1 /* $OpenBSD: frontend.c,v 1.67 2021/01/30 10:31:51 florian Exp $ */ 2 3 /* 4 * Copyright (c) 2018 Florian Obser <florian@openbsd.org> 5 * Copyright (c) 2005 Claudio Jeker <claudio@openbsd.org> 6 * Copyright (c) 2004 Esben Norby <norby@openbsd.org> 7 * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> 8 * 9 * Permission to use, copy, modify, and distribute this software for any 10 * purpose with or without fee is hereby granted, provided that the above 11 * copyright notice and this permission notice appear in all copies. 12 * 13 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 14 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 15 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 16 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 17 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 18 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 19 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 20 */ 21 22 #include <sys/types.h> 23 #include <sys/queue.h> 24 #include <sys/socket.h> 25 #include <sys/syslog.h> 26 #include <sys/tree.h> 27 #include <sys/uio.h> 28 29 #include <netinet/in.h> 30 #include <net/if.h> 31 #include <net/route.h> 32 33 #include <errno.h> 34 #include <event.h> 35 #include <ifaddrs.h> 36 #include <imsg.h> 37 #include <netdb.h> 38 #include <pwd.h> 39 #include <signal.h> 40 #include <stdint.h> 41 #include <stdio.h> 42 #include <stdlib.h> 43 #include <string.h> 44 #include <time.h> 45 #include <unistd.h> 46 47 #include "libunbound/config.h" 48 #include "libunbound/sldns/pkthdr.h" 49 #include "libunbound/sldns/sbuffer.h" 50 #include "libunbound/sldns/str2wire.h" 51 #include "libunbound/sldns/wire2str.h" 52 #include "libunbound/util/alloc.h" 53 #include "libunbound/util/net_help.h" 54 #include "libunbound/util/regional.h" 55 #include "libunbound/util/data/dname.h" 56 #include "libunbound/util/data/msgencode.h" 57 #include "libunbound/util/data/msgparse.h" 58 #include "libunbound/util/data/msgreply.h" 59 60 #include "log.h" 61 #include "unwind.h" 62 #include "frontend.h" 63 #include "control.h" 64 #include "dns64_synth.h" 65 66 #define ROUTE_SOCKET_BUF_SIZE 16384 67 68 /* 69 * size of a resource record with name a two octed pointer to qname 70 * 2 octets pointer to qname 71 * 2 octets TYPE 72 * 2 octets CLASS 73 * 4 octets TTL 74 * 2 octets RDLENGTH 75 */ 76 #define COMPRESSED_RR_SIZE 12 77 #define MINIMIZE_ANSWER 1 78 79 #define FD_RESERVE 5 80 #define TCP_TIMEOUT 15 81 #define DEFAULT_TCP_SIZE 512 82 83 struct udp_ev { 84 struct event ev; 85 uint8_t query[65536]; 86 struct msghdr rcvmhdr; 87 struct iovec rcviov[1]; 88 struct sockaddr_storage from; 89 } udp4ev, udp6ev; 90 91 struct tcp_accept_ev { 92 struct event ev; 93 struct event pause; 94 } tcp4ev, tcp6ev; 95 96 struct pending_query { 97 TAILQ_ENTRY(pending_query) entry; 98 struct sockaddr_storage from; 99 struct sldns_buffer *qbuf; 100 struct sldns_buffer *abuf; 101 struct regional *region; 102 struct query_info qinfo; 103 struct msg_parse *qmsg; 104 struct edns_data edns; 105 struct event ev; /* for tcp */ 106 struct event resp_ev; /* for tcp */ 107 struct event tmo_ev; /* for tcp */ 108 uint64_t imsg_id; 109 int fd; 110 int tcp; 111 int dns64_synthesize; 112 }; 113 114 TAILQ_HEAD(, pending_query) pending_queries; 115 116 struct bl_node { 117 RB_ENTRY(bl_node) entry; 118 char *domain; 119 }; 120 121 __dead void frontend_shutdown(void); 122 void frontend_sig_handler(int, short, void *); 123 void frontend_startup(void); 124 void udp_receive(int, short, void *); 125 void handle_query(struct pending_query *); 126 void free_pending_query(struct pending_query *); 127 void tcp_accept(int, short, void *); 128 int accept_reserve(int, struct sockaddr *, socklen_t *); 129 void accept_paused(int, short, void *); 130 void tcp_request(int, short, void *); 131 void tcp_response(int, short, void *); 132 void tcp_timeout(int, short, void *); 133 int check_query(sldns_buffer*); 134 void noerror_answer(struct pending_query *); 135 void synthesize_dns64_answer(struct pending_query *); 136 void resend_dns64_query(struct pending_query *); 137 void chaos_answer(struct pending_query *); 138 void error_answer(struct pending_query *, int rcode); 139 void send_answer(struct pending_query *); 140 void route_receive(int, short, void *); 141 void handle_route_message(struct rt_msghdr *, 142 struct sockaddr **); 143 void get_rtaddrs(int, struct sockaddr *, 144 struct sockaddr **); 145 void rtmget_default(void); 146 struct pending_query *find_pending_query(uint64_t); 147 void parse_trust_anchor(struct trust_anchor_head *, int); 148 void send_trust_anchors(struct trust_anchor_head *); 149 void write_trust_anchors(struct trust_anchor_head *, int); 150 void parse_blocklist(int); 151 int bl_cmp(struct bl_node *, struct bl_node *); 152 void free_bl(void); 153 int pending_query_cnt(void); 154 void check_available_af(void); 155 156 struct uw_conf *frontend_conf; 157 static struct imsgev *iev_main; 158 static struct imsgev *iev_resolver; 159 struct event ev_route; 160 int udp4sock = -1, udp6sock = -1; 161 int tcp4sock = -1, tcp6sock = -1; 162 int ta_fd = -1; 163 164 static struct trust_anchor_head trust_anchors, new_trust_anchors; 165 166 RB_HEAD(bl_tree, bl_node) bl_head = RB_INITIALIZER(&bl_head); 167 RB_PROTOTYPE(bl_tree, bl_node, entry, bl_cmp) 168 RB_GENERATE(bl_tree, bl_node, entry, bl_cmp) 169 170 struct dns64_prefix *dns64_prefixes; 171 int dns64_prefix_count; 172 173 void 174 frontend_sig_handler(int sig, short event, void *bula) 175 { 176 /* 177 * Normal signal handler rules don't apply because libevent 178 * decouples for us. 179 */ 180 181 switch (sig) { 182 case SIGINT: 183 case SIGTERM: 184 frontend_shutdown(); 185 default: 186 fatalx("unexpected signal"); 187 } 188 } 189 190 void 191 frontend(int debug, int verbose) 192 { 193 struct event ev_sigint, ev_sigterm; 194 struct passwd *pw; 195 196 frontend_conf = config_new_empty(); 197 198 log_init(debug, LOG_DAEMON); 199 log_setverbose(verbose); 200 201 if ((pw = getpwnam(UNWIND_USER)) == NULL) 202 fatal("getpwnam"); 203 204 if (chroot(pw->pw_dir) == -1) 205 fatal("chroot"); 206 if (chdir("/") == -1) 207 fatal("chdir(\"/\")"); 208 209 setproctitle("%s", "frontend"); 210 log_procinit("frontend"); 211 212 if (setgroups(1, &pw->pw_gid) || 213 setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) || 214 setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid)) 215 fatal("can't drop privileges"); 216 217 if (pledge("stdio dns unix recvfd", NULL) == -1) 218 fatal("pledge"); 219 220 event_init(); 221 222 /* Setup signal handler. */ 223 signal_set(&ev_sigint, SIGINT, frontend_sig_handler, NULL); 224 signal_set(&ev_sigterm, SIGTERM, frontend_sig_handler, NULL); 225 signal_add(&ev_sigint, NULL); 226 signal_add(&ev_sigterm, NULL); 227 signal(SIGPIPE, SIG_IGN); 228 signal(SIGHUP, SIG_IGN); 229 230 /* Setup pipe and event handler to the parent process. */ 231 if (iev_main != NULL) 232 fatal("iev_main"); 233 if ((iev_main = malloc(sizeof(struct imsgev))) == NULL) 234 fatal(NULL); 235 imsg_init(&iev_main->ibuf, 3); 236 iev_main->handler = frontend_dispatch_main; 237 iev_main->events = EV_READ; 238 event_set(&iev_main->ev, iev_main->ibuf.fd, iev_main->events, 239 iev_main->handler, iev_main); 240 event_add(&iev_main->ev, NULL); 241 242 udp4ev.rcviov[0].iov_base = (caddr_t)udp4ev.query; 243 udp4ev.rcviov[0].iov_len = sizeof(udp4ev.query); 244 udp4ev.rcvmhdr.msg_name = (caddr_t)&udp4ev.from; 245 udp4ev.rcvmhdr.msg_namelen = sizeof(udp4ev.from); 246 udp4ev.rcvmhdr.msg_iov = udp4ev.rcviov; 247 udp4ev.rcvmhdr.msg_iovlen = 1; 248 249 udp6ev.rcviov[0].iov_base = (caddr_t)udp6ev.query; 250 udp6ev.rcviov[0].iov_len = sizeof(udp6ev.query); 251 udp6ev.rcvmhdr.msg_name = (caddr_t)&udp6ev.from; 252 udp6ev.rcvmhdr.msg_namelen = sizeof(udp6ev.from); 253 udp6ev.rcvmhdr.msg_iov = udp6ev.rcviov; 254 udp6ev.rcvmhdr.msg_iovlen = 1; 255 256 TAILQ_INIT(&pending_queries); 257 258 TAILQ_INIT(&trust_anchors); 259 TAILQ_INIT(&new_trust_anchors); 260 261 event_dispatch(); 262 263 frontend_shutdown(); 264 } 265 266 __dead void 267 frontend_shutdown(void) 268 { 269 /* Close pipes. */ 270 msgbuf_write(&iev_resolver->ibuf.w); 271 msgbuf_clear(&iev_resolver->ibuf.w); 272 close(iev_resolver->ibuf.fd); 273 msgbuf_write(&iev_main->ibuf.w); 274 msgbuf_clear(&iev_main->ibuf.w); 275 close(iev_main->ibuf.fd); 276 277 config_clear(frontend_conf); 278 279 free(iev_resolver); 280 free(iev_main); 281 282 log_info("frontend exiting"); 283 exit(0); 284 } 285 286 int 287 frontend_imsg_compose_main(int type, pid_t pid, void *data, uint16_t datalen) 288 { 289 return (imsg_compose_event(iev_main, type, 0, pid, -1, data, datalen)); 290 } 291 292 int 293 frontend_imsg_compose_resolver(int type, pid_t pid, void *data, 294 uint16_t datalen) 295 { 296 return (imsg_compose_event(iev_resolver, type, 0, pid, -1, data, 297 datalen)); 298 } 299 300 void 301 frontend_dispatch_main(int fd, short event, void *bula) 302 { 303 static struct uw_conf *nconf; 304 struct imsg imsg; 305 struct imsgev *iev = bula; 306 struct imsgbuf *ibuf = &iev->ibuf; 307 int n, shut = 0; 308 309 if (event & EV_READ) { 310 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN) 311 fatal("imsg_read error"); 312 if (n == 0) /* Connection closed. */ 313 shut = 1; 314 } 315 if (event & EV_WRITE) { 316 if ((n = msgbuf_write(&ibuf->w)) == -1 && errno != EAGAIN) 317 fatal("msgbuf_write"); 318 if (n == 0) /* Connection closed. */ 319 shut = 1; 320 } 321 322 for (;;) { 323 if ((n = imsg_get(ibuf, &imsg)) == -1) 324 fatal("%s: imsg_get error", __func__); 325 if (n == 0) /* No more messages. */ 326 break; 327 328 switch (imsg.hdr.type) { 329 case IMSG_SOCKET_IPC_RESOLVER: 330 /* 331 * Setup pipe and event handler to the resolver 332 * process. 333 */ 334 if (iev_resolver) { 335 fatalx("%s: received unexpected imsg fd " 336 "to frontend", __func__); 337 break; 338 } 339 if ((fd = imsg.fd) == -1) { 340 fatalx("%s: expected to receive imsg fd to " 341 "frontend but didn't receive any", 342 __func__); 343 break; 344 } 345 346 if (iev_resolver != NULL) 347 fatal("iev_resolver"); 348 iev_resolver = malloc(sizeof(struct imsgev)); 349 if (iev_resolver == NULL) 350 fatal(NULL); 351 352 imsg_init(&iev_resolver->ibuf, fd); 353 iev_resolver->handler = frontend_dispatch_resolver; 354 iev_resolver->events = EV_READ; 355 356 event_set(&iev_resolver->ev, iev_resolver->ibuf.fd, 357 iev_resolver->events, iev_resolver->handler, 358 iev_resolver); 359 event_add(&iev_resolver->ev, NULL); 360 break; 361 case IMSG_RECONF_CONF: 362 case IMSG_RECONF_BLOCKLIST_FILE: 363 case IMSG_RECONF_FORWARDER: 364 case IMSG_RECONF_DOT_FORWARDER: 365 case IMSG_RECONF_FORCE: 366 imsg_receive_config(&imsg, &nconf); 367 break; 368 case IMSG_RECONF_END: 369 if (nconf == NULL) 370 fatalx("%s: IMSG_RECONF_END without " 371 "IMSG_RECONF_CONF", __func__); 372 merge_config(frontend_conf, nconf); 373 if (frontend_conf->blocklist_file == NULL) 374 free_bl(); 375 nconf = NULL; 376 break; 377 case IMSG_UDP6SOCK: 378 if (udp6sock != -1) 379 fatalx("%s: received unexpected udp6sock", 380 __func__); 381 if ((udp6sock = imsg.fd) == -1) 382 fatalx("%s: expected to receive imsg " 383 "UDP6 fd but didn't receive any", __func__); 384 event_set(&udp6ev.ev, udp6sock, EV_READ | EV_PERSIST, 385 udp_receive, &udp6ev); 386 event_add(&udp6ev.ev, NULL); 387 break; 388 case IMSG_UDP4SOCK: 389 if (udp4sock != -1) 390 fatalx("%s: received unexpected udp4sock", 391 __func__); 392 if ((udp4sock = imsg.fd) == -1) 393 fatalx("%s: expected to receive imsg " 394 "UDP4 fd but didn't receive any", __func__); 395 event_set(&udp4ev.ev, udp4sock, EV_READ | EV_PERSIST, 396 udp_receive, &udp4ev); 397 event_add(&udp4ev.ev, NULL); 398 break; 399 case IMSG_TCP4SOCK: 400 if (tcp4sock != -1) 401 fatalx("%s: received unexpected tcp4sock", 402 __func__); 403 if ((tcp4sock = imsg.fd) == -1) 404 fatalx("%s: expected to receive imsg " 405 "TCP4 fd but didn't receive any", __func__); 406 event_set(&tcp4ev.ev, tcp4sock, EV_READ | EV_PERSIST, 407 tcp_accept, &tcp4ev); 408 event_add(&tcp4ev.ev, NULL); 409 evtimer_set(&tcp4ev.pause, accept_paused, &tcp4ev); 410 break; 411 case IMSG_TCP6SOCK: 412 if (tcp6sock != -1) 413 fatalx("%s: received unexpected tcp6sock", 414 __func__); 415 if ((tcp6sock = imsg.fd) == -1) 416 fatalx("%s: expected to receive imsg " 417 "TCP6 fd but didn't receive any", __func__); 418 event_set(&tcp6ev.ev, tcp6sock, EV_READ | EV_PERSIST, 419 tcp_accept, &tcp6ev); 420 event_add(&tcp6ev.ev, NULL); 421 evtimer_set(&tcp6ev.pause, accept_paused, &tcp6ev); 422 break; 423 case IMSG_ROUTESOCK: { 424 static int routesock = -1; 425 426 if (routesock != -1) 427 fatalx("%s: received unexpected routesock", 428 __func__); 429 if ((fd = imsg.fd) == -1) 