Tor 0.4.9.0-alpha-dev
dns.c
Go to the documentation of this file.
1/* Copyright (c) 2003-2004, Roger Dingledine.
2 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
3 * Copyright (c) 2007-2021, The Tor Project, Inc. */
4/* See LICENSE for licensing information */
5
6/**
7 * \file dns.c
8 * \brief Implements a local cache for DNS results for Tor servers.
9 * This is implemented as a wrapper around Adam Langley's eventdns.c code.
10 * (We can't just use gethostbyname() and friends because we really need to
11 * be nonblocking.)
12 *
13 * There are three main cases when a Tor relay uses dns.c to launch a DNS
14 * request:
15 * <ol>
16 * <li>To check whether the DNS server is working more or less correctly.
17 * This happens via dns_launch_correctness_checks(). The answer is
18 * reported in the return value from later calls to
19 * dns_seems_to_be_broken().
20 * <li>When a client has asked the relay, in a RELAY_BEGIN cell, to connect
21 * to a given server by hostname. This happens via dns_resolve().
22 * <li>When a client has asked the relay, in a RELAY_RESOLVE cell, to look
23 * up a given server's IP address(es) by hostname. This also happens via
24 * dns_resolve().
25 * </ol>
26 *
27 * Each of these gets handled a little differently.
28 *
29 * To check for correctness, we look up some hostname we expect to exist and
30 * have real entries, some hostnames which we expect to definitely not exist,
31 * and some hostnames that we expect to probably not exist. If too many of
32 * the hostnames that shouldn't exist do exist, that's a DNS hijacking
33 * attempt. If too many of the hostnames that should exist have the same
34 * addresses as the ones that shouldn't exist, that's a very bad DNS hijacking
35 * attempt, or a very naughty captive portal. And if the hostnames that
36 * should exist simply don't exist, we probably have a broken nameserver.
37 *
38 * To handle client requests, we first check our cache for answers. If there
39 * isn't something up-to-date, we've got to launch A or AAAA requests as
40 * appropriate. How we handle responses to those in particular is a bit
41 * complex; see dns_lookup() and set_exitconn_info_from_resolve().
42 *
43 * When a lookup is finally complete, the inform_pending_connections()
44 * function will tell all of the streams that have been waiting for the
45 * resolve, by calling connection_exit_connect() if the client sent a
46 * RELAY_BEGIN cell, and by calling send_resolved_cell() or
47 * send_hostname_cell() if the client sent a RELAY_RESOLVE cell.
48 **/
49
50#define DNS_PRIVATE
51
52#include "core/or/or.h"
53#include "app/config/config.h"
57#include "core/or/circuitlist.h"
58#include "core/or/circuituse.h"
60#include "core/or/policies.h"
61#include "core/or/relay.h"
63#include "feature/relay/dns.h"
70#include "lib/sandbox/sandbox.h"
71
73#include "core/or/or_circuit_st.h"
75
76#include "ht.h"
77
78#ifdef HAVE_SYS_STAT_H
79#include <sys/stat.h>
80#endif
81
82#include <event2/event.h>
83#include <event2/dns.h>
84
85/** How long will we wait for an answer from the resolver before we decide
86 * that the resolver is wedged? */
87#define RESOLVE_MAX_TIMEOUT 300
88
89/** Our evdns_base; this structure handles all our name lookups. */
90static struct evdns_base *the_evdns_base = NULL;
91
92/** Have we currently configured nameservers with eventdns? */
94/** Did our most recent attempt to configure nameservers with eventdns fail? */
96/** What was the resolv_conf fname we last used when configuring the
97 * nameservers? Used to check whether we need to reconfigure. */
98static char *resolv_conf_fname = NULL;
99/** What was the mtime on the resolv.conf file we last used when configuring
100 * the nameservers? Used to check whether we need to reconfigure. */
101static time_t resolv_conf_mtime = 0;
102
103static void purge_expired_resolves(time_t now);
104static void dns_found_answer(const char *address, uint8_t query_type,
105 int dns_answer,
106 const tor_addr_t *addr,
107 const char *hostname,
108 uint32_t ttl);
109static void add_wildcarded_test_address(const char *address);
110static int configure_nameservers(int force);
111static int answer_is_wildcarded(const char *ip);
112static int evdns_err_is_transient(int err);
113static void inform_pending_connections(cached_resolve_t *resolve);
115static void configure_libevent_options(void);
116
117#ifdef DEBUG_DNS_CACHE
118static void assert_cache_ok_(void);
119#define assert_cache_ok() assert_cache_ok_()
120#else
121#define assert_cache_ok() STMT_NIL
122#endif /* defined(DEBUG_DNS_CACHE) */
123static void assert_resolve_ok(cached_resolve_t *resolve);
124
125/** Hash table of cached_resolve objects. */
126static HT_HEAD(cache_map, cached_resolve_t) cache_root;
127
128/** Global: how many IPv6 requests have we made in all? */
129static uint64_t n_ipv6_requests_made = 0;
130/** Global: how many IPv6 requests have timed out? */
131static uint64_t n_ipv6_timeouts = 0;
132/** Global: Do we think that IPv6 DNS is broken? */
133static int dns_is_broken_for_ipv6 = 0;
134
135/** Function to compare hashed resolves on their addresses; used to
136 * implement hash tables. */
137static inline int
138cached_resolves_eq(cached_resolve_t *a, cached_resolve_t *b)
139{
140 /* make this smarter one day? */
141 assert_resolve_ok(a); // Not b; b may be just a search.
