1 /* $OpenBSD: frontend.c,v 1.65 2021/01/24 18:29:15 florian Exp $ */ 2 3 /* 4 * Copyright (c) 2018 Florian Obser <florian@openbsd.org> 5 * Copyright (c) 2005 Claudio Jeker <claudio@openbsd.org> 6 * Copyright (c) 2004 Esben Norby <norby@openbsd.org> 7 * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> 8 * 9 * Permission to use, copy, modify, and distribute this software for any 10 * purpose with or without fee is hereby granted, provided that the above 11 * copyright notice and this permission notice appear in all copies. 12 * 13 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 14 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 15 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 16 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 17 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 18 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 19 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 20 */ 21 22 #include <sys/types.h> 23 #include <sys/queue.h> 24 #include <sys/socket.h> 25 #include <sys/syslog.h> 26 #include <sys/tree.h> 27 #include <sys/uio.h> 28 29 #include <netinet/in.h> 30 #include <net/if.h> 31 #include <net/route.h> 32 33 #include <errno.h> 34 #include <event.h> 35 #include <imsg.h> 36 #include <netdb.h> 37 #include <pwd.h> 38 #include <signal.h> 39 #include <stdint.h> 40 #include <stdio.h> 41 #include <stdlib.h> 42 #include <string.h> 43 #include <time.h> 44 #include <unistd.h> 45 46 #include "libunbound/config.h" 47 #include "libunbound/sldns/pkthdr.h" 48 #include "libunbound/sldns/sbuffer.h" 49 #include "libunbound/sldns/str2wire.h" 50 #include "libunbound/sldns/wire2str.h" 51 #include "libunbound/util/alloc.h" 52 #include "libunbound/util/net_help.h" 53 #include "libunbound/util/regional.h" 54 #include "libunbound/util/data/dname.h" 55 #include "libunbound/util/data/msgencode.h" 56 #include "libunbound/util/data/msgparse.h" 57 #include "libunbound/util/data/msgreply.h" 58 59 #include "log.h" 60 #include "unwind.h" 61 #include "frontend.h" 62 #include "control.h" 63 #include "dns64_synth.h" 64 65 #define ROUTE_SOCKET_BUF_SIZE 16384 66 67 /* 68 * size of a resource record with name a two octed pointer to qname 69 * 2 octets pointer to qname 70 * 2 octets TYPE 71 * 2 octets CLASS 72 * 4 octets TTL 73 * 2 octets RDLENGTH 74 */ 75 #define COMPRESSED_RR_SIZE 12 76 #define MINIMIZE_ANSWER 1 77 78 #define FD_RESERVE 5 79 #define TCP_TIMEOUT 15 80 #define DEFAULT_TCP_SIZE 512 81 82 struct udp_ev { 83 struct event ev; 84 uint8_t query[65536]; 85 struct msghdr rcvmhdr; 86 struct iovec rcviov[1]; 87 struct sockaddr_storage from; 88 } udp4ev, udp6ev; 89 90 struct tcp_accept_ev { 91 struct event ev; 92 struct event pause; 93 } tcp4ev, tcp6ev; 94 95 struct pending_query { 96 TAILQ_ENTRY(pending_query) entry; 97 struct sockaddr_storage from; 98 struct sldns_buffer *qbuf; 99 struct sldns_buffer *abuf; 100 struct regional *region; 101 struct query_info qinfo; 102 struct msg_parse *qmsg; 103 struct edns_data edns; 104 struct event ev; /* for tcp */ 105 struct event resp_ev; /* for tcp */ 106 struct event tmo_ev; /* for tcp */ 107 uint64_t imsg_id; 108 int fd; 109 int tcp; 110 int dns64_synthesize; 111 }; 112 113 TAILQ_HEAD(, pending_query) pending_queries; 114 115 struct bl_node { 116 RB_ENTRY(bl_node) entry; 117 char *domain; 118 }; 119 120 __dead void frontend_shutdown(void); 121 void frontend_sig_handler(int, short, void *); 122 void frontend_startup(void); 123 void udp_receive(int, short, void *); 124 void handle_query(struct pending_query *); 125 void free_pending_query(struct pending_query *); 126 void tcp_accept(int, short, void *); 127 int accept_reserve(int, struct sockaddr *, socklen_t *); 128 void accept_paused(int, short, void *); 129 void tcp_request(int, short, void *); 130 void tcp_response(int, short, void *); 131 void tcp_timeout(int, short, void *); 132 int check_query(sldns_buffer*); 133 void noerror_answer(struct pending_query *); 134 void synthesize_dns64_answer(struct pending_query *); 135 void resend_dns64_query(struct pending_query *); 136 void chaos_answer(struct pending_query *); 137 void error_answer(struct pending_query *, int rcode); 138 void send_answer(struct pending_query *); 139 void route_receive(int, short, void *); 140 void handle_route_message(struct rt_msghdr *, 141 struct sockaddr **); 142 void get_rtaddrs(int, struct sockaddr *, 143 struct sockaddr **); 144 void rtmget_default(void); 145 struct pending_query *find_pending_query(uint64_t); 146 void parse_trust_anchor(struct trust_anchor_head *, int); 147 void send_trust_anchors(struct trust_anchor_head *); 148 void write_trust_anchors(struct trust_anchor_head *, int); 149 void parse_blocklist(int); 150 int bl_cmp(struct bl_node *, struct bl_node *); 151 void free_bl(void); 152 int pending_query_cnt(void); 153 154 struct uw_conf *frontend_conf; 155 static struct imsgev *iev_main; 156 static struct imsgev *iev_resolver; 157 struct event ev_route; 158 int udp4sock = -1, udp6sock = -1; 159 int tcp4sock = -1, tcp6sock = -1; 160 int ta_fd = -1; 161 162 static struct trust_anchor_head trust_anchors, new_trust_anchors; 163 164 RB_HEAD(bl_tree, bl_node) bl_head = RB_INITIALIZER(&bl_head); 165 RB_PROTOTYPE(bl_tree, bl_node, entry, bl_cmp) 166 RB_GENERATE(bl_tree, bl_node, entry, bl_cmp) 167 168 struct dns64_prefix *dns64_prefixes; 169 int dns64_prefix_count; 170 171 void 172 frontend_sig_handler(int sig, short event, void *bula) 173 { 174 /* 175 * Normal signal handler rules don't apply because libevent 176 * decouples for us. 177 */ 178 179 switch (sig) { 180 case SIGINT: 181 case SIGTERM: 182 frontend_shutdown(); 183 default: 184 fatalx("unexpected signal"); 185 } 186 } 187 188 void 189 frontend(int debug, int verbose) 190 { 191 struct event ev_sigint, ev_sigterm; 192 struct passwd *pw; 193 194 frontend_conf = config_new_empty(); 195 196 log_init(debug, LOG_DAEMON); 197 log_setverbose(verbose); 198 199 if ((pw = getpwnam(UNWIND_USER)) == NULL) 200 fatal("getpwnam"); 201 202 if (chroot(pw->pw_dir) == -1) 203 fatal("chroot"); 204 if (chdir("/") == -1) 