1 /* $OpenBSD: frontend.c,v 1.83 2024/09/05 08:22:46 florian Exp $ */
2
3 /*
4 * Copyright (c) 2018 Florian Obser <florian@openbsd.org>
5 * Copyright (c) 2005 Claudio Jeker <claudio@openbsd.org>
6 * Copyright (c) 2004 Esben Norby <norby@openbsd.org>
7 * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
8 *
9 * Permission to use, copy, modify, and distribute this software for any
10 * purpose with or without fee is hereby granted, provided that the above
11 * copyright notice and this permission notice appear in all copies.
12 *
13 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
14 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
15 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
16 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
17 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
18 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
19 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20 */
21
22 #include <sys/types.h>
23 #include <sys/queue.h>
24 #include <sys/socket.h>
25 #include <sys/syslog.h>
26 #include <sys/tree.h>
27 #include <sys/uio.h>
28
29 #include <netinet/in.h>
30 #include <net/if.h>
31 #include <net/route.h>
32
33 #include <errno.h>
34 #include <event.h>
35 #include <ifaddrs.h>
36 #include <imsg.h>
37 #include <netdb.h>
38 #include <pwd.h>
39 #include <signal.h>
40 #include <stdint.h>
41 #include <stdio.h>
42 #include <stdlib.h>
43 #include <string.h>
44 #include <time.h>
45 #include <unistd.h>
46
47 #include "libunbound/config.h"
48 #include "libunbound/sldns/pkthdr.h"
49 #include "libunbound/sldns/sbuffer.h"
50 #include "libunbound/sldns/str2wire.h"
51 #include "libunbound/sldns/wire2str.h"
52 #include "libunbound/util/alloc.h"
53 #include "libunbound/util/net_help.h"
54 #include "libunbound/util/regional.h"
55 #include "libunbound/util/data/dname.h"
56 #include "libunbound/util/data/msgencode.h"
57 #include "libunbound/util/data/msgparse.h"
58 #include "libunbound/util/data/msgreply.h"
59
60 #include "log.h"
61 #include "unwind.h"
62 #include "frontend.h"
63 #include "control.h"
64 #include "dns64_synth.h"
65
66 #define MINIMUM(a, b) (((a) < (b)) ? (a) : (b))
67 #define ROUTE_SOCKET_BUF_SIZE 16384
68
69 /*
70 * size of a resource record with name a two octed pointer to qname
71 * 2 octets pointer to qname
72 * 2 octets TYPE
73 * 2 octets CLASS
74 * 4 octets TTL
75 * 2 octets RDLENGTH
76 */
77 #define COMPRESSED_RR_SIZE 12
78 #define MINIMIZE_ANSWER 1
79
80 #define FD_RESERVE 5
81 #define TCP_TIMEOUT 15
82 #define DEFAULT_TCP_SIZE 512
83
84 struct udp_ev {
85 struct event ev;
86 uint8_t query[65536];
87 struct msghdr rcvmhdr;
88 struct iovec rcviov[1];
89 struct sockaddr_storage from;
90 } udp4ev, udp6ev;
91
92 struct tcp_accept_ev {
93 struct event ev;
94 struct event pause;
95 } tcp4ev, tcp6ev;
96
97 struct pending_query {
98 TAILQ_ENTRY(pending_query) entry;
99 struct sockaddr_storage from;
100 struct sldns_buffer *qbuf;
101 struct sldns_buffer *abuf;
102 struct regional *region;
103 struct query_info qinfo;
104 struct edns_data edns;
105 struct event ev; /* for tcp */
106 struct event resp_ev; /* for tcp */
107 struct event tmo_ev; /* for tcp */
108 uint64_t imsg_id;
109 uint16_t id;
110 uint16_t flags;
111 int fd;
112 int tcp;
113 int dns64_synthesize;
114 };
115
116 TAILQ_HEAD(, pending_query) pending_queries;
117
118 struct bl_node {
119 RB_ENTRY(bl_node) entry;
120 char *domain;
121 };
122
123 __dead void frontend_shutdown(void);
124 void frontend_sig_handler(int, short, void *);
125 void frontend_startup(void);
126 void udp_receive(int, short, void *);
127 void handle_query(struct pending_query *);
128 void free_pending_query(struct pending_query *);
129 void tcp_accept(int, short, void *);
130 int accept_reserve(int, struct sockaddr *, socklen_t *);
131 void accept_paused(int, short, void *);
132 void tcp_request(int, short, void *);
133 void tcp_response(int, short, void *);
134 void tcp_timeout(int, short, void *);
135 int check_query(sldns_buffer*);
136 void noerror_answer(struct pending_query *);
137 void synthesize_dns64_answer(struct pending_query *);
138 void resend_dns64_query(struct pending_query *);
139 void chaos_answer(struct pending_query *);
140 void error_answer(struct pending_query *, int rcode);
141 void send_answer(struct pending_query *);
142 void route_receive(int, short, void *);
143 void handle_route_message(struct rt_msghdr *,
144 struct sockaddr **);
145 void get_rtaddrs(int, struct sockaddr *,
146 struct sockaddr **);
147 struct pending_query *find_pending_query(uint64_t);
148 void parse_trust_anchor(struct trust_anchor_head *, int);
149 void send_trust_anchors(struct trust_anchor_head *);
150 void write_trust_anchors(struct trust_anchor_head *, int);
151 void parse_blocklist(int);
152 int bl_cmp(struct bl_node *, struct bl_node *);
153 void free_bl(void);
154 int pending_query_cnt(void);
155 void check_available_af(void);
156
157 struct uw_conf *frontend_conf;
158 static struct imsgev *iev_main;
159 static struct imsgev *iev_resolver;
160 struct event ev_route;
161 int udp4sock = -1, udp6sock = -1;
162 int tcp4sock = -1, tcp6sock = -1;
163 int ta_fd = -1;
164
165 static struct trust_anchor_head trust_anchors, new_trust_anchors;
166
167 RB_HEAD(bl_tree, bl_node) bl_head = RB_INITIALIZER(&bl_head);
168 RB_PROTOTYPE(bl_tree, bl_node, entry, bl_cmp)
169 RB_GENERATE(bl_tree, bl_node, entry, bl_cmp)
170
171 struct dns64_prefix *dns64_prefixes;
172 int dns64_prefix_count;
173
174 void
frontend_sig_handler(int sig,short event,void * bula)175 frontend_sig_handler(int sig, short event, void *bula)
176 {
177 /*
178 * Normal signal handler rules don't apply because libevent
179 * decouples for us.
180 */
181
182 switch (sig) {
183 case SIGINT:
184 case SIGTERM:
185 frontend_shutdown();
186 default:
187 fatalx("unexpected signal");
188 }
189 }
190
191 void
frontend(int debug,int verbose)192 frontend(int debug, int verbose)
193 {
194 struct event ev_sigint, ev_sigterm;
195 struct passwd *pw;
196
197 frontend_conf = config_new_empty();
198
199 log_init(debug, LOG_DAEMON);
200 log_setverbose(verbose);
201
202 if ((pw = getpwnam(UNWIND_USER)) == NULL)
203 fatal("getpwnam");
204
205 if (chroot(pw->pw_dir) == -1)
206 fatal("chroot");
207 if (chdir("/") == -1)
208 fatal("chdir(\"/\")");
209
210 setproctitle("%s", "frontend");
211 log_procinit("frontend");
212
213 if (setgroups(1, &pw->pw_gid) ||
214 setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) ||
215 setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid))
216 fatal("can't drop privileges");
217
218 if (pledge("stdio dns unix recvfd", NULL) == -1)
219 fatal("pledge");
220
221 event_init();
222
223 /* Setup signal handler. */
224 signal_set(&ev_sigint, SIGINT, frontend_sig_handler, NULL);
225 signal_set(&ev_sigterm, SIGTERM, frontend_sig_handler, NULL);
226 signal_add(&ev_sigint, NULL);
227 signal_add(&ev_sigterm, NULL);
228 signal(SIGPIPE, SIG_IGN);
229 signal(SIGHUP, SIG_IGN);
230
231 /* Setup pipe and event handler to the parent process. */
232 if (iev_main != NULL)
233 fatal("iev_main");
234 if ((iev_main = malloc(sizeof(struct imsgev))) == NULL)
235 fatal(NULL);
236 imsg_init(&iev_main->ibuf, 3);
237 iev_main->handler = frontend_dispatch_main;
238 iev_main->events = EV_READ;
239 event_set(&iev_main->ev, iev_main->ibuf.fd, iev_main->events,
240 iev_main->handler, iev_main);
241 event_add(&iev_main->ev, NULL);
242
243 udp4ev.rcviov[0].iov_base = (caddr_t)udp4ev.query;
244 udp4ev.rcviov[0].iov_len = sizeof(udp4ev.query);
245 udp4ev.rcvmhdr.msg_name = (caddr_t)&udp4ev.from;
246 udp4ev.rcvmhdr.msg_namelen = sizeof(udp4ev.from);
247 udp4ev.rcvmhdr.msg_iov = udp4ev.rcviov;
248 udp4ev.rcvmhdr.msg_iovlen = 1;
249
250 udp6ev.rcviov[0].iov_base = (caddr_t)udp6ev.query;
251 udp6ev.rcviov[0].iov_len = sizeof(udp6ev.query);
252 udp6ev.rcvmhdr.msg_name = (caddr_t)&udp6ev.from;
253 udp6ev.rcvmhdr.msg_namelen = sizeof(udp6ev.from);
254 udp6ev.rcvmhdr.msg_iov = udp6ev.rcviov;
255 udp6ev.rcvmhdr.msg_iovlen = 1;
256
257 TAILQ_INIT(&pending_queries);
258
259 TAILQ_INIT(&trust_anchors);
260 TAILQ_INIT(&new_trust_anchors);
261
262 add_new_ta(&trust_anchors, KSK2017);
263 add_new_ta(&trust_anchors, KSK2024);
264
265 event_dispatch();
266
267 frontend_shutdown();
268 }
269
270 __dead void
frontend_shutdown(void)271 frontend_shutdown(void)
272 {
273 /* Close pipes. */
274 msgbuf_write(&iev_resolver->ibuf.w);
275 msgbuf_clear(&iev_resolver->ibuf.w);
276 close(iev_resolver->ibuf.fd);
277 msgbuf_write(&iev_main->ibuf.w);
278 msgbuf_clear(&iev_main->ibuf.w);
279 close(iev_main->ibuf.fd);
280
281 config_clear(frontend_conf);
282
283 free(iev_resolver);
284 free(iev_main);
285
286 log_info("frontend exiting");
287 exit(0);
288 }
289
290 int
frontend_imsg_compose_main(int type,pid_t pid,void * data,uint16_t datalen)291 frontend_imsg_compose_main(int type, pid_t pid, void *data, uint16_t datalen)
292 {
293 return (imsg_compose_event(iev_main, type, 0, pid, -1, data, datalen));
294 }
295
296 int
frontend_imsg_compose_resolver(int type,pid_t pid,void * data,uint16_t datalen)297 frontend_imsg_compose_resolver(int type, pid_t pid, void *data,
298 uint16_t datalen)
299 {
300 return (imsg_compose_event(iev_resolver, type, 0, pid, -1, data,
301 datalen));
302 }
303
304 void
frontend_dispatch_main(int fd,short event,void * bula)305 frontend_dispatch_main(int fd, short event, void *bula)
306 {
307 static struct uw_conf *nconf;
308 struct imsg imsg;
309 struct imsgev *iev = bula;
310 struct imsgbuf *ibuf = &iev->ibuf;
311 int n, shut = 0;
312
313 if (event & EV_READ) {
314 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
315 fatal("imsg_read error");
316 if (n == 0) /* Connection closed. */
317 shut = 1;
318 }
319 if (event & EV_WRITE) {
320 if ((n = msgbuf_write(&ibuf->w)) == -1 && errno != EAGAIN)
321 fatal("msgbuf_write");
322 if (n == 0) /* Connection closed. */
323 shut = 1;
324 }
325
326 for (;;) {
327 if ((n = imsg_get(ibuf, &imsg)) == -1)
328 fatal("%s: imsg_get error", __func__);
329 if (n == 0) /* No more messages. */
330 break;
331
332 switch (imsg.hdr.type) {
333 case IMSG_SOCKET_IPC_RESOLVER:
334 /*
335 * Setup pipe and event handler to the resolver
336 * process.
337 */
338 if (iev_resolver) {
339 fatalx("%s: received unexpected imsg fd "
340 "to frontend", __func__);
341 break;
342 }
343 if ((fd = imsg_get_fd(&imsg)) == -1) {
344 fatalx("%s: expected to receive imsg fd to "
345 "frontend but didn't receive any",
346 __func__);
347 break;
348 }
349
350 if (iev_resolver != NULL)
351 fatal("iev_resolver");
352 iev_resolver = malloc(sizeof(struct imsgev));
353 if (iev_resolver == NULL)
354 fatal(NULL);
355
356 imsg_init(&iev_resolver->ibuf, fd);
357 iev_resolver->handler = frontend_dispatch_resolver;
358 iev_resolver->events = EV_READ;
359
360 event_set(&iev_resolver->ev, iev_resolver->ibuf.fd,
361 iev_resolver->events, iev_resolver->handler,
362 iev_resolver);
363 event_add(&iev_resolver->ev, NULL);
364 break;
365 case IMSG_RECONF_CONF:
366 case IMSG_RECONF_BLOCKLIST_FILE:
367 case IMSG_RECONF_FORWARDER:
368 case IMSG_RECONF_DOT_FORWARDER:
369 case IMSG_RECONF_FORCE:
370 imsg_receive_config(&imsg, &nconf);
371 break;
372 case IMSG_RECONF_END:
373 if (nconf == NULL)
374 fatalx("%s: IMSG_RECONF_END without "
375 "IMSG_RECONF_CONF", __func__);
376 merge_config(frontend_conf, nconf);
377 if (frontend_conf->blocklist_file == NULL)
378 free_bl();
379 nconf = NULL;
380 break;
381 case IMSG_UDP6SOCK:
382 if (udp6sock != -1)
383 fatalx("%s: received unexpected udp6sock",
384 __func__);
385 if ((udp6sock = imsg_get_fd(&imsg)) == -1)
386 fatalx("%s: expected to receive imsg "
387 "UDP6 fd but didn't receive any", __func__);
388 event_set(&udp6ev.ev, udp6sock, EV_READ | EV_PERSIST,
389 udp_receive, &udp6ev);
390 event_add(&udp6ev.ev, NULL);
391 break;
392 case IMSG_UDP4SOCK:
393 if (udp4sock != -1)
394 fatalx("%s: received unexpected udp4sock",
395 __func__);
396 if ((udp4sock = imsg_get_fd(&imsg)) == -1)
397 fatalx("%s: expected to receive imsg "
398 "UDP4 fd but didn't receive any", __func__);
399 event_set(&udp4ev.ev, udp4sock, EV_READ | EV_PERSIST,
400 udp_receive, &udp4ev);
401 event_add(&udp4ev.ev, NULL);
402 break;
403 case IMSG_TCP4SOCK:
404 if (tcp4sock != -1)
