1 /* $OpenBSD: frontend.c,v 1.73 2022/03/13 15:14:01 florian Exp $ */ 2 3 /* 4 * Copyright (c) 2018 Florian Obser <florian@openbsd.org> 5 * Copyright (c) 2005 Claudio Jeker <claudio@openbsd.org> 6 * Copyright (c) 2004 Esben Norby <norby@openbsd.org> 7 * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> 8 * 9 * Permission to use, copy, modify, and distribute this software for any 10 * purpose with or without fee is hereby granted, provided that the above 11 * copyright notice and this permission notice appear in all copies. 12 * 13 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 14 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 15 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 16 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 17 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 18 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 19 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 20 */ 21 22 #include <sys/types.h> 23 #include <sys/queue.h> 24 #include <sys/socket.h> 25 #include <sys/syslog.h> 26 #include <sys/tree.h> 27 #include <sys/uio.h> 28 29 #include <netinet/in.h> 30 #include <net/if.h> 31 #include <net/route.h> 32 33 #include <errno.h> 34 #include <event.h> 35 #include <ifaddrs.h> 36 #include <imsg.h> 37 #include <netdb.h> 38 #include <pwd.h> 39 #include <signal.h> 40 #include <stdint.h> 41 #include <stdio.h> 42 #include <stdlib.h> 43 #include <string.h> 44 #include <time.h> 45 #include <unistd.h> 46 47 #include "libunbound/config.h" 48 #include "libunbound/sldns/pkthdr.h" 49 #include "libunbound/sldns/sbuffer.h" 50 #include "libunbound/sldns/str2wire.h" 51 #include "libunbound/sldns/wire2str.h" 52 #include "libunbound/util/alloc.h" 53 #include "libunbound/util/net_help.h" 54 #include "libunbound/util/regional.h" 55 #include "libunbound/util/data/dname.h" 56 #include "libunbound/util/data/msgencode.h" 57 #include "libunbound/util/data/msgparse.h" 58 #include "libunbound/util/data/msgreply.h" 59 60 #include "log.h" 61 #include "unwind.h" 62 #include "frontend.h" 63 #include "control.h" 64 #include "dns64_synth.h" 65 66 #define ROUTE_SOCKET_BUF_SIZE 16384 67 68 /* 69 * size of a resource record with name a two octed pointer to qname 70 * 2 octets pointer to qname 71 * 2 octets TYPE 72 * 2 octets CLASS 73 * 4 octets TTL 74 * 2 octets RDLENGTH 75 */ 76 #define COMPRESSED_RR_SIZE 12 77 #define MINIMIZE_ANSWER 1 78 79 #define FD_RESERVE 5 80 #define TCP_TIMEOUT 15 81 #define DEFAULT_TCP_SIZE 512 82 83 struct udp_ev { 84 struct event ev; 85 uint8_t query[65536]; 86 struct msghdr rcvmhdr; 87 struct iovec rcviov[1]; 88 struct sockaddr_storage from; 89 } udp4ev, udp6ev; 90 91 struct tcp_accept_ev { 92 struct event ev; 93 struct event pause; 94 } tcp4ev, tcp6ev; 95 96 struct pending_query { 97 TAILQ_ENTRY(pending_query) entry; 98 struct sockaddr_storage from; 99 struct sldns_buffer *qbuf; 100 struct sldns_buffer *abuf; 101 struct regional *region; 102 struct query_info qinfo; 103 struct edns_data edns; 104 struct event ev; /* for tcp */ 105 struct event resp_ev; /* for tcp */ 106 struct event tmo_ev; /* for tcp */ 107 uint64_t imsg_id; 108 uint16_t id; 109 uint16_t flags; 110 int fd; 111 int tcp; 112 int dns64_synthesize; 113 }; 114 115 TAILQ_HEAD(, pending_query) pending_queries; 116 117 struct bl_node { 118 RB_ENTRY(bl_node) entry; 119 char *domain; 120 }; 121 122 __dead void frontend_shutdown(void); 123 void frontend_sig_handler(int, short, void *); 124 void frontend_startup(void); 125 void udp_receive(int, short, void *); 126 void handle_query(struct pending_query *); 127 void free_pending_query(struct pending_query *); 128 void tcp_accept(int, short, void *); 129 int accept_reserve(int, struct sockaddr *, socklen_t *); 130 void accept_paused(int, short, void *); 131 void tcp_request(int, short, void *); 132 void tcp_response(int, short, void *); 133 void tcp_timeout(int, short, void *); 134 int check_query(sldns_buffer*); 135 void noerror_answer(struct pending_query *); 136 void synthesize_dns64_answer(struct pending_query *); 137 void resend_dns64_query(struct pending_query *); 138 void chaos_answer(struct pending_query *); 139 void error_answer(struct pending_query *, int rcode); 140 void send_answer(struct pending_query *); 141 void route_receive(int, short, void *); 142 void handle_route_message(struct rt_msghdr *, 143 struct sockaddr **); 144 void get_rtaddrs(int, struct sockaddr *, 145 struct sockaddr **); 146 void rtmget_default(void); 147 struct pending_query *find_pending_query(uint64_t); 148 void parse_trust_anchor(struct trust_anchor_head *, int); 149 void send_trust_anchors(struct trust_anchor_head *); 150 void write_trust_anchors(struct trust_anchor_head *, int); 151 void parse_blocklist(int); 152 int bl_cmp(struct bl_node *, struct bl_node *); 153 void free_bl(void); 154 int pending_query_cnt(void); 155 void check_available_af(void); 156 157 struct uw_conf *frontend_conf; 158 static struct imsgev *iev_main; 159 static struct imsgev *iev_resolver; 160 struct event ev_route; 161 int udp4sock = -1, udp6sock = -1; 162 int tcp4sock = -1, tcp6sock = -1; 163 int ta_fd = -1; 164 165 static struct trust_anchor_head trust_anchors, new_trust_anchors; 166 167 RB_HEAD(bl_tree, bl_node) bl_head = RB_INITIALIZER(&bl_head); 168 RB_PROTOTYPE(bl_tree, bl_node, entry, bl_cmp) 169 RB_GENERATE(bl_tree, bl_node, entry, bl_cmp) 170 171 struct dns64_prefix *dns64_prefixes; 172 int dns64_prefix_count; 173 174 void 175 frontend_sig_handler(int sig, short event, void *bula) 176 { 177 /* 178 * Normal signal handler rules don't apply because libevent 179 * decouples for us. 180 */ 181 182 switch (sig) { 183 case SIGINT: 184 case SIGTERM: 185 frontend_shutdown(); 186 default: 187 fatalx("unexpected signal"); 188 } 189 } 190 191 void 192 frontend(int debug, int verbose) 193 { 194 struct event ev_sigint, ev_sigterm; 195 struct passwd *pw; 196 197 frontend_conf = config_new_empty(); 198 199 log_init(debug, LOG_DAEMON); 200 log_setverbose(verbose); 201 202 if ((pw = getpwnam(UNWIND_USER)) == NULL) 203 fatal("getpwnam"); 204 205 if (chroot(pw->pw_dir) == -1) 206 fatal("chroot"); 207 if (chdir("/") == -1) 208 fatal("chdir(\"/\")"); 209 210 setproctitle("%s", "frontend"); 211 log_procinit("frontend"); 