1 /* $OpenBSD: frontend.c,v 1.72 2022/03/03 18:54:07 florian Exp $ */ 2 3 /* 4 * Copyright (c) 2018 Florian Obser <florian@openbsd.org> 5 * Copyright (c) 2005 Claudio Jeker <claudio@openbsd.org> 6 * Copyright (c) 2004 Esben Norby <norby@openbsd.org> 7 * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> 8 * 9 * Permission to use, copy, modify, and distribute this software for any 10 * purpose with or without fee is hereby granted, provided that the above 11 * copyright notice and this permission notice appear in all copies. 12 * 13 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 14 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 15 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 16 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 17 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 18 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 19 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 20 */ 21 22 #include <sys/types.h> 23 #include <sys/queue.h> 24 #include <sys/socket.h> 25 #include <sys/syslog.h> 26 #include <sys/tree.h> 27 #include <sys/uio.h> 28 29 #include <netinet/in.h> 30 #include <net/if.h> 31 #include <net/route.h> 32 33 #include <errno.h> 34 #include <event.h> 35 #include <ifaddrs.h> 36 #include <imsg.h> 37 #include <netdb.h> 38 #include <pwd.h> 39 #include <signal.h> 40 #include <stdint.h> 41 #include <stdio.h> 42 #include <stdlib.h> 43 #include <string.h> 44 #include <time.h> 45 #include <unistd.h> 46 47 #include "libunbound/config.h" 48 #include "libunbound/sldns/pkthdr.h" 49 #include "libunbound/sldns/sbuffer.h" 50 #include "libunbound/sldns/str2wire.h" 51 #include "libunbound/sldns/wire2str.h" 52 #include "libunbound/util/alloc.h" 53 #include "libunbound/util/net_help.h" 54 #include "libunbound/util/regional.h" 55 #include "libunbound/util/data/dname.h" 56 #include "libunbound/util/data/msgencode.h" 57 #include "libunbound/util/data/msgparse.h" 58 #include "libunbound/util/data/msgreply.h" 59 60 #include "log.h" 61 #include "unwind.h" 62 #include "frontend.h" 63 #include "control.h" 64 #include "dns64_synth.h" 65 66 #define ROUTE_SOCKET_BUF_SIZE 16384 67 68 /* 69 * size of a resource record with name a two octed pointer to qname 70 * 2 octets pointer to qname 71 * 2 octets TYPE 72 * 2 octets CLASS 73 * 4 octets TTL 74 * 2 octets RDLENGTH 75 */ 76 #define COMPRESSED_RR_SIZE 12 77 #define MINIMIZE_ANSWER 1 78 79 #define FD_RESERVE 5 80 #define TCP_TIMEOUT 15 81 #define DEFAULT_TCP_SIZE 512 82 83 struct udp_ev { 84 struct event ev; 85 uint8_t query[65536]; 86 struct msghdr rcvmhdr; 87 struct iovec rcviov[1]; 88 struct sockaddr_storage from; 89 } udp4ev, udp6ev; 90 91 struct tcp_accept_ev { 92 struct event ev; 93 struct event pause; 94 } tcp4ev, tcp6ev; 95 96 struct pending_query { 97 TAILQ_ENTRY(pending_query) entry; 98 struct sockaddr_storage from; 99 struct sldns_buffer *qbuf; 100 struct sldns_buffer *abuf; 101 struct regional *region; 102 struct query_info qinfo; 103 struct msg_parse *qmsg; 104 struct edns_data edns; 105 struct event ev; /* for tcp */ 106 struct event resp_ev; /* for tcp */ 107 struct event tmo_ev; /* for tcp */ 108 uint64_t imsg_id; 109 int fd; 110 int tcp; 111 int dns64_synthesize; 112 }; 113 114 TAILQ_HEAD(, pending_query) pending_queries; 115 116 struct bl_node { 117 RB_ENTRY(bl_node) entry; 118 char *domain; 119 }; 120 121 __dead void frontend_shutdown(void); 122 void frontend_sig_handler(int, short, void *); 123 void frontend_startup(void); 124 void udp_receive(int, short, void *); 125 void handle_query(struct pending_query *); 126 void free_pending_query(struct pending_query *); 127 void tcp_accept(int, short, void *); 128 int accept_reserve(int, struct sockaddr *, socklen_t *); 129 void accept_paused(int, short, void *); 130 void tcp_request(int, short, void *); 131 void tcp_response(int, short, void *); 132 void tcp_timeout(int, short, void *); 133 int check_query(sldns_buffer*); 134 void noerror_answer(struct pending_query *); 135 void synthesize_dns64_answer(struct pending_query *); 136 void resend_dns64_query(struct pending_query *); 137 void chaos_answer(struct pending_query *); 138 void error_answer(struct pending_query *, int rcode); 139 void send_answer(struct pending_query *); 140 void route_receive(int, short, void *); 141 void handle_route_message(struct rt_msghdr *, 142 struct sockaddr **); 143 void get_rtaddrs(int, struct sockaddr *, 144 struct sockaddr **); 145 void rtmget_default(void); 146 struct pending_query *find_pending_query(uint64_t); 147 void parse_trust_anchor(struct trust_anchor_head *, int); 148 void send_trust_anchors(struct trust_anchor_head *); 149 void write_trust_anchors(struct trust_anchor_head *, int); 150 void parse_blocklist(int); 151 int bl_cmp(struct bl_node *, struct bl_node *); 152 void free_bl(void); 153 int pending_query_cnt(void); 154 void check_available_af(void); 155 156 struct uw_conf *frontend_conf; 157 static struct imsgev *iev_main; 158 static struct imsgev *iev_resolver; 159 struct event ev_route; 160 int udp4sock = -1, udp6sock = -1; 161 int tcp4sock = -1, tcp6sock = -1; 162 int ta_fd = -1; 163 164 static struct trust_anchor_head trust_anchors, new_trust_anchors; 165 166 RB_HEAD(bl_tree, bl_node) bl_head = RB_INITIALIZER(&bl_head); 167 RB_PROTOTYPE(bl_tree, bl_node, entry, bl_cmp) 168 RB_GENERATE(bl_tree, bl_node, entry, bl_cmp) 169 170 struct dns64_prefix *dns64_prefixes; 171 int dns64_prefix_count; 172 173 void 174 frontend_sig_handler(int sig, short event, void *bula) 175 { 176 /* 177 * Normal signal handler rules don't apply because libevent 178 * decouples for us. 179 */ 180 181 switch (sig) { 182 case SIGINT: 183 case SIGTERM: 184 frontend_shutdown(); 185 default: 186 fatalx("unexpected signal"); 187 } 188 } 189 190 void 191 frontend(int debug, int verbose) 192 { 193 struct event ev_sigint, ev_sigterm; 194 struct passwd *pw; 195 196 frontend_conf = config_new_empty(); 197 198 log_init(debug, LOG_DAEMON); 199 log_setverbose(verbose); 200 201 if ((pw = getpwnam(UNWIND_USER)) == NULL) 202 fatal("getpwnam"); 203 204 if (chroot(pw->pw_dir) == -1) 205 fatal("chroot"); 206 if (chdir("/") == -1) 207 fatal("chdir(\"/\")"); 208 209 setproctitle("%s", "frontend"); 210 log_procinit("frontend"); 211 212 if (setgroups(1, &pw->pw_gid) || 213 setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) || 