405 fatalx("%s: received unexpected tcp4sock",
406 __func__);
407 if ((tcp4sock = imsg_get_fd(&imsg)) == -1)
408 fatalx("%s: expected to receive imsg "
409 "TCP4 fd but didn't receive any", __func__);
410 event_set(&tcp4ev.ev, tcp4sock, EV_READ | EV_PERSIST,
411 tcp_accept, &tcp4ev);
412 event_add(&tcp4ev.ev, NULL);
413 evtimer_set(&tcp4ev.pause, accept_paused, &tcp4ev);
414 break;
415 case IMSG_TCP6SOCK:
416 if (tcp6sock != -1)
417 fatalx("%s: received unexpected tcp6sock",
418 __func__);
419 if ((tcp6sock = imsg_get_fd(&imsg)) == -1)
420 fatalx("%s: expected to receive imsg "
421 "TCP6 fd but didn't receive any", __func__);
422 event_set(&tcp6ev.ev, tcp6sock, EV_READ | EV_PERSIST,
423 tcp_accept, &tcp6ev);
424 event_add(&tcp6ev.ev, NULL);
425 evtimer_set(&tcp6ev.pause, accept_paused, &tcp6ev);
426 break;
427 case IMSG_ROUTESOCK: {
428 static int routesock = -1;
429
430 if (routesock != -1)
431 fatalx("%s: received unexpected routesock",
432 __func__);
433 if ((fd = imsg_get_fd(&imsg)) == -1)
434 fatalx("%s: expected to receive imsg "
435 "routesocket fd but didn't receive any",
436 __func__);
437 routesock = fd;
438 event_set(&ev_route, fd, EV_READ | EV_PERSIST,
439 route_receive, NULL);
440 break;
441 }
442 case IMSG_STARTUP:
443 frontend_startup();
444 break;
445 case IMSG_CONTROLFD:
446 if ((fd = imsg_get_fd(&imsg)) == -1)
447 fatalx("%s: expected to receive imsg control "
448 "fd but didn't receive any", __func__);
449 /* Listen on control socket. */
450 control_listen(fd);
451 break;
452 case IMSG_TAFD:
453 if ((ta_fd = imsg_get_fd(&imsg)) != -1)
454 parse_trust_anchor(&trust_anchors, ta_fd);
455 if (!TAILQ_EMPTY(&trust_anchors))
456 send_trust_anchors(&trust_anchors);
457 break;
458 case IMSG_BLFD:
459 if ((fd = imsg_get_fd(&imsg)) == -1)
460 fatalx("%s: expected to receive imsg block "
461 "list fd but didn't receive any", __func__);
462 parse_blocklist(fd);
463 break;
464 default:
465 log_debug("%s: error handling imsg %d", __func__,
466 imsg.hdr.type);
467 break;
468 }
469 imsg_free(&imsg);
470 }
471 if (!shut)
472 imsg_event_add(iev);
473 else {
474 /* This pipe is dead. Remove its event handler. */
475 event_del(&iev->ev);
476 event_loopexit(NULL);
477 }
478 }
479
480 void
frontend_dispatch_resolver(int fd,short event,void * bula)481 frontend_dispatch_resolver(int fd, short event, void *bula)
482 {
483 static struct dns64_prefix *new_dns64_prefixes = NULL;
484 static int new_dns64_prefix_count = 0;
485 static int new_dns64_prefix_pos = 0;
486 struct pending_query *pq;
487 struct imsgev *iev = bula;
488 struct imsgbuf *ibuf = &iev->ibuf;
489 struct imsg imsg;
490 int n, shut = 0, chg;
491
492 if (event & EV_READ) {
493 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
494 fatal("imsg_read error");
495 if (n == 0) /* Connection closed. */
496 shut = 1;
497 }
498 if (event & EV_WRITE) {
499 if ((n = msgbuf_write(&ibuf->w)) == -1 && errno != EAGAIN)
500 fatal("msgbuf_write");
501 if (n == 0) /* Connection closed. */
502 shut = 1;
503 }
504
505 for (;;) {
506 if ((n = imsg_get(ibuf, &imsg)) == -1)
507 fatal("%s: imsg_get error", __func__);
508 if (n == 0) /* No more messages. */
509 break;
510
511 switch (imsg.hdr.type) {
512 case IMSG_ANSWER: {
513 struct answer_header *answer_header;
514 int data_len;
515 uint8_t *data;
516
517 if (IMSG_DATA_SIZE(imsg) < sizeof(*answer_header))
518 fatalx("%s: IMSG_ANSWER wrong length: "
519 "%lu", __func__, IMSG_DATA_SIZE(imsg));
520 answer_header = (struct answer_header *)imsg.data;
521 data = (uint8_t *)imsg.data + sizeof(*answer_header);
522 if (answer_header->answer_len > UINT16_MAX)
523 fatalx("%s: IMSG_ANSWER answer too big: %d",
524 __func__, answer_header->answer_len);
525 data_len = IMSG_DATA_SIZE(imsg) -
526 sizeof(*answer_header);
527
528 if ((pq = find_pending_query(answer_header->id)) ==
529 NULL) {
530 log_warnx("%s: cannot find pending query %llu",
531 __func__, answer_header->id);
532 break;
533 }
534
535 if (answer_header->srvfail) {
536 error_answer(pq, LDNS_RCODE_SERVFAIL);
537 send_answer(pq);
538 break;
539 }
540
541 if (answer_header->bogus && !(pq->flags & BIT_CD)) {
542 error_answer(pq, LDNS_RCODE_SERVFAIL);
543 send_answer(pq);
544 break;
545 }
546
547 if (sldns_buffer_position(pq->abuf) == 0 &&
548 !sldns_buffer_set_capacity(pq->abuf,
549 answer_header->answer_len)) {
550 error_answer(pq, LDNS_RCODE_SERVFAIL);
551 send_answer(pq);
552 break;
553 }
554
555 if (sldns_buffer_position(pq->abuf) + data_len >
556 sldns_buffer_capacity(pq->abuf))
557 fatalx("%s: IMSG_ANSWER answer too big: %d",
558 __func__, data_len);
559 sldns_buffer_write(pq->abuf, data, data_len);
560
561 if (sldns_buffer_position(pq->abuf) ==
562 sldns_buffer_capacity(pq->abuf)) {
563 sldns_buffer_flip(pq->abuf);
564 if (pq->dns64_synthesize) {
565 synthesize_dns64_answer(pq);
566 send_answer(pq);
567 } else {
568 noerror_answer(pq);
569 if (pq->dns64_synthesize)
570 /* we did not find a answer */
571 resend_dns64_query(pq);
572 else
573 send_answer(pq);
574 }
575 }
576 break;
577 }
578 case IMSG_CTL_RESOLVER_INFO:
579 case IMSG_CTL_AUTOCONF_RESOLVER_INFO:
580 case IMSG_CTL_MEM_INFO:
581 case IMSG_CTL_END:
582 control_imsg_relay(&imsg);
583 break;
584 case IMSG_NEW_TA:
585 /* make sure this is a string */
586 ((char *)imsg.data)[IMSG_DATA_SIZE(imsg) - 1] = '\0';
587 add_new_ta(&new_trust_anchors, imsg.data);
588 break;
589 case IMSG_NEW_TAS_ABORT:
590 free_tas(&new_trust_anchors);
591 break;
592 case IMSG_NEW_TAS_DONE:
593 chg = merge_tas(&new_trust_anchors, &trust_anchors);
594 if (chg)
595 send_trust_anchors(&trust_anchors);
596
597 /*
598 * always write trust anchors, the modify date on
599 * the file is an indication when we made progress
600 */
601 if (ta_fd != -1)
602 write_trust_anchors(&trust_anchors, ta_fd);
603 break;
604 case IMSG_NEW_DNS64_PREFIXES_START:
605 if (IMSG_DATA_SIZE(imsg) !=
606 sizeof(new_dns64_prefix_count))
607 fatalx("%s: IMSG_NEW_DNS64_PREFIXES_START "
608 "wrong length: %lu", __func__,
609 IMSG_DATA_SIZE(imsg));
610 memcpy(&new_dns64_prefix_count, imsg.data,
611 sizeof(new_dns64_prefix_count));
612 free(new_dns64_prefixes);
613 new_dns64_prefixes = NULL;
614 if (new_dns64_prefix_count > 0)
615 new_dns64_prefixes =
616 calloc(new_dns64_prefix_count,
617 sizeof(struct dns64_prefix));
618 new_dns64_prefix_pos = 0;
619 break;
620 case IMSG_NEW_DNS64_PREFIX: {
621 if (IMSG_DATA_SIZE(imsg) != sizeof(struct dns64_prefix))
622 fatalx("%s: IMSG_NEW_DNS64_PREFIX wrong "
623 "length: %lu", __func__,
624 IMSG_DATA_SIZE(imsg));
625 if (new_dns64_prefixes == NULL)
