1 /* $OpenBSD: frontend.c,v 1.50 2020/01/28 15:44:13 bket Exp $ */ 2 3 /* 4 * Copyright (c) 2018 Florian Obser <florian@openbsd.org> 5 * Copyright (c) 2005 Claudio Jeker <claudio@openbsd.org> 6 * Copyright (c) 2004 Esben Norby <norby@openbsd.org> 7 * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> 8 * 9 * Permission to use, copy, modify, and distribute this software for any 10 * purpose with or without fee is hereby granted, provided that the above 11 * copyright notice and this permission notice appear in all copies. 12 * 13 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 14 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 15 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 16 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 17 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 18 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 19 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 20 */ 21 22 #include <sys/types.h> 23 #include <sys/queue.h> 24 #include <sys/socket.h> 25 #include <sys/syslog.h> 26 #include <sys/tree.h> 27 #include <sys/uio.h> 28 29 #include <netinet/in.h> 30 #include <net/if.h> 31 #include <net/route.h> 32 33 #include <errno.h> 34 #include <event.h> 35 #include <imsg.h> 36 #include <netdb.h> 37 #include <pwd.h> 38 #include <signal.h> 39 #include <stdint.h> 40 #include <stdio.h> 41 #include <stdlib.h> 42 #include <string.h> 43 #include <time.h> 44 #include <unistd.h> 45 46 #include "libunbound/config.h" 47 #include "libunbound/sldns/pkthdr.h" 48 #include "libunbound/sldns/sbuffer.h" 49 #include "libunbound/sldns/str2wire.h" 50 #include "libunbound/sldns/wire2str.h" 51 #include "libunbound/util/data/dname.h" 52 #include "libunbound/util/data/msgparse.h" 53 #include "libunbound/util/data/msgreply.h" 54 55 #include "log.h" 56 #include "unwind.h" 57 #include "frontend.h" 58 #include "control.h" 59 60 #define ROUTE_SOCKET_BUF_SIZE 16384 61 62 /* 63 * size of a resource record with name a two octed pointer to qname 64 * 2 octets pointer to qname 65 * 2 octets TYPE 66 * 2 octets CLASS 67 * 4 octets TTL 68 * 2 octets RDLENGTH 69 */ 70 #define COMPRESSED_RR_SIZE 12 71 72 struct udp_ev { 73 struct event ev; 74 uint8_t query[65536]; 75 struct msghdr rcvmhdr; 76 struct iovec rcviov[1]; 77 struct sockaddr_storage from; 78 } udp4ev, udp6ev; 79 80 struct pending_query { 81 TAILQ_ENTRY(pending_query) entry; 82 struct sockaddr_storage from; 83 struct sldns_buffer *qbuf; 84 ssize_t len; 85 uint64_t imsg_id; 86 int fd; 87 int bogus; 88 int rcode_override; 89 ssize_t answer_len; 90 uint8_t *answer; 91 }; 92 93 TAILQ_HEAD(, pending_query) pending_queries; 94 95 struct bl_node { 96 RB_ENTRY(bl_node) entry; 97 char *domain; 98 }; 99 100 __dead void frontend_shutdown(void); 101 void frontend_sig_handler(int, short, void *); 102 void frontend_startup(void); 103 void udp_receive(int, short, void *); 104 int check_query(sldns_buffer*); 105 void chaos_answer(struct pending_query *); 106 void send_answer(struct pending_query *); 107 void route_receive(int, short, void *); 108 void handle_route_message(struct rt_msghdr *, 109 struct sockaddr **); 110 void get_rtaddrs(int, struct sockaddr *, 111 struct sockaddr **); 112 void rtmget_default(void); 113 struct pending_query *find_pending_query(uint64_t); 114 void parse_trust_anchor(struct trust_anchor_head *, int); 115 void send_trust_anchors(struct trust_anchor_head *); 116 void write_trust_anchors(struct trust_anchor_head *, int); 117 void parse_blocklist(int); 118 int bl_cmp(struct bl_node *, struct bl_node *); 119 void free_bl(void); 120 int pending_query_cnt(void); 121 122 struct uw_conf *frontend_conf; 123 struct imsgev *iev_main; 124 struct imsgev *iev_resolver; 125 struct event ev_route; 126 int udp4sock = -1, udp6sock = -1, routesock = -1; 127 int ta_fd = -1; 128 129 static struct trust_anchor_head trust_anchors, new_trust_anchors; 130 131 RB_HEAD(bl_tree, bl_node) bl_head = RB_INITIALIZER(&bl_head); 