205 fatal("chdir(\"/\")"); 206 207 setproctitle("%s", "frontend"); 208 log_procinit("frontend"); 209 210 if (setgroups(1, &pw->pw_gid) || 211 setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) || 212 setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid)) 213 fatal("can't drop privileges"); 214 215 if (pledge("stdio unix recvfd", NULL) == -1) 216 fatal("pledge"); 217 218 event_init(); 219 220 /* Setup signal handler. */ 221 signal_set(&ev_sigint, SIGINT, frontend_sig_handler, NULL); 222 signal_set(&ev_sigterm, SIGTERM, frontend_sig_handler, NULL); 223 signal_add(&ev_sigint, NULL); 224 signal_add(&ev_sigterm, NULL); 225 signal(SIGPIPE, SIG_IGN); 226 signal(SIGHUP, SIG_IGN); 227 228 /* Setup pipe and event handler to the parent process. */ 229 if (iev_main != NULL) 230 fatal("iev_main"); 231 if ((iev_main = malloc(sizeof(struct imsgev))) == NULL) 232 fatal(NULL); 233 imsg_init(&iev_main->ibuf, 3); 234 iev_main->handler = frontend_dispatch_main; 235 iev_main->events = EV_READ; 236 event_set(&iev_main->ev, iev_main->ibuf.fd, iev_main->events, 237 iev_main->handler, iev_main); 238 event_add(&iev_main->ev, NULL); 239 240 udp4ev.rcviov[0].iov_base = (caddr_t)udp4ev.query; 241 udp4ev.rcviov[0].iov_len = sizeof(udp4ev.query); 242 udp4ev.rcvmhdr.msg_name = (caddr_t)&udp4ev.from; 243 udp4ev.rcvmhdr.msg_namelen = sizeof(udp4ev.from); 244 udp4ev.rcvmhdr.msg_iov = udp4ev.rcviov; 245 udp4ev.rcvmhdr.msg_iovlen = 1; 246 247 udp6ev.rcviov[0].iov_base = (caddr_t)udp6ev.query; 248 udp6ev.rcviov[0].iov_len = sizeof(udp6ev.query); 249 udp6ev.rcvmhdr.msg_name = (caddr_t)&udp6ev.from; 250 udp6ev.rcvmhdr.msg_namelen = sizeof(udp6ev.from); 251 udp6ev.rcvmhdr.msg_iov = udp6ev.rcviov; 252 udp6ev.rcvmhdr.msg_iovlen = 1; 253 254 TAILQ_INIT(&pending_queries); 255 256 TAILQ_INIT(&trust_anchors); 257 TAILQ_INIT(&new_trust_anchors); 258 259 add_new_ta(&trust_anchors, KSK2017); 260 261 event_dispatch(); 262 263 frontend_shutdown(); 264 } 265 266 __dead void 267 frontend_shutdown(void) 268 { 269 /* Close pipes. */ 270 msgbuf_write(&iev_resolver->ibuf.w); 271 msgbuf_clear(&iev_resolver->ibuf.w); 272 close(iev_resolver->ibuf.fd); 273 msgbuf_write(&iev_main->ibuf.w); 274 msgbuf_clear(&iev_main->ibuf.w); 275 close(iev_main->ibuf.fd); 276 277 config_clear(frontend_conf); 278 279 free(iev_resolver); 280 free(iev_main); 281 282 log_info("frontend exiting"); 283 exit(0); 284 } 285 286 int 287 frontend_imsg_compose_main(int type, pid_t pid, void *data, uint16_t datalen) 288 { 289 return (imsg_compose_event(iev_main, type, 0, pid, -1, data, datalen)); 290 } 291 292 int 293 frontend_imsg_compose_resolver(int type, pid_t pid, void *data, 294 uint16_t datalen) 295 { 296 return (imsg_compose_event(iev_resolver, type, 0, pid, -1, data, 297 datalen)); 298 } 299 300 void 301 frontend_dispatch_main(int fd, short event, void *bula) 302 { 303 static struct uw_conf *nconf; 304 struct imsg imsg; 305 struct imsgev *iev = bula; 306 struct imsgbuf *ibuf = &iev->ibuf; 307 int n, shut = 0; 308 309 if (event & EV_READ) { 310 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN) 311 fatal("imsg_read error"); 312 if (n == 0) /* Connection closed. */ 313 shut = 1; 314 } 315 if (event & EV_WRITE) { 316 if ((n = msgbuf_write(&ibuf->w)) == -1 && errno != EAGAIN) 317 fatal("msgbuf_write"); 318 if (n == 0) /* Connection closed. */ 319 shut = 1; 320 } 321 322 for (;;) { 323 if ((n = imsg_get(ibuf, &imsg)) == -1) 324 fatal("%s: imsg_get error", __func__); 325 if (n == 0) /* No more messages. */ 326 break; 327 328 switch (imsg.hdr.type) { 329 case IMSG_SOCKET_IPC_RESOLVER: 330 /* 331 * Setup pipe and event handler to the resolver 332 * process. 333 */ 334 if (iev_resolver) { 335 fatalx("%s: received unexpected imsg fd " 336 "to frontend", __func__); 337 break; 338 } 339 if ((fd = imsg.fd) == -1) { 340 fatalx("%s: expected to receive imsg fd to " 341 "frontend but didn't receive any", 342 __func__); 343 break; 344 } 345 346 if (iev_resolver != NULL) 347 fatal("iev_resolver"); 348 iev_resolver = malloc(sizeof(struct imsgev)); 349 if (iev_resolver == NULL) 350 fatal(NULL); 351 352 imsg_init(&iev_resolver->ibuf, fd); 353 iev_resolver->handler = frontend_dispatch_resolver; 354 iev_resolver->events = EV_READ; 355 356 event_set(&iev_resolver->ev, iev_resolver->ibuf.fd, 357 iev_resolver->events, iev_resolver->handler, 358 iev_resolver); 359 event_add(&iev_resolver->ev, NULL); 360 break; 361 case IMSG_RECONF_CONF: 362 case IMSG_RECONF_BLOCKLIST_FILE: 363 case IMSG_RECONF_FORWARDER: 364 case IMSG_RECONF_DOT_FORWARDER: 365 case IMSG_RECONF_FORCE: 366 imsg_receive_config(&imsg, &nconf); 367 break; 368 case IMSG_RECONF_END: 369 if (nconf == NULL) 370 fatalx("%s: IMSG_RECONF_END without " 371 "IMSG_RECONF_CONF", __func__); 372 merge_config(frontend_conf, nconf); 373 if (frontend_conf->blocklist_file == NULL) 374 free_bl(); 375 nconf = NULL; 376 break; 377 case IMSG_UDP6SOCK: 378 if (udp6sock != -1) 379 fatalx("%s: received unexpected udp6sock", 380 __func__); 381 if ((udp6sock = imsg.fd) == -1) 382 fatalx("%s: expected to receive imsg " 383 "UDP6 fd but didn't receive any", __func__); 384 event_set(&udp6ev.ev, udp6sock, EV_READ | EV_PERSIST, 385 udp_receive, &udp6ev); 386 event_add(&udp6ev.ev, NULL); 387 break; 388 case IMSG_UDP4SOCK: 389 if (udp4sock != -1) 390 fatalx("%s: received unexpected udp4sock", 391 __func__); 392 if ((udp4sock = imsg.fd) == -1) 393 fatalx("%s: expected to receive imsg " 394 "UDP4 fd but didn't receive any", __func__); 395 event_set(&udp4ev.ev, udp4sock, EV_READ | EV_PERSIST, 396 udp_receive, &udp4ev); 397 event_add(&udp4ev.ev, NULL); 398 break; 399 case IMSG_TCP4SOCK: 400 if (tcp4sock != -1) 401 fatalx("%s: received unexpected tcp4sock", 402 __func__); 403 if ((tcp4sock = imsg.fd) == -1) 404 fatalx("%s: expected to receive imsg " 405 "TCP4 fd but didn't receive any", __func__); 406 event_set(&tcp4ev.ev, tcp4sock, EV_READ | EV_PERSIST, 407 tcp_accept, &tcp4ev); 408 event_add(&tcp4ev.ev, NULL); 409 evtimer_set(&tcp4ev.pause, accept_paused, &tcp4ev); 410 break; 411 case IMSG_TCP6SOCK: 412 if (tcp6sock != -1) 