1 /* $OpenBSD: frontend.c,v 1.75 2022/11/27 14:29:06 tb Exp $ */ 2 3 /* 4 * Copyright (c) 2018 Florian Obser <florian@openbsd.org> 5 * Copyright (c) 2005 Claudio Jeker <claudio@openbsd.org> 6 * Copyright (c) 2004 Esben Norby <norby@openbsd.org> 7 * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> 8 * 9 * Permission to use, copy, modify, and distribute this software for any 10 * purpose with or without fee is hereby granted, provided that the above 11 * copyright notice and this permission notice appear in all copies. 12 * 13 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 14 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 15 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 16 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 17 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 18 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 19 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 20 */ 21 22 #include <sys/types.h> 23 #include <sys/queue.h> 24 #include <sys/socket.h> 25 #include <sys/syslog.h> 26 #include <sys/tree.h> 27 #include <sys/uio.h> 28 29 #include <netinet/in.h> 30 #include <net/if.h> 31 #include <net/route.h> 32 33 #include <errno.h> 34 #include <event.h> 35 #include <ifaddrs.h> 36 #include <imsg.h> 37 #include <netdb.h> 38 #include <pwd.h> 39 #include <signal.h> 40 #include <stdint.h> 41 #include <stdio.h> 42 #include <stdlib.h> 43 #include <string.h> 44 #include <time.h> 45 #include <unistd.h> 46 47 #include "libunbound/config.h" 48 #include "libunbound/sldns/pkthdr.h" 49 #include "libunbound/sldns/sbuffer.h" 50 #include "libunbound/sldns/str2wire.h" 51 #include "libunbound/sldns/wire2str.h" 52 #include "libunbound/util/alloc.h" 53 #include "libunbound/util/net_help.h" 54 #include "libunbound/util/regional.h" 55 #include "libunbound/util/data/dname.h" 56 #include "libunbound/util/data/msgencode.h" 57 #include "libunbound/util/data/msgparse.h" 58 #include "libunbound/util/data/msgreply.h" 59 60 #include "log.h" 61 #include "unwind.h" 62 #include "frontend.h" 63 #include "control.h" 64 #include "dns64_synth.h" 65 66 #define MINIMUM(a, b) (((a) < (b)) ? (a) : (b)) 67 #define ROUTE_SOCKET_BUF_SIZE 16384 68 69 /* 70 * size of a resource record with name a two octed pointer to qname 71 * 2 octets pointer to qname 72 * 2 octets TYPE 73 * 2 octets CLASS 74 * 4 octets TTL 75 * 2 octets RDLENGTH 76 */ 77 #define COMPRESSED_RR_SIZE 12 78 #define MINIMIZE_ANSWER 1 79 80 #define FD_RESERVE 5 81 #define TCP_TIMEOUT 15 82 #define DEFAULT_TCP_SIZE 512 83 84 struct udp_ev { 85 struct event ev; 86 uint8_t query[65536]; 87 struct msghdr rcvmhdr; 88 struct iovec rcviov[1]; 89 struct sockaddr_storage from; 90 } udp4ev, udp6ev; 91 92 struct tcp_accept_ev { 93 struct event ev; 94 struct event pause; 95 } tcp4ev, tcp6ev; 96 97 struct pending_query { 98 TAILQ_ENTRY(pending_query) entry; 99 struct sockaddr_storage from; 100 struct sldns_buffer *qbuf; 101 struct sldns_buffer *abuf; 102 struct regional *region; 103 struct query_info qinfo; 104 struct edns_data edns; 105 struct event ev; /* for tcp */ 106 struct event resp_ev; /* for tcp */ 107 struct event tmo_ev; /* for tcp */ 108 uint64_t imsg_id; 109 uint16_t id; 110 uint16_t flags; 111 int fd; 112 int tcp; 113 int dns64_synthesize; 114 }; 115 116 TAILQ_HEAD(, pending_query) pending_queries; 117 118 struct bl_node { 119 RB_ENTRY(bl_node) entry; 120 char *domain; 121 }; 122 123 __dead void frontend_shutdown(void); 124 void frontend_sig_handler(int, short, void *); 125 void frontend_startup(void); 126 void udp_receive(int, short, void *); 127 void handle_query(struct pending_query *); 128 void free_pending_query(struct pending_query *); 129 void tcp_accept(int, short, void *); 130 int accept_reserve(int, struct sockaddr *, socklen_t *); 131 void accept_paused(int, short, void *); 132 void tcp_request(int, short, void *); 133 void tcp_response(int, short, void *); 134 void tcp_timeout(int, short, void *); 135 int check_query(sldns_buffer*); 136 void noerror_answer(struct pending_query *); 137 void synthesize_dns64_answer(struct pending_query *); 138 void resend_dns64_query(struct pending_query *); 139 void chaos_answer(struct pending_query *); 140 void error_answer(struct pending_query *, int rcode); 141 void send_answer(struct pending_query *); 142 void route_receive(int, short, void *); 143 void handle_route_message(struct rt_msghdr *, 144 struct sockaddr **); 145 void get_rtaddrs(int, struct sockaddr *, 146 struct sockaddr **); 147 void rtmget_default(void); 148 struct pending_query *find_pending_query(uint64_t); 149 void parse_trust_anchor(struct trust_anchor_head *, int); 150 void send_trust_anchors(struct trust_anchor_head *); 151 void write_trust_anchors(struct trust_anchor_head *, int); 152 void parse_blocklist(int); 153 int bl_cmp(struct bl_node *, struct bl_node *); 154 void free_bl(void); 155 int pending_query_cnt(void); 156 void check_available_af(void); 157 158 struct uw_conf *frontend_conf; 159 static struct imsgev *iev_main; 160 static struct imsgev *iev_resolver; 161 struct event ev_route; 162 int udp4sock = -1, udp6sock = -1; 163 int tcp4sock = -1, tcp6sock = -1; 164 int ta_fd = -1; 165 166 static struct trust_anchor_head trust_anchors, new_trust_anchors; 167 168 RB_HEAD(bl_tree, bl_node) bl_head = RB_INITIALIZER(&bl_head); 169 RB_PROTOTYPE(bl_tree, bl_node, entry, bl_cmp) 170 RB_GENERATE(bl_tree, bl_node, entry, bl_cmp) 171 172 struct dns64_prefix *dns64_prefixes; 173 int dns64_prefix_count; 174 175 void 176 frontend_sig_handler(int sig, short event, void *bula) 177 { 178 /* 179 * Normal signal handler rules don't apply because libevent 180 * decouples for us. 181 */ 182 183 switch (sig) { 184 case SIGINT: 185 case SIGTERM: 186 frontend_shutdown(); 187 default: 188 fatalx("unexpected signal"); 189 } 190 } 191 192 void 193 frontend(int debug, int verbose) 194 { 195 struct event ev_sigint, ev_sigterm; 196 struct passwd *pw; 197 198 frontend_conf = config_new_empty(); 199 200 log_init(debug, LOG_DAEMON); 201 log_setverbose(verbose); 202 203 if ((pw = getpwnam(UNWIND_USER)) == NULL) 204 fatal("getpwnam"); 205 206 if (chroot(pw->pw_dir) == -1) 207 fatal("chroot"); 208 if (chdir("/") == -1) 209 fatal("chdir(\"/\")"); 210 211 setproctitle("%s", "frontend"); 