132 RB_PROTOTYPE(bl_tree, bl_node, entry, bl_cmp) 133 RB_GENERATE(bl_tree, bl_node, entry, bl_cmp) 134 135 void 136 frontend_sig_handler(int sig, short event, void *bula) 137 { 138 /* 139 * Normal signal handler rules don't apply because libevent 140 * decouples for us. 141 */ 142 143 switch (sig) { 144 case SIGINT: 145 case SIGTERM: 146 frontend_shutdown(); 147 default: 148 fatalx("unexpected signal"); 149 } 150 } 151 152 void 153 frontend(int debug, int verbose) 154 { 155 struct event ev_sigint, ev_sigterm; 156 struct passwd *pw; 157 158 frontend_conf = config_new_empty(); 159 control_state.fd = -1; 160 161 log_init(debug, LOG_DAEMON); 162 log_setverbose(verbose); 163 164 if ((pw = getpwnam(UNWIND_USER)) == NULL) 165 fatal("getpwnam"); 166 167 if (chroot(pw->pw_dir) == -1) 168 fatal("chroot"); 169 if (chdir("/") == -1) 170 fatal("chdir(\"/\")"); 171 172 uw_process = PROC_FRONTEND; 173 setproctitle("%s", log_procnames[uw_process]); 174 log_procinit(log_procnames[uw_process]); 175 176 if (setgroups(1, &pw->pw_gid) || 177 setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) || 178 setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid)) 179 fatal("can't drop privileges"); 180 181 if (pledge("stdio unix recvfd", NULL) == -1) 182 fatal("pledge"); 183 184 event_init(); 185 186 /* Setup signal handler. */ 187 signal_set(&ev_sigint, SIGINT, frontend_sig_handler, NULL); 188 signal_set(&ev_sigterm, SIGTERM, frontend_sig_handler, NULL); 189 signal_add(&ev_sigint, NULL); 190 signal_add(&ev_sigterm, NULL); 191 signal(SIGPIPE, SIG_IGN); 192 signal(SIGHUP, SIG_IGN); 193 194 /* Setup pipe and event handler to the parent process. */ 195 if (iev_main != NULL) 196 fatal("iev_main"); 197 if ((iev_main = malloc(sizeof(struct imsgev))) == NULL) 198 fatal(NULL); 199 imsg_init(&iev_main->ibuf, 3); 200 iev_main->handler = frontend_dispatch_main; 201 iev_main->events = EV_READ; 202 event_set(&iev_main->ev, iev_main->ibuf.fd, iev_main->events, 203 iev_main->handler, iev_main); 204 event_add(&iev_main->ev, NULL); 205 206 udp4ev.rcviov[0].iov_base = (caddr_t)udp4ev.query; 207 udp4ev.rcviov[0].iov_len = sizeof(udp4ev.query); 208 udp4ev.rcvmhdr.msg_name = (caddr_t)&udp4ev.from; 209 udp4ev.rcvmhdr.msg_namelen = sizeof(udp4ev.from); 210 udp4ev.rcvmhdr.msg_iov = udp4ev.rcviov; 211 udp4ev.rcvmhdr.msg_iovlen = 1; 212 213 udp6ev.rcviov[0].iov_base = (caddr_t)udp6ev.query; 214 udp6ev.rcviov[0].iov_len = sizeof(udp6ev.query); 215 udp6ev.rcvmhdr.msg_name = (caddr_t)&udp6ev.from; 216 udp6ev.rcvmhdr.msg_namelen = sizeof(udp6ev.from); 217 udp6ev.rcvmhdr.msg_iov = udp6ev.rcviov; 218 udp6ev.rcvmhdr.msg_iovlen = 1; 219 220 TAILQ_INIT(&pending_queries); 221 222 TAILQ_INIT(&trust_anchors); 223 TAILQ_INIT(&new_trust_anchors); 224 225 add_new_ta(&trust_anchors, KSK2017); 226 227 event_dispatch(); 228 229 frontend_shutdown(); 230 } 231 232 __dead void 233 frontend_shutdown(void) 234 { 235 /* Close pipes. */ 236 msgbuf_write(&iev_resolver->ibuf.w); 237 msgbuf_clear(&iev_resolver->ibuf.w); 238 close(iev_resolver->ibuf.fd); 239 msgbuf_write(&iev_main->ibuf.w); 240 msgbuf_clear(&iev_main->ibuf.w); 241 close(iev_main->ibuf.fd); 242 243 config_clear(frontend_conf); 244 245 free(iev_resolver); 246 free(iev_main); 247 248 log_info("frontend exiting"); 249 exit(0); 250 } 251 252 int 253 frontend_imsg_compose_main(int type, pid_t pid, void *data, uint16_t datalen) 254 { 255 return (imsg_compose_event(iev_main, type, 0, pid, -1, data, datalen)); 256 } 257 258 int 259 frontend_imsg_compose_resolver(int type, pid_t pid, void *data, 260 uint16_t datalen) 261 { 262 return (imsg_compose_event(iev_resolver, type, 0, pid, -1, data, 263 datalen)); 264 } 265 266 void 267 frontend_dispatch_main(int fd, short event, void *bula) 268 { 269 static struct uw_conf *nconf; 270 struct imsg imsg; 271 struct imsgev *iev = bula; 272 struct imsgbuf *ibuf = &iev->ibuf; 273 int n, shut = 0; 274 275 if (event & EV_READ) { 276 