626 break;
627 if (new_dns64_prefix_pos >= new_dns64_prefix_count)
628 fatalx("%s: IMSG_NEW_DNS64_PREFIX: too many "
629 "prefixes", __func__);
630 memcpy(&new_dns64_prefixes[new_dns64_prefix_pos++],
631 imsg.data, sizeof(struct dns64_prefix));
632 break;
633 }
634 case IMSG_NEW_DNS64_PREFIXES_DONE:
635 free(dns64_prefixes);
636 dns64_prefixes = new_dns64_prefixes;
637 dns64_prefix_count = new_dns64_prefix_count;
638 new_dns64_prefixes = NULL;
639 break;
640 default:
641 log_debug("%s: error handling imsg %d", __func__,
642 imsg.hdr.type);
643 break;
644 }
645 imsg_free(&imsg);
646 }
647 if (!shut)
648 imsg_event_add(iev);
649 else {
650 /* This pipe is dead. Remove its event handler. */
651 event_del(&iev->ev);
652 event_loopexit(NULL);
653 }
654 }
655
656 void
frontend_startup(void)657 frontend_startup(void)
658 {
659 if (!event_initialized(&ev_route))
660 fatalx("%s: did not receive a route socket from the main "
661 "process", __func__);
662
663 event_add(&ev_route, NULL);
664
665 frontend_imsg_compose_main(IMSG_STARTUP_DONE, 0, NULL, 0);
666 check_available_af();
667 }
668
669 void
free_pending_query(struct pending_query * pq)670 free_pending_query(struct pending_query *pq)
671 {
672 if (!pq)
673 return;
674
675 TAILQ_REMOVE(&pending_queries, pq, entry);
676 regional_destroy(pq->region);
677 sldns_buffer_free(pq->qbuf);
678 sldns_buffer_free(pq->abuf);
679 if (pq->tcp) {
680 if (event_initialized(&pq->ev))
681 event_del(&pq->ev);
682 if (event_initialized(&pq->resp_ev))
683 event_del(&pq->resp_ev);
684 if (event_initialized(&pq->tmo_ev))
685 event_del(&pq->tmo_ev);
686 if (pq->fd != -1)
687 close(pq->fd);
688 }
689 free(pq);
690 }
691
692 void
udp_receive(int fd,short events,void * arg)693 udp_receive(int fd, short events, void *arg)
694 {
695 struct udp_ev *udpev = (struct udp_ev *)arg;
696 struct pending_query *pq = NULL;
697 ssize_t len;
698
699 if ((len = recvmsg(fd, &udpev->rcvmhdr, 0)) == -1) {
700 log_warn("recvmsg");
701 return;
702 }
703
704 if ((pq = calloc(1, sizeof(*pq))) == NULL) {
705 log_warn(NULL);
706 return;
707 }
708
709 do {
710 arc4random_buf(&pq->imsg_id, sizeof(pq->imsg_id));
711 } while(find_pending_query(pq->imsg_id) != NULL);
712
713 TAILQ_INSERT_TAIL(&pending_queries, pq, entry);
714
715 pq->from = udpev->from;
716 pq->fd = fd;
717 pq->qbuf = sldns_buffer_new(len);
718 pq->abuf = sldns_buffer_new(len); /* make sure we can send errors */
719 pq->region = regional_create();
720
721 if (!pq->qbuf || !pq->abuf || !pq->region) {
722 log_warnx("out of memory");
723 free_pending_query(pq);
724 return;
725 }
726
727 sldns_buffer_write(pq->qbuf, udpev->query, len);
728 sldns_buffer_flip(pq->qbuf);
729 handle_query(pq);
730 }
731
732 void
handle_query(struct pending_query * pq)733 handle_query(struct pending_query *pq)
734 {
735 struct query_imsg query_imsg;
736 struct bl_node find;
737 int rcode;
738 char *str;
739 char dname[LDNS_MAX_DOMAINLEN + 1];
740 char qclass_buf[16];
741 char qtype_buf[16];
742
743 if (log_getverbose() & OPT_VERBOSE2 && (str =
744 sldns_wire2str_pkt(sldns_buffer_begin(pq->qbuf),
745 sldns_buffer_limit(pq->qbuf))) != NULL) {
746 log_debug("from: %s\n%s", ip_port((struct sockaddr *)
747 &pq->from), str);
748 free(str);
749 }
750
751 if (sldns_buffer_remaining(pq->qbuf) < LDNS_HEADER_SIZE) {
752 log_warnx("bad query: too short, dropped");
753 goto drop;
754 }
755
756 pq->id = sldns_buffer_read_u16_at(pq->qbuf, 0);
757 pq->flags = sldns_buffer_read_u16_at(pq->qbuf, 2);
758
759 if (!query_info_parse(&pq->qinfo, pq->qbuf)) {
760 log_warnx("query_info_parse failed");
761 goto drop;
762 }
763
764 rcode = check_query(pq->qbuf);
765 switch (rcode) {
766 case LDNS_RCODE_NOERROR:
767 break;
768 case -1:
769 goto drop;
770 default:
771 error_answer(pq, rcode);
772 goto send_answer;
773 }
774
775 rcode = parse_edns_from_query_pkt(pq->qbuf, &pq->edns, NULL, NULL,
776 NULL, 0, pq->region, NULL);
777 if (rcode != LDNS_RCODE_NOERROR) {
778 error_answer(pq, rcode);
779 goto send_answer;
780 }
781
782 if (!dname_valid(pq->qinfo.qname, pq->qinfo.qname_len)) {
783 error_answer(pq, LDNS_RCODE_FORMERR);
784 goto send_answer;
785 }
786 dname_str(pq->qinfo.qname, dname);
787
788 sldns_wire2str_class_buf(pq->qinfo.qclass, qclass_buf,
789 sizeof(qclass_buf));
790 sldns_wire2str_type_buf(pq->qinfo.qtype, qtype_buf, sizeof(qtype_buf));
791 log_debug("%s: %s %s %s ?", ip_port((struct sockaddr *)&pq->from),
792 dname, qclass_buf, qtype_buf);
793
794 find.domain = dname;
795 if (RB_FIND(bl_tree, &bl_head, &find) != NULL) {
796 if (frontend_conf->blocklist_log)
797 log_info("blocking %s", dname);
798 error_answer(pq, LDNS_RCODE_REFUSED);
799 goto send_answer;
800 }
801
802 if (pq->qinfo.qtype == LDNS_RR_TYPE_AXFR || pq->qinfo.qtype ==
803 LDNS_RR_TYPE_IXFR) {
804 error_answer(pq, LDNS_RCODE_REFUSED);
805 goto send_answer;
806 }
807
808 if(pq->qinfo.qtype == LDNS_RR_TYPE_OPT ||
809 pq->qinfo.qtype == LDNS_RR_TYPE_TSIG ||
810 pq->qinfo.qtype == LDNS_RR_TYPE_TKEY ||
811 pq->qinfo.qtype == LDNS_RR_TYPE_MAILA ||
812 pq->qinfo.qtype == LDNS_RR_TYPE_MAILB ||
813 (pq->qinfo.qtype >= 128 && pq->qinfo.qtype <= 248)) {
814 error_answer(pq, LDNS_RCODE_FORMERR);
815 goto send_answer;
816 }
817
818 if (pq->qinfo.qclass == LDNS_RR_CLASS_CH) {
819 if (strcasecmp(dname, "version.server.") == 0 ||
820 strcasecmp(dname, "version.bind.") == 0) {
821 chaos_answer(pq);
822 } else
823 error_answer(pq, LDNS_RCODE_REFUSED);
824 goto send_answer;
825 }
826
827 if (strlcpy(query_imsg.qname, dname, sizeof(query_imsg.qname)) >=
828 sizeof(query_imsg.qname)) {
829 log_warnx("qname too long");
830 error_answer(pq, LDNS_RCODE_FORMERR);
831 goto send_answer;
832 }
833 query_imsg.id = pq->imsg_id;
834 query_imsg.t = pq->qinfo.qtype;
835 query_imsg.c = pq->qinfo.qclass;
836
837 if (frontend_imsg_compose_resolver(IMSG_QUERY, 0, &query_imsg,
838 sizeof(query_imsg)) == -1) {
839 error_answer(pq, LDNS_RCODE_SERVFAIL);
840 goto send_answer;
841 }
842 return;
843
844 send_answer:
845 send_answer(pq);
846 return;
847
848 drop:
849 free_pending_query(pq);
850 }
851
852 void
noerror_answer(struct pending_query * pq)853 noerror_answer(struct pending_query *pq)
854 {
855 struct query_info skip, qinfo;
856 struct reply_info *rinfo = NULL;
857 struct alloc_cache alloc;
858 struct edns_data edns;
859 struct ub_packed_rrset_key *an_rrset = NULL;
860 struct packed_rrset_data *an_rrset_data = NULL;
861
862 alloc_init(&alloc, NULL, 0);
863 memset(&qinfo, 0, sizeof(qinfo));
864 /* read past query section, no memory is allocated */
865 if (!query_info_parse(&skip, pq->abuf))