430 fatalx("%s: expected to receive imsg " 431 "routesocket fd but didn't receive any", 432 __func__); 433 routesock = fd; 434 event_set(&ev_route, fd, EV_READ | EV_PERSIST, 435 route_receive, NULL); 436 break; 437 } 438 case IMSG_STARTUP: 439 frontend_startup(); 440 break; 441 case IMSG_CONTROLFD: 442 if ((fd = imsg.fd) == -1) 443 fatalx("%s: expected to receive imsg control " 444 "fd but didn't receive any", __func__); 445 /* Listen on control socket. */ 446 control_listen(fd); 447 break; 448 case IMSG_TAFD: 449 if ((ta_fd = imsg.fd) == -1) 450 fatalx("%s: expected to receive imsg trust " 451 "anchor fd but didn't receive any", 452 __func__); 453 if (TAILQ_EMPTY(&trust_anchors)) { 454 /* 455 * We did not receive a trustanchor from DNS, 456 * maybe the built-in one is out of date, try 457 * with the one from disk. 458 */ 459 parse_trust_anchor(&trust_anchors, ta_fd); 460 if (!TAILQ_EMPTY(&trust_anchors)) 461 send_trust_anchors(&trust_anchors); 462 } else 463 write_trust_anchors(&trust_anchors, ta_fd); 464 break; 465 case IMSG_BLFD: 466 if ((fd = imsg.fd) == -1) 467 fatalx("%s: expected to receive imsg block " 468 "list fd but didn't receive any", __func__); 469 parse_blocklist(fd); 470 break; 471 default: 472 log_debug("%s: error handling imsg %d", __func__, 473 imsg.hdr.type); 474 break; 475 } 476 imsg_free(&imsg); 477 } 478 if (!shut) 479 imsg_event_add(iev); 480 else { 481 /* This pipe is dead. Remove its event handler. */ 482 event_del(&iev->ev); 483 event_loopexit(NULL); 484 } 485 } 486 487 void 488 frontend_dispatch_resolver(int fd, short event, void *bula) 489 { 490 static struct dns64_prefix *new_dns64_prefixes = NULL; 491 static int new_dns64_prefix_count = 0; 492 static int new_dns64_prefix_pos = 0; 493 struct pending_query *pq; 494 struct imsgev *iev = bula; 495 struct imsgbuf *ibuf = &iev->ibuf; 496 struct imsg imsg; 497 int n, shut = 0, chg; 498 499 if (event & EV_READ) { 500 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN) 501 fatal("imsg_read error"); 502 if (n == 0) /* Connection closed. */ 503 shut = 1; 504 } 505 if (event & EV_WRITE) { 506 if ((n = msgbuf_write(&ibuf->w)) == -1 && errno != EAGAIN) 507 fatal("msgbuf_write"); 508 if (n == 0) /* Connection closed. */ 509 shut = 1; 510 } 511 512 for (;;) { 513 if ((n = imsg_get(ibuf, &imsg)) == -1) 514 fatal("%s: imsg_get error", __func__); 515 if (n == 0) /* No more messages. */ 516 break; 517 518 switch (imsg.hdr.type) { 519 case IMSG_ANSWER: { 520 struct answer_header *answer_header; 521 int data_len; 522 uint8_t *data; 523 524 if (IMSG_DATA_SIZE(imsg) < sizeof(*answer_header)) 525 fatalx("%s: IMSG_ANSWER wrong length: " 526 "%lu", __func__, IMSG_DATA_SIZE(imsg)); 527 answer_header = (struct answer_header *)imsg.data; 528 data = (uint8_t *)imsg.data + sizeof(*answer_header); 529 if (answer_header->answer_len > UINT16_MAX) 530 fatalx("%s: IMSG_ANSWER answer too big: %d", 531 __func__, answer_header->answer_len); 532 data_len = IMSG_DATA_SIZE(imsg) - 533 sizeof(*answer_header); 534 535 if ((pq = find_pending_query(answer_header->id)) == 536 NULL) { 537 log_warnx("%s: cannot find pending query %llu", 538 __func__, answer_header->id); 539 break; 540 } 541 542 if (answer_header->srvfail) { 543 error_answer(pq, LDNS_RCODE_SERVFAIL); 544 send_answer(pq); 545 break; 546 } 547 548 if (answer_header->bogus && !(pq->qmsg->flags & 549 BIT_CD)) { 550 error_answer(pq, LDNS_RCODE_SERVFAIL); 551 send_answer(pq); 552 break; 553 } 554 555 if (sldns_buffer_position(pq->abuf) == 0 && 556 !sldns_buffer_set_capacity(pq->abuf, 557 answer_header->answer_len)) { 558 error_answer(pq, LDNS_RCODE_SERVFAIL); 559 send_answer(pq); 560 break; 561 } 562 563 if (sldns_buffer_position(pq->abuf) + data_len > 564 sldns_buffer_capacity(pq->abuf)) 565 fatalx("%s: IMSG_ANSWER answer too big: %d", 566 __func__, data_len); 567 sldns_buffer_write(pq->abuf, data, data_len); 568 569 if (sldns_buffer_position(pq->abuf) == 570 sldns_buffer_capacity(pq->abuf)) { 571 sldns_buffer_flip(pq->abuf); 572 if (pq->dns64_synthesize) { 573 synthesize_dns64_answer(pq); 574 send_answer(pq); 575 } else { 576 noerror_answer(pq); 577 if (pq->dns64_synthesize) 578 /* we did not find a answer */ 579 resend_dns64_query(pq); 580 else 581 send_answer(pq); 582 } 583 } 584 break; 585 } 586 case IMSG_CTL_RESOLVER_INFO: 587 case IMSG_CTL_AUTOCONF_RESOLVER_INFO: 588 case IMSG_CTL_MEM_INFO: 589 case IMSG_CTL_END: 590 control_imsg_relay(&imsg); 591 break; 592 case IMSG_NEW_TA: 593 /* make sure this is a string */ 594 ((char *)imsg.data)[IMSG_DATA_SIZE(imsg) - 1] = '\0'; 595 add_new_ta(&new_trust_anchors, imsg.data); 596 break; 597 case IMSG_NEW_TAS_ABORT: 598 free_tas(&new_trust_anchors); 599 break; 600 case IMSG_NEW_TAS_DONE: 601 chg = merge_tas(&new_trust_anchors, &trust_anchors); 602 if (chg) 603 send_trust_anchors(&trust_anchors); 604 605 /* 606 * always write trust anchors, the modify date on 607 * the file is an indication when we made progress 608 */ 609 if (ta_fd != -1) 610 write_trust_anchors(&trust_anchors, ta_fd); 611 break; 612 case IMSG_NEW_DNS64_PREFIXES_START: 613 if (IMSG_DATA_SIZE(imsg) != 614 sizeof(new_dns64_prefix_count)) 615 fatalx("%s: IMSG_NEW_DNS64_PREFIXES_START " 616 "wrong length: %lu", __func__, 617 IMSG_DATA_SIZE(imsg)); 618 memcpy(&new_dns64_prefix_count, imsg.data, 619 sizeof(new_dns64_prefix_count)); 620 free(new_dns64_prefixes); 621 new_dns64_prefixes = NULL; 622 if (new_dns64_prefix_count > 0) 623 new_dns64_prefixes = 624 calloc(new_dns64_prefix_count, 625 sizeof(struct dns64_prefix)); 626 new_dns64_prefix_pos = 0; 627 break; 628 case IMSG_NEW_DNS64_PREFIX: { 629 if (IMSG_DATA_SIZE(imsg) != sizeof(struct dns64_prefix)) 630 fatalx("%s: IMSG_NEW_DNS64_PREFIX wrong " 631 "length: %lu", __func__, 632 IMSG_DATA_SIZE(imsg)); 633 if (new_dns64_prefixes == NULL) 634 break; 635 if (new_dns64_prefix_pos >= new_dns64_prefix_count) 636 fatalx("%s: IMSG_NEW_DNS64_PREFIX: too many " 637 "prefixes", __func__); 638 memcpy(&new_dns64_prefixes[new_dns64_prefix_pos++], 639 imsg.data, sizeof(struct dns64_prefix)); 640 break; 641 } 642 case IMSG_NEW_DNS64_PREFIXES_DONE: 643 free(dns64_prefixes); 644 dns64_prefixes = new_dns64_prefixes; 645 dns64_prefix_count = new_dns64_prefix_count; 646 new_dns64_prefixes = NULL; 647 break; 648 default: 649 log_debug("%s: error handling imsg %d", __func__, 650 imsg.hdr.type); 651 