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN) 277 fatal("imsg_read error"); 278 if (n == 0) /* Connection closed. */ 279 shut = 1; 280 } 281 if (event & EV_WRITE) { 282 if ((n = msgbuf_write(&ibuf->w)) == -1 && errno != EAGAIN) 283 fatal("msgbuf_write"); 284 if (n == 0) /* Connection closed. */ 285 shut = 1; 286 } 287 288 for (;;) { 289 if ((n = imsg_get(ibuf, &imsg)) == -1) 290 fatal("%s: imsg_get error", __func__); 291 if (n == 0) /* No more messages. */ 292 break; 293 294 switch (imsg.hdr.type) { 295 case IMSG_SOCKET_IPC_RESOLVER: 296 /* 297 * Setup pipe and event handler to the resolver 298 * process. 299 */ 300 if (iev_resolver) { 301 fatalx("%s: received unexpected imsg fd " 302 "to frontend", __func__); 303 break; 304 } 305 if ((fd = imsg.fd) == -1) { 306 fatalx("%s: expected to receive imsg fd to " 307 "frontend but didn't receive any", 308 __func__); 309 break; 310 } 311 312 if (iev_resolver != NULL) 313 fatal("iev_resolver"); 314 iev_resolver = malloc(sizeof(struct imsgev)); 315 if (iev_resolver == NULL) 316 fatal(NULL); 317 318 imsg_init(&iev_resolver->ibuf, fd); 319 iev_resolver->handler = frontend_dispatch_resolver; 320 iev_resolver->events = EV_READ; 321 322 event_set(&iev_resolver->ev, iev_resolver->ibuf.fd, 323 iev_resolver->events, iev_resolver->handler, 324 iev_resolver); 325 event_add(&iev_resolver->ev, NULL); 326 break; 327 case IMSG_RECONF_CONF: 328 case IMSG_RECONF_BLOCKLIST_FILE: 329 case IMSG_RECONF_FORWARDER: 330 case IMSG_RECONF_DOT_FORWARDER: 331 case IMSG_RECONF_FORCE: 332 imsg_receive_config(&imsg, &nconf); 333 break; 334 case IMSG_RECONF_END: 335 if (nconf == NULL) 336 fatalx("%s: IMSG_RECONF_END without " 337 "IMSG_RECONF_CONF", __func__); 338 merge_config(frontend_conf, nconf); 339 if (frontend_conf->blocklist_file == NULL) 340 free_bl(); 341 nconf = NULL; 342 break; 343 case IMSG_UDP6SOCK: 344 if (udp6sock != -1) 345 fatalx("%s: received unexpected udp6sock", 346 __func__); 347 if ((udp6sock = imsg.fd) == -1) 348 fatalx("%s: expected to receive imsg " 349 "UDP6 fd but didn't receive any", __func__); 350 event_set(&udp6ev.ev, udp6sock, EV_READ | EV_PERSIST, 351 udp_receive, &udp6ev); 352 event_add(&udp6ev.ev, NULL); 353 break; 354 case IMSG_UDP4SOCK: 355 if (udp4sock != -1) 356 fatalx("%s: received unexpected udp4sock", 357 __func__); 358 if ((udp4sock = imsg.fd) == -1) 359 fatalx("%s: expected to receive imsg " 360 "UDP4 fd but didn't receive any", __func__); 361 event_set(&udp4ev.ev, udp4sock, EV_READ | EV_PERSIST, 362 udp_receive, &udp4ev); 363 event_add(&udp4ev.ev, NULL); 364 break; 365 case IMSG_ROUTESOCK: 366 if (routesock != -1) 367 fatalx("%s: received unexpected routesock", 368 __func__); 369 if ((fd = imsg.fd) == -1) 370 fatalx("%s: expected to receive imsg " 371 "routesocket fd but didn't receive any", 372 __func__); 373 routesock = fd; 374 event_set(&ev_route, fd, EV_READ | EV_PERSIST, 375 route_receive, NULL); 376 break; 377 case IMSG_STARTUP: 378 frontend_startup(); 379 break; 380 case IMSG_CONTROLFD: 381 if (control_state.fd != -1) 382 fatalx("%s: received unexpected controlsock", 383 __func__); 384 if ((fd = imsg.fd) == -1) 385 fatalx("%s: expected to receive imsg control " 386 "fd but didn't receive any", __func__); 387 control_state.fd = fd; 388 /* Listen on control socket. */ 389 TAILQ_INIT(&ctl_conns); 390 control_listen(); 391 break; 392 case IMSG_TAFD: 393 if ((ta_fd = imsg.fd) != -1) 394 parse_trust_anchor(&trust_anchors, ta_fd); 395 if (!TAILQ_EMPTY(&trust_anchors)) 396 send_trust_anchors(&trust_anchors); 397 break; 398 case IMSG_BLFD: 399 if ((fd = imsg.fd) == -1) 400 fatalx("%s: expected to receive imsg block " 401 "list fd but didn't receive any", __func__); 402 parse_blocklist(fd); 403 break; 404 default: 405 log_debug("%s: error handling imsg %d", __func__, 406 imsg.hdr.type); 407 break; 408 } 409 imsg_free(&imsg); 410 } 411 if (!shut) 412 imsg_event_add(iev); 413 else { 414 /* This pipe is dead. Remove