142 return !strncmp(a->address, b->address, MAX_ADDRESSLEN);
143}
144
145/** Hash function for cached_resolve objects */
146static inline unsigned int
148{
149 return (unsigned) siphash24g((const uint8_t*)a->address, strlen(a->address));
150}
151
153 cached_resolves_eq);
154HT_GENERATE2(cache_map, cached_resolve_t, node, cached_resolve_hash,
155 cached_resolves_eq, 0.6, tor_reallocarray_, tor_free_);
156
157/** Initialize the DNS cache. */
158static void
160{
161 HT_INIT(cache_map, &cache_root);
162}
163
164/** Helper: called by eventdns when eventdns wants to log something. */
165static void
166evdns_log_cb(int warn, const char *msg)
167{
168 const char *cp;
169 static int all_down = 0;
170 int severity = warn ? LOG_WARN : LOG_INFO;
171 if (!strcmpstart(msg, "Resolve requested for") &&
172 get_options()->SafeLogging) {
173 log_info(LD_EXIT, "eventdns: Resolve requested.");
174 return;
175 } else if (!strcmpstart(msg, "Search: ")) {
176 return;
177 }
178 if (!strcmpstart(msg, "Nameserver ") && (cp=strstr(msg, " has failed: "))) {
179 char *ns = tor_strndup(msg+11, cp-(msg+11));
180 const char *colon = strchr(cp, ':');
181 tor_assert(colon);
182 const char *err = colon+2;
183 /* Don't warn about a single failed nameserver; we'll warn with 'all
184 * nameservers have failed' if we're completely out of nameservers;
185 * otherwise, the situation is tolerable. */
186 severity = LOG_INFO;
188 "NAMESERVER_STATUS NS=%s STATUS=DOWN ERR=%s",
189 ns, escaped(err));
190 tor_free(ns);
191 } else if (!strcmpstart(msg, "Nameserver ") &&
192 (cp=strstr(msg, " is back up"))) {
193 char *ns = tor_strndup(msg+11, cp-(msg+11));
194 severity = (all_down && warn) ? LOG_NOTICE : LOG_INFO;
195 all_down = 0;
197 "NAMESERVER_STATUS NS=%s STATUS=UP", ns);
198 tor_free(ns);
199 } else if (!strcmp(msg, "All nameservers have failed")) {
200 control_event_server_status(LOG_WARN, "NAMESERVER_ALL_DOWN");
201 all_down = 1;
202 } else if (!strcmpstart(msg, "Address mismatch on received DNS")) {
203 static ratelim_t mismatch_limit = RATELIM_INIT(3600);
204 const char *src = strstr(msg, " Apparent source");
205 if (!src || get_options()->SafeLogging) {
206 src = "";
207 }
208 log_fn_ratelim(&mismatch_limit, severity, LD_EXIT,
209 "eventdns: Received a DNS packet from "
210 "an IP address to which we did not send a request. This "
211 "could be a DNS spoofing attempt, or some kind of "
212 "misconfiguration.%s", src);
213 return;
214 }
215 tor_log(severity, LD_EXIT, "eventdns: %s", msg);
216}
217
218/** New consensus just appeared, take appropriate actions if need be. */
219void
221{
222 (void) ns;
223
224 /* Consensus has parameters for the Exit relay DNS side and so we only reset
225 * the DNS nameservers if we are in server mode. */
226 if (server_mode(get_options())) {
228 }
229}
230
231/** Initialize the DNS subsystem; called by the OR process. */
232int
234{
236 if (server_mode(get_options())) {
237 int r = configure_nameservers(1);
238 return r;
239 }
240 return 0;
241}
242
243/** Called when DNS-related options change (or may have changed). Returns -1
244 * on failure, 0 on success. */
245int
247{
248 const or_options_t *options = get_options();
249 if (! server_mode(options)) {
250
251 if (!the_evdns_base) {
252 if (!(the_evdns_base = evdns_base_new(tor_libevent_get_base(), 0))) {
253 log_err(LD_BUG, "Couldn't create an evdns_base");
254 return -1;