212 log_procinit("frontend"); 213 214 if (setgroups(1, &pw->pw_gid) || 215 setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) || 216 setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid)) 217 fatal("can't drop privileges"); 218 219 if (pledge("stdio dns unix recvfd", NULL) == -1) 220 fatal("pledge"); 221 222 event_init(); 223 224 /* Setup signal handler. */ 225 signal_set(&ev_sigint, SIGINT, frontend_sig_handler, NULL); 226 signal_set(&ev_sigterm, SIGTERM, frontend_sig_handler, NULL); 227 signal_add(&ev_sigint, NULL); 228 signal_add(&ev_sigterm, NULL); 229 signal(SIGPIPE, SIG_IGN); 230 signal(SIGHUP, SIG_IGN); 231 232 /* Setup pipe and event handler to the parent process. */ 233 if (iev_main != NULL) 234 fatal("iev_main"); 235 if ((iev_main = malloc(sizeof(struct imsgev))) == NULL) 236 fatal(NULL); 237 imsg_init(&iev_main->ibuf, 3); 238 iev_main->handler = frontend_dispatch_main; 239 iev_main->events = EV_READ; 240 event_set(&iev_main->ev, iev_main->ibuf.fd, iev_main->events, 241 iev_main->handler, iev_main); 242 event_add(&iev_main->ev, NULL); 243 244 udp4ev.rcviov[0].iov_base = (caddr_t)udp4ev.query; 245 udp4ev.rcviov[0].iov_len = sizeof(udp4ev.query); 246 udp4ev.rcvmhdr.msg_name = (caddr_t)&udp4ev.from; 247 udp4ev.rcvmhdr.msg_namelen = sizeof(udp4ev.from); 248 udp4ev.rcvmhdr.msg_iov = udp4ev.rcviov; 249 udp4ev.rcvmhdr.msg_iovlen = 1; 250 251 udp6ev.rcviov[0].iov_base = (caddr_t)udp6ev.query; 252 udp6ev.rcviov[0].iov_len = sizeof(udp6ev.query); 253 udp6ev.rcvmhdr.msg_name = (caddr_t)&udp6ev.from; 254 udp6ev.rcvmhdr.msg_namelen = sizeof(udp6ev.from); 255 udp6ev.rcvmhdr.msg_iov = udp6ev.rcviov; 256 udp6ev.rcvmhdr.msg_iovlen = 1; 257 258 TAILQ_INIT(&pending_queries); 259 260 TAILQ_INIT(&trust_anchors); 261 TAILQ_INIT(&new_trust_anchors); 262 263 add_new_ta(&trust_anchors, KSK2017); 264 265 event_dispatch(); 266 267 frontend_shutdown(); 268 } 269 270 __dead void 271 frontend_shutdown(void) 272 { 273 /* Close pipes. */ 274 msgbuf_write(&iev_resolver->ibuf.w); 275 msgbuf_clear(&iev_resolver->ibuf.w); 276 close(iev_resolver->ibuf.fd); 277 msgbuf_write(&iev_main->ibuf.w); 278 msgbuf_clear(&iev_main->ibuf.w); 279 close(iev_main->ibuf.fd); 280 281 config_clear(frontend_conf); 282 283 free(iev_resolver); 284 free(iev_main); 285 286 log_info("frontend exiting"); 287 exit(0); 288 } 289 290 int 291 frontend_imsg_compose_main(int type, pid_t pid, void *data, uint16_t datalen) 292 { 293 return (imsg_compose_event(iev_main, type, 0, pid, -1, data, datalen)); 294 } 295 296 int 297 frontend_imsg_compose_resolver(int type, pid_t pid, void *data, 298 uint16_t datalen) 299 { 300 return (imsg_compose_event(iev_resolver, type, 0, pid, -1, data, 301 datalen)); 302 } 303 304 void 305 frontend_dispatch_main(int fd, short event, void *bula) 306 { 307 static struct uw_conf *nconf; 308 struct imsg imsg; 309 struct imsgev *iev = bula; 310 struct imsgbuf *ibuf = &iev->ibuf; 311 int n, shut = 0; 312 313 if (event & EV_READ) { 314 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN) 315 fatal("imsg_read error"); 316 if (n == 0) /* Connection closed. */ 317 shut = 1; 318 } 319 if (event & EV_WRITE) { 320 if ((n = msgbuf_write(&ibuf->w)) == -1 && errno != EAGAIN) 321 fatal("msgbuf_write"); 322 if (n == 0) /* Connection closed. */ 323 shut = 1; 324 } 325 326 for (;;) { 327 if ((n = imsg_get(ibuf, &imsg)) == -1) 328 fatal("%s: imsg_get error", __func__); 329 if (n == 0) /* No more messages. */ 330 break; 331 332 switch (imsg.hdr.type) { 333 case IMSG_SOCKET_IPC_RESOLVER: 334 /* 335 * Setup pipe and event handler to the resolver 336 * process. 337 */ 338 if (iev_resolver) { 339 fatalx("%s: received unexpected imsg fd " 340 "to frontend", __func__); 341 break; 342 } 343 if ((fd = imsg.fd) == -1) { 344 fatalx("%s: expected to receive imsg fd to " 345 "frontend but didn't receive any", 346 __func__); 347 break; 348 } 349 350 if (iev_resolver != NULL) 351 fatal("iev_resolver"); 352 iev_resolver = malloc(sizeof(struct imsgev)); 353 if (iev_resolver == NULL) 354 fatal(NULL); 355 356 imsg_init(&iev_resolver->ibuf, fd); 357 iev_resolver->handler = frontend_dispatch_resolver; 358 iev_resolver->events = EV_READ; 359 360 event_set(&iev_resolver->ev, iev_resolver->ibuf.fd, 361 iev_resolver->events, iev_resolver->handler, 362 iev_resolver); 363 event_add(&iev_resolver->ev, NULL); 364 break; 365 case IMSG_RECONF_CONF: 366 case IMSG_RECONF_BLOCKLIST_FILE: 367 case IMSG_RECONF_FORWARDER: 368 case IMSG_RECONF_DOT_FORWARDER: 369 case IMSG_RECONF_FORCE: 370 imsg_receive_config(&imsg, &nconf); 371 break; 372 case IMSG_RECONF_END: 373 if (nconf == NULL) 374 fatalx("%s: IMSG_RECONF_END without " 375 "IMSG_RECONF_CONF", __func__); 376 merge_config(frontend_conf, nconf); 377 if (frontend_conf->blocklist_file == NULL) 378 free_bl(); 379 nconf = NULL; 380 break; 381 case IMSG_UDP6SOCK: 382 if (udp6sock != -1) 383 fatalx("%s: received unexpected udp6sock", 384 __func__); 385 if ((udp6sock = imsg.fd) == -1) 386 fatalx("%s: expected to receive imsg " 387 "UDP6 fd but didn't receive any", __func__); 388 event_set(&udp6ev.ev, udp6sock, EV_READ | EV_PERSIST, 389 udp_receive, &udp6ev); 390 event_add(&udp6ev.ev, NULL); 391 break; 392 case IMSG_UDP4SOCK: 393 if (udp4sock != -1) 394 fatalx("%s: received unexpected udp4sock", 395 __func__); 396 if ((udp4sock = imsg.fd) == -1) 397 fatalx("%s: expected to receive imsg " 398 "UDP4 fd but didn't receive any", __func__); 399 event_set(&udp4ev.ev, udp4sock, EV_READ | EV_PERSIST, 400 udp_receive, &udp4ev); 401 event_add(&udp4ev.ev, NULL); 402 break; 403 case IMSG_TCP4SOCK: 404 if (tcp4sock != -1) 405 fatalx("%s: received unexpected tcp4sock", 406 __func__); 407 if ((tcp4sock = imsg.fd) == -1) 408 fatalx("%s: expected to receive imsg " 409 "TCP4 fd but didn't receive any", __func__); 410 event_set(&tcp4ev.ev, tcp4sock, EV_READ | EV_PERSIST, 411 tcp_accept, &tcp4ev); 412 event_add(&tcp4ev.ev, NULL); 413 evtimer_set(&tcp4ev.pause, accept_paused, &tcp4ev); 414 break; 415 case IMSG_TCP6SOCK: 416 if (tcp6sock != -1) 417 fatalx("%s: received unexpected tcp6sock", 418 __func__); 419 if ((tcp6sock = imsg.fd) == -1) 420 fatalx("%s: expected to receive imsg " 421 "TCP6 fd but didn't receive any", __func__); 422 event_set(&tcp6ev.ev, tcp6sock, EV_READ | EV_PERSIST, 423 tcp_accept, &tcp6ev); 424 event_add(&tcp6ev.ev, NULL); 425 evtimer_set(&tcp6ev.pause, accept_paused, &tcp6ev); 426 break; 427 case IMSG_ROUTESOCK: { 428 static int routesock = -1; 429 430 if (routesock != -1) 431 fatalx("%s: received unexpected routesock", 432 __func__); 433 if ((fd = imsg.fd) == -1) 434 fatalx("%s: expected to receive imsg " 435 "routesocket fd but didn't receive any", 436 __func__); 437 routesock = fd; 438 event_set(&ev_route, fd, EV_READ | EV_PERSIST, 439 route_receive, NULL); 440 break; 441 } 442 case IMSG_STARTUP: 443 frontend_startup(); 444 break; 445 case IMSG_CONTROLFD: 446 if ((fd = imsg.fd) == -1) 447 fatalx("%s: expected to receive imsg control " 448 "fd but didn't receive any", __func__); 449 /* Listen on control socket. */ 450 control_listen(fd); 451 break; 452 case IMSG_TAFD: 453 if ((ta_fd = imsg.fd) != -1) 454 parse_trust_anchor(&trust_anchors, ta_fd); 455 if (!TAILQ_EMPTY(&trust_anchors)) 456 send_trust_anchors(&trust_anchors); 457 break; 458 case IMSG_BLFD: 459 if ((fd = imsg.fd) == -1) 460 fatalx("%s: expected to receive imsg block " 461 "list fd but didn't receive any", __func__); 462 parse_blocklist(fd); 463 break; 464 default: 465 log_debug("%s: error handling imsg %d", __func__, 466 imsg.hdr.type); 467 break; 468 } 469 imsg_free(&imsg); 470 } 471 if (!shut) 472 imsg_event_add(iev); 473 else { 474 /* This pipe is dead. Remove its event handler. */ 475 event_del(&iev->ev); 476 event_loopexit(NULL); 477 } 478 } 479 480 void 481 frontend_dispatch_resolver(int fd, short event, void *bula) 482 { 483 static struct dns64_prefix *new_dns64_prefixes = NULL; 484 static int new_dns64_prefix_count = 0; 485 static int new_dns64_prefix_pos = 0; 486 struct pending_query *pq; 487 struct imsgev *iev = bula; 488 struct imsgbuf *ibuf = &iev->ibuf; 489 struct imsg imsg; 490 int n, shut = 0, chg; 491 492 if (event & EV_READ) { 493 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN) 494 fatal("imsg_read error"); 495 if (n == 0) /* Connection closed. */ 496 shut = 1; 497 } 498 if (event & EV_WRITE) { 499 if ((n = msgbuf_write(&ibuf->w)) == -1 && errno != EAGAIN) 500 fatal("msgbuf_write"); 501 if (n == 0) /* Connection closed. */ 502 shut = 1; 503 } 504 505 for (;;) { 506 if ((n = imsg_get(ibuf, &imsg)) == -1) 507 fatal("%s: imsg_get error", __func__); 508 if (n == 0) /* No more messages. */ 509 break; 510 511 switch (imsg.hdr.type) { 512 case IMSG_ANSWER: { 513 struct answer_header *answer_header; 514 int data_len; 515 uint8_t *data; 516 517 if (IMSG_DATA_SIZE(imsg) < sizeof(*answer_header)) 518 fatalx("%s: IMSG_ANSWER wrong length: " 519 "%lu", __func__, IMSG_DATA_SIZE(imsg)); 520 answer_header = (struct answer_header *)imsg.data; 521 data = (uint8_t *)imsg.data + sizeof(*answer_header); 522 if (answer_header->answer_len > UINT16_MAX) 523 fatalx("%s: IMSG_ANSWER answer too big: %d", 524 __func__, answer_header->answer_len); 525 data_len = IMSG_DATA_SIZE(imsg) - 526 sizeof(*answer_header); 527 528 if ((pq = find_pending_query(answer_header->id)) == 529 NULL) { 530 log_warnx("%s: cannot find pending query %llu", 531 __func__, answer_header->id); 532 break; 533 } 534 535 if (answer_header->srvfail) { 536 error_answer(pq, LDNS_RCODE_SERVFAIL); 537 send_answer(pq); 538 break; 539 } 540 541 if (answer_header->bogus && !(pq->flags & BIT_CD)) { 542 error_answer(pq, LDNS_RCODE_SERVFAIL); 543 send_answer(pq); 544 break; 545 } 546 547 if (sldns_buffer_position(pq->abuf) == 0 && 548 !sldns_buffer_set_capacity(pq->abuf, 549 answer_header->answer_len)) { 550 error_answer(pq, LDNS_RCODE_SERVFAIL); 551 send_answer(pq); 552 break; 553 } 554 555 if (sldns_buffer_position(pq->abuf) + data_len > 556 sldns_buffer_capacity(pq->abuf)) 557 fatalx("%s: IMSG_ANSWER answer too big: %d", 558 __func__, data_len); 559 sldns_buffer_write(pq->abuf, data, data_len); 560 561 if (sldns_buffer_position(pq->abuf) == 562 sldns_buffer_capacity(pq->abuf)) { 563 sldns_buffer_flip(pq->abuf); 564 if (pq->dns64_synthesize) { 565 synthesize_dns64_answer(pq); 566 send_answer(pq); 567 } else { 568 noerror_answer(pq); 569 if (pq->dns64_synthesize) 570 /* we did not find a answer */ 571 resend_dns64_query(pq); 572 else 573 send_answer(pq); 574 } 575 } 576 break; 577 } 578 case IMSG_CTL_RESOLVER_INFO: 579 case IMSG_CTL_AUTOCONF_RESOLVER_INFO: 580 case IMSG_CTL_MEM_INFO: 581 case IMSG_CTL_END: 582 control_imsg_relay(&imsg); 583 break; 584 case IMSG_NEW_TA: 585 /* make sure this is a string */ 586 ((char *)imsg.data)[IMSG_DATA_SIZE(imsg) - 1] = '\0'; 587 add_new_ta(&new_trust_anchors, imsg.data); 588 break; 589 case IMSG_NEW_TAS_ABORT: 590 free_tas(&new_trust_anchors); 591 break; 592 case IMSG_NEW_TAS_DONE: 593 chg = merge_tas(&new_trust_anchors, &trust_anchors); 594 if (chg) 595 send_trust_anchors(&trust_anchors); 596 597 /* 598 * always write trust anchors, the modify date on 599 * the file is an indication when we made progress 600 */ 601 if (ta_fd != -1) 602 write_trust_anchors(&trust_anchors, ta_fd); 603 break; 604 case IMSG_NEW_DNS64_PREFIXES_START: 605 if (IMSG_DATA_SIZE(imsg) != 606 sizeof(new_dns64_prefix_count)) 607 fatalx("%s: IMSG_NEW_DNS64_PREFIXES_START " 608 "wrong length: %lu", __func__, 609 IMSG_DATA_SIZE(imsg)); 610 memcpy(&new_dns64_prefix_count, imsg.data, 611 sizeof(new_dns64_prefix_count)); 612 free(new_dns64_prefixes); 613 new_dns64_prefixes = NULL; 614 if (new_dns64_prefix_count > 0) 615 new_dns64_prefixes = 616 calloc(new_dns64_prefix_count, 617 sizeof(struct dns64_prefix)); 618 new_dns64_prefix_pos = 0; 619 break; 620 case IMSG_NEW_DNS64_PREFIX: { 621 if (IMSG_DATA_SIZE(imsg) != sizeof(struct dns64_prefix)) 622 fatalx("%s: IMSG_NEW_DNS64_PREFIX wrong " 623 "length: %lu", __func__, 624 IMSG_DATA_SIZE(imsg)); 625 if (new_dns64_prefixes == NULL) 626 break; 627 if (new_dns64_prefix_pos >= new_dns64_prefix_count) 628 fatalx("%s: IMSG_NEW_DNS64_PREFIX: too many " 629 "prefixes", __func__); 630 memcpy(&new_dns64_prefixes[new_dns64_prefix_pos++], 631 imsg.data, sizeof(struct dns64_prefix)); 632 break; 633 } 634 case IMSG_NEW_DNS64_PREFIXES_DONE: 635 free(dns64_prefixes); 636 dns64_prefixes = new_dns64_prefixes; 637 dns64_prefix_count = new_dns64_prefix_count; 638 new_dns64_prefixes = NULL; 639 break; 640 default: 641 log_debug("%s: error handling imsg %d", __func__, 642 imsg.hdr.type); 643 break; 644 } 645 imsg_free(&imsg); 646 } 647 if (!shut) 648 imsg_event_add(iev); 649 else { 650 /* This pipe is dead. Remove its event handler. */ 651 event_del(&iev->ev); 652 event_loopexit(NULL); 653 } 654 } 655 656 void 657 frontend_startup(void) 658 { 659 if (!event_initialized(&ev_route)) 660 fatalx("%s: did not receive a route socket from the main " 661 "process", __func__); 662 663 event_add(&ev_route, NULL); 664 665 frontend_imsg_compose_main(IMSG_STARTUP_DONE, 0, NULL, 0); 666 check_available_af(); 667 } 668 669 void 670 free_pending_query(struct pending_query *pq) 671 { 672 if (!pq) 673 return; 674 675 TAILQ_REMOVE(&pending_queries, pq, entry); 676 regional_destroy(pq->region); 677 sldns_buffer_free(pq->qbuf); 678 sldns_buffer_free(pq->abuf); 679 if (pq->tcp) { 680 if (event_initialized(&pq->ev)) 681 event_del(&pq->ev); 682 if (event_initialized(&pq->resp_ev)) 683 event_del(&pq->resp_ev); 684 if (event_initialized(&pq->tmo_ev)) 685 event_del(&pq->tmo_ev); 686 if (pq->fd != -1) 687 close(pq->fd); 688 } 689 free(pq); 690 } 691 692 void 693 udp_receive(int fd, short events, void *arg) 694 { 695 struct udp_ev *udpev = (struct udp_ev *)arg; 696 struct pending_query *pq = NULL; 697 ssize_t len; 698 699 if ((len = recvmsg(fd, &udpev->rcvmhdr, 0)) == -1) { 700 log_warn("recvmsg"); 701 return; 702 } 703 704 if ((pq = calloc(1, sizeof(*pq))) == NULL) { 705 log_warn(NULL); 706 return; 707 } 708 709 do { 710 arc4random_buf(&pq->imsg_id, sizeof(pq->imsg_id)); 711 } while(find_pending_query(pq->imsg_id) != NULL); 712 713 TAILQ_INSERT_TAIL(&pending_queries, pq, entry); 714 715 pq->from = udpev->from; 716 pq->fd = fd; 717 pq->qbuf = sldns_buffer_new(len); 718 pq->abuf = sldns_buffer_new(len); /* make sure we can send errors */ 719 pq->region = regional_create(); 720 721 if (!pq->qbuf || !pq->abuf || !pq->region) { 722 log_warnx("out of memory"); 723 free_pending_query(pq); 724 return; 725 } 726 727 sldns_buffer_write(pq->qbuf, udpev->query, len); 728 sldns_buffer_flip(pq->qbuf); 729 handle_query(pq); 730 } 731 732 void 733 handle_query(struct pending_query *pq) 734 { 735 struct query_imsg query_imsg; 736 struct bl_node find; 737 int rcode; 738 char *str; 739 char dname[LDNS_MAX_DOMAINLEN + 1]; 740 char qclass_buf[16]; 741 char qtype_buf[16]; 742 743 if (log_getverbose() & OPT_VERBOSE2 && (str = 744 sldns_wire2str_pkt(sldns_buffer_begin(pq->qbuf), 745 sldns_buffer_limit(pq->qbuf))) != NULL) { 746 log_debug("from: %s\n%s", ip_port((struct sockaddr *) 747 &pq->from), str); 748 free(str); 749 } 750 751 if (sldns_buffer_remaining(pq->qbuf) < LDNS_HEADER_SIZE) { 752 log_warnx("bad query: too short, dropped"); 753 goto drop; 754 } 755 756 pq->id = sldns_buffer_read_u16_at(pq->qbuf, 0); 757 pq->flags = sldns_buffer_read_u16_at(pq->qbuf, 2); 758 759 if (!query_info_parse(&pq->qinfo, pq->qbuf)) { 760 log_warnx("query_info_parse failed"); 761 goto drop; 762 } 763 764 rcode = check_query(pq->qbuf); 765 switch (rcode) { 766 case LDNS_RCODE_NOERROR: 767 break; 768 case -1: 769 goto drop; 770 default: 771 error_answer(pq, rcode); 772 goto send_answer; 773 } 774 775 rcode = parse_edns_from_query_pkt(pq->qbuf, &pq->edns, NULL, NULL, 776 pq->region); 777 if (rcode != LDNS_RCODE_NOERROR) { 778 error_answer(pq, rcode); 779 goto send_answer; 780 } 781 782 if (!dname_valid(pq->qinfo.qname, pq->qinfo.qname_len)) { 783 error_answer(pq, LDNS_RCODE_FORMERR); 784 goto send_answer; 785 } 786 dname_str(pq->qinfo.qname, dname); 787 788 sldns_wire2str_class_buf(pq->qinfo.qclass, qclass_buf, 789 sizeof(qclass_buf)); 790 sldns_wire2str_type_buf(pq->qinfo.qtype, qtype_buf, sizeof(qtype_buf)); 791 log_debug("%s: %s %s %s ?", ip_port((struct sockaddr *)&pq->from), 792 dname, qclass_buf, qtype_buf); 793 794 find.domain = dname; 795 if (RB_FIND(bl_tree, &bl_head, &find) != NULL) { 796 if (frontend_conf->blocklist_log) 797 log_info("blocking %s", dname); 798 error_answer(pq, LDNS_RCODE_REFUSED); 799 goto send_answer; 800 } 801 802 if (pq->qinfo.qtype == LDNS_RR_TYPE_AXFR || pq->qinfo.qtype == 803 LDNS_RR_TYPE_IXFR) { 804 error_answer(pq, LDNS_RCODE_REFUSED); 805 goto send_answer; 806 } 807 808 if(pq->qinfo.qtype == LDNS_RR_TYPE_OPT || 809 pq->qinfo.qtype == LDNS_RR_TYPE_TSIG || 810 pq->qinfo.qtype == LDNS_RR_TYPE_TKEY || 811 pq->qinfo.qtype == LDNS_RR_TYPE_MAILA || 812 pq->qinfo.qtype == LDNS_RR_TYPE_MAILB || 813 (pq->qinfo.qtype >= 128 && pq->qinfo.qtype <= 248)) { 814 error_answer(pq, LDNS_RCODE_FORMERR); 815 goto send_answer; 816 } 817 818 if (pq->qinfo.qclass == LDNS_RR_CLASS_CH) { 819 if (strcasecmp(dname, "version.server.") == 0 || 820 strcasecmp(dname, "version.bind.") == 0) { 821 chaos_answer(pq); 822 } else 823 error_answer(pq, LDNS_RCODE_REFUSED); 824 goto send_answer; 825 } 826 827 if (strlcpy(query_imsg.qname, dname, sizeof(query_imsg.qname)) >= 828 sizeof(query_imsg.qname)) { 829 log_warnx("qname too long"); 830 error_answer(pq, LDNS_RCODE_FORMERR); 831 goto send_answer; 832 } 833 query_imsg.id = pq->imsg_id; 834 query_imsg.t = pq->qinfo.qtype; 835 query_imsg.c = pq->qinfo.qclass; 836 837 if (frontend_imsg_compose_resolver(IMSG_QUERY, 0, &query_imsg, 838 sizeof(query_imsg)) == -1) { 839 error_answer(pq, LDNS_RCODE_SERVFAIL); 840 goto send_answer; 841 } 842 return; 843 844 send_answer: 845 send_answer(pq); 846 return; 847 848 drop: 849 free_pending_query(pq); 850 } 851 852 void 853 noerror_answer(struct pending_query *pq) 854 { 855 struct query_info skip, qinfo; 856 struct reply_info *rinfo = NULL; 857 struct alloc_cache alloc; 858 struct edns_data edns; 859 struct ub_packed_rrset_key *an_rrset = NULL; 860 struct packed_rrset_data *an_rrset_data = NULL; 861 862 alloc_init(&alloc, NULL, 0); 863 memset(&qinfo, 0, sizeof(qinfo)); 864 /* read past query section, no memory is allocated */ 865 if (!query_info_parse(&skip, pq->abuf)) 866 goto srvfail; 867 868 if (reply_info_parse(pq->abuf, &alloc, &qinfo, &rinfo, pq->region, 869 &edns) != 0) 870 goto srvfail; 871 872 if ((an_rrset = reply_find_answer_rrset(&qinfo, rinfo)) != NULL) 873 an_rrset_data = (struct packed_rrset_data*)an_rrset->entry.data; 874 875 /* reply_info_parse() allocates memory */ 876 query_info_clear(&qinfo); 877 878 /* XXX check that there a no AAAA