1 /* $OpenBSD: frontend.c,v 1.90 2024/11/24 11:33:34 kirill Exp $ */ 2 3 /* 4 * Copyright (c) 2018 Florian Obser <florian@openbsd.org> 5 * Copyright (c) 2005 Claudio Jeker <claudio@openbsd.org> 6 * Copyright (c) 2004 Esben Norby <norby@openbsd.org> 7 * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> 8 * 9 * Permission to use, copy, modify, and distribute this software for any 10 * purpose with or without fee is hereby granted, provided that the above 11 * copyright notice and this permission notice appear in all copies. 12 * 13 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 14 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 15 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 16 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 17 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 18 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 19 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 20 */ 21 22 #include <sys/types.h> 23 #include <sys/queue.h> 24 #include <sys/socket.h> 25 #include <sys/syslog.h> 26 #include <sys/tree.h> 27 #include <sys/uio.h> 28 29 #include <netinet/in.h> 30 #include <net/if.h> 31 #include <net/route.h> 32 33 #include <errno.h> 34 #include <event.h> 35 #include <ifaddrs.h> 36 #include <imsg.h> 37 #include <netdb.h> 38 #include <pwd.h> 39 #include <signal.h> 40 #include <stdint.h> 41 #include <stdio.h> 42 #include <stdlib.h> 43 #include <string.h> 44 #include <time.h> 45 #include <unistd.h> 46 47 #include "libunbound/config.h" 48 #include "libunbound/sldns/pkthdr.h" 49 #include "libunbound/sldns/sbuffer.h" 50 #include "libunbound/sldns/str2wire.h" 51 #include "libunbound/sldns/wire2str.h" 52 #include "libunbound/util/alloc.h" 53 #include "libunbound/util/net_help.h" 54 #include "libunbound/util/regional.h" 55 #include "libunbound/util/data/dname.h" 56 #include "libunbound/util/data/msgencode.h" 57 #include "libunbound/util/data/msgparse.h" 58 #include "libunbound/util/data/msgreply.h" 59 60 #include "log.h" 61 #include "unwind.h" 62 #include "frontend.h" 63 #include "control.h" 64 #include "dns64_synth.h" 65 66 #define MINIMUM(a, b) (((a) < (b)) ? (a) : (b)) 67 #define ROUTE_SOCKET_BUF_SIZE 16384 68 69 /* 70 * size of a resource record with name a two octed pointer to qname 71 * 2 octets pointer to qname 72 * 2 octets TYPE 73 * 2 octets CLASS 74 * 4 octets TTL 75 * 2 octets RDLENGTH 76 */ 77 #define COMPRESSED_RR_SIZE 12 78 #define MINIMIZE_ANSWER 1 79 80 #define FD_RESERVE 5 81 #define TCP_TIMEOUT 15 82 #define DEFAULT_TCP_SIZE 512 83 84 struct udp_ev { 85 struct event ev; 86 uint8_t query[65536]; 87 struct msghdr rcvmhdr; 88 struct iovec rcviov[1]; 89 struct sockaddr_storage from; 90 } udp4ev, udp6ev; 91 92 struct tcp_accept_ev { 93 struct event ev; 94 struct event pause; 95 } tcp4ev, tcp6ev; 96 97 struct pending_query { 98 TAILQ_ENTRY(pending_query) entry; 99 struct sockaddr_storage from; 100 struct sldns_buffer *qbuf; 101 struct sldns_buffer *abuf; 102 struct regional *region; 103 struct query_info qinfo; 104 struct edns_data edns; 105 struct event ev; /* for tcp */ 106 struct event resp_ev; /* for tcp */ 107 struct event tmo_ev; /* for tcp */ 108 uint64_t imsg_id; 109 uint16_t id; 110 uint16_t flags; 111 int fd; 112 int tcp; 113 int dns64_synthesize; 114 }; 115 116 TAILQ_HEAD(, pending_query) pending_queries; 117 118 struct bl_node { 119 RB_ENTRY(bl_node) entry; 120 char *domain; 121 int len; 122 int wildcard; 123 }; 124 125 __dead void frontend_shutdown(void); 126 void frontend_sig_handler(int, short, void *); 127 void frontend_startup(void); 128 void udp_receive(int, short, void *); 129 void handle_query(struct pending_query *); 130 void free_pending_query(struct pending_query *); 131 void tcp_accept(int, short, void *); 132 int accept_reserve(int, struct sockaddr *, socklen_t *); 133 void accept_paused(int, short, void *); 134 void tcp_request(int, short, void *); 135 void tcp_response(int, short, void *); 136 void tcp_timeout(int, short, void *); 137 int check_query(sldns_buffer*); 138 void noerror_answer(struct pending_query *); 139 void synthesize_dns64_answer(struct pending_query *); 140 void resend_dns64_query(struct pending_query *); 141 void chaos_answer(struct pending_query *); 142 void error_answer(struct pending_query *, int rcode); 143 void send_answer(struct pending_query *); 144 void route_receive(int, short, void *); 145 void handle_route_message(struct rt_msghdr *, 146 struct sockaddr **); 147 void get_rtaddrs(int, struct sockaddr *, 148 struct sockaddr **); 149 struct pending_query *find_pending_query(uint64_t); 150 void parse_trust_anchor(struct trust_anchor_head *, int); 151 void send_trust_anchors(struct trust_anchor_head *); 152 void write_trust_anchors(struct trust_anchor_head *, int); 153 void parse_blocklist(int); 154 int bl_cmp(struct bl_node *, struct bl_node *); 155 void free_bl(void); 156 int pending_query_cnt(void); 157 void check_available_af(void); 158 void reverse(char *, char *); 159 160 struct uw_conf *frontend_conf; 161 static struct imsgev *iev_main; 162 static struct imsgev *iev_resolver; 163 struct event ev_route; 164 int udp4sock = -1, udp6sock = -1; 165 int tcp4sock = -1, tcp6sock = -1; 166 int ta_fd = -1; 167 168 static struct trust_anchor_head trust_anchors, new_trust_anchors; 169 170 RB_HEAD(bl_tree, bl_node) bl_head = RB_INITIALIZER(&bl_head); 171 RB_PROTOTYPE(bl_tree, bl_node, entry, bl_cmp) 172 RB_GENERATE(bl_tree, bl_node, entry, bl_cmp) 173 174 struct dns64_prefix *dns64_prefixes; 175 int dns64_prefix_count; 176 177 void 178 frontend_sig_handler(int sig, short event, void *bula) 179 { 180 /* 181 * Normal signal handler rules don't apply because libevent 182 * decouples for us. 183 */ 184 185 switch (sig) { 186 case SIGINT: 187 case SIGTERM: 188 frontend_shutdown(); 189 default: 190 fatalx("unexpected signal"); 191 } 192 } 193 194 void 195 frontend(int debug, int verbose) 196 { 197 struct event ev_sigint, ev_sigterm; 198 struct passwd *pw; 199 200 frontend_conf = config_new_empty(); 201 202 log_init(debug, LOG_DAEMON); 203 log_setverbose(verbose); 204 205 if ((pw = getpwnam(UNWIND_USER)) == NULL) 206 fatal("getpwnam"); 207 208 if (chroot(pw->pw_dir) == -1) 209 fatal("chroot"); 210 if (chdir("/") == -1) 211 fatal("chdir(\"/\")"); 212 213 setproctitle("%s", "frontend"); 214 log_procinit("frontend"); 215 216 if (setgroups(1, &pw->pw_gid) || 217 setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) || 218 setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid)) 219 fatal("can't drop privileges"); 220 221 if (pledge("stdio dns unix recvfd", NULL) == -1) 222 fatal("pledge"); 223 224 event_init(); 225 226 /* Setup signal handler. */ 227 signal_set(&ev_sigint, SIGINT, frontend_sig_handler, NULL); 228 signal_set(&ev_sigterm, SIGTERM, frontend_sig_handler, NULL); 229 signal_add(&ev_sigint, NULL); 230 signal_add(&ev_sigterm, NULL); 231 signal(SIGPIPE, SIG_IGN); 232 signal(SIGHUP, SIG_IGN); 233 234 /* Setup pipe and event handler to the parent process. */ 235 if (iev_main != NULL) 236 fatal("iev_main"); 237 if ((iev_main = malloc(sizeof(struct imsgev))) == NULL) 238 fatal(NULL); 239 if (imsgbuf_init(&iev_main->ibuf, 3) == -1) 240 fatal(NULL); 241 imsgbuf_allow_fdpass(&iev_main->ibuf); 242 iev_main->handler = frontend_dispatch_main; 243 iev_main->events = EV_READ; 244 event_set(&iev_main->ev, iev_main->ibuf.fd, iev_main->events, 245 iev_main->handler, iev_main); 246 event_add(&iev_main->ev, NULL); 247 248 udp4ev.rcviov[0].iov_base = (caddr_t)udp4ev.query; 249 udp4ev.rcviov[0].iov_len = sizeof(udp4ev.query); 250 udp4ev.rcvmhdr.msg_name = (caddr_t)&udp4ev.from; 251 udp4ev.rcvmhdr.msg_namelen = sizeof(udp4ev.from); 252 udp4ev.rcvmhdr.msg_iov = udp4ev.rcviov; 253 udp4ev.rcvmhdr.msg_iovlen = 1; 254 255 udp6ev.rcviov[0].iov_base = (caddr_t)udp6ev.query; 256 udp6ev.rcviov[0].iov_len = sizeof(udp6ev.query); 257 udp6ev.rcvmhdr.msg_name = (caddr_t)&udp6ev.from; 258 udp6ev.rcvmhdr.msg_namelen = sizeof(udp6ev.from); 259 udp6ev.rcvmhdr.msg_iov = udp6ev.rcviov; 260 udp6ev.rcvmhdr.msg_iovlen = 1; 261 262 TAILQ_INIT(&pending_queries); 263 264 TAILQ_INIT(&trust_anchors); 265 TAILQ_INIT(&new_trust_anchors); 266 267 add_new_ta(&trust_anchors, KSK2017); 268 add_new_ta(&trust_anchors, KSK2024); 269 270 event_dispatch(); 271 272 frontend_shutdown(); 273 } 274 275 __dead void 276 frontend_shutdown(void) 277 { 278 /* Close pipes. */ 279 imsgbuf_write(&iev_resolver->ibuf); 280 imsgbuf_clear(&iev_resolver->ibuf); 281 close(iev_resolver->ibuf.fd); 282 imsgbuf_write(&iev_main->ibuf); 283 imsgbuf_clear(&iev_main->ibuf); 284 close(iev_main->ibuf.fd); 285 286 config_clear(frontend_conf); 287 288 free(iev_resolver); 289 free(iev_main); 290 291 log_info("frontend exiting"); 292 exit(0); 293 } 294 295 int 296 frontend_imsg_compose_main(int type, pid_t pid, void *data, uint16_t datalen) 297 { 298 return (imsg_compose_event(iev_main, type, 0, pid, -1, data, datalen)); 299 } 300 301 int 302 frontend_imsg_compose_resolver(int type, pid_t pid, void *data, 303 uint16_t datalen) 304 { 305 return (imsg_compose_event(iev_resolver, type, 0, pid, -1, data, 306 datalen)); 307 } 308 309 void 310 frontend_dispatch_main(int fd, short event, void *bula) 311 { 312 static struct uw_conf *nconf; 313 struct imsg imsg; 314 struct imsgev *iev = bula; 315 struct imsgbuf *ibuf = &iev->ibuf; 316 int n, shut = 0; 317 318 if (event & EV_READ) { 319 if ((n = imsgbuf_read(ibuf)) == -1) 320 fatal("imsgbuf_read error"); 321 if (n == 0) /* Connection closed. */ 322 shut = 1; 323 } 324 if (event & EV_WRITE) { 325 if (imsgbuf_write(ibuf) == -1) { 326 if (errno == EPIPE) /* Connection closed. */ 327 shut = 1; 328 else 329 fatal("imsgbuf_write"); 330 } 331 } 332 333 for (;;) { 334 if ((n = imsg_get(ibuf, &imsg)) == -1) 335 fatal("%s: imsg_get error", __func__); 336 if (n == 0) /* No more messages. */ 337 break; 338 339 switch (imsg.hdr.type) { 340 case IMSG_SOCKET_IPC_RESOLVER: 341 /* 342 * Setup pipe and event handler to the resolver 343 * process. 344 */ 345 if (iev_resolver) { 346 fatalx("%s: received unexpected imsg fd " 347 "to frontend", __func__); 348 break; 349 } 350 if ((fd = imsg_get_fd(&imsg)) == -1) { 351 fatalx("%s: expected to receive imsg fd to " 352 "frontend but didn't receive any", 353 __func__); 354 break; 355 } 356 357 if (iev_resolver != NULL) 358 fatal("iev_resolver"); 359 iev_resolver = malloc(sizeof(struct imsgev)); 360 if (iev_resolver == NULL) 361 fatal(NULL); 362 363 if (imsgbuf_init(&iev_resolver->ibuf, fd) == -1) 364 fatal(NULL); 365 iev_resolver->handler = frontend_dispatch_resolver; 366 iev_resolver->events = EV_READ; 367 368 event_set(&iev_resolver->ev, iev_resolver->ibuf.fd, 369 iev_resolver->events, iev_resolver->handler, 370 iev_resolver); 371 event_add(&iev_resolver->ev, NULL); 372 break; 373 case IMSG_RECONF_CONF: 374 case IMSG_RECONF_BLOCKLIST_FILE: 375 case IMSG_RECONF_FORWARDER: 376 case IMSG_RECONF_DOT_FORWARDER: 377 case IMSG_RECONF_FORCE: 378 imsg_receive_config(&imsg, &nconf); 379 break; 380 case IMSG_RECONF_END: 381 if (nconf == NULL) 382 fatalx("%s: IMSG_RECONF_END without " 383 "IMSG_RECONF_CONF", __func__); 384 merge_config(frontend_conf, nconf); 385 if (frontend_conf->blocklist_file == NULL) 386 free_bl(); 387 nconf = NULL; 388 break; 389 case IMSG_UDP6SOCK: 390 if (udp6sock != -1) 391 fatalx("%s: received unexpected udp6sock", 392 __func__); 393 if ((udp6sock = imsg_get_fd(&imsg)) == -1) 394 fatalx("%s: expected to receive imsg " 395 "UDP6 fd but didn't receive any", __func__); 396 event_set(&udp6ev.ev, udp6sock, EV_READ | EV_PERSIST, 397 udp_receive, &udp6ev); 398 event_add(&udp6ev.ev, NULL); 399 break; 400 case IMSG_UDP4SOCK: 401 if (udp4sock != -1) 402 fatalx("%s: received unexpected udp4sock", 403 __func__); 404 if ((udp4sock = imsg_get_fd(&imsg)) == -1) 405 fatalx("%s: expected to receive imsg " 406 "UDP4 fd but didn't receive any", __func__); 407 event_set(&udp4ev.ev, udp4sock, EV_READ | EV_PERSIST, 408 udp_receive, &udp4ev); 409 event_add(&udp4ev.ev, NULL); 410 break; 411 case IMSG_TCP4SOCK: 412 if (tcp4sock != -1) 413 fatalx("%s: received unexpected tcp4sock", 414 __func__); 415 if ((tcp4sock = imsg_get_fd(&imsg)) == -1) 416 fatalx("%s: expected to receive imsg " 417 "TCP4 fd but didn't receive any", __func__); 418 event_set(&tcp4ev.ev, tcp4sock, EV_READ | EV_PERSIST, 419 tcp_accept, &tcp4ev); 420 event_add(&tcp4ev.ev, NULL); 421 evtimer_set(&tcp4ev.pause, accept_paused, &tcp4ev); 422 break; 423 case IMSG_TCP6SOCK: 424 if (tcp6sock != -1) 425 fatalx("%s: received unexpected tcp6sock", 426 __func__); 427 if ((tcp6sock = imsg_get_fd(&imsg)) == -1) 428 fatalx("%s: expected to receive imsg " 429 "TCP6 fd but didn't receive any", __func__); 430 event_set(&tcp6ev.ev, tcp6sock, EV_READ | EV_PERSIST, 431 tcp_accept, &tcp6ev); 432 event_add(&tcp6ev.ev, NULL); 433 