255 }
256 }
257
258 evdns_base_clear_nameservers_and_suspend(the_evdns_base);
259 evdns_base_search_clear(the_evdns_base);
263 } else {
264 if (configure_nameservers(0) < 0) {
265 return -1;
266 }
267 }
268 return 0;
269}
270
271/** Return true iff the most recent attempt to initialize the DNS subsystem
272 * failed. */
273int
275{
277}
278
279/** Helper: free storage held by an entry in the DNS cache. */
280static void
282{
283 if (!r)
284 return;
285 while (r->pending_connections) {
287 r->pending_connections = victim->next;
288 tor_free(victim);
289 }
290 if (r->res_status_hostname == RES_STATUS_DONE_OK)
291 tor_free(r->result_ptr.hostname);
292 r->magic = 0xFF00FF00;
293 tor_free(r);
294}
295
296/** Compare two cached_resolve_t pointers by expiry time, and return
297 * less-than-zero, zero, or greater-than-zero as appropriate. Used for
298 * the priority queue implementation. */
299static int
300compare_cached_resolves_by_expiry_(const void *_a, const void *_b)
301{
302 const cached_resolve_t *a = _a, *b = _b;
303 if (a->expire < b->expire)
304 return -1;
305 else if (a->expire == b->expire)
306 return 0;
307 else
308 return 1;
309}
310
311/** Priority queue of cached_resolve_t objects to let us know when they
312 * will expire. */
314
315static void
316cached_resolve_add_answer(cached_resolve_t *resolve,
317 int query_type,
318 int dns_result,
319 const tor_addr_t *answer_addr,
320 const char *answer_hostname,
321 uint32_t ttl)
322{
323 if (query_type == DNS_PTR) {
324 if (resolve->res_status_hostname != RES_STATUS_INFLIGHT)
325 return;
326
327 if (dns_result == DNS_ERR_NONE && answer_hostname) {
328 resolve->result_ptr.hostname = tor_strdup(answer_hostname);
329 resolve->res_status_hostname = RES_STATUS_DONE_OK;
330 } else {
331 resolve->result_ptr.err_hostname = dns_result;
332 resolve->res_status_hostname = RES_STATUS_DONE_ERR;
333 }
334 resolve->ttl_hostname = ttl;
335 } else if (query_type == DNS_IPv4_A) {
336 if (resolve->res_status_ipv4 != RES_STATUS_INFLIGHT)
337 return;
338
339 if (dns_result == DNS_ERR_NONE && answer_addr &&
340 tor_addr_family(answer_addr) == AF_INET) {
341 resolve->result_ipv4.addr_ipv4 = tor_addr_to_ipv4h(answer_addr);
342 resolve->res_status_ipv4 = RES_STATUS_DONE_OK;
343 } else {
344 resolve->result_ipv4.err_ipv4 = dns_result;
345 resolve->res_status_ipv4 = RES_STATUS_DONE_ERR;
346 }
347 resolve->ttl_ipv4 = ttl;
348 } else if (query_type == DNS_IPv6_AAAA) {
349 if (resolve->res_status_ipv6 != RES_STATUS_INFLIGHT)
350 return;
351
352 if (dns_result == DNS_ERR_NONE && answer_addr &&
353 tor_addr_family(answer_addr) == AF_INET6) {
354 memcpy(&resolve->result_ipv6.addr_ipv6,
355 tor_addr_to_in6(answer_addr),
356 sizeof(struct in6_addr));
357 resolve->res_status_ipv6 = RES_STATUS_DONE_OK;
358 } else {
359 resolve->result_ipv6.err_ipv6 = dns_result;
360 resolve->res_status_ipv6 = RES_STATUS_DONE_ERR;
361 }
362 resolve->ttl_ipv6 = ttl;
363 }
364}
365
366/** Return true iff there are no in-flight requests for <b>resolve</b>. */
367static int
369{
370 return (resolve->res_status_ipv4 != RES_STATUS_INFLIGHT &&
371 resolve->res_status_ipv6 != RES_STATUS_INFLIGHT &&
372 resolve->res_status_hostname != RES_STATUS_INFLIGHT);
373}
374
375/** Set an expiry time for a cached_resolve_t, and add it to the expiry
376 * priority queue */
377static void
378set_expiry(cached_resolve_t *resolve, time_t expires)