212 213 if (setgroups(1, &pw->pw_gid) || 214 setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) || 215 setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid)) 216 fatal("can't drop privileges"); 217 218 if (pledge("stdio dns unix recvfd", NULL) == -1) 219 fatal("pledge"); 220 221 event_init(); 222 223 /* Setup signal handler. */ 224 signal_set(&ev_sigint, SIGINT, frontend_sig_handler, NULL); 225 signal_set(&ev_sigterm, SIGTERM, frontend_sig_handler, NULL); 226 signal_add(&ev_sigint, NULL); 227 signal_add(&ev_sigterm, NULL); 228 signal(SIGPIPE, SIG_IGN); 229 signal(SIGHUP, SIG_IGN); 230 231 /* Setup pipe and event handler to the parent process. */ 232 if (iev_main != NULL) 233 fatal("iev_main"); 234 if ((iev_main = malloc(sizeof(struct imsgev))) == NULL) 235 fatal(NULL); 236 imsg_init(&iev_main->ibuf, 3); 237 iev_main->handler = frontend_dispatch_main; 238 iev_main->events = EV_READ; 239 event_set(&iev_main->ev, iev_main->ibuf.fd, iev_main->events, 240 iev_main->handler, iev_main); 241 event_add(&iev_main->ev, NULL); 242 243 udp4ev.rcviov[0].iov_base = (caddr_t)udp4ev.query; 244 udp4ev.rcviov[0].iov_len = sizeof(udp4ev.query); 245 udp4ev.rcvmhdr.msg_name = (caddr_t)&udp4ev.from; 246 udp4ev.rcvmhdr.msg_namelen = sizeof(udp4ev.from); 247 udp4ev.rcvmhdr.msg_iov = udp4ev.rcviov; 248 udp4ev.rcvmhdr.msg_iovlen = 1; 249 250 udp6ev.rcviov[0].iov_base = (caddr_t)udp6ev.query; 251 udp6ev.rcviov[0].iov_len = sizeof(udp6ev.query); 252 udp6ev.rcvmhdr.msg_name = (caddr_t)&udp6ev.from; 253 udp6ev.rcvmhdr.msg_namelen = sizeof(udp6ev.from); 254 udp6ev.rcvmhdr.msg_iov = udp6ev.rcviov; 255 udp6ev.rcvmhdr.msg_iovlen = 1; 256 257 TAILQ_INIT(&pending_queries); 258 259 TAILQ_INIT(&trust_anchors); 260 TAILQ_INIT(&new_trust_anchors); 261 262 add_new_ta(&trust_anchors, KSK2017); 263 264 event_dispatch(); 265 266 frontend_shutdown(); 267 } 268 269 __dead void 270 frontend_shutdown(void) 271 { 272 /* Close pipes. */ 273 msgbuf_write(&iev_resolver->ibuf.w); 274 msgbuf_clear(&iev_resolver->ibuf.w); 275 close(iev_resolver->ibuf.fd); 276 msgbuf_write(&iev_main->ibuf.w); 277 msgbuf_clear(&iev_main->ibuf.w); 278 close(iev_main->ibuf.fd); 279 280 config_clear(frontend_conf); 281 282 free(iev_resolver); 283 free(iev_main); 284 285 log_info("frontend exiting"); 286 exit(0); 287 } 288 289 int 290 frontend_imsg_compose_main(int type, pid_t pid, void *data, uint16_t datalen) 291 { 292 return (imsg_compose_event(iev_main, type, 0, pid, -1, data, datalen)); 293 } 294 295 int 296 frontend_imsg_compose_resolver(int type, pid_t pid, void *data, 297 uint16_t datalen) 298 { 299 return (imsg_compose_event(iev_resolver, type, 0, pid, -1, data, 300 datalen)); 301 } 302 303 void 304 frontend_dispatch_main(int fd, short event, void *bula) 305 { 306 static struct uw_conf *nconf; 307 struct imsg imsg; 308 struct imsgev *iev = bula; 309 struct imsgbuf *ibuf = &iev->ibuf; 310 int n, shut = 0; 311 312 if (event & EV_READ) { 313 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN) 314 fatal("imsg_read error"); 315 if (n == 0) /* Connection closed. */ 316 shut = 1; 317 } 318 if (event & EV_WRITE) { 319 if ((n = msgbuf_write(&ibuf->w)) == -1 && errno != EAGAIN) 320 fatal("msgbuf_write"); 321 if (n == 0) /* Connection closed. */ 322 shut = 1; 323 } 324 325 for (;;) { 326 if ((n = imsg_get(ibuf, &imsg)) == -1) 327 fatal("%s: imsg_get error", __func__); 328 if (n == 0) /* No more messages. */ 329 break; 330 331 switch (imsg.hdr.type) { 332 case IMSG_SOCKET_IPC_RESOLVER: 333 /* 334 * Setup pipe and event handler to the resolver 335 * process. 336 */ 337 if (iev_resolver) { 338 fatalx("%s: received unexpected imsg fd " 339 "to frontend", __func__); 340 break; 341 } 342 if ((fd = imsg.fd) == -1) { 343 fatalx("%s: expected to receive imsg fd to " 344 "frontend but didn't receive any", 345 __func__); 346 break; 347 } 348 349 if (iev_resolver != NULL) 350 fatal("iev_resolver"); 351 iev_resolver = malloc(sizeof(struct imsgev)); 352 if (iev_resolver == NULL) 353 fatal(NULL); 354 355 imsg_init(&iev_resolver->ibuf, fd); 356 iev_resolver->handler = frontend_dispatch_resolver; 357 iev_resolver->events = EV_READ; 358 359 event_set(&iev_resolver->ev, iev_resolver->ibuf.fd, 360 iev_resolver->events, iev_resolver->handler, 361 iev_resolver); 362 event_add(&iev_resolver->ev, NULL); 363 break; 364 case IMSG_RECONF_CONF: 365 case IMSG_RECONF_BLOCKLIST_FILE: 366 case IMSG_RECONF_FORWARDER: 367 case IMSG_RECONF_DOT_FORWARDER: 368 case IMSG_RECONF_FORCE: 369 imsg_receive_config(&imsg, &nconf); 370 break; 371 case IMSG_RECONF_END: 372 if (nconf == NULL) 373 fatalx("%s: IMSG_RECONF_END without " 374 "IMSG_RECONF_CONF", __func__); 375 merge_config(frontend_conf, nconf); 376 if (frontend_conf->blocklist_file == NULL) 377 free_bl(); 378 nconf = NULL; 379 break; 380 case IMSG_UDP6SOCK: 381 if (udp6sock != -1) 382 fatalx("%s: received unexpected udp6sock", 383 __func__); 384 if ((udp6sock = imsg.fd) == -1) 385 fatalx("%s: expected to receive imsg " 386 "UDP6 fd but didn't receive any", __func__); 387 event_set(&udp6ev.ev, udp6sock, EV_READ | EV_PERSIST, 388 udp_receive, &udp6ev); 389 event_add(&udp6ev.ev, NULL); 390 break; 391 case IMSG_UDP4SOCK: 392 if (udp4sock != -1) 393 fatalx("%s: received unexpected udp4sock", 394 __func__); 395 if ((udp4sock = imsg.fd) == -1) 396 fatalx("%s: expected to receive imsg " 397 "UDP4 fd but didn't receive any", __func__); 398 event_set(&udp4ev.ev, udp4sock, EV_READ | EV_PERSIST, 399 udp_receive, &udp4ev); 400 event_add(&udp4ev.ev, NULL); 401 break; 402 case IMSG_TCP4SOCK: 403 if (tcp4sock != -1) 404 fatalx("%s: received unexpected tcp4sock", 405 __func__); 406 if ((tcp4sock = imsg.fd) == -1) 407 fatalx("%s: expected to receive imsg " 408 "TCP4 fd but didn't receive any", __func__); 409 event_set(&tcp4ev.ev, tcp4sock, EV_READ | EV_PERSIST, 410 tcp_accept, &tcp4ev); 411 event_add(&tcp4ev.ev, NULL); 412 evtimer_set(&tcp4ev.pause, accept_paused, &tcp4ev); 413 break; 414 case IMSG_TCP6SOCK: 415 if (tcp6sock != -1) 416 fatalx("%s: received unexpected tcp6sock", 417 __func__); 418 if ((tcp6sock = imsg.fd) == -1) 419 fatalx("%s: expected to receive imsg " 420 "TCP6 fd but didn't receive any", __func__); 421 event_set(&tcp6ev.ev, tcp6sock, EV_READ | EV_PERSIST, 422 