214 setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid)) 215 fatal("can't drop privileges"); 216 217 if (pledge("stdio dns unix recvfd", NULL) == -1) 218 fatal("pledge"); 219 220 event_init(); 221 222 /* Setup signal handler. */ 223 signal_set(&ev_sigint, SIGINT, frontend_sig_handler, NULL); 224 signal_set(&ev_sigterm, SIGTERM, frontend_sig_handler, NULL); 225 signal_add(&ev_sigint, NULL); 226 signal_add(&ev_sigterm, NULL); 227 signal(SIGPIPE, SIG_IGN); 228 signal(SIGHUP, SIG_IGN); 229 230 /* Setup pipe and event handler to the parent process. */ 231 if (iev_main != NULL) 232 fatal("iev_main"); 233 if ((iev_main = malloc(sizeof(struct imsgev))) == NULL) 234 fatal(NULL); 235 imsg_init(&iev_main->ibuf, 3); 236 iev_main->handler = frontend_dispatch_main; 237 iev_main->events = EV_READ; 238 event_set(&iev_main->ev, iev_main->ibuf.fd, iev_main->events, 239 iev_main->handler, iev_main); 240 event_add(&iev_main->ev, NULL); 241 242 udp4ev.rcviov[0].iov_base = (caddr_t)udp4ev.query; 243 udp4ev.rcviov[0].iov_len = sizeof(udp4ev.query); 244 udp4ev.rcvmhdr.msg_name = (caddr_t)&udp4ev.from; 245 udp4ev.rcvmhdr.msg_namelen = sizeof(udp4ev.from); 246 udp4ev.rcvmhdr.msg_iov = udp4ev.rcviov; 247 udp4ev.rcvmhdr.msg_iovlen = 1; 248 249 udp6ev.rcviov[0].iov_base = (caddr_t)udp6ev.query; 250 udp6ev.rcviov[0].iov_len = sizeof(udp6ev.query); 251 udp6ev.rcvmhdr.msg_name = (caddr_t)&udp6ev.from; 252 udp6ev.rcvmhdr.msg_namelen = sizeof(udp6ev.from); 253 udp6ev.rcvmhdr.msg_iov = udp6ev.rcviov; 254 udp6ev.rcvmhdr.msg_iovlen = 1; 255 256 TAILQ_INIT(&pending_queries); 257 258 TAILQ_INIT(&trust_anchors); 259 TAILQ_INIT(&new_trust_anchors); 260 261 add_new_ta(&trust_anchors, KSK2017); 262 263 event_dispatch(); 264 265 frontend_shutdown(); 266 } 267 268 __dead void 269 frontend_shutdown(void) 270 { 271 /* Close pipes. */ 272 msgbuf_write(&iev_resolver->ibuf.w); 273 msgbuf_clear(&iev_resolver->ibuf.w); 274 close(iev_resolver->ibuf.fd); 275 msgbuf_write(&iev_main->ibuf.w); 276 msgbuf_clear(&iev_main->ibuf.w); 277 close(iev_main->ibuf.fd); 278 279 config_clear(frontend_conf); 280 281 free(iev_resolver); 282 free(iev_main); 283 284 log_info("frontend exiting"); 285 exit(0); 286 } 287 288 int 289 frontend_imsg_compose_main(int type, pid_t pid, void *data, uint16_t datalen) 290 { 291 return (imsg_compose_event(iev_main, type, 0, pid, -1, data, datalen)); 292 } 293 294 int 295 frontend_imsg_compose_resolver(int type, pid_t pid, void *data, 296 uint16_t datalen) 297 { 298 return (imsg_compose_event(iev_resolver, type, 0, pid, -1, data, 299 datalen)); 300 } 301 302 void 303 frontend_dispatch_main(int fd, short event, void *bula) 304 { 305 static struct uw_conf *nconf; 306 struct imsg imsg; 307 struct imsgev *iev = bula; 308 struct imsgbuf *ibuf = &iev->ibuf; 309 int n, shut = 0; 310 311 if (event & EV_READ) { 312 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN) 313 fatal("imsg_read error"); 314 if (n == 0) /* Connection closed. */ 315 shut = 1; 316 } 317 if (event & EV_WRITE) { 318 if ((n = msgbuf_write(&ibuf->w)) == -1 && errno != EAGAIN) 319 fatal("msgbuf_write"); 320 if (n == 0) /* Connection closed. */ 321 shut = 1; 322 } 323 324 for (;;) { 325 if ((n = imsg_get(ibuf, &imsg)) == -1) 326 fatal("%s: imsg_get error", __func__); 327 if (n == 0) /* No more messages. */ 328 break; 329 330 switch (imsg.hdr.type) { 331 case IMSG_SOCKET_IPC_RESOLVER: 332 /* 333 * Setup pipe and event handler to the resolver 334 * process. 335 */ 336 if (iev_resolver) { 337 fatalx("%s: received unexpected imsg fd " 338 "to frontend", __func__); 339 break; 340 } 341 if ((fd = imsg.fd) == -1) { 342 fatalx("%s: expected to receive imsg fd to " 343 "frontend but didn't receive any", 344 __func__); 345 break; 346 } 347 348 if (iev_resolver != NULL) 349 fatal("iev_resolver"); 350 iev_resolver = malloc(sizeof(struct imsgev)); 351 if (iev_resolver == NULL) 352 fatal(NULL); 353 354 imsg_init(&iev_resolver->ibuf, fd); 355 iev_resolver->handler = frontend_dispatch_resolver; 356 iev_resolver->events = EV_READ; 357 358 event_set(&iev_resolver->ev, iev_resolver->ibuf.fd, 359 iev_resolver->events, iev_resolver->handler, 360 iev_resolver); 361 event_add(&iev_resolver->ev, NULL); 362 break; 363 case IMSG_RECONF_CONF: 364 case IMSG_RECONF_BLOCKLIST_FILE: 365 case IMSG_RECONF_FORWARDER: 366 case IMSG_RECONF_DOT_FORWARDER: 367 case IMSG_RECONF_FORCE: 368 imsg_receive_config(&imsg, &nconf); 369 break; 370 case IMSG_RECONF_END: 371 if (nconf == NULL) 372 fatalx("%s: IMSG_RECONF_END without " 373 "IMSG_RECONF_CONF", __func__); 374 merge_config(frontend_conf, nconf); 375 if (frontend_conf->blocklist_file == NULL) 376 free_bl(); 377 nconf = NULL; 378 break; 379 case IMSG_UDP6SOCK: 380 if (udp6sock != -1) 381 fatalx("%s: received unexpected udp6sock", 382 __func__); 383 if ((udp6sock = imsg.fd) == -1) 384 fatalx("%s: expected to receive imsg " 385 "UDP6 fd but didn't receive any", __func__); 386 event_set(&udp6ev.ev, udp6sock, EV_READ | EV_PERSIST, 387 udp_receive, &udp6ev); 388 event_add(&udp6ev.ev, NULL); 389 break; 390 case IMSG_UDP4SOCK: 391 if (udp4sock != -1) 392 fatalx("%s: received unexpected udp4sock", 393 __func__); 394 if ((udp4sock = imsg.fd) == -1) 395 fatalx("%s: expected to receive imsg " 396 "UDP4 fd but didn't receive any", __func__); 397 event_set(&udp4ev.ev, udp4sock, EV_READ | EV_PERSIST, 398 udp_receive, &udp4ev); 399 event_add(&udp4ev.ev, NULL); 400 break; 401 case IMSG_TCP4SOCK: 402 if (tcp4sock != -1) 403 fatalx("%s: received unexpected tcp4sock", 404 __func__); 405 if ((tcp4sock = imsg.fd) == -1) 406 fatalx("%s: expected to receive imsg " 407 "TCP4 fd but didn't receive any", __func__); 408 event_set(&tcp4ev.ev, tcp4sock, EV_READ | EV_PERSIST, 409 tcp_accept, &tcp4ev); 410 event_add(&tcp4ev.ev, NULL); 411 evtimer_set(&tcp4ev.pause, accept_paused, &tcp4ev); 412 break; 413 case IMSG_TCP6SOCK: 414 if (tcp6sock != -1) 415 fatalx("%s: received unexpected tcp6sock", 416 __func__); 417 if ((tcp6sock = imsg.fd) == -1) 418 fatalx("%s: expected to receive imsg " 419 "TCP6 fd but didn't receive any", __func__); 420 event_set(&tcp6ev.ev, tcp6sock, EV_READ | EV_PERSIST, 421 tcp_accept, &tcp6ev); 422 event_add(&tcp6ev.ev, NULL); 423 evtimer_set(&tcp6ev.pause, accept_paused, &tcp6ev); 424 break; 425 case IMSG_ROUTESOCK: { 426 static int routesock = -1; 427 428 if (routesock != -1) 429 fatalx("%s: received unexpected routesock", 430 __func__); 431 if ((fd = imsg.fd) == -1) 432 fatalx("%s: expected to receive imsg " 433 "routesocket fd but didn't receive any", 434 __func__); 435 routesock = fd; 436 event_set(&ev_route, fd, EV_READ | EV_PERSIST, 437 route_receive, NULL); 438 break; 439 } 440 case IMSG_STARTUP: 441 frontend_startup(); 442 break; 443 case IMSG_CONTROLFD: 444 if ((fd = imsg.fd) == -1) 445 fatalx("%s: expected to receive imsg control " 446 "fd but didn't receive any", __func__); 447 /* Listen on control socket. */ 448 control_listen(fd); 449 break; 450 case IMSG_TAFD: 451 if ((ta_fd = imsg.fd) != -1) 452 parse_trust_anchor(&trust_anchors, ta_fd); 453 if (!TAILQ_EMPTY(&trust_anchors)) 454 send_trust_anchors(&trust_anchors); 455 break; 456 case IMSG_BLFD: 457 if ((fd = imsg.fd) == -1) 458 fatalx("%s: expected to receive imsg block " 459 "list fd but didn't receive any", __func__); 460 parse_blocklist(fd); 461 break; 462 default: 463 log_debug("%s: error handling imsg %d", __func__, 464 imsg.hdr.type); 465 break; 466 } 467 imsg_free(&imsg); 468 } 469 if (!shut) 470 imsg_event_add(iev); 471 else { 472 /* This pipe is dead. Remove its event handler. */ 473 event_del(&iev->ev); 474 event_loopexit(NULL); 475 } 476 } 477 478 void 479 frontend_dispatch_resolver(int fd, short event, void *bula) 480 { 481 static struct dns64_prefix *new_dns64_prefixes = NULL; 482 static int new_dns64_prefix_count = 0; 483 static int new_dns64_prefix_pos = 0; 484 struct pending_query *pq; 485 struct imsgev *iev = bula; 486 struct imsgbuf *ibuf = &iev->ibuf; 487 struct imsg imsg; 488 int n, shut = 0, chg; 489 490 if (event & EV_READ) { 491 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN) 492 fatal("imsg_read error"); 493 if (n == 0) /* Connection closed. */ 494 shut = 1; 495 } 496 if (event & EV_WRITE) { 497 if ((n = msgbuf_write(&ibuf->w)) == -1 && errno != EAGAIN) 498 fatal("msgbuf_write"); 499 if (n == 0) /* Connection closed. */ 500 shut = 1; 501 } 502 503 for (;;) { 504 if ((n = imsg_get(ibuf, &imsg)) == -1) 505 fatal("%s: imsg_get error", __func__); 506 if (n == 0) /* No more messages. */ 507 break; 508 509 switch (imsg.hdr.type) { 510 case IMSG_ANSWER: { 511 struct answer_header *answer_header; 512 int data_len; 513 uint8_t *data; 514 515 if (IMSG_DATA_SIZE(imsg) < sizeof(*answer_header)) 516 fatalx("%s: IMSG_ANSWER wrong length: " 517 "%lu", __func__, IMSG_DATA_SIZE(imsg)); 518 answer_header = (struct answer_header *)imsg.data; 519 data = (uint8_t *)imsg.data + sizeof(*answer_header); 520 if (answer_header->answer_len > UINT16_MAX) 521 fatalx("%s: IMSG_ANSWER answer too big: %d", 522 __func__, answer_header->answer_len); 523 data_len = IMSG_DATA_SIZE(imsg) - 524 sizeof(*answer_header); 525 526 if ((pq = find_pending_query(answer_header->id)) == 527 NULL) { 528 log_warnx("%s: cannot find pending query %llu", 529 __func__, answer_header->id); 530 break; 531 } 532 533 if (answer_header->srvfail) { 534 error_answer(pq, LDNS_RCODE_SERVFAIL); 535 send_answer(pq); 536 break; 537 } 538 539 if (answer_header->bogus && !(pq->qmsg->flags & 540 BIT_CD)) { 541 error_answer(pq, LDNS_RCODE_SERVFAIL); 542 send_answer(pq); 543 break; 544 } 545 546 if (sldns_buffer_position(pq->abuf) == 0 && 547 !sldns_buffer_set_capacity(pq->abuf, 548 answer_header->answer_len)) { 549 error_answer(pq, LDNS_RCODE_SERVFAIL); 550 send_answer(pq); 551 break; 552 } 553 554 if (sldns_buffer_position(pq->abuf) + data_len > 555 sldns_buffer_capacity(pq->abuf)) 556 fatalx("%s: IMSG_ANSWER answer too big: %d", 557 __func__, data_len); 558 sldns_buffer_write(pq->abuf, data, data_len); 559 560 if (sldns_buffer_position(pq->abuf) == 561 sldns_buffer_capacity(pq->abuf)) { 562 sldns_buffer_flip(pq->abuf); 563 if (pq->dns64_synthesize) { 564 synthesize_dns64_answer(pq); 565 send_answer(pq); 566 } else { 567 noerror_answer(pq); 568 if (pq->dns64_synthesize) 569 /* we did not find a answer */ 570 resend_dns64_query(pq); 571 else 572 send_answer(pq); 573 } 574 } 575 break; 576 } 577 case IMSG_CTL_RESOLVER_INFO: 578 case IMSG_CTL_AUTOCONF_RESOLVER_INFO: 579 case IMSG_CTL_MEM_INFO: 580 case IMSG_CTL_END: 581 control_imsg_relay(&imsg); 582 break; 583 case IMSG_NEW_TA: 584 /* make sure this is a string */ 585 ((char *)imsg.data)[IMSG_DATA_SIZE(imsg) - 1] = '\0'; 586 add_new_ta(&new_trust_anchors, imsg.data); 587 break; 588 case IMSG_NEW_TAS_ABORT: 589 free_tas(&new_trust_anchors); 590 break; 591 case IMSG_NEW_TAS_DONE: 592 chg = merge_tas(&new_trust_anchors, &trust_anchors); 593 if (chg) 594 send_trust_anchors(&trust_anchors); 595 596 /* 597 * always write trust anchors, the modify date on 598 * the file is an indication when we made progress 599 */ 600 if (ta_fd != -1) 601 write_trust_anchors(&trust_anchors, ta_fd); 602 break; 603 case IMSG_NEW_DNS64_PREFIXES_START: 604 if (IMSG_DATA_SIZE(imsg) != 605 sizeof(new_dns64_prefix_count)) 606 fatalx("%s: IMSG_NEW_DNS64_PREFIXES_START " 607 "wrong length: %lu", __func__, 608 IMSG_DATA_SIZE(imsg)); 609 memcpy(&new_dns64_prefix_count, imsg.data, 610 sizeof(new_dns64_prefix_count)); 611 free(new_dns64_prefixes); 612 new_dns64_prefixes = NULL; 613 if (new_dns64_prefix_count > 0) 614 new_dns64_prefixes = 615 calloc(new_dns64_prefix_count, 616 sizeof(struct dns64_prefix)); 617 new_dns64_prefix_pos = 0; 618 break; 619 case IMSG_NEW_DNS64_PREFIX: { 620 if (IMSG_DATA_SIZE(imsg) != sizeof(struct dns64_prefix)) 621 fatalx("%s: IMSG_NEW_DNS64_PREFIX wrong " 622 "length: %lu", __func__, 623 IMSG_DATA_SIZE(imsg)); 624 if (new_dns64_prefixes == NULL) 625 break; 626 if (new_dns64_prefix_pos >= new_dns64_prefix_count) 627 fatalx("%s: IMSG_NEW_DNS64_PREFIX: too many " 628 "prefixes", __func__); 629 memcpy(&new_dns64_prefixes[new_dns64_prefix_pos++], 630 imsg.data, sizeof(struct dns64_prefix)); 631 break; 632 } 633 case IMSG_NEW_DNS64_PREFIXES_DONE: 634 free(dns64_prefixes); 635 dns64_prefixes = new_dns64_prefixes; 636 dns64_prefix_count = new_dns64_prefix_count; 637 new_dns64_prefixes = NULL; 638 break; 639 default: 640 log_debug("%s: error handling imsg %d", __func__, 641 imsg.hdr.type); 642 break; 643 } 644 imsg_free(&imsg); 645 } 646 if (!shut) 647 imsg_event_add(iev); 648 else { 649 /* This pipe is dead. Remove its event handler. */ 650 event_del(&iev->ev); 651 