379{
380 tor_assert(resolve && resolve->expire == 0);
383 resolve->expire = expires;
386 offsetof(cached_resolve_t, minheap_idx),
387 resolve);
388}
389
390/** Free all storage held in the DNS cache and related structures. */
391void
393{
394 cached_resolve_t **ptr, **next, *item;
395 assert_cache_ok();
398 {
399 if (res->state == CACHE_STATE_DONE)
401 });
402 }
403 for (ptr = HT_START(cache_map, &cache_root); ptr != NULL; ptr = next) {
404 item = *ptr;
405 next = HT_NEXT_RMV(cache_map, &cache_root, ptr);
407 }
408 HT_CLEAR(cache_map, &cache_root);
409 smartlist_free(cached_resolve_pqueue);
412}
413
414/** Remove every cached_resolve whose <b>expire</b> time is before or
415 * equal to <b>now</b> from the cache. */
416static void
418{
419 cached_resolve_t *resolve, *removed;
421 edge_connection_t *pendconn;
422
423 assert_cache_ok();
425 return;
426
427 while (smartlist_len(cached_resolve_pqueue)) {
428 resolve = smartlist_get(cached_resolve_pqueue, 0);
429 if (resolve->expire > now)
430 break;
433 offsetof(cached_resolve_t, minheap_idx));
434
435 if (resolve->state == CACHE_STATE_PENDING) {
436 log_debug(LD_EXIT,
437 "Expiring a dns resolve %s that's still pending. Forgot to "
438 "cull it? DNS resolve didn't tell us about the timeout?",
439 escaped_safe_str(resolve->address));
440 } else if (resolve->state == CACHE_STATE_CACHED) {
441 log_debug(LD_EXIT,
442 "Forgetting old cached resolve (address %s, expires %lu)",
443 escaped_safe_str(resolve->address),
444 (unsigned long)resolve->expire);
446 } else {
447 tor_assert(resolve->state == CACHE_STATE_DONE);
449 }
450
451 if (resolve->pending_connections) {
452 log_debug(LD_EXIT,
453 "Closing pending connections on timed-out DNS resolve!");
454 while (resolve->pending_connections) {
455 pend = resolve->pending_connections;
456 resolve->pending_connections = pend->next;
457 /* Connections should only be pending if they have no socket. */
458 tor_assert(!SOCKET_OK(pend->conn->base_.s));
459 pendconn = pend->conn;
460 /* Prevent double-remove */
461 pendconn->base_.state = EXIT_CONN_STATE_RESOLVEFAILED;
462 if (!pendconn->base_.marked_for_close) {
463 connection_edge_end(pendconn, END_STREAM_REASON_TIMEOUT);
465 connection_free_(TO_CONN(pendconn));
466 }
467 tor_free(pend);
468 }
469 }
470
471 if (resolve->state == CACHE_STATE_CACHED ||
472 resolve->state == CACHE_STATE_PENDING) {
473 removed = HT_REMOVE(cache_map, &cache_root, resolve);
474 if (removed != resolve) {
475 log_err(LD_BUG, "The expired resolve we purged didn't match any in"
476 " the cache. Tried to purge %s (%p); instead got %s (%p).",
477 resolve->address, (void*)resolve,
478 removed ? removed->address : "NULL", (void*)removed);
479 }
480 tor_assert(removed == resolve);
481 } else {
482 /* This should be in state DONE. Make sure it's not in the cache. */
483 cached_resolve_t *tmp = HT_FIND(cache_map, &cache_root, resolve);
484 tor_assert(tmp != resolve);
485 }
486 if (resolve->res_status_hostname == RES_STATUS_DONE_OK)
487 tor_free(resolve->result_ptr.hostname);
488 resolve->magic = 0xF0BBF0BB;
489 tor_free(resolve);
490 }
491
492 assert_cache_ok();
493}
494
495/* argument for send_resolved_cell only, meaning "let the answer type be ipv4
496 * or ipv6 depending on the connection's address". */
497#define RESOLVED_TYPE_AUTO 0xff
498
499/** Send a response to the RESOLVE request of a connection.