tcp_accept, &tcp6ev); 423 event_add(&tcp6ev.ev, NULL); 424 evtimer_set(&tcp6ev.pause, accept_paused, &tcp6ev); 425 break; 426 case IMSG_ROUTESOCK: { 427 static int routesock = -1; 428 429 if (routesock != -1) 430 fatalx("%s: received unexpected routesock", 431 __func__); 432 if ((fd = imsg.fd) == -1) 433 fatalx("%s: expected to receive imsg " 434 "routesocket fd but didn't receive any", 435 __func__); 436 routesock = fd; 437 event_set(&ev_route, fd, EV_READ | EV_PERSIST, 438 route_receive, NULL); 439 break; 440 } 441 case IMSG_STARTUP: 442 frontend_startup(); 443 break; 444 case IMSG_CONTROLFD: 445 if ((fd = imsg.fd) == -1) 446 fatalx("%s: expected to receive imsg control " 447 "fd but didn't receive any", __func__); 448 /* Listen on control socket. */ 449 control_listen(fd); 450 break; 451 case IMSG_TAFD: 452 if ((ta_fd = imsg.fd) != -1) 453 parse_trust_anchor(&trust_anchors, ta_fd); 454 if (!TAILQ_EMPTY(&trust_anchors)) 455 send_trust_anchors(&trust_anchors); 456 break; 457 case IMSG_BLFD: 458 if ((fd = imsg.fd) == -1) 459 fatalx("%s: expected to receive imsg block " 460 "list fd but didn't receive any", __func__); 461 parse_blocklist(fd); 462 break; 463 default: 464 log_debug("%s: error handling imsg %d", __func__, 465 imsg.hdr.type); 466 break; 467 } 468 imsg_free(&imsg); 469 } 470 if (!shut) 471 imsg_event_add(iev); 472 else { 473 /* This pipe is dead. Remove its event handler. */ 474 event_del(&iev->ev); 475 event_loopexit(NULL); 476 } 477 } 478 479 void 480 frontend_dispatch_resolver(int fd, short event, void *bula) 481 { 482 static struct dns64_prefix *new_dns64_prefixes = NULL; 483 static int new_dns64_prefix_count = 0; 484 static int new_dns64_prefix_pos = 0; 485 struct pending_query *pq; 486 struct imsgev *iev = bula; 487 struct imsgbuf *ibuf = &iev->ibuf; 488 struct imsg imsg; 489 int n, shut = 0, chg; 490 491 if (event & EV_READ) { 492 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN) 493 fatal("imsg_read error"); 494 if (n == 0) /* Connection closed. */ 495 shut = 1; 496 } 497 if (event & EV_WRITE) { 498 if ((n = msgbuf_write(&ibuf->w)) == -1 && errno != EAGAIN) 499 fatal("msgbuf_write"); 500 if (n == 0) /* Connection closed. */ 501 shut = 1; 502 } 503 504 for (;;) { 505 if ((n = imsg_get(ibuf, &imsg)) == -1) 506 fatal("%s: imsg_get error", __func__); 507 if (n == 0) /* No more messages. */ 508 break; 509 510 switch (imsg.hdr.type) { 511 case IMSG_ANSWER: { 512 struct answer_header *answer_header; 513 int data_len; 514 uint8_t *data; 515 516 if (IMSG_DATA_SIZE(imsg) < sizeof(*answer_header)) 517 fatalx("%s: IMSG_ANSWER wrong length: " 518 "%lu", __func__, IMSG_DATA_SIZE(imsg)); 519 answer_header = (struct answer_header *)imsg.data; 520 data = (uint8_t *)imsg.data + sizeof(*answer_header); 521 if (answer_header->answer_len > UINT16_MAX) 522 fatalx("%s: IMSG_ANSWER answer too big: %d", 523 __func__, answer_header->answer_len); 524 data_len = IMSG_DATA_SIZE(imsg) - 525 sizeof(*answer_header); 526 527 if ((pq = find_pending_query(answer_header->id)) == 528 NULL) { 529 log_warnx("%s: cannot find pending query %llu", 530 __func__, answer_header->id); 531 break; 532 } 533 534 if (answer_header->srvfail) { 535 error_answer(pq, LDNS_RCODE_SERVFAIL); 536 send_answer(pq); 537 break; 538 } 539 540 if (answer_header->bogus && !(pq->flags & BIT_CD)) { 541 error_answer(pq, LDNS_RCODE_SERVFAIL); 542 send_answer(pq); 543 break; 544 } 545 546 if (sldns_buffer_position(pq->abuf) == 0 && 547 !sldns_buffer_set_capacity(pq->abuf, 548 answer_header->answer_len)) { 549 error_answer(pq, LDNS_RCODE_SERVFAIL); 550 send_answer(pq); 551 break; 552 } 553 554 if (sldns_buffer_position(pq->abuf) + data_len > 555 sldns_buffer_capacity(pq->abuf)) 556 fatalx("%s: IMSG_ANSWER answer too big: %d", 557 __func__, data_len); 558 sldns_buffer_write(pq->abuf, data, data_len); 559 560 if (sldns_buffer_position(pq->abuf) == 561 sldns_buffer_capacity(pq->abuf)) { 562 sldns_buffer_flip(pq->abuf); 563 if (pq->dns64_synthesize) { 564 synthesize_dns64_answer(pq); 565 send_answer(pq); 566 } else { 567 noerror_answer(pq); 568 if (pq->dns64_synthesize) 569 /* we did not find a answer */ 570 resend_dns64_query(pq); 571 else 572 send_answer(pq); 573 } 574 } 575 break; 576 } 577 case IMSG_CTL_RESOLVER_INFO: 578 case IMSG_CTL_AUTOCONF_RESOLVER_INFO: 579 case IMSG_CTL_MEM_INFO: 580 case IMSG_CTL_END: 581 control_imsg_relay(&imsg); 582 break; 583 case IMSG_NEW_TA: 584 /* make sure this is a string */ 585 ((char *)imsg.data)[IMSG_DATA_SIZE(imsg) - 1] = '\0'; 586 add_new_ta(&new_trust_anchors, imsg.data); 587 break; 588 case IMSG_NEW_TAS_ABORT: 589 free_tas(&new_trust_anchors); 590 break; 591 case IMSG_NEW_TAS_DONE: 592 chg = merge_tas(&new_trust_anchors, &trust_anchors); 593 if (chg) 594 send_trust_anchors(&trust_anchors); 595 596 /* 597 * always write trust anchors, the modify date on 598 * the file is an indication when we made progress 599 */ 600 if (ta_fd != -1) 601 write_trust_anchors(&trust_anchors, ta_fd); 602 break; 603 case IMSG_NEW_DNS64_PREFIXES_START: 604 if (IMSG_DATA_SIZE(imsg) != 605 sizeof(new_dns64_prefix_count)) 606 fatalx("%s: IMSG_NEW_DNS64_PREFIXES_START " 607 "wrong length: %lu", __func__, 608 IMSG_DATA_SIZE(imsg)); 609 memcpy(&new_dns64_prefix_count, imsg.data, 610 sizeof(new_dns64_prefix_count)); 611 free(new_dns64_prefixes); 612 new_dns64_prefixes = NULL; 613 if (new_dns64_prefix_count > 0) 614 new_dns64_prefixes = 615 calloc(new_dns64_prefix_count, 616 sizeof(struct dns64_prefix)); 617 new_dns64_prefix_pos = 0; 618 break; 619 case IMSG_NEW_DNS64_PREFIX: { 620 if (IMSG_DATA_SIZE(imsg) != sizeof(struct dns64_prefix)) 621 fatalx("%s: IMSG_NEW_DNS64_PREFIX wrong " 622 "length: %lu", __func__, 623 IMSG_DATA_SIZE(imsg)); 624 if (new_dns64_prefixes == NULL) 625 break; 626 if (new_dns64_prefix_pos >= new_dns64_prefix_count) 627 fatalx("%s: IMSG_NEW_DNS64_PREFIX: too many " 628 "prefixes", __func__); 629 memcpy(&new_dns64_prefixes[new_dns64_prefix_pos++], 630 imsg.data, sizeof(struct dns64_prefix)); 631 break; 632 } 633 case IMSG_NEW_DNS64_PREFIXES_DONE: 634 free(dns64_prefixes); 635 dns64_prefixes = new_dns64_prefixes; 636 dns64_prefix_count = new_dns64_prefix_count; 637 new_dns64_prefixes = NULL; 638 break; 639 default: 640 log_debug("%s: error