event_loopexit(NULL); 652 } 653 } 654 655 void 656 frontend_startup(void) 657 { 658 if (!event_initialized(&ev_route)) 659 fatalx("%s: did not receive a route socket from the main " 660 "process", __func__); 661 662 event_add(&ev_route, NULL); 663 664 frontend_imsg_compose_main(IMSG_STARTUP_DONE, 0, NULL, 0); 665 check_available_af(); 666 } 667 668 void 669 free_pending_query(struct pending_query *pq) 670 { 671 if (!pq) 672 return; 673 674 TAILQ_REMOVE(&pending_queries, pq, entry); 675 regional_destroy(pq->region); 676 sldns_buffer_free(pq->qbuf); 677 sldns_buffer_free(pq->abuf); 678 if (pq->tcp) { 679 if (event_initialized(&pq->ev)) 680 event_del(&pq->ev); 681 if (event_initialized(&pq->resp_ev)) 682 event_del(&pq->resp_ev); 683 if (event_initialized(&pq->tmo_ev)) 684 event_del(&pq->tmo_ev); 685 if (pq->fd != -1) 686 close(pq->fd); 687 } 688 free(pq); 689 } 690 691 void 692 udp_receive(int fd, short events, void *arg) 693 { 694 struct udp_ev *udpev = (struct udp_ev *)arg; 695 struct pending_query *pq = NULL; 696 ssize_t len; 697 698 if ((len = recvmsg(fd, &udpev->rcvmhdr, 0)) == -1) { 699 log_warn("recvmsg"); 700 return; 701 } 702 703 if ((pq = calloc(1, sizeof(*pq))) == NULL) { 704 log_warn(NULL); 705 return; 706 } 707 708 do { 709 arc4random_buf(&pq->imsg_id, sizeof(pq->imsg_id)); 710 } while(find_pending_query(pq->imsg_id) != NULL); 711 712 TAILQ_INSERT_TAIL(&pending_queries, pq, entry); 713 714 pq->from = udpev->from; 715 pq->fd = fd; 716 pq->qbuf = sldns_buffer_new(len); 717 pq->abuf = sldns_buffer_new(len); /* make sure we can send errors */ 718 pq->region = regional_create(); 719 pq->qmsg = regional_alloc(pq->region, sizeof(*pq->qmsg)); 720 721 if (!pq->qbuf || !pq->abuf || !pq->region || !pq->qmsg) { 722 log_warnx("out of memory"); 723 free_pending_query(pq); 724 return; 725 } 726 727 memset(pq->qmsg, 0, sizeof(*pq->qmsg)); 728 sldns_buffer_write(pq->qbuf, udpev->query, len); 729 sldns_buffer_flip(pq->qbuf); 730 handle_query(pq); 731 } 732 733 void 734 handle_query(struct pending_query *pq) 735 { 736 struct query_imsg query_imsg; 737 struct query_info skip; 738 struct bl_node find; 739 int rcode; 740 char *str; 741 char dname[LDNS_MAX_DOMAINLEN + 1]; 742 char qclass_buf[16]; 743 char qtype_buf[16]; 744 745 if (log_getverbose() & OPT_VERBOSE2 && (str = 746 sldns_wire2str_pkt(sldns_buffer_begin(pq->qbuf), 747 sldns_buffer_limit(pq->qbuf))) != NULL) { 748 log_debug("from: %s\n%s", ip_port((struct sockaddr *) 749 &pq->from), str); 750 free(str); 751 } 752 753 if (!query_info_parse(&pq->qinfo, pq->qbuf)) { 754 log_warnx("query_info_parse failed"); 755 goto drop; 756 } 757 758 sldns_buffer_rewind(pq->qbuf); 759 760 if (parse_packet(pq->qbuf, pq->qmsg, pq->region) != 761 LDNS_RCODE_NOERROR) { 762 log_warnx("parse_packet failed"); 763 goto drop; 764 } 765 766 rcode = check_query(pq->qbuf); 767 switch (rcode) { 768 case LDNS_RCODE_NOERROR: 769 break; 770 case -1: 771 goto drop; 772 default: 773 error_answer(pq, rcode); 774 goto send_answer; 775 } 776 777 sldns_buffer_rewind(pq->qbuf); 778 if (!query_info_parse(&skip, pq->qbuf)) { 779 error_answer(pq, LDNS_RCODE_SERVFAIL); 780 goto send_answer; 781 } 782 rcode = parse_edns_from_query_pkt(pq->qbuf, &pq->edns, NULL, NULL, 783 pq->region); 784 if (rcode != LDNS_RCODE_NOERROR) { 785 error_answer(pq, rcode); 786 goto send_answer; 787 } 788 789 if (!dname_valid(pq->qinfo.qname, pq->qinfo.qname_len)) { 790 error_answer(pq, LDNS_RCODE_FORMERR); 791 goto send_answer; 792 } 793 dname_str(pq->qinfo.qname, dname); 794 795 sldns_wire2str_class_buf(pq->qinfo.qclass, qclass_buf, 796 sizeof(qclass_buf)); 797 sldns_wire2str_type_buf(pq->qinfo.qtype, qtype_buf, sizeof(qtype_buf)); 798 log_debug("%s: %s %s %s ?", ip_port((struct sockaddr *)&pq->from), 799 dname, qclass_buf, qtype_buf); 800 801 find.domain = dname; 802 if (RB_FIND(bl_tree, &bl_head, &find) != NULL) { 803 if (frontend_conf->blocklist_log) 804 log_info("blocking %s", dname); 805 error_answer(pq, LDNS_RCODE_REFUSED); 806 goto send_answer; 807 } 808 809 if (pq->qinfo.qtype == LDNS_RR_TYPE_AXFR || pq->qinfo.qtype == 810 LDNS_RR_TYPE_IXFR) { 811 error_answer(pq, LDNS_RCODE_REFUSED); 812 goto send_answer; 813 } 814 815 if(pq->qinfo.qtype == LDNS_RR_TYPE_OPT || 816 pq->qinfo.qtype == LDNS_RR_TYPE_TSIG || 817 pq->qinfo.qtype == LDNS_RR_TYPE_TKEY || 818 pq->qinfo.qtype == LDNS_RR_TYPE_MAILA || 819 pq->qinfo.qtype == LDNS_RR_TYPE_MAILB || 820 (pq->qinfo.qtype >= 128 && pq->qinfo.qtype <= 248)) { 821 error_answer(pq, LDNS_RCODE_FORMERR); 822 goto send_answer; 823 } 824 825 if (pq->qinfo.qclass == LDNS_RR_CLASS_CH) { 826 if (strcasecmp(dname, "version.server.") == 0 || 827 strcasecmp(dname, "version.bind.") == 0) { 828 chaos_answer(pq); 829 } else 830 error_answer(pq, LDNS_RCODE_REFUSED); 831 goto send_answer; 832 } 833 834 if (strlcpy(query_imsg.qname, dname, sizeof(query_imsg.qname)) >= 835 sizeof(query_imsg.qname)) { 836 log_warnx("qname too long"); 837 error_answer(pq, LDNS_RCODE_FORMERR); 838 goto send_answer; 839 } 840 query_imsg.id = pq->imsg_id; 841 query_imsg.t = pq->qinfo.qtype; 842 query_imsg.c = pq->qinfo.qclass; 843 844 if (frontend_imsg_compose_resolver(IMSG_QUERY, 0, &query_imsg, 845 sizeof(query_imsg)) == -1) { 846 error_answer(pq, LDNS_RCODE_SERVFAIL); 847 goto send_answer; 848 } 849 return; 850 851 send_answer: 852 send_answer(pq); 853 return; 854 855 drop: 856 free_pending_query(pq); 857 } 858 859 void 860 noerror_answer(struct pending_query *pq) 861 { 862 struct query_info skip, qinfo; 863 struct reply_info *rinfo = NULL; 864 struct alloc_cache alloc; 865 struct edns_data edns; 866 struct ub_packed_rrset_key *an_rrset = NULL; 867 struct packed_rrset_data *an_rrset_data = NULL; 868 869 alloc_init(&alloc, NULL, 0); 870 memset(&qinfo, 0, sizeof(qinfo)); 871 /* read past query section, no memory is allocated */ 872 if (!query_info_parse(&skip, pq->abuf)) 873 goto srvfail; 874 875 if (reply_info_parse(pq->abuf, &alloc, &qinfo, &rinfo, pq->region, 876 &edns) != 0) 877 goto srvfail; 878 879 if ((an_rrset = reply_find_answer_rrset(&qinfo, rinfo)) != NULL) 880 an_rrset_data = (struct packed_rrset_data*)an_rrset->entry.data; 881 882 /* reply_info_parse() allocates memory */ 883 query_info_clear(&qinfo); 884 885 /* XXX check that there a no AAAA records in answer section? */ 886 if ((an_rrset_data == NULL || an_rrset_data->count == 0) && 887 !pq->dns64_synthesize && pq->qinfo.qtype == LDNS_RR_TYPE_AAAA && 888 pq->qinfo.qclass == LDNS_RR_CLASS_IN && dns64_prefix_count > 0) { 889 pq->dns64_synthesize = 1; 890 return; 891 } 892 893 sldns_buffer_clear(pq->abuf); 894 if (reply_info_encode(&pq->qinfo, rinfo, pq->qmsg->id, rinfo->flags, 895 pq->abuf, 0, pq->region, pq->tcp ? UINT16_MAX : pq->edns.udp_size, 896 pq->edns.bits & EDNS_DO, MINIMIZE_ANSWER) == 0) 897 goto srvfail; 898 899 reply_info_parsedelete(rinfo, &alloc); 900 alloc_clear(&alloc); 901 return; 902 903 srvfail: 904 reply_info_parsedelete(rinfo, &alloc); 905 alloc_clear(&alloc); 906 error_answer(pq, LDNS_RCODE_SERVFAIL); 907 } 908 909 void 910 synthesize_dns64_answer(struct pending_query *pq) 911 { 912 struct query_info skip, qinfo; 913 struct reply_info *rinfo = NULL, *synth_rinfo = NULL; 914 struct alloc_cache alloc; 915 struct edns_data edns; 916 size_t i; 917 918 pq->dns64_synthesize = 0; 919 920 alloc_init(&alloc, NULL, 0); 921 memset(&qinfo, 0, sizeof(qinfo)); 922 /* read past query section, no memory is allocated */ 923 if (!query_info_parse(&skip, pq->abuf)) 924 goto srvfail; 925 926 if (reply_info_parse(pq->abuf, &alloc, &qinfo, &rinfo, pq->region, 927 &edns) != 0) 928 goto srvfail; 929 930 /* reply_info_parse() allocates memory */ 931 query_info_clear(&qinfo); 932 933 synth_rinfo = construct_reply_info_base(pq->region, rinfo->flags, 934 rinfo->qdcount, rinfo->ttl, rinfo->prefetch_ttl, 935 rinfo->serve_expired_ttl, rinfo->an_numrrsets, 936 rinfo->ns_numrrsets, rinfo->ar_numrrsets, rinfo->rrset_count, 937 rinfo->security); 938 939 if (!synth_rinfo) 940 goto srvfail; 941 942 if(!reply_info_alloc_rrset_keys(synth_rinfo, NULL, pq->region)) 943 goto srvfail; 944 945 for (i = 0; i < synth_rinfo->rrset_count; i++) { 946 struct ub_packed_rrset_key *src_rrset_key, *dst_rrset_key; 947 struct packed_rrset_data *src_rrset_data; 948 struct packed_rrset_data *dst_rrset_data; 949 950 src_rrset_key = rinfo->rrsets[i]; 951 src_rrset_data = 952 (struct packed_rrset_data *)src_rrset_key->entry.data; 953 dst_rrset_key = synth_rinfo->rrsets[i]; 954 955 dst_rrset_key->id = src_rrset_key->id; 956 dst_rrset_key->rk = src_rrset_key->rk; 957 958 if (i < rinfo->an_numrrsets && src_rrset_key->rk.type == 959 htons(LDNS_RR_TYPE_A)) { 960 dns64_synth_aaaa_data(src_rrset_key, src_rrset_data, 961 dst_rrset_key, &dst_rrset_data, pq->region); 962 if (dst_rrset_data == NULL) 963 goto srvfail; 964 } else { 965 dst_rrset_key->entry.hash = src_rrset_key->entry.hash; 966 dst_rrset_key->rk.dname = regional_alloc_init( 967 pq->region, src_rrset_key->rk.dname, 968 src_rrset_key->rk.dname_len); 969 if (dst_rrset_key->rk.dname == NULL) 970 goto srvfail; 971 972 dst_rrset_data = regional_alloc_init(pq->region, 973 src_rrset_data, 974 packed_rrset_sizeof(src_rrset_data)); 975 if (dst_rrset_data == NULL) 976 goto srvfail; 977 } 978 979 packed_rrset_ptr_fixup(dst_rrset_data); 980 dst_rrset_key->entry.data = dst_rrset_data; 981 } 982 983 if (!sldns_buffer_set_capacity(pq->abuf, pq->tcp ? UINT16_MAX : 984 pq->edns.udp_size)) 985 goto srvfail; 986 987 sldns_buffer_clear(pq->abuf); 988 989 if (reply_info_encode(&pq->qinfo, synth_rinfo, pq->qmsg->id, 990 synth_rinfo->flags, pq->abuf, 0, pq->region, 991 pq->tcp ? UINT16_MAX : pq->edns.udp_size, 992 pq->edns.bits & EDNS_DO, MINIMIZE_ANSWER) == 0) 993 goto srvfail; 994 995 reply_info_parsedelete(rinfo, &alloc); 996 alloc_clear(&alloc); 997 return; 998 999 srvfail: 1000 reply_info_parsedelete(rinfo, &alloc); 1001 alloc_clear(&alloc); 1002 error_answer(pq, LDNS_RCODE_SERVFAIL); 1003 } 1004 1005 void 1006 resend_dns64_query(struct pending_query *opq) { 1007 struct pending_query *pq; 1008 struct query_imsg query_imsg; 1009 struct query_info skip; 1010 int rcode; 1011 char dname[LDNS_MAX_DOMAINLEN + 1]; 1012 1013 if ((pq = calloc(1, sizeof(*pq))) == NULL) { 1014 log_warn(NULL); 1015 return; 1016 } 1017 1018 do { 1019 arc4random_buf(&pq->imsg_id, sizeof(pq->imsg_id)); 1020 } while(find_pending_query(pq->imsg_id) != NULL); 1021 1022 TAILQ_INSERT_TAIL(&pending_queries, pq, entry); 1023 1024 pq->from = opq->from; 1025 pq->fd = opq->fd; 1026 opq->fd = -1; 1027 pq->tcp = opq->tcp; 1028 pq->qbuf = sldns_buffer_new(sldns_buffer_capacity(opq->qbuf)); 1029 pq->abuf = sldns_buffer_new(sldns_buffer_capacity(opq->abuf)); 1030 pq->region = regional_create(); 1031 pq->qmsg = regional_alloc(pq->region, sizeof(*pq->qmsg)); 1032 1033 if (!pq->qbuf || !pq->abuf || !pq->region || !pq->qmsg) { 1034 log_warnx("out of memory"); 1035 free_pending_query(pq); 1036 free_pending_query(opq); 1037 return; 1038 } 1039 1040 sldns_buffer_rewind(opq->qbuf); 1041 sldns_buffer_write(pq->qbuf, sldns_buffer_current(opq->qbuf), 1042 sldns_buffer_remaining(opq->qbuf)); 1043 sldns_buffer_flip(pq->qbuf); 1044 memset(pq->qmsg, 0, sizeof(*pq->qmsg)); 1045 1046 if (pq->tcp) { 1047 struct timeval timeout = {TCP_TIMEOUT, 0}; 1048 1049 event_set(&pq->ev, pq->fd, EV_READ | EV_PERSIST, tcp_request, 1050 pq); 1051 event_set(&pq->resp_ev, pq->fd, EV_WRITE | EV_PERSIST, 1052 tcp_response, pq); 1053 evtimer_set(&pq->tmo_ev, tcp_timeout, pq); 1054 evtimer_add(&pq->tmo_ev, &timeout); 1055 } 1056 1057 if (!query_info_parse(&pq->qinfo, pq->qbuf)) { 1058 log_warnx("query_info_parse failed"); 1059 goto drop; 1060 } 1061 1062 sldns_buffer_rewind(pq->qbuf); 1063 1064 if (parse_packet(pq->qbuf, pq->qmsg, pq->region) != 1065 LDNS_RCODE_NOERROR) { 1066 log_warnx("parse_packet failed"); 1067 goto drop; 1068 } 1069 1070 sldns_buffer_rewind(pq->qbuf); 1071 if (!query_info_parse(&skip, pq->qbuf)) { 1072 error_answer(pq, LDNS_RCODE_SERVFAIL); 1073 goto send_answer; 1074 } 1075 rcode = parse_edns_from_query_pkt(pq->qbuf, &pq->edns, NULL, NULL, 1076 pq->region); 1077 if (rcode != LDNS_RCODE_NOERROR) { 1078 error_answer(pq, rcode); 1079 goto send_answer; 1080 } 1081 1082 dname_str(pq->qinfo.qname, dname); 1083 strlcpy(query_imsg.qname, dname, sizeof(query_imsg.qname)); 1084 query_imsg.id = pq->imsg_id; 1085 query_imsg.t = LDNS_RR_TYPE_A; 1086 query_imsg.c = pq->qinfo.qclass; 1087 1088 pq->dns64_synthesize = 1; 1089 1090 if (frontend_imsg_compose_resolver(IMSG_QUERY, 0, &query_imsg, 1091 sizeof(query_imsg)) == -1) { 1092 error_answer(pq, LDNS_RCODE_SERVFAIL); 1093 goto send_answer; 1094 } 1095 1096 free_pending_query(opq); 