records in answer section? */ 879 if ((an_rrset_data == NULL || an_rrset_data->count == 0) && 880 !pq->dns64_synthesize && pq->qinfo.qtype == LDNS_RR_TYPE_AAAA && 881 pq->qinfo.qclass == LDNS_RR_CLASS_IN && dns64_prefix_count > 0) { 882 pq->dns64_synthesize = 1; 883 return; 884 } 885 886 sldns_buffer_clear(pq->abuf); 887 if (reply_info_encode(&pq->qinfo, rinfo, htons(pq->id), rinfo->flags, 888 pq->abuf, 0, pq->region, pq->tcp ? UINT16_MAX : pq->edns.udp_size, 889 pq->edns.bits & EDNS_DO, MINIMIZE_ANSWER) == 0) 890 goto srvfail; 891 892 reply_info_parsedelete(rinfo, &alloc); 893 alloc_clear(&alloc); 894 return; 895 896 srvfail: 897 reply_info_parsedelete(rinfo, &alloc); 898 alloc_clear(&alloc); 899 error_answer(pq, LDNS_RCODE_SERVFAIL); 900 } 901 902 void 903 synthesize_dns64_answer(struct pending_query *pq) 904 { 905 struct query_info skip, qinfo; 906 struct reply_info *rinfo = NULL, *synth_rinfo = NULL; 907 struct alloc_cache alloc; 908 struct edns_data edns; 909 size_t i; 910 911 pq->dns64_synthesize = 0; 912 913 alloc_init(&alloc, NULL, 0); 914 memset(&qinfo, 0, sizeof(qinfo)); 915 /* read past query section, no memory is allocated */ 916 if (!query_info_parse(&skip, pq->abuf)) 917 goto srvfail; 918 919 if (reply_info_parse(pq->abuf, &alloc, &qinfo, &rinfo, pq->region, 920 &edns) != 0) 921 goto srvfail; 922 923 /* reply_info_parse() allocates memory */ 924 query_info_clear(&qinfo); 925 926 synth_rinfo = construct_reply_info_base(pq->region, rinfo->flags, 927 rinfo->qdcount, rinfo->ttl, rinfo->prefetch_ttl, 928 rinfo->serve_expired_ttl, rinfo->an_numrrsets, 929 rinfo->ns_numrrsets, rinfo->ar_numrrsets, rinfo->rrset_count, 930 rinfo->security); 931 932 if (!synth_rinfo) 933 goto srvfail; 934 935 if(!reply_info_alloc_rrset_keys(synth_rinfo, NULL, pq->region)) 936 goto srvfail; 937 938 for (i = 0; i < synth_rinfo->rrset_count; i++) { 939 struct ub_packed_rrset_key *src_rrset_key, *dst_rrset_key; 940 struct packed_rrset_data *src_rrset_data; 941 struct packed_rrset_data *dst_rrset_data; 942 943 src_rrset_key = rinfo->rrsets[i]; 944 src_rrset_data = 945 (struct packed_rrset_data *)src_rrset_key->entry.data; 946 dst_rrset_key = synth_rinfo->rrsets[i]; 947 948 dst_rrset_key->id = src_rrset_key->id; 949 dst_rrset_key->rk = src_rrset_key->rk; 950 951 if (i < rinfo->an_numrrsets && src_rrset_key->rk.type == 952 htons(LDNS_RR_TYPE_A)) { 953 dns64_synth_aaaa_data(src_rrset_key, src_rrset_data, 954 dst_rrset_key, &dst_rrset_data, pq->region); 955 if (dst_rrset_data == NULL) 956 goto srvfail; 957 } else { 958 dst_rrset_key->entry.hash = src_rrset_key->entry.hash; 959 dst_rrset_key->rk.dname = regional_alloc_init( 960 pq->region, src_rrset_key->rk.dname, 961 src_rrset_key->rk.dname_len); 962 if (dst_rrset_key->rk.dname == NULL) 963 goto srvfail; 964 965 dst_rrset_data = regional_alloc_init(pq->region, 966 src_rrset_data, 967 packed_rrset_sizeof(src_rrset_data)); 968 if (dst_rrset_data == NULL) 969 goto srvfail; 970 } 971 972 packed_rrset_ptr_fixup(dst_rrset_data); 973 dst_rrset_key->entry.data = dst_rrset_data; 974 } 975 976 if (!sldns_buffer_set_capacity(pq->abuf, pq->tcp ? UINT16_MAX : 977 pq->edns.udp_size)) 978 goto srvfail; 979 980 sldns_buffer_clear(pq->abuf); 981 982 if (reply_info_encode(&pq->qinfo, synth_rinfo, htons(pq->id), 983 synth_rinfo->flags, pq->abuf, 0, pq->region, 984 pq->tcp ? UINT16_MAX : pq->edns.udp_size, 985 pq->edns.bits & EDNS_DO, MINIMIZE_ANSWER) == 0) 986 goto srvfail; 987 988 reply_info_parsedelete(rinfo, &alloc); 989 alloc_clear(&alloc); 990 return; 991 992 srvfail: 993 reply_info_parsedelete(rinfo, &alloc); 994 alloc_clear(&alloc); 995 error_answer(pq, LDNS_RCODE_SERVFAIL); 996 } 997 998 void 999 resend_dns64_query(struct pending_query *opq) 1000 { 1001 struct pending_query *pq; 1002 struct query_imsg query_imsg; 1003 int rcode; 1004 char dname[LDNS_MAX_DOMAINLEN + 1]; 1005 1006 if ((pq = calloc(1, sizeof(*pq))) == NULL) { 1007 log_warn(NULL); 1008 return; 1009 } 1010 1011 do { 1012 arc4random_buf(&pq->imsg_id, sizeof(pq->imsg_id)); 1013 } while(find_pending_query(pq->imsg_id) != NULL); 1014 1015 TAILQ_INSERT_TAIL(&pending_queries, pq, entry); 1016 1017 pq->from = opq->from; 1018 pq->fd = opq->fd; 1019 opq->fd = -1; 1020 pq->tcp = opq->tcp; 1021 pq->qbuf = sldns_buffer_new(sldns_buffer_capacity(opq->qbuf)); 1022 pq->abuf = sldns_buffer_new(sldns_buffer_capacity(opq->abuf)); 1023 pq->region = regional_create(); 1024 1025 if (!pq->qbuf || !pq->abuf || !pq->region) { 1026 log_warnx("out of memory"); 1027 free_pending_query(pq); 1028 free_pending_query(opq); 1029 return; 1030 } 1031 1032 sldns_buffer_rewind(opq->qbuf); 1033 sldns_buffer_write(pq->qbuf, sldns_buffer_current(opq->qbuf), 1034 sldns_buffer_remaining(opq->qbuf)); 1035 sldns_buffer_flip(pq->qbuf); 1036 1037 if (pq->tcp) { 1038 struct timeval timeout = {TCP_TIMEOUT, 0}; 1039 1040 event_set(&pq->ev, pq->fd, EV_READ | EV_PERSIST, tcp_request, 1041 pq); 1042 event_set(&pq->resp_ev, pq->fd, EV_WRITE | EV_PERSIST, 1043 tcp_response, pq); 1044 evtimer_set(&pq->tmo_ev, tcp_timeout, pq); 1045 evtimer_add(&pq->tmo_ev, &timeout); 1046 } 1047 1048 if (sldns_buffer_remaining(pq->qbuf) < LDNS_HEADER_SIZE) { 1049 log_warnx("bad query: too short, dropped"); 1050 goto drop; 1051 } 1052 1053 pq->id = sldns_buffer_read_u16_at(pq->qbuf, 0); 1054 pq->flags = sldns_buffer_read_u16_at(pq->qbuf, 2); 1055 1056 if (!query_info_parse(&pq->qinfo, pq->qbuf)) { 1057 log_warnx("query_info_parse failed"); 1058 goto drop; 1059 } 1060 1061 rcode = parse_edns_from_query_pkt(pq->qbuf, &pq->edns, NULL, NULL, 1062 pq->region); 1063 if (rcode != LDNS_RCODE_NOERROR) { 1064 error_answer(pq, rcode); 1065 goto send_answer; 1066 } 1067 1068 dname_str(pq->qinfo.qname, dname); 1069 strlcpy(query_imsg.qname, dname, sizeof(query_imsg.qname)); 1070 query_imsg.id = pq->imsg_id; 1071 query_imsg.t = LDNS_RR_TYPE_A; 1072 query_imsg.c = pq->qinfo.qclass; 1073 1074 pq->dns64_synthesize = 1; 1075 1076 if (frontend_imsg_compose_resolver(IMSG_QUERY, 0, &query_imsg, 1077 sizeof(query_imsg)) == -1) { 1078 error_answer(pq, LDNS_RCODE_SERVFAIL); 1079 goto send_answer; 1080 } 1081 1082 free_pending_query(opq); 1083 return; 1084 1085 send_answer: 1086 free_pending_query(opq); 1087 send_answer(pq); 1088 return; 1089 1090 