evtimer_set(&tcp6ev.pause, accept_paused, &tcp6ev); 434 break; 435 case IMSG_ROUTESOCK: { 436 static int routesock = -1; 437 438 if (routesock != -1) 439 fatalx("%s: received unexpected routesock", 440 __func__); 441 if ((fd = imsg_get_fd(&imsg)) == -1) 442 fatalx("%s: expected to receive imsg " 443 "routesocket fd but didn't receive any", 444 __func__); 445 routesock = fd; 446 event_set(&ev_route, fd, EV_READ | EV_PERSIST, 447 route_receive, NULL); 448 break; 449 } 450 case IMSG_STARTUP: 451 frontend_startup(); 452 break; 453 case IMSG_CONTROLFD: 454 if ((fd = imsg_get_fd(&imsg)) == -1) 455 fatalx("%s: expected to receive imsg control " 456 "fd but didn't receive any", __func__); 457 /* Listen on control socket. */ 458 control_listen(fd); 459 break; 460 case IMSG_TAFD: 461 if ((ta_fd = imsg_get_fd(&imsg)) != -1) 462 parse_trust_anchor(&trust_anchors, ta_fd); 463 if (!TAILQ_EMPTY(&trust_anchors)) 464 send_trust_anchors(&trust_anchors); 465 break; 466 case IMSG_BLFD: 467 if ((fd = imsg_get_fd(&imsg)) == -1) 468 fatalx("%s: expected to receive imsg block " 469 "list fd but didn't receive any", __func__); 470 parse_blocklist(fd); 471 break; 472 default: 473 log_debug("%s: error handling imsg %d", __func__, 474 imsg.hdr.type); 475 break; 476 } 477 imsg_free(&imsg); 478 } 479 if (!shut) 480 imsg_event_add(iev); 481 else { 482 /* This pipe is dead. Remove its event handler. */ 483 event_del(&iev->ev); 484 event_loopexit(NULL); 485 } 486 } 487 488 void 489 frontend_dispatch_resolver(int fd, short event, void *bula) 490 { 491 static struct dns64_prefix *new_dns64_prefixes = NULL; 492 static int new_dns64_prefix_count = 0; 493 static int new_dns64_prefix_pos = 0; 494 struct pending_query *pq; 495 struct imsgev *iev = bula; 496 struct imsgbuf *ibuf = &iev->ibuf; 497 struct imsg imsg; 498 int n, shut = 0, chg; 499 500 if (event & EV_READ) { 501 if ((n = imsgbuf_read(ibuf)) == -1) 502 fatal("imsgbuf_read error"); 503 if (n == 0) /* Connection closed. */ 504 shut = 1; 505 } 506 if (event & EV_WRITE) { 507 if (imsgbuf_write(ibuf) == -1) { 508 if (errno == EPIPE) /* Connection closed. */ 509 shut = 1; 510 else 511 fatal("imsgbuf_write"); 512 } 513 } 514 515 for (;;) { 516 if ((n = imsg_get(ibuf, &imsg)) == -1) 517 fatal("%s: imsg_get error", __func__); 518 if (n == 0) /* No more messages. */ 519 break; 520 521 switch (imsg.hdr.type) { 522 case IMSG_ANSWER: { 523 struct answer_header *answer_header; 524 int data_len; 525 uint8_t *data; 526 527 if (IMSG_DATA_SIZE(imsg) < sizeof(*answer_header)) 528 fatalx("%s: IMSG_ANSWER wrong length: " 529 "%lu", __func__, IMSG_DATA_SIZE(imsg)); 530 answer_header = (struct answer_header *)imsg.data; 531 data = (uint8_t *)imsg.data + sizeof(*answer_header); 532 if (answer_header->answer_len > UINT16_MAX) 533 fatalx("%s: IMSG_ANSWER answer too big: %d", 534 __func__, answer_header->answer_len); 535 data_len = IMSG_DATA_SIZE(imsg) - 536 sizeof(*answer_header); 537 538 if ((pq = find_pending_query(answer_header->id)) == 539 NULL) { 540 log_warnx("%s: cannot find pending query %llu", 541 __func__, answer_header->id); 542 break; 543 } 544 545 if (answer_header->srvfail) { 546 error_answer(pq, LDNS_RCODE_SERVFAIL); 547 send_answer(pq); 548 break; 549 } 550 551 if (answer_header->bogus && !(pq->flags & BIT_CD)) { 552 error_answer(pq, LDNS_RCODE_SERVFAIL); 553 send_answer(pq); 554 break; 555 } 556 557 if (sldns_buffer_position(pq->abuf) == 0 && 558 !sldns_buffer_set_capacity(pq->abuf, 559 answer_header->answer_len)) { 560 error_answer(pq, LDNS_RCODE_SERVFAIL); 561 send_answer(pq); 562 break; 563 } 564 565 if (sldns_buffer_position(pq->abuf) + data_len > 566 sldns_buffer_capacity(pq->abuf)) 567 fatalx("%s: IMSG_ANSWER answer too big: %d", 568 __func__, data_len); 569 sldns_buffer_write(pq->abuf, data, data_len); 570 571 if (sldns_buffer_position(pq->abuf) == 572 sldns_buffer_capacity(pq->abuf)) { 573 sldns_buffer_flip(pq->abuf); 574 if (pq->dns64_synthesize) { 575 synthesize_dns64_answer(pq); 576 send_answer(pq); 577 } else { 578 noerror_answer(pq); 579 if (pq->dns64_synthesize) 580 /* we did not find a answer */ 581 resend_dns64_query(pq); 582 else 583 send_answer(pq); 584 } 585 } 586 break; 587 } 588 case IMSG_CTL_RESOLVER_INFO: 589 case IMSG_CTL_AUTOCONF_RESOLVER_INFO: 590 case IMSG_CTL_MEM_INFO: 591 case IMSG_CTL_END: 592 control_imsg_relay(&imsg); 593 break; 594 case IMSG_NEW_TA: 595 /* make sure this is a string */ 596 ((char *)imsg.data)[IMSG_DATA_SIZE(imsg) - 1] = '\0'; 597 add_new_ta(&new_trust_anchors, imsg.data); 598 break; 599 case IMSG_NEW_TAS_ABORT: 600 free_tas(&new_trust_anchors); 601 break; 602 case IMSG_NEW_TAS_DONE: 603 chg = merge_tas(&new_trust_anchors, &trust_anchors); 604 if (chg) 605 send_trust_anchors(&trust_anchors); 606 607 /* 608 * always write trust anchors, the modify date on 609 * the file is an indication when we made progress 610 */ 611 if (ta_fd != -1) 612 write_trust_anchors(&trust_anchors, ta_fd); 613 break; 614 case IMSG_NEW_DNS64_PREFIXES_START: 615 if (IMSG_DATA_SIZE(imsg) != 616 sizeof(new_dns64_prefix_count)) 617 fatalx("%s: IMSG_NEW_DNS64_PREFIXES_START " 618 "wrong length: %lu", __func__, 619 IMSG_DATA_SIZE(imsg)); 620 memcpy(&new_dns64_prefix_count, imsg.data, 621 sizeof(new_dns64_prefix_count)); 622 free(new_dns64_prefixes); 623 new_dns64_prefixes = NULL; 624 if (new_dns64_prefix_count > 0) 625 new_dns64_prefixes = 626 calloc(new_dns64_prefix_count, 627 sizeof(struct dns64_prefix)); 628 new_dns64_prefix_pos = 0; 629 break; 630 case IMSG_NEW_DNS64_PREFIX: { 631 if (IMSG_DATA_SIZE(imsg) != sizeof(struct dns64_prefix)) 632 fatalx("%s: IMSG_NEW_DNS64_PREFIX wrong " 633 "length: %lu", __func__, 634 IMSG_DATA_SIZE(imsg)); 635 if (new_dns64_prefixes == NULL) 636 break; 637 if (new_dns64_prefix_pos >= new_dns64_prefix_count) 638 fatalx("%s: IMSG_NEW_DNS64_PREFIX: too many " 639 "prefixes", __func__); 640 memcpy(&new_dns64_prefixes[new_dns64_prefix_pos++], 641 imsg.data, sizeof(struct dns64_prefix)); 642 break; 643 } 644 case IMSG_NEW_DNS64_PREFIXES_DONE: 645 free(dns64_prefixes); 646 dns64_prefixes = new_dns64_prefixes; 647 dns64_prefix_count = new_dns64_prefix_count; 648 new_dns64_prefixes = NULL; 649 break; 650 default: 651 log_debug("%s: error handling imsg %d", __func__, 652 imsg.hdr.type); 653 break; 654 } 655 imsg_free(&imsg); 656 } 657 if (!shut) 658 imsg_event_add(iev); 659 else { 660 /* This pipe is dead. Remove its event handler. */ 