2 * DNS Resolver Module User-space Helper for AFSDB records
4 * Copyright (C) Wang Lei (wang840925@gmail.com) 2010
5 * Authors: Wang Lei (wang840925@gmail.com)
6 * David Howells (dhowells@redhat.com)
8 * This is a userspace tool for querying AFSDB RR records in the DNS on behalf
9 * of the kernel, and converting the VL server addresses to IPv4 format so that
10 * they can be used by the kAFS filesystem.
14 * cc -o key.dns_resolver key.dns_resolver.c -lresolv -lkeyutils
16 * As some function like res_init() should use the static liberary, which is a
17 * bug of libresolv, that is the reason for cifs.upcall to reimplement.
19 * To use this program, you must tell /sbin/request-key how to invoke it. You
20 * need to have the keyutils package installed and something like the following
21 * lines added to your /etc/request-key.conf file:
23 * #OP TYPE DESCRIPTION CALLOUT INFO PROGRAM ARG1 ARG2 ARG3 ...
24 * ====== ============ =========== ============ ==========================
25 * create dns_resolver afsdb:* * /sbin/key.dns_resolver %k
28 * This program is free software; you can redistribute it and/or modify
29 * it under the terms of the GNU General Public License as published by
30 * the Free Software Foundation; either version 2 of the License, or
31 * (at your option) any later version.
33 * This program is distributed in the hope that it will be useful,
34 * but WITHOUT ANY WARRANTY; without even the implied warranty of
35 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
36 * GNU General Public License for more details.
37 * You should have received a copy of the GNU General Public License
38 * along with this program; if not, write to the Free Software
39 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
42 #include <netinet/in.h>
43 #include <arpa/nameser.h>
44 #include <arpa/inet.h>
47 #include <sys/types.h>
48 #include <sys/socket.h>
60 static const char *DNS_PARSE_VERSION = "1.0";
61 static const char prog[] = "key.dns_resolver";
62 static const char key_type[] = "dns_resolver";
63 static const char a_query_type[] = "a";
64 static const char aaaa_query_type[] = "aaaa";
65 static const char afsdb_query_type[] = "afsdb";
66 static key_serial_t key;
68 static int debug_mode;
71 #define MAX_VLS 15 /* Max Volume Location Servers Per-Cell */
72 #define DNS_EXPIRY_PREFIX "expiry_time="
73 #define DNS_EXPIRY_TIME_LEN 10 /* 2^32 - 1 = 4294967295 */
74 #define AFSDB_MAX_DATA_LEN \
75 ((MAX_VLS * (INET6_ADDRSTRLEN + 1)) + sizeof(DNS_EXPIRY_PREFIX) + \
76 DNS_EXPIRY_TIME_LEN + 1 /* '#'*/ + 1 /* end 0 */)
78 #define INET_IP4_ONLY 0x1
79 #define INET_IP6_ONLY 0x2
81 #define ONE_ADDR_ONLY 0x100
82 #define LIST_MULTIPLE_ADDRS 0x200
88 struct iovec payload[N_PAYLOAD];
92 * Print an error to stderr or the syslog, negate the key being created and
95 static __attribute__((format(printf, 1, 2), noreturn))
96 void error(const char *fmt, ...)
102 vfprintf(stderr, fmt, va);
105 vsyslog(LOG_ERR, fmt, va);
110 * on error, negatively instantiate the key ourselves so that we can
111 * make sure the kernel doesn't hang it off of a searchable keyring
112 * and interfere with the next attempt to instantiate the key.
115 keyctl_negate(key, 1, KEY_REQKEY_DEFL_DEFAULT);
120 #define error(FMT, ...) error("Error: " FMT, ##__VA_ARGS__);
123 * Just print an error to stderr or the syslog
125 static __attribute__((format(printf, 1, 2)))
126 void _error(const char *fmt, ...)
132 vfprintf(stderr, fmt, va);
135 vsyslog(LOG_ERR, fmt, va);
141 * Print status information
143 static __attribute__((format(printf, 1, 2)))
144 void info(const char *fmt, ...)