413 fatalx("%s: received unexpected tcp6sock", 414 __func__); 415 if ((tcp6sock = imsg.fd) == -1) 416 fatalx("%s: expected to receive imsg " 417 "TCP6 fd but didn't receive any", __func__); 418 event_set(&tcp6ev.ev, tcp6sock, EV_READ | EV_PERSIST, 419 tcp_accept, &tcp6ev); 420 event_add(&tcp6ev.ev, NULL); 421 evtimer_set(&tcp6ev.pause, accept_paused, &tcp6ev); 422 break; 423 case IMSG_ROUTESOCK: { 424 static int routesock = -1; 425 426 if (routesock != -1) 427 fatalx("%s: received unexpected routesock", 428 __func__); 429 if ((fd = imsg.fd) == -1) 430 fatalx("%s: expected to receive imsg " 431 "routesocket fd but didn't receive any", 432 __func__); 433 routesock = fd; 434 event_set(&ev_route, fd, EV_READ | EV_PERSIST, 435 route_receive, NULL); 436 break; 437 } 438 case IMSG_STARTUP: 439 frontend_startup(); 440 break; 441 case IMSG_CONTROLFD: 442 if ((fd = imsg.fd) == -1) 443 fatalx("%s: expected to receive imsg control " 444 "fd but didn't receive any", __func__); 445 /* Listen on control socket. */ 446 control_listen(fd); 447 break; 448 case IMSG_TAFD: 449 if ((ta_fd = imsg.fd) != -1) 450 parse_trust_anchor(&trust_anchors, ta_fd); 451 if (!TAILQ_EMPTY(&trust_anchors)) 452 send_trust_anchors(&trust_anchors); 453 break; 454 case IMSG_BLFD: 455 if ((fd = imsg.fd) == -1) 456 fatalx("%s: expected to receive imsg block " 457 "list fd but didn't receive any", __func__); 458 parse_blocklist(fd); 459 break; 460 default: 461 log_debug("%s: error handling imsg %d", __func__, 462 imsg.hdr.type); 463 break; 464 } 465 imsg_free(&imsg); 466 } 467 if (!shut) 468 imsg_event_add(iev); 469 else { 470 /* This pipe is dead. Remove its event handler. */ 471 event_del(&iev->ev); 472 event_loopexit(NULL); 473 } 474 } 475 476 void 477 frontend_dispatch_resolver(int fd, short event, void *bula) 478 { 479 static struct dns64_prefix *new_dns64_prefixes = NULL; 480 static int new_dns64_prefix_count = 0; 481 static int new_dns64_prefix_pos = 0; 482 struct pending_query *pq; 483 struct imsgev *iev = bula; 484 struct imsgbuf *ibuf = &iev->ibuf; 485 struct imsg imsg; 486 int n, shut = 0, chg; 487 488 if (event & EV_READ) { 489 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN) 490 fatal("imsg_read error"); 491 if (n == 0) /* Connection closed. */ 492 shut = 1; 493 } 494 if (event & EV_WRITE) { 495 if ((n = msgbuf_write(&ibuf->w)) == -1 && errno != EAGAIN) 496 fatal("msgbuf_write"); 497 if (n == 0) /* Connection closed. */ 498 shut = 1; 499 } 500 501 for (;;) { 502 if ((n = imsg_get(ibuf, &imsg)) == -1) 503 fatal("%s: imsg_get error", __func__); 504 if (n == 0) /* No more messages. */ 505 break; 506 507 switch (imsg.hdr.type) { 508 case IMSG_ANSWER: { 509 struct answer_header *answer_header; 510 int data_len; 511 uint8_t *data; 512 513 if (IMSG_DATA_SIZE(imsg) < sizeof(*answer_header)) 514 fatalx("%s: IMSG_ANSWER wrong length: " 515 "%lu", __func__, IMSG_DATA_SIZE(imsg)); 516 answer_header = (struct answer_header *)imsg.data; 517 data = (uint8_t *)imsg.data + sizeof(*answer_header); 518 if (answer_header->answer_len > UINT16_MAX) 519 fatalx("%s: IMSG_ANSWER answer too big: %d", 520 __func__, answer_header->answer_len); 521 data_len = IMSG_DATA_SIZE(imsg) - 522 sizeof(*answer_header); 523 524 if ((pq = find_pending_query(answer_header->id)) == 525 NULL) { 526 log_warnx("%s: cannot find pending query %llu", 527 __func__, answer_header->id); 528 break; 529 } 530 531 if (answer_header->srvfail) { 532 error_answer(pq, LDNS_RCODE_SERVFAIL); 533 send_answer(pq); 534 break; 535 } 536 537 if (answer_header->bogus && !(pq->qmsg->flags & 538 BIT_CD)) { 539 error_answer(pq, LDNS_RCODE_SERVFAIL); 540 send_answer(pq); 541 break; 542 } 543 544 if (sldns_buffer_position(pq->abuf) == 0 && 545 !sldns_buffer_set_capacity(pq->abuf, 546 answer_header->answer_len)) { 547 error_answer(pq, LDNS_RCODE_SERVFAIL); 548 send_answer(pq); 549 break; 550 } 551 552 if (sldns_buffer_position(pq->abuf) + data_len > 553 sldns_buffer_capacity(pq->abuf)) 554 fatalx("%s: IMSG_ANSWER answer too big: %d", 555 __func__, data_len); 556 sldns_buffer_write(pq->abuf, data, data_len); 557 558 if (sldns_buffer_position(pq->abuf) == 559 sldns_buffer_capacity(pq->abuf)) { 560 sldns_buffer_flip(pq->abuf); 561 if (pq->dns64_synthesize) { 562 synthesize_dns64_answer(pq); 563 send_answer(pq); 564 } else { 565 noerror_answer(pq); 566 if (pq->dns64_synthesize) 567 /* we did not find a answer */ 568 resend_dns64_query(pq); 569 else 570 send_answer(pq); 571 } 572 } 573 break; 574 } 575 case IMSG_CTL_RESOLVER_INFO: 576 case IMSG_CTL_AUTOCONF_RESOLVER_INFO: 577 case IMSG_CTL_MEM_INFO: 578 case IMSG_CTL_END: 579 control_imsg_relay(&imsg); 580 break; 581 case IMSG_NEW_TA: 582 /* make sure this is a string */ 583 ((char *)imsg.data)[IMSG_DATA_SIZE(imsg) - 1] = '\0'; 584 add_new_ta(&new_trust_anchors, imsg.data); 585 break; 586 case IMSG_NEW_TAS_ABORT: 587 free_tas(&new_trust_anchors); 588 break; 589 case IMSG_NEW_TAS_DONE: 590 chg = merge_tas(&new_trust_anchors, &trust_anchors); 591 if (chg) 592 send_trust_anchors(&trust_anchors); 593 594 /* 595 * always write trust anchors, the modify date on 596 * the file is an indication when we made progress 597 */ 598 if (ta_fd != -1) 599 write_trust_anchors(&trust_anchors, ta_fd); 600 break; 601 case IMSG_NEW_DNS64_PREFIXES_START: 602 if (IMSG_DATA_SIZE(imsg) != 603 sizeof(new_dns64_prefix_count)) 604 fatalx("%s: IMSG_NEW_DNS64_PREFIXES_START " 605 "wrong length: %lu", __func__, 606 IMSG_DATA_SIZE(imsg)); 607 memcpy(&new_dns64_prefix_count, imsg.data, 608 sizeof(new_dns64_prefix_count)); 609 free(new_dns64_prefixes); 610 new_dns64_prefixes = NULL; 611 if (new_dns64_prefix_count > 0) 612 new_dns64_prefixes = 613 calloc(new_dns64_prefix_count, 614 sizeof(struct dns64_prefix)); 615 new_dns64_prefix_pos = 0; 616 break; 617 case IMSG_NEW_DNS64_PREFIX: { 618 if (IMSG_DATA_SIZE(imsg) != sizeof(struct dns64_prefix)) 619 fatalx("%s: IMSG_NEW_DNS64_PREFIX wrong " 620 "length: %lu", __func__, 621 IMSG_DATA_SIZE(imsg)); 622 if (new_dns64_prefixes == NULL) 623 break; 624 if (new_dns64_prefix_pos >= new_dns64_prefix_count) 