handling imsg %d", __func__, 641 imsg.hdr.type); 642 break; 643 } 644 imsg_free(&imsg); 645 } 646 if (!shut) 647 imsg_event_add(iev); 648 else { 649 /* This pipe is dead. Remove its event handler. */ 650 event_del(&iev->ev); 651 event_loopexit(NULL); 652 } 653 } 654 655 void 656 frontend_startup(void) 657 { 658 if (!event_initialized(&ev_route)) 659 fatalx("%s: did not receive a route socket from the main " 660 "process", __func__); 661 662 event_add(&ev_route, NULL); 663 664 frontend_imsg_compose_main(IMSG_STARTUP_DONE, 0, NULL, 0); 665 check_available_af(); 666 } 667 668 void 669 free_pending_query(struct pending_query *pq) 670 { 671 if (!pq) 672 return; 673 674 TAILQ_REMOVE(&pending_queries, pq, entry); 675 regional_destroy(pq->region); 676 sldns_buffer_free(pq->qbuf); 677 sldns_buffer_free(pq->abuf); 678 if (pq->tcp) { 679 if (event_initialized(&pq->ev)) 680 event_del(&pq->ev); 681 if (event_initialized(&pq->resp_ev)) 682 event_del(&pq->resp_ev); 683 if (event_initialized(&pq->tmo_ev)) 684 event_del(&pq->tmo_ev); 685 if (pq->fd != -1) 686 close(pq->fd); 687 } 688 free(pq); 689 } 690 691 void 692 udp_receive(int fd, short events, void *arg) 693 { 694 struct udp_ev *udpev = (struct udp_ev *)arg; 695 struct pending_query *pq = NULL; 696 ssize_t len; 697 698 if ((len = recvmsg(fd, &udpev->rcvmhdr, 0)) == -1) { 699 log_warn("recvmsg"); 700 return; 701 } 702 703 if ((pq = calloc(1, sizeof(*pq))) == NULL) { 704 log_warn(NULL); 705 return; 706 } 707 708 do { 709 arc4random_buf(&pq->imsg_id, sizeof(pq->imsg_id)); 710 } while(find_pending_query(pq->imsg_id) != NULL); 711 712 TAILQ_INSERT_TAIL(&pending_queries, pq, entry); 713 714 pq->from = udpev->from; 715 pq->fd = fd; 716 pq->qbuf = sldns_buffer_new(len); 717 pq->abuf = sldns_buffer_new(len); /* make sure we can send errors */ 718 pq->region = regional_create(); 719 720 if (!pq->qbuf || !pq->abuf || !pq->region) { 721 log_warnx("out of memory"); 722 free_pending_query(pq); 723 return; 724 } 725 726 sldns_buffer_write(pq->qbuf, udpev->query, len); 727 sldns_buffer_flip(pq->qbuf); 728 handle_query(pq); 729 } 730 731 void 732 handle_query(struct pending_query *pq) 733 { 734 struct query_imsg query_imsg; 735 struct bl_node find; 736 int rcode; 737 char *str; 738 char dname[LDNS_MAX_DOMAINLEN + 1]; 739 char qclass_buf[16]; 740 char qtype_buf[16]; 741 742 if (log_getverbose() & OPT_VERBOSE2 && (str = 743 sldns_wire2str_pkt(sldns_buffer_begin(pq->qbuf), 744 sldns_buffer_limit(pq->qbuf))) != NULL) { 745 log_debug("from: %s\n%s", ip_port((struct sockaddr *) 746 &pq->from), str); 747 free(str); 748 } 749 750 if (sldns_buffer_remaining(pq->qbuf) < LDNS_HEADER_SIZE) { 751 log_warnx("bad query: too short, dropped"); 752 goto drop; 753 } 754 755 pq->id = sldns_buffer_read_u16_at(pq->qbuf, 0); 756 pq->flags = sldns_buffer_read_u16_at(pq->qbuf, 2); 757 758 if (!query_info_parse(&pq->qinfo, pq->qbuf)) { 759 log_warnx("query_info_parse failed"); 760 goto drop; 761 } 762 763 rcode = check_query(pq->qbuf); 764 switch (rcode) { 765 case LDNS_RCODE_NOERROR: 766 break; 767 case -1: 768 goto drop; 769 default: 770 error_answer(pq, rcode); 771 goto send_answer; 772 } 773 774 rcode = parse_edns_from_query_pkt(pq->qbuf, &pq->edns, NULL, NULL, 775 pq->region); 776 if (rcode != LDNS_RCODE_NOERROR) { 777 error_answer(pq, rcode); 778 goto send_answer; 779 } 780 781 if (!dname_valid(pq->qinfo.qname, pq->qinfo.qname_len)) { 782 error_answer(pq, LDNS_RCODE_FORMERR); 783 goto send_answer; 784 } 785 dname_str(pq->qinfo.qname, dname); 786 787 sldns_wire2str_class_buf(pq->qinfo.qclass, qclass_buf, 788 sizeof(qclass_buf)); 789 sldns_wire2str_type_buf(pq->qinfo.qtype, qtype_buf, sizeof(qtype_buf)); 790 log_debug("%s: %s %s %s ?", ip_port((struct sockaddr *)&pq->from), 791 dname, qclass_buf, qtype_buf); 792 793 find.domain = dname; 794 if (RB_FIND(bl_tree, &bl_head, &find) != NULL) { 795 if (frontend_conf->blocklist_log) 796 log_info("blocking %s", dname); 797 error_answer(pq, LDNS_RCODE_REFUSED); 798 goto send_answer; 799 } 800 801 if (pq->qinfo.qtype == LDNS_RR_TYPE_AXFR || pq->qinfo.qtype == 802 LDNS_RR_TYPE_IXFR) { 803 error_answer(pq, LDNS_RCODE_REFUSED); 804 goto send_answer; 805 } 806 807 if(pq->qinfo.qtype == LDNS_RR_TYPE_OPT || 808 pq->qinfo.qtype == LDNS_RR_TYPE_TSIG || 809 pq->qinfo.qtype == LDNS_RR_TYPE_TKEY || 810 pq->qinfo.qtype == LDNS_RR_TYPE_MAILA || 811 pq->qinfo.qtype == LDNS_RR_TYPE_MAILB || 812 (pq->qinfo.qtype >= 128 && pq->qinfo.qtype <= 248)) { 813 error_answer(pq, LDNS_RCODE_FORMERR); 814 goto send_answer; 815 } 816 817 if (pq->qinfo.qclass == LDNS_RR_CLASS_CH) { 818 if (strcasecmp(dname, "version.server.") == 0 || 819 strcasecmp(dname, "version.bind.") == 0) { 820 chaos_answer(pq); 821 } else 822 error_answer(pq, LDNS_RCODE_REFUSED); 823 goto send_answer; 824 } 825 826 if (strlcpy(query_imsg.qname, dname, sizeof(query_imsg.qname)) >= 827 sizeof(query_imsg.qname)) { 828 log_warnx("qname too long"); 829 error_answer(pq, LDNS_RCODE_FORMERR); 830 goto send_answer; 831 } 832 query_imsg.id = pq->imsg_id; 833 query_imsg.t = pq->qinfo.qtype; 834 query_imsg.c = pq->qinfo.qclass; 835 836 if (frontend_imsg_compose_resolver(IMSG_QUERY, 0, &query_imsg, 837 sizeof(query_imsg)) == -1) { 838 error_answer(pq, LDNS_RCODE_SERVFAIL); 839 goto send_answer; 840 } 841 return; 842 843 send_answer: 844 send_answer(pq); 845 return; 846 847 drop: 848 free_pending_query(pq); 849 } 850 851 void 852 noerror_answer(struct pending_query *pq) 853 { 854 struct query_info skip, qinfo; 855 struct reply_info *rinfo = NULL; 856 struct alloc_cache alloc; 857 struct edns_data edns; 858 struct ub_packed_rrset_key *an_rrset = NULL; 859 struct packed_rrset_data *an_rrset_data = NULL; 860 861 alloc_init(&alloc, NULL, 0); 862 memset(&qinfo, 0, sizeof(qinfo)); 863 /* read past query section, no memory is allocated */ 864 if (!query_info_parse(&skip, pq->abuf)) 865 goto srvfail; 866 867 if (reply_info_parse(pq->abuf, &alloc, &qinfo, &rinfo, pq->region, 868 &edns) != 0) 869 goto srvfail; 870 871 if ((an_rrset = reply_find_answer_rrset(&qinfo, rinfo)) != NULL) 872 an_rrset_data = (struct packed_rrset_data*)an_rrset->entry.data; 873 874 /* reply_info_parse() allocates memory */ 875 query_info_clear(&qinfo); 876 877 /* XXX check that there a no