1097 return; 1098 1099 send_answer: 1100 free_pending_query(opq); 1101 send_answer(pq); 1102 return; 1103 1104 drop: 1105 free_pending_query(opq); 1106 free_pending_query(pq); 1107 } 1108 1109 void 1110 chaos_answer(struct pending_query *pq) 1111 { 1112 size_t len; 1113 const char *name = "unwind"; 1114 1115 len = strlen(name); 1116 if (!sldns_buffer_set_capacity(pq->abuf, 1117 sldns_buffer_capacity(pq->qbuf) + COMPRESSED_RR_SIZE + 1 + len)) { 1118 error_answer(pq, LDNS_RCODE_SERVFAIL); 1119 return; 1120 } 1121 1122 sldns_buffer_copy(pq->abuf, pq->qbuf); 1123 1124 sldns_buffer_clear(pq->abuf); 1125 1126 sldns_buffer_skip(pq->abuf, sizeof(uint16_t)); /* skip id */ 1127 sldns_buffer_write_u16(pq->abuf, 0); /* clear flags */ 1128 LDNS_QR_SET(sldns_buffer_begin(pq->abuf)); 1129 LDNS_RA_SET(sldns_buffer_begin(pq->abuf)); 1130 if (LDNS_RD_WIRE(sldns_buffer_begin(pq->qbuf))) 1131 LDNS_RD_SET(sldns_buffer_begin(pq->abuf)); 1132 if (LDNS_CD_WIRE(sldns_buffer_begin(pq->qbuf))) 1133 LDNS_CD_SET(sldns_buffer_begin(pq->abuf)); 1134 LDNS_RCODE_SET(sldns_buffer_begin(pq->abuf), LDNS_RCODE_NOERROR); 1135 sldns_buffer_write_u16(pq->abuf, 1); /* qdcount */ 1136 sldns_buffer_write_u16(pq->abuf, 1); /* ancount */ 1137 sldns_buffer_write_u16(pq->abuf, 0); /* nscount */ 1138 sldns_buffer_write_u16(pq->abuf, 0); /* arcount */ 1139 (void)query_dname_len(pq->abuf); /* skip qname */ 1140 sldns_buffer_skip(pq->abuf, sizeof(uint16_t)); /* skip qtype */ 1141 sldns_buffer_skip(pq->abuf, sizeof(uint16_t)); /* skip qclass */ 1142 1143 sldns_buffer_write_u16(pq->abuf, 0xc00c); /* ptr to query */ 1144 sldns_buffer_write_u16(pq->abuf, LDNS_RR_TYPE_TXT); 1145 sldns_buffer_write_u16(pq->abuf, LDNS_RR_CLASS_CH); 1146 sldns_buffer_write_u32(pq->abuf, 0); /* TTL */ 1147 sldns_buffer_write_u16(pq->abuf, 1 + len); /* RDLENGTH */ 1148 sldns_buffer_write_u8(pq->abuf, len); /* length octed */ 1149 sldns_buffer_write(pq->abuf, name, len); 1150 sldns_buffer_flip(pq->abuf); 1151 } 1152 1153 void 1154 error_answer(struct pending_query *pq, int rcode) 1155 { 1156 sldns_buffer_clear(pq->abuf); 1157 error_encode(pq->abuf, rcode, &pq->qinfo, pq->qmsg->id, 1158 pq->qmsg->flags, pq->edns.edns_present ? &pq->edns : NULL); 1159 } 1160 1161 int 1162 check_query(sldns_buffer* pkt) 1163 { 1164 if(sldns_buffer_limit(pkt) < LDNS_HEADER_SIZE) { 1165 log_warnx("bad query: too short, dropped"); 1166 return -1; 1167 } 1168 if(LDNS_QR_WIRE(sldns_buffer_begin(pkt))) { 1169 log_warnx("bad query: QR set, dropped"); 1170 return -1; 1171 } 1172 if(LDNS_TC_WIRE(sldns_buffer_begin(pkt))) { 1173 LDNS_TC_CLR(sldns_buffer_begin(pkt)); 1174 log_warnx("bad query: TC set"); 1175 return (LDNS_RCODE_FORMERR); 1176 } 1177 if(!(LDNS_RD_WIRE(sldns_buffer_begin(pkt)))) { 1178 log_warnx("bad query: RD not set"); 1179 return (LDNS_RCODE_REFUSED); 1180 } 1181 if(LDNS_OPCODE_WIRE(sldns_buffer_begin(pkt)) != LDNS_PACKET_QUERY) { 1182 log_warnx("bad query: unknown opcode %d", 1183 LDNS_OPCODE_WIRE(sldns_buffer_begin(pkt))); 1184 return (LDNS_RCODE_NOTIMPL); 1185 } 1186 1187 if (LDNS_QDCOUNT(sldns_buffer_begin(pkt)) != 1 && 1188 LDNS_ANCOUNT(sldns_buffer_begin(pkt))!= 0 && 1189 LDNS_NSCOUNT(sldns_buffer_begin(pkt))!= 0 && 1190 LDNS_ARCOUNT(sldns_buffer_begin(pkt)) > 1) { 1191 log_warnx("bad query: qdcount: %d, ancount: %d " 1192 "nscount: %d, arcount: %d", 1193 LDNS_QDCOUNT(sldns_buffer_begin(pkt)), 1194 LDNS_ANCOUNT(sldns_buffer_begin(pkt)), 1195 LDNS_NSCOUNT(sldns_buffer_begin(pkt)), 1196 LDNS_ARCOUNT(sldns_buffer_begin(pkt))); 1197 return (LDNS_RCODE_FORMERR); 1198 } 1199 return (LDNS_RCODE_NOERROR); 1200 } 1201 1202 void 1203 send_answer(struct pending_query *pq) 1204 { 1205 char *str; 1206 1207 if (log_getverbose() & OPT_VERBOSE2 && (str = 1208 sldns_wire2str_pkt(sldns_buffer_begin(pq->abuf), 1209 sldns_buffer_limit(pq->abuf))) != NULL) { 1210 log_debug("from: %s\n%s", ip_port((struct sockaddr *) 1211 &pq->from), str); 1212 free(str); 1213 } 1214 1215 if (!pq->tcp) { 1216 if(sendto(pq->fd, sldns_buffer_current(pq->abuf), 1217 sldns_buffer_remaining(pq->abuf), 0, 1218 (struct sockaddr *)&pq->from, pq->from.ss_len) == -1) 1219 log_warn("sendto"); 1220 free_pending_query(pq); 1221 } else { 1222 struct sldns_buffer *tmp; 1223 1224 tmp = sldns_buffer_new(sldns_buffer_limit(pq->abuf) + 2); 1225 1226 if (!tmp) { 1227 free_pending_query(pq); 1228 return; 1229 } 1230 1231 sldns_buffer_write_u16(tmp, sldns_buffer_limit(pq->abuf)); 1232 sldns_buffer_write(tmp, sldns_buffer_current(pq->abuf), 1233 sldns_buffer_remaining(pq->abuf)); 1234 sldns_buffer_flip(tmp); 1235 sldns_buffer_free(pq->abuf); 1236 pq->abuf = tmp; 1237 event_add(&pq->resp_ev, NULL); 1238 } 1239 } 1240 1241 char* 1242 ip_port(struct sockaddr *sa) 1243 { 1244 static char hbuf[NI_MAXHOST], buf[NI_MAXHOST]; 1245 1246 if (getnameinfo(sa, sa->sa_len, hbuf, sizeof(hbuf), NULL, 0, 1247 NI_NUMERICHOST) != 0) { 1248 snprintf(buf, sizeof(buf), "%s", "(unknown)"); 1249 return buf; 1250 } 1251 1252 if (sa->sa_family == AF_INET6) 1253 snprintf(buf, sizeof(buf), "[%s]:%d", hbuf, ntohs( 1254 ((struct sockaddr_in6 *)sa)->sin6_port)); 1255 if (sa->sa_family == AF_INET) 1256 snprintf(buf, sizeof(buf), "[%s]:%d", hbuf, ntohs( 1257 ((struct sockaddr_in *)sa)->sin_port)); 1258 1259 return buf; 1260 } 1261 1262 struct pending_query* 1263 find_pending_query(uint64_t id) 1264 { 1265 struct pending_query *pq; 1266 1267 TAILQ_FOREACH(pq, &pending_queries, entry) 1268 if (pq->imsg_id == id) 1269 return pq; 1270 return NULL; 1271 } 1272 1273 void 1274 route_receive(int fd, short events, void *arg) 1275 { 1276 static uint8_t *buf; 1277 1278 struct rt_msghdr *rtm; 1279 struct sockaddr *sa, *rti_info[RTAX_MAX]; 1280 ssize_t n; 1281 1282 if (buf == NULL) { 1283 buf = malloc(ROUTE_SOCKET_BUF_SIZE); 1284 if (buf == NULL) 1285 fatal("malloc"); 1286 } 1287 rtm = (struct rt_msghdr *)buf; 1288 if ((n = read(fd, buf, ROUTE_SOCKET_BUF_SIZE)) == -1) { 1289 if (errno == EAGAIN || errno == EINTR) 1290 return; 1291 log_warn("dispatch_rtmsg: read error"); 1292 return; 1293 } 1294 1295 if (n == 0) 1296 fatal("routing socket closed"); 1297 1298 if (n < (ssize_t)sizeof(rtm->rtm_msglen) || n < rtm->rtm_msglen) { 1299 log_warnx("partial rtm of %zd in buffer", n); 1300 return; 1301 } 1302 1303 if (rtm->rtm_version != RTM_VERSION) 1304 return; 1305 1306 sa = (struct sockaddr *)(buf + rtm->rtm_hdrlen); 1307 get_rtaddrs(rtm->rtm_addrs, sa, rti_info); 1308 1309 handle_route_message(rtm, rti_info); 1310 } 1311 1312 #define ROUNDUP(a) \ 1313 ((a) > 0 ? (1 + (((a) - 1) | (sizeof(long) - 1))) : sizeof(long)) 1314 1315 void 1316 get_rtaddrs(int addrs, struct sockaddr *sa, struct sockaddr **rti_info) 1317 { 1318 int i; 1319 1320 for (i = 0; i < RTAX_MAX; i++) { 1321 if (addrs & (1 << i)) { 1322 rti_info[i] = sa; 1323 sa = (struct sockaddr *)((char *)(sa) + 1324 ROUNDUP(sa->sa_len)); 1325 } else 1326 rti_info[i] = NULL; 1327 } 1328 } 1329 1330 void 1331 handle_route_message(struct rt_msghdr *rtm, struct sockaddr **rti_info) 1332 { 1333 struct imsg_rdns_proposal rdns_proposal; 1334 struct sockaddr_rtdns *rtdns; 1335 struct if_announcemsghdr *ifan; 1336 1337 switch (rtm->rtm_type) { 1338 case RTM_IFANNOUNCE: 1339 ifan = (struct if_announcemsghdr *)rtm; 1340 if (ifan->ifan_what == IFAN_ARRIVAL) 1341 break; 1342 rdns_proposal.if_index = ifan->ifan_index; 1343 rdns_proposal.src = 0; 1344 rdns_proposal.rtdns.sr_family = AF_INET; 1345 rdns_proposal.rtdns.sr_len = offsetof(struct sockaddr_rtdns, 1346 sr_dns); 1347 frontend_imsg_compose_resolver(IMSG_REPLACE_DNS, 0, 1348 &rdns_proposal, sizeof(rdns_proposal)); 1349 break; 1350 case RTM_IFINFO: 1351 frontend_imsg_compose_resolver(IMSG_NETWORK_CHANGED, 0, NULL, 1352 0); 1353 break; 1354 case RTM_PROPOSAL: 1355 if (!(rtm->rtm_addrs & RTA_DNS)) 1356 break; 1357 1358 rtdns = (struct sockaddr_rtdns*)rti_info[RTAX_DNS]; 1359 rdns_proposal.if_index = rtm->rtm_index; 1360 rdns_proposal.src = rtm->rtm_priority; 1361 memcpy(&rdns_proposal.rtdns, rtdns, sizeof(rdns_proposal.rtdns)); 1362 frontend_imsg_compose_resolver(IMSG_REPLACE_DNS, 0, 1363 &rdns_proposal, sizeof(rdns_proposal)); 1364 break; 1365 case RTM_NEWADDR: 1366 case RTM_DELADDR: 1367 case RTM_DESYNC: 1368 check_available_af(); 1369 break; 1370 default: 1371 break; 1372 } 1373 } 1374 1375 void 1376 add_new_ta(struct trust_anchor_head *tah, char *val) 1377 { 1378 struct trust_anchor *ta, *i; 1379 int cmp; 1380 1381 if ((ta = malloc(sizeof(*ta))) == NULL) 1382 fatal("%s", __func__); 1383 if ((ta->ta = strdup(val)) == NULL) 1384 fatal("%s", __func__); 1385 1386 /* keep the list sorted to prevent churn if the order changes in DNS */ 1387 TAILQ_FOREACH(i, tah, entry) { 1388 cmp = strcmp(i->ta, ta->ta); 1389 if ( cmp == 0) { 1390 /* duplicate */ 1391 free(ta->ta); 1392 free(ta); 1393 return; 1394 } else if (cmp > 0) { 1395 TAILQ_INSERT_BEFORE(i, ta, entry); 1396 return; 1397 } 1398 } 1399 TAILQ_INSERT_TAIL(tah, ta, entry); 1400 } 1401 1402 void 1403 free_tas(struct trust_anchor_head *tah) 1404 { 1405 struct trust_anchor *ta; 1406 1407 while ((ta = TAILQ_FIRST(tah))) { 1408 TAILQ_REMOVE(tah, ta, entry); 1409 free(ta->ta); 1410 free(ta); 1411 } 1412 } 1413 1414 int 1415 merge_tas(struct trust_anchor_head *newh, struct trust_anchor_head *oldh) 1416 { 1417 struct trust_anchor *i, *j; 1418 int chg = 0; 1419 1420 j = TAILQ_FIRST(oldh); 1421 1422 TAILQ_FOREACH(i, newh, entry) { 1423 if (j == NULL || strcmp(i->ta, j->ta) != 0) { 1424 chg = 1; 1425 break; 1426 } 1427 j = TAILQ_NEXT(j, entry); 1428 } 1429 if (j != NULL) 1430 chg = 1; 1431 1432 if (chg) { 1433 free_tas(oldh); 1434 TAILQ_CONCAT(oldh, newh, entry); 1435 } else { 1436 free_tas(newh); 1437 } 1438 return (chg); 1439 } 1440 1441 void 1442 parse_trust_anchor(struct trust_anchor_head *tah, int fd) 1443 { 1444 size_t len, dname_len; 1445 ssize_t n, sz; 1446 uint8_t rr[LDNS_RR_BUF_SIZE]; 1447 char *str, *p, buf[512], *line; 1448 1449 sz = 0; 1450 str = NULL; 1451 1452 while ((n = read(fd, buf, sizeof(buf))) > 0) { 1453 p = recallocarray(str, sz, sz + n, 1); 1454 if (p == NULL) { 1455 log_warn("%s", __func__); 1456 goto out; 1457 } 1458 str = p; 1459 memcpy(str + sz, buf, n); 1460 sz += n; 1461 } 1462 1463 if (n == -1) { 1464 log_warn("%s", __func__); 1465 goto out; 1466 } 1467 1468 /* make it a string */ 1469 p = recallocarray(str, sz, sz + 1, 1); 1470 if (p == NULL) { 1471 log_warn("%s", __func__); 1472 goto out; 1473 } 1474 str = p; 1475 sz++; 1476 1477 len = sizeof(rr); 1478 1479 while ((line = strsep(&p, "\n")) != NULL) { 1480 if (sldns_str2wire_rr_buf(line, rr, &len, &dname_len, 1481 ROOT_DNSKEY_TTL, NULL, 0, NULL, 0) != 0) 1482 continue; 1483 if (sldns_wirerr_get_type(rr, len, dname_len) == 1484 LDNS_RR_TYPE_DNSKEY) 1485 add_new_ta(tah, line); 1486 } 1487 1488 out: 1489 free(str); 1490 return; 1491 } 1492 1493 void 1494 send_trust_anchors(struct trust_anchor_head *tah) 1495 { 1496 struct trust_anchor *ta; 1497 1498 TAILQ_FOREACH(ta, tah, entry) 1499 frontend_imsg_compose_resolver(IMSG_NEW_TA, 0, ta->ta, 1500 strlen(ta->ta) + 1); 1501 frontend_imsg_compose_resolver(IMSG_NEW_TAS_DONE, 0, NULL, 0); 1502 } 1503 1504 void 1505 write_trust_anchors(struct trust_anchor_head *tah, int fd) 1506 { 1507 struct trust_anchor *ta; 1508 size_t len = 0; 1509 ssize_t n; 1510 char *str; 1511 1512 if (lseek(fd, 0, SEEK_SET) == -1) { 1513 log_warn("%s", __func__); 1514 goto out; 1515 } 1516 1517 TAILQ_FOREACH(ta, tah, entry) { 1518 if ((n = asprintf(&str, "%s\n", ta->ta)) == -1) { 1519 log_warn("%s", __func__); 1520 len = 0; 1521 goto out; 1522 } 1523 len += n; 1524 if (write(fd, str, n) != n) { 1525 log_warn("%s", __func__); 1526 free(str); 1527 len = 0; 1528 goto out; 1529 } 1530 free(str); 1531 } 1532 out: 1533 ftruncate(fd, len); 1534 fsync(fd); 1535 } 1536 1537 void 1538 parse_blocklist(int fd) 1539 { 1540 FILE *f; 1541 struct bl_node *bl_node; 1542 char *line = NULL; 1543 size_t linesize = 0; 1544 ssize_t linelen; 1545 1546 if((f = fdopen(fd, "r")) == NULL) { 1547 log_warn("cannot read block list"); 1548 close(fd); 1549 return; 1550 } 1551 1552 free_bl(); 1553 1554 while ((linelen = getline(&line, &linesize, f)) != -1) { 1555 if (line[linelen - 1] == '\n') { 1556 if (linelen >= 2 && line[linelen - 2] != '.') 