its event handler. */ 415 event_del(&iev->ev); 416 event_loopexit(NULL); 417 } 418 } 419 420 void 421 frontend_dispatch_resolver(int fd, short event, void *bula) 422 { 423 static struct pending_query *pq; 424 struct imsgev *iev = bula; 425 struct imsgbuf *ibuf = &iev->ibuf; 426 struct imsg imsg; 427 struct query_imsg *query_imsg; 428 int n, shut = 0, chg; 429 430 if (event & EV_READ) { 431 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN) 432 fatal("imsg_read error"); 433 if (n == 0) /* Connection closed. */ 434 shut = 1; 435 } 436 if (event & EV_WRITE) { 437 if ((n = msgbuf_write(&ibuf->w)) == -1 && errno != EAGAIN) 438 fatal("msgbuf_write"); 439 if (n == 0) /* Connection closed. */ 440 shut = 1; 441 } 442 443 for (;;) { 444 if ((n = imsg_get(ibuf, &imsg)) == -1) 445 fatal("%s: imsg_get error", __func__); 446 if (n == 0) /* No more messages. */ 447 break; 448 449 switch (imsg.hdr.type) { 450 case IMSG_ANSWER_HEADER: 451 if (pq != NULL) 452 fatalx("expected IMSG_ANSWER but got HEADER"); 453 if (IMSG_DATA_SIZE(imsg) != sizeof(*query_imsg)) 454 fatalx("%s: IMSG_ANSWER_HEADER wrong length: " 455 "%lu", __func__, IMSG_DATA_SIZE(imsg)); 456 query_imsg = (struct query_imsg *)imsg.data; 457 if ((pq = find_pending_query(query_imsg->id)) == 458 NULL) { 459 log_warnx("cannot find pending query %llu", 460 query_imsg->id); 461 break; 462 } 463 if (query_imsg->err) { 464 send_answer(pq); 465 pq = NULL; 466 break; 467 } 468 pq->bogus = query_imsg->bogus; 469 break; 470 case IMSG_ANSWER: 471 if (pq == NULL) 472 fatalx("IMSG_ANSWER without HEADER"); 473 474 if (pq->answer) 475 fatal("pq->answer"); 476 if ((pq->answer = malloc(IMSG_DATA_SIZE(imsg))) != 477 NULL) { 478 pq->answer_len = IMSG_DATA_SIZE(imsg); 479 memcpy(pq->answer, imsg.data, pq->answer_len); 480 } else 481 pq->rcode_override = LDNS_RCODE_SERVFAIL; 482 send_answer(pq); 483 pq = NULL; 484 break; 485 case IMSG_CTL_RESOLVER_INFO: 486 case IMSG_CTL_AUTOCONF_RESOLVER_INFO: 487 case IMSG_CTL_MEM_INFO: 488 case IMSG_CTL_END: 489 control_imsg_relay(&imsg); 490 break; 491 case IMSG_NEW_TA: 492 /* make sure this is a string */ 493 ((char *)imsg.data)[IMSG_DATA_SIZE(imsg) - 1] = '\0'; 494 add_new_ta(&new_trust_anchors, imsg.data); 495 break; 496 case IMSG_NEW_TAS_ABORT: 497 free_tas(&new_trust_anchors); 498 break; 499 case IMSG_NEW_TAS_DONE: 500 chg = merge_tas(&new_trust_anchors, &trust_anchors); 501 if (chg) 502 send_trust_anchors(&trust_anchors); 503 504 /* 505 * always write trust anchors, the modify date on 506 * the file is an indication when we made progress 507 */ 508 if (ta_fd != -1) 509 write_trust_anchors(&trust_anchors, ta_fd); 510 break; 511 default: 512 log_debug("%s: error handling imsg %d", __func__, 513 imsg.hdr.type); 514 break; 515 } 516 imsg_free(&imsg); 517 } 518 if (!shut) 519 imsg_event_add(iev); 520 else { 521 /* This pipe is dead. Remove its event handler. */ 522 event_del(&iev->ev); 523 event_loopexit(NULL); 524 } 525 } 526 527 void 528 frontend_startup(void) 529 { 530 if (!event_initialized(&ev_route)) 531 fatalx("%s: did not receive a route socket from the main " 532 "process", __func__); 533 534 event_add(&ev_route, NULL); 535 536 frontend_imsg_compose_main(IMSG_STARTUP_DONE, 0, NULL, 0); 537 } 538 539 void 540 udp_receive(int fd, short events, void *arg) 541 { 542 struct udp_ev *udpev = (struct udp_ev *)arg; 543 struct pending_query *pq; 544 struct query_imsg query_imsg; 545 struct query_info qinfo; 546 struct bl_node find; 547 ssize_t len, dname_len; 548 int ret; 549 char *str; 550 char dname[LDNS_MAX_DOMAINLEN + 1]; 551 char qclass_buf[16]; 552 char qtype_buf[16]; 553 554 memset(&qinfo, 0, sizeof(qinfo)); 555 556 if ((len = recvmsg(fd, &udpev->rcvmhdr, 0)) == -1) { 557 log_warn("recvmsg"); 558 return; 559 } 560 561 if ((pq = calloc(1, sizeof(*pq))) == NULL) { 562 log_warn(NULL); 563 return; 564 } 565 566 pq->rcode_override = LDNS_RCODE_NOERROR; 567 pq->len = len; 568 pq->from = udpev->from; 