661 event_del(&iev->ev); 662 event_loopexit(NULL); 663 } 664 } 665 666 void 667 frontend_startup(void) 668 { 669 if (!event_initialized(&ev_route)) 670 fatalx("%s: did not receive a route socket from the main " 671 "process", __func__); 672 673 event_add(&ev_route, NULL); 674 675 frontend_imsg_compose_main(IMSG_STARTUP_DONE, 0, NULL, 0); 676 check_available_af(); 677 } 678 679 void 680 free_pending_query(struct pending_query *pq) 681 { 682 if (!pq) 683 return; 684 685 TAILQ_REMOVE(&pending_queries, pq, entry); 686 regional_destroy(pq->region); 687 sldns_buffer_free(pq->qbuf); 688 sldns_buffer_free(pq->abuf); 689 if (pq->tcp) { 690 if (event_initialized(&pq->ev)) 691 event_del(&pq->ev); 692 if (event_initialized(&pq->resp_ev)) 693 event_del(&pq->resp_ev); 694 if (event_initialized(&pq->tmo_ev)) 695 event_del(&pq->tmo_ev); 696 if (pq->fd != -1) 697 close(pq->fd); 698 } 699 free(pq); 700 } 701 702 void 703 udp_receive(int fd, short events, void *arg) 704 { 705 struct udp_ev *udpev = (struct udp_ev *)arg; 706 struct pending_query *pq = NULL; 707 ssize_t len; 708 709 if ((len = recvmsg(fd, &udpev->rcvmhdr, 0)) == -1) { 710 log_warn("recvmsg"); 711 return; 712 } 713 714 if ((pq = calloc(1, sizeof(*pq))) == NULL) { 715 log_warn(NULL); 716 return; 717 } 718 719 do { 720 arc4random_buf(&pq->imsg_id, sizeof(pq->imsg_id)); 721 } while(find_pending_query(pq->imsg_id) != NULL); 722 723 TAILQ_INSERT_TAIL(&pending_queries, pq, entry); 724 725 pq->from = udpev->from; 726 pq->fd = fd; 727 pq->qbuf = sldns_buffer_new(len); 728 pq->abuf = sldns_buffer_new(len); /* make sure we can send errors */ 729 pq->region = regional_create(); 730 731 if (!pq->qbuf || !pq->abuf || !pq->region) { 732 log_warnx("out of memory"); 733 free_pending_query(pq); 734 return; 735 } 736 737 sldns_buffer_write(pq->qbuf, udpev->query, len); 738 sldns_buffer_flip(pq->qbuf); 739 handle_query(pq); 740 } 741 742 void 743 handle_query(struct pending_query *pq) 744 { 745 struct query_imsg query_imsg; 746 struct bl_node find; 747 int rcode, matched; 748 char *str; 749 char dname[LDNS_MAX_DOMAINLEN + 1]; 750 char qclass_buf[16]; 751 char qtype_buf[16]; 752 753 if (log_getverbose() & OPT_VERBOSE2 && (str = 754 sldns_wire2str_pkt(sldns_buffer_begin(pq->qbuf), 755 sldns_buffer_limit(pq->qbuf))) != NULL) { 756 log_debug("from: %s\n%s", ip_port((struct sockaddr *) 757 &pq->from), str); 758 free(str); 759 } 760 761 if (sldns_buffer_remaining(pq->qbuf) < LDNS_HEADER_SIZE) { 762 log_warnx("bad query: too short, dropped"); 763 goto drop; 764 } 765 766 pq->id = sldns_buffer_read_u16_at(pq->qbuf, 0); 767 pq->flags = sldns_buffer_read_u16_at(pq->qbuf, 2); 768 769 if (!query_info_parse(&pq->qinfo, pq->qbuf)) { 770 log_warnx("query_info_parse failed"); 771 goto drop; 772 } 773 774 rcode = check_query(pq->qbuf); 775 switch (rcode) { 776 case LDNS_RCODE_NOERROR: 777 break; 778 case -1: 779 goto drop; 780 default: 781 error_answer(pq, rcode); 782 goto send_answer; 783 } 784 785 rcode = parse_edns_from_query_pkt(pq->qbuf, &pq->edns, NULL, NULL, 786 NULL, 0, pq->region, NULL); 787 if (rcode != LDNS_RCODE_NOERROR) { 788 error_answer(pq, rcode); 789 goto send_answer; 790 } 791 792 if (!dname_valid(pq->qinfo.qname, pq->qinfo.qname_len)) { 793 error_answer(pq, LDNS_RCODE_FORMERR); 794 goto send_answer; 795 } 796 dname_str(pq->qinfo.qname, dname); 797 798 sldns_wire2str_class_buf(pq->qinfo.qclass, qclass_buf, 799 sizeof(qclass_buf)); 800 sldns_wire2str_type_buf(pq->qinfo.qtype, qtype_buf, sizeof(qtype_buf)); 801 log_debug("%s: %s %s %s ?", ip_port((struct sockaddr *)&pq->from), 802 dname, qclass_buf, qtype_buf); 803 804 if (!RB_EMPTY(&bl_head)) { 805 find.len = strlen(dname); 806 find.wildcard = 0; 807 reverse(dname, dname + find.len); 808 find.domain = dname; 809 matched = (RB_FIND(bl_tree, &bl_head, &find) != NULL); 810 reverse(dname, dname + find.len); 811 if (matched) { 812 if (frontend_conf->blocklist_log) 813 log_info("blocking %s", dname); 814 error_answer(pq, LDNS_RCODE_REFUSED); 815 goto send_answer; 816 } 817 } 818 819 if (pq->qinfo.qtype == LDNS_RR_TYPE_AXFR || pq->qinfo.qtype == 820 LDNS_RR_TYPE_IXFR) { 821 error_answer(pq, LDNS_RCODE_REFUSED); 822 goto send_answer; 823 } 824 825 if(pq->qinfo.qtype == LDNS_RR_TYPE_OPT || 826 pq->qinfo.qtype == LDNS_RR_TYPE_TSIG || 827 pq->qinfo.qtype == LDNS_RR_TYPE_TKEY || 828 pq->qinfo.qtype == LDNS_RR_TYPE_MAILA || 829 pq->qinfo.qtype == LDNS_RR_TYPE_MAILB || 830 (pq->qinfo.qtype >= 128 && pq->qinfo.qtype <= 248)) { 831 error_answer(pq, LDNS_RCODE_FORMERR); 832 goto send_answer; 833 } 834 835 if (pq->qinfo.qclass == LDNS_RR_CLASS_CH) { 836 if (strcasecmp(dname, "version.server.") == 0 || 837 strcasecmp(dname, "version.bind.") == 0) { 838 chaos_answer(pq); 839 } else 840 error_answer(pq, LDNS_RCODE_REFUSED); 841 goto send_answer; 842 } 843 844 if (strlcpy(query_imsg.qname, dname, sizeof(query_imsg.qname)) >= 845 sizeof(query_imsg.qname)) { 846 log_warnx("qname too long"); 847 error_answer(pq, LDNS_RCODE_FORMERR); 848 goto send_answer; 849 } 850 query_imsg.id = pq->imsg_id; 851 query_imsg.t = pq->qinfo.qtype; 852 query_imsg.c = pq->qinfo.qclass; 853 854 if (frontend_imsg_compose_resolver(IMSG_QUERY, 0, &query_imsg, 855 sizeof(query_imsg)) == -1) { 856 error_answer(pq, LDNS_RCODE_SERVFAIL); 857 goto send_answer; 858 } 859 return; 860 861 send_answer: 862 send_answer(pq); 863 return; 864 865 drop: 866 free_pending_query(pq); 867 } 868 869 void 870 noerror_answer(struct pending_query *pq) 871 { 872 struct query_info skip, qinfo; 873 struct reply_info *rinfo = NULL; 874 struct alloc_cache alloc; 875 struct edns_data edns; 876 struct ub_packed_rrset_key *an_rrset = NULL; 877 struct packed_rrset_data *an_rrset_data = NULL; 878 879 alloc_init(&alloc, NULL, 0); 880 memset(&qinfo, 0, sizeof(qinfo)); 881 /* read past query section, no memory is allocated */ 882 if (!query_info_parse(&skip, pq->abuf)) 883 goto srvfail; 884 885 if (reply_info_parse(pq->abuf, &alloc, &qinfo, &rinfo, pq->region, 886 &edns) != 0) 887 goto srvfail; 888 889 if ((an_rrset = reply_find_answer_rrset(&qinfo, rinfo)) != NULL) 890 an_rrset_data = (struct packed_rrset_data*)an_rrset->entry.data; 891 892 /* reply_info_parse() allocates memory */ 893 query_info_clear(&qinfo); 894 895 /* XXX check that there a no AAAA records in answer section? */ 896 if ((an_rrset_data == NULL || an_rrset_data->count == 0) && 897 !pq->dns64_synthesize && pq->qinfo.qtype == LDNS_RR_TYPE_AAAA && 898 pq->qinfo.qclass == LDNS_RR_CLASS_IN && dns64_prefix_count > 0) { 899 pq->dns64_synthesize = 1; 900 return; 901 } 902 903 sldns_buffer_clear(pq->abuf); 904 if (reply_info_encode(&pq->qinfo, rinfo, htons(pq->id), rinfo->flags, 905 pq->abuf, 0, pq->region, pq->tcp ? UINT16_MAX : pq->edns.udp_size, 906 pq->edns.bits & EDNS_DO, MINIMIZE_ANSWER) == 0) 907 goto srvfail; 908 909 reply_info_parsedelete(rinfo, &alloc); 910 alloc_clear(&alloc); 911 return; 912 913 srvfail: 914 reply_info_parsedelete(rinfo, &alloc); 915 alloc_clear(&alloc); 916 error_answer(pq, LDNS_RCODE_SERVFAIL); 917 } 918 919 void 920 synthesize_dns64_answer(struct pending_query *pq) 921 { 922 struct query_info skip, qinfo; 923 struct reply_info *rinfo = NULL, *synth_rinfo = NULL; 924 struct alloc_cache alloc; 925 struct edns_data edns; 926 size_t i; 927 928 pq->dns64_synthesize = 0; 929 930 alloc_init(&alloc, NULL, 0); 931 memset(&qinfo, 0, sizeof(qinfo)); 932 /* read past query section, no memory is allocated */ 933 if (!query_info_parse(&skip, pq->abuf)) 934 goto srvfail; 935 936 if (reply_info_parse(pq->abuf, &alloc, &qinfo, &rinfo, pq->region, 937 &edns) != 0) 938 goto srvfail; 939 940 /* reply_info_parse() allocates memory */ 941 query_info_clear(&qinfo); 942 943 synth_rinfo = construct_reply_info_base(pq->region, rinfo->flags, 944 rinfo->qdcount, rinfo->ttl, rinfo->prefetch_ttl, 945 rinfo->serve_expired_ttl, rinfo->an_numrrsets, 946 rinfo->ns_numrrsets, rinfo->ar_numrrsets, rinfo->rrset_count, 947 rinfo->security, rinfo->reason_bogus); 948 949 if (!synth_rinfo) 950 goto srvfail; 951 952 if(!reply_info_alloc_rrset_keys(synth_rinfo, NULL, pq->region)) 953 goto srvfail; 954 955 for (i = 0; i < synth_rinfo->rrset_count; i++) { 956 struct ub_packed_rrset_key *src_rrset_key, *dst_rrset_key; 957 struct packed_rrset_data *src_rrset_data; 958 struct packed_rrset_data *dst_rrset_data; 959 960 src_rrset_key = rinfo->rrsets[i]; 961 src_rrset_data = 962 (struct packed_rrset_data *)src_rrset_key->entry.data; 963 dst_rrset_key = synth_rinfo->rrsets[i]; 964 965 dst_rrset_key->id = src_rrset_key->id; 966 dst_rrset_key->rk = src_rrset_key->rk; 967 968 if (i < rinfo->an_numrrsets && src_rrset_key->rk.type == 969 htons(LDNS_RR_TYPE_A)) { 970 dns64_synth_aaaa_data(src_rrset_key, src_rrset_data, 971 dst_rrset_key, &dst_rrset_data, pq->region); 972 if (dst_rrset_data == NULL) 973 goto srvfail; 974 } else { 975 dst_rrset_key->entry.hash = src_rrset_key->entry.hash; 976 dst_rrset_key->rk.dname = regional_alloc_init( 977 pq->region, src_rrset_key->rk.dname, 978 src_rrset_key->rk.dname_len); 979 if (dst_rrset_key->rk.dname == NULL) 980 goto srvfail; 981 982 dst_rrset_data = regional_alloc_init(pq->region, 983 src_rrset_data, 984 packed_rrset_sizeof(src_rrset_data)); 985 if (dst_rrset_data == NULL) 986 goto srvfail; 987 } 988 989 packed_rrset_ptr_fixup(dst_rrset_data); 990 dst_rrset_key->entry.data = dst_rrset_data; 991 } 992 993 if (!sldns_buffer_set_capacity(pq->abuf, pq->tcp ? UINT16_MAX : 994 pq->edns.udp_size)) 995 goto srvfail; 996 997 sldns_buffer_clear(pq->abuf); 998 999 if (reply_info_encode(&pq->qinfo, synth_rinfo, htons(pq->id), 1000 synth_rinfo->flags, pq->abuf, 0, pq->region, 1001 pq->tcp ? UINT16_MAX : pq->edns.udp_size, 1002 pq->edns.bits & EDNS_DO, MINIMIZE_ANSWER) == 0) 1003 goto srvfail; 1004 1005 reply_info_parsedelete(rinfo, &alloc); 1006 alloc_clear(&alloc); 1007 return; 1008 1009 srvfail: 1010 reply_info_parsedelete(rinfo, &alloc); 1011 alloc_clear(&alloc); 1012 error_answer(pq, LDNS_RCODE_SERVFAIL); 1013 } 1014 1015 void 1016 resend_dns64_query(struct pending_query *opq) 1017 { 1018 struct pending_query *pq; 1019 struct query_imsg query_imsg; 1020 int rcode; 1021 char dname[LDNS_MAX_DOMAINLEN + 1]; 1022 1023 if ((pq = calloc(1, sizeof(*pq))) == NULL) { 1024 log_warn(NULL); 1025 return; 1026 } 1027 1028 do { 1029 arc4random_buf(&pq->imsg_id, sizeof(pq->imsg_id)); 1030 } while(find_pending_query(pq->imsg_id) != NULL); 1031 1032 TAILQ_INSERT_TAIL(&pending_queries, pq, entry); 1033 1034 pq->from = opq->from; 1035 pq->fd = opq->fd; 1036 opq->fd = -1; 1037 pq->tcp = opq->tcp; 1038 pq->qbuf = sldns_buffer_new(sldns_buffer_capacity(opq->qbuf)); 1039 pq->abuf = sldns_buffer_new(sldns_buffer_capacity(opq->abuf)); 1040 pq->region = regional_create(); 1041 1042 if (!pq->qbuf || !pq->abuf || !pq->region) { 1043 log_warnx("out of memory"); 1044 free_pending_query(pq); 1045 free_pending_query(opq); 1046 return; 1047 } 1048 1049 sldns_buffer_rewind(opq->qbuf); 1050 sldns_buffer_write(pq->qbuf, sldns_buffer_current(opq->qbuf), 1051 sldns_buffer_remaining(opq->qbuf)); 1052 sldns_buffer_flip(pq->qbuf); 1053 1054 if (pq->tcp) { 1055 struct timeval timeout = {TCP_TIMEOUT, 0}; 1056 1057 event_set(&pq->ev, pq->fd, EV_READ | EV_PERSIST, tcp_request, 1058 pq); 1059 event_set(&pq->resp_ev, pq->fd, EV_WRITE | EV_PERSIST, 1060 tcp_response, pq); 1061 evtimer_set(&pq->tmo_ev, tcp_timeout, pq); 1062 evtimer_add(&pq->tmo_ev, &timeout); 1063 } 1064 1065 if (sldns_buffer_remaining(pq->qbuf) < LDNS_HEADER_SIZE) { 1066 log_warnx("bad query: too short, dropped"); 1067 goto drop; 1068 } 1069 1070 pq->id = sldns_buffer_read_u16_at(pq->qbuf, 0); 1071 pq->flags = sldns_buffer_read_u16_at(pq->qbuf, 2); 1072 1073 if (!query_info_parse(&pq->qinfo, pq->qbuf)) { 1074 log_warnx("query_info_parse failed"); 1075 goto drop; 1076 } 1077 1078 rcode = parse_edns_from_query_pkt(pq->qbuf, &pq->edns, NULL, NULL, 1079 NULL, 0, pq->region, NULL); 1080 if (rcode != LDNS_RCODE_NOERROR) { 1081 error_answer(pq, rcode); 1082 goto send_answer; 1083 } 1084 1085 dname_str(pq->qinfo.qname, dname); 1086 strlcpy(query_imsg.qname, dname, sizeof(query_imsg.qname)); 1087 query_imsg.id = pq->imsg_id; 1088 query_imsg.t = LDNS_RR_TYPE_A; 1089 query_imsg.c = pq->qinfo.qclass; 1090 1091 pq->dns64_synthesize = 1; 1092 1093 if (frontend_imsg_compose_resolver(IMSG_QUERY, 0, &query_imsg, 1094 sizeof(query_imsg)) == -1) { 1095 error_answer(pq, LDNS_RCODE_SERVFAIL); 1096 goto send_answer; 1097 } 1098 1099 free_pending_query(opq); 1100 return; 1101 1102 send_answer: 1103 free_pending_query(opq); 1104 send_answer(pq); 1105 return; 1106 1107 drop: 1108 free_pending_query(opq); 1109 free_pending_query(pq); 1110 } 1111 1112 void 1113 chaos_answer(struct pending_query *pq) 1114 { 1115 size_t len; 1116 const char *name = "unwind"; 1117 1118 len = strlen(name); 1119 if (!sldns_buffer_set_capacity(pq->abuf, 1120 sldns_buffer_capacity(pq->qbuf) + COMPRESSED_RR_SIZE + 1 + len)) { 1121 error_answer(pq, LDNS_RCODE_SERVFAIL); 1122 return; 1123 } 1124 1125 sldns_buffer_copy(pq->abuf, pq->qbuf); 1126 1127 sldns_buffer_clear(pq->abuf); 1128 1129 sldns_buffer_skip(pq->abuf, sizeof(uint16_t)); /* skip id */ 1130 sldns_buffer_write_u16(pq->abuf, 0); /* clear flags */ 1131 LDNS_QR_SET(sldns_buffer_begin(pq->abuf)); 1132 LDNS_RA_SET(sldns_buffer_begin(pq->abuf)); 1133 if (LDNS_RD_WIRE(sldns_buffer_begin(pq->qbuf))) 1134 LDNS_RD_SET(sldns_buffer_begin(pq->abuf)); 1135 if (LDNS_CD_WIRE(sldns_buffer_begin(pq->qbuf))) 1136 LDNS_CD_SET(sldns_buffer_begin(pq->abuf)); 1137 LDNS_RCODE_SET(sldns_buffer_begin(pq->abuf), LDNS_RCODE_NOERROR); 1138 sldns_buffer_write_u16(pq->abuf, 1); /* qdcount */ 1139 sldns_buffer_write_u16(pq->abuf, 1); /* ancount */ 1140 sldns_buffer_write_u16(pq->abuf, 0); /* nscount */ 1141 sldns_buffer_write_u16(pq->abuf, 0); /* arcount */ 1142 (void)query_dname_len(pq->abuf); /* skip qname */ 1143 sldns_buffer_skip(pq->abuf, sizeof(uint16_t)); /* skip qtype */ 1144 sldns_buffer_skip(pq->abuf, sizeof(uint16_t)); /* skip qclass */ 1145 1146 sldns_buffer_write_u16(pq->abuf, 0xc00c); /* ptr to query */ 1147 sldns_buffer_write_u16(pq->abuf, LDNS_RR_TYPE_TXT); 1148 sldns_buffer_write_u16(pq->abuf, LDNS_RR_CLASS_CH); 1149 sldns_buffer_write_u32(pq->abuf, 0); /* TTL */ 1150 sldns_buffer_write_u16(pq->abuf, 1 + len); /* RDLENGTH */ 1151 sldns_buffer_write_u8(pq->abuf, len); /* length octed */ 1152 sldns_buffer_write(pq->abuf, name, len); 1153 sldns_buffer_flip(pq->abuf); 1154 } 1155 1156 void 1157 error_answer(struct pending_query *pq, int rcode) 1158 { 1159 sldns_buffer_clear(pq->abuf); 1160 error_encode(pq->abuf, rcode, &pq->qinfo, htons(pq->id), pq->flags, 1161 pq->edns.edns_present ? &pq->edns : NULL); 1162 } 1163 1164 int 1165 check_query(sldns_buffer* pkt) 1166 { 1167 if(sldns_buffer_limit(pkt) < LDNS_HEADER_SIZE) { 1168 log_warnx("bad query: too short, dropped"); 1169 return -1; 1170 } 1171 if(LDNS_QR_WIRE(sldns_buffer_begin(pkt))) { 1172 log_warnx("bad query: QR set, dropped"); 1173 return -1; 1174 } 1175 if(LDNS_TC_WIRE(sldns_buffer_begin(pkt))) { 1176 LDNS_TC_CLR(sldns_buffer_begin(pkt)); 1177 log_warnx("bad query: TC set"); 1178 return (LDNS_RCODE_FORMERR); 1179 } 1180 if(!(LDNS_RD_WIRE(sldns_buffer_begin(pkt)))) { 1181 log_warnx("bad query: RD not set"); 1182 return (LDNS_RCODE_REFUSED); 1183 } 1184 if(LDNS_OPCODE_WIRE(sldns_buffer_begin(pkt)) != LDNS_PACKET_QUERY) { 1185 log_warnx("bad query: unknown opcode %d", 1186 LDNS_OPCODE_WIRE(sldns_buffer_begin(pkt))); 1187 return (LDNS_RCODE_NOTIMPL); 1188 } 1189 1190 if (LDNS_QDCOUNT(sldns_buffer_begin(pkt)) != 1 && 1191 LDNS_ANCOUNT(sldns_buffer_begin(pkt))!= 0 && 1192 LDNS_NSCOUNT(sldns_buffer_begin(pkt))!= 0 && 1193 LDNS_ARCOUNT(sldns_buffer_begin(pkt)) > 1) { 1194 log_warnx("bad query: qdcount: %d, ancount: %d " 1195 "nscount: %d, arcount: %d", 1196 LDNS_QDCOUNT(sldns_buffer_begin(pkt)), 1197 LDNS_ANCOUNT(sldns_buffer_begin(pkt)), 1198 LDNS_NSCOUNT(sldns_buffer_begin(pkt)), 1199 LDNS_ARCOUNT(sldns_buffer_begin(pkt))); 1200 return (LDNS_RCODE_FORMERR); 1201 } 1202 return (LDNS_RCODE_NOERROR); 1203 } 1204 1205 void 1206 send_answer(struct pending_query *pq) 1207 { 1208 char *str; 1209 1210 if (log_getverbose() & OPT_VERBOSE2 && (str = 1211 sldns_wire2str_pkt(sldns_buffer_begin(pq->abuf), 1212 sldns_buffer_limit(pq->abuf))) != NULL) { 1213 log_debug("from: %s\n%s", ip_port((struct sockaddr *) 1214 &pq->from), str); 1215 free(str); 1216 } 1217 1218 if (!pq->tcp) { 1219 if(sendto(pq->fd, sldns_buffer_current(pq->abuf), 1220 sldns_buffer_remaining(pq->abuf), 0, 1221 (struct sockaddr *)&pq->from, pq->from.ss_len) == -1) 1222 log_warn("sendto"); 1223 free_pending_query(pq); 1224 } else { 1225 struct sldns_buffer *tmp; 1226 1227 tmp = sldns_buffer_new(sldns_buffer_limit(pq->abuf) + 2); 1228 1229 if (!tmp) { 1230 free_pending_query(pq); 1231 return; 1232 } 1233 1234 sldns_buffer_write_u16(tmp, sldns_buffer_limit(pq->abuf)); 1235 sldns_buffer_write(tmp, sldns_buffer_current(pq->abuf), 1236 sldns_buffer_remaining(pq->abuf)); 1237 sldns_buffer_flip(tmp); 1238 sldns_buffer_free(pq->abuf); 1239 pq->abuf = tmp; 1240 event_add(&pq->resp_ev, NULL); 1241 } 1242 } 1243 1244 char* 1245 ip_port(struct sockaddr *sa) 1246 { 1247 static char hbuf[NI_MAXHOST], buf[NI_MAXHOST]; 1248 1249 if (getnameinfo(sa, sa->sa_len, hbuf, sizeof(hbuf), NULL, 0, 1250 NI_NUMERICHOST) != 0) { 1251 snprintf(buf, sizeof(buf), "%s", "(unknown)"); 1252 return buf; 1253 } 1254 1255 if (sa->sa_family == AF_INET6) 1256 snprintf(buf, sizeof(buf), "[%s]:%d", hbuf, ntohs( 1257 ((struct sockaddr_in6 *)sa)->sin6_port)); 1258 if (sa->sa_family == AF_INET) 1259 snprintf(buf, sizeof(buf), "[%s]:%d", hbuf, ntohs( 1260 ((struct sockaddr_in *)sa)->sin_port)); 1261 1262 return buf; 1263 } 1264 1265 struct pending_query* 1266 find_pending_query(uint64_t id) 1267 { 1268 struct pending_query *pq; 1269 1270 TAILQ_FOREACH(pq, &pending_queries, entry) 1271 if (pq->imsg_id == id) 1272 return pq; 1273 return NULL; 1274 } 1275 1276 void 1277 route_receive(int fd, short events, void *arg) 1278 { 1279 static uint8_t *buf; 1280 1281 struct rt_msghdr *rtm; 1282 struct sockaddr *sa, *rti_info[RTAX_MAX]; 1283 ssize_t n; 1284 1285 if (buf == NULL) { 1286 buf = malloc(ROUTE_SOCKET_BUF_SIZE); 1287 if (buf == NULL) 1288 fatal("malloc"); 1289 } 1290 rtm = (struct rt_msghdr *)buf; 1291 if ((n = read(fd, buf, ROUTE_SOCKET_BUF_SIZE)) == -1) { 1292 if (errno == EAGAIN || errno == EINTR) 1293 return; 1294 log_warn("dispatch_rtmsg: read error"); 1295 return; 1296 } 1297 1298 if (n == 0) 1299 fatal("routing socket closed"); 1300 1301 if (n < (ssize_t)sizeof(rtm->rtm_msglen) || n < rtm->rtm_msglen) { 1302 log_warnx("partial rtm of %zd in buffer", n); 1303 return; 1304 } 1305 1306 if (rtm->rtm_version != RTM_VERSION) 1307 return; 1308 1309 sa = (struct sockaddr *)(buf + rtm->rtm_hdrlen); 1310 get_rtaddrs(rtm->rtm_addrs, sa, rti_info); 1311 1312 handle_route_message(rtm, rti_info); 1313 } 1314 1315 #define ROUNDUP(a) \ 1316 ((a) > 0 ? (1 + (((a) - 1) | (sizeof(long) - 1))) : sizeof(long)) 1317 1318 void 1319 get_rtaddrs(int addrs, struct sockaddr *sa, struct sockaddr **rti_info) 1320 { 1321 int i; 1322 1323 for (i = 0; i < RTAX_MAX; i++) { 1324 if (addrs & (1 << i)) { 1325 rti_info[i] = sa; 