500 * <b>answer_type</b> must be one of
501 * RESOLVED_TYPE_(AUTO|ERROR|ERROR_TRANSIENT|).
502 *
503 * If <b>circ</b> is provided, and we have a cached answer, send the
504 * answer back along circ; otherwise, send the answer back along
505 * <b>conn</b>'s attached circuit.
506 */
507MOCK_IMPL(STATIC void,
508send_resolved_cell,(edge_connection_t *conn, uint8_t answer_type,
509 const cached_resolve_t *resolved))
510{
511 char buf[RELAY_PAYLOAD_SIZE], *cp = buf;
512 size_t buflen = 0;
513 uint32_t ttl;
514
515 buf[0] = answer_type;
516 ttl = conn->address_ttl;
517
518 switch (answer_type)
519 {
520 case RESOLVED_TYPE_AUTO:
521 if (resolved && resolved->res_status_ipv4 == RES_STATUS_DONE_OK) {
522 cp[0] = RESOLVED_TYPE_IPV4;
523 cp[1] = 4;
524 set_uint32(cp+2, htonl(resolved->result_ipv4.addr_ipv4));
525 set_uint32(cp+6, htonl(ttl));
526 cp += 10;
527 }
528 if (resolved && resolved->res_status_ipv6 == RES_STATUS_DONE_OK) {
529 const uint8_t *bytes = resolved->result_ipv6.addr_ipv6.s6_addr;
530 cp[0] = RESOLVED_TYPE_IPV6;
531 cp[1] = 16;
532 memcpy(cp+2, bytes, 16);
533 set_uint32(cp+18, htonl(ttl));
534 cp += 22;
535 }
536 if (cp != buf) {
537 buflen = cp - buf;
538 break;
539 } else {
540 answer_type = RESOLVED_TYPE_ERROR;
541 /* We let this fall through and treat it as an error. */
542 }
543 FALLTHROUGH;
544 case RESOLVED_TYPE_ERROR_TRANSIENT:
545 case RESOLVED_TYPE_ERROR:
546 {
547 const char *errmsg = "Error resolving hostname";
548 size_t msglen = strlen(errmsg);
549
550 buf[0] = answer_type;
551 buf[1] = msglen;
552 strlcpy(buf+2, errmsg, sizeof(buf)-2);
553 set_uint32(buf+2+msglen, htonl(ttl));
554 buflen = 6+msglen;
555 break;
556 }
557 default:
558 tor_assert(0);
559 return;
560 }
561 // log_notice(LD_EXIT, "Sending a regular RESOLVED reply: ");
562
563 connection_edge_send_command(conn, RELAY_COMMAND_RESOLVED, buf, buflen);
564}
565
566/** Send a response to the RESOLVE request of a connection for an in-addr.arpa
567 * address on connection <b>conn</b> which yielded the result <b>hostname</b>.
568 * The answer type will be RESOLVED_HOSTNAME.
569 *
570 * If <b>circ</b> is provided, and we have a cached answer, send the
571 * answer back along circ; otherwise, send the answer back along
572 * <b>conn</b>'s attached circuit.
573 */
574MOCK_IMPL(STATIC void,
576 const char *hostname))
577{
578 char buf[RELAY_PAYLOAD_SIZE];
579 size_t buflen;
580 uint32_t ttl;
581
582 if (BUG(!hostname))
583 return;
584
585 size_t namelen = strlen(hostname);
586
587 tor_assert(namelen < 256);
588 ttl = conn->address_ttl;
589
590 buf[0] = RESOLVED_TYPE_HOSTNAME;
591 buf[1] = (uint8_t)namelen;
592 memcpy(buf+2, hostname, namelen);
593 set_uint32(buf+2+namelen, htonl(ttl));
594 buflen = 2+namelen+4;
595
596 // log_notice(LD_EXIT, "Sending a reply RESOLVED reply: %s", hostname);
597 connection_edge_send_command(conn, RELAY_COMMAND_RESOLVED, buf, buflen);
598 // log_notice(LD_EXIT, "Sent");
599}
600
601/** See if we have a cache entry for <b>exitconn</b>->address. If so,
602 * if resolve valid, put it into <b>exitconn</b>->addr and return 1.
603 * If resolve failed, free exitconn and return -1.
604 *
605 * (For EXIT_PURPOSE_RESOLVE connections, send back a RESOLVED error cell
606 * on returning -1. For EXIT_PURPOSE_CONNECT connections, there's no
607 * need to send back an END cell, since connection_exit_begin_conn will
608 * do that for us.)