625 fatalx("%s: IMSG_NEW_DNS64_PREFIX: too many " 626 "prefixes", __func__); 627 memcpy(&new_dns64_prefixes[new_dns64_prefix_pos++], 628 imsg.data, sizeof(struct dns64_prefix)); 629 break; 630 } 631 case IMSG_NEW_DNS64_PREFIXES_DONE: 632 free(dns64_prefixes); 633 dns64_prefixes = new_dns64_prefixes; 634 dns64_prefix_count = new_dns64_prefix_count; 635 new_dns64_prefixes = NULL; 636 break; 637 default: 638 log_debug("%s: error handling imsg %d", __func__, 639 imsg.hdr.type); 640 break; 641 } 642 imsg_free(&imsg); 643 } 644 if (!shut) 645 imsg_event_add(iev); 646 else { 647 /* This pipe is dead. Remove its event handler. */ 648 event_del(&iev->ev); 649 event_loopexit(NULL); 650 } 651 } 652 653 void 654 frontend_startup(void) 655 { 656 if (!event_initialized(&ev_route)) 657 fatalx("%s: did not receive a route socket from the main " 658 "process", __func__); 659 660 event_add(&ev_route, NULL); 661 662 frontend_imsg_compose_main(IMSG_STARTUP_DONE, 0, NULL, 0); 663 } 664 665 void 666 free_pending_query(struct pending_query *pq) 667 { 668 if (!pq) 669 return; 670 671 TAILQ_REMOVE(&pending_queries, pq, entry); 672 regional_destroy(pq->region); 673 sldns_buffer_free(pq->qbuf); 674 sldns_buffer_free(pq->abuf); 675 if (pq->tcp) { 676 if (event_initialized(&pq->ev)) 677 event_del(&pq->ev); 678 if (event_initialized(&pq->resp_ev)) 679 event_del(&pq->resp_ev); 680 if (event_initialized(&pq->tmo_ev)) 681 event_del(&pq->tmo_ev); 682 if (pq->fd != -1) 683 close(pq->fd); 684 } 685 free(pq); 686 } 687 688 void 689 udp_receive(int fd, short events, void *arg) 690 { 691 struct udp_ev *udpev = (struct udp_ev *)arg; 692 struct pending_query *pq = NULL; 693 ssize_t len; 694 695 if ((len = recvmsg(fd, &udpev->rcvmhdr, 0)) == -1) { 696 log_warn("recvmsg"); 697 return; 698 } 699 700 if ((pq = calloc(1, sizeof(*pq))) == NULL) { 701 log_warn(NULL); 702 return; 703 } 704 705 do { 706 arc4random_buf(&pq->imsg_id, sizeof(pq->imsg_id)); 707 } while(find_pending_query(pq->imsg_id) != NULL); 708 709 TAILQ_INSERT_TAIL(&pending_queries, pq, entry); 710 711 pq->from = udpev->from; 712 pq->fd = fd; 713 pq->qbuf = sldns_buffer_new(len); 714 pq->abuf = sldns_buffer_new(len); /* make sure we can send errors */ 715 pq->region = regional_create(); 716 pq->qmsg = regional_alloc(pq->region, sizeof(*pq->qmsg)); 717 718 if (!pq->qbuf || !pq->abuf || !pq->region || !pq->qmsg) { 719 log_warnx("out of memory"); 720 free_pending_query(pq); 721 return; 722 } 723 724 memset(pq->qmsg, 0, sizeof(*pq->qmsg)); 725 sldns_buffer_write(pq->qbuf, udpev->query, len); 726 sldns_buffer_flip(pq->qbuf); 727 handle_query(pq); 728 } 729 730 void 731 handle_query(struct pending_query *pq) 732 { 733 struct query_imsg query_imsg; 734 struct bl_node find; 735 int rcode; 736 char *str; 737 char dname[LDNS_MAX_DOMAINLEN + 1]; 738 char qclass_buf[16]; 739 char qtype_buf[16]; 740 741 if (log_getverbose() & OPT_VERBOSE2 && (str = 742 sldns_wire2str_pkt(sldns_buffer_begin(pq->qbuf), 743 sldns_buffer_limit(pq->qbuf))) != NULL) { 744 log_debug("from: %s\n%s", ip_port((struct sockaddr *) 745 &pq->from), str); 746 free(str); 747 } 748 749 if (!query_info_parse(&pq->qinfo, pq->qbuf)) { 750 log_warnx("query_info_parse failed"); 751 goto drop; 752 } 753 754 sldns_buffer_rewind(pq->qbuf); 755 756 if (parse_packet(pq->qbuf, pq->qmsg, pq->region) != 757 LDNS_RCODE_NOERROR) { 758 log_warnx("parse_packet failed"); 759 goto drop; 760 } 761 762 rcode = check_query(pq->qbuf); 763 switch (rcode) { 764 case LDNS_RCODE_NOERROR: 765 break; 766 case -1: 767 goto drop; 768 default: 769 error_answer(pq, rcode); 770 goto send_answer; 771 } 772 773 rcode = parse_extract_edns(pq->qmsg, &pq->edns, pq->region); 774 if (rcode != LDNS_RCODE_NOERROR) { 775 error_answer(pq, rcode); 776 goto send_answer; 777 } 778 779 if (!dname_valid(pq->qinfo.qname, pq->qinfo.qname_len)) { 780 error_answer(pq, LDNS_RCODE_FORMERR); 781 goto send_answer; 782 } 783 dname_str(pq->qinfo.qname, dname); 784 785 sldns_wire2str_class_buf(pq->qinfo.qclass, qclass_buf, 786 sizeof(qclass_buf)); 787 sldns_wire2str_type_buf(pq->qinfo.qtype, qtype_buf, sizeof(qtype_buf)); 788 log_debug("%s: %s %s %s ?", ip_port((struct sockaddr *)&pq->from), 789 dname, qclass_buf, qtype_buf); 790 791 find.domain = dname; 792 if (RB_FIND(bl_tree, &bl_head, &find) != NULL) { 793 if (frontend_conf->blocklist_log) 794 log_info("blocking %s", dname); 795 error_answer(pq, LDNS_RCODE_REFUSED); 796 goto send_answer; 797 } 798 799 if (pq->qinfo.qtype == LDNS_RR_TYPE_AXFR || pq->qinfo.qtype == 800 LDNS_RR_TYPE_IXFR) { 801 error_answer(pq, LDNS_RCODE_REFUSED); 802 goto send_answer; 803 } 804 805 if(pq->qinfo.qtype == LDNS_RR_TYPE_OPT || 806 pq->qinfo.qtype == LDNS_RR_TYPE_TSIG || 807 pq->qinfo.qtype == LDNS_RR_TYPE_TKEY || 808 pq->qinfo.qtype == LDNS_RR_TYPE_MAILA || 809 pq->qinfo.qtype == LDNS_RR_TYPE_MAILB || 810 (pq->qinfo.qtype >= 128 && pq->qinfo.qtype <= 248)) { 811 error_answer(pq, LDNS_RCODE_FORMERR); 812 goto send_answer; 813 } 814 815 if (pq->qinfo.qclass == LDNS_RR_CLASS_CH) { 816 if (strcasecmp(dname, "version.server.") == 0 || 817 strcasecmp(dname, "version.bind.") == 0) { 818 chaos_answer(pq); 819 } else 820 error_answer(pq, LDNS_RCODE_REFUSED); 821 goto send_answer; 822 } 823 824 if (strlcpy(query_imsg.qname, dname, sizeof(query_imsg.qname)) >= 825 sizeof(query_imsg.qname)) { 826 log_warnx("qname too long"); 827 error_answer(pq, LDNS_RCODE_FORMERR); 828 goto send_answer; 829 } 830 query_imsg.id = pq->imsg_id; 831 query_imsg.t = pq->qinfo.qtype; 832 query_imsg.c = pq->qinfo.qclass; 833 834 if (frontend_imsg_compose_resolver(IMSG_QUERY, 0, &query_imsg, 835 sizeof(query_imsg)) == -1) { 836 error_answer(pq, LDNS_RCODE_SERVFAIL); 837 goto send_answer; 838 } 839 return; 840 841 send_answer: 842 send_answer(pq); 843 return; 844 845 drop: 846 free_pending_query(pq); 847 } 848 849 void 850 noerror_answer(struct pending_query *pq) 851 { 852 struct query_info skip, qinfo; 853 struct reply_info *rinfo = NULL; 854 struct alloc_cache alloc; 855 struct edns_data edns; 856 struct ub_packed_rrset_key *an_rrset = NULL; 