0_TC))
+ if (cr->UnansweredQueries == 0 || m->timenow - cr->LastUnansweredTime >= mDNSPlatformOneSecond)
+ {
+ cr->UnansweredQueries++;
+ cr->LastUnansweredTime = m->timenow;
+#if ENABLE_MULTI_PACKET_QUERY_SNOOPING
+ if (cr->UnansweredQueries > 1)
+ debugf("ProcessQuery: (!TC) UAQ %lu MPQ %lu MPKA %lu %s",
+ cr->UnansweredQueries, cr->MPUnansweredQ, cr->MPUnansweredKA, CRDisplayString(m, cr));
+#endif // ENABLE_MULTI_PACKET_QUERY_SNOOPING
+ SetNextCacheCheckTimeForRecord(m, cr);
+ }
+
+ // If we've seen multiple unanswered queries for this record,
+ // then mark it to expire in five seconds if we don't get a response by then.
+ if (cr->UnansweredQueries >= MaxUnansweredQueries)
+ {
+#if ENABLE_MULTI_PACKET_QUERY_SNOOPING
+ // Only show debugging message if this record was not about to expire anyway
+ if (RRExpireTime(cr) - m->timenow > 4 * mDNSPlatformOneSecond)
+ debugf("ProcessQuery: (Max) UAQ %lu MPQ %lu MPKA %lu mDNS_Reconfirm() for %s",
+ cr->UnansweredQueries, cr->MPUnansweredQ, cr->MPUnansweredKA, CRDisplayString(m, cr));
+#endif // ENABLE_MULTI_PACKET_QUERY_SNOOPING
+ m->mDNSStats.PoofCacheDeletions++;
+ mDNS_Reconfirm_internal(m, cr, kDefaultReconfirmTimeForNoAnswer);
+ }
+#if ENABLE_MULTI_PACKET_QUERY_SNOOPING
+ // Make a guess, based on the multi-packet query / known answer counts, whether we think we
+ // should have seen an answer for this. (We multiply MPQ by 4 and MPKA by 5, to allow for
+ // possible packet loss of up to 20% of the additional KA packets.)
+ else if (cr->MPUnansweredQ * 4 > cr->MPUnansweredKA * 5 + 8)
+ {
+ // We want to do this conservatively.
+ // If there are so many machines on the network that they have to use multi-packet known-answer lists,
+ // then we don't want them to all hit the network simultaneously with their final expiration queries.
+ // By setting the record to expire in four minutes, we achieve two things:
+ // (a) the 90-95% final expiration queries will be less bunched together
+ // (b) we allow some time for us to witness enough other failed queries that we don't have to do our own
+ mDNSu32 remain = (mDNSu32)(RRExpireTime(cr) - m->timenow) / 4;
+ if (remain > 240 * (mDNSu32)mDNSPlatformOneSecond)
+ remain = 240 * (mDNSu32)mDNSPlatformOneSecond;
+
+ // Only show debugging message if this record was not about to expire anyway
+ if (RRExpireTime(cr) - m->timenow > 4 * mDNSPlatformOneSecond)
+ debugf("ProcessQuery: (MPQ) UAQ %lu MPQ %lu MPKA %lu mDNS_Reconfirm() for %s",
+ cr->UnansweredQueries, cr->MPUnansweredQ, cr->MPUnansweredKA, CRDisplayString(m, cr));
+
+ if (remain <= 60 * (mDNSu32)mDNSPlatformOneSecond)
+ cr->UnansweredQueries++; // Treat this as equivalent to one definite unanswered query
+ cr->MPUnansweredQ = 0; // Clear MPQ/MPKA statistics
+ cr->MPUnansweredKA = 0;
+ cr->MPExpectingKA = mDNSfalse;
+
+ if (remain < kDefaultReconfirmTimeForNoAnswer)
+ remain = kDefaultReconfirmTimeForNoAnswer;
+ mDNS_Reconfirm_internal(m, cr, remain);
+ }
+#endif // ENABLE_MULTI_PACKET_QUERY_SNOOPING
+ }
+#endif // POOF_ENABLED
+
+ while (DupQuestions)
+ {
+ DNSQuestion *q = DupQuestions;
+ DupQuestions = q->NextInDQList;
+ q->NextInDQList = mDNSNULL;
+ i = RecordDupSuppressInfo(q->DupSuppress, m->timenow, InterfaceID, srcaddr->type);
+ debugf("ProcessQuery: Recorded DSI for %##s (%s) on %p/%s %d", q->qname.c, DNSTypeName(q->qtype), InterfaceID,
+ srcaddr->type == mDNSAddrType_IPv4 ? "v4" : "v6", i);
+ }
+
+ if (McastNSEC3Records)
+ {
+ debugf("ProcessQuery: McastNSEC3Records not used");
+ FreeNSECRecords(m, McastNSEC3Records);
+ }
+
+ return(responseptr);
+}
+
+mDNSlocal void mDNSCoreReceiveQuery(mDNS *const m, const DNSMessage *const msg, const mDNSu8 *const end,
+ const mDNSAddr *srcaddr, const mDNSIPPort srcport, const mDNSAddr *dstaddr, mDNSIPPort dstport,
+ const mDNSInterfaceID InterfaceID)
+{
+ mDNSu8 *responseend = mDNSNULL;
+ mDNSBool QueryWasLocalUnicast = srcaddr && dstaddr &&
+ !mDNSAddrIsDNSMulticast(dstaddr) && mDNS_AddressIsLocalSubnet(m, InterfaceID, srcaddr, mDNSNULL);
+
+ if (!InterfaceID && dstaddr && mDNSAddrIsDNSMulticast(dstaddr))
+ {
+ LogMsg("Ignoring Query from %#-15a:%-5d to %#-15a:%-5d on 0x%p with "
+ "%2d Question%s %2d Answer%s %2d Authorit%s %2d Additional%s %d bytes (Multicast, but no InterfaceID)",
+ srcaddr, mDNSVal16(srcport), dstaddr, mDNSVal16(dstport), InterfaceID,
+ msg->h.numQuestions, msg->h.numQuestions == 1 ? ", " : "s,",
+ msg->h.numAnswers, msg->h.numAnswers == 1 ? ", " : "s,",
+ msg->h.numAuthorities, msg->h.numAuthorities == 1 ? "y, " : "ies,",
+ msg->h.numAdditionals, msg->h.numAdditionals == 1 ? " " : "s", end - msg->data);
+ return;
+ }
+
+ verbosedebugf("Received Query from %#-15a:%-5d to %#-15a:%-5d on 0x%p with "
+ "%2d Question%s %2d Answer%s %2d Authorit%s %2d Additional%s %d bytes",
+ srcaddr, mDNSVal16(srcport), dstaddr, mDNSVal16(dstport), InterfaceID,
+ msg->h.numQuestions, msg->h.numQuestions == 1 ? ", " : "s,",
+ msg->h.numAnswers, msg->h.numAnswers == 1 ? ", " : "s,",
+ msg->h.numAuthorities, msg->h.numAuthorities == 1 ? "y, " : "ies,",
+ msg->h.numAdditionals, msg->h.numAdditionals == 1 ? " " : "s", end - msg->data);
+
+ responseend = ProcessQuery(m, msg, end, srcaddr, InterfaceID,
+ !mDNSSameIPPort(srcport, MulticastDNSPort), mDNSAddrIsDNSMulticast(dstaddr), QueryWasLocalUnicast, &m->omsg);
+
+ if (responseend) // If responseend is non-null, that means we built a unicast response packet
+ {
+ debugf("Unicast Response: %d Question%s, %d Answer%s, %d Additional%s to %#-15a:%d on %p/%ld",
+ m->omsg.h.numQuestions, m->omsg.h.numQuestions == 1 ? "" : "s",
+ m->omsg.h.numAnswers, m->omsg.h.numAnswers == 1 ? "" : "s",
+ m->omsg.h.numAdditionals, m->omsg.h.numAdditionals == 1 ? "" : "s",
+ srcaddr, mDNSVal16(srcport), InterfaceID, srcaddr->type);
+ mDNSSendDNSMessage(m, &m->omsg, responseend, InterfaceID, mDNSNULL, srcaddr, srcport, mDNSNULL, mDNSNULL, mDNSfalse);
+ }
+}
+
+#if 0
+mDNSlocal mDNSBool TrustedSource(const mDNS *const m, const mDNSAddr *const srcaddr)
+{
+ DNSServer *s;
+ (void)m; // Unused
+ (void)srcaddr; // Unused
+ for (s = m->DNSServers; s; s = s->next)
+ if (mDNSSameAddress(srcaddr, &s->addr)) return(mDNStrue);
+ return(mDNSfalse);
+}
+#endif
+
+struct UDPSocket_struct
+{
+ mDNSIPPort port; // MUST BE FIRST FIELD -- mDNSCoreReceive expects every UDPSocket_struct to begin with mDNSIPPort port
+};
+
+mDNSlocal DNSQuestion *ExpectingUnicastResponseForQuestion(const mDNS *const m, const mDNSIPPort port, const mDNSOpaque16 id, const DNSQuestion *const question, mDNSBool tcp)
+{
+ DNSQuestion *q;
+ for (q = m->Questions; q; q=q->next)
+ {
+ if (!tcp && !q->LocalSocket) continue;
+ if (mDNSSameIPPort(tcp ? q->tcpSrcPort : q->LocalSocket->port, port) &&
+ mDNSSameOpaque16(q->TargetQID, id) &&
+ q->qtype == question->qtype &&
+ q->qclass == question->qclass &&
+ q->qnamehash == question->qnamehash &&
+ SameDomainName(&q->qname, &question->qname))
+ return(q);
+ }
+ return(mDNSNULL);
+}
+
+// This function is called when we receive a unicast response. This could be the case of a unicast response from the
+// DNS server or a response to the QU query. Hence, the cache record's InterfaceId can be both NULL or non-NULL (QU case)
+mDNSlocal DNSQuestion *ExpectingUnicastResponseForRecord(mDNS *const m,
+ const mDNSAddr *const srcaddr, const mDNSBool SrcLocal, const mDNSIPPort port, const mDNSOpaque16 id, const CacheRecord *const rr, mDNSBool tcp)
+{
+ DNSQuestion *q;
+ (void)id;
+ (void)srcaddr;
+
+ for (q = m->Questions; q; q=q->next)
+ {
+ if (!q->DuplicateOf && ResourceRecordAnswersUnicastResponse(&rr->resrec, q))
+ {
+ if (!mDNSOpaque16IsZero(q->TargetQID))
+ {
+ debugf("ExpectingUnicastResponseForRecord msg->h.id %d q->TargetQID %d for %s", mDNSVal16(id), mDNSVal16(q->TargetQID), CRDisplayString(m, rr));
+
+ if (mDNSSameOpaque16(q->TargetQID, id))
+ {
+ mDNSIPPort srcp;
+ if (!tcp)
+ {
+ srcp = q->LocalSocket ? q->LocalSocket->port : zeroIPPort;
+ }
+ else
+ {
+ srcp = q->tcpSrcPort;
+ }
+ if (mDNSSameIPPort(srcp, port)) return(q);
+
+ // if (mDNSSameAddress(srcaddr, &q->Target)) return(mDNStrue);
+ // if (q->LongLived && mDNSSameAddress(srcaddr, &q->servAddr)) return(mDNStrue); Shouldn't need this now that we have LLQType checking
+ // if (TrustedSource(m, srcaddr)) return(mDNStrue);
+ LogInfo("WARNING: Ignoring suspect uDNS response for %##s (%s) [q->Target %#a:%d] from %#a:%d %s",
+ q->qname.c, DNSTypeName(q->qtype), &q->Target, mDNSVal16(srcp), srcaddr, mDNSVal16(port), CRDisplayString(m, rr));
+ return(mDNSNULL);
+ }
+ }
+ else
+ {
+ if (SrcLocal && q->ExpectUnicastResp && (mDNSu32)(m->timenow - q->ExpectUnicastResp) < (mDNSu32)(mDNSPlatformOneSecond*2))
+ return(q);
+ }
+ }
+ }
+ return(mDNSNULL);
+}
+
+// Return a pointer to the primary service name, skipping subtype name if present.
+mDNSlocal const domainname *getPrimaryServiceName(const domainname *domainName)
+{
+ const domainname *primaryName = domainName;
+ const domainname *subName = SkipLeadingLabels(domainName, 1);
+
+ if (SameDomainLabel(subName->c, (const mDNSu8 *)mDNSSubTypeLabel))
+ {
+ // skip "<sub type name>._sub" portion of name
+ primaryName = SkipLeadingLabels(domainName, 2);
+ debugf("getPrimaryServiceName: returning %##s for _sub type", primaryName);
+ }
+
+ return primaryName;
+}
+
+// This function is not called if the packet is from us, which implies that we accept all multicast packets coming from us.
+mDNSlocal mDNSBool ExpectingMulticastResponseForRecord(mDNS *const m, CacheRecord *rr, const mDNSAddr *srcaddr, mDNSBool recordAccepted,
+ CacheRecord **McastNSEC3Records)
+{
+ DNSQuestion *q;
+
+ // Accept A and AAAA if we accepted something before in the same packet as most likely related to the
+ // service records that we may have accepted.
+ if (recordAccepted && (rr->resrec.rrtype == kDNSType_A || rr->resrec.rrtype == kDNSType_AAAA))
+ {
+ LogInfo("ExpectingMulticastResponseForRecord:A:AAAA: accepting %s, from %#a due to same packet %d", CRDisplayString(m, rr), srcaddr, m->PktNum);
+ return mDNStrue;
+ }
+ for (q = m->Questions; q; q=q->next)
+ {
+ if (!q->DuplicateOf && mDNSOpaque16IsZero(q->TargetQID))
+ {
+ mDNSBool ret;
+ // 1. If a resource record answers question, cache it. This also will cache NSECs if it asserts
+ // non-existence of q->qtype. If we have any matching NSEC3 Records for the question, send
+ // it along with the resource record. Do it only for questions that are expecting to
+ // discover only its peers (q->AnonInfo not NULL)
+ if (q->AnonInfo && McastNSEC3Records && !rr->resrec.AnonInfo)
+ {
+ InitializeAnonInfoForCR(m, McastNSEC3Records, rr);
+ }
+ ret = ResourceRecordAnswersQuestion(&rr->resrec, q);
+ if (ret)
+ {
+ // The record and the question belong to the same subset. Set the
+ // anonymous data in the cache record.
+ if (q->AnonInfo && rr->resrec.AnonInfo)
+ {
+ SetAnonData(q, &rr->resrec, mDNSfalse);
+ }
+ LogInfo("ExpectingMulticastResponseForRecord: Name and Type match, accepting %s, from %#a", CRDisplayString(m, rr), srcaddr);
+ if (rr->resrec.rrtype == kDNSType_NSEC)
+ LogInfo("ExpectingMulticastResponseForRecord: record %s, question %##s (%s)", CRDisplayString(m, rr), q->qname.c, DNSTypeName(q->qtype));
+ return mDNStrue;
+ }
+ if (rr->resrec.rrtype == kDNSType_SRV || rr->resrec.rrtype == kDNSType_TXT)
+ {
+ // Point to the service type in the record name
+ const domainname *name = SkipLeadingLabels(rr->resrec.name, 1);
+
+ // If question is for a sub type, just compare against the primary service type
+ const domainname *primaryName = getPrimaryServiceName(&q->qname);
+
+ // 2. If the SRV or TXT record matches the service name, then cache it. If the TXT or SRV record is
+ // before the PTR record in the packet, PTR record may not be in the cache yet and hence the logic
+ // in (3) below will fail to cache it.
+ if (q->qtype == kDNSType_PTR && name && SameDomainName(primaryName, name))
+ {
+ LogInfo("ExpectingMulticastResponseForRecord: Accepting %s due to PTR match, question %##s from %#a, pktnum %d",
+ CRDisplayString(m, rr), q->qname.c, srcaddr, m->PktNum);
+ return mDNStrue;
+ }
+
+ if (name)
+ {
+ const mDNSu32 slot = HashSlot(name);
+ const mDNSu32 namehash = DomainNameHashValue(name);
+ CacheGroup *cg = CacheGroupForName(m, slot, namehash, name);
+ CacheRecord *cr;
+
+ // 3. Same as in (2), but look in the cache in case we don't have the PTR question.
+
+ for (cr = cg ? cg->members : mDNSNULL; cr; cr=cr->next)
+ {
+ if (cr->resrec.rrtype == kDNSType_PTR)
+ {
+ primaryName = getPrimaryServiceName(cr->resrec.name);
+
+ if (SameDomainName(primaryName, name))
+ {
+ LogInfo("ExpectingMulticastResponseForRecord: accepting %s, from %#a, pktnum %d",
+ CRDisplayString(m, rr), srcaddr, m->PktNum);
+ return mDNStrue;
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ debugf("ExpectingMulticastResponseForRecord: discarding %s, from %#a, pktnum %d", CRDisplayString(m, rr), srcaddr, m->PktNum);
+ return(mDNSfalse);
+}
+
+// Certain data types need more space for in-memory storage than their in-packet rdlength would imply
+// Currently this applies only to rdata types containing more than one domainname,
+// or types where the domainname is not the last item in the structure.
+mDNSlocal mDNSu16 GetRDLengthMem(const ResourceRecord *const rr)
+{
+ switch (rr->rrtype)
+ {
+ case kDNSType_SOA: return sizeof(rdataSOA);
+ case kDNSType_RP: return sizeof(rdataRP);
+ case kDNSType_PX: return sizeof(rdataPX);
+ default: return rr->rdlength;
+ }
+}
+
+mDNSexport CacheRecord *CreateNewCacheEntry(mDNS *const m, const mDNSu32 slot, CacheGroup *cg, mDNSs32 delay, mDNSBool Add, const mDNSAddr *sourceAddress)
+{
+ CacheRecord *rr = mDNSNULL;
+ mDNSu16 RDLength = GetRDLengthMem(&m->rec.r.resrec);
+
+ if (!m->rec.r.resrec.InterfaceID) debugf("CreateNewCacheEntry %s", CRDisplayString(m, &m->rec.r));
+
+ //if (RDLength > InlineCacheRDSize)
+ // LogInfo("Rdata len %4d > InlineCacheRDSize %d %s", RDLength, InlineCacheRDSize, CRDisplayString(m, &m->rec.r));
+
+ if (!cg) cg = GetCacheGroup(m, slot, &m->rec.r.resrec); // If we don't have a CacheGroup for this name, make one now
+ if (cg) rr = GetCacheRecord(m, cg, RDLength); // Make a cache record, being careful not to recycle cg
+ if (!rr) NoCacheAnswer(m, &m->rec.r);
+ else
+ {
+ RData *saveptr = rr->resrec.rdata; // Save the rr->resrec.rdata pointer
+ *rr = m->rec.r; // Block copy the CacheRecord object
+ rr->resrec.rdata = saveptr; // Restore rr->resrec.rdata after the structure assignment
+ rr->resrec.name = cg->name; // And set rr->resrec.name to point into our CacheGroup header
+
+ // We need to add the anonymous info before we call CacheRecordAdd so that
+ // if it finds a matching question with this record, it bumps up the counters like
+ // CurrentAnswers etc. Otherwise, when a cache entry gets removed, CacheRecordRmv
+ // will complain.
+ if (m->rec.r.resrec.AnonInfo)
+ {
+ rr->resrec.AnonInfo = m->rec.r.resrec.AnonInfo;
+ m->rec.r.resrec.AnonInfo = mDNSNULL;
+ }
+ rr->DelayDelivery = delay;
+
+ // If this is an oversized record with external storage allocated, copy rdata to external storage
+ if (rr->resrec.rdata == (RData*)&rr->smallrdatastorage && RDLength > InlineCacheRDSize)
+ LogMsg("rr->resrec.rdata == &rr->rdatastorage but length > InlineCacheRDSize %##s", m->rec.r.resrec.name->c);
+ else if (rr->resrec.rdata != (RData*)&rr->smallrdatastorage && RDLength <= InlineCacheRDSize)
+ LogMsg("rr->resrec.rdata != &rr->rdatastorage but length <= InlineCacheRDSize %##s", m->rec.r.resrec.name->c);
+ if (RDLength > InlineCacheRDSize)
+ mDNSPlatformMemCopy(rr->resrec.rdata, m->rec.r.resrec.rdata, sizeofRDataHeader + RDLength);
+
+ rr->next = mDNSNULL; // Clear 'next' pointer
+ rr->nsec = mDNSNULL;
+ rr->soa = mDNSNULL;
+
+ if (sourceAddress)
+ rr->sourceAddress = *sourceAddress;
+
+ if (!rr->resrec.InterfaceID)
+ {
+ m->rrcache_totalused_unicast += rr->resrec.rdlength;
+ if (DNSSECRecordType(rr->resrec.rrtype))
+ BumpDNSSECStats(m, kStatsActionIncrement, kStatsTypeMemoryUsage, rr->resrec.rdlength);
+ }
+
+ if (Add)
+ {
+ *(cg->rrcache_tail) = rr; // Append this record to tail of cache slot list
+ cg->rrcache_tail = &(rr->next); // Advance tail pointer
+ CacheRecordAdd(m, rr); // CacheRecordAdd calls SetNextCacheCheckTimeForRecord(m, rr); for us
+ }
+ else
+ {
+ // Can't use the "cg->name" if we are not adding to the cache as the
+ // CacheGroup may be released anytime if it is empty
+ domainname *name = mDNSPlatformMemAllocate(DomainNameLength(cg->name));
+ if (name)
+ {
+ AssignDomainName(name, cg->name);
+ rr->resrec.name = name;
+ }
+ else
+ {
+ ReleaseCacheRecord(m, rr);
+ NoCacheAnswer(m, &m->rec.r);
+ rr = mDNSNULL;
+ }
+ }
+ }
+ return(rr);
+}
+
+mDNSlocal void RefreshCacheRecord(mDNS *const m, CacheRecord *rr, mDNSu32 ttl)
+{
+ rr->TimeRcvd = m->timenow;
+ rr->resrec.rroriginalttl = ttl;
+ rr->UnansweredQueries = 0;
+#if ENABLE_MULTI_PACKET_QUERY_SNOOPING
+ rr->MPUnansweredQ = 0;
+ rr->MPUnansweredKA = 0;
+ rr->MPExpectingKA = mDNSfalse;
+#endif
+ SetNextCacheCheckTimeForRecord(m, rr);
+}
+
+mDNSexport void GrantCacheExtensions(mDNS *const m, DNSQuestion *q, mDNSu32 lease)
+{
+ CacheRecord *rr;
+ const mDNSu32 slot = HashSlot(&q->qname);
+ CacheGroup *cg = CacheGroupForName(m, slot, q->qnamehash, &q->qname);
+ for (rr = cg ? cg->members : mDNSNULL; rr; rr=rr->next)
+ if (rr->CRActiveQuestion == q)
+ {
+ //LogInfo("GrantCacheExtensions: new lease %d / %s", lease, CRDisplayString(m, rr));
+ RefreshCacheRecord(m, rr, lease);
+ }
+}
+
+mDNSlocal mDNSu32 GetEffectiveTTL(const uDNS_LLQType LLQType, mDNSu32 ttl) // TTL in seconds
+{
+ if (LLQType == uDNS_LLQ_Entire) ttl = kLLQ_DefLease;
+ else if (LLQType == uDNS_LLQ_Events)
+ {
+ // If the TTL is -1 for uDNS LLQ event packet, that means "remove"
+ if (ttl == 0xFFFFFFFF) ttl = 0;
+ else ttl = kLLQ_DefLease;
+ }
+ else // else not LLQ (standard uDNS response)
+ {
+ // The TTL is already capped to a maximum value in GetLargeResourceRecord, but just to be extra safe we
+ // also do this check here to make sure we can't get overflow below when we add a quarter to the TTL
+ if (ttl > 0x60000000UL / mDNSPlatformOneSecond) ttl = 0x60000000UL / mDNSPlatformOneSecond;
+
+ ttl = RRAdjustTTL(ttl);
+
+ // For mDNS, TTL zero means "delete this record"
+ // For uDNS, TTL zero means: this data is true at this moment, but don't cache it.
+ // For the sake of network efficiency, we impose a minimum effective TTL of 15 seconds.
+ // This means that we'll do our 80, 85, 90, 95% queries at 12.00, 12.75, 13.50, 14.25 seconds
+ // respectively, and then if we get no response, delete the record from the cache at 15 seconds.
+ // This gives the server up to three seconds to respond between when we send our 80% query at 12 seconds
+ // and when we delete the record at 15 seconds. Allowing cache lifetimes less than 15 seconds would
+ // (with the current code) result in the server having even less than three seconds to respond
+ // before we deleted the record and reported a "remove" event to any active questions.
+ // Furthermore, with the current code, if we were to allow a TTL of less than 2 seconds
+ // then things really break (e.g. we end up making a negative cache entry).
+ // In the future we may want to revisit this and consider properly supporting non-cached (TTL=0) uDNS answers.
+ if (ttl < 15) ttl = 15;
+ }
+
+ return ttl;
+}
+
+// When the response does not match the question directly, we still want to cache them sometimes. The current response is
+// in m->rec.
+mDNSlocal mDNSBool IsResponseAcceptable(mDNS *const m, const CacheRecord *crlist, DNSQuestion *q, mDNSBool *nseclist)
+{
+ CacheRecord *const newcr = &m->rec.r;
+ ResourceRecord *rr = &newcr->resrec;
+ const CacheRecord *cr;
+
+ *nseclist = mDNSfalse;
+ for (cr = crlist; cr != (CacheRecord*)1; cr = cr->NextInCFList)
+ {
+ domainname *target = GetRRDomainNameTarget(&cr->resrec);
+ // When we issue a query for A record, the response might contain both a CNAME and A records. Only the CNAME would
+ // match the question and we already created a cache entry in the previous pass of this loop. Now when we process
+ // the A record, it does not match the question because the record name here is the CNAME. Hence we try to
+ // match with the previous records to make it an AcceptableResponse. We have to be careful about setting the
+ // DNSServer value that we got in the previous pass. This can happen for other record types like SRV also.
+
+ if (target && cr->resrec.rdatahash == rr->namehash && SameDomainName(target, rr->name))
+ {
+ LogInfo("IsResponseAcceptable: Found a matching entry for %##s in the CacheFlushRecords %s", rr->name->c, CRDisplayString(m, cr));
+ return (mDNStrue);
+ }
+ }
+
+ // Either the question requires validation or we are validating a response with DNSSEC in which case
+ // we need to accept the RRSIGs also so that we can validate the response. It is also possible that
+ // we receive NSECs for our query which does not match the qname and we need to cache in that case
+ // too. nseclist is set if they have to be cached as part of the negative cache record.
+ if (q && DNSSECQuestion(q))
+ {
+ mDNSBool same = SameDomainName(&q->qname, rr->name);
+ if (same && (q->qtype == rr->rrtype || rr->rrtype == kDNSType_CNAME))
+ {
+ LogInfo("IsResponseAcceptable: Accepting, same name and qtype %s, CR %s", DNSTypeName(q->qtype),
+ CRDisplayString(m, newcr));
+ return mDNStrue;
+ }
+ // We cache RRSIGS if it covers the question type or NSEC. If it covers a NSEC,
+ // "nseclist" is set
+ if (rr->rrtype == kDNSType_RRSIG)
+ {
+ RDataBody2 *const rdb = (RDataBody2 *)newcr->smallrdatastorage.data;
+ rdataRRSig *rrsig = &rdb->rrsig;
+ mDNSu16 typeCovered = swap16(rrsig->typeCovered);
+
+ // Note the ordering. If we are looking up the NSEC record, then the RRSIG's typeCovered
+ // would match the qtype and they are cached normally as they are not used to prove the
+ // non-existence of any name. In that case, it is like any other normal dnssec validation
+ // and hence nseclist should not be set.
+
+ if (same && ((typeCovered == q->qtype) || (typeCovered == kDNSType_CNAME)))
+ {
+ LogInfo("IsResponseAcceptable: Accepting RRSIG %s matches question type %s", CRDisplayString(m, newcr),
+ DNSTypeName(q->qtype));
+ return mDNStrue;
+ }
+ else if (typeCovered == kDNSType_NSEC || typeCovered == kDNSType_NSEC3)
+ {
+ LogInfo("IsResponseAcceptable: Accepting RRSIG %s matches %s type (nseclist = 1)", CRDisplayString(m, newcr), DNSTypeName(typeCovered));
+ *nseclist = mDNStrue;
+ return mDNStrue;
+ }
+ else if (typeCovered == kDNSType_SOA)
+ {
+ LogInfo("IsResponseAcceptable: Accepting RRSIG %s matches SOA type (nseclist = 1)", CRDisplayString(m, newcr));
+ *nseclist = mDNStrue;
+ return mDNStrue;
+ }
+ else return mDNSfalse;
+ }
+ if (rr->rrtype == kDNSType_NSEC)
+ {
+ if (!UNICAST_NSEC(rr))
+ {
+ LogMsg("IsResponseAcceptable: ERROR!! Not a unicast NSEC %s", CRDisplayString(m, newcr));
+ return mDNSfalse;
+ }
+ LogInfo("IsResponseAcceptable: Accepting NSEC %s (nseclist = 1)", CRDisplayString(m, newcr));
+ *nseclist = mDNStrue;
+ return mDNStrue;
+ }
+ if (rr->rrtype == kDNSType_SOA)
+ {
+ LogInfo("IsResponseAcceptable: Accepting SOA %s (nseclist = 1)", CRDisplayString(m, newcr));
+ *nseclist = mDNStrue;
+ return mDNStrue;
+ }
+ else if (rr->rrtype == kDNSType_NSEC3)
+ {
+ LogInfo("IsResponseAcceptable: Accepting NSEC3 %s (nseclist = 1)", CRDisplayString(m, newcr));
+ *nseclist = mDNStrue;
+ return mDNStrue;
+ }
+ }
+ return mDNSfalse;
+}
+
+mDNSlocal void FreeNSECRecords(mDNS *const m, CacheRecord *NSECRecords)
+{
+ CacheRecord *rp, *next;
+
+ for (rp = NSECRecords; rp; rp = next)
+ {
+ next = rp->next;
+ ReleaseCacheRecord(m, rp);
+ }
+}
+
+// If we received zero DNSSEC records even when the DO/EDNS0 bit was set, we need to provide this
+// information to ValidatingResponse question to indicate the DNSSEC status to the application
+mDNSlocal void mDNSCoreReceiveNoDNSSECAnswers(mDNS *const m, const DNSMessage *const response, const mDNSu8 *end, const mDNSAddr *dstaddr,
+ mDNSIPPort dstport, const mDNSInterfaceID InterfaceID)
+{
+ int i;
+ const mDNSu8 *ptr = response->data;
+
+ for (i = 0; i < response->h.numQuestions && ptr && ptr < end; i++)
+ {
+ DNSQuestion pktq;
+ DNSQuestion *qptr = mDNSNULL;
+ ptr = getQuestion(response, ptr, end, InterfaceID, &pktq);
+ if (ptr && (qptr = ExpectingUnicastResponseForQuestion(m, dstport, response->h.id, &pktq, !dstaddr)) &&
+ qptr->ValidatingResponse)
+ {
+ DNSQuestion *next, *q;
+
+ if (qptr->DuplicateOf)
+ LogMsg("mDNSCoreReceiveNoDNSSECAnswers: ERROR!! qptr %##s (%s) Duplicate question matching response", qptr->qname.c, DNSTypeName(qptr->qtype));
+
+ // Be careful to call the callback for duplicate questions first and then the original
+ // question. If we called the callback on the original question, it could stop and
+ // a duplicate question would become the original question.
+ mDNS_DropLockBeforeCallback(); // Allow client (and us) to legally make mDNS API calls
+ for (q = qptr->next ; q && q != m->NewQuestions; q = next)
+ {
+ next = q->next;
+ if (q->DuplicateOf == qptr)
+ {
+ if (q->ValidatingResponse)
+ LogInfo("mDNSCoreReceiveNoDNSSECAnswers: qptr %##s (%s) Duplicate question found", q->qname.c, DNSTypeName(q->qtype));
+ else
+ LogMsg("mDNSCoreReceiveNoDNSSECAnswers: ERROR!! qptr %##s (%s) Duplicate question not ValidatingResponse", q->qname.c, DNSTypeName(q->qtype));
+ if (q->QuestionCallback)
+ q->QuestionCallback(m, q, mDNSNULL, QC_nodnssec);
+ }
+ }
+ if (qptr->QuestionCallback)
+ qptr->QuestionCallback(m, qptr, mDNSNULL, QC_nodnssec);
+ mDNS_ReclaimLockAfterCallback(); // Decrement mDNS_reentrancy to block mDNS API calls again
+ }
+ }
+}
+
+mDNSlocal void mDNSCoreReceiveNoUnicastAnswers(mDNS *const m, const DNSMessage *const response, const mDNSu8 *end, const mDNSAddr *dstaddr,
+ mDNSIPPort dstport, const mDNSInterfaceID InterfaceID, uDNS_LLQType LLQType, mDNSu8 rcode, CacheRecord *NSECRecords)
+{
+ int i;
+ const mDNSu8 *ptr = response->data;
+ CacheRecord *SOARecord = mDNSNULL;
+
+ for (i = 0; i < response->h.numQuestions && ptr && ptr < end; i++)
+ {
+ DNSQuestion q;
+ DNSQuestion *qptr = mDNSNULL;
+ ptr = getQuestion(response, ptr, end, InterfaceID, &q);
+ if (ptr && (qptr = ExpectingUnicastResponseForQuestion(m, dstport, response->h.id, &q, !dstaddr)))
+ {
+ CacheRecord *rr, *neg = mDNSNULL;
+ mDNSu32 slot = HashSlot(&q.qname);
+ CacheGroup *cg = CacheGroupForName(m, slot, q.qnamehash, &q.qname);
+ for (rr = cg ? cg->members : mDNSNULL; rr; rr=rr->next)
+ if (SameNameRecordAnswersQuestion(&rr->resrec, qptr))
+ {
+ // 1. If we got a fresh answer to this query, then don't need to generate a negative entry
+ if (RRExpireTime(rr) - m->timenow > 0) break;
+ // 2. If we already had a negative entry, keep track of it so we can resurrect it instead of creating a new one
+ if (rr->resrec.RecordType == kDNSRecordTypePacketNegative) neg = rr;
+ }
+ // When we're doing parallel unicast and multicast queries for dot-local names (for supporting Microsoft
+ // Active Directory sites) we don't want to waste memory making negative cache entries for all the unicast answers.
+ // Otherwise we just fill up our cache with negative entries for just about every single multicast name we ever look up
+ // (since the Microsoft Active Directory server is going to assert that pretty much every single multicast name doesn't exist).
+ // This is not only a waste of memory, but there's also the problem of those negative entries confusing us later -- e.g. we
+ // suppress sending our mDNS query packet because we think we already have a valid (negative) answer to that query in our cache.
+ // The one exception is that we *DO* want to make a negative cache entry for "local. SOA", for the (common) case where we're
+ // *not* on a Microsoft Active Directory network, and there is no authoritative server for "local". Note that this is not
+ // in conflict with the mDNS spec, because that spec says, "Multicast DNS Zones have no SOA record," so it's okay to cache
+ // negative answers for "local. SOA" from a uDNS server, because the mDNS spec already says that such records do not exist :-)
+ //
+ // By suppressing negative responses, it might take longer to timeout a .local question as it might be expecting a
+ // response e.g., we deliver a positive "A" response and suppress negative "AAAA" response and the upper layer may
+ // be waiting longer to get the AAAA response before returning the "A" response to the application. To handle this
+ // case without creating the negative cache entries, we generate a negative response and let the layer above us
+ // do the appropriate thing. This negative response is also needed for appending new search domains.
+ if (!InterfaceID && q.qtype != kDNSType_SOA && IsLocalDomain(&q.qname))
+ {
+ if (!rr)
+ {
+ LogInfo("mDNSCoreReceiveNoUnicastAnswers: Generate negative response for %##s (%s)", q.qname.c, DNSTypeName(q.qtype));
+ m->CurrentQuestion = qptr;
+ // We are not creating a cache record in this case, we need to pass back
+ // the error we got so that the proxy code can return the right one to
+ // the application
+ if (qptr->ProxyQuestion)
+ qptr->responseFlags = response->h.flags;
+ GenerateNegativeResponse(m, QC_forceresponse);
+ m->CurrentQuestion = mDNSNULL;
+ }
+ else
+ {
+ LogInfo("mDNSCoreReceiveNoUnicastAnswers: Skipping check and not creating a negative cache entry for %##s (%s)", q.qname.c, DNSTypeName(q.qtype));
+ }
+ }
+ else
+ {
+ if (!rr)
+ {
+ // We start off assuming a negative caching TTL of 60 seconds
+ // but then look to see if we can find an SOA authority record to tell us a better value we should be using
+ mDNSu32 negttl = 60;
+ int repeat = 0;
+ const domainname *name = &q.qname;
+ mDNSu32 hash = q.qnamehash;
+
+ // Special case for our special Microsoft Active Directory "local SOA" check.
+ // Some cheap home gateways don't include an SOA record in the authority section when
+ // they send negative responses, so we don't know how long to cache the negative result.
+ // Because we don't want to keep hitting the root name servers with our query to find
+ // if we're on a network using Microsoft Active Directory using "local" as a private
+ // internal top-level domain, we make sure to cache the negative result for at least one day.
+ if (q.qtype == kDNSType_SOA && SameDomainName(&q.qname, &localdomain)) negttl = 60 * 60 * 24;
+
+ // If we're going to make (or update) a negative entry, then look for the appropriate TTL from the SOA record
+ if (response->h.numAuthorities && (ptr = LocateAuthorities(response, end)) != mDNSNULL)
+ {
+ ptr = GetLargeResourceRecord(m, response, ptr, end, InterfaceID, kDNSRecordTypePacketAuth, &m->rec);
+ if (ptr && m->rec.r.resrec.RecordType != kDNSRecordTypePacketNegative && m->rec.r.resrec.rrtype == kDNSType_SOA)
+ {
+ const mDNSu32 s = HashSlot(m->rec.r.resrec.name);
+ CacheGroup *cgSOA = CacheGroupForRecord(m, s, &m->rec.r.resrec);
+ const rdataSOA *const soa = (const rdataSOA *)m->rec.r.resrec.rdata->u.data;
+ mDNSu32 ttl_s = soa->min;
+ // We use the lesser of the SOA.MIN field and the SOA record's TTL, *except*
+ // for the SOA record for ".", where the record is reported as non-cacheable
+ // (TTL zero) for some reason, so in this case we just take the SOA record's TTL as-is
+ if (ttl_s > m->rec.r.resrec.rroriginalttl && m->rec.r.resrec.name->c[0])
+ ttl_s = m->rec.r.resrec.rroriginalttl;
+ if (negttl < ttl_s) negttl = ttl_s;
+
+ // Create the SOA record as we may have to return this to the questions
+ // that we are acting as a proxy for currently or in the future.
+ SOARecord = CreateNewCacheEntry(m, s, cgSOA, 1, mDNSfalse, mDNSNULL);
+
+ // Special check for SOA queries: If we queried for a.b.c.d.com, and got no answer,
+ // with an Authority Section SOA record for d.com, then this is a hint that the authority
+ // is d.com, and consequently SOA records b.c.d.com and c.d.com don't exist either.
+ // To do this we set the repeat count so the while loop below will make a series of negative cache entries for us
+ //
+ // For ProxyQuestions, we don't do this as we need to create additional SOA records to cache them
+ // along with the negative cache record. For simplicity, we don't create the additional records.
+ if (!qptr->ProxyQuestion && q.qtype == kDNSType_SOA)
+ {
+ int qcount = CountLabels(&q.qname);
+ int scount = CountLabels(m->rec.r.resrec.name);
+ if (qcount - 1 > scount)
+ if (SameDomainName(SkipLeadingLabels(&q.qname, qcount - scount), m->rec.r.resrec.name))
+ repeat = qcount - 1 - scount;
+ }
+ }
+ m->rec.r.resrec.RecordType = 0; // Clear RecordType to show we're not still using it
+ }
+
+ // If we already had a negative entry in the cache, then we double our existing negative TTL. This is to avoid
+ // the case where the record doesn't exist (e.g. particularly for things like our lb._dns-sd._udp.<domain> query),
+ // and the server returns no SOA record (or an SOA record with a small MIN TTL) so we assume a TTL
+ // of 60 seconds, and we end up polling the server every minute for a record that doesn't exist.
+ // With this fix in place, when this happens, we double the effective TTL each time (up to one hour),
+ // so that we back off our polling rate and don't keep hitting the server continually.
+ if (neg)
+ {
+ if (negttl < neg->resrec.rroriginalttl * 2)
+ negttl = neg->resrec.rroriginalttl * 2;
+ if (negttl > 3600)
+ negttl = 3600;
+ }
+
+ negttl = GetEffectiveTTL(LLQType, negttl); // Add 25% grace period if necessary
+
+ // If we already had a negative cache entry just update it, else make one or more new negative cache entries.
+ if (neg)
+ {
+ LogInfo("mDNSCoreReceiveNoUnicastAnswers: Renewing negative TTL from %d to %d %s", neg->resrec.rroriginalttl, negttl, CRDisplayString(m, neg));
+ RefreshCacheRecord(m, neg, negttl);
+ // When we created the cache for the first time and answered the question, the question's
+ // interval was set to MaxQuestionInterval. If the cache is about to expire and we are resending
+ // the queries, the interval should still be at MaxQuestionInterval. If the query is being
+ // restarted (setting it to InitialQuestionInterval) for other reasons e.g., wakeup,
+ // we should reset its question interval here to MaxQuestionInterval.
+ ResetQuestionState(m, qptr);
+ if (DNSSECQuestion(qptr))
+ neg->CRDNSSECQuestion = 1;
+ // Update the NSEC records again.
+ // TBD: Need to purge and revalidate if the cached NSECS and the new set are not same.
+ if (NSECRecords)
+ {
+ if (!AddNSECSForCacheRecord(m, NSECRecords, neg, rcode))
+ {
+ // We might just have an SOA record for zones that are not signed and hence don't log
+ // this as an error
+ LogInfo("mDNSCoreReceiveNoUnicastAnswers: AddNSECSForCacheRecord failed to add NSEC for negcr %s during refresh", CRDisplayString(m, neg));
+ FreeNSECRecords(m, NSECRecords);
+ neg->CRDNSSECQuestion = 0;
+ }
+ NSECRecords = mDNSNULL;
+ }
+ if (SOARecord)
+ {
+ if (neg->soa)
+ ReleaseCacheRecord(m, neg->soa);
+ neg->soa = SOARecord;
+ SOARecord = mDNSNULL;
+ }
+ }
+ else while (1)
+ {
+ CacheRecord *negcr;
+ debugf("mDNSCoreReceiveNoUnicastAnswers making negative cache entry TTL %d for %##s (%s)", negttl, name->c, DNSTypeName(q.qtype));
+ MakeNegativeCacheRecord(m, &m->rec.r, name, hash, q.qtype, q.qclass, negttl, mDNSInterface_Any, qptr->qDNSServer);
+ m->rec.r.responseFlags = response->h.flags;
+ // We create SOA records above which might create new cache groups. Earlier
+ // in the function we looked up the cache group for the name and it could have
+ // been NULL. If we pass NULL cg to new cache entries that we create below,
+ // it will create additional cache groups for the same name. To avoid that,
+ // look up the cache group again to re-initialize cg again.
+ cg = CacheGroupForName(m, slot, hash, name);
+ if (NSECRecords && DNSSECQuestion(qptr))
+ {
+ // Create the cache entry with delay and then add the NSEC records
+ // to it and add it immediately.
+ negcr = CreateNewCacheEntry(m, slot, cg, 1, mDNStrue, mDNSNULL);
+ if (negcr)
+ {
+ negcr->CRDNSSECQuestion = 0;
+ if (!AddNSECSForCacheRecord(m, NSECRecords, negcr, rcode))
+ {
+ LogInfo("mDNSCoreReceiveNoUnicastAnswers: AddNSECSForCacheRecord failed to add NSEC for negcr %s",
+ CRDisplayString(m, negcr));
+ FreeNSECRecords(m, NSECRecords);
+ }
+ else
+ {
+ negcr->CRDNSSECQuestion = 1;
+ LogInfo("mDNSCoreReceiveNoUnicastAnswers: AddNSECSForCacheRecord added neg NSEC for %s", CRDisplayString(m, negcr));
+ }
+ NSECRecords = mDNSNULL;
+ negcr->DelayDelivery = 0;
+ CacheRecordDeferredAdd(m, negcr);
+ }
+ m->rec.r.resrec.RecordType = 0; // Clear RecordType to show we're not still using it
+ break;
+ }
+ else
+ {
+ // Need to add with a delay so that we can tag the SOA record
+ negcr = CreateNewCacheEntry(m, slot, cg, 1, mDNStrue, mDNSNULL);
+ if (negcr)
+ {
+ negcr->CRDNSSECQuestion = 0;
+ if (DNSSECQuestion(qptr))
+ negcr->CRDNSSECQuestion = 1;
+ negcr->DelayDelivery = 0;
+
+ if (SOARecord)
+ {
+ if (negcr->soa)
+ ReleaseCacheRecord(m, negcr->soa);
+ negcr->soa = SOARecord;
+ SOARecord = mDNSNULL;
+ }
+ CacheRecordDeferredAdd(m, negcr);
+ }
+ }
+ m->rec.r.responseFlags = zeroID;
+ m->rec.r.resrec.RecordType = 0; // Clear RecordType to show we're not still using it
+ if (!repeat) break;
+ repeat--;
+ name = (const domainname *)(name->c + 1 + name->c[0]);
+ hash = DomainNameHashValue(name);
+ slot = HashSlot(name);
+ cg = CacheGroupForName(m, slot, hash, name);
+ }
+ }
+ }
+ }
+ }
+ if (NSECRecords) { LogInfo("mDNSCoreReceiveNoUnicastAnswers: NSECRecords not used"); FreeNSECRecords(m, NSECRecords); }
+ if (SOARecord) { LogInfo("mDNSCoreReceiveNoUnicastAnswers: SOARecord not used"); ReleaseCacheRecord(m, SOARecord); }
+}
+
+mDNSlocal void mDNSCorePrintStoredProxyRecords(mDNS *const m)
+{
+ AuthRecord *rrPtr = mDNSNULL;
+ LogSPS("Stored Proxy records :");
+ for (rrPtr = m->SPSRRSet; rrPtr; rrPtr = rrPtr->next)
+ {
+ LogSPS("%s", ARDisplayString(m, rrPtr));
+ }
+}
+
+mDNSlocal mDNSBool mDNSCoreRegisteredProxyRecord(mDNS *const m, AuthRecord *rr)
+{
+ AuthRecord *rrPtr = mDNSNULL;
+
+ for (rrPtr = m->SPSRRSet; rrPtr; rrPtr = rrPtr->next)
+ {
+ if (IdenticalResourceRecord(&rrPtr->resrec, &rr->resrec))
+ {
+ LogSPS("mDNSCoreRegisteredProxyRecord: Ignoring packet registered with sleep proxy : %s ", ARDisplayString(m, rr));
+ return mDNStrue;
+ }
+ }
+ mDNSCorePrintStoredProxyRecords(m);
+ return mDNSfalse;
+}
+
+mDNSlocal CacheRecord* mDNSCoreReceiveCacheCheck(mDNS *const m, const DNSMessage *const response, uDNS_LLQType LLQType,
+ const mDNSu32 slot, CacheGroup *cg, DNSQuestion *unicastQuestion, CacheRecord ***cfp, CacheRecord **NSECCachePtr,
+ mDNSInterfaceID InterfaceID)
+{
+ CacheRecord *rr;
+ CacheRecord **cflocal = *cfp;
+
+ for (rr = cg ? cg->members : mDNSNULL; rr; rr=rr->next)
+ {
+ mDNSBool match;
+ // Resource record received via unicast, the resGroupID should match ?
+ if (!InterfaceID)
+ {
+ mDNSu16 id1 = (rr->resrec.rDNSServer ? rr->resrec.rDNSServer->resGroupID : 0);
+ mDNSu16 id2 = (m->rec.r.resrec.rDNSServer ? m->rec.r.resrec.rDNSServer->resGroupID : 0);
+ match = (id1 == id2);
+ }
+ else
+ match = (rr->resrec.InterfaceID == InterfaceID);
+ // If we found this exact resource record, refresh its TTL
+ if (match && IdenticalSameNameRecord(&m->rec.r.resrec, &rr->resrec))
+ {
+ if (m->rec.r.resrec.rdlength > InlineCacheRDSize)
+ verbosedebugf("mDNSCoreReceiveCacheCheck: Found record size %5d interface %p already in cache: %s",
+ m->rec.r.resrec.rdlength, InterfaceID, CRDisplayString(m, &m->rec.r));
+
+ if (m->rec.r.resrec.RecordType & kDNSRecordTypePacketUniqueMask)
+ {
+ // If this packet record has the kDNSClass_UniqueRRSet flag set, then add it to our cache flushing list
+ if (rr->NextInCFList == mDNSNULL && *cfp != &rr->NextInCFList && LLQType != uDNS_LLQ_Events)
+ {
+ *cflocal = rr;
+ cflocal = &rr->NextInCFList;
+ *cflocal = (CacheRecord*)1;
+ *cfp = &rr->NextInCFList;
+ }
+
+ // If this packet record is marked unique, and our previous cached copy was not, then fix it
+ if (!(rr->resrec.RecordType & kDNSRecordTypePacketUniqueMask))
+ {
+ DNSQuestion *q;
+ for (q = m->Questions; q; q=q->next)
+ {
+ if (ResourceRecordAnswersQuestion(&rr->resrec, q))
+ q->UniqueAnswers++;
+ }
+ rr->resrec.RecordType = m->rec.r.resrec.RecordType;
+ }
+ }
+
+ if (!SameRDataBody(&m->rec.r.resrec, &rr->resrec.rdata->u, SameDomainNameCS))
+ {
+ // If the rdata of the packet record differs in name capitalization from the record in our cache
+ // then mDNSPlatformMemSame will detect this. In this case, throw the old record away, so that clients get
+ // a 'remove' event for the record with the old capitalization, and then an 'add' event for the new one.
+ // <rdar://problem/4015377> mDNS -F returns the same domain multiple times with different casing
+ rr->resrec.rroriginalttl = 0;
+ rr->TimeRcvd = m->timenow;
+ rr->UnansweredQueries = MaxUnansweredQueries;
+ SetNextCacheCheckTimeForRecord(m, rr);
+ LogInfo("mDNSCoreReceiveCacheCheck: Discarding due to domainname case change old: %s", CRDisplayString(m, rr));
+ LogInfo("mDNSCoreReceiveCacheCheck: Discarding due to domainname case change new: %s", CRDisplayString(m, &m->rec.r));
+ LogInfo("mDNSCoreReceiveCacheCheck: Discarding due to domainname case change in %d slot %3d in %d %d",
+ NextCacheCheckEvent(rr) - m->timenow, slot, m->rrcache_nextcheck[slot] - m->timenow, m->NextCacheCheck - m->timenow);
+ // DO NOT break out here -- we want to continue as if we never found it
+ }
+ else if (!IdenticalAnonInfo(m->rec.r.resrec.AnonInfo, rr->resrec.AnonInfo))
+ {
+ // If the NSEC3 record changed, a few possibilities
+ //
+ // 1) the peer reinitialized e.g., after network change and still part of the
+ // same set.
+ // 2) the peer went to a different set but we did not see the goodbyes. If we just
+ // update the nsec3 record, it would be incorrect. Flush the cache so that we
+ // can deliver a RMV followed by ADD.
+ // 3) if the peer is ourselves and we see the goodbye when moving to a different set
+ // and so we flush the cache and create a new cache record with the new set information.
+ // Now we move back to the original set. In this case, we can't just update the
+ // NSEC3 record alone. We need to flush so that we can deliver an RMV followed by ADD
+ // when we create the new cache entry.
+ //
+ // Note: For case (1), we could avoid flushing the cache but we can't tell the difference
+ // from the other cases.
+ rr->resrec.rroriginalttl = 0;
+ rr->TimeRcvd = m->timenow;
+ rr->UnansweredQueries = MaxUnansweredQueries;
+ SetNextCacheCheckTimeForRecord(m, rr);
+ LogInfo("mDNSCoreReceiveCacheCheck: AnonInfo changed for %s", CRDisplayString(m, rr));
+ // DO NOT break out here -- we want to continue as if we never found it. When we return
+ // from this function, we will create a new cache entry with the new NSEC3 record
+ }
+ else if (m->rec.r.resrec.rroriginalttl > 0)
+ {
+ DNSQuestion *q;
+
+ m->mDNSStats.CacheRefreshed++;
+
+ if (rr->resrec.rroriginalttl == 0) debugf("uDNS rescuing %s", CRDisplayString(m, rr));
+ RefreshCacheRecord(m, rr, m->rec.r.resrec.rroriginalttl);
+ rr->responseFlags = response->h.flags;
+
+ // If we may have NSEC records returned with the answer (which we don't know yet as it
+ // has not been processed), we need to cache them along with the first cache
+ // record in the list that answers the question so that it can be used for validation
+ // later. The "type" check below is to make sure that we cache on the cache record
+ // that would answer the question. It is possible that we might cache additional things
+ // e.g., MX question might cache A records also, and we want to cache the NSEC on
+ // the record that answers the question.
+ if (response->h.numAnswers && unicastQuestion && unicastQuestion->qtype == rr->resrec.rrtype
+ && !(*NSECCachePtr))
+ {
+ LogInfo("mDNSCoreReceiveCacheCheck: rescuing RR %s", CRDisplayString(m, rr));
+ *NSECCachePtr = rr;
+ }
+ // We have to reset the question interval to MaxQuestionInterval so that we don't keep
+ // polling the network once we get a valid response back. For the first time when a new
+ // cache entry is created, AnswerCurrentQuestionWithResourceRecord does that.
+ // Subsequently, if we reissue questions from within the mDNSResponder e.g., DNS server
+ // configuration changed, without flushing the cache, we reset the question interval here.
+ // Currently, we do this for for both multicast and unicast questions as long as the record
+ // type is unique. For unicast, resource record is always unique and for multicast it is
+ // true for records like A etc. but not for PTR.
+ if (rr->resrec.RecordType & kDNSRecordTypePacketUniqueMask)
+ {
+ for (q = m->Questions; q; q=q->next)
+ {
+ if (!q->DuplicateOf && !q->LongLived &&
+ ActiveQuestion(q) && ResourceRecordAnswersQuestion(&rr->resrec, q))
+ {
+ ResetQuestionState(m, q);
+ debugf("mDNSCoreReceiveCacheCheck: Set MaxQuestionInterval for %p %##s (%s)", q, q->qname.c, DNSTypeName(q->qtype));
+ break; // Why break here? Aren't there other questions we might want to look at?-- SC July 2010
+ }
+ }
+ }
+ break;
+ }
+ else
+ {
+
+ // If the packet TTL is zero, that means we're deleting this record.
+ // To give other hosts on the network a chance to protest, we push the deletion
+ // out one second into the future. Also, we set UnansweredQueries to MaxUnansweredQueries.
+ // Otherwise, we'll do final queries for this record at 80% and 90% of its apparent
+ // lifetime (800ms and 900ms from now) which is a pointless waste of network bandwidth.
+ // If record's current expiry time is more than a second from now, we set it to expire in one second.
+ // If the record is already going to expire in less than one second anyway, we leave it alone --
+ // we don't want to let the goodbye packet *extend* the record's lifetime in our cache.
+ debugf("DE for %s", CRDisplayString(m, rr));
+ if (RRExpireTime(rr) - m->timenow > mDNSPlatformOneSecond)
+ {
+ rr->resrec.rroriginalttl = 1;
+ rr->TimeRcvd = m->timenow;
+ rr->UnansweredQueries = MaxUnansweredQueries;
+ SetNextCacheCheckTimeForRecord(m, rr);
+ }
+ break;
+ }
+ }
+ }
+ return rr;
+}
+
+mDNSlocal void mDNSParseNSEC3Records(mDNS *const m, const DNSMessage *const response, const mDNSu8 *end,
+ const mDNSInterfaceID InterfaceID, CacheRecord **NSEC3Records)
+{
+ const mDNSu8 *ptr = response->data;
+ CacheRecord *rr;
+ int i;
+
+ if (!response->h.numAuthorities)
+ return;
+ ptr = LocateAuthorities(response, end);
+ if (!ptr)
+ {
+ LogInfo("mDNSParseNSEC3Records: ERROR can't locate authorities");
+ return;
+ }
+ for (i = 0; i < response->h.numAuthorities && ptr && ptr < end; i++)
+ {
+ mDNSu32 slot;
+ CacheGroup *cg;
+
+ ptr = GetLargeResourceRecord(m, response, ptr, end, InterfaceID, kDNSRecordTypePacketAuth, &m->rec);
+ if (!ptr || m->rec.r.resrec.RecordType == kDNSRecordTypePacketNegative || m->rec.r.resrec.rrtype != kDNSType_NSEC3)
+ {
+ debugf("mDNSParseNSEC3Records: ptr %p, Record %s, ignoring", ptr, CRDisplayString(m, &m->rec.r));
+ m->rec.r.resrec.RecordType = 0;
+ continue;
+ }
+ slot = HashSlot(m->rec.r.resrec.name);
+ cg = CacheGroupForRecord(m, slot, &m->rec.r.resrec);
+ // Create the cache entry but don't add it to the cache it. We need
+ // to cache this along with the main cache record.
+ rr = CreateNewCacheEntry(m, slot, cg, 0, mDNSfalse, mDNSNULL);
+ if (rr)
+ {
+ debugf("mDNSParseNSEC3Records: %s", CRDisplayString(m, rr));
+ *NSEC3Records = rr;
+ NSEC3Records = &rr->next;
+ }
+ m->rec.r.resrec.RecordType = 0; // Clear RecordType to show we're not still using it
+ }
+}
+
+mDNSlocal void mDNSCoreResetRecord(mDNS *const m)
+{
+ m->rec.r.resrec.RecordType = 0; // Clear RecordType to show we're not still using it
+ if (m->rec.r.resrec.AnonInfo)
+ {
+ FreeAnonInfo(m->rec.r.resrec.AnonInfo);
+ m->rec.r.resrec.AnonInfo = mDNSNULL;
+ }
+}
+
+#define DEVICE_INFO_RECORD_LABELS 4
+
+// Determine if the record is an instance of _device-info._tcp.local.
+mDNSlocal mDNSBool IsDeviceInfoRecord(const domainname *d)
+{
+ const domainname *afterInstance;
+
+ if (CountLabels(d) != DEVICE_INFO_RECORD_LABELS)
+ return mDNSfalse;
+
+ // skip the instance name
+ afterInstance = SkipLeadingLabels(d, 1);
+ if (SameDomainName(afterInstance, &LocalDeviceInfoName))
+ return mDNStrue;
+
+ return mDNSfalse;
+}
+
+// Note: mDNSCoreReceiveResponse calls mDNS_Deregister_internal which can call a user callback, which may change
+// the record list and/or question list.
+// Any code walking either list must use the CurrentQuestion and/or CurrentRecord mechanism to protect against this.
+// InterfaceID non-NULL tells us the interface this multicast response was received on
+// InterfaceID NULL tells us this was a unicast response
+// dstaddr NULL tells us we received this over an outgoing TCP connection we made
+mDNSlocal void mDNSCoreReceiveResponse(mDNS *const m,
+ const DNSMessage *const response, const mDNSu8 *end,
+ const mDNSAddr *srcaddr, const mDNSIPPort srcport, const mDNSAddr *dstaddr, mDNSIPPort dstport,
+ const mDNSInterfaceID InterfaceID)
+{
+ int i;
+ mDNSBool myself;
+ mDNSBool ResponseMCast = dstaddr && mDNSAddrIsDNSMulticast(dstaddr);
+ mDNSBool ResponseSrcLocal = !srcaddr || mDNS_AddressIsLocalSubnet(m, InterfaceID, srcaddr, &myself);
+ DNSQuestion *llqMatch = mDNSNULL;
+ DNSQuestion *unicastQuestion = mDNSNULL;
+ uDNS_LLQType LLQType = uDNS_recvLLQResponse(m, response, end, srcaddr, srcport, &llqMatch);
+
+ // "(CacheRecord*)1" is a special (non-zero) end-of-list marker
+ // We use this non-zero marker so that records in our CacheFlushRecords list will always have NextInCFList
+ // set non-zero, and that tells GetCacheEntity() that they're not, at this moment, eligible for recycling.
+ CacheRecord *CacheFlushRecords = (CacheRecord*)1;
+ CacheRecord **cfp = &CacheFlushRecords;
+ CacheRecord *NSECRecords = mDNSNULL;
+ CacheRecord *NSECCachePtr = mDNSNULL;
+ CacheRecord **nsecp = &NSECRecords;
+ CacheRecord *McastNSEC3Records = mDNSNULL;
+ mDNSBool nseclist;
+ mDNSu8 rcode = '\0';
+ mDNSBool rrsigsCreated = mDNSfalse;
+ mDNSBool DNSSECQuestion = mDNSfalse;
+ mDNSBool recordAccepted = mDNSfalse;
+ NetworkInterfaceInfo *llintf = FirstIPv4LLInterfaceForID(m, InterfaceID);
+
+ // All records in a DNS response packet are treated as equally valid statements of truth. If we want
+ // to guard against spoof responses, then the only credible protection against that is cryptographic
+ // security, e.g. DNSSEC., not worring about which section in the spoof packet contained the record
+ int firstauthority = response->h.numAnswers;
+ int firstadditional = firstauthority + response->h.numAuthorities;
+ int totalrecords = firstadditional + response->h.numAdditionals;
+ const mDNSu8 *ptr = response->data;
+ DNSServer *uDNSServer = mDNSNULL;
+
+ debugf("Received Response from %#-15a addressed to %#-15a on %p with "
+ "%2d Question%s %2d Answer%s %2d Authorit%s %2d Additional%s %d bytes LLQType %d",
+ srcaddr, dstaddr, InterfaceID,
+ response->h.numQuestions, response->h.numQuestions == 1 ? ", " : "s,",
+ response->h.numAnswers, response->h.numAnswers == 1 ? ", " : "s,",
+ response->h.numAuthorities, response->h.numAuthorities == 1 ? "y, " : "ies,",
+ response->h.numAdditionals, response->h.numAdditionals == 1 ? " " : "s", end - response->data, LLQType);
+
+ // According to RFC 2181 <http://www.ietf.org/rfc/rfc2181.txt>
+ // When a DNS client receives a reply with TC
+ // set, it should ignore that response, and query again, using a
+ // mechanism, such as a TCP connection, that will permit larger replies.
+ // It feels wrong to be throwing away data after the network went to all the trouble of delivering it to us, but
+ // delivering some records of the RRSet first and then the remainder a couple of milliseconds later was causing
+ // failures in our Microsoft Active Directory client, which expects to get the entire set of answers at once.
+ // <rdar://problem/6690034> Can't bind to Active Directory
+ // In addition, if the client immediately canceled its query after getting the initial partial response, then we'll
+ // abort our TCP connection, and not complete the operation, and end up with an incomplete RRSet in our cache.
+ // Next time there's a query for this RRSet we'll see answers in our cache, and assume we have the whole RRSet already,
+ // and not even do the TCP query.
+ // Accordingly, if we get a uDNS reply with kDNSFlag0_TC set, we bail out and wait for the TCP response containing the entire RRSet.
+ if (!InterfaceID && (response->h.flags.b[0] & kDNSFlag0_TC)) return;
+
+ if (LLQType == uDNS_LLQ_Ignore) return;
+
+ // 1. We ignore questions (if any) in mDNS response packets
+ // 2. If this is an LLQ response, we handle it much the same
+ // 3. If we get a uDNS UDP response with the TC (truncated) bit set, then we can't treat this
+ // answer as being the authoritative complete RRSet, and respond by deleting all other
+ // matching cache records that don't appear in this packet.
+ // Otherwise, this is a authoritative uDNS answer, so arrange for any stale records to be purged
+ if (ResponseMCast || LLQType == uDNS_LLQ_Events || (response->h.flags.b[0] & kDNSFlag0_TC))
+ ptr = LocateAnswers(response, end);
+ // Otherwise, for one-shot queries, any answers in our cache that are not also contained
+ // in this response packet are immediately deemed to be invalid.
+ else
+ {
+ mDNSBool failure, returnEarly;
+ rcode = (mDNSu8)(response->h.flags.b[1] & kDNSFlag1_RC_Mask);
+ failure = !(rcode == kDNSFlag1_RC_NoErr || rcode == kDNSFlag1_RC_NXDomain || rcode == kDNSFlag1_RC_NotAuth);
+ returnEarly = mDNSfalse;
+ // We could possibly combine this with the similar loop at the end of this function --
+ // instead of tagging cache records here and then rescuing them if we find them in the answer section,
+ // we could instead use the "m->PktNum" mechanism to tag each cache record with the packet number in
+ // which it was received (or refreshed), and then at the end if we find any cache records which
+ // answer questions in this packet's question section, but which aren't tagged with this packet's
+ // packet number, then we deduce they are old and delete them
+ for (i = 0; i < response->h.numQuestions && ptr && ptr < end; i++)
+ {
+ DNSQuestion q, *qptr = mDNSNULL;
+ ptr = getQuestion(response, ptr, end, InterfaceID, &q);
+ if (ptr && (qptr = ExpectingUnicastResponseForQuestion(m, dstport, response->h.id, &q, !dstaddr)))
+ {
+ if (!failure)
+ {
+ CacheRecord *rr;
+ // Remember the unicast question that we found, which we use to make caching
+ // decisions later on in this function
+ const mDNSu32 slot = HashSlot(&q.qname);
+ CacheGroup *cg = CacheGroupForName(m, slot, q.qnamehash, &q.qname);
+ if (!mDNSOpaque16IsZero(response->h.id))
+ {
+ unicastQuestion = qptr;
+ if (qptr->qDNSServer && DNSSECQuestion(qptr))
+ {
+ LogInfo("mDNSCoreReceiveResponse: Setting aware for %##s (%s) on %#a", qptr->qname.c,
+ DNSTypeName(qptr->qtype), &qptr->qDNSServer->addr);
+ qptr->qDNSServer->DNSSECAware = mDNStrue;
+ qptr->qDNSServer->req_DO = mDNStrue;
+ }
+ if (qptr->ValidatingResponse)
+ DNSSECQuestion = mDNStrue;
+ }
+ for (rr = cg ? cg->members : mDNSNULL; rr; rr=rr->next)
+ if (SameNameRecordAnswersQuestion(&rr->resrec, qptr))
+ {
+ debugf("uDNS marking %p %##s (%s) %p %s", q.InterfaceID, q.qname.c, DNSTypeName(q.qtype),
+ rr->resrec.InterfaceID, CRDisplayString(m, rr));
+ // Don't want to disturb rroriginalttl here, because code below might need it for the exponential backoff doubling algorithm
+ rr->TimeRcvd = m->timenow - TicksTTL(rr) - 1;
+ rr->UnansweredQueries = MaxUnansweredQueries;
+ rr->CRDNSSECQuestion = 0;
+ if (unicastQuestion && DNSSECQuestion(unicastQuestion))
+ {
+ LogInfo("mDNSCoreReceiveResponse: CRDNSSECQuestion set for record %s, question %##s (%s)", CRDisplayString(m, rr),
+ unicastQuestion->qname.c, DNSTypeName(unicastQuestion->qtype));
+ rr->CRDNSSECQuestion = 1;
+ }
+ }
+ }
+ else
+ {
+ if (qptr)
+ {
+ // If we recv any error from the DNSServer for a DNSSEC Query and if we know that the server
+ // is not DNSSEC aware, stop doing DNSSEC for that DNSServer. Note that by setting the
+ // req_DO to false here, the next retransmission for this question will turn off validation
+ // and hence retransmit without the EDNS0/DOK option.
+ if (DNSSECOptionalQuestion(qptr) && qptr->qDNSServer && !qptr->qDNSServer->DNSSECAware)
+ {
+ LogInfo("mDNSCoreReceiveResponse: Server %p responded with code %d to DNSSEC Query %##s (%s), clear DO flag",
+ qptr->qDNSServer, rcode, q.qname.c, DNSTypeName(q.qtype));
+ qptr->qDNSServer->req_DO = mDNSfalse;
+ }
+ // For Unicast DNS Queries, penalize the DNSServer
+ else
+ {
+ LogInfo("mDNSCoreReceiveResponse: Server %p responded with code %d to query %##s (%s)",
+ qptr->qDNSServer, rcode, q.qname.c, DNSTypeName(q.qtype));
+ PenalizeDNSServer(m, qptr, response->h.flags);
+ }
+ }
+ returnEarly = mDNStrue;
+ }
+ }
+ }
+ if (returnEarly)
+ {
+ LogInfo("Ignoring %2d Answer%s %2d Authorit%s %2d Additional%s",
+ response->h.numAnswers, response->h.numAnswers == 1 ? ", " : "s,",
+ response->h.numAuthorities, response->h.numAuthorities == 1 ? "y, " : "ies,",
+ response->h.numAdditionals, response->h.numAdditionals == 1 ? "" : "s");
+ // not goto exit because we won't have any CacheFlushRecords and we do not want to
+ // generate negative cache entries (we want to query the next server)
+ return;
+ }
+ if (unicastQuestion && DNSSECQuestion(unicastQuestion))
+ {
+ BumpDNSSECStats(m, kStatsActionSet, kStatsTypeMsgSize, (end - response->data));
+ }
+ }
+
+ // Parse the NSEC3 records from the Authority section before we process
+ // the Answer section so that we can cache them along with the proper
+ // cache records we create.
+ if (mDNSOpaque16IsZero(response->h.id))
+ mDNSParseNSEC3Records(m, response, end, InterfaceID, &McastNSEC3Records);
+
+ for (i = 0; i < totalrecords && ptr && ptr < end; i++)
+ {
+ // All responses sent via LL multicast are acceptable for caching
+ // All responses received over our outbound TCP connections are acceptable for caching
+ mDNSBool AcceptableResponse = ResponseMCast || !dstaddr || LLQType;
+ // (Note that just because we are willing to cache something, that doesn't necessarily make it a trustworthy answer
+ // to any specific question -- any code reading records from the cache needs to make that determination for itself.)
+
+ const mDNSu8 RecordType =
+ (i < firstauthority ) ? (mDNSu8)kDNSRecordTypePacketAns :
+ (i < firstadditional) ? (mDNSu8)kDNSRecordTypePacketAuth : (mDNSu8)kDNSRecordTypePacketAdd;
+ ptr = GetLargeResourceRecord(m, response, ptr, end, InterfaceID, RecordType, &m->rec);
+ if (!ptr) goto exit; // Break out of the loop and clean up our CacheFlushRecords list before exiting
+
+ if (m->rec.r.resrec.RecordType == kDNSRecordTypePacketNegative)
+ {
+ mDNSCoreResetRecord(m);
+ continue;
+ }
+
+ // We have already parsed the NSEC3 records and cached them approrpriately for
+ // multicast responses.
+ if (mDNSOpaque16IsZero(response->h.id) && m->rec.r.resrec.rrtype == kDNSType_NSEC3)
+ {
+ mDNSCoreResetRecord(m);
+ continue;
+ }
+ // Don't want to cache OPT or TSIG pseudo-RRs
+ if (m->rec.r.resrec.rrtype == kDNSType_TSIG)
+ {
+ mDNSCoreResetRecord(m);
+ continue;
+ }
+ if (m->rec.r.resrec.rrtype == kDNSType_OPT)
+ {
+ const rdataOPT *opt;
+ const rdataOPT *const e = (const rdataOPT *)&m->rec.r.resrec.rdata->u.data[m->rec.r.resrec.rdlength];
+ // Find owner sub-option(s). We verify that the MAC is non-zero, otherwise we could inadvertently
+ // delete all our own AuthRecords (which are identified by having zero MAC tags on them).
+ for (opt = &m->rec.r.resrec.rdata->u.opt[0]; opt < e; opt++)
+ if (opt->opt == kDNSOpt_Owner && opt->u.owner.vers == 0 && opt->u.owner.HMAC.l[0])
+ {
+ ClearProxyRecords(m, &opt->u.owner, m->DuplicateRecords);
+ ClearProxyRecords(m, &opt->u.owner, m->ResourceRecords);
+ }
+ mDNSCoreResetRecord(m);
+ continue;
+ }
+ // if a CNAME record points to itself, then don't add it to the cache
+ if ((m->rec.r.resrec.rrtype == kDNSType_CNAME) && SameDomainName(m->rec.r.resrec.name, &m->rec.r.resrec.rdata->u.name))
+ {
+ LogInfo("mDNSCoreReceiveResponse: CNAME loop domain name %##s", m->rec.r.resrec.name->c);
+ mDNSCoreResetRecord(m);
+ continue;
+ }
+
+ // When we receive uDNS LLQ responses, we assume a long cache lifetime --
+ // In the case of active LLQs, we'll get remove events when the records actually do go away
+ // In the case of polling LLQs, we assume the record remains valid until the next poll
+ if (!mDNSOpaque16IsZero(response->h.id))
+ m->rec.r.resrec.rroriginalttl = GetEffectiveTTL(LLQType, m->rec.r.resrec.rroriginalttl);
+
+ // If response was not sent via LL multicast,
+ // then see if it answers a recent query of ours, which would also make it acceptable for caching.
+ if (!ResponseMCast)
+ {
+ if (LLQType)
+ {
+ // For Long Lived queries that are both sent over UDP and Private TCP, LLQType is set.
+ // Even though it is AcceptableResponse, we need a matching DNSServer pointer for the
+ // queries to get ADD/RMV events. To lookup the question, we can't use
+ // ExpectingUnicastResponseForRecord as the port numbers don't match. uDNS_recvLLQRespose
+ // has already matched the question using the 64 bit Id in the packet and we use that here.
+
+ if (llqMatch != mDNSNULL) m->rec.r.resrec.rDNSServer = uDNSServer = llqMatch->qDNSServer;
+
+ // If this is a DNSSEC question that is also LongLived, don't accept records from the
+ // Additional/Authority section blindly. We need to go through IsAcceptableResponse below
+ // so that NSEC/NSEC3 record are cached in the nseclist if we accept them. This can happen
+ // for both negative responses and wildcard expanded positive responses as both of come
+ // back with NSEC/NSEC3s.
+ if (unicastQuestion && DNSSECQuestion(unicastQuestion))
+ AcceptableResponse = mDNSfalse;
+ }
+ else if (!AcceptableResponse || !dstaddr)
+ {
+ // For responses that come over TCP (Responses that can't fit within UDP) or TLS (Private queries
+ // that are not long lived e.g., AAAA lookup in a Private domain), it is indicated by !dstaddr.
+ // Even though it is AcceptableResponse, we still need a DNSServer pointer for the resource records that
+ // we create.
+
+ if (!mDNSOpaque16IsZero(response->h.id))
+ {
+ DNSQuestion *q = ExpectingUnicastResponseForRecord(m, srcaddr, ResponseSrcLocal, dstport, response->h.id, &m->rec.r, !dstaddr);
+
+ // Initialize the DNS server on the resource record which will now filter what questions we answer with
+ // this record.
+ //
+ // We could potentially lookup the DNS server based on the source address, but that may not work always
+ // and that's why ExpectingUnicastResponseForRecord does not try to verify whether the response came
+ // from the DNS server that queried. We follow the same logic here. If we can find a matching quetion based
+ // on the "id" and "source port", then this response answers the question and assume the response
+ // came from the same DNS server that we sent the query to.
+
+ if (q != mDNSNULL)
+ {
+ AcceptableResponse = mDNStrue;
+ if (!InterfaceID)
+ {
+ debugf("mDNSCoreReceiveResponse: InterfaceID %p %##s (%s)", q->InterfaceID, q->qname.c, DNSTypeName(q->qtype));
+ m->rec.r.resrec.rDNSServer = uDNSServer = q->qDNSServer;
+ }
+ else
+ LogInfo("mDNSCoreReceiveResponse: InterfaceID %p %##s (%s)", q->InterfaceID, q->qname.c, DNSTypeName(q->qtype));
+ }
+ else
+ {
+ // If we can't find a matching question, we need to see whether we have seen records earlier that matched
+ // the question. The code below does that. So, make this record unacceptable for now
+ if (!InterfaceID)
+ {
+ debugf("mDNSCoreReceiveResponse: Can't find question for record name %##s", m->rec.r.resrec.name->c);
+ AcceptableResponse = mDNSfalse;
+ }
+ }
+ }
+ else if (ExpectingMulticastResponseForRecord(m, &m->rec.r, srcaddr, recordAccepted, &McastNSEC3Records))
+ {
+ recordAccepted = mDNStrue;
+ AcceptableResponse = mDNStrue;
+ LogInfo("mDNSCoreReceiveResponse: Accepting record in response to QU question %s, InterfaceID %p", CRDisplayString(m, &m->rec.r),
+ InterfaceID);
+ }
+ else if (IsDeviceInfoRecord(m->rec.r.resrec.name))
+ {
+ recordAccepted = mDNStrue;
+ AcceptableResponse = mDNStrue;
+ LogInfo("mDNSCoreReceiveResponse: Accepting _device-info record %s, InterfaceID %p",
+ CRDisplayString(m, &m->rec.r), InterfaceID);
+ }
+ }
+ }
+ else if (llintf && llintf->IgnoreIPv4LL && m->rec.r.resrec.rrtype == kDNSType_A)
+ {
+ CacheRecord *const rr = &m->rec.r;
+ RDataBody2 *const rdb = (RDataBody2 *)rr->smallrdatastorage.data;
+
+ // If we are supposed to ignore link-local addresses on this interface, drop
+ // all "A" records that have link-local address in them.
+ if (mDNSv4AddressIsLinkLocal(&rdb->ipv4))
+ {
+ LogInfo("mDNSResponder: Dropping LinkLocal packet %s", CRDisplayString(m, &m->rec.r));
+ mDNSCoreResetRecord(m);
+ continue;
+ }
+ }
+
+ // 1. Check that this packet resource record does not conflict with any of ours
+ if (mDNSOpaque16IsZero(response->h.id) && m->rec.r.resrec.rrtype != kDNSType_NSEC)
+ {
+ if (m->CurrentRecord)
+ LogMsg("mDNSCoreReceiveResponse ERROR m->CurrentRecord already set %s", ARDisplayString(m, m->CurrentRecord));
+ m->CurrentRecord = m->ResourceRecords;
+ while (m->CurrentRecord)
+ {
+ AuthRecord *rr = m->CurrentRecord;
+ m->CurrentRecord = rr->next;
+ // We accept all multicast responses, and unicast responses resulting from queries we issued
+ // For other unicast responses, this code accepts them only for responses with an
+ // (apparently) local source address that pertain to a record of our own that's in probing state
+ if (!AcceptableResponse && !(ResponseSrcLocal && rr->resrec.RecordType == kDNSRecordTypeUnique)) continue;
+
+ if (PacketRRMatchesSignature(&m->rec.r, rr)) // If interface, name, type (if shared record) and class match...
+ {
+ // ... check to see if type and rdata are identical
+ if (IdenticalSameNameRecord(&m->rec.r.resrec, &rr->resrec))
+ {
+ // If the RR in the packet is identical to ours, just check they're not trying to lower the TTL on us
+ if (m->rec.r.resrec.rroriginalttl >= rr->resrec.rroriginalttl/2 || m->SleepState)
+ {
+ // If we were planning to send on this -- and only this -- interface, then we don't need to any more
+ if (rr->ImmedAnswer == InterfaceID) { rr->ImmedAnswer = mDNSNULL; rr->ImmedUnicast = mDNSfalse; }
+ }
+ else
+ {
+ if (rr->ImmedAnswer == mDNSNULL) { rr->ImmedAnswer = InterfaceID; m->NextScheduledResponse = m->timenow; }
+ else if (rr->ImmedAnswer != InterfaceID) { rr->ImmedAnswer = mDNSInterfaceMark; m->NextScheduledResponse = m->timenow; }
+ }
+ }
+ // else, the packet RR has different type or different rdata -- check to see if this is a conflict
+ else if (m->rec.r.resrec.rroriginalttl > 0 && PacketRRConflict(m, rr, &m->rec.r))
+ {
+ LogInfo("mDNSCoreReceiveResponse: Pkt Record: %08lX %s", m->rec.r.resrec.rdatahash, CRDisplayString(m, &m->rec.r));
+ LogInfo("mDNSCoreReceiveResponse: Our Record: %08lX %s", rr->resrec.rdatahash, ARDisplayString(m, rr));
+
+ // If this record is marked DependentOn another record for conflict detection purposes,
+ // then *that* record has to be bumped back to probing state to resolve the conflict
+ if (rr->DependentOn)
+ {
+ while (rr->DependentOn) rr = rr->DependentOn;
+ LogInfo("mDNSCoreReceiveResponse: Dep Record: %08lX %s", rr->resrec.rdatahash, ARDisplayString(m, rr));
+ }
+
+ // If we've just whacked this record's ProbeCount, don't need to do it again
+ if (rr->ProbeCount > DefaultProbeCountForTypeUnique)
+ LogInfo("mDNSCoreReceiveResponse: Already reset to Probing: %s", ARDisplayString(m, rr));
+ else if (rr->ProbeCount == DefaultProbeCountForTypeUnique)
+ LogMsg("mDNSCoreReceiveResponse: Ignoring response received before we even began probing: %s", ARDisplayString(m, rr));
+ else
+ {
+ LogMsg("mDNSCoreReceiveResponse: Received from %#a:%d %s", srcaddr, mDNSVal16(srcport), CRDisplayString(m, &m->rec.r));
+ // If we'd previously verified this record, put it back to probing state and try again
+ if (rr->resrec.RecordType == kDNSRecordTypeVerified)
+ {
+ LogMsg("mDNSCoreReceiveResponse: Resetting to Probing: %s", ARDisplayString(m, rr));
+ rr->resrec.RecordType = kDNSRecordTypeUnique;
+ // We set ProbeCount to one more than the usual value so we know we've already touched this record.
+ // This is because our single probe for "example-name.local" could yield a response with (say) two A records and
+ // three AAAA records in it, and we don't want to call RecordProbeFailure() five times and count that as five conflicts.
+ // This special value is recognised and reset to DefaultProbeCountForTypeUnique in SendQueries().
+ rr->ProbeCount = DefaultProbeCountForTypeUnique + 1;
+ rr->AnnounceCount = InitialAnnounceCount;
+ InitializeLastAPTime(m, rr);
+ RecordProbeFailure(m, rr); // Repeated late conflicts also cause us to back off to the slower probing rate
+ }
+ // If we're probing for this record, we just failed
+ else if (rr->resrec.RecordType == kDNSRecordTypeUnique)
+ {
+ // Before we call deregister, check if this is a packet we registered with the sleep proxy.
+ if (!mDNSCoreRegisteredProxyRecord(m, rr))
+ {
+ LogMsg("mDNSCoreReceiveResponse: ProbeCount %d; will deregister %s", rr->ProbeCount, ARDisplayString(m, rr));
+
+ m->mDNSStats.NameConflicts++;
+ mDNS_Deregister_internal(m, rr, mDNS_Dereg_conflict);
+ }
+ }
+ // We assumed this record must be unique, but we were wrong. (e.g. There are two mDNSResponders on the
+ // same machine giving different answers for the reverse mapping record, or there are two machines on the
+ // network using the same IP address.) This is simply a misconfiguration, and there's nothing we can do
+ // to fix it -- e.g. it's not our job to be trying to change the machine's IP address. We just discard our
+ // record to avoid continued conflicts (as we do for a conflict on our Unique records) and get on with life.
+ else if (rr->resrec.RecordType == kDNSRecordTypeKnownUnique)
+ {
+ LogMsg("mDNSCoreReceiveResponse: Unexpected conflict discarding %s", ARDisplayString(m, rr));
+ m->mDNSStats.KnownUniqueNameConflicts++;
+ mDNS_Deregister_internal(m, rr, mDNS_Dereg_conflict);
+ }
+ else
+ LogMsg("mDNSCoreReceiveResponse: Unexpected record type %X %s", rr->resrec.RecordType, ARDisplayString(m, rr));
+ }
+ }
+ // Else, matching signature, different type or rdata, but not a considered a conflict.
+ // If the packet record has the cache-flush bit set, then we check to see if we
+ // have any record(s) of the same type that we should re-assert to rescue them
+ // (see note about "multi-homing and bridged networks" at the end of this function).
+ else if (m->rec.r.resrec.rrtype == rr->resrec.rrtype)
+ if ((m->rec.r.resrec.RecordType & kDNSRecordTypePacketUniqueMask) && m->timenow - rr->LastMCTime > mDNSPlatformOneSecond/2)
+ { rr->ImmedAnswer = mDNSInterfaceMark; m->NextScheduledResponse = m->timenow; }
+ }
+ }
+ }
+
+ nseclist = mDNSfalse;
+ if (!AcceptableResponse)
+ {
+ AcceptableResponse = IsResponseAcceptable(m, CacheFlushRecords, unicastQuestion, &nseclist);
+ if (AcceptableResponse) m->rec.r.resrec.rDNSServer = uDNSServer;
+ }
+
+ // 2. See if we want to add this packet resource record to our cache
+ // We only try to cache answers if we have a cache to put them in
+ // Also, we ignore any apparent attempts at cache poisoning unicast to us that do not answer any outstanding active query
+ if (!AcceptableResponse) LogInfo("mDNSCoreReceiveResponse ignoring %s", CRDisplayString(m, &m->rec.r));
+ if (m->rrcache_size && AcceptableResponse)
+ {
+ const mDNSu32 slot = HashSlot(m->rec.r.resrec.name);
+ CacheGroup *cg = CacheGroupForRecord(m, slot, &m->rec.r.resrec);
+ CacheRecord *rr = mDNSNULL;
+
+ if (McastNSEC3Records)
+ InitializeAnonInfoForCR(m, &McastNSEC3Records, &m->rec.r);
+
+ // 2a. Check if this packet resource record is already in our cache.
+ //
+ // If this record should go in the nseclist, don't look in the cache for updating it.
+ // They are supposed to be cached under the "nsec" field of the cache record for
+ // validation. Just create the cache record.
+ if (!nseclist)
+ {
+ rr = mDNSCoreReceiveCacheCheck(m, response, LLQType, slot, cg, unicastQuestion, &cfp, &NSECCachePtr, InterfaceID);
+ }
+
+ // If mDNSOppCaching is set (which affects only multicast), enable opportunistic caching in which case we cache
+ // everything that was received over multicast. Otherwise, we are selective about the caching.
+ //
+ // Cache everything that is from ourselves (that's how we answer any questions looking for them). Otherwise call
+ // ExpectingMulticastResponseForRecord which decides whether to cache this record or not.
+ //
+ if (!m->mDNSOppCaching && !rr && !myself && mDNSOpaque16IsZero(response->h.id))
+ {
+ if (!ExpectingMulticastResponseForRecord(m, &m->rec.r, srcaddr, recordAccepted, &McastNSEC3Records))
+ {
+ //LogMsg("mDNSCoreReceiveResponse: discarding %s", CRDisplayString(m, &m->rec.r));
+ mDNSCoreResetRecord(m);
+ continue;
+ }
+ else
+ {
+ recordAccepted = mDNStrue;
+ }
+ }
+
+
+ // If packet resource record not in our cache, add it now
+ // (unless it is just a deletion of a record we never had, in which case we don't care)
+ if (!rr && m->rec.r.resrec.rroriginalttl > 0)
+ {
+ const mDNSBool AddToCFList = (m->rec.r.resrec.RecordType & kDNSRecordTypePacketUniqueMask) && (LLQType != uDNS_LLQ_Events);
+ mDNSs32 delay;
+
+ if (AddToCFList)
+ delay = NonZeroTime(m->timenow + mDNSPlatformOneSecond);
+ else
+ delay = CheckForSoonToExpireRecords(m, m->rec.r.resrec.name, m->rec.r.resrec.namehash, slot, mDNSNULL);
+
+ // If unique, assume we may have to delay delivery of this 'add' event.
+ // Below, where we walk the CacheFlushRecords list, we either call CacheRecordDeferredAdd()
+ // to immediately to generate answer callbacks, or we call ScheduleNextCacheCheckTime()
+ // to schedule an mDNS_Execute task at the appropriate time.
+ rr = CreateNewCacheEntry(m, slot, cg, delay, !nseclist, srcaddr);
+ if (rr)
+ {
+ rr->responseFlags = response->h.flags;
+ // If we are not creating signatures, then we need to inform DNSSEC so that
+ // it does not wait forever. Don't do this if we got NSEC records
+ // as it indicates that this name does not exist.
+ if (rr->resrec.rrtype == kDNSType_RRSIG && !nseclist)
+ {
+ rrsigsCreated = mDNStrue;
+ }
+ // Remember whether we created a cache record in response to a DNSSEC question.
+ // This helps DNSSEC code not to reissue the question to fetch the DNSSEC records.
+ rr->CRDNSSECQuestion = 0;
+ if (unicastQuestion && DNSSECQuestion(unicastQuestion))
+ {
+ LogInfo("mDNSCoreReceiveResponse: CRDNSSECQuestion set for new record %s, question %##s (%s)", CRDisplayString(m, rr),
+ unicastQuestion->qname.c, DNSTypeName(unicastQuestion->qtype));
+ rr->CRDNSSECQuestion = 1;
+ }
+ // NSEC/NSEC3 records and its signatures are cached with the negative cache entry
+ // which we should be creating below. It is also needed in the wildcard
+ // expanded answer case and in that case it is cached along with the answer.
+ if (nseclist)
+ {
+ rr->TimeRcvd = m->timenow;
+ *nsecp = rr;
+ nsecp = &rr->next;
+ }
+ else if (AddToCFList)
+ {
+ *cfp = rr;
+ cfp = &rr->NextInCFList;
+ *cfp = (CacheRecord*)1;
+ }
+ else if (rr->DelayDelivery)
+ {
+ ScheduleNextCacheCheckTime(m, slot, rr->DelayDelivery);
+ }
+ }
+ }
+ else
+ {
+ if (rr && rr->resrec.AnonInfo && m->rec.r.resrec.AnonInfo)
+ {
+ CopyAnonInfoForCR(m, rr, &m->rec.r);
+ }
+ }
+ }
+ mDNSCoreResetRecord(m);
+ }
+
+exit:
+ mDNSCoreResetRecord(m);
+
+ // If we've just received one or more records with their cache flush bits set,
+ // then scan that cache slot to see if there are any old stale records we need to flush
+ while (CacheFlushRecords != (CacheRecord*)1)
+ {
+ CacheRecord *r1 = CacheFlushRecords, *r2;
+ const mDNSu32 slot = HashSlot(r1->resrec.name);
+ const CacheGroup *cg = CacheGroupForRecord(m, slot, &r1->resrec);
+ CacheFlushRecords = CacheFlushRecords->NextInCFList;
+ r1->NextInCFList = mDNSNULL;
+
+ // Look for records in the cache with the same signature as this new one with the cache flush
+ // bit set, and either (a) if they're fresh, just make sure the whole RRSet has the same TTL
+ // (as required by DNS semantics) or (b) if they're old, mark them for deletion in one second.
+ // We make these TTL adjustments *only* for records that still have *more* than one second
+ // remaining to live. Otherwise, a record that we tagged for deletion half a second ago
+ // (and now has half a second remaining) could inadvertently get its life extended, by either
+ // (a) if we got an explicit goodbye packet half a second ago, the record would be considered
+ // "fresh" and would be incorrectly resurrected back to the same TTL as the rest of the RRSet,
+ // or (b) otherwise, the record would not be fully resurrected, but would be reset to expire
+ // in one second, thereby inadvertently delaying its actual expiration, instead of hastening it.
+ // If this were to happen repeatedly, the record's expiration could be deferred indefinitely.
+ // To avoid this, we need to ensure that the cache flushing operation will only act to
+ // *decrease* a record's remaining lifetime, never *increase* it.
+ for (r2 = cg ? cg->members : mDNSNULL; r2; r2=r2->next)
+ {
+ mDNSu16 id1;
+ mDNSu16 id2;
+ if (!r1->resrec.InterfaceID)
+ {
+ id1 = (r1->resrec.rDNSServer ? r1->resrec.rDNSServer->resGroupID : 0);
+ id2 = (r2->resrec.rDNSServer ? r2->resrec.rDNSServer->resGroupID : 0);
+ }
+ else
+ {
+ id1 = id2 = 0;
+ }
+ // When we receive new RRSIGs e.g., for DNSKEY record, we should not flush the old
+ // RRSIGS e.g., for TXT record. To do so, we need to look at the typeCovered field of
+ // the new RRSIG that we received. Process only if the typeCovered matches.
+ if ((r1->resrec.rrtype == r2->resrec.rrtype) && (r1->resrec.rrtype == kDNSType_RRSIG))
+ {
+ rdataRRSig *rrsig1 = (rdataRRSig *)(((RDataBody2 *)(r1->resrec.rdata->u.data))->data);
+ rdataRRSig *rrsig2 = (rdataRRSig *)(((RDataBody2 *)(r2->resrec.rdata->u.data))->data);
+ if (swap16(rrsig1->typeCovered) != swap16(rrsig2->typeCovered))
+ {
+ debugf("mDNSCoreReceiveResponse: Received RRSIG typeCovered %s, found %s, not processing",
+ DNSTypeName(swap16(rrsig1->typeCovered)), DNSTypeName(swap16(rrsig2->typeCovered)));
+ continue;
+ }
+ }
+
+ // For Unicast (null InterfaceID) the resolver IDs should also match
+ if ((r1->resrec.InterfaceID == r2->resrec.InterfaceID) &&
+ (r1->resrec.InterfaceID || (id1 == id2)) &&
+ r1->resrec.rrtype == r2->resrec.rrtype &&
+ r1->resrec.rrclass == r2->resrec.rrclass)
+ {
+ // If record is recent, just ensure the whole RRSet has the same TTL (as required by DNS semantics)
+ // else, if record is old, mark it to be flushed
+ if (m->timenow - r2->TimeRcvd < mDNSPlatformOneSecond && RRExpireTime(r2) - m->timenow > mDNSPlatformOneSecond)
+ {
+ // If we find mismatched TTLs in an RRSet, correct them.
+ // We only do this for records with a TTL of 2 or higher. It's possible to have a
+ // goodbye announcement with the cache flush bit set (or a case-change on record rdata,
+ // which we treat as a goodbye followed by an addition) and in that case it would be
+ // inappropriate to synchronize all the other records to a TTL of 0 (or 1).
+ // We suppress the message for the specific case of correcting from 240 to 60 for type TXT,
+ // because certain early Bonjour devices are known to have this specific mismatch, and
+ // there's no point filling syslog with messages about something we already know about.
+ // We also don't log this for uDNS responses, since a caching name server is obliged
+ // to give us an aged TTL to correct for how long it has held the record,
+ // so our received TTLs are expected to vary in that case
+ if (r2->resrec.rroriginalttl != r1->resrec.rroriginalttl && r1->resrec.rroriginalttl > 1)
+ {
+ if (!(r2->resrec.rroriginalttl == 240 && r1->resrec.rroriginalttl == 60 && r2->resrec.rrtype == kDNSType_TXT) &&
+ mDNSOpaque16IsZero(response->h.id))
+ LogInfo("Correcting TTL from %4d to %4d for %s",
+ r2->resrec.rroriginalttl, r1->resrec.rroriginalttl, CRDisplayString(m, r2));
+ r2->resrec.rroriginalttl = r1->resrec.rroriginalttl;
+ }
+ r2->TimeRcvd = m->timenow;
+ }
+ else // else, if record is old, mark it to be flushed
+ {
+ verbosedebugf("Cache flush new %p age %d expire in %d %s", r1, m->timenow - r1->TimeRcvd, RRExpireTime(r1) - m->timenow, CRDisplayString(m, r1));
+ verbosedebugf("Cache flush old %p age %d expire in %d %s", r2, m->timenow - r2->TimeRcvd, RRExpireTime(r2) - m->timenow, CRDisplayString(m, r2));
+ // We set stale records to expire in one second.
+ // This gives the owner a chance to rescue it if necessary.
+ // This is important in the case of multi-homing and bridged networks:
+ // Suppose host X is on Ethernet. X then connects to an AirPort base station, which happens to be
+ // bridged onto the same Ethernet. When X announces its AirPort IP address with the cache-flush bit
+ // set, the AirPort packet will be bridged onto the Ethernet, and all other hosts on the Ethernet
+ // will promptly delete their cached copies of the (still valid) Ethernet IP address record.
+ // By delaying the deletion by one second, we give X a change to notice that this bridging has
+ // happened, and re-announce its Ethernet IP address to rescue it from deletion from all our caches.
+
+ // We set UnansweredQueries to MaxUnansweredQueries to avoid expensive and unnecessary
+ // final expiration queries for this record.
+
+ // If a record is deleted twice, first with an explicit DE record, then a second time by virtue of the cache
+ // flush bit on the new record replacing it, then we allow the record to be deleted immediately, without the usual
+ // one-second grace period. This improves responsiveness for mDNS_Update(), as used for things like iChat status updates.
+ // <rdar://problem/5636422> Updating TXT records is too slow
+ // We check for "rroriginalttl == 1" because we want to include records tagged by the "packet TTL is zero" check above,
+ // which sets rroriginalttl to 1, but not records tagged by the rdata case-change check, which sets rroriginalttl to 0.
+ if (r2->TimeRcvd == m->timenow && r2->resrec.rroriginalttl == 1 && r2->UnansweredQueries == MaxUnansweredQueries)
+ {
+ LogInfo("Cache flush for DE record %s", CRDisplayString(m, r2));
+ r2->resrec.rroriginalttl = 0;
+ }
+ else if (RRExpireTime(r2) - m->timenow > mDNSPlatformOneSecond)
+ {
+ // We only set a record to expire in one second if it currently has *more* than a second to live
+ // If it's already due to expire in a second or less, we just leave it alone
+ r2->resrec.rroriginalttl = 1;
+ r2->UnansweredQueries = MaxUnansweredQueries;
+ r2->TimeRcvd = m->timenow - 1;
+ // We use (m->timenow - 1) instead of m->timenow, because we use that to identify records
+ // that we marked for deletion via an explicit DE record
+ }
+ }
+ SetNextCacheCheckTimeForRecord(m, r2);
+ }
+ }
+
+ if (r1->DelayDelivery) // If we were planning to delay delivery of this record, see if we still need to
+ {
+ // If we had a unicast question for this response with at least one positive answer and we
+ // have NSECRecords, it is most likely a wildcard expanded answer. Cache the NSEC and its
+ // signatures along with the cache record which will be used for validation later. If
+ // we rescued a few records earlier in this function, then NSECCachePtr would be set. In that
+ // use that instead.
+ if (response->h.numAnswers && unicastQuestion && NSECRecords)
+ {
+ if (!NSECCachePtr)
+ {
+ LogInfo("mDNSCoreReceiveResponse: Updating NSECCachePtr to %s", CRDisplayString(m, r1));
+ NSECCachePtr = r1;
+ }
+ // Note: We need to do this before we call CacheRecordDeferredAdd as this
+ // might start the verification process which needs these NSEC records
+ if (!AddNSECSForCacheRecord(m, NSECRecords, NSECCachePtr, rcode))
+ {
+ LogInfo("mDNSCoreReceiveResponse: AddNSECSForCacheRecord failed to add NSEC for %s", CRDisplayString(m, NSECCachePtr));
+ FreeNSECRecords(m, NSECRecords);
+ }
+ NSECRecords = mDNSNULL;
+ NSECCachePtr = mDNSNULL;
+ }
+ r1->DelayDelivery = CheckForSoonToExpireRecords(m, r1->resrec.name, r1->resrec.namehash, slot, mDNSNULL);
+ // If no longer delaying, deliver answer now, else schedule delivery for the appropriate time
+ if (!r1->DelayDelivery) CacheRecordDeferredAdd(m, r1);
+ else ScheduleNextCacheCheckTime(m, slot, r1->DelayDelivery);
+ }
+ }
+
+ // If we have not consumed the NSEC records yet e.g., just refreshing the cache,
+ // update them now for future validations.
+ if (NSECRecords && NSECCachePtr)
+ {
+ LogInfo("mDNSCoreReceieveResponse: Updating NSEC records in %s", CRDisplayString(m, NSECCachePtr));
+ if (!AddNSECSForCacheRecord(m, NSECRecords, NSECCachePtr, rcode))
+ {
+ LogInfo("mDNSCoreReceiveResponse: AddNSECSForCacheRecord failed to add NSEC for %s", CRDisplayString(m, NSECCachePtr));
+ FreeNSECRecords(m, NSECRecords);
+ }
+ NSECRecords = mDNSNULL;
+ NSECCachePtr = mDNSNULL;
+ }
+
+ // If there is at least one answer and we did not create RRSIGs and there was a
+ // ValidatingResponse question waiting for this response, give a hint that no RRSIGs
+ // were created. We don't need to give a hint:
+ //
+ // - if we have no answers, the mDNSCoreReceiveNoUnicastAnswers below should
+ // generate a negative response
+ //
+ // - if we have NSECRecords, it means we might have a potential proof for
+ // non-existence of name that we are looking for
+ //
+ if (response->h.numAnswers && !rrsigsCreated && DNSSECQuestion && !NSECRecords)
+ mDNSCoreReceiveNoDNSSECAnswers(m, response, end, dstaddr, dstport, InterfaceID);
+
+ // See if we need to generate negative cache entries for unanswered unicast questions
+ mDNSCoreReceiveNoUnicastAnswers(m, response, end, dstaddr, dstport, InterfaceID, LLQType, rcode, NSECRecords);
+
+ if (McastNSEC3Records)
+ {
+ debugf("mDNSCoreReceiveResponse: McastNSEC3Records not used");
+ FreeNSECRecords(m, McastNSEC3Records);
+ }
+}
+
+// ScheduleWakeup causes all proxy records with WakeUp.HMAC matching mDNSEthAddr 'e' to be deregistered, causing
+// multiple wakeup magic packets to be sent if appropriate, and all records to be ultimately freed after a few seconds.
+// ScheduleWakeup is called on mDNS record conflicts, ARP conflicts, NDP conflicts, or reception of trigger traffic
+// that warrants waking the sleeping host.
+// ScheduleWakeup must be called with the lock held (ScheduleWakeupForList uses mDNS_Deregister_internal)
+
+mDNSlocal void ScheduleWakeupForList(mDNS *const m, mDNSInterfaceID InterfaceID, mDNSEthAddr *e, AuthRecord *const thelist)
+{
+ // We need to use the m->CurrentRecord mechanism here when dealing with DuplicateRecords list as
+ // mDNS_Deregister_internal deregisters duplicate records immediately as they are not used
+ // to send wakeups or goodbyes. See the comment in that function for more details. To keep it
+ // simple, we use the same mechanism for both lists.
+ if (!e->l[0])
+ {
+ LogMsg("ScheduleWakeupForList ERROR: Target HMAC is zero");
+ return;
+ }
+ m->CurrentRecord = thelist;
+ while (m->CurrentRecord)
+ {
+ AuthRecord *const rr = m->CurrentRecord;
+ if (rr->resrec.InterfaceID == InterfaceID && rr->resrec.RecordType != kDNSRecordTypeDeregistering && mDNSSameEthAddress(&rr->WakeUp.HMAC, e))
+ {
+ LogInfo("ScheduleWakeupForList: Scheduling wakeup packets for %s", ARDisplayString(m, rr));
+ mDNS_Deregister_internal(m, rr, mDNS_Dereg_normal);
+ }
+ if (m->CurrentRecord == rr) // If m->CurrentRecord was not advanced for us, do it now
+ m->CurrentRecord = rr->next;
+ }
+}
+
+mDNSlocal void ScheduleWakeup(mDNS *const m, mDNSInterfaceID InterfaceID, mDNSEthAddr *e)
+{
+ if (!e->l[0]) { LogMsg("ScheduleWakeup ERROR: Target HMAC is zero"); return; }
+ ScheduleWakeupForList(m, InterfaceID, e, m->DuplicateRecords);
+ ScheduleWakeupForList(m, InterfaceID, e, m->ResourceRecords);
+}
+
+mDNSlocal void SPSRecordCallback(mDNS *const m, AuthRecord *const ar, mStatus result)
+{
+ if (result && result != mStatus_MemFree)
+ LogInfo("SPS Callback %d %s", result, ARDisplayString(m, ar));
+
+ if (result == mStatus_NameConflict)
+ {
+ mDNS_Lock(m);
+ LogMsg("%-7s Conflicting mDNS -- waking %.6a %s", InterfaceNameForID(m, ar->resrec.InterfaceID), &ar->WakeUp.HMAC, ARDisplayString(m, ar));
+ if (ar->WakeUp.HMAC.l[0])
+ {
+ SendWakeup(m, ar->resrec.InterfaceID, &ar->WakeUp.IMAC, &ar->WakeUp.password); // Send one wakeup magic packet
+ ScheduleWakeup(m, ar->resrec.InterfaceID, &ar->WakeUp.HMAC); // Schedule all other records with the same owner to be woken
+ }
+ mDNS_Unlock(m);
+ }
+
+ if (result == mStatus_NameConflict || result == mStatus_MemFree)
+ {
+ m->ProxyRecords--;
+ mDNSPlatformMemFree(ar);
+ mDNS_UpdateAllowSleep(m);
+ }
+}
+
+mDNSlocal mDNSu8 *GetValueForMACAddr(mDNSu8 *ptr, mDNSu8 *limit, mDNSEthAddr *eth)
+{
+ int i;
+ mDNSs8 hval = 0;
+ int colons = 0;
+ mDNSu8 val = 0;
+
+ for (i = 0; ptr < limit && *ptr != ' ' && i < 17; i++, ptr++)
+ {
+ hval = HexVal(*ptr);
+ if (hval != -1)
+ {
+ val <<= 4;
+ val |= hval;
+ }
+ else if (*ptr == ':')
+ {
+ eth->b[colons] = val;
+ colons++;
+ val = 0;
+ }
+ }
+ if (colons != 5)
+ {
+ LogMsg("GetValueForMACAddr: Address malformed colons %d", colons);
+ return mDNSNULL;
+ }
+ eth->b[colons] = val;
+ return ptr;
+}
+
+mDNSlocal mDNSu8 *GetValueForIPv6Addr(mDNSu8 *ptr, mDNSu8 *limit, mDNSv6Addr *v6)
+{
+ int hval;
+ int value;
+ int numBytes;
+ int digitsProcessed;
+ int zeroFillStart;
+ int numColons;
+ mDNSu8 v6addr[16];
+
+ // RFC 3513: Section 2.2 specifies IPv6 presentation format. The following parsing
+ // handles both (1) and (2) and does not handle embedded IPv4 addresses.
+ //
+ // First forms a address in "v6addr", then expands to fill the zeroes in and returns
+ // the result in "v6"
+
+ numColons = numBytes = value = digitsProcessed = zeroFillStart = 0;
+ while (ptr < limit && *ptr != ' ')
+ {
+ hval = HexVal(*ptr);
+ if (hval != -1)
+ {
+ value <<= 4;
+ value |= hval;
+ digitsProcessed = 1;
+ }
+ else if (*ptr == ':')
+ {
+ if (!digitsProcessed)
+ {
+ // If we have already seen a "::", we should not see one more. Handle the special
+ // case of "::"
+ if (numColons)
+ {
+ // if we never filled any bytes and the next character is space (we have reached the end)
+ // we are done
+ if (!numBytes && (ptr + 1) < limit && *(ptr + 1) == ' ')
+ {
+ mDNSPlatformMemZero(v6->b, 16);
+ return ptr + 1;
+ }
+ LogMsg("GetValueForIPv6Addr: zeroFillStart non-zero %d", zeroFillStart);
+ return mDNSNULL;
+ }
+
+ // We processed "::". We need to fill zeroes later. For now, mark the
+ // point where we will start filling zeroes from.
+ zeroFillStart = numBytes;
+ numColons++;
+ }
+ else if ((ptr + 1) < limit && *(ptr + 1) == ' ')
+ {
+ // We have a trailing ":" i.e., no more characters after ":"
+ LogMsg("GetValueForIPv6Addr: Trailing colon");
+ return mDNSNULL;
+ }
+ else
+ {
+ // For a fully expanded IPv6 address, we fill the 14th and 15th byte outside of this while
+ // loop below as there is no ":" at the end. Hence, the last two bytes that can possibly
+ // filled here is 12 and 13.
+ if (numBytes > 13) { LogMsg("GetValueForIPv6Addr:1: numBytes is %d", numBytes); return mDNSNULL; }
+
+ v6addr[numBytes++] = (mDNSu8) ((value >> 8) & 0xFF);
+ v6addr[numBytes++] = (mDNSu8) (value & 0xFF);
+ digitsProcessed = value = 0;
+
+ // Make sure that we did not fill the 13th and 14th byte above
+ if (numBytes > 14) { LogMsg("GetValueForIPv6Addr:2: numBytes is %d", numBytes); return mDNSNULL; }
+ }
+ }
+ ptr++;
+ }
+
+ // We should be processing the last set of bytes following the last ":" here
+ if (!digitsProcessed)
+ {
+ LogMsg("GetValueForIPv6Addr: no trailing bytes after colon, numBytes is %d", numBytes);
+ return mDNSNULL;
+ }
+
+ if (numBytes > 14) { LogMsg("GetValueForIPv6Addr:3: numBytes is %d", numBytes); return mDNSNULL; }
+ v6addr[numBytes++] = (mDNSu8) ((value >> 8) & 0xFF);
+ v6addr[numBytes++] = (mDNSu8) (value & 0xFF);
+
+ if (zeroFillStart)
+ {
+ int i, j, n;
+ for (i = 0; i < zeroFillStart; i++)
+ v6->b[i] = v6addr[i];
+ for (j = i, n = 0; n < 16 - numBytes; j++, n++)
+ v6->b[j] = 0;
+ for (; j < 16; i++, j++)
+ v6->b[j] = v6addr[i];
+ }
+ else if (numBytes == 16)
+ mDNSPlatformMemCopy(v6->b, v6addr, 16);
+ else
+ {
+ LogMsg("GetValueForIPv6addr: Not enough bytes for IPv6 address, numBytes is %d", numBytes);
+ return mDNSNULL;
+ }
+ return ptr;
+}
+
+mDNSlocal mDNSu8 *GetValueForIPv4Addr(mDNSu8 *ptr, mDNSu8 *limit, mDNSv4Addr *v4)
+{
+ mDNSu32 val;
+ int dots = 0;
+ val = 0;
+
+ for ( ; ptr < limit && *ptr != ' '; ptr++)
+ {
+ if (*ptr >= '0' && *ptr <= '9')
+ val = val * 10 + *ptr - '0';
+ else if (*ptr == '.')
+ {
+ v4->b[dots++] = val;
+ val = 0;
+ }
+ else
+ {
+ // We have a zero at the end and if we reached that, then we are done.
+ if (*ptr == 0 && ptr == limit - 1 && dots == 3)
+ {
+ v4->b[dots] = val;
+ return ptr + 1;
+ }
+ else { LogMsg("GetValueForIPv4Addr: something wrong ptr(%p) %c, limit %p, dots %d", ptr, *ptr, limit, dots); return mDNSNULL; }
+ }
+ }
+ if (dots != 3) { LogMsg("GetValueForIPv4Addr: Address malformed dots %d", dots); return mDNSNULL; }
+ v4->b[dots] = val;
+ return ptr;
+}
+
+mDNSlocal mDNSu8 *GetValueForKeepalive(mDNSu8 *ptr, mDNSu8 *limit, mDNSu32 *value)
+{
+ mDNSu32 val;
+
+ val = 0;
+ for ( ; ptr < limit && *ptr != ' '; ptr++)
+ {
+ if (*ptr < '0' || *ptr > '9')
+ {
+ // We have a zero at the end and if we reached that, then we are done.
+ if (*ptr == 0 && ptr == limit - 1)
+ {
+ *value = val;
+ return ptr + 1;
+ }
+ else { LogMsg("GetValueForKeepalive: *ptr %d, ptr %p, limit %p, ptr +1 %d", *ptr, ptr, limit, *(ptr + 1)); return mDNSNULL; }
+ }
+ val = val * 10 + *ptr - '0';
+ }
+ *value = val;
+ return ptr;
+}
+
+mDNSlocal void mDNS_ExtractKeepaliveInfo(AuthRecord *ar, mDNSu32 *timeout, mDNSAddr *laddr, mDNSAddr *raddr, mDNSEthAddr *eth, mDNSu32 *seq,
+ mDNSu32 *ack, mDNSIPPort *lport, mDNSIPPort *rport, mDNSu16 *win)
+{
+ if (ar->resrec.rrtype != kDNSType_NULL)
+ return;
+
+ if (mDNS_KeepaliveRecord(&ar->resrec))
+ {
+ int len = ar->resrec.rdlength;
+ mDNSu8 *ptr = &ar->resrec.rdata->u.txt.c[1];
+ mDNSu8 *limit = ptr + len - 1; // Exclude the first byte that is the length
+ mDNSu32 value = 0;
+
+ while (ptr < limit)
+ {
+ mDNSu8 param = *ptr;
+ ptr += 2; // Skip the letter and the "="
+ if (param == 'h')
+ {
+ laddr->type = mDNSAddrType_IPv4;
+ ptr = GetValueForIPv4Addr(ptr, limit, &laddr->ip.v4);
+ }
+ else if (param == 'd')
+ {
+ raddr->type = mDNSAddrType_IPv4;
+ ptr = GetValueForIPv4Addr(ptr, limit, &raddr->ip.v4);
+ }
+ if (param == 'H')
+ {
+ laddr->type = mDNSAddrType_IPv6;
+ ptr = GetValueForIPv6Addr(ptr, limit, &laddr->ip.v6);
+ }
+ else if (param == 'D')
+ {
+ raddr->type = mDNSAddrType_IPv6;
+ ptr = GetValueForIPv6Addr(ptr, limit, &raddr->ip.v6);
+ }
+ else if (param == 'm')
+ {
+ ptr = GetValueForMACAddr(ptr, limit, eth);
+ }
+ else
+ {
+ ptr = GetValueForKeepalive(ptr, limit, &value);
+ }
+ if (!ptr) { LogMsg("mDNS_ExtractKeepaliveInfo: Cannot parse\n"); return; }
+
+ // Extract everything in network order so that it is easy for sending a keepalive and also
+ // for matching incoming TCP packets
+ switch (param)
+ {
+ case 't':
+ *timeout = value;
+ //if (*timeout < 120) *timeout = 120;
+ break;
+ case 'h':
+ case 'H':
+ case 'd':
+ case 'D':
+ case 'm':
+ case 'i':
+ case 'c':
+ break;
+ case 'l':
+ lport->NotAnInteger = swap16((mDNSu16)value);
+ break;
+ case 'r':
+ rport->NotAnInteger = swap16((mDNSu16)value);
+ break;
+ case 's':
+ *seq = swap32(value);
+ break;
+ case 'a':
+ *ack = swap32(value);
+ break;
+ case 'w':
+ *win = swap16((mDNSu16)value);
+ break;
+ default:
+ LogMsg("mDNS_ExtractKeepaliveInfo: unknown value %c\n", param);
+ ptr = limit;
+ break;
+ }
+ ptr++; // skip the space
+ }
+ }
+}
+
+// Matches the proxied auth records to the incoming TCP packet and returns the match and its sequence and ack in "rseq" and "rack" so that
+// the clients need not retrieve this information from the auth record again.
+mDNSlocal AuthRecord* mDNS_MatchKeepaliveInfo(mDNS *const m, const mDNSAddr* pladdr, const mDNSAddr* praddr, const mDNSIPPort plport,
+ const mDNSIPPort prport, mDNSu32 *rseq, mDNSu32 *rack)
+{
+ AuthRecord *ar;
+ mDNSAddr laddr, raddr;
+ mDNSEthAddr eth;
+ mDNSIPPort lport, rport;
+ mDNSu32 timeout, seq, ack;
+ mDNSu16 win;
+
+ for (ar = m->ResourceRecords; ar; ar=ar->next)
+ {
+ timeout = seq = ack = 0;
+ win = 0;
+ laddr = raddr = zeroAddr;
+ lport = rport = zeroIPPort;
+
+ if (!ar->WakeUp.HMAC.l[0]) continue;
+
+ mDNS_ExtractKeepaliveInfo(ar, &timeout, &laddr, &raddr, &eth, &seq, &ack, &lport, &rport, &win);
+
+ // Did we parse correctly ?
+ if (!timeout || mDNSAddressIsZero(&laddr) || mDNSAddressIsZero(&raddr) || !seq || !ack || mDNSIPPortIsZero(lport) || mDNSIPPortIsZero(rport) || !win)
+ {
+ debugf("mDNS_MatchKeepaliveInfo: not a valid record %s for keepalive", ARDisplayString(m, ar));
+ continue;
+ }
+
+ debugf("mDNS_MatchKeepaliveInfo: laddr %#a pladdr %#a, raddr %#a praddr %#a, lport %d plport %d, rport %d prport %d",
+ &laddr, pladdr, &raddr, praddr, mDNSVal16(lport), mDNSVal16(plport), mDNSVal16(rport), mDNSVal16(prport));
+
+ // Does it match the incoming TCP packet ?
+ if (mDNSSameAddress(&laddr, pladdr) && mDNSSameAddress(&raddr, praddr) && mDNSSameIPPort(lport, plport) && mDNSSameIPPort(rport, prport))
+ {
+ // returning in network order
+ *rseq = seq;
+ *rack = ack;
+ return ar;
+ }
+ }
+ return mDNSNULL;
+}
+
+mDNSlocal void mDNS_SendKeepalives(mDNS *const m)
+{
+ AuthRecord *ar;
+
+ for (ar = m->ResourceRecords; ar; ar=ar->next)
+ {
+ mDNSu32 timeout, seq, ack;
+ mDNSu16 win;
+ mDNSAddr laddr, raddr;
+ mDNSEthAddr eth;
+ mDNSIPPort lport, rport;
+
+ timeout = seq = ack = 0;
+ win = 0;
+
+ laddr = raddr = zeroAddr;
+ lport = rport = zeroIPPort;
+
+ if (!ar->WakeUp.HMAC.l[0]) continue;
+
+ mDNS_ExtractKeepaliveInfo(ar, &timeout, &laddr, &raddr, &eth, &seq, &ack, &lport, &rport, &win);
+
+ if (!timeout || mDNSAddressIsZero(&laddr) || mDNSAddressIsZero(&raddr) || !seq || !ack || mDNSIPPortIsZero(lport) || mDNSIPPortIsZero(rport) || !win)
+ {
+ debugf("mDNS_SendKeepalives: not a valid record %s for keepalive", ARDisplayString(m, ar));
+ continue;
+ }
+ LogMsg("mDNS_SendKeepalives: laddr %#a raddr %#a lport %d rport %d", &laddr, &raddr, mDNSVal16(lport), mDNSVal16(rport));
+
+ // When we receive a proxy update, we set KATimeExpire to zero so that we always send a keepalive
+ // immediately (to detect any potential problems). After that we always set it to a non-zero value.
+ if (!ar->KATimeExpire || (m->timenow - ar->KATimeExpire >= 0))
+ {
+ mDNSPlatformSendKeepalive(&laddr, &raddr, &lport, &rport, seq, ack, win);
+ ar->KATimeExpire = NonZeroTime(m->timenow + timeout * mDNSPlatformOneSecond);
+ }
+ if (m->NextScheduledKA - ar->KATimeExpire > 0)
+ m->NextScheduledKA = ar->KATimeExpire;
+ }
+}
+
+mDNSlocal void mDNS_SendKeepaliveACK(mDNS *const m, AuthRecord *ar)
+{
+ if (ar != mDNSNULL)
+ {
+ LogInfo("mDNS_SendKeepalivesACK: AuthRecord is NULL");
+ return;
+ }
+ mDNSu32 timeout, seq, ack;
+ mDNSu16 win;
+ mDNSAddr laddr, raddr;
+ mDNSEthAddr eth;
+ mDNSIPPort lport, rport;
+
+ timeout = seq = ack = 0;
+ win = 0;
+
+ laddr = raddr = zeroAddr;
+ lport = rport = zeroIPPort;
+
+ mDNS_ExtractKeepaliveInfo(ar, &timeout, &laddr, &raddr, &eth, &seq, &ack, &lport, &rport, &win);
+
+ if (!timeout || mDNSAddressIsZero(&laddr) || mDNSAddressIsZero(&raddr) || !seq || !ack || mDNSIPPortIsZero(lport) || mDNSIPPortIsZero(rport) || !win)
+ {
+ LogInfo("mDNS_SendKeepaliveACK: not a valid record %s for keepalive", ARDisplayString(m, ar));
+ return;
+ }
+ LogMsg("mDNS_SendKeepaliveACK: laddr %#a raddr %#a lport %d rport %d", &laddr, &raddr, mDNSVal16(lport), mDNSVal16(rport));
+ mDNSPlatformSendKeepalive(&laddr, &raddr, &lport, &rport, seq, ack, win);
+}
+
+mDNSlocal void mDNSCoreReceiveUpdate(mDNS *const m,
+ const DNSMessage *const msg, const mDNSu8 *end,
+ const mDNSAddr *srcaddr, const mDNSIPPort srcport, const mDNSAddr *dstaddr, mDNSIPPort dstport,
+ const mDNSInterfaceID InterfaceID)
+{
+ int i;
+ AuthRecord opt;
+ mDNSu8 *p = m->omsg.data;
+ OwnerOptData owner = zeroOwner; // Need to zero this, so we'll know if this Update packet was missing its Owner option
+ mDNSu32 updatelease = 0;
+ const mDNSu8 *ptr;
+
+ LogSPS("Received Update from %#-15a:%-5d to %#-15a:%-5d on 0x%p with "
+ "%2d Question%s %2d Answer%s %2d Authorit%s %2d Additional%s %d bytes",
+ srcaddr, mDNSVal16(srcport), dstaddr, mDNSVal16(dstport), InterfaceID,
+ msg->h.numQuestions, msg->h.numQuestions == 1 ? ", " : "s,",
+ msg->h.numAnswers, msg->h.numAnswers == 1 ? ", " : "s,",
+ msg->h.numAuthorities, msg->h.numAuthorities == 1 ? "y, " : "ies,",
+ msg->h.numAdditionals, msg->h.numAdditionals == 1 ? " " : "s", end - msg->data);
+
+ if (!InterfaceID || !m->SPSSocket || !mDNSSameIPPort(dstport, m->SPSSocket->port)) return;
+
+ if (mDNS_PacketLoggingEnabled)
+ DumpPacket(m, mStatus_NoError, mDNSfalse, "UDP", srcaddr, srcport, dstaddr, dstport, msg, end);
+
+ ptr = LocateOptRR(msg, end, DNSOpt_LeaseData_Space + DNSOpt_OwnerData_ID_Space);
+ if (ptr)
+ {
+ ptr = GetLargeResourceRecord(m, msg, ptr, end, 0, kDNSRecordTypePacketAdd, &m->rec);
+ if (ptr && m->rec.r.resrec.RecordType != kDNSRecordTypePacketNegative && m->rec.r.resrec.rrtype == kDNSType_OPT)
+ {
+ const rdataOPT *o;
+ const rdataOPT *const e = (const rdataOPT *)&m->rec.r.resrec.rdata->u.data[m->rec.r.resrec.rdlength];
+ for (o = &m->rec.r.resrec.rdata->u.opt[0]; o < e; o++)
+ {
+ if (o->opt == kDNSOpt_Lease) updatelease = o->u.updatelease;
+ else if (o->opt == kDNSOpt_Owner && o->u.owner.vers == 0) owner = o->u.owner;
+ }
+ }
+ m->rec.r.resrec.RecordType = 0; // Clear RecordType to show we're not still using it
+ }
+
+ InitializeDNSMessage(&m->omsg.h, msg->h.id, UpdateRespFlags);
+
+ if (!updatelease || !owner.HMAC.l[0])
+ {
+ static int msgs = 0;
+ if (msgs < 100)
+ {
+ msgs++;
+ LogMsg("Refusing sleep proxy registration from %#a:%d:%s%s", srcaddr, mDNSVal16(srcport),
+ !updatelease ? " No lease" : "", !owner.HMAC.l[0] ? " No owner" : "");
+ }
+ m->omsg.h.flags.b[1] |= kDNSFlag1_RC_FormErr;
+ }
+ else if (m->ProxyRecords + msg->h.mDNS_numUpdates > MAX_PROXY_RECORDS)
+ {
+ static int msgs = 0;
+ if (msgs < 100)
+ {
+ msgs++;
+ LogMsg("Refusing sleep proxy registration from %#a:%d: Too many records %d + %d = %d > %d", srcaddr, mDNSVal16(srcport),
+ m->ProxyRecords, msg->h.mDNS_numUpdates, m->ProxyRecords + msg->h.mDNS_numUpdates, MAX_PROXY_RECORDS);
+ }
+ m->omsg.h.flags.b[1] |= kDNSFlag1_RC_Refused;
+ }
+ else
+ {
+ LogSPS("Received Update for H-MAC %.6a I-MAC %.6a Password %.6a seq %d", &owner.HMAC, &owner.IMAC, &owner.password, owner.seq);
+
+ if (updatelease > 24 * 60 * 60)
+ updatelease = 24 * 60 * 60;
+
+ if (updatelease > 0x40000000UL / mDNSPlatformOneSecond)
+ updatelease = 0x40000000UL / mDNSPlatformOneSecond;
+
+ ptr = LocateAuthorities(msg, end);
+
+ // Clear any stale TCP keepalive records that may exist
+ ClearKeepaliveProxyRecords(m, &owner, m->DuplicateRecords, InterfaceID);
+ ClearKeepaliveProxyRecords(m, &owner, m->ResourceRecords, InterfaceID);
+
+ for (i = 0; i < msg->h.mDNS_numUpdates && ptr && ptr < end; i++)
+ {
+ ptr = GetLargeResourceRecord(m, msg, ptr, end, InterfaceID, kDNSRecordTypePacketAuth, &m->rec);
+ if (ptr && m->rec.r.resrec.RecordType != kDNSRecordTypePacketNegative)
+ {
+ mDNSu16 RDLengthMem = GetRDLengthMem(&m->rec.r.resrec);
+ AuthRecord *ar = mDNSPlatformMemAllocate(sizeof(AuthRecord) - sizeof(RDataBody) + RDLengthMem);
+ if (!ar)
+ {
+ m->omsg.h.flags.b[1] |= kDNSFlag1_RC_Refused;
+ break;
+ }
+ else
+ {
+ mDNSu8 RecordType = m->rec.r.resrec.RecordType & kDNSRecordTypePacketUniqueMask ? kDNSRecordTypeUnique : kDNSRecordTypeShared;
+ m->rec.r.resrec.rrclass &= ~kDNSClass_UniqueRRSet;
+ // All stale keepalive records have been flushed prior to this loop.
+ if (!mDNS_KeepaliveRecord(&m->rec.r.resrec))
+ {
+ ClearIdenticalProxyRecords(m, &owner, m->DuplicateRecords); // Make sure we don't have any old stale duplicates of this record
+ ClearIdenticalProxyRecords(m, &owner, m->ResourceRecords);
+ }
+ mDNS_SetupResourceRecord(ar, mDNSNULL, InterfaceID, m->rec.r.resrec.rrtype, m->rec.r.resrec.rroriginalttl, RecordType, AuthRecordAny, SPSRecordCallback, ar);
+ AssignDomainName(&ar->namestorage, m->rec.r.resrec.name);
+ ar->resrec.rdlength = GetRDLength(&m->rec.r.resrec, mDNSfalse);
+ ar->resrec.rdata->MaxRDLength = RDLengthMem;
+ mDNSPlatformMemCopy(ar->resrec.rdata->u.data, m->rec.r.resrec.rdata->u.data, RDLengthMem);
+ ar->ForceMCast = mDNStrue;
+ ar->WakeUp = owner;
+ if (m->rec.r.resrec.rrtype == kDNSType_PTR)
+ {
+ mDNSs32 t = ReverseMapDomainType(m->rec.r.resrec.name);
+ if (t == mDNSAddrType_IPv4) GetIPv4FromName(&ar->AddressProxy, m->rec.r.resrec.name);
+ else if (t == mDNSAddrType_IPv6) GetIPv6FromName(&ar->AddressProxy, m->rec.r.resrec.name);
+ debugf("mDNSCoreReceiveUpdate: PTR %d %d %#a %s", t, ar->AddressProxy.type, &ar->AddressProxy, ARDisplayString(m, ar));
+ if (ar->AddressProxy.type) SetSPSProxyListChanged(InterfaceID);
+ }
+ ar->TimeRcvd = m->timenow;
+ ar->TimeExpire = m->timenow + updatelease * mDNSPlatformOneSecond;
+ if (m->NextScheduledSPS - ar->TimeExpire > 0)
+ m->NextScheduledSPS = ar->TimeExpire;
+ ar->KATimeExpire = 0;
+ mDNS_Register_internal(m, ar);
+
+ m->ProxyRecords++;
+ mDNS_UpdateAllowSleep(m);
+ LogSPS("SPS Registered %4d %X %s", m->ProxyRecords, RecordType, ARDisplayString(m,ar));
+ }
+ }
+ m->rec.r.resrec.RecordType = 0; // Clear RecordType to show we're not still using it
+ }
+
+ if (m->omsg.h.flags.b[1] & kDNSFlag1_RC_Mask)
+ {
+ LogMsg("Refusing sleep proxy registration from %#a:%d: Out of memory", srcaddr, mDNSVal16(srcport));
+ ClearProxyRecords(m, &owner, m->DuplicateRecords);
+ ClearProxyRecords(m, &owner, m->ResourceRecords);
+ }
+ else
+ {
+ mDNS_SetupResourceRecord(&opt, mDNSNULL, mDNSInterface_Any, kDNSType_OPT, kStandardTTL, kDNSRecordTypeKnownUnique, AuthRecordAny, mDNSNULL, mDNSNULL);
+ opt.resrec.rrclass = NormalMaxDNSMessageData;
+ opt.resrec.rdlength = sizeof(rdataOPT); // One option in this OPT record
+ opt.resrec.rdestimate = sizeof(rdataOPT);
+ opt.resrec.rdata->u.opt[0].opt = kDNSOpt_Lease;
+ opt.resrec.rdata->u.opt[0].u.updatelease = updatelease;
+ p = PutResourceRecordTTLWithLimit(&m->omsg, p, &m->omsg.h.numAdditionals, &opt.resrec, opt.resrec.rroriginalttl, m->omsg.data + AbsoluteMaxDNSMessageData);
+ }
+ }
+
+ if (p) mDNSSendDNSMessage(m, &m->omsg, p, InterfaceID, m->SPSSocket, srcaddr, srcport, mDNSNULL, mDNSNULL, mDNSfalse);
+ mDNS_SendKeepalives(m);
+}
+
+mDNSlocal void mDNSCoreReceiveUpdateR(mDNS *const m, const DNSMessage *const msg, const mDNSu8 *end, const mDNSAddr *srcaddr, const mDNSInterfaceID InterfaceID)
+{
+ if (InterfaceID)
+ {
+ mDNSu32 updatelease = 60 * 60; // If SPS fails to indicate lease time, assume one hour
+ const mDNSu8 *ptr = LocateOptRR(msg, end, DNSOpt_LeaseData_Space);
+ if (ptr)
+ {
+ ptr = GetLargeResourceRecord(m, msg, ptr, end, 0, kDNSRecordTypePacketAdd, &m->rec);
+ if (ptr && m->rec.r.resrec.RecordType != kDNSRecordTypePacketNegative && m->rec.r.resrec.rrtype == kDNSType_OPT)
+ {
+ const rdataOPT *o;
+ const rdataOPT *const e = (const rdataOPT *)&m->rec.r.resrec.rdata->u.data[m->rec.r.resrec.rdlength];
+ for (o = &m->rec.r.resrec.rdata->u.opt[0]; o < e; o++)
+ if (o->opt == kDNSOpt_Lease)
+ {
+ updatelease = o->u.updatelease;
+ LogSPS("Sleep Proxy granted lease time %4d seconds, updateid %d, InterfaceID %p", updatelease, mDNSVal16(msg->h.id), InterfaceID);
+ }
+ }
+ m->rec.r.resrec.RecordType = 0; // Clear RecordType to show we're not still using it
+ }
+
+ if (m->CurrentRecord)
+ LogMsg("mDNSCoreReceiveUpdateR ERROR m->CurrentRecord already set %s", ARDisplayString(m, m->CurrentRecord));
+ m->CurrentRecord = m->ResourceRecords;
+ while (m->CurrentRecord)
+ {
+ AuthRecord *const rr = m->CurrentRecord;
+ if (rr->resrec.InterfaceID == InterfaceID || (!rr->resrec.InterfaceID && (rr->ForceMCast || IsLocalDomain(rr->resrec.name))))
+ if (mDNSSameOpaque16(rr->updateid, msg->h.id))
+ {
+ // We successfully completed this record's registration on this "InterfaceID". Clear that bit.
+ // Clear the updateid when we are done sending on all interfaces.
+ mDNSu32 scopeid = mDNSPlatformInterfaceIndexfromInterfaceID(m, InterfaceID, mDNStrue);
+ if (scopeid < (sizeof(rr->updateIntID) * mDNSNBBY))
+ bit_clr_opaque64(rr->updateIntID, scopeid);
+ if (mDNSOpaque64IsZero(&rr->updateIntID))
+ rr->updateid = zeroID;
+ rr->expire = NonZeroTime(m->timenow + updatelease * mDNSPlatformOneSecond);
+ LogSPS("Sleep Proxy %s record %5d 0x%x 0x%x (%d) %s", rr->WakeUp.HMAC.l[0] ? "transferred" : "registered", updatelease, rr->updateIntID.l[1], rr->updateIntID.l[0], mDNSVal16(rr->updateid), ARDisplayString(m,rr));
+ if (rr->WakeUp.HMAC.l[0])
+ {
+ rr->WakeUp.HMAC = zeroEthAddr; // Clear HMAC so that mDNS_Deregister_internal doesn't waste packets trying to wake this host
+ rr->RequireGoodbye = mDNSfalse; // and we don't want to send goodbye for it
+ mDNS_Deregister_internal(m, rr, mDNS_Dereg_normal);
+ }
+ }
+ // Mustn't advance m->CurrentRecord until *after* mDNS_Deregister_internal, because
+ // new records could have been added to the end of the list as a result of that call.
+ if (m->CurrentRecord == rr) // If m->CurrentRecord was not advanced for us, do it now
+ m->CurrentRecord = rr->next;
+ }
+
+ // Update the dynamic store with the IP Address and MAC address of the sleep proxy
+ char *ifname = InterfaceNameForID(m, InterfaceID);
+ mDNSAddr spsaddr;
+ mDNSPlatformMemCopy(&spsaddr, srcaddr, sizeof (mDNSAddr));
+ mDNSPlatformStoreSPSMACAddr(&spsaddr, ifname);
+ }
+ // If we were waiting to go to sleep, then this SPS registration or wide-area record deletion
+ // may have been the thing we were waiting for, so schedule another check to see if we can sleep now.
+ if (m->SleepLimit) m->NextScheduledSPRetry = m->timenow;
+}
+
+mDNSexport void MakeNegativeCacheRecord(mDNS *const m, CacheRecord *const cr,
+ const domainname *const name, const mDNSu32 namehash, const mDNSu16 rrtype, const mDNSu16 rrclass, mDNSu32 ttl_seconds, mDNSInterfaceID InterfaceID, DNSServer *dnsserver)
+{
+ if (cr == &m->rec.r && m->rec.r.resrec.RecordType)
+ {
+ LogMsg("MakeNegativeCacheRecord: m->rec appears to be already in use for %s", CRDisplayString(m, &m->rec.r));
+#if ForceAlerts
+ *(long*)0 = 0;
+#endif
+ }
+
+ // Create empty resource record
+ cr->resrec.RecordType = kDNSRecordTypePacketNegative;
+ cr->resrec.InterfaceID = InterfaceID;
+ cr->resrec.rDNSServer = dnsserver;
+ cr->resrec.name = name; // Will be updated to point to cg->name when we call CreateNewCacheEntry
+ cr->resrec.rrtype = rrtype;
+ cr->resrec.rrclass = rrclass;
+ cr->resrec.rroriginalttl = ttl_seconds;
+ cr->resrec.rdlength = 0;
+ cr->resrec.rdestimate = 0;
+ cr->resrec.namehash = namehash;
+ cr->resrec.rdatahash = 0;
+ cr->resrec.rdata = (RData*)&cr->smallrdatastorage;
+ cr->resrec.rdata->MaxRDLength = 0;
+
+ cr->NextInKAList = mDNSNULL;
+ cr->TimeRcvd = m->timenow;
+ cr->DelayDelivery = 0;
+ cr->NextRequiredQuery = m->timenow;
+ cr->LastUsed = m->timenow;
+ cr->CRActiveQuestion = mDNSNULL;
+ cr->UnansweredQueries = 0;
+ cr->LastUnansweredTime = 0;
+#if ENABLE_MULTI_PACKET_QUERY_SNOOPING
+ cr->MPUnansweredQ = 0;
+ cr->MPLastUnansweredQT = 0;
+ cr->MPUnansweredKA = 0;
+ cr->MPExpectingKA = mDNSfalse;
+#endif
+ cr->NextInCFList = mDNSNULL;
+ cr->nsec = mDNSNULL;
+ cr->soa = mDNSNULL;
+ cr->CRDNSSECQuestion = 0;
+ // Initialize to the basic one and the caller can set it to more
+ // specific based on the response if any
+ cr->responseFlags = ResponseFlags;
+}
+
+mDNSexport void mDNSCoreReceive(mDNS *const m, void *const pkt, const mDNSu8 *const end,
+ const mDNSAddr *const srcaddr, const mDNSIPPort srcport, const mDNSAddr *dstaddr, const mDNSIPPort dstport,
+ const mDNSInterfaceID InterfaceID)
+{
+ mDNSInterfaceID ifid = InterfaceID;
+ DNSMessage *msg = (DNSMessage *)pkt;
+ const mDNSu8 StdQ = kDNSFlag0_QR_Query | kDNSFlag0_OP_StdQuery;
+ const mDNSu8 StdR = kDNSFlag0_QR_Response | kDNSFlag0_OP_StdQuery;
+ const mDNSu8 UpdQ = kDNSFlag0_QR_Query | kDNSFlag0_OP_Update;
+ const mDNSu8 UpdR = kDNSFlag0_QR_Response | kDNSFlag0_OP_Update;
+ mDNSu8 QR_OP;
+ mDNSu8 *ptr = mDNSNULL;
+ mDNSBool TLS = (dstaddr == (mDNSAddr *)1); // For debug logs: dstaddr = 0 means TCP; dstaddr = 1 means TLS
+ if (TLS) dstaddr = mDNSNULL;
+
+#ifndef UNICAST_DISABLED
+ if (mDNSSameAddress(srcaddr, &m->Router))
+ {
+#ifdef _LEGACY_NAT_TRAVERSAL_
+ if (mDNSSameIPPort(srcport, SSDPPort) || (m->SSDPSocket && mDNSSameIPPort(dstport, m->SSDPSocket->port)))
+ {
+ mDNS_Lock(m);
+ LNT_ConfigureRouterInfo(m, InterfaceID, pkt, (mDNSu16)(end - (mDNSu8 *)pkt));
+ mDNS_Unlock(m);
+ return;
+ }
+#endif
+ if (mDNSSameIPPort(srcport, NATPMPPort))
+ {
+ mDNS_Lock(m);
+ uDNS_ReceiveNATPacket(m, InterfaceID, pkt, (mDNSu16)(end - (mDNSu8 *)pkt));
+ mDNS_Unlock(m);
+ return;
+ }
+ }
+#ifdef _LEGACY_NAT_TRAVERSAL_
+ else if (m->SSDPSocket && mDNSSameIPPort(dstport, m->SSDPSocket->port)) { debugf("Ignoring SSDP response from %#a:%d", srcaddr, mDNSVal16(srcport)); return; }
+#endif
+
+#endif
+ if ((unsigned)(end - (mDNSu8 *)pkt) < sizeof(DNSMessageHeader))
+ {
+ LogMsg("DNS Message from %#a:%d to %#a:%d length %d too short", srcaddr, mDNSVal16(srcport), dstaddr, mDNSVal16(dstport), end - (mDNSu8 *)pkt);
+ return;
+ }
+ QR_OP = (mDNSu8)(msg->h.flags.b[0] & kDNSFlag0_QROP_Mask);
+ // Read the integer parts which are in IETF byte-order (MSB first, LSB second)
+ ptr = (mDNSu8 *)&msg->h.numQuestions;
+ msg->h.numQuestions = (mDNSu16)((mDNSu16)ptr[0] << 8 | ptr[1]);
+ msg->h.numAnswers = (mDNSu16)((mDNSu16)ptr[2] << 8 | ptr[3]);
+ msg->h.numAuthorities = (mDNSu16)((mDNSu16)ptr[4] << 8 | ptr[5]);
+ msg->h.numAdditionals = (mDNSu16)((mDNSu16)ptr[6] << 8 | ptr[7]);
+
+ if (!m) { LogMsg("mDNSCoreReceive ERROR m is NULL"); return; }
+
+ // We use zero addresses and all-ones addresses at various places in the code to indicate special values like "no address"
+ // If we accept and try to process a packet with zero or all-ones source address, that could really mess things up
+ if (srcaddr && !mDNSAddressIsValid(srcaddr)) { debugf("mDNSCoreReceive ignoring packet from %#a", srcaddr); return; }
+
+ mDNS_Lock(m);
+ m->PktNum++;
+ if (mDNSOpaque16IsZero(msg->h.id))
+ {
+ m->MPktNum++;
+#if APPLE_OSX_mDNSResponder
+ // Track the number of multicast packets received from a source outside our subnet.
+ // Check the destination address to avoid accounting for spurious packets that
+ // comes in with message id zero.
+ if (!mDNS_AddressIsLocalSubnet(m, InterfaceID, srcaddr, mDNSNULL) &&
+ mDNSAddressIsAllDNSLinkGroup(dstaddr))
+ {
+ m->RemoteSubnet++;
+ }
+#endif // #if APPLE_OSX_mDNSResponder
+ }
+
+#ifndef UNICAST_DISABLED
+ if (!dstaddr || (!mDNSAddressIsAllDNSLinkGroup(dstaddr) && (QR_OP == StdR || QR_OP == UpdR)))
+ if (!mDNSOpaque16IsZero(msg->h.id)) // uDNS_ReceiveMsg only needs to get real uDNS responses, not "QU" mDNS responses
+ {
+ ifid = mDNSInterface_Any;
+ if (mDNS_PacketLoggingEnabled)
+ DumpPacket(m, mStatus_NoError, mDNSfalse, TLS ? "TLS" : !dstaddr ? "TCP" : "UDP", srcaddr, srcport, dstaddr, dstport, msg, end);
+ uDNS_ReceiveMsg(m, msg, end, srcaddr, srcport);
+ // Note: mDNSCore also needs to get access to received unicast responses
+ }
+#endif
+ if (QR_OP == StdQ) mDNSCoreReceiveQuery (m, msg, end, srcaddr, srcport, dstaddr, dstport, ifid);
+ else if (QR_OP == StdR) mDNSCoreReceiveResponse(m, msg, end, srcaddr, srcport, dstaddr, dstport, ifid);
+ else if (QR_OP == UpdQ) mDNSCoreReceiveUpdate (m, msg, end, srcaddr, srcport, dstaddr, dstport, InterfaceID);
+ else if (QR_OP == UpdR) mDNSCoreReceiveUpdateR (m, msg, end, srcaddr, InterfaceID);
+ else
+ {
+ LogMsg("Unknown DNS packet type %02X%02X from %#-15a:%-5d to %#-15a:%-5d length %d on %p (ignored)",
+ msg->h.flags.b[0], msg->h.flags.b[1], srcaddr, mDNSVal16(srcport), dstaddr, mDNSVal16(dstport), end - (mDNSu8 *)pkt, InterfaceID);
+ if (mDNS_LoggingEnabled)
+ {
+ int i = 0;
+ while (i<end - (mDNSu8 *)pkt)
+ {
+ char buffer[128];
+ char *p = buffer + mDNS_snprintf(buffer, sizeof(buffer), "%04X", i);
+ do if (i<end - (mDNSu8 *)pkt) p += mDNS_snprintf(p, sizeof(buffer), " %02X", ((mDNSu8 *)pkt)[i]);while (++i & 15);
+ LogInfo("%s", buffer);
+ }
+ }
+ }
+ // Packet reception often causes a change to the task list:
+ // 1. Inbound queries can cause us to need to send responses
+ // 2. Conflicing response packets received from other hosts can cause us to need to send defensive responses
+ // 3. Other hosts announcing deletion of shared records can cause us to need to re-assert those records
+ // 4. Response packets that answer questions may cause our client to issue new questions
+ mDNS_Unlock(m);
+}
+
+// ***************************************************************************
+#if COMPILER_LIKES_PRAGMA_MARK
+#pragma mark -
+#pragma mark - Searcher Functions
+#endif
+
+// Targets are considered the same if both queries are untargeted, or
+// if both are targeted to the same address+port
+// (If Target address is zero, TargetPort is undefined)
+#define SameQTarget(A,B) (((A)->Target.type == mDNSAddrType_None && (B)->Target.type == mDNSAddrType_None) || \
+ (mDNSSameAddress(& (A)->Target, & (B)->Target) && mDNSSameIPPort((A)->TargetPort, (B)->TargetPort)))
+
+// Note: We explicitly disallow making a public query be a duplicate of a private one. This is to avoid the
+// circular deadlock where a client does a query for something like "dns-sd -Q _dns-query-tls._tcp.company.com SRV"
+// and we have a key for company.com, so we try to locate the private query server for company.com, which necessarily entails
+// doing a standard DNS query for the _dns-query-tls._tcp SRV record for company.com. If we make the latter (public) query
+// a duplicate of the former (private) query, then it will block forever waiting for an answer that will never come.
+//
+// We keep SuppressUnusable questions separate so that we can return a quick response to them and not get blocked behind
+// the queries that are not marked SuppressUnusable. But if the query is not suppressed, they are treated the same as
+// non-SuppressUnusable questions. This should be fine as the goal of SuppressUnusable is to return quickly only if it
+// is suppressed. If it is not suppressed, we do try all the DNS servers for valid answers like any other question.
+// The main reason for this design is that cache entries point to a *single* question and that question is responsible
+// for keeping the cache fresh as long as it is active. Having multiple active question for a single cache entry
+// breaks this design principle.
+//
+
+// If IsLLQ(Q) is true, it means the question is both:
+// (a) long-lived and
+// (b) being performed by a unicast DNS long-lived query (either full LLQ, or polling)
+// for multicast questions, we don't want to treat LongLived as anything special
+#define IsLLQ(Q) ((Q)->LongLived && !mDNSOpaque16IsZero((Q)->TargetQID))
+
+mDNSlocal DNSQuestion *FindDuplicateQuestion(const mDNS *const m, const DNSQuestion *const question)
+{
+ DNSQuestion *q;
+ // Note: A question can only be marked as a duplicate of one that occurs *earlier* in the list.
+ // This prevents circular references, where two questions are each marked as a duplicate of the other.
+ // Accordingly, we break out of the loop when we get to 'question', because there's no point searching
+ // further in the list.
+ for (q = m->Questions; q && q != question; q=q->next) // Scan our list for another question
+ if (q->InterfaceID == question->InterfaceID && // with the same InterfaceID,
+ SameQTarget(q, question) && // and same unicast/multicast target settings
+ q->qtype == question->qtype && // type,
+ q->qclass == question->qclass && // class,
+ IsLLQ(q) == IsLLQ(question) && // and long-lived status matches
+ (!q->AuthInfo || question->AuthInfo) && // to avoid deadlock, don't make public query dup of a private one
+ (q->AnonInfo == question->AnonInfo) && // Anonymous query not a dup of normal query
+ (q->SuppressQuery == question->SuppressQuery) && // Questions that are suppressed/not suppressed
+ (q->ValidationRequired == question->ValidationRequired) && // Questions that require DNSSEC validation
+ (q->ValidatingResponse == question->ValidatingResponse) && // Questions that are validating responses using DNSSEC
+ (q->DisallowPID == question->DisallowPID) && // Disallowing a PID should not affect a PID that is allowed
+ (q->BrowseThreshold == question->BrowseThreshold) && // browse thresholds must match
+ q->qnamehash == question->qnamehash &&
+ SameDomainName(&q->qname, &question->qname)) // and name
+ return(q);
+ return(mDNSNULL);
+}
+
+// This is called after a question is deleted, in case other identical questions were being suppressed as duplicates
+mDNSlocal void UpdateQuestionDuplicates(mDNS *const m, DNSQuestion *const question)
+{
+ DNSQuestion *q;
+ DNSQuestion *first = mDNSNULL;
+
+ // This is referring to some other question as duplicate. No other question can refer to this
+ // question as a duplicate.
+ if (question->DuplicateOf)
+ {
+ LogInfo("UpdateQuestionDuplicates: question %p %##s (%s) duplicate of %p %##s (%s)",
+ question, question->qname.c, DNSTypeName(question->qtype),
+ question->DuplicateOf, question->DuplicateOf->qname.c, DNSTypeName(question->DuplicateOf->qtype));
+ return;
+ }
+
+ for (q = m->Questions; q; q=q->next) // Scan our list of questions
+ if (q->DuplicateOf == question) // To see if any questions were referencing this as their duplicate
+ {
+ q->DuplicateOf = first;
+ if (!first)
+ {
+ first = q;
+ // If q used to be a duplicate, but now is not,
+ // then inherit the state from the question that's going away
+ q->LastQTime = question->LastQTime;
+ q->ThisQInterval = question->ThisQInterval;
+ q->ExpectUnicastResp = question->ExpectUnicastResp;
+ q->LastAnswerPktNum = question->LastAnswerPktNum;
+ q->RecentAnswerPkts = question->RecentAnswerPkts;
+ q->RequestUnicast = question->RequestUnicast;
+ q->LastQTxTime = question->LastQTxTime;
+ q->CNAMEReferrals = question->CNAMEReferrals;
+ q->nta = question->nta;
+ q->servAddr = question->servAddr;
+ q->servPort = question->servPort;
+ q->qDNSServer = question->qDNSServer;
+ q->validDNSServers = question->validDNSServers;
+ q->unansweredQueries = question->unansweredQueries;
+ q->noServerResponse = question->noServerResponse;
+ q->triedAllServersOnce = question->triedAllServersOnce;
+
+ q->TargetQID = question->TargetQID;
+ if (q->LocalSocket)
+ {
+ mDNSPlatformUDPClose(q->LocalSocket);
+ }
+
+ q->LocalSocket = question->LocalSocket;
+
+ q->state = question->state;
+ // q->tcp = question->tcp;
+ q->ReqLease = question->ReqLease;
+ q->expire = question->expire;
+ q->ntries = question->ntries;
+ q->id = question->id;
+
+ question->LocalSocket = mDNSNULL;
+ question->nta = mDNSNULL; // If we've got a GetZoneData in progress, transfer it to the newly active question
+ // question->tcp = mDNSNULL;
+
+ if (q->LocalSocket)
+ debugf("UpdateQuestionDuplicates transferred LocalSocket pointer for %##s (%s)", q->qname.c, DNSTypeName(q->qtype));
+
+ if (q->nta)
+ {
+ LogInfo("UpdateQuestionDuplicates transferred nta pointer for %##s (%s)", q->qname.c, DNSTypeName(q->qtype));
+ q->nta->ZoneDataContext = q;
+ }
+
+ // Need to work out how to safely transfer this state too -- appropriate context pointers need to be updated or the code will crash
+ if (question->tcp) LogInfo("UpdateQuestionDuplicates did not transfer tcp pointer");
+
+ if (question->state == LLQ_Established)
+ {
+ LogInfo("UpdateQuestionDuplicates transferred LLQ state for %##s (%s)", q->qname.c, DNSTypeName(q->qtype));
+ question->state = 0; // Must zero question->state, or mDNS_StopQuery_internal will clean up and cancel our LLQ from the server
+ }
+
+ SetNextQueryTime(m,q);
+ }
+ }
+}
+
+mDNSexport McastResolver *mDNS_AddMcastResolver(mDNS *const m, const domainname *d, const mDNSInterfaceID interface, mDNSu32 timeout)
+{
+ McastResolver **p = &m->McastResolvers;
+ McastResolver *tmp = mDNSNULL;
+
+ if (!d) d = (const domainname *)"";
+
+ LogInfo("mDNS_AddMcastResolver: Adding %##s, InterfaceID %p, timeout %u", d->c, interface, timeout);
+
+ mDNS_CheckLock(m);
+
+ while (*p) // Check if we already have this {interface, domain} tuple registered
+ {
+ if ((*p)->interface == interface && SameDomainName(&(*p)->domain, d))
+ {
+ if (!((*p)->flags & DNSServer_FlagDelete)) LogMsg("Note: Mcast Resolver domain %##s (%p) registered more than once", d->c, interface);
+ (*p)->flags &= ~DNSServer_FlagDelete;
+ tmp = *p;
+ *p = tmp->next;
+ tmp->next = mDNSNULL;
+ }
+ else
+ p=&(*p)->next;
+ }
+
+ if (tmp) *p = tmp; // move to end of list, to ensure ordering from platform layer
+ else
+ {
+ // allocate, add to list
+ *p = mDNSPlatformMemAllocate(sizeof(**p));
+ if (!*p) LogMsg("mDNS_AddMcastResolver: ERROR!! - malloc");
+ else
+ {
+ (*p)->interface = interface;
+ (*p)->flags = DNSServer_FlagNew;
+ (*p)->timeout = timeout;
+ AssignDomainName(&(*p)->domain, d);
+ (*p)->next = mDNSNULL;
+ }
+ }
+ return(*p);
+}
+
+mDNSinline mDNSs32 PenaltyTimeForServer(mDNS *m, DNSServer *server)
+{
+ mDNSs32 ptime = 0;
+ if (server->penaltyTime != 0)
+ {
+ ptime = server->penaltyTime - m->timenow;
+ if (ptime < 0)
+ {
+ // This should always be a positive value between 0 and DNSSERVER_PENALTY_TIME
+ // If it does not get reset in ResetDNSServerPenalties for some reason, we do it
+ // here
+ LogMsg("PenaltyTimeForServer: PenaltyTime negative %d, (server penaltyTime %d, timenow %d) resetting the penalty",
+ ptime, server->penaltyTime, m->timenow);
+ server->penaltyTime = 0;
+ ptime = 0;
+ }
+ }
+ return ptime;
+}
+
+//Checks to see whether the newname is a better match for the name, given the best one we have
+//seen so far (given in bestcount).
+//Returns -1 if the newname is not a better match
+//Returns 0 if the newname is the same as the old match
+//Returns 1 if the newname is a better match
+mDNSlocal int BetterMatchForName(const domainname *name, int namecount, const domainname *newname, int newcount,
+ int bestcount)
+{
+ // If the name contains fewer labels than the new server's domain or the new name
+ // contains fewer labels than the current best, then it can't possibly be a better match
+ if (namecount < newcount || newcount < bestcount) return -1;
+
+ // If there is no match, return -1 and the caller will skip this newname for
+ // selection
+ //
+ // If we find a match and the number of labels is the same as bestcount, then
+ // we return 0 so that the caller can do additional logic to pick one of
+ // the best based on some other factors e.g., penaltyTime
+ //
+ // If we find a match and the number of labels is more than bestcount, then we
+ // return 1 so that the caller can pick this over the old one.
+ //
+ // Note: newcount can either be equal or greater than bestcount beause of the
+ // check above.
+
+ if (SameDomainName(SkipLeadingLabels(name, namecount - newcount), newname))
+ return bestcount == newcount ? 0 : 1;
+ else
+ return -1;
+}
+
+// Normally, we have McastResolvers for .local, in-addr.arpa and ip6.arpa. But there
+// can be queries that can forced to multicast (ForceMCast) even though they don't end in these
+// names. In that case, we give a default timeout of 5 seconds
+#define DEFAULT_MCAST_TIMEOUT 5
+mDNSlocal mDNSu32 GetTimeoutForMcastQuestion(mDNS *m, DNSQuestion *question)
+{
+ McastResolver *curmatch = mDNSNULL;
+ int bestmatchlen = -1, namecount = CountLabels(&question->qname);
+ McastResolver *curr;
+ int bettermatch, currcount;
+ for (curr = m->McastResolvers; curr; curr = curr->next)
+ {
+ currcount = CountLabels(&curr->domain);
+ bettermatch = BetterMatchForName(&question->qname, namecount, &curr->domain, currcount, bestmatchlen);
+ // Take the first best match. If there are multiple equally good matches (bettermatch = 0), we take
+ // the timeout value from the first one
+ if (bettermatch == 1)
+ {
+ curmatch = curr;
+ bestmatchlen = currcount;
+ }
+ }
+ LogInfo("GetTimeoutForMcastQuestion: question %##s curmatch %p, Timeout %d", question->qname.c, curmatch,
+ curmatch ? curmatch->timeout : DEFAULT_MCAST_TIMEOUT);
+ return ( curmatch ? curmatch->timeout : DEFAULT_MCAST_TIMEOUT);
+}
+
+// Returns true if it is a Domain Enumeration Query
+mDNSexport mDNSBool DomainEnumQuery(const domainname *qname)
+{
+ const mDNSu8 *mDNS_DEQLabels[] = { (const mDNSu8 *)"\001b", (const mDNSu8 *)"\002db", (const mDNSu8 *)"\002lb",
+ (const mDNSu8 *)"\001r", (const mDNSu8 *)"\002dr", (const mDNSu8 *)mDNSNULL, };
+ const domainname *d = qname;
+ const mDNSu8 *label;
+ int i = 0;
+
+ // We need at least 3 labels (DEQ prefix) + one more label to make a meaningful DE query
+ if (CountLabels(qname) < 4) { debugf("DomainEnumQuery: question %##s, not enough labels", qname->c); return mDNSfalse; }
+
+ label = (const mDNSu8 *)d;
+ while (mDNS_DEQLabels[i] != (const mDNSu8 *)mDNSNULL)
+ {
+ if (SameDomainLabel(mDNS_DEQLabels[i], label)) {debugf("DomainEnumQuery: DEQ %##s, label1 match", qname->c); break;}
+ i++;
+ }
+ if (mDNS_DEQLabels[i] == (const mDNSu8 *)mDNSNULL)
+ {
+ debugf("DomainEnumQuery: Not a DEQ %##s, label1 mismatch", qname->c);
+ return mDNSfalse;
+ }
+ debugf("DomainEnumQuery: DEQ %##s, label1 match", qname->c);
+
+ // CountLabels already verified the number of labels
+ d = (const domainname *)(d->c + 1 + d->c[0]); // Second Label
+ label = (const mDNSu8 *)d;
+ if (!SameDomainLabel(label, (const mDNSu8 *)"\007_dns-sd"))
+ {
+ debugf("DomainEnumQuery: Not a DEQ %##s, label2 mismatch", qname->c);
+ return(mDNSfalse);
+ }
+ debugf("DomainEnumQuery: DEQ %##s, label2 match", qname->c);
+
+ d = (const domainname *)(d->c + 1 + d->c[0]); // Third Label
+ label = (const mDNSu8 *)d;
+ if (!SameDomainLabel(label, (const mDNSu8 *)"\004_udp"))
+ {
+ debugf("DomainEnumQuery: Not a DEQ %##s, label3 mismatch", qname->c);
+ return(mDNSfalse);
+ }
+ debugf("DomainEnumQuery: DEQ %##s, label3 match", qname->c);
+
+ debugf("DomainEnumQuery: Question %##s is a Domain Enumeration query", qname->c);
+
+ return mDNStrue;
+}
+
+// Note: InterfaceID is the InterfaceID of the question
+mDNSlocal mDNSBool DNSServerMatch(DNSServer *d, mDNSInterfaceID InterfaceID, mDNSs32 ServiceID)
+{
+ // 1) Unscoped questions (NULL InterfaceID) should consider *only* unscoped DNSServers ( DNSServer
+ // with "scoped" set to kScopeNone)
+ //
+ // 2) Scoped questions (non-NULL InterfaceID) should consider *only* scoped DNSServers (DNSServer
+ // with "scoped" set to kScopeInterfaceId) and their InterfaceIDs should match.
+ //
+ // 3) Scoped questions (non-zero ServiceID) should consider *only* scoped DNSServers (DNSServer
+ // with "scoped" set to kScopeServiceID) and their ServiceIDs should match.
+ //
+ // The first condition in the "if" statement checks to see if both the question and the DNSServer are
+ // unscoped. The question is unscoped only if InterfaceID is zero and ServiceID is -1.
+ //
+ // If the first condition fails, following are the possible cases (the notes below are using
+ // InterfaceID for discussion and the same holds good for ServiceID):
+ //
+ // - DNSServer is not scoped, InterfaceID is not NULL - we should skip the current DNSServer entry
+ // as scoped questions should not pick non-scoped DNSServer entry (Refer to (2) above).
+ //
+ // - DNSServer is scoped, InterfaceID is NULL - we should skip the current DNSServer entry as
+ // unscoped question should not match scoped DNSServer (Refer to (1) above). The InterfaceID check
+ // would fail in this case.
+ //
+ // - DNSServer is scoped and InterfaceID is not NULL - the InterfaceID of the question and the DNSServer
+ // should match (Refer to (2) above).
+ //
+ // Note: mDNSInterface_Unicast is used only by .local unicast questions and are treated as unscoped.
+ // If a question is scoped both to InterfaceID and ServiceID, the question will be scoped to InterfaceID.
+
+ if (((d->scoped == kScopeNone) && ((!InterfaceID && ServiceID == -1) || InterfaceID == mDNSInterface_Unicast)) ||
+ ((d->scoped == kScopeInterfaceID) && d->interface == InterfaceID) ||
+ ((d->scoped == kScopeServiceID) && d->serviceID == ServiceID))
+ {
+ return mDNStrue;
+ }
+ return mDNSfalse;
+}
+
+// Sets all the Valid DNS servers for a question
+mDNSexport mDNSu32 SetValidDNSServers(mDNS *m, DNSQuestion *question)
+{
+ int bestmatchlen = -1, namecount = CountLabels(&question->qname);
+ DNSServer *curr;
+ int bettermatch, currcount;
+ int index = 0;
+ mDNSu32 timeout = 0;
+ mDNSBool DEQuery;
+
+ question->validDNSServers = zeroOpaque64;
+ DEQuery = DomainEnumQuery(&question->qname);
+ for (curr = m->DNSServers; curr; curr = curr->next)
+ {
+ debugf("SetValidDNSServers: Parsing DNS server Address %#a (Domain %##s), Scope: %d", &curr->addr, curr->domain.c, curr->scoped);
+ // skip servers that will soon be deleted
+ if (curr->flags & DNSServer_FlagDelete)
+ {
+ debugf("SetValidDNSServers: Delete set for index %d, DNS server %#a (Domain %##s), scoped %d", index, &curr->addr, curr->domain.c, curr->scoped);
+ continue;
+ }
+
+ // This happens normally when you unplug the interface where we reset the interfaceID to mDNSInterface_Any for all
+ // the DNS servers whose scope match the interfaceID. Few seconds later, we also receive the updated DNS configuration.
+ // But any questions that has mDNSInterface_Any scope that are started/restarted before we receive the update
+ // (e.g., CheckSuppressUnusableQuestions is called when interfaces are deregistered with the core) should not
+ // match the scoped entries by mistake.
+ //
+ // Note: DNS configuration change will help pick the new dns servers but currently it does not affect the timeout
+
+ if (curr->scoped && curr->interface == mDNSInterface_Any)
+ {
+ debugf("SetValidDNSServers: Scoped DNS server %#a (Domain %##s) with Interface Any", &curr->addr, curr->domain.c);
+ continue;
+ }
+
+ currcount = CountLabels(&curr->domain);
+ if ((!DEQuery || !curr->cellIntf) && DNSServerMatch(curr, question->InterfaceID, question->ServiceID))
+ {
+ bettermatch = BetterMatchForName(&question->qname, namecount, &curr->domain, currcount, bestmatchlen);
+
+ // If we found a better match (bettermatch == 1) then clear all the bits
+ // corresponding to the old DNSServers that we have may set before and start fresh.
+ // If we find an equal match, then include that DNSServer also by setting the corresponding
+ // bit
+ if ((bettermatch == 1) || (bettermatch == 0))
+ {
+ bestmatchlen = currcount;
+ if (bettermatch)
+ {
+ debugf("SetValidDNSServers: Resetting all the bits");
+ question->validDNSServers = zeroOpaque64;
+ timeout = 0;
+ }
+ debugf("SetValidDNSServers: question %##s Setting the bit for DNS server Address %#a (Domain %##s), Scoped:%d index %d,"
+ " Timeout %d, interface %p", question->qname.c, &curr->addr, curr->domain.c, curr->scoped, index, curr->timeout,
+ curr->interface);
+ timeout += curr->timeout;
+ if (DEQuery)
+ debugf("DomainEnumQuery: Question %##s, DNSServer %#a, cell %d", question->qname.c, &curr->addr, curr->cellIntf);
+ bit_set_opaque64(question->validDNSServers, index);
+ }
+ }
+ index++;
+ }
+ question->noServerResponse = 0;
+
+ debugf("SetValidDNSServers: ValidDNSServer bits 0x%x%x for question %p %##s (%s)",
+ question->validDNSServers.l[1], question->validDNSServers.l[0], question, question->qname.c, DNSTypeName(question->qtype));
+ // If there are no matching resolvers, then use the default timeout value.
+ // For ProxyQuestion, shorten the timeout so that dig does not timeout on us in case of no response.
+ return ((question->ProxyQuestion || question->ValidatingResponse) ? DEFAULT_UDNSSEC_TIMEOUT : timeout ? timeout : DEFAULT_UDNS_TIMEOUT);
+}
+
+// Get the Best server that matches a name. If you find penalized servers, look for the one
+// that will come out of the penalty box soon
+mDNSlocal DNSServer *GetBestServer(mDNS *m, const domainname *name, mDNSInterfaceID InterfaceID, mDNSs32 ServiceID, mDNSOpaque64 validBits,
+ int *selected, mDNSBool nameMatch)
+{
+ DNSServer *curmatch = mDNSNULL;
+ int bestmatchlen = -1, namecount = name ? CountLabels(name) : 0;
+ DNSServer *curr;
+ mDNSs32 bestPenaltyTime, currPenaltyTime;
+ int bettermatch, currcount;
+ int index = 0;
+ int currindex = -1;
+
+ debugf("GetBestServer: ValidDNSServer bits 0x%x%x", validBits.l[1], validBits.l[0]);
+ bestPenaltyTime = DNSSERVER_PENALTY_TIME + 1;
+ for (curr = m->DNSServers; curr; curr = curr->next)
+ {
+ // skip servers that will soon be deleted
+ if (curr->flags & DNSServer_FlagDelete)
+ {
+ debugf("GetBestServer: Delete set for index %d, DNS server %#a (Domain %##s), scoped %d", index, &curr->addr, curr->domain.c, curr->scoped);
+ continue;
+ }
+
+ // Check if this is a valid DNSServer
+ if (!bit_get_opaque64(validBits, index))
+ {
+ debugf("GetBestServer: continuing for index %d", index);
+ index++;
+ continue;
+ }
+
+ currcount = CountLabels(&curr->domain);
+ currPenaltyTime = PenaltyTimeForServer(m, curr);
+
+ debugf("GetBestServer: Address %#a (Domain %##s), PenaltyTime(abs) %d, PenaltyTime(rel) %d",
+ &curr->addr, curr->domain.c, curr->penaltyTime, currPenaltyTime);
+
+ // If there are multiple best servers for a given question, we will pick the first one
+ // if none of them are penalized. If some of them are penalized in that list, we pick
+ // the least penalized one. BetterMatchForName walks through all best matches and
+ // "currPenaltyTime < bestPenaltyTime" check lets us either pick the first best server
+ // in the list when there are no penalized servers and least one among them
+ // when there are some penalized servers.
+
+ if (DNSServerMatch(curr, InterfaceID, ServiceID))
+ {
+
+ // If we know that all the names are already equally good matches, then skip calling BetterMatchForName.
+ // This happens when we initially walk all the DNS servers and set the validity bit on the question.
+ // Actually we just need PenaltyTime match, but for the sake of readability we just skip the expensive
+ // part and still do some redundant steps e.g., InterfaceID match
+
+ if (nameMatch)
+ bettermatch = BetterMatchForName(name, namecount, &curr->domain, currcount, bestmatchlen);
+ else
+ bettermatch = 0;
+
+ // If we found a better match (bettermatch == 1) then we don't need to
+ // compare penalty times. But if we found an equal match, then we compare
+ // the penalty times to pick a better match
+
+ if ((bettermatch == 1) || ((bettermatch == 0) && currPenaltyTime < bestPenaltyTime))
+ {
+ currindex = index;
+ curmatch = curr;
+ bestmatchlen = currcount;
+ bestPenaltyTime = currPenaltyTime;
+ }
+ }
+ index++;
+ }
+ if (selected) *selected = currindex;
+ return curmatch;
+}
+
+// Look up a DNS Server, matching by name and InterfaceID
+mDNSlocal DNSServer *GetServerForName(mDNS *m, const domainname *name, mDNSInterfaceID InterfaceID, mDNSs32 ServiceID)
+{
+ DNSServer *curmatch = mDNSNULL;
+ char *ifname = mDNSNULL; // for logging purposes only
+ mDNSOpaque64 allValid;
+
+ if ((InterfaceID == mDNSInterface_Unicast) || (InterfaceID == mDNSInterface_LocalOnly))
+ InterfaceID = mDNSNULL;
+
+ if (InterfaceID) ifname = InterfaceNameForID(m, InterfaceID);
+
+ // By passing in all ones, we make sure that every DNS server is considered
+ allValid.l[0] = allValid.l[1] = 0xFFFFFFFF;
+
+ curmatch = GetBestServer(m, name, InterfaceID, ServiceID, allValid, mDNSNULL, mDNStrue);
+
+ if (curmatch != mDNSNULL)
+ LogInfo("GetServerForName: DNS server %#a:%d (Penalty Time Left %d) (Scope %s:%p) found for name %##s", &curmatch->addr,
+ mDNSVal16(curmatch->port), (curmatch->penaltyTime ? (curmatch->penaltyTime - m->timenow) : 0), ifname ? ifname : "None",
+ InterfaceID, name);
+ else
+ LogInfo("GetServerForName: no DNS server (Scope %s:%p) found for name %##s", ifname ? ifname : "None", InterfaceID, name);
+
+ return(curmatch);
+}
+
+// Look up a DNS Server for a question within its valid DNSServer bits
+mDNSexport DNSServer *GetServerForQuestion(mDNS *m, DNSQuestion *question)
+{
+ DNSServer *curmatch = mDNSNULL;
+ char *ifname = mDNSNULL; // for logging purposes only
+ mDNSInterfaceID InterfaceID = question->InterfaceID;
+ const domainname *name = &question->qname;
+ int currindex;
+
+ if ((InterfaceID == mDNSInterface_Unicast) || (InterfaceID == mDNSInterface_LocalOnly))
+ InterfaceID = mDNSNULL;
+
+ if (InterfaceID)
+ ifname = InterfaceNameForID(m, InterfaceID);
+
+ if (!mDNSOpaque64IsZero(&question->validDNSServers))
+ {
+ curmatch = GetBestServer(m, name, InterfaceID, question->ServiceID, question->validDNSServers, &currindex, mDNSfalse);
+ if (currindex != -1)
+ bit_clr_opaque64(question->validDNSServers, currindex);
+ }
+
+ if (curmatch != mDNSNULL)
+ {
+ LogInfo("GetServerForQuestion: %p DNS server (%p) %#a:%d (Penalty Time Left %d) (Scope %s:%p:%d) found for name %##s (%s)",
+ question, curmatch, &curmatch->addr, mDNSVal16(curmatch->port),
+ (curmatch->penaltyTime ? (curmatch->penaltyTime - m->timenow) : 0), ifname ? ifname : "None",
+ InterfaceID, question->ServiceID, name, DNSTypeName(question->qtype));
+ }
+ else
+ {
+ LogInfo("GetServerForQuestion: %p no DNS server (Scope %s:%p:%d) found for name %##s (%s)",
+ question, ifname ? ifname : "None", InterfaceID, question->ServiceID, name, DNSTypeName(question->qtype));
+ }
+
+ return(curmatch);
+}
+
+
+#define ValidQuestionTarget(Q) (((Q)->Target.type == mDNSAddrType_IPv4 || (Q)->Target.type == mDNSAddrType_IPv6) && \
+ (mDNSSameIPPort((Q)->TargetPort, UnicastDNSPort) || mDNSSameIPPort((Q)->TargetPort, MulticastDNSPort)))
+
+// Called in normal client context (lock not held)
+mDNSlocal void LLQNATCallback(mDNS *m, NATTraversalInfo *n)
+{
+ DNSQuestion *q;
+ mDNS_Lock(m);
+ LogInfo("LLQNATCallback external address:port %.4a:%u, NAT result %d", &n->ExternalAddress, mDNSVal16(n->ExternalPort), n->Result);
+ n->clientContext = mDNSNULL; // we received at least one callback since starting this NAT-T
+ for (q = m->Questions; q; q=q->next)
+ if (ActiveQuestion(q) && !mDNSOpaque16IsZero(q->TargetQID) && q->LongLived)
+ startLLQHandshake(m, q); // If ExternalPort is zero, will do StartLLQPolling instead
+#if APPLE_OSX_mDNSResponder
+ UpdateAutoTunnelDomainStatuses(m);
+#endif
+ mDNS_Unlock(m);
+}
+
+mDNSlocal mDNSBool IsPrivateDomain(mDNS *const m, DNSQuestion *q)
+{
+ DomainAuthInfo *AuthInfo;
+ // Skip Private domains as we have special addresses to get the hosts in the Private domain
+ AuthInfo = GetAuthInfoForName_internal(m, &q->qname);
+ if (AuthInfo && !AuthInfo->deltime && AuthInfo->AutoTunnel)
+ {
+ debugf("IsPrivateDomain: %##s true", q->qname.c);
+ return mDNStrue;
+ }
+ else
+ {
+ debugf("IsPrivateDomain: %##s false", q->qname.c);
+ return mDNSfalse;
+ }
+}
+
+// This function takes the DNSServer as a separate argument because sometimes the
+// caller has not yet assigned the DNSServer, but wants to evaluate the SuppressQuery
+// status before switching to it.
+mDNSlocal mDNSBool ShouldSuppressUnicastQuery(mDNS *const m, DNSQuestion *q, DNSServer *d)
+{
+ // Some callers don't check for the qtype
+ if (q->qtype != kDNSType_A && q->qtype != kDNSType_AAAA)
+ {
+ LogInfo("ShouldSuppressUnicastQuery: Query not suppressed for %##s, qtype %s, not A/AAAA type", q->qname.c, DNSTypeName(q->qtype));
+ return mDNSfalse;
+ }
+
+ // Private domains are exempted irrespective of what the DNSServer says
+ if (IsPrivateDomain(m, q))
+ {
+ LogInfo("ShouldSuppressUnicastQuery: Query not suppressed for %##s, qtype %s, Private Domain", q->qname.c, DNSTypeName(q->qtype));
+ return mDNSfalse;
+ }
+
+ if (!d)
+ {
+ LogInfo("ShouldSuppressUnicastQuery: Query suppressed for %##s, qtype %s, as the DNS server is NULL", q->qname.c, DNSTypeName(q->qtype));
+ return mDNStrue;
+ }
+
+ // Check if the DNS Configuration allows A/AAAA queries to be sent
+ if ((q->qtype == kDNSType_A) && (d->req_A))
+ {
+ LogInfo("ShouldSuppressUnicastQuery: Query not suppressed for %##s, qtype %s, DNSServer %##s %#a:%d allows A queries", q->qname.c,
+ DNSTypeName(q->qtype), d->domain.c, &d->addr, mDNSVal16(d->port));
+ return mDNSfalse;
+ }
+ if ((q->qtype == kDNSType_AAAA) && (d->req_AAAA))
+ {
+ LogInfo("ShouldSuppressUnicastQuery: Query not suppressed for %##s, qtype %s, DNSServer %##s %#a:%d allows AAAA queries", q->qname.c,
+ DNSTypeName(q->qtype), d->domain.c, &d->addr, mDNSVal16(d->port));
+ return mDNSfalse;
+ }
+
+ LogInfo("ShouldSuppressUnicastQuery: Query suppressed for %##s, qtype %s, since DNS Configuration does not allow (req_A is %s and req_AAAA is %s)",
+ q->qname.c, DNSTypeName(q->qtype), d->req_A ? "true" : "false", d->req_AAAA ? "true" : "false");
+
+ return mDNStrue;
+}
+
+mDNSlocal mDNSBool ShouldSuppressDotLocalQuery(mDNS *const m, DNSQuestion *q)
+{
+ NetworkInterfaceInfo *intf;
+ AuthRecord *rr;
+ mDNSBool ret;
+
+ // Check to see if there is at least one interface other than loopback and don't suppress
+ // .local questions if you find one. If we have at least one interface, it means that
+ // we can send unicast queries for the .local name and we don't want to suppress
+ // multicast in that case as upper layers don't know how to handle if we return a
+ // negative response for multicast followed by a positive response for unicast.
+ //
+ // Note: we used to check for multicast capable interfaces instead of just any interface
+ // present. That did not work in the case where we have a valid interface for unicast
+ // but not multicast capable e.g., cellular, as we ended up delivering a negative response
+ // first and the upper layer did not wait for the positive response that came later.
+ for (intf = m->HostInterfaces; intf; intf = intf->next)
+ {
+ if (intf->InterfaceActive && !intf->Loopback)
+ {
+ LogInfo("ShouldSuppressDotLocalQuery: Found interface %s, not suppressing", intf->ifname);
+ return mDNSfalse;
+ }
+ }
+
+ // 1. If we find a LocalOnly or P2P record answering this question, then don't suppress it.
+ // Set m->CurrentQuestion as it is required by AnswerQuestionWithLORecord.
+ m->CurrentQuestion = q;
+ ret = AnswerQuestionWithLORecord(m, q, mDNStrue);
+ m->CurrentQuestion = mDNSNULL;
+
+ if (ret)
+ {
+ LogInfo("ShouldSuppressDotLocalQuery: Found LocalOnly record for %##s (%s), not suppressing", q->qname.c,
+ DNSTypeName(q->qtype));
+ return mDNSfalse;
+ }
+
+ // 2. If we find a local AuthRecord answering this question, then don't suppress it.
+ for (rr = m->ResourceRecords; rr; rr = rr->next)
+ {
+ if (ResourceRecordAnswersQuestion(&rr->resrec, q))
+ {
+ LogInfo("ShouldSuppressDotLocalQuery: Found resource record %s for %##s (%s) not suppressing", ARDisplayString(m, rr),
+ q->qname.c, DNSTypeName(q->qtype));
+ return mDNSfalse;
+ }
+ }
+ return mDNStrue;
+}
+
+mDNSlocal mDNSBool ShouldSuppressQuery(mDNS *const m, DNSQuestion *q)
+{
+ if (q->qtype != kDNSType_A && q->qtype != kDNSType_AAAA)
+ {
+ LogInfo("ShouldSuppressQuery: Query not suppressed for %##s, qtype %s, not A/AAAA type", q->qname.c, DNSTypeName(q->qtype));
+ return mDNSfalse;
+ }
+
+ // We still want the ability to be able to listen to the local services and hence
+ // don't fail .local query if we have local records that can potentially answer
+ // the question.
+ if (q->InterfaceID != mDNSInterface_Unicast && IsLocalDomain(&q->qname))
+ {
+ if (!ShouldSuppressDotLocalQuery(m, q))
+ {
+ LogInfo("ShouldSuppressQuery: Query not suppressed for %##s, qtype %s, Local question", q->qname.c, DNSTypeName(q->qtype));
+ return mDNSfalse;
+ }
+ else
+ {
+ LogInfo("ShouldSuppressQuery: Query suppressed for %##s, qtype %s, Local question", q->qname.c, DNSTypeName(q->qtype));
+ return mDNStrue;
+ }
+ }
+
+ return (ShouldSuppressUnicastQuery(m, q, q->qDNSServer));
+}
+
+mDNSlocal void CacheRecordRmvEventsForCurrentQuestion(mDNS *const m, DNSQuestion *q)
+{
+ CacheRecord *rr;
+ mDNSu32 slot;
+ CacheGroup *cg;
+
+ slot = HashSlot(&q->qname);
+ cg = CacheGroupForName(m, slot, q->qnamehash, &q->qname);
+ for (rr = cg ? cg->members : mDNSNULL; rr; rr=rr->next)
+ {
+ // Don't deliver RMV events for negative records
+ if (rr->resrec.RecordType == kDNSRecordTypePacketNegative)
+ {
+ LogInfo("CacheRecordRmvEventsForCurrentQuestion: CacheRecord %s Suppressing RMV events for question %p %##s (%s), CRActiveQuestion %p, CurrentAnswers %d",
+ CRDisplayString(m, rr), q, q->qname.c, DNSTypeName(q->qtype), rr->CRActiveQuestion, q->CurrentAnswers);
+ continue;
+ }
+
+ if (SameNameRecordAnswersQuestion(&rr->resrec, q))
+ {
+ LogInfo("CacheRecordRmvEventsForCurrentQuestion: Calling AnswerCurrentQuestionWithResourceRecord (RMV) for question %##s using resource record %s LocalAnswers %d",
+ q->qname.c, CRDisplayString(m, rr), q->LOAddressAnswers);
+
+ q->CurrentAnswers--;
+ if (rr->resrec.rdlength > SmallRecordLimit) q->LargeAnswers--;
+ if (rr->resrec.RecordType & kDNSRecordTypePacketUniqueMask) q->UniqueAnswers--;
+
+ if (rr->CRActiveQuestion == q)
+ {
+ DNSQuestion *qptr;
+ // If this was the active question for this cache entry, it was the one that was
+ // responsible for keeping the cache entry fresh when the cache entry was reaching
+ // its expiry. We need to handover the responsibility to someone else. Otherwise,
+ // when the cache entry is about to expire, we won't find an active question
+ // (pointed by CRActiveQuestion) to refresh the cache.
+ for (qptr = m->Questions; qptr; qptr=qptr->next)
+ if (qptr != q && ActiveQuestion(qptr) && ResourceRecordAnswersQuestion(&rr->resrec, qptr))
+ break;
+
+ if (qptr)
+ LogInfo("CacheRecordRmvEventsForCurrentQuestion: Updating CRActiveQuestion to %p for cache record %s, "
+ "Original question CurrentAnswers %d, new question CurrentAnswers %d, SuppressUnusable %d, SuppressQuery %d",
+ qptr, CRDisplayString(m,rr), q->CurrentAnswers, qptr->CurrentAnswers, qptr->SuppressUnusable, qptr->SuppressQuery);
+
+ rr->CRActiveQuestion = qptr; // Question used to be active; new value may or may not be null
+ if (!qptr) m->rrcache_active--; // If no longer active, decrement rrcache_active count
+ }
+ AnswerCurrentQuestionWithResourceRecord(m, rr, QC_rmv);
+ if (m->CurrentQuestion != q) break; // If callback deleted q, then we're finished here
+ }
+ }
+}
+
+mDNSlocal mDNSBool IsQuestionNew(mDNS *const m, DNSQuestion *question)
+{
+ DNSQuestion *q;
+ for (q = m->NewQuestions; q; q = q->next)
+ if (q == question) return mDNStrue;
+ return mDNSfalse;
+}
+
+mDNSlocal mDNSBool LocalRecordRmvEventsForQuestion(mDNS *const m, DNSQuestion *q)
+{
+ AuthRecord *rr;
+ mDNSu32 slot;
+ AuthGroup *ag;
+
+ if (m->CurrentQuestion)
+ LogMsg("LocalRecordRmvEventsForQuestion: ERROR m->CurrentQuestion already set: %##s (%s)",
+ m->CurrentQuestion->qname.c, DNSTypeName(m->CurrentQuestion->qtype));
+
+ if (IsQuestionNew(m, q))
+ {
+ LogInfo("LocalRecordRmvEventsForQuestion: New Question %##s (%s)", q->qname.c, DNSTypeName(q->qtype));
+ return mDNStrue;
+ }
+ m->CurrentQuestion = q;
+ slot = AuthHashSlot(&q->qname);
+ ag = AuthGroupForName(&m->rrauth, slot, q->qnamehash, &q->qname);
+ if (ag)
+ {
+ for (rr = ag->members; rr; rr=rr->next)
+ // Filter the /etc/hosts records - LocalOnly, Unique, A/AAAA/CNAME
+ if (UniqueLocalOnlyRecord(rr) && LocalOnlyRecordAnswersQuestion(rr, q))
+ {
+ LogInfo("LocalRecordRmvEventsForQuestion: Delivering possible Rmv events with record %s",
+ ARDisplayString(m, rr));
+ if (q->CurrentAnswers <= 0 || q->LOAddressAnswers <= 0)
+ {
+ LogMsg("LocalRecordRmvEventsForQuestion: ERROR!! CurrentAnswers or LOAddressAnswers is zero %p %##s"
+ " (%s) CurrentAnswers %d, LOAddressAnswers %d", q, q->qname.c, DNSTypeName(q->qtype),
+ q->CurrentAnswers, q->LOAddressAnswers);
+ continue;
+ }
+ AnswerLocalQuestionWithLocalAuthRecord(m, rr, QC_rmv); // MUST NOT dereference q again
+ if (m->CurrentQuestion != q) { m->CurrentQuestion = mDNSNULL; return mDNSfalse; }
+ }
+ }
+ m->CurrentQuestion = mDNSNULL;
+ return mDNStrue;
+}
+
+// Returns false if the question got deleted while delivering the RMV events
+// The caller should handle the case
+mDNSlocal mDNSBool CacheRecordRmvEventsForQuestion(mDNS *const m, DNSQuestion *q)
+{
+ if (m->CurrentQuestion)
+ LogMsg("CacheRecordRmvEventsForQuestion: ERROR m->CurrentQuestion already set: %##s (%s)",
+ m->CurrentQuestion->qname.c, DNSTypeName(m->CurrentQuestion->qtype));
+
+ // If it is a new question, we have not delivered any ADD events yet. So, don't deliver RMV events.
+ // If this question was answered using local auth records, then you can't deliver RMVs using cache
+ if (!IsQuestionNew(m, q) && !q->LOAddressAnswers)
+ {
+ m->CurrentQuestion = q;
+ CacheRecordRmvEventsForCurrentQuestion(m, q);
+ if (m->CurrentQuestion != q) { m->CurrentQuestion = mDNSNULL; return mDNSfalse; }
+ m->CurrentQuestion = mDNSNULL;
+ }
+ else { LogInfo("CacheRecordRmvEventsForQuestion: Question %p %##s (%s) is a new question", q, q->qname.c, DNSTypeName(q->qtype)); }
+ return mDNStrue;
+}
+
+mDNSlocal void SuppressStatusChanged(mDNS *const m, DNSQuestion *q, DNSQuestion **restart)
+{
+ // NOTE: CacheRecordRmvEventsForQuestion will not generate RMV events for queries that have non-zero
+ // LOddressAnswers. Hence it is important that we call CacheRecordRmvEventsForQuestion before
+ // LocalRecordRmvEventsForQuestion (which decrements LOAddressAnswers)
+ if (q->SuppressQuery)
+ {
+ q->SuppressQuery = mDNSfalse;
+ if (!CacheRecordRmvEventsForQuestion(m, q))
+ {
+ LogInfo("SuppressStatusChanged: Question deleted while delivering RMV events from cache");
+ return;
+ }
+ q->SuppressQuery = mDNStrue;
+ }
+
+ // SuppressUnusable does not affect questions that are answered from the local records (/etc/hosts)
+ // and SuppressQuery status does not mean anything for these questions. As we are going to stop the
+ // question below, we need to deliver the RMV events so that the ADDs that will be delivered during
+ // the restart will not be a duplicate ADD
+ if (!LocalRecordRmvEventsForQuestion(m, q))
+ {
+ LogInfo("SuppressStatusChanged: Question deleted while delivering RMV events from Local AuthRecords");
+ return;
+ }
+
+ // There are two cases here.
+ //
+ // 1. Previously it was suppressed and now it is not suppressed, restart the question so
+ // that it will start as a new question. Note that we can't just call ActivateUnicastQuery
+ // because when we get the response, if we had entries in the cache already, it will not answer
+ // this question if the cache entry did not change. Hence, we need to restart
+ // the query so that it can be answered from the cache.
+ //
+ // 2. Previously it was not suppressed and now it is suppressed. We need to restart the questions
+ // so that we redo the duplicate checks in mDNS_StartQuery_internal. A SuppressUnusable question
+ // is a duplicate of non-SuppressUnusable question if it is not suppressed (SuppressQuery is false).
+ // A SuppressUnusable question is not a duplicate of non-SuppressUnusable question if it is suppressed
+ // (SuppressQuery is true). The reason for this is that when a question is suppressed, we want an
+ // immediate response and not want to be blocked behind a question that is querying DNS servers. When
+ // the question is not suppressed, we don't want two active questions sending packets on the wire.
+ // This affects both efficiency and also the current design where there is only one active question
+ // pointed to from a cache entry.
+ //
+ // We restart queries in a two step process by first calling stop and build a temporary list which we
+ // will restart at the end. The main reason for the two step process is to handle duplicate questions.
+ // If there are duplicate questions, calling stop inherits the values from another question on the list (which
+ // will soon become the real question) including q->ThisQInterval which might be zero if it was
+ // suppressed before. At the end when we have restarted all questions, none of them is active as each
+ // inherits from one another and we need to reactivate one of the questions here which is a little hacky.
+ //
+ // It is much cleaner and less error prone to build a list of questions and restart at the end.
+
+ LogInfo("SuppressStatusChanged: Stop question %p %##s (%s)", q, q->qname.c, DNSTypeName(q->qtype));
+ mDNS_StopQuery_internal(m, q);
+ q->next = *restart;
+ *restart = q;
+}
+
+// The caller should hold the lock
+mDNSexport void CheckSuppressUnusableQuestions(mDNS *const m)
+{
+ DNSQuestion *q;
+ DNSQuestion *restart = mDNSNULL;
+
+ // We look through all questions including new questions. During network change events,
+ // we potentially restart questions here in this function that ends up as new questions,
+ // which may be suppressed at this instance. Before it is handled we get another network
+ // event that changes the status e.g., address becomes available. If we did not process
+ // new questions, we would never change its SuppressQuery status.
+ //
+ // CurrentQuestion is used by RmvEventsForQuestion below. While delivering RMV events, the
+ // application callback can potentially stop the current question (detected by CurrentQuestion) or
+ // *any* other question which could be the next one that we may process here. RestartQuestion
+ // points to the "next" question which will be automatically advanced in mDNS_StopQuery_internal
+ // if the "next" question is stopped while the CurrentQuestion is stopped
+ if (m->RestartQuestion)
+ LogMsg("CheckSuppressUnusableQuestions: ERROR!! m->RestartQuestion already set: %##s (%s)",
+ m->RestartQuestion->qname.c, DNSTypeName(m->RestartQuestion->qtype));
+ m->RestartQuestion = m->Questions;
+ while (m->RestartQuestion)
+ {
+ q = m->RestartQuestion;
+ m->RestartQuestion = q->next;
+ if (q->SuppressUnusable)
+ {
+ mDNSBool old = q->SuppressQuery;
+ q->SuppressQuery = ShouldSuppressQuery(m, q);
+ if (q->SuppressQuery != old)
+ {
+ // Previously it was not suppressed, Generate RMV events for the ADDs that we might have delivered before
+ // followed by a negative cache response. Temporarily turn off suppression so that
+ // AnswerCurrentQuestionWithResourceRecord can answer the question
+ SuppressStatusChanged(m, q, &restart);
+ }
+ }
+ }
+ while (restart)
+ {
+ q = restart;
+ restart = restart->next;
+ q->next = mDNSNULL;
+ LogInfo("CheckSuppressUnusableQuestions: Start question %p %##s (%s)", q, q->qname.c, DNSTypeName(q->qtype));
+ mDNS_StartQuery_internal(m, q);
+ }
+}
+
+mDNSlocal void RestartUnicastQuestions(mDNS *const m)
+{
+ DNSQuestion *q;
+ DNSQuestion *restart = mDNSNULL;
+
+ if (m->RestartQuestion)
+ LogMsg("RestartUnicastQuestions: ERROR!! m->RestartQuestion already set: %##s (%s)",
+ m->RestartQuestion->qname.c, DNSTypeName(m->RestartQuestion->qtype));
+ m->RestartQuestion = m->Questions;
+ while (m->RestartQuestion)
+ {
+ q = m->RestartQuestion;
+ m->RestartQuestion = q->next;
+ if (q->Restart)
+ {
+ if (mDNSOpaque16IsZero(q->TargetQID))
+ LogMsg("RestartUnicastQuestions: ERROR!! Restart set for multicast question %##s (%s)", q->qname.c, DNSTypeName(q->qtype));
+
+ q->Restart = 0;
+ SuppressStatusChanged(m, q, &restart);
+ }
+ }
+ while (restart)
+ {
+ q = restart;
+ restart = restart->next;
+ q->next = mDNSNULL;
+ LogInfo("RestartUnicastQuestions: Start question %p %##s (%s)", q, q->qname.c, DNSTypeName(q->qtype));
+ mDNS_StartQuery_internal(m, q);
+ }
+}
+
+
+// ValidateParameters() is called by mDNS_StartQuery_internal() to check the client parameters of
+// DNS Question that are already set by the client before calling mDNS_StartQuery()
+mDNSlocal mStatus ValidateParameters(mDNS *const m, DNSQuestion *const question)
+{
+
+ if (question->Target.type && !ValidQuestionTarget(question))
+ {
+ LogMsg("ValidateParameters: Warning! Target.type = %ld port = %u (Client forgot to initialize before calling mDNS_StartQuery? for question %##s)",
+ question->Target.type, mDNSVal16(question->TargetPort), question->qname.c);
+ question->Target.type = mDNSAddrType_None;
+ }
+
+ // If no question->Target specified, clear TargetPort
+ if (!question->Target.type)
+ question->TargetPort = zeroIPPort;
+
+ if (!ValidateDomainName(&question->qname))
+ {
+ LogMsg("ValidateParameters: Attempt to start query with invalid qname %##s (%s)", question->qname.c, DNSTypeName(question->qtype));
+ return(mStatus_Invalid);
+ }
+
+ // If this question is referencing a specific interface, verify it exists
+ if (question->InterfaceID && question->InterfaceID != mDNSInterface_LocalOnly && question->InterfaceID != mDNSInterface_Unicast && question->InterfaceID != mDNSInterface_P2P)
+ {
+ NetworkInterfaceInfo *intf = FirstInterfaceForID(m, question->InterfaceID);
+ if (!intf)
+ LogMsg("ValidateParameters: Note: InterfaceID %p for question %##s (%s) not currently found in active interface list",
+ question->InterfaceID, question->qname.c, DNSTypeName(question->qtype));
+ }
+
+ return(mStatus_NoError);
+}
+
+// InitDNSConfig() is called by InitCommonState() to initialize the DNS configuration of the Question.
+// These are a subset of the internal uDNS fields. Must be done before ShouldSuppressQuery() & mDNS_PurgeForQuestion()
+mDNSlocal void InitDNSConfig(mDNS *const m, DNSQuestion *const question)
+{
+ // First reset all DNS Configuration
+ question->qDNSServer = mDNSNULL;
+ question->validDNSServers = zeroOpaque64;
+ question->triedAllServersOnce = 0;
+ question->noServerResponse = 0;
+ question->StopTime = 0;
+
+ // Need not initialize the DNS Configuration for Local Only OR P2P Questions
+ if (question->InterfaceID == mDNSInterface_LocalOnly || question->InterfaceID == mDNSInterface_P2P)
+ return;
+ // Proceed to initialize DNS Configuration (some are set in SetValidDNSServers())
+ if (!mDNSOpaque16IsZero(question->TargetQID))
+ {
+ mDNSu32 timeout = SetValidDNSServers(m, question);
+ // We set the timeout whenever mDNS_StartQuery_internal is called. This means if we have
+ // a networking change/search domain change that calls this function again we keep
+ // reinitializing the timeout value which means it may never timeout. If this becomes
+ // a common case in the future, we can easily fix this by adding extra state that
+ // indicates that we have already set the StopTime.
+ //
+ // Note that we set the timeout for all questions. If this turns out to be a duplicate,
+ // it gets a full timeout value even if the original question times out earlier.
+ if (question->TimeoutQuestion)
+ {
+ question->StopTime = NonZeroTime(m->timenow + timeout * mDNSPlatformOneSecond);
+ LogInfo("InitDNSConfig: Setting StopTime on question %p %##s (%s)", question, question->qname.c, DNSTypeName(question->qtype));
+ }
+
+ question->qDNSServer = GetServerForQuestion(m, question);
+ LogInfo("InitDNSConfig: question %p %##s (%s) Timeout %d, DNS Server %#a:%d",
+ question, question->qname.c, DNSTypeName(question->qtype), timeout,
+ question->qDNSServer ? &question->qDNSServer->addr : mDNSNULL,
+ mDNSVal16(question->qDNSServer ? question->qDNSServer->port : zeroIPPort));
+ }
+ else
+ {
+ if (question->TimeoutQuestion)
+ question->StopTime = NonZeroTime(m->timenow + GetTimeoutForMcastQuestion(m, question) * mDNSPlatformOneSecond);
+ }
+ // Set StopTime here since it is a part of DNS Configuration
+ if (question->StopTime)
+ SetNextQueryStopTime(m, question);
+ // SetNextQueryTime() need not be initialized for LocalOnly OR P2P Questions since those questions
+ // will never be transmitted on the wire. Hence we call SetNextQueryTime() here.
+ SetNextQueryTime(m,question);
+}
+
+// InitCommonState() is called by mDNS_StartQuery_internal() to initialize the common(uDNS/mDNS) internal
+// state fields of the DNS Question. These are independent of the Client layer.
+mDNSlocal mDNSBool InitCommonState(mDNS *const m, DNSQuestion *const question)
+{
+ mDNSBool purge;
+ int i;
+
+ // Note: In the case where we already have the answer to this question in our cache, that may be all the client
+ // wanted, and they may immediately cancel their question. In this case, sending an actual query on the wire would
+ // be a waste. For that reason, we schedule our first query to go out in half a second (InitialQuestionInterval).
+ // If AnswerNewQuestion() finds that we have *no* relevant answers currently in our cache, then it will accelerate
+ // that to go out immediately.
+ question->next = mDNSNULL;
+ // ThisQInterval should be initialized before any memory allocations occur. If malloc
+ // debugging is turned on within mDNSResponder (see mDNSDebug.h for details) it validates
+ // the question list to check if ThisQInterval is negative which means the question has been
+ // stopped and can't be on the list. The question is already on the list and ThisQInterval
+ // can be negative if the caller just stopped it and starting it again. Hence, it always has to
+ // be initialized. CheckForSoonToExpireRecords below prints the cache records when logging is
+ // turned ON which can allocate memory e.g., base64 encoding, in the case of DNSSEC.
+ question->ThisQInterval = InitialQuestionInterval; // MUST be > zero for an active question
+ question->qnamehash = DomainNameHashValue(&question->qname);
+ question->DelayAnswering = CheckForSoonToExpireRecords(m, &question->qname, question->qnamehash, HashSlot(&question->qname), &purge);
+ question->LastQTime = m->timenow;
+ question->ExpectUnicastResp = 0;
+ question->LastAnswerPktNum = m->PktNum;
+ question->RecentAnswerPkts = 0;
+ question->CurrentAnswers = 0;
+
+#if APPLE_OSX_mDNSResponder
+
+// Initial browse threshold used by Finder.
+#define mDNSFinderBrowseThreshold 20
+
+ // Set the threshold at which we move to a passive browse state,
+ // not actively sending queries.
+ if (question->flags & kDNSServiceFlagsThresholdOne)
+ question->BrowseThreshold = 1;
+ else if (question->flags & kDNSServiceFlagsThresholdFinder)
+ question->BrowseThreshold = mDNSFinderBrowseThreshold;
+ else
+ question->BrowseThreshold = 0;
+
+#else // APPLE_OSX_mDNSResponder
+ question->BrowseThreshold = 0;
+#endif // APPLE_OSX_mDNSResponder
+ question->CachedAnswerNeedsUpdate = mDNSfalse;
+
+ question->LargeAnswers = 0;
+ question->UniqueAnswers = 0;
+ question->LOAddressAnswers = 0;
+ question->FlappingInterface1 = mDNSNULL;
+ question->FlappingInterface2 = mDNSNULL;
+
+ question->ServiceID = mDNSPlatformGetServiceID(m, question);
+
+ InitDNSConfig(m, question);
+
+ question->AuthInfo = GetAuthInfoForQuestion(m, question);
+ question->SuppressQuery = 0;
+ if (question->SuppressUnusable)
+ question->SuppressQuery = ShouldSuppressQuery(m, question);
+
+ // If ServiceID is 0 or the policy disallows making DNS requests,
+ // set DisallowPID
+ question->DisallowPID = (question->ServiceID == 0 || (mDNSPlatformAllowPID(m, question) == 0));
+ if (question->DisallowPID)
+ {
+ LogInfo("InitCommonState: Query suppressed for %##s (%s), PID %d/ServiceID %d not allowed", question->qname.c,
+ DNSTypeName(question->qtype), question->pid, question->ServiceID);
+ }
+
+ question->NextInDQList = mDNSNULL;
+ question->SendQNow = mDNSNULL;
+ question->SendOnAll = mDNSfalse;
+
+#if mDNS_REQUEST_UNICAST_RESPONSE
+ question->RequestUnicast = SET_QU_IN_FIRST_FOUR_QUERIES;
+#else // mDNS_REQUEST_UNICAST_RESPONSE
+ question->RequestUnicast = SET_QU_IN_FIRST_QUERY;
+#endif // mDNS_REQUEST_UNICAST_RESPONSE
+
+#if APPLE_OSX_mDNSResponder
+ // Request unicast response for first 4 queries to increase
+ // reliability in an environment with high multicast packet loss.
+ // Must set to one more than the number of unicast queries you want, since SendQueries()
+ // decrements it before calling BuildQuestion() which acts on it.
+ if (question->flags & kDNSServiceFlagsUnicastResponse)
+ {
+ question->RequestUnicast = SET_QU_IN_FIRST_FOUR_QUERIES;
+ LogInfo("InitCommonState: setting RequestUnicast = %d for %##s (%s)", question->RequestUnicast, question->qname.c,
+ DNSTypeName(question->qtype));
+ }
+ else if (question->flags & kDNSServiceFlagsThresholdFinder)
+ {
+ // always send one request with QU bit set when kDNSServiceFlagsThresholdFinder is set
+#if mDNS_REQUEST_UNICAST_RESPONSE
+ question->RequestUnicast = SET_QU_IN_FIRST_FOUR_QUERIES;
+#else // mDNS_REQUEST_UNICAST_RESPONSE
+ question->RequestUnicast = SET_QU_IN_FIRST_QUERY;
+#endif // mDNS_REQUEST_UNICAST_RESPONSE
+
+ LogInfo("InitCommonState: kDNSServiceFlagsThresholdFinder set, setting RequestUnicast = %d for %##s (%s)",
+ question->RequestUnicast, question->qname.c, DNSTypeName(question->qtype));
+ }
+#endif // APPLE_OSX_mDNSResponder
+
+ question->LastQTxTime = m->timenow;
+ question->CNAMEReferrals = 0;
+
+ question->WakeOnResolveCount = 0;
+ if (question->WakeOnResolve)
+ {
+ question->WakeOnResolveCount = InitialWakeOnResolveCount;
+ purge = mDNStrue;
+ }
+
+ for (i=0; i<DupSuppressInfoSize; i++)
+ question->DupSuppress[i].InterfaceID = mDNSNULL;
+
+ question->Restart = 0;
+
+ debugf("InitCommonState: Question %##s (%s) Interface %p Now %d Send in %d Answer in %d (%p) %s (%p)",
+ question->qname.c, DNSTypeName(question->qtype), question->InterfaceID, m->timenow,
+ NextQSendTime(question) - m->timenow,
+ question->DelayAnswering ? question->DelayAnswering - m->timenow : 0,
+ question, question->DuplicateOf ? "duplicate of" : "not duplicate", question->DuplicateOf);
+
+ if (question->DelayAnswering)
+ LogInfo("InitCommonState: Delaying answering for %d ticks while cache stabilizes for %##s (%s)",
+ question->DelayAnswering - m->timenow, question->qname.c, DNSTypeName(question->qtype));
+
+ return(purge);
+}
+
+// Excludes the DNS Config fields which are already handled by InitDNSConfig()
+mDNSlocal void InitWABState(DNSQuestion *const question)
+{
+ // We'll create our question->LocalSocket on demand, if needed.
+ // We won't need one for duplicate questions, or from questions answered immediately out of the cache.
+ // We also don't need one for LLQs because (when we're using NAT) we want them all to share a single
+ // NAT mapping for receiving inbound add/remove events.
+ question->LocalSocket = mDNSNULL;
+ question->unansweredQueries = 0;
+ question->nta = mDNSNULL;
+ question->servAddr = zeroAddr;
+ question->servPort = zeroIPPort;
+ question->tcp = mDNSNULL;
+ question->NoAnswer = NoAnswer_Normal;
+}
+
+mDNSlocal void InitLLQNATState(mDNS *const m)
+{
+ // If we don't have our NAT mapping active, start it now
+ if (!m->LLQNAT.clientCallback)
+ {
+ m->LLQNAT.Protocol = NATOp_MapUDP;
+ m->LLQNAT.IntPort = m->UnicastPort4;
+ m->LLQNAT.RequestedPort = m->UnicastPort4;
+ m->LLQNAT.clientCallback = LLQNATCallback;
+ m->LLQNAT.clientContext = (void*)1; // Means LLQ NAT Traversal just started
+ mDNS_StartNATOperation_internal(m, &m->LLQNAT);
+ }
+}
+
+mDNSlocal void InitLLQState(DNSQuestion *const question)
+{
+ question->state = LLQ_InitialRequest;
+ question->ReqLease = 0;
+ question->expire = 0;
+ question->ntries = 0;
+ question->id = zeroOpaque64;
+}
+
+// InitDNSSECProxyState() is called by mDNS_StartQuery_internal() to initialize
+// DNSSEC & DNS Proxy fields of the DNS Question.
+mDNSlocal void InitDNSSECProxyState(mDNS *const m, DNSQuestion *const question)
+{
+ (void) m;
+
+ // DNS server selection affects DNSSEC. Turn off validation if req_DO is not set
+ // or the request is going over cellular interface.
+ //
+ // Note: This needs to be done here before we call FindDuplicateQuestion as it looks
+ // at ValidationRequired setting also.
+ if (question->qDNSServer)
+ {
+ if (question->qDNSServer->cellIntf)
+ {
+ LogInfo("InitDNSSECProxyState: Turning off validation for %##s (%s); going over cell", question->qname.c, DNSTypeName(question->qtype));
+ question->ValidationRequired = mDNSfalse;
+ }
+ if (DNSSECOptionalQuestion(question) && !(question->qDNSServer->req_DO))
+ {
+ LogInfo("InitDNSSECProxyState: Turning off validation for %##s (%s); req_DO false",
+ question->qname.c, DNSTypeName(question->qtype));
+ question->ValidationRequired = DNSSEC_VALIDATION_NONE;
+ }
+ }
+ question->ValidationState = (question->ValidationRequired ? DNSSECValRequired : DNSSECValNotRequired);
+ question->ValidationStatus = 0;
+ question->responseFlags = zeroID;
+}
+
+// Once the question is completely initialized including the duplicate logic, this function
+// is called to finalize the unicast question which requires flushing the cache if needed,
+// activating the query etc.
+mDNSlocal void FinalizeUnicastQuestion(mDNS *const m, DNSQuestion *question, mDNSBool purge)
+{
+ // Ensure DNS related info of duplicate question is same as the orig question
+ if (question->DuplicateOf)
+ {
+ question->validDNSServers = question->DuplicateOf->validDNSServers;
+ question->qDNSServer = question->DuplicateOf->qDNSServer;
+ LogInfo("FinalizeUnicastQuestion: Duplicate question %p (%p) %##s (%s), DNS Server %#a:%d",
+ question, question->DuplicateOf, question->qname.c, DNSTypeName(question->qtype),
+ question->qDNSServer ? &question->qDNSServer->addr : mDNSNULL,
+ mDNSVal16(question->qDNSServer ? question->qDNSServer->port : zeroIPPort));
+ }
+
+ ActivateUnicastQuery(m, question, mDNSfalse);
+
+ // If purge was set above, flush the cache. Need to do this after we set the
+ // DNS server on the question
+ if (purge)
+ {
+ question->DelayAnswering = 0;
+ mDNS_PurgeForQuestion(m, question);
+ }
+ else if (!question->DuplicateOf && DNSSECQuestion(question))
+ {
+ // For DNSSEC questions, we need to have the RRSIGs also for verification.
+ CheckForDNSSECRecords(m, question);
+ }
+ if (question->LongLived)
+ {
+ // Unlike other initializations, InitLLQNATState should be done after
+ // we determine that it is a unicast question. LongLived is set for
+ // both multicast and unicast browse questions but we should initialize
+ // the LLQ NAT state only for unicast. Otherwise we will unnecessarily
+ // start the NAT traversal that is not needed.
+ InitLLQNATState(m);
+#if APPLE_OSX_mDNSResponder
+ UpdateAutoTunnelDomainStatuses(m);
+#endif
+ }
+}
+
+mDNSexport mStatus mDNS_StartQuery_internal(mDNS *const m, DNSQuestion *const question)
+{
+ DNSQuestion **q;
+ mStatus vStatus;
+ mDNSBool purge;
+
+ // First check for cache space (can't do queries if there is no cache space allocated)
+ if (m->rrcache_size == 0)
+ return(mStatus_NoCache);
+
+ vStatus = ValidateParameters(m, question);
+ if (vStatus)
+ return(vStatus);
+
+ question->TargetQID =
+#ifndef UNICAST_DISABLED
+ (question->Target.type || Question_uDNS(question)) ? mDNS_NewMessageID(m) :
+#endif // UNICAST_DISABLED
+ zeroID;
+ debugf("mDNS_StartQuery_internal: %##s (%s)", question->qname.c, DNSTypeName(question->qtype));
+
+ // Note: It important that new questions are appended at the *end* of the list, not prepended at the start
+ q = &m->Questions;
+ if (question->InterfaceID == mDNSInterface_LocalOnly || question->InterfaceID == mDNSInterface_P2P)
+ q = &m->LocalOnlyQuestions;
+ while (*q && *q != question)
+ q=&(*q)->next;
+
+ if (*q)
+ {
+ LogMsg("mDNS_StartQuery_internal: Error! Tried to add a question %##s (%s) %p that's already in the active list",
+ question->qname.c, DNSTypeName(question->qtype), question);
+ return(mStatus_AlreadyRegistered);
+ }
+ *q = question;
+
+
+ // Intialize the question. The only ordering constraint we have today is that
+ // InitDNSSECProxyState should be called after the DNS server is selected (in
+ // InitCommonState -> InitDNSConfig) as DNS server selection affects DNSSEC
+ // validation.
+
+ purge = InitCommonState(m, question);
+ InitWABState(question);
+ InitLLQState(question);
+ InitDNSSECProxyState(m, question);
+
+ // FindDuplicateQuestion should be called last after all the intialization
+ // as the duplicate logic could be potentially based on any field in the
+ // question.
+ question->DuplicateOf = FindDuplicateQuestion(m, question);
+ if (question->DuplicateOf)
+ question->AuthInfo = question->DuplicateOf->AuthInfo;
+
+ if (question->InterfaceID == mDNSInterface_LocalOnly || question->InterfaceID == mDNSInterface_P2P)
+ {
+ if (!m->NewLocalOnlyQuestions)
+ m->NewLocalOnlyQuestions = question;
+ }
+ else
+ {
+ if (!m->NewQuestions)
+ m->NewQuestions = question;
+
+ // If the question's id is non-zero, then it's Wide Area
+ // MUST NOT do this Wide Area setup until near the end of
+ // mDNS_StartQuery_internal -- this code may itself issue queries (e.g. SOA,
+ // NS, etc.) and if we haven't finished setting up our own question and setting
+ // m->NewQuestions if necessary then we could end up recursively re-entering
+ // this routine with the question list data structures in an inconsistent state.
+ if (!mDNSOpaque16IsZero(question->TargetQID))
+ {
+ FinalizeUnicastQuestion(m, question, purge);
+ }
+ else
+ {
+ if (purge)
+ {
+ LogInfo("mDNS_StartQuery_internal: Purging for %##s", question->qname.c);
+ mDNS_PurgeForQuestion(m, question);
+ }
+ }
+ }
+
+ return(mStatus_NoError);
+}
+
+// CancelGetZoneData is an internal routine (i.e. must be called with the lock already held)
+mDNSexport void CancelGetZoneData(mDNS *const m, ZoneData *nta)
+{
+ debugf("CancelGetZoneData %##s (%s)", nta->question.qname.c, DNSTypeName(nta->question.qtype));
+ // This function may be called anytime to free the zone information.The question may or may not have stopped.
+ // If it was already stopped, mDNS_StopQuery_internal would have set q->ThisQInterval to -1 and should not
+ // call it again
+ if (nta->question.ThisQInterval != -1)
+ {
+ mDNS_StopQuery_internal(m, &nta->question);
+ if (nta->question.ThisQInterval != -1)
+ LogMsg("CancelGetZoneData: Question %##s (%s) ThisQInterval %d not -1", nta->question.qname.c, DNSTypeName(nta->question.qtype), nta->question.ThisQInterval);
+ }
+ mDNSPlatformMemFree(nta);
+}
+
+mDNSexport mStatus mDNS_StopQuery_internal(mDNS *const m, DNSQuestion *const question)
+{
+ const mDNSu32 slot = HashSlot(&question->qname);
+ CacheGroup *cg = CacheGroupForName(m, slot, question->qnamehash, &question->qname);
+ CacheRecord *rr;
+ DNSQuestion **qp = &m->Questions;
+
+ //LogInfo("mDNS_StopQuery_internal %##s (%s)", question->qname.c, DNSTypeName(question->qtype));
+
+ if (question->InterfaceID == mDNSInterface_LocalOnly || question->InterfaceID == mDNSInterface_P2P) qp = &m->LocalOnlyQuestions;
+ while (*qp && *qp != question) qp=&(*qp)->next;
+ if (*qp) *qp = (*qp)->next;
+ else
+ {
+#if !ForceAlerts
+ if (question->ThisQInterval >= 0) // Only log error message if the query was supposed to be active
+#endif
+ LogMsg("mDNS_StopQuery_internal: Question %##s (%s) not found in active list",
+ question->qname.c, DNSTypeName(question->qtype));
+#if ForceAlerts
+ *(long*)0 = 0;
+#endif
+ return(mStatus_BadReferenceErr);
+ }
+
+ // Take care to cut question from list *before* calling UpdateQuestionDuplicates
+ UpdateQuestionDuplicates(m, question);
+ // But don't trash ThisQInterval until afterwards.
+ question->ThisQInterval = -1;
+
+ // If there are any cache records referencing this as their active question, then see if there is any
+ // other question that is also referencing them, else their CRActiveQuestion needs to get set to NULL.
+ for (rr = cg ? cg->members : mDNSNULL; rr; rr=rr->next)
+ {
+ if (rr->CRActiveQuestion == question)
+ {
+ DNSQuestion *q;
+ // Checking for ActiveQuestion filters questions that are suppressed also
+ // as suppressed questions are not active
+ for (q = m->Questions; q; q=q->next) // Scan our list of questions
+ if (ActiveQuestion(q) && ResourceRecordAnswersQuestion(&rr->resrec, q))
+ break;
+ if (q)
+ debugf("mDNS_StopQuery_internal: Updating CRActiveQuestion to %p for cache record %s, Original question CurrentAnswers %d, new question "
+ "CurrentAnswers %d, SuppressQuery %d", q, CRDisplayString(m,rr), question->CurrentAnswers, q->CurrentAnswers, q->SuppressQuery);
+ rr->CRActiveQuestion = q; // Question used to be active; new value may or may not be null
+ if (!q) m->rrcache_active--; // If no longer active, decrement rrcache_active count
+ }
+ }
+
+ // If we just deleted the question that CacheRecordAdd() or CacheRecordRmv() is about to look at,
+ // bump its pointer forward one question.
+ if (m->CurrentQuestion == question)
+ {
+ debugf("mDNS_StopQuery_internal: Just deleted the currently active question: %##s (%s)",
+ question->qname.c, DNSTypeName(question->qtype));
+ m->CurrentQuestion = question->next;
+ }
+
+ if (m->NewQuestions == question)
+ {
+ debugf("mDNS_StopQuery_internal: Just deleted a new question that wasn't even answered yet: %##s (%s)",
+ question->qname.c, DNSTypeName(question->qtype));
+ m->NewQuestions = question->next;
+ }
+
+ if (m->NewLocalOnlyQuestions == question) m->NewLocalOnlyQuestions = question->next;
+
+ if (m->RestartQuestion == question)
+ {
+ LogMsg("mDNS_StopQuery_internal: Just deleted the current restart question: %##s (%s)",
+ question->qname.c, DNSTypeName(question->qtype));
+ m->RestartQuestion = question->next;
+ }
+
+ if (m->ValidationQuestion == question)
+ {
+ LogInfo("mDNS_StopQuery_internal: Just deleted the current Validation question: %##s (%s)",
+ question->qname.c, DNSTypeName(question->qtype));
+ m->ValidationQuestion = question->next;
+ }
+
+ // Take care not to trash question->next until *after* we've updated m->CurrentQuestion and m->NewQuestions
+ question->next = mDNSNULL;
+
+ // LogMsg("mDNS_StopQuery_internal: Question %##s (%s) removed", question->qname.c, DNSTypeName(question->qtype));
+
+ // And finally, cancel any associated GetZoneData operation that's still running.
+ // Must not do this until last, because there's a good chance the GetZoneData question is the next in the list,
+ // so if we delete it earlier in this routine, we could find that our "question->next" pointer above is already
+ // invalid before we even use it. By making sure that we update m->CurrentQuestion and m->NewQuestions if necessary
+ // *first*, then they're all ready to be updated a second time if necessary when we cancel our GetZoneData query.
+ if (question->tcp) { DisposeTCPConn(question->tcp); question->tcp = mDNSNULL; }
+ if (question->LocalSocket) { mDNSPlatformUDPClose(question->LocalSocket); question->LocalSocket = mDNSNULL; }
+ if (!mDNSOpaque16IsZero(question->TargetQID) && question->LongLived)
+ {
+ // Scan our list to see if any more wide-area LLQs remain. If not, stop our NAT Traversal.
+ DNSQuestion *q;
+ for (q = m->Questions; q; q=q->next)
+ if (!mDNSOpaque16IsZero(q->TargetQID) && q->LongLived) break;
+ if (!q)
+ {
+ if (!m->LLQNAT.clientCallback) // Should never happen, but just in case...
+ {
+ LogMsg("mDNS_StopQuery ERROR LLQNAT.clientCallback NULL");
+ }
+ else
+ {
+ LogInfo("Stopping LLQNAT");
+ mDNS_StopNATOperation_internal(m, &m->LLQNAT);
+ m->LLQNAT.clientCallback = mDNSNULL; // Means LLQ NAT Traversal not running
+ }
+ }
+
+ // If necessary, tell server it can delete this LLQ state
+ if (question->state == LLQ_Established)
+ {
+ question->ReqLease = 0;
+ sendLLQRefresh(m, question);
+ // If we need need to make a TCP connection to cancel the LLQ, that's going to take a little while.
+ // We clear the tcp->question backpointer so that when the TCP connection completes, it doesn't
+ // crash trying to access our cancelled question, but we don't cancel the TCP operation itself --
+ // we let that run out its natural course and complete asynchronously.
+ if (question->tcp)
+ {
+ question->tcp->question = mDNSNULL;
+ question->tcp = mDNSNULL;
+ }
+ }
+#if APPLE_OSX_mDNSResponder
+ UpdateAutoTunnelDomainStatuses(m);
+#endif
+ }
+ // wait until we send the refresh above which needs the nta
+ if (question->nta) { CancelGetZoneData(m, question->nta); question->nta = mDNSNULL; }
+
+ if (question->ValidationRequired && question->DNSSECAuthInfo)
+ {
+ LogInfo("mDNS_StopQuery_internal: freeing DNSSECAuthInfo %##s", question->qname.c);
+ question->DAIFreeCallback(m, question->DNSSECAuthInfo);
+ question->DNSSECAuthInfo = mDNSNULL;
+ }
+ if (question->AnonInfo)
+ {
+ FreeAnonInfo(question->AnonInfo);
+ question->AnonInfo = mDNSNULL;
+ }
+
+ return(mStatus_NoError);
+}
+
+mDNSexport mStatus mDNS_StartQuery(mDNS *const m, DNSQuestion *const question)
+{
+ mStatus status;
+ mDNS_Lock(m);
+ status = mDNS_StartQuery_internal(m, question);
+ mDNS_Unlock(m);
+ return(status);
+}
+
+mDNSexport mStatus mDNS_StopQuery(mDNS *const m, DNSQuestion *const question)
+{
+ mStatus status;
+ mDNS_Lock(m);
+ status = mDNS_StopQuery_internal(m, question);
+ mDNS_Unlock(m);
+ return(status);
+}
+
+// Note that mDNS_StopQueryWithRemoves() does not currently implement the full generality of the other APIs
+// Specifically, question callbacks invoked as a result of this call cannot themselves make API calls.
+// We invoke the callback without using mDNS_DropLockBeforeCallback/mDNS_ReclaimLockAfterCallback
+// specifically to catch and report if the client callback does try to make API calls
+mDNSexport mStatus mDNS_StopQueryWithRemoves(mDNS *const m, DNSQuestion *const question)
+{
+ mStatus status;
+ DNSQuestion *qq;
+ mDNS_Lock(m);
+
+ // Check if question is new -- don't want to give remove events for a question we haven't even answered yet
+ for (qq = m->NewQuestions; qq; qq=qq->next) if (qq == question) break;
+
+ status = mDNS_StopQuery_internal(m, question);
+ if (status == mStatus_NoError && !qq)
+ {
+ const CacheRecord *rr;
+ const mDNSu32 slot = HashSlot(&question->qname);
+ CacheGroup *const cg = CacheGroupForName(m, slot, question->qnamehash, &question->qname);
+ LogInfo("Generating terminal removes for %##s (%s)", question->qname.c, DNSTypeName(question->qtype));
+ for (rr = cg ? cg->members : mDNSNULL; rr; rr=rr->next)
+ if (rr->resrec.RecordType != kDNSRecordTypePacketNegative && SameNameRecordAnswersQuestion(&rr->resrec, question))
+ {
+ // Don't use mDNS_DropLockBeforeCallback() here, since we don't allow API calls
+ if (question->QuestionCallback)
+ question->QuestionCallback(m, question, &rr->resrec, mDNSfalse);
+ }
+ }
+ mDNS_Unlock(m);
+ return(status);
+}
+
+mDNSexport mStatus mDNS_Reconfirm(mDNS *const m, CacheRecord *const cr)
+{
+ mStatus status;
+ mDNS_Lock(m);
+ status = mDNS_Reconfirm_internal(m, cr, kDefaultReconfirmTimeForNoAnswer);
+ if (status == mStatus_NoError) ReconfirmAntecedents(m, cr->resrec.name, cr->resrec.namehash, 0);
+ mDNS_Unlock(m);
+ return(status);
+}
+
+mDNSexport mStatus mDNS_ReconfirmByValue(mDNS *const m, ResourceRecord *const rr)
+{
+ mStatus status = mStatus_BadReferenceErr;
+ CacheRecord *cr;
+ mDNS_Lock(m);
+ cr = FindIdenticalRecordInCache(m, rr);
+ debugf("mDNS_ReconfirmByValue: %p %s", cr, RRDisplayString(m, rr));
+ if (cr) status = mDNS_Reconfirm_internal(m, cr, kDefaultReconfirmTimeForNoAnswer);
+ if (status == mStatus_NoError) ReconfirmAntecedents(m, cr->resrec.name, cr->resrec.namehash, 0);
+ mDNS_Unlock(m);
+ return(status);
+}
+
+mDNSlocal mStatus mDNS_StartBrowse_internal(mDNS *const m, DNSQuestion *const question,
+ const domainname *const srv, const domainname *const domain,
+ const mDNSu8 *anondata, const mDNSInterfaceID InterfaceID, mDNSu32 flags,
+ mDNSBool ForceMCast, mDNSBool useBackgroundTrafficClass,
+ mDNSQuestionCallback *Callback, void *Context)
+{
+ question->InterfaceID = InterfaceID;
+ question->flags = flags;
+ question->Target = zeroAddr;
+ question->qtype = kDNSType_PTR;
+ question->qclass = kDNSClass_IN;
+ question->LongLived = mDNStrue;
+ question->ExpectUnique = mDNSfalse;
+ question->ForceMCast = ForceMCast;
+ question->ReturnIntermed = mDNSfalse;
+ question->SuppressUnusable = mDNSfalse;
+ question->SearchListIndex = 0;
+ question->AppendSearchDomains = 0;
+ question->RetryWithSearchDomains = mDNSfalse;
+ question->TimeoutQuestion = 0;
+ question->WakeOnResolve = 0;
+ question->UseBackgroundTrafficClass = useBackgroundTrafficClass;
+ question->ValidationRequired = 0;
+ question->ValidatingResponse = 0;
+ question->ProxyQuestion = 0;
+ question->qnameOrig = mDNSNULL;
+ question->AnonInfo = mDNSNULL;
+ question->QuestionCallback = Callback;
+ question->QuestionContext = Context;
+
+ if (!ConstructServiceName(&question->qname, mDNSNULL, srv, domain))
+ return(mStatus_BadParamErr);
+
+ if (anondata)
+ {
+ question->AnonInfo = AllocateAnonInfo(&question->qname, anondata, mDNSPlatformStrLen(anondata), mDNSNULL);
+ if (!question->AnonInfo)
+ return(mStatus_BadParamErr);
+ }
+
+ return(mDNS_StartQuery_internal(m, question));
+}
+
+mDNSexport mStatus mDNS_StartBrowse(mDNS *const m, DNSQuestion *const question,
+ const domainname *const srv, const domainname *const domain,
+ const mDNSu8 *anondata, const mDNSInterfaceID InterfaceID, mDNSu32 flags,
+ mDNSBool ForceMCast, mDNSBool useBackgroundTrafficClass,
+ mDNSQuestionCallback *Callback, void *Context)
+{
+ mStatus status;
+ mDNS_Lock(m);
+ status = mDNS_StartBrowse_internal(m, question, srv, domain, anondata, InterfaceID, flags, ForceMCast, useBackgroundTrafficClass, Callback, Context);
+ mDNS_Unlock(m);
+ return(status);
+}
+
+mDNSlocal mDNSBool MachineHasActiveIPv6(mDNS *const m)
+{
+ NetworkInterfaceInfo *intf;
+ for (intf = m->HostInterfaces; intf; intf = intf->next)
+ if (intf->ip.type == mDNSAddrType_IPv6) return(mDNStrue);
+ return(mDNSfalse);
+}
+
+mDNSlocal void FoundServiceInfoSRV(mDNS *const m, DNSQuestion *question, const ResourceRecord *const answer, QC_result AddRecord)
+{
+ ServiceInfoQuery *query = (ServiceInfoQuery *)question->QuestionContext;
+ mDNSBool PortChanged = !mDNSSameIPPort(query->info->port, answer->rdata->u.srv.port);
+ if (!AddRecord) return;
+ if (answer->rrtype != kDNSType_SRV) return;
+
+ query->info->port = answer->rdata->u.srv.port;
+
+ // If this is our first answer, then set the GotSRV flag and start the address query
+ if (!query->GotSRV)
+ {
+ query->GotSRV = mDNStrue;
+ query->qAv4.InterfaceID = answer->InterfaceID;
+ AssignDomainName(&query->qAv4.qname, &answer->rdata->u.srv.target);
+ query->qAv6.InterfaceID = answer->InterfaceID;
+ AssignDomainName(&query->qAv6.qname, &answer->rdata->u.srv.target);
+ mDNS_StartQuery(m, &query->qAv4);
+ // Only do the AAAA query if this machine actually has IPv6 active
+ if (MachineHasActiveIPv6(m)) mDNS_StartQuery(m, &query->qAv6);
+ }
+ // If this is not our first answer, only re-issue the address query if the target host name has changed
+ else if ((query->qAv4.InterfaceID != query->qSRV.InterfaceID && query->qAv4.InterfaceID != answer->InterfaceID) ||
+ !SameDomainName(&query->qAv4.qname, &answer->rdata->u.srv.target))
+ {
+ mDNS_StopQuery(m, &query->qAv4);
+ if (query->qAv6.ThisQInterval >= 0) mDNS_StopQuery(m, &query->qAv6);
+ if (SameDomainName(&query->qAv4.qname, &answer->rdata->u.srv.target) && !PortChanged)
+ {
+ // If we get here, it means:
+ // 1. This is not our first SRV answer
+ // 2. The interface ID is different, but the target host and port are the same
+ // This implies that we're seeing the exact same SRV record on more than one interface, so we should
+ // make our address queries at least as broad as the original SRV query so that we catch all the answers.
+ query->qAv4.InterfaceID = query->qSRV.InterfaceID; // Will be mDNSInterface_Any, or a specific interface
+ query->qAv6.InterfaceID = query->qSRV.InterfaceID;
+ }
+ else
+ {
+ query->qAv4.InterfaceID = answer->InterfaceID;
+ AssignDomainName(&query->qAv4.qname, &answer->rdata->u.srv.target);
+ query->qAv6.InterfaceID = answer->InterfaceID;
+ AssignDomainName(&query->qAv6.qname, &answer->rdata->u.srv.target);
+ }
+ debugf("FoundServiceInfoSRV: Restarting address queries for %##s (%s)", query->qAv4.qname.c, DNSTypeName(query->qAv4.qtype));
+ mDNS_StartQuery(m, &query->qAv4);
+ // Only do the AAAA query if this machine actually has IPv6 active
+ if (MachineHasActiveIPv6(m)) mDNS_StartQuery(m, &query->qAv6);
+ }
+ else if (query->ServiceInfoQueryCallback && query->GotADD && query->GotTXT && PortChanged)
+ {
+ if (++query->Answers >= 100)
+ debugf("**** WARNING **** Have given %lu answers for %##s (SRV) %##s %u",
+ query->Answers, query->qSRV.qname.c, answer->rdata->u.srv.target.c,
+ mDNSVal16(answer->rdata->u.srv.port));
+ query->ServiceInfoQueryCallback(m, query);
+ }
+ // CAUTION: MUST NOT do anything more with query after calling query->Callback(), because the client's
+ // callback function is allowed to do anything, including deleting this query and freeing its memory.
+}
+
+mDNSlocal void FoundServiceInfoTXT(mDNS *const m, DNSQuestion *question, const ResourceRecord *const answer, QC_result AddRecord)
+{
+ ServiceInfoQuery *query = (ServiceInfoQuery *)question->QuestionContext;
+ if (!AddRecord) return;
+ if (answer->rrtype != kDNSType_TXT) return;
+ if (answer->rdlength > sizeof(query->info->TXTinfo)) return;
+
+ query->GotTXT = mDNStrue;
+ query->info->TXTlen = answer->rdlength;
+ query->info->TXTinfo[0] = 0; // In case answer->rdlength is zero
+ mDNSPlatformMemCopy(query->info->TXTinfo, answer->rdata->u.txt.c, answer->rdlength);
+
+ verbosedebugf("FoundServiceInfoTXT: %##s GotADD=%d", query->info->name.c, query->GotADD);
+
+ // CAUTION: MUST NOT do anything more with query after calling query->Callback(), because the client's
+ // callback function is allowed to do anything, including deleting this query and freeing its memory.
+ if (query->ServiceInfoQueryCallback && query->GotADD)
+ {
+ if (++query->Answers >= 100)
+ debugf("**** WARNING **** have given %lu answers for %##s (TXT) %#s...",
+ query->Answers, query->qSRV.qname.c, answer->rdata->u.txt.c);
+ query->ServiceInfoQueryCallback(m, query);
+ }
+}
+
+mDNSlocal void FoundServiceInfo(mDNS *const m, DNSQuestion *question, const ResourceRecord *const answer, QC_result AddRecord)
+{
+ ServiceInfoQuery *query = (ServiceInfoQuery *)question->QuestionContext;
+ //LogInfo("FoundServiceInfo %d %s", AddRecord, RRDisplayString(m, answer));
+ if (!AddRecord) return;
+
+ if (answer->rrtype == kDNSType_A)
+ {
+ query->info->ip.type = mDNSAddrType_IPv4;
+ query->info->ip.ip.v4 = answer->rdata->u.ipv4;
+ }
+ else if (answer->rrtype == kDNSType_AAAA)
+ {
+ query->info->ip.type = mDNSAddrType_IPv6;
+ query->info->ip.ip.v6 = answer->rdata->u.ipv6;
+ }
+ else
+ {
+ debugf("FoundServiceInfo: answer %##s type %d (%s) unexpected", answer->name->c, answer->rrtype, DNSTypeName(answer->rrtype));
+ return;
+ }
+
+ query->GotADD = mDNStrue;
+ query->info->InterfaceID = answer->InterfaceID;
+
+ verbosedebugf("FoundServiceInfo v%ld: %##s GotTXT=%d", query->info->ip.type, query->info->name.c, query->GotTXT);
+
+ // CAUTION: MUST NOT do anything more with query after calling query->Callback(), because the client's
+ // callback function is allowed to do anything, including deleting this query and freeing its memory.
+ if (query->ServiceInfoQueryCallback && query->GotTXT)
+ {
+ if (++query->Answers >= 100)
+ debugf(answer->rrtype == kDNSType_A ?
+ "**** WARNING **** have given %lu answers for %##s (A) %.4a" :
+ "**** WARNING **** have given %lu answers for %##s (AAAA) %.16a",
+ query->Answers, query->qSRV.qname.c, &answer->rdata->u.data);
+ query->ServiceInfoQueryCallback(m, query);
+ }
+}
+
+// On entry, the client must have set the name and InterfaceID fields of the ServiceInfo structure
+// If the query is not interface-specific, then InterfaceID may be zero
+// Each time the Callback is invoked, the remainder of the fields will have been filled in
+// In addition, InterfaceID will be updated to give the interface identifier corresponding to that response
+mDNSexport mStatus mDNS_StartResolveService(mDNS *const m,
+ ServiceInfoQuery *query, ServiceInfo *info, mDNSServiceInfoQueryCallback *Callback, void *Context)
+{
+ mStatus status;
+ mDNS_Lock(m);
+
+ query->qSRV.ThisQInterval = -1; // So that mDNS_StopResolveService() knows whether to cancel this question
+ query->qSRV.InterfaceID = info->InterfaceID;
+ query->qSRV.flags = 0;
+ query->qSRV.Target = zeroAddr;
+ AssignDomainName(&query->qSRV.qname, &info->name);
+ query->qSRV.qtype = kDNSType_SRV;
+ query->qSRV.qclass = kDNSClass_IN;
+ query->qSRV.LongLived = mDNSfalse;
+ query->qSRV.ExpectUnique = mDNStrue;
+ query->qSRV.ForceMCast = mDNSfalse;
+ query->qSRV.ReturnIntermed = mDNSfalse;
+ query->qSRV.SuppressUnusable = mDNSfalse;
+ query->qSRV.SearchListIndex = 0;
+ query->qSRV.AppendSearchDomains = 0;
+ query->qSRV.RetryWithSearchDomains = mDNSfalse;
+ query->qSRV.TimeoutQuestion = 0;
+ query->qSRV.WakeOnResolve = 0;
+ query->qSRV.UseBackgroundTrafficClass = mDNSfalse;
+ query->qSRV.ValidationRequired = 0;
+ query->qSRV.ValidatingResponse = 0;
+ query->qSRV.ProxyQuestion = 0;
+ query->qSRV.qnameOrig = mDNSNULL;
+ query->qSRV.AnonInfo = mDNSNULL;
+ query->qSRV.QuestionCallback = FoundServiceInfoSRV;
+ query->qSRV.QuestionContext = query;
+
+ query->qTXT.ThisQInterval = -1; // So that mDNS_StopResolveService() knows whether to cancel this question
+ query->qTXT.InterfaceID = info->InterfaceID;
+ query->qTXT.flags = 0;
+ query->qTXT.Target = zeroAddr;
+ AssignDomainName(&query->qTXT.qname, &info->name);
+ query->qTXT.qtype = kDNSType_TXT;
+ query->qTXT.qclass = kDNSClass_IN;
+ query->qTXT.LongLived = mDNSfalse;
+ query->qTXT.ExpectUnique = mDNStrue;
+ query->qTXT.ForceMCast = mDNSfalse;
+ query->qTXT.ReturnIntermed = mDNSfalse;
+ query->qTXT.SuppressUnusable = mDNSfalse;
+ query->qTXT.SearchListIndex = 0;
+ query->qTXT.AppendSearchDomains = 0;
+ query->qTXT.RetryWithSearchDomains = mDNSfalse;
+ query->qTXT.TimeoutQuestion = 0;
+ query->qTXT.WakeOnResolve = 0;
+ query->qTXT.UseBackgroundTrafficClass = mDNSfalse;
+ query->qTXT.ValidationRequired = 0;
+ query->qTXT.ValidatingResponse = 0;
+ query->qTXT.ProxyQuestion = 0;
+ query->qTXT.qnameOrig = mDNSNULL;
+ query->qTXT.AnonInfo = mDNSNULL;
+ query->qTXT.QuestionCallback = FoundServiceInfoTXT;
+ query->qTXT.QuestionContext = query;
+
+ query->qAv4.ThisQInterval = -1; // So that mDNS_StopResolveService() knows whether to cancel this question
+ query->qAv4.InterfaceID = info->InterfaceID;
+ query->qAv4.flags = 0;
+ query->qAv4.Target = zeroAddr;
+ query->qAv4.qname.c[0] = 0;
+ query->qAv4.qtype = kDNSType_A;
+ query->qAv4.qclass = kDNSClass_IN;
+ query->qAv4.LongLived = mDNSfalse;
+ query->qAv4.ExpectUnique = mDNStrue;
+ query->qAv4.ForceMCast = mDNSfalse;
+ query->qAv4.ReturnIntermed = mDNSfalse;
+ query->qAv4.SuppressUnusable = mDNSfalse;
+ query->qAv4.SearchListIndex = 0;
+ query->qAv4.AppendSearchDomains = 0;
+ query->qAv4.RetryWithSearchDomains = mDNSfalse;
+ query->qAv4.TimeoutQuestion = 0;
+ query->qAv4.WakeOnResolve = 0;
+ query->qAv4.UseBackgroundTrafficClass = mDNSfalse;
+ query->qAv4.ValidationRequired = 0;
+ query->qAv4.ValidatingResponse = 0;
+ query->qAv4.ProxyQuestion = 0;
+ query->qAv4.qnameOrig = mDNSNULL;
+ query->qAv4.AnonInfo = mDNSNULL;
+ query->qAv4.QuestionCallback = FoundServiceInfo;
+ query->qAv4.QuestionContext = query;
+
+ query->qAv6.ThisQInterval = -1; // So that mDNS_StopResolveService() knows whether to cancel this question
+ query->qAv6.InterfaceID = info->InterfaceID;
+ query->qAv6.flags = 0;
+ query->qAv6.Target = zeroAddr;
+ query->qAv6.qname.c[0] = 0;
+ query->qAv6.qtype = kDNSType_AAAA;
+ query->qAv6.qclass = kDNSClass_IN;
+ query->qAv6.LongLived = mDNSfalse;
+ query->qAv6.ExpectUnique = mDNStrue;
+ query->qAv6.ForceMCast = mDNSfalse;
+ query->qAv6.ReturnIntermed = mDNSfalse;
+ query->qAv6.SuppressUnusable = mDNSfalse;
+ query->qAv6.SearchListIndex = 0;
+ query->qAv6.AppendSearchDomains = 0;
+ query->qAv6.RetryWithSearchDomains = mDNSfalse;
+ query->qAv6.TimeoutQuestion = 0;
+ query->qAv6.UseBackgroundTrafficClass = mDNSfalse;
+ query->qAv6.ValidationRequired = 0;
+ query->qAv6.ValidatingResponse = 0;
+ query->qAv6.ProxyQuestion = 0;
+ query->qAv6.qnameOrig = mDNSNULL;
+ query->qAv6.AnonInfo = mDNSNULL;
+ query->qAv6.QuestionCallback = FoundServiceInfo;
+ query->qAv6.QuestionContext = query;
+
+ query->GotSRV = mDNSfalse;
+ query->GotTXT = mDNSfalse;
+ query->GotADD = mDNSfalse;
+ query->Answers = 0;
+
+ query->info = info;
+ query->ServiceInfoQueryCallback = Callback;
+ query->ServiceInfoQueryContext = Context;
+
+// info->name = Must already be set up by client
+// info->interface = Must already be set up by client
+ info->ip = zeroAddr;
+ info->port = zeroIPPort;
+ info->TXTlen = 0;
+
+ // We use mDNS_StartQuery_internal here because we're already holding the lock
+ status = mDNS_StartQuery_internal(m, &query->qSRV);
+ if (status == mStatus_NoError) status = mDNS_StartQuery_internal(m, &query->qTXT);
+ if (status != mStatus_NoError) mDNS_StopResolveService(m, query);
+
+ mDNS_Unlock(m);
+ return(status);
+}
+
+mDNSexport void mDNS_StopResolveService (mDNS *const m, ServiceInfoQuery *q)
+{
+ mDNS_Lock(m);
+ // We use mDNS_StopQuery_internal here because we're already holding the lock
+ if (q->qSRV.ThisQInterval >= 0) mDNS_StopQuery_internal(m, &q->qSRV);
+ if (q->qTXT.ThisQInterval >= 0) mDNS_StopQuery_internal(m, &q->qTXT);
+ if (q->qAv4.ThisQInterval >= 0) mDNS_StopQuery_internal(m, &q->qAv4);
+ if (q->qAv6.ThisQInterval >= 0) mDNS_StopQuery_internal(m, &q->qAv6);
+ mDNS_Unlock(m);
+}
+
+mDNSexport mStatus mDNS_GetDomains(mDNS *const m, DNSQuestion *const question, mDNS_DomainType DomainType, const domainname *dom,
+ const mDNSInterfaceID InterfaceID, mDNSQuestionCallback *Callback, void *Context)
+{
+ question->InterfaceID = InterfaceID;
+ question->flags = 0;
+ question->Target = zeroAddr;
+ question->qtype = kDNSType_PTR;
+ question->qclass = kDNSClass_IN;
+ question->LongLived = mDNSfalse;
+ question->ExpectUnique = mDNSfalse;
+ question->ForceMCast = mDNSfalse;
+ question->ReturnIntermed = mDNSfalse;
+ question->SuppressUnusable = mDNSfalse;
+ question->SearchListIndex = 0;
+ question->AppendSearchDomains = 0;
+ question->RetryWithSearchDomains = mDNSfalse;
+ question->TimeoutQuestion = 0;
+ question->WakeOnResolve = 0;
+ question->UseBackgroundTrafficClass = mDNSfalse;
+ question->ValidationRequired = 0;
+ question->ValidatingResponse = 0;
+ question->ProxyQuestion = 0;
+ question->qnameOrig = mDNSNULL;
+ question->AnonInfo = mDNSNULL;
+ question->pid = mDNSPlatformGetPID();
+ question->QuestionCallback = Callback;
+ question->QuestionContext = Context;
+ if (DomainType > mDNS_DomainTypeMax) return(mStatus_BadParamErr);
+ if (!MakeDomainNameFromDNSNameString(&question->qname, mDNS_DomainTypeNames[DomainType])) return(mStatus_BadParamErr);
+ if (!dom) dom = &localdomain;
+ if (!AppendDomainName(&question->qname, dom)) return(mStatus_BadParamErr);
+ return(mDNS_StartQuery(m, question));
+}
+
+// ***************************************************************************
+#if COMPILER_LIKES_PRAGMA_MARK
+#pragma mark -
+#pragma mark - Responder Functions
+#endif
+
+mDNSexport mStatus mDNS_Register(mDNS *const m, AuthRecord *const rr)
+{
+ mStatus status;
+ mDNS_Lock(m);
+ status = mDNS_Register_internal(m, rr);
+ mDNS_Unlock(m);
+ return(status);
+}
+
+mDNSexport mStatus mDNS_Update(mDNS *const m, AuthRecord *const rr, mDNSu32 newttl,
+ const mDNSu16 newrdlength, RData *const newrdata, mDNSRecordUpdateCallback *Callback)
+{
+ if (!ValidateRData(rr->resrec.rrtype, newrdlength, newrdata))
+ {
+ LogMsg("Attempt to update record with invalid rdata: %s", GetRRDisplayString_rdb(&rr->resrec, &newrdata->u, m->MsgBuffer));
+ return(mStatus_Invalid);
+ }
+
+ mDNS_Lock(m);
+
+ // If TTL is unspecified, leave TTL unchanged
+ if (newttl == 0) newttl = rr->resrec.rroriginalttl;
+
+ // If we already have an update queued up which has not gone through yet, give the client a chance to free that memory
+ if (rr->NewRData)
+ {
+ RData *n = rr->NewRData;
+ rr->NewRData = mDNSNULL; // Clear the NewRData pointer ...
+ if (rr->UpdateCallback)
+ rr->UpdateCallback(m, rr, n, rr->newrdlength); // ...and let the client free this memory, if necessary
+ }
+
+ rr->NewRData = newrdata;
+ rr->newrdlength = newrdlength;
+ rr->UpdateCallback = Callback;
+
+#ifndef UNICAST_DISABLED
+ if (rr->ARType != AuthRecordLocalOnly && rr->ARType != AuthRecordP2P && !IsLocalDomain(rr->resrec.name))
+ {
+ mStatus status = uDNS_UpdateRecord(m, rr);
+ // The caller frees the memory on error, don't retain stale pointers
+ if (status != mStatus_NoError) { rr->NewRData = mDNSNULL; rr->newrdlength = 0; }
+ mDNS_Unlock(m);
+ return(status);
+ }
+#endif
+
+ if (RRLocalOnly(rr) || (rr->resrec.rroriginalttl == newttl &&
+ rr->resrec.rdlength == newrdlength && mDNSPlatformMemSame(rr->resrec.rdata->u.data, newrdata->u.data, newrdlength)))
+ CompleteRDataUpdate(m, rr);
+ else
+ {
+ rr->AnnounceCount = InitialAnnounceCount;
+ InitializeLastAPTime(m, rr);
+ while (rr->NextUpdateCredit && m->timenow - rr->NextUpdateCredit >= 0) GrantUpdateCredit(rr);
+ if (!rr->UpdateBlocked && rr->UpdateCredits) rr->UpdateCredits--;
+ if (!rr->NextUpdateCredit) rr->NextUpdateCredit = NonZeroTime(m->timenow + kUpdateCreditRefreshInterval);
+ if (rr->AnnounceCount > rr->UpdateCredits + 1) rr->AnnounceCount = (mDNSu8)(rr->UpdateCredits + 1);
+ if (rr->UpdateCredits <= 5)
+ {
+ mDNSu32 delay = 6 - rr->UpdateCredits; // Delay 1 second, then 2, then 3, etc. up to 6 seconds maximum
+ if (!rr->UpdateBlocked) rr->UpdateBlocked = NonZeroTime(m->timenow + (mDNSs32)delay * mDNSPlatformOneSecond);
+ rr->ThisAPInterval *= 4;
+ rr->LastAPTime = rr->UpdateBlocked - rr->ThisAPInterval;
+ LogMsg("Excessive update rate for %##s; delaying announcement by %ld second%s",
+ rr->resrec.name->c, delay, delay > 1 ? "s" : "");
+ }
+ rr->resrec.rroriginalttl = newttl;
+ }
+
+ mDNS_Unlock(m);
+ return(mStatus_NoError);
+}
+
+// Note: mDNS_Deregister calls mDNS_Deregister_internal which can call a user callback, which may change
+// the record list and/or question list.
+// Any code walking either list must use the CurrentQuestion and/or CurrentRecord mechanism to protect against this.
+mDNSexport mStatus mDNS_Deregister(mDNS *const m, AuthRecord *const rr)
+{
+ mStatus status;
+ mDNS_Lock(m);
+ status = mDNS_Deregister_internal(m, rr, mDNS_Dereg_normal);
+ mDNS_Unlock(m);
+ return(status);
+}
+
+// Circular reference: AdvertiseInterface references mDNS_HostNameCallback, which calls mDNS_SetFQDN, which call AdvertiseInterface
+mDNSlocal void mDNS_HostNameCallback(mDNS *const m, AuthRecord *const rr, mStatus result);
+
+mDNSlocal NetworkInterfaceInfo *FindFirstAdvertisedInterface(mDNS *const m)
+{
+ NetworkInterfaceInfo *intf;
+ for (intf = m->HostInterfaces; intf; intf = intf->next)
+ if (intf->Advertise) break;
+ return(intf);
+}
+
+mDNSlocal void AdvertiseInterface(mDNS *const m, NetworkInterfaceInfo *set)
+{
+ char buffer[MAX_REVERSE_MAPPING_NAME];
+ NetworkInterfaceInfo *primary;
+
+ if (!set->McastTxRx)
+ {
+ LogInfo("AdvertiseInterface: Returning, not multicast capable %s", set->ifname);
+ return;
+ }
+#if TARGET_OS_EMBEDDED
+ if (!m->AutoTargetServices)
+ {
+ LogInfo("AdvertiseInterface: Returning due to AutoTargetServices zero for %s", set->ifname);
+ return;
+ }
+#endif
+
+ primary = FindFirstAdvertisedInterface(m);
+ if (!primary) primary = set; // If no existing advertised interface, this new NetworkInterfaceInfo becomes our new primary
+
+ // If interface is marked as a direct link, we can assume the address record is unique
+ // and does not need to go through the probe phase of the probe/announce packet sequence.
+ mDNSu8 recordType = (set->DirectLink ? kDNSRecordTypeKnownUnique : kDNSRecordTypeUnique);
+
+ if (set->DirectLink)
+ LogInfo("AdvertiseInterface: Marking address record as kDNSRecordTypeKnownUnique for %s", set->ifname);
+
+ // Send dynamic update for non-linklocal IPv4 Addresses
+ mDNS_SetupResourceRecord(&set->RR_A, mDNSNULL, set->InterfaceID, kDNSType_A, kHostNameTTL, recordType, AuthRecordAny, mDNS_HostNameCallback, set);
+ mDNS_SetupResourceRecord(&set->RR_PTR, mDNSNULL, set->InterfaceID, kDNSType_PTR, kHostNameTTL, kDNSRecordTypeKnownUnique, AuthRecordAny, mDNSNULL, mDNSNULL);
+ mDNS_SetupResourceRecord(&set->RR_HINFO, mDNSNULL, set->InterfaceID, kDNSType_HINFO, kHostNameTTL, kDNSRecordTypeUnique, AuthRecordAny, mDNSNULL, mDNSNULL);
+
+#if ANSWER_REMOTE_HOSTNAME_QUERIES
+ set->RR_A.AllowRemoteQuery = mDNStrue;
+ set->RR_PTR.AllowRemoteQuery = mDNStrue;
+ set->RR_HINFO.AllowRemoteQuery = mDNStrue;
+#endif
+ // 1. Set up Address record to map from host name ("foo.local.") to IP address
+ // 2. Set up reverse-lookup PTR record to map from our address back to our host name
+ AssignDomainName(&set->RR_A.namestorage, &m->MulticastHostname);
+ if (set->ip.type == mDNSAddrType_IPv4)
+ {
+ set->RR_A.resrec.rrtype = kDNSType_A;
+ set->RR_A.resrec.rdata->u.ipv4 = set->ip.ip.v4;
+ // Note: This is reverse order compared to a normal dotted-decimal IP address, so we can't use our customary "%.4a" format code
+ mDNS_snprintf(buffer, sizeof(buffer), "%d.%d.%d.%d.in-addr.arpa.",
+ set->ip.ip.v4.b[3], set->ip.ip.v4.b[2], set->ip.ip.v4.b[1], set->ip.ip.v4.b[0]);
+ }
+ else if (set->ip.type == mDNSAddrType_IPv6)
+ {
+ int i;
+ set->RR_A.resrec.rrtype = kDNSType_AAAA;
+ set->RR_A.resrec.rdata->u.ipv6 = set->ip.ip.v6;
+ for (i = 0; i < 16; i++)
+ {
+ static const char hexValues[] = "0123456789ABCDEF";
+ buffer[i * 4 ] = hexValues[set->ip.ip.v6.b[15 - i] & 0x0F];
+ buffer[i * 4 + 1] = '.';
+ buffer[i * 4 + 2] = hexValues[set->ip.ip.v6.b[15 - i] >> 4];
+ buffer[i * 4 + 3] = '.';
+ }
+ mDNS_snprintf(&buffer[64], sizeof(buffer)-64, "ip6.arpa.");
+ }
+
+ MakeDomainNameFromDNSNameString(&set->RR_PTR.namestorage, buffer);
+ set->RR_PTR.AutoTarget = Target_AutoHost; // Tell mDNS that the target of this PTR is to be kept in sync with our host name
+ set->RR_PTR.ForceMCast = mDNStrue; // This PTR points to our dot-local name, so don't ever try to write it into a uDNS server
+
+ set->RR_A.RRSet = &primary->RR_A; // May refer to self
+
+ mDNS_Register_internal(m, &set->RR_A);
+ mDNS_Register_internal(m, &set->RR_PTR);
+
+#if APPLE_OSX_mDNSResponder
+ // must be after the mDNS_Register_internal() calls so that records have complete rdata fields, etc
+ D2D_start_advertising_interface(set);
+#endif // APPLE_OSX_mDNSResponder
+
+ if (!NO_HINFO && m->HIHardware.c[0] > 0 && m->HISoftware.c[0] > 0 && m->HIHardware.c[0] + m->HISoftware.c[0] <= 254)
+ {
+ mDNSu8 *p = set->RR_HINFO.resrec.rdata->u.data;
+ AssignDomainName(&set->RR_HINFO.namestorage, &m->MulticastHostname);
+ set->RR_HINFO.DependentOn = &set->RR_A;
+ mDNSPlatformMemCopy(p, &m->HIHardware, 1 + (mDNSu32)m->HIHardware.c[0]);
+ p += 1 + (int)p[0];
+ mDNSPlatformMemCopy(p, &m->HISoftware, 1 + (mDNSu32)m->HISoftware.c[0]);
+ mDNS_Register_internal(m, &set->RR_HINFO);
+ }
+ else
+ {
+ debugf("Not creating HINFO record: platform support layer provided no information");
+ set->RR_HINFO.resrec.RecordType = kDNSRecordTypeUnregistered;
+ }
+}
+
+mDNSlocal void DeadvertiseInterface(mDNS *const m, NetworkInterfaceInfo *set)
+{
+ NetworkInterfaceInfo *intf;
+
+ // If we still have address records referring to this one, update them
+ NetworkInterfaceInfo *primary = FindFirstAdvertisedInterface(m);
+ AuthRecord *A = primary ? &primary->RR_A : mDNSNULL;
+ for (intf = m->HostInterfaces; intf; intf = intf->next)
+ if (intf->RR_A.RRSet == &set->RR_A)
+ intf->RR_A.RRSet = A;
+
+ // Unregister these records.
+ // When doing the mDNS_Exit processing, we first call DeadvertiseInterface for each interface, so by the time the platform
+ // support layer gets to call mDNS_DeregisterInterface, the address and PTR records have already been deregistered for it.
+ // Also, in the event of a name conflict, one or more of our records will have been forcibly deregistered.
+ // To avoid unnecessary and misleading warning messages, we check the RecordType before calling mDNS_Deregister_internal().
+ if (set->RR_A.resrec.RecordType) mDNS_Deregister_internal(m, &set->RR_A, mDNS_Dereg_normal);
+ if (set->RR_PTR.resrec.RecordType) mDNS_Deregister_internal(m, &set->RR_PTR, mDNS_Dereg_normal);
+ if (set->RR_HINFO.resrec.RecordType) mDNS_Deregister_internal(m, &set->RR_HINFO, mDNS_Dereg_normal);
+
+#if APPLE_OSX_mDNSResponder
+ D2D_stop_advertising_interface(set);
+#endif // APPLE_OSX_mDNSResponder
+
+}
+
+mDNSlocal void AdvertiseAllInterfaceRecords(mDNS *const m)
+{
+ NetworkInterfaceInfo *intf;
+ for (intf = m->HostInterfaces; intf; intf = intf->next)
+ {
+ if (intf->Advertise)
+ {
+ LogInfo("AdvertiseInterface: Advertising for ifname %s", intf->ifname);
+ AdvertiseInterface(m, intf);
+ }
+ }
+}
+
+mDNSlocal void DeadvertiseAllInterfaceRecords(mDNS *const m)
+{
+#if TARGET_OS_EMBEDDED
+ NetworkInterfaceInfo *intf;
+ for (intf = m->HostInterfaces; intf; intf = intf->next)
+ {
+ if (intf->Advertise)
+ {
+ LogInfo("DeadvertiseInterface: Deadvertising for ifname %s", intf->ifname);
+ DeadvertiseInterface(m, intf);
+ }
+ }
+#else
+ (void) m; //unused
+#endif
+}
+
+mDNSexport void mDNS_SetFQDN(mDNS *const m)
+{
+ domainname newmname;
+ NetworkInterfaceInfo *intf;
+ AuthRecord *rr;
+ newmname.c[0] = 0;
+
+ if (!AppendDomainLabel(&newmname, &m->hostlabel)) { LogMsg("ERROR: mDNS_SetFQDN: Cannot create MulticastHostname"); return; }
+ if (!AppendLiteralLabelString(&newmname, "local")) { LogMsg("ERROR: mDNS_SetFQDN: Cannot create MulticastHostname"); return; }
+
+ mDNS_Lock(m);
+
+ if (SameDomainNameCS(&m->MulticastHostname, &newmname)) debugf("mDNS_SetFQDN - hostname unchanged");
+ else
+ {
+ AssignDomainName(&m->MulticastHostname, &newmname);
+
+ // 1. Stop advertising our address records on all interfaces
+ for (intf = m->HostInterfaces; intf; intf = intf->next)
+ if (intf->Advertise) DeadvertiseInterface(m, intf);
+
+ // 2. Start advertising our address records using the new name
+ for (intf = m->HostInterfaces; intf; intf = intf->next)
+ if (intf->Advertise) AdvertiseInterface(m, intf);
+ }
+
+ // 3. Make sure that any AutoTarget SRV records (and the like) get updated
+ for (rr = m->ResourceRecords; rr; rr=rr->next) if (rr->AutoTarget) SetTargetToHostName(m, rr);
+ for (rr = m->DuplicateRecords; rr; rr=rr->next) if (rr->AutoTarget) SetTargetToHostName(m, rr);
+
+ mDNS_Unlock(m);
+}
+
+mDNSlocal void mDNS_HostNameCallback(mDNS *const m, AuthRecord *const rr, mStatus result)
+{
+ (void)rr; // Unused parameter
+
+ #if MDNS_DEBUGMSGS
+ {
+ char *msg = "Unknown result";
+ if (result == mStatus_NoError) msg = "Name registered";
+ else if (result == mStatus_NameConflict) msg = "Name conflict";
+ debugf("mDNS_HostNameCallback: %##s (%s) %s (%ld)", rr->resrec.name->c, DNSTypeName(rr->resrec.rrtype), msg, result);
+ }
+ #endif
+
+ if (result == mStatus_NoError)
+ {
+ // Notify the client that the host name is successfully registered
+ if (m->MainCallback)
+ m->MainCallback(m, mStatus_NoError);
+ }
+ else if (result == mStatus_NameConflict)
+ {
+ domainlabel oldlabel = m->hostlabel;
+
+ // 1. First give the client callback a chance to pick a new name
+ if (m->MainCallback)
+ m->MainCallback(m, mStatus_NameConflict);
+
+ // 2. If the client callback didn't do it, add (or increment) an index ourselves
+ // This needs to be case-INSENSITIVE compare, because we need to know that the name has been changed so as to
+ // remedy the conflict, and a name that differs only in capitalization will just suffer the exact same conflict again.
+ if (SameDomainLabel(m->hostlabel.c, oldlabel.c))
+ IncrementLabelSuffix(&m->hostlabel, mDNSfalse);
+
+ // 3. Generate the FQDNs from the hostlabel,
+ // and make sure all SRV records, etc., are updated to reference our new hostname
+ mDNS_SetFQDN(m);
+ LogMsg("Local Hostname %#s.local already in use; will try %#s.local instead", oldlabel.c, m->hostlabel.c);
+ }
+ else if (result == mStatus_MemFree)
+ {
+ // .local hostnames do not require goodbyes - we ignore the MemFree (which is sent directly by
+ // mDNS_Deregister_internal), and allow the caller to deallocate immediately following mDNS_DeadvertiseInterface
+ debugf("mDNS_HostNameCallback: MemFree (ignored)");
+ }
+ else
+ LogMsg("mDNS_HostNameCallback: Unknown error %d for registration of record %s", result, rr->resrec.name->c);
+}
+
+mDNSlocal void UpdateInterfaceProtocols(mDNS *const m, NetworkInterfaceInfo *active)
+{
+ NetworkInterfaceInfo *intf;
+ active->IPv4Available = mDNSfalse;
+ active->IPv6Available = mDNSfalse;
+ for (intf = m->HostInterfaces; intf; intf = intf->next)
+ if (intf->InterfaceID == active->InterfaceID)
+ {
+ if (intf->ip.type == mDNSAddrType_IPv4 && intf->McastTxRx) active->IPv4Available = mDNStrue;
+ if (intf->ip.type == mDNSAddrType_IPv6 && intf->McastTxRx) active->IPv6Available = mDNStrue;
+ }
+}
+
+mDNSlocal void RestartRecordGetZoneData(mDNS * const m)
+{
+ AuthRecord *rr;
+ LogInfo("RestartRecordGetZoneData: ResourceRecords");
+ for (rr = m->ResourceRecords; rr; rr=rr->next)
+ if (AuthRecord_uDNS(rr) && rr->state != regState_NoTarget)
+ {
+ debugf("RestartRecordGetZoneData: StartGetZoneData for %##s", rr->resrec.name->c);
+ // Zero out the updateid so that if we have a pending response from the server, it won't
+ // be accepted as a valid response. If we accept the response, we might free the new "nta"
+ if (rr->nta) { rr->updateid = zeroID; CancelGetZoneData(m, rr->nta); }
+ rr->nta = StartGetZoneData(m, rr->resrec.name, ZoneServiceUpdate, RecordRegistrationGotZoneData, rr);
+ }
+}
+
+mDNSlocal void InitializeNetWakeState(mDNS *const m, NetworkInterfaceInfo *set)
+{
+ int i;
+ // We initialize ThisQInterval to -1 indicating that the question has not been started
+ // yet. If the question (browse) is started later during interface registration, it will
+ // be stopped during interface deregistration. We can't sanity check to see if the
+ // question has been stopped or not before initializing it to -1 because we need to
+ // initialize it to -1 the very first time.
+
+ set->NetWakeBrowse.ThisQInterval = -1;
+ for (i=0; i<3; i++)
+ {
+ set->NetWakeResolve[i].ThisQInterval = -1;
+ set->SPSAddr[i].type = mDNSAddrType_None;
+ }
+ set->NextSPSAttempt = -1;
+ set->NextSPSAttemptTime = m->timenow;
+}
+
+mDNSexport void mDNS_ActivateNetWake_internal(mDNS *const m, NetworkInterfaceInfo *set)
+{
+ NetworkInterfaceInfo *p = m->HostInterfaces;
+ while (p && p != set) p=p->next;
+ if (!p) { LogMsg("mDNS_ActivateNetWake_internal: NetworkInterfaceInfo %p not found in active list", set); return; }
+
+ if (set->InterfaceActive)
+ {
+ LogSPS("ActivateNetWake for %s (%#a)", set->ifname, &set->ip);
+ mDNS_StartBrowse_internal(m, &set->NetWakeBrowse, &SleepProxyServiceType, &localdomain, mDNSNULL, set->InterfaceID, 0, mDNSfalse, mDNSfalse, m->SPSBrowseCallback, set);
+ }
+}
+
+mDNSexport void mDNS_DeactivateNetWake_internal(mDNS *const m, NetworkInterfaceInfo *set)
+{
+ NetworkInterfaceInfo *p = m->HostInterfaces;
+ while (p && p != set) p=p->next;
+ if (!p) { LogMsg("mDNS_DeactivateNetWake_internal: NetworkInterfaceInfo %p not found in active list", set); return; }
+
+ // Note: We start the browse only if the interface is NetWake capable and we use this to
+ // stop the resolves also. Hence, the resolves should not be started without the browse
+ // being started i.e, resolves should not happen unless NetWake capable which is
+ // guaranteed by BeginSleepProcessing.
+ if (set->NetWakeBrowse.ThisQInterval >= 0)
+ {
+ int i;
+ LogSPS("DeactivateNetWake for %s (%#a)", set->ifname, &set->ip);
+
+ // Stop our browse and resolve operations
+ mDNS_StopQuery_internal(m, &set->NetWakeBrowse);
+ for (i=0; i<3; i++) if (set->NetWakeResolve[i].ThisQInterval >= 0) mDNS_StopQuery_internal(m, &set->NetWakeResolve[i]);
+
+ // Make special call to the browse callback to let it know it can to remove all records for this interface
+ if (m->SPSBrowseCallback)
+ {
+ mDNS_DropLockBeforeCallback(); // Allow client to legally make mDNS API calls from the callback
+ m->SPSBrowseCallback(m, &set->NetWakeBrowse, mDNSNULL, mDNSfalse);
+ mDNS_ReclaimLockAfterCallback(); // Decrement mDNS_reentrancy to block mDNS API calls again
+ }
+
+ // Reset our variables back to initial state, so we're ready for when NetWake is turned back on
+ // (includes resetting NetWakeBrowse.ThisQInterval back to -1)
+ InitializeNetWakeState(m, set);
+ }
+}
+
+mDNSexport mStatus mDNS_RegisterInterface(mDNS *const m, NetworkInterfaceInfo *set, mDNSBool flapping)
+{
+ AuthRecord *rr;
+ mDNSBool FirstOfType = mDNStrue;
+ NetworkInterfaceInfo **p = &m->HostInterfaces;
+
+ if (!set->InterfaceID)
+ { LogMsg("mDNS_RegisterInterface: Error! Tried to register a NetworkInterfaceInfo %#a with zero InterfaceID", &set->ip); return(mStatus_Invalid); }
+
+ if (!mDNSAddressIsValidNonZero(&set->mask))
+ { LogMsg("mDNS_RegisterInterface: Error! Tried to register a NetworkInterfaceInfo %#a with invalid mask %#a", &set->ip, &set->mask); return(mStatus_Invalid); }
+
+ mDNS_Lock(m);
+
+ // Assume this interface will be active now, unless we find a duplicate already in the list
+ set->InterfaceActive = mDNStrue;
+ set->IPv4Available = (mDNSu8)(set->ip.type == mDNSAddrType_IPv4 && set->McastTxRx);
+ set->IPv6Available = (mDNSu8)(set->ip.type == mDNSAddrType_IPv6 && set->McastTxRx);
+
+ InitializeNetWakeState(m, set);
+
+ // Scan list to see if this InterfaceID is already represented
+ while (*p)
+ {
+ if (*p == set)
+ {
+ LogMsg("mDNS_RegisterInterface: Error! Tried to register a NetworkInterfaceInfo that's already in the list");
+ mDNS_Unlock(m);
+ return(mStatus_AlreadyRegistered);
+ }
+
+ if ((*p)->InterfaceID == set->InterfaceID)
+ {
+ // This InterfaceID already represented by a different interface in the list, so mark this instance inactive for now
+ set->InterfaceActive = mDNSfalse;
+ if (set->ip.type == (*p)->ip.type) FirstOfType = mDNSfalse;
+ if (set->ip.type == mDNSAddrType_IPv4 && set->McastTxRx) (*p)->IPv4Available = mDNStrue;
+ if (set->ip.type == mDNSAddrType_IPv6 && set->McastTxRx) (*p)->IPv6Available = mDNStrue;
+ }
+
+ p=&(*p)->next;
+ }
+
+ set->next = mDNSNULL;
+ *p = set;
+
+ if (set->Advertise)
+ AdvertiseInterface(m, set);
+
+ LogInfo("mDNS_RegisterInterface: InterfaceID %p %s (%#a) %s", set->InterfaceID, set->ifname, &set->ip,
+ set->InterfaceActive ?
+ "not represented in list; marking active and retriggering queries" :
+ "already represented in list; marking inactive for now");
+
+ if (set->NetWake) mDNS_ActivateNetWake_internal(m, set);
+
+ // In early versions of OS X the IPv6 address remains on an interface even when the interface is turned off,
+ // giving the false impression that there's an active representative of this interface when there really isn't.
+ // Therefore, when registering an interface, we want to re-trigger our questions and re-probe our Resource Records,
+ // even if we believe that we previously had an active representative of this interface.
+ if (set->McastTxRx && (FirstOfType || set->InterfaceActive))
+ {
+ DNSQuestion *q;
+ // Normally, after an interface comes up, we pause half a second before beginning probing.
+ // This is to guard against cases where there's rapid interface changes, where we could be confused by
+ // seeing packets we ourselves sent just moments ago (perhaps when this interface had a different address)
+ // which are then echoed back after a short delay by some Ethernet switches and some 802.11 base stations.
+ // We don't want to do a probe, and then see a stale echo of an announcement we ourselves sent,
+ // and think it's a conflicting answer to our probe.
+ // In the case of a flapping interface, we pause for five seconds, and reduce the announcement count to one packet.
+ const mDNSs32 probedelay = flapping ? mDNSPlatformOneSecond * 5 : mDNSPlatformOneSecond / 2;
+ const mDNSu8 numannounce = flapping ? (mDNSu8)1 : InitialAnnounceCount;
+
+ // Use a small amount of randomness:
+ // In the case of a network administrator turning on an Ethernet hub so that all the
+ // connected machines establish link at exactly the same time, we don't want them all
+ // to go and hit the network with identical queries at exactly the same moment.
+ // We set a random delay of up to InitialQuestionInterval (1/3 second).
+ // We must *never* set m->SuppressSending to more than that (or set it repeatedly in a way
+ // that causes mDNSResponder to remain in a prolonged state of SuppressSending, because
+ // suppressing packet sending for more than about 1/3 second can cause protocol correctness
+ // to start to break down (e.g. we don't answer probes fast enough, and get name conflicts).
+ // See <rdar://problem/4073853> mDNS: m->SuppressSending set too enthusiastically
+ if (!m->SuppressSending) m->SuppressSending = m->timenow + (mDNSs32)mDNSRandom((mDNSu32)InitialQuestionInterval);
+
+ if (flapping)
+ {
+ LogMsg("mDNS_RegisterInterface: Frequent transitions for interface %s (%#a)", set->ifname, &set->ip);
+ m->mDNSStats.InterfaceUpFlap++;
+ }
+
+ LogInfo("mDNS_RegisterInterface: %s (%#a) probedelay %d", set->ifname, &set->ip, probedelay);
+ if (m->SuppressProbes == 0 ||
+ m->SuppressProbes - NonZeroTime(m->timenow + probedelay) < 0)
+ m->SuppressProbes = NonZeroTime(m->timenow + probedelay);
+
+ // Include OWNER option in packets for 60 seconds after connecting to the network. Setting
+ // it here also handles the wake up case as the network link comes UP after waking causing
+ // us to reconnect to the network. If we do this as part of the wake up code, it is possible
+ // that the network link comes UP after 60 seconds and we never set the OWNER option
+ m->AnnounceOwner = NonZeroTime(m->timenow + 60 * mDNSPlatformOneSecond);
+ LogInfo("mDNS_RegisterInterface: Setting AnnounceOwner");
+
+ m->mDNSStats.InterfaceUp++;
+ for (q = m->Questions; q; q=q->next) // Scan our list of questions
+ {
+ if (mDNSOpaque16IsZero(q->TargetQID))
+ {
+ if (!q->InterfaceID || q->InterfaceID == set->InterfaceID) // If non-specific Q, or Q on this specific interface,
+ { // then reactivate this question
+ // If flapping, delay between first and second queries is nine seconds instead of one second
+ mDNSBool dodelay = flapping && (q->FlappingInterface1 == set->InterfaceID || q->FlappingInterface2 == set->InterfaceID);
+ mDNSs32 initial = dodelay ? InitialQuestionInterval * QuestionIntervalStep2 : InitialQuestionInterval;
+ mDNSs32 qdelay = dodelay ? mDNSPlatformOneSecond * 5 : 0;
+ if (dodelay) LogInfo("No cache records expired for %##s (%s); okay to delay questions a little", q->qname.c, DNSTypeName(q->qtype));
+
+ if (!q->ThisQInterval || q->ThisQInterval > initial)
+ {
+ q->ThisQInterval = initial;
+
+#if mDNS_REQUEST_UNICAST_RESPONSE
+ q->RequestUnicast = SET_QU_IN_FIRST_FOUR_QUERIES;
+#else // mDNS_REQUEST_UNICAST_RESPONSE
+ q->RequestUnicast = SET_QU_IN_FIRST_QUERY;
+#endif // mDNS_REQUEST_UNICAST_RESPONSE
+
+ }
+ q->LastQTime = m->timenow - q->ThisQInterval + qdelay;
+ q->RecentAnswerPkts = 0;
+ // Change the salt
+ ReInitAnonInfo(&q->AnonInfo, &q->qname);
+ SetNextQueryTime(m,q);
+ }
+ }
+ }
+
+ // For all our non-specific authoritative resource records (and any dormant records specific to this interface)
+ // we now need them to re-probe if necessary, and then re-announce.
+ for (rr = m->ResourceRecords; rr; rr=rr->next)
+ {
+ if (!rr->resrec.InterfaceID || rr->resrec.InterfaceID == set->InterfaceID)
+ {
+ // Change the salt
+ ReInitAnonInfo(&rr->resrec.AnonInfo, rr->resrec.name);
+ mDNSCoreRestartRegistration(m, rr, numannounce);
+ }
+ }
+#if APPLE_OSX_mDNSResponder && !TARGET_OS_IPHONE
+ DNSSECProbe(m);
+#endif
+ }
+
+ RestartRecordGetZoneData(m);
+
+ mDNS_UpdateAllowSleep(m);
+
+ mDNS_Unlock(m);
+ return(mStatus_NoError);
+}
+
+// Note: mDNS_DeregisterInterface calls mDNS_Deregister_internal which can call a user callback, which may change
+// the record list and/or question list.
+// Any code walking either list must use the CurrentQuestion and/or CurrentRecord mechanism to protect against this.
+mDNSexport void mDNS_DeregisterInterface(mDNS *const m, NetworkInterfaceInfo *set, mDNSBool flapping)
+{
+ NetworkInterfaceInfo **p = &m->HostInterfaces;
+ mDNSBool revalidate = mDNSfalse;
+
+ mDNS_Lock(m);
+
+ // Find this record in our list
+ while (*p && *p != set) p=&(*p)->next;
+ if (!*p) { debugf("mDNS_DeregisterInterface: NetworkInterfaceInfo not found in list"); mDNS_Unlock(m); return; }
+
+ mDNS_DeactivateNetWake_internal(m, set);
+
+ // Unlink this record from our list
+ *p = (*p)->next;
+ set->next = mDNSNULL;
+
+ if (!set->InterfaceActive)
+ {
+ // If this interface not the active member of its set, update the v4/v6Available flags for the active member
+ NetworkInterfaceInfo *intf;
+ for (intf = m->HostInterfaces; intf; intf = intf->next)
+ if (intf->InterfaceActive && intf->InterfaceID == set->InterfaceID)
+ UpdateInterfaceProtocols(m, intf);
+ }
+ else
+ {
+ NetworkInterfaceInfo *intf = FirstInterfaceForID(m, set->InterfaceID);
+ if (intf)
+ {
+ LogInfo("mDNS_DeregisterInterface: Another representative of InterfaceID %p %s (%#a) exists;"
+ " making it active", set->InterfaceID, set->ifname, &set->ip);
+ if (intf->InterfaceActive)
+ LogMsg("mDNS_DeregisterInterface: ERROR intf->InterfaceActive already set for %s (%#a)", set->ifname, &set->ip);
+ intf->InterfaceActive = mDNStrue;
+ UpdateInterfaceProtocols(m, intf);
+
+ if (intf->NetWake) mDNS_ActivateNetWake_internal(m, intf);
+
+ // See if another representative *of the same type* exists. If not, we mave have gone from
+ // dual-stack to v6-only (or v4-only) so we need to reconfirm which records are still valid.
+ for (intf = m->HostInterfaces; intf; intf = intf->next)
+ if (intf->InterfaceID == set->InterfaceID && intf->ip.type == set->ip.type)
+ break;
+ if (!intf) revalidate = mDNStrue;
+ }
+ else
+ {
+ mDNSu32 slot;
+ CacheGroup *cg;
+ CacheRecord *rr;
+ DNSQuestion *q;
+
+ LogInfo("mDNS_DeregisterInterface: Last representative of InterfaceID %p %s (%#a) deregistered;"
+ " marking questions etc. dormant", set->InterfaceID, set->ifname, &set->ip);
+
+ m->mDNSStats.InterfaceDown++;
+
+ if (set->McastTxRx && flapping)
+ {
+ LogMsg("DeregisterInterface: Frequent transitions for interface %s (%#a)", set->ifname, &set->ip);
+ m->mDNSStats.InterfaceDownFlap++;
+ }
+
+ // 1. Deactivate any questions specific to this interface, and tag appropriate questions
+ // so that mDNS_RegisterInterface() knows how swiftly it needs to reactivate them
+ for (q = m->Questions; q; q=q->next)
+ {
+ if (q->InterfaceID == set->InterfaceID) q->ThisQInterval = 0;
+ if (!q->InterfaceID || q->InterfaceID == set->InterfaceID)
+ {
+ q->FlappingInterface2 = q->FlappingInterface1;
+ q->FlappingInterface1 = set->InterfaceID; // Keep history of the last two interfaces to go away
+ }
+ }
+
+ // 2. Flush any cache records received on this interface
+ revalidate = mDNSfalse; // Don't revalidate if we're flushing the records
+ FORALL_CACHERECORDS(slot, cg, rr)
+ {
+ if (rr->resrec.InterfaceID == set->InterfaceID)
+ {
+ // If this interface is deemed flapping,
+ // postpone deleting the cache records in case the interface comes back again
+ if (set->McastTxRx && flapping)
+ {
+ // For a flapping interface we want these record to go away after 30 seconds
+ mDNS_Reconfirm_internal(m, rr, kDefaultReconfirmTimeForFlappingInterface);
+ // We set UnansweredQueries = MaxUnansweredQueries so we don't waste time doing any queries for them --
+ // if the interface does come back, any relevant questions will be reactivated anyway
+ rr->UnansweredQueries = MaxUnansweredQueries;
+ }
+ else
+ {
+ mDNS_PurgeCacheResourceRecord(m, rr);
+ }
+ }
+ }
+ }
+ }
+
+ // If we were advertising on this interface, deregister those address and reverse-lookup records now
+ if (set->Advertise) DeadvertiseInterface(m, set);
+
+ // If we have any cache records received on this interface that went away, then re-verify them.
+ // In some versions of OS X the IPv6 address remains on an interface even when the interface is turned off,
+ // giving the false impression that there's an active representative of this interface when there really isn't.
+ // Don't need to do this when shutting down, because *all* interfaces are about to go away
+ if (revalidate && !m->ShutdownTime)
+ {
+ mDNSu32 slot;
+ CacheGroup *cg;
+ CacheRecord *rr;
+ FORALL_CACHERECORDS(slot, cg, rr)
+ if (rr->resrec.InterfaceID == set->InterfaceID)
+ mDNS_Reconfirm_internal(m, rr, kDefaultReconfirmTimeForFlappingInterface);
+ }
+
+ mDNS_UpdateAllowSleep(m);
+
+ mDNS_Unlock(m);
+}
+
+mDNSlocal void SetAnonInfoSRS(ServiceRecordSet *sr, int NumSubTypes)
+{
+ int i, len;
+
+ if (!sr->AnonData)
+ return;
+
+ len = mDNSPlatformStrLen(sr->AnonData);
+ if (sr->RR_PTR.resrec.AnonInfo)
+ {
+ LogMsg("SetAnonInfoSRS: Freeing AnonInfo for PTR record %##s, should have been freed already", sr->RR_PTR.resrec.name->c);
+ FreeAnonInfo(sr->RR_PTR.resrec.AnonInfo);
+ }
+ sr->RR_PTR.resrec.AnonInfo = AllocateAnonInfo(sr->RR_PTR.resrec.name, sr->AnonData, len, mDNSNULL);
+ for (i=0; i<NumSubTypes; i++)
+ {
+ if (sr->SubTypes[i].resrec.AnonInfo)
+ {
+ LogMsg("SetAnonInfoSRS: Freeing AnonInfo for subtype record %##s, should have been freed already", sr->SubTypes[i].resrec.name->c);
+ FreeAnonInfo(sr->SubTypes[i].resrec.AnonInfo);
+ }
+ sr->SubTypes[i].resrec.AnonInfo = AllocateAnonInfo(sr->SubTypes[i].resrec.name, sr->AnonData, len, mDNSNULL);
+ }
+}
+
+mDNSlocal void ResetAnonInfoSRS(ServiceRecordSet *sr, int NumSubTypes)
+{
+ int i;
+
+ if (!sr->AnonData)
+ return;
+ if (sr->RR_PTR.resrec.AnonInfo)
+ {
+ FreeAnonInfo(sr->RR_PTR.resrec.AnonInfo);
+ sr->RR_PTR.resrec.AnonInfo = mDNSNULL;
+ }
+ for (i=0; i<NumSubTypes; i++)
+ {
+ if (sr->SubTypes[i].resrec.AnonInfo)
+ {
+ FreeAnonInfo(sr->SubTypes[i].resrec.AnonInfo);
+ sr->SubTypes[i].resrec.AnonInfo = mDNSNULL;
+ }
+ }
+}
+
+mDNSlocal void ServiceCallback(mDNS *const m, AuthRecord *const rr, mStatus result)
+{
+ ServiceRecordSet *sr = (ServiceRecordSet *)rr->RecordContext;
+ (void)m; // Unused parameter
+
+ #if MDNS_DEBUGMSGS
+ {
+ char *msg = "Unknown result";
+ if (result == mStatus_NoError) msg = "Name Registered";
+ else if (result == mStatus_NameConflict) msg = "Name Conflict";
+ else if (result == mStatus_MemFree) msg = "Memory Free";
+ debugf("ServiceCallback: %##s (%s) %s (%d)", rr->resrec.name->c, DNSTypeName(rr->resrec.rrtype), msg, result);
+ }
+ #endif
+
+ // Only pass on the NoError acknowledgement for the SRV record (when it finishes probing)
+ if (result == mStatus_NoError && rr != &sr->RR_SRV) return;
+
+ // If we got a name conflict on either SRV or TXT, forcibly deregister this service, and record that we did that
+ if (result == mStatus_NameConflict)
+ {
+ sr->Conflict = mDNStrue; // Record that this service set had a conflict
+ mDNS_DeregisterService(m, sr); // Unlink the records from our list
+ return;
+ }
+
+ if (result == mStatus_MemFree)
+ {
+ // If the SRV/TXT/PTR records, or the _services._dns-sd._udp record, or any of the subtype PTR records,
+ // are still in the process of deregistering, don't pass on the NameConflict/MemFree message until
+ // every record is finished cleaning up.
+ mDNSu32 i;
+ ExtraResourceRecord *e = sr->Extras;
+
+ if (sr->RR_SRV.resrec.RecordType != kDNSRecordTypeUnregistered) return;
+ if (sr->RR_TXT.resrec.RecordType != kDNSRecordTypeUnregistered) return;
+ if (sr->RR_PTR.resrec.RecordType != kDNSRecordTypeUnregistered) return;
+ if (sr->RR_ADV.resrec.RecordType != kDNSRecordTypeUnregistered) return;
+ for (i=0; i<sr->NumSubTypes; i++) if (sr->SubTypes[i].resrec.RecordType != kDNSRecordTypeUnregistered) return;
+
+ while (e)
+ {
+ if (e->r.resrec.RecordType != kDNSRecordTypeUnregistered) return;
+ e = e->next;
+ }
+ ResetAnonInfoSRS(sr, sr->NumSubTypes);
+
+ // If this ServiceRecordSet was forcibly deregistered, and now its memory is ready for reuse,
+ // then we can now report the NameConflict to the client
+ if (sr->Conflict) result = mStatus_NameConflict;
+
+ }
+
+ LogInfo("ServiceCallback: All records %s for %##s", (result == mStatus_MemFree ? "Unregistered" : "Registered"), sr->RR_PTR.resrec.name->c);
+ // CAUTION: MUST NOT do anything more with sr after calling sr->Callback(), because the client's callback
+ // function is allowed to do anything, including deregistering this service and freeing its memory.
+ if (sr->ServiceCallback)
+ sr->ServiceCallback(m, sr, result);
+}
+
+mDNSlocal void NSSCallback(mDNS *const m, AuthRecord *const rr, mStatus result)
+{
+ ServiceRecordSet *sr = (ServiceRecordSet *)rr->RecordContext;
+ if (sr->ServiceCallback)
+ sr->ServiceCallback(m, sr, result);
+}
+
+
+mDNSlocal AuthRecType setAuthRecType(mDNSInterfaceID InterfaceID, mDNSu32 flags)
+{
+ AuthRecType artype;
+
+ if (InterfaceID == mDNSInterface_LocalOnly)
+ artype = AuthRecordLocalOnly;
+ else if (InterfaceID == mDNSInterface_P2P)
+ artype = AuthRecordP2P;
+ else if ((InterfaceID == mDNSInterface_Any) && (flags & coreFlagIncludeP2P)
+ && (flags & coreFlagIncludeAWDL))
+ artype = AuthRecordAnyIncludeAWDLandP2P;
+ else if ((InterfaceID == mDNSInterface_Any) && (flags & coreFlagIncludeP2P))
+ artype = AuthRecordAnyIncludeP2P;
+ else if ((InterfaceID == mDNSInterface_Any) && (flags & coreFlagIncludeAWDL))
+ artype = AuthRecordAnyIncludeAWDL;
+ else
+ artype = AuthRecordAny;
+
+ return artype;
+}
+
+// Note:
+// Name is first label of domain name (any dots in the name are actual dots, not label separators)
+// Type is service type (e.g. "_ipp._tcp.")
+// Domain is fully qualified domain name (i.e. ending with a null label)
+// We always register a TXT, even if it is empty (so that clients are not
+// left waiting forever looking for a nonexistent record.)
+// If the host parameter is mDNSNULL or the root domain (ASCII NUL),
+// then the default host name (m->MulticastHostname) is automatically used
+// If the optional target host parameter is set, then the storage it points to must remain valid for the lifetime of the service registration
+mDNSexport mStatus mDNS_RegisterService(mDNS *const m, ServiceRecordSet *sr,
+ const domainlabel *const name, const domainname *const type, const domainname *const domain,
+ const domainname *const host, mDNSIPPort port, const mDNSu8 txtinfo[], mDNSu16 txtlen,
+ AuthRecord *SubTypes, mDNSu32 NumSubTypes,
+ mDNSInterfaceID InterfaceID, mDNSServiceCallback Callback, void *Context, mDNSu32 flags)
+{
+ mStatus err;
+ mDNSu32 i;
+ mDNSu32 hostTTL;
+ AuthRecType artype;
+ mDNSu8 recordType = (flags & coreFlagKnownUnique) ? kDNSRecordTypeKnownUnique : kDNSRecordTypeUnique;
+
+ sr->ServiceCallback = Callback;
+ sr->ServiceContext = Context;
+ sr->Conflict = mDNSfalse;
+
+ sr->Extras = mDNSNULL;
+ sr->NumSubTypes = NumSubTypes;
+ sr->SubTypes = SubTypes;
+ sr->flags = flags;
+
+ artype = setAuthRecType(InterfaceID, flags);
+
+ // Initialize the AuthRecord objects to sane values
+ // Need to initialize everything correctly *before* making the decision whether to do a RegisterNoSuchService and bail out
+ mDNS_SetupResourceRecord(&sr->RR_ADV, mDNSNULL, InterfaceID, kDNSType_PTR, kStandardTTL, kDNSRecordTypeAdvisory, artype, ServiceCallback, sr);
+ mDNS_SetupResourceRecord(&sr->RR_PTR, mDNSNULL, InterfaceID, kDNSType_PTR, kStandardTTL, kDNSRecordTypeShared, artype, ServiceCallback, sr);
+
+ if (flags & coreFlagWakeOnly)
+ {
+ sr->RR_PTR.AuthFlags = AuthFlagsWakeOnly;
+ }
+
+ if (SameDomainName(type, (const domainname *) "\x4" "_ubd" "\x4" "_tcp"))
+ hostTTL = kHostNameSmallTTL;
+ else
+ hostTTL = kHostNameTTL;
+
+ mDNS_SetupResourceRecord(&sr->RR_SRV, mDNSNULL, InterfaceID, kDNSType_SRV, hostTTL, recordType, artype, ServiceCallback, sr);
+ mDNS_SetupResourceRecord(&sr->RR_TXT, mDNSNULL, InterfaceID, kDNSType_TXT, kStandardTTL, kDNSRecordTypeUnique, artype, ServiceCallback, sr);
+
+ // If port number is zero, that means the client is really trying to do a RegisterNoSuchService
+ if (mDNSIPPortIsZero(port))
+ return(mDNS_RegisterNoSuchService(m, &sr->RR_SRV, name, type, domain, mDNSNULL, InterfaceID, NSSCallback, sr, flags));
+
+ // If the client is registering an oversized TXT record,
+ // it is the client's responsibility to alloate a ServiceRecordSet structure that is large enough for it
+ if (sr->RR_TXT.resrec.rdata->MaxRDLength < txtlen)
+ sr->RR_TXT.resrec.rdata->MaxRDLength = txtlen;
+
+ // Set up the record names
+ // For now we only create an advisory record for the main type, not for subtypes
+ // We need to gain some operational experience before we decide if there's a need to create them for subtypes too
+ if (ConstructServiceName(&sr->RR_ADV.namestorage, (const domainlabel*)"\x09_services", (const domainname*)"\x07_dns-sd\x04_udp", domain) == mDNSNULL)
+ return(mStatus_BadParamErr);
+ if (ConstructServiceName(&sr->RR_PTR.namestorage, mDNSNULL, type, domain) == mDNSNULL) return(mStatus_BadParamErr);
+ if (ConstructServiceName(&sr->RR_SRV.namestorage, name, type, domain) == mDNSNULL) return(mStatus_BadParamErr);
+ AssignDomainName(&sr->RR_TXT.namestorage, sr->RR_SRV.resrec.name);
+
+ // 1. Set up the ADV record rdata to advertise our service type
+ AssignDomainName(&sr->RR_ADV.resrec.rdata->u.name, sr->RR_PTR.resrec.name);
+
+ // 2. Set up the PTR record rdata to point to our service name
+ // We set up two additionals, so when a client asks for this PTR we automatically send the SRV and the TXT too
+ // Note: uDNS registration code assumes that Additional1 points to the SRV record
+ AssignDomainName(&sr->RR_PTR.resrec.rdata->u.name, sr->RR_SRV.resrec.name);
+ sr->RR_PTR.Additional1 = &sr->RR_SRV;
+ sr->RR_PTR.Additional2 = &sr->RR_TXT;
+
+ // 2a. Set up any subtype PTRs to point to our service name
+ // If the client is using subtypes, it is the client's responsibility to have
+ // already set the first label of the record name to the subtype being registered
+ for (i=0; i<NumSubTypes; i++)
+ {
+ domainname st;
+ AssignDomainName(&st, sr->SubTypes[i].resrec.name);
+ st.c[1+st.c[0]] = 0; // Only want the first label, not the whole FQDN (particularly for mDNS_RenameAndReregisterService())
+ AppendDomainName(&st, type);
+ mDNS_SetupResourceRecord(&sr->SubTypes[i], mDNSNULL, InterfaceID, kDNSType_PTR, kStandardTTL, kDNSRecordTypeShared, artype, ServiceCallback, sr);
+ if (ConstructServiceName(&sr->SubTypes[i].namestorage, mDNSNULL, &st, domain) == mDNSNULL) return(mStatus_BadParamErr);
+ AssignDomainName(&sr->SubTypes[i].resrec.rdata->u.name, &sr->RR_SRV.namestorage);
+ sr->SubTypes[i].Additional1 = &sr->RR_SRV;
+ sr->SubTypes[i].Additional2 = &sr->RR_TXT;
+ }
+
+ SetAnonInfoSRS(sr, NumSubTypes);
+
+ // 3. Set up the SRV record rdata.
+ sr->RR_SRV.resrec.rdata->u.srv.priority = 0;
+ sr->RR_SRV.resrec.rdata->u.srv.weight = 0;
+ sr->RR_SRV.resrec.rdata->u.srv.port = port;
+
+ // Setting AutoTarget tells DNS that the target of this SRV is to be automatically kept in sync with our host name
+ if (host && host->c[0]) AssignDomainName(&sr->RR_SRV.resrec.rdata->u.srv.target, host);
+ else { sr->RR_SRV.AutoTarget = Target_AutoHost; sr->RR_SRV.resrec.rdata->u.srv.target.c[0] = '\0'; }
+
+ // 4. Set up the TXT record rdata,
+ // and set DependentOn because we're depending on the SRV record to find and resolve conflicts for us
+ // Note: uDNS registration code assumes that DependentOn points to the SRV record
+ if (txtinfo == mDNSNULL) sr->RR_TXT.resrec.rdlength = 0;
+ else if (txtinfo != sr->RR_TXT.resrec.rdata->u.txt.c)
+ {
+ sr->RR_TXT.resrec.rdlength = txtlen;
+ if (sr->RR_TXT.resrec.rdlength > sr->RR_TXT.resrec.rdata->MaxRDLength) return(mStatus_BadParamErr);
+ mDNSPlatformMemCopy(sr->RR_TXT.resrec.rdata->u.txt.c, txtinfo, txtlen);
+ }
+ sr->RR_TXT.DependentOn = &sr->RR_SRV;
+
+ mDNS_Lock(m);
+ // It is important that we register SRV first. uDNS assumes that SRV is registered first so
+ // that if the SRV cannot find a target, rest of the records that belong to this service
+ // will not be activated.
+ err = mDNS_Register_internal(m, &sr->RR_SRV);
+ // If we can't register the SRV record due to errors, bail out. It has not been inserted in
+ // any list and hence no need to deregister. We could probably do similar checks for other
+ // records below and bail out. For now, this seems to be sufficient to address rdar://9304275
+ if (err)
+ {
+ mDNS_Unlock(m);
+ return err;
+ }
+ if (!err) err = mDNS_Register_internal(m, &sr->RR_TXT);
+ // We register the RR_PTR last, because we want to be sure that in the event of a forced call to
+ // mDNS_StartExit, the RR_PTR will be the last one to be forcibly deregistered, since that is what triggers
+ // the mStatus_MemFree callback to ServiceCallback, which in turn passes on the mStatus_MemFree back to
+ // the client callback, which is then at liberty to free the ServiceRecordSet memory at will. We need to
+ // make sure we've deregistered all our records and done any other necessary cleanup before that happens.
+ if (!err) err = mDNS_Register_internal(m, &sr->RR_ADV);
+ for (i=0; i<NumSubTypes; i++) if (!err) err = mDNS_Register_internal(m, &sr->SubTypes[i]);
+ if (!err) err = mDNS_Register_internal(m, &sr->RR_PTR);
+
+ mDNS_Unlock(m);
+
+ if (err) mDNS_DeregisterService(m, sr);
+ return(err);
+}
+
+mDNSexport mStatus mDNS_AddRecordToService(mDNS *const m, ServiceRecordSet *sr,
+ ExtraResourceRecord *extra, RData *rdata, mDNSu32 ttl, mDNSu32 flags)
+{
+ ExtraResourceRecord **e;
+ mStatus status;
+ AuthRecType artype;
+ mDNSInterfaceID InterfaceID = sr->RR_PTR.resrec.InterfaceID;
+
+ artype = setAuthRecType(InterfaceID, flags);
+
+ extra->next = mDNSNULL;
+ mDNS_SetupResourceRecord(&extra->r, rdata, sr->RR_PTR.resrec.InterfaceID,
+ extra->r.resrec.rrtype, ttl, kDNSRecordTypeUnique, artype, ServiceCallback, sr);
+ AssignDomainName(&extra->r.namestorage, sr->RR_SRV.resrec.name);
+
+ mDNS_Lock(m);
+ e = &sr->Extras;
+ while (*e) e = &(*e)->next;
+
+ if (ttl == 0) ttl = kStandardTTL;
+
+ extra->r.DependentOn = &sr->RR_SRV;
+
+ debugf("mDNS_AddRecordToService adding record to %##s %s %d",
+ extra->r.resrec.name->c, DNSTypeName(extra->r.resrec.rrtype), extra->r.resrec.rdlength);
+
+ status = mDNS_Register_internal(m, &extra->r);
+ if (status == mStatus_NoError) *e = extra;
+
+ mDNS_Unlock(m);
+ return(status);
+}
+
+mDNSexport mStatus mDNS_RemoveRecordFromService(mDNS *const m, ServiceRecordSet *sr, ExtraResourceRecord *extra,
+ mDNSRecordCallback MemFreeCallback, void *Context)
+{
+ ExtraResourceRecord **e;
+ mStatus status;
+
+ mDNS_Lock(m);
+ e = &sr->Extras;
+ while (*e && *e != extra) e = &(*e)->next;
+ if (!*e)
+ {
+ debugf("mDNS_RemoveRecordFromService failed to remove record from %##s", extra->r.resrec.name->c);
+ status = mStatus_BadReferenceErr;
+ }
+ else
+ {
+ debugf("mDNS_RemoveRecordFromService removing record from %##s", extra->r.resrec.name->c);
+ extra->r.RecordCallback = MemFreeCallback;
+ extra->r.RecordContext = Context;
+ *e = (*e)->next;
+ status = mDNS_Deregister_internal(m, &extra->r, mDNS_Dereg_normal);
+ }
+ mDNS_Unlock(m);
+ return(status);
+}
+
+mDNSexport mStatus mDNS_RenameAndReregisterService(mDNS *const m, ServiceRecordSet *const sr, const domainlabel *newname)
+{
+ // Note: Don't need to use mDNS_Lock(m) here, because this code is just using public routines
+ // mDNS_RegisterService() and mDNS_AddRecordToService(), which do the right locking internally.
+ domainlabel name1, name2;
+ domainname type, domain;
+ const domainname *host = sr->RR_SRV.AutoTarget ? mDNSNULL : &sr->RR_SRV.resrec.rdata->u.srv.target;
+ ExtraResourceRecord *extras = sr->Extras;
+ mStatus err;
+
+ DeconstructServiceName(sr->RR_SRV.resrec.name, &name1, &type, &domain);
+ if (!newname)
+ {
+ name2 = name1;
+ IncrementLabelSuffix(&name2, mDNStrue);
+ newname = &name2;
+ }
+
+ if (SameDomainName(&domain, &localdomain))
+ debugf("%##s service renamed from \"%#s\" to \"%#s\"", type.c, name1.c, newname->c);
+ else debugf("%##s service (domain %##s) renamed from \"%#s\" to \"%#s\"",type.c, domain.c, name1.c, newname->c);
+
+ err = mDNS_RegisterService(m, sr, newname, &type, &domain,
+ host, sr->RR_SRV.resrec.rdata->u.srv.port, sr->RR_TXT.resrec.rdata->u.txt.c, sr->RR_TXT.resrec.rdlength,
+ sr->SubTypes, sr->NumSubTypes,
+ sr->RR_PTR.resrec.InterfaceID, sr->ServiceCallback, sr->ServiceContext, sr->flags);
+
+ // mDNS_RegisterService() just reset sr->Extras to NULL.
+ // Fortunately we already grabbed ourselves a copy of this pointer (above), so we can now run
+ // through the old list of extra records, and re-add them to our freshly created service registration
+ while (!err && extras)
+ {
+ ExtraResourceRecord *e = extras;
+ extras = extras->next;
+ err = mDNS_AddRecordToService(m, sr, e, e->r.resrec.rdata, e->r.resrec.rroriginalttl, 0);
+ }
+
+ return(err);
+}
+
+// Note: mDNS_DeregisterService calls mDNS_Deregister_internal which can call a user callback,
+// which may change the record list and/or question list.
+// Any code walking either list must use the CurrentQuestion and/or CurrentRecord mechanism to protect against this.
+mDNSexport mStatus mDNS_DeregisterService_drt(mDNS *const m, ServiceRecordSet *sr, mDNS_Dereg_type drt)
+{
+ // If port number is zero, that means this was actually registered using mDNS_RegisterNoSuchService()
+ if (mDNSIPPortIsZero(sr->RR_SRV.resrec.rdata->u.srv.port)) return(mDNS_DeregisterNoSuchService(m, &sr->RR_SRV));
+
+ if (sr->RR_PTR.resrec.RecordType == kDNSRecordTypeUnregistered)
+ {
+ debugf("Service set for %##s already deregistered", sr->RR_SRV.resrec.name->c);
+ return(mStatus_BadReferenceErr);
+ }
+ else if (sr->RR_PTR.resrec.RecordType == kDNSRecordTypeDeregistering)
+ {
+ LogInfo("Service set for %##s already in the process of deregistering", sr->RR_SRV.resrec.name->c);
+ // Avoid race condition:
+ // If a service gets a conflict, then we set the Conflict flag to tell us to generate
+ // an mStatus_NameConflict message when we get the mStatus_MemFree for our PTR record.
+ // If the client happens to deregister the service in the middle of that process, then
+ // we clear the flag back to the normal state, so that we deliver a plain mStatus_MemFree
+ // instead of incorrectly promoting it to mStatus_NameConflict.
+ // This race condition is exposed particularly when the conformance test generates
+ // a whole batch of simultaneous conflicts across a range of services all advertised
+ // using the same system default name, and if we don't take this precaution then
+ // we end up incrementing m->nicelabel multiple times instead of just once.
+ // <rdar://problem/4060169> Bug when auto-renaming Computer Name after name collision
+ sr->Conflict = mDNSfalse;
+ return(mStatus_NoError);
+ }
+ else
+ {
+ mDNSu32 i;
+ mStatus status;
+ ExtraResourceRecord *e;
+ mDNS_Lock(m);
+ e = sr->Extras;
+
+ // We use mDNS_Dereg_repeat because, in the event of a collision, some or all of the
+ // SRV, TXT, or Extra records could have already been automatically deregistered, and that's okay
+ mDNS_Deregister_internal(m, &sr->RR_SRV, mDNS_Dereg_repeat);
+ mDNS_Deregister_internal(m, &sr->RR_TXT, mDNS_Dereg_repeat);
+
+ mDNS_Deregister_internal(m, &sr->RR_ADV, drt);
+
+ // We deregister all of the extra records, but we leave the sr->Extras list intact
+ // in case the client wants to do a RenameAndReregister and reinstate the registration
+ while (e)
+ {
+ mDNS_Deregister_internal(m, &e->r, mDNS_Dereg_repeat);
+ e = e->next;
+ }
+
+ for (i=0; i<sr->NumSubTypes; i++)
+ mDNS_Deregister_internal(m, &sr->SubTypes[i], drt);
+
+ status = mDNS_Deregister_internal(m, &sr->RR_PTR, drt);
+ mDNS_Unlock(m);
+ return(status);
+ }
+}
+
+// Create a registration that asserts that no such service exists with this name.
+// This can be useful where there is a given function is available through several protocols.
+// For example, a printer called "Stuart's Printer" may implement printing via the "pdl-datastream" and "IPP"
+// protocols, but not via "LPR". In this case it would be prudent for the printer to assert the non-existence of an
+// "LPR" service called "Stuart's Printer". Without this precaution, another printer than offers only "LPR" printing
+// could inadvertently advertise its service under the same name "Stuart's Printer", which might be confusing for users.
+mDNSexport mStatus mDNS_RegisterNoSuchService(mDNS *const m, AuthRecord *const rr,
+ const domainlabel *const name, const domainname *const type, const domainname *const domain,
+ const domainname *const host,
+ const mDNSInterfaceID InterfaceID, mDNSRecordCallback Callback, void *Context, mDNSu32 flags)
+{
+ AuthRecType artype;
+
+ artype = setAuthRecType(InterfaceID, flags);
+
+ mDNS_SetupResourceRecord(rr, mDNSNULL, InterfaceID, kDNSType_SRV, kHostNameTTL, kDNSRecordTypeUnique, artype, Callback, Context);
+ if (ConstructServiceName(&rr->namestorage, name, type, domain) == mDNSNULL) return(mStatus_BadParamErr);
+ rr->resrec.rdata->u.srv.priority = 0;
+ rr->resrec.rdata->u.srv.weight = 0;
+ rr->resrec.rdata->u.srv.port = zeroIPPort;
+ if (host && host->c[0]) AssignDomainName(&rr->resrec.rdata->u.srv.target, host);
+ else rr->AutoTarget = Target_AutoHost;
+ return(mDNS_Register(m, rr));
+}
+
+mDNSexport mStatus mDNS_AdvertiseDomains(mDNS *const m, AuthRecord *rr,
+ mDNS_DomainType DomainType, const mDNSInterfaceID InterfaceID, char *domname)
+{
+ AuthRecType artype;
+
+ if (InterfaceID == mDNSInterface_LocalOnly)
+ artype = AuthRecordLocalOnly;
+ else if (InterfaceID == mDNSInterface_P2P)
+ artype = AuthRecordP2P;
+ else
+ artype = AuthRecordAny;
+ mDNS_SetupResourceRecord(rr, mDNSNULL, InterfaceID, kDNSType_PTR, kStandardTTL, kDNSRecordTypeShared, artype, mDNSNULL, mDNSNULL);
+ if (!MakeDomainNameFromDNSNameString(&rr->namestorage, mDNS_DomainTypeNames[DomainType])) return(mStatus_BadParamErr);
+ if (!MakeDomainNameFromDNSNameString(&rr->resrec.rdata->u.name, domname)) return(mStatus_BadParamErr);
+ return(mDNS_Register(m, rr));
+}
+
+mDNSlocal mDNSBool mDNS_IdUsedInResourceRecordsList(mDNS * const m, mDNSOpaque16 id)
+{
+ AuthRecord *r;
+ for (r = m->ResourceRecords; r; r=r->next) if (mDNSSameOpaque16(id, r->updateid)) return mDNStrue;
+ return mDNSfalse;
+}
+
+mDNSlocal mDNSBool mDNS_IdUsedInQuestionsList(mDNS * const m, mDNSOpaque16 id)
+{
+ DNSQuestion *q;
+ for (q = m->Questions; q; q=q->next) if (mDNSSameOpaque16(id, q->TargetQID)) return mDNStrue;
+ return mDNSfalse;
+}
+
+mDNSexport mDNSOpaque16 mDNS_NewMessageID(mDNS * const m)
+{
+ mDNSOpaque16 id;
+ int i;
+
+ for (i=0; i<10; i++)
+ {
+ id = mDNSOpaque16fromIntVal(1 + (mDNSu16)mDNSRandom(0xFFFE));
+ if (!mDNS_IdUsedInResourceRecordsList(m, id) && !mDNS_IdUsedInQuestionsList(m, id)) break;
+ }
+
+ debugf("mDNS_NewMessageID: %5d", mDNSVal16(id));
+
+ return id;
+}
+
+// ***************************************************************************
+#if COMPILER_LIKES_PRAGMA_MARK
+#pragma mark -
+#pragma mark - Sleep Proxy Server
+#endif
+
+mDNSlocal void RestartARPProbing(mDNS *const m, AuthRecord *const rr)
+{
+ // If we see an ARP from a machine we think is sleeping, then either
+ // (i) the machine has woken, or
+ // (ii) it's just a stray old packet from before the machine slept
+ // To handle the second case, we reset ProbeCount, so we'll suppress our own answers for a while, to avoid
+ // generating ARP conflicts with a waking machine, and set rr->LastAPTime so we'll start probing again in 10 seconds.
+ // If the machine has just woken then we'll discard our records when we see the first new mDNS probe from that machine.
+ // If it was a stray old packet, then after 10 seconds we'll probe again and then start answering ARPs again. In this case we *do*
+ // need to send new ARP Announcements, because the owner's ARP broadcasts will have updated neighboring ARP caches, so we need to
+ // re-assert our (temporary) ownership of that IP address in order to receive subsequent packets addressed to that IPv4 address.
+
+ rr->resrec.RecordType = kDNSRecordTypeUnique;
+ rr->ProbeCount = DefaultProbeCountForTypeUnique;
+ rr->ProbeRestartCount++;
+
+ // If we haven't started announcing yet (and we're not already in ten-second-delay mode) the machine is probably
+ // still going to sleep, so we just reset rr->ProbeCount so we'll continue probing until it stops responding.
+ // If we *have* started announcing, the machine is probably in the process of waking back up, so in that case
+ // we're more cautious and we wait ten seconds before probing it again. We do this because while waking from
+ // sleep, some network interfaces tend to lose or delay inbound packets, and without this delay, if the waking machine
+ // didn't answer our three probes within three seconds then we'd announce and cause it an unnecessary address conflict.
+ if (rr->AnnounceCount == InitialAnnounceCount && m->timenow - rr->LastAPTime >= 0)
+ InitializeLastAPTime(m, rr);
+ else
+ {
+ rr->AnnounceCount = InitialAnnounceCount;
+ rr->ThisAPInterval = mDNSPlatformOneSecond;
+ rr->LastAPTime = m->timenow + mDNSPlatformOneSecond * 9; // Send first packet at rr->LastAPTime + rr->ThisAPInterval, i.e. 10 seconds from now
+ SetNextAnnounceProbeTime(m, rr);
+ }
+}
+
+mDNSlocal void mDNSCoreReceiveRawARP(mDNS *const m, const ARP_EthIP *const arp, const mDNSInterfaceID InterfaceID)
+{
+ static const mDNSOpaque16 ARP_op_request = { { 0, 1 } };
+ AuthRecord *rr;
+ NetworkInterfaceInfo *intf = FirstInterfaceForID(m, InterfaceID);
+ if (!intf) return;
+
+ mDNS_Lock(m);
+
+ // Pass 1:
+ // Process ARP Requests and Probes (but not Announcements), and generate an ARP Reply if necessary.
+ // We also process ARPs from our own kernel (and 'answer' them by injecting a local ARP table entry)
+ // We ignore ARP Announcements here -- Announcements are not questions, they're assertions, so we don't need to answer them.
+ // The times we might need to react to an ARP Announcement are:
+ // (i) as an indication that the host in question has not gone to sleep yet (so we should delay beginning to proxy for it) or
+ // (ii) if it's a conflicting Announcement from another host
+ // -- and we check for these in Pass 2 below.
+ if (mDNSSameOpaque16(arp->op, ARP_op_request) && !mDNSSameIPv4Address(arp->spa, arp->tpa))
+ {
+ for (rr = m->ResourceRecords; rr; rr=rr->next)
+ if (rr->resrec.InterfaceID == InterfaceID && rr->resrec.RecordType != kDNSRecordTypeDeregistering &&
+ rr->AddressProxy.type == mDNSAddrType_IPv4 && mDNSSameIPv4Address(rr->AddressProxy.ip.v4, arp->tpa))
+ {
+ static const char msg1[] = "ARP Req from owner -- re-probing";
+ static const char msg2[] = "Ignoring ARP Request from ";
+ static const char msg3[] = "Creating Local ARP Cache entry ";
+ static const char msg4[] = "Answering ARP Request from ";
+ const char *const msg = mDNSSameEthAddress(&arp->sha, &rr->WakeUp.IMAC) ? msg1 :
+ (rr->AnnounceCount == InitialAnnounceCount) ? msg2 :
+ mDNSSameEthAddress(&arp->sha, &intf->MAC) ? msg3 : msg4;
+ LogSPS("%-7s %s %.6a %.4a for %.4a -- H-MAC %.6a I-MAC %.6a %s",
+ intf->ifname, msg, &arp->sha, &arp->spa, &arp->tpa, &rr->WakeUp.HMAC, &rr->WakeUp.IMAC, ARDisplayString(m, rr));
+ if (msg == msg1)
+ {
+ if ( rr->ProbeRestartCount < MAX_PROBE_RESTARTS)
+ RestartARPProbing(m, rr);
+ else
+ LogSPS("Reached maximum number of restarts for probing - %s", ARDisplayString(m,rr));
+ }
+ else if (msg == msg3)
+ {
+ mDNSPlatformSetLocalAddressCacheEntry(m, &rr->AddressProxy, &rr->WakeUp.IMAC, InterfaceID);
+ }
+ else if (msg == msg4)
+ {
+ SendARP(m, 2, rr, &arp->tpa, &arp->sha, &arp->spa, &arp->sha);
+ }
+ }
+ }
+
+ // Pass 2:
+ // For all types of ARP packet we check the Sender IP address to make sure it doesn't conflict with any AddressProxy record we're holding.
+ // (Strictly speaking we're only checking Announcement/Request/Reply packets, since ARP Probes have zero Sender IP address,
+ // so by definition (and by design) they can never conflict with any real (i.e. non-zero) IP address).
+ // We ignore ARPs we sent ourselves (Sender MAC address is our MAC address) because our own proxy ARPs do not constitute a conflict that we need to handle.
+ // If we see an apparently conflicting ARP, we check the sender hardware address:
+ // If the sender hardware address is the original owner this is benign, so we just suppress our own proxy answering for a while longer.
+ // If the sender hardware address is *not* the original owner, then this is a conflict, and we need to wake the sleeping machine to handle it.
+ if (mDNSSameEthAddress(&arp->sha, &intf->MAC))
+ debugf("ARP from self for %.4a", &arp->tpa);
+ else
+ {
+ if (!mDNSSameIPv4Address(arp->spa, zerov4Addr))
+ for (rr = m->ResourceRecords; rr; rr=rr->next)
+ if (rr->resrec.InterfaceID == InterfaceID && rr->resrec.RecordType != kDNSRecordTypeDeregistering &&
+ rr->AddressProxy.type == mDNSAddrType_IPv4 && mDNSSameIPv4Address(rr->AddressProxy.ip.v4, arp->spa) && (rr->ProbeRestartCount < MAX_PROBE_RESTARTS))
+ {
+ if (mDNSSameEthAddress(&zeroEthAddr, &rr->WakeUp.HMAC))
+ {
+ LogSPS("%-7s ARP from %.6a %.4a for %.4a -- Invalid H-MAC %.6a I-MAC %.6a %s", intf->ifname,
+ &arp->sha, &arp->spa, &arp->tpa, &rr->WakeUp.HMAC, &rr->WakeUp.IMAC, ARDisplayString(m, rr));
+ }
+ else
+ {
+ RestartARPProbing(m, rr);
+ if (mDNSSameEthAddress(&arp->sha, &rr->WakeUp.IMAC))
+ {
+ LogSPS("%-7s ARP %s from owner %.6a %.4a for %-15.4a -- re-starting probing for %s", intf->ifname,
+ mDNSSameIPv4Address(arp->spa, arp->tpa) ? "Announcement " : mDNSSameOpaque16(arp->op, ARP_op_request) ? "Request " : "Response ",
+ &arp->sha, &arp->spa, &arp->tpa, ARDisplayString(m, rr));
+ }
+ else
+ {
+ LogMsg("%-7s Conflicting ARP from %.6a %.4a for %.4a -- waking H-MAC %.6a I-MAC %.6a %s", intf->ifname,
+ &arp->sha, &arp->spa, &arp->tpa, &rr->WakeUp.HMAC, &rr->WakeUp.IMAC, ARDisplayString(m, rr));
+ ScheduleWakeup(m, rr->resrec.InterfaceID, &rr->WakeUp.HMAC);
+ }
+ }
+ }
+ }
+
+ mDNS_Unlock(m);
+}
+
+/*
+ // Option 1 is Source Link Layer Address Option
+ // Option 2 is Target Link Layer Address Option
+ mDNSlocal const mDNSEthAddr *GetLinkLayerAddressOption(const IPv6NDP *const ndp, const mDNSu8 *const end, mDNSu8 op)
+ {
+ const mDNSu8 *options = (mDNSu8 *)(ndp+1);
+ while (options < end)
+ {
+ debugf("NDP Option %02X len %2d %d", options[0], options[1], end - options);
+ if (options[0] == op && options[1] == 1) return (const mDNSEthAddr*)(options+2);
+ options += options[1] * 8;
+ }
+ return mDNSNULL;
+ }
+ */
+
+mDNSlocal void mDNSCoreReceiveRawND(mDNS *const m, const mDNSEthAddr *const sha, const mDNSv6Addr *spa,
+ const IPv6NDP *const ndp, const mDNSu8 *const end, const mDNSInterfaceID InterfaceID)
+{
+ AuthRecord *rr;
+ NetworkInterfaceInfo *intf = FirstInterfaceForID(m, InterfaceID);
+ if (!intf) return;
+
+ mDNS_Lock(m);
+
+ // Pass 1: Process Neighbor Solicitations, and generate a Neighbor Advertisement if necessary.
+ if (ndp->type == NDP_Sol)
+ {
+ //const mDNSEthAddr *const sha = GetLinkLayerAddressOption(ndp, end, NDP_SrcLL);
+ (void)end;
+ for (rr = m->ResourceRecords; rr; rr=rr->next)
+ if (rr->resrec.InterfaceID == InterfaceID && rr->resrec.RecordType != kDNSRecordTypeDeregistering &&
+ rr->AddressProxy.type == mDNSAddrType_IPv6 && mDNSSameIPv6Address(rr->AddressProxy.ip.v6, ndp->target))
+ {
+ static const char msg1[] = "NDP Req from owner -- re-probing";
+ static const char msg2[] = "Ignoring NDP Request from ";
+ static const char msg3[] = "Creating Local NDP Cache entry ";
+ static const char msg4[] = "Answering NDP Request from ";
+ static const char msg5[] = "Answering NDP Probe from ";
+ const char *const msg = sha && mDNSSameEthAddress(sha, &rr->WakeUp.IMAC) ? msg1 :
+ (rr->AnnounceCount == InitialAnnounceCount) ? msg2 :
+ sha && mDNSSameEthAddress(sha, &intf->MAC) ? msg3 :
+ spa && mDNSIPv6AddressIsZero(*spa) ? msg4 : msg5;
+ LogSPS("%-7s %s %.6a %.16a for %.16a -- H-MAC %.6a I-MAC %.6a %s",
+ intf->ifname, msg, sha, spa, &ndp->target, &rr->WakeUp.HMAC, &rr->WakeUp.IMAC, ARDisplayString(m, rr));
+ if (msg == msg1)
+ {
+ if (rr->ProbeRestartCount < MAX_PROBE_RESTARTS)
+ RestartARPProbing(m, rr);
+ else
+ LogSPS("Reached maximum number of restarts for probing - %s", ARDisplayString(m,rr));
+ }
+ else if (msg == msg3)
+ mDNSPlatformSetLocalAddressCacheEntry(m, &rr->AddressProxy, &rr->WakeUp.IMAC, InterfaceID);
+ else if (msg == msg4)
+ SendNDP(m, NDP_Adv, NDP_Solicited, rr, &ndp->target, mDNSNULL, spa, sha);
+ else if (msg == msg5)
+ SendNDP(m, NDP_Adv, 0, rr, &ndp->target, mDNSNULL, &AllHosts_v6, &AllHosts_v6_Eth);
+ }
+ }
+
+ // Pass 2: For all types of NDP packet we check the Sender IP address to make sure it doesn't conflict with any AddressProxy record we're holding.
+ if (mDNSSameEthAddress(sha, &intf->MAC))
+ debugf("NDP from self for %.16a", &ndp->target);
+ else
+ {
+ // For Neighbor Advertisements we check the Target address field, not the actual IPv6 source address.
+ // When a machine has both link-local and routable IPv6 addresses, it may send NDP packets making assertions
+ // about its routable IPv6 address, using its link-local address as the source address for all NDP packets.
+ // Hence it is the NDP target address we care about, not the actual packet source address.
+ if (ndp->type == NDP_Adv) spa = &ndp->target;
+ if (!mDNSSameIPv6Address(*spa, zerov6Addr))
+ for (rr = m->ResourceRecords; rr; rr=rr->next)
+ if (rr->resrec.InterfaceID == InterfaceID && rr->resrec.RecordType != kDNSRecordTypeDeregistering &&
+ rr->AddressProxy.type == mDNSAddrType_IPv6 && mDNSSameIPv6Address(rr->AddressProxy.ip.v6, *spa) && (rr->ProbeRestartCount < MAX_PROBE_RESTARTS))
+ {
+ if (mDNSSameEthAddress(&zeroEthAddr, &rr->WakeUp.HMAC))
+ {
+ LogSPS("%-7s NDP from %.6a %.16a for %.16a -- Invalid H-MAC %.6a I-MAC %.6a %s", intf->ifname,
+ sha, spa, &ndp->target, &rr->WakeUp.HMAC, &rr->WakeUp.IMAC, ARDisplayString(m, rr));
+ }
+ else
+ {
+ RestartARPProbing(m, rr);
+ if (mDNSSameEthAddress(sha, &rr->WakeUp.IMAC))
+ {
+ LogSPS("%-7s NDP %s from owner %.6a %.16a for %.16a -- re-starting probing for %s", intf->ifname,
+ ndp->type == NDP_Sol ? "Solicitation " : "Advertisement", sha, spa, &ndp->target, ARDisplayString(m, rr));
+ }
+ else
+ {
+ LogMsg("%-7s Conflicting NDP from %.6a %.16a for %.16a -- waking H-MAC %.6a I-MAC %.6a %s", intf->ifname,
+ sha, spa, &ndp->target, &rr->WakeUp.HMAC, &rr->WakeUp.IMAC, ARDisplayString(m, rr));
+ ScheduleWakeup(m, rr->resrec.InterfaceID, &rr->WakeUp.HMAC);
+ }
+ }
+ }
+ }
+
+ mDNS_Unlock(m);
+}
+
+mDNSlocal void mDNSCoreReceiveRawTransportPacket(mDNS *const m, const mDNSEthAddr *const sha, const mDNSAddr *const src, const mDNSAddr *const dst, const mDNSu8 protocol,
+ const mDNSu8 *const p, const TransportLayerPacket *const t, const mDNSu8 *const end, const mDNSInterfaceID InterfaceID, const mDNSu16 len)
+{
+ const mDNSIPPort port = (protocol == 0x06) ? t->tcp.dst : (protocol == 0x11) ? t->udp.dst : zeroIPPort;
+ mDNSBool wake = mDNSfalse;
+ mDNSBool kaWake = mDNSfalse;
+
+ switch (protocol)
+ {
+ #define XX wake ? "Received" : "Ignoring", end-p
+ case 0x01: LogSPS("Ignoring %d-byte ICMP from %#a to %#a", end-p, src, dst);
+ break;
+
+ case 0x06: {
+ AuthRecord *kr;
+ mDNSu32 seq, ack;
+ #define TH_FIN 0x01
+ #define TH_SYN 0x02
+ #define TH_RST 0x04
+ #define TH_ACK 0x10
+
+ kr = mDNS_MatchKeepaliveInfo(m, dst, src, port, t->tcp.src, &seq, &ack);
+ if (kr)
+ {
+ LogSPS("mDNSCoreReceiveRawTransportPacket: Found a Keepalive record from %#a:%d to %#a:%d", src, mDNSVal16(t->tcp.src), dst, mDNSVal16(port));
+ // Plan to wake if
+ // (a) RST or FIN is set (the keepalive that we sent could have caused a reset)
+ // (b) packet that contains new data and acks a sequence number higher than the one
+ // we have been sending in the keepalive
+
+ wake = ((t->tcp.flags & TH_RST) || (t->tcp.flags & TH_FIN)) ;
+ if (!wake)
+ {
+ mDNSu8 *ptr;
+ mDNSu32 pseq, pack;
+ mDNSBool data = mDNSfalse;
+ mDNSu8 tcphlen;
+
+ // Convert to host order
+ ptr = (mDNSu8 *)&seq;
+ seq = ptr[0] << 24 | ptr[1] << 16 | ptr[2] << 8 | ptr[3];
+
+ ptr = (mDNSu8 *)&ack;
+ ack = ptr[0] << 24 | ptr[1] << 16 | ptr[2] << 8 | ptr[3];
+
+ pseq = t->tcp.seq;
+ ptr = (mDNSu8 *)&pseq;
+ pseq = ptr[0] << 24 | ptr[1] << 16 | ptr[2] << 8 | ptr[3];
+
+ pack = t->tcp.ack;
+ ptr = (mDNSu8 *)&pack;
+ pack = ptr[0] << 24 | ptr[1] << 16 | ptr[2] << 8 | ptr[3];
+
+ // If the other side is acking one more than our sequence number (keepalive is one
+ // less than the last valid sequence sent) and it's sequence is more than what we
+ // acked before
+ //if (end - p - 34 - ((t->tcp.offset >> 4) * 4) > 0) data = mDNStrue;
+ tcphlen = ((t->tcp.offset >> 4) * 4);
+ if (end - ((mDNSu8 *)t + tcphlen) > 0) data = mDNStrue;
+ wake = ((int)(pack - seq) > 0) && ((int)(pseq - ack) >= 0) && data;
+
+ // If we got a regular keepalive on a connection that was registed with the KeepAlive API, respond with an ACK
+ if ((t->tcp.flags & TH_ACK) && (data == mDNSfalse) &&
+ ((int)(ack - pseq) == 1))
+ {
+ // Send an ACK;
+ mDNS_SendKeepaliveACK(m, kr);
+ }
+ LogSPS("mDNSCoreReceiveRawTransportPacket: End %p, hlen %d, Datalen %d, pack %u, seq %u, pseq %u, ack %u, wake %d",
+ end, tcphlen, end - ((mDNSu8 *)t + tcphlen), pack, seq, pseq, ack, wake);
+ }
+ else { LogSPS("mDNSCoreReceiveRawTransportPacket: waking because of RST or FIN th_flags %d", t->tcp.flags); }
+ kaWake = wake;
+ }
+ else
+ {
+ // Plan to wake if
+ // (a) RST is not set, AND
+ // (b) packet is SYN, SYN+FIN, or plain data packet (no SYN or FIN). We won't wake for FIN alone.
+ wake = (!(t->tcp.flags & TH_RST) && (t->tcp.flags & (TH_FIN|TH_SYN)) != TH_FIN);
+
+ // For now, to reduce spurious wakeups, we wake only for TCP SYN,
+ // except for ssh connections, where we'll wake for plain data packets too
+ if (!mDNSSameIPPort(port, SSHPort) && !(t->tcp.flags & 2)) wake = mDNSfalse;
+
+ LogSPS("%s %d-byte TCP from %#a:%d to %#a:%d%s%s%s", XX,
+ src, mDNSVal16(t->tcp.src), dst, mDNSVal16(port),
+ (t->tcp.flags & 2) ? " SYN" : "",
+ (t->tcp.flags & 1) ? " FIN" : "",
+ (t->tcp.flags & 4) ? " RST" : "");
+ }
+ break;
+ }
+
+ case 0x11: {
+ #define ARD_AsNumber 3283
+ static const mDNSIPPort ARD = { { ARD_AsNumber >> 8, ARD_AsNumber & 0xFF } };
+ const mDNSu16 udplen = (mDNSu16)((mDNSu16)t->bytes[4] << 8 | t->bytes[5]); // Length *including* 8-byte UDP header
+ if (udplen >= sizeof(UDPHeader))
+ {
+ const mDNSu16 datalen = udplen - sizeof(UDPHeader);
+ wake = mDNStrue;
+
+ // For Back to My Mac UDP port 4500 (IPSEC) packets, we do some special handling
+ if (mDNSSameIPPort(port, IPSECPort))
+ {
+ // Specifically ignore NAT keepalive packets
+ if (datalen == 1 && end >= &t->bytes[9] && t->bytes[8] == 0xFF) wake = mDNSfalse;
+ else
+ {
+ // Skip over the Non-ESP Marker if present
+ const mDNSBool NonESP = (end >= &t->bytes[12] && t->bytes[8] == 0 && t->bytes[9] == 0 && t->bytes[10] == 0 && t->bytes[11] == 0);
+ const IKEHeader *const ike = (IKEHeader *)(t + (NonESP ? 12 : 8));
+ const mDNSu16 ikelen = datalen - (NonESP ? 4 : 0);
+ if (ikelen >= sizeof(IKEHeader) && end >= ((mDNSu8 *)ike) + sizeof(IKEHeader))
+ if ((ike->Version & 0x10) == 0x10)
+ {
+ // ExchangeType == 5 means 'Informational' <http://www.ietf.org/rfc/rfc2408.txt>
+ // ExchangeType == 34 means 'IKE_SA_INIT' <http://www.iana.org/assignments/ikev2-parameters>
+ if (ike->ExchangeType == 5 || ike->ExchangeType == 34) wake = mDNSfalse;
+ LogSPS("%s %d-byte IKE ExchangeType %d", XX, ike->ExchangeType);
+ }
+ }
+ }
+
+ // For now, because we haven't yet worked out a clean elegant way to do this, we just special-case the
+ // Apple Remote Desktop port number -- we ignore all packets to UDP 3283 (the "Net Assistant" port),
+ // except for Apple Remote Desktop's explicit manual wakeup packet, which looks like this:
+ // UDP header (8 bytes)
+ // Payload: 13 88 00 6a 41 4e 41 20 (8 bytes) ffffffffffff (6 bytes) 16xMAC (96 bytes) = 110 bytes total
+ if (mDNSSameIPPort(port, ARD)) wake = (datalen >= 110 && end >= &t->bytes[10] && t->bytes[8] == 0x13 && t->bytes[9] == 0x88);
+
+ LogSPS("%s %d-byte UDP from %#a:%d to %#a:%d", XX, src, mDNSVal16(t->udp.src), dst, mDNSVal16(port));
+ }
+ }
+ break;
+
+ case 0x3A: if (&t->bytes[len] <= end)
+ {
+ mDNSu16 checksum = IPv6CheckSum(&src->ip.v6, &dst->ip.v6, protocol, t->bytes, len);
+ if (!checksum) mDNSCoreReceiveRawND(m, sha, &src->ip.v6, &t->ndp, &t->bytes[len], InterfaceID);
+ else LogInfo("IPv6CheckSum bad %04X %02X%02X from %#a to %#a", checksum, t->bytes[2], t->bytes[3], src, dst);
+ }
+ break;
+
+ default: LogSPS("Ignoring %d-byte IP packet unknown protocol %d from %#a to %#a", end-p, protocol, src, dst);
+ break;
+ }
+
+ if (wake)
+ {
+ AuthRecord *rr, *r2;
+
+ mDNS_Lock(m);
+ for (rr = m->ResourceRecords; rr; rr=rr->next)
+ if (rr->resrec.InterfaceID == InterfaceID &&
+ rr->resrec.RecordType != kDNSRecordTypeDeregistering &&
+ rr->AddressProxy.type && mDNSSameAddress(&rr->AddressProxy, dst))
+ {
+ const mDNSu8 *const tp = (protocol == 6) ? (const mDNSu8 *)"\x4_tcp" : (const mDNSu8 *)"\x4_udp";
+ for (r2 = m->ResourceRecords; r2; r2=r2->next)
+ if (r2->resrec.InterfaceID == InterfaceID && mDNSSameEthAddress(&r2->WakeUp.HMAC, &rr->WakeUp.HMAC) &&
+ r2->resrec.RecordType != kDNSRecordTypeDeregistering &&
+ r2->resrec.rrtype == kDNSType_SRV && mDNSSameIPPort(r2->resrec.rdata->u.srv.port, port) &&
+ SameDomainLabel(ThirdLabel(r2->resrec.name)->c, tp))
+ break;
+ if (!r2 && mDNSSameIPPort(port, IPSECPort)) r2 = rr; // So that we wake for BTMM IPSEC packets, even without a matching SRV record
+ if (!r2 && kaWake) r2 = rr; // So that we wake for keepalive packets, even without a matching SRV record
+ if (r2)
+ {
+ LogMsg("Waking host at %s %#a H-MAC %.6a I-MAC %.6a for %s",
+ InterfaceNameForID(m, rr->resrec.InterfaceID), dst, &rr->WakeUp.HMAC, &rr->WakeUp.IMAC, ARDisplayString(m, r2));
+ ScheduleWakeup(m, rr->resrec.InterfaceID, &rr->WakeUp.HMAC);
+ }
+ else
+ LogSPS("Sleeping host at %s %#a %.6a has no service on %#s %d",
+ InterfaceNameForID(m, rr->resrec.InterfaceID), dst, &rr->WakeUp.HMAC, tp, mDNSVal16(port));
+ }
+ mDNS_Unlock(m);
+ }
+}
+
+mDNSexport void mDNSCoreReceiveRawPacket(mDNS *const m, const mDNSu8 *const p, const mDNSu8 *const end, const mDNSInterfaceID InterfaceID)
+{
+ static const mDNSOpaque16 Ethertype_ARP = { { 0x08, 0x06 } }; // Ethertype 0x0806 = ARP
+ static const mDNSOpaque16 Ethertype_IPv4 = { { 0x08, 0x00 } }; // Ethertype 0x0800 = IPv4
+ static const mDNSOpaque16 Ethertype_IPv6 = { { 0x86, 0xDD } }; // Ethertype 0x86DD = IPv6
+ static const mDNSOpaque16 ARP_hrd_eth = { { 0x00, 0x01 } }; // Hardware address space (Ethernet = 1)
+ static const mDNSOpaque16 ARP_pro_ip = { { 0x08, 0x00 } }; // Protocol address space (IP = 0x0800)
+
+ // Note: BPF guarantees that the NETWORK LAYER header will be word aligned, not the link-layer header.
+ // In other words, we can safely assume that pkt below (ARP, IPv4 or IPv6) is properly word aligned,
+ // but if pkt is 4-byte aligned, that necessarily means that eth CANNOT also be 4-byte aligned
+ // since it points to a an address 14 bytes before pkt.
+ const EthernetHeader *const eth = (const EthernetHeader *)p;
+ const NetworkLayerPacket *const pkt = (const NetworkLayerPacket *)(eth+1);
+ mDNSAddr src, dst;
+ #define RequiredCapLen(P) ((P)==0x01 ? 4 : (P)==0x06 ? 20 : (P)==0x11 ? 8 : (P)==0x3A ? 24 : 0)
+
+ // Is ARP? Length must be at least 14 + 28 = 42 bytes
+ if (end >= p+42 && mDNSSameOpaque16(eth->ethertype, Ethertype_ARP) && mDNSSameOpaque16(pkt->arp.hrd, ARP_hrd_eth) && mDNSSameOpaque16(pkt->arp.pro, ARP_pro_ip))
+ mDNSCoreReceiveRawARP(m, &pkt->arp, InterfaceID);
+ // Is IPv4 with zero fragmentation offset? Length must be at least 14 + 20 = 34 bytes
+ else if (end >= p+34 && mDNSSameOpaque16(eth->ethertype, Ethertype_IPv4) && (pkt->v4.flagsfrags.b[0] & 0x1F) == 0 && pkt->v4.flagsfrags.b[1] == 0)
+ {
+ const mDNSu8 *const trans = p + 14 + (pkt->v4.vlen & 0xF) * 4;
+ debugf("Got IPv4 %02X from %.4a to %.4a", pkt->v4.protocol, &pkt->v4.src, &pkt->v4.dst);
+ src.type = mDNSAddrType_IPv4; src.ip.v4 = pkt->v4.src;
+ dst.type = mDNSAddrType_IPv4; dst.ip.v4 = pkt->v4.dst;
+ if (end >= trans + RequiredCapLen(pkt->v4.protocol))
+ mDNSCoreReceiveRawTransportPacket(m, &eth->src, &src, &dst, pkt->v4.protocol, p, (TransportLayerPacket*)trans, end, InterfaceID, 0);
+ }
+ // Is IPv6? Length must be at least 14 + 28 = 42 bytes
+ else if (end >= p+54 && mDNSSameOpaque16(eth->ethertype, Ethertype_IPv6))
+ {
+ const mDNSu8 *const trans = p + 54;
+ debugf("Got IPv6 %02X from %.16a to %.16a", pkt->v6.pro, &pkt->v6.src, &pkt->v6.dst);
+ src.type = mDNSAddrType_IPv6; src.ip.v6 = pkt->v6.src;
+ dst.type = mDNSAddrType_IPv6; dst.ip.v6 = pkt->v6.dst;
+ if (end >= trans + RequiredCapLen(pkt->v6.pro))
+ mDNSCoreReceiveRawTransportPacket(m, &eth->src, &src, &dst, pkt->v6.pro, p, (TransportLayerPacket*)trans, end, InterfaceID,
+ (mDNSu16)pkt->bytes[4] << 8 | pkt->bytes[5]);
+ }
+}
+
+mDNSlocal void ConstructSleepProxyServerName(mDNS *const m, domainlabel *name)
+{
+ name->c[0] = (mDNSu8)mDNS_snprintf((char*)name->c+1, 62, "%d-%d-%d-%d.%d %#s",
+ m->SPSType, m->SPSPortability, m->SPSMarginalPower, m->SPSTotalPower, m->SPSFeatureFlags, &m->nicelabel);
+}
+
+#ifndef SPC_DISABLED
+mDNSlocal void SleepProxyServerCallback(mDNS *const m, ServiceRecordSet *const srs, mStatus result)
+{
+ if (result == mStatus_NameConflict)
+ mDNS_RenameAndReregisterService(m, srs, mDNSNULL);
+ else if (result == mStatus_MemFree)
+ {
+ if (m->SleepState)
+ m->SPSState = 3;
+ else
+ {
+ m->SPSState = (mDNSu8)(m->SPSSocket != mDNSNULL);
+ if (m->SPSState)
+ {
+ domainlabel name;
+ ConstructSleepProxyServerName(m, &name);
+ mDNS_RegisterService(m, srs,
+ &name, &SleepProxyServiceType, &localdomain,
+ mDNSNULL, m->SPSSocket->port, // Host, port
+ (mDNSu8 *)"", 1, // TXT data, length
+ mDNSNULL, 0, // Subtypes (none)
+ mDNSInterface_Any, // Interface ID
+ SleepProxyServerCallback, mDNSNULL, 0); // Callback, context, flags
+ }
+ LogSPS("Sleep Proxy Server %#s %s", srs->RR_SRV.resrec.name->c, m->SPSState ? "started" : "stopped");
+ }
+ }
+}
+#endif
+
+// Called with lock held
+mDNSexport void mDNSCoreBeSleepProxyServer_internal(mDNS *const m, mDNSu8 sps, mDNSu8 port, mDNSu8 marginalpower, mDNSu8 totpower, mDNSu8 features)
+{
+ // This routine uses mDNS_DeregisterService and calls SleepProxyServerCallback, so we execute in user callback context
+ mDNS_DropLockBeforeCallback();
+
+ // If turning off SPS, close our socket
+ // (Do this first, BEFORE calling mDNS_DeregisterService below)
+ if (!sps && m->SPSSocket) { mDNSPlatformUDPClose(m->SPSSocket); m->SPSSocket = mDNSNULL; }
+
+ // If turning off, or changing type, deregister old name
+#ifndef SPC_DISABLED
+ if (m->SPSState == 1 && sps != m->SPSType)
+ { m->SPSState = 2; mDNS_DeregisterService_drt(m, &m->SPSRecords, sps ? mDNS_Dereg_rapid : mDNS_Dereg_normal); }
+#endif // SPC_DISABLED
+
+ // Record our new SPS parameters
+ m->SPSType = sps;
+ m->SPSPortability = port;
+ m->SPSMarginalPower = marginalpower;
+ m->SPSTotalPower = totpower;
+ m->SPSFeatureFlags = features;
+ // If turning on, open socket and advertise service
+ if (sps)
+ {
+ if (!m->SPSSocket)
+ {
+ m->SPSSocket = mDNSPlatformUDPSocket(m, zeroIPPort);
+ if (!m->SPSSocket) { LogMsg("mDNSCoreBeSleepProxyServer: Failed to allocate SPSSocket"); goto fail; }
+ }
+#ifndef SPC_DISABLED
+ if (m->SPSState == 0) SleepProxyServerCallback(m, &m->SPSRecords, mStatus_MemFree);
+#endif // SPC_DISABLED
+ }
+ else if (m->SPSState)
+ {
+ LogSPS("mDNSCoreBeSleepProxyServer turning off from state %d; will wake clients", m->SPSState);
+ m->NextScheduledSPS = m->timenow;
+ }
+fail:
+ mDNS_ReclaimLockAfterCallback();
+}
+
+// ***************************************************************************
+#if COMPILER_LIKES_PRAGMA_MARK
+#pragma mark -
+#pragma mark - Startup and Shutdown
+#endif
+
+mDNSlocal void mDNS_GrowCache_internal(mDNS *const m, CacheEntity *storage, mDNSu32 numrecords)
+{
+ if (storage && numrecords)
+ {
+ mDNSu32 i;
+ debugf("Adding cache storage for %d more records (%d bytes)", numrecords, numrecords*sizeof(CacheEntity));
+ for (i=0; i<numrecords; i++) storage[i].next = &storage[i+1];
+ storage[numrecords-1].next = m->rrcache_free;
+ m->rrcache_free = storage;
+ m->rrcache_size += numrecords;
+ }
+}
+
+mDNSexport void mDNS_GrowCache(mDNS *const m, CacheEntity *storage, mDNSu32 numrecords)
+{
+ mDNS_Lock(m);
+ mDNS_GrowCache_internal(m, storage, numrecords);
+ mDNS_Unlock(m);
+}
+
+mDNSexport mStatus mDNS_Init(mDNS *const m, mDNS_PlatformSupport *const p,
+ CacheEntity *rrcachestorage, mDNSu32 rrcachesize,
+ mDNSBool AdvertiseLocalAddresses, mDNSCallback *Callback, void *Context)
+{
+ mDNSu32 slot;
+ mDNSs32 timenow;
+ mStatus result;
+
+ if (!rrcachestorage) rrcachesize = 0;
+
+ m->p = p;
+ m->CanReceiveUnicastOn5353 = mDNSfalse; // Assume we can't receive unicasts on 5353, unless platform layer tells us otherwise
+ m->AdvertiseLocalAddresses = AdvertiseLocalAddresses;
+ m->DivertMulticastAdvertisements = mDNSfalse;
+ m->mDNSPlatformStatus = mStatus_Waiting;
+ m->UnicastPort4 = zeroIPPort;
+ m->UnicastPort6 = zeroIPPort;
+ m->PrimaryMAC = zeroEthAddr;
+ m->MainCallback = Callback;
+ m->MainContext = Context;
+ m->rec.r.resrec.RecordType = 0;
+ m->rec.r.resrec.AnonInfo = mDNSNULL;
+
+ // For debugging: To catch and report locking failures
+ m->mDNS_busy = 0;
+ m->mDNS_reentrancy = 0;
+ m->ShutdownTime = 0;
+ m->lock_rrcache = 0;
+ m->lock_Questions = 0;
+ m->lock_Records = 0;
+
+ // Task Scheduling variables
+ result = mDNSPlatformTimeInit();
+ if (result != mStatus_NoError) return(result);
+ m->timenow_adjust = (mDNSs32)mDNSRandom(0xFFFFFFFF);
+ timenow = mDNS_TimeNow_NoLock(m);
+
+ m->timenow = 0; // MUST only be set within mDNS_Lock/mDNS_Unlock section
+ m->timenow_last = timenow;
+ m->NextScheduledEvent = timenow;
+ m->SuppressSending = timenow;
+ m->NextCacheCheck = timenow + 0x78000000;
+ m->NextScheduledQuery = timenow + 0x78000000;
+ m->NextScheduledProbe = timenow + 0x78000000;
+ m->NextScheduledResponse = timenow + 0x78000000;
+ m->NextScheduledNATOp = timenow + 0x78000000;
+ m->NextScheduledSPS = timenow + 0x78000000;
+ m->NextScheduledKA = timenow + 0x78000000;
+ m->NextScheduledStopTime = timenow + 0x78000000;
+ m->RandomQueryDelay = 0;
+ m->RandomReconfirmDelay = 0;
+ m->PktNum = 0;
+ m->MPktNum = 0;
+ m->LocalRemoveEvents = mDNSfalse;
+ m->SleepState = SleepState_Awake;
+ m->SleepSeqNum = 0;
+ m->SystemWakeOnLANEnabled = mDNSfalse;
+ m->AnnounceOwner = NonZeroTime(timenow + 60 * mDNSPlatformOneSecond);
+ m->DelaySleep = 0;
+ m->SleepLimit = 0;
+
+#if APPLE_OSX_mDNSResponder
+ m->StatStartTime = mDNSPlatformUTC();
+ m->NextStatLogTime = m->StatStartTime + kDefaultNextStatsticsLogTime;
+ m->ActiveStatTime = 0;
+ m->UnicastPacketsSent = 0;
+ m->MulticastPacketsSent = 0;
+ m->RemoteSubnet = 0;
+#endif // APPLE_OSX_mDNSResponder
+
+ // These fields only required for mDNS Searcher...
+ m->Questions = mDNSNULL;
+ m->NewQuestions = mDNSNULL;
+ m->CurrentQuestion = mDNSNULL;
+ m->LocalOnlyQuestions = mDNSNULL;
+ m->NewLocalOnlyQuestions = mDNSNULL;
+ m->RestartQuestion = mDNSNULL;
+ m->ValidationQuestion = mDNSNULL;
+ m->rrcache_size = 0;
+ m->rrcache_totalused = 0;
+ m->rrcache_active = 0;
+ m->rrcache_report = 10;
+ m->rrcache_free = mDNSNULL;
+
+ for (slot = 0; slot < CACHE_HASH_SLOTS; slot++)
+ {
+ m->rrcache_hash[slot] = mDNSNULL;
+ m->rrcache_nextcheck[slot] = timenow + 0x78000000;;
+ }
+
+ mDNS_GrowCache_internal(m, rrcachestorage, rrcachesize);
+ m->rrauth.rrauth_free = mDNSNULL;
+
+ for (slot = 0; slot < AUTH_HASH_SLOTS; slot++)
+ m->rrauth.rrauth_hash[slot] = mDNSNULL;
+
+ // Fields below only required for mDNS Responder...
+ m->hostlabel.c[0] = 0;
+ m->nicelabel.c[0] = 0;
+ m->MulticastHostname.c[0] = 0;
+ m->HIHardware.c[0] = 0;
+ m->HISoftware.c[0] = 0;
+ m->ResourceRecords = mDNSNULL;
+ m->DuplicateRecords = mDNSNULL;
+ m->NewLocalRecords = mDNSNULL;
+ m->NewLocalOnlyRecords = mDNSfalse;
+ m->CurrentRecord = mDNSNULL;
+ m->HostInterfaces = mDNSNULL;
+ m->ProbeFailTime = 0;
+ m->NumFailedProbes = 0;
+ m->SuppressProbes = 0;
+
+#ifndef UNICAST_DISABLED
+ m->NextuDNSEvent = timenow + 0x78000000;
+ m->NextSRVUpdate = timenow + 0x78000000;
+
+ m->DNSServers = mDNSNULL;
+
+ m->Router = zeroAddr;
+ m->AdvertisedV4 = zeroAddr;
+ m->AdvertisedV6 = zeroAddr;
+
+ m->AuthInfoList = mDNSNULL;
+
+ m->ReverseMap.ThisQInterval = -1;
+ m->StaticHostname.c[0] = 0;
+ m->FQDN.c[0] = 0;
+ m->Hostnames = mDNSNULL;
+ m->AutoTunnelNAT.clientContext = mDNSNULL;
+
+ m->WABBrowseQueriesCount = 0;
+ m->WABLBrowseQueriesCount = 0;
+ m->WABRegQueriesCount = 0;
+#if !TARGET_OS_EMBEDDED
+ m->mDNSOppCaching = mDNStrue;
+#else
+ m->mDNSOppCaching = mDNSfalse;
+#endif
+ m->AutoTargetServices = 0;
+
+ // NAT traversal fields
+ m->LLQNAT.clientCallback = mDNSNULL;
+ m->LLQNAT.clientContext = mDNSNULL;
+ m->NATTraversals = mDNSNULL;
+ m->CurrentNATTraversal = mDNSNULL;
+ m->retryIntervalGetAddr = 0; // delta between time sent and retry
+ m->retryGetAddr = timenow + 0x78000000; // absolute time when we retry
+ m->ExtAddress = zerov4Addr;
+ m->PCPNonce[0] = mDNSRandom(-1);
+ m->PCPNonce[1] = mDNSRandom(-1);
+ m->PCPNonce[2] = mDNSRandom(-1);
+
+ m->NATMcastRecvskt = mDNSNULL;
+ m->LastNATupseconds = 0;
+ m->LastNATReplyLocalTime = timenow;
+ m->LastNATMapResultCode = NATErr_None;
+
+ m->UPnPInterfaceID = 0;
+ m->SSDPSocket = mDNSNULL;
+ m->SSDPWANPPPConnection = mDNSfalse;
+ m->UPnPRouterPort = zeroIPPort;
+ m->UPnPSOAPPort = zeroIPPort;
+ m->UPnPRouterURL = mDNSNULL;
+ m->UPnPWANPPPConnection = mDNSfalse;
+ m->UPnPSOAPURL = mDNSNULL;
+ m->UPnPRouterAddressString = mDNSNULL;
+ m->UPnPSOAPAddressString = mDNSNULL;
+ m->SPSType = 0;
+ m->SPSPortability = 0;
+ m->SPSMarginalPower = 0;
+ m->SPSTotalPower = 0;
+ m->SPSFeatureFlags = 0;
+ m->SPSState = 0;
+ m->SPSProxyListChanged = mDNSNULL;
+ m->SPSSocket = mDNSNULL;
+ m->SPSBrowseCallback = mDNSNULL;
+ m->ProxyRecords = 0;
+
+#endif
+
+#if APPLE_OSX_mDNSResponder
+ m->TunnelClients = mDNSNULL;
+
+#if !NO_WCF
+ CHECK_WCF_FUNCTION(WCFConnectionNew)
+ {
+ m->WCF = WCFConnectionNew();
+ if (!m->WCF) { LogMsg("WCFConnectionNew failed"); return -1; }
+ }
+#endif
+
+#endif
+
+ result = mDNSPlatformInit(m);
+
+#ifndef UNICAST_DISABLED
+ // It's better to do this *after* the platform layer has set up the
+ // interface list and security credentials
+ uDNS_SetupDNSConfig(m); // Get initial DNS configuration
+#endif
+
+ return(result);
+}
+
+mDNSexport void mDNS_ConfigChanged(mDNS *const m)
+{
+ if (m->SPSState == 1)
+ {
+ domainlabel name, newname;
+#ifndef SPC_DISABLED
+ domainname type, domain;
+ DeconstructServiceName(m->SPSRecords.RR_SRV.resrec.name, &name, &type, &domain);
+#endif // SPC_DISABLED
+ ConstructSleepProxyServerName(m, &newname);
+ if (!SameDomainLabelCS(name.c, newname.c))
+ {
+ LogSPS("Renaming SPS from “%#s” to “%#s”", name.c, newname.c);
+ // When SleepProxyServerCallback gets the mStatus_MemFree message,
+ // it will reregister the service under the new name
+ m->SPSState = 2;
+#ifndef SPC_DISABLED
+ mDNS_DeregisterService_drt(m, &m->SPSRecords, mDNS_Dereg_rapid);
+#endif // SPC_DISABLED
+ }
+ }
+
+ if (m->MainCallback)
+ m->MainCallback(m, mStatus_ConfigChanged);
+}
+
+mDNSlocal void DynDNSHostNameCallback(mDNS *const m, AuthRecord *const rr, mStatus result)
+{
+ (void)m; // unused
+ debugf("NameStatusCallback: result %d for registration of name %##s", result, rr->resrec.name->c);
+ mDNSPlatformDynDNSHostNameStatusChanged(rr->resrec.name, result);
+}
+
+mDNSlocal void PurgeOrReconfirmCacheRecord(mDNS *const m, CacheRecord *cr, const DNSServer * const ptr, mDNSBool lameduck)
+{
+ mDNSBool purge = cr->resrec.RecordType == kDNSRecordTypePacketNegative ||
+ cr->resrec.rrtype == kDNSType_A ||
+ cr->resrec.rrtype == kDNSType_AAAA ||
+ cr->resrec.rrtype == kDNSType_SRV;
+
+ (void) lameduck;
+ (void) ptr;
+ debugf("PurgeOrReconfirmCacheRecord: %s cache record due to %s server %p %#a:%d (%##s): %s",
+ purge ? "purging" : "reconfirming",
+ lameduck ? "lame duck" : "new",
+ ptr, &ptr->addr, mDNSVal16(ptr->port), ptr->domain.c, CRDisplayString(m, cr));
+
+ if (purge)
+ {
+ LogInfo("PurgeorReconfirmCacheRecord: Purging Resourcerecord %s, RecordType %x", CRDisplayString(m, cr), cr->resrec.RecordType);
+ mDNS_PurgeCacheResourceRecord(m, cr);
+ }
+ else
+ {
+ LogInfo("PurgeorReconfirmCacheRecord: Reconfirming Resourcerecord %s, RecordType %x", CRDisplayString(m, cr), cr->resrec.RecordType);
+ mDNS_Reconfirm_internal(m, cr, kDefaultReconfirmTimeForNoAnswer);
+ }
+}
+
+mDNSlocal void mDNS_PurgeForQuestion(mDNS *const m, DNSQuestion *q)
+{
+ const mDNSu32 slot = HashSlot(&q->qname);
+ CacheGroup *const cg = CacheGroupForName(m, slot, q->qnamehash, &q->qname);
+ CacheRecord *rp;
+ mDNSu8 validatingResponse = 0;
+
+ // For DNSSEC questions, purge the corresponding RRSIGs also.
+ if (DNSSECQuestion(q))
+ {
+ validatingResponse = q->ValidatingResponse;
+ q->ValidatingResponse = mDNStrue;
+ }
+ for (rp = cg ? cg->members : mDNSNULL; rp; rp = rp->next)
+ {
+ if (SameNameRecordAnswersQuestion(&rp->resrec, q))
+ {
+ LogInfo("mDNS_PurgeForQuestion: Flushing %s", CRDisplayString(m, rp));
+ mDNS_PurgeCacheResourceRecord(m, rp);
+ }
+ }
+ if (DNSSECQuestion(q))
+ {
+ q->ValidatingResponse = validatingResponse;
+ }
+}
+
+// For DNSSEC question, we need the DNSSEC records also. If the cache does not
+// have the DNSSEC records, we need to re-issue the question with EDNS0/DO bit set.
+// Just re-issuing the question for RRSIGs does not work in practice as the response
+// may not contain the RRSIGs whose typeCovered field matches the question's qtype.
+//
+// For negative responses, we need the NSECs to prove the non-existence. If we don't
+// have the cached NSECs, purge them. For positive responses, if we don't have the
+// RRSIGs and if we have not already issued the question with EDNS0/DO bit set, purge
+// them.
+mDNSlocal void CheckForDNSSECRecords(mDNS *const m, DNSQuestion *q)
+{
+ const mDNSu32 slot = HashSlot(&q->qname);
+ CacheGroup *const cg = CacheGroupForName(m, slot, q->qnamehash, &q->qname);
+ CacheRecord *rp;
+
+ for (rp = cg ? cg->members : mDNSNULL; rp; rp = rp->next)
+ {
+ if (SameNameRecordAnswersQuestion(&rp->resrec, q))
+ {
+ if (rp->resrec.RecordType != kDNSRecordTypePacketNegative || !rp->nsec)
+ {
+ if (!rp->CRDNSSECQuestion)
+ {
+ LogInfo("CheckForDNSSECRecords: Flushing %s", CRDisplayString(m, rp));
+ mDNS_PurgeCacheResourceRecord(m, rp);
+ }
+ }
+ }
+ }
+}
+
+// Check for a positive unicast response to the question but with qtype
+mDNSexport mDNSBool mDNS_CheckForCacheRecord(mDNS *const m, DNSQuestion *q, mDNSu16 qtype)
+{
+ DNSQuestion question;
+ const mDNSu32 slot = HashSlot(&q->qname);
+ CacheGroup *const cg = CacheGroupForName(m, slot, q->qnamehash, &q->qname);
+ CacheRecord *rp;
+
+ // Create an identical question but with qtype
+ mDNS_SetupQuestion(&question, q->InterfaceID, &q->qname, qtype, mDNSNULL, mDNSNULL);
+ question.qDNSServer = q->qDNSServer;
+
+ for (rp = cg ? cg->members : mDNSNULL; rp; rp = rp->next)
+ {
+ if (!rp->resrec.InterfaceID && rp->resrec.RecordType != kDNSRecordTypePacketNegative &&
+ SameNameRecordAnswersQuestion(&rp->resrec, &question))
+ {
+ LogInfo("mDNS_CheckForCacheRecord: Found %s", CRDisplayString(m, rp));
+ return mDNStrue;
+ }
+ }
+ return mDNSfalse;
+}
+
+mDNSexport void DNSServerChangeForQuestion(mDNS *const m, DNSQuestion *q, DNSServer *new)
+{
+ DNSQuestion *qptr;
+
+ (void) m;
+
+ if (q->DuplicateOf)
+ LogMsg("DNSServerChangeForQuestion: ERROR: Called for duplicate question %##s", q->qname.c);
+
+ // Make sure all the duplicate questions point to the same DNSServer so that delivery
+ // of events for all of them are consistent. Duplicates for a question are always inserted
+ // after in the list.
+ q->qDNSServer = new;
+ for (qptr = q->next ; qptr; qptr = qptr->next)
+ {
+ if (qptr->DuplicateOf == q) { qptr->validDNSServers = q->validDNSServers; qptr->qDNSServer = new; }
+ }
+}
+
+mDNSlocal void SetConfigState(mDNS *const m, mDNSBool delete)
+{
+ McastResolver *mr;
+ DNSServer *ptr;
+
+ if (delete)
+ {
+ for (ptr = m->DNSServers; ptr; ptr = ptr->next)
+ {
+ ptr->penaltyTime = 0;
+ NumUnicastDNSServers--;
+ ptr->flags |= DNSServer_FlagDelete;
+ }
+ // We handle the mcast resolvers here itself as mDNSPlatformSetDNSConfig looks at
+ // mcast resolvers. Today we get both mcast and ucast configuration using the same
+ // API
+ for (mr = m->McastResolvers; mr; mr = mr->next)
+ mr->flags |= McastResolver_FlagDelete;
+ }
+ else
+ {
+ for (ptr = m->DNSServers; ptr; ptr = ptr->next)
+ {
+ ptr->penaltyTime = 0;
+ NumUnicastDNSServers++;
+ ptr->flags &= ~DNSServer_FlagDelete;
+ }
+ for (mr = m->McastResolvers; mr; mr = mr->next)
+ mr->flags &= ~McastResolver_FlagDelete;
+ }
+}
+
+mDNSexport mStatus uDNS_SetupDNSConfig(mDNS *const m)
+{
+ mDNSu32 slot;
+ CacheGroup *cg;
+ CacheRecord *cr;
+ mDNSBool Restart = mDNSfalse;
+ mDNSAddr v4, v6, r;
+ domainname fqdn;
+ DNSServer *ptr, **p = &m->DNSServers;
+ const DNSServer *oldServers = m->DNSServers;
+ DNSQuestion *q;
+ McastResolver *mr, **mres = &m->McastResolvers;
+
+ debugf("uDNS_SetupDNSConfig: entry");
+
+ // Let the platform layer get the current DNS information and setup the WAB queries if needed.
+ uDNS_SetupWABQueries(m);
+
+ mDNS_Lock(m);
+
+ // We need to first mark all the entries to be deleted. If the configuration changed, then
+ // the entries would be undeleted appropriately. Otherwise, we need to clear them.
+ //
+ // Note: The last argument to mDNSPlatformSetDNSConfig is "mDNStrue" which means ack the
+ // configuration. We already processed search domains in uDNS_SetupWABQueries above and
+ // hence we are ready to ack the configuration as this is the last call to mDNSPlatformSetConfig
+ // for the dns configuration change notification.
+ SetConfigState(m, mDNStrue);
+ if (!mDNSPlatformSetDNSConfig(m, mDNStrue, mDNSfalse, &fqdn, mDNSNULL, mDNSNULL, mDNStrue))
+ {
+ SetConfigState(m, mDNSfalse);
+ mDNS_Unlock(m);
+ LogInfo("uDNS_SetupDNSConfig: No configuration change");
+ return mStatus_NoError;
+ }
+
+ // For now, we just delete the mcast resolvers. We don't deal with cache or
+ // questions here. Neither question nor cache point to mcast resolvers. Questions
+ // do inherit the timeout values from mcast resolvers. But we don't bother
+ // affecting them as they never change.
+ while (*mres)
+ {
+ if (((*mres)->flags & DNSServer_FlagDelete) != 0)
+ {
+ mr = *mres;
+ *mres = (*mres)->next;
+ debugf("uDNS_SetupDNSConfig: Deleting mcast resolver %##s", mr, mr->domain.c);
+ mDNSPlatformMemFree(mr);
+ }
+ else
+ {
+ (*mres)->flags &= ~McastResolver_FlagNew;
+ mres = &(*mres)->next;
+ }
+ }
+
+ // Update our qDNSServer pointers before we go and free the DNSServer object memory
+ //
+ // All non-scoped resolvers share the same resGroupID. At no point in time a cache entry using DNSServer
+ // from scoped resolver will be used to answer non-scoped questions and vice versa, as scoped and non-scoped
+ // resolvers don't share the same resGroupID. A few examples to describe the interaction with how we pick
+ // DNSServers and flush the cache.
+ //
+ // - A non-scoped question picks DNSServer X, creates a cache entry with X. If a new resolver gets added later that
+ // is a better match, we pick the new DNSServer for the question and activate the unicast query. We may or may not
+ // flush the cache (See PurgeOrReconfirmCacheRecord). In either case, we don't change the cache record's DNSServer
+ // pointer immediately (qDNSServer and rDNSServer may be different but still share the same resGroupID). If we don't
+ // flush the cache immediately, the record's rDNSServer pointer will be updated (in mDNSCoreReceiveResponse)
+ // later when we get the response. If we purge the cache, we still deliver a RMV when it is purged even though
+ // we don't update the cache record's DNSServer pointer to match the question's DNSSever, as they both point to
+ // the same resGroupID.
+ //
+ // Note: If the new DNSServer comes back with a different response than what we have in the cache, we will deliver a RMV
+ // of the old followed by ADD of the new records.
+ //
+ // - A non-scoped question picks DNSServer X, creates a cache entry with X. If the resolver gets removed later, we will
+ // pick a new DNSServer for the question which may or may not be NULL and set the cache record's pointer to the same
+ // as in question's qDNSServer if the cache record is not flushed. If there is no active question, it will be set to NULL.
+ //
+ // - Two questions scoped and non-scoped for the same name will pick two different DNSServer and will end up creating separate
+ // cache records and as the resGroupID is different, you can't use the cache record from the scoped DNSServer to answer the
+ // non-scoped question and vice versa.
+ //
+ for (q = m->Questions; q; q=q->next)
+ {
+ if (!mDNSOpaque16IsZero(q->TargetQID))
+ {
+ DNSServer *s, *t;
+ DNSQuestion *qptr;
+ if (q->DuplicateOf) continue;
+ SetValidDNSServers(m, q);
+ q->triedAllServersOnce = 0;
+ s = GetServerForQuestion(m, q);
+ t = q->qDNSServer;
+ if (t != s)
+ {
+ mDNSBool old, new;
+ // If DNS Server for this question has changed, reactivate it
+ LogInfo("uDNS_SetupDNSConfig: Updating DNS Server from %#a:%d (%##s) to %#a:%d (%##s) for question %##s (%s) (scope:%p)",
+ t ? &t->addr : mDNSNULL, mDNSVal16(t ? t->port : zeroIPPort), t ? t->domain.c : (mDNSu8*)"",
+ s ? &s->addr : mDNSNULL, mDNSVal16(s ? s->port : zeroIPPort), s ? s->domain.c : (mDNSu8*)"",
+ q->qname.c, DNSTypeName(q->qtype), q->InterfaceID);
+
+ old = q->SuppressQuery;
+ new = ShouldSuppressUnicastQuery(m, q, s);
+ if (old != new)
+ {
+ // Changing the DNS server affected the SuppressQuery status. We need to
+ // deliver RMVs for the previous ADDs (if any) before switching to the new
+ // DNSServer. To keep it simple, we walk all the questions and mark them
+ // to be restarted and then handle all of them at once.
+ q->Restart = 1;
+ q->SuppressQuery = new;
+ for (qptr = q->next ; qptr; qptr = qptr->next)
+ {
+ if (qptr->DuplicateOf == q)
+ qptr->Restart = 1;
+ }
+ Restart = mDNStrue;
+ }
+ else
+ {
+ DNSServerChangeForQuestion(m, q, s);
+ q->unansweredQueries = 0;
+
+ // If we had sent a query out to DNSServer "t" and we are changing to "s", we
+ // need to ignore the responses coming back from "t" as the DNS configuration
+ // has changed e.g., when a new interface is coming up and that becomes the primary
+ // interface, we switch to the DNS servers configured for the primary interface. In
+ // this case, we should not accept responses associated with the previous interface as
+ // the "name" could resolve differently on this new primary interface. Hence, discard
+ // in-flight responses.
+ q->TargetQID = mDNS_NewMessageID(m);
+
+ if (!QuerySuppressed(q))
+ {
+ debugf("uDNS_SetupDNSConfig: Activating query %p %##s (%s)", q, q->qname.c, DNSTypeName(q->qtype));
+ ActivateUnicastQuery(m, q, mDNStrue);
+ // ActivateUnicastQuery is called for duplicate questions also as it does something
+ // special for AutoTunnel questions
+ for (qptr = q->next ; qptr; qptr = qptr->next)
+ {
+ if (qptr->DuplicateOf == q) ActivateUnicastQuery(m, qptr, mDNStrue);
+ }
+ }
+ }
+ }
+ else
+ {
+ debugf("uDNS_SetupDNSConfig: Not Updating DNS server question %p %##s (%s) DNS server %#a:%d %p %d",
+ q, q->qname.c, DNSTypeName(q->qtype), t ? &t->addr : mDNSNULL, mDNSVal16(t ? t->port : zeroIPPort), q->DuplicateOf, q->SuppressUnusable);
+ for (qptr = q->next ; qptr; qptr = qptr->next)
+ if (qptr->DuplicateOf == q) { qptr->validDNSServers = q->validDNSServers; qptr->qDNSServer = q->qDNSServer; }
+ }
+ }
+ }
+ if (Restart)
+ RestartUnicastQuestions(m);
+
+ FORALL_CACHERECORDS(slot, cg, cr)
+ {
+ if (cr->resrec.InterfaceID)
+ continue;
+
+ // We already walked the questions and restarted/reactivated them if the dns server
+ // change affected the question. That should take care of updating the cache. But
+ // what if there is no active question at this point when the DNS server change
+ // happened ? There could be old cache entries lying around and if we don't flush
+ // them, a new question after the DNS server change could pick up these stale
+ // entries and get a wrong answer.
+ //
+ // For cache entries that have active questions we might have skipped rescheduling
+ // the questions if they were suppressed (see above). To keep it simple, we walk
+ // all the cache entries to make sure that there are no stale entries. We use the
+ // active question's InterfaceID/ServiceID for looking up the right DNS server.
+ // Note that the unscoped value for ServiceID is -1.
+ //
+ // Note: If GetServerForName returns NULL, it could either mean that there are no
+ // DNS servers or no matching DNS servers for this question. In either case,
+ // the cache should get purged below when we process deleted DNS servers.
+
+ ptr = GetServerForName(m, cr->resrec.name,
+ (cr->CRActiveQuestion ? cr->CRActiveQuestion->InterfaceID : mDNSNULL),
+ (cr->CRActiveQuestion ? cr->CRActiveQuestion->ServiceID : -1));
+
+ // Purge or Reconfirm if this cache entry would use the new DNS server
+ if (ptr && (ptr != cr->resrec.rDNSServer))
+ {
+ // As the DNSServers for this cache record is not the same anymore, we don't
+ // want any new questions to pick this old value. If there is no active question,
+ // we can't possibly re-confirm, so purge in that case. If it is a DNSSEC question,
+ // purge the cache as the DNSSEC capabilities of the DNS server may have changed.
+
+ if (cr->CRActiveQuestion == mDNSNULL || DNSSECQuestion(cr->CRActiveQuestion))
+ {
+ LogInfo("uDNS_SetupDNSConfig: Purging Resourcerecord %s, New DNS server %#a , Old DNS server %#a", CRDisplayString(m, cr),
+ &ptr->addr, (cr->resrec.rDNSServer != mDNSNULL ? &cr->resrec.rDNSServer->addr : mDNSNULL));
+ mDNS_PurgeCacheResourceRecord(m, cr);
+ }
+ else
+ {
+ LogInfo("uDNS_SetupDNSConfig: Purging/Reconfirming Resourcerecord %s, New DNS server %#a, Old DNS server %#a", CRDisplayString(m, cr),
+ &ptr->addr, (cr->resrec.rDNSServer != mDNSNULL ? &cr->resrec.rDNSServer->addr : mDNSNULL));
+ PurgeOrReconfirmCacheRecord(m, cr, ptr, mDNSfalse);
+ }
+ }
+ }
+
+ while (*p)
+ {
+ if (((*p)->flags & DNSServer_FlagDelete) != 0)
+ {
+ // Scan our cache, looking for uDNS records that we would have queried this server for.
+ // We reconfirm any records that match, because in this world of split DNS, firewalls, etc.
+ // different DNS servers can give different answers to the same question.
+ ptr = *p;
+ FORALL_CACHERECORDS(slot, cg, cr)
+ {
+ if (cr->resrec.InterfaceID) continue;
+ if (cr->resrec.rDNSServer == ptr)
+ {
+ // If we don't have an active question for this cache record, neither Purge can
+ // generate RMV events nor Reconfirm can send queries out. Just set the DNSServer
+ // pointer on the record NULL so that we don't point to freed memory (We might dereference
+ // DNSServer pointers from resource record for logging purposes).
+ //
+ // If there is an active question, point to its DNSServer as long as it does not point to the
+ // freed one. We already went through the questions above and made them point at either the
+ // new server or NULL if there is no server.
+
+ if (cr->CRActiveQuestion)
+ {
+ DNSQuestion *qptr = cr->CRActiveQuestion;
+
+ if (qptr->qDNSServer == ptr)
+ {
+ LogMsg("uDNS_SetupDNSConfig: ERROR!! Cache Record %s Active question %##s (%s) (scope:%p) poining to DNSServer Address %#a"
+ " to be freed", CRDisplayString(m, cr), qptr->qname.c, DNSTypeName(qptr->qtype), qptr->InterfaceID, &ptr->addr);
+ qptr->validDNSServers = zeroOpaque64;
+ qptr->qDNSServer = mDNSNULL;
+ cr->resrec.rDNSServer = mDNSNULL;
+ }
+ else
+ {
+ LogInfo("uDNS_SetupDNSConfig: Cache Record %s, Active question %##s (%s) (scope:%p), pointing to DNSServer %#a (to be deleted),"
+ " resetting to question's DNSServer Address %#a", CRDisplayString(m, cr), qptr->qname.c, DNSTypeName(qptr->qtype),
+ qptr->InterfaceID, &ptr->addr, (qptr->qDNSServer ? &qptr->qDNSServer->addr : mDNSNULL));
+ cr->resrec.rDNSServer = qptr->qDNSServer;
+ }
+ }
+ else
+ {
+ LogInfo("uDNS_SetupDNSConfig: Cache Record %##s has no Active question, Record's DNSServer Address %#a, Server to be deleted %#a",
+ cr->resrec.name, &cr->resrec.rDNSServer->addr, &ptr->addr);
+ cr->resrec.rDNSServer = mDNSNULL;
+ }
+
+ PurgeOrReconfirmCacheRecord(m, cr, ptr, mDNStrue);
+ }
+ }
+ *p = (*p)->next;
+ LogInfo("uDNS_SetupDNSConfig: Deleting server %p %#a:%d (%##s) %d", ptr, &ptr->addr, mDNSVal16(ptr->port), ptr->domain.c, NumUnicastDNSServers);
+ mDNSPlatformMemFree(ptr);
+ }
+ else
+ {
+ (*p)->flags &= ~DNSServer_FlagNew;
+ p = &(*p)->next;
+ }
+ }
+
+ // If we now have no DNS servers at all and we used to have some, then immediately purge all unicast cache records (including for LLQs).
+ // This is important for giving prompt remove events when the user disconnects the Ethernet cable or turns off wireless.
+ // Otherwise, stale data lingers for 5-10 seconds, which is not the user-experience people expect from Bonjour.
+ // Similarly, if we now have some DNS servers and we used to have none, we want to purge any fake negative results we may have generated.
+ if ((m->DNSServers != mDNSNULL) != (oldServers != mDNSNULL))
+ {
+ int count = 0;
+ FORALL_CACHERECORDS(slot, cg, cr)
+ {
+ if (!cr->resrec.InterfaceID)
+ {
+ mDNS_PurgeCacheResourceRecord(m, cr);
+ count++;
+ }
+ }
+ LogInfo("uDNS_SetupDNSConfig: %s available; purged %d unicast DNS records from cache",
+ m->DNSServers ? "DNS server became" : "No DNS servers", count);
+
+ // Force anything that needs to get zone data to get that information again
+ RestartRecordGetZoneData(m);
+ }
+
+ // Did our FQDN change?
+ if (!SameDomainName(&fqdn, &m->FQDN))
+ {
+ if (m->FQDN.c[0]) mDNS_RemoveDynDNSHostName(m, &m->FQDN);
+
+ AssignDomainName(&m->FQDN, &fqdn);
+
+ if (m->FQDN.c[0])
+ {
+ mDNSPlatformDynDNSHostNameStatusChanged(&m->FQDN, 1);
+ mDNS_AddDynDNSHostName(m, &m->FQDN, DynDNSHostNameCallback, mDNSNULL);
+ }
+ }
+
+ mDNS_Unlock(m);
+
+ // handle router and primary interface changes
+ v4 = v6 = r = zeroAddr;
+ v4.type = r.type = mDNSAddrType_IPv4;
+
+ if (mDNSPlatformGetPrimaryInterface(m, &v4, &v6, &r) == mStatus_NoError && !mDNSv4AddressIsLinkLocal(&v4.ip.v4))
+ {
+ mDNS_SetPrimaryInterfaceInfo(m,
+ !mDNSIPv4AddressIsZero(v4.ip.v4) ? &v4 : mDNSNULL,
+ !mDNSIPv6AddressIsZero(v6.ip.v6) ? &v6 : mDNSNULL,
+ !mDNSIPv4AddressIsZero(r.ip.v4) ? &r : mDNSNULL);
+ }
+ else
+ {
+ mDNS_SetPrimaryInterfaceInfo(m, mDNSNULL, mDNSNULL, mDNSNULL);
+ if (m->FQDN.c[0]) mDNSPlatformDynDNSHostNameStatusChanged(&m->FQDN, 1); // Set status to 1 to indicate temporary failure
+ }
+
+ debugf("uDNS_SetupDNSConfig: number of unicast DNS servers %d", NumUnicastDNSServers);
+ return mStatus_NoError;
+}
+
+mDNSexport void mDNSCoreInitComplete(mDNS *const m, mStatus result)
+{
+ m->mDNSPlatformStatus = result;
+ if (m->MainCallback)
+ {
+ mDNS_Lock(m);
+ mDNS_DropLockBeforeCallback(); // Allow client to legally make mDNS API calls from the callback
+ m->MainCallback(m, mStatus_NoError);
+ mDNS_ReclaimLockAfterCallback(); // Decrement mDNS_reentrancy to block mDNS API calls again
+ mDNS_Unlock(m);
+ }
+}
+
+mDNSlocal void DeregLoop(mDNS *const m, AuthRecord *const start)
+{
+ m->CurrentRecord = start;
+ while (m->CurrentRecord)
+ {
+ AuthRecord *rr = m->CurrentRecord;
+ LogInfo("DeregLoop: %s deregistration for %p %02X %s",
+ (rr->resrec.RecordType != kDNSRecordTypeDeregistering) ? "Initiating " : "Accelerating",
+ rr, rr->resrec.RecordType, ARDisplayString(m, rr));
+ if (rr->resrec.RecordType != kDNSRecordTypeDeregistering)
+ mDNS_Deregister_internal(m, rr, mDNS_Dereg_rapid);
+ else if (rr->AnnounceCount > 1)
+ {
+ rr->AnnounceCount = 1;
+ rr->LastAPTime = m->timenow - rr->ThisAPInterval;
+ }
+ // Mustn't advance m->CurrentRecord until *after* mDNS_Deregister_internal, because
+ // new records could have been added to the end of the list as a result of that call.
+ if (m->CurrentRecord == rr) // If m->CurrentRecord was not advanced for us, do it now
+ m->CurrentRecord = rr->next;
+ }
+}
+
+mDNSexport void mDNS_StartExit(mDNS *const m)
+{
+ NetworkInterfaceInfo *intf;
+ AuthRecord *rr;
+
+ mDNS_Lock(m);
+
+ LogInfo("mDNS_StartExit");
+ m->ShutdownTime = NonZeroTime(m->timenow + mDNSPlatformOneSecond * 5);
+
+ mDNSCoreBeSleepProxyServer_internal(m, 0, 0, 0, 0, 0);
+
+#if APPLE_OSX_mDNSResponder
+#if !NO_WCF
+ CHECK_WCF_FUNCTION(WCFConnectionDealloc)
+ {
+ if (m->WCF) WCFConnectionDealloc((WCFConnection *)m->WCF);
+ }
+#endif
+#endif
+
+#ifndef UNICAST_DISABLED
+ {
+ SearchListElem *s;
+ SuspendLLQs(m);
+ // Don't need to do SleepRecordRegistrations() here
+ // because we deregister all records and services later in this routine
+ while (m->Hostnames) mDNS_RemoveDynDNSHostName(m, &m->Hostnames->fqdn);
+
+ // For each member of our SearchList, deregister any records it may have created, and cut them from the list.
+ // Otherwise they'll be forcibly deregistered for us (without being cut them from the appropriate list)
+ // and we may crash because the list still contains dangling pointers.
+ for (s = SearchList; s; s = s->next)
+ while (s->AuthRecs)
+ {
+ ARListElem *dereg = s->AuthRecs;
+ s->AuthRecs = s->AuthRecs->next;
+ mDNS_Deregister_internal(m, &dereg->ar, mDNS_Dereg_normal); // Memory will be freed in the FreeARElemCallback
+ }
+ }
+#endif
+
+ for (intf = m->HostInterfaces; intf; intf = intf->next)
+ if (intf->Advertise)
+ DeadvertiseInterface(m, intf);
+
+ // Shut down all our active NAT Traversals
+ while (m->NATTraversals)
+ {
+ NATTraversalInfo *t = m->NATTraversals;
+ mDNS_StopNATOperation_internal(m, t); // This will cut 't' from the list, thereby advancing m->NATTraversals in the process
+
+ // After stopping the NAT Traversal, we zero out the fields.
+ // This has particularly important implications for our AutoTunnel records --
+ // when we deregister our AutoTunnel records below, we don't want their mStatus_MemFree
+ // handlers to just turn around and attempt to re-register those same records.
+ // Clearing t->ExternalPort/t->RequestedPort will cause the mStatus_MemFree callback handlers
+ // to not do this.
+ t->ExternalAddress = zerov4Addr;
+ t->NewAddress = zerov4Addr;
+ t->ExternalPort = zeroIPPort;
+ t->RequestedPort = zeroIPPort;
+ t->Lifetime = 0;
+ t->Result = mStatus_NoError;
+ }
+
+ // Make sure there are nothing but deregistering records remaining in the list
+ if (m->CurrentRecord)
+ LogMsg("mDNS_StartExit: ERROR m->CurrentRecord already set %s", ARDisplayString(m, m->CurrentRecord));
+
+ // We're in the process of shutting down, so queries, etc. are no longer available.
+ // Consequently, determining certain information, e.g. the uDNS update server's IP
+ // address, will not be possible. The records on the main list are more likely to
+ // already contain such information, so we deregister the duplicate records first.
+ LogInfo("mDNS_StartExit: Deregistering duplicate resource records");
+ DeregLoop(m, m->DuplicateRecords);
+ LogInfo("mDNS_StartExit: Deregistering resource records");
+ DeregLoop(m, m->ResourceRecords);
+
+ // If we scheduled a response to send goodbye packets, we set NextScheduledResponse to now. Normally when deregistering records,
+ // we allow up to 100ms delay (to help improve record grouping) but when shutting down we don't want any such delay.
+ if (m->NextScheduledResponse - m->timenow < mDNSPlatformOneSecond)
+ {
+ m->NextScheduledResponse = m->timenow;
+ m->SuppressSending = 0;
+ }
+
+ if (m->ResourceRecords) LogInfo("mDNS_StartExit: Sending final record deregistrations");
+ else LogInfo("mDNS_StartExit: No deregistering records remain");
+
+ for (rr = m->DuplicateRecords; rr; rr = rr->next)
+ LogMsg("mDNS_StartExit: Should not still have Duplicate Records remaining: %02X %s", rr->resrec.RecordType, ARDisplayString(m, rr));
+
+ // If any deregistering records remain, send their deregistration announcements before we exit
+ if (m->mDNSPlatformStatus != mStatus_NoError) DiscardDeregistrations(m);
+
+ mDNS_Unlock(m);
+
+ LogInfo("mDNS_StartExit: done");
+}
+
+mDNSexport void mDNS_FinalExit(mDNS *const m)
+{
+ mDNSu32 rrcache_active = 0;
+ mDNSu32 rrcache_totalused = 0;
+ mDNSu32 slot;
+ AuthRecord *rr;
+
+ LogInfo("mDNS_FinalExit: mDNSPlatformClose");
+ mDNSPlatformClose(m);
+
+ rrcache_totalused = m->rrcache_totalused;
+ for (slot = 0; slot < CACHE_HASH_SLOTS; slot++)
+ {
+ while (m->rrcache_hash[slot])
+ {
+ CacheGroup *cg = m->rrcache_hash[slot];
+ while (cg->members)
+ {
+ CacheRecord *cr = cg->members;
+ cg->members = cg->members->next;
+ if (cr->CRActiveQuestion) rrcache_active++;
+ ReleaseCacheRecord(m, cr);
+ }
+ cg->rrcache_tail = &cg->members;
+ ReleaseCacheGroup(m, &m->rrcache_hash[slot]);
+ }
+ }
+ debugf("mDNS_FinalExit: RR Cache was using %ld records, %lu active", rrcache_totalused, rrcache_active);
+ if (rrcache_active != m->rrcache_active)
+ LogMsg("*** ERROR *** rrcache_active %lu != m->rrcache_active %lu", rrcache_active, m->rrcache_active);
+
+ for (rr = m->ResourceRecords; rr; rr = rr->next)
+ LogMsg("mDNS_FinalExit failed to send goodbye for: %p %02X %s", rr, rr->resrec.RecordType, ARDisplayString(m, rr));
+
+ LogInfo("mDNS_FinalExit: done");
+}
diff --git a/mDNSResponder/mDNSCore/mDNSDebug.h b/mDNSResponder/mDNSCore/mDNSDebug.h
new file mode 100755
index 00000000..5467ae64
--- /dev/null
+++ b/mDNSResponder/mDNSCore/mDNSDebug.h
@@ -0,0 +1,166 @@
+/* -*- Mode: C; tab-width: 4 -*-
+ *
+ * Copyright (c) 2002-2003 Apple Computer, Inc. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef __mDNSDebug_h
+#define __mDNSDebug_h
+
+// Set MDNS_DEBUGMSGS to 0 to optimize debugf() calls out of the compiled code
+// Set MDNS_DEBUGMSGS to 1 to generate normal debugging messages
+// Set MDNS_DEBUGMSGS to 2 to generate verbose debugging messages
+// MDNS_DEBUGMSGS is normally set in the project options (or makefile) but can also be set here if desired
+// (If you edit the file here to turn on MDNS_DEBUGMSGS while you're debugging some code, be careful
+// not to accidentally check-in that change by mistake when you check in your other changes.)
+
+//#undef MDNS_DEBUGMSGS
+//#define MDNS_DEBUGMSGS 2
+
+// Set MDNS_CHECK_PRINTF_STYLE_FUNCTIONS to 1 to enable extra GCC compiler warnings
+// Note: You don't normally want to do this, because it generates a bunch of
+// spurious warnings for the following custom extensions implemented by mDNS_vsnprintf:
+// warning: `#' flag used with `%s' printf format (for %#s -- pascal string format)
+// warning: repeated `#' flag in format (for %##s -- DNS name string format)
+// warning: double format, pointer arg (arg 2) (for %.4a, %.16a, %#a -- IP address formats)
+#define MDNS_CHECK_PRINTF_STYLE_FUNCTIONS 0
+
+typedef enum
+{
+ MDNS_LOG_MSG,
+ MDNS_LOG_OPERATION,
+ MDNS_LOG_SPS,
+ MDNS_LOG_INFO,
+ MDNS_LOG_DEBUG,
+} mDNSLogLevel_t;
+
+// Set this symbol to 1 to answer remote queries for our Address, reverse mapping PTR, and HINFO records
+#define ANSWER_REMOTE_HOSTNAME_QUERIES 0
+
+// Set this symbol to 1 to do extra debug checks on malloc() and free()
+// Set this symbol to 2 to write a log message for every malloc() and free()
+//#define MACOSX_MDNS_MALLOC_DEBUGGING 1
+
+//#define ForceAlerts 1
+//#define LogTimeStamps 1
+
+// Developer-settings section ends here
+
+#if MDNS_CHECK_PRINTF_STYLE_FUNCTIONS
+#define IS_A_PRINTF_STYLE_FUNCTION(F,A) __attribute__ ((format(printf,F,A)))
+#else
+#define IS_A_PRINTF_STYLE_FUNCTION(F,A)
+#endif
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+// Variable argument macro support. Use ANSI C99 __VA_ARGS__ where possible. Otherwise, use the next best thing.
+
+#if (defined(__GNUC__))
+ #if ((__GNUC__ > 3) || ((__GNUC__ == 3) && (__GNUC_MINOR__ >= 2)))
+ #define MDNS_C99_VA_ARGS 1
+ #define MDNS_GNU_VA_ARGS 0
+ #else
+ #define MDNS_C99_VA_ARGS 0
+ #define MDNS_GNU_VA_ARGS 1
+ #endif
+ #define MDNS_HAS_VA_ARG_MACROS 1
+#elif (_MSC_VER >= 1400) // Visual Studio 2005 and later
+ #define MDNS_C99_VA_ARGS 1
+ #define MDNS_GNU_VA_ARGS 0
+ #define MDNS_HAS_VA_ARG_MACROS 1
+#elif (defined(__MWERKS__))
+ #define MDNS_C99_VA_ARGS 1
+ #define MDNS_GNU_VA_ARGS 0
+ #define MDNS_HAS_VA_ARG_MACROS 1
+#else
+ #define MDNS_C99_VA_ARGS 0
+ #define MDNS_GNU_VA_ARGS 0
+ #define MDNS_HAS_VA_ARG_MACROS 0
+#endif
+
+#if (MDNS_HAS_VA_ARG_MACROS)
+ #if (MDNS_C99_VA_ARGS)
+ #define debug_noop(... ) ((void)0)
+ #define LogMsg(... ) LogMsgWithLevel(MDNS_LOG_MSG, __VA_ARGS__)
+ #define LogOperation(... ) do { if (mDNS_LoggingEnabled) LogMsgWithLevel(MDNS_LOG_OPERATION, __VA_ARGS__);} while (0)
+ #define LogSPS(... ) do { if (mDNS_LoggingEnabled) LogMsgWithLevel(MDNS_LOG_SPS, __VA_ARGS__);} while (0)
+ #define LogInfo(... ) do { if (mDNS_LoggingEnabled) LogMsgWithLevel(MDNS_LOG_INFO, __VA_ARGS__);} while (0)
+ #elif (MDNS_GNU_VA_ARGS)
+ #define debug_noop( ARGS... ) ((void)0)
+ #define LogMsg( ARGS... ) LogMsgWithLevel(MDNS_LOG_MSG, ARGS)
+ #define LogOperation( ARGS... ) do { if (mDNS_LoggingEnabled) LogMsgWithLevel(MDNS_LOG_OPERATION, ARGS);} while (0)
+ #define LogSPS( ARGS... ) do { if (mDNS_LoggingEnabled) LogMsgWithLevel(MDNS_LOG_SPS, ARGS);} while (0)
+ #define LogInfo( ARGS... ) do { if (mDNS_LoggingEnabled) LogMsgWithLevel(MDNS_LOG_INFO, ARGS);} while (0)
+ #else
+ #error Unknown variadic macros
+ #endif
+#else
+// If your platform does not support variadic macros, you need to define the following variadic functions.
+// See mDNSShared/mDNSDebug.c for sample implementation
+ #define debug_noop 1 ? (void)0 : (void)
+ #define LogMsg LogMsg_
+ #define LogOperation (mDNS_LoggingEnabled == 0) ? ((void)0) : LogOperation_
+ #define LogSPS (mDNS_LoggingEnabled == 0) ? ((void)0) : LogSPS_
+ #define LogInfo (mDNS_LoggingEnabled == 0) ? ((void)0) : LogInfo_
+extern void LogMsg_(const char *format, ...) IS_A_PRINTF_STYLE_FUNCTION(1,2);
+extern void LogOperation_(const char *format, ...) IS_A_PRINTF_STYLE_FUNCTION(1,2);
+extern void LogSPS_(const char *format, ...) IS_A_PRINTF_STYLE_FUNCTION(1,2);
+extern void LogInfo_(const char *format, ...) IS_A_PRINTF_STYLE_FUNCTION(1,2);
+#endif
+
+#if MDNS_DEBUGMSGS
+#define debugf debugf_
+extern void debugf_(const char *format, ...) IS_A_PRINTF_STYLE_FUNCTION(1,2);
+#else
+#define debugf debug_noop
+#endif
+
+#if MDNS_DEBUGMSGS > 1
+#define verbosedebugf verbosedebugf_
+extern void verbosedebugf_(const char *format, ...) IS_A_PRINTF_STYLE_FUNCTION(1,2);
+#else
+#define verbosedebugf debug_noop
+#endif
+
+extern int mDNS_LoggingEnabled;
+extern int mDNS_PacketLoggingEnabled;
+extern int mDNS_McastLoggingEnabled;
+extern int mDNS_McastTracingEnabled;
+extern int mDNS_DebugMode; // If non-zero, LogMsg() writes to stderr instead of syslog
+extern const char ProgramName[];
+
+extern void LogMsgWithLevel(mDNSLogLevel_t logLevel, const char *format, ...) IS_A_PRINTF_STYLE_FUNCTION(2,3);
+// LogMsgNoIdent needs to be fixed so that it logs without the ident prefix like it used to
+// (or completely overhauled to use the new "log to a separate file" facility)
+#define LogMsgNoIdent LogMsg
+
+#if APPLE_OSX_mDNSResponder && MACOSX_MDNS_MALLOC_DEBUGGING >= 1
+extern void *mallocL(char *msg, unsigned int size);
+extern void freeL(char *msg, void *x);
+extern void LogMemCorruption(const char *format, ...);
+extern void uds_validatelists(void);
+extern void udns_validatelists(void *const v);
+#else
+#define mallocL(X,Y) malloc(Y)
+#define freeL(X,Y) free(Y)
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/mDNSResponder/mDNSCore/mDNSEmbeddedAPI.h b/mDNSResponder/mDNSCore/mDNSEmbeddedAPI.h
new file mode 100755
index 00000000..785ed3fe
--- /dev/null
+++ b/mDNSResponder/mDNSCore/mDNSEmbeddedAPI.h
@@ -0,0 +1,3586 @@
+/* -*- Mode: C; tab-width: 4 -*-
+ *
+ * Copyright (c) 2002-2013 Apple Computer, Inc. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+
+ NOTE:
+ If you're building an application that uses DNS Service Discovery
+ this is probably NOT the header file you're looking for.
+ In most cases you will want to use /usr/include/dns_sd.h instead.
+
+ This header file defines the lowest level raw interface to mDNSCore,
+ which is appropriate *only* on tiny embedded systems where everything
+ runs in a single address space and memory is extremely constrained.
+ All the APIs here are malloc-free, which means that the caller is
+ responsible for passing in a pointer to the relevant storage that
+ will be used in the execution of that call, and (when called with
+ correct parameters) all the calls are guaranteed to succeed. There
+ is never a case where a call can suffer intermittent failures because
+ the implementation calls malloc() and sometimes malloc() returns NULL
+ because memory is so limited that no more is available.
+ This is primarily for devices that need to have precisely known fixed
+ memory requirements, with absolutely no uncertainty or run-time variation,
+ but that certainty comes at a cost of more difficult programming.
+
+ For applications running on general-purpose desktop operating systems
+ (Mac OS, Linux, Solaris, Windows, etc.) the API you should use is
+ /usr/include/dns_sd.h, which defines the API by which multiple
+ independent client processes communicate their DNS Service Discovery
+ requests to a single "mdnsd" daemon running in the background.
+
+ Even on platforms that don't run multiple independent processes in
+ multiple independent address spaces, you can still use the preferred
+ dns_sd.h APIs by linking in "dnssd_clientshim.c", which implements
+ the standard "dns_sd.h" API calls, allocates any required storage
+ using malloc(), and then calls through to the low-level malloc-free
+ mDNSCore routines defined here. This has the benefit that even though
+ you're running on a small embedded system with a single address space,
+ you can still use the exact same client C code as you'd use on a
+ general-purpose desktop system.
+
+ */
+
+#ifndef __mDNSEmbeddedAPI_h
+#define __mDNSEmbeddedAPI_h
+
+#if defined(EFI32) || defined(EFI64) || defined(EFIX64)
+// EFI doesn't have stdarg.h unless it's building with GCC.
+#include "Tiano.h"
+#if !defined(__GNUC__)
+#define va_list VA_LIST
+#define va_start(a, b) VA_START(a, b)
+#define va_end(a) VA_END(a)
+#define va_arg(a, b) VA_ARG(a, b)
+#endif
+#else
+#include <stdarg.h> // stdarg.h is required for for va_list support for the mDNS_vsnprintf declaration
+#endif
+
+#include "mDNSDebug.h"
+#if APPLE_OSX_mDNSResponder
+#include <uuid/uuid.h>
+#endif
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+// ***************************************************************************
+// Feature removal compile options & limited resource targets
+
+// The following compile options are responsible for removing certain features from mDNSCore to reduce the
+// memory footprint for use in embedded systems with limited resources.
+
+// UNICAST_DISABLED - disables unicast DNS functionality, including Wide Area Bonjour
+// ANONYMOUS_DISABLED - disables anonymous functionality
+// DNSSEC_DISABLED - disables DNSSEC functionality
+// SPC_DISABLED - disables Bonjour Sleep Proxy client
+// IDLESLEEPCONTROL_DISABLED - disables sleep control for Bonjour Sleep Proxy clients
+
+// In order to disable the above features pass the option to your compiler, e.g. -D UNICAST_DISABLED
+
+// Additionally, the LIMITED_RESOURCES_TARGET compile option will eliminate caching and
+// and reduce the maximum DNS message sizes.
+
+#ifdef LIMITED_RESOURCES_TARGET
+// Don't support jumbo frames
+#define AbsoluteMaxDNSMessageData 1500
+// StandardAuthRDSize is 264 (256+8), which is large enough to hold a maximum-sized SRV record (6 + 256 bytes)
+#define MaximumRDSize 264
+// Don't cache anything
+#define AUTH_HASH_SLOTS 1
+#define CACHE_HASH_SLOTS 1
+#endif
+
+// ***************************************************************************
+// Function scope indicators
+
+// If you see "mDNSlocal" before a function name in a C file, it means the function is not callable outside this file
+#ifndef mDNSlocal
+#define mDNSlocal static
+#endif
+// If you see "mDNSexport" before a symbol in a C file, it means the symbol is exported for use by clients
+// For every "mDNSexport" in a C file, there needs to be a corresponding "extern" declaration in some header file
+// (When a C file #includes a header file, the "extern" declarations tell the compiler:
+// "This symbol exists -- but not necessarily in this C file.")
+#ifndef mDNSexport
+#define mDNSexport
+#endif
+
+// Explanation: These local/export markers are a little habit of mine for signaling the programmers' intentions.
+// When "mDNSlocal" is just a synonym for "static", and "mDNSexport" is a complete no-op, you could be
+// forgiven for asking what purpose they serve. The idea is that if you see "mDNSexport" in front of a
+// function definition it means the programmer intended it to be exported and callable from other files
+// in the project. If you see "mDNSlocal" in front of a function definition it means the programmer
+// intended it to be private to that file. If you see neither in front of a function definition it
+// means the programmer forgot (so you should work out which it is supposed to be, and fix it).
+// Using "mDNSlocal" instead of "static" makes it easier to do a textual searches for one or the other.
+// For example you can do a search for "static" to find if any functions declare any local variables as "static"
+// (generally a bad idea unless it's also "const", because static storage usually risks being non-thread-safe)
+// without the results being cluttered with hundreds of matches for functions declared static.
+// - Stuart Cheshire
+
+// ***************************************************************************
+// Structure packing macro
+
+// If we're not using GNUC, it's not fatal.
+// Most compilers naturally pack the on-the-wire structures correctly anyway, so a plain "struct" is usually fine.
+// In the event that structures are not packed correctly, mDNS_Init() will detect this and report an error, so the
+// developer will know what's wrong, and can investigate what needs to be done on that compiler to provide proper packing.
+#ifndef packedstruct
+ #if ((__GNUC__ > 2) || ((__GNUC__ == 2) && (__GNUC_MINOR__ >= 9)))
+ #define packedstruct struct __attribute__((__packed__))
+ #define packedunion union __attribute__((__packed__))
+ #else
+ #define packedstruct struct
+ #define packedunion union
+ #endif
+#endif
+
+// ***************************************************************************
+#if 0
+#pragma mark - DNS Resource Record class and type constants
+#endif
+
+typedef enum // From RFC 1035
+{
+ kDNSClass_IN = 1, // Internet
+ kDNSClass_CS = 2, // CSNET
+ kDNSClass_CH = 3, // CHAOS
+ kDNSClass_HS = 4, // Hesiod
+ kDNSClass_NONE = 254, // Used in DNS UPDATE [RFC 2136]
+
+ kDNSClass_Mask = 0x7FFF, // Multicast DNS uses the bottom 15 bits to identify the record class...
+ kDNSClass_UniqueRRSet = 0x8000, // ... and the top bit indicates that all other cached records are now invalid
+
+ kDNSQClass_ANY = 255, // Not a DNS class, but a DNS query class, meaning "all classes"
+ kDNSQClass_UnicastResponse = 0x8000 // Top bit set in a question means "unicast response acceptable"
+} DNS_ClassValues;
+
+typedef enum // From RFC 1035
+{
+ kDNSType_A = 1, // 1 Address
+ kDNSType_NS, // 2 Name Server
+ kDNSType_MD, // 3 Mail Destination
+ kDNSType_MF, // 4 Mail Forwarder
+ kDNSType_CNAME, // 5 Canonical Name
+ kDNSType_SOA, // 6 Start of Authority
+ kDNSType_MB, // 7 Mailbox
+ kDNSType_MG, // 8 Mail Group
+ kDNSType_MR, // 9 Mail Rename
+ kDNSType_NULL, // 10 NULL RR
+ kDNSType_WKS, // 11 Well-known-service
+ kDNSType_PTR, // 12 Domain name pointer
+ kDNSType_HINFO, // 13 Host information
+ kDNSType_MINFO, // 14 Mailbox information
+ kDNSType_MX, // 15 Mail Exchanger
+ kDNSType_TXT, // 16 Arbitrary text string
+ kDNSType_RP, // 17 Responsible person
+ kDNSType_AFSDB, // 18 AFS cell database
+ kDNSType_X25, // 19 X_25 calling address
+ kDNSType_ISDN, // 20 ISDN calling address
+ kDNSType_RT, // 21 Router
+ kDNSType_NSAP, // 22 NSAP address
+ kDNSType_NSAP_PTR, // 23 Reverse NSAP lookup (deprecated)
+ kDNSType_SIG, // 24 Security signature
+ kDNSType_KEY, // 25 Security key
+ kDNSType_PX, // 26 X.400 mail mapping
+ kDNSType_GPOS, // 27 Geographical position (withdrawn)
+ kDNSType_AAAA, // 28 IPv6 Address
+ kDNSType_LOC, // 29 Location Information
+ kDNSType_NXT, // 30 Next domain (security)
+ kDNSType_EID, // 31 Endpoint identifier
+ kDNSType_NIMLOC, // 32 Nimrod Locator
+ kDNSType_SRV, // 33 Service record
+ kDNSType_ATMA, // 34 ATM Address
+ kDNSType_NAPTR, // 35 Naming Authority PoinTeR
+ kDNSType_KX, // 36 Key Exchange
+ kDNSType_CERT, // 37 Certification record
+ kDNSType_A6, // 38 IPv6 Address (deprecated)
+ kDNSType_DNAME, // 39 Non-terminal DNAME (for IPv6)
+ kDNSType_SINK, // 40 Kitchen sink (experimental)
+ kDNSType_OPT, // 41 EDNS0 option (meta-RR)
+ kDNSType_APL, // 42 Address Prefix List
+ kDNSType_DS, // 43 Delegation Signer
+ kDNSType_SSHFP, // 44 SSH Key Fingerprint
+ kDNSType_IPSECKEY, // 45 IPSECKEY
+ kDNSType_RRSIG, // 46 RRSIG
+ kDNSType_NSEC, // 47 Denial of Existence
+ kDNSType_DNSKEY, // 48 DNSKEY
+ kDNSType_DHCID, // 49 DHCP Client Identifier
+ kDNSType_NSEC3, // 50 Hashed Authenticated Denial of Existence
+ kDNSType_NSEC3PARAM, // 51 Hashed Authenticated Denial of Existence
+
+ kDNSType_HIP = 55, // 55 Host Identity Protocol
+
+ kDNSType_SPF = 99, // 99 Sender Policy Framework for E-Mail
+ kDNSType_UINFO, // 100 IANA-Reserved
+ kDNSType_UID, // 101 IANA-Reserved
+ kDNSType_GID, // 102 IANA-Reserved
+ kDNSType_UNSPEC, // 103 IANA-Reserved
+
+ kDNSType_TKEY = 249, // 249 Transaction key
+ kDNSType_TSIG, // 250 Transaction signature
+ kDNSType_IXFR, // 251 Incremental zone transfer
+ kDNSType_AXFR, // 252 Transfer zone of authority
+ kDNSType_MAILB, // 253 Transfer mailbox records
+ kDNSType_MAILA, // 254 Transfer mail agent records
+ kDNSQType_ANY // Not a DNS type, but a DNS query type, meaning "all types"
+} DNS_TypeValues;
+
+// ***************************************************************************
+#if 0
+#pragma mark -
+#pragma mark - Simple types
+#endif
+
+// mDNS defines its own names for these common types to simplify portability across
+// multiple platforms that may each have their own (different) names for these types.
+typedef unsigned char mDNSBool;
+typedef signed char mDNSs8;
+typedef unsigned char mDNSu8;
+typedef signed short mDNSs16;
+typedef unsigned short mDNSu16;
+
+// Source: http://www.unix.org/version2/whatsnew/lp64_wp.html
+// http://software.intel.com/sites/products/documentation/hpc/mkl/lin/MKL_UG_structure/Support_for_ILP64_Programming.htm
+// It can be safely assumed that int is 32bits on the platform
+#if defined(_ILP64) || defined(__ILP64__)
+typedef signed int32 mDNSs32;
+typedef unsigned int32 mDNSu32;
+#else
+typedef signed int mDNSs32;
+typedef unsigned int mDNSu32;
+#endif
+
+// To enforce useful type checking, we make mDNSInterfaceID be a pointer to a dummy struct
+// This way, mDNSInterfaceIDs can be assigned, and compared with each other, but not with other types
+// Declaring the type to be the typical generic "void *" would lack this type checking
+typedef struct mDNSInterfaceID_dummystruct { void *dummy; } *mDNSInterfaceID;
+
+// These types are for opaque two- and four-byte identifiers.
+// The "NotAnInteger" fields of the unions allow the value to be conveniently passed around in a
+// register for the sake of efficiency, and compared for equality or inequality, but don't forget --
+// just because it is in a register doesn't mean it is an integer. Operations like greater than,
+// less than, add, multiply, increment, decrement, etc., are undefined for opaque identifiers,
+// and if you make the mistake of trying to do those using the NotAnInteger field, then you'll
+// find you get code that doesn't work consistently on big-endian and little-endian machines.
+#if defined(_WIN32)
+ #pragma pack(push,2)
+#endif
+typedef union { mDNSu8 b[ 2]; mDNSu16 NotAnInteger; } mDNSOpaque16;
+typedef union { mDNSu8 b[ 4]; mDNSu32 NotAnInteger; } mDNSOpaque32;
+typedef packedunion { mDNSu8 b[ 6]; mDNSu16 w[3]; mDNSu32 l[1]; } mDNSOpaque48;
+typedef union { mDNSu8 b[ 8]; mDNSu16 w[4]; mDNSu32 l[2]; } mDNSOpaque64;
+typedef union { mDNSu8 b[16]; mDNSu16 w[8]; mDNSu32 l[4]; } mDNSOpaque128;
+#if defined(_WIN32)
+ #pragma pack(pop)
+#endif
+
+typedef mDNSOpaque16 mDNSIPPort; // An IP port is a two-byte opaque identifier (not an integer)
+typedef mDNSOpaque32 mDNSv4Addr; // An IP address is a four-byte opaque identifier (not an integer)
+typedef mDNSOpaque128 mDNSv6Addr; // An IPv6 address is a 16-byte opaque identifier (not an integer)
+typedef mDNSOpaque48 mDNSEthAddr; // An Ethernet address is a six-byte opaque identifier (not an integer)
+
+// Bit operations for opaque 64 bit quantity. Uses the 32 bit quantity(l[2]) to set and clear bits
+#define mDNSNBBY 8
+#define bit_set_opaque64(op64, index) (op64.l[((index))/(sizeof(mDNSu32) * mDNSNBBY)] |= (1 << ((index) % (sizeof(mDNSu32) * mDNSNBBY))))
+#define bit_clr_opaque64(op64, index) (op64.l[((index))/(sizeof(mDNSu32) * mDNSNBBY)] &= ~(1 << ((index) % (sizeof(mDNSu32) * mDNSNBBY))))
+#define bit_get_opaque64(op64, index) (op64.l[((index))/(sizeof(mDNSu32) * mDNSNBBY)] & (1 << ((index) % (sizeof(mDNSu32) * mDNSNBBY))))
+
+enum
+{
+ mDNSAddrType_None = 0,
+ mDNSAddrType_IPv4 = 4,
+ mDNSAddrType_IPv6 = 6,
+ mDNSAddrType_Unknown = ~0 // Special marker value used in known answer list recording
+};
+
+enum
+{
+ mDNSTransport_None = 0,
+ mDNSTransport_UDP = 1,
+ mDNSTransport_TCP = 2
+};
+
+typedef struct
+{
+ mDNSs32 type;
+ union { mDNSv6Addr v6; mDNSv4Addr v4; } ip;
+} mDNSAddr;
+
+enum { mDNSfalse = 0, mDNStrue = 1 };
+
+#define mDNSNULL 0L
+
+enum
+{
+ mStatus_Waiting = 1,
+ mStatus_NoError = 0,
+
+ // mDNS return values are in the range FFFE FF00 (-65792) to FFFE FFFF (-65537)
+ // The top end of the range (FFFE FFFF) is used for error codes;
+ // the bottom end of the range (FFFE FF00) is used for non-error values;
+
+ // Error codes:
+ mStatus_UnknownErr = -65537, // First value: 0xFFFE FFFF
+ mStatus_NoSuchNameErr = -65538,
+ mStatus_NoMemoryErr = -65539,
+ mStatus_BadParamErr = -65540,
+ mStatus_BadReferenceErr = -65541,
+ mStatus_BadStateErr = -65542,
+ mStatus_BadFlagsErr = -65543,
+ mStatus_UnsupportedErr = -65544,
+ mStatus_NotInitializedErr = -65545,
+ mStatus_NoCache = -65546,
+ mStatus_AlreadyRegistered = -65547,
+ mStatus_NameConflict = -65548,
+ mStatus_Invalid = -65549,
+ mStatus_Firewall = -65550,
+ mStatus_Incompatible = -65551,
+ mStatus_BadInterfaceErr = -65552,
+ mStatus_Refused = -65553,
+ mStatus_NoSuchRecord = -65554,
+ mStatus_NoAuth = -65555,
+ mStatus_NoSuchKey = -65556,
+ mStatus_NATTraversal = -65557,
+ mStatus_DoubleNAT = -65558,
+ mStatus_BadTime = -65559,
+ mStatus_BadSig = -65560, // while we define this per RFC 2845, BIND 9 returns Refused for bad/missing signatures
+ mStatus_BadKey = -65561,
+ mStatus_TransientErr = -65562, // transient failures, e.g. sending packets shortly after a network transition or wake from sleep
+ mStatus_ServiceNotRunning = -65563, // Background daemon not running
+ mStatus_NATPortMappingUnsupported = -65564, // NAT doesn't support PCP, NAT-PMP or UPnP
+ mStatus_NATPortMappingDisabled = -65565, // NAT supports PCP, NAT-PMP or UPnP, but it's disabled by the administrator
+ mStatus_NoRouter = -65566,
+ mStatus_PollingMode = -65567,
+ mStatus_Timeout = -65568,
+ // -65568 to -65786 currently unused; available for allocation
+
+ // tcp connection status
+ mStatus_ConnPending = -65787,
+ mStatus_ConnFailed = -65788,
+ mStatus_ConnEstablished = -65789,
+
+ // Non-error values:
+ mStatus_GrowCache = -65790,
+ mStatus_ConfigChanged = -65791,
+ mStatus_MemFree = -65792 // Last value: 0xFFFE FF00
+ // mStatus_MemFree is the last legal mDNS error code, at the end of the range allocated for mDNS
+};
+
+typedef mDNSs32 mStatus;
+#define MaxIp 5 // Needs to be consistent with MaxInputIf in dns_services.h
+
+typedef enum { q_stop = 0, q_start } q_state;
+typedef enum { reg_stop = 0, reg_start } reg_state;
+
+// RFC 1034/1035 specify that a domain label consists of a length byte plus up to 63 characters
+#define MAX_DOMAIN_LABEL 63
+typedef struct { mDNSu8 c[ 64]; } domainlabel; // One label: length byte and up to 63 characters
+
+// RFC 1034/1035/2181 specify that a domain name (length bytes and data bytes) may be up to 255 bytes long,
+// plus the terminating zero at the end makes 256 bytes total in the on-the-wire format.
+#define MAX_DOMAIN_NAME 256
+typedef struct { mDNSu8 c[256]; } domainname; // Up to 256 bytes of length-prefixed domainlabels
+
+typedef struct { mDNSu8 c[256]; } UTF8str255; // Null-terminated C string
+
+// The longest legal textual form of a DNS name is 1009 bytes, including the C-string terminating NULL at the end.
+// Explanation:
+// When a native domainname object is converted to printable textual form using ConvertDomainNameToCString(),
+// non-printing characters are represented in the conventional DNS way, as '\ddd', where ddd is a three-digit decimal number.
+// The longest legal domain name is 256 bytes, in the form of four labels as shown below:
+// Length byte, 63 data bytes, length byte, 63 data bytes, length byte, 63 data bytes, length byte, 62 data bytes, zero byte.
+// Each label is encoded textually as characters followed by a trailing dot.
+// If every character has to be represented as a four-byte escape sequence, then this makes the maximum textual form four labels
+// plus the C-string terminating NULL as shown below:
+// 63*4+1 + 63*4+1 + 63*4+1 + 62*4+1 + 1 = 1009.
+// Note that MAX_ESCAPED_DOMAIN_LABEL is not normally used: If you're only decoding a single label, escaping is usually not required.
+// It is for domain names, where dots are used as label separators, that proper escaping is vital.
+#define MAX_ESCAPED_DOMAIN_LABEL 254
+#define MAX_ESCAPED_DOMAIN_NAME 1009
+
+// MAX_REVERSE_MAPPING_NAME
+// For IPv4: "123.123.123.123.in-addr.arpa." 30 bytes including terminating NUL
+// For IPv6: "x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.ip6.arpa." 74 bytes including terminating NUL
+
+#define MAX_REVERSE_MAPPING_NAME_V4 30
+#define MAX_REVERSE_MAPPING_NAME_V6 74
+#define MAX_REVERSE_MAPPING_NAME 74
+
+// Most records have a TTL of 75 minutes, so that their 80% cache-renewal query occurs once per hour.
+// For records containing a hostname (in the name on the left, or in the rdata on the right),
+// like A, AAAA, reverse-mapping PTR, and SRV, we use a two-minute TTL by default, because we don't want
+// them to hang around for too long in the cache if the host in question crashes or otherwise goes away.
+
+#define kStandardTTL (3600UL * 100 / 80)
+#define kHostNameTTL 120UL
+
+// Some applications want to register their SRV records with a lower ttl so that in case the server
+// using a dynamic port number restarts, the clients will not have stale information for more than
+// 10 seconds
+
+#define kHostNameSmallTTL 10UL
+
+
+// Multicast DNS uses announcements (gratuitous responses) to update peer caches.
+// This means it is feasible to use relatively larger TTL values than we might otherwise
+// use, because we have a cache coherency protocol to keep the peer caches up to date.
+// With Unicast DNS, once an authoritative server gives a record with a certain TTL value to a client
+// or caching server, that client or caching server is entitled to hold onto the record until its TTL
+// expires, and has no obligation to contact the authoritative server again until that time arrives.
+// This means that whereas Multicast DNS can use announcements to pre-emptively update stale data
+// before it would otherwise have expired, standard Unicast DNS (not using LLQs) has no equivalent
+// mechanism, and TTL expiry is the *only* mechanism by which stale data gets deleted. Because of this,
+// we currently limit the TTL to ten seconds in such cases where no dynamic cache updating is possible.
+#define kStaticCacheTTL 10
+
+#define DefaultTTLforRRType(X) (((X) == kDNSType_A || (X) == kDNSType_AAAA || (X) == kDNSType_SRV) ? kHostNameTTL : kStandardTTL)
+#define mDNS_KeepaliveRecord(rr) ((rr)->rrtype == kDNSType_NULL && SameDomainLabel(SecondLabel((rr)->name)->c, (mDNSu8 *)"\x0A_keepalive"))
+
+// Number of times keepalives are sent if no ACK is received before waking up the system
+// this is analogous to net.inet.tcp.keepcnt
+#define kKeepaliveRetryCount 10
+// The frequency at which keepalives are retried if no ACK is received
+#define kKeepaliveRetryInterval 30
+
+typedef struct AuthRecord_struct AuthRecord;
+typedef struct ServiceRecordSet_struct ServiceRecordSet;
+typedef struct CacheRecord_struct CacheRecord;
+typedef struct CacheGroup_struct CacheGroup;
+typedef struct AuthGroup_struct AuthGroup;
+typedef struct DNSQuestion_struct DNSQuestion;
+typedef struct ZoneData_struct ZoneData;
+typedef struct mDNS_struct mDNS;
+typedef struct mDNS_PlatformSupport_struct mDNS_PlatformSupport;
+typedef struct NATTraversalInfo_struct NATTraversalInfo;
+typedef struct ResourceRecord_struct ResourceRecord;
+
+// Structure to abstract away the differences between TCP/SSL sockets, and one for UDP sockets
+// The actual definition of these structures appear in the appropriate platform support code
+typedef struct TCPSocket_struct TCPSocket;
+typedef struct UDPSocket_struct UDPSocket;
+
+// ***************************************************************************
+#if 0
+#pragma mark -
+#pragma mark - DNS Message structures
+#endif
+
+#define mDNS_numZones numQuestions
+#define mDNS_numPrereqs numAnswers
+#define mDNS_numUpdates numAuthorities
+
+typedef packedstruct
+{
+ mDNSOpaque16 id;
+ mDNSOpaque16 flags;
+ mDNSu16 numQuestions;
+ mDNSu16 numAnswers;
+ mDNSu16 numAuthorities;
+ mDNSu16 numAdditionals;
+} DNSMessageHeader;
+
+// We can send and receive packets up to 9000 bytes (Ethernet Jumbo Frame size, if that ever becomes widely used)
+// However, in the normal case we try to limit packets to 1500 bytes so that we don't get IP fragmentation on standard Ethernet
+// 40 (IPv6 header) + 8 (UDP header) + 12 (DNS message header) + 1440 (DNS message body) = 1500 total
+#ifndef AbsoluteMaxDNSMessageData
+#define AbsoluteMaxDNSMessageData 8940
+#endif
+#define NormalMaxDNSMessageData 1440
+typedef packedstruct
+{
+ DNSMessageHeader h; // Note: Size 12 bytes
+ mDNSu8 data[AbsoluteMaxDNSMessageData]; // 40 (IPv6) + 8 (UDP) + 12 (DNS header) + 8940 (data) = 9000
+} DNSMessage;
+
+typedef struct tcpInfo_t
+{
+ mDNS *m;
+ TCPSocket *sock;
+ DNSMessage request;
+ int requestLen;
+ DNSQuestion *question; // For queries
+ AuthRecord *rr; // For record updates
+ mDNSAddr Addr;
+ mDNSIPPort Port;
+ mDNSIPPort SrcPort;
+ DNSMessage *reply;
+ mDNSu16 replylen;
+ unsigned long nread;
+ int numReplies;
+} tcpInfo_t;
+
+// ***************************************************************************
+#if 0
+#pragma mark -
+#pragma mark - Other Packet Format Structures
+#endif
+
+typedef packedstruct
+{
+ mDNSEthAddr dst;
+ mDNSEthAddr src;
+ mDNSOpaque16 ethertype;
+} EthernetHeader; // 14 bytes
+
+typedef packedstruct
+{
+ mDNSOpaque16 hrd;
+ mDNSOpaque16 pro;
+ mDNSu8 hln;
+ mDNSu8 pln;
+ mDNSOpaque16 op;
+ mDNSEthAddr sha;
+ mDNSv4Addr spa;
+ mDNSEthAddr tha;
+ mDNSv4Addr tpa;
+} ARP_EthIP; // 28 bytes
+
+typedef packedstruct
+{
+ mDNSu8 vlen;
+ mDNSu8 tos;
+ mDNSu16 totlen;
+ mDNSOpaque16 id;
+ mDNSOpaque16 flagsfrags;
+ mDNSu8 ttl;
+ mDNSu8 protocol; // Payload type: 0x06 = TCP, 0x11 = UDP
+ mDNSu16 checksum;
+ mDNSv4Addr src;
+ mDNSv4Addr dst;
+} IPv4Header; // 20 bytes
+
+typedef packedstruct
+{
+ mDNSu32 vcf; // Version, Traffic Class, Flow Label
+ mDNSu16 len; // Payload Length
+ mDNSu8 pro; // Type of next header: 0x06 = TCP, 0x11 = UDP, 0x3A = ICMPv6
+ mDNSu8 ttl; // Hop Limit
+ mDNSv6Addr src;
+ mDNSv6Addr dst;
+} IPv6Header; // 40 bytes
+
+typedef packedstruct
+{
+ mDNSv6Addr src;
+ mDNSv6Addr dst;
+ mDNSOpaque32 len;
+ mDNSOpaque32 pro;
+} IPv6PseudoHeader; // 40 bytes
+
+typedef union
+{
+ mDNSu8 bytes[20];
+ ARP_EthIP arp;
+ IPv4Header v4;
+ IPv6Header v6;
+} NetworkLayerPacket;
+
+typedef packedstruct
+{
+ mDNSIPPort src;
+ mDNSIPPort dst;
+ mDNSu32 seq;
+ mDNSu32 ack;
+ mDNSu8 offset;
+ mDNSu8 flags;
+ mDNSu16 window;
+ mDNSu16 checksum;
+ mDNSu16 urgent;
+} TCPHeader; // 20 bytes; IP protocol type 0x06
+
+typedef struct
+{
+ mDNSInterfaceID IntfId;
+ mDNSu32 seq;
+ mDNSu32 ack;
+ mDNSu16 window;
+} mDNSTCPInfo;
+
+typedef packedstruct
+{
+ mDNSIPPort src;
+ mDNSIPPort dst;
+ mDNSu16 len; // Length including UDP header (i.e. minimum value is 8 bytes)
+ mDNSu16 checksum;
+} UDPHeader; // 8 bytes; IP protocol type 0x11
+
+typedef packedstruct
+{
+ mDNSu8 type; // 0x87 == Neighbor Solicitation, 0x88 == Neighbor Advertisement
+ mDNSu8 code;
+ mDNSu16 checksum;
+ mDNSu32 flags_res; // R/S/O flags and reserved bits
+ mDNSv6Addr target;
+ // Typically 8 bytes of options are also present
+} IPv6NDP; // 24 bytes or more; IP protocol type 0x3A
+
+typedef struct
+{
+ mDNSAddr ipaddr;
+ char ethaddr[18];
+} IPAddressMACMapping;
+
+#define NDP_Sol 0x87
+#define NDP_Adv 0x88
+
+#define NDP_Router 0x80
+#define NDP_Solicited 0x40
+#define NDP_Override 0x20
+
+#define NDP_SrcLL 1
+#define NDP_TgtLL 2
+
+typedef union
+{
+ mDNSu8 bytes[20];
+ TCPHeader tcp;
+ UDPHeader udp;
+ IPv6NDP ndp;
+} TransportLayerPacket;
+
+typedef packedstruct
+{
+ mDNSOpaque64 InitiatorCookie;
+ mDNSOpaque64 ResponderCookie;
+ mDNSu8 NextPayload;
+ mDNSu8 Version;
+ mDNSu8 ExchangeType;
+ mDNSu8 Flags;
+ mDNSOpaque32 MessageID;
+ mDNSu32 Length;
+} IKEHeader; // 28 bytes
+
+// ***************************************************************************
+#if 0
+#pragma mark -
+#pragma mark - Resource Record structures
+#endif
+
+// Authoritative Resource Records:
+// There are four basic types: Shared, Advisory, Unique, Known Unique
+
+// * Shared Resource Records do not have to be unique
+// -- Shared Resource Records are used for DNS-SD service PTRs
+// -- It is okay for several hosts to have RRs with the same name but different RDATA
+// -- We use a random delay on responses to reduce collisions when all the hosts respond to the same query
+// -- These RRs typically have moderately high TTLs (e.g. one hour)
+// -- These records are announced on startup and topology changes for the benefit of passive listeners
+// -- These records send a goodbye packet when deregistering
+//
+// * Advisory Resource Records are like Shared Resource Records, except they don't send a goodbye packet
+//
+// * Unique Resource Records should be unique among hosts within any given mDNS scope
+// -- The majority of Resource Records are of this type
+// -- If two entities on the network have RRs with the same name but different RDATA, this is a conflict
+// -- Responses may be sent immediately, because only one host should be responding to any particular query
+// -- These RRs typically have low TTLs (e.g. a few minutes)
+// -- On startup and after topology changes, a host issues queries to verify uniqueness
+
+// * Known Unique Resource Records are treated like Unique Resource Records, except that mDNS does
+// not have to verify their uniqueness because this is already known by other means (e.g. the RR name
+// is derived from the host's IP or Ethernet address, which is already known to be a unique identifier).
+
+// Summary of properties of different record types:
+// Probe? Does this record type send probes before announcing?
+// Conflict? Does this record type react if we observe an apparent conflict?
+// Goodbye? Does this record type send a goodbye packet on departure?
+//
+// Probe? Conflict? Goodbye? Notes
+// Unregistered Should not appear in any list (sanity check value)
+// Shared No No Yes e.g. Service PTR record
+// Deregistering No No Yes Shared record about to announce its departure and leave the list
+// Advisory No No No
+// Unique Yes Yes No Record intended to be unique -- will probe to verify
+// Verified Yes Yes No Record has completed probing, and is verified unique
+// KnownUnique No Yes No Record is assumed by other means to be unique
+
+// Valid lifecycle of a record:
+// Unregistered -> Shared -> Deregistering -(goodbye)-> Unregistered
+// Unregistered -> Advisory -> Unregistered
+// Unregistered -> Unique -(probe)-> Verified -> Unregistered
+// Unregistered -> KnownUnique -> Unregistered
+
+// Each Authoritative kDNSRecordType has only one bit set. This makes it easy to quickly see if a record
+// is one of a particular set of types simply by performing the appropriate bitwise masking operation.
+
+// Cache Resource Records (received from the network):
+// There are four basic types: Answer, Unique Answer, Additional, Unique Additional
+// Bit 7 (the top bit) of kDNSRecordType is always set for Cache Resource Records; always clear for Authoritative Resource Records
+// Bit 6 (value 0x40) is set for answer records; clear for authority/additional records
+// Bit 5 (value 0x20) is set for records received with the kDNSClass_UniqueRRSet
+
+enum
+{
+ kDNSRecordTypeUnregistered = 0x00, // Not currently in any list
+ kDNSRecordTypeDeregistering = 0x01, // Shared record about to announce its departure and leave the list
+
+ kDNSRecordTypeUnique = 0x02, // Will become a kDNSRecordTypeVerified when probing is complete
+
+ kDNSRecordTypeAdvisory = 0x04, // Like Shared, but no goodbye packet
+ kDNSRecordTypeShared = 0x08, // Shared means record name does not have to be unique -- use random delay on responses
+
+ kDNSRecordTypeVerified = 0x10, // Unique means mDNS should check that name is unique (and then send immediate responses)
+ kDNSRecordTypeKnownUnique = 0x20, // Known Unique means mDNS can assume name is unique without checking
+ // For Dynamic Update records, Known Unique means the record must already exist on the server.
+ kDNSRecordTypeUniqueMask = (kDNSRecordTypeUnique | kDNSRecordTypeVerified | kDNSRecordTypeKnownUnique),
+ kDNSRecordTypeActiveSharedMask = (kDNSRecordTypeAdvisory | kDNSRecordTypeShared),
+ kDNSRecordTypeActiveUniqueMask = (kDNSRecordTypeVerified | kDNSRecordTypeKnownUnique),
+ kDNSRecordTypeActiveMask = (kDNSRecordTypeActiveSharedMask | kDNSRecordTypeActiveUniqueMask),
+
+ kDNSRecordTypePacketAdd = 0x80, // Received in the Additional Section of a DNS Response
+ kDNSRecordTypePacketAddUnique = 0x90, // Received in the Additional Section of a DNS Response with kDNSClass_UniqueRRSet set
+ kDNSRecordTypePacketAuth = 0xA0, // Received in the Authorities Section of a DNS Response
+ kDNSRecordTypePacketAuthUnique = 0xB0, // Received in the Authorities Section of a DNS Response with kDNSClass_UniqueRRSet set
+ kDNSRecordTypePacketAns = 0xC0, // Received in the Answer Section of a DNS Response
+ kDNSRecordTypePacketAnsUnique = 0xD0, // Received in the Answer Section of a DNS Response with kDNSClass_UniqueRRSet set
+
+ kDNSRecordTypePacketNegative = 0xF0, // Pseudo-RR generated to cache non-existence results like NXDomain
+
+ kDNSRecordTypePacketUniqueMask = 0x10 // True for PacketAddUnique, PacketAnsUnique, PacketAuthUnique, kDNSRecordTypePacketNegative
+};
+
+typedef packedstruct { mDNSu16 priority; mDNSu16 weight; mDNSIPPort port; domainname target; } rdataSRV;
+typedef packedstruct { mDNSu16 preference; domainname exchange; } rdataMX;
+typedef packedstruct { domainname mbox; domainname txt; } rdataRP;
+typedef packedstruct { mDNSu16 preference; domainname map822; domainname mapx400; } rdataPX;
+
+typedef packedstruct
+{
+ domainname mname;
+ domainname rname;
+ mDNSs32 serial; // Modular counter; increases when zone changes
+ mDNSu32 refresh; // Time in seconds that a slave waits after successful replication of the database before it attempts replication again
+ mDNSu32 retry; // Time in seconds that a slave waits after an unsuccessful replication attempt before it attempts replication again
+ mDNSu32 expire; // Time in seconds that a slave holds on to old data while replication attempts remain unsuccessful
+ mDNSu32 min; // Nominally the minimum record TTL for this zone, in seconds; also used for negative caching.
+} rdataSOA;
+
+// http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml
+// Algorithm used for RRSIG, DS and DNS KEY
+#define CRYPTO_RSA_SHA1 0x05
+#define CRYPTO_DSA_NSEC3_SHA1 0x06
+#define CRYPTO_RSA_NSEC3_SHA1 0x07
+#define CRYPTO_RSA_SHA256 0x08
+#define CRYPTO_RSA_SHA512 0x0A
+
+#define CRYPTO_ALG_MAX 0x0B
+
+// alg - same as in RRSIG, DNS KEY or DS.
+// RFC 4034 defines SHA1
+// RFC 4509 defines SHA256
+// Note: NSEC3 also uses 1 for SHA1 and hence we will reuse for now till a new
+// value is assigned.
+//
+#define SHA1_DIGEST_TYPE 1
+#define SHA256_DIGEST_TYPE 2
+#define DIGEST_TYPE_MAX 3
+
+// We need support for base64 and base32 encoding for displaying KEY, NSEC3
+// To make this platform agnostic, we define two types which the platform
+// needs to support
+#define ENC_BASE32 1
+#define ENC_BASE64 2
+#define ENC_ALG_MAX 3
+
+#define DS_FIXED_SIZE 4
+typedef packedstruct
+{
+ mDNSu16 keyTag;
+ mDNSu8 alg;
+ mDNSu8 digestType;
+ mDNSu8 *digest;
+} rdataDS;
+
+typedef struct TrustAnchor
+{
+ struct TrustAnchor *next;
+ int digestLen;
+ mDNSu32 validFrom;
+ mDNSu32 validUntil;
+ domainname zone;
+ rdataDS rds;
+} TrustAnchor;
+
+//size of rdataRRSIG excluding signerName and signature (which are variable fields)
+#define RRSIG_FIXED_SIZE 18
+typedef packedstruct
+{
+ mDNSu16 typeCovered;
+ mDNSu8 alg;
+ mDNSu8 labels;
+ mDNSu32 origTTL;
+ mDNSu32 sigExpireTime;
+ mDNSu32 sigInceptTime;
+ mDNSu16 keyTag;
+ mDNSu8 *signerName;
+ // mDNSu8 *signature
+} rdataRRSig;
+
+// RFC 4034: For DNS Key RR
+// flags - the valid value for DNSSEC is 256 (Zone signing key - ZSK) and 257 (Secure Entry Point) which also
+// includes the ZSK bit
+//
+#define DNSKEY_ZONE_SIGN_KEY 0x100
+#define DNSKEY_SECURE_ENTRY_POINT 0x101
+
+// proto - the only valid value for protocol is 3 (See RFC 4034)
+#define DNSKEY_VALID_PROTO_VALUE 0x003
+
+// alg - The only mandatory algorithm that we support is RSA/SHA-1
+// DNSSEC_RSA_SHA1_ALG
+
+#define DNSKEY_FIXED_SIZE 4
+typedef packedstruct
+{
+ mDNSu16 flags;
+ mDNSu8 proto;
+ mDNSu8 alg;
+ mDNSu8 *data;
+} rdataDNSKey;
+
+#define NSEC3_FIXED_SIZE 5
+#define NSEC3_FLAGS_OPTOUT 1
+#define NSEC3_MAX_ITERATIONS 2500
+typedef packedstruct
+{
+ mDNSu8 alg;
+ mDNSu8 flags;
+ mDNSu16 iterations;
+ mDNSu8 saltLength;
+ mDNSu8 *salt;
+ // hashLength, nxt, bitmap
+} rdataNSEC3;
+
+// In the multicast usage of NSEC3, we know the actual size of RData
+// 4 bytes : HashAlg, Flags,Iterations
+// 5 bytes : Salt Length 1 byte, Salt 4 bytes
+// 21 bytes : HashLength 1 byte, Hash 20 bytes
+// 34 bytes : Window number, Bitmap length, Type bit map to include the first 256 types
+#define MCAST_NSEC3_RDLENGTH (4 + 5 + 21 + 34)
+#define SHA1_HASH_LENGTH 20
+
+// Base32 encoding takes 5 bytes of the input and encodes as 8 bytes of output.
+// For example, SHA-1 hash of 20 bytes will be encoded as 20/5 * 8 = 32 base32
+// bytes. For a max domain name size of 255 bytes of base32 encoding : (255/8)*5
+// is the max hash length possible.
+#define NSEC3_MAX_HASH_LEN 155
+// In NSEC3, the names are hashed and stored in the first label and hence cannot exceed label
+// size.
+#define NSEC3_MAX_B32_LEN MAX_DOMAIN_LABEL
+
+// We define it here instead of dnssec.h so that these values can be used
+// in files without bringing in all of dnssec.h unnecessarily.
+typedef enum
+{
+ DNSSEC_Secure = 1, // Securely validated and has a chain up to the trust anchor
+ DNSSEC_Insecure, // Cannot build a chain up to the trust anchor
+ DNSSEC_Indeterminate, // Not used currently
+ DNSSEC_Bogus, // failed to validate signatures
+ DNSSEC_NoResponse // No DNSSEC records to start with
+} DNSSECStatus;
+
+#define DNSSECRecordType(rrtype) (((rrtype) == kDNSType_RRSIG) || ((rrtype) == kDNSType_NSEC) || ((rrtype) == kDNSType_DNSKEY) || ((rrtype) == kDNSType_DS) || \
+ ((rrtype) == kDNSType_NSEC3))
+
+typedef enum
+{
+ platform_OSX = 1, // OSX Platform
+ platform_iOS, // iOS Platform
+ platform_Atv, // Atv Platform
+ platform_NonApple // Non-Apple (Windows, POSIX) Platform
+} Platform_t;
+
+// EDNS Option Code registrations are recorded in the "DNS EDNS0 Options" section of
+// <http://www.iana.org/assignments/dns-parameters>
+
+#define kDNSOpt_LLQ 1
+#define kDNSOpt_Lease 2
+#define kDNSOpt_NSID 3
+#define kDNSOpt_Owner 4
+#define kDNSOpt_Trace 65001 // 65001-65534 Reserved for Local/Experimental Use
+
+typedef struct
+{
+ mDNSu16 vers;
+ mDNSu16 llqOp;
+ mDNSu16 err; // Or UDP reply port, in setup request
+ // Note: In the in-memory form, there's typically a two-byte space here, so that the following 64-bit id is word-aligned
+ mDNSOpaque64 id;
+ mDNSu32 llqlease;
+} LLQOptData;
+
+typedef struct
+{
+ mDNSu8 vers; // Version number of this Owner OPT record
+ mDNSs8 seq; // Sleep/wake epoch
+ mDNSEthAddr HMAC; // Host's primary identifier (e.g. MAC of on-board Ethernet)
+ mDNSEthAddr IMAC; // Interface's MAC address (if different to primary MAC)
+ mDNSOpaque48 password; // Optional password
+} OwnerOptData;
+
+typedef struct
+{
+ mDNSu8 platf; // Running platform (see enum Platform_t)
+ mDNSu32 mDNSv; // mDNSResponder Version (DNS_SD_H defined in dns_sd.h)
+} TracerOptData;
+
+// Note: rdataOPT format may be repeated an arbitrary number of times in a single resource record
+typedef packedstruct
+{
+ mDNSu16 opt;
+ mDNSu16 optlen;
+ union { LLQOptData llq; mDNSu32 updatelease; OwnerOptData owner; TracerOptData tracer; } u;
+} rdataOPT;
+
+// Space needed to put OPT records into a packet:
+// Header 11 bytes (name 1, type 2, class 2, TTL 4, length 2)
+// LLQ rdata 18 bytes (opt 2, len 2, vers 2, op 2, err 2, id 8, lease 4)
+// Lease rdata 8 bytes (opt 2, len 2, lease 4)
+// Owner rdata 12-24 bytes (opt 2, len 2, owner 8-20)
+// Trace rdata 9 bytes (opt 2, len 2, platf 1, mDNSv 4)
+
+
+#define DNSOpt_Header_Space 11
+#define DNSOpt_LLQData_Space (4 + 2 + 2 + 2 + 8 + 4)
+#define DNSOpt_LeaseData_Space (4 + 4)
+#define DNSOpt_OwnerData_ID_Space (4 + 2 + 6)
+#define DNSOpt_OwnerData_ID_Wake_Space (4 + 2 + 6 + 6)
+#define DNSOpt_OwnerData_ID_Wake_PW4_Space (4 + 2 + 6 + 6 + 4)
+#define DNSOpt_OwnerData_ID_Wake_PW6_Space (4 + 2 + 6 + 6 + 6)
+#define DNSOpt_TraceData_Space (4 + 1 + 4)
+
+#define ValidOwnerLength(X) ( (X) == DNSOpt_OwnerData_ID_Space - 4 || \
+ (X) == DNSOpt_OwnerData_ID_Wake_Space - 4 || \
+ (X) == DNSOpt_OwnerData_ID_Wake_PW4_Space - 4 || \
+ (X) == DNSOpt_OwnerData_ID_Wake_PW6_Space - 4 )
+
+#define DNSOpt_Owner_Space(A,B) (mDNSSameEthAddress((A),(B)) ? DNSOpt_OwnerData_ID_Space : DNSOpt_OwnerData_ID_Wake_Space)
+
+#define DNSOpt_Data_Space(O) ( \
+ (O)->opt == kDNSOpt_LLQ ? DNSOpt_LLQData_Space : \
+ (O)->opt == kDNSOpt_Lease ? DNSOpt_LeaseData_Space : \
+ (O)->opt == kDNSOpt_Trace ? DNSOpt_TraceData_Space : \
+ (O)->opt == kDNSOpt_Owner ? DNSOpt_Owner_Space(&(O)->u.owner.HMAC, &(O)->u.owner.IMAC) : 0x10000)
+
+// NSEC record is defined in RFC 4034.
+// 16 bit RRTYPE space is split into 256 windows and each window has 256 bits (32 bytes).
+// If we create a structure for NSEC, it's size would be:
+//
+// 256 bytes domainname 'nextname'
+// + 256 * 34 = 8704 bytes of bitmap data
+// = 8960 bytes total
+//
+// This would be a waste, as types about 256 are not very common. But it would be odd, if we receive
+// a type above 256 (.US zone had TYPE65534 when this code was written) and not able to handle it.
+// Hence, we handle any size by not fixing a strucure in place. The following is just a placeholder
+// and never used anywhere.
+//
+#define NSEC_MCAST_WINDOW_SIZE 32
+typedef struct
+{
+ domainname *next; //placeholders are uncommented because C89 in Windows requires that a struct has at least a member.
+ char bitmap[32];
+} rdataNSEC;
+
+// StandardAuthRDSize is 264 (256+8), which is large enough to hold a maximum-sized SRV record (6 + 256 bytes)
+// MaximumRDSize is 8K the absolute maximum we support (at least for now)
+#define StandardAuthRDSize 264
+#ifndef MaximumRDSize
+#define MaximumRDSize 8192
+#endif
+
+// InlineCacheRDSize is 68
+// Records received from the network with rdata this size or less have their rdata stored right in the CacheRecord object
+// Records received from the network with rdata larger than this have additional storage allocated for the rdata
+// A quick unscientific sample from a busy network at Apple with lots of machines revealed this:
+// 1461 records in cache
+// 292 were one-byte TXT records
+// 136 were four-byte A records
+// 184 were sixteen-byte AAAA records
+// 780 were various PTR, TXT and SRV records from 12-64 bytes
+// Only 69 records had rdata bigger than 64 bytes
+// Note that since CacheRecord object and a CacheGroup object are allocated out of the same pool, it's sensible to
+// have them both be the same size. Making one smaller without making the other smaller won't actually save any memory.
+#define InlineCacheRDSize 68
+
+// The RDataBody union defines the common rdata types that fit into our 264-byte limit
+typedef union
+{
+ mDNSu8 data[StandardAuthRDSize];
+ mDNSv4Addr ipv4; // For 'A' record
+ domainname name; // For PTR, NS, CNAME, DNAME
+ UTF8str255 txt;
+ rdataMX mx;
+ mDNSv6Addr ipv6; // For 'AAAA' record
+ rdataSRV srv;
+ rdataOPT opt[2]; // For EDNS0 OPT record; RDataBody may contain multiple variable-length rdataOPT objects packed together
+} RDataBody;
+
+// The RDataBody2 union is the same as above, except it includes fields for the larger types like soa, rp, px
+typedef union
+{
+ mDNSu8 data[StandardAuthRDSize];
+ mDNSv4Addr ipv4; // For 'A' record
+ domainname name; // For PTR, NS, CNAME, DNAME
+ rdataSOA soa; // This is large; not included in the normal RDataBody definition
+ UTF8str255 txt;
+ rdataMX mx;
+ rdataRP rp; // This is large; not included in the normal RDataBody definition
+ rdataPX px; // This is large; not included in the normal RDataBody definition
+ mDNSv6Addr ipv6; // For 'AAAA' record
+ rdataSRV srv;
+ rdataOPT opt[2]; // For EDNS0 OPT record; RDataBody may contain multiple variable-length rdataOPT objects packed together
+ rdataDS ds;
+ rdataDNSKey key;
+ rdataRRSig rrsig;
+} RDataBody2;
+
+typedef struct
+{
+ mDNSu16 MaxRDLength; // Amount of storage allocated for rdata (usually sizeof(RDataBody))
+ mDNSu16 padding; // So that RDataBody is aligned on 32-bit boundary
+ RDataBody u;
+} RData;
+
+// sizeofRDataHeader should be 4 bytes
+#define sizeofRDataHeader (sizeof(RData) - sizeof(RDataBody))
+
+// RData_small is a smaller version of the RData object, used for inline data storage embedded in a CacheRecord_struct
+typedef struct
+{
+ mDNSu16 MaxRDLength; // Storage allocated for data (may be greater than InlineCacheRDSize if additional storage follows this object)
+ mDNSu16 padding; // So that data is aligned on 32-bit boundary
+ mDNSu8 data[InlineCacheRDSize];
+} RData_small;
+
+// Note: Within an mDNSRecordCallback mDNS all API calls are legal except mDNS_Init(), mDNS_Exit(), mDNS_Execute()
+typedef void mDNSRecordCallback (mDNS *const m, AuthRecord *const rr, mStatus result);
+
+// Note:
+// Restrictions: An mDNSRecordUpdateCallback may not make any mDNS API calls.
+// The intent of this callback is to allow the client to free memory, if necessary.
+// The internal data structures of the mDNS code may not be in a state where mDNS API calls may be made safely.
+typedef void mDNSRecordUpdateCallback (mDNS *const m, AuthRecord *const rr, RData *OldRData, mDNSu16 OldRDLen);
+
+// ***************************************************************************
+#if 0
+#pragma mark -
+#pragma mark - NAT Traversal structures and constants
+#endif
+
+#define NATMAP_MAX_RETRY_INTERVAL ((mDNSPlatformOneSecond * 60) * 15) // Max retry interval is 15 minutes
+#define NATMAP_MIN_RETRY_INTERVAL (mDNSPlatformOneSecond * 2) // Min retry interval is 2 seconds
+#define NATMAP_INIT_RETRY (mDNSPlatformOneSecond / 4) // start at 250ms w/ exponential decay
+#define NATMAP_DEFAULT_LEASE (60 * 60 * 2) // 2 hour lease life in seconds
+#define NATMAP_VERS 0
+
+typedef enum
+{
+ NATOp_AddrRequest = 0,
+ NATOp_MapUDP = 1,
+ NATOp_MapTCP = 2,
+
+ NATOp_AddrResponse = 0x80 | 0,
+ NATOp_MapUDPResponse = 0x80 | 1,
+ NATOp_MapTCPResponse = 0x80 | 2,
+} NATOp_t;
+
+enum
+{
+ NATErr_None = 0,
+ NATErr_Vers = 1,
+ NATErr_Refused = 2,
+ NATErr_NetFail = 3,
+ NATErr_Res = 4,
+ NATErr_Opcode = 5
+};
+
+typedef mDNSu16 NATErr_t;
+
+typedef packedstruct
+{
+ mDNSu8 vers;
+ mDNSu8 opcode;
+} NATAddrRequest;
+
+typedef packedstruct
+{
+ mDNSu8 vers;
+ mDNSu8 opcode;
+ mDNSu16 err;
+ mDNSu32 upseconds; // Time since last NAT engine reboot, in seconds
+ mDNSv4Addr ExtAddr;
+} NATAddrReply;
+
+typedef packedstruct
+{
+ mDNSu8 vers;
+ mDNSu8 opcode;
+ mDNSOpaque16 unused;
+ mDNSIPPort intport;
+ mDNSIPPort extport;
+ mDNSu32 NATReq_lease;
+} NATPortMapRequest;
+
+typedef packedstruct
+{
+ mDNSu8 vers;
+ mDNSu8 opcode;
+ mDNSu16 err;
+ mDNSu32 upseconds; // Time since last NAT engine reboot, in seconds
+ mDNSIPPort intport;
+ mDNSIPPort extport;
+ mDNSu32 NATRep_lease;
+} NATPortMapReply;
+
+// PCP Support for IPv4 mappings
+
+#define PCP_VERS 0x02
+#define PCP_WAITSECS_AFTER_EPOCH_INVALID 5
+
+typedef enum
+{
+ PCPOp_Announce = 0,
+ PCPOp_Map = 1
+} PCPOp_t;
+
+typedef enum
+{
+ PCPProto_All = 0,
+ PCPProto_TCP = 6,
+ PCPProto_UDP = 17
+} PCPProto_t;
+
+typedef enum
+{
+ PCPResult_Success = 0,
+ PCPResult_UnsuppVersion = 1,
+ PCPResult_NotAuthorized = 2,
+ PCPResult_MalformedReq = 3,
+ PCPResult_UnsuppOpcode = 4,
+ PCPResult_UnsuppOption = 5,
+ PCPResult_MalformedOption = 6,
+ PCPResult_NetworkFailure = 7,
+ PCPResult_NoResources = 8,
+ PCPResult_UnsuppProtocol = 9,
+ PCPResult_UserExQuota = 10,
+ PCPResult_CantProvideExt = 11,
+ PCPResult_AddrMismatch = 12,
+ PCPResult_ExcesRemotePeer = 13
+} PCPResult_t;
+
+typedef packedstruct
+{
+ mDNSu8 version;
+ mDNSu8 opCode;
+ mDNSOpaque16 reserved;
+ mDNSu32 lifetime;
+ mDNSv6Addr clientAddr;
+ mDNSu32 nonce[3];
+ mDNSu8 protocol;
+ mDNSu8 reservedMapOp[3];
+ mDNSIPPort intPort;
+ mDNSIPPort extPort;
+ mDNSv6Addr extAddress;
+} PCPMapRequest;
+
+typedef packedstruct
+{
+ mDNSu8 version;
+ mDNSu8 opCode;
+ mDNSu8 reserved;
+ mDNSu8 result;
+ mDNSu32 lifetime;
+ mDNSu32 epoch;
+ mDNSu32 clientAddrParts[3];
+ mDNSu32 nonce[3];
+ mDNSu8 protocol;
+ mDNSu8 reservedMapOp[3];
+ mDNSIPPort intPort;
+ mDNSIPPort extPort;
+ mDNSv6Addr extAddress;
+} PCPMapReply;
+
+// LNT Support
+
+typedef enum
+{
+ LNTDiscoveryOp = 1,
+ LNTExternalAddrOp = 2,
+ LNTPortMapOp = 3,
+ LNTPortMapDeleteOp = 4
+} LNTOp_t;
+
+#define LNT_MAXBUFSIZE 8192
+typedef struct tcpLNTInfo_struct tcpLNTInfo;
+struct tcpLNTInfo_struct
+{
+ tcpLNTInfo *next;
+ mDNS *m;
+ NATTraversalInfo *parentNATInfo; // pointer back to the parent NATTraversalInfo
+ TCPSocket *sock;
+ LNTOp_t op; // operation performed using this connection
+ mDNSAddr Address; // router address
+ mDNSIPPort Port; // router port
+ mDNSu8 *Request; // xml request to router
+ int requestLen;
+ mDNSu8 *Reply; // xml reply from router
+ int replyLen;
+ unsigned long nread; // number of bytes read so far
+ int retries; // number of times we've tried to do this port mapping
+};
+
+typedef void (*NATTraversalClientCallback)(mDNS *m, NATTraversalInfo *n);
+
+// if m->timenow < ExpiryTime then we have an active mapping, and we'll renew halfway to expiry
+// if m->timenow >= ExpiryTime then our mapping has expired, and we're trying to create one
+
+typedef enum
+{
+ NATTProtocolNone = 0,
+ NATTProtocolNATPMP = 1,
+ NATTProtocolUPNPIGD = 2,
+ NATTProtocolPCP = 3,
+} NATTProtocol;
+
+struct NATTraversalInfo_struct
+{
+ // Internal state fields. These are used internally by mDNSCore; the client layer needn't be concerned with them.
+ NATTraversalInfo *next;
+
+ mDNSs32 ExpiryTime; // Time this mapping expires, or zero if no mapping
+ mDNSs32 retryInterval; // Current interval, between last packet we sent and the next one
+ mDNSs32 retryPortMap; // If Protocol is nonzero, time to send our next mapping packet
+ mStatus NewResult; // New error code; will be copied to Result just prior to invoking callback
+ NATTProtocol lastSuccessfulProtocol; // To send correct deletion request & update non-PCP external address operations
+ mDNSBool sentNATPMP; // Whether we just sent a NAT-PMP packet, so we won't send another if
+ // we receive another NAT-PMP "Unsupported Version" packet
+
+#ifdef _LEGACY_NAT_TRAVERSAL_
+ tcpLNTInfo tcpInfo; // Legacy NAT traversal (UPnP) TCP connection
+#endif
+
+ // Result fields: When the callback is invoked these fields contain the answers the client is looking for
+ // When the callback is invoked ExternalPort is *usually* set to be the same the same as RequestedPort, except:
+ // (a) When we're behind a NAT gateway with port mapping disabled, ExternalPort is reported as zero to
+ // indicate that we don't currently have a working mapping (but RequestedPort retains the external port
+ // we'd like to get, the next time we meet an accomodating NAT gateway willing to give us one).
+ // (b) When we have a routable non-RFC1918 address, we don't *need* a port mapping, so ExternalPort
+ // is reported as the same as our InternalPort, since that is effectively our externally-visible port too.
+ // Again, RequestedPort retains the external port we'd like to get the next time we find ourself behind a NAT gateway.
+ // To improve stability of port mappings, RequestedPort is updated any time we get a successful
+ // mapping response from the PCP, NAT-PMP or UPnP gateway. For example, if we ask for port 80, and
+ // get assigned port 81, then thereafter we'll contine asking for port 81.
+ mDNSInterfaceID InterfaceID;
+ mDNSv4Addr ExternalAddress; // Initially set to onesIPv4Addr, until first callback
+ mDNSv4Addr NewAddress; // May be updated with actual value assigned by gateway
+ mDNSIPPort ExternalPort;
+ mDNSu32 Lifetime;
+ mStatus Result;
+
+ // Client API fields: The client must set up these fields *before* making any NAT traversal API calls
+ mDNSu8 Protocol; // NATOp_MapUDP or NATOp_MapTCP, or zero if just requesting the external IP address
+ mDNSIPPort IntPort; // Client's internal port number (doesn't change)
+ mDNSIPPort RequestedPort; // Requested external port; may be updated with actual value assigned by gateway
+ mDNSu32 NATLease; // Requested lifetime in seconds (doesn't change)
+ NATTraversalClientCallback clientCallback;
+ void *clientContext;
+};
+
+// ***************************************************************************
+#if 0
+#pragma mark -
+#pragma mark - DNSServer & McastResolver structures and constants
+#endif
+
+enum
+{
+ DNSServer_Untested = 0,
+ DNSServer_Passed = 1,
+ DNSServer_Failed = 2,
+ DNSServer_Disabled = 3
+};
+
+enum
+{
+ DNSServer_FlagDelete = 1,
+ DNSServer_FlagNew = 2
+};
+
+enum
+{
+ McastResolver_FlagDelete = 1,
+ McastResolver_FlagNew = 2
+};
+
+typedef struct McastResolver
+{
+ struct McastResolver *next;
+ mDNSInterfaceID interface;
+ mDNSu32 flags; // Set when we're planning to delete this from the list
+ domainname domain;
+ mDNSu32 timeout; // timeout value for questions
+} McastResolver;
+
+// scoped values for DNSServer matching
+enum
+{
+ kScopeNone = 0, // DNS server used by unscoped questions
+ kScopeInterfaceID = 1, // Scoped DNS server used only by scoped questions
+ kScopeServiceID = 2 // Service specific DNS server used only by questions
+ // have a matching serviceID
+};
+
+// Note: DNSSECAware is set if we are able to get a valid response to
+// a DNSSEC question. In some cases it is possible that the proxy
+// strips the EDNS0 option and we just get a plain response with no
+// signatures. But we still mark DNSSECAware in that case. As DNSSECAware
+// is only used to determine whether DNSSEC_VALIDATION_SECURE_OPTIONAL
+// should be turned off or not, it is sufficient that we are getting
+// responses back.
+typedef struct DNSServer
+{
+ struct DNSServer *next;
+ mDNSInterfaceID interface; // DNS requests should be sent on this interface
+ mDNSs32 serviceID;
+ mDNSAddr addr;
+ mDNSIPPort port;
+ mDNSOpaque16 testid;
+ mDNSu32 flags; // Set when we're planning to delete this from the list
+ mDNSu32 teststate; // Have we sent bug-detection query to this server?
+ mDNSs32 lasttest; // Time we sent last bug-detection query to this server
+ domainname domain; // name->server matching for "split dns"
+ mDNSs32 penaltyTime; // amount of time this server is penalized
+ mDNSu32 scoped; // See the scoped enum above
+ mDNSu32 timeout; // timeout value for questions
+ mDNSBool cellIntf; // Resolver from Cellular Interface ?
+ mDNSu16 resGroupID; // ID of the resolver group that contains this DNSServer
+ mDNSBool req_A; // If set, send v4 query (DNSConfig allows A queries)
+ mDNSBool req_AAAA; // If set, send v6 query (DNSConfig allows AAAA queries)
+ mDNSBool req_DO; // If set, okay to send DNSSEC queries (EDNS DO bit is supported)
+ mDNSBool retransDO; // Total Retransmissions for queries sent with DO option
+ mDNSBool DNSSECAware; // set if we are able to receive a response to a request
+ // sent with DO option.
+} DNSServer;
+
+typedef struct
+{
+ mDNSu8 *AnonData;
+ int AnonDataLen;
+ mDNSu32 salt;
+ ResourceRecord *nsec3RR;
+ mDNSInterfaceID SendNow; // The interface ID that this record should be sent on
+} AnonymousInfo;
+
+struct ResourceRecord_struct
+{
+ mDNSu8 RecordType; // See enum above
+ mDNSu16 rrtype;
+ mDNSu16 rrclass;
+ mDNSu32 rroriginalttl; // In seconds
+ mDNSu16 rdlength; // Size of the raw rdata, in bytes, in the on-the-wire format
+ // (In-memory storage may be larger, for structures containing 'holes', like SOA)
+ mDNSu16 rdestimate; // Upper bound on on-the-wire size of rdata after name compression
+ mDNSu32 namehash; // Name-based (i.e. case-insensitive) hash of name
+ mDNSu32 rdatahash; // For rdata containing domain name (e.g. PTR, SRV, CNAME etc.), case-insensitive name hash
+ // else, for all other rdata, 32-bit hash of the raw rdata
+ // Note: This requirement is important. Various routines like AddAdditionalsToResponseList(),
+ // ReconfirmAntecedents(), etc., use rdatahash as a pre-flight check to see
+ // whether it's worth doing a full SameDomainName() call. If the rdatahash
+ // is not a correct case-insensitive name hash, they'll get false negatives.
+
+ // Grouping pointers together at the end of the structure improves the memory layout efficiency
+ mDNSInterfaceID InterfaceID; // Set if this RR is specific to one interface
+ // For records received off the wire, InterfaceID is *always* set to the receiving interface
+ // For our authoritative records, InterfaceID is usually zero, except for those few records
+ // that are interface-specific (e.g. address records, especially linklocal addresses)
+ const domainname *name;
+ RData *rdata; // Pointer to storage for this rdata
+ DNSServer *rDNSServer; // Unicast DNS server authoritative for this entry;null for multicast
+ AnonymousInfo *AnonInfo; // Anonymous Information
+};
+
+
+// Unless otherwise noted, states may apply to either independent record registrations or service registrations
+typedef enum
+{
+ regState_Zero = 0,
+ regState_Pending = 1, // update sent, reply not received
+ regState_Registered = 2, // update sent, reply received
+ regState_DeregPending = 3, // dereg sent, reply not received
+ regState_Unregistered = 4, // not in any list
+ regState_Refresh = 5, // outstanding refresh (or target change) message
+ regState_NATMap = 6, // establishing NAT port mapping
+ regState_UpdatePending = 7, // update in flight as result of mDNS_Update call
+ regState_NoTarget = 8, // SRV Record registration pending registration of hostname
+ regState_NATError = 9 // unable to complete NAT traversal
+} regState_t;
+
+enum
+{
+ Target_Manual = 0,
+ Target_AutoHost = 1,
+ Target_AutoHostAndNATMAP = 2
+};
+
+typedef enum
+{
+ mergeState_Zero = 0,
+ mergeState_DontMerge = 1 // Set on fatal error conditions to disable merging
+} mergeState_t;
+
+#define AUTH_GROUP_NAME_SIZE 128
+struct AuthGroup_struct // Header object for a list of AuthRecords with the same name
+{
+ AuthGroup *next; // Next AuthGroup object in this hash table bucket
+ mDNSu32 namehash; // Name-based (i.e. case insensitive) hash of name
+ AuthRecord *members; // List of CacheRecords with this same name
+ AuthRecord **rrauth_tail; // Tail end of that list
+ domainname *name; // Common name for all AuthRecords in this list
+ AuthRecord *NewLocalOnlyRecords;
+ mDNSu8 namestorage[AUTH_GROUP_NAME_SIZE];
+};
+
+#ifndef AUTH_HASH_SLOTS
+#define AUTH_HASH_SLOTS 499
+#endif
+#define FORALL_AUTHRECORDS(SLOT,AG,AR) \
+ for ((SLOT) = 0; (SLOT) < AUTH_HASH_SLOTS; (SLOT)++) \
+ for ((AG)=m->rrauth.rrauth_hash[(SLOT)]; (AG); (AG)=(AG)->next) \
+ for ((AR) = (AG)->members; (AR); (AR)=(AR)->next)
+
+typedef union AuthEntity_union AuthEntity;
+union AuthEntity_union { AuthEntity *next; AuthGroup ag; };
+typedef struct {
+ mDNSu32 rrauth_size; // Total number of available auth entries
+ mDNSu32 rrauth_totalused; // Number of auth entries currently occupied
+ mDNSu32 rrauth_report;
+ mDNSu8 rrauth_lock; // For debugging: Set at times when these lists may not be modified
+ AuthEntity *rrauth_free;
+ AuthGroup *rrauth_hash[AUTH_HASH_SLOTS];
+}AuthHash;
+
+// AuthRecordAny includes mDNSInterface_Any and interface specific auth records.
+typedef enum
+{
+ AuthRecordAny, // registered for *Any, NOT including P2P interfaces
+ AuthRecordAnyIncludeP2P, // registered for *Any, including P2P interfaces
+ AuthRecordAnyIncludeAWDL, // registered for *Any, including AWDL interface
+ AuthRecordAnyIncludeAWDLandP2P, // registered for *Any, including AWDL and P2P interfaces
+ AuthRecordLocalOnly,
+ AuthRecordP2P // discovered over D2D/P2P framework
+} AuthRecType;
+
+typedef enum
+{
+ AuthFlagsWakeOnly = 0x1 // WakeOnly service
+} AuthRecordFlags;
+
+struct AuthRecord_struct
+{
+ // For examples of how to set up this structure for use in mDNS_Register(),
+ // see mDNS_AdvertiseInterface() or mDNS_RegisterService().
+ // Basically, resrec and persistent metadata need to be set up before calling mDNS_Register().
+ // mDNS_SetupResourceRecord() is avaliable as a helper routine to set up most fields to sensible default values for you
+
+ AuthRecord *next; // Next in list; first element of structure for efficiency reasons
+ // Field Group 1: Common ResourceRecord fields
+ ResourceRecord resrec; // 36 bytes when compiling for 32-bit; 48 when compiling for 64-bit
+
+ // Field Group 2: Persistent metadata for Authoritative Records
+ AuthRecord *Additional1; // Recommended additional record to include in response (e.g. SRV for PTR record)
+ AuthRecord *Additional2; // Another additional (e.g. TXT for PTR record)
+ AuthRecord *DependentOn; // This record depends on another for its uniqueness checking
+ AuthRecord *RRSet; // This unique record is part of an RRSet
+ mDNSRecordCallback *RecordCallback; // Callback function to call for state changes, and to free memory asynchronously on deregistration
+ void *RecordContext; // Context parameter for the callback function
+ mDNSu8 AutoTarget; // Set if the target of this record (PTR, CNAME, SRV, etc.) is our host name
+ mDNSu8 AllowRemoteQuery; // Set if we allow hosts not on the local link to query this record
+ mDNSu8 ForceMCast; // Set by client to advertise solely via multicast, even for apparently unicast names
+ mDNSu8 AuthFlags;
+
+ OwnerOptData WakeUp; // WakeUp.HMAC.l[0] nonzero indicates that this is a Sleep Proxy record
+ mDNSAddr AddressProxy; // For reverse-mapping Sleep Proxy PTR records, address in question
+ mDNSs32 TimeRcvd; // In platform time units
+ mDNSs32 TimeExpire; // In platform time units
+ AuthRecType ARType; // LocalOnly, P2P or Normal ?
+ mDNSs32 KATimeExpire; // In platform time units: time to send keepalive packet for the proxy record
+
+ // Field Group 3: Transient state for Authoritative Records
+ mDNSu8 Acknowledged; // Set if we've given the success callback to the client
+ mDNSu8 ProbeRestartCount; // Number of times we have restarted probing
+ mDNSu8 ProbeCount; // Number of probes remaining before this record is valid (kDNSRecordTypeUnique)
+ mDNSu8 AnnounceCount; // Number of announcements remaining (kDNSRecordTypeShared)
+ mDNSu8 RequireGoodbye; // Set if this RR has been announced on the wire and will require a goodbye packet
+ mDNSu8 AnsweredLocalQ; // Set if this AuthRecord has been delivered to any local question (LocalOnly or mDNSInterface_Any)
+ mDNSu8 IncludeInProbe; // Set if this RR is being put into a probe right now
+ mDNSu8 ImmedUnicast; // Set if we may send our response directly via unicast to the requester
+ mDNSInterfaceID SendNSECNow; // Set if we need to generate associated NSEC data for this rrname
+ mDNSInterfaceID ImmedAnswer; // Someone on this interface issued a query we need to answer (all-ones for all interfaces)
+#if MDNS_LOG_ANSWER_SUPPRESSION_TIMES
+ mDNSs32 ImmedAnswerMarkTime;
+#endif
+ mDNSInterfaceID ImmedAdditional; // Hint that we might want to also send this record, just to be helpful
+ mDNSInterfaceID SendRNow; // The interface this query is being sent on right now
+ mDNSv4Addr v4Requester; // Recent v4 query for this record, or all-ones if more than one recent query
+ mDNSv6Addr v6Requester; // Recent v6 query for this record, or all-ones if more than one recent query
+ AuthRecord *NextResponse; // Link to the next element in the chain of responses to generate
+ const mDNSu8 *NR_AnswerTo; // Set if this record was selected by virtue of being a direct answer to a question
+ AuthRecord *NR_AdditionalTo; // Set if this record was selected by virtue of being additional to another
+ mDNSs32 ThisAPInterval; // In platform time units: Current interval for announce/probe
+ mDNSs32 LastAPTime; // In platform time units: Last time we sent announcement/probe
+ mDNSs32 LastMCTime; // Last time we multicast this record (used to guard against packet-storm attacks)
+ mDNSInterfaceID LastMCInterface; // Interface this record was multicast on at the time LastMCTime was recorded
+ RData *NewRData; // Set if we are updating this record with new rdata
+ mDNSu16 newrdlength; // ... and the length of the new RData
+ mDNSRecordUpdateCallback *UpdateCallback;
+ mDNSu32 UpdateCredits; // Token-bucket rate limiting of excessive updates
+ mDNSs32 NextUpdateCredit; // Time next token is added to bucket
+ mDNSs32 UpdateBlocked; // Set if update delaying is in effect
+
+ // Field Group 4: Transient uDNS state for Authoritative Records
+ regState_t state; // Maybe combine this with resrec.RecordType state? Right now it's ambiguous and confusing.
+ // e.g. rr->resrec.RecordType can be kDNSRecordTypeUnregistered,
+ // and rr->state can be regState_Unregistered
+ // What if we find one of those statements is true and the other false? What does that mean?
+ mDNSBool uselease; // dynamic update contains (should contain) lease option
+ mDNSs32 expire; // In platform time units: expiration of lease (-1 for static)
+ mDNSBool Private; // If zone is private, DNS updates may have to be encrypted to prevent eavesdropping
+ mDNSOpaque16 updateid; // Identifier to match update request and response -- also used when transferring records to Sleep Proxy
+ mDNSOpaque64 updateIntID; // Interface IDs (one bit per interface index)to which updates have been sent
+ const domainname *zone; // the zone that is updated
+ ZoneData *nta;
+ struct tcpInfo_t *tcp;
+ NATTraversalInfo NATinfo;
+ mDNSBool SRVChanged; // temporarily deregistered service because its SRV target or port changed
+ mergeState_t mState; // Unicast Record Registrations merge state
+ mDNSu8 refreshCount; // Number of refreshes to the server
+ mStatus updateError; // Record update resulted in Error ?
+
+ // uDNS_UpdateRecord support fields
+ // Do we really need all these in *addition* to NewRData and newrdlength above?
+ void *UpdateContext; // Context parameter for the update callback function
+ mDNSu16 OrigRDLen; // previously registered, being deleted
+ mDNSu16 InFlightRDLen; // currently being registered
+ mDNSu16 QueuedRDLen; // pending operation (re-transmitting if necessary) THEN register the queued update
+ RData *OrigRData;
+ RData *InFlightRData;
+ RData *QueuedRData;
+
+ // Field Group 5: Large data objects go at the end
+ domainname namestorage;
+ RData rdatastorage; // Normally the storage is right here, except for oversized records
+ // rdatastorage MUST be the last thing in the structure -- when using oversized AuthRecords, extra bytes
+ // are appended after the end of the AuthRecord, logically augmenting the size of the rdatastorage
+ // DO NOT ADD ANY MORE FIELDS HERE
+};
+
+// IsLocalDomain alone is not sufficient to determine that a record is mDNS or uDNS. By default domain names within
+// the "local" pseudo-TLD (and within the IPv4 and IPv6 link-local reverse mapping domains) are automatically treated
+// as mDNS records, but it is also possible to force any record (even those not within one of the inherently local
+// domains) to be handled as an mDNS record by setting the ForceMCast flag, or by setting a non-zero InterfaceID.
+// For example, the reverse-mapping PTR record created in AdvertiseInterface sets the ForceMCast flag, since it points to
+// a dot-local hostname, and therefore it would make no sense to register this record with a wide-area Unicast DNS server.
+// The same applies to Sleep Proxy records, which we will answer for when queried via mDNS, but we never want to try
+// to register them with a wide-area Unicast DNS server -- and we probably don't have the required credentials anyway.
+// Currently we have no concept of a wide-area uDNS record scoped to a particular interface, so if the InterfaceID is
+// nonzero we treat this the same as ForceMCast.
+// Note: Question_uDNS(Q) is used in *only* one place -- on entry to mDNS_StartQuery_internal, to decide whether to set TargetQID.
+// Everywhere else in the code, the determination of whether a question is unicast is made by checking to see if TargetQID is nonzero.
+#define AuthRecord_uDNS(R) ((R)->resrec.InterfaceID == mDNSInterface_Any && !(R)->ForceMCast && !IsLocalDomain((R)->resrec.name))
+#define Question_uDNS(Q) ((Q)->InterfaceID == mDNSInterface_Unicast || (Q)->ProxyQuestion || \
+ ((Q)->InterfaceID != mDNSInterface_LocalOnly && (Q)->InterfaceID != mDNSInterface_P2P && !(Q)->ForceMCast && !IsLocalDomain(&(Q)->qname)))
+
+#define RRLocalOnly(rr) ((rr)->ARType == AuthRecordLocalOnly || (rr)->ARType == AuthRecordP2P)
+
+#define RRAny(rr) ((rr)->ARType == AuthRecordAny || (rr)->ARType == AuthRecordAnyIncludeP2P || (rr)->ARType == AuthRecordAnyIncludeAWDL || (rr)->ARType == AuthRecordAnyIncludeAWDLandP2P)
+
+// Question (A or AAAA) that is suppressed currently because IPv4 or IPv6 address
+// is not available locally for A or AAAA question respectively. Also, if the
+// query is disallowed for the "pid" that we are sending on behalf of, suppress it.
+#define QuerySuppressed(Q) (((Q)->SuppressUnusable && (Q)->SuppressQuery) || ((Q)->DisallowPID))
+
+#define PrivateQuery(Q) ((Q)->AuthInfo && (Q)->AuthInfo->AutoTunnel)
+
+// Normally we always lookup the cache and /etc/hosts before sending the query on the wire. For single label
+// queries (A and AAAA) that are unqualified (indicated by AppendSearchDomains), we want to append search
+// domains before we try them as such
+#define ApplySearchDomainsFirst(q) ((q)->AppendSearchDomains && (CountLabels(&((q)->qname))) == 1)
+
+// Wrapper struct for Auth Records for higher-level code that cannot use the AuthRecord's ->next pointer field
+typedef struct ARListElem
+{
+ struct ARListElem *next;
+ AuthRecord ar; // Note: Must be last element of structure, to accomodate oversized AuthRecords
+} ARListElem;
+
+struct CacheRecord_struct
+{
+ CacheRecord *next; // Next in list; first element of structure for efficiency reasons
+ ResourceRecord resrec; // 36 bytes when compiling for 32-bit; 48 when compiling for 64-bit
+
+ // Transient state for Cache Records
+ CacheRecord *NextInKAList; // Link to the next element in the chain of known answers to send
+ mDNSs32 TimeRcvd; // In platform time units
+ mDNSs32 DelayDelivery; // Set if we want to defer delivery of this answer to local clients
+ mDNSs32 NextRequiredQuery; // In platform time units
+ mDNSs32 LastUsed; // In platform time units
+ DNSQuestion *CRActiveQuestion; // Points to an active question referencing this answer. Can never point to a NewQuestion.
+ mDNSs32 LastUnansweredTime; // In platform time units; last time we incremented UnansweredQueries
+ mDNSu8 UnansweredQueries; // Number of times we've issued a query for this record without getting an answer
+ mDNSu8 CRDNSSECQuestion; // Set to 1 if this was created in response to a DNSSEC question
+ mDNSOpaque16 responseFlags; // Second 16 bit in the DNS response
+#if ENABLE_MULTI_PACKET_QUERY_SNOOPING
+ mDNSu32 MPUnansweredQ; // Multi-packet query handling: Number of times we've seen a query for this record
+ mDNSs32 MPLastUnansweredQT; // Multi-packet query handling: Last time we incremented MPUnansweredQ
+ mDNSu32 MPUnansweredKA; // Multi-packet query handling: Number of times we've seen this record in a KA list
+ mDNSBool MPExpectingKA; // Multi-packet query handling: Set when we increment MPUnansweredQ; allows one KA
+#endif
+ CacheRecord *NextInCFList; // Set if this is in the list of records we just received with the cache flush bit set
+ CacheRecord *nsec; // NSEC records needed for non-existence proofs
+ CacheRecord *soa; // SOA record to return for proxy questions
+
+ mDNSAddr sourceAddress; // node from which we received this record
+ // Size to here is 76 bytes when compiling 32-bit; 104 bytes when compiling 64-bit
+ RData_small smallrdatastorage; // Storage for small records is right here (4 bytes header + 68 bytes data = 72 bytes)
+};
+
+// Should match the CacheGroup_struct members, except namestorage[]. Only used to calculate
+// the size of the namestorage array in CacheGroup_struct so that
+// sizeof(CacheGroup) == sizeof(CacheRecord)
+struct CacheGroup_base
+{
+ CacheGroup *next;
+ mDNSu32 namehash;
+ CacheRecord *members;
+ CacheRecord **rrcache_tail;
+ domainname *name;
+};
+
+struct CacheGroup_struct // Header object for a list of CacheRecords with the same name
+{
+ CacheGroup *next; // Next CacheGroup object in this hash table bucket
+ mDNSu32 namehash; // Name-based (i.e. case insensitive) hash of name
+ CacheRecord *members; // List of CacheRecords with this same name
+ CacheRecord **rrcache_tail; // Tail end of that list
+ domainname *name; // Common name for all CacheRecords in this list
+ mDNSu8 namestorage[sizeof(CacheRecord) - sizeof(struct CacheGroup_base)]; // match sizeof(CacheRecord)
+};
+
+// Storage sufficient to hold either a CacheGroup header or a CacheRecord
+// -- for best efficiency (to avoid wasted unused storage) they should be the same size
+typedef union CacheEntity_union CacheEntity;
+union CacheEntity_union { CacheEntity *next; CacheGroup cg; CacheRecord cr; };
+
+typedef struct
+{
+ CacheRecord r;
+ mDNSu8 _extradata[MaximumRDSize-InlineCacheRDSize]; // Glue on the necessary number of extra bytes
+ domainname namestorage; // Needs to go *after* the extra rdata bytes
+} LargeCacheRecord;
+
+typedef struct HostnameInfo
+{
+ struct HostnameInfo *next;
+ NATTraversalInfo natinfo;
+ domainname fqdn;
+ AuthRecord arv4; // registered IPv4 address record
+ AuthRecord arv6; // registered IPv6 address record
+ mDNSRecordCallback *StatusCallback; // callback to deliver success or error code to client layer
+ const void *StatusContext; // Client Context
+} HostnameInfo;
+
+typedef struct ExtraResourceRecord_struct ExtraResourceRecord;
+struct ExtraResourceRecord_struct
+{
+ ExtraResourceRecord *next;
+ mDNSu32 ClientID; // Opaque ID field to be used by client to map an AddRecord call to a set of Extra records
+ AuthRecord r;
+ // Note: Add any additional fields *before* the AuthRecord in this structure, not at the end.
+ // In some cases clients can allocate larger chunks of memory and set r->rdata->MaxRDLength to indicate
+ // that this extra memory is available, which would result in any fields after the AuthRecord getting smashed
+};
+
+// Note: Within an mDNSServiceCallback mDNS all API calls are legal except mDNS_Init(), mDNS_Exit(), mDNS_Execute()
+typedef void mDNSServiceCallback (mDNS *const m, ServiceRecordSet *const sr, mStatus result);
+
+// A ServiceRecordSet has no special meaning to the core code of the Multicast DNS protocol engine;
+// it is just a convenience structure to group together the records that make up a standard service
+// registration so that they can be allocted and deallocted together as a single memory object.
+// It contains its own ServiceCallback+ServiceContext to report aggregate results up to the next layer of software above.
+// It also contains:
+// * the basic PTR/SRV/TXT triplet used to represent any DNS-SD service
+// * the "_services" PTR record for service enumeration
+// * the optional list of SubType PTR records
+// * the optional list of additional records attached to the service set (e.g. iChat pictures)
+
+struct ServiceRecordSet_struct
+{
+ // These internal state fields are used internally by mDNSCore; the client layer needn't be concerned with them.
+ // No fields need to be set up by the client prior to calling mDNS_RegisterService();
+ // all required data is passed as parameters to that function.
+ mDNSServiceCallback *ServiceCallback;
+ void *ServiceContext;
+ mDNSBool Conflict; // Set if this record set was forcibly deregistered because of a conflict
+
+ ExtraResourceRecord *Extras; // Optional list of extra AuthRecords attached to this service registration
+ mDNSu32 NumSubTypes;
+ AuthRecord *SubTypes;
+ const mDNSu8 *AnonData;
+ mDNSu32 flags; // saved for subsequent calls to mDNS_RegisterService() if records
+ // need to be re-registered.
+ AuthRecord RR_ADV; // e.g. _services._dns-sd._udp.local. PTR _printer._tcp.local.
+ AuthRecord RR_PTR; // e.g. _printer._tcp.local. PTR Name._printer._tcp.local.
+ AuthRecord RR_SRV; // e.g. Name._printer._tcp.local. SRV 0 0 port target
+ AuthRecord RR_TXT; // e.g. Name._printer._tcp.local. TXT PrintQueueName
+ // Don't add any fields after AuthRecord RR_TXT.
+ // This is where the implicit extra space goes if we allocate a ServiceRecordSet containing an oversized RR_TXT record
+};
+
+// ***************************************************************************
+#if 0
+#pragma mark -
+#pragma mark - Question structures
+#endif
+
+// We record the last eight instances of each duplicate query
+// This gives us v4/v6 on each of Ethernet, AirPort and Firewire, and two free slots "for future expansion"
+// If the host has more active interfaces that this it is not fatal -- duplicate question suppression will degrade gracefully.
+// Since we will still remember the last eight, the busiest interfaces will still get the effective duplicate question suppression.
+#define DupSuppressInfoSize 8
+
+typedef struct
+{
+ mDNSs32 Time;
+ mDNSInterfaceID InterfaceID;
+ mDNSs32 Type; // v4 or v6?
+} DupSuppressInfo;
+
+typedef enum
+{
+ LLQ_InitialRequest = 1,
+ LLQ_SecondaryRequest = 2,
+ LLQ_Established = 3,
+ LLQ_Poll = 4
+} LLQ_State;
+
+// LLQ constants
+#define kLLQ_Vers 1
+#define kLLQ_DefLease 7200 // 2 hours
+#define kLLQ_MAX_TRIES 3 // retry an operation 3 times max
+#define kLLQ_INIT_RESEND 2 // resend an un-ack'd packet after 2 seconds, then double for each additional
+// LLQ Operation Codes
+#define kLLQOp_Setup 1
+#define kLLQOp_Refresh 2
+#define kLLQOp_Event 3
+
+// LLQ Errror Codes
+enum
+{
+ LLQErr_NoError = 0,
+ LLQErr_ServFull = 1,
+ LLQErr_Static = 2,
+ LLQErr_FormErr = 3,
+ LLQErr_NoSuchLLQ = 4,
+ LLQErr_BadVers = 5,
+ LLQErr_UnknownErr = 6
+};
+
+enum { NoAnswer_Normal = 0, NoAnswer_Suspended = 1, NoAnswer_Fail = 2 };
+
+#define HMAC_LEN 64
+#define HMAC_IPAD 0x36
+#define HMAC_OPAD 0x5c
+#define MD5_LEN 16
+
+#define AutoTunnelUnregistered(X) ( \
+ (X)->AutoTunnelHostRecord.resrec.RecordType == kDNSRecordTypeUnregistered && \
+ (X)->AutoTunnelTarget.resrec.RecordType == kDNSRecordTypeUnregistered && \
+ (X)->AutoTunnelDeviceInfo.resrec.RecordType == kDNSRecordTypeUnregistered && \
+ (X)->AutoTunnelService.resrec.RecordType == kDNSRecordTypeUnregistered && \
+ (X)->AutoTunnel6Record.resrec.RecordType == kDNSRecordTypeUnregistered )
+
+// Internal data structure to maintain authentication information
+typedef struct DomainAuthInfo
+{
+ struct DomainAuthInfo *next;
+ mDNSs32 deltime; // If we're planning to delete this DomainAuthInfo, the time we want it deleted
+ mDNSBool AutoTunnel; // Whether this is AutoTunnel
+ AuthRecord AutoTunnelHostRecord; // User-visible hostname; used as SRV target for AutoTunnel services
+ AuthRecord AutoTunnelTarget; // Opaque hostname of tunnel endpoint; used as SRV target for AutoTunnelService record
+ AuthRecord AutoTunnelDeviceInfo; // Device info of tunnel endpoint
+ AuthRecord AutoTunnelService; // Service record (possibly NAT-Mapped) of IKE daemon implementing tunnel endpoint
+ AuthRecord AutoTunnel6Record; // AutoTunnel AAAA Record obtained from awacsd
+ mDNSBool AutoTunnelServiceStarted; // Whether a service has been registered in this domain
+ mDNSv6Addr AutoTunnelInnerAddress;
+ domainname domain;
+ domainname keyname;
+ domainname hostname;
+ mDNSIPPort port;
+ char b64keydata[32];
+ mDNSu8 keydata_ipad[HMAC_LEN]; // padded key for inner hash rounds
+ mDNSu8 keydata_opad[HMAC_LEN]; // padded key for outer hash rounds
+} DomainAuthInfo;
+
+// Note: Within an mDNSQuestionCallback mDNS all API calls are legal except mDNS_Init(), mDNS_Exit(), mDNS_Execute()
+// Note: Any value other than QC_rmv i.e., any non-zero value will result in kDNSServiceFlagsAdd to the application
+// layer. These values are used within mDNSResponder and not sent across to the application. QC_addnocache is for
+// delivering a response without adding to the cache. QC_forceresponse is superset of QC_addnocache where in
+// addition to not entering in the cache, it also forces the negative response through.
+typedef enum { QC_rmv = 0, QC_add, QC_addnocache, QC_forceresponse, QC_dnssec , QC_nodnssec, QC_suppressed } QC_result;
+typedef void mDNSQuestionCallback (mDNS *const m, DNSQuestion *question, const ResourceRecord *const answer, QC_result AddRecord);
+typedef void AsyncDispatchFunc(mDNS *const m, void *context);
+typedef void DNSSECAuthInfoFreeCallback(mDNS *const m, void *context);
+extern void mDNSPlatformDispatchAsync(mDNS *const m, void *context, AsyncDispatchFunc func);
+
+#define NextQSendTime(Q) ((Q)->LastQTime + (Q)->ThisQInterval)
+#define ActiveQuestion(Q) ((Q)->ThisQInterval > 0 && !(Q)->DuplicateOf)
+#define TimeToSendThisQuestion(Q,time) (ActiveQuestion(Q) && (time) - NextQSendTime(Q) >= 0)
+
+// q->ValidationStatus is either DNSSECValNotRequired or DNSSECValRequired and then moves onto DNSSECValInProgress.
+// When Validation is done, we mark all "DNSSECValInProgress" questions "DNSSECValDone". If we are answering
+// questions from /etc/hosts, then we go straight to DNSSECValDone from the initial state.
+typedef enum { DNSSECValNotRequired = 0, DNSSECValRequired, DNSSECValInProgress, DNSSECValDone } DNSSECValState;
+
+// ValidationRequired can be set to the following values:
+//
+// SECURE validation is set to determine whether something is secure or bogus
+// INSECURE validation is set internally by dnssec code to indicate that it is currently proving something
+// is insecure
+#define DNSSEC_VALIDATION_NONE 0x00
+#define DNSSEC_VALIDATION_SECURE 0x01
+#define DNSSEC_VALIDATION_SECURE_OPTIONAL 0x02
+#define DNSSEC_VALIDATION_INSECURE 0x03
+
+// For both ValidationRequired and ValidatingResponse question, we validate DNSSEC responses.
+// For ProxyQuestion with DNSSECOK, we just receive the DNSSEC records to pass them along without
+// validation and if the CD bit is not set, we also validate.
+#define DNSSECQuestion(q) ((q)->ValidationRequired || (q)->ValidatingResponse || ((q)->ProxyQuestion && (q)->ProxyDNSSECOK))
+
+// ValidatingQuestion is used when we need to know whether we are validating the DNSSEC responses for a question
+#define ValidatingQuestion(q) ((q)->ValidationRequired || (q)->ValidatingResponse)
+
+#define DNSSECOptionalQuestion(q) ((q)->ValidationRequired == DNSSEC_VALIDATION_SECURE_OPTIONAL)
+
+// Given the resource record and the question, should we follow the CNAME ?
+#define FollowCNAME(q, rr, AddRecord) (AddRecord && (q)->qtype != kDNSType_CNAME && \
+ (rr)->RecordType != kDNSRecordTypePacketNegative && \
+ (rr)->rrtype == kDNSType_CNAME)
+
+// RFC 4122 defines it to be 16 bytes
+#define UUID_SIZE 16
+
+struct DNSQuestion_struct
+{
+ // Internal state fields. These are used internally by mDNSCore; the client layer needn't be concerned with them.
+ DNSQuestion *next;
+ mDNSu32 qnamehash;
+ mDNSs32 DelayAnswering; // Set if we want to defer answering this question until the cache settles
+ mDNSs32 LastQTime; // Last scheduled transmission of this Q on *all* applicable interfaces
+ mDNSs32 ThisQInterval; // LastQTime + ThisQInterval is the next scheduled transmission of this Q
+ // ThisQInterval > 0 for an active question;
+ // ThisQInterval = 0 for a suspended question that's still in the list
+ // ThisQInterval = -1 for a cancelled question (should not still be in list)
+ mDNSs32 ExpectUnicastResp; // Set when we send a query with the kDNSQClass_UnicastResponse bit set
+ mDNSs32 LastAnswerPktNum; // The sequence number of the last response packet containing an answer to this Q
+ mDNSu32 RecentAnswerPkts; // Number of answers since the last time we sent this query
+ mDNSu32 CurrentAnswers; // Number of records currently in the cache that answer this question
+ mDNSu32 BrowseThreshold; // If we have received at least this number of answers,
+ // set the next question interval to MaxQuestionInterval
+ mDNSu32 LargeAnswers; // Number of answers with rdata > 1024 bytes
+ mDNSu32 UniqueAnswers; // Number of answers received with kDNSClass_UniqueRRSet bit set
+ mDNSInterfaceID FlappingInterface1; // Set when an interface goes away, to flag if remove events are delivered for this Q
+ mDNSInterfaceID FlappingInterface2; // Set when an interface goes away, to flag if remove events are delivered for this Q
+ DomainAuthInfo *AuthInfo; // Non-NULL if query is currently being done using Private DNS
+ DNSQuestion *DuplicateOf;
+ DNSQuestion *NextInDQList;
+ AnonymousInfo *AnonInfo; // Anonymous Information
+ DupSuppressInfo DupSuppress[DupSuppressInfoSize];
+ mDNSInterfaceID SendQNow; // The interface this query is being sent on right now
+ mDNSBool SendOnAll; // Set if we're sending this question on all active interfaces
+ mDNSBool CachedAnswerNeedsUpdate; // See SendQueries(). Set if we're sending this question
+ // because a cached answer needs to be refreshed.
+ mDNSu32 RequestUnicast; // Non-zero if we want to send query with kDNSQClass_UnicastResponse bit set
+ mDNSs32 LastQTxTime; // Last time this Q was sent on one (but not necessarily all) interfaces
+ mDNSu32 CNAMEReferrals; // Count of how many CNAME redirections we've done
+ mDNSBool SuppressQuery; // This query should be suppressed and not sent on the wire
+ mDNSu8 LOAddressAnswers; // Number of answers from the local only auth records that are
+ // answering A, AAAA, CNAME, or PTR (/etc/hosts)
+ mDNSu8 WakeOnResolveCount; // Number of wakes that should be sent on resolve
+ mDNSs32 StopTime; // Time this question should be stopped by giving them a negative answer
+
+ // DNSSEC fields
+ DNSSECValState ValidationState; // Current state of the Validation process
+ DNSSECStatus ValidationStatus; // Validation status for "ValidationRequired" questions (dnssec)
+ mDNSu8 ValidatingResponse; // Question trying to validate a response (dnssec) on behalf of
+ // ValidationRequired question
+ void *DNSSECAuthInfo;
+ DNSSECAuthInfoFreeCallback *DAIFreeCallback;
+
+ // Wide Area fields. These are used internally by the uDNS core (Unicast)
+ UDPSocket *LocalSocket;
+
+ // |-> DNS Configuration related fields used in uDNS (Subset of Wide Area/Unicast fields)
+ DNSServer *qDNSServer; // Caching server for this query (in the absence of an SRV saying otherwise)
+ mDNSOpaque64 validDNSServers; // Valid DNSServers for this question
+ mDNSu16 noServerResponse; // At least one server did not respond.
+ mDNSu16 triedAllServersOnce; // Tried all DNS servers once
+ mDNSu8 unansweredQueries; // The number of unanswered queries to this server
+
+ ZoneData *nta; // Used for getting zone data for private or LLQ query
+ mDNSAddr servAddr; // Address and port learned from _dns-llq, _dns-llq-tls or _dns-query-tls SRV query
+ mDNSIPPort servPort;
+ struct tcpInfo_t *tcp;
+ mDNSIPPort tcpSrcPort; // Local Port TCP packet received on;need this as tcp struct is disposed
+ // by tcpCallback before calling into mDNSCoreReceive
+ mDNSu8 NoAnswer; // Set if we want to suppress answers until tunnel setup has completed
+ mDNSu8 Restart; // This question should be restarted soon
+
+ // LLQ-specific fields. These fields are only meaningful when LongLived flag is set
+ LLQ_State state;
+ mDNSu32 ReqLease; // seconds (relative)
+ mDNSs32 expire; // ticks (absolute)
+ mDNSs16 ntries; // for UDP: the number of packets sent for this LLQ state
+ // for TCP: there is some ambiguity in the use of this variable, but in general, it is
+ // the number of TCP/TLS connection attempts for this LLQ state, or
+ // the number of packets sent for this TCP/TLS connection
+ mDNSOpaque64 id;
+
+ // DNS Proxy fields
+ mDNSOpaque16 responseFlags; // Temporary place holder for the error we get back from the DNS server
+ // till we populate in the cache
+ mDNSBool DisallowPID; // Is the query allowed for the "PID" that we are sending on behalf of ?
+ mDNSs32 ServiceID; // Service identifier to match against the DNS server
+
+ // Client API fields: The client must set up these fields *before* calling mDNS_StartQuery()
+ mDNSInterfaceID InterfaceID; // Non-zero if you want to issue queries only on a single specific IP interface
+ mDNSu32 flags; // flags from original DNSService*() API request.
+ mDNSAddr Target; // Non-zero if you want to direct queries to a specific unicast target address
+ mDNSIPPort TargetPort; // Must be set if Target is set
+ mDNSOpaque16 TargetQID; // Must be set if Target is set
+ domainname qname;
+ mDNSu16 qtype;
+ mDNSu16 qclass;
+ mDNSBool LongLived; // Set by client for calls to mDNS_StartQuery to indicate LLQs to unicast layer.
+ mDNSBool ExpectUnique; // Set by client if it's expecting unique RR(s) for this question, not shared RRs
+ mDNSBool ForceMCast; // Set by client to force mDNS query, even for apparently uDNS names
+ mDNSBool ReturnIntermed; // Set by client to request callbacks for intermediate CNAME/NXDOMAIN results
+ mDNSBool SuppressUnusable; // Set by client to suppress unusable queries to be sent on the wire
+ mDNSu8 RetryWithSearchDomains; // Retry with search domains if there is no entry in the cache or AuthRecords
+ mDNSu8 TimeoutQuestion; // Timeout this question if there is no reply in configured time
+ mDNSu8 WakeOnResolve; // Send wakeup on resolve
+ mDNSu8 UseBackgroundTrafficClass; // Use background traffic class for request
+ mDNSs8 SearchListIndex; // Index into SearchList; Used by the client layer but not touched by core
+ mDNSs8 AppendSearchDomains; // Search domains can be appended for this query
+ mDNSs8 AppendLocalSearchDomains; // Search domains ending in .local can be appended for this query
+ mDNSu8 ValidationRequired; // Requires DNSSEC validation.
+ mDNSu8 ProxyQuestion; // Proxy Question
+ mDNSu8 ProxyDNSSECOK; // Proxy Question with EDNS0 DNSSEC OK bit set
+ mDNSs32 pid; // Process ID of the client that is requesting the question
+ mDNSu8 uuid[UUID_SIZE]; // Unique ID of the client that is requesting the question (valid only if pid is zero)
+ domainname *qnameOrig; // Copy of the original question name if it is not fully qualified
+ mDNSQuestionCallback *QuestionCallback;
+ void *QuestionContext;
+};
+
+typedef struct
+{
+ // Client API fields: The client must set up name and InterfaceID *before* calling mDNS_StartResolveService()
+ // When the callback is invoked, ip, port, TXTlen and TXTinfo will have been filled in with the results learned from the network.
+ domainname name;
+ mDNSInterfaceID InterfaceID; // ID of the interface the response was received on
+ mDNSAddr ip; // Remote (destination) IP address where this service can be accessed
+ mDNSIPPort port; // Port where this service can be accessed
+ mDNSu16 TXTlen;
+ mDNSu8 TXTinfo[2048]; // Additional demultiplexing information (e.g. LPR queue name)
+} ServiceInfo;
+
+// Note: Within an mDNSServiceInfoQueryCallback mDNS all API calls are legal except mDNS_Init(), mDNS_Exit(), mDNS_Execute()
+typedef struct ServiceInfoQuery_struct ServiceInfoQuery;
+typedef void mDNSServiceInfoQueryCallback (mDNS *const m, ServiceInfoQuery *query);
+struct ServiceInfoQuery_struct
+{
+ // Internal state fields. These are used internally by mDNSCore; the client layer needn't be concerned with them.
+ // No fields need to be set up by the client prior to calling mDNS_StartResolveService();
+ // all required data is passed as parameters to that function.
+ // The ServiceInfoQuery structure memory is working storage for mDNSCore to discover the requested information
+ // and place it in the ServiceInfo structure. After the client has called mDNS_StopResolveService(), it may
+ // dispose of the ServiceInfoQuery structure while retaining the results in the ServiceInfo structure.
+ DNSQuestion qSRV;
+ DNSQuestion qTXT;
+ DNSQuestion qAv4;
+ DNSQuestion qAv6;
+ mDNSu8 GotSRV;
+ mDNSu8 GotTXT;
+ mDNSu8 GotADD;
+ mDNSu32 Answers;
+ ServiceInfo *info;
+ mDNSServiceInfoQueryCallback *ServiceInfoQueryCallback;
+ void *ServiceInfoQueryContext;
+};
+
+typedef enum { ZoneServiceUpdate, ZoneServiceQuery, ZoneServiceLLQ } ZoneService;
+
+typedef void ZoneDataCallback (mDNS *const m, mStatus err, const ZoneData *result);
+
+struct ZoneData_struct
+{
+ domainname ChildName; // Name for which we're trying to find the responsible server
+ ZoneService ZoneService; // Which service we're seeking for this zone (update, query, or LLQ)
+ domainname *CurrentSOA; // Points to somewhere within ChildName
+ domainname ZoneName; // Discovered result: Left-hand-side of SOA record
+ mDNSu16 ZoneClass; // Discovered result: DNS Class from SOA record
+ domainname Host; // Discovered result: Target host from SRV record
+ mDNSIPPort Port; // Discovered result: Update port, query port, or LLQ port from SRV record
+ mDNSAddr Addr; // Discovered result: Address of Target host from SRV record
+ mDNSBool ZonePrivate; // Discovered result: Does zone require encrypted queries?
+ ZoneDataCallback *ZoneDataCallback; // Caller-specified function to be called upon completion
+ void *ZoneDataContext;
+ DNSQuestion question; // Storage for any active question
+};
+
+extern ZoneData *StartGetZoneData(mDNS *const m, const domainname *const name, const ZoneService target, ZoneDataCallback callback, void *callbackInfo);
+extern void CancelGetZoneData(mDNS *const m, ZoneData *nta);
+extern mDNSBool IsGetZoneDataQuestion(DNSQuestion *q);
+
+typedef struct DNameListElem
+{
+ struct DNameListElem *next;
+ mDNSu32 uid;
+ domainname name;
+} DNameListElem;
+
+#if APPLE_OSX_mDNSResponder
+// Different states that we go through locating the peer
+#define TC_STATE_AAAA_PEER 0x000000001 /* Peer's BTMM IPv6 address */
+#define TC_STATE_AAAA_PEER_RELAY 0x000000002 /* Peer's IPv6 Relay address */
+#define TC_STATE_SRV_PEER 0x000000003 /* Peer's SRV Record corresponding to IPv4 address */
+#define TC_STATE_ADDR_PEER 0x000000004 /* Peer's IPv4 address */
+
+typedef struct ClientTunnel
+{
+ struct ClientTunnel *next;
+ domainname dstname;
+ mDNSBool MarkedForDeletion;
+ mDNSv6Addr loc_inner;
+ mDNSv4Addr loc_outer;
+ mDNSv6Addr loc_outer6;
+ mDNSv6Addr rmt_inner;
+ mDNSv4Addr rmt_outer;
+ mDNSv6Addr rmt_outer6;
+ mDNSIPPort rmt_outer_port;
+ mDNSu16 tc_state;
+ DNSQuestion q;
+} ClientTunnel;
+#endif
+
+// ***************************************************************************
+#if 0
+#pragma mark -
+#pragma mark - NetworkInterfaceInfo_struct
+#endif
+
+typedef struct NetworkInterfaceInfo_struct NetworkInterfaceInfo;
+
+// A NetworkInterfaceInfo_struct serves two purposes:
+// 1. It holds the address, PTR and HINFO records to advertise a given IP address on a given physical interface
+// 2. It tells mDNSCore which physical interfaces are available; each physical interface has its own unique InterfaceID.
+// Since there may be multiple IP addresses on a single physical interface,
+// there may be multiple NetworkInterfaceInfo_structs with the same InterfaceID.
+// In this case, to avoid sending the same packet n times, when there's more than one
+// struct with the same InterfaceID, mDNSCore picks one member of the set to be the
+// active representative of the set; all others have the 'InterfaceActive' flag unset.
+
+struct NetworkInterfaceInfo_struct
+{
+ // Internal state fields. These are used internally by mDNSCore; the client layer needn't be concerned with them.
+ NetworkInterfaceInfo *next;
+
+ mDNSu8 InterfaceActive; // Set if interface is sending & receiving packets (see comment above)
+ mDNSu8 IPv4Available; // If InterfaceActive, set if v4 available on this InterfaceID
+ mDNSu8 IPv6Available; // If InterfaceActive, set if v6 available on this InterfaceID
+
+ DNSQuestion NetWakeBrowse;
+ DNSQuestion NetWakeResolve[3]; // For fault-tolerance, we try up to three Sleep Proxies
+ mDNSAddr SPSAddr[3];
+ mDNSIPPort SPSPort[3];
+ mDNSs32 NextSPSAttempt; // -1 if we're not currently attempting to register with any Sleep Proxy
+ mDNSs32 NextSPSAttemptTime;
+
+ // Standard AuthRecords that every Responder host should have (one per active IP address)
+ AuthRecord RR_A; // 'A' or 'AAAA' (address) record for our ".local" name
+ AuthRecord RR_PTR; // PTR (reverse lookup) record
+ AuthRecord RR_HINFO;
+
+ // Client API fields: The client must set up these fields *before* calling mDNS_RegisterInterface()
+ mDNSInterfaceID InterfaceID; // Identifies physical interface; MUST NOT be 0, -1, or -2
+ mDNSAddr ip; // The IPv4 or IPv6 address to advertise
+ mDNSAddr mask;
+ mDNSEthAddr MAC;
+ char ifname[64]; // Windows uses a GUID string for the interface name, which doesn't fit in 16 bytes
+ mDNSu8 Advertise; // False if you are only searching on this interface
+ mDNSu8 McastTxRx; // Send/Receive multicast on this { InterfaceID, address family } ?
+ mDNSu8 NetWake; // Set if Wake-On-Magic-Packet is enabled on this interface
+ mDNSu8 Loopback; // Set if this is the loopback interface
+ mDNSu8 IgnoreIPv4LL; // Set if IPv4 Link-Local addresses have to be ignored.
+ mDNSu8 SendGoodbyes; // Send goodbyes on this interface while sleeping
+ mDNSBool DirectLink; // a direct link, indicating we can skip the probe for
+ // address records
+};
+
+#define SLE_DELETE 0x00000001
+#define SLE_WAB_BROWSE_QUERY_STARTED 0x00000002
+#define SLE_WAB_LBROWSE_QUERY_STARTED 0x00000004
+#define SLE_WAB_REG_QUERY_STARTED 0x00000008
+
+typedef struct SearchListElem
+{
+ struct SearchListElem *next;
+ domainname domain;
+ int flag;
+ mDNSInterfaceID InterfaceID;
+ DNSQuestion BrowseQ;
+ DNSQuestion DefBrowseQ;
+ DNSQuestion AutomaticBrowseQ;
+ DNSQuestion RegisterQ;
+ DNSQuestion DefRegisterQ;
+ int numCfAnswers;
+ ARListElem *AuthRecs;
+} SearchListElem;
+
+// For domain enumeration and automatic browsing
+// This is the user's DNS search list.
+// In each of these domains we search for our special pointer records (lb._dns-sd._udp.<domain>, etc.)
+// to discover recommended domains for domain enumeration (browse, default browse, registration,
+// default registration) and possibly one or more recommended automatic browsing domains.
+extern SearchListElem *SearchList; // This really ought to be part of mDNS_struct -- SC
+
+// ***************************************************************************
+#if 0
+#pragma mark -
+#pragma mark - Main mDNS object, used to hold all the mDNS state
+#endif
+
+typedef void mDNSCallback (mDNS *const m, mStatus result);
+
+#ifndef CACHE_HASH_SLOTS
+#define CACHE_HASH_SLOTS 499
+#endif
+
+enum
+{
+ SleepState_Awake = 0,
+ SleepState_Transferring = 1,
+ SleepState_Sleeping = 2
+};
+
+typedef enum
+{
+ kStatsActionIncrement,
+ kStatsActionDecrement,
+ kStatsActionClear,
+ kStatsActionSet
+} DNSSECStatsAction;
+
+typedef enum
+{
+ kStatsTypeMemoryUsage,
+ kStatsTypeLatency,
+ kStatsTypeExtraPackets,
+ kStatsTypeStatus,
+ kStatsTypeProbe,
+ kStatsTypeMsgSize
+} DNSSECStatsType;
+
+typedef struct
+{
+ mDNSu32 TotalMemUsed;
+ mDNSu32 Latency0; // 0 to 4 ms
+ mDNSu32 Latency5; // 5 to 9 ms
+ mDNSu32 Latency10; // 10 to 19 ms
+ mDNSu32 Latency20; // 20 to 49 ms
+ mDNSu32 Latency50; // 50 to 99 ms
+ mDNSu32 Latency100; // >= 100 ms
+ mDNSu32 ExtraPackets0; // 0 to 2 packets
+ mDNSu32 ExtraPackets3; // 3 to 6 packets
+ mDNSu32 ExtraPackets7; // 7 to 9 packets
+ mDNSu32 ExtraPackets10; // >= 10 packets
+ mDNSu32 SecureStatus;
+ mDNSu32 InsecureStatus;
+ mDNSu32 IndeterminateStatus;
+ mDNSu32 BogusStatus;
+ mDNSu32 NoResponseStatus;
+ mDNSu32 NumProbesSent; // Number of probes sent
+ mDNSu32 MsgSize0; // DNSSEC message size <= 1024
+ mDNSu32 MsgSize1; // DNSSEC message size <= 2048
+ mDNSu32 MsgSize2; // DNSSEC message size > 2048
+} DNSSECStatistics;
+
+typedef struct
+{
+ mDNSu32 NameConflicts; // Normal Name conflicts
+ mDNSu32 KnownUniqueNameConflicts; // Name Conflicts for KnownUnique Records
+ mDNSu32 DupQuerySuppressions; // Duplicate query suppressions
+ mDNSu32 KnownAnswerSuppressions; // Known Answer suppressions
+ mDNSu32 KnownAnswerMultiplePkts; // Known Answer in queries spannign multiple packets
+ mDNSu32 PoofCacheDeletions; // Number of times the cache was deleted due to POOF
+ mDNSu32 UnicastBitInQueries; // Queries with QU bit set
+ mDNSu32 NormalQueries; // Queries with QU bit not set
+ mDNSu32 MatchingAnswersForQueries; // Queries for which we had a response
+ mDNSu32 UnicastResponses; // Unicast responses to queries
+ mDNSu32 MulticastResponses; // Multicast responses to queries
+ mDNSu32 UnicastDemotedToMulticast; // Number of times unicast demoted to multicast
+ mDNSu32 Sleeps; // Total sleeps
+ mDNSu32 Wakes; // Total wakes
+ mDNSu32 InterfaceUp; // Total Interface UP events
+ mDNSu32 InterfaceUpFlap; // Total Interface UP events with flaps
+ mDNSu32 InterfaceDown; // Total Interface Down events
+ mDNSu32 InterfaceDownFlap; // Total Interface Down events with flaps
+ mDNSu32 CacheRefreshQueries; // Number of queries that we sent for refreshing cache
+ mDNSu32 CacheRefreshed; // Number of times the cache was refreshed due to a response
+ mDNSu32 WakeOnResolves; // Number of times we did a wake on resolve
+} mDNSStatistics;
+extern void LogMDNSStatistics(mDNS *const m);
+
+struct mDNS_struct
+{
+ // Internal state fields. These hold the main internal state of mDNSCore;
+ // the client layer needn't be concerned with them.
+ // No fields need to be set up by the client prior to calling mDNS_Init();
+ // all required data is passed as parameters to that function.
+
+ mDNS_PlatformSupport *p; // Pointer to platform-specific data of indeterminite size
+ mDNSBool CanReceiveUnicastOn5353;
+ mDNSBool AdvertiseLocalAddresses;
+ mDNSBool DivertMulticastAdvertisements; // from interfaces that do not advertise local addresses to local-only
+ mStatus mDNSPlatformStatus;
+ mDNSIPPort UnicastPort4;
+ mDNSIPPort UnicastPort6;
+ mDNSEthAddr PrimaryMAC; // Used as unique host ID
+ mDNSCallback *MainCallback;
+ void *MainContext;
+
+ // For debugging: To catch and report locking failures
+ mDNSu32 mDNS_busy; // Incremented between mDNS_Lock/mDNS_Unlock section
+ mDNSu32 mDNS_reentrancy; // Incremented when calling a client callback
+ mDNSu8 lock_rrcache; // For debugging: Set at times when these lists may not be modified
+ mDNSu8 lock_Questions;
+ mDNSu8 lock_Records;
+#ifndef MaxMsg
+ #define MaxMsg 512
+#endif
+ char MsgBuffer[MaxMsg]; // Temp storage used while building error log messages
+
+ // Task Scheduling variables
+ mDNSs32 timenow_adjust; // Correction applied if we ever discover time went backwards
+ mDNSs32 timenow; // The time that this particular activation of the mDNS code started
+ mDNSs32 timenow_last; // The time the last time we ran
+ mDNSs32 NextScheduledEvent; // Derived from values below
+ mDNSs32 ShutdownTime; // Set when we're shutting down; allows us to skip some unnecessary steps
+ mDNSs32 SuppressSending; // Don't send local-link mDNS packets during this time
+ mDNSs32 NextCacheCheck; // Next time to refresh cache record before it expires
+ mDNSs32 NextScheduledQuery; // Next time to send query in its exponential backoff sequence
+ mDNSs32 NextScheduledProbe; // Next time to probe for new authoritative record
+ mDNSs32 NextScheduledResponse; // Next time to send authoritative record(s) in responses
+ mDNSs32 NextScheduledNATOp; // Next time to send NAT-traversal packets
+ mDNSs32 NextScheduledSPS; // Next time to purge expiring Sleep Proxy records
+ mDNSs32 NextScheduledKA; // Next time to send Keepalive packets (SPS)
+ mDNSs32 RandomQueryDelay; // For de-synchronization of query packets on the wire
+ mDNSu32 RandomReconfirmDelay; // For de-synchronization of reconfirmation queries on the wire
+ mDNSs32 PktNum; // Unique sequence number assigned to each received packet
+ mDNSs32 MPktNum; // Unique sequence number assigned to each received Multicast packet
+ mDNSu8 LocalRemoveEvents; // Set if we may need to deliver remove events for local-only questions and/or local-only records
+ mDNSu8 SleepState; // Set if we're sleeping
+ mDNSu8 SleepSeqNum; // "Epoch number" of our current period of wakefulness
+ mDNSu8 SystemWakeOnLANEnabled; // Set if we want to register with a Sleep Proxy before going to sleep
+ mDNSu8 SentSleepProxyRegistration; // Set if we registered (or tried to register) with a Sleep Proxy
+ mDNSu8 SystemSleepOnlyIfWakeOnLAN; // Set if we may only sleep if we managed to register with a Sleep Proxy
+ mDNSs32 AnnounceOwner; // After waking from sleep, include OWNER option in packets until this time
+ mDNSs32 DelaySleep; // To inhibit re-sleeping too quickly right after wake
+ mDNSs32 SleepLimit; // Time window to allow deregistrations, etc.,
+ // during which underying platform layer should inhibit system sleep
+ mDNSs32 TimeSlept; // Time we went to sleep.
+
+ mDNSs32 StatStartTime; // Time we started gathering statistics during this interval.
+ mDNSs32 NextStatLogTime; // Next time to log statistics.
+ mDNSs32 ActiveStatTime; // Total time awake/gathering statistics for this log period.
+ mDNSs32 UnicastPacketsSent; // Number of unicast packets sent.
+ mDNSs32 MulticastPacketsSent; // Number of multicast packets sent.
+ mDNSs32 RemoteSubnet; // Multicast packets received from outside our subnet.
+
+ mDNSs32 NextScheduledSPRetry; // Time next sleep proxy registration action is required.
+ // Only valid if SleepLimit is nonzero and DelaySleep is zero.
+
+ mDNSs32 NextScheduledStopTime; // Next time to stop a question
+
+
+ // These fields only required for mDNS Searcher...
+ DNSQuestion *Questions; // List of all registered questions, active and inactive
+ DNSQuestion *NewQuestions; // Fresh questions not yet answered from cache
+ DNSQuestion *CurrentQuestion; // Next question about to be examined in AnswerLocalQuestions()
+ DNSQuestion *LocalOnlyQuestions; // Questions with InterfaceID set to mDNSInterface_LocalOnly or mDNSInterface_P2P
+ DNSQuestion *NewLocalOnlyQuestions; // Fresh local-only or P2P questions not yet answered
+ DNSQuestion *RestartQuestion; // Questions that are being restarted (stop followed by start)
+ DNSQuestion *ValidationQuestion; // Questions that are being validated (dnssec)
+ mDNSu32 rrcache_size; // Total number of available cache entries
+ mDNSu32 rrcache_totalused; // Number of cache entries currently occupied
+ mDNSu32 rrcache_totalused_unicast; // Number of cache entries currently occupied by unicast
+ mDNSu32 rrcache_active; // Number of cache entries currently occupied by records that answer active questions
+ mDNSu32 rrcache_report;
+ CacheEntity *rrcache_free;
+ CacheGroup *rrcache_hash[CACHE_HASH_SLOTS];
+ mDNSs32 rrcache_nextcheck[CACHE_HASH_SLOTS];
+
+ AuthHash rrauth;
+
+ // Fields below only required for mDNS Responder...
+ domainlabel nicelabel; // Rich text label encoded using canonically precomposed UTF-8
+ domainlabel hostlabel; // Conforms to RFC 1034 "letter-digit-hyphen" ARPANET host name rules
+ domainname MulticastHostname; // Fully Qualified "dot-local" Host Name, e.g. "Foo.local."
+ UTF8str255 HIHardware;
+ UTF8str255 HISoftware;
+ AuthRecord DeviceInfo;
+ AuthRecord *ResourceRecords;
+ AuthRecord *DuplicateRecords; // Records currently 'on hold' because they are duplicates of existing records
+ AuthRecord *NewLocalRecords; // Fresh AuthRecords (public) not yet delivered to our local-only questions
+ AuthRecord *CurrentRecord; // Next AuthRecord about to be examined
+ mDNSBool NewLocalOnlyRecords; // Fresh AuthRecords (local only) not yet delivered to our local questions
+ NetworkInterfaceInfo *HostInterfaces;
+ mDNSs32 ProbeFailTime;
+ mDNSu32 NumFailedProbes;
+ mDNSs32 SuppressProbes;
+ Platform_t mDNS_plat;
+
+ // Unicast-specific data
+ mDNSs32 NextuDNSEvent; // uDNS next event
+ mDNSs32 NextSRVUpdate; // Time to perform delayed update
+
+ DNSServer *DNSServers; // list of DNS servers
+ McastResolver *McastResolvers; // list of Mcast Resolvers
+
+ mDNSAddr Router;
+ mDNSAddr AdvertisedV4; // IPv4 address pointed to by hostname
+ mDNSAddr AdvertisedV6; // IPv6 address pointed to by hostname
+
+ DomainAuthInfo *AuthInfoList; // list of domains requiring authentication for updates
+
+ DNSQuestion ReverseMap; // Reverse-map query to find static hostname for service target
+ DNSQuestion AutomaticBrowseDomainQ;
+ domainname StaticHostname; // Current answer to reverse-map query
+ domainname FQDN;
+ HostnameInfo *Hostnames; // List of registered hostnames + hostname metadata
+ NATTraversalInfo AutoTunnelNAT; // Shared between all AutoTunnel DomainAuthInfo structs
+ mDNSv6Addr AutoTunnelRelayAddr;
+
+ mDNSu32 WABBrowseQueriesCount; // Number of WAB Browse domain enumeration queries (b, db) callers
+ mDNSu32 WABLBrowseQueriesCount; // Number of legacy WAB Browse domain enumeration queries (lb) callers
+ mDNSu32 WABRegQueriesCount; // Number of WAB Registration domain enumeration queries (r, dr) callers
+ mDNSu8 SearchDomainsHash[MD5_LEN];
+
+ // NAT-Traversal fields
+ NATTraversalInfo LLQNAT; // Single shared NAT Traversal to receive inbound LLQ notifications
+ NATTraversalInfo *NATTraversals;
+ NATTraversalInfo *CurrentNATTraversal;
+ mDNSs32 retryIntervalGetAddr; // delta between time sent and retry for NAT-PMP & UPnP/IGD external address request
+ mDNSs32 retryGetAddr; // absolute time when we retry for NAT-PMP & UPnP/IGD external address request
+ mDNSv4Addr ExtAddress; // the external address discovered via NAT-PMP or UPnP/IGD
+ mDNSu32 PCPNonce[3]; // the nonce if using PCP
+
+ UDPSocket *NATMcastRecvskt; // For receiving PCP & NAT-PMP announcement multicasts from router on port 5350
+ mDNSu32 LastNATupseconds; // NAT engine uptime in seconds, from most recent NAT packet
+ mDNSs32 LastNATReplyLocalTime; // Local time in ticks when most recent NAT packet was received
+ mDNSu16 LastNATMapResultCode; // Most recent error code for mappings
+
+ tcpLNTInfo tcpAddrInfo; // legacy NAT traversal TCP connection info for external address
+ tcpLNTInfo tcpDeviceInfo; // legacy NAT traversal TCP connection info for device info
+ tcpLNTInfo *tcpInfoUnmapList; // list of pending unmap requests
+ mDNSInterfaceID UPnPInterfaceID;
+ UDPSocket *SSDPSocket; // For SSDP request/response
+ mDNSBool SSDPWANPPPConnection; // whether we should send the SSDP query for WANIPConnection or WANPPPConnection
+ mDNSIPPort UPnPRouterPort; // port we send discovery messages to
+ mDNSIPPort UPnPSOAPPort; // port we send SOAP messages to
+ mDNSu8 *UPnPRouterURL; // router's URL string
+ mDNSBool UPnPWANPPPConnection; // whether we're using WANIPConnection or WANPPPConnection
+ mDNSu8 *UPnPSOAPURL; // router's SOAP control URL string
+ mDNSu8 *UPnPRouterAddressString; // holds both the router's address and port
+ mDNSu8 *UPnPSOAPAddressString; // holds both address and port for SOAP messages
+
+ // Sleep Proxy client fields
+ AuthRecord *SPSRRSet; // To help the client keep track of the records registered with the sleep proxy
+
+ // Sleep Proxy Server fields
+ mDNSu8 SPSType; // 0 = off, 10-99 encodes desirability metric
+ mDNSu8 SPSPortability; // 10-99
+ mDNSu8 SPSMarginalPower; // 10-99
+ mDNSu8 SPSTotalPower; // 10-99
+ mDNSu8 SPSFeatureFlags; // Features supported. Currently 1 = TCP KeepAlive supported.
+ mDNSu8 SPSState; // 0 = off, 1 = running, 2 = shutting down, 3 = suspended during sleep
+ mDNSInterfaceID SPSProxyListChanged;
+ UDPSocket *SPSSocket;
+#ifndef SPC_DISABLED
+ ServiceRecordSet SPSRecords;
+#endif
+ mDNSQuestionCallback *SPSBrowseCallback; // So the platform layer can do something useful with SPS browse results
+ int ProxyRecords; // Total number of records we're holding as proxy
+ #define MAX_PROXY_RECORDS 10000 /* DOS protection: 400 machines at 25 records each */
+
+#if APPLE_OSX_mDNSResponder
+ ClientTunnel *TunnelClients;
+ uuid_t asl_uuid; // uuid for ASL logging
+ void *WCF;
+#endif
+ // DNS Proxy fields
+ mDNSu32 dp_ipintf[MaxIp]; // input interface index list from the DNS Proxy Client
+ mDNSu32 dp_opintf; // output interface index from the DNS Proxy Client
+
+ TrustAnchor *TrustAnchors;
+ int notifyToken;
+ int uds_listener_skt; // Listening socket for incoming UDS clients
+ mDNSBool mDNSOppCaching; // Opportunistic Caching
+ mDNSu32 AutoTargetServices; // # of services that have AutoTarget set
+ DNSSECStatistics DNSSECStats;
+ mDNSStatistics mDNSStats;
+
+ // Fixed storage, to avoid creating large objects on the stack
+ // The imsg is declared as a union with a pointer type to enforce CPU-appropriate alignment
+ union { DNSMessage m; void *p; } imsg; // Incoming message received from wire
+ DNSMessage omsg; // Outgoing message we're building
+ LargeCacheRecord rec; // Resource Record extracted from received message
+};
+
+#define FORALL_CACHERECORDS(SLOT,CG,CR) \
+ for ((SLOT) = 0; (SLOT) < CACHE_HASH_SLOTS; (SLOT)++) \
+ for ((CG)=m->rrcache_hash[(SLOT)]; (CG); (CG)=(CG)->next) \
+ for ((CR) = (CG)->members; (CR); (CR)=(CR)->next)
+
+// ***************************************************************************
+#if 0
+#pragma mark -
+#pragma mark - Useful Static Constants
+#endif
+
+extern const mDNSInterfaceID mDNSInterface_Any; // Zero
+extern const mDNSInterfaceID mDNSInterface_LocalOnly; // Special value
+extern const mDNSInterfaceID mDNSInterface_Unicast; // Special value
+extern const mDNSInterfaceID mDNSInterfaceMark; // Special value
+extern const mDNSInterfaceID mDNSInterface_P2P; // Special value
+extern const mDNSInterfaceID uDNSInterfaceMark; // Special value
+
+extern const mDNSIPPort DiscardPort;
+extern const mDNSIPPort SSHPort;
+extern const mDNSIPPort UnicastDNSPort;
+extern const mDNSIPPort SSDPPort;
+extern const mDNSIPPort IPSECPort;
+extern const mDNSIPPort NSIPCPort;
+extern const mDNSIPPort NATPMPAnnouncementPort;
+extern const mDNSIPPort NATPMPPort;
+extern const mDNSIPPort DNSEXTPort;
+extern const mDNSIPPort MulticastDNSPort;
+extern const mDNSIPPort LoopbackIPCPort;
+extern const mDNSIPPort PrivateDNSPort;
+
+extern const OwnerOptData zeroOwner;
+
+extern const mDNSIPPort zeroIPPort;
+extern const mDNSv4Addr zerov4Addr;
+extern const mDNSv6Addr zerov6Addr;
+extern const mDNSEthAddr zeroEthAddr;
+extern const mDNSv4Addr onesIPv4Addr;
+extern const mDNSv6Addr onesIPv6Addr;
+extern const mDNSEthAddr onesEthAddr;
+extern const mDNSAddr zeroAddr;
+
+extern const mDNSv4Addr AllDNSAdminGroup;
+extern const mDNSv4Addr AllHosts_v4;
+extern const mDNSv6Addr AllHosts_v6;
+extern const mDNSv6Addr NDP_prefix;
+extern const mDNSEthAddr AllHosts_v6_Eth;
+extern const mDNSAddr AllDNSLinkGroup_v4;
+extern const mDNSAddr AllDNSLinkGroup_v6;
+
+extern const mDNSOpaque16 zeroID;
+extern const mDNSOpaque16 onesID;
+extern const mDNSOpaque16 QueryFlags;
+extern const mDNSOpaque16 uQueryFlags;
+extern const mDNSOpaque16 DNSSecQFlags;
+extern const mDNSOpaque16 ResponseFlags;
+extern const mDNSOpaque16 UpdateReqFlags;
+extern const mDNSOpaque16 UpdateRespFlags;
+
+extern const mDNSOpaque64 zeroOpaque64;
+
+extern mDNSBool StrictUnicastOrdering;
+extern mDNSu8 NumUnicastDNSServers;
+
+#define localdomain (*(const domainname *)"\x5" "local")
+#define DeviceInfoName (*(const domainname *)"\xC" "_device-info" "\x4" "_tcp")
+#define LocalDeviceInfoName (*(const domainname *)"\xC" "_device-info" "\x4" "_tcp" "\x5" "local")
+#define SleepProxyServiceType (*(const domainname *)"\xC" "_sleep-proxy" "\x4" "_udp")
+
+// ***************************************************************************
+#if 0
+#pragma mark -
+#pragma mark - Inline functions
+#endif
+
+#if (defined(_MSC_VER))
+ #define mDNSinline static __inline
+#elif ((__GNUC__ > 2) || ((__GNUC__ == 2) && (__GNUC_MINOR__ >= 9)))
+ #define mDNSinline static inline
+#endif
+
+// If we're not doing inline functions, then this header needs to have the extern declarations
+#if !defined(mDNSinline)
+extern mDNSs32 NonZeroTime(mDNSs32 t);
+extern mDNSu16 mDNSVal16(mDNSOpaque16 x);
+extern mDNSOpaque16 mDNSOpaque16fromIntVal(mDNSu16 v);
+#endif
+
+// If we're compiling the particular C file that instantiates our inlines, then we
+// define "mDNSinline" (to empty string) so that we generate code in the following section
+#if (!defined(mDNSinline) && mDNS_InstantiateInlines)
+#define mDNSinline
+#endif
+
+#ifdef mDNSinline
+
+mDNSinline mDNSs32 NonZeroTime(mDNSs32 t) { if (t) return(t);else return(1);}
+
+mDNSinline mDNSu16 mDNSVal16(mDNSOpaque16 x) { return((mDNSu16)((mDNSu16)x.b[0] << 8 | (mDNSu16)x.b[1])); }
+
+mDNSinline mDNSOpaque16 mDNSOpaque16fromIntVal(mDNSu16 v)
+{
+ mDNSOpaque16 x;
+ x.b[0] = (mDNSu8)(v >> 8);
+ x.b[1] = (mDNSu8)(v & 0xFF);
+ return(x);
+}
+
+#endif
+
+// ***************************************************************************
+#if 0
+#pragma mark -
+#pragma mark - Main Client Functions
+#endif
+
+// Every client should call mDNS_Init, passing in storage for the mDNS object and the mDNS_PlatformSupport object.
+//
+// Clients that are only advertising services should use mDNS_Init_NoCache and mDNS_Init_ZeroCacheSize.
+// Clients that plan to perform queries (mDNS_StartQuery, mDNS_StartBrowse, mDNS_StartResolveService, etc.)
+// need to provide storage for the resource record cache, or the query calls will return 'mStatus_NoCache'.
+// The rrcachestorage parameter is the address of memory for the resource record cache, and
+// the rrcachesize parameter is the number of entries in the CacheRecord array passed in.
+// (i.e. the size of the cache memory needs to be sizeof(CacheRecord) * rrcachesize).
+// OS X 10.3 Panther uses an initial cache size of 64 entries, and then mDNSCore sends an
+// mStatus_GrowCache message if it needs more.
+//
+// Most clients should use mDNS_Init_AdvertiseLocalAddresses. This causes mDNSCore to automatically
+// create the correct address records for all the hosts interfaces. If you plan to advertise
+// services being offered by the local machine, this is almost always what you want.
+// There are two cases where you might use mDNS_Init_DontAdvertiseLocalAddresses:
+// 1. A client-only device, that browses for services but doesn't advertise any of its own.
+// 2. A proxy-registration service, that advertises services being offered by other machines, and takes
+// the appropriate steps to manually create the correct address records for those other machines.
+// In principle, a proxy-like registration service could manually create address records for its own machine too,
+// but this would be pointless extra effort when using mDNS_Init_AdvertiseLocalAddresses does that for you.
+//
+// Note that a client-only device that wishes to prohibit multicast advertisements (e.g. from
+// higher-layer API calls) must also set DivertMulticastAdvertisements in the mDNS structure and
+// advertise local address(es) on a loopback interface.
+//
+// When mDNS has finished setting up the client's callback is called
+// A client can also spin and poll the mDNSPlatformStatus field to see when it changes from mStatus_Waiting to mStatus_NoError
+//
+// Call mDNS_StartExit to tidy up before exiting
+// Because exiting may be an asynchronous process (e.g. if unicast records need to be deregistered)
+// client layer may choose to wait until mDNS_ExitNow() returns true before calling mDNS_FinalExit().
+//
+// Call mDNS_Register with a completed AuthRecord object to register a resource record
+// If the resource record type is kDNSRecordTypeUnique (or kDNSknownunique) then if a conflicting resource record is discovered,
+// the resource record's mDNSRecordCallback will be called with error code mStatus_NameConflict. The callback should deregister
+// the record, and may then try registering the record again after picking a new name (e.g. by automatically appending a number).
+// Following deregistration, the RecordCallback will be called with result mStatus_MemFree to signal that it is safe to deallocate
+// the record's storage (memory must be freed asynchronously to allow for goodbye packets and dynamic update deregistration).
+//
+// Call mDNS_StartQuery to initiate a query. mDNS will proceed to issue Multicast DNS query packets, and any time a response
+// is received containing a record which matches the question, the DNSQuestion's mDNSAnswerCallback function will be called
+// Call mDNS_StopQuery when no more answers are required
+//
+// Care should be taken on multi-threaded or interrupt-driven environments.
+// The main mDNS routines call mDNSPlatformLock() on entry and mDNSPlatformUnlock() on exit;
+// each platform layer needs to implement these appropriately for its respective platform.
+// For example, if the support code on a particular platform implements timer callbacks at interrupt time, then
+// mDNSPlatformLock/Unlock need to disable interrupts or do similar concurrency control to ensure that the mDNS
+// code is not entered by an interrupt-time timer callback while in the middle of processing a client call.
+
+extern mStatus mDNS_Init (mDNS *const m, mDNS_PlatformSupport *const p,
+ CacheEntity *rrcachestorage, mDNSu32 rrcachesize,
+ mDNSBool AdvertiseLocalAddresses,
+ mDNSCallback *Callback, void *Context);
+// See notes above on use of NoCache/ZeroCacheSize
+#define mDNS_Init_NoCache mDNSNULL
+#define mDNS_Init_ZeroCacheSize 0
+// See notes above on use of Advertise/DontAdvertiseLocalAddresses
+#define mDNS_Init_AdvertiseLocalAddresses mDNStrue
+#define mDNS_Init_DontAdvertiseLocalAddresses mDNSfalse
+#define mDNS_Init_NoInitCallback mDNSNULL
+#define mDNS_Init_NoInitCallbackContext mDNSNULL
+
+extern void mDNS_ConfigChanged(mDNS *const m);
+extern void mDNS_GrowCache (mDNS *const m, CacheEntity *storage, mDNSu32 numrecords);
+extern void mDNS_GrowAuth (mDNS *const m, AuthEntity *storage, mDNSu32 numrecords);
+extern void mDNS_StartExit (mDNS *const m);
+extern void mDNS_FinalExit (mDNS *const m);
+#define mDNS_Close(m) do { mDNS_StartExit(m); mDNS_FinalExit(m); } while(0)
+#define mDNS_ExitNow(m, now) ((now) - (m)->ShutdownTime >= 0 || (!(m)->ResourceRecords))
+
+extern mDNSs32 mDNS_Execute (mDNS *const m);
+
+extern mStatus mDNS_Register (mDNS *const m, AuthRecord *const rr);
+extern mStatus mDNS_Update (mDNS *const m, AuthRecord *const rr, mDNSu32 newttl,
+ const mDNSu16 newrdlength, RData *const newrdata, mDNSRecordUpdateCallback *Callback);
+extern mStatus mDNS_Deregister(mDNS *const m, AuthRecord *const rr);
+
+extern mStatus mDNS_StartQuery(mDNS *const m, DNSQuestion *const question);
+extern mStatus mDNS_StopQuery (mDNS *const m, DNSQuestion *const question);
+extern mStatus mDNS_StopQueryWithRemoves(mDNS *const m, DNSQuestion *const question);
+extern mStatus mDNS_Reconfirm (mDNS *const m, CacheRecord *const cacherr);
+extern mStatus mDNS_Reconfirm_internal(mDNS *const m, CacheRecord *const rr, mDNSu32 interval);
+extern mStatus mDNS_ReconfirmByValue(mDNS *const m, ResourceRecord *const rr);
+extern void mDNS_PurgeCacheResourceRecord(mDNS *const m, CacheRecord *rr);
+extern mDNSs32 mDNS_TimeNow(const mDNS *const m);
+
+extern mStatus mDNS_StartNATOperation(mDNS *const m, NATTraversalInfo *traversal);
+extern mStatus mDNS_StopNATOperation(mDNS *const m, NATTraversalInfo *traversal);
+extern mStatus mDNS_StopNATOperation_internal(mDNS *m, NATTraversalInfo *traversal);
+
+extern DomainAuthInfo *GetAuthInfoForName(mDNS *m, const domainname *const name);
+
+extern void mDNS_UpdateAllowSleep(mDNS *const m);
+
+// ***************************************************************************
+#if 0
+#pragma mark -
+#pragma mark - Platform support functions that are accessible to the client layer too
+#endif
+
+extern mDNSs32 mDNSPlatformOneSecond;
+
+// ***************************************************************************
+#if 0
+#pragma mark -
+#pragma mark - General utility and helper functions
+#endif
+
+// mDNS_Dereg_normal is used for most calls to mDNS_Deregister_internal
+// mDNS_Dereg_rapid is used to send one goodbye instead of three, when we want the memory available for reuse sooner
+// mDNS_Dereg_conflict is used to indicate that this record is being forcibly deregistered because of a conflict
+// mDNS_Dereg_repeat is used when cleaning up, for records that may have already been forcibly deregistered
+typedef enum { mDNS_Dereg_normal, mDNS_Dereg_rapid, mDNS_Dereg_conflict, mDNS_Dereg_repeat } mDNS_Dereg_type;
+
+// mDNS_RegisterService is a single call to register the set of resource records associated with a given named service.
+//
+// mDNS_StartResolveService is single call which is equivalent to multiple calls to mDNS_StartQuery,
+// to find the IP address, port number, and demultiplexing information for a given named service.
+// As with mDNS_StartQuery, it executes asynchronously, and calls the ServiceInfoQueryCallback when the answer is
+// found. After the service is resolved, the client should call mDNS_StopResolveService to complete the transaction.
+// The client can also call mDNS_StopResolveService at any time to abort the transaction.
+//
+// mDNS_AddRecordToService adds an additional record to a Service Record Set. This record may be deregistered
+// via mDNS_RemoveRecordFromService, or by deregistering the service. mDNS_RemoveRecordFromService is passed a
+// callback to free the memory associated with the extra RR when it is safe to do so. The ExtraResourceRecord
+// object can be found in the record's context pointer.
+
+// mDNS_GetBrowseDomains is a special case of the mDNS_StartQuery call, where the resulting answers
+// are a list of PTR records indicating (in the rdata) domains that are recommended for browsing.
+// After getting the list of domains to browse, call mDNS_StopQuery to end the search.
+// mDNS_GetDefaultBrowseDomain returns the name of the domain that should be highlighted by default.
+//
+// mDNS_GetRegistrationDomains and mDNS_GetDefaultRegistrationDomain are the equivalent calls to get the list
+// of one or more domains that should be offered to the user as choices for where they may register their service,
+// and the default domain in which to register in the case where the user has made no selection.
+
+extern void mDNS_SetupResourceRecord(AuthRecord *rr, RData *RDataStorage, mDNSInterfaceID InterfaceID,
+ mDNSu16 rrtype, mDNSu32 ttl, mDNSu8 RecordType, AuthRecType artype, mDNSRecordCallback Callback, void *Context);
+
+// mDNS_RegisterService() flags parameter bit definitions.
+// Note these are only defined to transfer the corresponding DNSServiceFlags settings into mDNSCore routines,
+// since code in mDNSCore does not include the DNSServiceFlags definitions in dns_sd.h.
+enum
+{
+ coreFlagIncludeP2P = 0x1, // include P2P interfaces when using mDNSInterface_Any
+ coreFlagIncludeAWDL = 0x2, // include AWDL interface when using mDNSInterface_Any
+ coreFlagKnownUnique = 0x4, // client guarantees that SRV and TXT record names are unique
+ coreFlagWakeOnly = 0x8 // Service won't be registered with sleep proxy
+};
+
+extern mStatus mDNS_RegisterService (mDNS *const m, ServiceRecordSet *sr,
+ const domainlabel *const name, const domainname *const type, const domainname *const domain,
+ const domainname *const host, mDNSIPPort port, const mDNSu8 txtinfo[], mDNSu16 txtlen,
+ AuthRecord *SubTypes, mDNSu32 NumSubTypes,
+ mDNSInterfaceID InterfaceID, mDNSServiceCallback Callback, void *Context, mDNSu32 flags);
+extern mStatus mDNS_AddRecordToService(mDNS *const m, ServiceRecordSet *sr, ExtraResourceRecord *extra, RData *rdata, mDNSu32 ttl, mDNSu32 flags);
+extern mStatus mDNS_RemoveRecordFromService(mDNS *const m, ServiceRecordSet *sr, ExtraResourceRecord *extra, mDNSRecordCallback MemFreeCallback, void *Context);
+extern mStatus mDNS_RenameAndReregisterService(mDNS *const m, ServiceRecordSet *const sr, const domainlabel *newname);
+extern mStatus mDNS_DeregisterService_drt(mDNS *const m, ServiceRecordSet *sr, mDNS_Dereg_type drt);
+#define mDNS_DeregisterService(M,S) mDNS_DeregisterService_drt((M), (S), mDNS_Dereg_normal)
+
+extern mStatus mDNS_RegisterNoSuchService(mDNS *const m, AuthRecord *const rr,
+ const domainlabel *const name, const domainname *const type, const domainname *const domain,
+ const domainname *const host,
+ const mDNSInterfaceID InterfaceID, mDNSRecordCallback Callback, void *Context, mDNSu32 flags);
+#define mDNS_DeregisterNoSuchService mDNS_Deregister
+
+extern void mDNS_SetupQuestion(DNSQuestion *const q, const mDNSInterfaceID InterfaceID, const domainname *const name,
+ const mDNSu16 qtype, mDNSQuestionCallback *const callback, void *const context);
+
+extern mStatus mDNS_StartBrowse(mDNS *const m, DNSQuestion *const question,
+ const domainname *const srv, const domainname *const domain, const mDNSu8 *anondata,
+ const mDNSInterfaceID InterfaceID, mDNSu32 flags,
+ mDNSBool ForceMCast, mDNSBool useBackgroundTrafficClass,
+ mDNSQuestionCallback *Callback, void *Context);
+#define mDNS_StopBrowse mDNS_StopQuery
+
+extern mStatus mDNS_StartResolveService(mDNS *const m, ServiceInfoQuery *query, ServiceInfo *info, mDNSServiceInfoQueryCallback *Callback, void *Context);
+extern void mDNS_StopResolveService (mDNS *const m, ServiceInfoQuery *query);
+
+typedef enum
+{
+ mDNS_DomainTypeBrowse = 0,
+ mDNS_DomainTypeBrowseDefault = 1,
+ mDNS_DomainTypeBrowseAutomatic = 2,
+ mDNS_DomainTypeRegistration = 3,
+ mDNS_DomainTypeRegistrationDefault = 4,
+
+ mDNS_DomainTypeMax = 4
+} mDNS_DomainType;
+
+extern const char *const mDNS_DomainTypeNames[];
+
+extern mStatus mDNS_GetDomains(mDNS *const m, DNSQuestion *const question, mDNS_DomainType DomainType, const domainname *dom,
+ const mDNSInterfaceID InterfaceID, mDNSQuestionCallback *Callback, void *Context);
+#define mDNS_StopGetDomains mDNS_StopQuery
+extern mStatus mDNS_AdvertiseDomains(mDNS *const m, AuthRecord *rr, mDNS_DomainType DomainType, const mDNSInterfaceID InterfaceID, char *domname);
+#define mDNS_StopAdvertiseDomains mDNS_Deregister
+
+extern mDNSOpaque16 mDNS_NewMessageID(mDNS *const m);
+extern mDNSBool mDNS_AddressIsLocalSubnet(mDNS *const m, const mDNSInterfaceID InterfaceID, const mDNSAddr *addr, mDNSBool *myself);
+
+extern DNSServer *GetServerForQuestion(mDNS *m, DNSQuestion *question);
+extern mDNSu32 SetValidDNSServers(mDNS *m, DNSQuestion *question);
+
+// ***************************************************************************
+#if 0
+#pragma mark -
+#pragma mark - DNS name utility functions
+#endif
+
+// In order to expose the full capabilities of the DNS protocol (which allows any arbitrary eight-bit values
+// in domain name labels, including unlikely characters like ascii nulls and even dots) all the mDNS APIs
+// work with DNS's native length-prefixed strings. For convenience in C, the following utility functions
+// are provided for converting between C's null-terminated strings and DNS's length-prefixed strings.
+
+// Assignment
+// A simple C structure assignment of a domainname can cause a protection fault by accessing unmapped memory,
+// because that object is defined to be 256 bytes long, but not all domainname objects are truly the full size.
+// This macro uses mDNSPlatformMemCopy() to make sure it only touches the actual bytes that are valid.
+#define AssignDomainName(DST, SRC) do { mDNSu16 len__ = DomainNameLength((SRC)); \
+ if (len__ <= MAX_DOMAIN_NAME) mDNSPlatformMemCopy((DST)->c, (SRC)->c, len__);else (DST)->c[0] = 0;} while(0)
+
+// Comparison functions
+#define SameDomainLabelCS(A,B) ((A)[0] == (B)[0] && mDNSPlatformMemSame((A)+1, (B)+1, (A)[0]))
+extern mDNSBool SameDomainLabel(const mDNSu8 *a, const mDNSu8 *b);
+extern mDNSBool SameDomainName(const domainname *const d1, const domainname *const d2);
+extern mDNSBool SameDomainNameCS(const domainname *const d1, const domainname *const d2);
+typedef mDNSBool DomainNameComparisonFn (const domainname *const d1, const domainname *const d2);
+extern mDNSBool IsLocalDomain(const domainname *d); // returns true for domains that by default should be looked up using link-local multicast
+
+#define StripFirstLabel(X) ((const domainname *)& (X)->c[(X)->c[0] ? 1 + (X)->c[0] : 0])
+
+#define FirstLabel(X) ((const domainlabel *)(X))
+#define SecondLabel(X) ((const domainlabel *)StripFirstLabel(X))
+#define ThirdLabel(X) ((const domainlabel *)StripFirstLabel(StripFirstLabel(X)))
+
+extern const mDNSu8 *LastLabel(const domainname *d);
+
+// Get total length of domain name, in native DNS format, including terminal root label
+// (e.g. length of "com." is 5 (length byte, three data bytes, final zero)
+extern mDNSu16 DomainNameLengthLimit(const domainname *const name, const mDNSu8 *limit);
+#define DomainNameLength(name) DomainNameLengthLimit((name), (name)->c + MAX_DOMAIN_NAME)
+
+// Append functions to append one or more labels to an existing native format domain name:
+// AppendLiteralLabelString adds a single label from a literal C string, with no escape character interpretation.
+// AppendDNSNameString adds zero or more labels from a C string using conventional DNS dots-and-escaping interpretation
+// AppendDomainLabel adds a single label from a native format domainlabel
+// AppendDomainName adds zero or more labels from a native format domainname
+extern mDNSu8 *AppendLiteralLabelString(domainname *const name, const char *cstr);
+extern mDNSu8 *AppendDNSNameString (domainname *const name, const char *cstr);
+extern mDNSu8 *AppendDomainLabel (domainname *const name, const domainlabel *const label);
+extern mDNSu8 *AppendDomainName (domainname *const name, const domainname *const append);
+
+// Convert from null-terminated string to native DNS format:
+// The DomainLabel form makes a single label from a literal C string, with no escape character interpretation.
+// The DomainName form makes native format domain name from a C string using conventional DNS interpretation:
+// dots separate labels, and within each label, '\.' represents a literal dot, '\\' represents a literal
+// backslash and backslash with three decimal digits (e.g. \000) represents an arbitrary byte value.
+extern mDNSBool MakeDomainLabelFromLiteralString(domainlabel *const label, const char *cstr);
+extern mDNSu8 *MakeDomainNameFromDNSNameString (domainname *const name, const char *cstr);
+
+// Convert native format domainlabel or domainname back to C string format
+// IMPORTANT:
+// When using ConvertDomainLabelToCString, the target buffer must be MAX_ESCAPED_DOMAIN_LABEL (254) bytes long
+// to guarantee there will be no buffer overrun. It is only safe to use a buffer shorter than this in rare cases
+// where the label is known to be constrained somehow (for example, if the label is known to be either "_tcp" or "_udp").
+// Similarly, when using ConvertDomainNameToCString, the target buffer must be MAX_ESCAPED_DOMAIN_NAME (1009) bytes long.
+// See definitions of MAX_ESCAPED_DOMAIN_LABEL and MAX_ESCAPED_DOMAIN_NAME for more detailed explanation.
+extern char *ConvertDomainLabelToCString_withescape(const domainlabel *const name, char *cstr, char esc);
+#define ConvertDomainLabelToCString_unescaped(D,C) ConvertDomainLabelToCString_withescape((D), (C), 0)
+#define ConvertDomainLabelToCString(D,C) ConvertDomainLabelToCString_withescape((D), (C), '\\')
+extern char *ConvertDomainNameToCString_withescape(const domainname *const name, char *cstr, char esc);
+#define ConvertDomainNameToCString_unescaped(D,C) ConvertDomainNameToCString_withescape((D), (C), 0)
+#define ConvertDomainNameToCString(D,C) ConvertDomainNameToCString_withescape((D), (C), '\\')
+
+extern void ConvertUTF8PstringToRFC1034HostLabel(const mDNSu8 UTF8Name[], domainlabel *const hostlabel);
+
+extern mDNSu8 *ConstructServiceName(domainname *const fqdn, const domainlabel *name, const domainname *type, const domainname *const domain);
+extern mDNSBool DeconstructServiceName(const domainname *const fqdn, domainlabel *const name, domainname *const type, domainname *const domain);
+
+// Note: Some old functions have been replaced by more sensibly-named versions.
+// You can uncomment the hash-defines below if you don't want to have to change your source code right away.
+// When updating your code, note that (unlike the old versions) *all* the new routines take the target object
+// as their first parameter.
+//#define ConvertCStringToDomainName(SRC,DST) MakeDomainNameFromDNSNameString((DST),(SRC))
+//#define ConvertCStringToDomainLabel(SRC,DST) MakeDomainLabelFromLiteralString((DST),(SRC))
+//#define AppendStringLabelToName(DST,SRC) AppendLiteralLabelString((DST),(SRC))
+//#define AppendStringNameToName(DST,SRC) AppendDNSNameString((DST),(SRC))
+//#define AppendDomainLabelToName(DST,SRC) AppendDomainLabel((DST),(SRC))
+//#define AppendDomainNameToName(DST,SRC) AppendDomainName((DST),(SRC))
+
+// ***************************************************************************
+#if 0
+#pragma mark -
+#pragma mark - Other utility functions and macros
+#endif
+
+// mDNS_vsnprintf/snprintf return the number of characters written, excluding the final terminating null.
+// The output is always null-terminated: for example, if the output turns out to be exactly buflen long,
+// then the output will be truncated by one character to allow space for the terminating null.
+// Unlike standard C vsnprintf/snprintf, they return the number of characters *actually* written,
+// not the number of characters that *would* have been printed were buflen unlimited.
+extern mDNSu32 mDNS_vsnprintf(char *sbuffer, mDNSu32 buflen, const char *fmt, va_list arg);
+extern mDNSu32 mDNS_snprintf(char *sbuffer, mDNSu32 buflen, const char *fmt, ...) IS_A_PRINTF_STYLE_FUNCTION(3,4);
+extern mDNSu32 NumCacheRecordsForInterfaceID(const mDNS *const m, mDNSInterfaceID id);
+extern char *DNSTypeName(mDNSu16 rrtype);
+extern char *GetRRDisplayString_rdb(const ResourceRecord *const rr, const RDataBody *const rd1, char *const buffer);
+#define RRDisplayString(m, rr) GetRRDisplayString_rdb(rr, &(rr)->rdata->u, (m)->MsgBuffer)
+#define ARDisplayString(m, rr) GetRRDisplayString_rdb(&(rr)->resrec, &(rr)->resrec.rdata->u, (m)->MsgBuffer)
+#define CRDisplayString(m, rr) GetRRDisplayString_rdb(&(rr)->resrec, &(rr)->resrec.rdata->u, (m)->MsgBuffer)
+extern mDNSBool mDNSSameAddress(const mDNSAddr *ip1, const mDNSAddr *ip2);
+extern void IncrementLabelSuffix(domainlabel *name, mDNSBool RichText);
+extern mDNSBool mDNSv4AddrIsRFC1918(const mDNSv4Addr * const addr); // returns true for RFC1918 private addresses
+#define mDNSAddrIsRFC1918(X) ((X)->type == mDNSAddrType_IPv4 && mDNSv4AddrIsRFC1918(&(X)->ip.v4))
+
+// For PCP
+extern void mDNSAddrMapIPv4toIPv6(mDNSv4Addr* in, mDNSv6Addr* out);
+extern mDNSBool mDNSAddrIPv4FromMappedIPv6(mDNSv6Addr *in, mDNSv4Addr *out);
+
+#define mDNSSameIPPort(A,B) ((A).NotAnInteger == (B).NotAnInteger)
+#define mDNSSameOpaque16(A,B) ((A).NotAnInteger == (B).NotAnInteger)
+#define mDNSSameOpaque32(A,B) ((A).NotAnInteger == (B).NotAnInteger)
+#define mDNSSameOpaque64(A,B) ((A)->l[0] == (B)->l[0] && (A)->l[1] == (B)->l[1])
+
+#define mDNSSameIPv4Address(A,B) ((A).NotAnInteger == (B).NotAnInteger)
+#define mDNSSameIPv6Address(A,B) ((A).l[0] == (B).l[0] && (A).l[1] == (B).l[1] && (A).l[2] == (B).l[2] && (A).l[3] == (B).l[3])
+#define mDNSSameIPv6NetworkPart(A,B) ((A).l[0] == (B).l[0] && (A).l[1] == (B).l[1])
+#define mDNSSameEthAddress(A,B) ((A)->w[0] == (B)->w[0] && (A)->w[1] == (B)->w[1] && (A)->w[2] == (B)->w[2])
+
+#define mDNSIPPortIsZero(A) ((A).NotAnInteger == 0)
+#define mDNSOpaque16IsZero(A) ((A).NotAnInteger == 0)
+#define mDNSOpaque64IsZero(A) (((A)->l[0] | (A)->l[1] ) == 0)
+#define mDNSIPv4AddressIsZero(A) ((A).NotAnInteger == 0)
+#define mDNSIPv6AddressIsZero(A) (((A).l[0] | (A).l[1] | (A).l[2] | (A).l[3]) == 0)
+#define mDNSEthAddressIsZero(A) (((A).w[0] | (A).w[1] | (A).w[2] ) == 0)
+
+#define mDNSIPv4AddressIsOnes(A) ((A).NotAnInteger == 0xFFFFFFFF)
+#define mDNSIPv6AddressIsOnes(A) (((A).l[0] & (A).l[1] & (A).l[2] & (A).l[3]) == 0xFFFFFFFF)
+
+#define mDNSAddressIsAllDNSLinkGroup(X) ( \
+ ((X)->type == mDNSAddrType_IPv4 && mDNSSameIPv4Address((X)->ip.v4, AllDNSLinkGroup_v4.ip.v4)) || \
+ ((X)->type == mDNSAddrType_IPv6 && mDNSSameIPv6Address((X)->ip.v6, AllDNSLinkGroup_v6.ip.v6)) )
+
+#define mDNSAddressIsZero(X) ( \
+ ((X)->type == mDNSAddrType_IPv4 && mDNSIPv4AddressIsZero((X)->ip.v4)) || \
+ ((X)->type == mDNSAddrType_IPv6 && mDNSIPv6AddressIsZero((X)->ip.v6)) )
+
+#define mDNSAddressIsValidNonZero(X) ( \
+ ((X)->type == mDNSAddrType_IPv4 && !mDNSIPv4AddressIsZero((X)->ip.v4)) || \
+ ((X)->type == mDNSAddrType_IPv6 && !mDNSIPv6AddressIsZero((X)->ip.v6)) )
+
+#define mDNSAddressIsOnes(X) ( \
+ ((X)->type == mDNSAddrType_IPv4 && mDNSIPv4AddressIsOnes((X)->ip.v4)) || \
+ ((X)->type == mDNSAddrType_IPv6 && mDNSIPv6AddressIsOnes((X)->ip.v6)) )
+
+#define mDNSAddressIsValid(X) ( \
+ ((X)->type == mDNSAddrType_IPv4) ? !(mDNSIPv4AddressIsZero((X)->ip.v4) || mDNSIPv4AddressIsOnes((X)->ip.v4)) : \
+ ((X)->type == mDNSAddrType_IPv6) ? !(mDNSIPv6AddressIsZero((X)->ip.v6) || mDNSIPv6AddressIsOnes((X)->ip.v6)) : mDNSfalse)
+
+#define mDNSv4AddressIsLinkLocal(X) ((X)->b[0] == 169 && (X)->b[1] == 254)
+#define mDNSv6AddressIsLinkLocal(X) ((X)->b[0] == 0xFE && ((X)->b[1] & 0xC0) == 0x80)
+
+#define mDNSAddressIsLinkLocal(X) ( \
+ ((X)->type == mDNSAddrType_IPv4) ? mDNSv4AddressIsLinkLocal(&(X)->ip.v4) : \
+ ((X)->type == mDNSAddrType_IPv6) ? mDNSv6AddressIsLinkLocal(&(X)->ip.v6) : mDNSfalse)
+
+#define mDNSv4AddressIsLoopback(X) ((X)->b[0] == 127 && (X)->b[1] == 0 && (X)->b[2] == 0 && (X)->b[3] == 1)
+#define mDNSv6AddressIsLoopback(X) ((((X)->l[0] | (X)->l[1] | (X)->l[2]) == 0) && ((X)->b[12] == 0 && (X)->b[13] == 0 && (X)->b[14] == 0 && (X)->b[15] == 1))
+
+#define mDNSAddressIsLoopback(X) ( \
+ ((X)->type == mDNSAddrType_IPv4) ? mDNSv4AddressIsLoopback(&(X)->ip.v4) : \
+ ((X)->type == mDNSAddrType_IPv6) ? mDNSv6AddressIsLoopback(&(X)->ip.v6) : mDNSfalse)
+
+// ***************************************************************************
+#if 0
+#pragma mark -
+#pragma mark - Authentication Support
+#endif
+
+// Unicast DNS and Dynamic Update specific Client Calls
+//
+// mDNS_SetSecretForDomain tells the core to authenticate (via TSIG with an HMAC_MD5 hash of the shared secret)
+// when dynamically updating a given zone (and its subdomains). The key used in authentication must be in
+// domain name format. The shared secret must be a null-terminated base64 encoded string. A minimum size of
+// 16 bytes (128 bits) is recommended for an MD5 hash as per RFC 2485.
+// Calling this routine multiple times for a zone replaces previously entered values. Call with a NULL key
+// to disable authentication for the zone. A non-NULL autoTunnelPrefix means this is an AutoTunnel domain,
+// and the value is prepended to the IPSec identifier (used for key lookup)
+
+extern mStatus mDNS_SetSecretForDomain(mDNS *m, DomainAuthInfo *info,
+ const domainname *domain, const domainname *keyname, const char *b64keydata, const domainname *hostname, mDNSIPPort *port, mDNSBool autoTunnel);
+
+extern void RecreateNATMappings(mDNS *const m, const mDNSu32 waitTicks);
+
+// Hostname/Unicast Interface Configuration
+
+// All hostnames advertised point to one IPv4 address and/or one IPv6 address, set via SetPrimaryInterfaceInfo. Invoking this routine
+// updates all existing hostnames to point to the new address.
+
+// A hostname is added via AddDynDNSHostName, which points to the primary interface's v4 and/or v6 addresss
+
+// The status callback is invoked to convey success or failure codes - the callback should not modify the AuthRecord or free memory.
+// Added hostnames may be removed (deregistered) via mDNS_RemoveDynDNSHostName.
+
+// Host domains added prior to specification of the primary interface address and computer name will be deferred until
+// these values are initialized.
+
+// DNS servers used to resolve unicast queries are specified by mDNS_AddDNSServer.
+// For "split" DNS configurations, in which queries for different domains are sent to different servers (e.g. VPN and external),
+// a domain may be associated with a DNS server. For standard configurations, specify the root label (".") or NULL.
+
+extern void mDNS_AddDynDNSHostName(mDNS *m, const domainname *fqdn, mDNSRecordCallback *StatusCallback, const void *StatusContext);
+extern void mDNS_RemoveDynDNSHostName(mDNS *m, const domainname *fqdn);
+extern void mDNS_SetPrimaryInterfaceInfo(mDNS *m, const mDNSAddr *v4addr, const mDNSAddr *v6addr, const mDNSAddr *router);
+extern DNSServer *mDNS_AddDNSServer(mDNS *const m, const domainname *d, const mDNSInterfaceID interface, mDNSs32 serviceID, const mDNSAddr *addr,
+ const mDNSIPPort port, mDNSu32 scoped, mDNSu32 timeout, mDNSBool cellIntf, mDNSu16 resGroupID, mDNSBool reqA,
+ mDNSBool reqAAAA, mDNSBool reqDO);
+extern void PenalizeDNSServer(mDNS *const m, DNSQuestion *q, mDNSOpaque16 responseFlags);
+extern void mDNS_AddSearchDomain(const domainname *const domain, mDNSInterfaceID InterfaceID);
+
+extern McastResolver *mDNS_AddMcastResolver(mDNS *const m, const domainname *d, const mDNSInterfaceID interface, mDNSu32 timeout);
+
+// We use ((void *)0) here instead of mDNSNULL to avoid compile warnings on gcc 4.2
+#define mDNS_AddSearchDomain_CString(X, I) \
+ do { domainname d__; if (((X) != (void*)0) && MakeDomainNameFromDNSNameString(&d__, (X)) && d__.c[0]) mDNS_AddSearchDomain(&d__, I);} while(0)
+
+// Routines called by the core, exported by DNSDigest.c
+
+// Convert an arbitrary base64 encoded key key into an HMAC key (stored in AuthInfo struct)
+extern mDNSs32 DNSDigest_ConstructHMACKeyfromBase64(DomainAuthInfo *info, const char *b64key);
+
+// sign a DNS message. The message must be complete, with all values in network byte order. end points to the end
+// of the message, and is modified by this routine. numAdditionals is a pointer to the number of additional
+// records in HOST byte order, which is incremented upon successful completion of this routine. The function returns
+// the new end pointer on success, and NULL on failure.
+extern void DNSDigest_SignMessage(DNSMessage *msg, mDNSu8 **end, DomainAuthInfo *info, mDNSu16 tcode);
+
+#define SwapDNSHeaderBytes(M) do { \
+ (M)->h.numQuestions = (mDNSu16)((mDNSu8 *)&(M)->h.numQuestions )[0] << 8 | ((mDNSu8 *)&(M)->h.numQuestions )[1]; \
+ (M)->h.numAnswers = (mDNSu16)((mDNSu8 *)&(M)->h.numAnswers )[0] << 8 | ((mDNSu8 *)&(M)->h.numAnswers )[1]; \
+ (M)->h.numAuthorities = (mDNSu16)((mDNSu8 *)&(M)->h.numAuthorities)[0] << 8 | ((mDNSu8 *)&(M)->h.numAuthorities)[1]; \
+ (M)->h.numAdditionals = (mDNSu16)((mDNSu8 *)&(M)->h.numAdditionals)[0] << 8 | ((mDNSu8 *)&(M)->h.numAdditionals)[1]; \
+} while (0)
+
+#define DNSDigest_SignMessageHostByteOrder(M,E,INFO) \
+ do { SwapDNSHeaderBytes(M); DNSDigest_SignMessage((M), (E), (INFO), 0); SwapDNSHeaderBytes(M); } while (0)
+
+// verify a DNS message. The message must be complete, with all values in network byte order. end points to the
+// end of the record. tsig is a pointer to the resource record that contains the TSIG OPT record. info is
+// the matching key to use for verifying the message. This function expects that the additionals member
+// of the DNS message header has already had one subtracted from it.
+extern mDNSBool DNSDigest_VerifyMessage(DNSMessage *msg, mDNSu8 *end, LargeCacheRecord *tsig, DomainAuthInfo *info, mDNSu16 *rcode, mDNSu16 *tcode);
+
+// ***************************************************************************
+#if 0
+#pragma mark -
+#pragma mark - PlatformSupport interface
+#endif
+
+// This section defines the interface to the Platform Support layer.
+// Normal client code should not use any of types defined here, or directly call any of the functions defined here.
+// The definitions are placed here because sometimes clients do use these calls indirectly, via other supported client operations.
+// For example, AssignDomainName is a macro defined using mDNSPlatformMemCopy()
+
+// Every platform support module must provide the following functions.
+// mDNSPlatformInit() typically opens a communication endpoint, and starts listening for mDNS packets.
+// When Setup is complete, the platform support layer calls mDNSCoreInitComplete().
+// mDNSPlatformSendUDP() sends one UDP packet
+// When a packet is received, the PlatformSupport code calls mDNSCoreReceive()
+// mDNSPlatformClose() tidies up on exit
+//
+// Note: mDNSPlatformMemAllocate/mDNSPlatformMemFree are only required for handling oversized resource records and unicast DNS.
+// If your target platform has a well-defined specialized application, and you know that all the records it uses
+// are InlineCacheRDSize or less, then you can just make a simple mDNSPlatformMemAllocate() stub that always returns
+// NULL. InlineCacheRDSize is a compile-time constant, which is set by default to 68. If you need to handle records
+// a little larger than this and you don't want to have to implement run-time allocation and freeing, then you
+// can raise the value of this constant to a suitable value (at the expense of increased memory usage).
+//
+// USE CAUTION WHEN CALLING mDNSPlatformRawTime: The m->timenow_adjust correction factor needs to be added
+// Generally speaking:
+// Code that's protected by the main mDNS lock should just use the m->timenow value
+// Code outside the main mDNS lock should use mDNS_TimeNow(m) to get properly adjusted time
+// In certain cases there may be reasons why it's necessary to get the time without taking the lock first
+// (e.g. inside the routines that are doing the locking and unlocking, where a call to get the lock would result in a
+// recursive loop); in these cases use mDNS_TimeNow_NoLock(m) to get mDNSPlatformRawTime with the proper correction factor added.
+//
+// mDNSPlatformUTC returns the time, in seconds, since Jan 1st 1970 UTC and is required for generating TSIG records
+
+extern mStatus mDNSPlatformInit (mDNS *const m);
+extern void mDNSPlatformClose (mDNS *const m);
+extern mStatus mDNSPlatformSendUDP(const mDNS *const m, const void *const msg, const mDNSu8 *const end,
+ mDNSInterfaceID InterfaceID, UDPSocket *src, const mDNSAddr *dst,
+ mDNSIPPort dstport, mDNSBool useBackgroundTrafficClass);
+
+extern mDNSBool mDNSPlatformPeekUDP (mDNS *const m, UDPSocket *src);
+extern void mDNSPlatformLock (const mDNS *const m);
+extern void mDNSPlatformUnlock (const mDNS *const m);
+
+extern void mDNSPlatformStrCopy ( void *dst, const void *src);
+extern mDNSu32 mDNSPlatformStrLen ( const void *src);
+extern void mDNSPlatformMemCopy ( void *dst, const void *src, mDNSu32 len);
+extern mDNSBool mDNSPlatformMemSame (const void *dst, const void *src, mDNSu32 len);
+extern int mDNSPlatformMemCmp (const void *dst, const void *src, mDNSu32 len);
+extern void mDNSPlatformMemZero ( void *dst, mDNSu32 len);
+extern void mDNSPlatformQsort (void *base, int nel, int width, int (*compar)(const void *, const void *));
+#if APPLE_OSX_mDNSResponder && MACOSX_MDNS_MALLOC_DEBUGGING
+#define mDNSPlatformMemAllocate(X) mallocL(# X, X)
+#else
+extern void * mDNSPlatformMemAllocate (mDNSu32 len);
+#endif
+extern void mDNSPlatformMemFree (void *mem);
+
+// If the platform doesn't have a strong PRNG, we define a naive multiply-and-add based on a seed
+// from the platform layer. Long-term, we should embed an arc4 implementation, but the strength
+// will still depend on the randomness of the seed.
+#if !defined(_PLATFORM_HAS_STRONG_PRNG_) && (_BUILDING_XCODE_PROJECT_ || defined(_WIN32))
+#define _PLATFORM_HAS_STRONG_PRNG_ 1
+#endif
+#if _PLATFORM_HAS_STRONG_PRNG_
+extern mDNSu32 mDNSPlatformRandomNumber(void);
+#else
+extern mDNSu32 mDNSPlatformRandomSeed (void);
+#endif // _PLATFORM_HAS_STRONG_PRNG_
+
+extern mStatus mDNSPlatformTimeInit (void);
+extern mDNSs32 mDNSPlatformRawTime (void);
+extern mDNSs32 mDNSPlatformUTC (void);
+#define mDNS_TimeNow_NoLock(m) (mDNSPlatformRawTime() + (m)->timenow_adjust)
+
+#if MDNS_DEBUGMSGS
+extern void mDNSPlatformWriteDebugMsg(const char *msg);
+#endif
+extern void mDNSPlatformWriteLogMsg(const char *ident, const char *msg, mDNSLogLevel_t loglevel);
+
+#if APPLE_OSX_mDNSResponder
+// Utility function for ASL logging
+mDNSexport void mDNSASLLog(uuid_t *uuid, const char *subdomain, const char *result, const char *signature, const char *fmt, ...);
+
+// Log unicast and multicast traffic statistics once a day. Also used for DNSSEC statistics.
+#define kDefaultNextStatsticsLogTime (24 * 60 * 60)
+
+extern void mDNSLogStatistics(mDNS *const m);
+
+#endif // APPLE_OSX_mDNSResponder
+
+// Platform support modules should provide the following functions to map between opaque interface IDs
+// and interface indexes in order to support the DNS-SD API. If your target platform does not support
+// multiple interfaces and/or does not support the DNS-SD API, these functions can be empty.
+extern mDNSInterfaceID mDNSPlatformInterfaceIDfromInterfaceIndex(mDNS *const m, mDNSu32 ifindex);
+extern mDNSu32 mDNSPlatformInterfaceIndexfromInterfaceID(mDNS *const m, mDNSInterfaceID id, mDNSBool suppressNetworkChange);
+
+// Every platform support module must provide the following functions if it is to support unicast DNS
+// and Dynamic Update.
+// All TCP socket operations implemented by the platform layer MUST NOT BLOCK.
+// mDNSPlatformTCPConnect initiates a TCP connection with a peer, adding the socket descriptor to the
+// main event loop. The return value indicates whether the connection succeeded, failed, or is pending
+// (i.e. the call would block.) On return, the descriptor parameter is set to point to the connected socket.
+// The TCPConnectionCallback is subsequently invoked when the connection
+// completes (in which case the ConnectionEstablished parameter is true), or data is available for
+// reading on the socket (indicated by the ConnectionEstablished parameter being false.) If the connection
+// asynchronously fails, the TCPConnectionCallback should be invoked as usual, with the error being
+// returned in subsequent calls to PlatformReadTCP or PlatformWriteTCP. (This allows for platforms
+// with limited asynchronous error detection capabilities.) PlatformReadTCP and PlatformWriteTCP must
+// return the number of bytes read/written, 0 if the call would block, and -1 if an error. PlatformReadTCP
+// should set the closed argument if the socket has been closed.
+// PlatformTCPCloseConnection must close the connection to the peer and remove the descriptor from the
+// event loop. CloseConnectin may be called at any time, including in a ConnectionCallback.
+
+typedef enum
+{
+ kTCPSocketFlags_Zero = 0,
+ kTCPSocketFlags_UseTLS = (1 << 0)
+} TCPSocketFlags;
+
+typedef void (*TCPConnectionCallback)(TCPSocket *sock, void *context, mDNSBool ConnectionEstablished, mStatus err);
+extern TCPSocket *mDNSPlatformTCPSocket(mDNS *const m, TCPSocketFlags flags, mDNSIPPort *port, mDNSBool useBackgroundTrafficClass); // creates a TCP socket
+extern TCPSocket *mDNSPlatformTCPAccept(TCPSocketFlags flags, int sd);
+extern int mDNSPlatformTCPGetFD(TCPSocket *sock);
+extern mStatus mDNSPlatformTCPConnect(TCPSocket *sock, const mDNSAddr *dst, mDNSOpaque16 dstport, domainname *hostname,
+ mDNSInterfaceID InterfaceID, TCPConnectionCallback callback, void *context);
+extern void mDNSPlatformTCPCloseConnection(TCPSocket *sock);
+extern long mDNSPlatformReadTCP(TCPSocket *sock, void *buf, unsigned long buflen, mDNSBool *closed);
+extern long mDNSPlatformWriteTCP(TCPSocket *sock, const char *msg, unsigned long len);
+extern UDPSocket *mDNSPlatformUDPSocket(mDNS *const m, const mDNSIPPort requestedport);
+extern mDNSu16 mDNSPlatformGetUDPPort(UDPSocket *sock);
+extern void mDNSPlatformUDPClose(UDPSocket *sock);
+extern void mDNSPlatformReceiveBPF_fd(mDNS *const m, int fd);
+extern void mDNSPlatformUpdateProxyList(mDNS *const m, const mDNSInterfaceID InterfaceID);
+extern void mDNSPlatformSendRawPacket(const void *const msg, const mDNSu8 *const end, mDNSInterfaceID InterfaceID);
+extern void mDNSPlatformSetLocalAddressCacheEntry(mDNS *const m, const mDNSAddr *const tpa, const mDNSEthAddr *const tha, mDNSInterfaceID InterfaceID);
+extern void mDNSPlatformSourceAddrForDest(mDNSAddr *const src, const mDNSAddr *const dst);
+extern void mDNSPlatformSendKeepalive(mDNSAddr *sadd, mDNSAddr *dadd, mDNSIPPort *lport, mDNSIPPort *rport, mDNSu32 seq, mDNSu32 ack, mDNSu16 win);
+extern mStatus mDNSPlatformRetrieveTCPInfo(mDNS *const m, mDNSAddr *laddr, mDNSIPPort *lport, mDNSAddr *raddr, mDNSIPPort *rport, mDNSTCPInfo *mti);
+extern mStatus mDNSPlatformGetRemoteMacAddr(mDNS *const m, mDNSAddr *raddr);
+extern mStatus mDNSPlatformStoreSPSMACAddr(mDNSAddr *spsaddr, char *ifname);
+extern mStatus mDNSPlatformClearSPSMACAddr(void);
+
+// mDNSPlatformTLSSetupCerts/mDNSPlatformTLSTearDownCerts used by dnsextd
+extern mStatus mDNSPlatformTLSSetupCerts(void);
+extern void mDNSPlatformTLSTearDownCerts(void);
+
+// Platforms that support unicast browsing and dynamic update registration for clients who do not specify a domain
+// in browse/registration calls must implement these routines to get the "default" browse/registration list.
+
+extern mDNSBool mDNSPlatformSetDNSConfig(mDNS *const m, mDNSBool setservers, mDNSBool setsearch, domainname *const fqdn, DNameListElem **RegDomains,
+ DNameListElem **BrowseDomains, mDNSBool ackConfig);
+extern mStatus mDNSPlatformGetPrimaryInterface(mDNS *const m, mDNSAddr *v4, mDNSAddr *v6, mDNSAddr *router);
+extern void mDNSPlatformDynDNSHostNameStatusChanged(const domainname *const dname, const mStatus status);
+
+extern void mDNSPlatformSetAllowSleep(mDNS *const m, mDNSBool allowSleep, const char *reason);
+extern void mDNSPlatformSendWakeupPacket(mDNS *const m, mDNSInterfaceID InterfaceID, char *EthAddr, char *IPAddr, int iteration);
+
+extern mDNSBool mDNSPlatformInterfaceIsD2D(mDNSInterfaceID InterfaceID);
+extern mDNSBool mDNSPlatformInterfaceIsAWDL(const NetworkInterfaceInfo *intf);
+extern mDNSBool mDNSPlatformValidRecordForQuestion(const ResourceRecord *const rr, const DNSQuestion *const q);
+extern mDNSBool mDNSPlatformValidRecordForInterface(AuthRecord *rr, const NetworkInterfaceInfo *intf);
+extern mDNSBool mDNSPlatformValidQuestionForInterface(DNSQuestion *q, const NetworkInterfaceInfo *intf);
+
+extern void mDNSPlatformFormatTime(unsigned long t, mDNSu8 *buf, int bufsize);
+
+#ifdef _LEGACY_NAT_TRAVERSAL_
+// Support for legacy NAT traversal protocols, implemented by the platform layer and callable by the core.
+extern void LNT_SendDiscoveryMsg(mDNS *m);
+extern void LNT_ConfigureRouterInfo(mDNS *m, const mDNSInterfaceID InterfaceID, const mDNSu8 *const data, const mDNSu16 len);
+extern mStatus LNT_GetExternalAddress(mDNS *m);
+extern mStatus LNT_MapPort(mDNS *m, NATTraversalInfo *const n);
+extern mStatus LNT_UnmapPort(mDNS *m, NATTraversalInfo *const n);
+extern void LNT_ClearState(mDNS *const m);
+#endif // _LEGACY_NAT_TRAVERSAL_
+
+// The core mDNS code provides these functions, for the platform support code to call at appropriate times
+//
+// mDNS_SetFQDN() is called once on startup (typically from mDNSPlatformInit())
+// and then again on each subsequent change of the host name.
+//
+// mDNS_RegisterInterface() is used by the platform support layer to inform mDNSCore of what
+// physical and/or logical interfaces are available for sending and receiving packets.
+// Typically it is called on startup for each available interface, but register/deregister may be
+// called again later, on multiple occasions, to inform the core of interface configuration changes.
+// If set->Advertise is set non-zero, then mDNS_RegisterInterface() also registers the standard
+// resource records that should be associated with every publicised IP address/interface:
+// -- Name-to-address records (A/AAAA)
+// -- Address-to-name records (PTR)
+// -- Host information (HINFO)
+// IMPORTANT: The specified mDNSInterfaceID MUST NOT be 0, -1, or -2; these values have special meaning
+// mDNS_RegisterInterface does not result in the registration of global hostnames via dynamic update -
+// see mDNS_SetPrimaryInterfaceInfo, mDNS_AddDynDNSHostName, etc. for this purpose.
+// Note that the set may be deallocated immediately after it is deregistered via mDNS_DeegisterInterface.
+//
+// mDNS_RegisterDNS() is used by the platform support layer to provide the core with the addresses of
+// available domain name servers for unicast queries/updates. RegisterDNS() should be called once for
+// each name server, typically at startup, or when a new name server becomes available. DeregiterDNS()
+// must be called whenever a registered name server becomes unavailable. DeregisterDNSList deregisters
+// all registered servers. mDNS_DNSRegistered() returns true if one or more servers are registered in the core.
+//
+// mDNSCoreInitComplete() is called when the platform support layer is finished.
+// Typically this is at the end of mDNSPlatformInit(), but may be later
+// (on platforms like OT that allow asynchronous initialization of the networking stack).
+//
+// mDNSCoreReceive() is called when a UDP packet is received
+//
+// mDNSCoreMachineSleep() is called when the machine sleeps or wakes
+// (This refers to heavyweight laptop-style sleep/wake that disables network access,
+// not lightweight second-by-second CPU power management modes.)
+
+extern void mDNS_SetFQDN(mDNS *const m);
+extern void mDNS_ActivateNetWake_internal (mDNS *const m, NetworkInterfaceInfo *set);
+extern void mDNS_DeactivateNetWake_internal(mDNS *const m, NetworkInterfaceInfo *set);
+extern mStatus mDNS_RegisterInterface (mDNS *const m, NetworkInterfaceInfo *set, mDNSBool flapping);
+extern void mDNS_DeregisterInterface(mDNS *const m, NetworkInterfaceInfo *set, mDNSBool flapping);
+extern void mDNSCoreInitComplete(mDNS *const m, mStatus result);
+extern void mDNSCoreReceive(mDNS *const m, void *const msg, const mDNSu8 *const end,
+ const mDNSAddr *const srcaddr, const mDNSIPPort srcport,
+ const mDNSAddr *dstaddr, const mDNSIPPort dstport, const mDNSInterfaceID InterfaceID);
+extern void mDNSCoreRestartQueries(mDNS *const m);
+extern void mDNSCoreRestartQuestion(mDNS *const m, DNSQuestion *q);
+extern void mDNSCoreRestartRegistration(mDNS *const m, AuthRecord *rr, int announceCount);
+typedef void (*FlushCache)(mDNS *const m);
+typedef void (*CallbackBeforeStartQuery)(mDNS *const m, void *context);
+extern void mDNSCoreRestartAddressQueries(mDNS *const m, mDNSBool SearchDomainsChanged, FlushCache flushCacheRecords,
+ CallbackBeforeStartQuery beforeQueryStart, void *context);
+extern mDNSBool mDNSCoreHaveAdvertisedMulticastServices(mDNS *const m);
+extern void mDNSCoreMachineSleep(mDNS *const m, mDNSBool wake);
+extern mDNSBool mDNSCoreReadyForSleep(mDNS *m, mDNSs32 now);
+extern mDNSs32 mDNSCoreIntervalToNextWake(mDNS *const m, mDNSs32 now);
+
+extern void mDNSCoreReceiveRawPacket (mDNS *const m, const mDNSu8 *const p, const mDNSu8 *const end, const mDNSInterfaceID InterfaceID);
+
+extern mDNSBool mDNSAddrIsDNSMulticast(const mDNSAddr *ip);
+
+extern CacheRecord *CreateNewCacheEntry(mDNS *const m, const mDNSu32 slot, CacheGroup *cg, mDNSs32 delay, mDNSBool Add, const mDNSAddr *sourceAddress);
+extern CacheGroup *CacheGroupForName(const mDNS *const m, const mDNSu32 slot, const mDNSu32 namehash, const domainname *const name);
+extern void ReleaseCacheRecord(mDNS *const m, CacheRecord *r);
+extern void ScheduleNextCacheCheckTime(mDNS *const m, const mDNSu32 slot, const mDNSs32 event);
+extern void SetNextCacheCheckTimeForRecord(mDNS *const m, CacheRecord *const rr);
+extern void GrantCacheExtensions(mDNS *const m, DNSQuestion *q, mDNSu32 lease);
+extern void MakeNegativeCacheRecord(mDNS *const m, CacheRecord *const cr,
+ const domainname *const name, const mDNSu32 namehash, const mDNSu16 rrtype, const mDNSu16 rrclass, mDNSu32 ttl_seconds,
+ mDNSInterfaceID InterfaceID, DNSServer *dnsserver);
+extern void CompleteDeregistration(mDNS *const m, AuthRecord *rr);
+extern void AnswerCurrentQuestionWithResourceRecord(mDNS *const m, CacheRecord *const rr, const QC_result AddRecord);
+extern void AnswerQuestionByFollowingCNAME(mDNS *const m, DNSQuestion *q, ResourceRecord *rr);
+extern char *InterfaceNameForID(mDNS *const m, const mDNSInterfaceID InterfaceID);
+extern void DNSServerChangeForQuestion(mDNS *const m, DNSQuestion *q, DNSServer *newServer);
+extern void ActivateUnicastRegistration(mDNS *const m, AuthRecord *const rr);
+extern void CheckSuppressUnusableQuestions(mDNS *const m);
+extern void RetrySearchDomainQuestions(mDNS *const m);
+extern mDNSBool DomainEnumQuery(const domainname *qname);
+extern mStatus UpdateKeepaliveRData(mDNS *const m, AuthRecord *rr, NetworkInterfaceInfo *const intf, mDNSBool updateMac, char *ethAddr);
+extern void UpdateKeepaliveRMACAsync(mDNS *const m, void *context);
+extern void UpdateRMACCallback(mDNS *const m, void *context);
+
+// Used only in logging to restrict the number of /etc/hosts entries printed
+extern void FreeEtcHosts(mDNS *const m, AuthRecord *const rr, mStatus result);
+// exported for using the hash for /etc/hosts AuthRecords
+extern AuthGroup *AuthGroupForName(AuthHash *r, const mDNSu32 slot, const mDNSu32 namehash, const domainname *const name);
+extern AuthGroup *AuthGroupForRecord(AuthHash *r, const mDNSu32 slot, const ResourceRecord *const rr);
+extern AuthGroup *InsertAuthRecord(mDNS *const m, AuthHash *r, AuthRecord *rr);
+extern AuthGroup *RemoveAuthRecord(mDNS *const m, AuthHash *r, AuthRecord *rr);
+extern mDNSBool mDNS_CheckForCacheRecord(mDNS *const m, DNSQuestion *q, mDNSu16 qtype);
+
+// For now this AutoTunnel stuff is specific to Mac OS X.
+// In the future, if there's demand, we may see if we can abstract it out cleanly into the platform layer
+#if APPLE_OSX_mDNSResponder
+extern void AutoTunnelCallback(mDNS *const m, DNSQuestion *question, const ResourceRecord *const answer, QC_result AddRecord);
+extern void AddNewClientTunnel(mDNS *const m, DNSQuestion *const q);
+extern void StartServerTunnel(mDNS *const m, DomainAuthInfo *const info);
+extern void UpdateAutoTunnelDomainStatuses(const mDNS *const m);
+extern void RemoveAutoTunnel6Record(mDNS *const m);
+extern mDNSBool RecordReadyForSleep(mDNS *const m, AuthRecord *rr);
+// For now this LocalSleepProxy stuff is specific to Mac OS X.
+// In the future, if there's demand, we may see if we can abstract it out cleanly into the platform layer
+extern mStatus ActivateLocalProxy(mDNS *const m, NetworkInterfaceInfo *const intf);
+extern void mDNSPlatformUpdateDNSStatus(mDNS *const m, DNSQuestion *q);
+extern void mDNSPlatformTriggerDNSRetry(mDNS *const m, DNSQuestion *v4q, DNSQuestion *v6q);
+extern void mDNSPlatformLogToFile(int log_level, const char *buffer);
+extern mDNSBool SupportsInNICProxy(NetworkInterfaceInfo *const intf);
+#endif
+
+typedef void ProxyCallback (mDNS *const m, void *socket, void *const msg, const mDNSu8 *const end, const mDNSAddr *const srcaddr,
+ const mDNSIPPort srcport, const mDNSAddr *dstaddr, const mDNSIPPort dstport, const mDNSInterfaceID InterfaceID, void *context);
+extern void mDNSPlatformInitDNSProxySkts(mDNS *const m, ProxyCallback *UDPCallback, ProxyCallback *TCPCallback);
+extern void mDNSPlatformCloseDNSProxySkts(mDNS *const m);
+extern void mDNSPlatformDisposeProxyContext(void *context);
+extern mDNSu8 *DNSProxySetAttributes(DNSQuestion *q, DNSMessageHeader *h, DNSMessage *msg, mDNSu8 *start, mDNSu8 *limit);
+
+// Sleep Assertions are specific to Mac OS X
+#if APPLE_OSX_mDNSResponder
+extern void mDNSPlatformSleepAssertion(mDNS *const m, double timeout);
+#endif
+
+extern mDNSBool mDNSPlatformAllowPID(mDNS *const m, DNSQuestion *q);
+extern mDNSs32 mDNSPlatformGetServiceID(mDNS *const m, DNSQuestion *q);
+extern void mDNSPlatformSetDelegatePID(UDPSocket *src, const mDNSAddr *dst, DNSQuestion *q);
+extern mDNSs32 mDNSPlatformGetPID(void);
+
+// ***************************************************************************
+#if 0
+#pragma mark -
+#pragma mark - Sleep Proxy
+#endif
+
+// Sleep Proxy Server Property Encoding
+//
+// Sleep Proxy Servers are advertised using a structured service name, consisting of four
+// metrics followed by a human-readable name. The metrics assist clients in deciding which
+// Sleep Proxy Server(s) to use when multiple are available on the network. Each metric
+// is a two-digit decimal number in the range 10-99. Lower metrics are generally better.
+//
+// AA-BB-CC-DD.FF Name
+//
+// Metrics:
+//
+// AA = Intent
+// BB = Portability
+// CC = Marginal Power
+// DD = Total Power
+// FF = Features Supported (Currently TCP Keepalive only)
+//
+//
+// ** Intent Metric **
+//
+// 20 = Dedicated Sleep Proxy Server -- a device, permanently powered on,
+// installed for the express purpose of providing Sleep Proxy Service.
+//
+// 30 = Primary Network Infrastructure Hardware -- a router, DHCP server, NAT gateway,
+// or similar permanently installed device which is permanently powered on.
+// This is hardware designed for the express purpose of being network
+// infrastructure, and for most home users is typically a single point
+// of failure for the local network -- e.g. most home users only have
+// a single NAT gateway / DHCP server. Even though in principle the
+// hardware might technically be capable of running different software,
+// a typical user is unlikely to do that. e.g. AirPort base station.
+//
+// 40 = Primary Network Infrastructure Software -- a general-purpose computer
+// (e.g. Mac, Windows, Linux, etc.) which is currently running DHCP server
+// or NAT gateway software, but the user could choose to turn that off
+// fairly easily. e.g. iMac running Internet Sharing
+//
+// 50 = Secondary Network Infrastructure Hardware -- like primary infrastructure
+// hardware, except not a single point of failure for the entire local network.
+// For example, an AirPort base station in bridge mode. This may have clients
+// associated with it, and if it goes away those clients will be inconvenienced,
+// but unlike the NAT gateway / DHCP server, the entire local network is not
+// dependent on it.
+//
+// 60 = Secondary Network Infrastructure Software -- like 50, but in a general-
+// purpose CPU.
+//
+// 70 = Incidentally Available Hardware -- a device which has no power switch
+// and is generally left powered on all the time. Even though it is not a
+// part of what we conventionally consider network infrastructure (router,
+// DHCP, NAT, DNS, etc.), and the rest of the network can operate fine
+// without it, since it's available and unlikely to be turned off, it is a
+// reasonable candidate for providing Sleep Proxy Service e.g. Apple TV,
+// or an AirPort base station in client mode, associated with an existing
+// wireless network (e.g. AirPort Express connected to a music system, or
+// being used to share a USB printer).
+//
+// 80 = Incidentally Available Software -- a general-purpose computer which
+// happens at this time to be set to "never sleep", and as such could be
+// useful as a Sleep Proxy Server, but has not been intentionally provided
+// for this purpose. Of all the Intent Metric categories this is the
+// one most likely to be shut down or put to sleep without warning.
+// However, if nothing else is availalable, it may be better than nothing.
+// e.g. Office computer in the workplace which has been set to "never sleep"
+//
+//
+// ** Portability Metric **
+//
+// Inversely related to mass of device, on the basis that, all other things
+// being equal, heavier devices are less likely to be moved than lighter devices.
+// E.g. A MacBook running Internet Sharing is probably more likely to be
+// put to sleep and taken away than a Mac Pro running Internet Sharing.
+// The Portability Metric is a logarithmic decibel scale, computed by taking the
+// (approximate) mass of the device in milligrammes, taking the base 10 logarithm
+// of that, multiplying by 10, and subtracting the result from 100:
+//
+// Portability Metric = 100 - (log10(mg) * 10)
+//
+// The Portability Metric is not necessarily computed literally from the actual
+// mass of the device; the intent is just that lower numbers indicate more
+// permanent devices, and higher numbers indicate devices more likely to be
+// removed from the network, e.g., in order of increasing portability:
+//
+// Mac Pro < iMac < Laptop < iPhone
+//
+// Example values:
+//
+// 10 = 1 metric tonne
+// 40 = 1kg
+// 70 = 1g
+// 90 = 10mg
+//
+//
+// ** Marginal Power and Total Power Metrics **
+//
+// The Marginal Power Metric is the power difference between sleeping and staying awake
+// to be a Sleep Proxy Server.
+//
+// The Total Power Metric is the total power consumption when being Sleep Proxy Server.
+//
+// The Power Metrics use a logarithmic decibel scale, computed as ten times the
+// base 10 logarithm of the (approximate) power in microwatts:
+//
+// Power Metric = log10(uW) * 10
+//
+// Higher values indicate higher power consumption. Example values:
+//
+// 10 = 10 uW
+// 20 = 100 uW
+// 30 = 1 mW
+// 60 = 1 W
+// 90 = 1 kW
+
+typedef enum
+{
+ mDNSSleepProxyMetric_Dedicated = 20,
+ mDNSSleepProxyMetric_PrimaryHardware = 30,
+ mDNSSleepProxyMetric_PrimarySoftware = 40,
+ mDNSSleepProxyMetric_SecondaryHardware = 50,
+ mDNSSleepProxyMetric_SecondarySoftware = 60,
+ mDNSSleepProxyMetric_IncidentalHardware = 70,
+ mDNSSleepProxyMetric_IncidentalSoftware = 80
+} mDNSSleepProxyMetric;
+
+typedef enum
+{
+ mDNS_NoWake = 0, // System does not support Wake on LAN
+ mDNS_WakeOnAC = 1, // System supports Wake on LAN when connected to AC power only
+ mDNS_WakeOnBattery = 2 // System supports Wake on LAN on battery
+} mDNSWakeForNetworkAccess;
+
+extern void mDNSCoreBeSleepProxyServer_internal(mDNS *const m, mDNSu8 sps, mDNSu8 port, mDNSu8 marginalpower, mDNSu8 totpower, mDNSu8 features);
+#define mDNSCoreBeSleepProxyServer(M,S,P,MP,TP,F) \
+ do { mDNS_Lock(m); mDNSCoreBeSleepProxyServer_internal((M),(S),(P),(MP),(TP),(F)); mDNS_Unlock(m); } while(0)
+
+extern void FindSPSInCache(mDNS *const m, const DNSQuestion *const q, const CacheRecord *sps[3]);
+#define PrototypeSPSName(X) ((X)[0] >= 11 && (X)[3] == '-' && (X)[ 4] == '9' && (X)[ 5] == '9' && \
+ (X)[6] == '-' && (X)[ 7] == '9' && (X)[ 8] == '9' && \
+ (X)[9] == '-' && (X)[10] == '9' && (X)[11] == '9' )
+#define ValidSPSName(X) ((X)[0] >= 5 && mDNSIsDigit((X)[1]) && mDNSIsDigit((X)[2]) && mDNSIsDigit((X)[4]) && mDNSIsDigit((X)[5]))
+#define SPSMetric(X) (!ValidSPSName(X) || PrototypeSPSName(X) ? 1000000 : \
+ ((X)[1]-'0') * 100000 + ((X)[2]-'0') * 10000 + ((X)[4]-'0') * 1000 + ((X)[5]-'0') * 100 + ((X)[7]-'0') * 10 + ((X)[8]-'0'))
+#define LocalSPSMetric(X) ( (X)->SPSType * 10000 + (X)->SPSPortability * 100 + (X)->SPSMarginalPower)
+#define SPSFeatures(X) ((X)[0] >= 13 && (X)[12] =='.' ? ((X)[13]-'0') : 0 )
+
+#define MD5_DIGEST_LENGTH 16 /* digest length in bytes */
+#define MD5_BLOCK_BYTES 64 /* block size in bytes */
+#define MD5_BLOCK_LONG (MD5_BLOCK_BYTES / sizeof(mDNSu32))
+
+typedef struct MD5state_st
+{
+ mDNSu32 A,B,C,D;
+ mDNSu32 Nl,Nh;
+ mDNSu32 data[MD5_BLOCK_LONG];
+ int num;
+} MD5_CTX;
+
+extern int MD5_Init(MD5_CTX *c);
+extern int MD5_Update(MD5_CTX *c, const void *data, unsigned long len);
+extern int MD5_Final(unsigned char *md, MD5_CTX *c);
+
+// ***************************************************************************
+#if 0
+#pragma mark -
+#pragma mark - Compile-Time assertion checks
+#endif
+
+// Some C compiler cleverness. We can make the compiler check certain things for
+// us, and report compile-time errors if anything is wrong. The usual way to do
+// this would be to use a run-time "if" statement, but then you don't find out
+// what's wrong until you run the software. This way, if the assertion condition
+// is false, the array size is negative, and the complier complains immediately.
+
+struct CompileTimeAssertionChecks_mDNS
+{
+ // Check that the compiler generated our on-the-wire packet format structure definitions
+ // properly packed, without adding padding bytes to align fields on 32-bit or 64-bit boundaries.
+ char assert0[(sizeof(rdataSRV) == 262 ) ? 1 : -1];
+ char assert1[(sizeof(DNSMessageHeader) == 12 ) ? 1 : -1];
+ char assert2[(sizeof(DNSMessage) == 12+AbsoluteMaxDNSMessageData) ? 1 : -1];
+ char assert3[(sizeof(mDNSs8) == 1 ) ? 1 : -1];
+ char assert4[(sizeof(mDNSu8) == 1 ) ? 1 : -1];
+ char assert5[(sizeof(mDNSs16) == 2 ) ? 1 : -1];
+ char assert6[(sizeof(mDNSu16) == 2 ) ? 1 : -1];
+ char assert7[(sizeof(mDNSs32) == 4 ) ? 1 : -1];
+ char assert8[(sizeof(mDNSu32) == 4 ) ? 1 : -1];
+ char assert9[(sizeof(mDNSOpaque16) == 2 ) ? 1 : -1];
+ char assertA[(sizeof(mDNSOpaque32) == 4 ) ? 1 : -1];
+ char assertB[(sizeof(mDNSOpaque128) == 16 ) ? 1 : -1];
+ char assertC[(sizeof(CacheRecord ) == sizeof(CacheGroup) ) ? 1 : -1];
+ char assertD[(sizeof(int) >= 4 ) ? 1 : -1];
+ char assertE[(StandardAuthRDSize >= 256 ) ? 1 : -1];
+ char assertF[(sizeof(EthernetHeader) == 14 ) ? 1 : -1];
+ char assertG[(sizeof(ARP_EthIP ) == 28 ) ? 1 : -1];
+ char assertH[(sizeof(IPv4Header ) == 20 ) ? 1 : -1];
+ char assertI[(sizeof(IPv6Header ) == 40 ) ? 1 : -1];
+ char assertJ[(sizeof(IPv6NDP ) == 24 ) ? 1 : -1];
+ char assertK[(sizeof(UDPHeader ) == 8 ) ? 1 : -1];
+ char assertL[(sizeof(IKEHeader ) == 28 ) ? 1 : -1];
+ char assertM[(sizeof(TCPHeader ) == 20 ) ? 1 : -1];
+
+ // Check our structures are reasonable sizes. Including overly-large buffers, or embedding
+ // other overly-large structures instead of having a pointer to them, can inadvertently
+ // cause structure sizes (and therefore memory usage) to balloon unreasonably.
+ char sizecheck_RDataBody [(sizeof(RDataBody) == 264) ? 1 : -1];
+ char sizecheck_ResourceRecord [(sizeof(ResourceRecord) <= 72) ? 1 : -1];
+ char sizecheck_AuthRecord [(sizeof(AuthRecord) <= 1208) ? 1 : -1];
+ char sizecheck_CacheRecord [(sizeof(CacheRecord) <= 232) ? 1 : -1];
+ char sizecheck_CacheGroup [(sizeof(CacheGroup) <= 232) ? 1 : -1];
+ char sizecheck_DNSQuestion [(sizeof(DNSQuestion) <= 832) ? 1 : -1];
+
+// Checks commented out when sizeof(DNSQuestion) change cascaded into having to change yet another
+// set of hardcoded size values because these structures contain one or more DNSQuestion
+// instances.
+// char sizecheck_ZoneData [(sizeof(ZoneData) <= 1648) ? 1 : -1];
+ char sizecheck_NATTraversalInfo [(sizeof(NATTraversalInfo) <= 200) ? 1 : -1];
+ char sizecheck_HostnameInfo [(sizeof(HostnameInfo) <= 3050) ? 1 : -1];
+ char sizecheck_DNSServer [(sizeof(DNSServer) <= 340) ? 1 : -1];
+// char sizecheck_NetworkInterfaceInfo[(sizeof(NetworkInterfaceInfo) <= 6988) ? 1 : -1];
+ char sizecheck_ServiceRecordSet [(sizeof(ServiceRecordSet) <= 5540) ? 1 : -1];
+ char sizecheck_DomainAuthInfo [(sizeof(DomainAuthInfo) <= 7888) ? 1 : -1];
+// char sizecheck_ServiceInfoQuery [(sizeof(ServiceInfoQuery) <= 3302) ? 1 : -1];
+#if APPLE_OSX_mDNSResponder
+// char sizecheck_ClientTunnel [(sizeof(ClientTunnel) <= 1160) ? 1 : -1];
+#endif
+};
+
+// Routine to initialize device-info TXT record contents
+mDNSu32 initializeDeviceInfoTXT(mDNS *m, mDNSu8 *ptr);
+
+#if APPLE_OSX_mDNSResponder
+extern void D2D_start_advertising_interface(NetworkInterfaceInfo *interface);
+extern void D2D_stop_advertising_interface(NetworkInterfaceInfo *interface);
+#endif
+
+// ***************************************************************************
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/mDNSResponder/mDNSCore/nsec.c b/mDNSResponder/mDNSCore/nsec.c
new file mode 100644
index 00000000..a9f16b3f
--- /dev/null
+++ b/mDNSResponder/mDNSCore/nsec.c
@@ -0,0 +1,1266 @@
+/* -*- Mode: C; tab-width: 4 -*-
+ *
+ * Copyright (c) 2011 Apple Computer, Inc. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+// ***************************************************************************
+// nsec.c: This file contains support functions to validate NSEC records for
+// NODATA and NXDOMAIN error.
+// ***************************************************************************
+
+#include "mDNSEmbeddedAPI.h"
+#include "DNSCommon.h"
+#include "nsec.h"
+#include "nsec3.h"
+
+// Define DNSSEC_DISABLED to remove all the DNSSEC functionality
+// and use the stub functions implemented later in this file.
+
+#ifndef DNSSEC_DISABLED
+
+// Implementation Notes
+//
+// NSEC records in DNSSEC are used for authenticated denial of existence i.e., if the response to a query
+// results in NXDOMAIN or NODATA error, the response also contains NSEC records in the additional section
+// to prove the non-existence of the original name. In most of the cases, NSEC records don't have any
+// relationship to the original name queried i.e, if they are cached based on the name like other records,
+// it can't be located to prove the non-existence of the original name. Hence, we create a negative cache
+// record like we do for the NXDOMAIN/NODATA error and then cache the NSEC records as part of that. Sometimes,
+// NSEC records are also used for wildcard expanded answer in which case they are cached with the cache record
+// that is created for the original name. NSEC records are freed when the parent cache (the record that they
+// are attached to is expired).
+//
+// NSEC records also can be queried like any other record and hence can exist independent of the negative
+// cache record. It exists as part of negative cache record only when we get a NXDOMAIN/NODATA error with
+// NSEC records. When a query results in NXDOMAIN/NODATA error and needs to be validated, the NSEC
+// records (and its RRSIGS) are cached as part of the negative cache record. The NSEC records that
+// exist separately from the negative cache record should not be used to answer ValidationRequired/
+// ValidatingResponse questions as it may not be sufficient to prove the non-existence of the name.
+// The exception is when the NSEC record is looked up explicitly. See DNSSECRecordAnswersQuestion
+// for more details.
+//
+
+mDNSlocal CacheRecord *NSECParentForQuestion(mDNS *const m, DNSQuestion *q)
+{
+ CacheGroup *cg;
+ CacheRecord *cr;
+ mDNSu32 slot;
+ mDNSu32 namehash;
+
+ slot = HashSlot(&q->qname);
+ namehash = DomainNameHashValue(&q->qname);
+ cg = CacheGroupForName(m, slot, namehash, &q->qname);
+ if (!cg)
+ {
+ LogDNSSEC("NSECParentForQuestion: Cannot find cg for %##s (%s)", q->qname.c, DNSTypeName(q->qtype));
+ return mDNSNULL;
+ }
+ for (cr = cg->members; cr; cr = cr->next)
+ if (SameNameRecordAnswersQuestion(&cr->resrec, q))
+ return cr;
+ return mDNSNULL;
+}
+
+mDNSlocal void UpdateParent(DNSSECVerifier *dv)
+{
+ AuthChainLink(dv->parent, dv->ac);
+ ResetAuthChain(dv);
+ dv->parent->NumPackets += dv->NumPackets;
+}
+
+// Note: This should just call the parent callback which will free the DNSSECVerifier.
+mDNSlocal void VerifyNSECCallback(mDNS *const m, DNSSECVerifier *dv, DNSSECStatus status)
+{
+ if (!dv->parent)
+ {
+ LogMsg("VerifyNSECCCallback: ERROR!! no parent DV\n");
+ FreeDNSSECVerifier(m, dv);
+ return;
+ }
+ if (dv->ac)
+ {
+ // Before we free the "dv", we need to update the
+ // parent with our AuthChain information
+ UpdateParent(dv);
+ }
+ // "status" indicates whether we are able to successfully verify
+ // the NSEC/NSEC3 signatures. For NSEC3, the OptOut flag may be set
+ // for which we need to deliver insecure result.
+ if ((dv->parent->flags & NSEC3_OPT_OUT) && (status == DNSSEC_Secure))
+ {
+ dv->parent->DVCallback(m, dv->parent, DNSSEC_Insecure);
+ }
+ else
+ {
+ dv->parent->DVCallback(m, dv->parent, status);
+ }
+ // The callback we called in the previous line should recursively
+ // free all the DNSSECVerifiers starting from dv->parent and above.
+ // So, set that to NULL and free the "dv" itself here.
+ dv->parent = mDNSNULL;
+ FreeDNSSECVerifier(m, dv);
+}
+
+// If the caller provides a callback, it takes the responsibility of calling the original callback
+// in "pdv" when it is done.
+//
+// INPUT:
+//
+// rr: The NSEC record that should be verified
+// rv: The NSEC record can also be provided like this
+// pdv: Parent DNSSECVerifier which will be called when the verification is done.
+// callback: As part of the proof, we need multiple NSEC verifications before we call the "pdv" callback in
+// which case a intermediate "callback" is provided which can be used to do multiple verifications.
+// ncr: The cache record where the RRSIGS are cached
+//
+// NSEC records and signatures are cached along with the cache record so that we can expire them all together. We can't cache
+// them based on the name hash like other records as in most cases the returned NSECs has a different name than we asked for
+// (except for NODATA error where the name exists but type does not exist).
+//
+mDNSexport void VerifyNSEC(mDNS *const m, ResourceRecord *rr, RRVerifier *rv, DNSSECVerifier *pdv, CacheRecord *ncr, DNSSECVerifierCallback callback)
+{
+ DNSSECVerifier *dv = mDNSNULL;
+ CacheRecord **rp;
+ const domainname *name;
+ mDNSu16 rrtype;
+
+ if (!rv && !rr)
+ {
+ LogDNSSEC("VerifyNSEC: Both rr and rv are NULL");
+ goto error;
+ }
+ if (!pdv)
+ {
+ LogDNSSEC("VerifyNSEC: ERROR!! pdv is NULL");
+ return;
+ }
+ // Remember the name and type for which we are verifying, so that when we are done processing all
+ // the verifications, we can trace it back.
+ //
+ // Note: Currently it is not used because when the verification completes as we just
+ // call the "pdv" callback which has its origName and origType.
+ if (rr)
+ {
+ name = rr->name;
+ rrtype = rr->rrtype;
+ }
+ else
+ {
+ name = &rv->name;
+ rrtype = rv->rrtype;
+ }
+
+ dv = AllocateDNSSECVerifier(m, name, rrtype, pdv->q.InterfaceID, DNSSEC_VALIDATION_SECURE,
+ (callback ? callback : VerifyNSECCallback), mDNSNULL);
+ if (!dv)
+ {
+ LogMsg("VerifyNSEC: mDNSPlatformMemAlloc failed");
+ return;
+ }
+
+ dv->parent = pdv;
+
+ if (AddRRSetToVerifier(dv, rr, rv, RRVS_rr) != mStatus_NoError)
+ {
+ LogMsg("VerifyNSEC: ERROR!! AddRRSetToVerifier failed to add NSEC");
+ goto error;
+ }
+
+ // Add the signatures after validating them
+ rp = &(ncr->nsec);
+ while (*rp)
+ {
+ if ((*rp)->resrec.rrtype == kDNSType_RRSIG)
+ {
+ ValidateRRSIG(dv, RRVS_rrsig, &(*rp)->resrec);
+ }
+ rp=&(*rp)->next;
+ }
+
+ if (!dv->rrset)
+ {
+ LogMsg("VerifyNSEC: ERROR!! AddRRSetToVerifier missing rrset");
+ goto error;
+ }
+ // Expired signatures.
+ if (!dv->rrsig)
+ goto error;
+
+ // Next step is to fetch the keys
+ dv->next = RRVS_key;
+
+ StartDNSSECVerification(m, dv);
+ return;
+error:
+ pdv->DVCallback(m, pdv, DNSSEC_Bogus);
+ if (dv)
+ {
+ dv->parent = mDNSNULL;
+ FreeDNSSECVerifier(m, dv);
+ }
+ return;
+}
+
+mDNSlocal void DeleteCachedNSECS(mDNS *const m, CacheRecord *cr)
+{
+ CacheRecord *rp, *next;
+
+ if (cr->nsec) LogDNSSEC("DeleteCachedNSECS: Deleting NSEC Records\n");
+ for (rp = cr->nsec; rp; rp = next)
+ {
+ next = rp->next;
+ ReleaseCacheRecord(m, rp);
+ }
+ cr->nsec = mDNSNULL;
+}
+
+// Returns success if it adds the nsecs and the rrsigs to the cache record. Otherwise, it returns
+// failure (mDNSfalse)
+mDNSexport mDNSBool AddNSECSForCacheRecord(mDNS *const m, CacheRecord *crlist, CacheRecord *negcr, mDNSu8 rcode)
+{
+ CacheRecord *cr;
+ mDNSBool nsecs_seen = mDNSfalse;
+ mDNSBool nsec3s_seen = mDNSfalse;
+
+ if (rcode != kDNSFlag1_RC_NoErr && rcode != kDNSFlag1_RC_NXDomain)
+ {
+ LogMsg("AddNSECSForCacheRecord: Addings nsecs for rcode %d", rcode);
+ return mDNSfalse;
+ }
+
+ // Sanity check the list to see if we have anything else other than
+ // NSECs and its RRSIGs
+ for (cr = crlist; cr; cr = cr->next)
+ {
+ if (cr->resrec.rrtype != kDNSType_NSEC && cr->resrec.rrtype != kDNSType_NSEC3 &&
+ cr->resrec.rrtype != kDNSType_SOA && cr->resrec.rrtype != kDNSType_RRSIG)
+ {
+ LogMsg("AddNSECSForCacheRecord: ERROR!! Adding Wrong record %s", CRDisplayString(m, cr));
+ return mDNSfalse;
+ }
+ if (cr->resrec.rrtype == kDNSType_RRSIG)
+ {
+ RDataBody2 *const rdb = (RDataBody2 *)cr->smallrdatastorage.data;
+ rdataRRSig *rrsig = &rdb->rrsig;
+ mDNSu16 tc = swap16(rrsig->typeCovered);
+ if (tc != kDNSType_NSEC && tc != kDNSType_NSEC3 && tc != kDNSType_SOA)
+ {
+ LogMsg("AddNSECSForCacheRecord:ERROR!! Adding RRSIG with Wrong type %s", CRDisplayString(m, cr));
+ return mDNSfalse;
+ }
+ }
+ else if (cr->resrec.rrtype == kDNSType_NSEC)
+ {
+ nsecs_seen = mDNStrue;
+ }
+ else if (cr->resrec.rrtype == kDNSType_NSEC3)
+ {
+ nsec3s_seen = mDNStrue;
+ }
+ LogDNSSEC("AddNSECSForCacheRecord: Found a valid record %s", CRDisplayString(m, cr));
+ }
+ if ((nsecs_seen && nsec3s_seen) || (!nsecs_seen && !nsec3s_seen))
+ {
+ LogDNSSEC("AddNSECSForCacheRecord:ERROR nsecs_seen %d, nsec3s_seen %d", nsecs_seen, nsec3s_seen);
+ return mDNSfalse;
+ }
+ DeleteCachedNSECS(m, negcr);
+ LogDNSSEC("AddNSECSForCacheRecord: Adding NSEC Records for %s", CRDisplayString(m, negcr));
+ negcr->nsec = crlist;
+ return mDNStrue;
+}
+
+// Return the number of labels that matches starting from the right (excluding the
+// root label)
+mDNSexport int CountLabelsMatch(const domainname *const d1, const domainname *const d2)
+{
+ int count, c1, c2;
+ int match, i, skip1, skip2;
+
+ c1 = CountLabels(d1);
+ skip1 = c1 - 1;
+ c2 = CountLabels(d2);
+ skip2 = c2 - 1;
+
+ // Root label always matches. And we don't include it here to
+ // match CountLabels
+ match = 0;
+
+ // Compare as many labels as possible starting from the rightmost
+ count = c1 < c2 ? c1 : c2;
+ for (i = count; i > 0; i--)
+ {
+ const domainname *da, *db;
+
+ da = SkipLeadingLabels(d1, skip1);
+ db = SkipLeadingLabels(d2, skip2);
+ if (!SameDomainName(da, db)) return match;
+ skip1--;
+ skip2--;
+ match++;
+ }
+ return match;
+}
+
+// Empty Non-Terminal (ENT): if the qname is bigger than nsec owner's name and a
+// subdomain of the nsec's nxt field, then the qname is a empty non-terminal. For
+// example, if you are looking for (in RFC 4035 example zone) "y.w.example A"
+// record, if it is a ENT, then it would return
+//
+// x.w.example. 3600 NSEC x.y.w.example. MX RRSIG NSEC
+//
+// This function is normally called before checking for wildcard matches. If you
+// find this NSEC, there is no need to look for a wildcard record
+// that could possibly answer the question.
+mDNSlocal mDNSBool NSECAnswersENT(const ResourceRecord *const rr, domainname *qname)
+{
+ const domainname *oname = rr->name;
+ const RDataBody2 *const rdb = (RDataBody2 *)rr->rdata->u.data;
+ const domainname *nxt = (const domainname *)&rdb->data;
+ int ret;
+ int subdomain;
+
+ // Is the owner name smaller than qname?
+ ret = DNSSECCanonicalOrder(oname, qname, mDNSNULL);
+ if (ret < 0)
+ {
+ // Is the next domain field a subdomain of qname ?
+ ret = DNSSECCanonicalOrder(nxt, qname, &subdomain);
+ if (subdomain)
+ {
+ if (ret <= 0)
+ {
+ LogMsg("NSECAnswersENT: ERROR!! DNSSECCanonicalOrder subdomain set "
+ " qname %##s, NSEC %##s", qname->c, rr->name->c);
+ }
+ return mDNStrue;
+ }
+ }
+ return mDNSfalse;
+}
+
+mDNSlocal const domainname *NSECClosestEncloser(ResourceRecord *rr, domainname *qname)
+{
+ const domainname *oname = rr->name;
+ const RDataBody2 *const rdb = (RDataBody2 *)rr->rdata->u.data;
+ const domainname *nxt = (const domainname *)&rdb->data;
+ int match1, match2;
+
+ match1 = CountLabelsMatch(oname, qname);
+ match2 = CountLabelsMatch(nxt, qname);
+ // Return the closest i.e the one that matches more labels
+ if (match1 > match2)
+ return SkipLeadingLabels(oname, CountLabels(oname) - match1);
+ else
+ return SkipLeadingLabels(nxt, CountLabels(nxt) - match2);
+}
+
+// Assumption: NSEC has been validated outside of this function
+//
+// Does the name exist given the name and NSEC rr ?
+//
+// Returns -1 if it is an inappropriate nsec
+// Returns 1 if the name exists
+// Returns 0 if the name does not exist
+//
+mDNSlocal int NSECNameExists(mDNS *const m, ResourceRecord *rr, domainname *name, mDNSu16 qtype)
+{
+ const RDataBody2 *const rdb = (RDataBody2 *)rr->rdata->u.data;
+ const domainname *nxt = (const domainname *)&rdb->data;
+ const domainname *oname = rr->name; // owner name
+ int ret1, subdomain1;
+ int ret2, subdomain2;
+ int ret3, subdomain3;
+
+ ret1 = DNSSECCanonicalOrder(oname, name, &subdomain1);
+ if (ret1 > 0)
+ {
+ LogDNSSEC("NSECNameExists: owner name %##s is bigger than name %##s", oname->c, name->c);
+ return -1;
+ }
+
+ // Section 4.1 of draft-ietf-dnsext-dnssec-bis-updates-14:
+ //
+ // Ancestor delegation NSEC or NSEC3 RRs MUST NOT be used to assume non-
+ // existence of any RRs below that zone cut, which include all RRs at
+ // that (original) owner name other than DS RRs, and all RRs below that
+ // owner name regardless of type.
+ //
+ // This also implies that we can't use the child side NSEC for DS question.
+
+ if (!ret1)
+ {
+ mDNSBool soa = RRAssertsExistence(rr, kDNSType_SOA);
+ mDNSBool ns = RRAssertsExistence(rr, kDNSType_NS);
+
+ // We are here because the owner name is the same as "name". Make sure the
+ // NSEC has the right NS and SOA bits set.
+ if (qtype != kDNSType_DS && ns && !soa)
+ {
+ LogDNSSEC("NSECNameExists: Parent side NSEC %s can't be used for question %##s (%s)",
+ RRDisplayString(m, rr), name->c, DNSTypeName(qtype));
+ return -1;
+ }
+ else if (qtype == kDNSType_DS && soa)
+ {
+ LogDNSSEC("NSECNameExists: Child side NSEC %s can't be used for question %##s (%s)",
+ RRDisplayString(m, rr), name->c, DNSTypeName(qtype));
+ return -1;
+ }
+ LogDNSSEC("NSECNameExists: owner name %##s is same as name %##s", oname->c, name->c);
+ return 1;
+ }
+
+ // If the name is a.b.com and NSEC's owner name is b.com i.e., a subdomain
+ // and nsec comes from the parent (NS is set and SOA is not set), then this
+ // NSEC can't be used for names below the owner name.
+ //
+ // Similarly if DNAME is set, we can't use it here. See RFC2672-bis-dname
+ // appendix.
+ if (subdomain1 && (RRAssertsExistence(rr, kDNSType_DNAME) ||
+ (RRAssertsNonexistence(rr, kDNSType_SOA) && RRAssertsExistence(rr, kDNSType_NS))))
+ {
+ LogDNSSEC("NSECNameExists: NSEC %s comes from the parent, can't use it here",
+ RRDisplayString(m, rr));
+ return -1;
+ }
+
+ // At this stage, we know that name is greater than the owner name and
+ // the nsec is not from the parent side.
+ //
+ // Compare with the next field in the nsec.
+ //
+ ret2 = DNSSECCanonicalOrder(name, nxt, &subdomain2);
+
+ // Exact match with the nsec next name
+ if (!ret2)
+ {
+ LogDNSSEC("NSECNameExists: name %##s is same as nxt name %##s", name->c, nxt->c);
+ return 1;
+ }
+
+ ret3 = DNSSECCanonicalOrder(oname, nxt, &subdomain3);
+
+ if (!ret3)
+ {
+ // Pathological case of a single name in the domain. This means only the
+ // apex of the zone itself exists. Nothing below it. "subdomain2" indicates
+ // that name is a subdmain of "next" and hence below the zone.
+ if (subdomain2)
+ {
+ LogDNSSEC("NSECNameExists: owner name %##s subdomain of nxt name %##s", oname->c, nxt->c);
+ return 0;
+ }
+ else
+ {
+ LogDNSSEC("NSECNameExists: Single name in zone, owner name %##s is same as nxt name %##s", oname->c, nxt->c);
+ return -1;
+ }
+ }
+
+ if (ret3 < 0)
+ {
+ // Regular NSEC in the zone. Make sure that the "name" lies within
+ // oname and next. oname < name and name < next
+ if (ret1 < 0 && ret2 < 0)
+ {
+ LogDNSSEC("NSECNameExists: Normal NSEC name %##s lies within owner %##s and nxt name %##s",
+ name->c, oname->c, nxt->c);
+ return 0;
+ }
+ else
+ {
+ LogDNSSEC("NSECNameExists: Normal NSEC name %##s does not lie within owner %##s and nxt name %##s",
+ name->c, oname->c, nxt->c);
+ return -1;
+ }
+ }
+ else
+ {
+ // Last NSEC in the zone. The "next" is pointing to the apex. All names
+ // should be a subdomain of that and the name should be bigger than
+ // oname
+ if (ret1 < 0 && subdomain2)
+ {
+ LogDNSSEC("NSECNameExists: Last NSEC name %##s lies within owner %##s and nxt name %##s",
+ name->c, oname->c, nxt->c);
+ return 0;
+ }
+ else
+ {
+ LogDNSSEC("NSECNameExists: Last NSEC name %##s does not lie within owner %##s and nxt name %##s",
+ name->c, oname->c, nxt->c);
+ return -1;
+ }
+ }
+
+ LogDNSSEC("NSECNameExists: NSEC %s did not match any case", RRDisplayString(m, rr));
+ return -1;
+}
+
+// If the answer was result of a wildcard match, then this function proves
+// that a proper wildcard was used to answer the question and that the
+// original name does not exist
+mDNSexport void WildcardAnswerProof(mDNS *const m, DNSSECVerifier *dv)
+{
+ CacheRecord *ncr;
+ CacheRecord **rp;
+ const domainname *ce;
+ DNSQuestion q;
+ CacheRecord **nsec3 = mDNSNULL;
+
+ LogDNSSEC("WildcardAnswerProof: Question %##s (%s)", dv->origName.c, DNSTypeName(dv->origType));
+ //
+ // RFC 4035: Section 3.1.3.3
+ //
+ // 1) We used a wildcard because the qname does not exist, so verify
+ // that the qname does not exist
+ //
+ // 2) Is the wildcard the right one ?
+ //
+ // Unfortunately, this is not well explained in that section. Refer to
+ // RFC 5155 section 7.2.6.
+
+ // Walk the list of nsecs we received and see if they prove that
+ // the name does not exist
+
+ mDNSPlatformMemZero(&q, sizeof(DNSQuestion));
+ q.ThisQInterval = -1;
+ InitializeQuestion(m, &q, dv->InterfaceID, &dv->origName, dv->origType, mDNSNULL, mDNSNULL);
+
+ ncr = NSECParentForQuestion(m, &q);
+ if (!ncr)
+ {
+ LogMsg("WildcardAnswerProof: Can't find NSEC Parent for %##s (%s)", q.qname.c, DNSTypeName(q.qtype));
+ goto error;
+ }
+ else
+ {
+ LogDNSSEC("WildcardAnswerProof: found %s", CRDisplayString(m, ncr));
+ }
+ rp = &(ncr->nsec);
+ while (*rp)
+ {
+ if ((*rp)->resrec.rrtype == kDNSType_NSEC)
+ {
+ CacheRecord *cr = *rp;
+ if (!NSECNameExists(m, &cr->resrec, &dv->origName, dv->origType))
+ break;
+ }
+ else if ((*rp)->resrec.rrtype == kDNSType_NSEC3)
+ {
+ nsec3 = rp;
+ }
+ rp=&(*rp)->next;
+ }
+ if (!(*rp))
+ {
+ mDNSBool ret = mDNSfalse;
+ if (nsec3)
+ {
+ ret = NSEC3WildcardAnswerProof(m, ncr, dv);
+ }
+ if (!ret)
+ {
+ LogDNSSEC("WildcardAnswerProof: NSEC3 wildcard proof failed for %##s (%s)", q.qname.c, DNSTypeName(q.qtype));
+ goto error;
+ }
+ rp = nsec3;
+ }
+ else
+ {
+ ce = NSECClosestEncloser(&((*rp)->resrec), &dv->origName);
+ if (!ce)
+ {
+ LogMsg("WildcardAnswerProof: ERROR!! Closest Encloser NULL for %##s (%s)", q.qname.c, DNSTypeName(q.qtype));
+ goto error;
+ }
+ if (!SameDomainName(ce, dv->wildcardName))
+ {
+ LogMsg("WildcardAnswerProof: ERROR!! Closest Encloser %##s does not match wildcard name %##s", q.qname.c, dv->wildcardName->c);
+ goto error;
+ }
+ }
+
+ VerifyNSEC(m, &((*rp)->resrec), mDNSNULL, dv, ncr, mDNSNULL);
+ return;
+error:
+ dv->DVCallback(m, dv, DNSSEC_Bogus);
+}
+
+// We have a NSEC. Need to see if it proves that NODATA exists for the given name. Note that this
+// function does not prove anything as proof may require more than one NSEC and this function
+// processes only one NSEC at a time.
+//
+// Returns mDNSfalse if the NSEC does not prove the NODATA error
+// Returns mDNStrue if the NSEC proves the NODATA error
+//
+mDNSlocal mDNSBool NSECNoDataError(mDNS *const m, ResourceRecord *rr, domainname *name, mDNSu16 qtype, domainname **wildcard)
+{
+ const domainname *oname = rr->name; // owner name
+
+ if (wildcard) *wildcard = mDNSNULL;
+ // RFC 4035
+ //
+ // section 3.1.3.1 : Name matches. Prove that the type does not exist and also CNAME is
+ // not set as in that case CNAME should have been returned ( CNAME part is mentioned in
+ // section 4.3 of dnssec-bis-updates.) Without the CNAME check, a positive response can
+ // be converted to a NODATA/NOERROR response.
+ //
+ // section 3.1.3.4 : No exact match for the name but there is a wildcard that could match
+ // the name but not the type. There are two NSECs in this case. One of them is a wildcard
+ // NSEC and another NSEC proving that the qname does not exist. We are called with one
+ // NSEC at a time. We return what we matched and the caller should decide whether all
+ // conditions are met for the proof.
+ if (SameDomainName(oname, name))
+ {
+ mDNSBool soa = RRAssertsExistence(rr, kDNSType_SOA);
+ mDNSBool ns = RRAssertsExistence(rr, kDNSType_NS);
+ if (qtype != kDNSType_DS)
+ {
+ // For non-DS type questions, we don't want to use the parent side records to
+ // answer it
+ if (ns && !soa)
+ {
+ LogDNSSEC("NSECNoDataError: Parent side NSEC %s, can't use for child qname %##s (%s)",
+ RRDisplayString(m, rr), name->c, DNSTypeName(qtype));
+ return mDNSfalse;
+ }
+ }
+ else
+ {
+ if (soa)
+ {
+ LogDNSSEC("NSECNoDataError: Child side NSEC %s, can't use for parent qname %##s (%s)",
+ RRDisplayString(m, rr), name->c, DNSTypeName(qtype));
+ return mDNSfalse;
+ }
+ }
+ if (RRAssertsExistence(rr, qtype) || RRAssertsExistence(rr, kDNSType_CNAME))
+ {
+ LogMsg("NSECNoDataError: ERROR!! qtype %s exists in %s", DNSTypeName(qtype), RRDisplayString(m, rr));
+ return mDNSfalse;
+ }
+ LogDNSSEC("NSECNoDataError: qype %s does not exist in %s", DNSTypeName(qtype), RRDisplayString(m, rr));
+ return mDNStrue;
+ }
+ else
+ {
+ // Name does not exist. Before we check for a wildcard match, make sure that
+ // this is not an ENT.
+ if (NSECAnswersENT(rr, name))
+ {
+ LogDNSSEC("NSECNoDataError: name %##s exists %s", name->c, RRDisplayString(m, rr));
+ return mDNSfalse;
+ }
+
+ // Wildcard check. If this is a wildcard NSEC, then check to see if we could
+ // have answered the question using this wildcard and it should not have the
+ // "qtype" passed in with its bitmap.
+ //
+ // See RFC 4592, on how wildcards are used to synthesize answers. Find the
+ // closest encloser and the qname should be a subdomain i.e if the wildcard
+ // is *.x.example, x.example is the closest encloser and the qname should be
+ // a subdomain e.g., y.x.example or z.y.x.example and so on.
+ if (oname->c[0] == 1 && oname->c[1] == '*')
+ {
+ int r, s;
+ const domainname *ce = SkipLeadingLabels(oname, 1);
+
+ r = DNSSECCanonicalOrder(name, ce, &s);
+ if (s)
+ {
+ if (RRAssertsExistence(rr, qtype) || RRAssertsExistence(rr, kDNSType_CNAME))
+ {
+ LogMsg("NSECNoDataError: ERROR!! qtype %s exists in wildcard %s", DNSTypeName(qtype), RRDisplayString(m, rr));
+ return mDNSfalse;
+ }
+ if (qtype == kDNSType_DS && RRAssertsExistence(rr, kDNSType_SOA))
+ {
+ LogDNSSEC("NSECNoDataError: Child side wildcard NSEC %s, can't use for parent qname %##s (%s)",
+ RRDisplayString(m, rr), name->c, DNSTypeName(qtype));
+ return mDNSfalse;
+ }
+ else if (qtype != kDNSType_DS && RRAssertsNonexistence(rr, kDNSType_SOA) &&
+ RRAssertsExistence(rr, kDNSType_NS))
+ {
+ // Don't use the parent side record for this
+ LogDNSSEC("NSECNoDataError: Parent side wildcard NSEC %s, can't use for child qname %##s (%s)",
+ RRDisplayString(m, rr), name->c, DNSTypeName(qtype));
+ return mDNSfalse;
+ }
+ *wildcard = (domainname *)ce;
+ LogDNSSEC("NSECNoDataError: qtype %s does not exist in wildcard %s", DNSTypeName(qtype), RRDisplayString(m, rr));
+ return mDNStrue;
+ }
+ }
+ return mDNSfalse;
+ }
+}
+
+mDNSexport void NoDataNSECCallback(mDNS *const m, DNSSECVerifier *dv, DNSSECStatus status)
+{
+ RRVerifier *rv;
+ DNSSECVerifier *pdv;
+ CacheRecord *ncr;
+
+ LogDNSSEC("NoDataNSECCallback: called");
+ if (!dv->parent)
+ {
+ LogMsg("NoDataNSECCCallback: no parent DV");
+ FreeDNSSECVerifier(m, dv);
+ return;
+ }
+
+ if (dv->ac)
+ {
+ // Before we free the "dv", we need to update the
+ // parent with our AuthChain information
+ UpdateParent(dv);
+ }
+
+ pdv = dv->parent;
+
+ // We don't care about the "dv" that was allocated in VerifyNSEC
+ // as it just verifies one of the nsecs. Get the original verifier and
+ // verify the other NSEC like we did the first time.
+ dv->parent = mDNSNULL;
+ FreeDNSSECVerifier(m, dv);
+
+ if (status != DNSSEC_Secure)
+ {
+ goto error;
+ }
+
+ ncr = NSECParentForQuestion(m, &pdv->q);
+ if (!ncr)
+ {
+ LogMsg("NoDataNSECCallback: Can't find NSEC Parent for %##s (%s)", pdv->q.qname.c, DNSTypeName(pdv->q.qtype));
+ goto error;
+ }
+ rv = pdv->pendingNSEC;
+ pdv->pendingNSEC = rv->next;
+ // We might have more than one pendingNSEC in the case of NSEC3. If this is the last one,
+ // we don't need to come back here; let the regular NSECCallback call the original callback.
+ rv->next = mDNSNULL;
+ LogDNSSEC("NoDataNSECCallback: Verifying %##s (%s)", rv->name.c, DNSTypeName(rv->rrtype));
+ if (!pdv->pendingNSEC)
+ VerifyNSEC(m, mDNSNULL, rv, pdv, ncr, mDNSNULL);
+ else
+ VerifyNSEC(m, mDNSNULL, rv, pdv, ncr, NoDataNSECCallback);
+ return;
+
+error:
+ pdv->DVCallback(m, pdv, status);
+}
+
+mDNSexport void NameErrorNSECCallback(mDNS *const m, DNSSECVerifier *dv, DNSSECStatus status)
+{
+ RRVerifier *rv;
+ DNSSECVerifier *pdv;
+ CacheRecord *ncr;
+
+ LogDNSSEC("NameErrorNSECCallback: called");
+ if (!dv->parent)
+ {
+ LogMsg("NameErrorNSECCCallback: no parent DV");
+ FreeDNSSECVerifier(m, dv);
+ return;
+ }
+
+ if (dv->ac)
+ {
+ // Before we free the "dv", we need to update the
+ // parent with our AuthChain information
+ UpdateParent(dv);
+ }
+
+ pdv = dv->parent;
+ // We don't care about the "dv" that was allocated in VerifyNSEC
+ // as it just verifies one of the nsecs. Get the original verifier and
+ // verify the other NSEC like we did the first time.
+ dv->parent = mDNSNULL;
+ FreeDNSSECVerifier(m, dv);
+
+ if (status != DNSSEC_Secure)
+ {
+ goto error;
+ }
+
+ ncr = NSECParentForQuestion(m, &pdv->q);
+ if (!ncr)
+ {
+ LogMsg("NameErrorNSECCallback: Can't find NSEC Parent for %##s (%s)", pdv->q.qname.c, DNSTypeName(pdv->q.qtype));
+ goto error;
+ }
+ rv = pdv->pendingNSEC;
+ pdv->pendingNSEC = rv->next;
+ // We might have more than one pendingNSEC in the case of NSEC3. If this is the last one,
+ // we don't need to come back here; let the regular NSECCallback call the original callback.
+ rv->next = mDNSNULL;
+ LogDNSSEC("NameErrorNSECCallback: Verifying %##s (%s)", rv->name.c, DNSTypeName(rv->rrtype));
+ if (!pdv->pendingNSEC)
+ VerifyNSEC(m, mDNSNULL, rv, pdv, ncr, mDNSNULL);
+ else
+ VerifyNSEC(m, mDNSNULL, rv, pdv, ncr, NameErrorNSECCallback);
+
+ return;
+
+error:
+ pdv->DVCallback(m, pdv, status);
+}
+
+// We get a NODATA error with no records in answer section. This proves
+// that qname does not exist.
+mDNSlocal void NoDataProof(mDNS *const m, DNSSECVerifier *dv, CacheRecord *ncr)
+{
+ CacheRecord **rp;
+ domainname *wildcard = mDNSNULL;
+ const domainname *ce = mDNSNULL;
+ ResourceRecord *nsec_wild = mDNSNULL;
+ ResourceRecord *nsec_noname = mDNSNULL;
+
+ // NODATA Error could mean two things. The name exists with no type or there is a
+ // wildcard that matches the name but no type. This is done by NSECNoDataError.
+ //
+ // If it is the case of wildcard, there are two NSECs. One is the wildcard NSEC and
+ // the other NSEC to prove that there is no other closer match.
+
+ wildcard = mDNSNULL;
+ rp = &(ncr->nsec);
+ while (*rp)
+ {
+ if ((*rp)->resrec.rrtype == kDNSType_NSEC)
+ {
+ CacheRecord *cr = *rp;
+ if (NSECNoDataError(m, &cr->resrec, &dv->q.qname, dv->q.qtype, &wildcard))
+ {
+ if (wildcard)
+ {
+ dv->flags |= WILDCARD_PROVES_NONAME_EXISTS;
+ LogDNSSEC("NoDataProof: NSEC %s proves NODATA error for %##s (%s)",
+ RRDisplayString(m, &(*rp)->resrec), dv->q.qname.c, DNSTypeName(dv->q.qtype));
+ }
+ else
+ {
+ dv->flags |= NSEC_PROVES_NOTYPE_EXISTS;
+ LogDNSSEC("NoDataProof: NSEC %s proves NOTYPE error for %##s (%s)",
+ RRDisplayString(m, &(*rp)->resrec), dv->q.qname.c, DNSTypeName(dv->q.qtype));
+ }
+ nsec_wild = &cr->resrec;
+ }
+ if (!NSECNameExists(m, &cr->resrec, &dv->q.qname, dv->q.qtype))
+ {
+ LogDNSSEC("NoDataProof: NSEC %s proves that name %##s (%s) does not exist",
+ RRDisplayString(m, &(*rp)->resrec), dv->q.qname.c, DNSTypeName(dv->q.qtype));
+ // If we have a wildcard, then we should check to see if the closest
+ // encloser is the same as the wildcard.
+ ce = NSECClosestEncloser(&cr->resrec, &dv->q.qname);
+ dv->flags |= NSEC_PROVES_NONAME_EXISTS;
+ nsec_noname = &cr->resrec;
+ }
+ }
+ rp=&(*rp)->next;
+ }
+ if (!nsec_noname && !nsec_wild)
+ {
+ LogDNSSEC("NoDataProof: No valid NSECs for %##s (%s)", dv->q.qname.c, DNSTypeName(dv->q.qtype));
+ goto error;
+ }
+ // If the type exists, then we have to verify just that NSEC
+ if (!(dv->flags & NSEC_PROVES_NOTYPE_EXISTS))
+ {
+ // If we have a wildcard, then we should have a "ce" which matches the wildcard
+ // If we don't have a wildcard, then we should have proven that the name does not
+ // exist which means we would have set the "ce".
+ if (wildcard && !ce)
+ {
+ LogMsg("NoDataProof: Cannot prove that the name %##s (%s) does not exist", dv->q.qname.c, DNSTypeName(dv->q.qtype));
+ goto error;
+ }
+ if (wildcard && !SameDomainName(wildcard, ce))
+ {
+ LogMsg("NoDataProof: wildcard %##s does not match closest encloser %##s", wildcard->c, ce->c);
+ goto error;
+ }
+ // If a single NSEC can prove both, then we just have validate that one NSEC.
+ if (nsec_wild == nsec_noname)
+ {
+ nsec_noname = mDNSNULL;
+ dv->flags &= ~NSEC_PROVES_NONAME_EXISTS;
+ }
+ }
+
+ if ((dv->flags & (WILDCARD_PROVES_NONAME_EXISTS|NSEC_PROVES_NONAME_EXISTS)) ==
+ (WILDCARD_PROVES_NONAME_EXISTS|NSEC_PROVES_NONAME_EXISTS))
+ {
+ mStatus status;
+ RRVerifier *r = AllocateRRVerifier(nsec_noname, &status);
+ if (!r) goto error;
+ // First verify wildcard NSEC and then when we are done, we
+ // will verify the noname nsec
+ dv->pendingNSEC = r;
+ LogDNSSEC("NoDataProof: Verifying wild and noname %s", RRDisplayString(m, nsec_wild));
+ VerifyNSEC(m, nsec_wild, mDNSNULL, dv, ncr, NoDataNSECCallback);
+ }
+ else if ((dv->flags & WILDCARD_PROVES_NONAME_EXISTS) ||
+ (dv->flags & NSEC_PROVES_NOTYPE_EXISTS))
+ {
+ LogDNSSEC("NoDataProof: Verifying wild %s", RRDisplayString(m, nsec_wild));
+ VerifyNSEC(m, nsec_wild, mDNSNULL, dv, ncr, mDNSNULL);
+ }
+ else if (dv->flags & NSEC_PROVES_NONAME_EXISTS)
+ {
+ LogDNSSEC("NoDataProof: Verifying noname %s", RRDisplayString(m, nsec_noname));
+ VerifyNSEC(m, nsec_noname, mDNSNULL, dv, ncr, mDNSNULL);
+ }
+ return;
+error:
+ LogDNSSEC("NoDataProof: Error return");
+ dv->DVCallback(m, dv, DNSSEC_Bogus);
+}
+
+mDNSlocal mDNSBool NSECNoWildcard(mDNS *const m, ResourceRecord *rr, domainname *qname, mDNSu16 qtype)
+{
+ const domainname *ce;
+ domainname wild;
+
+ // If the query name is c.x.w.example and if the name does not exist, we should get
+ // get a nsec back that looks something like this:
+ //
+ // w.example NSEC a.w.example
+ //
+ // First, we need to get the closest encloser which in this case is w.example. Wild
+ // card synthesis works by finding the closest encloser first and then look for
+ // a "*" label (assuming * label does not appear in the question). If it does not
+ // exists, it would return the NSEC at that name. And the wildcard name at the
+ // closest encloser "*.w.example" would be covered by such an NSEC. (Appending "*"
+ // makes it bigger than w.example and "* is smaller than "a" for the above NSEC)
+ //
+ ce = NSECClosestEncloser(rr, qname);
+ if (!ce) { LogMsg("NSECNoWildcard: No closest encloser for rr %s, qname %##s (%s)", qname->c, DNSTypeName(qtype)); return mDNSfalse; }
+
+ wild.c[0] = 1;
+ wild.c[1] = '*';
+ wild.c[2] = 0;
+ if (!AppendDomainName(&wild, ce))
+ {
+ LogMsg("NSECNoWildcard: ERROR!! Can't append domainname closest encloser name %##s, qname %##s (%s)", ce->c, qname->c, DNSTypeName(qtype));
+ return mDNSfalse;
+ }
+ if (NSECNameExists(m, rr, &wild, qtype) != 0)
+ {
+ LogDNSSEC("NSECNoWildcard: Wildcard name %##s exists or not valid qname %##s (%s)", wild.c, qname->c, DNSTypeName(qtype));
+ return mDNSfalse;
+ }
+ LogDNSSEC("NSECNoWildcard: Wildcard name %##s does not exist for record %s, qname %##s (%s)", wild.c,
+ RRDisplayString(m, rr), qname->c, DNSTypeName(qtype));
+ return mDNStrue;
+}
+
+// We get a NXDOMAIN error with no records in answer section. This proves
+// that qname does not exist.
+mDNSlocal void NameErrorProof(mDNS *const m, DNSSECVerifier *dv, CacheRecord *ncr)
+{
+ CacheRecord **rp;
+ ResourceRecord *nsec_wild = mDNSNULL;
+ ResourceRecord *nsec_noname = mDNSNULL;
+ mStatus status;
+
+ // NXDOMAIN Error. We need to prove that the qname does not exist and there
+ // is no wildcard that can be used to answer the question.
+
+ rp = &(ncr->nsec);
+ while (*rp)
+ {
+ if ((*rp)->resrec.rrtype == kDNSType_NSEC)
+ {
+ CacheRecord *cr = *rp;
+ if (!NSECNameExists(m, &cr->resrec, &dv->q.qname, dv->q.qtype))
+ {
+ LogDNSSEC("NameErrorProof: NSEC %s proves name does not exist for %##s (%s)",
+ RRDisplayString(m, &(*rp)->resrec), dv->q.qname.c, DNSTypeName(dv->q.qtype));
+ // If we have a wildcard, then we should check to see if the closest
+ // encloser is the same as the wildcard.
+ dv->flags |= NSEC_PROVES_NONAME_EXISTS;
+ nsec_noname = &cr->resrec;
+ }
+ if (NSECNoWildcard(m, &cr->resrec, &dv->q.qname, dv->q.qtype))
+ {
+ dv->flags |= WILDCARD_PROVES_NONAME_EXISTS;
+ nsec_wild = &cr->resrec;
+ LogDNSSEC("NameErrorProof: NSEC %s proves wildcard cannot answer question for %##s (%s)",
+ RRDisplayString(m, &(*rp)->resrec), dv->q.qname.c, DNSTypeName(dv->q.qtype));
+ }
+ }
+ rp=&(*rp)->next;
+ }
+ if (!nsec_noname || !nsec_wild)
+ {
+ LogMsg("NameErrorProof: Proof failed for %##s (%s) noname %p, wild %p", dv->q.qname.c, DNSTypeName(dv->q.qtype), nsec_noname, nsec_wild);
+ goto error;
+ }
+
+ // First verify wildcard NSEC and then when we are done, we will verify the noname nsec.
+ // Sometimes a single NSEC can prove both that the "qname" does not exist and a wildcard
+ // could not have produced qname. These are a few examples where this can happen.
+ //
+ // 1. If the zone is example.com and you look up *.example.com and if there are no wildcards,
+ // you will get a NSEC back "example.com NSEC a.example.com". This proves that both the
+ // name does not exist and *.example.com also does not exist
+ //
+ // 2. If the zone is example.com and it has a record like this:
+ //
+ // example.com NSEC d.example.com
+ //
+ // any name you lookup in between like a.example.com,b.example.com etc. you will get a single
+ // NSEC back. In that case we just have to verify only once.
+ //
+ if (nsec_wild != nsec_noname)
+ {
+ RRVerifier *r = AllocateRRVerifier(nsec_noname, &status);
+ if (!r) goto error;
+ dv->pendingNSEC = r;
+ LogDNSSEC("NoDataProof: Verifying wild %s", RRDisplayString(m, nsec_wild));
+ VerifyNSEC(m, nsec_wild, mDNSNULL, dv, ncr, NameErrorNSECCallback);
+ }
+ else
+ {
+ LogDNSSEC("NoDataProof: Verifying only one %s", RRDisplayString(m, nsec_wild));
+ VerifyNSEC(m, nsec_wild, mDNSNULL, dv, ncr, mDNSNULL);
+ }
+ return;
+error:
+ dv->DVCallback(m, dv, DNSSEC_Bogus);
+}
+
+mDNSexport CacheRecord *NSECRecordIsDelegation(mDNS *const m, domainname *name, mDNSu16 qtype)
+{
+ CacheGroup *cg;
+ CacheRecord *cr;
+ mDNSu32 slot, namehash;
+
+ slot = HashSlot(name);
+ namehash = DomainNameHashValue(name);
+
+ cg = CacheGroupForName(m, (const mDNSu32)slot, namehash, name);
+ if (!cg)
+ {
+ LogDNSSEC("NSECRecordForName: cg NULL for %##s", name);
+ return mDNSNULL;
+ }
+ for (cr = cg->members; cr; cr = cr->next)
+ {
+ if (cr->resrec.RecordType == kDNSRecordTypePacketNegative && cr->resrec.rrtype == qtype)
+ {
+ CacheRecord *ncr;
+ for (ncr = cr->nsec; ncr; ncr = ncr->next)
+ {
+ if (ncr->resrec.rrtype == kDNSType_NSEC &&
+ SameDomainName(ncr->resrec.name, name))
+ {
+ // See the Insecure Delegation Proof section in dnssec-bis: DS bit and SOA bit
+ // should be absent
+ if (RRAssertsExistence(&ncr->resrec, kDNSType_SOA) ||
+ RRAssertsExistence(&ncr->resrec, kDNSType_DS))
+ {
+ LogDNSSEC("NSECRecordForName: found record %s for %##s (%s), but DS or SOA bit set", CRDisplayString(m, ncr), name,
+ DNSTypeName(qtype));
+ return mDNSNULL;
+ }
+ // Section 2.3 of RFC 4035 states that:
+ //
+ // Each owner name in the zone that has authoritative data or a delegation point NS RRset MUST
+ // have an NSEC resource record.
+ //
+ // So, if we have an NSEC record matching the question name with the NS bit set,
+ // then this is a delegation.
+ //
+ if (RRAssertsExistence(&ncr->resrec, kDNSType_NS))
+ {
+ LogDNSSEC("NSECRecordForName: found record %s for %##s (%s)", CRDisplayString(m, ncr), name, DNSTypeName(qtype));
+ return ncr;
+ }
+ else
+ {
+ LogDNSSEC("NSECRecordForName: found record %s for %##s (%s), but NS bit is not set", CRDisplayString(m, ncr), name,
+ DNSTypeName(qtype));
+ return mDNSNULL;
+ }
+ }
+ }
+ }
+ }
+ return mDNSNULL;
+}
+
+mDNSlocal void StartInsecureProof(mDNS * const m, DNSSECVerifier *dv)
+{
+ domainname trigger;
+ DNSSECVerifier *prevdv = mDNSNULL;
+
+ // Remember the name that triggered the insecure proof
+ AssignDomainName(&trigger, &dv->q.qname);
+ while (dv->parent)
+ {
+ prevdv = dv;
+ dv = dv->parent;
+ }
+ if (prevdv)
+ {
+ prevdv->parent = mDNSNULL;
+ FreeDNSSECVerifier(m, prevdv);
+ }
+ // For Optional DNSSEC, we are opportunistically verifying dnssec. We don't care
+ // if something results in bogus as we still want to deliver results to the
+ // application e.g., CNAME processing results in bogus because the path is broken,
+ // but we still want to follow CNAMEs so that we can deliver the final results to
+ // the application.
+ if (dv->ValidationRequired == DNSSEC_VALIDATION_SECURE_OPTIONAL)
+ {
+ LogDNSSEC("StartInsecureProof: Aborting insecure proof for %##s (%s)", dv->q.qname.c, DNSTypeName(dv->q.qtype));
+ dv->DVCallback(m, dv, DNSSEC_Bogus);
+ return;
+ }
+
+ LogDNSSEC("StartInsecureProof for %##s (%s)", dv->q.qname.c, DNSTypeName(dv->q.qtype));
+ // Don't start the insecure proof again after we finish the one that we start here by
+ // setting InsecureProofDone.
+ dv->InsecureProofDone = 1;
+ ProveInsecure(m, dv, mDNSNULL, &trigger);
+ return;
+}
+
+mDNSexport void ValidateWithNSECS(mDNS *const m, DNSSECVerifier *dv, CacheRecord *cr)
+{
+ LogDNSSEC("ValidateWithNSECS: called for %s", CRDisplayString(m, cr));
+
+ // If we are encountering a break in the chain of trust i.e., NSEC/NSEC3s for
+ // DS query, then do the insecure proof. This is important because if we
+ // validate these NSECs normally and prove that they are "secure", we will
+ // end up delivering the secure result to the original question where as
+ // these NSEC/NSEC3s actually prove that DS does not exist and hence insecure.
+ //
+ // This break in the chain can happen after we have partially validated the
+ // path (dv->ac is non-NULL) or the first time (dv->ac is NULL) after we
+ // fetched the DNSKEY (dv->key is non-NULL). We don't want to do this
+ // if we have just started the non-existence proof (dv->key is NULL) as
+ // it does not indicate a break in the chain of trust.
+ //
+ // If we are already doing a insecurity proof, don't start another one. In
+ // the case of NSECs, it is possible that insecurity proof starts and it
+ // gets NSECs and as part of validating that we receive more NSECS in which
+ // case we don't want to start another insecurity proof.
+ if (dv->ValidationRequired != DNSSEC_VALIDATION_INSECURE &&
+ (!dv->parent || dv->parent->ValidationRequired != DNSSEC_VALIDATION_INSECURE))
+ {
+ if ((dv->ac && dv->q.qtype == kDNSType_DS) ||
+ (!dv->ac && dv->key && dv->q.qtype == kDNSType_DS))
+ {
+ LogDNSSEC("ValidateWithNSECS: Starting insecure proof: name %##s ac %p, key %p, parent %p", dv->q.qname.c,
+ dv->ac, dv->key, dv->parent);
+ StartInsecureProof(m, dv);
+ return;
+ }
+ }
+ // "parent" is set when we are validating a NSEC and we should not be here in
+ // the normal case when parent is set. For example, we are looking up the A
+ // record for www.example.com and following can happen.
+ //
+ // a) Record does not exist and we get a NSEC
+ // b) While validating (a), we get an NSEC for the first DS record that we look up
+ // c) Record exists but we get NSECs for the first DS record
+ // d) We are able to partially validate (a) or (b), but we get NSECs somewhere in
+ // the chain
+ //
+ // For (a), parent is not set as we are not validating the NSEC yet. Hence we would
+ // start the validation now.
+ //
+ // For (b), the parent is set, but should be caught by the above "if" block because we
+ // should have gotten the DNSKEY at least. In the case of nested insecurity proof,
+ // we would end up here and fail with bogus.
+ //
+ // For (c), the parent is not set and should be caught by the above "if" block because we
+ // should have gotten the DNSKEY at least.
+ //
+ // For (d), the above "if" block would catch it as "dv->ac" is non-NULL.
+ //
+ // Hence, we should not come here in the normal case. Possible pathological cases are:
+ // Insecure proof getting NSECs while validating NSECs, getting NSECs for DNSKEY for (c)
+ // above etc.
+ if (dv->parent)
+ {
+ LogDNSSEC("ValidateWithNSECS: dv parent set for %##s (%s)", dv->q.qname.c, DNSTypeName(dv->q.qtype));
+ dv->DVCallback(m, dv, DNSSEC_Bogus);
+ return;
+ }
+ if (cr->resrec.RecordType == kDNSRecordTypePacketNegative)
+ {
+ mDNSu8 rcode;
+ CacheRecord *neg = cr->nsec;
+ mDNSBool nsecs_seen = mDNSfalse;
+
+ while (neg)
+ {
+ // The list can only have NSEC or NSEC3s. This was checked when we added the
+ // NSECs to the cache record.
+ if (neg->resrec.rrtype == kDNSType_NSEC)
+ nsecs_seen = mDNStrue;
+ LogDNSSEC("ValidateWithNSECS: NSECCached Record %s", CRDisplayString(m, neg));
+ neg = neg->next;
+ }
+
+ rcode = (mDNSu8)(cr->responseFlags.b[1] & kDNSFlag1_RC_Mask);
+ if (rcode == kDNSFlag1_RC_NoErr)
+ {
+ if (nsecs_seen)
+ NoDataProof(m, dv, cr);
+ else
+ NSEC3NoDataProof(m, dv, cr);
+ }
+ else if (rcode == kDNSFlag1_RC_NXDomain)
+ {
+ if (nsecs_seen)
+ NameErrorProof(m, dv, cr);
+ else
+ NSEC3NameErrorProof(m, dv, cr);
+ }
+ else
+ {
+ LogDNSSEC("ValidateWithNSECS: Rcode %d invalid", rcode);
+ dv->DVCallback(m, dv, DNSSEC_Bogus);
+ }
+ }
+ else
+ {
+ LogMsg("ValidateWithNSECS: Not a valid cache record %s for NSEC proofs", CRDisplayString(m, cr));
+ dv->DVCallback(m, dv, DNSSEC_Bogus);
+ return;
+ }
+}
+
+#else // !DNSSEC_DISABLED
+
+mDNSexport mDNSBool AddNSECSForCacheRecord(mDNS *const m, CacheRecord *crlist, CacheRecord *negcr, mDNSu8 rcode)
+{
+ (void)m;
+ (void)crlist;
+ (void)negcr;
+ (void)rcode;
+
+ return mDNSfalse;
+}
+
+#endif // !DNSSEC_DISABLED
diff --git a/mDNSResponder/mDNSCore/nsec.h b/mDNSResponder/mDNSCore/nsec.h
new file mode 100644
index 00000000..3dbb841f
--- /dev/null
+++ b/mDNSResponder/mDNSCore/nsec.h
@@ -0,0 +1,33 @@
+/* -*- Mode: C; tab-width: 4 -*-
+ *
+ * Copyright (c) 2011 Apple Computer, Inc. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef __NSEC_H
+#define __NSEC_H
+
+#include "dnssec.h"
+
+extern mDNSBool AddNSECSForCacheRecord(mDNS *const m, CacheRecord *crlist, CacheRecord *negcr, mDNSu8 rcode);
+extern void WildcardAnswerProof(mDNS *const m, DNSSECVerifier *dv);
+extern void ValidateWithNSECS(mDNS *const m, DNSSECVerifier *dv, CacheRecord *rr);
+extern mDNSBool NSECAnswersDS(mDNS *const m, ResourceRecord *rr, DNSQuestion *q);
+extern int CountLabelsMatch(const domainname *const d1, const domainname *const d2);
+extern void NameErrorNSECCallback(mDNS *const m, DNSSECVerifier *dv, DNSSECStatus status);
+extern void VerifyNSEC(mDNS *const m, ResourceRecord *rr, RRVerifier *rv, DNSSECVerifier *pdv, CacheRecord *ncr,
+ DNSSECVerifierCallback callback);
+extern CacheRecord *NSECRecordIsDelegation(mDNS *const m, domainname *name, mDNSu16 qtype);
+extern void NoDataNSECCallback(mDNS *const m, DNSSECVerifier *dv, DNSSECStatus status);
+
+#endif // __NSEC_H
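Review bot: The declarations of `NoDataNSECCallback` and `NameErrorNSECCallback` export both callbacks without saying who owns `dv`, although each definition in nsec.c calls `FreeDNSSECVerifier(m, dv)` on every path: once when `dv->parent` is missing, and once after detaching the parent. A caller or a later maintainer who touches the verifier after either function returns would be using freed memory, and nothing in this header warns about that. I would add a comment above each of the two prototypes, for example `// Consumes dv: it is always freed before return; work continues on dv->parent, if any.`. The same comment could note that a failure status is reported through the parent's `DVCallback`, and that nothing is reported when there is no parent.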
diff --git a/mDNSResponder/mDNSCore/nsec3.c b/mDNSResponder/mDNSCore/nsec3.c
new file mode 100644
index 00000000..a039418a
--- /dev/null
+++ b/mDNSResponder/mDNSCore/nsec3.c
@@ -0,0 +1,769 @@
+/* -*- Mode: C; tab-width: 4 -*-
+ *
+ * Copyright (c) 2011 Apple Computer, Inc. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+// ***************************************************************************
+// nsec3.c: This file contains support functions to validate NSEC3 records for
+// NODATA and NXDOMAIN error.
+// ***************************************************************************
+
+#include "mDNSEmbeddedAPI.h"
+#include "DNSCommon.h"
+#include "CryptoAlg.h"
+#include "nsec3.h"
+#include "nsec.h"
+
+// Define DNSSEC_DISABLED to remove all the DNSSEC functionality
+// and use the stub functions implemented later in this file.
+
+#ifndef DNSSEC_DISABLED
+
+typedef enum
+{
+ NSEC3ClosestEncloser,
+ NSEC3Covers,
+ NSEC3CEProof
+} NSEC3FindValues;
+
+//#define NSEC3_DEBUG 1
+
+#if NSEC3_DEBUG
+mDNSlocal void PrintHash(mDNSu8 *digest, int digestlen, char *buffer, int buflen)
+{
+ int length = 0;
+ for (int j = 0; j < digestlen; j++)
+ {
+ length += mDNS_snprintf(buffer+length, buflen-length-1, "%x", digest[j]);
+ }
+}
+#endif
+
+mDNSlocal mDNSBool NSEC3OptOut(CacheRecord *cr)
+{
+ const RDataBody2 *const rdb = (RDataBody2 *)cr->resrec.rdata->u.data;
+ rdataNSEC3 *nsec3 = (rdataNSEC3 *)rdb->data;
+ return (nsec3->flags & NSEC3_FLAGS_OPTOUT);
+}
+
+mDNSlocal int NSEC3SameName(const mDNSu8 *name, int namelen, const mDNSu8 *nsecName, int nsecLen)
+{
+ int i;
+
+ // Note: With NSEC3, the lengths should always be same.
+ if (namelen != nsecLen)
+ {
+ LogMsg("NSEC3SameName: ERROR!! namelen %d, nsecLen %d", namelen, nsecLen);
+ return ((namelen < nsecLen) ? -1 : 1);
+ }
+
+ for (i = 0; i < namelen; i++)
+ {
+ mDNSu8 ac = *name++;
+ mDNSu8 bc = *nsecName++;
+ if (mDNSIsUpperCase(ac)) ac += 'a' - 'A';
+ if (mDNSIsUpperCase(bc)) bc += 'a' - 'A';
+ if (ac != bc)
+ {
+ verbosedebugf("NSEC3SameName: returning ac %c, bc %c", ac, bc);
+ return ((ac < bc) ? -1 : 1);
+ }
+ }
+ return 0;
+}
+
+// Does the NSEC3 in "ncr" covers the "name" ?
+// hashName is hash of the "name" and b32Name is the base32 encoded equivalent.
+mDNSlocal mDNSBool NSEC3CoversName(mDNS *const m, CacheRecord *ncr, const mDNSu8 *hashName, int hashLen, const mDNSu8 *b32Name,
+ int b32len)
+{
+ mDNSu8 *nxtName;
+ int nxtLength;
+ int ret, ret1, ret2;
+ const mDNSu8 b32nxtname[NSEC3_MAX_B32_LEN+1];
+ int b32nxtlen;
+
+ NSEC3Parse(&ncr->resrec, mDNSNULL, &nxtLength, &nxtName, mDNSNULL, mDNSNULL);
+
+ if (nxtLength != hashLen || ncr->resrec.name->c[0] != b32len)
+ return mDNSfalse;
+
+ // Compare the owner names and the "nxt" names.
+ //
+ // Owner name is base32 encoded and hence use the base32 encoded name b32name.
+ // nxt name is binary and hence use the binary value in hashName.
+ ret1 = NSEC3SameName(&ncr->resrec.name->c[1], ncr->resrec.name->c[0], b32Name, b32len);
+ ret2 = DNSMemCmp(nxtName, hashName, hashLen);
+
+#if NSEC3_DEBUG
+ {
+ char nxtbuf1[50];
+ char nxtbuf2[50];
+
+ PrintHash(nxtName, nxtLength, nxtbuf1, sizeof(nxtbuf1));
+ PrintHash((mDNSu8 *)hashName, hashLen, nxtbuf2, sizeof(nxtbuf2));
+ LogMsg("NSEC3CoversName: Owner name %s, name %s", &ncr->resrec.name->c[1], b32Name);
+ LogMsg("NSEC3CoversName: Nxt hash name %s, name %s", nxtbuf1, nxtbuf2);
+ }
+#endif
+
+ // "name" is greater than the owner name and smaller than nxtName. This also implies
+ // that nxtName > owner name implying that it is normal NSEC3.
+ if (ret1 < 0 && ret2 > 0)
+ {
+ LogDNSSEC("NSEC3CoversName: NSEC3 %s covers %s (Normal)", CRDisplayString(m, ncr), b32Name);
+ return mDNStrue;
+ }
+ // Need to compare the owner name and "nxt" to see if this is the last
+ // NSEC3 in the zone. Only the owner name is in base32 and hence we need to
+ // convert the nxtName to base32.
+ b32nxtlen = baseEncode((char *)b32nxtname, sizeof(b32nxtname), nxtName, nxtLength, ENC_BASE32);
+ if (!b32nxtlen)
+ {
+ LogDNSSEC("NSEC3CoversName: baseEncode of nxtName of %s failed", CRDisplayString(m, ncr));
+ return mDNSfalse;
+ }
+ if (b32len != b32nxtlen)
+ {
+ LogDNSSEC("NSEC3CoversName: baseEncode of nxtName for %s resulted in wrong length b32nxtlen %d, b32len %d",
+ CRDisplayString(m, ncr), b32len, b32nxtlen);
+ return mDNSfalse;
+ }
+ LogDNSSEC("NSEC3CoversName: Owner name %s, b32nxtname %s, ret1 %d, ret2 %d", &ncr->resrec.name->c[1], b32nxtname, ret1, ret2);
+
+ // If it is the last NSEC3 in the zone nxt < "name" and NSEC3SameName returns -1.
+ //
+ // - ret1 < 0 means "name > owner"
+ // - ret2 > 0 means "name < nxt"
+ //
+ // Note: We also handle the case of only NSEC3 in the zone where NSEC3SameName returns zero.
+ ret = NSEC3SameName(b32nxtname, b32nxtlen, &ncr->resrec.name->c[1], ncr->resrec.name->c[0]);
+ if (ret <= 0 &&
+ (ret1 < 0 || ret2 > 0))
+ {
+ LogDNSSEC("NSEC3CoversName: NSEC3 %s covers %s (Last), ret1 %d, ret2 %d", CRDisplayString(m, ncr), b32Name, ret1, ret2);
+ return mDNStrue;
+ }
+
+ return mDNSfalse;
+}
+
+// This function can be called with NSEC3ClosestEncloser, NSEC3Covers and NSEC3CEProof
+//
+// Passing in NSEC3ClosestEncloser means "find an exact match for the origName".
+// Passing in NSEC3Covers means "find an NSEC3 that covers the origName".
+//
+// i.e., in both cases the nsec3 records are iterated to find the best match and returned.
+// With NSEC3ClosestEncloser, as we are just looking for a name match, extra checks for
+// the types being present or absent will not be checked.
+//
+// If NSEC3CEProof is passed, the name is tried as such first by iterating through all NSEC3s
+// finding a ClosestEncloser or CloserEncloser and then one label skipped from the left and
+// retried again till both the closest and closer encloser is found.
+//
+// ncr is the negative cache record that has the NSEC3 chain
+// origName is the name for which we are trying to find the ClosestEncloser etc.
+// closestEncloser and closerEncloser are the return values of the function
+// ce is the closest encloser that will be returned if we find one
+mDNSlocal mDNSBool NSEC3Find(mDNS *const m, NSEC3FindValues val, CacheRecord *ncr, domainname *origName, CacheRecord **closestEncloser,
+ CacheRecord **closerEncloser, const domainname **ce, mDNSu16 qtype)
+{
+ int i;
+ int labelCount = CountLabels(origName);
+ CacheRecord *cr;
+ rdataNSEC3 *nsec3;
+
+ (void) qtype; // unused
+ // Pick the first NSEC for the iterations, salt etc.
+ for (cr = ncr->nsec; cr; cr = cr->next)
+ {
+ if (cr->resrec.rrtype == kDNSType_NSEC3)
+ {
+ const RDataBody2 *const rdb = (RDataBody2 *)cr->resrec.rdata->u.data;
+ nsec3 = (rdataNSEC3 *)rdb->data;
+ break;
+ }
+ }
+ if (!cr)
+ {
+ LogMsg("NSEC3Find: cr NULL");
+ return mDNSfalse;
+ }
+
+ // Note: The steps defined in this function are for "NSEC3CEProof". As part of NSEC3CEProof,
+ // we need to find both the closestEncloser and closerEncloser which can also be found
+ // by passing NSEC3ClosestEncloser and NSEC3Covers respectively.
+ //
+ // Section 8.3 of RFC 5155.
+ // 1. Set SNAME=QNAME. Clear the flag.
+ //
+ // closerEncloser is the "flag". "name" below is SNAME.
+
+ if (closestEncloser)
+ {
+ *ce = mDNSNULL;
+ *closestEncloser = mDNSNULL;
+ }
+ if (closerEncloser)
+ *closerEncloser = mDNSNULL;
+
+ // If we are looking for a closestEncloser or a covering NSEC3, we don't have
+ // to truncate the name. For the give name, try to find the closest or closer
+ // encloser.
+ if (val != NSEC3CEProof)
+ {
+ labelCount = 0;
+ }
+
+ for (i = 0; i < labelCount + 1; i++)
+ {
+ int hlen;
+ const mDNSu8 hashName[NSEC3_MAX_HASH_LEN];
+ const domainname *name;
+ const mDNSu8 b32Name[NSEC3_MAX_B32_LEN+1];
+ int b32len;
+
+ name = SkipLeadingLabels(origName, i);
+ if (!NSEC3HashName(name, nsec3, mDNSNULL, 0, hashName, &hlen))
+ {
+ LogMsg("NSEC3Find: NSEC3HashName failed for ##s", name->c);
+ continue;
+ }
+
+ b32len = baseEncode((char *)b32Name, sizeof(b32Name), (mDNSu8 *)hashName, hlen, ENC_BASE32);
+ if (!b32len)
+ {
+ LogMsg("NSEC3Find: baseEncode of name %##s failed", name->c);
+ continue;
+ }
+
+
+ for (cr = ncr->nsec; cr; cr = cr->next)
+ {
+ const domainname *nsecZone;
+ int result, subdomain;
+
+ if (cr->resrec.rrtype != kDNSType_NSEC3)
+ continue;
+
+ nsecZone = SkipLeadingLabels(cr->resrec.name, 1);
+ if (!nsecZone)
+ {
+ LogMsg("NSEC3Find: SkipLeadingLabel failed for %s, current name %##s",
+ CRDisplayString(m, cr), name->c);
+ continue;
+ }
+
+ // NSEC3 owner names are formed by hashing the owner name and then appending
+ // the zone name to it. If we skip the first label, the rest should be
+ // the zone name. See whether it is the subdomain of the name we are looking
+ // for.
+ result = DNSSECCanonicalOrder(origName, nsecZone, &subdomain);
+
+ // The check can't be a strict subdomain check. When NSEC3ClosestEncloser is
+ // passed in, there can be an exact match. If it is a subdomain or an exact
+ // match, we should continue with the proof.
+ if (!(subdomain || !result))
+ {
+ LogMsg("NSEC3Find: NSEC3 %s not a subdomain of %##s, result %d", CRDisplayString(m, cr),
+ origName->c, result);
+ continue;
+ }
+
+ // 2.1) If there is no NSEC3 RR in the response that matches SNAME
+ // (i.e., an NSEC3 RR whose owner name is the same as the hash of
+ // SNAME, prepended as a single label to the zone name), clear
+ // the flag.
+ //
+ // Note: We don't try to determine the actual zone name. We know that
+ // the labels following the hash (nsecZone) is the ancestor and we don't
+ // know where the zone cut is. Hence, we verify just the hash to be
+ // the same.
+
+ if (val == NSEC3ClosestEncloser || val == NSEC3CEProof)
+ {
+ if (!NSEC3SameName(&cr->resrec.name->c[1], cr->resrec.name->c[0], (const mDNSu8 *)b32Name, b32len))
+ {
+ int bmaplen;
+ mDNSu8 *bmap;
+
+ // For NSEC3ClosestEncloser, we are finding an exact match and
+ // "type" specific checks should be done by the caller.
+ if (val != NSEC3ClosestEncloser)
+ {
+ // DNAME bit must not be set and NS bit may be set only if SOA bit is set
+ NSEC3Parse(&cr->resrec, mDNSNULL, mDNSNULL, mDNSNULL, &bmaplen, &bmap);
+ if (BitmapTypeCheck(bmap, bmaplen, kDNSType_DNAME))
+ {
+ LogDNSSEC("NSEC3Find: DNAME bit set in %s, ignoring", CRDisplayString(m, cr));
+ return mDNSfalse;
+ }
+ // This is the closest encloser and should come from the right zone.
+ if (BitmapTypeCheck(bmap, bmaplen, kDNSType_NS) &&
+ !BitmapTypeCheck(bmap, bmaplen, kDNSType_SOA))
+ {
+ LogDNSSEC("NSEC3Find: NS bit set without SOA bit in %s, ignoring", CRDisplayString(m, cr));
+ return mDNSfalse;
+ }
+ }
+
+ LogDNSSEC("NSEC3Find: ClosestEncloser %s found for name %##s", CRDisplayString(m, cr), name->c);
+ if (closestEncloser)
+ {
+ *ce = name;
+ *closestEncloser = cr;
+ }
+ if (val == NSEC3ClosestEncloser)
+ return mDNStrue;
+ else
+ break;
+ }
+ }
+
+ if ((val == NSEC3Covers || val == NSEC3CEProof) && !(*closerEncloser))
+ {
+ if (NSEC3CoversName(m, cr, hashName, hlen, b32Name, b32len))
+ {
+ // 2.2) If there is an NSEC3 RR in the response that covers SNAME, set the flag.
+ if (closerEncloser)
+ *closerEncloser = cr;
+ if (val == NSEC3Covers)
+ return mDNStrue;
+ else
+ break;
+ }
+ }
+ }
+ // 2.3) If there is a matching NSEC3 RR in the response and the flag
+ // was set, then the proof is complete, and SNAME is the closest
+ // encloser.
+ if (val == NSEC3CEProof)
+ {
+ if (*closestEncloser && *closerEncloser)
+ {
+ LogDNSSEC("NSEC3Find: Found closest and closer encloser");
+ return mDNStrue;
+ }
+
+ // 2.4) If there is a matching NSEC3 RR in the response, but the flag
+ // is not set, then the response is bogus.
+ //
+ // Note: We don't have to wait till we finish trying all the names. If the matchName
+ // happens, we found the closest encloser which means we should have found the closer
+ // encloser before.
+
+ if (*closestEncloser && !(*closerEncloser))
+ {
+ LogDNSSEC("NSEC3Find: Found closest, but not closer encloser");
+ return mDNSfalse;
+ }
+ }
+ // 3. Truncate SNAME by one label from the left, go to step 2.
+ }
+ LogDNSSEC("NSEC3Find: Cannot find name %##s (%s)", origName->c, DNSTypeName(qtype));
+ return mDNSfalse;
+}
+
+mDNSlocal mDNSBool NSEC3ClosestEncloserProof(mDNS *const m, CacheRecord *ncr, domainname *name, CacheRecord **closestEncloser, CacheRecord **closerEncloser,
+ const domainname **ce, mDNSu16 qtype)
+{
+ if (!NSEC3Find(m, NSEC3CEProof, ncr, name, closestEncloser, closerEncloser, ce, qtype))
+ {
+ LogDNSSEC("NSEC3ClosestEncloserProof: ERROR!! Cannot do closest encloser proof");
+ return mDNSfalse;
+ }
+
+ // Note: It is possible that closestEncloser and closerEncloser are the same.
+ if (!closestEncloser || !closerEncloser || !ce)
+ {
+ LogMsg("NSEC3ClosestEncloserProof: ClosestEncloser %p or CloserEncloser %p ce %p, something is NULL", *closestEncloser,
+ *closerEncloser, *ce);
+ return mDNSfalse;
+ }
+
+ // If the name exists, we should not have gotten the name error
+ if (SameDomainName((*ce), name))
+ {
+ LogMsg("NSEC3ClosestEncloserProof: ClosestEncloser %s same as origName %##s", CRDisplayString(m, *closestEncloser),
+ (*ce)->c);
+ return mDNSfalse;
+ }
+ return mDNStrue;
+}
+
+mDNSlocal mDNSBool VerifyNSEC3(mDNS *const m, DNSSECVerifier *dv, CacheRecord *ncr, CacheRecord *closestEncloser,
+ CacheRecord *closerEncloser, CacheRecord *wildcard, DNSSECVerifierCallback callback)
+{
+ mStatus status;
+ RRVerifier *r;
+
+ // We have three NSEC3s. If any of two are same, we should just prove one of them.
+ // This is just not an optimization; DNSSECNegativeValidationCB does not handle
+ // identical NSEC3s very well.
+
+ if (closestEncloser == closerEncloser)
+ closestEncloser = mDNSNULL;
+ if (closerEncloser == wildcard)
+ closerEncloser = mDNSNULL;
+ if (closestEncloser == wildcard)
+ closestEncloser = mDNSNULL;
+
+ dv->pendingNSEC = mDNSNULL;
+ if (closestEncloser)
+ {
+ r = AllocateRRVerifier(&closestEncloser->resrec, &status);
+ if (!r)
+ return mDNSfalse;
+ r->next = dv->pendingNSEC;
+ dv->pendingNSEC = r;
+ }
+ if (closerEncloser)
+ {
+ r = AllocateRRVerifier(&closerEncloser->resrec, &status);
+ if (!r)
+ return mDNSfalse;
+ r->next = dv->pendingNSEC;
+ dv->pendingNSEC = r;
+ }
+ if (wildcard)
+ {
+ r = AllocateRRVerifier(&wildcard->resrec, &status);
+ if (!r)
+ return mDNSfalse;
+ r->next = dv->pendingNSEC;
+ dv->pendingNSEC = r;
+ }
+ if (!dv->pendingNSEC)
+ {
+ LogMsg("VerifyNSEC3: ERROR!! pending NSEC null");
+ return mDNSfalse;
+ }
+ r = dv->pendingNSEC;
+ dv->pendingNSEC = r->next;
+ r->next = mDNSNULL;
+
+ LogDNSSEC("VerifyNSEC3: Verifying %##s (%s)", r->name.c, DNSTypeName(r->rrtype));
+ if (!dv->pendingNSEC)
+ VerifyNSEC(m, mDNSNULL, r, dv, ncr, mDNSNULL);
+ else
+ VerifyNSEC(m, mDNSNULL, r, dv, ncr, callback);
+ return mDNStrue;
+}
+
+mDNSexport void NSEC3NameErrorProof(mDNS *const m, DNSSECVerifier *dv, CacheRecord *ncr)
+{
+ CacheRecord *closerEncloser;
+ CacheRecord *closestEncloser;
+ CacheRecord *wildcard;
+ const domainname *ce = mDNSNULL;
+ domainname wild;
+
+ if (!NSEC3ClosestEncloserProof(m, ncr, &dv->q.qname, &closestEncloser, &closerEncloser, &ce, dv->q.qtype))
+ {
+ goto error;
+ }
+ LogDNSSEC("NSEC3NameErrorProof: ClosestEncloser %s, ce %##s", CRDisplayString(m, closestEncloser), ce->c);
+ LogDNSSEC("NSEC3NameErrorProof: CloserEncloser %s", CRDisplayString(m, closerEncloser));
+
+ // *.closestEncloser should be covered by some nsec3 which would then prove
+ // that the wildcard does not exist
+ wild.c[0] = 1;
+ wild.c[1] = '*';
+ wild.c[2] = 0;
+ if (!AppendDomainName(&wild, ce))
+ {
+ LogMsg("NSEC3NameErrorProof: Can't append domainname to closest encloser name %##s", ce->c);
+ goto error;
+ }
+ if (!NSEC3Find(m, NSEC3Covers, ncr, &wild, mDNSNULL, &wildcard, mDNSNULL, dv->q.qtype))
+ {
+ LogMsg("NSEC3NameErrorProof: Cannot find encloser for wildcard");
+ goto error;
+ }
+ else
+ {
+ LogDNSSEC("NSEC3NameErrorProof: Wildcard %##s covered by %s", wild.c, CRDisplayString(m, wildcard));
+ if (wildcard == closestEncloser)
+ {
+ LogDNSSEC("NSEC3NameErrorProof: ClosestEncloser matching Wildcard %s", CRDisplayString(m, wildcard));
+ }
+ }
+ if (NSEC3OptOut(closerEncloser))
+ {
+ dv->flags |= NSEC3_OPT_OUT;
+ }
+ if (!VerifyNSEC3(m, dv, ncr, closestEncloser, closerEncloser, wildcard, NameErrorNSECCallback))
+ goto error;
+ else
+ return;
+
+error:
+ dv->DVCallback(m, dv, DNSSEC_Bogus);
+}
+
+// Section 8.5, 8.6 of RFC 5155 first paragraph
+mDNSlocal mDNSBool NSEC3NoDataError(mDNS *const m, CacheRecord *ncr, domainname *name, mDNSu16 qtype, CacheRecord **closestEncloser)
+{
+ const domainname *ce = mDNSNULL;
+
+ *closestEncloser = mDNSNULL;
+ // Note: This also covers ENT in which case the bitmap is empty
+ if (NSEC3Find(m, NSEC3ClosestEncloser, ncr, name, closestEncloser, mDNSNULL, &ce, qtype))
+ {
+ int bmaplen;
+ mDNSu8 *bmap;
+ mDNSBool ns, soa;
+
+ NSEC3Parse(&(*closestEncloser)->resrec, mDNSNULL, mDNSNULL, mDNSNULL, &bmaplen, &bmap);
+ if (BitmapTypeCheck(bmap, bmaplen, qtype) || BitmapTypeCheck(bmap, bmaplen, kDNSType_CNAME))
+ {
+ LogMsg("NSEC3NoDataError: qtype %s exists in %s", DNSTypeName(qtype), CRDisplayString(m, *closestEncloser));
+ return mDNSfalse;
+ }
+ ns = BitmapTypeCheck(bmap, bmaplen, kDNSType_NS);
+ soa = BitmapTypeCheck(bmap, bmaplen, kDNSType_SOA);
+ if (qtype != kDNSType_DS)
+ {
+ // For non-DS type questions, we don't want to use the parent side records to
+ // answer it
+ if (ns && !soa)
+ {
+ LogDNSSEC("NSEC3NoDataError: Parent side NSEC %s, can't use for child qname %##s (%s)",
+ CRDisplayString(m, *closestEncloser), name->c, DNSTypeName(qtype));
+ return mDNSfalse;
+ }
+ }
+ else
+ {
+ if (soa)
+ {
+ LogDNSSEC("NSEC3NoDataError: Child side NSEC %s, can't use for parent qname %##s (%s)",
+ CRDisplayString(m, *closestEncloser), name->c, DNSTypeName(qtype));
+ return mDNSfalse;
+ }
+ }
+ LogDNSSEC("NSEC3NoDataError: Name -%##s- exists, but qtype %s does not exist in %s", name->c, DNSTypeName(qtype), CRDisplayString(m, *closestEncloser));
+ return mDNStrue;
+ }
+ return mDNSfalse;
+}
+
+mDNSexport void NSEC3NoDataProof(mDNS *const m, DNSSECVerifier *dv, CacheRecord *ncr)
+{
+ CacheRecord *closerEncloser = mDNSNULL;
+ CacheRecord *closestEncloser = mDNSNULL;
+ CacheRecord *wildcard = mDNSNULL;
+ const domainname *ce = mDNSNULL;
+ domainname wild;
+
+ // Section 8.5, 8.6 of RFC 5155
+ if (NSEC3NoDataError(m, ncr, &dv->q.qname, dv->q.qtype, &closestEncloser))
+ {
+ goto verify;
+ }
+ // Section 8.6, 8.7: if we can't find the NSEC3 RR, verify the closest encloser proof
+ // for QNAME and the "next closer" should have the opt out
+ if (!NSEC3ClosestEncloserProof(m, ncr, &dv->q.qname, &closestEncloser, &closerEncloser, &ce, dv->q.qtype))
+ {
+ goto error;
+ }
+
+ // Section 8.7: find a matching NSEC3 for *.closestEncloser
+ wild.c[0] = 1;
+ wild.c[1] = '*';
+ wild.c[2] = 0;
+ if (!AppendDomainName(&wild, ce))
+ {
+ LogMsg("NSEC3NameErrorProof: Can't append domainname to closest encloser name %##s", ce->c);
+ goto error;
+ }
+ if (!NSEC3Find(m, NSEC3ClosestEncloser, ncr, &wild, &wildcard, mDNSNULL, &ce, dv->q.qtype))
+ {
+ // Not a wild card case. Section 8.6 second para applies.
+ LogDNSSEC("NSEC3NoDataProof: Cannot find encloser for wildcard, perhaps not a wildcard case");
+ if (!NSEC3OptOut(closerEncloser))
+ {
+ LogDNSSEC("NSEC3DataProof: opt out not set for %##s (%s), bogus", dv->q.qname.c, DNSTypeName(dv->q.qtype));
+ goto error;
+ }
+ LogDNSSEC("NSEC3DataProof: opt out set, proof complete for %##s (%s)", dv->q.qname.c, DNSTypeName(dv->q.qtype));
+ dv->flags |= NSEC3_OPT_OUT;
+ }
+ else
+ {
+ int bmaplen;
+ mDNSu8 *bmap;
+ NSEC3Parse(&wildcard->resrec, mDNSNULL, mDNSNULL, mDNSNULL, &bmaplen, &bmap);
+ if (BitmapTypeCheck(bmap, bmaplen, dv->q.qtype) || BitmapTypeCheck(bmap, bmaplen, kDNSType_CNAME))
+ {
+ LogDNSSEC("NSEC3NoDataProof: qtype %s exists in %s", DNSTypeName(dv->q.qtype), CRDisplayString(m, wildcard));
+ goto error;
+ }
+ if (dv->q.qtype == kDNSType_DS && BitmapTypeCheck(bmap, bmaplen, kDNSType_SOA))
+ {
+ LogDNSSEC("NSEC3NoDataProof: Child side wildcard NSEC3 %s, can't use for parent qname %##s (%s)",
+ CRDisplayString(m, wildcard), dv->q.qname.c, DNSTypeName(dv->q.qtype));
+ goto error;
+ }
+ else if (dv->q.qtype != kDNSType_DS && !BitmapTypeCheck(bmap, bmaplen, kDNSType_SOA) &&
+ BitmapTypeCheck(bmap, bmaplen, kDNSType_NS))
+ {
+ // Don't use the parent side record for this
+ LogDNSSEC("NSEC3NoDataProof: Parent side wildcard NSEC3 %s, can't use for child qname %##s (%s)",
+ CRDisplayString(m, wildcard), dv->q.qname.c, DNSTypeName(dv->q.qtype));
+ goto error;
+ }
+ LogDNSSEC("NSEC3NoDataProof: Wildcard %##s matched by %s", wild.c, CRDisplayString(m, wildcard));
+ }
+verify:
+
+ if (!VerifyNSEC3(m, dv, ncr, closestEncloser, closerEncloser, wildcard, NoDataNSECCallback))
+ goto error;
+ else
+ return;
+error:
+ dv->DVCallback(m, dv, DNSSEC_Bogus);
+}
+
+mDNSexport mDNSBool NSEC3WildcardAnswerProof(mDNS *const m, CacheRecord *ncr, DNSSECVerifier *dv)
+{
+ int skip;
+ const domainname *nc;
+ CacheRecord *closerEncloser;
+
+ (void) m;
+
+ // Find the next closer name and prove that it is covered by the NSEC3
+ skip = CountLabels(&dv->origName) - CountLabels(dv->wildcardName) - 1;
+ if (skip)
+ nc = SkipLeadingLabels(&dv->origName, skip);
+ else
+ nc = &dv->origName;
+
+ LogDNSSEC("NSEC3WildcardAnswerProof: wildcard name %##s", nc->c);
+
+ if (!NSEC3Find(m, NSEC3Covers, ncr, (domainname *)nc, mDNSNULL, &closerEncloser, mDNSNULL, dv->q.qtype))
+ {
+ LogMsg("NSEC3WildcardAnswerProof: Cannot find closer encloser");
+ return mDNSfalse;
+ }
+ if (!closerEncloser)
+ {
+ LogMsg("NSEC3WildcardAnswerProof: closerEncloser NULL");
+ return mDNSfalse;
+ }
+ if (NSEC3OptOut(closerEncloser))
+ {
+ dv->flags |= NSEC3_OPT_OUT;
+ }
+ // NSEC3 Verification is done by the caller
+ return mDNStrue;
+}
+
+mDNSexport CacheRecord *NSEC3RecordIsDelegation(mDNS *const m, domainname *name, mDNSu16 qtype)
+{
+ CacheGroup *cg;
+ CacheRecord *cr;
+ CacheRecord *ncr;
+ mDNSu32 slot, namehash;
+
+ slot = HashSlot(name);
+ namehash = DomainNameHashValue(name);
+
+ cg = CacheGroupForName(m, (const mDNSu32)slot, namehash, name);
+ if (!cg)
+ {
+ LogDNSSEC("NSEC3RecordForName: cg NULL for %##s", name);
+ return mDNSNULL;
+ }
+ for (ncr = cg->members; ncr; ncr = ncr->next)
+ {
+ if (ncr->resrec.RecordType != kDNSRecordTypePacketNegative ||
+ ncr->resrec.rrtype != qtype)
+ {
+ continue;
+ }
+ for (cr = ncr->nsec; cr; cr = cr->next)
+ {
+ int hlen, b32len;
+ const mDNSu8 hashName[NSEC3_MAX_HASH_LEN];
+ const mDNSu8 b32Name[NSEC3_MAX_B32_LEN+1];
+ const RDataBody2 *const rdb = (RDataBody2 *)cr->resrec.rdata->u.data;
+ rdataNSEC3 *nsec3;
+
+ if (cr->resrec.rrtype != kDNSType_NSEC3)
+ continue;
+
+ nsec3 = (rdataNSEC3 *)rdb->data;
+
+ if (!NSEC3HashName(name, nsec3, mDNSNULL, 0, hashName, &hlen))
+ {
+ LogMsg("NSEC3RecordIsDelegation: NSEC3HashName failed for ##s", name->c);
+ return mDNSNULL;
+ }
+
+ b32len = baseEncode((char *)b32Name, sizeof(b32Name), (mDNSu8 *)hashName, hlen, ENC_BASE32);
+ if (!b32len)
+ {
+ LogMsg("NSEC3RecordIsDelegation: baseEncode of name %##s failed", name->c);
+ return mDNSNULL;
+ }
+ // Section 2.3 of RFC 4035 states that:
+ //
+ // Each owner name in the zone that has authoritative data or a delegation point NS RRset MUST
+ // have an NSEC resource record.
+ //
+ // This applies to NSEC3 record. So, if we have an NSEC3 record matching the question name with the
+ // NS bit set, then this is a delegation.
+ //
+ if (!NSEC3SameName(&cr->resrec.name->c[1], cr->resrec.name->c[0], (const mDNSu8 *)b32Name, b32len))
+ {
+ int bmaplen;
+ mDNSu8 *bmap;
+
+ LogDNSSEC("NSEC3RecordIsDelegation: CacheRecord %s matches name %##s, b32name %s", CRDisplayString(m, cr), name->c, b32Name);
+ NSEC3Parse(&cr->resrec, mDNSNULL, mDNSNULL, mDNSNULL, &bmaplen, &bmap);
+
+ // See the Insecure Delegation Proof section in dnssec-bis: DS bit and SOA bit
+ // should be absent
+ if (BitmapTypeCheck(bmap, bmaplen, kDNSType_SOA) ||
+ BitmapTypeCheck(bmap, bmaplen, kDNSType_DS))
+ {
+ LogDNSSEC("NSEC3RecordIsDelegation: CacheRecord %s has DS or SOA bit set, ignoring", CRDisplayString(m, cr));
+ return mDNSNULL;
+ }
+ if (BitmapTypeCheck(bmap, bmaplen, kDNSType_NS))
+ return cr;
+ else
+ return mDNSNULL;
+ }
+ // If opt-out is not set, then it does not cover any delegations
+ if (!(nsec3->flags & NSEC3_FLAGS_OPTOUT))
+ continue;
+ // Opt-out allows insecure delegations to exist without the NSEC3 RR at the
+ // hashed owner name (see RFC 5155 section 6.0).
+ if (NSEC3CoversName(m, cr, hashName, hlen, b32Name, b32len))
+ {
+ LogDNSSEC("NSEC3RecordIsDelegation: CacheRecord %s covers name %##s with optout", CRDisplayString(m, cr), name->c);
+ return cr;
+ }
+ }
+ }
+ return mDNSNULL;
+}
+
+#else // !DNSSEC_DISABLED
+
+#endif // !DNSSEC_DISABLED
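Review bot: In NSEC3Find's NSEC3CEProof loop the "flag" (`*closerEncloser`) is set when a covering NSEC3 is found and is never cleared afterwards, although step 2.1 of the RFC 5155 section 8.3 text quoted in the comments says to clear it when SNAME is not matched. As written, a cover found for a longer name survives across intermediate names that have no NSEC3 at all, so the function can return mDNStrue for a closest encloser whose next closer name was never shown to be absent. The `!(*closerEncloser)` guard on the covering test also keeps the first cover rather than the most recent one. I would track the cover per SNAME and pair a match only with the cover from the immediately preceding iteration, as sketched below. Separately, every NSEC3Parse call in this file discards its result before using nxtName/nxtLength or bmap/bmaplen, which come from response data; if NSEC3Parse can report failure (its definition is outside this hunk), those calls should be checked the way NSEC3HashName is.

```c
    for (i = 0; i < labelCount + 1; i++)
    {
        // ... unchanged: hlen, hashName, name, b32Name, b32len declarations ...
        CacheRecord *prevCover = mDNSNULL;

        if (val == NSEC3CEProof)
        {
            // 2.1: the flag describes only the SNAME tried just before this one
            prevCover = *closerEncloser;
            *closerEncloser = mDNSNULL;
        }

        // ... unchanged: hash and base32-encode SNAME, scan ncr->nsec for a match or a cover ...

        if (val == NSEC3CEProof)
        {
            // A match is paired only with the cover of the name one label longer
            if (*closestEncloser)
                *closerEncloser = prevCover;
            // ... unchanged: steps 2.3 and 2.4 ...
        }
        // ... unchanged: step 3 and the end of the loop ...
```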
diff --git a/mDNSResponder/mDNSCore/nsec3.h b/mDNSResponder/mDNSCore/nsec3.h
new file mode 100644
index 00000000..ce3b85a3
--- /dev/null
+++ b/mDNSResponder/mDNSCore/nsec3.h
@@ -0,0 +1,28 @@
+/* -*- Mode: C; tab-width: 4 -*-
+ *
+ * Copyright (c) 2011 Apple Computer, Inc. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef __NSEC3_H
+#define __NSEC3_H
+
+#include "dnssec.h"
+
+extern mDNSBool NSEC3WildcardAnswerProof(mDNS *const m, CacheRecord *ncr, DNSSECVerifier *dv);
+extern void NSEC3NameErrorProof(mDNS *const m, DNSSECVerifier *dv, CacheRecord *ncr);
+extern void NSEC3NoDataProof(mDNS *const m, DNSSECVerifier *dv, CacheRecord *ncr);
+extern CacheRecord *NSEC3RecordIsDelegation(mDNS *const m, domainname *name, mDNSu16 qtype);
+
+#endif // __NSEC3_H
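Review bot: The four prototypes carry no comments, yet their contracts differ in a way a caller has to know. Per nsec3.c in this commit, NSEC3NameErrorProof and NSEC3NoDataProof report failure by invoking `dv->DVCallback(m, dv, DNSSEC_Bogus)`, while NSEC3WildcardAnswerProof only locates the covering NSEC3 and returns mDNSBool, leaving verification of that record to the caller. I would state this above the declarations, for example `// Returns mDNStrue if an NSEC3 covers the next closer name; the caller must still verify that NSEC3.` on NSEC3WildcardAnswerProof and `// Starts NSEC3 verification; on failure calls dv->DVCallback with DNSSEC_Bogus.` on the two void functions. It is also worth noting there that all three may set NSEC3_OPT_OUT in `dv->flags`.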
diff --git a/mDNSResponder/mDNSCore/uDNS.c b/mDNSResponder/mDNSCore/uDNS.c
new file mode 100755
index 00000000..be7a5a32
--- /dev/null
+++ b/mDNSResponder/mDNSCore/uDNS.c
@@ -0,0 +1,5995 @@
+/* -*- Mode: C; tab-width: 4 -*-
+ *
+ * Copyright (c) 2002-2013 Apple Computer, Inc. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+
+ * To Do:
+ * Elimate all mDNSPlatformMemAllocate/mDNSPlatformMemFree from this code -- the core code
+ * is supposed to be malloc-free so that it runs in constant memory determined at compile-time.
+ * Any dynamic run-time requirements should be handled by the platform layer below or client layer above
+ */
+
+#if APPLE_OSX_mDNSResponder
+#include <TargetConditionals.h>
+#endif
+#include "uDNS.h"
+
+#if (defined(_MSC_VER))
+// Disable "assignment within conditional expression".
+// Other compilers understand the convention that if you place the assignment expression within an extra pair
+// of parentheses, this signals to the compiler that you really intended an assignment and no warning is necessary.
+// The Microsoft compiler doesn't understand this convention, so in the absense of any other way to signal
+// to the compiler that the assignment is intentional, we have to just turn this warning off completely.
+ #pragma warning(disable:4706)
+#endif
+
+// For domain enumeration and automatic browsing
+// This is the user's DNS search list.
+// In each of these domains we search for our special pointer records (lb._dns-sd._udp.<domain>, etc.)
+// to discover recommended domains for domain enumeration (browse, default browse, registration,
+// default registration) and possibly one or more recommended automatic browsing domains.
+mDNSexport SearchListElem *SearchList = mDNSNULL;
+
+// The value can be set to true by the Platform code e.g., MacOSX uses the plist mechanism
+mDNSBool StrictUnicastOrdering = mDNSfalse;
+
+// We keep track of the number of unicast DNS servers and log a message when we exceed 64.
+// Currently the unicast queries maintain a 64 bit map to track the valid DNS servers for that
+// question. Bit position is the index into the DNS server list. This is done so to try all
+// the servers exactly once before giving up. If we could allocate memory in the core, then
+// arbitrary limitation of 64 DNSServers can be removed.
+mDNSu8 NumUnicastDNSServers = 0;
+#define MAX_UNICAST_DNS_SERVERS 64
+
+#define SetNextuDNSEvent(m, rr) { \
+ if ((m)->NextuDNSEvent - ((rr)->LastAPTime + (rr)->ThisAPInterval) >= 0) \
+ (m)->NextuDNSEvent = ((rr)->LastAPTime + (rr)->ThisAPInterval); \
+}
+
+#ifndef UNICAST_DISABLED
+
+// ***************************************************************************
+#if COMPILER_LIKES_PRAGMA_MARK
+#pragma mark - General Utility Functions
+#endif
+
+// set retry timestamp for record with exponential backoff
+mDNSlocal void SetRecordRetry(mDNS *const m, AuthRecord *rr, mDNSu32 random)
+{
+ rr->LastAPTime = m->timenow;
+
+ if (rr->expire && rr->refreshCount < MAX_UPDATE_REFRESH_COUNT)
+ {
+ mDNSs32 remaining = rr->expire - m->timenow;
+ rr->refreshCount++;
+ if (remaining > MIN_UPDATE_REFRESH_TIME)
+ {
+ // Refresh at 70% + random (currently it is 0 to 10%)
+ rr->ThisAPInterval = 7 * (remaining/10) + (random ? random : mDNSRandom(remaining/10));
+ // Don't update more often than 5 minutes
+ if (rr->ThisAPInterval < MIN_UPDATE_REFRESH_TIME)
+ rr->ThisAPInterval = MIN_UPDATE_REFRESH_TIME;
+ LogInfo("SetRecordRetry refresh in %d of %d for %s",
+ rr->ThisAPInterval/mDNSPlatformOneSecond, (rr->expire - m->timenow)/mDNSPlatformOneSecond, ARDisplayString(m, rr));
+ }
+ else
+ {
+ rr->ThisAPInterval = MIN_UPDATE_REFRESH_TIME;
+ LogInfo("SetRecordRetry clamping to min refresh in %d of %d for %s",
+ rr->ThisAPInterval/mDNSPlatformOneSecond, (rr->expire - m->timenow)/mDNSPlatformOneSecond, ARDisplayString(m, rr));
+ }
+ return;
+ }
+
+ rr->expire = 0;
+
+ rr->ThisAPInterval = rr->ThisAPInterval * QuestionIntervalStep; // Same Retry logic as Unicast Queries
+ if (rr->ThisAPInterval < INIT_RECORD_REG_INTERVAL)
+ rr->ThisAPInterval = INIT_RECORD_REG_INTERVAL;
+ if (rr->ThisAPInterval > MAX_RECORD_REG_INTERVAL)
+ rr->ThisAPInterval = MAX_RECORD_REG_INTERVAL;
+
+ LogInfo("SetRecordRetry retry in %d ms for %s", rr->ThisAPInterval, ARDisplayString(m, rr));
+}
+
+// ***************************************************************************
+#if COMPILER_LIKES_PRAGMA_MARK
+#pragma mark - Name Server List Management
+#endif
+
+mDNSexport DNSServer *mDNS_AddDNSServer(mDNS *const m, const domainname *d, const mDNSInterfaceID interface, const mDNSs32 serviceID, const mDNSAddr *addr,
+ const mDNSIPPort port, mDNSu32 scoped, mDNSu32 timeout, mDNSBool cellIntf, mDNSu16 resGroupID, mDNSBool reqA,
+ mDNSBool reqAAAA, mDNSBool reqDO)
+{
+ DNSServer **p = &m->DNSServers;
+ DNSServer *tmp = mDNSNULL;
+
+ if ((NumUnicastDNSServers + 1) > MAX_UNICAST_DNS_SERVERS)
+ {
+ LogMsg("mDNS_AddDNSServer: DNS server limit of %d reached, not adding this server", MAX_UNICAST_DNS_SERVERS);
+ return mDNSNULL;
+ }
+
+ if (!d)
+ d = (const domainname *)"";
+
+ LogInfo("mDNS_AddDNSServer(%d): Adding %#a for %##s, InterfaceID %p, serviceID %u, scoped %d, resGroupID %d req_A is %s req_AAAA is %s cell %s req_DO is %s",
+ NumUnicastDNSServers, addr, d->c, interface, serviceID, scoped, resGroupID, reqA ? "True" : "False", reqAAAA ? "True" : "False",
+ cellIntf ? "True" : "False", reqDO ? "True" : "False");
+
+ mDNS_CheckLock(m);
+
+ while (*p) // Check if we already have this {interface,address,port,domain} tuple registered + reqA/reqAAAA bits
+ {
+ if ((*p)->scoped == scoped && (*p)->interface == interface && (*p)->serviceID == serviceID && (*p)->teststate != DNSServer_Disabled &&
+ mDNSSameAddress(&(*p)->addr, addr) && mDNSSameIPPort((*p)->port, port) && SameDomainName(&(*p)->domain, d) &&
+ (*p)->req_A == reqA && (*p)->req_AAAA == reqAAAA)
+ {
+ if (!((*p)->flags & DNSServer_FlagDelete))
+ debugf("Note: DNS Server %#a:%d for domain %##s (%p) registered more than once", addr, mDNSVal16(port), d->c, interface);
+ tmp = *p;
+ *p = tmp->next;
+ tmp->next = mDNSNULL;
+ }
+ else
+ {
+ p=&(*p)->next;
+ }
+ }
+
+ // NumUnicastDNSServers is the count of active DNS servers i.e., ones that are not marked
+ // with DNSServer_FlagDelete. We should increment it:
+ //
+ // 1) When we add a new DNS server
+ // 2) When we resurrect a old DNS server that is marked with DNSServer_FlagDelete
+ //
+ // Don't increment when we resurrect a DNS server that is not marked with DNSServer_FlagDelete.
+ // We have already accounted for it when it was added for the first time. This case happens when
+ // we add DNS servers with the same address multiple times (mis-configuration).
+
+ if (!tmp || (tmp->flags & DNSServer_FlagDelete))
+ NumUnicastDNSServers++;
+
+
+ if (tmp)
+ {
+ tmp->flags &= ~DNSServer_FlagDelete;
+ *p = tmp; // move to end of list, to ensure ordering from platform layer
+ }
+ else
+ {
+ // allocate, add to list
+ *p = mDNSPlatformMemAllocate(sizeof(**p));
+ if (!*p)
+ {
+ LogMsg("Error: mDNS_AddDNSServer - malloc");
+ }
+ else
+ {
+ (*p)->scoped = scoped;
+ (*p)->interface = interface;
+ (*p)->serviceID = serviceID;
+ (*p)->addr = *addr;
+ (*p)->port = port;
+ (*p)->flags = DNSServer_FlagNew;
+ (*p)->teststate = /* DNSServer_Untested */ DNSServer_Passed;
+ (*p)->lasttest = m->timenow - INIT_UCAST_POLL_INTERVAL;
+ (*p)->timeout = timeout;
+ (*p)->cellIntf = cellIntf;
+ (*p)->req_A = reqA;
+ (*p)->req_AAAA = reqAAAA;
+ (*p)->req_DO = reqDO;
+ // We start off assuming that the DNS server is not DNSSEC aware and
+ // when we receive the first response to a DNSSEC question, we set
+ // it to true.
+ (*p)->DNSSECAware = mDNSfalse;
+ (*p)->retransDO = 0;
+ AssignDomainName(&(*p)->domain, d);
+ (*p)->next = mDNSNULL;
+ }
+ }
+ (*p)->penaltyTime = 0;
+ // We always update the ID (not just when we allocate a new instance) because we could
+ // be adding a new non-scoped resolver with a new ID and we want all the non-scoped
+ // resolvers belong to the same group.
+ (*p)->resGroupID = resGroupID;
+ return(*p);
+}
+
+// PenalizeDNSServer is called when the number of queries to the unicast
+// DNS server exceeds MAX_UCAST_UNANSWERED_QUERIES or when we receive an
+// error e.g., SERV_FAIL from DNS server.
+mDNSexport void PenalizeDNSServer(mDNS *const m, DNSQuestion *q, mDNSOpaque16 responseFlags)
+{
+ DNSServer *new;
+ DNSServer *orig = q->qDNSServer;
+
+ mDNS_CheckLock(m);
+
+ LogInfo("PenalizeDNSServer: Penalizing DNS server %#a question for question %p %##s (%s) SuppressUnusable %d",
+ (q->qDNSServer ? &q->qDNSServer->addr : mDNSNULL), q, q->qname.c, DNSTypeName(q->qtype), q->SuppressUnusable);
+
+ // If we get error from any DNS server, remember the error. If all of the servers,
+ // return the error, then return the first error.
+ if (mDNSOpaque16IsZero(q->responseFlags))
+ q->responseFlags = responseFlags;
+
+ // After we reset the qDNSServer to NULL, we could get more SERV_FAILS that might end up
+ // peanlizing again.
+ if (!q->qDNSServer) goto end;
+
+ // If strict ordering of unicast servers needs to be preserved, we just lookup
+ // the next best match server below
+ //
+ // If strict ordering is not required which is the default behavior, we penalize the server
+ // for DNSSERVER_PENALTY_TIME. We may also use additional logic e.g., don't penalize for PTR
+ // in the future.
+
+ if (!StrictUnicastOrdering)
+ {
+ LogInfo("PenalizeDNSServer: Strict Unicast Ordering is FALSE");
+ // We penalize the server so that new queries don't pick this server for DNSSERVER_PENALTY_TIME
+ // XXX Include other logic here to see if this server should really be penalized
+ //
+ if (q->qtype == kDNSType_PTR)
+ {
+ LogInfo("PenalizeDNSServer: Not Penalizing PTR question");
+ }
+ else
+ {
+ LogInfo("PenalizeDNSServer: Penalizing question type %d", q->qtype);
+ q->qDNSServer->penaltyTime = NonZeroTime(m->timenow + DNSSERVER_PENALTY_TIME);
+ }
+ }
+ else
+ {
+ LogInfo("PenalizeDNSServer: Strict Unicast Ordering is TRUE");
+ }
+
+end:
+ new = GetServerForQuestion(m, q);
+
+ if (new == orig)
+ {
+ if (new)
+ {
+ LogMsg("PenalizeDNSServer: ERROR!! GetServerForQuestion returned the same server %#a:%d", &new->addr,
+ mDNSVal16(new->port));
+ q->ThisQInterval = 0; // Inactivate this question so that we dont bombard the network
+ }
+ else
+ {
+ // When we have no more DNS servers, we might end up calling PenalizeDNSServer multiple
+ // times when we receive SERVFAIL from delayed packets in the network e.g., DNS server
+ // is slow in responding and we have sent three queries. When we repeatedly call, it is
+ // okay to receive the same NULL DNS server. Next time we try to send the query, we will
+ // realize and re-initialize the DNS servers.
+ LogInfo("PenalizeDNSServer: GetServerForQuestion returned the same server NULL");
+ }
+ }
+ else
+ {
+ // The new DNSServer is set in DNSServerChangeForQuestion
+ DNSServerChangeForQuestion(m, q, new);
+
+ if (new)
+ {
+ LogInfo("PenalizeDNSServer: Server for %##s (%s) changed to %#a:%d (%##s)",
+ q->qname.c, DNSTypeName(q->qtype), &q->qDNSServer->addr, mDNSVal16(q->qDNSServer->port), q->qDNSServer->domain.c);
+ // We want to try the next server immediately. As the question may already have backed off, reset
+ // the interval. We do this only the first time when we try all the DNS servers. Once we reached the end of
+ // list and retrying all the servers again e.g., at least one server failed to respond in the previous try, we
+ // use the normal backoff which is done in uDNS_CheckCurrentQuestion when we send the packet out.
+ if (!q->triedAllServersOnce)
+ {
+ q->ThisQInterval = InitialQuestionInterval;
+ q->LastQTime = m->timenow - q->ThisQInterval;
+ SetNextQueryTime(m, q);
+ }
+ }
+ else
+ {
+ // We don't have any more DNS servers for this question. If some server in the list did not return
+ // any response, we need to keep retrying till we get a response. uDNS_CheckCurrentQuestion handles
+ // this case.
+ //
+ // If all servers responded with a negative response, We need to do two things. First, generate a
+ // negative response so that applications get a reply. We also need to reinitialize the DNS servers
+ // so that when the cache expires, we can restart the query. We defer this up until we generate
+ // a negative cache response in uDNS_CheckCurrentQuestion.
+ //
+ // Be careful not to touch the ThisQInterval here. For a normal question, when we answer the question
+ // in AnswerCurrentQuestionWithResourceRecord will set ThisQInterval to MaxQuestionInterval and hence
+ // the next query will not happen until cache expiry. If it is a long lived question,
+ // AnswerCurrentQuestionWithResourceRecord will not set it to MaxQuestionInterval. In that case,
+ // we want the normal backoff to work.
+ LogInfo("PenalizeDNSServer: Server for %p, %##s (%s) changed to NULL, Interval %d", q, q->qname.c, DNSTypeName(q->qtype), q->ThisQInterval);
+ }
+ q->unansweredQueries = 0;
+
+ }
+}
+
+// ***************************************************************************
+#if COMPILER_LIKES_PRAGMA_MARK
+#pragma mark - authorization management
+#endif
+
+mDNSlocal DomainAuthInfo *GetAuthInfoForName_direct(mDNS *m, const domainname *const name)
+{
+ const domainname *n = name;
+ while (n->c[0])
+ {
+ DomainAuthInfo *ptr;
+ for (ptr = m->AuthInfoList; ptr; ptr = ptr->next)
+ if (SameDomainName(&ptr->domain, n))
+ {
+ debugf("GetAuthInfoForName %##s Matched %##s Key name %##s", name->c, ptr->domain.c, ptr->keyname.c);
+ return(ptr);
+ }
+ n = (const domainname *)(n->c + 1 + n->c[0]);
+ }
+ //LogInfo("GetAuthInfoForName none found for %##s", name->c);
+ return mDNSNULL;
+}
+
+// MUST be called with lock held
+mDNSexport DomainAuthInfo *GetAuthInfoForName_internal(mDNS *m, const domainname *const name)
+{
+ DomainAuthInfo **p = &m->AuthInfoList;
+
+ mDNS_CheckLock(m);
+
+ // First purge any dead keys from the list
+ while (*p)
+ {
+ if ((*p)->deltime && m->timenow - (*p)->deltime >= 0 && AutoTunnelUnregistered(*p))
+ {
+ DNSQuestion *q;
+ DomainAuthInfo *info = *p;
+ LogInfo("GetAuthInfoForName_internal deleting expired key %##s %##s", info->domain.c, info->keyname.c);
+ *p = info->next; // Cut DomainAuthInfo from list *before* scanning our question list updating AuthInfo pointers
+ for (q = m->Questions; q; q=q->next)
+ if (q->AuthInfo == info)
+ {
+ q->AuthInfo = GetAuthInfoForName_direct(m, &q->qname);
+ debugf("GetAuthInfoForName_internal updated q->AuthInfo from %##s to %##s for %##s (%s)",
+ info->domain.c, q->AuthInfo ? q->AuthInfo->domain.c : mDNSNULL, q->qname.c, DNSTypeName(q->qtype));
+ }
+
+ // Probably not essential, but just to be safe, zero out the secret key data
+ // so we don't leave it hanging around in memory
+ // (where it could potentially get exposed via some other bug)
+ mDNSPlatformMemZero(info, sizeof(*info));
+ mDNSPlatformMemFree(info);
+ }
+ else
+ p = &(*p)->next;
+ }
+
+ return(GetAuthInfoForName_direct(m, name));
+}
+
+mDNSexport DomainAuthInfo *GetAuthInfoForName(mDNS *m, const domainname *const name)
+{
+ DomainAuthInfo *d;
+ mDNS_Lock(m);
+ d = GetAuthInfoForName_internal(m, name);
+ mDNS_Unlock(m);
+ return(d);
+}
+
+// MUST be called with the lock held
+mDNSexport mStatus mDNS_SetSecretForDomain(mDNS *m, DomainAuthInfo *info,
+ const domainname *domain, const domainname *keyname, const char *b64keydata, const domainname *hostname, mDNSIPPort *port, mDNSBool autoTunnel)
+{
+ DNSQuestion *q;
+ DomainAuthInfo **p = &m->AuthInfoList;
+ if (!info || !b64keydata) { LogMsg("mDNS_SetSecretForDomain: ERROR: info %p b64keydata %p", info, b64keydata); return(mStatus_BadParamErr); }
+
+ LogInfo("mDNS_SetSecretForDomain: domain %##s key %##s%s", domain->c, keyname->c, autoTunnel ? " AutoTunnel" : "");
+
+ info->AutoTunnel = autoTunnel;
+ AssignDomainName(&info->domain, domain);
+ AssignDomainName(&info->keyname, keyname);
+ if (hostname)
+ AssignDomainName(&info->hostname, hostname);
+ else
+ info->hostname.c[0] = 0;
+ if (port)
+ info->port = *port;
+ else
+ info->port = zeroIPPort;
+ mDNS_snprintf(info->b64keydata, sizeof(info->b64keydata), "%s", b64keydata);
+
+ if (DNSDigest_ConstructHMACKeyfromBase64(info, b64keydata) < 0)
+ {
+ LogMsg("mDNS_SetSecretForDomain: ERROR: Could not convert shared secret from base64: domain %##s key %##s %s", domain->c, keyname->c, mDNS_LoggingEnabled ? b64keydata : "");
+ return(mStatus_BadParamErr);
+ }
+
+ // Don't clear deltime until after we've ascertained that b64keydata is valid
+ info->deltime = 0;
+
+ while (*p && (*p) != info) p=&(*p)->next;
+ if (*p) {LogInfo("mDNS_SetSecretForDomain: Domain %##s Already in list", (*p)->domain.c); return(mStatus_AlreadyRegistered);}
+
+ // Caution: Only zero AutoTunnelHostRecord.namestorage AFTER we've determined that this is a NEW DomainAuthInfo
+ // being added to the list. Otherwise we risk smashing our AutoTunnel host records that are already active and in use.
+ info->AutoTunnelHostRecord.resrec.RecordType = kDNSRecordTypeUnregistered;
+ info->AutoTunnelHostRecord.namestorage.c[0] = 0;
+ info->AutoTunnelTarget.resrec.RecordType = kDNSRecordTypeUnregistered;
+ info->AutoTunnelDeviceInfo.resrec.RecordType = kDNSRecordTypeUnregistered;
+ info->AutoTunnelService.resrec.RecordType = kDNSRecordTypeUnregistered;
+ info->AutoTunnel6Record.resrec.RecordType = kDNSRecordTypeUnregistered;
+ info->AutoTunnelServiceStarted = mDNSfalse;
+ info->AutoTunnelInnerAddress = zerov6Addr;
+ info->next = mDNSNULL;
+ *p = info;
+
+ // Check to see if adding this new DomainAuthInfo has changed the credentials for any of our questions
+ for (q = m->Questions; q; q=q->next)
+ {
+ DomainAuthInfo *newinfo = GetAuthInfoForQuestion(m, q);
+ if (q->AuthInfo != newinfo)
+ {
+ debugf("mDNS_SetSecretForDomain updating q->AuthInfo from %##s to %##s for %##s (%s)",
+ q->AuthInfo ? q->AuthInfo->domain.c : mDNSNULL,
+ newinfo ? newinfo->domain.c : mDNSNULL, q->qname.c, DNSTypeName(q->qtype));
+ q->AuthInfo = newinfo;
+ }
+ }
+
+ return(mStatus_NoError);
+}
+
+// ***************************************************************************
+#if COMPILER_LIKES_PRAGMA_MARK
+#pragma mark -
+#pragma mark - NAT Traversal
+#endif
+
+// Keep track of when to request/refresh the external address using NAT-PMP or UPnP/IGD,
+// and do so when necessary
+mDNSlocal mStatus uDNS_RequestAddress(mDNS *m)
+{
+ mStatus err = mStatus_NoError;
+
+ if (!m->NATTraversals)
+ {
+ m->retryGetAddr = NonZeroTime(m->timenow + 0x78000000);
+ LogInfo("uDNS_RequestAddress: Setting retryGetAddr to future");
+ }
+ else if (m->timenow - m->retryGetAddr >= 0)
+ {
+ if (mDNSv4AddrIsRFC1918(&m->Router.ip.v4))
+ {
+ static NATAddrRequest req = {NATMAP_VERS, NATOp_AddrRequest};
+ static mDNSu8* start = (mDNSu8*)&req;
+ mDNSu8* end = start + sizeof(NATAddrRequest);
+ err = mDNSPlatformSendUDP(m, start, end, 0, mDNSNULL, &m->Router, NATPMPPort, mDNSfalse);
+ debugf("uDNS_RequestAddress: Sent NAT-PMP external address request %d", err);
+
+#ifdef _LEGACY_NAT_TRAVERSAL_
+ if (mDNSIPPortIsZero(m->UPnPRouterPort) || mDNSIPPortIsZero(m->UPnPSOAPPort))
+ {
+ LNT_SendDiscoveryMsg(m);
+ debugf("uDNS_RequestAddress: LNT_SendDiscoveryMsg");
+ }
+ else
+ {
+ mStatus lnterr = LNT_GetExternalAddress(m);
+ if (lnterr)
+ LogMsg("uDNS_RequestAddress: LNT_GetExternalAddress returned error %d", lnterr);
+
+ err = err ? err : lnterr; // NAT-PMP error takes precedence
+ }
+#endif // _LEGACY_NAT_TRAVERSAL_
+ }
+
+ // Always update the interval and retry time, so that even if we fail to send the
+ // packet, we won't spin in an infinite loop repeatedly failing to send the packet
+ if (m->retryIntervalGetAddr < NATMAP_INIT_RETRY)
+ {
+ m->retryIntervalGetAddr = NATMAP_INIT_RETRY;
+ }
+ else if (m->retryIntervalGetAddr < NATMAP_MAX_RETRY_INTERVAL / 2)
+ {
+ m->retryIntervalGetAddr *= 2;
+ }
+ else
+ {
+ m->retryIntervalGetAddr = NATMAP_MAX_RETRY_INTERVAL;
+ }
+
+ m->retryGetAddr = NonZeroTime(m->timenow + m->retryIntervalGetAddr);
+ }
+ else
+ {
+ debugf("uDNS_RequestAddress: Not time to send address request");
+ }
+
+ // Always update NextScheduledNATOp, even if we didn't change retryGetAddr, so we'll
+ // be called when we need to send the request(s)
+ if (m->NextScheduledNATOp - m->retryGetAddr > 0)
+ m->NextScheduledNATOp = m->retryGetAddr;
+
+ return err;
+}
+
+mDNSlocal mStatus uDNS_SendNATMsg(mDNS *m, NATTraversalInfo *info, mDNSBool usePCP)
+{
+ mStatus err = mStatus_NoError;
+
+ if (!info)
+ {
+ LogMsg("uDNS_SendNATMsg called unexpectedly with NULL info");
+ return mStatus_BadParamErr;
+ }
+
+ // send msg if the router's address is private (which means it's non-zero)
+ if (mDNSv4AddrIsRFC1918(&m->Router.ip.v4))
+ {
+ if (!usePCP)
+ {
+ if (!info->sentNATPMP)
+ {
+ if (info->Protocol)
+ {
+ static NATPortMapRequest NATPortReq;
+ static const mDNSu8* end = (mDNSu8 *)&NATPortReq + sizeof(NATPortMapRequest);
+ mDNSu8 *p = (mDNSu8 *)&NATPortReq.NATReq_lease;
+
+ NATPortReq.vers = NATMAP_VERS;
+ NATPortReq.opcode = info->Protocol;
+ NATPortReq.unused = zeroID;
+ NATPortReq.intport = info->IntPort;
+ NATPortReq.extport = info->RequestedPort;
+ p[0] = (mDNSu8)((info->NATLease >> 24) & 0xFF);
+ p[1] = (mDNSu8)((info->NATLease >> 16) & 0xFF);
+ p[2] = (mDNSu8)((info->NATLease >> 8) & 0xFF);
+ p[3] = (mDNSu8)( info->NATLease & 0xFF);
+
+ err = mDNSPlatformSendUDP(m, (mDNSu8 *)&NATPortReq, end, 0, mDNSNULL, &m->Router, NATPMPPort, mDNSfalse);
+ debugf("uDNS_SendNATMsg: Sent NAT-PMP mapping request %d", err);
+ }
+
+ // In case the address request already went out for another NAT-T,
+ // set the NewAddress to the currently known global external address, so
+ // Address-only operations will get the callback immediately
+ info->NewAddress = m->ExtAddress;
+
+ // Remember that we just sent a NAT-PMP packet, so we won't resend one later.
+ // We do this because the NAT-PMP "Unsupported Version" response has no
+ // information about the (PCP) request that triggered it, so we must send
+ // NAT-PMP requests for all operations. Without this, we'll send n PCP
+ // requests for n operations, receive n NAT-PMP "Unsupported Version"
+ // responses, and send n NAT-PMP requests for each of those responses,
+ // resulting in (n + n^2) packets sent. We only want to send 2n packets:
+ // n PCP requests followed by n NAT-PMP requests.
+ info->sentNATPMP = mDNStrue;
+ }
+ }
+ else
+ {
+ PCPMapRequest req;
+ mDNSu8* start = (mDNSu8*)&req;
+ mDNSu8* end = start + sizeof(req);
+ mDNSu8* p = (mDNSu8*)&req.lifetime;
+
+ req.version = PCP_VERS;
+ req.opCode = PCPOp_Map;
+ req.reserved = zeroID;
+
+ p[0] = (mDNSu8)((info->NATLease >> 24) & 0xFF);
+ p[1] = (mDNSu8)((info->NATLease >> 16) & 0xFF);
+ p[2] = (mDNSu8)((info->NATLease >> 8) & 0xFF);
+ p[3] = (mDNSu8)( info->NATLease & 0xFF);
+
+ mDNSAddrMapIPv4toIPv6(&m->AdvertisedV4.ip.v4, &req.clientAddr);
+
+ req.nonce[0] = m->PCPNonce[0];
+ req.nonce[1] = m->PCPNonce[1];
+ req.nonce[2] = m->PCPNonce[2];
+
+ req.protocol = (info->Protocol == NATOp_MapUDP ? PCPProto_UDP : PCPProto_TCP);
+
+ req.reservedMapOp[0] = 0;
+ req.reservedMapOp[1] = 0;
+ req.reservedMapOp[2] = 0;
+
+ req.intPort = info->Protocol ? info->IntPort : DiscardPort;
+ req.extPort = info->RequestedPort;
+
+ // Since we only support IPv4, even if using the all-zeros address, map it, so
+ // the PCP gateway will give us an IPv4 address & not an IPv6 address.
+ mDNSAddrMapIPv4toIPv6(&info->NewAddress, &req.extAddress);
+
+ err = mDNSPlatformSendUDP(m, start, end, 0, mDNSNULL, &m->Router, NATPMPPort, mDNSfalse);
+ debugf("uDNS_SendNATMsg: Sent PCP Mapping request %d", err);
+
+ // Unset the sentNATPMP flag, so that we'll send a NAT-PMP packet if we
+ // receive a NAT-PMP "Unsupported Version" packet. This will result in every
+ // renewal, retransmission, etc. being tried first as PCP, then if a NAT-PMP
+ // "Unsupported Version" response is received, fall-back & send the request
+ // using NAT-PMP.
+ info->sentNATPMP = mDNSfalse;
+
+#ifdef _LEGACY_NAT_TRAVERSAL_
+ if (mDNSIPPortIsZero(m->UPnPRouterPort) || mDNSIPPortIsZero(m->UPnPSOAPPort))
+ {
+ LNT_SendDiscoveryMsg(m);
+ debugf("uDNS_SendNATMsg: LNT_SendDiscoveryMsg");
+ }
+ else
+ {
+ mStatus lnterr = LNT_MapPort(m, info);
+ if (lnterr)
+ LogMsg("uDNS_SendNATMsg: LNT_MapPort returned error %d", lnterr);
+
+ err = err ? err : lnterr; // PCP error takes precedence
+ }
+#endif // _LEGACY_NAT_TRAVERSAL_
+ }
+ }
+
+ return(err);
+}
+
+mDNSexport void RecreateNATMappings(mDNS *const m, const mDNSu32 waitTicks)
+{
+ mDNSu32 when = NonZeroTime(m->timenow + waitTicks);
+ NATTraversalInfo *n;
+ for (n = m->NATTraversals; n; n=n->next)
+ {
+ n->ExpiryTime = 0; // Mark this mapping as expired
+ n->retryInterval = NATMAP_INIT_RETRY;
+ n->retryPortMap = when;
+ n->lastSuccessfulProtocol = NATTProtocolNone;
+ if (!n->Protocol) n->NewResult = mStatus_NoError;
+#ifdef _LEGACY_NAT_TRAVERSAL_
+ if (n->tcpInfo.sock) { mDNSPlatformTCPCloseConnection(n->tcpInfo.sock); n->tcpInfo.sock = mDNSNULL; }
+#endif // _LEGACY_NAT_TRAVERSAL_
+ }
+
+ m->PCPNonce[0] = mDNSRandom(-1);
+ m->PCPNonce[1] = mDNSRandom(-1);
+ m->PCPNonce[2] = mDNSRandom(-1);
+ m->retryIntervalGetAddr = 0;
+ m->retryGetAddr = when;
+
+#ifdef _LEGACY_NAT_TRAVERSAL_
+ LNT_ClearState(m);
+#endif // _LEGACY_NAT_TRAVERSAL_
+
+ m->NextScheduledNATOp = m->timenow; // Need to send packets immediately
+}
+
+mDNSexport void natTraversalHandleAddressReply(mDNS *const m, mDNSu16 err, mDNSv4Addr ExtAddr)
+{
+ static mDNSu16 last_err = 0;
+ NATTraversalInfo *n;
+
+ if (err)
+ {
+ if (err != last_err) LogMsg("Error getting external address %d", err);
+ ExtAddr = zerov4Addr;
+ }
+ else
+ {
+ LogInfo("Received external IP address %.4a from NAT", &ExtAddr);
+ if (mDNSv4AddrIsRFC1918(&ExtAddr))
+ LogMsg("Double NAT (external NAT gateway address %.4a is also a private RFC 1918 address)", &ExtAddr);
+ if (mDNSIPv4AddressIsZero(ExtAddr))
+ err = NATErr_NetFail; // fake error to handle routers that pathologically report success with the zero address
+ }
+
+ // Globally remember the most recently discovered address, so it can be used in each
+ // new NATTraversal structure
+ m->ExtAddress = ExtAddr;
+
+ if (!err) // Success, back-off to maximum interval
+ m->retryIntervalGetAddr = NATMAP_MAX_RETRY_INTERVAL;
+ else if (!last_err) // Failure after success, retry quickly (then back-off exponentially)
+ m->retryIntervalGetAddr = NATMAP_INIT_RETRY;
+ // else back-off normally in case of pathological failures
+
+ m->retryGetAddr = m->timenow + m->retryIntervalGetAddr;
+ if (m->NextScheduledNATOp - m->retryGetAddr > 0)
+ m->NextScheduledNATOp = m->retryGetAddr;
+
+ last_err = err;
+
+ for (n = m->NATTraversals; n; n=n->next)
+ {
+ // We should change n->NewAddress only when n is one of:
+ // 1) a mapping operation that most recently succeeded using NAT-PMP or UPnP/IGD,
+ // because such an operation needs the update now. If the lastSuccessfulProtocol
+ // is currently none, then natTraversalHandlePortMapReplyWithAddress() will be
+ // called should NAT-PMP or UPnP/IGD succeed in the future.
+ // 2) an address-only operation that did not succeed via PCP, because when such an
+ // operation succeeds via PCP, it's for the TCP discard port just to learn the
+ // address. And that address may be different than the external address
+ // discovered via NAT-PMP or UPnP/IGD. If the lastSuccessfulProtocol
+ // is currently none, we must update the NewAddress as PCP may not succeed.
+ if (!mDNSSameIPv4Address(n->NewAddress, ExtAddr) &&
+ (n->Protocol ?
+ (n->lastSuccessfulProtocol == NATTProtocolNATPMP || n->lastSuccessfulProtocol == NATTProtocolUPNPIGD) :
+ (n->lastSuccessfulProtocol != NATTProtocolPCP)))
+ {
+ // Needs an update immediately
+ n->NewAddress = ExtAddr;
+ n->ExpiryTime = 0;
+ n->retryInterval = NATMAP_INIT_RETRY;
+ n->retryPortMap = m->timenow;
+#ifdef _LEGACY_NAT_TRAVERSAL_
+ if (n->tcpInfo.sock) { mDNSPlatformTCPCloseConnection(n->tcpInfo.sock); n->tcpInfo.sock = mDNSNULL; }
+#endif // _LEGACY_NAT_TRAVERSAL_
+
+ m->NextScheduledNATOp = m->timenow; // Need to send packets immediately
+ }
+ }
+}
+
+// Both places that call NATSetNextRenewalTime() update m->NextScheduledNATOp correctly afterwards
+mDNSlocal void NATSetNextRenewalTime(mDNS *const m, NATTraversalInfo *n)
+{
+ n->retryInterval = (n->ExpiryTime - m->timenow)/2;
+ if (n->retryInterval < NATMAP_MIN_RETRY_INTERVAL) // Min retry interval is 2 seconds
+ n->retryInterval = NATMAP_MIN_RETRY_INTERVAL;
+ n->retryPortMap = m->timenow + n->retryInterval;
+}
+
+mDNSlocal void natTraversalHandlePortMapReplyWithAddress(mDNS *const m, NATTraversalInfo *n, const mDNSInterfaceID InterfaceID, mDNSu16 err, mDNSv4Addr extaddr, mDNSIPPort extport, mDNSu32 lease, NATTProtocol protocol)
+{
+ const char *prot = n->Protocol == 0 ? "Add" : n->Protocol == NATOp_MapUDP ? "UDP" : n->Protocol == NATOp_MapTCP ? "TCP" : "???";
+ (void)prot;
+ n->NewResult = err;
+ if (err || lease == 0 || mDNSIPPortIsZero(extport))
+ {
+ LogInfo("natTraversalHandlePortMapReplyWithAddress: %p Response %s Port %5d External %.4a:%d lease %d error %d",
+ n, prot, mDNSVal16(n->IntPort), &extaddr, mDNSVal16(extport), lease, err);
+ n->retryInterval = NATMAP_MAX_RETRY_INTERVAL;
+ n->retryPortMap = m->timenow + NATMAP_MAX_RETRY_INTERVAL;
+ // No need to set m->NextScheduledNATOp here, since we're only ever extending the m->retryPortMap time
+ if (err == NATErr_Refused) n->NewResult = mStatus_NATPortMappingDisabled;
+ else if (err > NATErr_None && err <= NATErr_Opcode) n->NewResult = mStatus_NATPortMappingUnsupported;
+ }
+ else
+ {
+ if (lease > 999999999UL / mDNSPlatformOneSecond)
+ lease = 999999999UL / mDNSPlatformOneSecond;
+ n->ExpiryTime = NonZeroTime(m->timenow + lease * mDNSPlatformOneSecond);
+
+ if (!mDNSSameIPv4Address(n->NewAddress, extaddr) || !mDNSSameIPPort(n->RequestedPort, extport))
+ LogInfo("natTraversalHandlePortMapReplyWithAddress: %p %s Response %s Port %5d External %.4a:%d changed to %.4a:%d lease %d",
+ n,
+ (n->lastSuccessfulProtocol == NATTProtocolNone ? "None " :
+ n->lastSuccessfulProtocol == NATTProtocolNATPMP ? "NAT-PMP " :
+ n->lastSuccessfulProtocol == NATTProtocolUPNPIGD ? "UPnP/IGD" :
+ n->lastSuccessfulProtocol == NATTProtocolPCP ? "PCP " :
+ /* else */ "Unknown " ),
+ prot, mDNSVal16(n->IntPort), &n->NewAddress, mDNSVal16(n->RequestedPort),
+ &extaddr, mDNSVal16(extport), lease);
+
+ n->InterfaceID = InterfaceID;
+ n->NewAddress = extaddr;
+ if (n->Protocol) n->RequestedPort = extport; // Don't report the (PCP) external port to address-only operations
+ n->lastSuccessfulProtocol = protocol;
+
+ NATSetNextRenewalTime(m, n); // Got our port mapping; now set timer to renew it at halfway point
+ m->NextScheduledNATOp = m->timenow; // May need to invoke client callback immediately
+ }
+}
+
+// To be called for NAT-PMP or UPnP/IGD mappings, to use currently discovered (global) address
+mDNSexport void natTraversalHandlePortMapReply(mDNS *const m, NATTraversalInfo *n, const mDNSInterfaceID InterfaceID, mDNSu16 err, mDNSIPPort extport, mDNSu32 lease, NATTProtocol protocol)
+{
+ natTraversalHandlePortMapReplyWithAddress(m, n, InterfaceID, err, m->ExtAddress, extport, lease, protocol);
+}
+
+// Must be called with the mDNS_Lock held
+mDNSexport mStatus mDNS_StartNATOperation_internal(mDNS *const m, NATTraversalInfo *traversal)
+{
+ NATTraversalInfo **n;
+
+ LogInfo("mDNS_StartNATOperation_internal %p Protocol %d IntPort %d RequestedPort %d NATLease %d", traversal,
+ traversal->Protocol, mDNSVal16(traversal->IntPort), mDNSVal16(traversal->RequestedPort), traversal->NATLease);
+
+ // Note: It important that new traversal requests are appended at the *end* of the list, not prepended at the start
+ for (n = &m->NATTraversals; *n; n=&(*n)->next)
+ {
+ if (traversal == *n)
+ {
+ LogMsg("Error! Tried to add a NAT traversal that's already in the active list: request %p Prot %d Int %d TTL %d",
+ traversal, traversal->Protocol, mDNSVal16(traversal->IntPort), traversal->NATLease);
+ #if ForceAlerts
+ *(long*)0 = 0;
+ #endif
+ return(mStatus_AlreadyRegistered);
+ }
+ if (traversal->Protocol && traversal->Protocol == (*n)->Protocol && mDNSSameIPPort(traversal->IntPort, (*n)->IntPort) &&
+ !mDNSSameIPPort(traversal->IntPort, SSHPort))
+ LogMsg("Warning: Created port mapping request %p Prot %d Int %d TTL %d "
+ "duplicates existing port mapping request %p Prot %d Int %d TTL %d",
+ traversal, traversal->Protocol, mDNSVal16(traversal->IntPort), traversal->NATLease,
+ *n, (*n)->Protocol, mDNSVal16((*n)->IntPort), (*n)->NATLease);
+ }
+
+ // Initialize necessary fields
+ traversal->next = mDNSNULL;
+ traversal->ExpiryTime = 0;
+ traversal->retryInterval = NATMAP_INIT_RETRY;
+ traversal->retryPortMap = m->timenow;
+ traversal->NewResult = mStatus_NoError;
+ traversal->lastSuccessfulProtocol = NATTProtocolNone;
+ traversal->sentNATPMP = mDNSfalse;
+ traversal->ExternalAddress = onesIPv4Addr;
+ traversal->NewAddress = zerov4Addr;
+ traversal->ExternalPort = zeroIPPort;
+ traversal->Lifetime = 0;
+ traversal->Result = mStatus_NoError;
+
+ // set default lease if necessary
+ if (!traversal->NATLease) traversal->NATLease = NATMAP_DEFAULT_LEASE;
+
+#ifdef _LEGACY_NAT_TRAVERSAL_
+ mDNSPlatformMemZero(&traversal->tcpInfo, sizeof(traversal->tcpInfo));
+#endif // _LEGACY_NAT_TRAVERSAL_
+
+ if (!m->NATTraversals) // If this is our first NAT request, kick off an address request too
+ {
+ m->retryGetAddr = m->timenow;
+ m->retryIntervalGetAddr = NATMAP_INIT_RETRY;
+ }
+
+ // If this is an address-only operation, initialize to the current global address,
+ // or (in non-PCP environments) we won't know the address until the next external
+ // address request/response.
+ if (!traversal->Protocol)
+ {
+ traversal->NewAddress = m->ExtAddress;
+ }
+
+ m->NextScheduledNATOp = m->timenow; // This will always trigger sending the packet ASAP, and generate client callback if necessary
+
+ *n = traversal; // Append new NATTraversalInfo to the end of our list
+
+ return(mStatus_NoError);
+}
+
+// Must be called with the mDNS_Lock held
+mDNSexport mStatus mDNS_StopNATOperation_internal(mDNS *m, NATTraversalInfo *traversal)
+{
+ mDNSBool unmap = mDNStrue;
+ NATTraversalInfo *p;
+ NATTraversalInfo **ptr = &m->NATTraversals;
+
+ while (*ptr && *ptr != traversal) ptr=&(*ptr)->next;
+ if (*ptr) *ptr = (*ptr)->next; // If we found it, cut this NATTraversalInfo struct from our list
+ else
+ {
+ LogMsg("mDNS_StopNATOperation_internal: NATTraversalInfo %p not found in list", traversal);
+ return(mStatus_BadReferenceErr);
+ }
+
+ LogInfo("mDNS_StopNATOperation_internal %p %d %d %d %d", traversal,
+ traversal->Protocol, mDNSVal16(traversal->IntPort), mDNSVal16(traversal->RequestedPort), traversal->NATLease);
+
+ if (m->CurrentNATTraversal == traversal)
+ m->CurrentNATTraversal = m->CurrentNATTraversal->next;
+
+ // If there is a match for the operation being stopped, don't send a deletion request (unmap)
+ for (p = m->NATTraversals; p; p=p->next)
+ {
+ if (traversal->Protocol ?
+ ((traversal->Protocol == p->Protocol && mDNSSameIPPort(traversal->IntPort, p->IntPort)) ||
+ (!p->Protocol && traversal->Protocol == NATOp_MapTCP && mDNSSameIPPort(traversal->IntPort, DiscardPort))) :
+ (!p->Protocol || (p->Protocol == NATOp_MapTCP && mDNSSameIPPort(p->IntPort, DiscardPort))))
+ {
+ LogInfo("Warning: Removed port mapping request %p Prot %d Int %d TTL %d "
+ "duplicates existing port mapping request %p Prot %d Int %d TTL %d",
+ traversal, traversal->Protocol, mDNSVal16(traversal->IntPort), traversal->NATLease,
+ p, p->Protocol, mDNSVal16( p->IntPort), p->NATLease);
+ unmap = mDNSfalse;
+ }
+ }
+
+ if (traversal->ExpiryTime && unmap)
+ {
+ traversal->NATLease = 0;
+ traversal->retryInterval = 0;
+
+ // In case we most recently sent NAT-PMP, we need to set sentNATPMP to false so
+ // that we'll send a NAT-PMP request to destroy the mapping. We do this because
+ // the NATTraversal struct has already been cut from the list, and the client
+ // layer will destroy the memory upon returning from this function, so we can't
+ // try PCP first and then fall-back to NAT-PMP. That is, if we most recently
+ // created/renewed the mapping using NAT-PMP, we need to destroy it using NAT-PMP
+ // now, because we won't get a chance later.
+ traversal->sentNATPMP = mDNSfalse;
+
+ // Both NAT-PMP & PCP RFCs state that the suggested port in deletion requests
+ // should be zero. And for PCP, the suggested external address should also be
+ // zero, specifically, the all-zeros IPv4-mapped address, since we would only
+ // would have requested an IPv4 address.
+ traversal->RequestedPort = zeroIPPort;
+ traversal->NewAddress = zerov4Addr;
+
+ uDNS_SendNATMsg(m, traversal, traversal->lastSuccessfulProtocol != NATTProtocolNATPMP);
+ }
+
+ // Even if we DIDN'T make a successful UPnP mapping yet, we might still have a partially-open TCP connection we need to clean up
+ #ifdef _LEGACY_NAT_TRAVERSAL_
+ {
+ mStatus err = LNT_UnmapPort(m, traversal);
+ if (err) LogMsg("Legacy NAT Traversal - unmap request failed with error %d", err);
+ }
+ #endif // _LEGACY_NAT_TRAVERSAL_
+
+ return(mStatus_NoError);
+}
+
+mDNSexport mStatus mDNS_StartNATOperation(mDNS *const m, NATTraversalInfo *traversal)
+{
+ mStatus status;
+ mDNS_Lock(m);
+ status = mDNS_StartNATOperation_internal(m, traversal);
+ mDNS_Unlock(m);
+ return(status);
+}
+
+mDNSexport mStatus mDNS_StopNATOperation(mDNS *const m, NATTraversalInfo *traversal)
+{
+ mStatus status;
+ mDNS_Lock(m);
+ status = mDNS_StopNATOperation_internal(m, traversal);
+ mDNS_Unlock(m);
+ return(status);
+}
+
+// ***************************************************************************
+#if COMPILER_LIKES_PRAGMA_MARK
+#pragma mark -
+#pragma mark - Long-Lived Queries
+#endif
+
+// Lock must be held -- otherwise m->timenow is undefined
+mDNSlocal void StartLLQPolling(mDNS *const m, DNSQuestion *q)
+{
+ debugf("StartLLQPolling: %##s", q->qname.c);
+ q->state = LLQ_Poll;
+ q->ThisQInterval = INIT_UCAST_POLL_INTERVAL;
+ // We want to send our poll query ASAP, but the "+ 1" is because if we set the time to now,
+ // we risk causing spurious "SendQueries didn't send all its queries" log messages
+ q->LastQTime = m->timenow - q->ThisQInterval + 1;
+ SetNextQueryTime(m, q);
+#if APPLE_OSX_mDNSResponder
+ UpdateAutoTunnelDomainStatuses(m);
+#endif
+}
+
+mDNSlocal mDNSu8 *putLLQ(DNSMessage *const msg, mDNSu8 *ptr, const DNSQuestion *const question, const LLQOptData *const data)
+{
+ AuthRecord rr;
+ ResourceRecord *opt = &rr.resrec;
+ rdataOPT *optRD;
+
+ //!!!KRS when we implement multiple llqs per message, we'll need to memmove anything past the question section
+ ptr = putQuestion(msg, ptr, msg->data + AbsoluteMaxDNSMessageData, &question->qname, question->qtype, question->qclass);
+ if (!ptr) { LogMsg("ERROR: putLLQ - putQuestion"); return mDNSNULL; }
+
+ // locate OptRR if it exists, set pointer to end
+ // !!!KRS implement me
+
+ // format opt rr (fields not specified are zero-valued)
+ mDNS_SetupResourceRecord(&rr, mDNSNULL, mDNSInterface_Any, kDNSType_OPT, kStandardTTL, kDNSRecordTypeKnownUnique, AuthRecordAny, mDNSNULL, mDNSNULL);
+ opt->rrclass = NormalMaxDNSMessageData;
+ opt->rdlength = sizeof(rdataOPT); // One option in this OPT record
+ opt->rdestimate = sizeof(rdataOPT);
+
+ optRD = &rr.resrec.rdata->u.opt[0];
+ optRD->opt = kDNSOpt_LLQ;
+ optRD->u.llq = *data;
+ ptr = PutResourceRecordTTLJumbo(msg, ptr, &msg->h.numAdditionals, opt, 0);
+ if (!ptr) { LogMsg("ERROR: putLLQ - PutResourceRecordTTLJumbo"); return mDNSNULL; }
+
+ return ptr;
+}
+
+// Normally we'd just request event packets be sent directly to m->LLQNAT.ExternalPort, except...
+// with LLQs over TLS/TCP we're doing a weird thing where instead of requesting packets be sent to ExternalAddress:ExternalPort
+// we're requesting that packets be sent to ExternalPort, but at the source address of our outgoing TCP connection.
+// Normally, after going through the NAT gateway, the source address of our outgoing TCP connection is the same as ExternalAddress,
+// so this is fine, except when the TCP connection ends up going over a VPN tunnel instead.
+// To work around this, if we find that the source address for our TCP connection is not a private address, we tell the Dot Mac
+// LLQ server to send events to us directly at port 5353 on that address, instead of at our mapped external NAT port.
+
+mDNSlocal mDNSu16 GetLLQEventPort(const mDNS *const m, const mDNSAddr *const dst)
+{
+ mDNSAddr src;
+ mDNSPlatformSourceAddrForDest(&src, dst);
+ //LogMsg("GetLLQEventPort: src %#a for dst %#a (%d)", &src, dst, mDNSv4AddrIsRFC1918(&src.ip.v4) ? mDNSVal16(m->LLQNAT.ExternalPort) : 0);
+ return(mDNSv4AddrIsRFC1918(&src.ip.v4) ? mDNSVal16(m->LLQNAT.ExternalPort) : mDNSVal16(MulticastDNSPort));
+}
+
+// Normally called with llq set.
+// May be called with llq NULL, when retransmitting a lost Challenge Response
+mDNSlocal void sendChallengeResponse(mDNS *const m, DNSQuestion *const q, const LLQOptData *llq)
+{
+ mDNSu8 *responsePtr = m->omsg.data;
+ LLQOptData llqBuf;
+
+ if (q->tcp) { LogMsg("sendChallengeResponse: ERROR!!: question %##s (%s) tcp non-NULL", q->qname.c, DNSTypeName(q->qtype)); return; }
+
+ if (PrivateQuery(q)) { LogMsg("sendChallengeResponse: ERROR!!: Private Query %##s (%s)", q->qname.c, DNSTypeName(q->qtype)); return; }
+
+ if (q->ntries++ == kLLQ_MAX_TRIES)
+ {
+ LogMsg("sendChallengeResponse: %d failed attempts for LLQ %##s", kLLQ_MAX_TRIES, q->qname.c);
+ StartLLQPolling(m,q);
+ return;
+ }
+
+ if (!llq) // Retransmission: need to make a new LLQOptData
+ {
+ llqBuf.vers = kLLQ_Vers;
+ llqBuf.llqOp = kLLQOp_Setup;
+ llqBuf.err = LLQErr_NoError; // Don't need to tell server UDP notification port when sending over UDP
+ llqBuf.id = q->id;
+ llqBuf.llqlease = q->ReqLease;
+ llq = &llqBuf;
+ }
+
+ q->LastQTime = m->timenow;
+ q->ThisQInterval = q->tcp ? 0 : (kLLQ_INIT_RESEND * q->ntries * mDNSPlatformOneSecond); // If using TCP, don't need to retransmit
+ SetNextQueryTime(m, q);
+
+ // To simulate loss of challenge response packet, uncomment line below
+ //if (q->ntries == 1) return;
+
+ InitializeDNSMessage(&m->omsg.h, q->TargetQID, uQueryFlags);
+ responsePtr = putLLQ(&m->omsg, responsePtr, q, llq);
+ if (responsePtr)
+ {
+ mStatus err = mDNSSendDNSMessage(m, &m->omsg, responsePtr, mDNSInterface_Any, q->LocalSocket, &q->servAddr, q->servPort, mDNSNULL, mDNSNULL, mDNSfalse);
+ if (err) { LogMsg("sendChallengeResponse: mDNSSendDNSMessage%s failed: %d", q->tcp ? " (TCP)" : "", err); }
+ }
+ else StartLLQPolling(m,q);
+}
+
+mDNSlocal void SetLLQTimer(mDNS *const m, DNSQuestion *const q, const LLQOptData *const llq)
+{
+ mDNSs32 lease = (mDNSs32)llq->llqlease * mDNSPlatformOneSecond;
+ q->ReqLease = llq->llqlease;
+ q->LastQTime = m->timenow;
+ q->expire = m->timenow + lease;
+ q->ThisQInterval = lease/2 + mDNSRandom(lease/10);
+ debugf("SetLLQTimer setting %##s (%s) to %d %d", q->qname.c, DNSTypeName(q->qtype), lease/mDNSPlatformOneSecond, q->ThisQInterval/mDNSPlatformOneSecond);
+ SetNextQueryTime(m, q);
+}
+
+mDNSlocal void recvSetupResponse(mDNS *const m, mDNSu8 rcode, DNSQuestion *const q, const LLQOptData *const llq)
+{
+ if (rcode && rcode != kDNSFlag1_RC_NXDomain)
+ { LogMsg("ERROR: recvSetupResponse %##s (%s) - rcode && rcode != kDNSFlag1_RC_NXDomain", q->qname.c, DNSTypeName(q->qtype)); return; }
+
+ if (llq->llqOp != kLLQOp_Setup)
+ { LogMsg("ERROR: recvSetupResponse %##s (%s) - bad op %d", q->qname.c, DNSTypeName(q->qtype), llq->llqOp); return; }
+
+ if (llq->vers != kLLQ_Vers)
+ { LogMsg("ERROR: recvSetupResponse %##s (%s) - bad vers %d", q->qname.c, DNSTypeName(q->qtype), llq->vers); return; }
+
+ if (q->state == LLQ_InitialRequest)
+ {
+ //LogInfo("Got LLQ_InitialRequest");
+
+ if (llq->err) { LogMsg("recvSetupResponse - received llq->err %d from server", llq->err); StartLLQPolling(m,q); return; }
+
+ if (q->ReqLease != llq->llqlease)
+ debugf("recvSetupResponse: requested lease %lu, granted lease %lu", q->ReqLease, llq->llqlease);
+
+ // cache expiration in case we go to sleep before finishing setup
+ q->ReqLease = llq->llqlease;
+ q->expire = m->timenow + ((mDNSs32)llq->llqlease * mDNSPlatformOneSecond);
+
+ // update state
+ q->state = LLQ_SecondaryRequest;
+ q->id = llq->id;
+ q->ntries = 0; // first attempt to send response
+ sendChallengeResponse(m, q, llq);
+ }
+ else if (q->state == LLQ_SecondaryRequest)
+ {
+ //LogInfo("Got LLQ_SecondaryRequest");
+
+ // Fix this immediately if not sooner. Copy the id from the LLQOptData into our DNSQuestion struct. This is only
+ // an issue for private LLQs, because we skip parts 2 and 3 of the handshake. This is related to a bigger
+ // problem of the current implementation of TCP LLQ setup: we're not handling state transitions correctly
+ // if the server sends back SERVFULL or STATIC.
+ if (PrivateQuery(q))
+ {
+ LogInfo("Private LLQ_SecondaryRequest; copying id %08X%08X", llq->id.l[0], llq->id.l[1]);
+ q->id = llq->id;
+ }
+
+ if (llq->err) { LogMsg("ERROR: recvSetupResponse %##s (%s) code %d from server", q->qname.c, DNSTypeName(q->qtype), llq->err); StartLLQPolling(m,q); return; }
+ if (!mDNSSameOpaque64(&q->id, &llq->id))
+ { LogMsg("recvSetupResponse - ID changed. discarding"); return; } // this can happen rarely (on packet loss + reordering)
+ q->state = LLQ_Established;
+ q->ntries = 0;
+ SetLLQTimer(m, q, llq);
+#if APPLE_OSX_mDNSResponder
+ UpdateAutoTunnelDomainStatuses(m);
+#endif
+ }
+}
+
+mDNSexport uDNS_LLQType uDNS_recvLLQResponse(mDNS *const m, const DNSMessage *const msg, const mDNSu8 *const end,
+ const mDNSAddr *const srcaddr, const mDNSIPPort srcport, DNSQuestion **matchQuestion)
+{
+ DNSQuestion pktQ, *q;
+ if (msg->h.numQuestions && getQuestion(msg, msg->data, end, 0, &pktQ))
+ {
+ const rdataOPT *opt = GetLLQOptData(m, msg, end);
+
+ for (q = m->Questions; q; q = q->next)
+ {
+ if (!mDNSOpaque16IsZero(q->TargetQID) && q->LongLived && q->qtype == pktQ.qtype && q->qnamehash == pktQ.qnamehash && SameDomainName(&q->qname, &pktQ.qname))
+ {
+ debugf("uDNS_recvLLQResponse found %##s (%s) %d %#a %#a %X %X %X %X %d",
+ q->qname.c, DNSTypeName(q->qtype), q->state, srcaddr, &q->servAddr,
+ opt ? opt->u.llq.id.l[0] : 0, opt ? opt->u.llq.id.l[1] : 0, q->id.l[0], q->id.l[1], opt ? opt->u.llq.llqOp : 0);
+ if (q->state == LLQ_Poll) debugf("uDNS_LLQ_Events: q->state == LLQ_Poll msg->h.id %d q->TargetQID %d", mDNSVal16(msg->h.id), mDNSVal16(q->TargetQID));
+ if (q->state == LLQ_Poll && mDNSSameOpaque16(msg->h.id, q->TargetQID))
+ {
+ m->rec.r.resrec.RecordType = 0; // Clear RecordType to show we're not still using it
+
+ // Don't reset the state to IntialRequest as we may write that to the dynamic store
+ // and PrefPane might wrongly think that we are "Starting" instead of "Polling". If
+ // we are in polling state because of PCP/NAT-PMP disabled or DoubleNAT, next LLQNATCallback
+ // would kick us back to LLQInitialRequest. So, resetting the state here may not be useful.
+ //
+ // If we have a good NAT (neither PCP/NAT-PMP disabled nor Double-NAT), then we should not be
+ // possibly in polling state. To be safe, we want to retry from the start in that case
+ // as there may not be another LLQNATCallback
+ //
+ // NOTE: We can be in polling state if we cannot resolve the SOA record i.e, servAddr is set to
+ // all ones. In that case, we would set it in LLQ_InitialRequest as it overrides the PCP/NAT-PMP or
+ // Double-NAT state.
+ if (!mDNSAddressIsOnes(&q->servAddr) && !mDNSIPPortIsZero(m->LLQNAT.ExternalPort) &&
+ !m->LLQNAT.Result)
+ {
+ debugf("uDNS_recvLLQResponse got poll response; moving to LLQ_InitialRequest for %##s (%s)", q->qname.c, DNSTypeName(q->qtype));
+ q->state = LLQ_InitialRequest;
+ }
+ q->servPort = zeroIPPort; // Clear servPort so that startLLQHandshake will retry the GetZoneData processing
+ q->ThisQInterval = LLQ_POLL_INTERVAL + mDNSRandom(LLQ_POLL_INTERVAL/10); // Retry LLQ setup in approx 15 minutes
+ q->LastQTime = m->timenow;
+ SetNextQueryTime(m, q);
+ *matchQuestion = q;
+ return uDNS_LLQ_Entire; // uDNS_LLQ_Entire means flush stale records; assume a large effective TTL
+ }
+ // Note: In LLQ Event packets, the msg->h.id does not match our q->TargetQID, because in that case the msg->h.id nonce is selected by the server
+ else if (opt && q->state == LLQ_Established && opt->u.llq.llqOp == kLLQOp_Event && mDNSSameOpaque64(&opt->u.llq.id, &q->id))
+ {
+ mDNSu8 *ackEnd;
+ //debugf("Sending LLQ ack for %##s (%s)", q->qname.c, DNSTypeName(q->qtype));
+ InitializeDNSMessage(&m->omsg.h, msg->h.id, ResponseFlags);
+ ackEnd = putLLQ(&m->omsg, m->omsg.data, q, &opt->u.llq);
+ if (ackEnd) mDNSSendDNSMessage(m, &m->omsg, ackEnd, mDNSInterface_Any, q->LocalSocket, srcaddr, srcport, mDNSNULL, mDNSNULL, mDNSfalse);
+ m->rec.r.resrec.RecordType = 0; // Clear RecordType to show we're not still using it
+ debugf("uDNS_LLQ_Events: q->state == LLQ_Established msg->h.id %d q->TargetQID %d", mDNSVal16(msg->h.id), mDNSVal16(q->TargetQID));
+ *matchQuestion = q;
+ return uDNS_LLQ_Events;
+ }
+ if (opt && mDNSSameOpaque16(msg->h.id, q->TargetQID))
+ {
+ if (q->state == LLQ_Established && opt->u.llq.llqOp == kLLQOp_Refresh && mDNSSameOpaque64(&opt->u.llq.id, &q->id) && msg->h.numAdditionals && !msg->h.numAnswers)
+ {
+ if (opt->u.llq.err != LLQErr_NoError) LogMsg("recvRefreshReply: received error %d from server", opt->u.llq.err);
+ else
+ {
+ //LogInfo("Received refresh confirmation ntries %d for %##s (%s)", q->ntries, q->qname.c, DNSTypeName(q->qtype));
+ // If we're waiting to go to sleep, then this LLQ deletion may have been the thing
+ // we were waiting for, so schedule another check to see if we can sleep now.
+ if (opt->u.llq.llqlease == 0 && m->SleepLimit) m->NextScheduledSPRetry = m->timenow;
+ GrantCacheExtensions(m, q, opt->u.llq.llqlease);
+ SetLLQTimer(m, q, &opt->u.llq);
+ q->ntries = 0;
+ }
+ m->rec.r.resrec.RecordType = 0; // Clear RecordType to show we're not still using it
+ *matchQuestion = q;
+ return uDNS_LLQ_Ignore;
+ }
+ if (q->state < LLQ_Established && mDNSSameAddress(srcaddr, &q->servAddr))
+ {
+ LLQ_State oldstate = q->state;
+ recvSetupResponse(m, msg->h.flags.b[1] & kDNSFlag1_RC_Mask, q, &opt->u.llq);
+ m->rec.r.resrec.RecordType = 0; // Clear RecordType to show we're not still using it
+ // We have a protocol anomaly here in the LLQ definition.
+ // Both the challenge packet from the server and the ack+answers packet have opt->u.llq.llqOp == kLLQOp_Setup.
+ // However, we need to treat them differently:
+ // The challenge packet has no answers in it, and tells us nothing about whether our cache entries
+ // are still valid, so this packet should not cause us to do anything that messes with our cache.
+ // The ack+answers packet gives us the whole truth, so we should handle it by updating our cache
+ // to match the answers in the packet, and only the answers in the packet.
+ *matchQuestion = q;
+ return (oldstate == LLQ_SecondaryRequest ? uDNS_LLQ_Entire : uDNS_LLQ_Ignore);
+ }
+ }
+ }
+ }
+ m->rec.r.resrec.RecordType = 0; // Clear RecordType to show we're not still using it
+ }
+ *matchQuestion = mDNSNULL;
+ return uDNS_LLQ_Not;
+}
+
+// Stub definition of TCPSocket_struct so we can access flags field. (Rest of TCPSocket_struct is platform-dependent.)
+struct TCPSocket_struct { TCPSocketFlags flags; /* ... */ };
+
+// tcpCallback is called to handle events (e.g. connection opening and data reception) on TCP connections for
+// Private DNS operations -- private queries, private LLQs, private record updates and private service updates
+mDNSlocal void tcpCallback(TCPSocket *sock, void *context, mDNSBool ConnectionEstablished, mStatus err)
+{
+ tcpInfo_t *tcpInfo = (tcpInfo_t *)context;
+ mDNSBool closed = mDNSfalse;
+ mDNS *m = tcpInfo->m;
+ DNSQuestion *const q = tcpInfo->question;
+ tcpInfo_t **backpointer =
+ q ? &q->tcp :
+ tcpInfo->rr ? &tcpInfo->rr->tcp : mDNSNULL;
+ if (backpointer && *backpointer != tcpInfo)
+ LogMsg("tcpCallback: %d backpointer %p incorrect tcpInfo %p question %p rr %p",
+ mDNSPlatformTCPGetFD(tcpInfo->sock), *backpointer, tcpInfo, q, tcpInfo->rr);
+
+ if (err) goto exit;
+
+ if (ConnectionEstablished)
+ {
+ mDNSu8 *end = ((mDNSu8*) &tcpInfo->request) + tcpInfo->requestLen;
+ DomainAuthInfo *AuthInfo;
+
+ // Defensive coding for <rdar://problem/5546824> Crash in mDNSResponder at GetAuthInfoForName_internal + 366
+ // Don't know yet what's causing this, but at least we can be cautious and try to avoid crashing if we find our pointers in an unexpected state
+ if (tcpInfo->rr && tcpInfo->rr->resrec.name != &tcpInfo->rr->namestorage)
+ LogMsg("tcpCallback: ERROR: tcpInfo->rr->resrec.name %p != &tcpInfo->rr->namestorage %p",
+ tcpInfo->rr->resrec.name, &tcpInfo->rr->namestorage);
+ if (tcpInfo->rr && tcpInfo->rr->resrec.name != &tcpInfo->rr->namestorage) return;
+
+ AuthInfo = tcpInfo->rr ? GetAuthInfoForName(m, tcpInfo->rr->resrec.name) : mDNSNULL;
+
+ // connection is established - send the message
+ if (q && q->LongLived && q->state == LLQ_Established)
+ {
+ // Lease renewal over TCP, resulting from opening a TCP connection in sendLLQRefresh
+ end = ((mDNSu8*) &tcpInfo->request) + tcpInfo->requestLen;
+ }
+ else if (q && q->LongLived && q->state != LLQ_Poll && !mDNSIPPortIsZero(m->LLQNAT.ExternalPort) && !mDNSIPPortIsZero(q->servPort))
+ {
+ // Notes:
+ // If we have a NAT port mapping, ExternalPort is the external port
+ // If we have a routable address so we don't need a port mapping, ExternalPort is the same as our own internal port
+ // If we need a NAT port mapping but can't get one, then ExternalPort is zero
+ LLQOptData llqData; // set llq rdata
+ llqData.vers = kLLQ_Vers;
+ llqData.llqOp = kLLQOp_Setup;
+ llqData.err = GetLLQEventPort(m, &tcpInfo->Addr); // We're using TCP; tell server what UDP port to send notifications to
+ LogInfo("tcpCallback: eventPort %d", llqData.err);
+ llqData.id = zeroOpaque64;
+ llqData.llqlease = kLLQ_DefLease;
+ InitializeDNSMessage(&tcpInfo->request.h, q->TargetQID, uQueryFlags);
+ end = putLLQ(&tcpInfo->request, tcpInfo->request.data, q, &llqData);
+ if (!end) { LogMsg("ERROR: tcpCallback - putLLQ"); err = mStatus_UnknownErr; goto exit; }
+ AuthInfo = q->AuthInfo; // Need to add TSIG to this message
+ q->ntries = 0; // Reset ntries so that tcp/tls connection failures don't affect sendChallengeResponse failures
+ }
+ else if (q)
+ {
+ // LLQ Polling mode or non-LLQ uDNS over TCP
+ InitializeDNSMessage(&tcpInfo->request.h, q->TargetQID, (DNSSECQuestion(q) ? DNSSecQFlags : uQueryFlags));
+ end = putQuestion(&tcpInfo->request, tcpInfo->request.data, tcpInfo->request.data + AbsoluteMaxDNSMessageData, &q->qname, q->qtype, q->qclass);
+ if (DNSSECQuestion(q) && q->qDNSServer && !q->qDNSServer->cellIntf)
+ {
+ if (q->ProxyQuestion)
+ end = DNSProxySetAttributes(q, &tcpInfo->request.h, &tcpInfo->request, end, tcpInfo->request.data + AbsoluteMaxDNSMessageData);
+ else
+ end = putDNSSECOption(&tcpInfo->request, end, tcpInfo->request.data + AbsoluteMaxDNSMessageData);
+ }
+
+ AuthInfo = q->AuthInfo; // Need to add TSIG to this message
+ }
+
+ err = mDNSSendDNSMessage(m, &tcpInfo->request, end, mDNSInterface_Any, mDNSNULL, &tcpInfo->Addr, tcpInfo->Port, sock, AuthInfo, mDNSfalse);
+ if (err) { debugf("ERROR: tcpCallback: mDNSSendDNSMessage - %d", err); err = mStatus_UnknownErr; goto exit; }
+
+ // Record time we sent this question
+ if (q)
+ {
+ mDNS_Lock(m);
+ q->LastQTime = m->timenow;
+ if (q->ThisQInterval < (256 * mDNSPlatformOneSecond)) // Now we have a TCP connection open, make sure we wait at least 256 seconds before retrying
+ q->ThisQInterval = (256 * mDNSPlatformOneSecond);
+ SetNextQueryTime(m, q);
+ mDNS_Unlock(m);
+ }
+ }
+ else
+ {
+ long n;
+ if (tcpInfo->nread < 2) // First read the two-byte length preceeding the DNS message
+ {
+ mDNSu8 *lenptr = (mDNSu8 *)&tcpInfo->replylen;
+ n = mDNSPlatformReadTCP(sock, lenptr + tcpInfo->nread, 2 - tcpInfo->nread, &closed);
+ if (n < 0)
+ {
+ LogMsg("ERROR: tcpCallback - attempt to read message length failed (%d)", n);
+ err = mStatus_ConnFailed;
+ goto exit;
+ }
+ else if (closed)
+ {
+ // It's perfectly fine for this socket to close after the first reply. The server might
+ // be sending gratuitous replies using UDP and doesn't have a need to leave the TCP socket open.
+ // We'll only log this event if we've never received a reply before.
+ // BIND 9 appears to close an idle connection after 30 seconds.
+ if (tcpInfo->numReplies == 0)
+ {
+ LogMsg("ERROR: socket closed prematurely tcpInfo->nread = %d", tcpInfo->nread);
+ err = mStatus_ConnFailed;
+ goto exit;
+ }
+ else
+ {
+ // Note that we may not be doing the best thing if an error occurs after we've sent a second request
+ // over this tcp connection. That is, we only track whether we've received at least one response
+ // which may have been to a previous request sent over this tcp connection.
+ if (backpointer) *backpointer = mDNSNULL; // Clear client backpointer FIRST so we don't risk double-disposing our tcpInfo_t
+ DisposeTCPConn(tcpInfo);
+ return;
+ }
+ }
+
+ tcpInfo->nread += n;
+ if (tcpInfo->nread < 2) goto exit;
+
+ tcpInfo->replylen = (mDNSu16)((mDNSu16)lenptr[0] << 8 | lenptr[1]);
+ if (tcpInfo->replylen < sizeof(DNSMessageHeader))
+ { LogMsg("ERROR: tcpCallback - length too short (%d bytes)", tcpInfo->replylen); err = mStatus_UnknownErr; goto exit; }
+
+ tcpInfo->reply = mDNSPlatformMemAllocate(tcpInfo->replylen);
+ if (!tcpInfo->reply) { LogMsg("ERROR: tcpCallback - malloc failed"); err = mStatus_NoMemoryErr; goto exit; }
+ }
+
+ n = mDNSPlatformReadTCP(sock, ((char *)tcpInfo->reply) + (tcpInfo->nread - 2), tcpInfo->replylen - (tcpInfo->nread - 2), &closed);
+
+ if (n < 0)
+ {
+ LogMsg("ERROR: tcpCallback - read returned %d", n);
+ err = mStatus_ConnFailed;
+ goto exit;
+ }
+ else if (closed)
+ {
+ if (tcpInfo->numReplies == 0)
+ {
+ LogMsg("ERROR: socket closed prematurely tcpInfo->nread = %d", tcpInfo->nread);
+ err = mStatus_ConnFailed;
+ goto exit;
+ }
+ else
+ {
+ // Note that we may not be doing the best thing if an error occurs after we've sent a second request
+ // over this tcp connection. That is, we only track whether we've received at least one response
+ // which may have been to a previous request sent over this tcp connection.
+ if (backpointer) *backpointer = mDNSNULL; // Clear client backpointer FIRST so we don't risk double-disposing our tcpInfo_t
+ DisposeTCPConn(tcpInfo);
+ return;
+ }
+ }
+
+ tcpInfo->nread += n;
+
+ if ((tcpInfo->nread - 2) == tcpInfo->replylen)
+ {
+ mDNSBool tls;
+ DNSMessage *reply = tcpInfo->reply;
+ mDNSu8 *end = (mDNSu8 *)tcpInfo->reply + tcpInfo->replylen;
+ mDNSAddr Addr = tcpInfo->Addr;
+ mDNSIPPort Port = tcpInfo->Port;
+ mDNSIPPort srcPort = zeroIPPort;
+ tcpInfo->numReplies++;
+ tcpInfo->reply = mDNSNULL; // Detach reply buffer from tcpInfo_t, to make sure client callback can't cause it to be disposed
+ tcpInfo->nread = 0;
+ tcpInfo->replylen = 0;
+
+ // If we're going to dispose this connection, do it FIRST, before calling client callback
+ // Note: Sleep code depends on us clearing *backpointer here -- it uses the clearing of rr->tcp
+ // as the signal that the DNS deregistration operation with the server has completed, and the machine may now sleep
+ // If we clear the tcp pointer in the question, mDNSCoreReceiveResponse cannot find a matching question. Hence
+ // we store the minimal information i.e., the source port of the connection in the question itself.
+ // Dereference sock before it is disposed in DisposeTCPConn below.
+
+ if (sock->flags & kTCPSocketFlags_UseTLS) tls = mDNStrue;
+ else tls = mDNSfalse;
+
+ if (q && q->tcp) {srcPort = q->tcp->SrcPort; q->tcpSrcPort = srcPort;}
+
+ if (backpointer)
+ if (!q || !q->LongLived || m->SleepState)
+ { *backpointer = mDNSNULL; DisposeTCPConn(tcpInfo); }
+
+ mDNSCoreReceive(m, reply, end, &Addr, Port, tls ? (mDNSAddr *)1 : mDNSNULL, srcPort, 0);
+ // USE CAUTION HERE: Invoking mDNSCoreReceive may have caused the environment to change, including canceling this operation itself
+
+ mDNSPlatformMemFree(reply);
+ return;
+ }
+ }
+
+exit:
+
+ if (err)
+ {
+ // Clear client backpointer FIRST -- that way if one of the callbacks cancels its operation
+ // we won't end up double-disposing our tcpInfo_t
+ if (backpointer) *backpointer = mDNSNULL;
+
+ mDNS_Lock(m); // Need to grab the lock to get m->timenow
+
+ if (q)
+ {
+ if (q->ThisQInterval == 0)
+ {
+ // We get here when we fail to establish a new TCP/TLS connection that would have been used for a new LLQ request or an LLQ renewal.
+ // Note that ThisQInterval is also zero when sendChallengeResponse resends the LLQ request on an extant TCP/TLS connection.
+ q->LastQTime = m->timenow;
+ if (q->LongLived)
+ {
+ // We didn't get the chance to send our request packet before the TCP/TLS connection failed.
+ // We want to retry quickly, but want to back off exponentially in case the server is having issues.
+ // Since ThisQInterval was 0, we can't just multiply by QuestionIntervalStep, we must track the number
+ // of TCP/TLS connection failures using ntries.
+ mDNSu32 count = q->ntries + 1; // want to wait at least 1 second before retrying
+
+ q->ThisQInterval = InitialQuestionInterval;
+
+ for (; count; count--)
+ q->ThisQInterval *= QuestionIntervalStep;
+
+ if (q->ThisQInterval > LLQ_POLL_INTERVAL)
+ q->ThisQInterval = LLQ_POLL_INTERVAL;
+ else
+ q->ntries++;
+
+ LogMsg("tcpCallback: stream connection for LLQ %##s (%s) failed %d times, retrying in %d ms", q->qname.c, DNSTypeName(q->qtype), q->ntries, q->ThisQInterval);
+ }
+ else
+ {
+ q->ThisQInterval = MAX_UCAST_POLL_INTERVAL;
+ LogMsg("tcpCallback: stream connection for %##s (%s) failed, retrying in %d ms", q->qname.c, DNSTypeName(q->qtype), q->ThisQInterval);
+ }
+ SetNextQueryTime(m, q);
+ }
+ else if (NextQSendTime(q) - m->timenow > (q->LongLived ? LLQ_POLL_INTERVAL : MAX_UCAST_POLL_INTERVAL))
+ {
+ // If we get an error and our next scheduled query for this question is more than the max interval from now,
+ // reset the next query to ensure we wait no longer the maximum interval from now before trying again.
+ q->LastQTime = m->timenow;
+ q->ThisQInterval = q->LongLived ? LLQ_POLL_INTERVAL : MAX_UCAST_POLL_INTERVAL;
+ SetNextQueryTime(m, q);
+ LogMsg("tcpCallback: stream connection for %##s (%s) failed, retrying in %d ms", q->qname.c, DNSTypeName(q->qtype), q->ThisQInterval);
+ }
+
+ // We're about to dispose of the TCP connection, so we must reset the state to retry over TCP/TLS
+ // because sendChallengeResponse will send the query via UDP if we don't have a tcp pointer.
+ // Resetting to LLQ_InitialRequest will cause uDNS_CheckCurrentQuestion to call startLLQHandshake, which
+ // will attempt to establish a new tcp connection.
+ if (q->LongLived && q->state == LLQ_SecondaryRequest)
+ q->state = LLQ_InitialRequest;
+
+ // ConnFailed may happen if the server sends a TCP reset or TLS fails, in which case we want to retry establishing the LLQ
+ // quickly rather than switching to polling mode. This case is handled by the above code to set q->ThisQInterval just above.
+ // If the error isn't ConnFailed, then the LLQ is in bad shape, so we switch to polling mode.
+ if (err != mStatus_ConnFailed)
+ {
+ if (q->LongLived && q->state != LLQ_Poll) StartLLQPolling(m, q);
+ }
+ }
+
+ mDNS_Unlock(m);
+
+ DisposeTCPConn(tcpInfo);
+ }
+}
+
+mDNSlocal tcpInfo_t *MakeTCPConn(mDNS *const m, const DNSMessage *const msg, const mDNSu8 *const end,
+ TCPSocketFlags flags, const mDNSAddr *const Addr, const mDNSIPPort Port, domainname *hostname,
+ DNSQuestion *const question, AuthRecord *const rr)
+{
+ mStatus err;
+ mDNSIPPort srcport = zeroIPPort;
+ tcpInfo_t *info;
+ mDNSBool useBackgroundTrafficClass;
+
+ useBackgroundTrafficClass = question ? question->UseBackgroundTrafficClass : mDNSfalse;
+
+ if ((flags & kTCPSocketFlags_UseTLS) && (!hostname || !hostname->c[0]))
+ { LogMsg("MakeTCPConn: TLS connection being setup with NULL hostname"); return mDNSNULL; }
+
+ info = (tcpInfo_t *)mDNSPlatformMemAllocate(sizeof(tcpInfo_t));
+ if (!info) { LogMsg("ERROR: MakeTCP - memallocate failed"); return(mDNSNULL); }
+ mDNSPlatformMemZero(info, sizeof(tcpInfo_t));
+
+ info->m = m;
+ info->sock = mDNSPlatformTCPSocket(m, flags, &srcport, useBackgroundTrafficClass);
+ info->requestLen = 0;
+ info->question = question;
+ info->rr = rr;
+ info->Addr = *Addr;
+ info->Port = Port;
+ info->reply = mDNSNULL;
+ info->replylen = 0;
+ info->nread = 0;
+ info->numReplies = 0;
+ info->SrcPort = srcport;
+
+ if (msg)
+ {
+ info->requestLen = (int) (end - ((mDNSu8*)msg));
+ mDNSPlatformMemCopy(&info->request, msg, info->requestLen);
+ }
+
+ if (!info->sock) { LogMsg("MakeTCPConn: unable to create TCP socket"); mDNSPlatformMemFree(info); return(mDNSNULL); }
+ err = mDNSPlatformTCPConnect(info->sock, Addr, Port, hostname, (question ? question->InterfaceID : mDNSNULL), tcpCallback, info);
+
+ // Probably suboptimal here.
+ // Instead of returning mDNSNULL here on failure, we should probably invoke the callback with an error code.
+ // That way clients can put all the error handling and retry/recovery code in one place,
+ // instead of having to handle immediate errors in one place and async errors in another.
+ // Also: "err == mStatus_ConnEstablished" probably never happens.
+
+ // Don't need to log "connection failed" in customer builds -- it happens quite often during sleep, wake, configuration changes, etc.
+ if (err == mStatus_ConnEstablished) { tcpCallback(info->sock, info, mDNStrue, mStatus_NoError); }
+ else if (err != mStatus_ConnPending ) { LogInfo("MakeTCPConn: connection failed"); DisposeTCPConn(info); return(mDNSNULL); }
+ return(info);
+}
+
+mDNSexport void DisposeTCPConn(struct tcpInfo_t *tcp)
+{
+ mDNSPlatformTCPCloseConnection(tcp->sock);
+ if (tcp->reply) mDNSPlatformMemFree(tcp->reply);
+ mDNSPlatformMemFree(tcp);
+}
+
+// Lock must be held
+mDNSexport void startLLQHandshake(mDNS *m, DNSQuestion *q)
+{
+ if (m->LLQNAT.clientContext != mDNSNULL) // LLQNAT just started, give it some time
+ {
+ LogInfo("startLLQHandshake: waiting for NAT status for %##s (%s)", q->qname.c, DNSTypeName(q->qtype));
+ q->ThisQInterval = LLQ_POLL_INTERVAL + mDNSRandom(LLQ_POLL_INTERVAL/10); // Retry in approx 15 minutes
+ q->LastQTime = m->timenow;
+ SetNextQueryTime(m, q);
+ return;
+ }
+
+ // Either we don't have {PCP, NAT-PMP, UPnP/IGD} support (ExternalPort is zero) or behind a Double NAT that may or
+ // may not have {PCP, NAT-PMP, UPnP/IGD} support (NATResult is non-zero)
+ if (mDNSIPPortIsZero(m->LLQNAT.ExternalPort) || m->LLQNAT.Result)
+ {
+ LogInfo("startLLQHandshake: Cannot receive inbound packets; will poll for %##s (%s) External Port %d, NAT Result %d",
+ q->qname.c, DNSTypeName(q->qtype), mDNSVal16(m->LLQNAT.ExternalPort), m->LLQNAT.Result);
+ StartLLQPolling(m, q);
+ return;
+ }
+
+ if (mDNSIPPortIsZero(q->servPort))
+ {
+ debugf("startLLQHandshake: StartGetZoneData for %##s (%s)", q->qname.c, DNSTypeName(q->qtype));
+ q->ThisQInterval = LLQ_POLL_INTERVAL + mDNSRandom(LLQ_POLL_INTERVAL/10); // Retry in approx 15 minutes
+ q->LastQTime = m->timenow;
+ SetNextQueryTime(m, q);
+ q->servAddr = zeroAddr;
+ // We know q->servPort is zero because of check above
+ if (q->nta) CancelGetZoneData(m, q->nta);
+ q->nta = StartGetZoneData(m, &q->qname, ZoneServiceLLQ, LLQGotZoneData, q);
+ return;
+ }
+
+ if (PrivateQuery(q))
+ {
+ if (q->tcp) LogInfo("startLLQHandshake: Disposing existing TCP connection for %##s (%s)", q->qname.c, DNSTypeName(q->qtype));
+ if (q->tcp) { DisposeTCPConn(q->tcp); q->tcp = mDNSNULL; }
+ if (!q->nta)
+ {
+ // Normally we lookup the zone data and then call this function. And we never free the zone data
+ // for "PrivateQuery". But sometimes this can happen due to some race conditions. When we
+ // switch networks, we might end up "Polling" the network e.g., we are behind a Double NAT.
+ // When we poll, we free the zone information as we send the query to the server (See
+ // PrivateQueryGotZoneData). The NAT callback (LLQNATCallback) may happen soon after that. If we
+ // are still behind Double NAT, we would have returned early in this function. But we could
+ // have switched to a network with no NATs and we should get the zone data again.
+ LogInfo("startLLQHandshake: nta is NULL for %##s (%s)", q->qname.c, DNSTypeName(q->qtype));
+ q->nta = StartGetZoneData(m, &q->qname, ZoneServiceLLQ, LLQGotZoneData, q);
+ return;
+ }
+ else if (!q->nta->Host.c[0])
+ {
+ // This should not happen. If it happens, we print a log and MakeTCPConn will fail if it can't find a hostname
+ LogMsg("startLLQHandshake: ERROR!!: nta non NULL for %##s (%s) but HostName %d NULL, LongLived %d", q->qname.c, DNSTypeName(q->qtype), q->nta->Host.c[0], q->LongLived);
+ }
+ q->tcp = MakeTCPConn(m, mDNSNULL, mDNSNULL, kTCPSocketFlags_UseTLS, &q->servAddr, q->servPort, &q->nta->Host, q, mDNSNULL);
+ if (!q->tcp)
+ q->ThisQInterval = mDNSPlatformOneSecond * 5; // If TCP failed (transient networking glitch) try again in five seconds
+ else
+ {
+ q->state = LLQ_SecondaryRequest; // Right now, for private DNS, we skip the four-way LLQ handshake
+ q->ReqLease = kLLQ_DefLease;
+ q->ThisQInterval = 0;
+ }
+ q->LastQTime = m->timenow;
+ SetNextQueryTime(m, q);
+ }
+ else
+ {
+ debugf("startLLQHandshake: m->AdvertisedV4 %#a%s Server %#a:%d%s %##s (%s)",
+ &m->AdvertisedV4, mDNSv4AddrIsRFC1918(&m->AdvertisedV4.ip.v4) ? " (RFC 1918)" : "",
+ &q->servAddr, mDNSVal16(q->servPort), mDNSAddrIsRFC1918(&q->servAddr) ? " (RFC 1918)" : "",
+ q->qname.c, DNSTypeName(q->qtype));
+
+ if (q->ntries++ >= kLLQ_MAX_TRIES)
+ {
+ LogMsg("startLLQHandshake: %d failed attempts for LLQ %##s Polling.", kLLQ_MAX_TRIES, q->qname.c);
+ StartLLQPolling(m, q);
+ }
+ else
+ {
+ mDNSu8 *end;
+ LLQOptData llqData;
+
+ // set llq rdata
+ llqData.vers = kLLQ_Vers;
+ llqData.llqOp = kLLQOp_Setup;
+ llqData.err = LLQErr_NoError; // Don't need to tell server UDP notification port when sending over UDP
+ llqData.id = zeroOpaque64;
+ llqData.llqlease = kLLQ_DefLease;
+
+ InitializeDNSMessage(&m->omsg.h, q->TargetQID, uQueryFlags);
+ end = putLLQ(&m->omsg, m->omsg.data, q, &llqData);
+ if (!end) { LogMsg("ERROR: startLLQHandshake - putLLQ"); StartLLQPolling(m,q); return; }
+
+ mDNSSendDNSMessage(m, &m->omsg, end, mDNSInterface_Any, q->LocalSocket, &q->servAddr, q->servPort, mDNSNULL, mDNSNULL, mDNSfalse);
+
+ // update question state
+ q->state = LLQ_InitialRequest;
+ q->ReqLease = kLLQ_DefLease;
+ q->ThisQInterval = (kLLQ_INIT_RESEND * mDNSPlatformOneSecond);
+ q->LastQTime = m->timenow;
+ SetNextQueryTime(m, q);
+ }
+ }
+}
+
+// forward declaration so GetServiceTarget can do reverse lookup if needed
+mDNSlocal void GetStaticHostname(mDNS *m);
+
+mDNSexport const domainname *GetServiceTarget(mDNS *m, AuthRecord *const rr)
+{
+ debugf("GetServiceTarget %##s", rr->resrec.name->c);
+
+ if (!rr->AutoTarget) // If not automatically tracking this host's current name, just return the existing target
+ return(&rr->resrec.rdata->u.srv.target);
+ else
+ {
+#if APPLE_OSX_mDNSResponder
+ DomainAuthInfo *AuthInfo = GetAuthInfoForName_internal(m, rr->resrec.name);
+ if (AuthInfo && AuthInfo->AutoTunnel)
+ {
+ StartServerTunnel(m, AuthInfo);
+ if (AuthInfo->AutoTunnelHostRecord.namestorage.c[0] == 0) return(mDNSNULL);
+ debugf("GetServiceTarget: Returning %##s", AuthInfo->AutoTunnelHostRecord.namestorage.c);
+ return(&AuthInfo->AutoTunnelHostRecord.namestorage);
+ }
+ else
+#endif // APPLE_OSX_mDNSResponder
+ {
+ const int srvcount = CountLabels(rr->resrec.name);
+ HostnameInfo *besthi = mDNSNULL, *hi;
+ int best = 0;
+ for (hi = m->Hostnames; hi; hi = hi->next)
+ if (hi->arv4.state == regState_Registered || hi->arv4.state == regState_Refresh ||
+ hi->arv6.state == regState_Registered || hi->arv6.state == regState_Refresh)
+ {
+ int x, hostcount = CountLabels(&hi->fqdn);
+ for (x = hostcount < srvcount ? hostcount : srvcount; x > 0 && x > best; x--)
+ if (SameDomainName(SkipLeadingLabels(rr->resrec.name, srvcount - x), SkipLeadingLabels(&hi->fqdn, hostcount - x)))
+ { best = x; besthi = hi; }
+ }
+
+ if (besthi) return(&besthi->fqdn);
+ }
+ if (m->StaticHostname.c[0]) return(&m->StaticHostname);
+ else GetStaticHostname(m); // asynchronously do reverse lookup for primary IPv4 address
+ LogInfo("GetServiceTarget: Returning NULL for %s", ARDisplayString(m, rr));
+ return(mDNSNULL);
+ }
+}
+
+mDNSlocal const domainname *PUBLIC_UPDATE_SERVICE_TYPE = (const domainname*)"\x0B_dns-update" "\x04_udp";
+mDNSlocal const domainname *PUBLIC_LLQ_SERVICE_TYPE = (const domainname*)"\x08_dns-llq" "\x04_udp";
+
+mDNSlocal const domainname *PRIVATE_UPDATE_SERVICE_TYPE = (const domainname*)"\x0F_dns-update-tls" "\x04_tcp";
+mDNSlocal const domainname *PRIVATE_QUERY_SERVICE_TYPE = (const domainname*)"\x0E_dns-query-tls" "\x04_tcp";
+mDNSlocal const domainname *PRIVATE_LLQ_SERVICE_TYPE = (const domainname*)"\x0C_dns-llq-tls" "\x04_tcp";
+
+#define ZoneDataSRV(X) ( \
+ (X)->ZoneService == ZoneServiceUpdate ? ((X)->ZonePrivate ? PRIVATE_UPDATE_SERVICE_TYPE : PUBLIC_UPDATE_SERVICE_TYPE) : \
+ (X)->ZoneService == ZoneServiceQuery ? ((X)->ZonePrivate ? PRIVATE_QUERY_SERVICE_TYPE : (const domainname*)"" ) : \
+ (X)->ZoneService == ZoneServiceLLQ ? ((X)->ZonePrivate ? PRIVATE_LLQ_SERVICE_TYPE : PUBLIC_LLQ_SERVICE_TYPE ) : (const domainname*)"")
+
+// Forward reference: GetZoneData_StartQuery references GetZoneData_QuestionCallback, and
+// GetZoneData_QuestionCallback calls GetZoneData_StartQuery
+mDNSlocal mStatus GetZoneData_StartQuery(mDNS *const m, ZoneData *zd, mDNSu16 qtype);
+
+// GetZoneData_QuestionCallback is called from normal client callback context (core API calls allowed)
+mDNSlocal void GetZoneData_QuestionCallback(mDNS *const m, DNSQuestion *question, const ResourceRecord *const answer, QC_result AddRecord)
+{
+ ZoneData *zd = (ZoneData*)question->QuestionContext;
+
+ debugf("GetZoneData_QuestionCallback: %s %s", AddRecord ? "Add" : "Rmv", RRDisplayString(m, answer));
+
+ if (!AddRecord) return; // Don't care about REMOVE events
+ if (AddRecord == QC_addnocache && answer->rdlength == 0) return; // Don't care about transient failure indications
+ if (answer->rrtype != question->qtype) return; // Don't care about CNAMEs
+
+ if (answer->rrtype == kDNSType_SOA)
+ {
+ debugf("GetZoneData GOT SOA %s", RRDisplayString(m, answer));
+ mDNS_StopQuery(m, question);
+ if (question->ThisQInterval != -1)
+ LogMsg("GetZoneData_QuestionCallback: Question %##s (%s) ThisQInterval %d not -1", question->qname.c, DNSTypeName(question->qtype), question->ThisQInterval);
+ if (answer->rdlength)
+ {
+ AssignDomainName(&zd->ZoneName, answer->name);
+ zd->ZoneClass = answer->rrclass;
+ AssignDomainName(&zd->question.qname, &zd->ZoneName);
+ GetZoneData_StartQuery(m, zd, kDNSType_SRV);
+ }
+ else if (zd->CurrentSOA->c[0])
+ {
+ DomainAuthInfo *AuthInfo = GetAuthInfoForName(m, zd->CurrentSOA);
+ if (AuthInfo && AuthInfo->AutoTunnel)
+ {
+ // To keep the load on the server down, we don't chop down on
+ // SOA lookups for AutoTunnels
+ LogInfo("GetZoneData_QuestionCallback: not chopping labels for %##s", zd->CurrentSOA->c);
+ zd->ZoneDataCallback(m, mStatus_NoSuchNameErr, zd);
+ }
+ else
+ {
+ zd->CurrentSOA = (domainname *)(zd->CurrentSOA->c + zd->CurrentSOA->c[0]+1);
+ AssignDomainName(&zd->question.qname, zd->CurrentSOA);
+ GetZoneData_StartQuery(m, zd, kDNSType_SOA);
+ }
+ }
+ else
+ {
+ LogInfo("GetZoneData recursed to root label of %##s without finding SOA", zd->ChildName.c);
+ zd->ZoneDataCallback(m, mStatus_NoSuchNameErr, zd);
+ }
+ }
+ else if (answer->rrtype == kDNSType_SRV)
+ {
+ debugf("GetZoneData GOT SRV %s", RRDisplayString(m, answer));
+ mDNS_StopQuery(m, question);
+ if (question->ThisQInterval != -1)
+ LogMsg("GetZoneData_QuestionCallback: Question %##s (%s) ThisQInterval %d not -1", question->qname.c, DNSTypeName(question->qtype), question->ThisQInterval);
+// Right now we don't want to fail back to non-encrypted operations
+// If the AuthInfo has the AutoTunnel field set, then we want private or nothing
+// <rdar://problem/5687667> BTMM: Don't fallback to unencrypted operations when SRV lookup fails
+#if 0
+ if (!answer->rdlength && zd->ZonePrivate && zd->ZoneService != ZoneServiceQuery)
+ {
+ zd->ZonePrivate = mDNSfalse; // Causes ZoneDataSRV() to yield a different SRV name when building the query
+ GetZoneData_StartQuery(m, zd, kDNSType_SRV); // Try again, non-private this time
+ }
+ else
+#endif
+ {
+ if (answer->rdlength)
+ {
+ AssignDomainName(&zd->Host, &answer->rdata->u.srv.target);
+ zd->Port = answer->rdata->u.srv.port;
+ AssignDomainName(&zd->question.qname, &zd->Host);
+ GetZoneData_StartQuery(m, zd, kDNSType_A);
+ }
+ else
+ {
+ zd->ZonePrivate = mDNSfalse;
+ zd->Host.c[0] = 0;
+ zd->Port = zeroIPPort;
+ zd->Addr = zeroAddr;
+ zd->ZoneDataCallback(m, mStatus_NoError, zd);
+ }
+ }
+ }
+ else if (answer->rrtype == kDNSType_A)
+ {
+ debugf("GetZoneData GOT A %s", RRDisplayString(m, answer));
+ mDNS_StopQuery(m, question);
+ if (question->ThisQInterval != -1)
+ LogMsg("GetZoneData_QuestionCallback: Question %##s (%s) ThisQInterval %d not -1", question->qname.c, DNSTypeName(question->qtype), question->ThisQInterval);
+ zd->Addr.type = mDNSAddrType_IPv4;
+ zd->Addr.ip.v4 = (answer->rdlength == 4) ? answer->rdata->u.ipv4 : zerov4Addr;
+ // In order to simulate firewalls blocking our outgoing TCP connections, returning immediate ICMP errors or TCP resets,
+ // the code below will make us try to connect to loopback, resulting in an immediate "port unreachable" failure.
+ // This helps us test to make sure we handle this case gracefully
+ // <rdar://problem/5607082> BTMM: mDNSResponder taking 100 percent CPU after upgrading to 10.5.1
+#if 0
+ zd->Addr.ip.v4.b[0] = 127;
+ zd->Addr.ip.v4.b[1] = 0;
+ zd->Addr.ip.v4.b[2] = 0;
+ zd->Addr.ip.v4.b[3] = 1;
+#endif
+ // The caller needs to free the memory when done with zone data
+ zd->ZoneDataCallback(m, mStatus_NoError, zd);
+ }
+}
+
+// GetZoneData_StartQuery is called from normal client context (lock not held, or client callback)
+mDNSlocal mStatus GetZoneData_StartQuery(mDNS *const m, ZoneData *zd, mDNSu16 qtype)
+{
+ if (qtype == kDNSType_SRV)
+ {
+ AssignDomainName(&zd->question.qname, ZoneDataSRV(zd));
+ AppendDomainName(&zd->question.qname, &zd->ZoneName);
+ debugf("lookupDNSPort %##s", zd->question.qname.c);
+ }
+
+ // CancelGetZoneData can get called at any time. We should stop the question if it has not been
+ // stopped already. A value of -1 for ThisQInterval indicates that the question is not active
+ // yet.
+ zd->question.ThisQInterval = -1;
+ zd->question.InterfaceID = mDNSInterface_Any;
+ zd->question.flags = 0;
+ zd->question.Target = zeroAddr;
+ //zd->question.qname.c[0] = 0; // Already set
+ zd->question.qtype = qtype;
+ zd->question.qclass = kDNSClass_IN;
+ zd->question.LongLived = mDNSfalse;
+ zd->question.ExpectUnique = mDNStrue;
+ zd->question.ForceMCast = mDNSfalse;
+ zd->question.ReturnIntermed = mDNStrue;
+ zd->question.SuppressUnusable = mDNSfalse;
+ zd->question.SearchListIndex = 0;
+ zd->question.AppendSearchDomains = 0;
+ zd->question.RetryWithSearchDomains = mDNSfalse;
+ zd->question.TimeoutQuestion = 0;
+ zd->question.WakeOnResolve = 0;
+ zd->question.UseBackgroundTrafficClass = mDNSfalse;
+ zd->question.ValidationRequired = 0;
+ zd->question.ValidatingResponse = 0;
+ zd->question.ProxyQuestion = 0;
+ zd->question.qnameOrig = mDNSNULL;
+ zd->question.AnonInfo = mDNSNULL;
+ zd->question.pid = mDNSPlatformGetPID();
+ zd->question.QuestionCallback = GetZoneData_QuestionCallback;
+ zd->question.QuestionContext = zd;
+
+ //LogMsg("GetZoneData_StartQuery %##s (%s) %p", zd->question.qname.c, DNSTypeName(zd->question.qtype), zd->question.Private);
+ return(mDNS_StartQuery(m, &zd->question));
+}
+
+// StartGetZoneData is an internal routine (i.e. must be called with the lock already held)
+mDNSexport ZoneData *StartGetZoneData(mDNS *const m, const domainname *const name, const ZoneService target, ZoneDataCallback callback, void *ZoneDataContext)
+{
+ DomainAuthInfo *AuthInfo = GetAuthInfoForName_internal(m, name);
+ int initialskip = (AuthInfo && AuthInfo->AutoTunnel) ? DomainNameLength(name) - DomainNameLength(&AuthInfo->domain) : 0;
+ ZoneData *zd = (ZoneData*)mDNSPlatformMemAllocate(sizeof(ZoneData));
+ if (!zd) { LogMsg("ERROR: StartGetZoneData - mDNSPlatformMemAllocate failed"); return mDNSNULL; }
+ mDNSPlatformMemZero(zd, sizeof(ZoneData));
+ AssignDomainName(&zd->ChildName, name);
+ zd->ZoneService = target;
+ zd->CurrentSOA = (domainname *)(&zd->ChildName.c[initialskip]);
+ zd->ZoneName.c[0] = 0;
+ zd->ZoneClass = 0;
+ zd->Host.c[0] = 0;
+ zd->Port = zeroIPPort;
+ zd->Addr = zeroAddr;
+ zd->ZonePrivate = AuthInfo && AuthInfo->AutoTunnel ? mDNStrue : mDNSfalse;
+ zd->ZoneDataCallback = callback;
+ zd->ZoneDataContext = ZoneDataContext;
+
+ zd->question.QuestionContext = zd;
+
+ mDNS_DropLockBeforeCallback(); // GetZoneData_StartQuery expects to be called from a normal callback, so we emulate that here
+ if (AuthInfo && AuthInfo->AutoTunnel && !mDNSIPPortIsZero(AuthInfo->port))
+ {
+ LogInfo("StartGetZoneData: Bypassing SOA, SRV query for %##s", AuthInfo->domain.c);
+ // We bypass SOA and SRV queries if we know the hostname and port already from the configuration.
+ // Today this is only true for AutoTunnel. As we bypass, we need to infer a few things:
+ //
+ // 1. Zone name is the same as the AuthInfo domain
+ // 2. ZoneClass is kDNSClass_IN which should be a safe assumption
+ //
+ // If we want to make this bypass mechanism work for non-AutoTunnels also, (1) has to hold
+ // good. Otherwise, it has to be configured also.
+
+ AssignDomainName(&zd->ZoneName, &AuthInfo->domain);
+ zd->ZoneClass = kDNSClass_IN;
+ AssignDomainName(&zd->Host, &AuthInfo->hostname);
+ zd->Port = AuthInfo->port;
+ AssignDomainName(&zd->question.qname, &zd->Host);
+ GetZoneData_StartQuery(m, zd, kDNSType_A);
+ }
+ else
+ {
+ if (AuthInfo && AuthInfo->AutoTunnel) LogInfo("StartGetZoneData: Not Bypassing SOA, SRV query for %##s", AuthInfo->domain.c);
+ AssignDomainName(&zd->question.qname, zd->CurrentSOA);
+ GetZoneData_StartQuery(m, zd, kDNSType_SOA);
+ }
+ mDNS_ReclaimLockAfterCallback();
+
+ return zd;
+}
+
+// Returns if the question is a GetZoneData question. These questions are special in
+// that they are created internally while resolving a private query or LLQs.
+mDNSexport mDNSBool IsGetZoneDataQuestion(DNSQuestion *q)
+{
+ if (q->QuestionCallback == GetZoneData_QuestionCallback) return(mDNStrue);
+ else return(mDNSfalse);
+}
+
+// GetZoneData queries are a special case -- even if we have a key for them, we don't do them privately,
+// because that would result in an infinite loop (i.e. to do a private query we first need to get
+// the _dns-query-tls SRV record for the zone, and we can't do *that* privately because to do so
+// we'd need to already know the _dns-query-tls SRV record.
+// Also, as a general rule, we never do SOA queries privately
+mDNSexport DomainAuthInfo *GetAuthInfoForQuestion(mDNS *m, const DNSQuestion *const q) // Must be called with lock held
+{
+ if (q->QuestionCallback == GetZoneData_QuestionCallback) return(mDNSNULL);
+ if (q->qtype == kDNSType_SOA ) return(mDNSNULL);
+ return(GetAuthInfoForName_internal(m, &q->qname));
+}
+
+// ***************************************************************************
+#if COMPILER_LIKES_PRAGMA_MARK
+#pragma mark - host name and interface management
+#endif
+
+mDNSlocal void SendRecordRegistration(mDNS *const m, AuthRecord *rr);
+mDNSlocal void SendRecordDeregistration(mDNS *m, AuthRecord *rr);
+mDNSlocal mDNSBool IsRecordMergeable(mDNS *const m, AuthRecord *rr, mDNSs32 time);
+
+// When this function is called, service record is already deregistered. We just
+// have to deregister the PTR and TXT records.
+mDNSlocal void UpdateAllServiceRecords(mDNS *const m, AuthRecord *rr, mDNSBool reg)
+{
+ AuthRecord *r, *srvRR;
+
+ if (rr->resrec.rrtype != kDNSType_SRV) { LogMsg("UpdateAllServiceRecords:ERROR!! ResourceRecord not a service record %s", ARDisplayString(m, rr)); return; }
+
+ if (reg && rr->state == regState_NoTarget) { LogMsg("UpdateAllServiceRecords:ERROR!! SRV record %s in noTarget state during registration", ARDisplayString(m, rr)); return; }
+
+ LogInfo("UpdateAllServiceRecords: ResourceRecord %s", ARDisplayString(m, rr));
+
+ for (r = m->ResourceRecords; r; r=r->next)
+ {
+ if (!AuthRecord_uDNS(r)) continue;
+ srvRR = mDNSNULL;
+ if (r->resrec.rrtype == kDNSType_PTR)
+ srvRR = r->Additional1;
+ else if (r->resrec.rrtype == kDNSType_TXT)
+ srvRR = r->DependentOn;
+ if (srvRR && srvRR->resrec.rrtype != kDNSType_SRV)
+ LogMsg("UpdateAllServiceRecords: ERROR!! Resource record %s wrong, expecting SRV type", ARDisplayString(m, srvRR));
+ if (srvRR == rr)
+ {
+ if (!reg)
+ {
+ LogInfo("UpdateAllServiceRecords: deregistering %s", ARDisplayString(m, r));
+ r->SRVChanged = mDNStrue;
+ r->ThisAPInterval = INIT_RECORD_REG_INTERVAL;
+ r->LastAPTime = m->timenow - INIT_RECORD_REG_INTERVAL;
+ r->state = regState_DeregPending;
+ }
+ else
+ {
+ // Clearing SRVchanged is a safety measure. If our pevious dereg never
+ // came back and we had a target change, we are starting fresh
+ r->SRVChanged = mDNSfalse;
+ // if it is already registered or in the process of registering, then don't
+ // bother re-registering. This happens today for non-BTMM domains where the
+ // TXT and PTR get registered before SRV records because of the delay in
+ // getting the port mapping. There is no point in re-registering the TXT
+ // and PTR records.
+ if ((r->state == regState_Registered) ||
+ (r->state == regState_Pending && r->nta && !mDNSIPv4AddressIsZero(r->nta->Addr.ip.v4)))
+ LogInfo("UpdateAllServiceRecords: not registering %s, state %d", ARDisplayString(m, r), r->state);
+ else
+ {
+ LogInfo("UpdateAllServiceRecords: registering %s, state %d", ARDisplayString(m, r), r->state);
+ ActivateUnicastRegistration(m, r);
+ }
+ }
+ }
+ }
+}
+
+// Called in normal client context (lock not held)
+// Currently only supports SRV records for nat mapping
+mDNSlocal void CompleteRecordNatMap(mDNS *m, NATTraversalInfo *n)
+{
+ const domainname *target;
+ domainname *srvt;
+ AuthRecord *rr = (AuthRecord *)n->clientContext;
+ debugf("SRVNatMap complete %.4a IntPort %u ExternalPort %u NATLease %u", &n->ExternalAddress, mDNSVal16(n->IntPort), mDNSVal16(n->ExternalPort), n->NATLease);
+
+ if (!rr) { LogMsg("CompleteRecordNatMap called with unknown AuthRecord object"); return; }
+ if (!n->NATLease) { LogMsg("CompleteRecordNatMap No NATLease for %s", ARDisplayString(m, rr)); return; }
+
+ if (rr->resrec.rrtype != kDNSType_SRV) {LogMsg("CompleteRecordNatMap: Not a service record %s", ARDisplayString(m, rr)); return; }
+
+ if (rr->resrec.RecordType == kDNSRecordTypeDeregistering) { LogInfo("CompleteRecordNatMap called for %s, Service deregistering", ARDisplayString(m, rr)); return; }
+
+ if (rr->state == regState_DeregPending) { LogInfo("CompleteRecordNatMap called for %s, record in DeregPending", ARDisplayString(m, rr)); return; }
+
+ // As we free the zone info after registering/deregistering with the server (See hndlRecordUpdateReply),
+ // we need to restart the get zone data and nat mapping request to get the latest mapping result as we can't handle it
+ // at this moment. Restart from the beginning.
+ if (!rr->nta || mDNSIPv4AddressIsZero(rr->nta->Addr.ip.v4))
+ {
+ LogInfo("CompleteRecordNatMap called for %s but no zone information!", ARDisplayString(m, rr));
+ // We need to clear out the NATinfo state so that it will result in re-acquiring the mapping
+ // and hence this callback called again.
+ if (rr->NATinfo.clientContext)
+ {
+ mDNS_StopNATOperation_internal(m, &rr->NATinfo);
+ rr->NATinfo.clientContext = mDNSNULL;
+ }
+ rr->state = regState_Pending;
+ rr->ThisAPInterval = INIT_RECORD_REG_INTERVAL;
+ rr->LastAPTime = m->timenow - INIT_RECORD_REG_INTERVAL;
+ return;
+ }
+
+ mDNS_Lock(m);
+ // Reevaluate the target always as Target could have changed while
+ // we were getting the port mapping (See UpdateOneSRVRecord)
+ target = GetServiceTarget(m, rr);
+ srvt = GetRRDomainNameTarget(&rr->resrec);
+ if (!target || target->c[0] == 0 || mDNSIPPortIsZero(n->ExternalPort))
+ {
+ if (target && target->c[0])
+ LogInfo("CompleteRecordNatMap - Target %##s for ResourceRecord %##s, ExternalPort %d", target->c, rr->resrec.name->c, mDNSVal16(n->ExternalPort));
+ else
+ LogInfo("CompleteRecordNatMap - no target for %##s, ExternalPort %d", rr->resrec.name->c, mDNSVal16(n->ExternalPort));
+ if (srvt) srvt->c[0] = 0;
+ rr->state = regState_NoTarget;
+ rr->resrec.rdlength = rr->resrec.rdestimate = 0;
+ mDNS_Unlock(m);
+ UpdateAllServiceRecords(m, rr, mDNSfalse);
+ return;
+ }
+ LogInfo("CompleteRecordNatMap - Target %##s for ResourceRecord %##s, ExternalPort %d", target->c, rr->resrec.name->c, mDNSVal16(n->ExternalPort));
+ // This function might get called multiple times during a network transition event. Previosuly, we could
+ // have put the SRV record in NoTarget state above and deregistered all the other records. When this
+ // function gets called again with a non-zero ExternalPort, we need to set the target and register the
+ // other records again.
+ if (srvt && !SameDomainName(srvt, target))
+ {
+ AssignDomainName(srvt, target);
+ SetNewRData(&rr->resrec, mDNSNULL, 0); // Update rdlength, rdestimate, rdatahash
+ }
+
+ // SRVChanged is set when when the target of the SRV record changes (See UpdateOneSRVRecord).
+ // As a result of the target change, we might register just that SRV Record if it was
+ // previously registered and we have a new target OR deregister SRV (and the associated
+ // PTR/TXT records) if we don't have a target anymore. When we get a response from the server,
+ // SRVChanged state tells that we registered/deregistered because of a target change
+ // and hence handle accordingly e.g., if we deregistered, put the records in NoTarget state OR
+ // if we registered then put it in Registered state.
+ //
+ // Here, we are registering all the records again from the beginning. Treat this as first time
+ // registration rather than a temporary target change.
+ rr->SRVChanged = mDNSfalse;
+
+ // We want IsRecordMergeable to check whether it is a record whose update can be
+ // sent with others. We set the time before we call IsRecordMergeable, so that
+ // it does not fail this record based on time. We are interested in other checks
+ // at this time
+ rr->state = regState_Pending;
+ rr->ThisAPInterval = INIT_RECORD_REG_INTERVAL;
+ rr->LastAPTime = m->timenow - INIT_RECORD_REG_INTERVAL;
+ if (IsRecordMergeable(m, rr, m->timenow + MERGE_DELAY_TIME))
+ // Delay the record registration by MERGE_DELAY_TIME so that we can merge them
+ // into one update
+ rr->LastAPTime += MERGE_DELAY_TIME;
+ mDNS_Unlock(m);
+ // We call this always even though it may not be necessary always e.g., normal registration
+ // process where TXT and PTR gets registered followed by the SRV record after it gets
+ // the port mapping. In that case, UpdateAllServiceRecords handles the optimization. The
+ // update of TXT and PTR record is required if we entered noTargetState before as explained
+ // above.
+ UpdateAllServiceRecords(m, rr, mDNStrue);
+}
+
+mDNSlocal void StartRecordNatMap(mDNS *m, AuthRecord *rr)
+{
+ const mDNSu8 *p;
+ mDNSu8 protocol;
+
+ if (rr->resrec.rrtype != kDNSType_SRV)
+ {
+ LogInfo("StartRecordNatMap: Resource Record %##s type %d, not supported", rr->resrec.name->c, rr->resrec.rrtype);
+ return;
+ }
+ p = rr->resrec.name->c;
+ //Assume <Service Instance>.<App Protocol>.<Transport protocol>.<Name>
+ // Skip the first two labels to get to the transport protocol
+ if (p[0]) p += 1 + p[0];
+ if (p[0]) p += 1 + p[0];
+ if (SameDomainLabel(p, (mDNSu8 *)"\x4" "_tcp")) protocol = NATOp_MapTCP;
+ else if (SameDomainLabel(p, (mDNSu8 *)"\x4" "_udp")) protocol = NATOp_MapUDP;
+ else { LogMsg("StartRecordNatMap: could not determine transport protocol of service %##s", rr->resrec.name->c); return; }
+
+ //LogMsg("StartRecordNatMap: clientContext %p IntPort %d srv.port %d %s",
+ // rr->NATinfo.clientContext, mDNSVal16(rr->NATinfo.IntPort), mDNSVal16(rr->resrec.rdata->u.srv.port), ARDisplayString(m, rr));
+ if (rr->NATinfo.clientContext) mDNS_StopNATOperation_internal(m, &rr->NATinfo);
+ rr->NATinfo.Protocol = protocol;
+
+ // Shouldn't be trying to set IntPort here --
+ // BuildUpdateMessage overwrites srs->RR_SRV.resrec.rdata->u.srv.port with external (mapped) port number
+ rr->NATinfo.IntPort = rr->resrec.rdata->u.srv.port;
+ rr->NATinfo.RequestedPort = rr->resrec.rdata->u.srv.port;
+ rr->NATinfo.NATLease = 0; // Request default lease
+ rr->NATinfo.clientCallback = CompleteRecordNatMap;
+ rr->NATinfo.clientContext = rr;
+ mDNS_StartNATOperation_internal(m, &rr->NATinfo);
+}
+
+// Unlink an Auth Record from the m->ResourceRecords list.
+// When a resource record enters regState_NoTarget initially, mDNS_Register_internal
+// does not initialize completely e.g., it cannot check for duplicates etc. The resource
+// record is temporarily left in the ResourceRecords list so that we can initialize later
+// when the target is resolvable. Similarly, when host name changes, we enter regState_NoTarget
+// and we do the same.
+
+// This UnlinkResourceRecord routine is very worrying. It bypasses all the normal cleanup performed
+// by mDNS_Deregister_internal and just unceremoniously cuts the record from the active list.
+// This is why re-regsitering this record was producing syslog messages like this:
+// "Error! Tried to add a NAT traversal that's already in the active list"
+// Right now UnlinkResourceRecord is fortunately only called by RegisterAllServiceRecords,
+// which then immediately calls mDNS_Register_internal to re-register the record, which probably
+// masked more serious problems. Any other use of UnlinkResourceRecord is likely to lead to crashes.
+// For now we'll workaround that specific problem by explicitly calling mDNS_StopNATOperation_internal,
+// but long-term we should either stop cancelling the record registration and then re-registering it,
+// or if we really do need to do this for some reason it should be done via the usual
+// mDNS_Deregister_internal path instead of just cutting the record from the list.
+
+mDNSlocal mStatus UnlinkResourceRecord(mDNS *const m, AuthRecord *const rr)
+{
+ AuthRecord **list = &m->ResourceRecords;
+ while (*list && *list != rr) list = &(*list)->next;
+ if (*list)
+ {
+ *list = rr->next;
+ rr->next = mDNSNULL;
+
+ // Temporary workaround to cancel any active NAT mapping operation
+ if (rr->NATinfo.clientContext)
+ {
+ mDNS_StopNATOperation_internal(m, &rr->NATinfo);
+ rr->NATinfo.clientContext = mDNSNULL;
+ if (rr->resrec.rrtype == kDNSType_SRV) rr->resrec.rdata->u.srv.port = rr->NATinfo.IntPort;
+ }
+
+ return(mStatus_NoError);
+ }
+ LogMsg("UnlinkResourceRecord:ERROR!! - no such active record %##s", rr->resrec.name->c);
+ return(mStatus_NoSuchRecord);
+}
+
+// We need to go through mDNS_Register again as we did not complete the
+// full initialization last time e.g., duplicate checks.
+// After we register, we will be in regState_GetZoneData.
+mDNSlocal void RegisterAllServiceRecords(mDNS *const m, AuthRecord *rr)
+{
+ LogInfo("RegisterAllServiceRecords: Service Record %##s", rr->resrec.name->c);
+ // First Register the service record, we do this differently from other records because
+ // when it entered NoTarget state, it did not go through complete initialization
+ rr->SRVChanged = mDNSfalse;
+ UnlinkResourceRecord(m, rr);
+ mDNS_Register_internal(m, rr);
+ // Register the other records
+ UpdateAllServiceRecords(m, rr, mDNStrue);
+}
+
+// Called with lock held
+mDNSlocal void UpdateOneSRVRecord(mDNS *m, AuthRecord *rr)
+{
+ // Target change if:
+ // We have a target and were previously waiting for one, or
+ // We had a target and no longer do, or
+ // The target has changed
+
+ domainname *curtarget = &rr->resrec.rdata->u.srv.target;
+ const domainname *const nt = GetServiceTarget(m, rr);
+ const domainname *const newtarget = nt ? nt : (domainname*)"";
+ mDNSBool TargetChanged = (newtarget->c[0] && rr->state == regState_NoTarget) || !SameDomainName(curtarget, newtarget);
+ mDNSBool HaveZoneData = rr->nta && !mDNSIPv4AddressIsZero(rr->nta->Addr.ip.v4);
+
+ // Nat state change if:
+ // We were behind a NAT, and now we are behind a new NAT, or
+ // We're not behind a NAT but our port was previously mapped to a different external port
+ // We were not behind a NAT and now we are
+
+ mDNSIPPort port = rr->resrec.rdata->u.srv.port;
+ mDNSBool NowNeedNATMAP = (rr->AutoTarget == Target_AutoHostAndNATMAP && !mDNSIPPortIsZero(port) && mDNSv4AddrIsRFC1918(&m->AdvertisedV4.ip.v4) && rr->nta && !mDNSAddrIsRFC1918(&rr->nta->Addr));
+ mDNSBool WereBehindNAT = (rr->NATinfo.clientContext != mDNSNULL);
+ mDNSBool PortWasMapped = (rr->NATinfo.clientContext && !mDNSSameIPPort(rr->NATinfo.RequestedPort, port)); // I think this is always false -- SC Sept 07
+ mDNSBool NATChanged = (!WereBehindNAT && NowNeedNATMAP) || (!NowNeedNATMAP && PortWasMapped);
+
+ (void)HaveZoneData; //unused
+
+ LogInfo("UpdateOneSRVRecord: Resource Record %s TargetChanged %d, NewTarget %##s", ARDisplayString(m, rr), TargetChanged, nt->c);
+
+ debugf("UpdateOneSRVRecord: %##s newtarget %##s TargetChanged %d HaveZoneData %d port %d NowNeedNATMAP %d WereBehindNAT %d PortWasMapped %d NATChanged %d",
+ rr->resrec.name->c, newtarget,
+ TargetChanged, HaveZoneData, mDNSVal16(port), NowNeedNATMAP, WereBehindNAT, PortWasMapped, NATChanged);
+
+ mDNS_CheckLock(m);
+
+ if (!TargetChanged && !NATChanged) return;
+
+ // If we are deregistering the record, then ignore any NAT/Target change.
+ if (rr->resrec.RecordType == kDNSRecordTypeDeregistering)
+ {
+ LogInfo("UpdateOneSRVRecord: Deregistering record, Ignoring TargetChanged %d, NATChanged %d for %##s, state %d", TargetChanged, NATChanged,
+ rr->resrec.name->c, rr->state);
+ return;
+ }
+
+ if (newtarget)
+ LogInfo("UpdateOneSRVRecord: TargetChanged %d, NATChanged %d for %##s, state %d, newtarget %##s", TargetChanged, NATChanged, rr->resrec.name->c, rr->state, newtarget->c);
+ else
+ LogInfo("UpdateOneSRVRecord: TargetChanged %d, NATChanged %d for %##s, state %d, null newtarget", TargetChanged, NATChanged, rr->resrec.name->c, rr->state);
+ switch(rr->state)
+ {
+ case regState_NATMap:
+ // In these states, the SRV has either not yet been registered (it will get up-to-date information when it is)
+ // or is in the process of, or has already been, deregistered. This assumes that whenever we transition out
+ // of this state, we need to look at the target again.
+ return;
+
+ case regState_UpdatePending:
+ // We are getting a Target change/NAT change while the SRV record is being updated ?
+ // let us not do anything for now.
+ return;
+
+ case regState_NATError:
+ if (!NATChanged) return;
+ // if nat changed, register if we have a target (below)
+
+ case regState_NoTarget:
+ if (!newtarget->c[0])
+ {
+ LogInfo("UpdateOneSRVRecord: No target yet for Resource Record %s", ARDisplayString(m, rr));
+ return;
+ }
+ RegisterAllServiceRecords(m, rr);
+ return;
+ case regState_DeregPending:
+ // We are in DeregPending either because the service was deregistered from above or we handled
+ // a NAT/Target change before and sent the deregistration below. There are a few race conditions
+ // possible
+ //
+ // 1. We are handling a second NAT/Target change while the first dereg is in progress. It is possible
+ // that first dereg never made it through because there was no network connectivity e.g., disconnecting
+ // from network triggers this function due to a target change and later connecting to the network
+ // retriggers this function but the deregistration never made it through yet. Just fall through.
+ // If there is a target register otherwise deregister.
+ //
+ // 2. While we sent the dereg during a previous NAT/Target change, uDNS_DeregisterRecord gets
+ // called as part of service deregistration. When the response comes back, we call
+ // CompleteDeregistration rather than handle NAT/Target change because the record is in
+ // kDNSRecordTypeDeregistering state.
+ //
+ // 3. If the upper layer deregisters the service, we check for kDNSRecordTypeDeregistering both
+ // here in this function to avoid handling NAT/Target change and in hndlRecordUpdateReply to call
+ // CompleteDeregistration instead of handling NAT/Target change. Hence, we are not concerned
+ // about that case here.
+ //
+ // We just handle case (1) by falling through
+ case regState_Pending:
+ case regState_Refresh:
+ case regState_Registered:
+ // target or nat changed. deregister service. upon completion, we'll look for a new target
+ rr->SRVChanged = mDNStrue;
+ rr->ThisAPInterval = INIT_RECORD_REG_INTERVAL;
+ rr->LastAPTime = m->timenow - INIT_RECORD_REG_INTERVAL;
+ if (newtarget->c[0])
+ {
+ LogInfo("UpdateOneSRVRecord: SRV record changed for service %##s, registering with new target %##s",
+ rr->resrec.name->c, newtarget->c);
+ rr->state = regState_Pending;
+ }
+ else
+ {
+ LogInfo("UpdateOneSRVRecord: SRV record changed for service %##s de-registering", rr->resrec.name->c);
+ rr->state = regState_DeregPending;
+ UpdateAllServiceRecords(m, rr, mDNSfalse);
+ }
+ return;
+ case regState_Unregistered:
+ default: LogMsg("UpdateOneSRVRecord: Unknown state %d for %##s", rr->state, rr->resrec.name->c);
+ }
+}
+
+mDNSexport void UpdateAllSRVRecords(mDNS *m)
+{
+ m->NextSRVUpdate = 0;
+ LogInfo("UpdateAllSRVRecords %d", m->SleepState);
+
+ if (m->CurrentRecord)
+ LogMsg("UpdateAllSRVRecords ERROR m->CurrentRecord already set %s", ARDisplayString(m, m->CurrentRecord));
+ m->CurrentRecord = m->ResourceRecords;
+ while (m->CurrentRecord)
+ {
+ AuthRecord *rptr = m->CurrentRecord;
+ m->CurrentRecord = m->CurrentRecord->next;
+ if (AuthRecord_uDNS(rptr) && rptr->resrec.rrtype == kDNSType_SRV)
+ UpdateOneSRVRecord(m, rptr);
+ }
+}
+
+// Forward reference: AdvertiseHostname references HostnameCallback, and HostnameCallback calls AdvertiseHostname
+mDNSlocal void HostnameCallback(mDNS *const m, AuthRecord *const rr, mStatus result);
+
+// Called in normal client context (lock not held)
+mDNSlocal void hostnameGetPublicAddressCallback(mDNS *m, NATTraversalInfo *n)
+{
+ HostnameInfo *h = (HostnameInfo *)n->clientContext;
+
+ if (!h) { LogMsg("RegisterHostnameRecord: registration cancelled"); return; }
+
+ if (!n->Result)
+ {
+ if (mDNSIPv4AddressIsZero(n->ExternalAddress) || mDNSv4AddrIsRFC1918(&n->ExternalAddress)) return;
+
+ if (h->arv4.resrec.RecordType)
+ {
+ if (mDNSSameIPv4Address(h->arv4.resrec.rdata->u.ipv4, n->ExternalAddress)) return; // If address unchanged, do nothing
+ LogInfo("Updating hostname %p %##s IPv4 from %.4a to %.4a (NAT gateway's external address)",n,
+ h->arv4.resrec.name->c, &h->arv4.resrec.rdata->u.ipv4, &n->ExternalAddress);
+ mDNS_Deregister(m, &h->arv4); // mStatus_MemFree callback will re-register with new address
+ }
+ else
+ {
+ LogInfo("Advertising hostname %##s IPv4 %.4a (NAT gateway's external address)", h->arv4.resrec.name->c, &n->ExternalAddress);
+ h->arv4.resrec.RecordType = kDNSRecordTypeKnownUnique;
+ h->arv4.resrec.rdata->u.ipv4 = n->ExternalAddress;
+ mDNS_Register(m, &h->arv4);
+ }
+ }
+}
+
+// register record or begin NAT traversal
+mDNSlocal void AdvertiseHostname(mDNS *m, HostnameInfo *h)
+{
+ if (!mDNSIPv4AddressIsZero(m->AdvertisedV4.ip.v4) && h->arv4.resrec.RecordType == kDNSRecordTypeUnregistered)
+ {
+ mDNS_SetupResourceRecord(&h->arv4, mDNSNULL, mDNSInterface_Any, kDNSType_A, kHostNameTTL, kDNSRecordTypeUnregistered, AuthRecordAny, HostnameCallback, h);
+ AssignDomainName(&h->arv4.namestorage, &h->fqdn);
+ h->arv4.resrec.rdata->u.ipv4 = m->AdvertisedV4.ip.v4;
+ h->arv4.state = regState_Unregistered;
+ if (mDNSv4AddrIsRFC1918(&m->AdvertisedV4.ip.v4))
+ {
+ // If we already have a NAT query active, stop it and restart it to make sure we get another callback
+ if (h->natinfo.clientContext) mDNS_StopNATOperation_internal(m, &h->natinfo);
+ h->natinfo.Protocol = 0;
+ h->natinfo.IntPort = zeroIPPort;
+ h->natinfo.RequestedPort = zeroIPPort;
+ h->natinfo.NATLease = 0;
+ h->natinfo.clientCallback = hostnameGetPublicAddressCallback;
+ h->natinfo.clientContext = h;
+ mDNS_StartNATOperation_internal(m, &h->natinfo);
+ }
+ else
+ {
+ LogInfo("Advertising hostname %##s IPv4 %.4a", h->arv4.resrec.name->c, &m->AdvertisedV4.ip.v4);
+ h->arv4.resrec.RecordType = kDNSRecordTypeKnownUnique;
+ mDNS_Register_internal(m, &h->arv4);
+ }
+ }
+
+ if (!mDNSIPv6AddressIsZero(m->AdvertisedV6.ip.v6) && h->arv6.resrec.RecordType == kDNSRecordTypeUnregistered)
+ {
+ mDNS_SetupResourceRecord(&h->arv6, mDNSNULL, mDNSInterface_Any, kDNSType_AAAA, kHostNameTTL, kDNSRecordTypeKnownUnique, AuthRecordAny, HostnameCallback, h);
+ AssignDomainName(&h->arv6.namestorage, &h->fqdn);
+ h->arv6.resrec.rdata->u.ipv6 = m->AdvertisedV6.ip.v6;
+ h->arv6.state = regState_Unregistered;
+ LogInfo("Advertising hostname %##s IPv6 %.16a", h->arv6.resrec.name->c, &m->AdvertisedV6.ip.v6);
+ mDNS_Register_internal(m, &h->arv6);
+ }
+}
+
+mDNSlocal void HostnameCallback(mDNS *const m, AuthRecord *const rr, mStatus result)
+{
+ HostnameInfo *hi = (HostnameInfo *)rr->RecordContext;
+
+ if (result == mStatus_MemFree)
+ {
+ if (hi)
+ {
+ // If we're still in the Hostnames list, update to new address
+ HostnameInfo *i;
+ LogInfo("HostnameCallback: Got mStatus_MemFree for %p %p %s", hi, rr, ARDisplayString(m, rr));
+ for (i = m->Hostnames; i; i = i->next)
+ if (rr == &i->arv4 || rr == &i->arv6)
+ { mDNS_Lock(m); AdvertiseHostname(m, i); mDNS_Unlock(m); return; }
+
+ // Else, we're not still in the Hostnames list, so free the memory
+ if (hi->arv4.resrec.RecordType == kDNSRecordTypeUnregistered &&
+ hi->arv6.resrec.RecordType == kDNSRecordTypeUnregistered)
+ {
+ if (hi->natinfo.clientContext) mDNS_StopNATOperation_internal(m, &hi->natinfo);
+ hi->natinfo.clientContext = mDNSNULL;
+ mDNSPlatformMemFree(hi); // free hi when both v4 and v6 AuthRecs deallocated
+ }
+ }
+ return;
+ }
+
+ if (result)
+ {
+ // don't unlink or free - we can retry when we get a new address/router
+ if (rr->resrec.rrtype == kDNSType_A)
+ LogMsg("HostnameCallback: Error %d for registration of %##s IP %.4a", result, rr->resrec.name->c, &rr->resrec.rdata->u.ipv4);
+ else
+ LogMsg("HostnameCallback: Error %d for registration of %##s IP %.16a", result, rr->resrec.name->c, &rr->resrec.rdata->u.ipv6);
+ if (!hi) { mDNSPlatformMemFree(rr); return; }
+ if (rr->state != regState_Unregistered) LogMsg("Error: HostnameCallback invoked with error code for record not in regState_Unregistered!");
+
+ if (hi->arv4.state == regState_Unregistered &&
+ hi->arv6.state == regState_Unregistered)
+ {
+ // only deliver status if both v4 and v6 fail
+ rr->RecordContext = (void *)hi->StatusContext;
+ if (hi->StatusCallback)
+ hi->StatusCallback(m, rr, result); // client may NOT make API calls here
+ rr->RecordContext = (void *)hi;
+ }
+ return;
+ }
+
+ // register any pending services that require a target
+ mDNS_Lock(m);
+ m->NextSRVUpdate = NonZeroTime(m->timenow);
+ mDNS_Unlock(m);
+
+ // Deliver success to client
+ if (!hi) { LogMsg("HostnameCallback invoked with orphaned address record"); return; }
+ if (rr->resrec.rrtype == kDNSType_A)
+ LogInfo("Registered hostname %##s IP %.4a", rr->resrec.name->c, &rr->resrec.rdata->u.ipv4);
+ else
+ LogInfo("Registered hostname %##s IP %.16a", rr->resrec.name->c, &rr->resrec.rdata->u.ipv6);
+
+ rr->RecordContext = (void *)hi->StatusContext;
+ if (hi->StatusCallback)
+ hi->StatusCallback(m, rr, result); // client may NOT make API calls here
+ rr->RecordContext = (void *)hi;
+}
+
+mDNSlocal void FoundStaticHostname(mDNS *const m, DNSQuestion *question, const ResourceRecord *const answer, QC_result AddRecord)
+{
+ const domainname *pktname = &answer->rdata->u.name;
+ domainname *storedname = &m->StaticHostname;
+ HostnameInfo *h = m->Hostnames;
+
+ (void)question;
+
+ if (answer->rdlength != 0)
+ LogInfo("FoundStaticHostname: question %##s -> answer %##s (%s)", question->qname.c, answer->rdata->u.name.c, AddRecord ? "ADD" : "RMV");
+ else
+ LogInfo("FoundStaticHostname: question %##s -> answer NULL (%s)", question->qname.c, AddRecord ? "ADD" : "RMV");
+
+ if (AddRecord && answer->rdlength != 0 && !SameDomainName(pktname, storedname))
+ {
+ AssignDomainName(storedname, pktname);
+ while (h)
+ {
+ if (h->arv4.state == regState_Pending || h->arv4.state == regState_NATMap || h->arv6.state == regState_Pending)
+ {
+ // if we're in the process of registering a dynamic hostname, delay SRV update so we don't have to reregister services if the dynamic name succeeds
+ m->NextSRVUpdate = NonZeroTime(m->timenow + 5 * mDNSPlatformOneSecond);
+ debugf("FoundStaticHostname: NextSRVUpdate in %d %d", m->NextSRVUpdate - m->timenow, m->timenow);
+ return;
+ }
+ h = h->next;
+ }
+ mDNS_Lock(m);
+ m->NextSRVUpdate = NonZeroTime(m->timenow);
+ mDNS_Unlock(m);
+ }
+ else if (!AddRecord && SameDomainName(pktname, storedname))
+ {
+ mDNS_Lock(m);
+ storedname->c[0] = 0;
+ m->NextSRVUpdate = NonZeroTime(m->timenow);
+ mDNS_Unlock(m);
+ }
+}
+
+// Called with lock held
+mDNSlocal void GetStaticHostname(mDNS *m)
+{
+ char buf[MAX_REVERSE_MAPPING_NAME_V4];
+ DNSQuestion *q = &m->ReverseMap;
+ mDNSu8 *ip = m->AdvertisedV4.ip.v4.b;
+ mStatus err;
+
+ if (m->ReverseMap.ThisQInterval != -1) return; // already running
+ if (mDNSIPv4AddressIsZero(m->AdvertisedV4.ip.v4)) return;
+
+ mDNSPlatformMemZero(q, sizeof(*q));
+ // Note: This is reverse order compared to a normal dotted-decimal IP address, so we can't use our customary "%.4a" format code
+ mDNS_snprintf(buf, sizeof(buf), "%d.%d.%d.%d.in-addr.arpa.", ip[3], ip[2], ip[1], ip[0]);
+ if (!MakeDomainNameFromDNSNameString(&q->qname, buf)) { LogMsg("Error: GetStaticHostname - bad name %s", buf); return; }
+
+ q->InterfaceID = mDNSInterface_Any;
+ q->flags = 0;
+ q->Target = zeroAddr;
+ q->qtype = kDNSType_PTR;
+ q->qclass = kDNSClass_IN;
+ q->LongLived = mDNSfalse;
+ q->ExpectUnique = mDNSfalse;
+ q->ForceMCast = mDNSfalse;
+ q->ReturnIntermed = mDNStrue;
+ q->SuppressUnusable = mDNSfalse;
+ q->SearchListIndex = 0;
+ q->AppendSearchDomains = 0;
+ q->RetryWithSearchDomains = mDNSfalse;
+ q->TimeoutQuestion = 0;
+ q->WakeOnResolve = 0;
+ q->UseBackgroundTrafficClass = mDNSfalse;
+ q->ValidationRequired = 0;
+ q->ValidatingResponse = 0;
+ q->ProxyQuestion = 0;
+ q->qnameOrig = mDNSNULL;
+ q->AnonInfo = mDNSNULL;
+ q->pid = mDNSPlatformGetPID();
+ q->QuestionCallback = FoundStaticHostname;
+ q->QuestionContext = mDNSNULL;
+
+ LogInfo("GetStaticHostname: %##s (%s)", q->qname.c, DNSTypeName(q->qtype));
+ err = mDNS_StartQuery_internal(m, q);
+ if (err) LogMsg("Error: GetStaticHostname - StartQuery returned error %d", err);
+}
+
+mDNSexport void mDNS_AddDynDNSHostName(mDNS *m, const domainname *fqdn, mDNSRecordCallback *StatusCallback, const void *StatusContext)
+{
+ HostnameInfo **ptr = &m->Hostnames;
+
+ LogInfo("mDNS_AddDynDNSHostName %##s", fqdn);
+
+ while (*ptr && !SameDomainName(fqdn, &(*ptr)->fqdn)) ptr = &(*ptr)->next;
+ if (*ptr) { LogMsg("DynDNSHostName %##s already in list", fqdn->c); return; }
+
+ // allocate and format new address record
+ *ptr = mDNSPlatformMemAllocate(sizeof(**ptr));
+ if (!*ptr) { LogMsg("ERROR: mDNS_AddDynDNSHostName - malloc"); return; }
+
+ mDNSPlatformMemZero(*ptr, sizeof(**ptr));
+ AssignDomainName(&(*ptr)->fqdn, fqdn);
+ (*ptr)->arv4.state = regState_Unregistered;
+ (*ptr)->arv6.state = regState_Unregistered;
+ (*ptr)->StatusCallback = StatusCallback;
+ (*ptr)->StatusContext = StatusContext;
+
+ AdvertiseHostname(m, *ptr);
+}
+
+mDNSexport void mDNS_RemoveDynDNSHostName(mDNS *m, const domainname *fqdn)
+{
+ HostnameInfo **ptr = &m->Hostnames;
+
+ LogInfo("mDNS_RemoveDynDNSHostName %##s", fqdn);
+
+ while (*ptr && !SameDomainName(fqdn, &(*ptr)->fqdn)) ptr = &(*ptr)->next;
+ if (!*ptr) LogMsg("mDNS_RemoveDynDNSHostName: no such domainname %##s", fqdn->c);
+ else
+ {
+ HostnameInfo *hi = *ptr;
+ // We do it this way because, if we have no active v6 record, the "mDNS_Deregister_internal(m, &hi->arv4);"
+ // below could free the memory, and we have to make sure we don't touch hi fields after that.
+ mDNSBool f4 = hi->arv4.resrec.RecordType != kDNSRecordTypeUnregistered && hi->arv4.state != regState_Unregistered;
+ mDNSBool f6 = hi->arv6.resrec.RecordType != kDNSRecordTypeUnregistered && hi->arv6.state != regState_Unregistered;
+ if (f4) LogInfo("mDNS_RemoveDynDNSHostName removing v4 %##s", fqdn);
+ if (f6) LogInfo("mDNS_RemoveDynDNSHostName removing v6 %##s", fqdn);
+ *ptr = (*ptr)->next; // unlink
+ if (f4) mDNS_Deregister_internal(m, &hi->arv4, mDNS_Dereg_normal);
+ if (f6) mDNS_Deregister_internal(m, &hi->arv6, mDNS_Dereg_normal);
+ // When both deregistrations complete we'll free the memory in the mStatus_MemFree callback
+ }
+ mDNS_CheckLock(m);
+ m->NextSRVUpdate = NonZeroTime(m->timenow);
+}
+
+// Currently called without holding the lock
+// Maybe we should change that?
+mDNSexport void mDNS_SetPrimaryInterfaceInfo(mDNS *m, const mDNSAddr *v4addr, const mDNSAddr *v6addr, const mDNSAddr *router)
+{
+ mDNSBool v4Changed, v6Changed, RouterChanged;
+
+ if (m->mDNS_busy != m->mDNS_reentrancy)
+ LogMsg("mDNS_SetPrimaryInterfaceInfo: mDNS_busy (%ld) != mDNS_reentrancy (%ld)", m->mDNS_busy, m->mDNS_reentrancy);
+
+ if (v4addr && v4addr->type != mDNSAddrType_IPv4) { LogMsg("mDNS_SetPrimaryInterfaceInfo v4 address - incorrect type. Discarding. %#a", v4addr); return; }
+ if (v6addr && v6addr->type != mDNSAddrType_IPv6) { LogMsg("mDNS_SetPrimaryInterfaceInfo v6 address - incorrect type. Discarding. %#a", v6addr); return; }
+ if (router && router->type != mDNSAddrType_IPv4) { LogMsg("mDNS_SetPrimaryInterfaceInfo passed non-v4 router. Discarding. %#a", router); return; }
+
+ mDNS_Lock(m);
+
+ v4Changed = !mDNSSameIPv4Address(m->AdvertisedV4.ip.v4, v4addr ? v4addr->ip.v4 : zerov4Addr);
+ v6Changed = !mDNSSameIPv6Address(m->AdvertisedV6.ip.v6, v6addr ? v6addr->ip.v6 : zerov6Addr);
+ RouterChanged = !mDNSSameIPv4Address(m->Router.ip.v4, router ? router->ip.v4 : zerov4Addr);
+
+ if (v4addr && (v4Changed || RouterChanged))
+ debugf("mDNS_SetPrimaryInterfaceInfo: address changed from %#a to %#a", &m->AdvertisedV4, v4addr);
+
+ if (v4addr) m->AdvertisedV4 = *v4addr;else m->AdvertisedV4.ip.v4 = zerov4Addr;
+ if (v6addr) m->AdvertisedV6 = *v6addr;else m->AdvertisedV6.ip.v6 = zerov6Addr;
+ if (router) m->Router = *router;else m->Router.ip.v4 = zerov4Addr;
+ // setting router to zero indicates that nat mappings must be reestablished when router is reset
+
+ if (v4Changed || RouterChanged || v6Changed)
+ {
+ HostnameInfo *i;
+ LogInfo("mDNS_SetPrimaryInterfaceInfo: %s%s%s%#a %#a %#a",
+ v4Changed ? "v4Changed " : "",
+ RouterChanged ? "RouterChanged " : "",
+ v6Changed ? "v6Changed " : "", v4addr, v6addr, router);
+
+ for (i = m->Hostnames; i; i = i->next)
+ {
+ LogInfo("mDNS_SetPrimaryInterfaceInfo updating host name registrations for %##s", i->fqdn.c);
+
+ if (i->arv4.resrec.RecordType > kDNSRecordTypeDeregistering &&
+ !mDNSSameIPv4Address(i->arv4.resrec.rdata->u.ipv4, m->AdvertisedV4.ip.v4))
+ {
+ LogInfo("mDNS_SetPrimaryInterfaceInfo deregistering %s", ARDisplayString(m, &i->arv4));
+ mDNS_Deregister_internal(m, &i->arv4, mDNS_Dereg_normal);
+ }
+
+ if (i->arv6.resrec.RecordType > kDNSRecordTypeDeregistering &&
+ !mDNSSameIPv6Address(i->arv6.resrec.rdata->u.ipv6, m->AdvertisedV6.ip.v6))
+ {
+ LogInfo("mDNS_SetPrimaryInterfaceInfo deregistering %s", ARDisplayString(m, &i->arv6));
+ mDNS_Deregister_internal(m, &i->arv6, mDNS_Dereg_normal);
+ }
+
+ // AdvertiseHostname will only register new address records.
+ // For records still in the process of deregistering it will ignore them, and let the mStatus_MemFree callback handle them.
+ AdvertiseHostname(m, i);
+ }
+
+ if (v4Changed || RouterChanged)
+ {
+ // If we have a non-zero IPv4 address, we should try immediately to see if we have a NAT gateway
+ // If we have no IPv4 address, we don't want to be in quite such a hurry to report failures to our clients
+ // <rdar://problem/6935929> Sleeping server sometimes briefly disappears over Back to My Mac after it wakes up
+ mDNSu32 waitSeconds = v4addr ? 0 : 5;
+ NATTraversalInfo *n;
+ m->ExtAddress = zerov4Addr;
+ m->LastNATMapResultCode = NATErr_None;
+
+ RecreateNATMappings(m, mDNSPlatformOneSecond * waitSeconds);
+
+ for (n = m->NATTraversals; n; n=n->next)
+ n->NewAddress = zerov4Addr;
+
+ LogInfo("mDNS_SetPrimaryInterfaceInfo:%s%s: recreating NAT mappings in %d seconds",
+ v4Changed ? " v4Changed" : "",
+ RouterChanged ? " RouterChanged" : "",
+ waitSeconds);
+ }
+
+ if (m->ReverseMap.ThisQInterval != -1) mDNS_StopQuery_internal(m, &m->ReverseMap);
+ m->StaticHostname.c[0] = 0;
+
+ m->NextSRVUpdate = NonZeroTime(m->timenow);
+
+#if APPLE_OSX_mDNSResponder
+ if (RouterChanged) uuid_generate(m->asl_uuid);
+ UpdateAutoTunnelDomainStatuses(m);
+#endif
+ }
+
+ mDNS_Unlock(m);
+}
+
+// ***************************************************************************
+#if COMPILER_LIKES_PRAGMA_MARK
+#pragma mark - Incoming Message Processing
+#endif
+
+mDNSlocal mStatus ParseTSIGError(mDNS *const m, const DNSMessage *const msg, const mDNSu8 *const end, const domainname *const displayname)
+{
+ const mDNSu8 *ptr;
+ mStatus err = mStatus_NoError;
+ int i;
+
+ ptr = LocateAdditionals(msg, end);
+ if (!ptr) goto finish;
+
+ for (i = 0; i < msg->h.numAdditionals; i++)
+ {
+ ptr = GetLargeResourceRecord(m, msg, ptr, end, 0, kDNSRecordTypePacketAdd, &m->rec);
+ if (!ptr) goto finish;
+ if (m->rec.r.resrec.RecordType != kDNSRecordTypePacketNegative && m->rec.r.resrec.rrtype == kDNSType_TSIG)
+ {
+ mDNSu32 macsize;
+ mDNSu8 *rd = m->rec.r.resrec.rdata->u.data;
+ mDNSu8 *rdend = rd + m->rec.r.resrec.rdlength;
+ int alglen = DomainNameLengthLimit(&m->rec.r.resrec.rdata->u.name, rdend);
+ if (alglen > MAX_DOMAIN_NAME) goto finish;
+ rd += alglen; // algorithm name
+ if (rd + 6 > rdend) goto finish;
+ rd += 6; // 48-bit timestamp
+ if (rd + sizeof(mDNSOpaque16) > rdend) goto finish;
+ rd += sizeof(mDNSOpaque16); // fudge
+ if (rd + sizeof(mDNSOpaque16) > rdend) goto finish;
+ macsize = mDNSVal16(*(mDNSOpaque16 *)rd);
+ rd += sizeof(mDNSOpaque16); // MAC size
+ if (rd + macsize > rdend) goto finish;
+ rd += macsize;
+ if (rd + sizeof(mDNSOpaque16) > rdend) goto finish;
+ rd += sizeof(mDNSOpaque16); // orig id
+ if (rd + sizeof(mDNSOpaque16) > rdend) goto finish;
+ err = mDNSVal16(*(mDNSOpaque16 *)rd); // error code
+
+ if (err == TSIG_ErrBadSig) { LogMsg("%##s: bad signature", displayname->c); err = mStatus_BadSig; }
+ else if (err == TSIG_ErrBadKey) { LogMsg("%##s: bad key", displayname->c); err = mStatus_BadKey; }
+ else if (err == TSIG_ErrBadTime) { LogMsg("%##s: bad time", displayname->c); err = mStatus_BadTime; }
+ else if (err) { LogMsg("%##s: unknown tsig error %d", displayname->c, err); err = mStatus_UnknownErr; }
+ goto finish;
+ }
+ m->rec.r.resrec.RecordType = 0; // Clear RecordType to show we're not still using it
+ }
+
+finish:
+ m->rec.r.resrec.RecordType = 0; // Clear RecordType to show we're not still using it
+ return err;
+}
+
+mDNSlocal mStatus checkUpdateResult(mDNS *const m, const domainname *const displayname, const mDNSu8 rcode, const DNSMessage *const msg, const mDNSu8 *const end)
+{
+ (void)msg; // currently unused, needed for TSIG errors
+ if (!rcode) return mStatus_NoError;
+ else if (rcode == kDNSFlag1_RC_YXDomain)
+ {
+ debugf("name in use: %##s", displayname->c);
+ return mStatus_NameConflict;
+ }
+ else if (rcode == kDNSFlag1_RC_Refused)
+ {
+ LogMsg("Update %##s refused", displayname->c);
+ return mStatus_Refused;
+ }
+ else if (rcode == kDNSFlag1_RC_NXRRSet)
+ {
+ LogMsg("Reregister refused (NXRRSET): %##s", displayname->c);
+ return mStatus_NoSuchRecord;
+ }
+ else if (rcode == kDNSFlag1_RC_NotAuth)
+ {
+ // TSIG errors should come with FormErr as per RFC 2845, but BIND 9 sends them with NotAuth so we look here too
+ mStatus tsigerr = ParseTSIGError(m, msg, end, displayname);
+ if (!tsigerr)
+ {
+ LogMsg("Permission denied (NOAUTH): %##s", displayname->c);
+ return mStatus_UnknownErr;
+ }
+ else return tsigerr;
+ }
+ else if (rcode == kDNSFlag1_RC_FormErr)
+ {
+ mStatus tsigerr = ParseTSIGError(m, msg, end, displayname);
+ if (!tsigerr)
+ {
+ LogMsg("Format Error: %##s", displayname->c);
+ return mStatus_UnknownErr;
+ }
+ else return tsigerr;
+ }
+ else
+ {
+ LogMsg("Update %##s failed with rcode %d", displayname->c, rcode);
+ return mStatus_UnknownErr;
+ }
+}
+
+// We add three Additional Records for unicast resource record registrations
+// which is a function of AuthInfo and AutoTunnel properties
+mDNSlocal mDNSu32 RRAdditionalSize(mDNS *const m, DomainAuthInfo *AuthInfo)
+{
+ mDNSu32 leaseSize, hinfoSize, tsigSize;
+ mDNSu32 rr_base_size = 10; // type (2) class (2) TTL (4) rdlength (2)
+
+ // OPT RR : Emptyname(.) + base size + rdataOPT
+ leaseSize = 1 + rr_base_size + sizeof(rdataOPT);
+
+ // HINFO: Resource Record Name + base size + RDATA
+ // HINFO is added only for autotunnels
+ hinfoSize = 0;
+ if (AuthInfo && AuthInfo->AutoTunnel)
+ hinfoSize = (m->hostlabel.c[0] + 1) + DomainNameLength(&AuthInfo->domain) +
+ rr_base_size + (2 + m->HIHardware.c[0] + m->HISoftware.c[0]);
+
+ //TSIG: Resource Record Name + base size + RDATA
+ // RDATA:
+ // Algorithm name: hmac-md5.sig-alg.reg.int (8+7+3+3 + 5 bytes for length = 26 bytes)
+ // Time: 6 bytes
+ // Fudge: 2 bytes
+ // Mac Size: 2 bytes
+ // Mac: 16 bytes
+ // ID: 2 bytes
+ // Error: 2 bytes
+ // Len: 2 bytes
+ // Total: 58 bytes
+ tsigSize = 0;
+ if (AuthInfo) tsigSize = DomainNameLength(&AuthInfo->keyname) + rr_base_size + 58;
+
+ return (leaseSize + hinfoSize + tsigSize);
+}
+
+//Note: Make sure that RREstimatedSize is updated accordingly if anything that is done here
+//would modify rdlength/rdestimate
+mDNSlocal mDNSu8* BuildUpdateMessage(mDNS *const m, mDNSu8 *ptr, AuthRecord *rr, mDNSu8 *limit)
+{
+ //If this record is deregistering, then just send the deletion record
+ if (rr->state == regState_DeregPending)
+ {
+ rr->expire = 0; // Indicate that we have no active registration any more
+ ptr = putDeletionRecordWithLimit(&m->omsg, ptr, &rr->resrec, limit);
+ if (!ptr) goto exit;
+ return ptr;
+ }
+
+ // This is a common function to both sending an update in a group or individual
+ // records separately. Hence, we change the state here.
+ if (rr->state == regState_Registered) rr->state = regState_Refresh;
+ if (rr->state != regState_Refresh && rr->state != regState_UpdatePending)
+ rr->state = regState_Pending;
+
+ // For Advisory records like e.g., _services._dns-sd, which is shared, don't send goodbyes as multiple
+ // host might be registering records and deregistering from one does not make sense
+ if (rr->resrec.RecordType != kDNSRecordTypeAdvisory) rr->RequireGoodbye = mDNStrue;
+
+ if ((rr->resrec.rrtype == kDNSType_SRV) && (rr->AutoTarget == Target_AutoHostAndNATMAP) &&
+ !mDNSIPPortIsZero(rr->NATinfo.ExternalPort))
+ {
+ rr->resrec.rdata->u.srv.port = rr->NATinfo.ExternalPort;
+ }
+
+ if (rr->state == regState_UpdatePending)
+ {
+ // delete old RData
+ SetNewRData(&rr->resrec, rr->OrigRData, rr->OrigRDLen);
+ if (!(ptr = putDeletionRecordWithLimit(&m->omsg, ptr, &rr->resrec, limit))) goto exit; // delete old rdata
+
+ // add new RData
+ SetNewRData(&rr->resrec, rr->InFlightRData, rr->InFlightRDLen);
+ if (!(ptr = PutResourceRecordTTLWithLimit(&m->omsg, ptr, &m->omsg.h.mDNS_numUpdates, &rr->resrec, rr->resrec.rroriginalttl, limit))) goto exit;
+ }
+ else
+ {
+ if (rr->resrec.RecordType == kDNSRecordTypeKnownUnique || rr->resrec.RecordType == kDNSRecordTypeVerified)
+ {
+ // KnownUnique : Delete any previous value
+ // For Unicast registrations, we don't verify that it is unique, but set to verified and hence we want to
+ // delete any previous value
+ ptr = putDeleteRRSetWithLimit(&m->omsg, ptr, rr->resrec.name, rr->resrec.rrtype, limit);
+ if (!ptr) goto exit;
+ }
+ else if (rr->resrec.RecordType != kDNSRecordTypeShared)
+ {
+ // For now don't do this, until we have the logic for intelligent grouping of individual records into logical service record sets
+ //ptr = putPrereqNameNotInUse(rr->resrec.name, &m->omsg, ptr, end);
+ if (!ptr) goto exit;
+ }
+
+ ptr = PutResourceRecordTTLWithLimit(&m->omsg, ptr, &m->omsg.h.mDNS_numUpdates, &rr->resrec, rr->resrec.rroriginalttl, limit);
+ if (!ptr) goto exit;
+ }
+
+ return ptr;
+exit:
+ LogMsg("BuildUpdateMessage: Error formatting message for %s", ARDisplayString(m, rr));
+ return mDNSNULL;
+}
+
+// Called with lock held
+mDNSlocal void SendRecordRegistration(mDNS *const m, AuthRecord *rr)
+{
+ mDNSu8 *ptr = m->omsg.data;
+ mStatus err = mStatus_UnknownErr;
+ mDNSu8 *limit;
+ DomainAuthInfo *AuthInfo;
+
+ // For the ability to register large TXT records, we limit the single record registrations
+ // to AbsoluteMaxDNSMessageData
+ limit = ptr + AbsoluteMaxDNSMessageData;
+
+ AuthInfo = GetAuthInfoForName_internal(m, rr->resrec.name);
+ limit -= RRAdditionalSize(m, AuthInfo);
+
+ mDNS_CheckLock(m);
+
+ if (!rr->nta || mDNSIPv4AddressIsZero(rr->nta->Addr.ip.v4))
+ {
+ // We never call this function when there is no zone information . Log a message if it ever happens.
+ LogMsg("SendRecordRegistration: No Zone information, should not happen %s", ARDisplayString(m, rr));
+ return;
+ }
+
+ rr->updateid = mDNS_NewMessageID(m);
+ InitializeDNSMessage(&m->omsg.h, rr->updateid, UpdateReqFlags);
+
+ // set zone
+ ptr = putZone(&m->omsg, ptr, limit, rr->zone, mDNSOpaque16fromIntVal(rr->resrec.rrclass));
+ if (!ptr) goto exit;
+
+ if (!(ptr = BuildUpdateMessage(m, ptr, rr, limit))) goto exit;
+
+ if (rr->uselease)
+ {
+ ptr = putUpdateLeaseWithLimit(&m->omsg, ptr, DEFAULT_UPDATE_LEASE, limit);
+ if (!ptr) goto exit;
+ }
+ if (rr->Private)
+ {
+ LogInfo("SendRecordRegistration TCP %p %s", rr->tcp, ARDisplayString(m, rr));
+ if (rr->tcp) LogInfo("SendRecordRegistration: Disposing existing TCP connection for %s", ARDisplayString(m, rr));
+ if (rr->tcp) { DisposeTCPConn(rr->tcp); rr->tcp = mDNSNULL; }
+ if (!rr->nta) { LogMsg("SendRecordRegistration:Private:ERROR!! nta is NULL for %s", ARDisplayString(m, rr)); return; }
+ rr->tcp = MakeTCPConn(m, &m->omsg, ptr, kTCPSocketFlags_UseTLS, &rr->nta->Addr, rr->nta->Port, &rr->nta->Host, mDNSNULL, rr);
+ }
+ else
+ {
+ LogInfo("SendRecordRegistration UDP %s", ARDisplayString(m, rr));
+ if (!rr->nta) { LogMsg("SendRecordRegistration:ERROR!! nta is NULL for %s", ARDisplayString(m, rr)); return; }
+ err = mDNSSendDNSMessage(m, &m->omsg, ptr, mDNSInterface_Any, mDNSNULL, &rr->nta->Addr, rr->nta->Port, mDNSNULL, GetAuthInfoForName_internal(m, rr->resrec.name), mDNSfalse);
+ if (err) debugf("ERROR: SendRecordRegistration - mDNSSendDNSMessage - %d", err);
+ }
+
+ SetRecordRetry(m, rr, 0);
+ return;
+exit:
+ LogMsg("SendRecordRegistration: Error formatting message for %s, disabling further updates", ARDisplayString(m, rr));
+ // Disable this record from future updates
+ rr->state = regState_NoTarget;
+}
+
+// Is the given record "rr" eligible for merging ?
+mDNSlocal mDNSBool IsRecordMergeable(mDNS *const m, AuthRecord *rr, mDNSs32 time)
+{
+ DomainAuthInfo *info;
+ (void) m; //unused
+ // A record is eligible for merge, if the following properties are met.
+ //
+ // 1. uDNS Resource Record
+ // 2. It is time to send them now
+ // 3. It is in proper state
+ // 4. Update zone has been resolved
+ // 5. if DomainAuthInfo exists for the zone, it should not be soon deleted
+ // 6. Zone information is present
+ // 7. Update server is not zero
+ // 8. It has a non-null zone
+ // 9. It uses a lease option
+ // 10. DontMerge is not set
+ //
+ // Following code is implemented as separate "if" statements instead of one "if" statement
+ // is for better debugging purposes e.g., we know exactly what failed if debugging turned on.
+
+ if (!AuthRecord_uDNS(rr)) return mDNSfalse;
+
+ if (rr->LastAPTime + rr->ThisAPInterval - time > 0)
+ { debugf("IsRecordMergeable: Time %d not reached for %s", rr->LastAPTime + rr->ThisAPInterval - m->timenow, ARDisplayString(m, rr)); return mDNSfalse; }
+
+ if (!rr->zone) return mDNSfalse;
+
+ info = GetAuthInfoForName_internal(m, rr->zone);
+
+ if (info && info->deltime && m->timenow - info->deltime >= 0) {debugf("IsRecordMergeable: Domain %##s will be deleted soon", info->domain.c); return mDNSfalse;}
+
+ if (rr->state != regState_DeregPending && rr->state != regState_Pending && rr->state != regState_Registered && rr->state != regState_Refresh && rr->state != regState_UpdatePending)
+ { debugf("IsRecordMergeable: state %d not right %s", rr->state, ARDisplayString(m, rr)); return mDNSfalse; }
+
+ if (!rr->nta || mDNSIPv4AddressIsZero(rr->nta->Addr.ip.v4)) return mDNSfalse;
+
+ if (!rr->uselease) return mDNSfalse;
+
+ if (rr->mState == mergeState_DontMerge) {debugf("IsRecordMergeable Dontmerge true %s", ARDisplayString(m, rr)); return mDNSfalse;}
+ debugf("IsRecordMergeable: Returning true for %s", ARDisplayString(m, rr));
+ return mDNStrue;
+}
+
+// Is the resource record "rr" eligible to merge to with "currentRR" ?
+mDNSlocal mDNSBool AreRecordsMergeable(mDNS *const m, AuthRecord *currentRR, AuthRecord *rr, mDNSs32 time)
+{
+ // A record is eligible to merge with another record as long it is eligible for merge in itself
+ // and it has the same zone information as the other record
+ if (!IsRecordMergeable(m, rr, time)) return mDNSfalse;
+
+ if (!SameDomainName(currentRR->zone, rr->zone))
+ { debugf("AreRecordMergeable zone mismatch current rr Zone %##s, rr zone %##s", currentRR->zone->c, rr->zone->c); return mDNSfalse; }
+
+ if (!mDNSSameIPv4Address(currentRR->nta->Addr.ip.v4, rr->nta->Addr.ip.v4)) return mDNSfalse;
+
+ if (!mDNSSameIPPort(currentRR->nta->Port, rr->nta->Port)) return mDNSfalse;
+
+ debugf("AreRecordsMergeable: Returning true for %s", ARDisplayString(m, rr));
+ return mDNStrue;
+}
+
+// If we can't build the message successfully because of problems in pre-computing
+// the space, we disable merging for all the current records
+mDNSlocal void RRMergeFailure(mDNS *const m)
+{
+ AuthRecord *rr;
+ for (rr = m->ResourceRecords; rr; rr = rr->next)
+ {
+ rr->mState = mergeState_DontMerge;
+ rr->SendRNow = mDNSNULL;
+ // Restarting the registration is much simpler than saving and restoring
+ // the exact time
+ ActivateUnicastRegistration(m, rr);
+ }
+}
+
+mDNSlocal void SendGroupRRMessage(mDNS *const m, AuthRecord *anchorRR, mDNSu8 *ptr, DomainAuthInfo *info)
+{
+ mDNSu8 *limit;
+ if (!anchorRR) {debugf("SendGroupRRMessage: Could not merge records"); return;}
+
+ if (info && info->AutoTunnel) limit = m->omsg.data + AbsoluteMaxDNSMessageData;
+ else limit = m->omsg.data + NormalMaxDNSMessageData;
+
+ // This has to go in the additional section and hence need to be done last
+ ptr = putUpdateLeaseWithLimit(&m->omsg, ptr, DEFAULT_UPDATE_LEASE, limit);
+ if (!ptr)
+ {
+ LogMsg("SendGroupRRMessage: ERROR: Could not put lease option, failing the group registration");
+ // if we can't put the lease, we need to undo the merge
+ RRMergeFailure(m);
+ return;
+ }
+ if (anchorRR->Private)
+ {
+ if (anchorRR->tcp) debugf("SendGroupRRMessage: Disposing existing TCP connection for %s", ARDisplayString(m, anchorRR));
+ if (anchorRR->tcp) { DisposeTCPConn(anchorRR->tcp); anchorRR->tcp = mDNSNULL; }
+ if (!anchorRR->nta) { LogMsg("SendGroupRRMessage:ERROR!! nta is NULL for %s", ARDisplayString(m, anchorRR)); return; }
+ anchorRR->tcp = MakeTCPConn(m, &m->omsg, ptr, kTCPSocketFlags_UseTLS, &anchorRR->nta->Addr, anchorRR->nta->Port, &anchorRR->nta->Host, mDNSNULL, anchorRR);
+ if (!anchorRR->tcp) LogInfo("SendGroupRRMessage: Cannot establish TCP connection for %s", ARDisplayString(m, anchorRR));
+ else LogInfo("SendGroupRRMessage: Sent a group update ID: %d start %p, end %p, limit %p", mDNSVal16(m->omsg.h.id), m->omsg.data, ptr, limit);
+ }
+ else
+ {
+ mStatus err = mDNSSendDNSMessage(m, &m->omsg, ptr, mDNSInterface_Any, mDNSNULL, &anchorRR->nta->Addr, anchorRR->nta->Port, mDNSNULL, info, mDNSfalse);
+ if (err) LogInfo("SendGroupRRMessage: Cannot send UDP message for %s", ARDisplayString(m, anchorRR));
+ else LogInfo("SendGroupRRMessage: Sent a group UDP update ID: %d start %p, end %p, limit %p", mDNSVal16(m->omsg.h.id), m->omsg.data, ptr, limit);
+ }
+ return;
+}
+
+// As we always include the zone information and the resource records contain zone name
+// at the end, it will get compressed. Hence, we subtract zoneSize and add two bytes for
+// the compression pointer
+mDNSlocal mDNSu32 RREstimatedSize(AuthRecord *rr, int zoneSize)
+{
+ int rdlength;
+
+ // Note: Estimation of the record size has to mirror the logic in BuildUpdateMessage, otherwise estimation
+ // would be wrong. Currently BuildUpdateMessage calls SetNewRData in UpdatePending case. Hence, we need
+ // to account for that here. Otherwise, we might under estimate the size.
+ if (rr->state == regState_UpdatePending)
+ // old RData that will be deleted
+ // new RData that will be added
+ rdlength = rr->OrigRDLen + rr->InFlightRDLen;
+ else
+ rdlength = rr->resrec.rdestimate;
+
+ if (rr->state == regState_DeregPending)
+ {
+ debugf("RREstimatedSize: ResourceRecord %##s (%s), DomainNameLength %d, zoneSize %d, rdestimate %d",
+ rr->resrec.name->c, DNSTypeName(rr->resrec.rrtype), DomainNameLength(rr->resrec.name), zoneSize, rdlength);
+ return DomainNameLength(rr->resrec.name) - zoneSize + 2 + 10 + rdlength;
+ }
+
+ // For SRV, TXT, AAAA etc. that are Unique/Verified, we also send a Deletion Record
+ if (rr->resrec.RecordType == kDNSRecordTypeKnownUnique || rr->resrec.RecordType == kDNSRecordTypeVerified)
+ {
+ // Deletion Record: Resource Record Name + Base size (10) + 0
+ // Record: Resource Record Name (Compressed = 2) + Base size (10) + rdestimate
+
+ debugf("RREstimatedSize: ResourceRecord %##s (%s), DomainNameLength %d, zoneSize %d, rdestimate %d",
+ rr->resrec.name->c, DNSTypeName(rr->resrec.rrtype), DomainNameLength(rr->resrec.name), zoneSize, rdlength);
+ return DomainNameLength(rr->resrec.name) - zoneSize + 2 + 10 + 2 + 10 + rdlength;
+ }
+ else
+ {
+ return DomainNameLength(rr->resrec.name) - zoneSize + 2 + 10 + rdlength;
+ }
+}
+
+mDNSlocal AuthRecord *MarkRRForSending(mDNS *const m)
+{
+ AuthRecord *rr;
+ AuthRecord *firstRR = mDNSNULL;
+
+ // Look for records that needs to be sent in the next two seconds (MERGE_DELAY_TIME is set to 1 second).
+ // The logic is as follows.
+ //
+ // 1. Record 1 finishes getting zone data and its registration gets delayed by 1 second
+ // 2. Record 2 comes 0.1 second later, finishes getting its zone data and its registration is also delayed by
+ // 1 second which is now scheduled at 1.1 second
+ //
+ // By looking for 1 second into the future (m->timenow + MERGE_DELAY_TIME below does that) we have merged both
+ // of the above records. Note that we can't look for records too much into the future as this will affect the
+ // retry logic. The first retry is scheduled at 3 seconds. Hence, we should always look smaller than that.
+ // Anything more than one second will affect the first retry to happen sooner.
+ //
+ // Note: As a side effect of looking one second into the future to facilitate merging, the retries happen
+ // one second sooner.
+ for (rr = m->ResourceRecords; rr; rr = rr->next)
+ {
+ if (!firstRR)
+ {
+ if (!IsRecordMergeable(m, rr, m->timenow + MERGE_DELAY_TIME)) continue;
+ firstRR = rr;
+ }
+ else if (!AreRecordsMergeable(m, firstRR, rr, m->timenow + MERGE_DELAY_TIME)) continue;
+
+ if (rr->SendRNow) LogMsg("MarkRRForSending: Resourcerecord %s already marked for sending", ARDisplayString(m, rr));
+ rr->SendRNow = uDNSInterfaceMark;
+ }
+
+ // We parsed through all records and found something to send. The services/records might
+ // get registered at different times but we want the refreshes to be all merged and sent
+ // as one update. Hence, we accelerate some of the records so that they will sync up in
+ // the future. Look at the records excluding the ones that we have already sent in the
+ // previous pass. If it half way through its scheduled refresh/retransmit, merge them
+ // into this packet.
+ //
+ // Note that we only look at Registered/Refresh state to keep it simple. As we don't know
+ // whether the current update will fit into one or more packets, merging a resource record
+ // (which is in a different state) that has been scheduled for retransmit would trigger
+ // sending more packets.
+ if (firstRR)
+ {
+ int acc = 0;
+ for (rr = m->ResourceRecords; rr; rr = rr->next)
+ {
+ if ((rr->state != regState_Registered && rr->state != regState_Refresh) ||
+ (rr->SendRNow == uDNSInterfaceMark) ||
+ (!AreRecordsMergeable(m, firstRR, rr, m->timenow + rr->ThisAPInterval/2)))
+ continue;
+ rr->SendRNow = uDNSInterfaceMark;
+ acc++;
+ }
+ if (acc) LogInfo("MarkRRForSending: Accelereated %d records", acc);
+ }
+ return firstRR;
+}
+
+mDNSlocal mDNSBool SendGroupUpdates(mDNS *const m)
+{
+ mDNSOpaque16 msgid;
+ mDNSs32 spaceleft = 0;
+ mDNSs32 zoneSize, rrSize;
+ mDNSu8 *oldnext; // for debugging
+ mDNSu8 *next = m->omsg.data;
+ AuthRecord *rr;
+ AuthRecord *anchorRR = mDNSNULL;
+ int nrecords = 0;
+ AuthRecord *startRR = m->ResourceRecords;
+ mDNSu8 *limit = mDNSNULL;
+ DomainAuthInfo *AuthInfo = mDNSNULL;
+ mDNSBool sentallRecords = mDNStrue;
+
+
+ // We try to fit as many ResourceRecords as possible in AbsoluteNormal/MaxDNSMessageData. Before we start
+ // putting in resource records, we need to reserve space for a few things. Every group/packet should
+ // have the following.
+ //
+ // 1) Needs space for the Zone information (which needs to be at the beginning)
+ // 2) Additional section MUST have space for lease option, HINFO and TSIG option (which needs to
+ // to be at the end)
+ //
+ // In future we need to reserve space for the pre-requisites which also goes at the beginning.
+ // To accomodate pre-requisites in the future, first we walk the whole list marking records
+ // that can be sent in this packet and computing the space needed for these records.
+ // For TXT and SRV records, we delete the previous record if any by sending the same
+ // resource record with ANY RDATA and zero rdlen. Hence, we need to have space for both of them.
+
+ while (startRR)
+ {
+ AuthInfo = mDNSNULL;
+ anchorRR = mDNSNULL;
+ nrecords = 0;
+ zoneSize = 0;
+ for (rr = startRR; rr; rr = rr->next)
+ {
+ if (rr->SendRNow != uDNSInterfaceMark) continue;
+
+ rr->SendRNow = mDNSNULL;
+
+ if (!anchorRR)
+ {
+ AuthInfo = GetAuthInfoForName_internal(m, rr->zone);
+
+ // Though we allow single record registrations for UDP to be AbsoluteMaxDNSMessageData (See
+ // SendRecordRegistration) to handle large TXT records, to avoid fragmentation we limit UDP
+ // message to NormalMaxDNSMessageData
+ if (AuthInfo && AuthInfo->AutoTunnel) spaceleft = AbsoluteMaxDNSMessageData;
+ else spaceleft = NormalMaxDNSMessageData;
+
+ next = m->omsg.data;
+ spaceleft -= RRAdditionalSize(m, AuthInfo);
+ if (spaceleft <= 0)
+ {
+ LogMsg("SendGroupUpdates: ERROR!!: spaceleft is zero at the beginning");
+ RRMergeFailure(m);
+ return mDNSfalse;
+ }
+ limit = next + spaceleft;
+
+ // Build the initial part of message before putting in the other records
+ msgid = mDNS_NewMessageID(m);
+ InitializeDNSMessage(&m->omsg.h, msgid, UpdateReqFlags);
+
+ // We need zone information at the beginning of the packet. Length: ZNAME, ZTYPE(2), ZCLASS(2)
+ // zone has to be non-NULL for a record to be mergeable, hence it is safe to set/ examine zone
+ //without checking for NULL.
+ zoneSize = DomainNameLength(rr->zone) + 4;
+ spaceleft -= zoneSize;
+ if (spaceleft <= 0)
+ {
+ LogMsg("SendGroupUpdates: ERROR no space for zone information, disabling merge");
+ RRMergeFailure(m);
+ return mDNSfalse;
+ }
+ next = putZone(&m->omsg, next, limit, rr->zone, mDNSOpaque16fromIntVal(rr->resrec.rrclass));
+ if (!next)
+ {
+ LogMsg("SendGroupUpdates: ERROR! Cannot put zone, disabling merge");
+ RRMergeFailure(m);
+ return mDNSfalse;
+ }
+ anchorRR = rr;
+ }
+
+ rrSize = RREstimatedSize(rr, zoneSize - 4);
+
+ if ((spaceleft - rrSize) < 0)
+ {
+ // If we can't fit even a single message, skip it, it will be sent separately
+ // in CheckRecordUpdates
+ if (!nrecords)
+ {
+ LogInfo("SendGroupUpdates: Skipping message %s, spaceleft %d, rrSize %d", ARDisplayString(m, rr), spaceleft, rrSize);
+ // Mark this as not sent so that the caller knows about it
+ rr->SendRNow = uDNSInterfaceMark;
+ // We need to remove the merge delay so that we can send it immediately
+ rr->ThisAPInterval = INIT_RECORD_REG_INTERVAL;
+ rr->LastAPTime = m->timenow - INIT_RECORD_REG_INTERVAL;
+ rr = rr->next;
+ anchorRR = mDNSNULL;
+ sentallRecords = mDNSfalse;
+ }
+ else
+ {
+ LogInfo("SendGroupUpdates:1: Parsed %d records and sending using %s, spaceleft %d, rrSize %d", nrecords, ARDisplayString(m, anchorRR), spaceleft, rrSize);
+ SendGroupRRMessage(m, anchorRR, next, AuthInfo);
+ }
+ break; // breaks out of for loop
+ }
+ spaceleft -= rrSize;
+ oldnext = next;
+ LogInfo("SendGroupUpdates: Building a message with resource record %s, next %p, state %d, ttl %d", ARDisplayString(m, rr), next, rr->state, rr->resrec.rroriginalttl);
+ if (!(next = BuildUpdateMessage(m, next, rr, limit)))
+ {
+ // We calculated the space and if we can't fit in, we had some bug in the calculation,
+ // disable merge completely.
+ LogMsg("SendGroupUpdates: ptr NULL while building message with %s", ARDisplayString(m, rr));
+ RRMergeFailure(m);
+ return mDNSfalse;
+ }
+ // If our estimate was higher, adjust to the actual size
+ if ((next - oldnext) > rrSize)
+ LogMsg("SendGroupUpdates: ERROR!! Record size estimation is wrong for %s, Estimate %d, Actual %d, state %d", ARDisplayString(m, rr), rrSize, next - oldnext, rr->state);
+ else { spaceleft += rrSize; spaceleft -= (next - oldnext); }
+
+ nrecords++;
+ // We could have sent an update earlier with this "rr" as anchorRR for which we never got a response.
+ // To preserve ordering, we blow away the previous connection before sending this.
+ if (rr->tcp) { DisposeTCPConn(rr->tcp); rr->tcp = mDNSNULL;}
+ rr->updateid = msgid;
+
+ // By setting the retry time interval here, we will not be looking at these records
+ // again when we return to CheckGroupRecordUpdates.
+ SetRecordRetry(m, rr, 0);
+ }
+ // Either we have parsed all the records or stopped at "rr" above due to lack of space
+ startRR = rr;
+ }
+
+ if (anchorRR)
+ {
+ LogInfo("SendGroupUpdates: Parsed %d records and sending using %s", nrecords, ARDisplayString(m, anchorRR));
+ SendGroupRRMessage(m, anchorRR, next, AuthInfo);
+ }
+ return sentallRecords;
+}
+
+// Merge the record registrations and send them as a group only if they
+// have same DomainAuthInfo and hence the same key to put the TSIG
+mDNSlocal void CheckGroupRecordUpdates(mDNS *const m)
+{
+ AuthRecord *rr, *nextRR;
+ // Keep sending as long as there is at least one record to be sent
+ while (MarkRRForSending(m))
+ {
+ if (!SendGroupUpdates(m))
+ {
+ // if everything that was marked was not sent, send them out individually
+ for (rr = m->ResourceRecords; rr; rr = nextRR)
+ {
+ // SendRecordRegistrtion might delete the rr from list, hence
+ // dereference nextRR before calling the function
+ nextRR = rr->next;
+ if (rr->SendRNow == uDNSInterfaceMark)
+ {
+ // Any records marked for sending should be eligible to be sent out
+ // immediately. Just being cautious
+ if (rr->LastAPTime + rr->ThisAPInterval - m->timenow > 0)
+ { LogMsg("CheckGroupRecordUpdates: ERROR!! Resourcerecord %s not ready", ARDisplayString(m, rr)); continue; }
+ rr->SendRNow = mDNSNULL;
+ SendRecordRegistration(m, rr);
+ }
+ }
+ }
+ }
+
+ debugf("CheckGroupRecordUpdates: No work, returning");
+ return;
+}
+
+mDNSlocal void hndlSRVChanged(mDNS *const m, AuthRecord *rr)
+{
+ // Reevaluate the target always as NAT/Target could have changed while
+ // we were registering/deeregistering
+ domainname *dt;
+ const domainname *target = GetServiceTarget(m, rr);
+ if (!target || target->c[0] == 0)
+ {
+ // we don't have a target, if we just derregistered, then we don't have to do anything
+ if (rr->state == regState_DeregPending)
+ {
+ LogInfo("hndlSRVChanged: SRVChanged, No Target, SRV Deregistered for %##s, state %d", rr->resrec.name->c,
+ rr->state);
+ rr->SRVChanged = mDNSfalse;
+ dt = GetRRDomainNameTarget(&rr->resrec);
+ if (dt) dt->c[0] = 0;
+ rr->state = regState_NoTarget; // Wait for the next target change
+ rr->resrec.rdlength = rr->resrec.rdestimate = 0;
+ return;
+ }
+
+ // we don't have a target, if we just registered, we need to deregister
+ if (rr->state == regState_Pending)
+ {
+ LogInfo("hndlSRVChanged: SRVChanged, No Target, Deregistering again %##s, state %d", rr->resrec.name->c, rr->state);
+ rr->ThisAPInterval = INIT_RECORD_REG_INTERVAL;
+ rr->LastAPTime = m->timenow - INIT_RECORD_REG_INTERVAL;
+ rr->state = regState_DeregPending;
+ return;
+ }
+ LogInfo("hndlSRVChanged: Not in DeregPending or RegPending state %##s, state %d", rr->resrec.name->c, rr->state);
+ }
+ else
+ {
+ // If we were in registered state and SRV changed to NULL, we deregister and come back here
+ // if we have a target, we need to register again.
+ //
+ // if we just registered check to see if it is same. If it is different just re-register the
+ // SRV and its assoicated records
+ //
+ // UpdateOneSRVRecord takes care of re-registering all service records
+ if ((rr->state == regState_DeregPending) ||
+ (rr->state == regState_Pending && !SameDomainName(target, &rr->resrec.rdata->u.srv.target)))
+ {
+ dt = GetRRDomainNameTarget(&rr->resrec);
+ if (dt) dt->c[0] = 0;
+ rr->state = regState_NoTarget; // NoTarget will allow us to pick up new target OR nat traversal state
+ rr->resrec.rdlength = rr->resrec.rdestimate = 0;
+ LogInfo("hndlSRVChanged: SRVChanged, Valid Target %##s, Registering all records for %##s, state %d",
+ target->c, rr->resrec.name->c, rr->state);
+ rr->SRVChanged = mDNSfalse;
+ UpdateOneSRVRecord(m, rr);
+ return;
+ }
+ // Target did not change while this record was registering. Hence, we go to
+ // Registered state - the state we started from.
+ if (rr->state == regState_Pending) rr->state = regState_Registered;
+ }
+
+ rr->SRVChanged = mDNSfalse;
+}
+
+// Called with lock held
+mDNSlocal void hndlRecordUpdateReply(mDNS *m, AuthRecord *rr, mStatus err, mDNSu32 random)
+{
+ mDNSBool InvokeCallback = mDNStrue;
+ mDNSIPPort UpdatePort = zeroIPPort;
+
+ mDNS_CheckLock(m);
+
+ LogInfo("hndlRecordUpdateReply: err %d ID %d state %d %s(%p)", err, mDNSVal16(rr->updateid), rr->state, ARDisplayString(m, rr), rr);
+
+ rr->updateError = err;
+#if APPLE_OSX_mDNSResponder
+ if (err == mStatus_BadSig || err == mStatus_BadKey || err == mStatus_BadTime) UpdateAutoTunnelDomainStatuses(m);
+#endif
+
+ SetRecordRetry(m, rr, random);
+
+ rr->updateid = zeroID; // Make sure that this is not considered as part of a group anymore
+ // Later when need to send an update, we will get the zone data again. Thus we avoid
+ // using stale information.
+ //
+ // Note: By clearing out the zone info here, it also helps better merging of records
+ // in some cases. For example, when we get out regState_NoTarget state e.g., move out
+ // of Double NAT, we want all the records to be in one update. Some BTMM records like
+ // _autotunnel6 and host records are registered/deregistered when NAT state changes.
+ // As they are re-registered the zone information is cleared out. To merge with other
+ // records that might be possibly going out, clearing out the information here helps
+ // as all of them try to get the zone data.
+ if (rr->nta)
+ {
+ // We always expect the question to be stopped when we get a valid response from the server.
+ // If the zone info tries to change during this time, updateid would be different and hence
+ // this response should not have been accepted.
+ if (rr->nta->question.ThisQInterval != -1)
+ LogMsg("hndlRecordUpdateReply: ResourceRecord %s, zone info question %##s (%s) interval %d not -1",
+ ARDisplayString(m, rr), rr->nta->question.qname.c, DNSTypeName(rr->nta->question.qtype), rr->nta->question.ThisQInterval);
+ UpdatePort = rr->nta->Port;
+ CancelGetZoneData(m, rr->nta);
+ rr->nta = mDNSNULL;
+ }
+
+ // If we are deregistering the record, then complete the deregistration. Ignore any NAT/SRV change
+ // that could have happened during that time.
+ if (rr->resrec.RecordType == kDNSRecordTypeDeregistering && rr->state == regState_DeregPending)
+ {
+ debugf("hndlRecordUpdateReply: Received reply for deregister record %##s type %d", rr->resrec.name->c, rr->resrec.rrtype);
+ if (err) LogMsg("ERROR: Deregistration of record %##s type %d failed with error %d",
+ rr->resrec.name->c, rr->resrec.rrtype, err);
+ rr->state = regState_Unregistered;
+ CompleteDeregistration(m, rr);
+ return;
+ }
+
+ // We are returning early without updating the state. When we come back from sleep we will re-register after
+ // re-initializing all the state as though it is a first registration. If the record can't be registered e.g.,
+ // no target, it will be deregistered. Hence, the updating to the right state should not matter when going
+ // to sleep.
+ if (m->SleepState)
+ {
+ // Need to set it to NoTarget state so that RecordReadyForSleep knows that
+ // we are done
+ if (rr->resrec.rrtype == kDNSType_SRV && rr->state == regState_DeregPending)
+ rr->state = regState_NoTarget;
+ return;
+ }
+
+ if (rr->state == regState_UpdatePending)
+ {
+ if (err) LogMsg("Update record failed for %##s (err %d)", rr->resrec.name->c, err);
+ rr->state = regState_Registered;
+ // deallocate old RData
+ if (rr->UpdateCallback) rr->UpdateCallback(m, rr, rr->OrigRData, rr->OrigRDLen);
+ SetNewRData(&rr->resrec, rr->InFlightRData, rr->InFlightRDLen);
+ rr->OrigRData = mDNSNULL;
+ rr->InFlightRData = mDNSNULL;
+ }
+
+ if (rr->SRVChanged)
+ {
+ if (rr->resrec.rrtype == kDNSType_SRV)
+ hndlSRVChanged(m, rr);
+ else
+ {
+ LogInfo("hndlRecordUpdateReply: Deregistered %##s (%s), state %d", rr->resrec.name->c, DNSTypeName(rr->resrec.rrtype), rr->state);
+ rr->SRVChanged = mDNSfalse;
+ if (rr->state != regState_DeregPending) LogMsg("hndlRecordUpdateReply: ResourceRecord %s not in DeregPending state %d", ARDisplayString(m, rr), rr->state);
+ rr->state = regState_NoTarget; // Wait for the next target change
+ }
+ return;
+ }
+
+ if (rr->state == regState_Pending || rr->state == regState_Refresh)
+ {
+ if (!err)
+ {
+ if (rr->state == regState_Refresh) InvokeCallback = mDNSfalse;
+ rr->state = regState_Registered;
+ }
+ else
+ {
+ // Retry without lease only for non-Private domains
+ LogMsg("hndlRecordUpdateReply: Registration of record %##s type %d failed with error %d", rr->resrec.name->c, rr->resrec.rrtype, err);
+ if (!rr->Private && rr->uselease && err == mStatus_UnknownErr && mDNSSameIPPort(UpdatePort, UnicastDNSPort))
+ {
+ LogMsg("hndlRecordUpdateReply: Will retry update of record %##s without lease option", rr->resrec.name->c);
+ rr->uselease = mDNSfalse;
+ rr->ThisAPInterval = INIT_RECORD_REG_INTERVAL;
+ rr->LastAPTime = m->timenow - INIT_RECORD_REG_INTERVAL;
+ SetNextuDNSEvent(m, rr);
+ return;
+ }
+ // Communicate the error to the application in the callback below
+ }
+ }
+
+ if (rr->QueuedRData && rr->state == regState_Registered)
+ {
+ rr->state = regState_UpdatePending;
+ rr->InFlightRData = rr->QueuedRData;
+ rr->InFlightRDLen = rr->QueuedRDLen;
+ rr->OrigRData = rr->resrec.rdata;
+ rr->OrigRDLen = rr->resrec.rdlength;
+ rr->QueuedRData = mDNSNULL;
+ rr->ThisAPInterval = INIT_RECORD_REG_INTERVAL;
+ rr->LastAPTime = m->timenow - INIT_RECORD_REG_INTERVAL;
+ SetNextuDNSEvent(m, rr);
+ return;
+ }
+
+ // Don't invoke the callback on error as this may not be useful to the client.
+ // The client may potentially delete the resource record on error which we normally
+ // delete during deregistration
+ if (!err && InvokeCallback && rr->RecordCallback)
+ {
+ LogInfo("hndlRecordUpdateReply: Calling record callback on %##s", rr->resrec.name->c);
+ mDNS_DropLockBeforeCallback();
+ rr->RecordCallback(m, rr, err);
+ mDNS_ReclaimLockAfterCallback();
+ }
+ // CAUTION: MUST NOT do anything more with rr after calling rr->Callback(), because the client's callback function
+ // is allowed to do anything, including starting/stopping queries, registering/deregistering records, etc.
+}
+
+mDNSlocal void uDNS_ReceiveNATPMPPacket(mDNS *m, const mDNSInterfaceID InterfaceID, mDNSu8 *pkt, mDNSu16 len)
+{
+ NATTraversalInfo *ptr;
+ NATAddrReply *AddrReply = (NATAddrReply *)pkt;
+ NATPortMapReply *PortMapReply = (NATPortMapReply *)pkt;
+ mDNSu32 nat_elapsed, our_elapsed;
+
+ // Minimum NAT-PMP packet is vers (1) opcode (1) + err (2) = 4 bytes
+ if (len < 4) { LogMsg("NAT-PMP message too short (%d bytes)", len); return; }
+
+ // Read multi-byte error value (field is identical in a NATPortMapReply)
+ AddrReply->err = (mDNSu16) ((mDNSu16)pkt[2] << 8 | pkt[3]);
+
+ if (AddrReply->err == NATErr_Vers)
+ {
+ NATTraversalInfo *n;
+ LogInfo("NAT-PMP version unsupported message received");
+ for (n = m->NATTraversals; n; n=n->next)
+ {
+ // Send a NAT-PMP request for this operation as needed
+ // and update the state variables
+ uDNS_SendNATMsg(m, n, mDNSfalse);
+ }
+
+ m->NextScheduledNATOp = m->timenow;
+
+ return;
+ }
+
+ // The minimum reasonable NAT-PMP packet length is vers (1) + opcode (1) + err (2) + upseconds (4) = 8 bytes
+ // If it's not at least this long, bail before we byte-swap the upseconds field & overrun our buffer.
+ // The retry timer will ensure we converge to correctness.
+ if (len < 8)
+ {
+ LogMsg("NAT-PMP message too short (%d bytes) 0x%X 0x%X", len, AddrReply->opcode, AddrReply->err);
+ return;
+ }
+
+ // Read multi-byte upseconds value (field is identical in a NATPortMapReply)
+ AddrReply->upseconds = (mDNSs32) ((mDNSs32)pkt[4] << 24 | (mDNSs32)pkt[5] << 16 | (mDNSs32)pkt[6] << 8 | pkt[7]);
+
+ nat_elapsed = AddrReply->upseconds - m->LastNATupseconds;
+ our_elapsed = (m->timenow - m->LastNATReplyLocalTime) / mDNSPlatformOneSecond;
+ debugf("uDNS_ReceiveNATPMPPacket %X upseconds %u nat_elapsed %d our_elapsed %d", AddrReply->opcode, AddrReply->upseconds, nat_elapsed, our_elapsed);
+
+ // We compute a conservative estimate of how much the NAT gateways's clock should have advanced
+ // 1. We subtract 12.5% from our own measured elapsed time, to allow for NAT gateways that have an inacurate clock that runs slowly
+ // 2. We add a two-second safety margin to allow for rounding errors: e.g.
+ // -- if NAT gateway sends a packet at t=2.000 seconds, then one at t=7.999, that's approximately 6 real seconds,
+ // but based on the values in the packet (2,7) the apparent difference according to the packet is only 5 seconds
+ // -- if we're slow handling packets and/or we have coarse clock granularity,
+ // we could receive the t=2 packet at our t=1.999 seconds, which we round down to 1
+ // and the t=7.999 packet at our t=8.000 seconds, which we record as 8,
+ // giving an apparent local time difference of 7 seconds
+ // The two-second safety margin coves this possible calculation discrepancy
+ if (AddrReply->upseconds < m->LastNATupseconds || nat_elapsed + 2 < our_elapsed - our_elapsed/8)
+ { LogMsg("NAT-PMP epoch time check failed: assuming NAT gateway %#a rebooted", &m->Router); RecreateNATMappings(m, 0); }
+
+ m->LastNATupseconds = AddrReply->upseconds;
+ m->LastNATReplyLocalTime = m->timenow;
+#ifdef _LEGACY_NAT_TRAVERSAL_
+ LNT_ClearState(m);
+#endif // _LEGACY_NAT_TRAVERSAL_
+
+ if (AddrReply->opcode == NATOp_AddrResponse)
+ {
+#if APPLE_OSX_mDNSResponder
+ static char msgbuf[16];
+ mDNS_snprintf(msgbuf, sizeof(msgbuf), "%d", AddrReply->err);
+ mDNSASLLog((uuid_t *)&m->asl_uuid, "natt.natpmp.AddressRequest", AddrReply->err ? "failure" : "success", msgbuf, "");
+#endif
+ if (!AddrReply->err && len < sizeof(NATAddrReply)) { LogMsg("NAT-PMP AddrResponse message too short (%d bytes)", len); return; }
+ natTraversalHandleAddressReply(m, AddrReply->err, AddrReply->ExtAddr);
+ }
+ else if (AddrReply->opcode == NATOp_MapUDPResponse || AddrReply->opcode == NATOp_MapTCPResponse)
+ {
+ mDNSu8 Protocol = AddrReply->opcode & 0x7F;
+#if APPLE_OSX_mDNSResponder
+ static char msgbuf[16];
+ mDNS_snprintf(msgbuf, sizeof(msgbuf), "%s - %d", AddrReply->opcode == NATOp_MapUDPResponse ? "UDP" : "TCP", PortMapReply->err);
+ mDNSASLLog((uuid_t *)&m->asl_uuid, "natt.natpmp.PortMapRequest", PortMapReply->err ? "failure" : "success", msgbuf, "");
+#endif
+ if (!PortMapReply->err)
+ {
+ if (len < sizeof(NATPortMapReply)) { LogMsg("NAT-PMP PortMapReply message too short (%d bytes)", len); return; }
+ PortMapReply->NATRep_lease = (mDNSu32) ((mDNSu32)pkt[12] << 24 | (mDNSu32)pkt[13] << 16 | (mDNSu32)pkt[14] << 8 | pkt[15]);
+ }
+
+ // Since some NAT-PMP server implementations don't return the requested internal port in
+ // the reply, we can't associate this reply with a particular NATTraversalInfo structure.
+ // We globally keep track of the most recent error code for mappings.
+ m->LastNATMapResultCode = PortMapReply->err;
+
+ for (ptr = m->NATTraversals; ptr; ptr=ptr->next)
+ if (ptr->Protocol == Protocol && mDNSSameIPPort(ptr->IntPort, PortMapReply->intport))
+ natTraversalHandlePortMapReply(m, ptr, InterfaceID, PortMapReply->err, PortMapReply->extport, PortMapReply->NATRep_lease, NATTProtocolNATPMP);
+ }
+ else { LogMsg("Received NAT-PMP response with unknown opcode 0x%X", AddrReply->opcode); return; }
+
+ // Don't need an SSDP socket if we get a NAT-PMP packet
+ if (m->SSDPSocket) { debugf("uDNS_ReceiveNATPMPPacket destroying SSDPSocket %p", &m->SSDPSocket); mDNSPlatformUDPClose(m->SSDPSocket); m->SSDPSocket = mDNSNULL; }
+}
+
+mDNSlocal void uDNS_ReceivePCPPacket(mDNS *m, const mDNSInterfaceID InterfaceID, mDNSu8 *pkt, mDNSu16 len)
+{
+ NATTraversalInfo *ptr;
+ PCPMapReply *reply = (PCPMapReply*)pkt;
+ mDNSu32 client_delta, server_delta;
+ mDNSBool checkEpochValidity = m->LastNATupseconds != 0;
+ mDNSu8 strippedOpCode;
+ mDNSv4Addr mappedAddress = zerov4Addr;
+ mDNSu8 protocol = 0;
+ mDNSIPPort intport = zeroIPPort;
+ mDNSIPPort extport = zeroIPPort;
+
+ // Minimum PCP packet is 24 bytes
+ if (len < 24)
+ {
+ LogMsg("uDNS_ReceivePCPPacket: message too short (%d bytes)", len);
+ return;
+ }
+
+ strippedOpCode = reply->opCode & 0x7f;
+
+ if ((reply->opCode & 0x80) == 0x00 || (strippedOpCode != PCPOp_Announce && strippedOpCode != PCPOp_Map))
+ {
+ LogMsg("uDNS_ReceivePCPPacket: unhandled opCode %u", reply->opCode);
+ return;
+ }
+
+ // Read multi-byte values
+ reply->lifetime = (mDNSs32)((mDNSs32)pkt[4] << 24 | (mDNSs32)pkt[5] << 16 | (mDNSs32)pkt[ 6] << 8 | pkt[ 7]);
+ reply->epoch = (mDNSs32)((mDNSs32)pkt[8] << 24 | (mDNSs32)pkt[9] << 16 | (mDNSs32)pkt[10] << 8 | pkt[11]);
+
+ client_delta = (m->timenow - m->LastNATReplyLocalTime) / mDNSPlatformOneSecond;
+ server_delta = reply->epoch - m->LastNATupseconds;
+ debugf("uDNS_ReceivePCPPacket: %X %X upseconds %u client_delta %d server_delta %d", reply->opCode, reply->result, reply->epoch, client_delta, server_delta);
+
+ // If seconds since the epoch is 0, use 1 so we'll check epoch validity next time
+ m->LastNATupseconds = reply->epoch ? reply->epoch : 1;
+ m->LastNATReplyLocalTime = m->timenow;
+
+#ifdef _LEGACY_NAT_TRAVERSAL_
+ LNT_ClearState(m);
+#endif // _LEGACY_NAT_TRAVERSAL_
+
+ // Don't need an SSDP socket if we get a PCP packet
+ if (m->SSDPSocket) { debugf("uDNS_ReceivePCPPacket: destroying SSDPSocket %p", &m->SSDPSocket); mDNSPlatformUDPClose(m->SSDPSocket); m->SSDPSocket = mDNSNULL; }
+
+ if (checkEpochValidity && (client_delta + 2 < server_delta - server_delta / 16 || server_delta + 2 < client_delta - client_delta / 16))
+ {
+ // If this is an ANNOUNCE packet, wait a random interval up to 5 seconds
+ // otherwise, refresh immediately
+ mDNSu32 waitTicks = strippedOpCode ? 0 : mDNSRandom(PCP_WAITSECS_AFTER_EPOCH_INVALID * mDNSPlatformOneSecond);
+ LogMsg("uDNS_ReceivePCPPacket: Epoch invalid, %#a likely rebooted, waiting %u ticks", &m->Router, waitTicks);
+ RecreateNATMappings(m, waitTicks);
+ // we can ignore the rest of this packet, as new requests are about to go out
+ return;
+ }
+
+ if (strippedOpCode == PCPOp_Announce)
+ return;
+
+ // We globally keep track of the most recent error code for mappings.
+ // This seems bad to do with PCP, but best not change it now.
+ m->LastNATMapResultCode = reply->result;
+
+ if (!reply->result)
+ {
+ if (len < sizeof(PCPMapReply))
+ {
+ LogMsg("uDNS_ReceivePCPPacket: mapping response too short (%d bytes)", len);
+ return;
+ }
+
+ // Check the nonce
+ if (reply->nonce[0] != m->PCPNonce[0] || reply->nonce[1] != m->PCPNonce[1] || reply->nonce[2] != m->PCPNonce[2])
+ {
+ LogMsg("uDNS_ReceivePCPPacket: invalid nonce, ignoring. received { %x %x %x } expected { %x %x %x }",
+ reply->nonce[0], reply->nonce[1], reply->nonce[2],
+ m->PCPNonce[0], m->PCPNonce[1], m->PCPNonce[2]);
+ return;
+ }
+
+ // Get the values
+ protocol = reply->protocol;
+ intport = reply->intPort;
+ extport = reply->extPort;
+
+ // Get the external address, which should be mapped, since we only support IPv4
+ if (!mDNSAddrIPv4FromMappedIPv6(&reply->extAddress, &mappedAddress))
+ {
+ LogMsg("uDNS_ReceivePCPPacket: unexpected external address: %.16a", &reply->extAddress);
+ reply->result = NATErr_NetFail;
+ // fall through to report the error
+ }
+ else if (mDNSIPv4AddressIsZero(mappedAddress))
+ {
+ // If this is the deletion case, we will have sent the zero IPv4-mapped address
+ // in our request, and the server should reflect it in the response, so we
+ // should not log about receiving a zero address. And in this case, we no
+ // longer have a NATTraversal to report errors back to, so it's ok to set the
+ // result here.
+ // In other cases, a zero address is an error, and we will have a NATTraversal
+ // to report back to, so set an error and fall through to report it.
+ // CheckNATMappings will log the error.
+ reply->result = NATErr_NetFail;
+ }
+ }
+ else
+ {
+ LogInfo("uDNS_ReceivePCPPacket: error received from server. opcode %X result %X lifetime %X epoch %X",
+ reply->opCode, reply->result, reply->lifetime, reply->epoch);
+
+ // If the packet is long enough, get the protocol & intport for matching to report
+ // the error
+ if (len >= sizeof(PCPMapReply))
+ {
+ protocol = reply->protocol;
+ intport = reply->intPort;
+ }
+ }
+
+ for (ptr = m->NATTraversals; ptr; ptr=ptr->next)
+ {
+ mDNSu8 ptrProtocol = ((ptr->Protocol & NATOp_MapTCP) == NATOp_MapTCP ? PCPProto_TCP : PCPProto_UDP);
+ if ((protocol == ptrProtocol && mDNSSameIPPort(ptr->IntPort, intport)) ||
+ (!ptr->Protocol && protocol == PCPProto_TCP && mDNSSameIPPort(DiscardPort, intport)))
+ {
+ natTraversalHandlePortMapReplyWithAddress(m, ptr, InterfaceID, reply->result ? NATErr_NetFail : NATErr_None, mappedAddress, extport, reply->lifetime, NATTProtocolPCP);
+ }
+ }
+}
+
+mDNSexport void uDNS_ReceiveNATPacket(mDNS *m, const mDNSInterfaceID InterfaceID, mDNSu8 *pkt, mDNSu16 len)
+{
+ if (len == 0)
+ LogMsg("uDNS_ReceiveNATPacket: zero length packet");
+ else if (pkt[0] == PCP_VERS)
+ uDNS_ReceivePCPPacket(m, InterfaceID, pkt, len);
+ else if (pkt[0] == NATMAP_VERS)
+ uDNS_ReceiveNATPMPPacket(m, InterfaceID, pkt, len);
+ else
+ LogMsg("uDNS_ReceiveNATPacket: packet with version %u (expected %u or %u)", pkt[0], PCP_VERS, NATMAP_VERS);
+}
+
+// <rdar://problem/3925163> Shorten DNS-SD queries to avoid NAT bugs
+// <rdar://problem/4288449> Add check to avoid crashing NAT gateways that have buggy DNS relay code
+//
+// We know of bugs in home NAT gateways that cause them to crash if they receive certain DNS queries.
+// The DNS queries that make them crash are perfectly legal DNS queries, but even if they weren't,
+// the gateway shouldn't crash -- in today's world of viruses and network attacks, software has to
+// be written assuming that a malicious attacker could send them any packet, properly-formed or not.
+// Still, we don't want to be crashing people's home gateways, so we go out of our way to avoid
+// the queries that crash them.
+//
+// Some examples:
+//
+// 1. Any query where the name ends in ".in-addr.arpa." and the text before this is 32 or more bytes.
+// The query type does not need to be PTR -- the gateway will crash for any query type.
+// e.g. "ping long-name-crashes-the-buggy-router.in-addr.arpa" will crash one of these.
+//
+// 2. Any query that results in a large response with the TC bit set.
+//
+// 3. Any PTR query that doesn't begin with four decimal numbers.
+// These gateways appear to assume that the only possible PTR query is a reverse-mapping query
+// (e.g. "1.0.168.192.in-addr.arpa") and if they ever get a PTR query where the first four
+// labels are not all decimal numbers in the range 0-255, they handle that by crashing.
+// These gateways also ignore the remainder of the name following the four decimal numbers
+// -- whether or not it actually says in-addr.arpa, they just make up an answer anyway.
+//
+// The challenge therefore is to craft a query that will discern whether the DNS server
+// is one of these buggy ones, without crashing it. Furthermore we don't want our test
+// queries making it all the way to the root name servers, putting extra load on those
+// name servers and giving Apple a bad reputation. To this end we send this query:
+// dig -t ptr 1.0.0.127.dnsbugtest.1.0.0.127.in-addr.arpa.
+//
+// The text preceding the ".in-addr.arpa." is under 32 bytes, so it won't cause crash (1).
+// It will not yield a large response with the TC bit set, so it won't cause crash (2).
+// It starts with four decimal numbers, so it won't cause crash (3).
+// The name falls within the "1.0.0.127.in-addr.arpa." domain, the reverse-mapping name for the local
+// loopback address, and therefore the query will black-hole at the first properly-configured DNS server
+// it reaches, making it highly unlikely that this query will make it all the way to the root.
+//
+// Finally, the correct response to this query is NXDOMAIN or a similar error, but the
+// gateways that ignore the remainder of the name following the four decimal numbers
+// give themselves away by actually returning a result for this nonsense query.
+
+mDNSlocal const domainname *DNSRelayTestQuestion = (const domainname*)
+ "\x1" "1" "\x1" "0" "\x1" "0" "\x3" "127" "\xa" "dnsbugtest"
+ "\x1" "1" "\x1" "0" "\x1" "0" "\x3" "127" "\x7" "in-addr" "\x4" "arpa";
+
+// See comments above for DNSRelayTestQuestion
+// If this is the kind of query that has the risk of crashing buggy DNS servers, we do a test question first
+mDNSlocal mDNSBool NoTestQuery(DNSQuestion *q)
+{
+ int i;
+ mDNSu8 *p = q->qname.c;
+ if (q->AuthInfo) return(mDNStrue); // Don't need a test query for private queries sent directly to authoritative server over TLS/TCP
+ if (q->qtype != kDNSType_PTR) return(mDNStrue); // Don't need a test query for any non-PTR queries
+ for (i=0; i<4; i++) // If qname does not begin with num.num.num.num, can't skip the test query
+ {
+ if (p[0] < 1 || p[0] > 3) return(mDNSfalse);
+ if ( p[1] < '0' || p[1] > '9' ) return(mDNSfalse);
+ if (p[0] >= 2 && (p[2] < '0' || p[2] > '9')) return(mDNSfalse);
+ if (p[0] >= 3 && (p[3] < '0' || p[3] > '9')) return(mDNSfalse);
+ p += 1 + p[0];
+ }
+ // If remainder of qname is ".in-addr.arpa.", this is a vanilla reverse-mapping query and
+ // we can safely do it without needing a test query first, otherwise we need the test query.
+ return(SameDomainName((domainname*)p, (const domainname*)"\x7" "in-addr" "\x4" "arpa"));
+}
+
+// Returns mDNStrue if response was handled
+mDNSlocal mDNSBool uDNS_ReceiveTestQuestionResponse(mDNS *const m, DNSMessage *const msg, const mDNSu8 *const end,
+ const mDNSAddr *const srcaddr, const mDNSIPPort srcport)
+{
+ const mDNSu8 *ptr = msg->data;
+ DNSQuestion pktq;
+ DNSServer *s;
+ mDNSu32 result = 0;
+
+ // 1. Find out if this is an answer to one of our test questions
+ if (msg->h.numQuestions != 1) return(mDNSfalse);
+ ptr = getQuestion(msg, ptr, end, mDNSInterface_Any, &pktq);
+ if (!ptr) return(mDNSfalse);
+ if (pktq.qtype != kDNSType_PTR || pktq.qclass != kDNSClass_IN) return(mDNSfalse);
+ if (!SameDomainName(&pktq.qname, DNSRelayTestQuestion)) return(mDNSfalse);
+
+ // 2. If the DNS relay gave us a positive response, then it's got buggy firmware
+ // else, if the DNS relay gave us an error or no-answer response, it passed our test
+ if ((msg->h.flags.b[1] & kDNSFlag1_RC_Mask) == kDNSFlag1_RC_NoErr && msg->h.numAnswers > 0)
+ result = DNSServer_Failed;
+ else
+ result = DNSServer_Passed;
+
+ // 3. Find occurrences of this server in our list, and mark them appropriately
+ for (s = m->DNSServers; s; s = s->next)
+ {
+ mDNSBool matchaddr = (s->teststate != result && mDNSSameAddress(srcaddr, &s->addr) && mDNSSameIPPort(srcport, s->port));
+ mDNSBool matchid = (s->teststate == DNSServer_Untested && mDNSSameOpaque16(msg->h.id, s->testid));
+ if (matchaddr || matchid)
+ {
+ DNSQuestion *q;
+ s->teststate = result;
+ if (result == DNSServer_Passed)
+ {
+ LogInfo("DNS Server %#a:%d (%#a:%d) %d passed%s",
+ &s->addr, mDNSVal16(s->port), srcaddr, mDNSVal16(srcport), mDNSVal16(s->testid),
+ matchaddr ? "" : " NOTE: Reply did not come from address to which query was sent");
+ }
+ else
+ {
+ LogMsg("NOTE: Wide-Area Service Discovery disabled to avoid crashing defective DNS relay %#a:%d (%#a:%d) %d%s",
+ &s->addr, mDNSVal16(s->port), srcaddr, mDNSVal16(srcport), mDNSVal16(s->testid),
+ matchaddr ? "" : " NOTE: Reply did not come from address to which query was sent");
+ }
+
+ // If this server has just changed state from DNSServer_Untested to DNSServer_Passed, then retrigger any waiting questions.
+ // We use the NoTestQuery() test so that we only retrigger questions that were actually blocked waiting for this test to complete.
+ if (result == DNSServer_Passed) // Unblock any questions that were waiting for this result
+ for (q = m->Questions; q; q=q->next)
+ if (q->qDNSServer == s && !NoTestQuery(q))
+ {
+ q->ThisQInterval = INIT_UCAST_POLL_INTERVAL / QuestionIntervalStep;
+ q->unansweredQueries = 0;
+ q->LastQTime = m->timenow - q->ThisQInterval;
+ m->NextScheduledQuery = m->timenow;
+ }
+ }
+ }
+
+ return(mDNStrue); // Return mDNStrue to tell uDNS_ReceiveMsg it doesn't need to process this packet further
+}
+
+// Called from mDNSCoreReceive with the lock held
+mDNSexport void uDNS_ReceiveMsg(mDNS *const m, DNSMessage *const msg, const mDNSu8 *const end, const mDNSAddr *const srcaddr, const mDNSIPPort srcport)
+{
+ DNSQuestion *qptr;
+ mStatus err = mStatus_NoError;
+
+ mDNSu8 StdR = kDNSFlag0_QR_Response | kDNSFlag0_OP_StdQuery;
+ mDNSu8 UpdateR = kDNSFlag0_QR_Response | kDNSFlag0_OP_Update;
+ mDNSu8 QR_OP = (mDNSu8)(msg->h.flags.b[0] & kDNSFlag0_QROP_Mask);
+ mDNSu8 rcode = (mDNSu8)(msg->h.flags.b[1] & kDNSFlag1_RC_Mask);
+
+ (void)srcport; // Unused
+
+ debugf("uDNS_ReceiveMsg from %#-15a with "
+ "%2d Question%s %2d Answer%s %2d Authorit%s %2d Additional%s %d bytes",
+ srcaddr,
+ msg->h.numQuestions, msg->h.numQuestions == 1 ? ", " : "s,",
+ msg->h.numAnswers, msg->h.numAnswers == 1 ? ", " : "s,",
+ msg->h.numAuthorities, msg->h.numAuthorities == 1 ? "y, " : "ies,",
+ msg->h.numAdditionals, msg->h.numAdditionals == 1 ? "" : "s", end - msg->data);
+
+ if (QR_OP == StdR)
+ {
+ //if (srcaddr && recvLLQResponse(m, msg, end, srcaddr, srcport)) return;
+ if (uDNS_ReceiveTestQuestionResponse(m, msg, end, srcaddr, srcport)) return;
+ for (qptr = m->Questions; qptr; qptr = qptr->next)
+ if (msg->h.flags.b[0] & kDNSFlag0_TC && mDNSSameOpaque16(qptr->TargetQID, msg->h.id) && m->timenow - qptr->LastQTime < RESPONSE_WINDOW)
+ {
+ if (!srcaddr) LogMsg("uDNS_ReceiveMsg: TCP DNS response had TC bit set: ignoring");
+ else
+ {
+ // Don't reuse TCP connections. We might have failed over to a different DNS server
+ // while the first TCP connection is in progress. We need a new TCP connection to the
+ // new DNS server. So, always try to establish a new connection.
+ if (qptr->tcp) { DisposeTCPConn(qptr->tcp); qptr->tcp = mDNSNULL; }
+ qptr->tcp = MakeTCPConn(m, mDNSNULL, mDNSNULL, kTCPSocketFlags_Zero, srcaddr, srcport, mDNSNULL, qptr, mDNSNULL);
+ }
+ }
+ }
+
+ if (QR_OP == UpdateR)
+ {
+ mDNSu32 lease = GetPktLease(m, msg, end);
+ mDNSs32 expire = m->timenow + (mDNSs32)lease * mDNSPlatformOneSecond;
+ mDNSu32 random = mDNSRandom((mDNSs32)lease * mDNSPlatformOneSecond/10);
+
+ //rcode = kDNSFlag1_RC_ServFail; // Simulate server failure (rcode 2)
+
+ // Walk through all the records that matches the messageID. There could be multiple
+ // records if we had sent them in a group
+ if (m->CurrentRecord)
+ LogMsg("uDNS_ReceiveMsg ERROR m->CurrentRecord already set %s", ARDisplayString(m, m->CurrentRecord));
+ m->CurrentRecord = m->ResourceRecords;
+ while (m->CurrentRecord)
+ {
+ AuthRecord *rptr = m->CurrentRecord;
+ m->CurrentRecord = m->CurrentRecord->next;
+ if (AuthRecord_uDNS(rptr) && mDNSSameOpaque16(rptr->updateid, msg->h.id))
+ {
+ err = checkUpdateResult(m, rptr->resrec.name, rcode, msg, end);
+ if (!err && rptr->uselease && lease)
+ if (rptr->expire - expire >= 0 || rptr->state != regState_UpdatePending)
+ {
+ rptr->expire = expire;
+ rptr->refreshCount = 0;
+ }
+ // We pass the random value to make sure that if we update multiple
+ // records, they all get the same random value
+ hndlRecordUpdateReply(m, rptr, err, random);
+ }
+ }
+ }
+ debugf("Received unexpected response: ID %d matches no active records", mDNSVal16(msg->h.id));
+}
+
+// ***************************************************************************
+#if COMPILER_LIKES_PRAGMA_MARK
+#pragma mark - Query Routines
+#endif
+
+mDNSexport void sendLLQRefresh(mDNS *m, DNSQuestion *q)
+{
+ mDNSu8 *end;
+ LLQOptData llq;
+ mDNSu8 *limit = m->omsg.data + AbsoluteMaxDNSMessageData;
+
+ if (q->ReqLease)
+ if ((q->state == LLQ_Established && q->ntries >= kLLQ_MAX_TRIES) || q->expire - m->timenow < 0)
+ {
+ LogMsg("Unable to refresh LLQ %##s (%s) - will retry in %d seconds", q->qname.c, DNSTypeName(q->qtype), LLQ_POLL_INTERVAL / mDNSPlatformOneSecond);
+ StartLLQPolling(m,q);
+ return;
+ }
+
+ llq.vers = kLLQ_Vers;
+ llq.llqOp = kLLQOp_Refresh;
+ llq.err = q->tcp ? GetLLQEventPort(m, &q->servAddr) : LLQErr_NoError; // If using TCP tell server what UDP port to send notifications to
+ llq.id = q->id;
+ llq.llqlease = q->ReqLease;
+
+ InitializeDNSMessage(&m->omsg.h, q->TargetQID, uQueryFlags);
+ end = putLLQ(&m->omsg, m->omsg.data, q, &llq);
+ if (!end) { LogMsg("sendLLQRefresh: putLLQ failed %##s (%s)", q->qname.c, DNSTypeName(q->qtype)); return; }
+
+ // Note that we (conditionally) add HINFO and TSIG here, since the question might be going away,
+ // so we may not be able to reference it (most importantly it's AuthInfo) when we actually send the message
+ end = putHINFO(m, &m->omsg, end, q->AuthInfo, limit);
+ if (!end) { LogMsg("sendLLQRefresh: putHINFO failed %##s (%s)", q->qname.c, DNSTypeName(q->qtype)); return; }
+
+ if (PrivateQuery(q))
+ {
+ DNSDigest_SignMessageHostByteOrder(&m->omsg, &end, q->AuthInfo);
+ if (!end) { LogMsg("sendLLQRefresh: DNSDigest_SignMessage failed %##s (%s)", q->qname.c, DNSTypeName(q->qtype)); return; }
+ }
+
+ if (PrivateQuery(q) && !q->tcp)
+ {
+ LogInfo("sendLLQRefresh setting up new TLS session %##s (%s)", q->qname.c, DNSTypeName(q->qtype));
+ if (!q->nta)
+ {
+ // Note: If a question is in LLQ_Established state, we never free the zone data for the
+ // question (PrivateQuery). If we free, we reset the state to something other than LLQ_Established.
+ // This function is called only if the query is in LLQ_Established state and hence nta should
+ // never be NULL. In spite of that, we have seen q->nta being NULL in the field. Just refetch the
+ // zone data in that case.
+ q->nta = StartGetZoneData(m, &q->qname, ZoneServiceLLQ, LLQGotZoneData, q);
+ return;
+ // ThisQInterval is not adjusted when we return from here which means that we will get called back
+ // again immediately. As q->servAddr and q->servPort are still valid and the nta->Host is initialized
+ // without any additional discovery for PrivateQuery, things work.
+ }
+ q->tcp = MakeTCPConn(m, &m->omsg, end, kTCPSocketFlags_UseTLS, &q->servAddr, q->servPort, &q->nta->Host, q, mDNSNULL);
+ }
+ else
+ {
+ mStatus err;
+
+ // if AuthInfo and AuthInfo->AutoTunnel is set, we use the TCP socket but don't need to pass the AuthInfo as
+ // we already protected the message above.
+ LogInfo("sendLLQRefresh: using existing %s session %##s (%s)", PrivateQuery(q) ? "TLS" : "UDP",
+ q->qname.c, DNSTypeName(q->qtype));
+
+ err = mDNSSendDNSMessage(m, &m->omsg, end, mDNSInterface_Any, q->LocalSocket, &q->servAddr, q->servPort, q->tcp ? q->tcp->sock : mDNSNULL, mDNSNULL, mDNSfalse);
+ if (err)
+ {
+ LogMsg("sendLLQRefresh: mDNSSendDNSMessage%s failed: %d", q->tcp ? " (TCP)" : "", err);
+ if (q->tcp) { DisposeTCPConn(q->tcp); q->tcp = mDNSNULL; }
+ }
+ }
+
+ q->ntries++;
+
+ debugf("sendLLQRefresh ntries %d %##s (%s)", q->ntries, q->qname.c, DNSTypeName(q->qtype));
+
+ q->LastQTime = m->timenow;
+ SetNextQueryTime(m, q);
+}
+
+mDNSexport void LLQGotZoneData(mDNS *const m, mStatus err, const ZoneData *zoneInfo)
+{
+ DNSQuestion *q = (DNSQuestion *)zoneInfo->ZoneDataContext;
+
+ mDNS_Lock(m);
+
+ // If we get here it means that the GetZoneData operation has completed.
+ // We hold on to the zone data if it is AutoTunnel as we use the hostname
+ // in zoneInfo during the TLS connection setup.
+ q->servAddr = zeroAddr;
+ q->servPort = zeroIPPort;
+
+ if (!err && zoneInfo && !mDNSIPPortIsZero(zoneInfo->Port) && !mDNSAddressIsZero(&zoneInfo->Addr) && zoneInfo->Host.c[0])
+ {
+ q->servAddr = zoneInfo->Addr;
+ q->servPort = zoneInfo->Port;
+ if (!PrivateQuery(q))
+ {
+ // We don't need the zone data as we use it only for the Host information which we
+ // don't need if we are not going to use TLS connections.
+ if (q->nta)
+ {
+ if (q->nta != zoneInfo) LogMsg("LLQGotZoneData: nta (%p) != zoneInfo (%p) %##s (%s)", q->nta, zoneInfo, q->qname.c, DNSTypeName(q->qtype));
+ CancelGetZoneData(m, q->nta);
+ q->nta = mDNSNULL;
+ }
+ }
+ q->ntries = 0;
+ debugf("LLQGotZoneData %#a:%d", &q->servAddr, mDNSVal16(q->servPort));
+ startLLQHandshake(m, q);
+ }
+ else
+ {
+ if (q->nta)
+ {
+ if (q->nta != zoneInfo) LogMsg("LLQGotZoneData: nta (%p) != zoneInfo (%p) %##s (%s)", q->nta, zoneInfo, q->qname.c, DNSTypeName(q->qtype));
+ CancelGetZoneData(m, q->nta);
+ q->nta = mDNSNULL;
+ }
+ StartLLQPolling(m,q);
+ if (err == mStatus_NoSuchNameErr)
+ {
+ // this actually failed, so mark it by setting address to all ones
+ q->servAddr.type = mDNSAddrType_IPv4;
+ q->servAddr.ip.v4 = onesIPv4Addr;
+ }
+ }
+
+ mDNS_Unlock(m);
+}
+
+// Called in normal callback context (i.e. mDNS_busy and mDNS_reentrancy are both 1)
+mDNSlocal void PrivateQueryGotZoneData(mDNS *const m, mStatus err, const ZoneData *zoneInfo)
+{
+ DNSQuestion *q = (DNSQuestion *) zoneInfo->ZoneDataContext;
+
+ LogInfo("PrivateQueryGotZoneData %##s (%s) err %d Zone %##s Private %d", q->qname.c, DNSTypeName(q->qtype), err, zoneInfo->ZoneName.c, zoneInfo->ZonePrivate);
+
+ if (q->nta != zoneInfo) LogMsg("PrivateQueryGotZoneData:ERROR!!: nta (%p) != zoneInfo (%p) %##s (%s)", q->nta, zoneInfo, q->qname.c, DNSTypeName(q->qtype));
+
+ if (err || !zoneInfo || mDNSAddressIsZero(&zoneInfo->Addr) || mDNSIPPortIsZero(zoneInfo->Port) || !zoneInfo->Host.c[0])
+ {
+ LogInfo("PrivateQueryGotZoneData: ERROR!! %##s (%s) invoked with error code %d %p %#a:%d",
+ q->qname.c, DNSTypeName(q->qtype), err, zoneInfo,
+ zoneInfo ? &zoneInfo->Addr : mDNSNULL,
+ zoneInfo ? mDNSVal16(zoneInfo->Port) : 0);
+ CancelGetZoneData(m, q->nta);
+ q->nta = mDNSNULL;
+ return;
+ }
+
+ if (!zoneInfo->ZonePrivate)
+ {
+ debugf("Private port lookup failed -- retrying without TLS -- %##s (%s)", q->qname.c, DNSTypeName(q->qtype));
+ q->AuthInfo = mDNSNULL; // Clear AuthInfo so we try again non-private
+ q->ThisQInterval = InitialQuestionInterval;
+ q->LastQTime = m->timenow - q->ThisQInterval;
+ CancelGetZoneData(m, q->nta);
+ q->nta = mDNSNULL;
+ mDNS_Lock(m);
+ SetNextQueryTime(m, q);
+ mDNS_Unlock(m);
+ return;
+ // Next call to uDNS_CheckCurrentQuestion() will do this as a non-private query
+ }
+
+ if (!PrivateQuery(q))
+ {
+ LogMsg("PrivateQueryGotZoneData: ERROR!! Not a private query %##s (%s) AuthInfo %p", q->qname.c, DNSTypeName(q->qtype), q->AuthInfo);
+ CancelGetZoneData(m, q->nta);
+ q->nta = mDNSNULL;
+ return;
+ }
+
+ q->TargetQID = mDNS_NewMessageID(m);
+ if (q->tcp) { DisposeTCPConn(q->tcp); q->tcp = mDNSNULL; }
+ if (!q->nta) { LogMsg("PrivateQueryGotZoneData:ERROR!! nta is NULL for %##s (%s)", q->qname.c, DNSTypeName(q->qtype)); return; }
+ q->tcp = MakeTCPConn(m, mDNSNULL, mDNSNULL, kTCPSocketFlags_UseTLS, &zoneInfo->Addr, zoneInfo->Port, &q->nta->Host, q, mDNSNULL);
+ if (q->nta) { CancelGetZoneData(m, q->nta); q->nta = mDNSNULL; }
+}
+
+// ***************************************************************************
+#if COMPILER_LIKES_PRAGMA_MARK
+#pragma mark - Dynamic Updates
+#endif
+
+// Called in normal callback context (i.e. mDNS_busy and mDNS_reentrancy are both 1)
+mDNSexport void RecordRegistrationGotZoneData(mDNS *const m, mStatus err, const ZoneData *zoneData)
+{
+ AuthRecord *newRR = (AuthRecord*)zoneData->ZoneDataContext;
+ AuthRecord *ptr;
+ int c1, c2;
+
+ if (newRR->nta != zoneData)
+ LogMsg("RecordRegistrationGotZoneData: nta (%p) != zoneData (%p) %##s (%s)", newRR->nta, zoneData, newRR->resrec.name->c, DNSTypeName(newRR->resrec.rrtype));
+
+ if (m->mDNS_busy != m->mDNS_reentrancy)
+ LogMsg("RecordRegistrationGotZoneData: mDNS_busy (%ld) != mDNS_reentrancy (%ld)", m->mDNS_busy, m->mDNS_reentrancy);
+
+ // make sure record is still in list (!!!)
+ for (ptr = m->ResourceRecords; ptr; ptr = ptr->next) if (ptr == newRR) break;
+ if (!ptr)
+ {
+ LogMsg("RecordRegistrationGotZoneData - RR no longer in list. Discarding.");
+ CancelGetZoneData(m, newRR->nta);
+ newRR->nta = mDNSNULL;
+ return;
+ }
+
+ // check error/result
+ if (err)
+ {
+ if (err != mStatus_NoSuchNameErr) LogMsg("RecordRegistrationGotZoneData: error %d", err);
+ CancelGetZoneData(m, newRR->nta);
+ newRR->nta = mDNSNULL;
+ return;
+ }
+
+ if (!zoneData) { LogMsg("ERROR: RecordRegistrationGotZoneData invoked with NULL result and no error"); return; }
+
+ if (newRR->resrec.rrclass != zoneData->ZoneClass)
+ {
+ LogMsg("ERROR: New resource record's class (%d) does not match zone class (%d)", newRR->resrec.rrclass, zoneData->ZoneClass);
+ CancelGetZoneData(m, newRR->nta);
+ newRR->nta = mDNSNULL;
+ return;
+ }
+
+ // Don't try to do updates to the root name server.
+ // We might be tempted also to block updates to any single-label name server (e.g. com, edu, net, etc.) but some
+ // organizations use their own private pseudo-TLD, like ".home", etc, and we don't want to block that.
+ if (zoneData->ZoneName.c[0] == 0)
+ {
+ LogInfo("RecordRegistrationGotZoneData: No name server found claiming responsibility for \"%##s\"!", newRR->resrec.name->c);
+ CancelGetZoneData(m, newRR->nta);
+ newRR->nta = mDNSNULL;
+ return;
+ }
+
+ // Store discovered zone data
+ c1 = CountLabels(newRR->resrec.name);
+ c2 = CountLabels(&zoneData->ZoneName);
+ if (c2 > c1)
+ {
+ LogMsg("RecordRegistrationGotZoneData: Zone \"%##s\" is longer than \"%##s\"", zoneData->ZoneName.c, newRR->resrec.name->c);
+ CancelGetZoneData(m, newRR->nta);
+ newRR->nta = mDNSNULL;
+ return;
+ }
+ newRR->zone = SkipLeadingLabels(newRR->resrec.name, c1-c2);
+ if (!SameDomainName(newRR->zone, &zoneData->ZoneName))
+ {
+ LogMsg("RecordRegistrationGotZoneData: Zone \"%##s\" does not match \"%##s\" for \"%##s\"", newRR->zone->c, zoneData->ZoneName.c, newRR->resrec.name->c);
+ CancelGetZoneData(m, newRR->nta);
+ newRR->nta = mDNSNULL;
+ return;
+ }
+
+ if (mDNSIPPortIsZero(zoneData->Port) || mDNSAddressIsZero(&zoneData->Addr) || !zoneData->Host.c[0])
+ {
+ LogInfo("RecordRegistrationGotZoneData: No _dns-update._udp service found for \"%##s\"!", newRR->resrec.name->c);
+ CancelGetZoneData(m, newRR->nta);
+ newRR->nta = mDNSNULL;
+ return;
+ }
+
+ newRR->Private = zoneData->ZonePrivate;
+ debugf("RecordRegistrationGotZoneData: Set zone information for %##s %##s to %#a:%d",
+ newRR->resrec.name->c, zoneData->ZoneName.c, &zoneData->Addr, mDNSVal16(zoneData->Port));
+
+ // If we are deregistering, uDNS_DeregisterRecord will do that as it has the zone data now.
+ if (newRR->state == regState_DeregPending)
+ {
+ mDNS_Lock(m);
+ uDNS_DeregisterRecord(m, newRR);
+ mDNS_Unlock(m);
+ return;
+ }
+
+ if (newRR->resrec.rrtype == kDNSType_SRV)
+ {
+ const domainname *target;
+ // Reevaluate the target always as NAT/Target could have changed while
+ // we were fetching zone data.
+ mDNS_Lock(m);
+ target = GetServiceTarget(m, newRR);
+ mDNS_Unlock(m);
+ if (!target || target->c[0] == 0)
+ {
+ domainname *t = GetRRDomainNameTarget(&newRR->resrec);
+ LogInfo("RecordRegistrationGotZoneData - no target for %##s", newRR->resrec.name->c);
+ if (t) t->c[0] = 0;
+ newRR->resrec.rdlength = newRR->resrec.rdestimate = 0;
+ newRR->state = regState_NoTarget;
+ CancelGetZoneData(m, newRR->nta);
+ newRR->nta = mDNSNULL;
+ return;
+ }
+ }
+ // If we have non-zero service port (always?)
+ // and a private address, and update server is non-private
+ // and this service is AutoTarget
+ // then initiate a NAT mapping request. On completion it will do SendRecordRegistration() for us
+ if (newRR->resrec.rrtype == kDNSType_SRV && !mDNSIPPortIsZero(newRR->resrec.rdata->u.srv.port) &&
+ mDNSv4AddrIsRFC1918(&m->AdvertisedV4.ip.v4) && newRR->nta && !mDNSAddrIsRFC1918(&newRR->nta->Addr) &&
+ newRR->AutoTarget == Target_AutoHostAndNATMAP)
+ {
+ DomainAuthInfo *AuthInfo;
+ AuthInfo = GetAuthInfoForName(m, newRR->resrec.name);
+ if (AuthInfo && AuthInfo->AutoTunnel)
+ {
+ domainname *t = GetRRDomainNameTarget(&newRR->resrec);
+ LogMsg("RecordRegistrationGotZoneData: ERROR!! AutoTunnel has Target_AutoHostAndNATMAP for %s", ARDisplayString(m, newRR));
+ if (t) t->c[0] = 0;
+ newRR->resrec.rdlength = newRR->resrec.rdestimate = 0;
+ newRR->state = regState_NoTarget;
+ CancelGetZoneData(m, newRR->nta);
+ newRR->nta = mDNSNULL;
+ return;
+ }
+ // During network transitions, we are called multiple times in different states. Setup NAT
+ // state just once for this record.
+ if (!newRR->NATinfo.clientContext)
+ {
+ LogInfo("RecordRegistrationGotZoneData StartRecordNatMap %s", ARDisplayString(m, newRR));
+ newRR->state = regState_NATMap;
+ StartRecordNatMap(m, newRR);
+ return;
+ }
+ else LogInfo("RecordRegistrationGotZoneData: StartRecordNatMap for %s, state %d, context %p", ARDisplayString(m, newRR), newRR->state, newRR->NATinfo.clientContext);
+ }
+ mDNS_Lock(m);
+ // We want IsRecordMergeable to check whether it is a record whose update can be
+ // sent with others. We set the time before we call IsRecordMergeable, so that
+ // it does not fail this record based on time. We are interested in other checks
+ // at this time. If a previous update resulted in error, then don't reset the
+ // interval. Preserve the back-off so that we don't keep retrying aggressively.
+ if (newRR->updateError == mStatus_NoError)
+ {
+ newRR->ThisAPInterval = INIT_RECORD_REG_INTERVAL;
+ newRR->LastAPTime = m->timenow - INIT_RECORD_REG_INTERVAL;
+ }
+ if (IsRecordMergeable(m, newRR, m->timenow + MERGE_DELAY_TIME))
+ {
+ // Delay the record registration by MERGE_DELAY_TIME so that we can merge them
+ // into one update
+ LogInfo("RecordRegistrationGotZoneData: Delayed registration for %s", ARDisplayString(m, newRR));
+ newRR->LastAPTime += MERGE_DELAY_TIME;
+ }
+ mDNS_Unlock(m);
+}
+
+mDNSlocal void SendRecordDeregistration(mDNS *m, AuthRecord *rr)
+{
+ mDNSu8 *ptr = m->omsg.data;
+ mDNSu8 *limit;
+ DomainAuthInfo *AuthInfo;
+
+ mDNS_CheckLock(m);
+
+ if (!rr->nta || mDNSIPv4AddressIsZero(rr->nta->Addr.ip.v4))
+ {
+ LogMsg("SendRecordDeRegistration: No zone info for Resource record %s RecordType %d", ARDisplayString(m, rr), rr->resrec.RecordType);
+ return;
+ }
+
+ limit = ptr + AbsoluteMaxDNSMessageData;
+ AuthInfo = GetAuthInfoForName_internal(m, rr->resrec.name);
+ limit -= RRAdditionalSize(m, AuthInfo);
+
+ rr->updateid = mDNS_NewMessageID(m);
+ InitializeDNSMessage(&m->omsg.h, rr->updateid, UpdateReqFlags);
+
+ // set zone
+ ptr = putZone(&m->omsg, ptr, limit, rr->zone, mDNSOpaque16fromIntVal(rr->resrec.rrclass));
+ if (!ptr) goto exit;
+
+ ptr = BuildUpdateMessage(m, ptr, rr, limit);
+
+ if (!ptr) goto exit;
+
+ if (rr->Private)
+ {
+ LogInfo("SendRecordDeregistration TCP %p %s", rr->tcp, ARDisplayString(m, rr));
+ if (rr->tcp) LogInfo("SendRecordDeregistration: Disposing existing TCP connection for %s", ARDisplayString(m, rr));
+ if (rr->tcp) { DisposeTCPConn(rr->tcp); rr->tcp = mDNSNULL; }
+ if (!rr->nta) { LogMsg("SendRecordDeregistration:Private:ERROR!! nta is NULL for %s", ARDisplayString(m, rr)); return; }
+ rr->tcp = MakeTCPConn(m, &m->omsg, ptr, kTCPSocketFlags_UseTLS, &rr->nta->Addr, rr->nta->Port, &rr->nta->Host, mDNSNULL, rr);
+ }
+ else
+ {
+ mStatus err;
+ LogInfo("SendRecordDeregistration UDP %s", ARDisplayString(m, rr));
+ if (!rr->nta) { LogMsg("SendRecordDeregistration:ERROR!! nta is NULL for %s", ARDisplayString(m, rr)); return; }
+ err = mDNSSendDNSMessage(m, &m->omsg, ptr, mDNSInterface_Any, mDNSNULL, &rr->nta->Addr, rr->nta->Port, mDNSNULL, GetAuthInfoForName_internal(m, rr->resrec.name), mDNSfalse);
+ if (err) debugf("ERROR: SendRecordDeregistration - mDNSSendDNSMessage - %d", err);
+ //if (rr->state == regState_DeregPending) CompleteDeregistration(m, rr); // Don't touch rr after this
+ }
+ SetRecordRetry(m, rr, 0);
+ return;
+exit:
+ LogMsg("SendRecordDeregistration: Error formatting message for %s", ARDisplayString(m, rr));
+}
+
+mDNSexport mStatus uDNS_DeregisterRecord(mDNS *const m, AuthRecord *const rr)
+{
+ DomainAuthInfo *info;
+
+ LogInfo("uDNS_DeregisterRecord: Resource Record %s, state %d", ARDisplayString(m, rr), rr->state);
+
+ switch (rr->state)
+ {
+ case regState_Refresh:
+ case regState_Pending:
+ case regState_UpdatePending:
+ case regState_Registered: break;
+ case regState_DeregPending: break;
+
+ case regState_NATError:
+ case regState_NATMap:
+ // A record could be in NoTarget to start with if the corresponding SRV record could not find a target.
+ // It is also possible to reenter the NoTarget state when we move to a network with a NAT that has
+ // no {PCP, NAT-PMP, UPnP/IGD} support. In that case before we entered NoTarget, we already deregistered with
+ // the server.
+ case regState_NoTarget:
+ case regState_Unregistered:
+ case regState_Zero:
+ default:
+ LogInfo("uDNS_DeregisterRecord: State %d for %##s type %s", rr->state, rr->resrec.name->c, DNSTypeName(rr->resrec.rrtype));
+ // This function may be called during sleep when there are no sleep proxy servers
+ if (rr->resrec.RecordType == kDNSRecordTypeDeregistering) CompleteDeregistration(m, rr);
+ return mStatus_NoError;
+ }
+
+ // if unsent rdata is queued, free it.
+ //
+ // The data may be queued in QueuedRData or InFlightRData.
+ //
+ // 1) If the record is in Registered state, we store it in InFlightRData and copy the same in "rdata"
+ // *just* before sending the update to the server. Till we get the response, InFlightRData and "rdata"
+ // in the resource record are same. We don't want to free in that case. It will be freed when "rdata"
+ // is freed. If they are not same, the update has not been sent and we should free it here.
+ //
+ // 2) If the record is in UpdatePending state, we queue the update in QueuedRData. When the previous update
+ // comes back from the server, we copy it from QueuedRData to InFlightRData and repeat (1). This implies
+ // that QueuedRData can never be same as "rdata" in the resource record. As long as we have something
+ // left in QueuedRData, we should free it here.
+
+ if (rr->InFlightRData && rr->UpdateCallback)
+ {
+ if (rr->InFlightRData != rr->resrec.rdata)
+ {
+ LogInfo("uDNS_DeregisterRecord: Freeing InFlightRData for %s", ARDisplayString(m, rr));
+ rr->UpdateCallback(m, rr, rr->InFlightRData, rr->InFlightRDLen);
+ rr->InFlightRData = mDNSNULL;
+ }
+ else
+ LogInfo("uDNS_DeregisterRecord: InFlightRData same as rdata for %s", ARDisplayString(m, rr));
+ }
+
+ if (rr->QueuedRData && rr->UpdateCallback)
+ {
+ if (rr->QueuedRData == rr->resrec.rdata)
+ LogMsg("uDNS_DeregisterRecord: ERROR!! QueuedRData same as rdata for %s", ARDisplayString(m, rr));
+ else
+ {
+ LogInfo("uDNS_DeregisterRecord: Freeing QueuedRData for %s", ARDisplayString(m, rr));
+ rr->UpdateCallback(m, rr, rr->QueuedRData, rr->QueuedRDLen);
+ rr->QueuedRData = mDNSNULL;
+ }
+ }
+
+ // If a current group registration is pending, we can't send this deregisration till that registration
+ // has reached the server i.e., the ordering is important. Previously, if we did not send this
+ // registration in a group, then the previous connection will be torn down as part of sending the
+ // deregistration. If we send this in a group, we need to locate the resource record that was used
+ // to send this registration and terminate that connection. This means all the updates on that might
+ // be lost (assuming the response is not waiting for us at the socket) and the retry will send the
+ // update again sometime in the near future.
+ //
+ // NOTE: SSL handshake failures normally free the TCP connection immediately. Hence, you may not
+ // find the TCP below there. This case can happen only when tcp is trying to actively retransmit
+ // the request or SSL negotiation taking time i.e resource record is actively trying to get the
+ // message to the server. During that time a deregister has to happen.
+
+ if (!mDNSOpaque16IsZero(rr->updateid))
+ {
+ AuthRecord *anchorRR;
+ mDNSBool found = mDNSfalse;
+ for (anchorRR = m->ResourceRecords; anchorRR; anchorRR = anchorRR->next)
+ {
+ if (AuthRecord_uDNS(rr) && mDNSSameOpaque16(anchorRR->updateid, rr->updateid) && anchorRR->tcp)
+ {
+ LogInfo("uDNS_DeregisterRecord: Found Anchor RR %s terminated", ARDisplayString(m, anchorRR));
+ if (found)
+ LogMsg("uDNS_DeregisterRecord: ERROR: Another anchorRR %s found", ARDisplayString(m, anchorRR));
+ DisposeTCPConn(anchorRR->tcp);
+ anchorRR->tcp = mDNSNULL;
+ found = mDNStrue;
+ }
+ }
+ if (!found) LogInfo("uDNSDeregisterRecord: Cannot find the anchor Resource Record for %s, not an error", ARDisplayString(m, rr));
+ }
+
+ // Retry logic for deregistration should be no different from sending registration the first time.
+ // Currently ThisAPInterval most likely is set to the refresh interval
+ rr->state = regState_DeregPending;
+ rr->ThisAPInterval = INIT_RECORD_REG_INTERVAL;
+ rr->LastAPTime = m->timenow - INIT_RECORD_REG_INTERVAL;
+ info = GetAuthInfoForName_internal(m, rr->resrec.name);
+ if (IsRecordMergeable(m, rr, m->timenow + MERGE_DELAY_TIME))
+ {
+ // Delay the record deregistration by MERGE_DELAY_TIME so that we can merge them
+ // into one update. If the domain is being deleted, delay by 2 * MERGE_DELAY_TIME
+ // so that we can merge all the AutoTunnel records and the service records in
+ // one update (they get deregistered a little apart)
+ if (info && info->deltime) rr->LastAPTime += (2 * MERGE_DELAY_TIME);
+ else rr->LastAPTime += MERGE_DELAY_TIME;
+ }
+ // IsRecordMergeable could have returned false for several reasons e.g., DontMerge is set or
+ // no zone information. Most likely it is the latter, CheckRecordUpdates will fetch the zone
+ // data when it encounters this record.
+
+ if (m->NextuDNSEvent - (rr->LastAPTime + rr->ThisAPInterval) >= 0)
+ m->NextuDNSEvent = (rr->LastAPTime + rr->ThisAPInterval);
+
+ return mStatus_NoError;
+}
+
+mDNSexport mStatus uDNS_UpdateRecord(mDNS *m, AuthRecord *rr)
+{
+ LogInfo("uDNS_UpdateRecord: Resource Record %##s, state %d", rr->resrec.name->c, rr->state);
+ switch(rr->state)
+ {
+ case regState_DeregPending:
+ case regState_Unregistered:
+ // not actively registered
+ goto unreg_error;
+
+ case regState_NATMap:
+ case regState_NoTarget:
+ // change rdata directly since it hasn't been sent yet
+ if (rr->UpdateCallback) rr->UpdateCallback(m, rr, rr->resrec.rdata, rr->resrec.rdlength);
+ SetNewRData(&rr->resrec, rr->NewRData, rr->newrdlength);
+ rr->NewRData = mDNSNULL;
+ return mStatus_NoError;
+
+ case regState_Pending:
+ case regState_Refresh:
+ case regState_UpdatePending:
+ // registration in-flight. queue rdata and return
+ if (rr->QueuedRData && rr->UpdateCallback)
+ // if unsent rdata is already queued, free it before we replace it
+ rr->UpdateCallback(m, rr, rr->QueuedRData, rr->QueuedRDLen);
+ rr->QueuedRData = rr->NewRData;
+ rr->QueuedRDLen = rr->newrdlength;
+ rr->NewRData = mDNSNULL;
+ return mStatus_NoError;
+
+ case regState_Registered:
+ rr->OrigRData = rr->resrec.rdata;
+ rr->OrigRDLen = rr->resrec.rdlength;
+ rr->InFlightRData = rr->NewRData;
+ rr->InFlightRDLen = rr->newrdlength;
+ rr->NewRData = mDNSNULL;
+ rr->state = regState_UpdatePending;
+ rr->ThisAPInterval = INIT_RECORD_REG_INTERVAL;
+ rr->LastAPTime = m->timenow - INIT_RECORD_REG_INTERVAL;
+ SetNextuDNSEvent(m, rr);
+ return mStatus_NoError;
+
+ case regState_NATError:
+ LogMsg("ERROR: uDNS_UpdateRecord called for record %##s with bad state regState_NATError", rr->resrec.name->c);
+ return mStatus_UnknownErr; // states for service records only
+
+ default: LogMsg("uDNS_UpdateRecord: Unknown state %d for %##s", rr->state, rr->resrec.name->c);
+ }
+
+unreg_error:
+ LogMsg("uDNS_UpdateRecord: Requested update of record %##s type %d, in erroneous state %d",
+ rr->resrec.name->c, rr->resrec.rrtype, rr->state);
+ return mStatus_Invalid;
+}
+
+// ***************************************************************************
+#if COMPILER_LIKES_PRAGMA_MARK
+#pragma mark - Periodic Execution Routines
+#endif
+
+mDNSlocal void handle_unanswered_query(mDNS *const m)
+{
+ DNSQuestion *q = m->CurrentQuestion;
+
+ if (q->unansweredQueries >= MAX_DNSSEC_UNANSWERED_QUERIES && DNSSECOptionalQuestion(q))
+ {
+ // If we are not receiving any responses for DNSSEC question, it could be due to
+ // a broken middlebox or a DNS server that does not understand the EDNS0/DOK option that
+ // silently drops the packets. Also as per RFC 5625 there are certain buggy DNS Proxies
+ // that are known to drop these pkts. To handle this, we turn off sending the EDNS0/DOK
+ // option if we have not received any responses indicating that the server or
+ // the middlebox is DNSSEC aware. If we receive at least one response to a DNSSEC
+ // question, we don't turn off validation. Also, we wait for MAX_DNSSEC_RETRANSMISSIONS
+ // before turning off validation to accomodate packet loss.
+ //
+ // Note: req_DO affects only DNSSEC_VALIDATION_SECURE_OPTIONAL questions;
+ // DNSSEC_VALIDATION_SECURE questions ignores req_DO.
+
+ if (q->qDNSServer && !q->qDNSServer->DNSSECAware && q->qDNSServer->req_DO)
+ {
+ q->qDNSServer->retransDO++;
+ if (q->qDNSServer->retransDO == MAX_DNSSEC_RETRANSMISSIONS)
+ {
+ LogInfo("handle_unanswered_query: setting req_DO false for %#a", &q->qDNSServer->addr);
+ q->qDNSServer->req_DO = mDNSfalse;
+ }
+ }
+
+ if (!q->qDNSServer->req_DO)
+ {
+ q->ValidationState = DNSSECValNotRequired;
+ q->ValidationRequired = DNSSEC_VALIDATION_NONE;
+
+ if (q->ProxyQuestion)
+ q->ProxyDNSSECOK = mDNSfalse;
+ LogInfo("handle_unanswered_query: unanswered query for %##s (%s), so turned off validation for %#a",
+ q->qname.c, DNSTypeName(q->qtype), &q->qDNSServer->addr);
+ }
+ }
+}
+
+// The question to be checked is not passed in as an explicit parameter;
+// instead it is implicit that the question to be checked is m->CurrentQuestion.
+mDNSexport void uDNS_CheckCurrentQuestion(mDNS *const m)
+{
+ DNSQuestion *q = m->CurrentQuestion;
+ if (m->timenow - NextQSendTime(q) < 0) return;
+
+ if (q->LongLived)
+ {
+ switch (q->state)
+ {
+ case LLQ_InitialRequest: startLLQHandshake(m, q); break;
+ case LLQ_SecondaryRequest:
+ // For PrivateQueries, we need to start the handshake again as we don't do the Challenge/Response step
+ if (PrivateQuery(q))
+ startLLQHandshake(m, q);
+ else
+ sendChallengeResponse(m, q, mDNSNULL);
+ break;
+ case LLQ_Established: sendLLQRefresh(m, q); break;
+ case LLQ_Poll: break; // Do nothing (handled below)
+ }
+ }
+
+ handle_unanswered_query(m);
+ // We repeat the check above (rather than just making this the "else" case) because startLLQHandshake can change q->state to LLQ_Poll
+ if (!(q->LongLived && q->state != LLQ_Poll))
+ {
+ if (q->unansweredQueries >= MAX_UCAST_UNANSWERED_QUERIES)
+ {
+ DNSServer *orig = q->qDNSServer;
+ if (orig)
+ LogInfo("uDNS_CheckCurrentQuestion: Sent %d unanswered queries for %##s (%s) to %#a:%d (%##s)",
+ q->unansweredQueries, q->qname.c, DNSTypeName(q->qtype), &orig->addr, mDNSVal16(orig->port), orig->domain.c);
+
+ PenalizeDNSServer(m, q, zeroID);
+ q->noServerResponse = 1;
+ }
+ // There are two cases here.
+ //
+ // 1. We have only one DNS server for this question. It is not responding even after we sent MAX_UCAST_UNANSWERED_QUERIES.
+ // In that case, we need to keep retrying till we get a response. But we need to backoff as we retry. We set
+ // noServerResponse in the block above and below we do not touch the question interval. When we come here, we
+ // already waited for the response. We need to send another query right at this moment. We do that below by
+ // reinitializing dns servers and reissuing the query.
+ //
+ // 2. We have more than one DNS server. If at least one server did not respond, we would have set noServerResponse
+ // either now (the last server in the list) or before (non-last server in the list). In either case, if we have
+ // reached the end of DNS server list, we need to try again from the beginning. Ideally we should try just the
+ // servers that did not respond, but for simplicity we try all the servers. Once we reached the end of list, we
+ // set triedAllServersOnce so that we don't try all the servers aggressively. See PenalizeDNSServer.
+ if (!q->qDNSServer && q->noServerResponse)
+ {
+ DNSServer *new;
+ DNSQuestion *qptr;
+ q->triedAllServersOnce = 1;
+ // Re-initialize all DNS servers for this question. If we have a DNSServer, DNSServerChangeForQuestion will
+ // handle all the work including setting the new DNS server.
+ SetValidDNSServers(m, q);
+ new = GetServerForQuestion(m, q);
+ if (new)
+ {
+ LogInfo("uDNS_checkCurrentQuestion: Retrying question %p %##s (%s) DNS Server %#a:%d ThisQInterval %d",
+ q, q->qname.c, DNSTypeName(q->qtype), new ? &new->addr : mDNSNULL, mDNSVal16(new ? new->port : zeroIPPort), q->ThisQInterval);
+ DNSServerChangeForQuestion(m, q, new);
+ }
+ for (qptr = q->next ; qptr; qptr = qptr->next)
+ if (qptr->DuplicateOf == q) { qptr->validDNSServers = q->validDNSServers; qptr->qDNSServer = q->qDNSServer; }
+ }
+ if (q->qDNSServer && q->qDNSServer->teststate != DNSServer_Disabled)
+ {
+ mDNSu8 *end = m->omsg.data;
+ mStatus err = mStatus_NoError;
+ mDNSBool private = mDNSfalse;
+
+ InitializeDNSMessage(&m->omsg.h, q->TargetQID, (DNSSECQuestion(q) ? DNSSecQFlags : uQueryFlags));
+
+ if (q->qDNSServer->teststate != DNSServer_Untested || NoTestQuery(q))
+ {
+ end = putQuestion(&m->omsg, m->omsg.data, m->omsg.data + AbsoluteMaxDNSMessageData, &q->qname, q->qtype, q->qclass);
+ if (DNSSECQuestion(q) && !q->qDNSServer->cellIntf)
+ {
+ if (q->ProxyQuestion)
+ end = DNSProxySetAttributes(q, &m->omsg.h, &m->omsg, end, m->omsg.data + AbsoluteMaxDNSMessageData);
+ else
+ end = putDNSSECOption(&m->omsg, end, m->omsg.data + AbsoluteMaxDNSMessageData);
+ }
+ private = PrivateQuery(q);
+ }
+ else if (m->timenow - q->qDNSServer->lasttest >= INIT_UCAST_POLL_INTERVAL) // Make sure at least three seconds has elapsed since last test query
+ {
+ LogInfo("Sending DNS test query to %#a:%d", &q->qDNSServer->addr, mDNSVal16(q->qDNSServer->port));
+ q->ThisQInterval = INIT_UCAST_POLL_INTERVAL / QuestionIntervalStep;
+ q->qDNSServer->lasttest = m->timenow;
+ end = putQuestion(&m->omsg, m->omsg.data, m->omsg.data + AbsoluteMaxDNSMessageData, DNSRelayTestQuestion, kDNSType_PTR, kDNSClass_IN);
+ q->qDNSServer->testid = m->omsg.h.id;
+ }
+
+ if (end > m->omsg.data && (q->qDNSServer->teststate != DNSServer_Failed || NoTestQuery(q)))
+ {
+ //LogMsg("uDNS_CheckCurrentQuestion %p %d %p %##s (%s)", q, NextQSendTime(q) - m->timenow, private, q->qname.c, DNSTypeName(q->qtype));
+ if (private)
+ {
+ if (q->nta) CancelGetZoneData(m, q->nta);
+ q->nta = StartGetZoneData(m, &q->qname, q->LongLived ? ZoneServiceLLQ : ZoneServiceQuery, PrivateQueryGotZoneData, q);
+ if (q->state == LLQ_Poll) q->ThisQInterval = (LLQ_POLL_INTERVAL + mDNSRandom(LLQ_POLL_INTERVAL/10)) / QuestionIntervalStep;
+ }
+ else
+ {
+ debugf("uDNS_CheckCurrentQuestion sending %p %##s (%s) %#a:%d UnansweredQueries %d",
+ q, q->qname.c, DNSTypeName(q->qtype),
+ q->qDNSServer ? &q->qDNSServer->addr : mDNSNULL, mDNSVal16(q->qDNSServer ? q->qDNSServer->port : zeroIPPort), q->unansweredQueries);
+ if (!q->LocalSocket)
+ {
+ q->LocalSocket = mDNSPlatformUDPSocket(m, zeroIPPort);
+ if (q->LocalSocket)
+ mDNSPlatformSetDelegatePID(q->LocalSocket, &q->qDNSServer->addr, q);
+ }
+ if (!q->LocalSocket) err = mStatus_NoMemoryErr; // If failed to make socket (should be very rare), we'll try again next time
+ else err = mDNSSendDNSMessage(m, &m->omsg, end, q->qDNSServer->interface, q->LocalSocket, &q->qDNSServer->addr, q->qDNSServer->port, mDNSNULL, mDNSNULL, q->UseBackgroundTrafficClass);
+ }
+ }
+
+ if (err != mStatus_TransientErr) // if it is not a transient error backoff and DO NOT flood queries unnecessarily
+ {
+ q->ThisQInterval = q->ThisQInterval * QuestionIntervalStep; // Only increase interval if send succeeded
+ q->unansweredQueries++;
+ if (q->ThisQInterval > MAX_UCAST_POLL_INTERVAL)
+ q->ThisQInterval = MAX_UCAST_POLL_INTERVAL;
+ if (private && q->state != LLQ_Poll)
+ {
+ // We don't want to retransmit too soon. Hence, we always schedule our first
+ // retransmisson at 3 seconds rather than one second
+ if (q->ThisQInterval < (3 * mDNSPlatformOneSecond))
+ q->ThisQInterval = q->ThisQInterval * QuestionIntervalStep;
+ if (q->ThisQInterval > LLQ_POLL_INTERVAL)
+ q->ThisQInterval = LLQ_POLL_INTERVAL;
+ LogInfo("uDNS_CheckCurrentQuestion: private non polling question for %##s (%s) will be retried in %d ms", q->qname.c, DNSTypeName(q->qtype), q->ThisQInterval);
+ }
+ if (q->qDNSServer->cellIntf)
+ {
+ // We don't want to retransmit too soon. Schedule our first retransmisson at
+ // MIN_UCAST_RETRANS_TIMEOUT seconds.
+ if (q->ThisQInterval < MIN_UCAST_RETRANS_TIMEOUT)
+ q->ThisQInterval = MIN_UCAST_RETRANS_TIMEOUT;
+ }
+ debugf("uDNS_CheckCurrentQuestion: Increased ThisQInterval to %d for %##s (%s), cell %d", q->ThisQInterval, q->qname.c, DNSTypeName(q->qtype), q->qDNSServer->cellIntf);
+ }
+ q->LastQTime = m->timenow;
+ SetNextQueryTime(m, q);
+ }
+ else
+ {
+ // If we have no server for this query, or the only server is a disabled one, then we deliver
+ // a transient failure indication to the client. This is important for things like iPhone
+ // where we want to return timely feedback to the user when no network is available.
+ // After calling MakeNegativeCacheRecord() we store the resulting record in the
+ // cache so that it will be visible to other clients asking the same question.
+ // (When we have a group of identical questions, only the active representative of the group gets
+ // passed to uDNS_CheckCurrentQuestion -- we only want one set of query packets hitting the wire --
+ // but we want *all* of the questions to get answer callbacks.)
+ CacheRecord *rr;
+ const mDNSu32 slot = HashSlot(&q->qname);
+ CacheGroup *const cg = CacheGroupForName(m, slot, q->qnamehash, &q->qname);
+
+ if (!q->qDNSServer)
+ {
+ if (!mDNSOpaque64IsZero(&q->validDNSServers))
+ LogMsg("uDNS_CheckCurrentQuestion: ERROR!!: valid DNSServer bits not zero 0x%x, 0x%x for question %##s (%s)",
+ q->validDNSServers.l[1], q->validDNSServers.l[0], q->qname.c, DNSTypeName(q->qtype));
+ // If we reached the end of list while picking DNS servers, then we don't want to deactivate the
+ // question. Try after 60 seconds. We find this by looking for valid DNSServers for this question,
+ // if we find any, then we must have tried them before we came here. This avoids maintaining
+ // another state variable to see if we had valid DNS servers for this question.
+ SetValidDNSServers(m, q);
+ if (mDNSOpaque64IsZero(&q->validDNSServers))
+ {
+ LogInfo("uDNS_CheckCurrentQuestion: no DNS server for %##s (%s)", q->qname.c, DNSTypeName(q->qtype));
+ q->ThisQInterval = 0;
+ }
+ else
+ {
+ DNSQuestion *qptr;
+ // Pretend that we sent this question. As this is an ActiveQuestion, the NextScheduledQuery should
+ // be set properly. Also, we need to properly backoff in cases where we don't set the question to
+ // MaxQuestionInterval when we answer the question e.g., LongLived, we need to keep backing off
+ q->ThisQInterval = q->ThisQInterval * QuestionIntervalStep;
+ q->LastQTime = m->timenow;
+ SetNextQueryTime(m, q);
+ // Pick a new DNS server now. Otherwise, when the cache is 80% of its expiry, we will try
+ // to send a query and come back to the same place here and log the above message.
+ q->qDNSServer = GetServerForQuestion(m, q);
+ for (qptr = q->next ; qptr; qptr = qptr->next)
+ if (qptr->DuplicateOf == q) { qptr->validDNSServers = q->validDNSServers; qptr->qDNSServer = q->qDNSServer; }
+ LogInfo("uDNS_checkCurrentQuestion: Tried all DNS servers, retry question %p SuppressUnusable %d %##s (%s) with DNS Server %#a:%d after 60 seconds, ThisQInterval %d",
+ q, q->SuppressUnusable, q->qname.c, DNSTypeName(q->qtype),
+ q->qDNSServer ? &q->qDNSServer->addr : mDNSNULL, mDNSVal16(q->qDNSServer ? q->qDNSServer->port : zeroIPPort), q->ThisQInterval);
+ }
+ }
+ else
+ {
+ q->ThisQInterval = 0;
+ LogMsg("uDNS_CheckCurrentQuestion DNS server %#a:%d for %##s is disabled", &q->qDNSServer->addr, mDNSVal16(q->qDNSServer->port), q->qname.c);
+ }
+
+ if (cg)
+ {
+ for (rr = cg->members; rr; rr=rr->next)
+ {
+ if (SameNameRecordAnswersQuestion(&rr->resrec, q))
+ {
+ LogInfo("uDNS_CheckCurrentQuestion: Purged resourcerecord %s", CRDisplayString(m, rr));
+ mDNS_PurgeCacheResourceRecord(m, rr);
+ }
+ }
+ }
+ // For some of the WAB queries that we generate form within the mDNSResponder, most of the home routers
+ // don't understand and return ServFail/NXDomain. In those cases, we don't want to try too often. We try
+ // every fifteen minutes in that case
+ MakeNegativeCacheRecord(m, &m->rec.r, &q->qname, q->qnamehash, q->qtype, q->qclass, (DomainEnumQuery(&q->qname) ? 60 * 15 : 60), mDNSInterface_Any, q->qDNSServer);
+ q->unansweredQueries = 0;
+ if (!mDNSOpaque16IsZero(q->responseFlags))
+ m->rec.r.responseFlags = q->responseFlags;
+ // We're already using the m->CurrentQuestion pointer, so CacheRecordAdd can't use it to walk the question list.
+ // To solve this problem we set rr->DelayDelivery to a nonzero value (which happens to be 'now') so that we
+ // momentarily defer generating answer callbacks until mDNS_Execute time.
+ CreateNewCacheEntry(m, slot, cg, NonZeroTime(m->timenow), mDNStrue, mDNSNULL);
+ ScheduleNextCacheCheckTime(m, slot, NonZeroTime(m->timenow));
+ m->rec.r.responseFlags = zeroID;
+ m->rec.r.resrec.RecordType = 0; // Clear RecordType to show we're not still using it
+ // MUST NOT touch m->CurrentQuestion (or q) after this -- client callback could have deleted it
+ }
+ }
+}
+
+mDNSexport void CheckNATMappings(mDNS *m)
+{
+ mStatus err = mStatus_NoError;
+ mDNSBool rfc1918 = mDNSv4AddrIsRFC1918(&m->AdvertisedV4.ip.v4);
+ mDNSBool HaveRoutable = !rfc1918 && !mDNSIPv4AddressIsZero(m->AdvertisedV4.ip.v4);
+ m->NextScheduledNATOp = m->timenow + 0x3FFFFFFF;
+
+ if (HaveRoutable) m->ExtAddress = m->AdvertisedV4.ip.v4;
+
+ if (m->NATTraversals && rfc1918) // Do we need to open a socket to receive multicast announcements from router?
+ {
+ if (m->NATMcastRecvskt == mDNSNULL) // If we are behind a NAT and the socket hasn't been opened yet, open it
+ {
+ // we need to log a message if we can't get our socket, but only the first time (after success)
+ static mDNSBool needLog = mDNStrue;
+ m->NATMcastRecvskt = mDNSPlatformUDPSocket(m, NATPMPAnnouncementPort);
+ if (!m->NATMcastRecvskt)
+ {
+ if (needLog)
+ {
+ LogMsg("CheckNATMappings: Failed to allocate port 5350 UDP multicast socket for PCP & NAT-PMP announcements");
+ needLog = mDNSfalse;
+ }
+ }
+ else
+ needLog = mDNStrue;
+ }
+ }
+ else // else, we don't want to listen for announcements, so close them if they're open
+ {
+ if (m->NATMcastRecvskt) { mDNSPlatformUDPClose(m->NATMcastRecvskt); m->NATMcastRecvskt = mDNSNULL; }
+ if (m->SSDPSocket) { debugf("CheckNATMappings destroying SSDPSocket %p", &m->SSDPSocket); mDNSPlatformUDPClose(m->SSDPSocket); m->SSDPSocket = mDNSNULL; }
+ }
+
+ uDNS_RequestAddress(m);
+
+ if (m->CurrentNATTraversal) LogMsg("WARNING m->CurrentNATTraversal already in use");
+ m->CurrentNATTraversal = m->NATTraversals;
+
+ while (m->CurrentNATTraversal)
+ {
+ NATTraversalInfo *cur = m->CurrentNATTraversal;
+ mDNSv4Addr EffectiveAddress = HaveRoutable ? m->AdvertisedV4.ip.v4 : cur->NewAddress;
+ m->CurrentNATTraversal = m->CurrentNATTraversal->next;
+
+ if (HaveRoutable) // If not RFC 1918 address, our own address and port are effectively our external address and port
+ {
+ cur->ExpiryTime = 0;
+ cur->NewResult = mStatus_NoError;
+ }
+ else // Check if it's time to send port mapping packet(s)
+ {
+ if (m->timenow - cur->retryPortMap >= 0) // Time to send a mapping request for this packet
+ {
+ if (cur->ExpiryTime && cur->ExpiryTime - m->timenow < 0) // Mapping has expired
+ {
+ cur->ExpiryTime = 0;
+ cur->retryInterval = NATMAP_INIT_RETRY;
+ }
+
+ err = uDNS_SendNATMsg(m, cur, mDNStrue); // Will also do UPnP discovery for us, if necessary
+
+ if (cur->ExpiryTime) // If have active mapping then set next renewal time halfway to expiry
+ NATSetNextRenewalTime(m, cur);
+ else // else no mapping; use exponential backoff sequence
+ {
+ if (cur->retryInterval < NATMAP_INIT_RETRY ) cur->retryInterval = NATMAP_INIT_RETRY;
+ else if (cur->retryInterval < NATMAP_MAX_RETRY_INTERVAL / 2) cur->retryInterval *= 2;
+ else cur->retryInterval = NATMAP_MAX_RETRY_INTERVAL;
+ cur->retryPortMap = m->timenow + cur->retryInterval;
+ }
+ }
+
+ if (m->NextScheduledNATOp - cur->retryPortMap > 0)
+ {
+ m->NextScheduledNATOp = cur->retryPortMap;
+ }
+ }
+
+ // Notify the client if necessary. We invoke the callback if:
+ // (1) We have an effective address,
+ // or we've tried and failed a couple of times to discover it
+ // AND
+ // (2) the client requested the address only,
+ // or the client won't need a mapping because we have a routable address,
+ // or the client has an expiry time and therefore a successful mapping,
+ // or we've tried and failed a couple of times (see "Time line" below)
+ // AND
+ // (3) we have new data to give the client that's changed since the last callback
+ //
+ // Time line is: Send, Wait 500ms, Send, Wait 1sec, Send, Wait 2sec, Send
+ // At this point we've sent three requests without an answer, we've just sent our fourth request,
+ // retryInterval is now 4 seconds, which is greater than NATMAP_INIT_RETRY * 8 (2 seconds),
+ // so we return an error result to the caller.
+ if (!mDNSIPv4AddressIsZero(EffectiveAddress) || cur->retryInterval > NATMAP_INIT_RETRY * 8)
+ {
+ const mStatus EffectiveResult = cur->NewResult ? cur->NewResult : mDNSv4AddrIsRFC1918(&EffectiveAddress) ? mStatus_DoubleNAT : mStatus_NoError;
+ const mDNSIPPort ExternalPort = HaveRoutable ? cur->IntPort :
+ !mDNSIPv4AddressIsZero(EffectiveAddress) && cur->ExpiryTime ? cur->RequestedPort : zeroIPPort;
+
+ if (!cur->Protocol || HaveRoutable || cur->ExpiryTime || cur->retryInterval > NATMAP_INIT_RETRY * 8)
+ {
+ if (!mDNSSameIPv4Address(cur->ExternalAddress, EffectiveAddress) ||
+ !mDNSSameIPPort (cur->ExternalPort, ExternalPort) ||
+ cur->Result != EffectiveResult)
+ {
+ //LogMsg("NAT callback %d %d %d", cur->Protocol, cur->ExpiryTime, cur->retryInterval);
+ if (cur->Protocol && mDNSIPPortIsZero(ExternalPort) && !mDNSIPv4AddressIsZero(m->Router.ip.v4))
+ {
+ if (!EffectiveResult)
+ LogInfo("CheckNATMapping: Failed to obtain NAT port mapping %p from router %#a external address %.4a internal port %5d interval %d error %d",
+ cur, &m->Router, &EffectiveAddress, mDNSVal16(cur->IntPort), cur->retryInterval, EffectiveResult);
+ else
+ LogMsg("CheckNATMapping: Failed to obtain NAT port mapping %p from router %#a external address %.4a internal port %5d interval %d error %d",
+ cur, &m->Router, &EffectiveAddress, mDNSVal16(cur->IntPort), cur->retryInterval, EffectiveResult);
+ }
+
+ cur->ExternalAddress = EffectiveAddress;
+ cur->ExternalPort = ExternalPort;
+ cur->Lifetime = cur->ExpiryTime && !mDNSIPPortIsZero(ExternalPort) ?
+ (cur->ExpiryTime - m->timenow + mDNSPlatformOneSecond/2) / mDNSPlatformOneSecond : 0;
+ cur->Result = EffectiveResult;
+ mDNS_DropLockBeforeCallback(); // Allow client to legally make mDNS API calls from the callback
+ if (cur->clientCallback)
+ cur->clientCallback(m, cur);
+ mDNS_ReclaimLockAfterCallback(); // Decrement mDNS_reentrancy to block mDNS API calls again
+ // MUST NOT touch cur after invoking the callback
+ }
+ }
+ }
+ }
+}
+
+mDNSlocal mDNSs32 CheckRecordUpdates(mDNS *m)
+{
+ AuthRecord *rr;
+ mDNSs32 nextevent = m->timenow + 0x3FFFFFFF;
+
+ CheckGroupRecordUpdates(m);
+
+ for (rr = m->ResourceRecords; rr; rr = rr->next)
+ {
+ if (!AuthRecord_uDNS(rr)) continue;
+ if (rr->state == regState_NoTarget) {debugf("CheckRecordUpdates: Record %##s in NoTarget", rr->resrec.name->c); continue;}
+ // While we are waiting for the port mapping, we have nothing to do. The port mapping callback
+ // will take care of this
+ if (rr->state == regState_NATMap) {debugf("CheckRecordUpdates: Record %##s in NATMap", rr->resrec.name->c); continue;}
+ if (rr->state == regState_Pending || rr->state == regState_DeregPending || rr->state == regState_UpdatePending ||
+ rr->state == regState_Refresh || rr->state == regState_Registered)
+ {
+ if (rr->LastAPTime + rr->ThisAPInterval - m->timenow <= 0)
+ {
+ if (rr->tcp) { DisposeTCPConn(rr->tcp); rr->tcp = mDNSNULL; }
+ if (!rr->nta || mDNSIPv4AddressIsZero(rr->nta->Addr.ip.v4))
+ {
+ // Zero out the updateid so that if we have a pending response from the server, it won't
+ // be accepted as a valid response. If we accept the response, we might free the new "nta"
+ if (rr->nta) { rr->updateid = zeroID; CancelGetZoneData(m, rr->nta); }
+ rr->nta = StartGetZoneData(m, rr->resrec.name, ZoneServiceUpdate, RecordRegistrationGotZoneData, rr);
+
+ // We have just started the GetZoneData. We need to wait for it to finish. SetRecordRetry here
+ // schedules the update timer to fire in the future.
+ //
+ // There are three cases.
+ //
+ // 1) When the updates are sent the first time, the first retry is intended to be at three seconds
+ // in the future. But by calling SetRecordRetry here we set it to nine seconds. But it does not
+ // matter because when the answer comes back, RecordRegistrationGotZoneData resets the interval
+ // back to INIT_RECORD_REG_INTERVAL. This also gives enough time for the query.
+ //
+ // 2) In the case of update errors (updateError), this causes further backoff as
+ // RecordRegistrationGotZoneData does not reset the timer. This is intentional as in the case of
+ // errors, we don't want to update aggressively.
+ //
+ // 3) We might be refreshing the update. This is very similar to case (1). RecordRegistrationGotZoneData
+ // resets it back to INIT_RECORD_REG_INTERVAL.
+ //
+ SetRecordRetry(m, rr, 0);
+ }
+ else if (rr->state == regState_DeregPending) SendRecordDeregistration(m, rr);
+ else SendRecordRegistration(m, rr);
+ }
+ }
+ if (nextevent - (rr->LastAPTime + rr->ThisAPInterval) > 0)
+ nextevent = (rr->LastAPTime + rr->ThisAPInterval);
+ }
+ return nextevent;
+}
+
+mDNSexport void uDNS_Tasks(mDNS *const m)
+{
+ mDNSs32 nexte;
+ DNSServer *d;
+
+ m->NextuDNSEvent = m->timenow + 0x3FFFFFFF;
+
+ nexte = CheckRecordUpdates(m);
+ if (m->NextuDNSEvent - nexte > 0)
+ m->NextuDNSEvent = nexte;
+
+ for (d = m->DNSServers; d; d=d->next)
+ if (d->penaltyTime)
+ {
+ if (m->timenow - d->penaltyTime >= 0)
+ {
+ LogInfo("DNS server %#a:%d out of penalty box", &d->addr, mDNSVal16(d->port));
+ d->penaltyTime = 0;
+ }
+ else
+ if (m->NextuDNSEvent - d->penaltyTime > 0)
+ m->NextuDNSEvent = d->penaltyTime;
+ }
+
+ if (m->CurrentQuestion)
+ LogMsg("uDNS_Tasks ERROR m->CurrentQuestion already set: %##s (%s)", m->CurrentQuestion->qname.c, DNSTypeName(m->CurrentQuestion->qtype));
+ m->CurrentQuestion = m->Questions;
+ while (m->CurrentQuestion && m->CurrentQuestion != m->NewQuestions)
+ {
+ DNSQuestion *const q = m->CurrentQuestion;
+ if (ActiveQuestion(q) && !mDNSOpaque16IsZero(q->TargetQID))
+ {
+ uDNS_CheckCurrentQuestion(m);
+ if (q == m->CurrentQuestion)
+ if (m->NextuDNSEvent - NextQSendTime(q) > 0)
+ m->NextuDNSEvent = NextQSendTime(q);
+ }
+ // If m->CurrentQuestion wasn't modified out from under us, advance it now
+ // We can't do this at the start of the loop because uDNS_CheckCurrentQuestion()
+ // depends on having m->CurrentQuestion point to the right question
+ if (m->CurrentQuestion == q)
+ m->CurrentQuestion = q->next;
+ }
+ m->CurrentQuestion = mDNSNULL;
+}
+
+// ***************************************************************************
+#if COMPILER_LIKES_PRAGMA_MARK
+#pragma mark - Startup, Shutdown, and Sleep
+#endif
+
+mDNSexport void SleepRecordRegistrations(mDNS *m)
+{
+ AuthRecord *rr;
+ for (rr = m->ResourceRecords; rr; rr=rr->next)
+ {
+ if (AuthRecord_uDNS(rr))
+ {
+ // Zero out the updateid so that if we have a pending response from the server, it won't
+ // be accepted as a valid response.
+ if (rr->nta) { rr->updateid = zeroID; CancelGetZoneData(m, rr->nta); rr->nta = mDNSNULL; }
+
+ if (rr->NATinfo.clientContext)
+ {
+ mDNS_StopNATOperation_internal(m, &rr->NATinfo);
+ rr->NATinfo.clientContext = mDNSNULL;
+ }
+ // We are waiting to update the resource record. The original data of the record is
+ // in OrigRData and the updated value is in InFlightRData. Free the old and the new
+ // one will be registered when we come back.
+ if (rr->state == regState_UpdatePending)
+ {
+ // act as if the update succeeded, since we're about to delete the name anyway
+ rr->state = regState_Registered;
+ // deallocate old RData
+ if (rr->UpdateCallback) rr->UpdateCallback(m, rr, rr->OrigRData, rr->OrigRDLen);
+ SetNewRData(&rr->resrec, rr->InFlightRData, rr->InFlightRDLen);
+ rr->OrigRData = mDNSNULL;
+ rr->InFlightRData = mDNSNULL;
+ }
+
+ // If we have not begun the registration process i.e., never sent a registration packet,
+ // then uDNS_DeregisterRecord will not send a deregistration
+ uDNS_DeregisterRecord(m, rr);
+
+ // When we wake, we call ActivateUnicastRegistration which starts at StartGetZoneData
+ }
+ }
+}
+
+mDNSexport void mDNS_AddSearchDomain(const domainname *const domain, mDNSInterfaceID InterfaceID)
+{
+ SearchListElem **p;
+ SearchListElem *tmp = mDNSNULL;
+
+ // Check to see if we already have this domain in our list
+ for (p = &SearchList; *p; p = &(*p)->next)
+ if (((*p)->InterfaceID == InterfaceID) && SameDomainName(&(*p)->domain, domain))
+ {
+ // If domain is already in list, and marked for deletion, unmark the delete
+ // Be careful not to touch the other flags that may be present
+ LogInfo("mDNS_AddSearchDomain already in list %##s", domain->c);
+ if ((*p)->flag & SLE_DELETE) (*p)->flag &= ~SLE_DELETE;
+ tmp = *p;
+ *p = tmp->next;
+ tmp->next = mDNSNULL;
+ break;
+ }
+
+
+ // move to end of list so that we maintain the same order
+ while (*p) p = &(*p)->next;
+
+ if (tmp) *p = tmp;
+ else
+ {
+ // if domain not in list, add to list, mark as add (1)
+ *p = mDNSPlatformMemAllocate(sizeof(SearchListElem));
+ if (!*p) { LogMsg("ERROR: mDNS_AddSearchDomain - malloc"); return; }
+ mDNSPlatformMemZero(*p, sizeof(SearchListElem));
+ AssignDomainName(&(*p)->domain, domain);
+ (*p)->next = mDNSNULL;
+ (*p)->InterfaceID = InterfaceID;
+ LogInfo("mDNS_AddSearchDomain created new %##s, InterfaceID %p", domain->c, InterfaceID);
+ }
+}
+
+mDNSlocal void FreeARElemCallback(mDNS *const m, AuthRecord *const rr, mStatus result)
+{
+ (void)m; // unused
+ if (result == mStatus_MemFree) mDNSPlatformMemFree(rr->RecordContext);
+}
+
+mDNSlocal void FoundDomain(mDNS *const m, DNSQuestion *question, const ResourceRecord *const answer, QC_result AddRecord)
+{
+ SearchListElem *slElem = question->QuestionContext;
+ mStatus err;
+ const char *name;
+
+ if (answer->rrtype != kDNSType_PTR) return;
+ if (answer->RecordType == kDNSRecordTypePacketNegative) return;
+ if (answer->InterfaceID == mDNSInterface_LocalOnly) return;
+
+ if (question == &slElem->BrowseQ) name = mDNS_DomainTypeNames[mDNS_DomainTypeBrowse];
+ else if (question == &slElem->DefBrowseQ) name = mDNS_DomainTypeNames[mDNS_DomainTypeBrowseDefault];
+ else if (question == &slElem->AutomaticBrowseQ) name = mDNS_DomainTypeNames[mDNS_DomainTypeBrowseAutomatic];
+ else if (question == &slElem->RegisterQ) name = mDNS_DomainTypeNames[mDNS_DomainTypeRegistration];
+ else if (question == &slElem->DefRegisterQ) name = mDNS_DomainTypeNames[mDNS_DomainTypeRegistrationDefault];
+ else { LogMsg("FoundDomain - unknown question"); return; }
+
+ LogInfo("FoundDomain: %p %s %s Q %##s A %s", answer->InterfaceID, AddRecord ? "Add" : "Rmv", name, question->qname.c, RRDisplayString(m, answer));
+
+ if (AddRecord)
+ {
+ ARListElem *arElem = mDNSPlatformMemAllocate(sizeof(ARListElem));
+ if (!arElem) { LogMsg("ERROR: FoundDomain out of memory"); return; }
+ mDNS_SetupResourceRecord(&arElem->ar, mDNSNULL, mDNSInterface_LocalOnly, kDNSType_PTR, 7200, kDNSRecordTypeShared, AuthRecordLocalOnly, FreeARElemCallback, arElem);
+ MakeDomainNameFromDNSNameString(&arElem->ar.namestorage, name);
+ AppendDNSNameString (&arElem->ar.namestorage, "local");
+ AssignDomainName(&arElem->ar.resrec.rdata->u.name, &answer->rdata->u.name);
+ LogInfo("FoundDomain: Registering %s", ARDisplayString(m, &arElem->ar));
+ err = mDNS_Register(m, &arElem->ar);
+ if (err) { LogMsg("ERROR: FoundDomain - mDNS_Register returned %d", err); mDNSPlatformMemFree(arElem); return; }
+ arElem->next = slElem->AuthRecs;
+ slElem->AuthRecs = arElem;
+ }
+ else
+ {
+ ARListElem **ptr = &slElem->AuthRecs;
+ while (*ptr)
+ {
+ if (SameDomainName(&(*ptr)->ar.resrec.rdata->u.name, &answer->rdata->u.name))
+ {
+ ARListElem *dereg = *ptr;
+ *ptr = (*ptr)->next;
+ LogInfo("FoundDomain: Deregistering %s", ARDisplayString(m, &dereg->ar));
+ err = mDNS_Deregister(m, &dereg->ar);
+ if (err) LogMsg("ERROR: FoundDomain - mDNS_Deregister returned %d", err);
+ // Memory will be freed in the FreeARElemCallback
+ }
+ else
+ ptr = &(*ptr)->next;
+ }
+ }
+}
+
+#if APPLE_OSX_mDNSResponder && MACOSX_MDNS_MALLOC_DEBUGGING
+mDNSexport void udns_validatelists(void *const v)
+{
+ mDNS *const m = v;
+
+ NATTraversalInfo *n;
+ for (n = m->NATTraversals; n; n=n->next)
+ if (n->next == (NATTraversalInfo *)~0 || n->clientCallback == (NATTraversalClientCallback) ~0)
+ LogMemCorruption("m->NATTraversals: %p is garbage", n);
+
+ DNSServer *d;
+ for (d = m->DNSServers; d; d=d->next)
+ if (d->next == (DNSServer *)~0 || d->teststate > DNSServer_Disabled)
+ LogMemCorruption("m->DNSServers: %p is garbage (%d)", d, d->teststate);
+
+ DomainAuthInfo *info;
+ for (info = m->AuthInfoList; info; info = info->next)
+ if (info->next == (DomainAuthInfo *)~0)
+ LogMemCorruption("m->AuthInfoList: %p is garbage", info);
+
+ HostnameInfo *hi;
+ for (hi = m->Hostnames; hi; hi = hi->next)
+ if (hi->next == (HostnameInfo *)~0 || hi->StatusCallback == (mDNSRecordCallback*)~0)
+ LogMemCorruption("m->Hostnames: %p is garbage", n);
+
+ SearchListElem *ptr;
+ for (ptr = SearchList; ptr; ptr = ptr->next)
+ if (ptr->next == (SearchListElem *)~0 || ptr->AuthRecs == (void*)~0)
+ LogMemCorruption("SearchList: %p is garbage (%X)", ptr, ptr->AuthRecs);
+}
+#endif
+
+// This should probably move to the UDS daemon -- the concept of legacy clients and automatic registration / automatic browsing
+// is really a UDS API issue, not something intrinsic to uDNS
+
+mDNSlocal void uDNS_DeleteWABQueries(mDNS *const m, SearchListElem *ptr, int delete)
+{
+ const char *name1 = mDNSNULL;
+ const char *name2 = mDNSNULL;
+ ARListElem **arList = &ptr->AuthRecs;
+ domainname namestorage1, namestorage2;
+ mStatus err;
+
+ // "delete" parameter indicates the type of query.
+ switch (delete)
+ {
+ case UDNS_WAB_BROWSE_QUERY:
+ mDNS_StopGetDomains(m, &ptr->BrowseQ);
+ mDNS_StopGetDomains(m, &ptr->DefBrowseQ);
+ name1 = mDNS_DomainTypeNames[mDNS_DomainTypeBrowse];
+ name2 = mDNS_DomainTypeNames[mDNS_DomainTypeBrowseDefault];
+ break;
+ case UDNS_WAB_LBROWSE_QUERY:
+ mDNS_StopGetDomains(m, &ptr->AutomaticBrowseQ);
+ name1 = mDNS_DomainTypeNames[mDNS_DomainTypeBrowseAutomatic];
+ break;
+ case UDNS_WAB_REG_QUERY:
+ mDNS_StopGetDomains(m, &ptr->RegisterQ);
+ mDNS_StopGetDomains(m, &ptr->DefRegisterQ);
+ name1 = mDNS_DomainTypeNames[mDNS_DomainTypeRegistration];
+ name2 = mDNS_DomainTypeNames[mDNS_DomainTypeRegistrationDefault];
+ break;
+ default:
+ LogMsg("uDNS_DeleteWABQueries: ERROR!! returning from default");
+ return;
+ }
+ // When we get the results to the domain enumeration queries, we add a LocalOnly
+ // entry. For example, if we issue a domain enumeration query for b._dns-sd._udp.xxxx.com,
+ // and when we get a response, we add a LocalOnly entry b._dns-sd._udp.local whose RDATA
+ // points to what we got in the response. Locate the appropriate LocalOnly entries and delete
+ // them.
+ if (name1)
+ {
+ MakeDomainNameFromDNSNameString(&namestorage1, name1);
+ AppendDNSNameString(&namestorage1, "local");
+ }
+ if (name2)
+ {
+ MakeDomainNameFromDNSNameString(&namestorage2, name2);
+ AppendDNSNameString(&namestorage2, "local");
+ }
+ while (*arList)
+ {
+ ARListElem *dereg = *arList;
+ if ((name1 && SameDomainName(&dereg->ar.namestorage, &namestorage1)) ||
+ (name2 && SameDomainName(&dereg->ar.namestorage, &namestorage2)))
+ {
+ LogInfo("uDNS_DeleteWABQueries: Deregistering PTR %##s -> %##s", dereg->ar.resrec.name->c, dereg->ar.resrec.rdata->u.name.c);
+ *arList = dereg->next;
+ err = mDNS_Deregister(m, &dereg->ar);
+ if (err) LogMsg("uDNS_DeleteWABQueries:: ERROR!! mDNS_Deregister returned %d", err);
+ // Memory will be freed in the FreeARElemCallback
+ }
+ else
+ {
+ LogInfo("uDNS_DeleteWABQueries: Skipping PTR %##s -> %##s", dereg->ar.resrec.name->c, dereg->ar.resrec.rdata->u.name.c);
+ arList = &(*arList)->next;
+ }
+ }
+}
+
+mDNSexport void uDNS_SetupWABQueries(mDNS *const m)
+{
+ SearchListElem **p = &SearchList, *ptr;
+ mStatus err;
+ int action = 0;
+
+ // step 1: mark each element for removal
+ for (ptr = SearchList; ptr; ptr = ptr->next)
+ ptr->flag |= SLE_DELETE;
+
+ // Make sure we have the search domains from the platform layer so that if we start the WAB
+ // queries below, we have the latest information.
+ mDNS_Lock(m);
+ if (!mDNSPlatformSetDNSConfig(m, mDNSfalse, mDNStrue, mDNSNULL, mDNSNULL, mDNSNULL, mDNSfalse))
+ {
+ // If the configuration did not change, clear the flag so that we don't free the searchlist.
+ // We still have to start the domain enumeration queries as we may not have started them
+ // before.
+ for (ptr = SearchList; ptr; ptr = ptr->next)
+ ptr->flag &= ~SLE_DELETE;
+ LogInfo("uDNS_SetupWABQueries: No config change");
+ }
+ mDNS_Unlock(m);
+
+ if (m->WABBrowseQueriesCount)
+ action |= UDNS_WAB_BROWSE_QUERY;
+ if (m->WABLBrowseQueriesCount)
+ action |= UDNS_WAB_LBROWSE_QUERY;
+ if (m->WABRegQueriesCount)
+ action |= UDNS_WAB_REG_QUERY;
+
+
+ // delete elems marked for removal, do queries for elems marked add
+ while (*p)
+ {
+ ptr = *p;
+ LogInfo("uDNS_SetupWABQueries:action 0x%x: Flags 0x%x, AuthRecs %p, InterfaceID %p %##s", action, ptr->flag, ptr->AuthRecs, ptr->InterfaceID, ptr->domain.c);
+ // If SLE_DELETE is set, stop all the queries, deregister all the records and free the memory.
+ // Otherwise, check to see what the "action" requires. If a particular action bit is not set and
+ // we have started the corresponding queries as indicated by the "flags", stop those queries and
+ // deregister the records corresponding to them.
+ if ((ptr->flag & SLE_DELETE) ||
+ (!(action & UDNS_WAB_BROWSE_QUERY) && (ptr->flag & SLE_WAB_BROWSE_QUERY_STARTED)) ||
+ (!(action & UDNS_WAB_LBROWSE_QUERY) && (ptr->flag & SLE_WAB_LBROWSE_QUERY_STARTED)) ||
+ (!(action & UDNS_WAB_REG_QUERY) && (ptr->flag & SLE_WAB_REG_QUERY_STARTED)))
+ {
+ if (ptr->flag & SLE_DELETE)
+ {
+ ARListElem *arList = ptr->AuthRecs;
+ ptr->AuthRecs = mDNSNULL;
+ *p = ptr->next;
+
+ // If the user has "local" in their DNS searchlist, we ignore that for the purposes of domain enumeration queries
+ // We suppressed the domain enumeration for scoped search domains below. When we enable that
+ // enable this.
+ if ((ptr->flag & SLE_WAB_BROWSE_QUERY_STARTED) &&
+ !SameDomainName(&ptr->domain, &localdomain) && (ptr->InterfaceID == mDNSInterface_Any))
+ {
+ LogInfo("uDNS_SetupWABQueries: DELETE Browse for domain %##s", ptr->domain.c);
+ mDNS_StopGetDomains(m, &ptr->BrowseQ);
+ mDNS_StopGetDomains(m, &ptr->DefBrowseQ);
+ }
+ if ((ptr->flag & SLE_WAB_LBROWSE_QUERY_STARTED) &&
+ !SameDomainName(&ptr->domain, &localdomain) && (ptr->InterfaceID == mDNSInterface_Any))
+ {
+ LogInfo("uDNS_SetupWABQueries: DELETE Legacy Browse for domain %##s", ptr->domain.c);
+ mDNS_StopGetDomains(m, &ptr->AutomaticBrowseQ);
+ }
+ if ((ptr->flag & SLE_WAB_REG_QUERY_STARTED) &&
+ !SameDomainName(&ptr->domain, &localdomain) && (ptr->InterfaceID == mDNSInterface_Any))
+ {
+ LogInfo("uDNS_SetupWABQueries: DELETE Registration for domain %##s", ptr->domain.c);
+ mDNS_StopGetDomains(m, &ptr->RegisterQ);
+ mDNS_StopGetDomains(m, &ptr->DefRegisterQ);
+ }
+
+ mDNSPlatformMemFree(ptr);
+
+ // deregister records generated from answers to the query
+ while (arList)
+ {
+ ARListElem *dereg = arList;
+ arList = arList->next;
+ LogInfo("uDNS_SetupWABQueries: DELETE Deregistering PTR %##s -> %##s", dereg->ar.resrec.name->c, dereg->ar.resrec.rdata->u.name.c);
+ err = mDNS_Deregister(m, &dereg->ar);
+ if (err) LogMsg("uDNS_SetupWABQueries:: ERROR!! mDNS_Deregister returned %d", err);
+ // Memory will be freed in the FreeARElemCallback
+ }
+ continue;
+ }
+
+ // If the user has "local" in their DNS searchlist, we ignore that for the purposes of domain enumeration queries
+ // We suppressed the domain enumeration for scoped search domains below. When we enable that
+ // enable this.
+ if (!(action & UDNS_WAB_BROWSE_QUERY) && (ptr->flag & SLE_WAB_BROWSE_QUERY_STARTED) &&
+ !SameDomainName(&ptr->domain, &localdomain) && (ptr->InterfaceID == mDNSInterface_Any))
+ {
+ LogInfo("uDNS_SetupWABQueries: Deleting Browse for domain %##s", ptr->domain.c);
+ ptr->flag &= ~SLE_WAB_BROWSE_QUERY_STARTED;
+ uDNS_DeleteWABQueries(m, ptr, UDNS_WAB_BROWSE_QUERY);
+ }
+
+ if (!(action & UDNS_WAB_LBROWSE_QUERY) && (ptr->flag & SLE_WAB_LBROWSE_QUERY_STARTED) &&
+ !SameDomainName(&ptr->domain, &localdomain) && (ptr->InterfaceID == mDNSInterface_Any))
+ {
+ LogInfo("uDNS_SetupWABQueries: Deleting Legacy Browse for domain %##s", ptr->domain.c);
+ ptr->flag &= ~SLE_WAB_LBROWSE_QUERY_STARTED;
+ uDNS_DeleteWABQueries(m, ptr, UDNS_WAB_LBROWSE_QUERY);
+ }
+
+ if (!(action & UDNS_WAB_REG_QUERY) && (ptr->flag & SLE_WAB_REG_QUERY_STARTED) &&
+ !SameDomainName(&ptr->domain, &localdomain) && (ptr->InterfaceID == mDNSInterface_Any))
+ {
+ LogInfo("uDNS_SetupWABQueries: Deleting Registration for domain %##s", ptr->domain.c);
+ ptr->flag &= ~SLE_WAB_REG_QUERY_STARTED;
+ uDNS_DeleteWABQueries(m, ptr, UDNS_WAB_REG_QUERY);
+ }
+
+ // Fall through to handle the ADDs
+ }
+
+ if ((action & UDNS_WAB_BROWSE_QUERY) && !(ptr->flag & SLE_WAB_BROWSE_QUERY_STARTED))
+ {
+ // If the user has "local" in their DNS searchlist, we ignore that for the purposes of domain enumeration queries.
+ // Also, suppress the domain enumeration for scoped search domains for now until there is a need.
+ if (!SameDomainName(&ptr->domain, &localdomain) && (ptr->InterfaceID == mDNSInterface_Any))
+ {
+ mStatus err1, err2;
+ err1 = mDNS_GetDomains(m, &ptr->BrowseQ, mDNS_DomainTypeBrowse, &ptr->domain, ptr->InterfaceID, FoundDomain, ptr);
+ if (err1)
+ {
+ LogMsg("uDNS_SetupWABQueries: GetDomains for domain %##s returned error(s):\n"
+ "%d (mDNS_DomainTypeBrowse)\n", ptr->domain.c, err1);
+ }
+ else
+ {
+ LogInfo("uDNS_SetupWABQueries: Starting Browse for domain %##s", ptr->domain.c);
+ }
+ err2 = mDNS_GetDomains(m, &ptr->DefBrowseQ, mDNS_DomainTypeBrowseDefault, &ptr->domain, ptr->InterfaceID, FoundDomain, ptr);
+ if (err2)
+ {
+ LogMsg("uDNS_SetupWABQueries: GetDomains for domain %##s returned error(s):\n"
+ "%d (mDNS_DomainTypeBrowseDefault)\n", ptr->domain.c, err2);
+ }
+ else
+ {
+ LogInfo("uDNS_SetupWABQueries: Starting Default Browse for domain %##s", ptr->domain.c);
+ }
+ // For simplicity, we mark a single bit for denoting that both the browse queries have started.
+ // It is not clear as to why one would fail to start and the other would succeed in starting up.
+ // If that happens, we will try to stop both the queries and one of them won't be in the list and
+ // it is not a hard error.
+ if (!err1 || !err2)
+ {
+ ptr->flag |= SLE_WAB_BROWSE_QUERY_STARTED;
+ }
+ }
+ }
+ if ((action & UDNS_WAB_LBROWSE_QUERY) && !(ptr->flag & SLE_WAB_LBROWSE_QUERY_STARTED))
+ {
+ // If the user has "local" in their DNS searchlist, we ignore that for the purposes of domain enumeration queries.
+ // Also, suppress the domain enumeration for scoped search domains for now until there is a need.
+ if (!SameDomainName(&ptr->domain, &localdomain) && (ptr->InterfaceID == mDNSInterface_Any))
+ {
+ mStatus err1;
+ err1 = mDNS_GetDomains(m, &ptr->AutomaticBrowseQ, mDNS_DomainTypeBrowseAutomatic, &ptr->domain, ptr->InterfaceID, FoundDomain, ptr);
+ if (err1)
+ {
+ LogMsg("uDNS_SetupWABQueries: GetDomains for domain %##s returned error(s):\n"
+ "%d (mDNS_DomainTypeBrowseAutomatic)\n",
+ ptr->domain.c, err1);
+ }
+ else
+ {
+ ptr->flag |= SLE_WAB_LBROWSE_QUERY_STARTED;
+ LogInfo("uDNS_SetupWABQueries: Starting Legacy Browse for domain %##s", ptr->domain.c);
+ }
+ }
+ }
+ if ((action & UDNS_WAB_REG_QUERY) && !(ptr->flag & SLE_WAB_REG_QUERY_STARTED))
+ {
+ // If the user has "local" in their DNS searchlist, we ignore that for the purposes of domain enumeration queries.
+ // Also, suppress the domain enumeration for scoped search domains for now until there is a need.
+ if (!SameDomainName(&ptr->domain, &localdomain) && (ptr->InterfaceID == mDNSInterface_Any))
+ {
+ mStatus err1, err2;
+ err1 = mDNS_GetDomains(m, &ptr->RegisterQ, mDNS_DomainTypeRegistration, &ptr->domain, ptr->InterfaceID, FoundDomain, ptr);
+ if (err1)
+ {
+ LogMsg("uDNS_SetupWABQueries: GetDomains for domain %##s returned error(s):\n"
+ "%d (mDNS_DomainTypeRegistration)\n", ptr->domain.c, err1);
+ }
+ else
+ {
+ LogInfo("uDNS_SetupWABQueries: Starting Registration for domain %##s", ptr->domain.c);
+ }
+ err2 = mDNS_GetDomains(m, &ptr->DefRegisterQ, mDNS_DomainTypeRegistrationDefault, &ptr->domain, ptr->InterfaceID, FoundDomain, ptr);
+ if (err2)
+ {
+ LogMsg("uDNS_SetupWABQueries: GetDomains for domain %##s returned error(s):\n"
+ "%d (mDNS_DomainTypeRegistrationDefault)", ptr->domain.c, err2);
+ }
+ else
+ {
+ LogInfo("uDNS_SetupWABQueries: Starting Default Registration for domain %##s", ptr->domain.c);
+ }
+ if (!err1 || !err2)
+ {
+ ptr->flag |= SLE_WAB_REG_QUERY_STARTED;
+ }
+ }
+ }
+
+ p = &ptr->next;
+ }
+}
+
+// mDNS_StartWABQueries is called once per API invocation where normally
+// one of the bits is set.
+mDNSexport void uDNS_StartWABQueries(mDNS *const m, int queryType)
+{
+ if (queryType & UDNS_WAB_BROWSE_QUERY)
+ {
+ m->WABBrowseQueriesCount++;
+ LogInfo("uDNS_StartWABQueries: Browse query count %d", m->WABBrowseQueriesCount);
+ }
+ if (queryType & UDNS_WAB_LBROWSE_QUERY)
+ {
+ m->WABLBrowseQueriesCount++;
+ LogInfo("uDNS_StartWABQueries: Legacy Browse query count %d", m->WABLBrowseQueriesCount);
+ }
+ if (queryType & UDNS_WAB_REG_QUERY)
+ {
+ m->WABRegQueriesCount++;
+ LogInfo("uDNS_StartWABQueries: Reg query count %d", m->WABRegQueriesCount);
+ }
+ uDNS_SetupWABQueries(m);
+}
+
+// mDNS_StopWABQueries is called once per API invocation where normally
+// one of the bits is set.
+mDNSexport void uDNS_StopWABQueries(mDNS *const m, int queryType)
+{
+ if (queryType & UDNS_WAB_BROWSE_QUERY)
+ {
+ m->WABBrowseQueriesCount--;
+ LogInfo("uDNS_StopWABQueries: Browse query count %d", m->WABBrowseQueriesCount);
+ }
+ if (queryType & UDNS_WAB_LBROWSE_QUERY)
+ {
+ m->WABLBrowseQueriesCount--;
+ LogInfo("uDNS_StopWABQueries: Legacy Browse query count %d", m->WABLBrowseQueriesCount);
+ }
+ if (queryType & UDNS_WAB_REG_QUERY)
+ {
+ m->WABRegQueriesCount--;
+ LogInfo("uDNS_StopWABQueries: Reg query count %d", m->WABRegQueriesCount);
+ }
+ uDNS_SetupWABQueries(m);
+}
+
+mDNSexport domainname *uDNS_GetNextSearchDomain(mDNS *const m, mDNSInterfaceID InterfaceID, mDNSs8 *searchIndex, mDNSBool ignoreDotLocal)
+{
+ SearchListElem *p = SearchList;
+ int count = *searchIndex;
+ (void) m; // unused
+
+ if (count < 0) { LogMsg("uDNS_GetNextSearchDomain: count %d less than zero", count); return mDNSNULL; }
+
+ // Skip the domains that we already looked at before. Guard against "p"
+ // being NULL. When search domains change we may not set the SearchListIndex
+ // of the question to zero immediately e.g., domain enumeration query calls
+ // uDNS_SetupWABQueries which reads in the new search domain but does not
+ // restart the questions immediately. Questions are restarted as part of
+ // network change and hence temporarily SearchListIndex may be out of range.
+
+ for (; count && p; count--)
+ p = p->next;
+
+ while (p)
+ {
+ int labels = CountLabels(&p->domain);
+ if (labels > 0)
+ {
+ const domainname *d = SkipLeadingLabels(&p->domain, labels - 1);
+ if (SameDomainLabel(d->c, (const mDNSu8 *)"\x4" "arpa"))
+ {
+ LogInfo("uDNS_GetNextSearchDomain: skipping search domain %##s, InterfaceID %p", p->domain.c, p->InterfaceID);
+ (*searchIndex)++;
+ p = p->next;
+ continue;
+ }
+ if (ignoreDotLocal && SameDomainLabel(d->c, (const mDNSu8 *)"\x5" "local"))
+ {
+ LogInfo("uDNS_GetNextSearchDomain: skipping local domain %##s, InterfaceID %p", p->domain.c, p->InterfaceID);
+ (*searchIndex)++;
+ p = p->next;
+ continue;
+ }
+ }
+ // Point to the next one in the list which we will look at next time.
+ (*searchIndex)++;
+ // When we are appending search domains in a ActiveDirectory domain, the question's InterfaceID
+ // set to mDNSInterface_Unicast. Match the unscoped entries in that case.
+ if (((InterfaceID == mDNSInterface_Unicast) && (p->InterfaceID == mDNSInterface_Any)) ||
+ p->InterfaceID == InterfaceID)
+ {
+ LogInfo("uDNS_GetNextSearchDomain returning domain %##s, InterfaceID %p", p->domain.c, p->InterfaceID);
+ return &p->domain;
+ }
+ LogInfo("uDNS_GetNextSearchDomain skipping domain %##s, InterfaceID %p", p->domain.c, p->InterfaceID);
+ p = p->next;
+ }
+ return mDNSNULL;
+}
+
+mDNSlocal void FlushAddressCacheRecords(mDNS *const m)
+{
+ mDNSu32 slot;
+ CacheGroup *cg;
+ CacheRecord *cr;
+ FORALL_CACHERECORDS(slot, cg, cr)
+ {
+ if (cr->resrec.InterfaceID) continue;
+
+ // If a resource record can answer A or AAAA, they need to be flushed so that we will
+ // deliver an ADD or RMV
+ if (RRTypeAnswersQuestionType(&cr->resrec, kDNSType_A) ||
+ RRTypeAnswersQuestionType(&cr->resrec, kDNSType_AAAA))
+ {
+ LogInfo("FlushAddressCacheRecords: Purging Resourcerecord %s", CRDisplayString(m, cr));
+ mDNS_PurgeCacheResourceRecord(m, cr);
+ }
+ }
+}
+
+// Retry questions which has seach domains appended
+mDNSexport void RetrySearchDomainQuestions(mDNS *const m)
+{
+ DNSQuestion *q;
+ mDNSBool found = mDNSfalse;
+
+ // Check to see if there are any questions which needs search domains to be applied.
+ // If there is none, search domains can't possibly affect them.
+ for (q = m->Questions; q; q = q->next)
+ {
+ if (q->AppendSearchDomains)
+ {
+ found = mDNStrue;
+ break;
+ }
+ }
+ if (!found)
+ {
+ LogInfo("RetrySearchDomainQuestions: Questions with AppendSearchDomain not found");
+ return;
+ }
+ LogInfo("RetrySearchDomainQuestions: Question with AppendSearchDomain found %##s (%s)", q->qname.c, DNSTypeName(q->qtype));
+ // Purge all the A/AAAA cache records and restart the queries. mDNSCoreRestartAddressQueries
+ // does this. When we restart the question, we first want to try the new search domains rather
+ // than use the entries that is already in the cache. When we appended search domains, we might
+ // have created cache entries which is no longer valid as there are new search domains now
+ mDNSCoreRestartAddressQueries(m, mDNStrue, FlushAddressCacheRecords, mDNSNULL, mDNSNULL);
+}
+
+// Construction of Default Browse domain list (i.e. when clients pass NULL) is as follows:
+// 1) query for b._dns-sd._udp.local on LocalOnly interface
+// (.local manually generated via explicit callback)
+// 2) for each search domain (from prefs pane), query for b._dns-sd._udp.<searchdomain>.
+// 3) for each result from (2), register LocalOnly PTR record b._dns-sd._udp.local. -> <result>
+// 4) result above should generate a callback from question in (1). result added to global list
+// 5) global list delivered to client via GetSearchDomainList()
+// 6) client calls to enumerate domains now go over LocalOnly interface
+// (!!!KRS may add outgoing interface in addition)
+
+struct CompileTimeAssertionChecks_uDNS
+{
+ // Check our structures are reasonable sizes. Including overly-large buffers, or embedding
+ // other overly-large structures instead of having a pointer to them, can inadvertently
+ // cause structure sizes (and therefore memory usage) to balloon unreasonably.
+ char sizecheck_tcpInfo_t [(sizeof(tcpInfo_t) <= 9056) ? 1 : -1];
+ char sizecheck_SearchListElem[(sizeof(SearchListElem) <= 5000) ? 1 : -1];
+};
+
+#else // !UNICAST_DISABLED
+
+mDNSexport const domainname *GetServiceTarget(mDNS *m, AuthRecord *const rr)
+{
+ (void) m;
+ (void) rr;
+
+ return mDNSNULL;
+}
+
+mDNSexport DomainAuthInfo *GetAuthInfoForName_internal(mDNS *m, const domainname *const name)
+{
+ (void) m;
+ (void) name;
+
+ return mDNSNULL;
+}
+
+mDNSexport DomainAuthInfo *GetAuthInfoForQuestion(mDNS *m, const DNSQuestion *const q)
+{
+ (void) m;
+ (void) q;
+
+ return mDNSNULL;
+}
+
+mDNSexport void startLLQHandshake(mDNS *m, DNSQuestion *q)
+{
+ (void) m;
+ (void) q;
+}
+
+mDNSexport void DisposeTCPConn(struct tcpInfo_t *tcp)
+{
+ (void) tcp;
+}
+
+mDNSexport mStatus mDNS_StartNATOperation_internal(mDNS *m, NATTraversalInfo *traversal)
+{
+ (void) m;
+ (void) traversal;
+
+ return mStatus_UnsupportedErr;
+}
+
+mDNSexport mStatus mDNS_StopNATOperation_internal(mDNS *m, NATTraversalInfo *traversal)
+{
+ (void) m;
+ (void) traversal;
+
+ return mStatus_UnsupportedErr;
+}
+
+mDNSexport void sendLLQRefresh(mDNS *m, DNSQuestion *q)
+{
+ (void) m;
+ (void) q;
+}
+
+mDNSexport ZoneData *StartGetZoneData(mDNS *const m, const domainname *const name, const ZoneService target, ZoneDataCallback callback, void *ZoneDataContext)
+{
+ (void) m;
+ (void) name;
+ (void) target;
+ (void) callback;
+ (void) ZoneDataContext;
+
+ return mDNSNULL;
+}
+
+mDNSexport void RecordRegistrationGotZoneData(mDNS *const m, mStatus err, const ZoneData *zoneData)
+{
+ (void) m;
+ (void) err;
+ (void) zoneData;
+}
+
+mDNSexport uDNS_LLQType uDNS_recvLLQResponse(mDNS *const m, const DNSMessage *const msg, const mDNSu8 *const end,
+ const mDNSAddr *const srcaddr, const mDNSIPPort srcport, DNSQuestion **matchQuestion)
+{
+ (void) m;
+ (void) msg;
+ (void) end;
+ (void) srcaddr;
+ (void) srcport;
+ (void) matchQuestion;
+
+ return uDNS_LLQ_Not;
+}
+
+mDNSexport void PenalizeDNSServer(mDNS *const m, DNSQuestion *q, mDNSOpaque16 responseFlags)
+{
+ (void) m;
+ (void) q;
+ (void) responseFlags;
+}
+
+mDNSexport void mDNS_AddSearchDomain(const domainname *const domain, mDNSInterfaceID InterfaceID)
+{
+ (void) domain;
+ (void) InterfaceID;
+}
+
+mDNSexport void RetrySearchDomainQuestions(mDNS *const m)
+{
+ (void) m;
+}
+
+mDNSexport mStatus mDNS_SetSecretForDomain(mDNS *m, DomainAuthInfo *info, const domainname *domain, const domainname *keyname, const char *b64keydata, const domainname *hostname, mDNSIPPort *port, mDNSBool autoTunnel)
+{
+ (void) m;
+ (void) info;
+ (void) domain;
+ (void) keyname;
+ (void) b64keydata;
+ (void) hostname;
+ (void) port;
+ (void) autoTunnel;
+
+ return mStatus_UnsupportedErr;
+}
+
+mDNSexport domainname *uDNS_GetNextSearchDomain(mDNS *const m, mDNSInterfaceID InterfaceID, mDNSs8 *searchIndex, mDNSBool ignoreDotLocal)
+{
+ (void) m;
+ (void) InterfaceID;
+ (void) searchIndex;
+ (void) ignoreDotLocal;
+
+ return mDNSNULL;
+}
+
+mDNSexport DomainAuthInfo *GetAuthInfoForName(mDNS *m, const domainname *const name)
+{
+ (void) m;
+ (void) name;
+
+ return mDNSNULL;
+}
+
+mDNSexport mStatus mDNS_StartNATOperation(mDNS *const m, NATTraversalInfo *traversal)
+{
+ (void) m;
+ (void) traversal;
+
+ return mStatus_UnsupportedErr;
+}
+
+mDNSexport mStatus mDNS_StopNATOperation(mDNS *const m, NATTraversalInfo *traversal)
+{
+ (void) m;
+ (void) traversal;
+
+ return mStatus_UnsupportedErr;
+}
+
+mDNSexport DNSServer *mDNS_AddDNSServer(mDNS *const m, const domainname *d, const mDNSInterfaceID interface, const mDNSs32 serviceID, const mDNSAddr *addr,
+ const mDNSIPPort port, mDNSu32 scoped, mDNSu32 timeout, mDNSBool cellIntf, mDNSu16 resGroupID, mDNSBool reqA,
+ mDNSBool reqAAAA, mDNSBool reqDO)
+{
+ (void) m;
+ (void) d;
+ (void) interface;
+ (void) serviceID;
+ (void) addr;
+ (void) port;
+ (void) scoped;
+ (void) timeout;
+ (void) cellIntf;
+ (void) resGroupID;
+ (void) reqA;
+ (void) reqAAAA;
+ (void) reqDO;
+
+ return mDNSNULL;
+}
+
+mDNSexport void uDNS_SetupWABQueries(mDNS *const m)
+{
+ (void) m;
+}
+
+mDNSexport void uDNS_StartWABQueries(mDNS *const m, int queryType)
+{
+ (void) m;
+ (void) queryType;
+}
+
+mDNSexport void uDNS_StopWABQueries(mDNS *const m, int queryType)
+{
+ (void) m;
+ (void) queryType;
+}
+
+mDNSexport void mDNS_AddDynDNSHostName(mDNS *m, const domainname *fqdn, mDNSRecordCallback *StatusCallback, const void *StatusContext)
+{
+ (void) m;
+ (void) fqdn;
+ (void) StatusCallback;
+ (void) StatusContext;
+}
+mDNSexport void mDNS_SetPrimaryInterfaceInfo(mDNS *m, const mDNSAddr *v4addr, const mDNSAddr *v6addr, const mDNSAddr *router)
+{
+ (void) m;
+ (void) v4addr;
+ (void) v6addr;
+ (void) router;
+}
+
+mDNSexport void mDNS_RemoveDynDNSHostName(mDNS *m, const domainname *fqdn)
+{
+ (void) m;
+ (void) fqdn;
+}
+
+mDNSexport void RecreateNATMappings(mDNS *const m, const mDNSu32 waitTicks)
+{
+ (void) m;
+ (void) waitTicks;
+}
+
+mDNSexport mDNSBool IsGetZoneDataQuestion(DNSQuestion *q)
+{
+ (void)q;
+
+ return mDNSfalse;
+}
+
+#endif // !UNICAST_DISABLED
diff --git a/mDNSResponder/mDNSCore/uDNS.h b/mDNSResponder/mDNSCore/uDNS.h
new file mode 100755
index 00000000..eca8b701
--- /dev/null
+++ b/mDNSResponder/mDNSCore/uDNS.h
@@ -0,0 +1,151 @@
+/* -*- Mode: C; tab-width: 4 -*-
+ *
+ * Copyright (c) 2002-2013 Apple Computer, Inc. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef __UDNS_H_
+#define __UDNS_H_
+
+#include "mDNSEmbeddedAPI.h"
+#include "DNSCommon.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define RESTART_GOODBYE_DELAY (6 * mDNSPlatformOneSecond) // delay after restarting LLQ before nuking previous known answers (avoids flutter if we restart before we have networking up)
+#define INIT_UCAST_POLL_INTERVAL (3 * mDNSPlatformOneSecond) // this interval is used after send failures on network transitions
+ // which typically heal quickly, so we start agressively and exponentially back off
+#define MAX_UCAST_POLL_INTERVAL (60 * 60 * mDNSPlatformOneSecond)
+//#define MAX_UCAST_POLL_INTERVAL (1 * 60 * mDNSPlatformOneSecond)
+#define LLQ_POLL_INTERVAL (15 * 60 * mDNSPlatformOneSecond) // Polling interval for zones w/ an advertised LLQ port (ie not static zones) if LLQ fails due to NAT, etc.
+#define RESPONSE_WINDOW (60 * mDNSPlatformOneSecond) // require server responses within one minute of request
+#define MAX_DNSSEC_UNANSWERED_QUERIES 1 // number of unanswered queries from any one uDNS server before turning off DNSSEC Validation
+#define MAX_UCAST_UNANSWERED_QUERIES 2 // number of unanswered queries from any one uDNS server before trying another server
+#define DNSSERVER_PENALTY_TIME (60 * mDNSPlatformOneSecond) // number of seconds for which new questions don't pick this server
+
+// On some interfaces, we want to delay the first retransmission to a minimum of 2 seconds
+// rather than the default (1 second).
+#define MIN_UCAST_RETRANS_TIMEOUT (2 * mDNSPlatformOneSecond)
+
+#define DEFAULT_UPDATE_LEASE 7200
+
+#define QuestionIntervalStep 3
+#define QuestionIntervalStep2 (QuestionIntervalStep*QuestionIntervalStep)
+#define QuestionIntervalStep3 (QuestionIntervalStep*QuestionIntervalStep*QuestionIntervalStep)
+#define InitialQuestionInterval ((mDNSPlatformOneSecond + QuestionIntervalStep-1) / QuestionIntervalStep)
+#define MaxQuestionInterval (3600 * mDNSPlatformOneSecond)
+
+// just move to MaxQuestionInterval once over this threshold
+#define QuestionIntervalThreshold (QuestionIntervalStep3 * mDNSPlatformOneSecond)
+
+// For Unicast record registrations, we initialize the interval to 1 second. When we send any query for
+// the record registration e.g., GetZoneData, we always back off by QuestionIntervalStep
+// so that the first retry does not happen until 3 seconds which should be enough for TCP/TLS to be done.
+#define INIT_RECORD_REG_INTERVAL (1 * mDNSPlatformOneSecond)
+#define MAX_RECORD_REG_INTERVAL (15 * 60 * mDNSPlatformOneSecond)
+#define MERGE_DELAY_TIME (1 * mDNSPlatformOneSecond)
+
+// If we are refreshing, we do it at least 5 times with a min update frequency of
+// 5 minutes
+#define MAX_UPDATE_REFRESH_COUNT 5
+#define MIN_UPDATE_REFRESH_TIME (5 * 60 * mDNSPlatformOneSecond)
+
+// For questions that use kDNSServiceFlagsTimeout and we don't have a matching resolver e.g., no dns servers,
+// then use the default value of 30 seconds
+#define DEFAULT_UDNS_TIMEOUT 30 // in seconds
+
+// For questions that are validating responses (q->ValidatingResponse == 1), use 10 seconds
+// which accomodates two DNS servers and two queries per DNS server.
+#define DEFAULT_UDNSSEC_TIMEOUT 10 // in seconds
+
+// If we are sending queries with EDNS0/DO option and we have no indications that the server
+// is DNSSEC aware and we have already reached MAX_DNSSEC_RETRANSMISSIONS, we disable
+// validation (for optional case only) for any questions that uses this server
+#define MAX_DNSSEC_RETRANSMISSIONS 3
+
+// Entry points into unicast-specific routines
+
+extern void LLQGotZoneData(mDNS *const m, mStatus err, const ZoneData *zoneInfo);
+extern void startLLQHandshake(mDNS *m, DNSQuestion *q);
+extern void sendLLQRefresh(mDNS *m, DNSQuestion *q);
+
+extern void SleepRecordRegistrations(mDNS *m);
+
+// uDNS_UpdateRecord
+// following fields must be set, and the update validated, upon entry.
+// rr->NewRData
+// rr->newrdlength
+// rr->UpdateCallback
+
+extern mStatus uDNS_UpdateRecord(mDNS *m, AuthRecord *rr);
+
+extern void SetNextQueryTime(mDNS *const m, const DNSQuestion *const q);
+extern mStatus mDNS_Register_internal(mDNS *const m, AuthRecord *const rr);
+extern mStatus mDNS_Deregister_internal(mDNS *const m, AuthRecord *const rr, mDNS_Dereg_type drt);
+extern mStatus mDNS_StartQuery_internal(mDNS *const m, DNSQuestion *const question);
+extern mStatus mDNS_StopQuery_internal(mDNS *const m, DNSQuestion *const question);
+extern mStatus mDNS_StartNATOperation_internal(mDNS *const m, NATTraversalInfo *traversal);
+
+extern void RecordRegistrationGotZoneData(mDNS *const m, mStatus err, const ZoneData *zoneData);
+extern mStatus uDNS_DeregisterRecord(mDNS *const m, AuthRecord *const rr);
+extern const domainname *GetServiceTarget(mDNS *m, AuthRecord *const rr);
+extern void uDNS_CheckCurrentQuestion(mDNS *const m);
+
+// integer fields of msg header must be in HOST byte order before calling this routine
+extern void uDNS_ReceiveMsg(mDNS *const m, DNSMessage *const msg, const mDNSu8 *const end,
+ const mDNSAddr *const srcaddr, const mDNSIPPort srcport);
+
+extern void uDNS_Tasks(mDNS *const m);
+extern void UpdateAllSRVRecords(mDNS *m);
+extern void CheckNATMappings(mDNS *m);
+
+extern mStatus uDNS_SetupDNSConfig(mDNS *const m);
+
+// uDNS_SetupWABQueries reads search domains from the platform layer and starts the Wide Area Bonjour
+// (WAB) domain enumeration queries if necessary.
+
+#define UDNS_WAB_BROWSE_QUERY 0x00000001 // Browse queries (b, db)
+#define UDNS_WAB_LBROWSE_QUERY 0x00000002 // Browse queries (lb)
+#define UDNS_WAB_REG_QUERY 0x00000004 // Registration queries (r and dr)
+
+extern void uDNS_SetupWABQueries(mDNS *const m);
+extern void uDNS_StartWABQueries(mDNS *const m, int queryType);
+extern void uDNS_StopWABQueries(mDNS *const m, int queryType);
+extern domainname *uDNS_GetNextSearchDomain(mDNS *const m, mDNSInterfaceID InterfaceID, mDNSs8 *searchIndex, mDNSBool ignoreDotLocal);
+
+typedef enum
+{
+ uDNS_LLQ_Not = 0, // Normal uDNS answer: Flush any stale records from cache, and respect record TTL
+ uDNS_LLQ_Ignore, // LLQ initial challenge packet: ignore -- has no useful records for us
+ uDNS_LLQ_Entire, // LLQ initial set of answers: Flush any stale records from cache, but assume TTL is 2 x LLQ refresh interval
+ uDNS_LLQ_Events // LLQ event packet: don't flush cache; assume TTL is 2 x LLQ refresh interval
+} uDNS_LLQType;
+
+extern uDNS_LLQType uDNS_recvLLQResponse(mDNS *const m, const DNSMessage *const msg, const mDNSu8 *const end, const mDNSAddr *const srcaddr, const mDNSIPPort srcport, DNSQuestion **matchQuestion);
+extern DomainAuthInfo *GetAuthInfoForName_internal(mDNS *m, const domainname *const name);
+extern DomainAuthInfo *GetAuthInfoForQuestion(mDNS *m, const DNSQuestion *const q);
+extern void DisposeTCPConn(struct tcpInfo_t *tcp);
+
+// NAT traversal
+extern void uDNS_ReceiveNATPacket(mDNS *m, const mDNSInterfaceID InterfaceID, mDNSu8 *pkt, mDNSu16 len); // Called for each received PCP or NAT-PMP packet
+extern void natTraversalHandleAddressReply(mDNS *const m, mDNSu16 err, mDNSv4Addr ExtAddr);
+extern void natTraversalHandlePortMapReply(mDNS *const m, NATTraversalInfo *n, const mDNSInterfaceID InterfaceID, mDNSu16 err, mDNSIPPort extport, mDNSu32 lease, NATTProtocol protocol);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif // __UDNS_H_