609 *
610 * If we have a cached answer, send the answer back along <b>exitconn</b>'s
611 * circuit.
612 *
613 * Else, if seen before and pending, add conn to the pending list,
614 * and return 0.
615 *
616 * Else, if not seen before, add conn to pending list, hand to
617 * dns farm, and return 0.
618 *
619 * Exitconn's on_circuit field must be set, but exitconn should not
620 * yet be linked onto the n_streams/resolving_streams list of that circuit.
621 * On success, link the connection to n_streams if it's an exit connection.
622 * On "pending", link the connection to resolving streams. Otherwise,
623 * clear its on_circuit field.
624 */
625int
627{
628 or_circuit_t *oncirc = TO_OR_CIRCUIT(exitconn->on_circuit);
629 int is_resolve, r;
630 int made_connection_pending = 0;
631 char *hostname = NULL;
632 cached_resolve_t *resolve = NULL;
633 is_resolve = exitconn->base_.purpose == EXIT_PURPOSE_RESOLVE;
634
635 r = dns_resolve_impl(exitconn, is_resolve, oncirc, &hostname,
636 &made_connection_pending, &resolve);
637
638 switch (r) {
639 case 1:
640 /* We got an answer without a lookup -- either the answer was
641 * cached, or it was obvious (like an IP address). */
642 if (is_resolve) {
643 /* Send the answer back right now, and detach. */
644 if (hostname)
645 send_resolved_hostname_cell(exitconn, hostname);
646 else
647 send_resolved_cell(exitconn, RESOLVED_TYPE_AUTO, resolve);
648 exitconn->on_circuit = NULL;
649 } else {
650 /* Add to the n_streams list; the calling function will send back a
651 * connected cell. */
652 exitconn->next_stream = oncirc->n_streams;
653 oncirc->n_streams = exitconn;
654 conflux_update_n_streams(oncirc, exitconn);
655 }
656 break;
657 case 0:
658 /* The request is pending: add the connection into the linked list of
659 * resolving_streams on this circuit. */
660 exitconn->base_.state = EXIT_CONN_STATE_RESOLVING;
661 exitconn->next_stream = oncirc->resolving_streams;
662 oncirc->resolving_streams = exitconn;
663 conflux_update_resolving_streams(oncirc, exitconn);
664 break;
665 case -2:
666 case -1:
667 /* The request failed before it could start: cancel this connection,
668 * and stop everybody waiting for the same connection. */
669 if (is_resolve) {
670 send_resolved_cell(exitconn,
671 (r == -1) ? RESOLVED_TYPE_ERROR : RESOLVED_TYPE_ERROR_TRANSIENT,
672 NULL);
673 }
674
675 exitconn->on_circuit = NULL;
676
677 dns_cancel_pending_resolve(exitconn->base_.address);
678
679 if (!made_connection_pending && !exitconn->base_.marked_for_close) {
680 /* If we made the connection pending, then we freed it already in
681 * dns_cancel_pending_resolve(). If we marked it for close, it'll
682 * get freed from the main loop. Otherwise, can free it now. */
683 connection_free_(TO_CONN(exitconn));
684 }
685 break;
686 default:
687 tor_assert(0);
688 }
689
690 tor_free(hostname);
691 return r;
692}
693
694/** Helper function for dns_resolve: same functionality, but does not handle:
695 * - marking connections on error and clearing their on_circuit
696 * - linking connections to n_streams/resolving_streams,
697 * - sending resolved cells if we have an answer/error right away,
698 *
699 * Return -2 on a transient error. If it's a reverse resolve and it's
700 * successful, sets *<b>hostname_out</b> to a newly allocated string
701 * holding the cached reverse DNS value.
702 *
703 * Set *<b>made_connection_pending_out</b> to true if we have placed
704 * <b>exitconn</b> on the list of pending connections for some resolve; set it
705 * to false otherwise.
706 *
707 * Set *<b>resolve_out</b> to a cached resolve, if we found one.