break; 652 } 653 imsg_free(&imsg); 654 } 655 if (!shut) 656 imsg_event_add(iev); 657 else { 658 /* This pipe is dead. Remove its event handler. */ 659 event_del(&iev->ev); 660 event_loopexit(NULL); 661 } 662 } 663 664 void 665 frontend_startup(void) 666 { 667 if (!event_initialized(&ev_route)) 668 fatalx("%s: did not receive a route socket from the main " 669 "process", __func__); 670 671 event_add(&ev_route, NULL); 672 673 frontend_imsg_compose_main(IMSG_STARTUP_DONE, 0, NULL, 0); 674 check_available_af(); 675 } 676 677 void 678 free_pending_query(struct pending_query *pq) 679 { 680 if (!pq) 681 return; 682 683 TAILQ_REMOVE(&pending_queries, pq, entry); 684 regional_destroy(pq->region); 685 sldns_buffer_free(pq->qbuf); 686 sldns_buffer_free(pq->abuf); 687 if (pq->tcp) { 688 if (event_initialized(&pq->ev)) 689 event_del(&pq->ev); 690 if (event_initialized(&pq->resp_ev)) 691 event_del(&pq->resp_ev); 692 if (event_initialized(&pq->tmo_ev)) 693 event_del(&pq->tmo_ev); 694 if (pq->fd != -1) 695 close(pq->fd); 696 } 697 free(pq); 698 } 699 700 void 701 udp_receive(int fd, short events, void *arg) 702 { 703 struct udp_ev *udpev = (struct udp_ev *)arg; 704 struct pending_query *pq = NULL; 705 ssize_t len; 706 707 if ((len = recvmsg(fd, &udpev->rcvmhdr, 0)) == -1) { 708 log_warn("recvmsg"); 709 return; 710 } 711 712 if ((pq = calloc(1, sizeof(*pq))) == NULL) { 713 log_warn(NULL); 714 return; 715 } 716 717 do { 718 arc4random_buf(&pq->imsg_id, sizeof(pq->imsg_id)); 719 } while(find_pending_query(pq->imsg_id) != NULL); 720 721 TAILQ_INSERT_TAIL(&pending_queries, pq, entry); 722 723 pq->from = udpev->from; 724 pq->fd = fd; 725 pq->qbuf = sldns_buffer_new(len); 726 pq->abuf = sldns_buffer_new(len); /* make sure we can send errors */ 727 pq->region = regional_create(); 728 pq->qmsg = regional_alloc(pq->region, sizeof(*pq->qmsg)); 729 730 if (!pq->qbuf || !pq->abuf || !pq->region || !pq->qmsg) { 731 log_warnx("out of memory"); 732 free_pending_query(pq); 733 return; 734 } 735 736 memset(pq->qmsg, 0, sizeof(*pq->qmsg)); 737 sldns_buffer_write(pq->qbuf, udpev->query, len); 738 sldns_buffer_flip(pq->qbuf); 739 handle_query(pq); 740 } 741 742 void 743 handle_query(struct pending_query *pq) 744 { 745 struct query_imsg query_imsg; 746 struct bl_node find; 747 int rcode; 748 char *str; 749 char dname[LDNS_MAX_DOMAINLEN + 1]; 750 char qclass_buf[16]; 751 char qtype_buf[16]; 752 753 if (log_getverbose() & OPT_VERBOSE2 && (str = 754 sldns_wire2str_pkt(sldns_buffer_begin(pq->qbuf), 755 sldns_buffer_limit(pq->qbuf))) != NULL) { 756 log_debug("from: %s\n%s", ip_port((struct sockaddr *) 757 &pq->from), str); 758 free(str); 759 } 760 761 if (!query_info_parse(&pq->qinfo, pq->qbuf)) { 762 log_warnx("query_info_parse failed"); 763 goto drop; 764 } 765 766 sldns_buffer_rewind(pq->qbuf); 767 768 if (parse_packet(pq->qbuf, pq->qmsg, pq->region) != 769 LDNS_RCODE_NOERROR) { 770 log_warnx("parse_packet failed"); 771 goto drop; 772 } 773 774 rcode = check_query(pq->qbuf); 775 switch (rcode) { 776 case LDNS_RCODE_NOERROR: 777 break; 778 case -1: 779 goto drop; 780 default: 781 error_answer(pq, rcode); 782 goto send_answer; 783 } 784 785 rcode = parse_extract_edns(pq->qmsg, &pq->edns, pq->region); 786 if (rcode != LDNS_RCODE_NOERROR) { 787 error_answer(pq, rcode); 788 goto send_answer; 789 } 790 791 if (!dname_valid(pq->qinfo.qname, pq->qinfo.qname_len)) { 792 error_answer(pq, LDNS_RCODE_FORMERR); 793 goto send_answer; 794 } 795 dname_str(pq->qinfo.qname, dname); 796 797 sldns_wire2str_class_buf(pq->qinfo.qclass, qclass_buf, 798 sizeof(qclass_buf)); 799 sldns_wire2str_type_buf(pq->qinfo.qtype, qtype_buf, sizeof(qtype_buf)); 800 log_debug("%s: %s %s %s ?", ip_port((struct sockaddr *)&pq->from), 801 dname, qclass_buf, qtype_buf); 802 803 find.domain = dname; 804 if (RB_FIND(bl_tree, &bl_head, &find) != NULL) { 805 if (frontend_conf->blocklist_log) 806 log_info("blocking %s", dname); 807 error_answer(pq, LDNS_RCODE_REFUSED); 808 goto send_answer; 809 } 810 811 if (pq->qinfo.qtype == LDNS_RR_TYPE_AXFR || pq->qinfo.qtype == 812 LDNS_RR_TYPE_IXFR) { 813 error_answer(pq, LDNS_RCODE_REFUSED); 814 goto send_answer; 815 } 816 817 if(pq->qinfo.qtype == LDNS_RR_TYPE_OPT || 818 pq->qinfo.qtype == LDNS_RR_TYPE_TSIG || 819 pq->qinfo.qtype == LDNS_RR_TYPE_TKEY || 820 pq->qinfo.qtype == LDNS_RR_TYPE_MAILA || 821 pq->qinfo.qtype == LDNS_RR_TYPE_MAILB || 822 (pq->qinfo.qtype >= 128 && pq->qinfo.qtype <= 248)) { 823 error_answer(pq, LDNS_RCODE_FORMERR); 824 goto send_answer; 825 } 826 827 if (pq->qinfo.qclass == LDNS_RR_CLASS_CH) { 828 if (strcasecmp(dname, "version.server.") == 0 || 829 strcasecmp(dname, "version.bind.") == 0) { 830 chaos_answer(pq); 831 } else 832 error_answer(pq, LDNS_RCODE_REFUSED); 833 goto send_answer; 834 } 835 836 if (strlcpy(query_imsg.qname, dname, sizeof(query_imsg.qname)) >= 837 sizeof(query_imsg.qname)) { 838 log_warnx("qname too long"); 839 error_answer(pq, LDNS_RCODE_FORMERR); 840 goto send_answer; 841 } 842 query_imsg.id = pq->imsg_id; 843 query_imsg.t = pq->qinfo.qtype; 844 query_imsg.c = pq->qinfo.qclass; 845 846 if (frontend_imsg_compose_resolver(IMSG_QUERY, 0, &query_imsg, 847 sizeof(query_imsg)) == -1) { 848 error_answer(pq, LDNS_RCODE_SERVFAIL); 849 goto send_answer; 850 } 851 return; 852 853 send_answer: 854 send_answer(pq); 855 return; 856 857 drop: 858 free_pending_query(pq); 859 } 860 861 void 862 noerror_answer(struct pending_query *pq) 863 { 864 struct query_info skip, qinfo; 865 struct reply_info *rinfo = NULL; 866 struct alloc_cache alloc; 867 struct edns_data edns; 868 struct ub_packed_rrset_key *an_rrset = NULL; 869 struct packed_rrset_data *an_rrset_data = NULL; 870 871 alloc_init(&alloc, NULL, 0); 872 memset(&qinfo, 0, sizeof(qinfo)); 873 /* read past query section, no memory is allocated */ 874 if (!query_info_parse(&skip, pq->abuf)) 875 goto srvfail; 876 877 if (reply_info_parse(pq->abuf, &alloc, &qinfo, &rinfo, pq->region, 878 &edns) != 0) 879 goto srvfail; 880 881 if ((an_rrset = reply_find_answer_rrset(&qinfo, rinfo)) != NULL) 882 an_rrset_data = (struct packed_rrset_data*)an_rrset->entry.data; 883 884 /* reply_info_parse() allocates memory */ 885 query_info_clear(&qinfo); 886 887 /* XXX check that there a no AAAA records in answer section? */ 888 if ((an_rrset_data == NULL || an_rrset_data->count == 0) && 889 !pq->dns64_synthesize && pq->qinfo.qtype == LDNS_RR_TYPE_AAAA && 890 pq->qinfo.qclass == LDNS_RR_CLASS_IN && dns64_prefix_count > 0) { 891 pq->dns64_synthesize = 1; 892 return; 893 } 894 895 sldns_buffer_clear(pq->abuf); 896 if (reply_info_encode(&pq->qinfo, rinfo, pq->qmsg->id, rinfo->flags, 897 pq->abuf, 0, pq->region, pq->tcp ? UINT16_MAX : pq->edns.udp_size, 898 pq->edns.bits & EDNS_DO, MINIMIZE_ANSWER) == 0) 899 goto srvfail; 900 901 reply_info_parsedelete(rinfo, &alloc); 902 alloc_clear(&alloc); 903 return; 904 905 srvfail: 906 reply_info_parsedelete(rinfo, &alloc); 907 alloc_clear(&alloc); 908 error_answer(pq, LDNS_RCODE_SERVFAIL); 909 } 910 911 void 912 synthesize_dns64_answer(struct pending_query *pq) 913 { 914 struct query_info skip, qinfo; 915 struct reply_info *rinfo = NULL, *synth_rinfo = NULL; 916 struct alloc_cache alloc; 917 struct edns_data edns; 918 size_t i; 919 920 pq->dns64_synthesize = 0; 921 922 alloc_init(&alloc, NULL, 0); 923 memset(&qinfo, 0, sizeof(qinfo)); 924 /* read past query section, no memory is allocated */ 925 if (!query_info_parse(&skip, pq->abuf)) 926 goto srvfail; 927 928 if (reply_info_parse(pq->abuf, &alloc, &qinfo, &rinfo, pq->region, 929 &edns) != 0) 930 goto srvfail; 931 932 /* reply_info_parse() allocates memory */ 933 query_info_clear(&qinfo); 934 935 synth_rinfo = construct_reply_info_base(pq->region, rinfo->flags, 936 rinfo->qdcount, rinfo->ttl, rinfo->prefetch_ttl, 937 rinfo->serve_expired_ttl, rinfo->an_numrrsets, 938 rinfo->ns_numrrsets, rinfo->ar_numrrsets, rinfo->rrset_count, 939 rinfo->security); 940 941 if (!synth_rinfo) 942 goto srvfail; 943 944 if(!reply_info_alloc_rrset_keys(synth_rinfo, NULL, pq->region)) 945 goto srvfail; 946 947 for (i = 0; i < synth_rinfo->rrset_count; i++) { 948 struct ub_packed_rrset_key *src_rrset_key, *dst_rrset_key; 949 struct packed_rrset_data *src_rrset_data; 950 struct packed_rrset_data *dst_rrset_data; 951 952 src_rrset_key = rinfo->rrsets[i]; 953 src_rrset_data = 954 (struct packed_rrset_data *)src_rrset_key->entry.data; 955 dst_rrset_key = synth_rinfo->rrsets[i]; 956 957 dst_rrset_key->id = src_rrset_key->id; 958 dst_rrset_key->rk = src_rrset_key->rk; 959 960 if (i < rinfo->an_numrrsets && src_rrset_key->rk.type == 961 htons(LDNS_RR_TYPE_A)) { 962 dns64_synth_aaaa_data(src_rrset_key, src_rrset_data, 963 dst_rrset_key, &dst_rrset_data, pq->region); 964 if (dst_rrset_data == NULL) 965 goto srvfail; 966 } else { 967 dst_rrset_key->entry.hash = src_rrset_key->entry.hash; 968 dst_rrset_key->rk.dname = regional_alloc_init( 969 pq->region, src_rrset_key->rk.dname, 970 src_rrset_key->rk.dname_len); 971 if (dst_rrset_key->rk.dname == NULL) 972 goto srvfail; 973 974 dst_rrset_data = regional_alloc_init(pq->region, 975 src_rrset_data, 976 packed_rrset_sizeof(src_rrset_data)); 977 if (dst_rrset_data == NULL) 978 goto srvfail; 979 } 980 981 packed_rrset_ptr_fixup(dst_rrset_data); 982 dst_rrset_key->entry.data = dst_rrset_data; 983 } 984 985 if (!sldns_buffer_set_capacity(pq->abuf, pq->tcp ? UINT16_MAX : 986 pq->edns.udp_size)) 987 goto srvfail; 988 989 sldns_buffer_clear(pq->abuf); 990 991 if (reply_info_encode(&pq->qinfo, synth_rinfo, pq->qmsg->id, 992 synth_rinfo->flags, pq->abuf, 0, pq->region, 993 pq->tcp ? UINT16_MAX : pq->edns.udp_size, 994 pq->edns.bits & EDNS_DO, MINIMIZE_ANSWER) == 0) 995 goto srvfail; 996 997 reply_info_parsedelete(rinfo, &alloc); 998 alloc_clear(&alloc); 999 return; 1000 1001 srvfail: 1002 reply_info_parsedelete(rinfo, &alloc); 1003 alloc_clear(&alloc); 1004 error_answer(pq, LDNS_RCODE_SERVFAIL); 1005 } 1006 1007 void 1008 resend_dns64_query(struct pending_query *opq) { 1009 struct pending_query *pq; 1010 struct query_imsg query_imsg; 1011 int rcode; 1012 char dname[LDNS_MAX_DOMAINLEN + 1]; 1013 1014 if ((pq = calloc(1, sizeof(*pq))) == NULL) { 1015 log_warn(NULL); 1016 return; 1017 } 1018 1019 do { 1020 arc4random_buf(&pq->imsg_id, sizeof(pq->imsg_id)); 1021 } while(find_pending_query(pq->imsg_id) != NULL); 1022 1023 TAILQ_INSERT_TAIL(&pending_queries, pq, entry); 1024 1025 pq->from = opq->from; 1026 pq->fd = opq->fd; 1027 opq->fd = -1; 1028 pq->tcp = opq->tcp; 1029 pq->qbuf = sldns_buffer_new(sldns_buffer_capacity(opq->qbuf)); 1030 pq->abuf = sldns_buffer_new(sldns_buffer_capacity(opq->abuf)); 1031 pq->region = regional_create(); 1032 pq->qmsg = regional_alloc(pq->region, sizeof(*pq->qmsg)); 1033 1034 if (!pq->qbuf || !pq->abuf || !pq->region || !pq->qmsg) { 1035 log_warnx("out of memory"); 1036 free_pending_query(pq); 1037 free_pending_query(opq); 1038 return; 1039 } 1040 1041 sldns_buffer_rewind(opq->qbuf); 1042 sldns_buffer_write(pq->qbuf, sldns_buffer_current(opq->qbuf), 1043 sldns_buffer_remaining(opq->qbuf)); 1044 sldns_buffer_flip(pq->qbuf); 1045 memset(pq->qmsg, 0, sizeof(*pq->qmsg)); 1046 1047 if (pq->tcp) { 1048 struct timeval timeout = {TCP_TIMEOUT, 0}; 1049 1050 event_set(&pq->ev, pq->fd, EV_READ | EV_PERSIST, tcp_request, 1051 pq); 1052 event_set(&pq->resp_ev, pq->fd, EV_WRITE | EV_PERSIST, 1053 tcp_response, pq); 1054 evtimer_set(&pq->tmo_ev, tcp_timeout, pq); 1055 evtimer_add(&pq->tmo_ev, &timeout); 1056 } 1057 1058 if (!query_info_parse(&pq->qinfo, pq->qbuf)) { 1059 log_warnx("query_info_parse failed"); 1060 goto drop; 1061 } 1062 1063 sldns_buffer_rewind(pq->qbuf); 1064 1065 if (parse_packet(pq->qbuf, pq->qmsg, pq->region) != 1066 LDNS_RCODE_NOERROR) { 1067 log_warnx("parse_packet failed"); 1068 goto drop; 1069 } 1070 1071 rcode = parse_extract_edns(pq->qmsg, &pq->edns, pq->region); 1072 if (rcode != LDNS_RCODE_NOERROR) { 1073 error_answer(pq, rcode); 1074 goto send_answer; 1075 } 1076 1077 dname_str(pq->qinfo.qname, dname); 1078 strlcpy(query_imsg.qname, dname, sizeof(query_imsg.qname)); 1079 query_imsg.id = pq->imsg_id; 1080 query_imsg.t = LDNS_RR_TYPE_A; 1081 query_imsg.c = pq->qinfo.qclass; 1082 1083 pq->dns64_synthesize = 1; 1084 1085 if (frontend_imsg_compose_resolver(IMSG_QUERY, 0, &query_imsg, 1086 sizeof(query_imsg)) == -1) { 1087 error_answer(pq, LDNS_RCODE_SERVFAIL); 1088 goto send_answer; 1089 } 1090 1091 free_pending_query(opq); 1092 return; 1093 1094 send_answer: 1095 free_pending_query(opq); 1096 send_answer(pq); 1097 return; 1098 1099 drop: 1100 free_pending_query(opq); 1101 free_pending_query(pq); 1102 } 1103 1104 void 1105 chaos_answer(struct pending_query *pq) 1106 { 1107 size_t len; 1108 const char *name = "unwind"; 1109 1110 