857 struct packed_rrset_data *an_rrset_data = NULL; 858 859 alloc_init(&alloc, NULL, 0); 860 memset(&qinfo, 0, sizeof(qinfo)); 861 /* read past query section, no memory is allocated */ 862 if (!query_info_parse(&skip, pq->abuf)) 863 goto srvfail; 864 865 if (reply_info_parse(pq->abuf, &alloc, &qinfo, &rinfo, pq->region, 866 &edns) != 0) 867 goto srvfail; 868 869 if ((an_rrset = reply_find_answer_rrset(&qinfo, rinfo)) != NULL) 870 an_rrset_data = (struct packed_rrset_data*)an_rrset->entry.data; 871 872 /* reply_info_parse() allocates memory */ 873 query_info_clear(&qinfo); 874 875 /* XXX check that there a no AAAA records in answer section? */ 876 if ((an_rrset_data == NULL || an_rrset_data->count == 0) && 877 !pq->dns64_synthesize && pq->qinfo.qtype == LDNS_RR_TYPE_AAAA && 878 pq->qinfo.qclass == LDNS_RR_CLASS_IN && dns64_prefix_count > 0) { 879 pq->dns64_synthesize = 1; 880 return; 881 } 882 883 sldns_buffer_clear(pq->abuf); 884 if (reply_info_encode(&pq->qinfo, rinfo, pq->qmsg->id, rinfo->flags, 885 pq->abuf, 0, pq->region, pq->tcp ? UINT16_MAX : pq->edns.udp_size, 886 pq->edns.bits & EDNS_DO, MINIMIZE_ANSWER) == 0) 887 goto srvfail; 888 889 reply_info_parsedelete(rinfo, &alloc); 890 alloc_clear(&alloc); 891 return; 892 893 srvfail: 894 reply_info_parsedelete(rinfo, &alloc); 895 alloc_clear(&alloc); 896 error_answer(pq, LDNS_RCODE_SERVFAIL); 897 } 898 899 void 900 synthesize_dns64_answer(struct pending_query *pq) 901 { 902 struct query_info skip, qinfo; 903 struct reply_info *rinfo = NULL, *synth_rinfo = NULL; 904 struct alloc_cache alloc; 905 struct edns_data edns; 906 size_t i; 907 908 pq->dns64_synthesize = 0; 909 910 alloc_init(&alloc, NULL, 0); 911 memset(&qinfo, 0, sizeof(qinfo)); 912 /* read past query section, no memory is allocated */ 913 if (!query_info_parse(&skip, pq->abuf)) 914 goto srvfail; 915 916 if (reply_info_parse(pq->abuf, &alloc, &qinfo, &rinfo, pq->region, 917 &edns) != 0) 918 goto srvfail; 919 920 /* reply_info_parse() allocates memory */ 921 query_info_clear(&qinfo); 922 923 synth_rinfo = construct_reply_info_base(pq->region, rinfo->flags, 924 rinfo->qdcount, rinfo->ttl, rinfo->prefetch_ttl, 925 rinfo->serve_expired_ttl, rinfo->an_numrrsets, 926 rinfo->ns_numrrsets, rinfo->ar_numrrsets, rinfo->rrset_count, 927 rinfo->security); 928 929 if (!synth_rinfo) 930 goto srvfail; 931 932 if(!reply_info_alloc_rrset_keys(synth_rinfo, NULL, pq->region)) 933 goto srvfail; 934 935 for (i = 0; i < synth_rinfo->rrset_count; i++) { 936 struct ub_packed_rrset_key *src_rrset_key, *dst_rrset_key; 937 struct packed_rrset_data *src_rrset_data; 938 struct packed_rrset_data *dst_rrset_data; 939 940 src_rrset_key = rinfo->rrsets[i]; 941 src_rrset_data = 942 (struct packed_rrset_data *)src_rrset_key->entry.data; 943 dst_rrset_key = synth_rinfo->rrsets[i]; 944 945 dst_rrset_key->id = src_rrset_key->id; 946 dst_rrset_key->rk = src_rrset_key->rk; 947 948 if (i < rinfo->an_numrrsets && src_rrset_key->rk.type == 949 htons(LDNS_RR_TYPE_A)) { 950 dns64_synth_aaaa_data(src_rrset_key, src_rrset_data, 951 dst_rrset_key, &dst_rrset_data, pq->region); 952 if (dst_rrset_data == NULL) 953 goto srvfail; 954 } else { 955 dst_rrset_key->entry.hash = src_rrset_key->entry.hash; 956 dst_rrset_key->rk.dname = regional_alloc_init( 957 pq->region, src_rrset_key->rk.dname, 958 src_rrset_key->rk.dname_len); 959 if (dst_rrset_key->rk.dname == NULL) 960 goto srvfail; 961 962 dst_rrset_data = regional_alloc_init(pq->region, 963 src_rrset_data, 964 packed_rrset_sizeof(src_rrset_data)); 965 if (dst_rrset_data == NULL) 966 goto srvfail; 967 } 968 969 packed_rrset_ptr_fixup(dst_rrset_data); 970 dst_rrset_key->entry.data = dst_rrset_data; 971 } 972 973 if (!sldns_buffer_set_capacity(pq->abuf, pq->tcp ? UINT16_MAX : 974 pq->edns.udp_size)) 975 goto srvfail; 976 977 sldns_buffer_clear(pq->abuf); 978 979 if (reply_info_encode(&pq->qinfo, synth_rinfo, pq->qmsg->id, 980 synth_rinfo->flags, pq->abuf, 0, pq->region, 981 pq->tcp ? UINT16_MAX : pq->edns.udp_size, 982 pq->edns.bits & EDNS_DO, MINIMIZE_ANSWER) == 0) 983 goto srvfail; 984 985 reply_info_parsedelete(rinfo, &alloc); 986 alloc_clear(&alloc); 987 return; 988 989 srvfail: 990 reply_info_parsedelete(rinfo, &alloc); 991 alloc_clear(&alloc); 992 error_answer(pq, LDNS_RCODE_SERVFAIL); 993 } 994 995 void 996 resend_dns64_query(struct pending_query *opq) { 997 struct pending_query *pq; 998 struct query_imsg query_imsg; 999 int rcode; 1000 char dname[LDNS_MAX_DOMAINLEN + 1]; 1001 1002 if ((pq = calloc(1, sizeof(*pq))) == NULL) { 1003 log_warn(NULL); 1004 return; 1005 } 1006 1007 do { 1008 arc4random_buf(&pq->imsg_id, sizeof(pq->imsg_id)); 1009 } while(find_pending_query(pq->imsg_id) != NULL); 1010 1011 TAILQ_INSERT_TAIL(&pending_queries, pq, entry); 1012 1013 pq->from = opq->from; 1014 pq->fd = opq->fd; 1015 opq->fd = -1; 1016 pq->tcp = opq->tcp; 1017 pq->qbuf = sldns_buffer_new(sldns_buffer_capacity(opq->qbuf)); 1018 pq->abuf = sldns_buffer_new(sldns_buffer_capacity(opq->abuf)); 1019 pq->region = regional_create(); 1020 pq->qmsg = regional_alloc(pq->region, sizeof(*pq->qmsg)); 1021 1022 if (!pq->qbuf || !pq->abuf || !pq->region || !pq->qmsg) { 1023 log_warnx("out of memory"); 1024 free_pending_query(pq); 1025 free_pending_query(opq); 1026 return; 1027 } 1028 1029 sldns_buffer_rewind(opq->qbuf); 1030 sldns_buffer_write(pq->qbuf, sldns_buffer_current(opq->qbuf), 1031 sldns_buffer_remaining(opq->qbuf)); 1032 sldns_buffer_flip(pq->qbuf); 1033 memset(pq->qmsg, 0, sizeof(*pq->qmsg)); 1034 1035 if (pq->tcp) { 1036 struct timeval timeout = {TCP_TIMEOUT, 0}; 1037 1038 event_set(&pq->ev, pq->fd, EV_READ | EV_PERSIST, tcp_request, 1039 pq); 1040 event_set(&pq->resp_ev, pq->fd, EV_WRITE | EV_PERSIST, 1041 tcp_response, pq); 1042 evtimer_set(&pq->tmo_ev, tcp_timeout, pq); 1043 evtimer_add(&pq->tmo_ev, &timeout); 1044 } 1045 1046 if (!query_info_parse(&pq->qinfo, pq->qbuf)) { 1047 log_warnx("query_info_parse failed"); 1048 goto drop; 1049 } 1050 1051 sldns_buffer_rewind(pq->qbuf); 1052 1053 if (parse_packet(pq->qbuf, pq->qmsg, pq->region) != 1054 LDNS_RCODE_NOERROR) { 