drop: 1091 free_pending_query(opq); 1092 free_pending_query(pq); 1093 } 1094 1095 void 1096 chaos_answer(struct pending_query *pq) 1097 { 1098 size_t len; 1099 const char *name = "unwind"; 1100 1101 len = strlen(name); 1102 if (!sldns_buffer_set_capacity(pq->abuf, 1103 sldns_buffer_capacity(pq->qbuf) + COMPRESSED_RR_SIZE + 1 + len)) { 1104 error_answer(pq, LDNS_RCODE_SERVFAIL); 1105 return; 1106 } 1107 1108 sldns_buffer_copy(pq->abuf, pq->qbuf); 1109 1110 sldns_buffer_clear(pq->abuf); 1111 1112 sldns_buffer_skip(pq->abuf, sizeof(uint16_t)); /* skip id */ 1113 sldns_buffer_write_u16(pq->abuf, 0); /* clear flags */ 1114 LDNS_QR_SET(sldns_buffer_begin(pq->abuf)); 1115 LDNS_RA_SET(sldns_buffer_begin(pq->abuf)); 1116 if (LDNS_RD_WIRE(sldns_buffer_begin(pq->qbuf))) 1117 LDNS_RD_SET(sldns_buffer_begin(pq->abuf)); 1118 if (LDNS_CD_WIRE(sldns_buffer_begin(pq->qbuf))) 1119 LDNS_CD_SET(sldns_buffer_begin(pq->abuf)); 1120 LDNS_RCODE_SET(sldns_buffer_begin(pq->abuf), LDNS_RCODE_NOERROR); 1121 sldns_buffer_write_u16(pq->abuf, 1); /* qdcount */ 1122 sldns_buffer_write_u16(pq->abuf, 1); /* ancount */ 1123 sldns_buffer_write_u16(pq->abuf, 0); /* nscount */ 1124 sldns_buffer_write_u16(pq->abuf, 0); /* arcount */ 1125 (void)query_dname_len(pq->abuf); /* skip qname */ 1126 sldns_buffer_skip(pq->abuf, sizeof(uint16_t)); /* skip qtype */ 1127 sldns_buffer_skip(pq->abuf, sizeof(uint16_t)); /* skip qclass */ 1128 1129 sldns_buffer_write_u16(pq->abuf, 0xc00c); /* ptr to query */ 1130 sldns_buffer_write_u16(pq->abuf, LDNS_RR_TYPE_TXT); 1131 sldns_buffer_write_u16(pq->abuf, LDNS_RR_CLASS_CH); 1132 sldns_buffer_write_u32(pq->abuf, 0); /* TTL */ 1133 sldns_buffer_write_u16(pq->abuf, 1 + len); /* RDLENGTH */ 1134 sldns_buffer_write_u8(pq->abuf, len); /* length octed */ 1135 sldns_buffer_write(pq->abuf, name, len); 1136 sldns_buffer_flip(pq->abuf); 1137 } 1138 1139 void 1140 error_answer(struct pending_query *pq, int rcode) 1141 { 1142 sldns_buffer_clear(pq->abuf); 1143 error_encode(pq->abuf, rcode, &pq->qinfo, htons(pq->id), pq->flags, 1144 pq->edns.edns_present ? &pq->edns : NULL); 1145 } 1146 1147 int 1148 check_query(sldns_buffer* pkt) 1149 { 1150 if(sldns_buffer_limit(pkt) < LDNS_HEADER_SIZE) { 1151 log_warnx("bad query: too short, dropped"); 1152 return -1; 1153 } 1154 if(LDNS_QR_WIRE(sldns_buffer_begin(pkt))) { 1155 log_warnx("bad query: QR set, dropped"); 1156 return -1; 1157 } 1158 if(LDNS_TC_WIRE(sldns_buffer_begin(pkt))) { 1159 LDNS_TC_CLR(sldns_buffer_begin(pkt)); 1160 log_warnx("bad query: TC set"); 1161 return (LDNS_RCODE_FORMERR); 1162 } 1163 if(!(LDNS_RD_WIRE(sldns_buffer_begin(pkt)))) { 1164 log_warnx("bad query: RD not set"); 1165 return (LDNS_RCODE_REFUSED); 1166 } 1167 if(LDNS_OPCODE_WIRE(sldns_buffer_begin(pkt)) != LDNS_PACKET_QUERY) { 1168 log_warnx("bad query: unknown opcode %d", 1169 LDNS_OPCODE_WIRE(sldns_buffer_begin(pkt))); 1170 return (LDNS_RCODE_NOTIMPL); 1171 } 1172 1173 if (LDNS_QDCOUNT(sldns_buffer_begin(pkt)) != 1 && 1174 LDNS_ANCOUNT(sldns_buffer_begin(pkt))!= 0 && 1175 LDNS_NSCOUNT(sldns_buffer_begin(pkt))!= 0 && 1176 LDNS_ARCOUNT(sldns_buffer_begin(pkt)) > 1) { 1177 log_warnx("bad query: qdcount: %d, ancount: %d " 1178 "nscount: %d, arcount: %d", 1179 LDNS_QDCOUNT(sldns_buffer_begin(pkt)), 1180 LDNS_ANCOUNT(sldns_buffer_begin(pkt)), 1181 LDNS_NSCOUNT(sldns_buffer_begin(pkt)), 1182 LDNS_ARCOUNT(sldns_buffer_begin(pkt))); 1183 return (LDNS_RCODE_FORMERR); 1184 } 1185 return (LDNS_RCODE_NOERROR); 1186 } 1187 1188 void 1189 send_answer(struct pending_query *pq) 1190 { 1191 char *str; 1192 1193 if (log_getverbose() & OPT_VERBOSE2 && (str = 1194 sldns_wire2str_pkt(sldns_buffer_begin(pq->abuf), 1195 sldns_buffer_limit(pq->abuf))) != NULL) { 1196 log_debug("from: %s\n%s", ip_port((struct sockaddr *) 1197 &pq->from), str); 1198 free(str); 1199 } 1200 1201 if (!pq->tcp) { 1202 if(sendto(pq->fd, sldns_buffer_current(pq->abuf), 1203 sldns_buffer_remaining(pq->abuf), 0, 1204 (struct sockaddr *)&pq->from, pq->from.ss_len) == -1) 1205 log_warn("sendto"); 1206 free_pending_query(pq); 1207 } else { 1208 struct sldns_buffer *tmp; 1209 1210 tmp = sldns_buffer_new(sldns_buffer_limit(pq->abuf) + 2); 1211 1212 if (!tmp) { 1213 free_pending_query(pq); 1214 return; 1215 } 1216 1217 sldns_buffer_write_u16(tmp, sldns_buffer_limit(pq->abuf)); 1218 sldns_buffer_write(tmp, sldns_buffer_current(pq->abuf), 1219 sldns_buffer_remaining(pq->abuf)); 1220 sldns_buffer_flip(tmp); 1221 sldns_buffer_free(pq->abuf); 1222 pq->abuf = tmp; 1223 event_add(&pq->resp_ev, NULL); 1224 } 1225 } 1226 1227 char* 1228 ip_port(struct sockaddr *sa) 1229 { 1230 static char hbuf[NI_MAXHOST], buf[NI_MAXHOST]; 1231 1232 if (getnameinfo(sa, sa->sa_len, hbuf, sizeof(hbuf), NULL, 0, 1233 NI_NUMERICHOST) != 0) { 1234 snprintf(buf, sizeof(buf), "%s", "(unknown)"); 1235 return buf; 1236 } 1237 1238 if (sa->sa_family == AF_INET6) 1239 snprintf(buf, sizeof(buf), "[%s]:%d", hbuf, ntohs( 1240 ((struct sockaddr_in6 *)sa)->sin6_port)); 1241 if (sa->sa_family == AF_INET) 1242 snprintf(buf, sizeof(buf), "[%s]:%d", hbuf, ntohs( 1243 ((struct sockaddr_in *)sa)->sin_port)); 1244 1245 return buf; 1246 } 1247 1248 struct pending_query* 1249 find_pending_query(uint64_t id) 1250 { 1251 struct pending_query *pq; 1252 1253 TAILQ_FOREACH(pq, &pending_queries, entry) 1254 if (pq->imsg_id == id) 1255 return pq; 1256 return NULL; 1257 } 1258 1259 void 1260 route_receive(int fd, short events, void *arg) 1261 { 1262 static uint8_t *buf; 1263 1264 struct rt_msghdr *rtm; 1265 struct sockaddr *sa, *rti_info[RTAX_MAX]; 1266 ssize_t n; 1267 1268 if (buf == NULL) { 1269 buf = malloc(ROUTE_SOCKET_BUF_SIZE); 1270 if (buf == NULL) 1271 fatal("malloc"); 1272 } 1273 rtm = (struct rt_msghdr *)buf; 1274 if ((n = read(fd, buf, ROUTE_SOCKET_BUF_SIZE)) == -1) { 1275 if (errno == EAGAIN || errno == EINTR) 1276 return; 1277 log_warn("dispatch_rtmsg: read error"); 1278 return; 1279 } 1280 1281 if (n == 0) 1282 fatal("routing socket closed"); 1283 1284 if (n < (ssize_t)sizeof(rtm->rtm_msglen) || n < rtm->rtm_msglen) { 1285 log_warnx("partial rtm of %zd in buffer", n); 1286 return; 1287 } 1288 1289 if (rtm->rtm_version != RTM_VERSION) 1290 return; 1291 1292 sa = (struct sockaddr *)(buf + rtm->rtm_hdrlen); 1293 get_rtaddrs(rtm->rtm_addrs, sa, rti_info); 