866 goto srvfail;
867
868 if (reply_info_parse(pq->abuf, &alloc, &qinfo, &rinfo, pq->region,
869 &edns) != 0)
870 goto srvfail;
871
872 if ((an_rrset = reply_find_answer_rrset(&qinfo, rinfo)) != NULL)
873 an_rrset_data = (struct packed_rrset_data*)an_rrset->entry.data;
874
875 /* reply_info_parse() allocates memory */
876 query_info_clear(&qinfo);
877
878 /* XXX check that there a no AAAA records in answer section? */
879 if ((an_rrset_data == NULL || an_rrset_data->count == 0) &&
880 !pq->dns64_synthesize && pq->qinfo.qtype == LDNS_RR_TYPE_AAAA &&
881 pq->qinfo.qclass == LDNS_RR_CLASS_IN && dns64_prefix_count > 0) {
882 pq->dns64_synthesize = 1;
883 return;
884 }
885
886 sldns_buffer_clear(pq->abuf);
887 if (reply_info_encode(&pq->qinfo, rinfo, htons(pq->id), rinfo->flags,
888 pq->abuf, 0, pq->region, pq->tcp ? UINT16_MAX : pq->edns.udp_size,
889 pq->edns.bits & EDNS_DO, MINIMIZE_ANSWER) == 0)
890 goto srvfail;
891
892 reply_info_parsedelete(rinfo, &alloc);
893 alloc_clear(&alloc);
894 return;
895
896 srvfail:
897 reply_info_parsedelete(rinfo, &alloc);
898 alloc_clear(&alloc);
899 error_answer(pq, LDNS_RCODE_SERVFAIL);
900 }
901
902 void
synthesize_dns64_answer(struct pending_query * pq)903 synthesize_dns64_answer(struct pending_query *pq)
904 {
905 struct query_info skip, qinfo;
906 struct reply_info *rinfo = NULL, *synth_rinfo = NULL;
907 struct alloc_cache alloc;
908 struct edns_data edns;
909 size_t i;
910
911 pq->dns64_synthesize = 0;
912
913 alloc_init(&alloc, NULL, 0);
914 memset(&qinfo, 0, sizeof(qinfo));
915 /* read past query section, no memory is allocated */
916 if (!query_info_parse(&skip, pq->abuf))
917 goto srvfail;
918
919 if (reply_info_parse(pq->abuf, &alloc, &qinfo, &rinfo, pq->region,
920 &edns) != 0)
921 goto srvfail;
922
923 /* reply_info_parse() allocates memory */
924 query_info_clear(&qinfo);
925
926 synth_rinfo = construct_reply_info_base(pq->region, rinfo->flags,
927 rinfo->qdcount, rinfo->ttl, rinfo->prefetch_ttl,
928 rinfo->serve_expired_ttl, rinfo->an_numrrsets,
929 rinfo->ns_numrrsets, rinfo->ar_numrrsets, rinfo->rrset_count,
930 rinfo->security, rinfo->reason_bogus);
931
932 if (!synth_rinfo)
933 goto srvfail;
934
935 if(!reply_info_alloc_rrset_keys(synth_rinfo, NULL, pq->region))
936 goto srvfail;
937
938 for (i = 0; i < synth_rinfo->rrset_count; i++) {
939 struct ub_packed_rrset_key *src_rrset_key, *dst_rrset_key;
940 struct packed_rrset_data *src_rrset_data;
941 struct packed_rrset_data *dst_rrset_data;
942
943 src_rrset_key = rinfo->rrsets[i];
944 src_rrset_data =
945 (struct packed_rrset_data *)src_rrset_key->entry.data;
946 dst_rrset_key = synth_rinfo->rrsets[i];
947
948 dst_rrset_key->id = src_rrset_key->id;
949 dst_rrset_key->rk = src_rrset_key->rk;
950
951 if (i < rinfo->an_numrrsets && src_rrset_key->rk.type ==
952 htons(LDNS_RR_TYPE_A)) {
953 dns64_synth_aaaa_data(src_rrset_key, src_rrset_data,
954 dst_rrset_key, &dst_rrset_data, pq->region);
955 if (dst_rrset_data == NULL)
956 goto srvfail;
957 } else {
958 dst_rrset_key->entry.hash = src_rrset_key->entry.hash;
959 dst_rrset_key->rk.dname = regional_alloc_init(
960 pq->region, src_rrset_key->rk.dname,
961 src_rrset_key->rk.dname_len);
962 if (dst_rrset_key->rk.dname == NULL)
963 goto srvfail;
964
965 dst_rrset_data = regional_alloc_init(pq->region,
966 src_rrset_data,
967 packed_rrset_sizeof(src_rrset_data));
968 if (dst_rrset_data == NULL)
969 goto srvfail;
970 }
971
972 packed_rrset_ptr_fixup(dst_rrset_data);
973 dst_rrset_key->entry.data = dst_rrset_data;
974 }
975
976 if (!sldns_buffer_set_capacity(pq->abuf, pq->tcp ? UINT16_MAX :
977 pq->edns.udp_size))
978 goto srvfail;
979
980 sldns_buffer_clear(pq->abuf);
981
982 if (reply_info_encode(&pq->qinfo, synth_rinfo, htons(pq->id),
983 synth_rinfo->flags, pq->abuf, 0, pq->region,
984 pq->tcp ? UINT16_MAX : pq->edns.udp_size,
985 pq->edns.bits & EDNS_DO, MINIMIZE_ANSWER) == 0)
986 goto srvfail;
987
988 reply_info_parsedelete(rinfo, &alloc);
989 alloc_clear(&alloc);
990 return;
991
992 srvfail:
993 reply_info_parsedelete(rinfo, &alloc);
994 alloc_clear(&alloc);
995 error_answer(pq, LDNS_RCODE_SERVFAIL);
996 }
997
998 void
resend_dns64_query(struct pending_query * opq)999 resend_dns64_query(struct pending_query *opq)
1000 {
1001 struct pending_query *pq;
1002 struct query_imsg query_imsg;
1003 int rcode;
1004 char dname[LDNS_MAX_DOMAINLEN + 1];
1005
1006 if ((pq = calloc(1, sizeof(*pq))) == NULL) {
1007 log_warn(NULL);
1008 return;
1009 }
1010
1011 do {
1012 arc4random_buf(&pq->imsg_id, sizeof(pq->imsg_id));
1013 } while(find_pending_query(pq->imsg_id) != NULL);
1014
1015 TAILQ_INSERT_TAIL(&pending_queries, pq, entry);
1016
1017 pq->from = opq->from;
1018 pq->fd = opq->fd;
1019 opq->fd = -1;
1020 pq->tcp = opq->tcp;
1021 pq->qbuf = sldns_buffer_new(sldns_buffer_capacity(opq->qbuf));
1022 pq->abuf = sldns_buffer_new(sldns_buffer_capacity(opq->abuf));
1023 pq->region = regional_create();
1024
1025 if (!pq->qbuf || !pq->abuf || !pq->region) {
1026 log_warnx("out of memory");
1027 free_pending_query(pq);
1028 free_pending_query(opq);
1029 return;
1030 }
1031
1032 sldns_buffer_rewind(opq->qbuf);
1033 sldns_buffer_write(pq->qbuf, sldns_buffer_current(opq->qbuf),
1034 sldns_buffer_remaining(opq->qbuf));
1035 sldns_buffer_flip(pq->qbuf);
1036
1037 if (pq->tcp) {
1038 struct timeval timeout = {TCP_TIMEOUT, 0};
1039
1040 event_set(&pq->ev, pq->fd, EV_READ | EV_PERSIST, tcp_request,
1041 pq);
1042 event_set(&pq->resp_ev, pq->fd, EV_WRITE | EV_PERSIST,
1043 tcp_response, pq);
1044 evtimer_set(&pq->tmo_ev, tcp_timeout, pq);
1045 evtimer_add(&pq->tmo_ev, &timeout);
1046 }
1047
1048 if (sldns_buffer_remaining(pq->qbuf) < LDNS_HEADER_SIZE) {
1049 log_warnx("bad query: too short, dropped");
1050 goto drop;
1051 }
1052
1053 pq->id = sldns_buffer_read_u16_at(pq->qbuf, 0);
1054 pq->flags = sldns_buffer_read_u16_at(pq->qbuf, 2);
1055
1056 if (!query_info_parse(&pq->qinfo, pq->qbuf)) {
1057 log_warnx("query_info_parse failed");
1058 goto drop;
1059 }
1060
1061 rcode = parse_edns_from_query_pkt(pq->qbuf, &pq->edns, NULL, NULL,
1062 NULL, 0, pq->region, NULL);
1063 if (rcode != LDNS_RCODE_NOERROR) {
1064 error_answer(pq, rcode);
1065 goto send_answer;
1066 }
1067
1068 dname_str(pq->qinfo.qname, dname);
1069 strlcpy(query_imsg.qname, dname, sizeof(query_imsg.qname));
1070 query_imsg.id = pq->imsg_id;
1071 query_imsg.t = LDNS_RR_TYPE_A;
1072 query_imsg.c = pq->qinfo.qclass;
1073
1074 pq->dns64_synthesize = 1;
1075
1076 if (frontend_imsg_compose_resolver(IMSG_QUERY, 0, &query_imsg,