1055 log_warnx("parse_packet failed"); 1056 goto drop; 1057 } 1058 1059 rcode = parse_extract_edns(pq->qmsg, &pq->edns, pq->region); 1060 if (rcode != LDNS_RCODE_NOERROR) { 1061 error_answer(pq, rcode); 1062 goto send_answer; 1063 } 1064 1065 dname_str(pq->qinfo.qname, dname); 1066 strlcpy(query_imsg.qname, dname, sizeof(query_imsg.qname)); 1067 query_imsg.id = pq->imsg_id; 1068 query_imsg.t = LDNS_RR_TYPE_A; 1069 query_imsg.c = pq->qinfo.qclass; 1070 1071 pq->dns64_synthesize = 1; 1072 1073 if (frontend_imsg_compose_resolver(IMSG_QUERY, 0, &query_imsg, 1074 sizeof(query_imsg)) == -1) { 1075 error_answer(pq, LDNS_RCODE_SERVFAIL); 1076 goto send_answer; 1077 } 1078 1079 free_pending_query(opq); 1080 return; 1081 1082 send_answer: 1083 free_pending_query(opq); 1084 send_answer(pq); 1085 return; 1086 1087 drop: 1088 free_pending_query(opq); 1089 free_pending_query(pq); 1090 } 1091 1092 void 1093 chaos_answer(struct pending_query *pq) 1094 { 1095 size_t len; 1096 const char *name = "unwind"; 1097 1098 len = strlen(name); 1099 if (!sldns_buffer_set_capacity(pq->abuf, 1100 sldns_buffer_capacity(pq->qbuf) + COMPRESSED_RR_SIZE + 1 + len)) { 1101 error_answer(pq, LDNS_RCODE_SERVFAIL); 1102 return; 1103 } 1104 1105 sldns_buffer_copy(pq->abuf, pq->qbuf); 1106 1107 sldns_buffer_clear(pq->abuf); 1108 1109 sldns_buffer_skip(pq->abuf, sizeof(uint16_t)); /* skip id */ 1110 sldns_buffer_write_u16(pq->abuf, 0); /* clear flags */ 1111 LDNS_QR_SET(sldns_buffer_begin(pq->abuf)); 1112 LDNS_RA_SET(sldns_buffer_begin(pq->abuf)); 1113 if (LDNS_RD_WIRE(sldns_buffer_begin(pq->qbuf))) 1114 LDNS_RD_SET(sldns_buffer_begin(pq->abuf)); 1115 if (LDNS_CD_WIRE(sldns_buffer_begin(pq->qbuf))) 1116 LDNS_CD_SET(sldns_buffer_begin(pq->abuf)); 1117 LDNS_RCODE_SET(sldns_buffer_begin(pq->abuf), LDNS_RCODE_NOERROR); 1118 sldns_buffer_write_u16(pq->abuf, 1); /* qdcount */ 1119 sldns_buffer_write_u16(pq->abuf, 1); /* ancount */ 1120 sldns_buffer_write_u16(pq->abuf, 0); /* nscount */ 1121 sldns_buffer_write_u16(pq->abuf, 0); /* arcount */ 1122 (void)query_dname_len(pq->abuf); /* skip qname */ 1123 sldns_buffer_skip(pq->abuf, sizeof(uint16_t)); /* skip qtype */ 1124 sldns_buffer_skip(pq->abuf, sizeof(uint16_t)); /* skip qclass */ 1125 1126 sldns_buffer_write_u16(pq->abuf, 0xc00c); /* ptr to query */ 1127 sldns_buffer_write_u16(pq->abuf, LDNS_RR_TYPE_TXT); 1128 sldns_buffer_write_u16(pq->abuf, LDNS_RR_CLASS_CH); 1129 sldns_buffer_write_u32(pq->abuf, 0); /* TTL */ 1130 sldns_buffer_write_u16(pq->abuf, 1 + len); /* RDLENGTH */ 1131 sldns_buffer_write_u8(pq->abuf, len); /* length octed */ 1132 sldns_buffer_write(pq->abuf, name, len); 1133 sldns_buffer_flip(pq->abuf); 1134 } 1135 1136 void 1137 error_answer(struct pending_query *pq, int rcode) 1138 { 1139 sldns_buffer_clear(pq->abuf); 1140 error_encode(pq->abuf, rcode, &pq->qinfo, pq->qmsg->id, 1141 pq->qmsg->flags, pq->edns.edns_present ? &pq->edns : NULL); 1142 } 1143 1144 int 1145 check_query(sldns_buffer* pkt) 1146 { 1147 if(sldns_buffer_limit(pkt) < LDNS_HEADER_SIZE) { 1148 log_warnx("bad query: too short, dropped"); 1149 return -1; 1150 } 1151 if(LDNS_QR_WIRE(sldns_buffer_begin(pkt))) { 1152 log_warnx("bad query: QR set, dropped"); 1153 return -1; 1154 } 1155 if(LDNS_TC_WIRE(sldns_buffer_begin(pkt))) { 1156 LDNS_TC_CLR(sldns_buffer_begin(pkt)); 1157 log_warnx("bad query: TC set"); 1158 return (LDNS_RCODE_FORMERR); 1159 } 1160 if(!(LDNS_RD_WIRE(sldns_buffer_begin(pkt)))) { 1161 log_warnx("bad query: RD not set"); 1162 return (LDNS_RCODE_REFUSED); 1163 } 1164 if(LDNS_OPCODE_WIRE(sldns_buffer_begin(pkt)) != LDNS_PACKET_QUERY) { 1165 log_warnx("bad query: unknown opcode %d", 1166 LDNS_OPCODE_WIRE(sldns_buffer_begin(pkt))); 1167 return (LDNS_RCODE_NOTIMPL); 1168 } 1169 1170 if (LDNS_QDCOUNT(sldns_buffer_begin(pkt)) != 1 && 1171 LDNS_ANCOUNT(sldns_buffer_begin(pkt))!= 0 && 1172 LDNS_NSCOUNT(sldns_buffer_begin(pkt))!= 0 && 1173 LDNS_ARCOUNT(sldns_buffer_begin(pkt)) > 1) { 1174 log_warnx("bad query: qdcount: %d, ancount: %d " 1175 "nscount: %d, arcount: %d", 1176 LDNS_QDCOUNT(sldns_buffer_begin(pkt)), 1177 LDNS_ANCOUNT(sldns_buffer_begin(pkt)), 1178 LDNS_NSCOUNT(sldns_buffer_begin(pkt)), 1179 LDNS_ARCOUNT(sldns_buffer_begin(pkt))); 1180 return (LDNS_RCODE_FORMERR); 1181 } 1182 return 0; 1183 } 1184 1185 void 1186 send_answer(struct pending_query *pq) 1187 { 1188 char *str; 1189 1190 if (log_getverbose() & OPT_VERBOSE2 && (str = 1191 sldns_wire2str_pkt(sldns_buffer_begin(pq->abuf), 1192 sldns_buffer_limit(pq->abuf))) != NULL) { 1193 log_debug("from: %s\n%s", ip_port((struct sockaddr *) 1194 &pq->from), str); 1195 free(str); 1196 } 1197 1198 if (!pq->tcp) { 1199 if(sendto(pq->fd, sldns_buffer_current(pq->abuf), 1200 sldns_buffer_remaining(pq->abuf), 0, 1201 (struct sockaddr *)&pq->from, pq->from.ss_len) == -1) 1202 log_warn("sendto"); 1203 free_pending_query(pq); 1204 } else { 1205 struct sldns_buffer *tmp; 1206 1207 tmp = sldns_buffer_new(sldns_buffer_limit(pq->abuf) + 2); 1208 1209 if (!tmp) { 1210 free_pending_query(pq); 1211 return; 1212 } 1213 1214 sldns_buffer_write_u16(tmp, sldns_buffer_limit(pq->abuf)); 1215 sldns_buffer_write(tmp, sldns_buffer_current(pq->abuf), 1216 sldns_buffer_remaining(pq->abuf)); 1217 sldns_buffer_flip(tmp); 1218 sldns_buffer_free(pq->abuf); 1219 pq->abuf = tmp; 1220 event_add(&pq->resp_ev, NULL); 1221 } 1222 } 1223 1224 char* 1225 ip_port(struct sockaddr *sa) 1226 { 1227 static char hbuf[NI_MAXHOST], buf[NI_MAXHOST]; 1228 1229 if (getnameinfo(sa, sa->sa_len, hbuf, sizeof(hbuf), NULL, 0, 1230 NI_NUMERICHOST) != 0) { 1231 snprintf(buf, sizeof(buf), "%s", "(unknown)"); 1232 return buf; 1233 } 1234 1235 if (sa->sa_family == AF_INET6) 1236 snprintf(buf, sizeof(buf), "[%s]:%d", hbuf, ntohs( 1237 ((struct sockaddr_in6 *)sa)->sin6_port)); 1238 if (sa->sa_family == AF_INET) 1239 snprintf(buf, sizeof(buf), "[%s]:%d", hbuf, ntohs( 1240 ((struct sockaddr_in *)sa)->sin_port)); 1241 1242 return buf; 1243 } 1244 1245 struct pending_query* 1246 find_pending_query(uint64_t id) 1247 { 1248 struct pending_query *pq; 1249 1250 