153 fputs("I: ", stdout);
154 vfprintf(stdout, fmt, va);
157 vsyslog(LOG_INFO, fmt, va);
163 * Print a nameserver error and exit
165 static const int ns_errno_map[] = {
167 [HOST_NOT_FOUND] = ENODATA,
168 [TRY_AGAIN] = EAGAIN,
169 [NO_RECOVERY] = ECONNREFUSED,
173 static __attribute__((noreturn))
174 void nsError(int err, const char *domain)
176 unsigned timeout = 1 * 60;
180 fprintf(stderr, "%s: %s.\n", domain, hstrerror(err));
182 syslog(LOG_INFO, "%s: %s", domain, hstrerror(err));
184 if (err >= sizeof(ns_errno_map) / sizeof(ns_errno_map[0]))
187 err = ns_errno_map[err];
189 info("Reject the key with error %d", err);
193 else if (err == ECONNREFUSED)
197 ret = keyctl_reject(key, timeout, err, KEY_REQKEY_DEFL_DEFAULT);
199 error("%s: keyctl_reject: %m", __func__);
205 * Print debugging information
207 static __attribute__((format(printf, 1, 2)))
208 void debug(const char *fmt, ...)
217 fputs("D: ", stdout);
218 vfprintf(stdout, fmt, va);
221 vsyslog(LOG_DEBUG, fmt, va);
227 * Append an address to the payload segment list
229 static void append_address_to_payload(char *p, size_t sz)
233 debug("append '%*.*s'", (int)sz, (int)sz, p);
235 /* discard duplicates */
236 for (loop = 0; loop < payload_index; loop++)
237 if (payload[loop].iov_len == sz &&
238 memcmp(payload[loop].iov_base, p, sz) == 0)
241 if (payload_index != 0) {
242 if (payload_index + 2 > N_PAYLOAD - 1)
244 payload[payload_index ].iov_base = ",";
245 payload[payload_index++].iov_len = 1;
247 if (payload_index + 1 > N_PAYLOAD - 1)
251 payload[payload_index ].iov_base = p;
252 payload[payload_index++].iov_len = sz;
256 * Dump the payload when debugging
258 static void dump_payload(void)
270 for (loop = 0; loop < payload_index; loop++) {
271 n = payload[loop].iov_len;
272 debug("seg[%d]: %zu", loop, n);
276 info("The key instantiation data is empty");
280 debug("total: %zu", plen);
281 buf = malloc(plen + 1);
286 for (loop = 0; loop < payload_index; loop++) {
287 n = payload[loop].iov_len;
288 memcpy(p, payload[loop].iov_base, n);
292 info("The key instantiation data is '%s'", buf);
297 * Perform address resolution on a hostname and add the resulting address as a
298 * string to the list of payload segments.
301 dns_resolver(const char *server_name, unsigned mask)
303 struct addrinfo hints, *addr, *ai;
305 char buf[INET6_ADDRSTRLEN + 1], *seg;
309 debug("Resolve '%s' with %x", server_name, mask);
311 memset(&hints, 0, sizeof(hints));
312 switch (mask & INET_ALL) {
313 case INET_IP4_ONLY: hints.ai_family = AF_INET; debug("IPv4"); break;
314 case INET_IP6_ONLY: hints.ai_family = AF_INET6; debug("IPv6"); break;
318 /* resolve name to ip */
319 ret = getaddrinfo(server_name, NULL, &hints, &addr);
321 info("unable to resolve hostname: %s [%s]",
322 server_name, gai_strerror(ret));
326 debug("getaddrinfo = %d", ret);
328 for (ai = addr; ai; ai = ai->ai_next) {
329 debug("RR: %x,%x,%x,%x,%x,%s",
330 ai->ai_flags, ai->ai_family,
331 ai->ai_socktype, ai->ai_protocol,
332 ai->ai_addrlen, ai->ai_canonname);
334 /* convert address to string */
335 switch (ai->ai_family) {
337 if (!(mask & INET_IP4_ONLY))
339 sa = &(((struct sockaddr_in *)ai->ai_addr)->sin_addr);
340 len = INET_ADDRSTRLEN;
343 if (!(mask & INET_IP6_ONLY))
345 sa = &(((struct sockaddr_in6 *)ai->ai_addr)->sin6_addr);
346 len = INET6_ADDRSTRLEN;
349 debug("Address of unknown family %u", addr->ai_family);
353 if (!inet_ntop(ai->ai_family, sa, buf, len))
354 error("%s: inet_ntop: %m", __func__);
359 error("%s: inet_ntop: %m", __func__);
360 memcpy(seg, buf, slen);
361 append_address_to_payload(seg, slen);
362 if (mask & ONE_ADDR_ONLY)
373 static void afsdb_hosts_to_addrs(char *vllist[],
383 unsigned int ttl = UINT_MAX, rr_ttl;
385 debug("AFSDB RR count is %d", ns_msg_count(handle, section));
387 /* Look at all the resource records in this section. */
388 for (rrnum = 0; rrnum < ns_msg_count(handle, section); rrnum++) {
389 /* Expand the resource record number rrnum into rr. */
390 if (ns_parserr(&handle, section, rrnum, &rr)) {
391 _error("ns_parserr failed : %m");
395 /* We're only interested in AFSDB records */
396 if (ns_rr_type(rr) == ns_t_afsdb) {
397 vllist[*vlsnum] = malloc(MAXDNAME);
398 if (!vllist[*vlsnum])
399 error("Out of memory");
401 subtype = ns_get16(ns_rr_rdata(rr));
403 /* Expand the name server's domain name */
404 if (ns_name_uncompress(ns_msg_base(handle),
409 error("ns_name_uncompress failed");
411 rr_ttl = ns_rr_ttl(rr);
415 /* Check the domain name we've just unpacked and add it to
416 * the list of VL servers if it is not a duplicate.