1294 1295 handle_route_message(rtm, rti_info); 1296 } 1297 1298 #define ROUNDUP(a) \ 1299 ((a) > 0 ? (1 + (((a) - 1) | (sizeof(long) - 1))) : sizeof(long)) 1300 1301 void 1302 get_rtaddrs(int addrs, struct sockaddr *sa, struct sockaddr **rti_info) 1303 { 1304 int i; 1305 1306 for (i = 0; i < RTAX_MAX; i++) { 1307 if (addrs & (1 << i)) { 1308 rti_info[i] = sa; 1309 sa = (struct sockaddr *)((char *)(sa) + 1310 ROUNDUP(sa->sa_len)); 1311 } else 1312 rti_info[i] = NULL; 1313 } 1314 } 1315 1316 void 1317 handle_route_message(struct rt_msghdr *rtm, struct sockaddr **rti_info) 1318 { 1319 struct imsg_rdns_proposal rdns_proposal; 1320 struct sockaddr_rtdns *rtdns; 1321 struct if_announcemsghdr *ifan; 1322 1323 switch (rtm->rtm_type) { 1324 case RTM_IFANNOUNCE: 1325 ifan = (struct if_announcemsghdr *)rtm; 1326 if (ifan->ifan_what == IFAN_ARRIVAL) 1327 break; 1328 rdns_proposal.if_index = ifan->ifan_index; 1329 rdns_proposal.src = 0; 1330 rdns_proposal.rtdns.sr_family = AF_INET; 1331 rdns_proposal.rtdns.sr_len = offsetof(struct sockaddr_rtdns, 1332 sr_dns); 1333 frontend_imsg_compose_resolver(IMSG_REPLACE_DNS, 0, 1334 &rdns_proposal, sizeof(rdns_proposal)); 1335 break; 1336 case RTM_IFINFO: 1337 frontend_imsg_compose_resolver(IMSG_NETWORK_CHANGED, 0, NULL, 1338 0); 1339 break; 1340 case RTM_PROPOSAL: 1341 if (!(rtm->rtm_addrs & RTA_DNS)) 1342 break; 1343 1344 rtdns = (struct sockaddr_rtdns*)rti_info[RTAX_DNS]; 1345 rdns_proposal.if_index = rtm->rtm_index; 1346 rdns_proposal.src = rtm->rtm_priority; 1347 memcpy(&rdns_proposal.rtdns, rtdns, sizeof(rdns_proposal.rtdns)); 1348 frontend_imsg_compose_resolver(IMSG_REPLACE_DNS, 0, 1349 &rdns_proposal, sizeof(rdns_proposal)); 1350 break; 1351 case RTM_NEWADDR: 1352 case RTM_DELADDR: 1353 case RTM_DESYNC: 1354 check_available_af(); 1355 break; 1356 default: 1357 break; 1358 } 1359 } 1360 1361 void 1362 add_new_ta(struct trust_anchor_head *tah, char *val) 1363 { 1364 struct trust_anchor *ta, *i; 1365 int cmp; 1366 1367 if ((ta = malloc(sizeof(*ta))) == NULL) 1368 fatal("%s", __func__); 1369 if ((ta->ta = strdup(val)) == NULL) 1370 fatal("%s", __func__); 1371 1372 /* keep the list sorted to prevent churn if the order changes in DNS */ 1373 TAILQ_FOREACH(i, tah, entry) { 1374 cmp = strcmp(i->ta, ta->ta); 1375 if ( cmp == 0) { 1376 /* duplicate */ 1377 free(ta->ta); 1378 free(ta); 1379 return; 1380 } else if (cmp > 0) { 1381 TAILQ_INSERT_BEFORE(i, ta, entry); 1382 return; 1383 } 1384 } 1385 TAILQ_INSERT_TAIL(tah, ta, entry); 1386 } 1387 1388 void 1389 free_tas(struct trust_anchor_head *tah) 1390 { 1391 struct trust_anchor *ta; 1392 1393 while ((ta = TAILQ_FIRST(tah))) { 1394 TAILQ_REMOVE(tah, ta, entry); 1395 free(ta->ta); 1396 free(ta); 1397 } 1398 } 1399 1400 int 1401 merge_tas(struct trust_anchor_head *newh, struct trust_anchor_head *oldh) 1402 { 1403 struct trust_anchor *i, *j; 1404 int chg = 0; 1405 1406 j = TAILQ_FIRST(oldh); 1407 1408 TAILQ_FOREACH(i, newh, entry) { 1409 if (j == NULL || strcmp(i->ta, j->ta) != 0) { 1410 chg = 1; 1411 break; 1412 } 1413 j = TAILQ_NEXT(j, entry); 1414 } 1415 if (j != NULL) 1416 chg = 1; 1417 1418 if (chg) { 1419 free_tas(oldh); 1420 TAILQ_CONCAT(oldh, newh, entry); 1421 } else { 1422 free_tas(newh); 1423 } 1424 return (chg); 1425 } 1426 1427 void 1428 parse_trust_anchor(struct trust_anchor_head *tah, int fd) 1429 { 1430 size_t len, dname_len; 1431 ssize_t n, sz; 1432 uint8_t rr[LDNS_RR_BUF_SIZE]; 1433 char *str, *p, buf[512], *line; 1434 1435 sz = 0; 1436 str = NULL; 1437 1438 while ((n = read(fd, buf, sizeof(buf))) > 0) { 1439 p = recallocarray(str, sz, sz + n, 1); 1440 if (p == NULL) { 1441 log_warn("%s", __func__); 1442 goto out; 1443 } 1444 str = p; 1445 memcpy(str + sz, buf, n); 1446 sz += n; 1447 } 1448 1449 if (n == -1) { 1450 log_warn("%s", __func__); 1451 goto out; 1452 } 1453 1454 /* make it a string */ 1455 p = recallocarray(str, sz, sz + 1, 1); 1456 if (p == NULL) { 1457 log_warn("%s", __func__); 1458 goto out; 1459 } 1460 str = p; 1461 sz++; 1462 1463 len = sizeof(rr); 1464 1465 while ((line = strsep(&p, "\n")) != NULL) { 1466 if (sldns_str2wire_rr_buf(line, rr, &len, &dname_len, 1467 ROOT_DNSKEY_TTL, NULL, 0, NULL, 0) != 0) 1468 continue; 1469 if (sldns_wirerr_get_type(rr, len, dname_len) == 1470 LDNS_RR_TYPE_DNSKEY) 1471 add_new_ta(tah, line); 1472 } 1473 1474 out: 1475 free(str); 1476 return; 1477 } 1478 1479 void 1480 send_trust_anchors(struct trust_anchor_head *tah) 1481 { 1482 struct trust_anchor *ta; 1483 1484 TAILQ_FOREACH(ta, tah, entry) 1485 frontend_imsg_compose_resolver(IMSG_NEW_TA, 0, ta->ta, 1486 strlen(ta->ta) + 1); 1487 frontend_imsg_compose_resolver(IMSG_NEW_TAS_DONE, 0, NULL, 0); 1488 } 1489 1490 void 1491 write_trust_anchors(struct trust_anchor_head *tah, int fd) 1492 { 1493 struct trust_anchor *ta; 1494 size_t len = 0; 1495 ssize_t n; 1496 char *str; 1497 1498 if (lseek(fd, 0, SEEK_SET) == -1) { 1499 log_warn("%s", __func__); 1500 goto out; 1501 } 1502 1503 TAILQ_FOREACH(ta, tah, entry) { 1504 if ((n = asprintf(&str, "%s\n", ta->ta)) == -1) { 1505 log_warn("%s", __func__); 1506 len = 0; 1507 goto out; 1508 } 1509 len += n; 1510 if (write(fd, str, n) != n) { 1511 log_warn("%s", __func__); 1512 free(str); 1513 len = 0; 1514 goto out; 1515 } 1516 free(str); 1517 } 1518 out: 1519 ftruncate(fd, len); 1520 fsync(fd); 1521 } 1522 1523 void 1524 parse_blocklist(int fd) 1525 { 1526 FILE *f; 1527 struct bl_node *bl_node; 1528 char *line = NULL; 1529 size_t linesize = 0; 1530 ssize_t linelen; 1531 1532 if((f = fdopen(fd, "r")) == NULL) { 1533 log_warn("cannot read block list"); 1534 close(fd); 1535 return; 1536 } 1537 1538 free_bl(); 1539 1540 while ((linelen = getline(&line, &linesize, f)) != -1) { 1541 if (line[linelen - 1] == '\n') { 1542 if (linelen >= 2 && line[linelen - 2] != '.') 