AAAA records in answer section? */ 878 if ((an_rrset_data == NULL || an_rrset_data->count == 0) && 879 !pq->dns64_synthesize && pq->qinfo.qtype == LDNS_RR_TYPE_AAAA && 880 pq->qinfo.qclass == LDNS_RR_CLASS_IN && dns64_prefix_count > 0) { 881 pq->dns64_synthesize = 1; 882 return; 883 } 884 885 sldns_buffer_clear(pq->abuf); 886 if (reply_info_encode(&pq->qinfo, rinfo, htons(pq->id), rinfo->flags, 887 pq->abuf, 0, pq->region, pq->tcp ? UINT16_MAX : pq->edns.udp_size, 888 pq->edns.bits & EDNS_DO, MINIMIZE_ANSWER) == 0) 889 goto srvfail; 890 891 reply_info_parsedelete(rinfo, &alloc); 892 alloc_clear(&alloc); 893 return; 894 895 srvfail: 896 reply_info_parsedelete(rinfo, &alloc); 897 alloc_clear(&alloc); 898 error_answer(pq, LDNS_RCODE_SERVFAIL); 899 } 900 901 void 902 synthesize_dns64_answer(struct pending_query *pq) 903 { 904 struct query_info skip, qinfo; 905 struct reply_info *rinfo = NULL, *synth_rinfo = NULL; 906 struct alloc_cache alloc; 907 struct edns_data edns; 908 size_t i; 909 910 pq->dns64_synthesize = 0; 911 912 alloc_init(&alloc, NULL, 0); 913 memset(&qinfo, 0, sizeof(qinfo)); 914 /* read past query section, no memory is allocated */ 915 if (!query_info_parse(&skip, pq->abuf)) 916 goto srvfail; 917 918 if (reply_info_parse(pq->abuf, &alloc, &qinfo, &rinfo, pq->region, 919 &edns) != 0) 920 goto srvfail; 921 922 /* reply_info_parse() allocates memory */ 923 query_info_clear(&qinfo); 924 925 synth_rinfo = construct_reply_info_base(pq->region, rinfo->flags, 926 rinfo->qdcount, rinfo->ttl, rinfo->prefetch_ttl, 927 rinfo->serve_expired_ttl, rinfo->an_numrrsets, 928 rinfo->ns_numrrsets, rinfo->ar_numrrsets, rinfo->rrset_count, 929 rinfo->security); 930 931 if (!synth_rinfo) 932 goto srvfail; 933 934 if(!reply_info_alloc_rrset_keys(synth_rinfo, NULL, pq->region)) 935 goto srvfail; 936 937 for (i = 0; i < synth_rinfo->rrset_count; i++) { 938 struct ub_packed_rrset_key *src_rrset_key, *dst_rrset_key; 939 struct packed_rrset_data *src_rrset_data; 940 struct packed_rrset_data *dst_rrset_data; 941 942 src_rrset_key = rinfo->rrsets[i]; 943 src_rrset_data = 944 (struct packed_rrset_data *)src_rrset_key->entry.data; 945 dst_rrset_key = synth_rinfo->rrsets[i]; 946 947 dst_rrset_key->id = src_rrset_key->id; 948 dst_rrset_key->rk = src_rrset_key->rk; 949 950 if (i < rinfo->an_numrrsets && src_rrset_key->rk.type == 951 htons(LDNS_RR_TYPE_A)) { 952 dns64_synth_aaaa_data(src_rrset_key, src_rrset_data, 953 dst_rrset_key, &dst_rrset_data, pq->region); 954 if (dst_rrset_data == NULL) 955 goto srvfail; 956 } else { 957 dst_rrset_key->entry.hash = src_rrset_key->entry.hash; 958 dst_rrset_key->rk.dname = regional_alloc_init( 959 pq->region, src_rrset_key->rk.dname, 960 src_rrset_key->rk.dname_len); 961 if (dst_rrset_key->rk.dname == NULL) 962 goto srvfail; 963 964 dst_rrset_data = regional_alloc_init(pq->region, 965 src_rrset_data, 966 packed_rrset_sizeof(src_rrset_data)); 967 if (dst_rrset_data == NULL) 968 goto srvfail; 969 } 970 971 packed_rrset_ptr_fixup(dst_rrset_data); 972 dst_rrset_key->entry.data = dst_rrset_data; 973 } 974 975 if (!sldns_buffer_set_capacity(pq->abuf, pq->tcp ? UINT16_MAX : 976 pq->edns.udp_size)) 977 goto srvfail; 978 979 sldns_buffer_clear(pq->abuf); 980 981 if (reply_info_encode(&pq->qinfo, synth_rinfo, htons(pq->id), 982 synth_rinfo->flags, pq->abuf, 0, pq->region, 983 pq->tcp ? UINT16_MAX : pq->edns.udp_size, 984 pq->edns.bits & EDNS_DO, MINIMIZE_ANSWER) == 0) 985 goto srvfail; 986 987 reply_info_parsedelete(rinfo, &alloc); 988 alloc_clear(&alloc); 989 return; 990 991 srvfail: 992 reply_info_parsedelete(rinfo, &alloc); 993 alloc_clear(&alloc); 994 error_answer(pq, LDNS_RCODE_SERVFAIL); 995 } 996 997 void 998 resend_dns64_query(struct pending_query *opq) { 999 struct pending_query *pq; 1000 struct query_imsg query_imsg; 1001 int rcode; 1002 char dname[LDNS_MAX_DOMAINLEN + 1]; 1003 1004 if ((pq = calloc(1, sizeof(*pq))) == NULL) { 1005 log_warn(NULL); 1006 return; 1007 } 1008 1009 do { 1010 arc4random_buf(&pq->imsg_id, sizeof(pq->imsg_id)); 1011 } while(find_pending_query(pq->imsg_id) != NULL); 1012 1013 TAILQ_INSERT_TAIL(&pending_queries, pq, entry); 1014 1015 pq->from = opq->from; 1016 pq->fd = opq->fd; 1017 opq->fd = -1; 1018 pq->tcp = opq->tcp; 1019 pq->qbuf = sldns_buffer_new(sldns_buffer_capacity(opq->qbuf)); 1020 pq->abuf = sldns_buffer_new(sldns_buffer_capacity(opq->abuf)); 1021 pq->region = regional_create(); 1022 1023 if (!pq->qbuf || !pq->abuf || !pq->region) { 1024 log_warnx("out of memory"); 1025 free_pending_query(pq); 1026 free_pending_query(opq); 1027 return; 1028 } 1029 1030 sldns_buffer_rewind(opq->qbuf); 1031 sldns_buffer_write(pq->qbuf, sldns_buffer_current(opq->qbuf), 1032 sldns_buffer_remaining(opq->qbuf)); 1033 sldns_buffer_flip(pq->qbuf); 1034 1035 if (pq->tcp) { 1036 struct timeval timeout = {TCP_TIMEOUT, 0}; 1037 1038 event_set(&pq->ev, pq->fd, EV_READ | EV_PERSIST, tcp_request, 1039 pq); 1040 event_set(&pq->resp_ev, pq->fd, EV_WRITE | EV_PERSIST, 1041 tcp_response, pq); 1042 evtimer_set(&pq->tmo_ev, tcp_timeout, pq); 1043 evtimer_add(&pq->tmo_ev, &timeout); 1044 } 1045 1046 if (sldns_buffer_remaining(pq->qbuf) < LDNS_HEADER_SIZE) { 1047 log_warnx("bad query: too short, dropped"); 1048 goto drop; 1049 } 1050 1051 pq->id = sldns_buffer_read_u16_at(pq->qbuf, 0); 1052 pq->flags = sldns_buffer_read_u16_at(pq->qbuf, 2); 1053 1054 if (!query_info_parse(&pq->qinfo, pq->qbuf)) { 1055 log_warnx("query_info_parse failed"); 1056 goto drop; 1057 } 1058 1059 rcode = parse_edns_from_query_pkt(pq->qbuf, &pq->edns, NULL, NULL, 1060 pq->region); 1061 if (rcode != LDNS_RCODE_NOERROR) { 1062 error_answer(pq, rcode); 1063 goto send_answer; 1064 } 1065 1066 dname_str(pq->qinfo.qname, dname); 1067 strlcpy(query_imsg.qname, dname, sizeof(query_imsg.qname)); 1068 query_imsg.id = pq->imsg_id; 1069 query_imsg.t = LDNS_RR_TYPE_A; 1070 query_imsg.c = pq->qinfo.qclass; 1071 1072 pq->dns64_synthesize = 1; 1073 1074 if (frontend_imsg_compose_resolver(IMSG_QUERY, 0, &query_imsg, 1075 sizeof(query_imsg)) == -1) { 1076 error_answer(pq, LDNS_RCODE_SERVFAIL); 1077 goto send_answer; 1078 } 1079 1080 free_pending_query(opq); 1081 return; 1082 1083 send_answer: 1084 free_pending_query(opq); 1085 send_answer(pq); 1086 return; 