417 * If it is a duplicate, just ignore it.
419 for (i = 0; i < *vlsnum; i++)
420 if (strcasecmp(vllist[i], vllist[*vlsnum]) == 0)
423 /* Turn the hostname into IP addresses */
424 ret = dns_resolver(vllist[*vlsnum], mask);
426 debug("AFSDB RR can't resolve."
427 "subtype:%d, server name:%s, netmask:%u",
428 subtype, vllist[*vlsnum], mask);
432 info("AFSDB RR subtype:%d, server name:%s, ip:%*.*s, ttl:%u",
433 subtype, vllist[*vlsnum],
434 (int)payload[payload_index - 1].iov_len,
435 (int)payload[payload_index - 1].iov_len,
436 (char *)payload[payload_index - 1].iov_base,
439 /* prepare for the next record */
444 free(vllist[*vlsnum]);
449 info("ttl: %u", ttl);
453 * Look up an AFSDB record to get the VL server addresses.
455 * The callout_info is parsed for request options. For instance, "ipv4" to
456 * request only IPv4 addresses and "ipv6" to request only IPv6 addresses.
458 static __attribute__((noreturn))
459 int dns_query_afsdb(key_serial_t key, const char *cell, char *options)
462 char *vllist[MAX_VLS]; /* list of name servers */
463 int vlsnum = 0; /* number of name servers in list */
464 unsigned mask = INET_ALL;
465 int response_len; /* buffer length */
466 ns_msg handle; /* handle for response message */
467 unsigned long ttl = ULONG_MAX;
470 u_char buf[NS_PACKETSZ];
471 } response; /* response buffers */
473 debug("Get AFSDB RR for cell name:'%s', options:'%s'", cell, options);
475 /* query the dns for an AFSDB resource record */
476 response_len = res_query(cell,
482 if (response_len < 0)
483 /* negative result */
484 nsError(h_errno, cell);
486 if (ns_initparse(response.buf, response_len, &handle) < 0)
487 error("ns_initparse: %m");
489 /* Is the IP address family limited? */
490 if (strcmp(options, "ipv4") == 0)
491 mask = INET_IP4_ONLY;
492 else if (strcmp(options, "ipv6") == 0)
493 mask = INET_IP6_ONLY;
495 /* look up the hostnames we've obtained to get the actual addresses */
496 afsdb_hosts_to_addrs(vllist, &vlsnum, handle, ns_s_an, mask, &ttl);
498 info("DNS query AFSDB RR results:%u ttl:%lu", payload_index, ttl);
500 /* set the key's expiry time from the minimum TTL encountered */
502 ret = keyctl_set_timeout(key, ttl);
504 error("%s: keyctl_set_timeout: %m", __func__);
507 /* handle a lack of results */
508 if (payload_index == 0)
509 nsError(NO_DATA, cell);
511 /* must include a NUL char at the end of the payload */
512 payload[payload_index].iov_base = "";
513 payload[payload_index++].iov_len = 1;
516 /* load the key with data key */
518 ret = keyctl_instantiate_iov(key, payload, payload_index, 0);
520 error("%s: keyctl_instantiate: %m", __func__);
527 * Look up a A and/or AAAA records to get host addresses
529 * The callout_info is parsed for request options. For instance, "ipv4" to
530 * request only IPv4 addresses, "ipv6" to request only IPv6 addresses and
531 * "list" to get multiple addresses.