1077 sizeof(query_imsg)) == -1) {
1078 error_answer(pq, LDNS_RCODE_SERVFAIL);
1079 goto send_answer;
1080 }
1081
1082 free_pending_query(opq);
1083 return;
1084
1085 send_answer:
1086 free_pending_query(opq);
1087 send_answer(pq);
1088 return;
1089
1090 drop:
1091 free_pending_query(opq);
1092 free_pending_query(pq);
1093 }
1094
1095 void
chaos_answer(struct pending_query * pq)1096 chaos_answer(struct pending_query *pq)
1097 {
1098 size_t len;
1099 const char *name = "unwind";
1100
1101 len = strlen(name);
1102 if (!sldns_buffer_set_capacity(pq->abuf,
1103 sldns_buffer_capacity(pq->qbuf) + COMPRESSED_RR_SIZE + 1 + len)) {
1104 error_answer(pq, LDNS_RCODE_SERVFAIL);
1105 return;
1106 }
1107
1108 sldns_buffer_copy(pq->abuf, pq->qbuf);
1109
1110 sldns_buffer_clear(pq->abuf);
1111
1112 sldns_buffer_skip(pq->abuf, sizeof(uint16_t)); /* skip id */
1113 sldns_buffer_write_u16(pq->abuf, 0); /* clear flags */
1114 LDNS_QR_SET(sldns_buffer_begin(pq->abuf));
1115 LDNS_RA_SET(sldns_buffer_begin(pq->abuf));
1116 if (LDNS_RD_WIRE(sldns_buffer_begin(pq->qbuf)))
1117 LDNS_RD_SET(sldns_buffer_begin(pq->abuf));
1118 if (LDNS_CD_WIRE(sldns_buffer_begin(pq->qbuf)))
1119 LDNS_CD_SET(sldns_buffer_begin(pq->abuf));
1120 LDNS_RCODE_SET(sldns_buffer_begin(pq->abuf), LDNS_RCODE_NOERROR);
1121 sldns_buffer_write_u16(pq->abuf, 1); /* qdcount */
1122 sldns_buffer_write_u16(pq->abuf, 1); /* ancount */
1123 sldns_buffer_write_u16(pq->abuf, 0); /* nscount */
1124 sldns_buffer_write_u16(pq->abuf, 0); /* arcount */
1125 (void)query_dname_len(pq->abuf); /* skip qname */
1126 sldns_buffer_skip(pq->abuf, sizeof(uint16_t)); /* skip qtype */
1127 sldns_buffer_skip(pq->abuf, sizeof(uint16_t)); /* skip qclass */
1128
1129 sldns_buffer_write_u16(pq->abuf, 0xc00c); /* ptr to query */
1130 sldns_buffer_write_u16(pq->abuf, LDNS_RR_TYPE_TXT);
1131 sldns_buffer_write_u16(pq->abuf, LDNS_RR_CLASS_CH);
1132 sldns_buffer_write_u32(pq->abuf, 0); /* TTL */
1133 sldns_buffer_write_u16(pq->abuf, 1 + len); /* RDLENGTH */
1134 sldns_buffer_write_u8(pq->abuf, len); /* length octed */
1135 sldns_buffer_write(pq->abuf, name, len);
1136 sldns_buffer_flip(pq->abuf);
1137 }
1138
1139 void
error_answer(struct pending_query * pq,int rcode)1140 error_answer(struct pending_query *pq, int rcode)
1141 {
1142 sldns_buffer_clear(pq->abuf);
1143 error_encode(pq->abuf, rcode, &pq->qinfo, htons(pq->id), pq->flags,
1144 pq->edns.edns_present ? &pq->edns : NULL);
1145 }
1146
1147 int
check_query(sldns_buffer * pkt)1148 check_query(sldns_buffer* pkt)
1149 {
1150 if(sldns_buffer_limit(pkt) < LDNS_HEADER_SIZE) {
1151 log_warnx("bad query: too short, dropped");
1152 return -1;
1153 }
1154 if(LDNS_QR_WIRE(sldns_buffer_begin(pkt))) {
1155 log_warnx("bad query: QR set, dropped");
1156 return -1;
1157 }
1158 if(LDNS_TC_WIRE(sldns_buffer_begin(pkt))) {
1159 LDNS_TC_CLR(sldns_buffer_begin(pkt));
1160 log_warnx("bad query: TC set");
1161 return (LDNS_RCODE_FORMERR);
1162 }
1163 if(!(LDNS_RD_WIRE(sldns_buffer_begin(pkt)))) {
1164 log_warnx("bad query: RD not set");
1165 return (LDNS_RCODE_REFUSED);
1166 }
1167 if(LDNS_OPCODE_WIRE(sldns_buffer_begin(pkt)) != LDNS_PACKET_QUERY) {
1168 log_warnx("bad query: unknown opcode %d",
1169 LDNS_OPCODE_WIRE(sldns_buffer_begin(pkt)));
1170 return (LDNS_RCODE_NOTIMPL);
1171 }
1172
1173 if (LDNS_QDCOUNT(sldns_buffer_begin(pkt)) != 1 &&
1174 LDNS_ANCOUNT(sldns_buffer_begin(pkt))!= 0 &&
1175 LDNS_NSCOUNT(sldns_buffer_begin(pkt))!= 0 &&
1176 LDNS_ARCOUNT(sldns_buffer_begin(pkt)) > 1) {
1177 log_warnx("bad query: qdcount: %d, ancount: %d "
1178 "nscount: %d, arcount: %d",
1179 LDNS_QDCOUNT(sldns_buffer_begin(pkt)),
1180 LDNS_ANCOUNT(sldns_buffer_begin(pkt)),
1181 LDNS_NSCOUNT(sldns_buffer_begin(pkt)),
1182 LDNS_ARCOUNT(sldns_buffer_begin(pkt)));
1183 return (LDNS_RCODE_FORMERR);
1184 }
1185 return (LDNS_RCODE_NOERROR);
1186 }
1187
1188 void
send_answer(struct pending_query * pq)1189 send_answer(struct pending_query *pq)
1190 {
1191 char *str;
1192
1193 if (log_getverbose() & OPT_VERBOSE2 && (str =
1194 sldns_wire2str_pkt(sldns_buffer_begin(pq->abuf),
1195 sldns_buffer_limit(pq->abuf))) != NULL) {
1196 log_debug("from: %s\n%s", ip_port((struct sockaddr *)
1197 &pq->from), str);
1198 free(str);
1199 }
1200
1201 if (!pq->tcp) {
1202 if(sendto(pq->fd, sldns_buffer_current(pq->abuf),
1203 sldns_buffer_remaining(pq->abuf), 0,
1204 (struct sockaddr *)&pq->from, pq->from.ss_len) == -1)
1205 log_warn("sendto");
1206 free_pending_query(pq);
1207 } else {
1208 struct sldns_buffer *tmp;
1209
1210 tmp = sldns_buffer_new(sldns_buffer_limit(pq->abuf) + 2);
1211
1212 if (!tmp) {
1213 free_pending_query(pq);
1214 return;
1215 }
1216
1217 sldns_buffer_write_u16(tmp, sldns_buffer_limit(pq->abuf));
1218 sldns_buffer_write(tmp, sldns_buffer_current(pq->abuf),
1219 sldns_buffer_remaining(pq->abuf));
1220 sldns_buffer_flip(tmp);
1221 sldns_buffer_free(pq->abuf);
1222 pq->abuf = tmp;
1223 event_add(&pq->resp_ev, NULL);
1224 }
1225 }
1226
1227 char*
ip_port(struct sockaddr * sa)1228 ip_port(struct sockaddr *sa)
1229 {
1230 static char hbuf[NI_MAXHOST], buf[NI_MAXHOST];
1231
1232 if (getnameinfo(sa, sa->sa_len, hbuf, sizeof(hbuf), NULL, 0,
1233 NI_NUMERICHOST) != 0) {
1234 snprintf(buf, sizeof(buf), "%s", "(unknown)");
1235 return buf;
1236 }
1237
1238 if (sa->sa_family == AF_INET6)
1239 snprintf(buf, sizeof(buf), "[%s]:%d", hbuf, ntohs(
1240 ((struct sockaddr_in6 *)sa)->sin6_port));
1241 if (sa->sa_family == AF_INET)
1242 snprintf(buf, sizeof(buf), "[%s]:%d", hbuf, ntohs(
1243 ((struct sockaddr_in *)sa)->sin_port));
1244
1245 return buf;
1246 }
1247
1248 struct pending_query*
find_pending_query(uint64_t id)1249 find_pending_query(uint64_t id)
1250 {
1251 struct pending_query *pq;
1252
1253 TAILQ_FOREACH(pq, &pending_queries, entry)
1254 if (pq->imsg_id == id)
1255 return pq;
1256 return NULL;
1257 }
1258
1259 void
route_receive(int fd,short events,void * arg)1260 route_receive(int fd, short events, void *arg)
1261 {
1262 static uint8_t *buf;
1263
1264 struct rt_msghdr *rtm;
1265 struct sockaddr *sa, *rti_info[RTAX_MAX];
1266 ssize_t n;
1267
1268 if (buf == NULL) {
1269 buf = malloc(ROUTE_SOCKET_BUF_SIZE);
1270 if (buf == NULL)
1271 fatal("malloc");
1272 }
1273 rtm = (struct rt_msghdr *)buf;
1274 if ((n = read(fd, buf, ROUTE_SOCKET_BUF_SIZE)) == -1) {
1275 if (errno == EAGAIN || errno == EINTR)
1276 return;
1277 log_warn("dispatch_rtmsg: read error");
1278 return;
1279 }
1280
1281 if (n == 0)
1282 fatal("routing socket closed");
1283
1284 if (n < (ssize_t)sizeof(rtm->rtm_msglen) || n < rtm->rtm_msglen) {