1087 1088 drop: 1089 free_pending_query(opq); 1090 free_pending_query(pq); 1091 } 1092 1093 void 1094 chaos_answer(struct pending_query *pq) 1095 { 1096 size_t len; 1097 const char *name = "unwind"; 1098 1099 len = strlen(name); 1100 if (!sldns_buffer_set_capacity(pq->abuf, 1101 sldns_buffer_capacity(pq->qbuf) + COMPRESSED_RR_SIZE + 1 + len)) { 1102 error_answer(pq, LDNS_RCODE_SERVFAIL); 1103 return; 1104 } 1105 1106 sldns_buffer_copy(pq->abuf, pq->qbuf); 1107 1108 sldns_buffer_clear(pq->abuf); 1109 1110 sldns_buffer_skip(pq->abuf, sizeof(uint16_t)); /* skip id */ 1111 sldns_buffer_write_u16(pq->abuf, 0); /* clear flags */ 1112 LDNS_QR_SET(sldns_buffer_begin(pq->abuf)); 1113 LDNS_RA_SET(sldns_buffer_begin(pq->abuf)); 1114 if (LDNS_RD_WIRE(sldns_buffer_begin(pq->qbuf))) 1115 LDNS_RD_SET(sldns_buffer_begin(pq->abuf)); 1116 if (LDNS_CD_WIRE(sldns_buffer_begin(pq->qbuf))) 1117 LDNS_CD_SET(sldns_buffer_begin(pq->abuf)); 1118 LDNS_RCODE_SET(sldns_buffer_begin(pq->abuf), LDNS_RCODE_NOERROR); 1119 sldns_buffer_write_u16(pq->abuf, 1); /* qdcount */ 1120 sldns_buffer_write_u16(pq->abuf, 1); /* ancount */ 1121 sldns_buffer_write_u16(pq->abuf, 0); /* nscount */ 1122 sldns_buffer_write_u16(pq->abuf, 0); /* arcount */ 1123 (void)query_dname_len(pq->abuf); /* skip qname */ 1124 sldns_buffer_skip(pq->abuf, sizeof(uint16_t)); /* skip qtype */ 1125 sldns_buffer_skip(pq->abuf, sizeof(uint16_t)); /* skip qclass */ 1126 1127 sldns_buffer_write_u16(pq->abuf, 0xc00c); /* ptr to query */ 1128 sldns_buffer_write_u16(pq->abuf, LDNS_RR_TYPE_TXT); 1129 sldns_buffer_write_u16(pq->abuf, LDNS_RR_CLASS_CH); 1130 sldns_buffer_write_u32(pq->abuf, 0); /* TTL */ 1131 sldns_buffer_write_u16(pq->abuf, 1 + len); /* RDLENGTH */ 1132 sldns_buffer_write_u8(pq->abuf, len); /* length octed */ 1133 sldns_buffer_write(pq->abuf, name, len); 1134 sldns_buffer_flip(pq->abuf); 1135 } 1136 1137 void 1138 error_answer(struct pending_query *pq, int rcode) 1139 { 1140 sldns_buffer_clear(pq->abuf); 1141 error_encode(pq->abuf, rcode, &pq->qinfo, htons(pq->id), pq->flags, 1142 pq->edns.edns_present ? &pq->edns : NULL); 1143 } 1144 1145 int 1146 check_query(sldns_buffer* pkt) 1147 { 1148 if(sldns_buffer_limit(pkt) < LDNS_HEADER_SIZE) { 1149 log_warnx("bad query: too short, dropped"); 1150 return -1; 1151 } 1152 if(LDNS_QR_WIRE(sldns_buffer_begin(pkt))) { 1153 log_warnx("bad query: QR set, dropped"); 1154 return -1; 1155 } 1156 if(LDNS_TC_WIRE(sldns_buffer_begin(pkt))) { 1157 LDNS_TC_CLR(sldns_buffer_begin(pkt)); 1158 log_warnx("bad query: TC set"); 1159 return (LDNS_RCODE_FORMERR); 1160 } 1161 if(!(LDNS_RD_WIRE(sldns_buffer_begin(pkt)))) { 1162 log_warnx("bad query: RD not set"); 1163 return (LDNS_RCODE_REFUSED); 1164 } 1165 if(LDNS_OPCODE_WIRE(sldns_buffer_begin(pkt)) != LDNS_PACKET_QUERY) { 1166 log_warnx("bad query: unknown opcode %d", 1167 LDNS_OPCODE_WIRE(sldns_buffer_begin(pkt))); 1168 return (LDNS_RCODE_NOTIMPL); 1169 } 1170 1171 if (LDNS_QDCOUNT(sldns_buffer_begin(pkt)) != 1 && 1172 LDNS_ANCOUNT(sldns_buffer_begin(pkt))!= 0 && 1173 LDNS_NSCOUNT(sldns_buffer_begin(pkt))!= 0 && 1174 LDNS_ARCOUNT(sldns_buffer_begin(pkt)) > 1) { 1175 log_warnx("bad query: qdcount: %d, ancount: %d " 1176 "nscount: %d, arcount: %d", 1177 LDNS_QDCOUNT(sldns_buffer_begin(pkt)), 1178 LDNS_ANCOUNT(sldns_buffer_begin(pkt)), 1179 LDNS_NSCOUNT(sldns_buffer_begin(pkt)), 1180 LDNS_ARCOUNT(sldns_buffer_begin(pkt))); 1181 return (LDNS_RCODE_FORMERR); 1182 } 1183 return (LDNS_RCODE_NOERROR); 1184 } 1185 1186 void 1187 send_answer(struct pending_query *pq) 1188 { 1189 char *str; 1190 1191 if (log_getverbose() & OPT_VERBOSE2 && (str = 1192 sldns_wire2str_pkt(sldns_buffer_begin(pq->abuf), 1193 sldns_buffer_limit(pq->abuf))) != NULL) { 1194 log_debug("from: %s\n%s", ip_port((struct sockaddr *) 1195 &pq->from), str); 1196 free(str); 1197 } 1198 1199 if (!pq->tcp) { 1200 if(sendto(pq->fd, sldns_buffer_current(pq->abuf), 1201 sldns_buffer_remaining(pq->abuf), 0, 1202 (struct sockaddr *)&pq->from, pq->from.ss_len) == -1) 1203 log_warn("sendto"); 1204 free_pending_query(pq); 1205 } else { 1206 struct sldns_buffer *tmp; 1207 1208 tmp = sldns_buffer_new(sldns_buffer_limit(pq->abuf) + 2); 1209 1210 if (!tmp) { 1211 free_pending_query(pq); 1212 return; 1213 } 1214 1215 sldns_buffer_write_u16(tmp, sldns_buffer_limit(pq->abuf)); 1216 sldns_buffer_write(tmp, sldns_buffer_current(pq->abuf), 1217 sldns_buffer_remaining(pq->abuf)); 1218 sldns_buffer_flip(tmp); 1219 sldns_buffer_free(pq->abuf); 1220 pq->abuf = tmp; 1221 event_add(&pq->resp_ev, NULL); 1222 } 1223 } 1224 1225 char* 1226 ip_port(struct sockaddr *sa) 1227 { 1228 static char hbuf[NI_MAXHOST], buf[NI_MAXHOST]; 1229 1230 if (getnameinfo(sa, sa->sa_len, hbuf, sizeof(hbuf), NULL, 0, 1231 NI_NUMERICHOST) != 0) { 1232 snprintf(buf, sizeof(buf), "%s", "(unknown)"); 1233 return buf; 1234 } 1235 1236 if (sa->sa_family == AF_INET6) 1237 snprintf(buf, sizeof(buf), "[%s]:%d", hbuf, ntohs( 1238 ((struct sockaddr_in6 *)sa)->sin6_port)); 1239 if (sa->sa_family == AF_INET) 1240 snprintf(buf, sizeof(buf), "[%s]:%d", hbuf, ntohs( 1241 ((struct sockaddr_in *)sa)->sin_port)); 1242 1243 return buf; 1244 } 1245 1246 struct pending_query* 1247 find_pending_query(uint64_t id) 1248 { 1249 struct pending_query *pq; 1250 1251 TAILQ_FOREACH(pq, &pending_queries, entry) 1252 if (pq->imsg_id == id) 1253 return pq; 1254 return NULL; 1255 } 1256 1257 void 1258 route_receive(int fd, short events, void *arg) 1259 { 1260 static uint8_t *buf; 1261 1262 struct rt_msghdr *rtm; 1263 struct sockaddr *sa, *rti_info[RTAX_MAX]; 1264 ssize_t n; 1265 1266 if (buf == NULL) { 1267 buf = malloc(ROUTE_SOCKET_BUF_SIZE); 1268 if (buf == NULL) 1269 fatal("malloc"); 1270 } 1271 rtm = (struct rt_msghdr *)buf; 1272 if ((n = read(fd, buf, ROUTE_SOCKET_BUF_SIZE)) == -1) { 1273 if (errno == EAGAIN || errno == EINTR) 1274 return; 1275 log_warn("dispatch_rtmsg: read error"); 1276 return; 1277 } 1278 1279 if (n == 0) 1280 fatal("routing socket closed"); 1281 1282 if (n < (ssize_t)sizeof(rtm->rtm_msglen) || n < rtm->rtm_msglen) { 1283 log_warnx("partial rtm of %zd in buffer", n); 1284 return; 1285 } 1286 1287 if (rtm->rtm_version != RTM_VERSION) 1288 return; 1289 1290 sa = (struct sockaddr *)(buf + rtm->rtm_hdrlen); 1291 