533 static __attribute__((noreturn))
534 int dns_query_a_or_aaaa(key_serial_t key, const char *hostname, char *options)
539 debug("Get A/AAAA RR for hostname:'%s', options:'%s'",
544 mask = INET_IP4_ONLY | ONE_ADDR_ONLY;
548 mask = INET_ALL | ONE_ADDR_ONLY;
552 options = strchr(options, ' ');
554 options = key + strlen(key);
559 if (strchr(key, ','))
560 error("Option name '%s' contains a comma", key);
562 val = strchr(key, '=');
566 debug("Opt %s", key);
568 if (strcmp(key, "ipv4") == 0) {
570 mask |= INET_IP4_ONLY;
571 } else if (strcmp(key, "ipv6") == 0) {
573 mask |= INET_IP6_ONLY;
574 } else if (strcmp(key, "list") == 0) {
575 mask &= ~ONE_ADDR_ONLY;
576 mask |= LIST_MULTIPLE_ADDRS;
582 /* Turn the hostname into IP addresses */
583 ret = dns_resolver(hostname, mask);
585 nsError(NO_DATA, hostname);
587 /* handle a lack of results */
588 if (payload_index == 0)
589 nsError(NO_DATA, hostname);
591 /* must include a NUL char at the end of the payload */
592 payload[payload_index].iov_base = "";
593 payload[payload_index++].iov_len = 1;
596 /* load the key with data key */
598 ret = keyctl_instantiate_iov(key, payload, payload_index, 0);
600 error("%s: keyctl_instantiate: %m", __func__);
607 * Print usage details,
609 static __attribute__((noreturn))
614 "Usage: %s [-vv] key_serial\n",
617 "Usage: %s -D [-vv] <desc> <calloutinfo>\n",
620 info("Usage: %s [-vv] key_serial", prog);
623 keyctl_negate(key, 1, KEY_REQKEY_DEFL_DEFAULT);
627 const struct option long_options[] = {
628 { "debug", 0, NULL, 'D' },
629 { "verbose", 0, NULL, 'v' },
630 { "version", 0, NULL, 'V' },
637 int main(int argc, char *argv[])
639 int ktlen, qtlen, ret;
641 char *callout_info = NULL;
642 char *buf = NULL, *name;
644 openlog(prog, 0, LOG_DAEMON);
646 while ((ret = getopt_long(argc, argv, "vD", long_options, NULL)) != -1) {
652 printf("version: %s\n", DNS_PARSE_VERSION);
659 syslog(LOG_ERR, "unknown option: %c", ret);
673 key = strtol(*argv, NULL, 10);
675 error("Invalid key ID format: %m");
677 /* get the key description (of the form "x;x;x;x;<query_type>:<name>") */
679 ret = keyctl_describe_alloc(key, &buf);
681 error("keyctl_describe_alloc failed: %m");
684 /* get the callout_info (which can supply options) */
686 ret = keyctl_read_alloc(KEY_SPEC_REQKEY_AUTH_KEY,
687 (void **)&callout_info);
689 error("Invalid key callout_info read: %m");
695 ret = asprintf(&buf, "%s;-1;-1;0;%s", key_type, argv[0]);
698 callout_info = argv[1];
702 info("Key description: '%s'", buf);
703 info("Callout info: '%s'", callout_info);
705 p = strchr(buf, ';');
707 error("Badly formatted key description '%s'", buf);
710 /* make sure it's the type we are expecting */
711 if (ktlen != sizeof(key_type) - 1 ||
712 memcmp(buf, key_type, ktlen) != 0)
713 error("Key type is not supported: '%*.*s'", ktlen, ktlen, buf);
715 keyend = buf + ktlen + 1;
717 /* the actual key description follows the last semicolon */
718 keyend = rindex(keyend, ';');
720 error("Invalid key description: %s", buf);
723 name = index(keyend, ':');
725 dns_query_a_or_aaaa(key, keyend, callout_info);
727 qtlen = name - keyend;
730 if ((qtlen == sizeof(a_query_type) - 1 &&
731 memcmp(keyend, a_query_type, sizeof(a_query_type) - 1) == 0) ||
732 (qtlen == sizeof(aaaa_query_type) - 1 &&
733 memcmp(keyend, aaaa_query_type, sizeof(aaaa_query_type) - 1) == 0)
735 info("Do DNS query of A/AAAA type for:'%s' mask:'%s'",
737 dns_query_a_or_aaaa(key, name, callout_info);
740 if (qtlen == sizeof(afsdb_query_type) - 1 &&
741 memcmp(keyend, afsdb_query_type, sizeof(afsdb_query_type) - 1) == 0
743 info("Do DNS query of AFSDB type for:'%s' mask:'%s'",
745 dns_query_afsdb(key, name, callout_info);
748 error("Query type: \"%*.*s\" is not supported", qtlen, qtlen, keyend);
projects / platform / upstream / keyutils.git / blob