len = strlen(name); 1111 if (!sldns_buffer_set_capacity(pq->abuf, 1112 sldns_buffer_capacity(pq->qbuf) + COMPRESSED_RR_SIZE + 1 + len)) { 1113 error_answer(pq, LDNS_RCODE_SERVFAIL); 1114 return; 1115 } 1116 1117 sldns_buffer_copy(pq->abuf, pq->qbuf); 1118 1119 sldns_buffer_clear(pq->abuf); 1120 1121 sldns_buffer_skip(pq->abuf, sizeof(uint16_t)); /* skip id */ 1122 sldns_buffer_write_u16(pq->abuf, 0); /* clear flags */ 1123 LDNS_QR_SET(sldns_buffer_begin(pq->abuf)); 1124 LDNS_RA_SET(sldns_buffer_begin(pq->abuf)); 1125 if (LDNS_RD_WIRE(sldns_buffer_begin(pq->qbuf))) 1126 LDNS_RD_SET(sldns_buffer_begin(pq->abuf)); 1127 if (LDNS_CD_WIRE(sldns_buffer_begin(pq->qbuf))) 1128 LDNS_CD_SET(sldns_buffer_begin(pq->abuf)); 1129 LDNS_RCODE_SET(sldns_buffer_begin(pq->abuf), LDNS_RCODE_NOERROR); 1130 sldns_buffer_write_u16(pq->abuf, 1); /* qdcount */ 1131 sldns_buffer_write_u16(pq->abuf, 1); /* ancount */ 1132 sldns_buffer_write_u16(pq->abuf, 0); /* nscount */ 1133 sldns_buffer_write_u16(pq->abuf, 0); /* arcount */ 1134 (void)query_dname_len(pq->abuf); /* skip qname */ 1135 sldns_buffer_skip(pq->abuf, sizeof(uint16_t)); /* skip qtype */ 1136 sldns_buffer_skip(pq->abuf, sizeof(uint16_t)); /* skip qclass */ 1137 1138 sldns_buffer_write_u16(pq->abuf, 0xc00c); /* ptr to query */ 1139 sldns_buffer_write_u16(pq->abuf, LDNS_RR_TYPE_TXT); 1140 sldns_buffer_write_u16(pq->abuf, LDNS_RR_CLASS_CH); 1141 sldns_buffer_write_u32(pq->abuf, 0); /* TTL */ 1142 sldns_buffer_write_u16(pq->abuf, 1 + len); /* RDLENGTH */ 1143 sldns_buffer_write_u8(pq->abuf, len); /* length octed */ 1144 sldns_buffer_write(pq->abuf, name, len); 1145 sldns_buffer_flip(pq->abuf); 1146 } 1147 1148 void 1149 error_answer(struct pending_query *pq, int rcode) 1150 { 1151 sldns_buffer_clear(pq->abuf); 1152 error_encode(pq->abuf, rcode, &pq->qinfo, pq->qmsg->id, 1153 pq->qmsg->flags, pq->edns.edns_present ? &pq->edns : NULL); 1154 } 1155 1156 int 1157 check_query(sldns_buffer* pkt) 1158 { 1159 if(sldns_buffer_limit(pkt) < LDNS_HEADER_SIZE) { 1160 log_warnx("bad query: too short, dropped"); 1161 return -1; 1162 } 1163 if(LDNS_QR_WIRE(sldns_buffer_begin(pkt))) { 1164 log_warnx("bad query: QR set, dropped"); 1165 return -1; 1166 } 1167 if(LDNS_TC_WIRE(sldns_buffer_begin(pkt))) { 1168 LDNS_TC_CLR(sldns_buffer_begin(pkt)); 1169 log_warnx("bad query: TC set"); 1170 return (LDNS_RCODE_FORMERR); 1171 } 1172 if(!(LDNS_RD_WIRE(sldns_buffer_begin(pkt)))) { 1173 log_warnx("bad query: RD not set"); 1174 return (LDNS_RCODE_REFUSED); 1175 } 1176 if(LDNS_OPCODE_WIRE(sldns_buffer_begin(pkt)) != LDNS_PACKET_QUERY) { 1177 log_warnx("bad query: unknown opcode %d", 1178 LDNS_OPCODE_WIRE(sldns_buffer_begin(pkt))); 1179 return (LDNS_RCODE_NOTIMPL); 1180 } 1181 1182 if (LDNS_QDCOUNT(sldns_buffer_begin(pkt)) != 1 && 1183 LDNS_ANCOUNT(sldns_buffer_begin(pkt))!= 0 && 1184 LDNS_NSCOUNT(sldns_buffer_begin(pkt))!= 0 && 1185 LDNS_ARCOUNT(sldns_buffer_begin(pkt)) > 1) { 1186 log_warnx("bad query: qdcount: %d, ancount: %d " 1187 "nscount: %d, arcount: %d", 1188 LDNS_QDCOUNT(sldns_buffer_begin(pkt)), 1189 LDNS_ANCOUNT(sldns_buffer_begin(pkt)), 1190 LDNS_NSCOUNT(sldns_buffer_begin(pkt)), 1191 LDNS_ARCOUNT(sldns_buffer_begin(pkt))); 1192 return (LDNS_RCODE_FORMERR); 1193 } 1194 return 0; 1195 } 1196 1197 void 1198 send_answer(struct pending_query *pq) 1199 { 1200 char *str; 1201 1202 if (log_getverbose() & OPT_VERBOSE2 && (str = 1203 sldns_wire2str_pkt(sldns_buffer_begin(pq->abuf), 1204 sldns_buffer_limit(pq->abuf))) != NULL) { 1205 log_debug("from: %s\n%s", ip_port((struct sockaddr *) 1206 &pq->from), str); 1207 free(str); 1208 } 1209 1210 if (!pq->tcp) { 1211 if(sendto(pq->fd, sldns_buffer_current(pq->abuf), 1212 sldns_buffer_remaining(pq->abuf), 0, 1213 (struct sockaddr *)&pq->from, pq->from.ss_len) == -1) 1214 log_warn("sendto"); 1215 free_pending_query(pq); 1216 } else { 1217 struct sldns_buffer *tmp; 1218 1219 tmp = sldns_buffer_new(sldns_buffer_limit(pq->abuf) + 2); 1220 1221 if (!tmp) { 1222 free_pending_query(pq); 1223 return; 1224 } 1225 1226 sldns_buffer_write_u16(tmp, sldns_buffer_limit(pq->abuf)); 1227 sldns_buffer_write(tmp, sldns_buffer_current(pq->abuf), 1228 sldns_buffer_remaining(pq->abuf)); 1229 sldns_buffer_flip(tmp); 1230 sldns_buffer_free(pq->abuf); 1231 pq->abuf = tmp; 1232 event_add(&pq->resp_ev, NULL); 1233 } 1234 } 1235 1236 char* 1237 ip_port(struct sockaddr *sa) 1238 { 1239 static char hbuf[NI_MAXHOST], buf[NI_MAXHOST]; 1240 1241 if (getnameinfo(sa, sa->sa_len, hbuf, sizeof(hbuf), NULL, 0, 1242 NI_NUMERICHOST) != 0) { 1243 snprintf(buf, sizeof(buf), "%s", "(unknown)"); 1244 return buf; 1245 } 1246 1247 if (sa->sa_family == AF_INET6) 1248 snprintf(buf, sizeof(buf), "[%s]:%d", hbuf, ntohs( 1249 ((struct sockaddr_in6 *)sa)->sin6_port)); 1250 if (sa->sa_family == AF_INET) 1251 snprintf(buf, sizeof(buf), "[%s]:%d", hbuf, ntohs( 1252 ((struct sockaddr_in *)sa)->sin_port)); 1253 1254 return buf; 1255 } 1256 1257 struct pending_query* 1258 find_pending_query(uint64_t id) 1259 { 1260 struct pending_query *pq; 1261 1262 TAILQ_FOREACH(pq, &pending_queries, entry) 1263 if (pq->imsg_id == id) 1264 return pq; 1265 return NULL; 1266 } 1267 1268 void 1269 route_receive(int fd, short events, void *arg) 1270 { 1271 static uint8_t *buf; 1272 1273 struct rt_msghdr *rtm; 1274 struct sockaddr *sa, *rti_info[RTAX_MAX]; 1275 ssize_t n; 1276 1277 if (buf == NULL) { 1278 buf = malloc(ROUTE_SOCKET_BUF_SIZE); 1279 if (buf == NULL) 1280 fatal("malloc"); 1281 } 1282 rtm = (struct rt_msghdr *)buf; 1283 if ((n = read(fd, buf, ROUTE_SOCKET_BUF_SIZE)) == -1) { 1284 if (errno == EAGAIN || errno == EINTR) 1285 return; 1286 log_warn("dispatch_rtmsg: read error"); 1287 return; 1288 } 1289 1290 if (n == 0) 1291 fatal("routing socket closed"); 1292 1293 if (n < (ssize_t)sizeof(rtm->rtm_msglen) || n < rtm->rtm_msglen) { 1294 log_warnx("partial rtm of %zd in buffer", n); 1295 return; 1296 } 1297 1298 if (rtm->rtm_version != RTM_VERSION) 1299 return; 1300 1301 sa = (struct sockaddr *)(buf + rtm->rtm_hdrlen); 1302 get_rtaddrs(rtm->rtm_addrs, sa, rti_info); 1303 1304 handle_route_message(rtm, rti_info); 1305 } 1306 1307 #define ROUNDUP(a) \ 1308 ((a) > 0 ? (1 + (((a) - 1) | (sizeof(long) - 1))) : sizeof(long)) 1309 1310 void 1311 get_rtaddrs(int addrs, struct sockaddr *sa, struct sockaddr **rti_info) 1312 { 1313 int i; 1314 1315 for (i = 0; i < RTAX_MAX; i++) { 1316 if (addrs & (1 << i)) { 1317 rti_info[i] = sa; 1318 sa = (struct sockaddr *)((char *)(sa) + 1319 ROUNDUP(sa->sa_len)); 1320 } else 1321 rti_info[i] = NULL; 1322 } 1323 } 1324 1325 void 1326 handle_route_message(struct rt_msghdr *rtm, struct sockaddr **rti_info) 1327 { 1328 struct imsg_rdns_proposal rdns_proposal; 1329 struct sockaddr_rtdns *rtdns; 1330 struct if_announcemsghdr *ifan; 1331 1332 switch (rtm->rtm_type) { 1333 case RTM_IFANNOUNCE: 1334 ifan = (struct if_announcemsghdr *)rtm; 1335 if (ifan->ifan_what == IFAN_ARRIVAL) 1336 break; 1337 rdns_proposal.if_index = ifan->ifan_index; 1338 rdns_proposal.src = 0; 1339 rdns_proposal.rtdns.sr_family = AF_INET; 1340 rdns_proposal.rtdns.sr_len = offsetof(struct sockaddr_rtdns, 1341 sr_dns); 1342 frontend_imsg_compose_resolver(IMSG_REPLACE_DNS, 0, 1343 &rdns_proposal, sizeof(rdns_proposal)); 1344 break; 1345 case RTM_IFINFO: 1346 frontend_imsg_compose_resolver(IMSG_NETWORK_CHANGED, 0, NULL, 1347 0); 1348 break; 1349 case RTM_PROPOSAL: 1350 if (!(rtm->rtm_addrs & RTA_DNS)) 1351 break; 1352 1353 rtdns = (struct sockaddr_rtdns*)rti_info[RTAX_DNS]; 1354 switch (rtdns->sr_family) { 1355 case AF_INET: 1356 if ((rtdns->sr_len - 2) % sizeof(struct in_addr) != 0) { 1357 log_warnx("ignoring invalid RTM_PROPOSAL"); 1358 return; 1359 } 1360 break; 1361 case AF_INET6: 1362 if ((rtdns->sr_len - 2) % sizeof(struct in6_addr) != 0) { 1363 log_warnx("ignoring invalid RTM_PROPOSAL"); 1364 return; 1365 } 1366 break; 1367 default: 1368 log_warnx("ignoring invalid RTM_PROPOSAL"); 1369 return; 1370 } 1371 rdns_proposal.if_index = rtm->rtm_index; 1372 rdns_proposal.src = rtm->rtm_priority; 1373 memcpy(&rdns_proposal.rtdns, rtdns, sizeof(rdns_proposal.rtdns)); 1374 frontend_imsg_compose_resolver(IMSG_REPLACE_DNS, 0, 1375 &rdns_proposal, sizeof(rdns_proposal)); 1376 break; 1377 case RTM_NEWADDR: 1378 case RTM_DELADDR: 1379 case RTM_DESYNC: 1380 check_available_af(); 1381 break; 1382 default: 1383 break; 1384 } 1385 } 1386 1387 void 1388 add_new_ta(struct trust_anchor_head *tah, char *val) 1389 { 1390 struct trust_anchor *ta, *i; 1391 int cmp; 1392 1393 if ((ta = malloc(sizeof(*ta))) == NULL) 1394 fatal("%s", __func__); 1395 if ((ta->ta = strdup(val)) == NULL) 1396 fatal("%s", __func__); 1397 1398 /* keep the list sorted to prevent churn if the order changes in DNS */ 1399 TAILQ_FOREACH(i, tah, entry) { 1400 cmp = strcmp(i->ta, ta->ta); 1401 if ( cmp == 0) { 1402 /* duplicate */ 1403 free(ta->ta); 1404 free(ta); 1405 return; 1406 } else if (cmp > 0) { 1407 TAILQ_INSERT_BEFORE(i, ta, entry); 1408 return; 1409 } 1410 } 1411 TAILQ_INSERT_TAIL(tah, ta, entry); 1412 } 1413 1414 void 1415 free_tas(struct trust_anchor_head *tah) 1416 { 1417 struct trust_anchor *ta; 1418 1419 while ((ta = TAILQ_FIRST(tah))) { 1420 TAILQ_REMOVE(tah, ta, entry); 1421 free(ta->ta); 1422 free(ta); 1423 } 1424 } 1425 1426 int 1427 merge_tas(struct trust_anchor_head *newh, struct trust_anchor_head *oldh) 1428 { 1429 struct trust_anchor *i, *j; 1430 int chg = 0; 1431 1432 j = TAILQ_FIRST(oldh); 1433 1434 TAILQ_FOREACH(i, newh, entry) { 1435 if (j == NULL || strcmp(i->ta, j->ta) != 0) { 1436 chg = 1; 1437 break; 1438 } 1439 j = TAILQ_NEXT(j, entry); 1440 } 1441 if (j != NULL) 1442 chg = 1; 1443 1444 if (chg) { 1445 free_tas(oldh); 1446 TAILQ_CONCAT(oldh, newh, entry); 1447 } else { 1448 free_tas(newh); 1449 } 1450 return (chg); 1451 } 1452 1453 void 1454 parse_trust_anchor(struct trust_anchor_head *tah, int fd) 1455 { 1456 size_t len, dname_len; 1457 ssize_t n, sz; 1458 uint8_t rr[LDNS_RR_BUF_SIZE]; 1459 char *str, *p, buf[512], *line; 1460 1461 sz = 0; 1462 str = NULL; 1463 1464 while ((n = read(fd, buf, sizeof(buf))) > 0) { 1465 p = recallocarray(str, sz, sz + n, 1); 1466 if (p == NULL) { 1467 log_warn("%s", __func__); 1468 goto out; 1469 } 1470 str = p; 1471 memcpy(str + sz, buf, n); 1472 sz += n; 1473 } 1474 1475 if (n == -1) { 1476 log_warn("%s", __func__); 1477 goto out; 1478 } 1479 1480 /* make it a string */ 1481 p = recallocarray(str, sz, sz + 1, 1); 1482 if (p == NULL) { 1483 log_warn("%s", __func__); 1484 goto out; 1485 } 1486 str = p; 1487 sz++; 1488 1489 len = sizeof(rr); 1490 1491 while ((line = strsep(&p, "\n")) != NULL) { 1492 if (sldns_str2wire_rr_buf(line, rr, &len, &dname_len, 1493 ROOT_DNSKEY_TTL, NULL, 0, NULL, 0) != 0) 1494 continue; 1495 if (sldns_wirerr_get_type(rr, len, dname_len) == 1496 LDNS_RR_TYPE_DNSKEY) 1497 add_new_ta(tah, line); 1498 } 1499 1500 out: 1501 free(str); 1502 return; 1503 } 1504 1505 void 1506 send_trust_anchors(struct trust_anchor_head *tah) 1507 { 1508 struct trust_anchor *ta; 1509 1510 TAILQ_FOREACH(ta, tah, entry) 1511 frontend_imsg_compose_resolver(IMSG_NEW_TA, 0, ta->ta, 1512 strlen(ta->ta) + 1); 1513 frontend_imsg_compose_resolver(IMSG_NEW_TAS_DONE, 0, NULL, 0); 1514 } 1515 1516 void 1517 write_trust_anchors(struct trust_anchor_head *tah, int fd) 1518 { 1519 struct trust_anchor *ta; 1520 size_t len = 0; 1521 ssize_t n; 1522 char *str; 1523 1524 if (lseek(fd, 0, SEEK_SET) == -1) { 1525 log_warn("%s", __func__); 1526 goto out; 1527 } 1528 1529 TAILQ_FOREACH(ta, tah, entry) { 1530 if ((n = asprintf(&str, "%s\n", ta->ta)) == -1) { 1531 log_warn("%s", __func__); 1532 len = 0; 1533 goto out; 1534 } 1535 len += n; 1536 if (write(fd, str, n) != n) { 1537 log_warn("%s", __func__); 1538 free(str); 1539 len = 0; 1540 goto out; 1541 } 1542 free(str); 1543 } 1544 out: 1545 ftruncate(fd, len); 1546 fsync(fd); 1547 } 1548 1549 void 1550 parse_blocklist(int fd) 1551 { 1552 FILE *f; 1553 struct bl_node *bl_node; 1554 char *line = NULL; 1555 size_t linesize = 0; 1556 ssize_t linelen; 1557 1558 if((f = fdopen(fd, "r")) == NULL) { 1559 log_warn("cannot read block list"); 1560 close(fd); 1561 return; 1562 } 1563 1564 free_bl(); 1565 1566 while ((linelen = getline(&line, &linesize, f)) != -1) { 1567 if (line[linelen - 1] == '\n') { 1568 if (linelen >= 2 && line[linelen - 2] != '.') 