get_rtaddrs(rtm->rtm_addrs, sa, rti_info); 1292 1293 handle_route_message(rtm, rti_info); 1294 } 1295 1296 #define ROUNDUP(a) \ 1297 ((a) > 0 ? (1 + (((a) - 1) | (sizeof(long) - 1))) : sizeof(long)) 1298 1299 void 1300 get_rtaddrs(int addrs, struct sockaddr *sa, struct sockaddr **rti_info) 1301 { 1302 int i; 1303 1304 for (i = 0; i < RTAX_MAX; i++) { 1305 if (addrs & (1 << i)) { 1306 rti_info[i] = sa; 1307 sa = (struct sockaddr *)((char *)(sa) + 1308 ROUNDUP(sa->sa_len)); 1309 } else 1310 rti_info[i] = NULL; 1311 } 1312 } 1313 1314 void 1315 handle_route_message(struct rt_msghdr *rtm, struct sockaddr **rti_info) 1316 { 1317 struct imsg_rdns_proposal rdns_proposal; 1318 struct sockaddr_rtdns *rtdns; 1319 struct if_announcemsghdr *ifan; 1320 1321 switch (rtm->rtm_type) { 1322 case RTM_IFANNOUNCE: 1323 ifan = (struct if_announcemsghdr *)rtm; 1324 if (ifan->ifan_what == IFAN_ARRIVAL) 1325 break; 1326 rdns_proposal.if_index = ifan->ifan_index; 1327 rdns_proposal.src = 0; 1328 rdns_proposal.rtdns.sr_family = AF_INET; 1329 rdns_proposal.rtdns.sr_len = offsetof(struct sockaddr_rtdns, 1330 sr_dns); 1331 frontend_imsg_compose_resolver(IMSG_REPLACE_DNS, 0, 1332 &rdns_proposal, sizeof(rdns_proposal)); 1333 break; 1334 case RTM_IFINFO: 1335 frontend_imsg_compose_resolver(IMSG_NETWORK_CHANGED, 0, NULL, 1336 0); 1337 break; 1338 case RTM_PROPOSAL: 1339 if (!(rtm->rtm_addrs & RTA_DNS)) 1340 break; 1341 1342 rtdns = (struct sockaddr_rtdns*)rti_info[RTAX_DNS]; 1343 rdns_proposal.if_index = rtm->rtm_index; 1344 rdns_proposal.src = rtm->rtm_priority; 1345 memcpy(&rdns_proposal.rtdns, rtdns, sizeof(rdns_proposal.rtdns)); 1346 frontend_imsg_compose_resolver(IMSG_REPLACE_DNS, 0, 1347 &rdns_proposal, sizeof(rdns_proposal)); 1348 break; 1349 case RTM_NEWADDR: 1350 case RTM_DELADDR: 1351 case RTM_DESYNC: 1352 check_available_af(); 1353 break; 1354 default: 1355 break; 1356 } 1357 } 1358 1359 void 1360 add_new_ta(struct trust_anchor_head *tah, char *val) 1361 { 1362 struct trust_anchor *ta, *i; 1363 int cmp; 1364 1365 if ((ta = malloc(sizeof(*ta))) == NULL) 1366 fatal("%s", __func__); 1367 if ((ta->ta = strdup(val)) == NULL) 1368 fatal("%s", __func__); 1369 1370 /* keep the list sorted to prevent churn if the order changes in DNS */ 1371 TAILQ_FOREACH(i, tah, entry) { 1372 cmp = strcmp(i->ta, ta->ta); 1373 if ( cmp == 0) { 1374 /* duplicate */ 1375 free(ta->ta); 1376 free(ta); 1377 return; 1378 } else if (cmp > 0) { 1379 TAILQ_INSERT_BEFORE(i, ta, entry); 1380 return; 1381 } 1382 } 1383 TAILQ_INSERT_TAIL(tah, ta, entry); 1384 } 1385 1386 void 1387 free_tas(struct trust_anchor_head *tah) 1388 { 1389 struct trust_anchor *ta; 1390 1391 while ((ta = TAILQ_FIRST(tah))) { 1392 TAILQ_REMOVE(tah, ta, entry); 1393 free(ta->ta); 1394 free(ta); 1395 } 1396 } 1397 1398 int 1399 merge_tas(struct trust_anchor_head *newh, struct trust_anchor_head *oldh) 1400 { 1401 struct trust_anchor *i, *j; 1402 int chg = 0; 1403 1404 j = TAILQ_FIRST(oldh); 1405 1406 TAILQ_FOREACH(i, newh, entry) { 1407 if (j == NULL || strcmp(i->ta, j->ta) != 0) { 1408 chg = 1; 1409 break; 1410 } 1411 j = TAILQ_NEXT(j, entry); 1412 } 1413 if (j != NULL) 1414 chg = 1; 1415 1416 if (chg) { 1417 free_tas(oldh); 1418 TAILQ_CONCAT(oldh, newh, entry); 1419 } else { 1420 free_tas(newh); 1421 } 1422 return (chg); 1423 } 1424 1425 void 1426 parse_trust_anchor(struct trust_anchor_head *tah, int fd) 1427 { 1428 size_t len, dname_len; 1429 ssize_t n, sz; 1430 uint8_t rr[LDNS_RR_BUF_SIZE]; 1431 char *str, *p, buf[512], *line; 1432 1433 sz = 0; 1434 str = NULL; 1435 1436 while ((n = read(fd, buf, sizeof(buf))) > 0) { 1437 p = recallocarray(str, sz, sz + n, 1); 1438 if (p == NULL) { 1439 log_warn("%s", __func__); 1440 goto out; 1441 } 1442 str = p; 1443 memcpy(str + sz, buf, n); 1444 sz += n; 1445 } 1446 1447 if (n == -1) { 1448 log_warn("%s", __func__); 1449 goto out; 1450 } 1451 1452 /* make it a string */ 1453 p = recallocarray(str, sz, sz + 1, 1); 1454 if (p == NULL) { 1455 log_warn("%s", __func__); 1456 goto out; 1457 } 1458 str = p; 1459 sz++; 1460 1461 len = sizeof(rr); 1462 1463 while ((line = strsep(&p, "\n")) != NULL) { 1464 if (sldns_str2wire_rr_buf(line, rr, &len, &dname_len, 1465 ROOT_DNSKEY_TTL, NULL, 0, NULL, 0) != 0) 1466 continue; 1467 if (sldns_wirerr_get_type(rr, len, dname_len) == 1468 LDNS_RR_TYPE_DNSKEY) 1469 add_new_ta(tah, line); 1470 } 1471 1472 out: 1473 free(str); 1474 return; 1475 } 1476 1477 void 1478 send_trust_anchors(struct trust_anchor_head *tah) 1479 { 1480 struct trust_anchor *ta; 1481 1482 TAILQ_FOREACH(ta, tah, entry) 1483 frontend_imsg_compose_resolver(IMSG_NEW_TA, 0, ta->ta, 1484 strlen(ta->ta) + 1); 1485 frontend_imsg_compose_resolver(IMSG_NEW_TAS_DONE, 0, NULL, 0); 1486 } 1487 1488 void 1489 write_trust_anchors(struct trust_anchor_head *tah, int fd) 1490 { 1491 struct trust_anchor *ta; 1492 size_t len = 0; 1493 ssize_t n; 1494 char *str; 1495 1496 if (lseek(fd, 0, SEEK_SET) == -1) { 1497 log_warn("%s", __func__); 1498 goto out; 1499 } 1500 1501 TAILQ_FOREACH(ta, tah, entry) { 1502 if ((n = asprintf(&str, "%s\n", ta->ta)) == -1) { 1503 log_warn("%s", __func__); 1504 len = 0; 1505 goto out; 1506 } 1507 len += n; 1508 if (write(fd, str, n) != n) { 1509 log_warn("%s", __func__); 1510 free(str); 1511 len = 0; 1512 goto out; 1513 } 1514 free(str); 1515 } 1516 out: 1517 ftruncate(fd, len); 1518 fsync(fd); 1519 } 1520 1521 void 1522 parse_blocklist(int fd) 1523 { 1524 FILE *f; 1525 struct bl_node *bl_node; 1526 char *line = NULL; 1527 size_t linesize = 0; 1528 ssize_t linelen; 1529 1530 if((f = fdopen(fd, "r")) == NULL) { 1531 log_warn("cannot read block list"); 1532 close(fd); 1533 return; 1534 } 1535 1536 free_bl(); 1537 1538 while ((linelen = getline(&line, &linesize, f)) != -1) { 1539 if (line[linelen - 1] == '\n') { 1540 if (linelen >= 2 && line[linelen - 2] != '.') 