TAILQ_FOREACH(pq, &pending_queries, entry) 1251 if (pq->imsg_id == id) 1252 return pq; 1253 return NULL; 1254 } 1255 1256 void 1257 route_receive(int fd, short events, void *arg) 1258 { 1259 static uint8_t *buf; 1260 1261 struct rt_msghdr *rtm; 1262 struct sockaddr *sa, *rti_info[RTAX_MAX]; 1263 ssize_t n; 1264 1265 if (buf == NULL) { 1266 buf = malloc(ROUTE_SOCKET_BUF_SIZE); 1267 if (buf == NULL) 1268 fatal("malloc"); 1269 } 1270 rtm = (struct rt_msghdr *)buf; 1271 if ((n = read(fd, buf, ROUTE_SOCKET_BUF_SIZE)) == -1) { 1272 if (errno == EAGAIN || errno == EINTR) 1273 return; 1274 log_warn("dispatch_rtmsg: read error"); 1275 return; 1276 } 1277 1278 if (n == 0) 1279 fatal("routing socket closed"); 1280 1281 if (n < (ssize_t)sizeof(rtm->rtm_msglen) || n < rtm->rtm_msglen) { 1282 log_warnx("partial rtm of %zd in buffer", n); 1283 return; 1284 } 1285 1286 if (rtm->rtm_version != RTM_VERSION) 1287 return; 1288 1289 sa = (struct sockaddr *)(buf + rtm->rtm_hdrlen); 1290 get_rtaddrs(rtm->rtm_addrs, sa, rti_info); 1291 1292 handle_route_message(rtm, rti_info); 1293 } 1294 1295 #define ROUNDUP(a) \ 1296 ((a) > 0 ? (1 + (((a) - 1) | (sizeof(long) - 1))) : sizeof(long)) 1297 1298 void 1299 get_rtaddrs(int addrs, struct sockaddr *sa, struct sockaddr **rti_info) 1300 { 1301 int i; 1302 1303 for (i = 0; i < RTAX_MAX; i++) { 1304 if (addrs & (1 << i)) { 1305 rti_info[i] = sa; 1306 sa = (struct sockaddr *)((char *)(sa) + 1307 ROUNDUP(sa->sa_len)); 1308 } else 1309 rti_info[i] = NULL; 1310 } 1311 } 1312 1313 void 1314 handle_route_message(struct rt_msghdr *rtm, struct sockaddr **rti_info) 1315 { 1316 struct imsg_rdns_proposal rdns_proposal; 1317 struct sockaddr_rtdns *rtdns; 1318 struct if_announcemsghdr *ifan; 1319 1320 switch (rtm->rtm_type) { 1321 case RTM_IFANNOUNCE: 1322 ifan = (struct if_announcemsghdr *)rtm; 1323 if (ifan->ifan_what == IFAN_ARRIVAL) 1324 break; 1325 rdns_proposal.if_index = ifan->ifan_index; 1326 rdns_proposal.src = 0; 1327 rdns_proposal.rtdns.sr_family = AF_INET; 1328 rdns_proposal.rtdns.sr_len = offsetof(struct sockaddr_rtdns, 1329 sr_dns); 1330 frontend_imsg_compose_resolver(IMSG_REPLACE_DNS, 0, 1331 &rdns_proposal, sizeof(rdns_proposal)); 1332 break; 1333 case RTM_IFINFO: 1334 frontend_imsg_compose_resolver(IMSG_NETWORK_CHANGED, 0, NULL, 1335 0); 1336 break; 1337 case RTM_PROPOSAL: 1338 if (!(rtm->rtm_addrs & RTA_DNS)) 1339 break; 1340 1341 rtdns = (struct sockaddr_rtdns*)rti_info[RTAX_DNS]; 1342 switch (rtdns->sr_family) { 1343 case AF_INET: 1344 if ((rtdns->sr_len - 2) % sizeof(struct in_addr) != 0) { 1345 log_warnx("ignoring invalid RTM_PROPOSAL"); 1346 return; 1347 } 1348 break; 1349 case AF_INET6: 1350 if ((rtdns->sr_len - 2) % sizeof(struct in6_addr) != 0) { 1351 log_warnx("ignoring invalid RTM_PROPOSAL"); 1352 return; 1353 } 1354 break; 1355 default: 1356 log_warnx("ignoring invalid RTM_PROPOSAL"); 1357 return; 1358 } 1359 rdns_proposal.if_index = rtm->rtm_index; 1360 rdns_proposal.src = rtm->rtm_priority; 1361 memcpy(&rdns_proposal.rtdns, rtdns, sizeof(rdns_proposal.rtdns)); 1362 frontend_imsg_compose_resolver(IMSG_REPLACE_DNS, 0, 1363 &rdns_proposal, sizeof(rdns_proposal)); 1364 break; 1365 default: 1366 break; 1367 } 1368 } 1369 1370 void 1371 add_new_ta(struct trust_anchor_head *tah, char *val) 1372 { 1373 struct trust_anchor *ta, *i; 1374 int cmp; 1375 1376 if ((ta = malloc(sizeof(*ta))) == NULL) 1377 fatal("%s", __func__); 1378 if ((ta->ta = strdup(val)) == NULL) 1379 fatal("%s", __func__); 1380 1381 /* keep the list sorted to prevent churn if the order changes in DNS */ 1382 TAILQ_FOREACH(i, tah, entry) { 1383 cmp = strcmp(i->ta, ta->ta); 1384 if ( cmp == 0) { 1385 /* duplicate */ 1386 free(ta->ta); 1387 free(ta); 1388 return; 1389 } else if (cmp > 0) { 1390 TAILQ_INSERT_BEFORE(i, ta, entry); 1391 return; 1392 } 1393 } 1394 TAILQ_INSERT_TAIL(tah, ta, entry); 1395 } 1396 1397 void 1398 free_tas(struct trust_anchor_head *tah) 1399 { 1400 struct trust_anchor *ta; 1401 1402 while ((ta = TAILQ_FIRST(tah))) { 1403 TAILQ_REMOVE(tah, ta, entry); 1404 free(ta->ta); 1405 free(ta); 1406 } 1407 } 1408 1409 int 1410 merge_tas(struct trust_anchor_head *newh, struct trust_anchor_head *oldh) 1411 { 1412 struct trust_anchor *i, *j; 1413 int chg = 0; 1414 1415 j = TAILQ_FIRST(oldh); 1416 1417 TAILQ_FOREACH(i, newh, entry) { 1418 if (j == NULL || strcmp(i->ta, j->ta) != 0) { 1419 chg = 1; 1420 break; 1421 } 1422 j = TAILQ_NEXT(j, entry); 1423 } 1424 if (j != NULL) 1425 chg = 1; 1426 1427 if (chg) { 1428 free_tas(oldh); 1429 TAILQ_CONCAT(oldh, newh, entry); 1430 } else { 1431 free_tas(newh); 1432 } 1433 return (chg); 1434 } 1435 1436 void 1437 parse_trust_anchor(struct trust_anchor_head *tah, int fd) 1438 { 1439 size_t len, dname_len; 1440 ssize_t n, sz; 1441 uint8_t rr[LDNS_RR_BUF_SIZE]; 1442 char *str, *p, buf[512], *line; 1443 1444 sz = 0; 1445 str = NULL; 1446 1447 while ((n = read(fd, buf, sizeof(buf))) > 0) { 1448 p = recallocarray(str, sz, sz + n, 1); 1449 if (p == NULL) { 1450 log_warn("%s", __func__); 1451 goto out; 1452 } 1453 str = p; 1454 memcpy(str + sz, buf, n); 1455 sz += n; 1456 } 1457 1458 if (n == -1) { 1459 log_warn("%s", __func__); 1460 goto out; 1461 } 1462 1463 /* make it a string */ 1464 p = recallocarray(str, sz, sz + 1, 1); 1465 if (p == NULL) { 1466 log_warn("%s", __func__); 1467 goto out; 1468 } 1469 str = p; 1470 sz++; 1471 1472 len = sizeof(rr); 1473 1474 while ((line = strsep(&p, "\n")) != NULL) { 1475 if (sldns_str2wire_rr_buf(line, rr, &len, &dname_len, 1476 ROOT_DNSKEY_TTL, NULL, 0, NULL, 0) != 0) 1477 continue; 1478 if (sldns_wirerr_get_type(rr, len, dname_len) == 1479 LDNS_RR_TYPE_DNSKEY) 1480 add_new_ta(tah, line); 1481 } 1482 1483 out: 1484 free(str); 1485 return; 1486 } 1487 1488 void 1489 send_trust_anchors(struct trust_anchor_head *tah) 1490 { 1491 struct trust_anchor *ta; 1492 1493 TAILQ_FOREACH(ta, tah, entry) 1494 frontend_imsg_compose_resolver(IMSG_NEW_TA, 0, ta->ta, 1495 strlen(ta->ta) + 1); 1496 frontend_imsg_compose_resolver(IMSG_NEW_TAS_DONE, 0, NULL, 0); 1497 } 1498 1499 void 1500 write_trust_anchors(struct trust_anchor_head *tah, int fd) 1501 { 1502 struct trust_anchor *ta; 1503 size_t len = 0; 1504 ssize_t n; 1505 char *str; 1506 1507 if (lseek(fd, 0, SEEK_SET) == -1) { 1508 log_warn("%s", __func__); 1509 goto out; 1510 } 1511 1512 TAILQ_FOREACH(ta, tah, entry) { 1513 if ((n = asprintf(&str, "%s\n", ta->ta)) == -1) { 1514 log_warn("%s", __func__); 1515 len = 0; 1516 goto out; 1517 } 1518 len += n; 1519 if (write(fd, str, n) != n) { 1520 log_warn("%s", __func__); 1521 free(str); 1522 len = 0; 1523 goto out; 1524 } 1525 free(str); 1526 } 1527 out: 1528 ftruncate(fd, len); 1529 fsync(fd); 1530 } 1531 1532 void 1533 parse_blocklist(int fd) 1534 { 1535 FILE *f; 1536 struct bl_node *bl_node; 1537 char *line = NULL; 1538 size_t linesize = 0; 1539 ssize_t linelen; 1540 1541 if((f = fdopen(fd, "r")) == NULL) { 1542 log_warn("cannot read block list"); 1543 close(fd); 1544 return; 1545 } 1546 1547 free_bl(); 1548 1549 while ((linelen = getline(&line, &linesize, f)) != -1) { 1550 if (line[linelen - 1] == '\n') { 1551 if (linelen >= 2 && line[linelen - 2] != '.') 1552 line[linelen - 1] = '.'; 1553 else 1554 line[linelen - 1] = '\0'; 1555 } 1556 1557 bl_node = malloc(sizeof *bl_node); 1558 if (bl_node == NULL) 1559 fatal("%s: malloc", __func__); 1560 if ((bl_node->domain = strdup(line)) == NULL) 1561 fatal("%s: strdup", __func__); 1562 if (RB_INSERT(bl_tree, &bl_head, bl_node) != NULL) { 1563 log_warnx("duplicate blocked domain \"%s\"", line); 1564 free(bl_node->domain); 1565 free(bl_node); 1566 } 1567 } 1568 free(line); 1569 if (ferror(f)) 1570 log_warn("getline"); 1571 fclose(f); 1572 } 1573 1574 int 1575 bl_cmp(struct bl_node *e1, struct bl_node *e2) { 1576 return (strcasecmp(e1->domain, e2->domain)); 1577 } 1578 1579 void 1580 free_bl(void) 1581 { 1582 struct bl_node *n, *nxt; 1583 1584 RB_FOREACH_SAFE(n, bl_tree, &bl_head, nxt) { 1585 RB_REMOVE(bl_tree, &bl_head, n); 1586 free(n->domain); 1587 free(n); 1588 } 1589 } 1590 1591 int 1592 pending_query_cnt(void) 1593 { 1594 struct pending_query *e; 1595 int cnt = 0; 1596 1597 TAILQ_FOREACH(e, &pending_queries, entry) 1598 cnt++; 1599 return cnt; 1600 } 1601 1602 void 1603 accept_paused(int fd, short events, void *arg) 1604 { 1605 struct tcp_accept_ev *tcpev = arg; 1606 event_add(&tcpev->ev, NULL); 1607 } 1608 1609 int 1610 accept_reserve(int sockfd, struct sockaddr *addr, socklen_t *addrlen) 1611 { 1612 if (getdtablecount() + FD_RESERVE >= getdtablesize()) { 1613 log_debug("%s: inflight fds exceeded", __func__); 1614 errno = EMFILE; 1615 return -1; 1616 } 1617 return accept4(sockfd, addr, addrlen, SOCK_NONBLOCK | SOCK_CLOEXEC); 1618 } 1619 1620 void 1621 tcp_accept(int fd, short events, void *arg) 1622 { 1623 static struct timeval timeout = {TCP_TIMEOUT, 0}; 1624 static struct timeval backoff = {1, 0}; 1625 struct pending_query *pq; 1626 struct tcp_accept_ev *tcpev; 1627 struct sockaddr_storage ss; 1628 socklen_t len; 1629 int s; 1630 1631 tcpev = arg; 1632 len = sizeof(ss); 1633 1634 if ((s = accept_reserve(fd, (struct sockaddr *)&ss, &len)) == -1) { 1635 switch (errno) { 1636 case EINTR: 1637 case EWOULDBLOCK: 1638 case ECONNABORTED: 1639 return; 1640 case EMFILE: 1641 case ENFILE: 1642 event_del(&tcpev->ev); 1643 evtimer_add(&tcpev->pause, &backoff); 1644 return; 1645 default: 1646 fatal("accept"); 1647 } 1648 } 1649 1650 if ((pq = calloc(1, sizeof(*pq))) == NULL) { 1651 log_warn(NULL); 1652 close(s); 1653 return; 1654 } 1655 1656 do { 1657 arc4random_buf(&pq->imsg_id, sizeof(pq->imsg_id)); 1658 } while(find_pending_query(pq->imsg_id) != NULL); 1659 1660 TAILQ_INSERT_TAIL(&pending_queries, pq, entry); 1661 1662 pq->from = ss; 1663 pq->fd = s; 1664 pq->tcp = 1; 1665 pq->qbuf = sldns_buffer_new(DEFAULT_TCP_SIZE); 1666 pq->region = regional_create(); 1667 pq->qmsg = regional_alloc(pq->region, sizeof(*pq->qmsg)); 1668 1669 if (!pq->qbuf || !pq->region || !pq->qmsg) { 1670 free_pending_query(pq); 1671 return; 1672 } 1673 1674 memset(pq->qmsg, 0, sizeof(*pq->qmsg)); 1675 1676 event_set(&pq->ev, s, EV_READ | EV_PERSIST, tcp_request, pq); 1677 event_add(&pq->ev, NULL); 1678 event_set(&pq->resp_ev, s, EV_WRITE | EV_PERSIST, tcp_response, pq); 1679 1680 evtimer_set(&pq->tmo_ev, tcp_timeout, pq); 1681 evtimer_add(&pq->tmo_ev, &timeout); 1682 } 1683 1684 void 1685 tcp_request(int fd, short events, void *arg) 1686 { 1687 struct pending_query *pq; 1688 ssize_t n; 1689 1690 pq = arg; 1691 1692 n = read(fd, sldns_buffer_current(pq->qbuf), 1693 sldns_buffer_remaining(pq->qbuf)); 1694 1695 switch (n) { 1696 case -1: 1697 switch (errno) { 1698 case EINTR: 1699 case EAGAIN: 1700 return; 1701 default: 1702 goto fail; 1703 } 1704 break; 1705 case 0: 1706 log_debug("closed connection"); 1707 goto fail; 1708 default: 1709 break; 1710 } 1711 1712 sldns_buffer_skip(pq->qbuf, n); 1713 1714 if (sldns_buffer_position(pq->qbuf) >= 2 && !pq->abuf) { 1715 struct sldns_buffer *tmp; 1716 uint16_t len; 1717 1718 sldns_buffer_flip(pq->qbuf); 1719 len = sldns_buffer_read_u16(pq->qbuf); 1720 tmp = sldns_buffer_new(len); 1721 pq->abuf = sldns_buffer_new(len); 1722 1723 if (!tmp || !pq->abuf) 1724 goto fail; 1725 1726 sldns_buffer_write(tmp, sldns_buffer_current(pq->qbuf), 1727 sldns_buffer_remaining(pq->qbuf)); 1728 sldns_buffer_free(pq->qbuf); 1729 pq->qbuf = tmp; 1730 } 1731 if (sldns_buffer_remaining(pq->qbuf) == 0) { 1732 sldns_buffer_flip(pq->qbuf); 1733 shutdown(fd, SHUT_RD); 1734 event_del(&pq->ev); 1735 handle_query(pq); 1736 } 1737 return; 1738 fail: 1739 free_pending_query(pq); 1740 } 1741 1742 void 1743 tcp_response(int fd, short events, void *arg) 1744 { 1745 struct pending_query *pq; 1746 ssize_t n; 1747 1748 pq = arg; 1749 1750 n = write(fd, sldns_buffer_current(pq->abuf), 1751 sldns_buffer_remaining(pq->abuf)); 1752 1753 if (n == -1) { 1754 if (errno == EAGAIN || errno == EINTR) 1755 return; 1756 free_pending_query(pq); 1757 } 1758 sldns_buffer_skip(pq->abuf, n); 1759 if (sldns_buffer_remaining(pq->abuf) == 0) 1760 free_pending_query(pq); 1761 } 1762 1763 void 1764 tcp_timeout(int fd, short events, void *arg) 1765 { 1766 free_pending_query(arg); 1767 } 1768