1557 line[linelen - 1] = '.'; 1558 else 1559 line[linelen - 1] = '\0'; 1560 } 1561 1562 bl_node = malloc(sizeof *bl_node); 1563 if (bl_node == NULL) 1564 fatal("%s: malloc", __func__); 1565 if ((bl_node->domain = strdup(line)) == NULL) 1566 fatal("%s: strdup", __func__); 1567 if (RB_INSERT(bl_tree, &bl_head, bl_node) != NULL) { 1568 log_warnx("duplicate blocked domain \"%s\"", line); 1569 free(bl_node->domain); 1570 free(bl_node); 1571 } 1572 } 1573 free(line); 1574 if (ferror(f)) 1575 log_warn("getline"); 1576 fclose(f); 1577 } 1578 1579 int 1580 bl_cmp(struct bl_node *e1, struct bl_node *e2) { 1581 return (strcasecmp(e1->domain, e2->domain)); 1582 } 1583 1584 void 1585 free_bl(void) 1586 { 1587 struct bl_node *n, *nxt; 1588 1589 RB_FOREACH_SAFE(n, bl_tree, &bl_head, nxt) { 1590 RB_REMOVE(bl_tree, &bl_head, n); 1591 free(n->domain); 1592 free(n); 1593 } 1594 } 1595 1596 int 1597 pending_query_cnt(void) 1598 { 1599 struct pending_query *e; 1600 int cnt = 0; 1601 1602 TAILQ_FOREACH(e, &pending_queries, entry) 1603 cnt++; 1604 return cnt; 1605 } 1606 1607 void 1608 accept_paused(int fd, short events, void *arg) 1609 { 1610 struct tcp_accept_ev *tcpev = arg; 1611 event_add(&tcpev->ev, NULL); 1612 } 1613 1614 int 1615 accept_reserve(int sockfd, struct sockaddr *addr, socklen_t *addrlen) 1616 { 1617 if (getdtablecount() + FD_RESERVE >= getdtablesize()) { 1618 log_debug("%s: inflight fds exceeded", __func__); 1619 errno = EMFILE; 1620 return -1; 1621 } 1622 return accept4(sockfd, addr, addrlen, SOCK_NONBLOCK | SOCK_CLOEXEC); 1623 } 1624 1625 void 1626 tcp_accept(int fd, short events, void *arg) 1627 { 1628 static struct timeval timeout = {TCP_TIMEOUT, 0}; 1629 static struct timeval backoff = {1, 0}; 1630 struct pending_query *pq; 1631 struct tcp_accept_ev *tcpev; 1632 struct sockaddr_storage ss; 1633 socklen_t len; 1634 int s; 1635 1636 tcpev = arg; 1637 len = sizeof(ss); 1638 1639 if ((s = accept_reserve(fd, (struct sockaddr *)&ss, &len)) == -1) { 1640 switch (errno) { 1641 case EINTR: 1642 case EWOULDBLOCK: 1643 case ECONNABORTED: 1644 return; 1645 case EMFILE: 1646 case ENFILE: 1647 event_del(&tcpev->ev); 1648 evtimer_add(&tcpev->pause, &backoff); 1649 return; 1650 default: 1651 fatal("accept"); 1652 } 1653 } 1654 1655 if ((pq = calloc(1, sizeof(*pq))) == NULL) { 1656 log_warn(NULL); 1657 close(s); 1658 return; 1659 } 1660 1661 do { 1662 arc4random_buf(&pq->imsg_id, sizeof(pq->imsg_id)); 1663 } while(find_pending_query(pq->imsg_id) != NULL); 1664 1665 TAILQ_INSERT_TAIL(&pending_queries, pq, entry); 1666 1667 pq->from = ss; 1668 pq->fd = s; 1669 pq->tcp = 1; 1670 pq->qbuf = sldns_buffer_new(DEFAULT_TCP_SIZE); 1671 pq->region = regional_create(); 1672 pq->qmsg = regional_alloc(pq->region, sizeof(*pq->qmsg)); 1673 1674 if (!pq->qbuf || !pq->region || !pq->qmsg) { 1675 free_pending_query(pq); 1676 return; 1677 } 1678 1679 memset(pq->qmsg, 0, sizeof(*pq->qmsg)); 1680 1681 event_set(&pq->ev, s, EV_READ | EV_PERSIST, tcp_request, pq); 1682 event_add(&pq->ev, NULL); 1683 event_set(&pq->resp_ev, s, EV_WRITE | EV_PERSIST, tcp_response, pq); 1684 1685 evtimer_set(&pq->tmo_ev, tcp_timeout, pq); 1686 evtimer_add(&pq->tmo_ev, &timeout); 1687 } 1688 1689 void 1690 tcp_request(int fd, short events, void *arg) 1691 { 1692 struct pending_query *pq; 1693 ssize_t n; 1694 1695 pq = arg; 1696 1697 n = read(fd, sldns_buffer_current(pq->qbuf), 1698 sldns_buffer_remaining(pq->qbuf)); 1699 1700 switch (n) { 1701 case -1: 1702 switch (errno) { 1703 case EINTR: 1704 case EAGAIN: 1705 return; 1706 default: 1707 goto fail; 1708 } 1709 break; 1710 case 0: 1711 log_debug("closed connection"); 1712 goto fail; 1713 default: 1714 break; 1715 } 1716 1717 sldns_buffer_skip(pq->qbuf, n); 1718 1719 if (sldns_buffer_position(pq->qbuf) >= 2 && !pq->abuf) { 1720 struct sldns_buffer *tmp; 1721 uint16_t len; 1722 1723 sldns_buffer_flip(pq->qbuf); 1724 len = sldns_buffer_read_u16(pq->qbuf); 1725 tmp = sldns_buffer_new(len); 1726 pq->abuf = sldns_buffer_new(len); 1727 1728 if (!tmp || !pq->abuf) 1729 goto fail; 1730 1731 sldns_buffer_write(tmp, sldns_buffer_current(pq->qbuf), 1732 sldns_buffer_remaining(pq->qbuf)); 1733 sldns_buffer_free(pq->qbuf); 1734 pq->qbuf = tmp; 1735 } 1736 if (sldns_buffer_remaining(pq->qbuf) == 0) { 1737 sldns_buffer_flip(pq->qbuf); 1738 shutdown(fd, SHUT_RD); 1739 event_del(&pq->ev); 1740 handle_query(pq); 1741 } 1742 return; 1743 fail: 1744 free_pending_query(pq); 1745 } 1746 1747 void 1748 tcp_response(int fd, short events, void *arg) 1749 { 1750 struct pending_query *pq; 1751 ssize_t n; 1752 1753 pq = arg; 1754 1755 n = write(fd, sldns_buffer_current(pq->abuf), 1756 sldns_buffer_remaining(pq->abuf)); 1757 1758 if (n == -1) { 1759 if (errno == EAGAIN || errno == EINTR) 1760 return; 1761 free_pending_query(pq); 1762 } 1763 sldns_buffer_skip(pq->abuf, n); 1764 if (sldns_buffer_remaining(pq->abuf) == 0) 1765 free_pending_query(pq); 1766 } 1767 1768 void 1769 tcp_timeout(int fd, short events, void *arg) 1770 { 1771 free_pending_query(arg); 1772 } 1773 1774 void 1775 check_available_af() 1776 { 1777 static int available_af = HAVE_IPV4 | HAVE_IPV6; 1778 static int rtable = -1; 1779 struct ifaddrs *ifap, *ifa; 1780 struct if_data *ifa_data; 1781 struct sockaddr_in *sin4; 1782 struct sockaddr_in6 *sin6; 1783 int new_available_af = 0, ifa_rtable = -1; 1784 1785 if (rtable == -1) 1786 rtable = getrtable(); 1787 1788 if (getifaddrs(&ifap) != 0) { 1789 log_warn("getifaddrs"); 1790 return; 1791 } 1792 1793 for (ifa = ifap; ifa != NULL; ifa = ifa->ifa_next) { 1794 if (ifa->ifa_addr == NULL) 1795 continue; 1796 switch(ifa->ifa_addr->sa_family) { 1797 case AF_LINK: 1798 /* AF_LINK comes before inet / inet6 on an interface */ 1799 ifa_data = (struct if_data *)ifa->ifa_data; 1800 ifa_rtable = ifa_data->ifi_rdomain; 1801 break; 1802 case AF_INET: 1803 if (ifa_rtable != rtable) 1804 continue; 1805 1806 sin4 = (struct sockaddr_in *)ifa->ifa_addr; 1807 if ((ntohl(sin4->sin_addr.s_addr) >> 24) == 1808 IN_LOOPBACKNET) 1809 continue; 1810 new_available_af |= HAVE_IPV4; 1811 break; 1812 case AF_INET6: 1813 if (ifa_rtable != rtable) 1814 continue; 1815 1816 sin6 = (struct sockaddr_in6 *)ifa->ifa_addr; 1817 if (IN6_IS_ADDR_LOOPBACK(&sin6->sin6_addr) || 1818 IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr) || 1819 IN6_IS_ADDR_MC_LINKLOCAL(&sin6->sin6_addr) || 1820 IN6_IS_ADDR_MC_INTFACELOCAL(&sin6->sin6_addr)) 1821 continue; 1822 new_available_af |= HAVE_IPV6; 1823 break; 1824 default: 1825 break; 1826 } 1827 if (new_available_af == (HAVE_IPV4 | HAVE_IPV6)) 1828 break; 1829 } 1830 freeifaddrs(ifap); 1831 if (new_available_af != available_af) { 1832 available_af = new_available_af; 1833 frontend_imsg_compose_resolver(IMSG_CHANGE_AFS, 0, 1834 &available_af, sizeof(available_af)); 1835 } 1836 } 1837