1541 line[linelen - 1] = '.'; 1542 else 1543 line[linelen - 1] = '\0'; 1544 } 1545 1546 bl_node = malloc(sizeof *bl_node); 1547 if (bl_node == NULL) 1548 fatal("%s: malloc", __func__); 1549 if ((bl_node->domain = strdup(line)) == NULL) 1550 fatal("%s: strdup", __func__); 1551 if (RB_INSERT(bl_tree, &bl_head, bl_node) != NULL) { 1552 log_warnx("duplicate blocked domain \"%s\"", line); 1553 free(bl_node->domain); 1554 free(bl_node); 1555 } 1556 } 1557 free(line); 1558 if (ferror(f)) 1559 log_warn("getline"); 1560 fclose(f); 1561 } 1562 1563 int 1564 bl_cmp(struct bl_node *e1, struct bl_node *e2) { 1565 return (strcasecmp(e1->domain, e2->domain)); 1566 } 1567 1568 void 1569 free_bl(void) 1570 { 1571 struct bl_node *n, *nxt; 1572 1573 RB_FOREACH_SAFE(n, bl_tree, &bl_head, nxt) { 1574 RB_REMOVE(bl_tree, &bl_head, n); 1575 free(n->domain); 1576 free(n); 1577 } 1578 } 1579 1580 int 1581 pending_query_cnt(void) 1582 { 1583 struct pending_query *e; 1584 int cnt = 0; 1585 1586 TAILQ_FOREACH(e, &pending_queries, entry) 1587 cnt++; 1588 return cnt; 1589 } 1590 1591 void 1592 accept_paused(int fd, short events, void *arg) 1593 { 1594 struct tcp_accept_ev *tcpev = arg; 1595 event_add(&tcpev->ev, NULL); 1596 } 1597 1598 int 1599 accept_reserve(int sockfd, struct sockaddr *addr, socklen_t *addrlen) 1600 { 1601 if (getdtablecount() + FD_RESERVE >= getdtablesize()) { 1602 log_debug("%s: inflight fds exceeded", __func__); 1603 errno = EMFILE; 1604 return -1; 1605 } 1606 return accept4(sockfd, addr, addrlen, SOCK_NONBLOCK | SOCK_CLOEXEC); 1607 } 1608 1609 void 1610 tcp_accept(int fd, short events, void *arg) 1611 { 1612 static struct timeval timeout = {TCP_TIMEOUT, 0}; 1613 static struct timeval backoff = {1, 0}; 1614 struct pending_query *pq; 1615 struct tcp_accept_ev *tcpev; 1616 struct sockaddr_storage ss; 1617 socklen_t len; 1618 int s; 1619 1620 tcpev = arg; 1621 len = sizeof(ss); 1622 1623 if ((s = accept_reserve(fd, (struct sockaddr *)&ss, &len)) == -1) { 1624 switch (errno) { 1625 case EINTR: 1626 case EWOULDBLOCK: 1627 case ECONNABORTED: 1628 return; 1629 case EMFILE: 1630 case ENFILE: 1631 event_del(&tcpev->ev); 1632 evtimer_add(&tcpev->pause, &backoff); 1633 return; 1634 default: 1635 fatal("accept"); 1636 } 1637 } 1638 1639 if ((pq = calloc(1, sizeof(*pq))) == NULL) { 1640 log_warn(NULL); 1641 close(s); 1642 return; 1643 } 1644 1645 do { 1646 arc4random_buf(&pq->imsg_id, sizeof(pq->imsg_id)); 1647 } while(find_pending_query(pq->imsg_id) != NULL); 1648 1649 TAILQ_INSERT_TAIL(&pending_queries, pq, entry); 1650 1651 pq->from = ss; 1652 pq->fd = s; 1653 pq->tcp = 1; 1654 pq->qbuf = sldns_buffer_new(DEFAULT_TCP_SIZE); 1655 pq->region = regional_create(); 1656 1657 if (!pq->qbuf || !pq->region) { 1658 free_pending_query(pq); 1659 return; 1660 } 1661 1662 event_set(&pq->ev, s, EV_READ | EV_PERSIST, tcp_request, pq); 1663 event_add(&pq->ev, NULL); 1664 event_set(&pq->resp_ev, s, EV_WRITE | EV_PERSIST, tcp_response, pq); 1665 1666 evtimer_set(&pq->tmo_ev, tcp_timeout, pq); 1667 evtimer_add(&pq->tmo_ev, &timeout); 1668 } 1669 1670 void 1671 tcp_request(int fd, short events, void *arg) 1672 { 1673 struct pending_query *pq; 1674 ssize_t n; 1675 1676 pq = arg; 1677 1678 n = read(fd, sldns_buffer_current(pq->qbuf), 1679 sldns_buffer_remaining(pq->qbuf)); 1680 1681 switch (n) { 1682 case -1: 1683 switch (errno) { 1684 case EINTR: 1685 case EAGAIN: 1686 return; 1687 default: 1688 goto fail; 1689 } 1690 break; 1691 case 0: 1692 log_debug("closed connection"); 1693 goto fail; 1694 default: 1695 break; 1696 } 1697 1698 sldns_buffer_skip(pq->qbuf, n); 1699 1700 if (sldns_buffer_position(pq->qbuf) >= 2 && !pq->abuf) { 1701 struct sldns_buffer *tmp; 1702 uint16_t len; 1703 1704 sldns_buffer_flip(pq->qbuf); 1705 len = sldns_buffer_read_u16(pq->qbuf); 1706 tmp = sldns_buffer_new(len); 1707 pq->abuf = sldns_buffer_new(len); 1708 1709 if (!tmp || !pq->abuf) 1710 goto fail; 1711 1712 sldns_buffer_write(tmp, sldns_buffer_current(pq->qbuf), 1713 sldns_buffer_remaining(pq->qbuf)); 1714 sldns_buffer_free(pq->qbuf); 1715 pq->qbuf = tmp; 1716 } 1717 if (sldns_buffer_remaining(pq->qbuf) == 0) { 1718 sldns_buffer_flip(pq->qbuf); 1719 shutdown(fd, SHUT_RD); 1720 event_del(&pq->ev); 1721 handle_query(pq); 1722 } 1723 return; 1724 fail: 1725 free_pending_query(pq); 1726 } 1727 1728 void 1729 tcp_response(int fd, short events, void *arg) 1730 { 1731 struct pending_query *pq; 1732 ssize_t n; 1733 1734 pq = arg; 1735 1736 n = write(fd, sldns_buffer_current(pq->abuf), 1737 sldns_buffer_remaining(pq->abuf)); 1738 1739 if (n == -1) { 1740 if (errno == EAGAIN || errno == EINTR) 1741 return; 1742 free_pending_query(pq); 1743 } 1744 sldns_buffer_skip(pq->abuf, n); 1745 if (sldns_buffer_remaining(pq->abuf) == 0) 1746 free_pending_query(pq); 1747 } 1748 1749 void 1750 tcp_timeout(int fd, short events, void *arg) 1751 { 1752 free_pending_query(arg); 1753 } 1754 1755 void 1756 check_available_af() 1757 { 1758 static int available_af = HAVE_IPV4 | HAVE_IPV6; 1759 static int rtable = -1; 1760 struct ifaddrs *ifap, *ifa; 1761 struct if_data *ifa_data; 1762 struct sockaddr_in *sin4; 1763 struct sockaddr_in6 *sin6; 1764 int new_available_af = 0, ifa_rtable = -1; 1765 1766 if (rtable == -1) 1767 rtable = getrtable(); 1768 1769 if (getifaddrs(&ifap) != 0) { 1770 log_warn("getifaddrs"); 1771 return; 1772 } 1773 1774 for (ifa = ifap; ifa != NULL; ifa = ifa->ifa_next) { 1775 if (ifa->ifa_addr == NULL) 1776 continue; 1777 switch(ifa->ifa_addr->sa_family) { 1778 case AF_LINK: 1779 /* AF_LINK comes before inet / inet6 on an interface */ 1780 ifa_data = (struct if_data *)ifa->ifa_data; 1781 ifa_rtable = ifa_data->ifi_rdomain; 1782 break; 1783 case AF_INET: 1784 if (ifa_rtable != rtable) 1785 continue; 1786 1787 sin4 = (struct sockaddr_in *)ifa->ifa_addr; 1788 if ((ntohl(sin4->sin_addr.s_addr) >> 24) == 1789 IN_LOOPBACKNET) 1790 continue; 1791 new_available_af |= HAVE_IPV4; 1792 break; 1793 case AF_INET6: 1794 if (ifa_rtable != rtable) 1795 continue; 1796 1797 sin6 = (struct sockaddr_in6 *)ifa->ifa_addr; 1798 if (IN6_IS_ADDR_LOOPBACK(&sin6->sin6_addr) || 1799 IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr) || 1800 IN6_IS_ADDR_MC_LINKLOCAL(&sin6->sin6_addr) || 1801 IN6_IS_ADDR_MC_INTFACELOCAL(&sin6->sin6_addr)) 1802 continue; 1803 new_available_af |= HAVE_IPV6; 1804 break; 1805 default: 1806 break; 1807 } 1808 if (new_available_af == (HAVE_IPV4 | HAVE_IPV6)) 1809 break; 1810 } 1811 freeifaddrs(ifap); 1812 if (new_available_af != available_af) { 1813 available_af = new_available_af; 1814 frontend_imsg_compose_resolver(IMSG_CHANGE_AFS, 0, 1815 &available_af, sizeof(available_af)); 1816 } 1817 } 1818