1326 sa = (struct sockaddr *)((char *)(sa) + 1327 ROUNDUP(sa->sa_len)); 1328 } else 1329 rti_info[i] = NULL; 1330 } 1331 } 1332 1333 void 1334 handle_route_message(struct rt_msghdr *rtm, struct sockaddr **rti_info) 1335 { 1336 struct imsg_rdns_proposal rdns_proposal; 1337 struct sockaddr_rtdns *rtdns; 1338 struct if_announcemsghdr *ifan; 1339 1340 switch (rtm->rtm_type) { 1341 case RTM_IFANNOUNCE: 1342 ifan = (struct if_announcemsghdr *)rtm; 1343 if (ifan->ifan_what == IFAN_ARRIVAL) 1344 break; 1345 rdns_proposal.if_index = ifan->ifan_index; 1346 rdns_proposal.src = 0; 1347 rdns_proposal.rtdns.sr_family = AF_INET; 1348 rdns_proposal.rtdns.sr_len = offsetof(struct sockaddr_rtdns, 1349 sr_dns); 1350 frontend_imsg_compose_resolver(IMSG_REPLACE_DNS, 0, 1351 &rdns_proposal, sizeof(rdns_proposal)); 1352 break; 1353 case RTM_IFINFO: 1354 frontend_imsg_compose_resolver(IMSG_NETWORK_CHANGED, 0, NULL, 1355 0); 1356 break; 1357 case RTM_PROPOSAL: 1358 if (!(rtm->rtm_addrs & RTA_DNS)) 1359 break; 1360 1361 rtdns = (struct sockaddr_rtdns*)rti_info[RTAX_DNS]; 1362 rdns_proposal.if_index = rtm->rtm_index; 1363 rdns_proposal.src = rtm->rtm_priority; 1364 memcpy(&rdns_proposal.rtdns, rtdns, sizeof(rdns_proposal.rtdns)); 1365 frontend_imsg_compose_resolver(IMSG_REPLACE_DNS, 0, 1366 &rdns_proposal, sizeof(rdns_proposal)); 1367 break; 1368 case RTM_NEWADDR: 1369 case RTM_DELADDR: 1370 case RTM_DESYNC: 1371 check_available_af(); 1372 break; 1373 default: 1374 break; 1375 } 1376 } 1377 1378 void 1379 add_new_ta(struct trust_anchor_head *tah, char *val) 1380 { 1381 struct trust_anchor *ta, *i; 1382 int cmp; 1383 1384 if ((ta = malloc(sizeof(*ta))) == NULL) 1385 fatal("%s", __func__); 1386 if ((ta->ta = strdup(val)) == NULL) 1387 fatal("%s", __func__); 1388 1389 /* keep the list sorted to prevent churn if the order changes in DNS */ 1390 TAILQ_FOREACH(i, tah, entry) { 1391 cmp = strcmp(i->ta, ta->ta); 1392 if ( cmp == 0) { 1393 /* duplicate */ 1394 free(ta->ta); 1395 free(ta); 1396 return; 1397 } else if (cmp > 0) { 1398 TAILQ_INSERT_BEFORE(i, ta, entry); 1399 return; 1400 } 1401 } 1402 TAILQ_INSERT_TAIL(tah, ta, entry); 1403 } 1404 1405 void 1406 free_tas(struct trust_anchor_head *tah) 1407 { 1408 struct trust_anchor *ta; 1409 1410 while ((ta = TAILQ_FIRST(tah))) { 1411 TAILQ_REMOVE(tah, ta, entry); 1412 free(ta->ta); 1413 free(ta); 1414 } 1415 } 1416 1417 int 1418 merge_tas(struct trust_anchor_head *newh, struct trust_anchor_head *oldh) 1419 { 1420 struct trust_anchor *i, *j; 1421 int chg = 0; 1422 1423 j = TAILQ_FIRST(oldh); 1424 1425 TAILQ_FOREACH(i, newh, entry) { 1426 if (j == NULL || strcmp(i->ta, j->ta) != 0) { 1427 chg = 1; 1428 break; 1429 } 1430 j = TAILQ_NEXT(j, entry); 1431 } 1432 if (j != NULL) 1433 chg = 1; 1434 1435 if (chg) { 1436 free_tas(oldh); 1437 TAILQ_CONCAT(oldh, newh, entry); 1438 } else { 1439 free_tas(newh); 1440 } 1441 return (chg); 1442 } 1443 1444 void 1445 parse_trust_anchor(struct trust_anchor_head *tah, int fd) 1446 { 1447 size_t len, dname_len; 1448 ssize_t n, sz; 1449 uint8_t rr[LDNS_RR_BUF_SIZE]; 1450 char *str, *p, buf[512], *line; 1451 1452 sz = 0; 1453 str = NULL; 1454 1455 while ((n = read(fd, buf, sizeof(buf))) > 0) { 1456 p = recallocarray(str, sz, sz + n, 1); 1457 if (p == NULL) { 1458 log_warn("%s", __func__); 1459 goto out; 1460 } 1461 str = p; 1462 memcpy(str + sz, buf, n); 1463 sz += n; 1464 } 1465 1466 if (n == -1) { 1467 log_warn("%s", __func__); 1468 goto out; 1469 } 1470 1471 /* make it a string */ 1472 p = recallocarray(str, sz, sz + 1, 1); 1473 if (p == NULL) { 1474 log_warn("%s", __func__); 1475 goto out; 1476 } 1477 str = p; 1478 sz++; 1479 1480 len = sizeof(rr); 1481 1482 while ((line = strsep(&p, "\n")) != NULL) { 1483 if (sldns_str2wire_rr_buf(line, rr, &len, &dname_len, 1484 ROOT_DNSKEY_TTL, NULL, 0, NULL, 0) != 0) 1485 continue; 1486 if (sldns_wirerr_get_type(rr, len, dname_len) == 1487 LDNS_RR_TYPE_DNSKEY) 1488 add_new_ta(tah, line); 1489 } 1490 1491 out: 1492 free(str); 1493 return; 1494 } 1495 1496 void 1497 send_trust_anchors(struct trust_anchor_head *tah) 1498 { 1499 struct trust_anchor *ta; 1500 1501 TAILQ_FOREACH(ta, tah, entry) 1502 frontend_imsg_compose_resolver(IMSG_NEW_TA, 0, ta->ta, 1503 strlen(ta->ta) + 1); 1504 frontend_imsg_compose_resolver(IMSG_NEW_TAS_DONE, 0, NULL, 0); 1505 } 1506 1507 void 1508 write_trust_anchors(struct trust_anchor_head *tah, int fd) 1509 { 1510 struct trust_anchor *ta; 1511 size_t len = 0; 1512 ssize_t n; 1513 char *str; 1514 1515 if (lseek(fd, 0, SEEK_SET) == -1) { 1516 log_warn("%s", __func__); 1517 goto out; 1518 } 1519 1520 TAILQ_FOREACH(ta, tah, entry) { 1521 if ((n = asprintf(&str, "%s\n", ta->ta)) == -1) { 1522 log_warn("%s", __func__); 1523 len = 0; 1524 goto out; 1525 } 1526 len += n; 1527 if (write(fd, str, n) != n) { 1528 log_warn("%s", __func__); 1529 free(str); 1530 len = 0; 1531 goto out; 1532 } 1533 free(str); 1534 } 1535 out: 1536 ftruncate(fd, len); 1537 fsync(fd); 1538 } 1539 1540 void 1541 parse_blocklist(int fd) 1542 { 1543 FILE *f; 1544 struct bl_node *bl_node; 1545 char *line = NULL; 1546 size_t linesize = 0; 1547 ssize_t linelen; 1548 1549 if((f = fdopen(fd, "r")) == NULL) { 1550 log_warn("cannot read block list"); 1551 close(fd); 1552 return; 1553 } 1554 1555 free_bl(); 1556 1557 while ((linelen = getline(&line, &linesize, f)) != -1) { 1558 if (line[linelen - 1] == '\n') { 1559 if (linelen >= 2 && line[linelen - 2] != '.') 1560 line[linelen - 1] = '.'; 1561 else 1562 line[linelen-- - 1] = '\0'; 1563 } 1564 1565 if (line[0] == '#') 1566 continue; 1567 1568 bl_node = malloc(sizeof *bl_node); 1569 if (bl_node == NULL) 1570 fatal("%s: malloc", __func__); 1571 if ((bl_node->domain = strdup(line)) == NULL) 1572 fatal("%s: strdup", __func__); 1573 reverse(bl_node->domain, bl_node->domain + linelen); 1574 bl_node->len = linelen; 1575 bl_node->wildcard = line[0] == '.'; 1576 if (RB_INSERT(bl_tree, &bl_head, bl_node) != NULL) { 1577 log_warnx("duplicate blocked domain \"%s\"", line); 1578 free(bl_node->domain); 1579 free(bl_node); 1580 } 1581 } 1582 free(line); 1583 if (ferror(f)) 1584 log_warn("getline"); 1585 fclose(f); 1586 } 1587 1588 int 1589 bl_cmp(struct bl_node *e1, struct bl_node *e2) { 1590 if (e1->wildcard == e2->wildcard) 1591 return (strcasecmp(e1->domain, e2->domain)); 1592 else if (e1->wildcard) 1593 return (strncasecmp(e1->domain, e2->domain, e1->len)); 1594 else /* e2->wildcard */ 1595 return (strncasecmp(e1->domain, e2->domain, e2->len)); 1596 } 1597 1598 void 1599 free_bl(void) 1600 { 1601 struct bl_node *n, *nxt; 1602 1603 RB_FOREACH_SAFE(n, bl_tree, &bl_head, nxt) { 1604 RB_REMOVE(bl_tree, &bl_head, n); 1605 free(n->domain); 1606 free(n); 1607 } 1608 } 1609 1610 int 1611 pending_query_cnt(void) 1612 { 1613 struct pending_query *e; 1614 int cnt = 0; 1615 1616 TAILQ_FOREACH(e, &pending_queries, entry) 1617 cnt++; 1618 return cnt; 1619 } 1620 1621 void 1622 accept_paused(int fd, short events, void *arg) 1623 { 1624 struct tcp_accept_ev *tcpev = arg; 1625 event_add(&tcpev->ev, NULL); 1626 } 1627 1628 int 1629 accept_reserve(int sockfd, struct sockaddr *addr, socklen_t *addrlen) 1630 { 1631 if (getdtablecount() + FD_RESERVE >= getdtablesize()) { 1632 log_debug("%s: inflight fds exceeded", __func__); 1633 errno = EMFILE; 1634 return -1; 1635 } 1636 return accept4(sockfd, addr, addrlen, SOCK_NONBLOCK | SOCK_CLOEXEC); 1637 } 1638 1639 void 1640 tcp_accept(int fd, short events, void *arg) 1641 { 1642 static struct timeval timeout = {TCP_TIMEOUT, 0}; 1643 static struct timeval backoff = {1, 0}; 1644 struct pending_query *pq; 1645 struct tcp_accept_ev *tcpev; 1646 struct sockaddr_storage ss; 1647 socklen_t len; 1648 int s; 1649 1650 tcpev = arg; 1651 len = sizeof(ss); 1652 1653 if ((s = accept_reserve(fd, (struct sockaddr *)&ss, &len)) == -1) { 1654 switch (errno) { 1655 case EINTR: 1656 case EWOULDBLOCK: 1657 case ECONNABORTED: 1658 return; 1659 case EMFILE: 1660 case ENFILE: 1661 event_del(&tcpev->ev); 1662 evtimer_add(&tcpev->pause, &backoff); 1663 return; 1664 default: 1665 fatal("accept"); 1666 } 1667 } 1668 1669 if ((pq = calloc(1, sizeof(*pq))) == NULL) { 1670 log_warn(NULL); 1671 close(s); 1672 return; 1673 } 1674 1675 do { 1676 arc4random_buf(&pq->imsg_id, sizeof(pq->imsg_id)); 1677 } while(find_pending_query(pq->imsg_id) != NULL); 1678 1679 TAILQ_INSERT_TAIL(&pending_queries, pq, entry); 1680 1681 pq->from = ss; 1682 pq->fd = s; 1683 pq->tcp = 1; 1684 pq->qbuf = sldns_buffer_new(DEFAULT_TCP_SIZE); 1685 pq->region = regional_create(); 1686 1687 if (!pq->qbuf || !pq->region) { 1688 free_pending_query(pq); 1689 return; 1690 } 1691 1692 event_set(&pq->ev, s, EV_READ | EV_PERSIST, tcp_request, pq); 1693 event_add(&pq->ev, NULL); 1694 event_set(&pq->resp_ev, s, EV_WRITE | EV_PERSIST, tcp_response, pq); 1695 1696 evtimer_set(&pq->tmo_ev, tcp_timeout, pq); 1697 evtimer_add(&pq->tmo_ev, &timeout); 1698 } 1699 1700 void 1701 tcp_request(int fd, short events, void *arg) 1702 { 1703 struct pending_query *pq; 1704 ssize_t n; 1705 1706 pq = arg; 1707 1708 n = read(fd, sldns_buffer_current(pq->qbuf), 1709 sldns_buffer_remaining(pq->qbuf)); 1710 1711 switch (n) { 1712 case -1: 1713 switch (errno) { 1714 case EINTR: 1715 case EAGAIN: 1716 return; 1717 default: 1718 goto fail; 1719 } 1720 break; 1721 case 0: 1722 log_debug("closed connection"); 1723 goto fail; 1724 default: 1725 break; 1726 } 1727 1728 sldns_buffer_skip(pq->qbuf, n); 1729 1730 if (sldns_buffer_position(pq->qbuf) >= 2 && !pq->abuf) { 1731 struct sldns_buffer *tmp; 1732 size_t rem; 1733 uint16_t len; 1734 1735 sldns_buffer_flip(pq->qbuf); 1736 len = sldns_buffer_read_u16(pq->qbuf); 1737 tmp = sldns_buffer_new(len); 1738 if (tmp == NULL) 1739 goto fail; 1740 pq->abuf = sldns_buffer_new(len); 1741 if (pq->abuf == NULL) { 1742 sldns_buffer_free(tmp); 1743 goto fail; 1744 } 1745 1746 rem = sldns_buffer_remaining(pq->qbuf); 1747 sldns_buffer_write(tmp, sldns_buffer_current(pq->qbuf), 1748 MINIMUM(len, rem)); 1749 sldns_buffer_free(pq->qbuf); 1750 pq->qbuf = tmp; 1751 } 1752 if (sldns_buffer_remaining(pq->qbuf) == 0) { 1753 sldns_buffer_flip(pq->qbuf); 1754 shutdown(fd, SHUT_RD); 1755 event_del(&pq->ev); 1756 handle_query(pq); 1757 } 1758 return; 1759 fail: 1760 free_pending_query(pq); 1761 } 1762 1763 void 1764 tcp_response(int fd, short events, void *arg) 1765 { 1766 struct pending_query *pq; 1767 ssize_t n; 1768 1769 pq = arg; 1770 1771 n = write(fd, sldns_buffer_current(pq->abuf), 1772 sldns_buffer_remaining(pq->abuf)); 1773 1774 if (n == -1) { 1775 if (errno == EAGAIN || errno == EINTR) 1776 return; 1777 free_pending_query(pq); 1778 return; 1779 } 1780 sldns_buffer_skip(pq->abuf, n); 1781 if (sldns_buffer_remaining(pq->abuf) == 0) 1782 free_pending_query(pq); 1783 } 1784 1785 void 1786 tcp_timeout(int fd, short events, void *arg) 1787 { 1788 free_pending_query(arg); 1789 } 1790 1791 void 1792 check_available_af(void) 1793 { 1794 static int available_af = HAVE_IPV4 | HAVE_IPV6; 1795 static int rtable = -1; 1796 struct ifaddrs *ifap, *ifa; 1797 struct if_data *ifa_data; 1798 struct sockaddr_in *sin4; 1799 struct sockaddr_in6 *sin6; 1800 int new_available_af = 0, ifa_rtable = -1; 1801 1802 if (rtable == -1) 1803 rtable = getrtable(); 1804 1805 if (getifaddrs(&ifap) != 0) { 1806 log_warn("getifaddrs"); 1807 return; 1808 } 1809 1810 for (ifa = ifap; ifa != NULL; ifa = ifa->ifa_next) { 1811 if (ifa->ifa_addr == NULL) 1812 continue; 1813 switch(ifa->ifa_addr->sa_family) { 1814 case AF_LINK: 1815 /* AF_LINK comes before inet / inet6 on an interface */ 1816 ifa_data = (struct if_data *)ifa->ifa_data; 1817 ifa_rtable = ifa_data->ifi_rdomain; 1818 break; 1819 case AF_INET: 1820 if (ifa_rtable != rtable) 1821 continue; 1822 1823 sin4 = (struct sockaddr_in *)ifa->ifa_addr; 1824 if ((ntohl(sin4->sin_addr.s_addr) >> 24) == 1825 IN_LOOPBACKNET) 1826 continue; 1827 new_available_af |= HAVE_IPV4; 1828 break; 1829 case AF_INET6: 1830 if (ifa_rtable != rtable) 1831 continue; 1832 1833 sin6 = (struct sockaddr_in6 *)ifa->ifa_addr; 1834 if (IN6_IS_ADDR_LOOPBACK(&sin6->sin6_addr) || 1835 IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr) || 1836 IN6_IS_ADDR_MC_LINKLOCAL(&sin6->sin6_addr) || 1837 IN6_IS_ADDR_MC_INTFACELOCAL(&sin6->sin6_addr)) 1838 continue; 1839 new_available_af |= HAVE_IPV6; 1840 break; 1841 default: 1842 break; 1843 } 1844 if (new_available_af == (HAVE_IPV4 | HAVE_IPV6)) 1845 break; 1846 } 1847 freeifaddrs(ifap); 1848 if (new_available_af != available_af) { 1849 available_af = new_available_af; 1850 frontend_imsg_compose_resolver(IMSG_CHANGE_AFS, 0, 1851 &available_af, sizeof(available_af)); 1852 } 1853 } 1854 1855 void 1856 reverse(char *begin, char *end) 1857 { 1858 char t; 1859 1860 while (begin < --end) { 1861 t = *begin; 1862 *begin = *end; 1863 *end = t; 1864 ++begin; 1865 } 1866 } 1867