1569 line[linelen - 1] = '.'; 1570 else 1571 line[linelen - 1] = '\0'; 1572 } 1573 1574 bl_node = malloc(sizeof *bl_node); 1575 if (bl_node == NULL) 1576 fatal("%s: malloc", __func__); 1577 if ((bl_node->domain = strdup(line)) == NULL) 1578 fatal("%s: strdup", __func__); 1579 if (RB_INSERT(bl_tree, &bl_head, bl_node) != NULL) { 1580 log_warnx("duplicate blocked domain \"%s\"", line); 1581 free(bl_node->domain); 1582 free(bl_node); 1583 } 1584 } 1585 free(line); 1586 if (ferror(f)) 1587 log_warn("getline"); 1588 fclose(f); 1589 } 1590 1591 int 1592 bl_cmp(struct bl_node *e1, struct bl_node *e2) { 1593 return (strcasecmp(e1->domain, e2->domain)); 1594 } 1595 1596 void 1597 free_bl(void) 1598 { 1599 struct bl_node *n, *nxt; 1600 1601 RB_FOREACH_SAFE(n, bl_tree, &bl_head, nxt) { 1602 RB_REMOVE(bl_tree, &bl_head, n); 1603 free(n->domain); 1604 free(n); 1605 } 1606 } 1607 1608 int 1609 pending_query_cnt(void) 1610 { 1611 struct pending_query *e; 1612 int cnt = 0; 1613 1614 TAILQ_FOREACH(e, &pending_queries, entry) 1615 cnt++; 1616 return cnt; 1617 } 1618 1619 void 1620 accept_paused(int fd, short events, void *arg) 1621 { 1622 struct tcp_accept_ev *tcpev = arg; 1623 event_add(&tcpev->ev, NULL); 1624 } 1625 1626 int 1627 accept_reserve(int sockfd, struct sockaddr *addr, socklen_t *addrlen) 1628 { 1629 if (getdtablecount() + FD_RESERVE >= getdtablesize()) { 1630 log_debug("%s: inflight fds exceeded", __func__); 1631 errno = EMFILE; 1632 return -1; 1633 } 1634 return accept4(sockfd, addr, addrlen, SOCK_NONBLOCK | SOCK_CLOEXEC); 1635 } 1636 1637 void 1638 tcp_accept(int fd, short events, void *arg) 1639 { 1640 static struct timeval timeout = {TCP_TIMEOUT, 0}; 1641 static struct timeval backoff = {1, 0}; 1642 struct pending_query *pq; 1643 struct tcp_accept_ev *tcpev; 1644 struct sockaddr_storage ss; 1645 socklen_t len; 1646 int s; 1647 1648 tcpev = arg; 1649 len = sizeof(ss); 1650 1651 if ((s = accept_reserve(fd, (struct sockaddr *)&ss, &len)) == -1) { 1652 switch (errno) { 1653 case EINTR: 1654 case EWOULDBLOCK: 1655 case ECONNABORTED: 1656 return; 1657 case EMFILE: 1658 case ENFILE: 1659 event_del(&tcpev->ev); 1660 evtimer_add(&tcpev->pause, &backoff); 1661 return; 1662 default: 1663 fatal("accept"); 1664 } 1665 } 1666 1667 if ((pq = calloc(1, sizeof(*pq))) == NULL) { 1668 log_warn(NULL); 1669 close(s); 1670 return; 1671 } 1672 1673 do { 1674 arc4random_buf(&pq->imsg_id, sizeof(pq->imsg_id)); 1675 } while(find_pending_query(pq->imsg_id) != NULL); 1676 1677 TAILQ_INSERT_TAIL(&pending_queries, pq, entry); 1678 1679 pq->from = ss; 1680 pq->fd = s; 1681 pq->tcp = 1; 1682 pq->qbuf = sldns_buffer_new(DEFAULT_TCP_SIZE); 1683 pq->region = regional_create(); 1684 pq->qmsg = regional_alloc(pq->region, sizeof(*pq->qmsg)); 1685 1686 if (!pq->qbuf || !pq->region || !pq->qmsg) { 1687 free_pending_query(pq); 1688 return; 1689 } 1690 1691 memset(pq->qmsg, 0, sizeof(*pq->qmsg)); 1692 1693 event_set(&pq->ev, s, EV_READ | EV_PERSIST, tcp_request, pq); 1694 event_add(&pq->ev, NULL); 1695 event_set(&pq->resp_ev, s, EV_WRITE | EV_PERSIST, tcp_response, pq); 1696 1697 evtimer_set(&pq->tmo_ev, tcp_timeout, pq); 1698 evtimer_add(&pq->tmo_ev, &timeout); 1699 } 1700 1701 void 1702 tcp_request(int fd, short events, void *arg) 1703 { 1704 struct pending_query *pq; 1705 ssize_t n; 1706 1707 pq = arg; 1708 1709 n = read(fd, sldns_buffer_current(pq->qbuf), 1710 sldns_buffer_remaining(pq->qbuf)); 1711 1712 switch (n) { 1713 case -1: 1714 switch (errno) { 1715 case EINTR: 1716 case EAGAIN: 1717 return; 1718 default: 1719 goto fail; 1720 } 1721 break; 1722 case 0: 1723 log_debug("closed connection"); 1724 goto fail; 1725 default: 1726 break; 1727 } 1728 1729 sldns_buffer_skip(pq->qbuf, n); 1730 1731 if (sldns_buffer_position(pq->qbuf) >= 2 && !pq->abuf) { 1732 struct sldns_buffer *tmp; 1733 uint16_t len; 1734 1735 sldns_buffer_flip(pq->qbuf); 1736 len = sldns_buffer_read_u16(pq->qbuf); 1737 tmp = sldns_buffer_new(len); 1738 pq->abuf = sldns_buffer_new(len); 1739 1740 if (!tmp || !pq->abuf) 1741 goto fail; 1742 1743 sldns_buffer_write(tmp, sldns_buffer_current(pq->qbuf), 1744 sldns_buffer_remaining(pq->qbuf)); 1745 sldns_buffer_free(pq->qbuf); 1746 pq->qbuf = tmp; 1747 } 1748 if (sldns_buffer_remaining(pq->qbuf) == 0) { 1749 sldns_buffer_flip(pq->qbuf); 1750 shutdown(fd, SHUT_RD); 1751 event_del(&pq->ev); 1752 handle_query(pq); 1753 } 1754 return; 1755 fail: 1756 free_pending_query(pq); 1757 } 1758 1759 void 1760 tcp_response(int fd, short events, void *arg) 1761 { 1762 struct pending_query *pq; 1763 ssize_t n; 1764 1765 pq = arg; 1766 1767 n = write(fd, sldns_buffer_current(pq->abuf), 1768 sldns_buffer_remaining(pq->abuf)); 1769 1770 if (n == -1) { 1771 if (errno == EAGAIN || errno == EINTR) 1772 return; 1773 free_pending_query(pq); 1774 } 1775 sldns_buffer_skip(pq->abuf, n); 1776 if (sldns_buffer_remaining(pq->abuf) == 0) 1777 free_pending_query(pq); 1778 } 1779 1780 void 1781 tcp_timeout(int fd, short events, void *arg) 1782 { 1783 free_pending_query(arg); 1784 } 1785 1786 void 1787 check_available_af() 1788 { 1789 static int available_af = HAVE_IPV4 | HAVE_IPV6; 1790 static int rtable = -1; 1791 struct ifaddrs *ifap, *ifa; 1792 struct if_data *ifa_data; 1793 struct sockaddr_in *sin4; 1794 struct sockaddr_in6 *sin6; 1795 int new_available_af = 0, ifa_rtable = -1; 1796 1797 if (rtable == -1) 1798 rtable = getrtable(); 1799 1800 if (getifaddrs(&ifap) != 0) { 1801 log_warn("getifaddrs"); 1802 return; 1803 } 1804 1805 for (ifa = ifap; ifa != NULL; ifa = ifa->ifa_next) { 1806 if (ifa->ifa_addr == NULL) 1807 continue; 1808 switch(ifa->ifa_addr->sa_family) { 1809 case AF_LINK: 1810 /* AF_LINK comes before inet / inet6 on an interface */ 1811 ifa_data = (struct if_data *)ifa->ifa_data; 1812 ifa_rtable = ifa_data->ifi_rdomain; 1813 break; 1814 case AF_INET: 1815 if (ifa_rtable != rtable) 1816 continue; 1817 1818 sin4 = (struct sockaddr_in *)ifa->ifa_addr; 1819 if ((ntohl(sin4->sin_addr.s_addr) >> 24) == 1820 IN_LOOPBACKNET) 1821 continue; 1822 new_available_af |= HAVE_IPV4; 1823 break; 1824 case AF_INET6: 1825 if (ifa_rtable != rtable) 1826 continue; 1827 1828 sin6 = (struct sockaddr_in6 *)ifa->ifa_addr; 1829 if (IN6_IS_ADDR_LOOPBACK(&sin6->sin6_addr) || 1830 IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr) || 1831 IN6_IS_ADDR_MC_LINKLOCAL(&sin6->sin6_addr) || 1832 IN6_IS_ADDR_MC_INTFACELOCAL(&sin6->sin6_addr)) 1833 continue; 1834 new_available_af |= HAVE_IPV6; 1835 break; 1836 default: 1837 break; 1838 } 1839 if (new_available_af == (HAVE_IPV4 | HAVE_IPV6)) 1840 break; 1841 } 1842 freeifaddrs(ifap); 1843 if (new_available_af != available_af) { 1844 available_af = new_available_af; 1845 frontend_imsg_compose_resolver(IMSG_CHANGE_AFS, 0, 1846 &available_af, sizeof(available_af)); 1847 } 1848 } 1849