1285 log_warnx("partial rtm of %zd in buffer", n);
1286 return;
1287 }
1288
1289 if (rtm->rtm_version != RTM_VERSION)
1290 return;
1291
1292 sa = (struct sockaddr *)(buf + rtm->rtm_hdrlen);
1293 get_rtaddrs(rtm->rtm_addrs, sa, rti_info);
1294
1295 handle_route_message(rtm, rti_info);
1296 }
1297
1298 #define ROUNDUP(a) \
1299 ((a) > 0 ? (1 + (((a) - 1) | (sizeof(long) - 1))) : sizeof(long))
1300
1301 void
get_rtaddrs(int addrs,struct sockaddr * sa,struct sockaddr ** rti_info)1302 get_rtaddrs(int addrs, struct sockaddr *sa, struct sockaddr **rti_info)
1303 {
1304 int i;
1305
1306 for (i = 0; i < RTAX_MAX; i++) {
1307 if (addrs & (1 << i)) {
1308 rti_info[i] = sa;
1309 sa = (struct sockaddr *)((char *)(sa) +
1310 ROUNDUP(sa->sa_len));
1311 } else
1312 rti_info[i] = NULL;
1313 }
1314 }
1315
1316 void
handle_route_message(struct rt_msghdr * rtm,struct sockaddr ** rti_info)1317 handle_route_message(struct rt_msghdr *rtm, struct sockaddr **rti_info)
1318 {
1319 struct imsg_rdns_proposal rdns_proposal;
1320 struct sockaddr_rtdns *rtdns;
1321 struct if_announcemsghdr *ifan;
1322
1323 switch (rtm->rtm_type) {
1324 case RTM_IFANNOUNCE:
1325 ifan = (struct if_announcemsghdr *)rtm;
1326 if (ifan->ifan_what == IFAN_ARRIVAL)
1327 break;
1328 rdns_proposal.if_index = ifan->ifan_index;
1329 rdns_proposal.src = 0;
1330 rdns_proposal.rtdns.sr_family = AF_INET;
1331 rdns_proposal.rtdns.sr_len = offsetof(struct sockaddr_rtdns,
1332 sr_dns);
1333 frontend_imsg_compose_resolver(IMSG_REPLACE_DNS, 0,
1334 &rdns_proposal, sizeof(rdns_proposal));
1335 break;
1336 case RTM_IFINFO:
1337 frontend_imsg_compose_resolver(IMSG_NETWORK_CHANGED, 0, NULL,
1338 0);
1339 break;
1340 case RTM_PROPOSAL:
1341 if (!(rtm->rtm_addrs & RTA_DNS))
1342 break;
1343
1344 rtdns = (struct sockaddr_rtdns*)rti_info[RTAX_DNS];
1345 rdns_proposal.if_index = rtm->rtm_index;
1346 rdns_proposal.src = rtm->rtm_priority;
1347 memcpy(&rdns_proposal.rtdns, rtdns, sizeof(rdns_proposal.rtdns));
1348 frontend_imsg_compose_resolver(IMSG_REPLACE_DNS, 0,
1349 &rdns_proposal, sizeof(rdns_proposal));
1350 break;
1351 case RTM_NEWADDR:
1352 case RTM_DELADDR:
1353 case RTM_DESYNC:
1354 check_available_af();
1355 break;
1356 default:
1357 break;
1358 }
1359 }
1360
1361 void
add_new_ta(struct trust_anchor_head * tah,char * val)1362 add_new_ta(struct trust_anchor_head *tah, char *val)
1363 {
1364 struct trust_anchor *ta, *i;
1365 int cmp;
1366
1367 if ((ta = malloc(sizeof(*ta))) == NULL)
1368 fatal("%s", __func__);
1369 if ((ta->ta = strdup(val)) == NULL)
1370 fatal("%s", __func__);
1371
1372 /* keep the list sorted to prevent churn if the order changes in DNS */
1373 TAILQ_FOREACH(i, tah, entry) {
1374 cmp = strcmp(i->ta, ta->ta);
1375 if ( cmp == 0) {
1376 /* duplicate */
1377 free(ta->ta);
1378 free(ta);
1379 return;
1380 } else if (cmp > 0) {
1381 TAILQ_INSERT_BEFORE(i, ta, entry);
1382 return;
1383 }
1384 }
1385 TAILQ_INSERT_TAIL(tah, ta, entry);
1386 }
1387
1388 void
free_tas(struct trust_anchor_head * tah)1389 free_tas(struct trust_anchor_head *tah)
1390 {
1391 struct trust_anchor *ta;
1392
1393 while ((ta = TAILQ_FIRST(tah))) {
1394 TAILQ_REMOVE(tah, ta, entry);
1395 free(ta->ta);
1396 free(ta);
1397 }
1398 }
1399
1400 int
merge_tas(struct trust_anchor_head * newh,struct trust_anchor_head * oldh)1401 merge_tas(struct trust_anchor_head *newh, struct trust_anchor_head *oldh)
1402 {
1403 struct trust_anchor *i, *j;
1404 int chg = 0;
1405
1406 j = TAILQ_FIRST(oldh);
1407
1408 TAILQ_FOREACH(i, newh, entry) {
1409 if (j == NULL || strcmp(i->ta, j->ta) != 0) {
1410 chg = 1;
1411 break;
1412 }
1413 j = TAILQ_NEXT(j, entry);
1414 }
1415 if (j != NULL)
1416 chg = 1;
1417
1418 if (chg) {
1419 free_tas(oldh);
1420 TAILQ_CONCAT(oldh, newh, entry);
1421 } else {
1422 free_tas(newh);
1423 }
1424 return (chg);
1425 }
1426
1427 void
parse_trust_anchor(struct trust_anchor_head * tah,int fd)1428 parse_trust_anchor(struct trust_anchor_head *tah, int fd)
1429 {
1430 size_t len, dname_len;
1431 ssize_t n, sz;
1432 uint8_t rr[LDNS_RR_BUF_SIZE];
1433 char *str, *p, buf[512], *line;
1434
1435 sz = 0;
1436 str = NULL;
1437
1438 while ((n = read(fd, buf, sizeof(buf))) > 0) {
1439 p = recallocarray(str, sz, sz + n, 1);
1440 if (p == NULL) {
1441 log_warn("%s", __func__);
1442 goto out;
1443 }
1444 str = p;
1445 memcpy(str + sz, buf, n);
1446 sz += n;
1447 }
1448
1449 if (n == -1) {
1450 log_warn("%s", __func__);
1451 goto out;
1452 }
1453
1454 /* make it a string */
1455 p = recallocarray(str, sz, sz + 1, 1);
1456 if (p == NULL) {
1457 log_warn("%s", __func__);
1458 goto out;
1459 }
1460 str = p;
1461 sz++;
1462
1463 len = sizeof(rr);
1464
1465 while ((line = strsep(&p, "\n")) != NULL) {
1466 if (sldns_str2wire_rr_buf(line, rr, &len, &dname_len,
1467 ROOT_DNSKEY_TTL, NULL, 0, NULL, 0) != 0)
1468 continue;
1469 if (sldns_wirerr_get_type(rr, len, dname_len) ==
1470 LDNS_RR_TYPE_DNSKEY)
1471 add_new_ta(tah, line);
1472 }
1473
1474 out:
1475 free(str);
1476 return;
1477 }
1478
1479 void
send_trust_anchors(struct trust_anchor_head * tah)1480 send_trust_anchors(struct trust_anchor_head *tah)
1481 {
1482 struct trust_anchor *ta;
1483
1484 TAILQ_FOREACH(ta, tah, entry)
1485 frontend_imsg_compose_resolver(IMSG_NEW_TA, 0, ta->ta,
1486 strlen(ta->ta) + 1);
1487 frontend_imsg_compose_resolver(IMSG_NEW_TAS_DONE, 0, NULL, 0);
1488 }
1489
1490 void
write_trust_anchors(struct trust_anchor_head * tah,int fd)1491 write_trust_anchors(struct trust_anchor_head *tah, int fd)
1492 {
1493 struct trust_anchor *ta;
1494 size_t len = 0;
1495 ssize_t n;
1496 char *str;
1497
1498 if (lseek(fd, 0, SEEK_SET) == -1) {
1499 log_warn("%s", __func__);
1500 goto out;
1501 }
1502
1503 TAILQ_FOREACH(ta, tah, entry) {
1504 if ((n = asprintf(&str, "%s\n", ta->ta)) == -1) {
1505 log_warn("%s", __func__);
1506 len = 0;
1507 goto out;
1508 }
1509 len += n;
1510 if (write(fd, str, n) != n) {
1511 log_warn("%s", __func__);
1512 free(str);
1513 len = 0;
1514 goto out;
1515 }
1516 free(str);
1517 }
1518 out:
1519 ftruncate(fd, len);
1520 fsync(fd);
1521 }
1522
1523 void
parse_blocklist(int fd)1524 parse_blocklist(int fd)
1525 {
1526 FILE *f;
1527 struct bl_node *bl_node;
1528 char *line = NULL;
1529 size_t linesize = 0;
1530 ssize_t linelen;
1531
1532 if((f = fdopen(fd, "r")) == NULL) {
1533 log_warn("cannot read block list");
1534 close(fd);
1535 return;
1536 }
1537
1538 free_bl();
1539
1540 while ((linelen = getline(&line, &linesize, f)) != -1) {
1541 if (line[linelen - 1] == '\n') {
1542 if (linelen >= 2 && line[linelen - 2] != '.')