708 */
709MOCK_IMPL(STATIC int,
710dns_resolve_impl,(edge_connection_t *exitconn, int is_resolve,
711 or_circuit_t *oncirc, char **hostname_out,
712 int *made_connection_pending_out,
713 cached_resolve_t **resolve_out))
714{
715 cached_resolve_t *resolve;
716 cached_resolve_t search;
717 pending_connection_t *pending_connection;
718 int is_reverse = 0;
719 tor_addr_t addr;
720 time_t now = time(NULL);
721 int r;
722 assert_connection_ok(TO_CONN(exitconn), 0);
723 tor_assert(!SOCKET_OK(exitconn->base_.s));
724 assert_cache_ok();
725 tor_assert(oncirc);
726 *made_connection_pending_out = 0;
727
728 /* first check if exitconn->base_.address is an IP. If so, we already
729 * know the answer. */
730 if (tor_addr_parse(&addr, exitconn->base_.address) >= 0) {
731 if (tor_addr_family(&addr) == AF_INET ||
732 tor_addr_family(&addr) == AF_INET6) {
733 tor_addr_copy(&exitconn->base_.addr, &addr);
734 exitconn->address_ttl = DEFAULT_DNS_TTL;
735 return 1;
736 } else {
737 /* XXXX unspec? Bogus? */
738 return -1;
739 }
740 }
741
742 /* If we're a non-exit, don't even do DNS lookups. */
744 return -1;
745
746 if (address_is_invalid_destination(exitconn->base_.address, 0)) {
747 tor_log(LOG_PROTOCOL_WARN, LD_EXIT,
748 "Rejecting invalid destination address %s",
749 escaped_safe_str(exitconn->base_.address));
750 return -1;
751 }
752
753 /* then take this opportunity to see if there are any expired
754 * resolves in the hash table. */
756
757 /* lower-case exitconn->base_.address, so it's in canonical form */
758 tor_strlower(exitconn->base_.address);
759
760 /* Check whether this is a reverse lookup. If it's malformed, or it's a
761 * .in-addr.arpa address but this isn't a resolve request, kill the
762 * connection.
763 */
764 if ((r = tor_addr_parse_PTR_name(&addr, exitconn->base_.address,
765 AF_UNSPEC, 0)) != 0) {
766 if (r == 1) {
767 is_reverse = 1;
768 if (tor_addr_is_internal(&addr, 0)) /* internal address? */
769 return -1;
770 }
771
772 if (!is_reverse || !is_resolve) {
773 if (!is_reverse)
774 log_info(LD_EXIT, "Bad .in-addr.arpa address %s; sending error.",
775 escaped_safe_str(exitconn->base_.address));
776 else if (!is_resolve)
777 log_info(LD_EXIT,
778 "Attempt to connect to a .in-addr.arpa address %s; "
779 "sending error.",
780 escaped_safe_str(exitconn->base_.address));
781
782 return -1;
783 }
784 //log_notice(LD_EXIT, "Looks like an address %s",
785 //exitconn->base_.address);
786 }
787 exitconn->is_reverse_dns_lookup = is_reverse;
788
789 /* now check the hash table to see if 'address' is already there. */
790 strlcpy(search.address, exitconn->base_.address, sizeof(search.address));
791 resolve = HT_FIND(cache_map, &cache_root, &search);
792 if (resolve && resolve->expire > now) { /* already there */
793 switch (resolve->state) {
795 /* add us to the pending list */
796 pending_connection = tor_malloc_zero(
797 sizeof(pending_connection_t));
798 pending_connection->conn = exitconn;
799 pending_connection->next = resolve->pending_connections;
800 resolve->pending_connections = pending_connection;
801 *made_connection_pending_out = 1;
802 log_debug(LD_EXIT,"Connection (fd "TOR_SOCKET_T_FORMAT") waiting "
803 "for pending DNS resolve of %s", exitconn->base_.s,
804 escaped_safe_str(exitconn->base_.address));
805 return 0;
807 log_debug(LD_EXIT,"Connection (fd "TOR_SOCKET_T_FORMAT") found "
808 "cached answer for %s",
809 exitconn->base_.s,
810 escaped_safe_str(resolve->address));
811
812 *resolve_out = resolve;
813
814 return set_exitconn_info_from_resolve(exitconn, resolve, hostname_out);
815 case CACHE_STATE_DONE:
816 log_err(LD_BUG, "Found a 'DONE' dns resolve still in the cache.");
818 }
819 tor_assert(0);
820 }
821 tor_assert(!resolve);
822 /* not there, need to add it */
823 resolve = tor_malloc_zero(sizeof(cached_resolve_t));
824 resolve->magic = CACHED_RESOLVE_MAGIC;
825 resolve->state = CACHE_STATE_PENDING;
826 resolve->minheap_idx = -1;
827 strlcpy(resolve->address, exitconn->base_.address, sizeof(resolve->address));
828
829 /* add this connection to the pending list */
830 pending_connection = tor_malloc_zero(sizeof(pending_connection_t));
831 pending_connection->conn = exitconn;
832 resolve->pending_connections = pending_connection;
833 *made_connection_pending_out = 1;
834
835 /* Add this resolve to the cache and priority queue. */
836 HT_INSERT(cache_map, &cache_root, resolve);
837 set_expiry(resolve, now + RESOLVE_MAX_TIMEOUT);
838
839 log_debug(LD_EXIT,"Launching %s.",
840 escaped_safe_str(exitconn->base_.address));
841 assert_cache_ok();
842
843 return launch_resolve(resolve);
844}
845
846/** Given an exit connection <b>exitconn</b>, and a cached_resolve_t
847 * <b>resolve</b> whose DNS lookups have all either succeeded or failed,
848 * update the appropriate fields (address_ttl and addr) of <b>exitconn</b>.