1543 line[linelen - 1] = '.'; 1544 else 1545 line[linelen - 1] = '\0'; 1546 } 1547 1548 bl_node = malloc(sizeof *bl_node); 1549 if (bl_node == NULL) 1550 fatal("%s: malloc", __func__); 1551 if ((bl_node->domain = strdup(line)) == NULL) 1552 fatal("%s: strdup", __func__); 1553 if (RB_INSERT(bl_tree, &bl_head, bl_node) != NULL) { 1554 log_warnx("duplicate blocked domain \"%s\"", line); 1555 free(bl_node->domain); 1556 free(bl_node); 1557 } 1558 } 1559 free(line); 1560 if (ferror(f)) 1561 log_warn("getline"); 1562 fclose(f); 1563 } 1564 1565 int 1566 bl_cmp(struct bl_node *e1, struct bl_node *e2) { 1567 return (strcasecmp(e1->domain, e2->domain)); 1568 } 1569 1570 void 1571 free_bl(void) 1572 { 1573 struct bl_node *n, *nxt; 1574 1575 RB_FOREACH_SAFE(n, bl_tree, &bl_head, nxt) { 1576 RB_REMOVE(bl_tree, &bl_head, n); 1577 free(n->domain); 1578 free(n); 1579 } 1580 } 1581 1582 int 1583 pending_query_cnt(void) 1584 { 1585 struct pending_query *e; 1586 int cnt = 0; 1587 1588 TAILQ_FOREACH(e, &pending_queries, entry) 1589 cnt++; 1590 return cnt; 1591 } 1592 1593 void 1594 accept_paused(int fd, short events, void *arg) 1595 { 1596 struct tcp_accept_ev *tcpev = arg; 1597 event_add(&tcpev->ev, NULL); 1598 } 1599 1600 int 1601 accept_reserve(int sockfd, struct sockaddr *addr, socklen_t *addrlen) 1602 { 1603 if (getdtablecount() + FD_RESERVE >= getdtablesize()) { 1604 log_debug("%s: inflight fds exceeded", __func__); 1605 errno = EMFILE; 1606 return -1; 1607 } 1608 return accept4(sockfd, addr, addrlen, SOCK_NONBLOCK | SOCK_CLOEXEC); 1609 } 1610 1611 void 1612 tcp_accept(int fd, short events, void *arg) 1613 { 1614 static struct timeval timeout = {TCP_TIMEOUT, 0}; 1615 static struct timeval backoff = {1, 0}; 1616 struct pending_query *pq; 1617 struct tcp_accept_ev *tcpev; 1618 struct sockaddr_storage ss; 1619 socklen_t len; 1620 int s; 1621 1622 tcpev = arg; 1623 len = sizeof(ss); 1624 1625 if ((s = accept_reserve(fd, (struct sockaddr *)&ss, &len)) == -1) { 1626 switch (errno) { 1627 case EINTR: 1628 case EWOULDBLOCK: 1629 case ECONNABORTED: 1630 return; 1631 case EMFILE: 1632 case ENFILE: 1633 event_del(&tcpev->ev); 1634 evtimer_add(&tcpev->pause, &backoff); 1635 return; 1636 default: 1637 fatal("accept"); 1638 } 1639 } 1640 1641 if ((pq = calloc(1, sizeof(*pq))) == NULL) { 1642 log_warn(NULL); 1643 close(s); 1644 return; 1645 } 1646 1647 do { 1648 arc4random_buf(&pq->imsg_id, sizeof(pq->imsg_id)); 1649 } while(find_pending_query(pq->imsg_id) != NULL); 1650 1651 TAILQ_INSERT_TAIL(&pending_queries, pq, entry); 1652 1653 pq->from = ss; 1654 pq->fd = s; 1655 pq->tcp = 1; 1656 pq->qbuf = sldns_buffer_new(DEFAULT_TCP_SIZE); 1657 pq->region = regional_create(); 1658 1659 if (!pq->qbuf || !pq->region) { 1660 free_pending_query(pq); 1661 return; 1662 } 1663 1664 event_set(&pq->ev, s, EV_READ | EV_PERSIST, tcp_request, pq); 1665 event_add(&pq->ev, NULL); 1666 event_set(&pq->resp_ev, s, EV_WRITE | EV_PERSIST, tcp_response, pq); 1667 1668 evtimer_set(&pq->tmo_ev, tcp_timeout, pq); 1669 evtimer_add(&pq->tmo_ev, &timeout); 1670 } 1671 1672 void 1673 tcp_request(int fd, short events, void *arg) 1674 { 1675 struct pending_query *pq; 1676 ssize_t n; 1677 1678 pq = arg; 1679 1680 n = read(fd, sldns_buffer_current(pq->qbuf), 1681 sldns_buffer_remaining(pq->qbuf)); 1682 1683 switch (n) { 1684 case -1: 1685 switch (errno) { 1686 case EINTR: 1687 case EAGAIN: 1688 return; 1689 default: 1690 goto fail; 1691 } 1692 break; 1693 case 0: 1694 log_debug("closed connection"); 1695 goto fail; 1696 default: 1697 break; 1698 } 1699 1700 sldns_buffer_skip(pq->qbuf, n); 1701 1702 if (sldns_buffer_position(pq->qbuf) >= 2 && !pq->abuf) { 1703 struct sldns_buffer *tmp; 1704 size_t rem; 1705 uint16_t len; 1706 1707 sldns_buffer_flip(pq->qbuf); 1708 len = sldns_buffer_read_u16(pq->qbuf); 1709 tmp = sldns_buffer_new(len); 1710 pq->abuf = sldns_buffer_new(len); 1711 1712 if (!tmp || !pq->abuf) 1713 goto fail; 1714 1715 rem = sldns_buffer_remaining(pq->qbuf); 1716 sldns_buffer_write(tmp, sldns_buffer_current(pq->qbuf), 1717 MINIMUM(len, rem)); 1718 sldns_buffer_free(pq->qbuf); 1719 pq->qbuf = tmp; 1720 } 1721 if (sldns_buffer_remaining(pq->qbuf) == 0) { 1722 sldns_buffer_flip(pq->qbuf); 1723 shutdown(fd, SHUT_RD); 1724 event_del(&pq->ev); 1725 handle_query(pq); 1726 } 1727 return; 1728 fail: 1729 free_pending_query(pq); 1730 } 1731 1732 void 1733 tcp_response(int fd, short events, void *arg) 1734 { 1735 struct pending_query *pq; 1736 ssize_t n; 1737 1738 pq = arg; 1739 1740 n = write(fd, sldns_buffer_current(pq->abuf), 1741 sldns_buffer_remaining(pq->abuf)); 1742 1743 if (n == -1) { 1744 if (errno == EAGAIN || errno == EINTR) 1745 return; 1746 free_pending_query(pq); 1747 } 1748 sldns_buffer_skip(pq->abuf, n); 1749 if (sldns_buffer_remaining(pq->abuf) == 0) 1750 free_pending_query(pq); 1751 } 1752 1753 void 1754 tcp_timeout(int fd, short events, void *arg) 1755 { 1756 free_pending_query(arg); 1757 } 1758 1759 void 1760 check_available_af() 1761 { 1762 static int available_af = HAVE_IPV4 | HAVE_IPV6; 1763 static int rtable = -1; 1764 struct ifaddrs *ifap, *ifa; 1765 struct if_data *ifa_data; 1766 struct sockaddr_in *sin4; 1767 struct sockaddr_in6 *sin6; 1768 int new_available_af = 0, ifa_rtable = -1; 1769 1770 if (rtable == -1) 1771 rtable = getrtable(); 1772 1773 if (getifaddrs(&ifap) != 0) { 1774 log_warn("getifaddrs"); 1775 return; 1776 } 1777 1778 for (ifa = ifap; ifa != NULL; ifa = ifa->ifa_next) { 1779 if (ifa->ifa_addr == NULL) 1780 continue; 1781 switch(ifa->ifa_addr->sa_family) { 1782 case AF_LINK: 1783 /* AF_LINK comes before inet / inet6 on an interface */ 1784 ifa_data = (struct if_data *)ifa->ifa_data; 1785 ifa_rtable = ifa_data->ifi_rdomain; 1786 break; 1787 case AF_INET: 1788 if (ifa_rtable != rtable) 1789 continue; 1790 1791 sin4 = (struct sockaddr_in *)ifa->ifa_addr; 1792 if ((ntohl(sin4->sin_addr.s_addr) >> 24) == 1793 IN_LOOPBACKNET) 1794 continue; 1795 new_available_af |= HAVE_IPV4; 1796 break; 1797 case AF_INET6: 1798 if (ifa_rtable != rtable) 1799 continue; 1800 1801 sin6 = (struct sockaddr_in6 *)ifa->ifa_addr; 1802 if (IN6_IS_ADDR_LOOPBACK(&sin6->sin6_addr) || 1803 IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr) || 1804 IN6_IS_ADDR_MC_LINKLOCAL(&sin6->sin6_addr) || 1805 IN6_IS_ADDR_MC_INTFACELOCAL(&sin6->sin6_addr)) 1806 continue; 1807 new_available_af |= HAVE_IPV6; 1808 break; 1809 default: 1810 break; 1811 } 1812 if (new_available_af == (HAVE_IPV4 | HAVE_IPV6)) 1813 break; 1814 } 1815 freeifaddrs(ifap); 1816 if (new_available_af != available_af) { 1817 available_af = new_available_af; 1818 frontend_imsg_compose_resolver(IMSG_CHANGE_AFS, 0, 1819 &available_af, sizeof(available_af)); 1820 } 1821 } 1822