1543 line[linelen - 1] = '.';
1544 else
1545 line[linelen - 1] = '\0';
1546 }
1547
1548 bl_node = malloc(sizeof *bl_node);
1549 if (bl_node == NULL)
1550 fatal("%s: malloc", __func__);
1551 if ((bl_node->domain = strdup(line)) == NULL)
1552 fatal("%s: strdup", __func__);
1553 if (RB_INSERT(bl_tree, &bl_head, bl_node) != NULL) {
1554 log_warnx("duplicate blocked domain \"%s\"", line);
1555 free(bl_node->domain);
1556 free(bl_node);
1557 }
1558 }
1559 free(line);
1560 if (ferror(f))
1561 log_warn("getline");
1562 fclose(f);
1563 }
1564
1565 int
bl_cmp(struct bl_node * e1,struct bl_node * e2)1566 bl_cmp(struct bl_node *e1, struct bl_node *e2) {
1567 return (strcasecmp(e1->domain, e2->domain));
1568 }
1569
1570 void
free_bl(void)1571 free_bl(void)
1572 {
1573 struct bl_node *n, *nxt;
1574
1575 RB_FOREACH_SAFE(n, bl_tree, &bl_head, nxt) {
1576 RB_REMOVE(bl_tree, &bl_head, n);
1577 free(n->domain);
1578 free(n);
1579 }
1580 }
1581
1582 int
pending_query_cnt(void)1583 pending_query_cnt(void)
1584 {
1585 struct pending_query *e;
1586 int cnt = 0;
1587
1588 TAILQ_FOREACH(e, &pending_queries, entry)
1589 cnt++;
1590 return cnt;
1591 }
1592
1593 void
accept_paused(int fd,short events,void * arg)1594 accept_paused(int fd, short events, void *arg)
1595 {
1596 struct tcp_accept_ev *tcpev = arg;
1597 event_add(&tcpev->ev, NULL);
1598 }
1599
1600 int
accept_reserve(int sockfd,struct sockaddr * addr,socklen_t * addrlen)1601 accept_reserve(int sockfd, struct sockaddr *addr, socklen_t *addrlen)
1602 {
1603 if (getdtablecount() + FD_RESERVE >= getdtablesize()) {
1604 log_debug("%s: inflight fds exceeded", __func__);
1605 errno = EMFILE;
1606 return -1;
1607 }
1608 return accept4(sockfd, addr, addrlen, SOCK_NONBLOCK | SOCK_CLOEXEC);
1609 }
1610
1611 void
tcp_accept(int fd,short events,void * arg)1612 tcp_accept(int fd, short events, void *arg)
1613 {
1614 static struct timeval timeout = {TCP_TIMEOUT, 0};
1615 static struct timeval backoff = {1, 0};
1616 struct pending_query *pq;
1617 struct tcp_accept_ev *tcpev;
1618 struct sockaddr_storage ss;
1619 socklen_t len;
1620 int s;
1621
1622 tcpev = arg;
1623 len = sizeof(ss);
1624
1625 if ((s = accept_reserve(fd, (struct sockaddr *)&ss, &len)) == -1) {
1626 switch (errno) {
1627 case EINTR:
1628 case EWOULDBLOCK:
1629 case ECONNABORTED:
1630 return;
1631 case EMFILE:
1632 case ENFILE:
1633 event_del(&tcpev->ev);
1634 evtimer_add(&tcpev->pause, &backoff);
1635 return;
1636 default:
1637 fatal("accept");
1638 }
1639 }
1640
1641 if ((pq = calloc(1, sizeof(*pq))) == NULL) {
1642 log_warn(NULL);
1643 close(s);
1644 return;
1645 }
1646
1647 do {
1648 arc4random_buf(&pq->imsg_id, sizeof(pq->imsg_id));
1649 } while(find_pending_query(pq->imsg_id) != NULL);
1650
1651 TAILQ_INSERT_TAIL(&pending_queries, pq, entry);
1652
1653 pq->from = ss;
1654 pq->fd = s;
1655 pq->tcp = 1;
1656 pq->qbuf = sldns_buffer_new(DEFAULT_TCP_SIZE);
1657 pq->region = regional_create();
1658
1659 if (!pq->qbuf || !pq->region) {
1660 free_pending_query(pq);
1661 return;
1662 }
1663
1664 event_set(&pq->ev, s, EV_READ | EV_PERSIST, tcp_request, pq);
1665 event_add(&pq->ev, NULL);
1666 event_set(&pq->resp_ev, s, EV_WRITE | EV_PERSIST, tcp_response, pq);
1667
1668 evtimer_set(&pq->tmo_ev, tcp_timeout, pq);
1669 evtimer_add(&pq->tmo_ev, &timeout);
1670 }
1671
1672 void
tcp_request(int fd,short events,void * arg)1673 tcp_request(int fd, short events, void *arg)
1674 {
1675 struct pending_query *pq;
1676 ssize_t n;
1677
1678 pq = arg;
1679
1680 n = read(fd, sldns_buffer_current(pq->qbuf),
1681 sldns_buffer_remaining(pq->qbuf));
1682
1683 switch (n) {
1684 case -1:
1685 switch (errno) {
1686 case EINTR:
1687 case EAGAIN:
1688 return;
1689 default:
1690 goto fail;
1691 }
1692 break;
1693 case 0:
1694 log_debug("closed connection");
1695 goto fail;
1696 default:
1697 break;
1698 }
1699
1700 sldns_buffer_skip(pq->qbuf, n);
1701
1702 if (sldns_buffer_position(pq->qbuf) >= 2 && !pq->abuf) {
1703 struct sldns_buffer *tmp;
1704 size_t rem;
1705 uint16_t len;
1706
1707 sldns_buffer_flip(pq->qbuf);
1708 len = sldns_buffer_read_u16(pq->qbuf);
1709 tmp = sldns_buffer_new(len);
1710 if (tmp == NULL)
1711 goto fail;
1712 pq->abuf = sldns_buffer_new(len);
1713 if (pq->abuf == NULL) {
1714 sldns_buffer_free(tmp);
1715 goto fail;
1716 }
1717
1718 rem = sldns_buffer_remaining(pq->qbuf);
1719 sldns_buffer_write(tmp, sldns_buffer_current(pq->qbuf),
1720 MINIMUM(len, rem));
1721 sldns_buffer_free(pq->qbuf);
1722 pq->qbuf = tmp;
1723 }
1724 if (sldns_buffer_remaining(pq->qbuf) == 0) {
1725 sldns_buffer_flip(pq->qbuf);
1726 shutdown(fd, SHUT_RD);
1727 event_del(&pq->ev);
1728 handle_query(pq);
1729 }
1730 return;
1731 fail:
1732 free_pending_query(pq);
1733 }
1734
1735 void
tcp_response(int fd,short events,void * arg)1736 tcp_response(int fd, short events, void *arg)
1737 {
1738 struct pending_query *pq;
1739 ssize_t n;
1740
1741 pq = arg;
1742
1743 n = write(fd, sldns_buffer_current(pq->abuf),
1744 sldns_buffer_remaining(pq->abuf));
1745
1746 if (n == -1) {
1747 if (errno == EAGAIN || errno == EINTR)
1748 return;
1749 free_pending_query(pq);
1750 return;
1751 }
1752 sldns_buffer_skip(pq->abuf, n);
1753 if (sldns_buffer_remaining(pq->abuf) == 0)
1754 free_pending_query(pq);
1755 }
1756
1757 void
tcp_timeout(int fd,short events,void * arg)1758 tcp_timeout(int fd, short events, void *arg)
1759 {
1760 free_pending_query(arg);
1761 }
1762
1763 void
check_available_af(void)1764 check_available_af(void)
1765 {
1766 static int available_af = HAVE_IPV4 | HAVE_IPV6;
1767 static int rtable = -1;
1768 struct ifaddrs *ifap, *ifa;
1769 struct if_data *ifa_data;
1770 struct sockaddr_in *sin4;
1771 struct sockaddr_in6 *sin6;
1772 int new_available_af = 0, ifa_rtable = -1;
1773
1774 if (rtable == -1)
1775 rtable = getrtable();
1776
1777 if (getifaddrs(&ifap) != 0) {
1778 log_warn("getifaddrs");
1779 return;
1780 }
1781
1782 for (ifa = ifap; ifa != NULL; ifa = ifa->ifa_next) {
1783 if (ifa->ifa_addr == NULL)
1784 continue;
1785 switch(ifa->ifa_addr->sa_family) {
1786 case AF_LINK:
1787 /* AF_LINK comes before inet / inet6 on an interface */
1788 ifa_data = (struct if_data *)ifa->ifa_data;
1789 ifa_rtable = ifa_data->ifi_rdomain;
1790 break;
1791 case AF_INET:
1792 if (ifa_rtable != rtable)
1793 continue;
1794
1795 sin4 = (struct sockaddr_in *)ifa->ifa_addr;
1796 if ((ntohl(sin4->sin_addr.s_addr) >> 24) ==
1797 IN_LOOPBACKNET)
1798 continue;
1799 new_available_af |= HAVE_IPV4;
1800 break;
1801 case AF_INET6:
1802 if (ifa_rtable != rtable)
1803 continue;
1804
1805 sin6 = (struct sockaddr_in6 *)ifa->ifa_addr;
1806 if (IN6_IS_ADDR_LOOPBACK(&sin6->sin6_addr) ||
1807 IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr) ||
1808 IN6_IS_ADDR_MC_LINKLOCAL(&sin6->sin6_addr) ||
1809 IN6_IS_ADDR_MC_INTFACELOCAL(&sin6->sin6_addr))
1810 continue;
1811 new_available_af |= HAVE_IPV6;
1812 break;
1813 default:
1814 break;
1815 }
1816 if (new_available_af == (HAVE_IPV4 | HAVE_IPV6))
1817 break;
1818 }
1819 freeifaddrs(ifap);
1820 if (new_available_af != available_af) {
1821 available_af = new_available_af;
1822 frontend_imsg_compose_resolver(IMSG_CHANGE_AFS, 0,
1823 &available_af, sizeof(available_af));
1824 }
1825 }
1826