569 pq->fd = fd; 570 571 do { 572 arc4random_buf(&pq->imsg_id, sizeof(pq->imsg_id)); 573 } while(find_pending_query(pq->imsg_id) != NULL); 574 575 if ((pq->qbuf = sldns_buffer_new(len)) == NULL) { 576 log_warnx("sldns_buffer_new"); 577 goto drop; 578 } 579 sldns_buffer_clear(pq->qbuf); 580 sldns_buffer_write(pq->qbuf, udpev->query, len); 581 sldns_buffer_flip(pq->qbuf); 582 583 if (log_getverbose() & OPT_VERBOSE2 && (str = 584 sldns_wire2str_pkt(udpev->query, len)) != NULL) { 585 log_debug("from: %s\n%s", ip_port((struct sockaddr *) 586 &udpev->from), str); 587 free(str); 588 } 589 590 if ((ret = check_query(pq->qbuf)) != LDNS_RCODE_NOERROR) { 591 if (ret == -1) 592 goto drop; 593 else 594 pq->rcode_override = ret; 595 goto send_answer; 596 } 597 598 if (!query_info_parse(&qinfo, pq->qbuf)) { 599 pq->rcode_override = LDNS_RCODE_FORMERR; 600 goto send_answer; 601 } 602 603 if ((dname_len = dname_valid(qinfo.qname, qinfo.qname_len)) == 0) { 604 pq->rcode_override = LDNS_RCODE_FORMERR; 605 goto send_answer; 606 } 607 dname_str(qinfo.qname, dname); 608 609 sldns_wire2str_class_buf(qinfo.qclass, qclass_buf, sizeof(qclass_buf)); 610 sldns_wire2str_type_buf(qinfo.qtype, qtype_buf, sizeof(qtype_buf)); 611 log_debug("%s: %s %s %s ?", ip_port((struct sockaddr *)&udpev->from), 612 dname, qclass_buf, qtype_buf); 613 614 find.domain = dname; 615 if (RB_FIND(bl_tree, &bl_head, &find) != NULL) { 616 if (frontend_conf->blocklist_log) 617 log_info("blocking %s", dname); 618 pq->rcode_override = LDNS_RCODE_REFUSED; 619 goto send_answer; 620 } 621 622 if (qinfo.qtype == LDNS_RR_TYPE_AXFR || qinfo.qtype == 623 LDNS_RR_TYPE_IXFR) { 624 pq->rcode_override = LDNS_RCODE_REFUSED; 625 goto send_answer; 626 } 627 628 if(qinfo.qtype == LDNS_RR_TYPE_OPT || 629 qinfo.qtype == LDNS_RR_TYPE_TSIG || 630 qinfo.qtype == LDNS_RR_TYPE_TKEY || 631 qinfo.qtype == LDNS_RR_TYPE_MAILA || 632 qinfo.qtype == LDNS_RR_TYPE_MAILB || 633 (qinfo.qtype >= 128 && qinfo.qtype <= 248)) { 634 pq->rcode_override = LDNS_RCODE_FORMERR; 635 goto send_answer; 636 } 637 638 if (qinfo.qclass == LDNS_RR_CLASS_CH) { 639 if (strcasecmp(dname, "version.server.") == 0 || 640 strcasecmp(dname, "version.bind.") == 0) { 641 chaos_answer(pq); 642 } else 643 pq->rcode_override = LDNS_RCODE_REFUSED; 644 goto send_answer; 645 } 646 647 if (strlcpy(query_imsg.qname, dname, sizeof(query_imsg.qname)) >= 648 sizeof(query_imsg.qname)) { 649 log_warnx("qname too long"); 650 pq->rcode_override = LDNS_RCODE_FORMERR; 651 goto send_answer; 652 } 653 query_imsg.id = pq->imsg_id; 654 query_imsg.t = qinfo.qtype; 655 query_imsg.c = qinfo.qclass; 656 657 if (frontend_imsg_compose_resolver(IMSG_QUERY, 0, &query_imsg, 658 sizeof(query_imsg)) != -1) 659 TAILQ_INSERT_TAIL(&pending_queries, pq, entry); 660 else { 661 pq->rcode_override = LDNS_RCODE_SERVFAIL; 662 goto send_answer; 663 } 664 return; 665 666 send_answer: 667 TAILQ_INSERT_TAIL(&pending_queries, pq, entry); 668 send_answer(pq); 669 pq = NULL; 670 drop: 671 if (pq != NULL) 672 sldns_buffer_free(pq->qbuf); 673 free(pq); 674 } 675 676 void 677 chaos_answer(struct pending_query *pq) 678 { 679 struct sldns_buffer buf, *pkt = &buf; 680 size_t size, len; 681 char *name = "unwind"; 682 683 len = strlen(name); 684 size = sldns_buffer_capacity(pq->qbuf) + COMPRESSED_RR_SIZE + 1 + len; 685 686 if (pq->answer != 0) 687 fatal("chaos_answer"); 688 if ((pq->answer = calloc(1, size)) == NULL) 689 return; 690 pq->answer_len = size; 691 memcpy(pq->answer, sldns_buffer_begin(pq->qbuf), 692 sldns_buffer_capacity(pq->qbuf)); 693 sldns_buffer_init_frm_data(pkt, pq->answer, size); 694 695 sldns_buffer_clear(pkt); 696 697 sldns_buffer_skip(pkt, sizeof(uint16_t)); /* skip id */ 698 sldns_buffer_write_u16(pkt, 0); /* clear flags */ 699 LDNS_QR_SET(sldns_buffer_begin(pkt)); 700 LDNS_RA_SET(sldns_buffer_begin(pkt)); 701 if (LDNS_RD_WIRE(sldns_buffer_begin(pq->qbuf))) 702 LDNS_RD_SET(sldns_buffer_begin(pkt)); 703 if (LDNS_CD_WIRE(sldns_buffer_begin(pq->qbuf))) 704 LDNS_CD_SET(sldns_buffer_begin(pkt)); 705 LDNS_RCODE_SET(sldns_buffer_begin(pkt), LDNS_RCODE_NOERROR); 706 sldns_buffer_write_u16(pkt, 1); /* qdcount */ 707 sldns_buffer_write_u16(pkt, 1); /* ancount */ 708 sldns_buffer_write_u16(pkt, 0); /* nscount */ 709 sldns_buffer_write_u16(pkt, 0); /* arcount */ 710 (void)query_dname_len(pkt); /* skip qname */ 711 sldns_buffer_skip(pkt, sizeof(uint16_t)); /* skip qtype */ 712 sldns_buffer_skip(pkt, sizeof(uint16_t)); /* skip qclass */ 713 714 sldns_buffer_write_u16(pkt, 0xc00c); /* ptr to query */ 715 sldns_buffer_write_u16(pkt, LDNS_RR_TYPE_TXT); 716 sldns_buffer_write_u16(pkt, LDNS_RR_CLASS_CH); 717 sldns_buffer_write_u32(pkt, 0); /* TTL */ 718 sldns_buffer_write_u16(pkt, 1 + len); /* RDLENGTH */ 719 sldns_buffer_write_u8(pkt, len); /* length octed */ 720 sldns_buffer_write(pkt, name, len); 721 } 722 723 int 724 check_query(sldns_buffer* pkt) 725 { 726 if(sldns_buffer_limit(pkt) < LDNS_HEADER_SIZE) { 727 log_warnx("bad query: too short, dropped"); 728 return -1; 729 } 730 if(LDNS_QR_WIRE(sldns_buffer_begin(pkt))) { 731 log_warnx("bad query: QR set, dropped"); 732 return -1; 733 } 734 if(LDNS_TC_WIRE(sldns_buffer_begin(pkt))) { 735 LDNS_TC_CLR(sldns_buffer_begin(pkt)); 736 log_warnx("bad query: TC set"); 737 return (LDNS_RCODE_FORMERR); 738 } 739 if(!(LDNS_RD_WIRE(sldns_buffer_begin(pkt)))) { 740 log_warnx("bad query: RD not set"); 741 return (LDNS_RCODE_REFUSED); 742 } 743 if(LDNS_OPCODE_WIRE(sldns_buffer_begin(pkt)) != LDNS_PACKET_QUERY) { 744 log_warnx("bad query: unknown opcode %d", 745 LDNS_OPCODE_WIRE(sldns_buffer_begin(pkt))); 746 return (LDNS_RCODE_NOTIMPL); 747 } 748 749 if (LDNS_QDCOUNT(sldns_buffer_begin(pkt)) != 1 && 750 LDNS_ANCOUNT(sldns_buffer_begin(pkt))!= 0 && 751 LDNS_NSCOUNT(sldns_buffer_begin(pkt))!= 0 && 752 LDNS_ARCOUNT(sldns_buffer_begin(pkt)) > 1) { 753 log_warnx("bad query: qdcount: %d, ancount: %d " 754 "nscount: %d, arcount: %d", 755 LDNS_QDCOUNT(sldns_buffer_begin(pkt)), 756 LDNS_ANCOUNT(sldns_buffer_begin(pkt)), 757 LDNS_NSCOUNT(sldns_buffer_begin(pkt)), 758 LDNS_ARCOUNT(sldns_buffer_begin(pkt))); 759 return (LDNS_RCODE_FORMERR); 760 } 761 return 0; 762 } 763 764 void 765 send_answer(struct pending_query *pq) 766 { 767 ssize_t len; 768 char *str; 769 uint8_t *answer; 770 771 answer = pq->answer; 772 len = pq->answer_len; 773 774 if (answer == NULL) { 775 answer = sldns_buffer_begin(pq->qbuf); 776 len = pq->len; 777 778 LDNS_QR_SET(answer); 779 LDNS_RA_SET(answer); 780 if (pq->rcode_override != LDNS_RCODE_NOERROR) 781 LDNS_RCODE_SET(answer, pq->rcode_override); 782 else 783 LDNS_RCODE_SET(answer, LDNS_RCODE_SERVFAIL); 784 } else { 785 if (pq->bogus) { 786 if(LDNS_CD_WIRE(sldns_buffer_begin(pq->qbuf))) { 787 LDNS_ID_SET(answer, LDNS_ID_WIRE( 788 sldns_buffer_begin(pq->qbuf))); 789 LDNS_CD_SET(answer); 790 } else { 791 answer = sldns_buffer_begin(pq->qbuf); 792 len = pq->len; 793 794 LDNS_QR_SET(answer); 795 LDNS_RA_SET(answer); 796 LDNS_RCODE_SET(answer, LDNS_RCODE_SERVFAIL); 797 } 798 } else { 799 LDNS_ID_SET(answer, LDNS_ID_WIRE(sldns_buffer_begin( 800 pq->qbuf))); 801 } 802 } 803 804 if (log_getverbose() & OPT_VERBOSE2 && (str = 805 sldns_wire2str_pkt(answer, len)) != NULL) { 806 log_debug("to: %s\n%s", 807 ip_port((struct sockaddr *)&pq->from),str); 808 free(str); 809 log_debug("pending query count: %d", pending_query_cnt()); 810 } 811 812 if(sendto(pq->fd, answer, len, 0, (struct sockaddr *)&pq->from, 813 pq->from.ss_len) == -1) 814 log_warn("sendto"); 815 816 TAILQ_REMOVE(&pending_queries, pq, entry); 817 sldns_buffer_free(pq->qbuf); 818 free(pq->answer); 819 free(pq); 820 } 821 822 char* 823 ip_port(struct sockaddr *sa) 824 { 825 static char hbuf[NI_MAXHOST], buf[NI_MAXHOST]; 826 827 if (getnameinfo(sa, sa->sa_len, hbuf, sizeof(hbuf), NULL, 0, 828 NI_NUMERICHOST) != 0) { 829 snprintf(buf, sizeof(buf), "%s", "(unknown)"); 830 return buf; 831 } 832 833 if (sa->sa_family == AF_INET6) 834 snprintf(buf, sizeof(buf), "[%s]:%d", hbuf, ntohs( 835 ((struct sockaddr_in6 *)sa)->sin6_port)); 836 if (sa->sa_family == AF_INET) 837 snprintf(buf, sizeof(buf), "[%s]:%d", hbuf, ntohs( 838 ((struct sockaddr_in *)sa)->sin_port)); 839 840 return buf; 841 } 842 843 struct pending_query* 844 find_pending_query(uint64_t id) 845 { 846 struct pending_query *pq; 847 848 TAILQ_FOREACH(pq, &pending_queries, entry) 849 if (pq->imsg_id == id) 850 return pq; 851 return NULL; 852 } 853 854 void 855 route_receive(int fd, short events, void *arg) 856 { 857 static uint8_t *buf; 858 859 struct rt_msghdr *rtm; 860 struct sockaddr *sa, *rti_info[RTAX_MAX]; 861 ssize_t n; 862 863 if (buf == NULL) { 864 buf = malloc(ROUTE_SOCKET_BUF_SIZE); 865 if (buf == NULL) 866 fatal("malloc"); 867 } 868 rtm = (struct rt_msghdr *)buf; 869 if ((n = read(fd, buf, ROUTE_SOCKET_BUF_SIZE)) == -1) { 870 if (errno == EAGAIN || errno == EINTR) 871 return; 872 log_warn("dispatch_rtmsg: read error"); 873 return; 874 } 875 876 if (n == 0) 877 fatal("routing socket closed"); 878 879 if (n < (ssize_t)sizeof(rtm->rtm_msglen) || n < rtm->rtm_msglen) { 880 log_warnx("partial rtm of %zd in buffer", n); 881 return; 882 } 883 884 if (rtm->rtm_version != RTM_VERSION) 885 return; 886 887 sa = (struct sockaddr *)(buf + rtm->rtm_hdrlen); 888 get_rtaddrs(rtm->rtm_addrs, sa, rti_info); 889 890 handle_route_message(rtm, rti_info); 891 } 892 893 #define ROUNDUP(a) \ 894 ((a) > 0 ? (1 + (((a) - 1) | (sizeof(long) - 1))) : sizeof(long)) 895 896 void 897 get_rtaddrs(int addrs, struct sockaddr *sa, struct sockaddr **rti_info) 898 { 899 int i; 900 901 for (i = 0; i < RTAX_MAX; i++) { 902 if (addrs & (1 << i)) { 903 rti_info[i] = sa; 904 sa = (struct sockaddr *)((char *)(sa) + 905 ROUNDUP(sa->sa_len)); 906 } else 907 rti_info[i] = NULL; 908 } 909 } 910 911 void 912 handle_route_message(struct rt_msghdr *rtm, struct sockaddr **rti_info) 913 { 914 struct imsg_rdns_proposal rdns_proposal; 915 struct sockaddr_rtdns *rtdns; 916 917 switch (rtm->rtm_type) { 918 case RTM_IFINFO: 919 frontend_imsg_compose_resolver(IMSG_NETWORK_CHANGED, 0, NULL, 920 0); 921 break; 922 case RTM_PROPOSAL: 923 if (!(rtm->rtm_addrs & RTA_DNS)) 924 break; 925 926 rtdns = (struct sockaddr_rtdns*)rti_info[RTAX_DNS]; 927 switch (rtdns->sr_family) { 928 case AF_INET: 929 if ((rtdns->sr_len - 2) % sizeof(struct in_addr) != 0) { 930 log_warnx("ignoring invalid RTM_PROPOSAL"); 931 return; 932 } 933 break; 934 case AF_INET6: 935 if ((rtdns->sr_len - 2) % sizeof(struct in6_addr) != 0) { 936 log_warnx("ignoring invalid RTM_PROPOSAL"); 937 return; 938 } 939 break; 940 default: 941 log_warnx("ignoring invalid RTM_PROPOSAL"); 942 return; 943 } 944 rdns_proposal.if_index = rtm->rtm_index; 945 rdns_proposal.src = rtm->rtm_priority; 946 memcpy(&rdns_proposal.rtdns, rtdns, sizeof(rdns_proposal.rtdns)); 947 frontend_imsg_compose_resolver(IMSG_REPLACE_DNS, 0, 948 &rdns_proposal, sizeof(rdns_proposal)); 949 break; 950 default: 951 break; 952 } 953 } 954 955 void 956 add_new_ta(struct trust_anchor_head *tah, char *val) 957 { 958 struct trust_anchor *ta, *i; 959 int cmp; 960 961 if ((ta = malloc(sizeof(*ta))) == NULL) 962 fatal("%s", __func__); 963 if ((ta->ta = strdup(val)) == NULL) 964 fatal("%s", __func__); 965 966 /* keep the list sorted to prevent churn if the order changes in DNS */ 967 TAILQ_FOREACH(i, tah, entry) { 968 cmp = strcmp(i->ta, ta->ta); 969 if ( cmp == 0) { 970 /* duplicate */ 971 free(ta->ta); 972 free(ta); 973 return; 974 } else if (cmp > 0) { 975 TAILQ_INSERT_BEFORE(i, ta, entry); 976 return; 977 } 978 } 979 TAILQ_INSERT_TAIL(tah, ta, entry); 980 } 981 982 void 983 free_tas(struct trust_anchor_head *tah) 984 { 985 struct trust_anchor *ta; 986 987 while ((ta = TAILQ_FIRST(tah))) { 988 TAILQ_REMOVE(tah, ta, entry); 989 free(ta->ta); 990 free(ta); 991 } 992 } 993 994 int 995 merge_tas(struct trust_anchor_head *newh, struct trust_anchor_head *oldh) 996 { 997 struct trust_anchor *i, *j; 998 int chg = 0; 999 1000 j = TAILQ_FIRST(oldh); 1001 1002 TAILQ_FOREACH(i, newh, entry) { 1003 if (j == NULL || strcmp(i->ta, j->ta) != 0) { 1004 chg = 1; 1005 break; 1006 } 1007 j = TAILQ_NEXT(j, entry); 1008 } 1009 if (j != NULL) 1010 chg = 1; 1011 1012 if (chg) { 1013 free_tas(oldh); 1014 TAILQ_CONCAT(oldh, newh, entry); 1015 } else { 1016 free_tas(newh); 1017 } 1018 return (chg); 1019 } 1020 1021 void 1022 parse_trust_anchor(struct trust_anchor_head *tah, int fd) 1023 { 1024 size_t len, dname_len; 1025 ssize_t n, sz; 1026 uint8_t rr[LDNS_RR_BUF_SIZE]; 1027 char *str, *p, buf[512], *line; 1028 1029 sz = 0; 1030 str = NULL; 1031 1032 while ((n = read(fd, buf, sizeof(buf))) > 0) { 1033 p = recallocarray(str, sz, sz + n, 1); 1034 if (p == NULL) { 1035 log_warn("%s", __func__); 1036 goto out; 1037 } 1038 str = p; 1039 memcpy(str + sz, buf, n); 1040 sz += n; 1041 } 1042 1043 if (n == -1) { 1044 log_warn("%s", __func__); 1045 goto out; 1046 } 1047 1048 /* make it a string */ 1049 p = recallocarray(str, sz, sz + 1, 1); 1050 if (p == NULL) { 1051 log_warn("%s", __func__); 1052 goto out; 1053 } 1054 str = p; 1055 sz++; 1056 1057 len = sizeof(rr); 1058 1059 while ((line = strsep(&str, "\n")) != NULL) { 1060 if (sldns_str2wire_rr_buf(line, rr, &len, &dname_len, 1061 ROOT_DNSKEY_TTL, NULL, 0, NULL, 0) != 0) 1062 continue; 1063 if (sldns_wirerr_get_type(rr, len, dname_len) == 1064 LDNS_RR_TYPE_DNSKEY) 1065 add_new_ta(tah, line); 1066 } 1067 1068 out: 1069 free(str); 1070 return; 1071 } 1072 1073 void 1074 send_trust_anchors(struct trust_anchor_head *tah) 1075 { 1076 struct trust_anchor *ta; 1077 1078 TAILQ_FOREACH(ta, tah, entry) 1079 frontend_imsg_compose_resolver(IMSG_NEW_TA, 0, ta->ta, 1080 strlen(ta->ta) + 1); 1081 frontend_imsg_compose_resolver(IMSG_NEW_TAS_DONE, 0, NULL, 0); 1082 } 1083 1084 void 1085 write_trust_anchors(struct trust_anchor_head *tah, int fd) 1086 { 1087 struct trust_anchor *ta; 1088 size_t len = 0; 1089 ssize_t n; 1090 char *str; 1091 1092 if (lseek(fd, 0, SEEK_SET) == -1) { 1093 log_warn("%s", __func__); 1094 goto out; 1095 } 1096 1097 TAILQ_FOREACH(ta, tah, entry) { 1098 if ((n = asprintf(&str, "%s\n", ta->ta)) == -1) { 1099 log_warn("%s", __func__); 1100 len = 0; 1101 goto out; 1102 } 1103 len += n; 1104 if (write(fd, str, n) != n) { 1105 log_warn("%s", __func__); 1106 free(str); 1107 len = 0; 1108 goto out; 1109 } 1110 free(str); 1111 } 1112 out: 1113 ftruncate(fd, len); 1114 fsync(fd); 1115 } 1116 1117 void 1118 parse_blocklist(int fd) 1119 { 1120 FILE *f; 1121 struct bl_node *bl_node; 1122 char *line = NULL; 1123 size_t linesize = 0; 1124 ssize_t linelen; 1125 1126 if((f = fdopen(fd, "r")) == NULL) { 1127 log_warn("cannot read block list"); 1128 close(fd); 1129 return; 1130 } 1131 1132 free_bl(); 1133 1134 while ((linelen = getline(&line, &linesize, f)) != -1) { 1135 if (line[linelen - 1] == '\n') { 1136 if (linelen >= 2 && line[linelen - 2] != '.') 1137 line[linelen - 1] = '.'; 1138 else 1139 line[linelen - 1] = '\0'; 1140 } 1141 1142 bl_node = malloc(sizeof *bl_node); 1143 if (bl_node == NULL) 1144 fatal("%s: malloc", __func__); 1145 if ((bl_node->domain = strdup(line)) == NULL) 1146 fatal("%s: strdup", __func__); 1147 RB_INSERT(bl_tree, &bl_head, bl_node); 1148 } 1149 free(line); 1150 if (ferror(f)) 1151 log_warn("getline"); 1152 fclose(f); 1153 } 1154 1155 int 1156 bl_cmp(struct bl_node *e1, struct bl_node *e2) { 1157 return (strcasecmp(e1->domain, e2->domain)); 1158 } 1159 1160 void 1161 free_bl(void) 1162 { 1163 struct bl_node *n, *nxt; 1164 1165 for (n = RB_MIN(bl_tree, &bl_head); n != NULL; n = nxt) { 1166 nxt = RB_NEXT(bl_tree, &bl_head, n); 1167 RB_REMOVE(bl_tree, &bl_head, n); 1168 free(n); 1169 } 1170 } 1171 1172 int 1173 pending_query_cnt(void) 1174 { 1175 struct pending_query *e; 1176 int cnt = 0; 1177 1178 TAILQ_FOREACH(e, &pending_queries, entry) 1179 cnt++; 1180 return cnt; 1181 } 1182