849 *
850 * The logic can be complicated here, since we might have launched both
851 * an A lookup and an AAAA lookup, and since either of those might have
852 * succeeded or failed, and since we want to answer a RESOLVE cell with
853 * a full answer but answer a BEGIN cell with whatever answer the client
854 * would accept <i>and</i> we could still connect to.
855 *
856 * If this is a reverse lookup, set *<b>hostname_out</b> to a newly allocated
857 * copy of the name resulting hostname.
858 *
859 * Return -2 on a transient error, -1 on a permenent error, and 1 on
860 * a successful lookup.
861 */
862MOCK_IMPL(STATIC int,
864 const cached_resolve_t *resolve,
865 char **hostname_out))
866{
867 int ipv4_ok, ipv6_ok, answer_with_ipv4, r;
868 uint32_t begincell_flags;
869 const int is_resolve = exitconn->base_.purpose == EXIT_PURPOSE_RESOLVE;
870 tor_assert(exitconn);
871 tor_assert(resolve);
872
873 if (exitconn->is_reverse_dns_lookup) {
874 exitconn->address_ttl = resolve->ttl_hostname;
875 if (resolve->res_status_hostname == RES_STATUS_DONE_OK) {
876 *hostname_out = tor_strdup(resolve->result_ptr.hostname);
877 return 1;
878 } else {
879 return -1;
880 }
881 }
882
883 /* If we're here then the connection wants one or either of ipv4, ipv6, and
884 * we can give it one or both. */
885 if (is_resolve) {
886 begincell_flags = BEGIN_FLAG_IPV6_OK;
887 } else {
888 begincell_flags = exitconn->begincell_flags;
889 }
890
891 ipv4_ok = (resolve->res_status_ipv4 == RES_STATUS_DONE_OK) &&
892 ! (begincell_flags & BEGIN_FLAG_IPV4_NOT_OK);
893 ipv6_ok = (resolve->res_status_ipv6 == RES_STATUS_DONE_OK) &&
894 (begincell_flags & BEGIN_FLAG_IPV6_OK) &&
896
897 /* Now decide which one to actually give. */
898 if (ipv4_ok && ipv6_ok && is_resolve) {
899 answer_with_ipv4 = 1;
900 } else if (ipv4_ok && ipv6_ok) {
901 /* If we have both, see if our exit policy has an opinion. */
902 const uint16_t port = exitconn->base_.port;
903 int ipv4_allowed, ipv6_allowed;
904 tor_addr_t a4, a6;
907 ipv4_allowed = !router_compare_to_my_exit_policy(&a4, port);
908 ipv6_allowed = !router_compare_to_my_exit_policy(&a6, port);
909 if (ipv4_allowed && !ipv6_allowed) {
910 answer_with_ipv4 = 1;
911 } else if (ipv6_allowed && !ipv4_allowed) {
912 answer_with_ipv4 = 0;
913 } else {
914 /* Our exit policy would permit both. Answer with whichever the user
915 * prefers */
916 answer_with_ipv4 = !(begincell_flags &
918 }
919 } else {
920 /* Otherwise if one is okay, send it back. */
921 if (ipv4_ok) {
922 answer_with_ipv4 = 1;
923 } else if (ipv6_ok) {
924 answer_with_ipv4 = 0;
925 } else {
926 /* Neither one was okay. Choose based on user preference. */
927 answer_with_ipv4 = !(begincell_flags &
929 }
930 }
931
932 /* Finally, we write the answer back. */
933 r = 1;
934 if (answer_with_ipv4) {
935 if (resolve->res_status_ipv4 == RES_STATUS_DONE_OK) {
936 tor_addr_from_ipv4h(&exitconn->base_.addr,
937 resolve->result_ipv4.addr_ipv4);
938 } else {
939 r = evdns_err_is_transient(resolve->result_ipv4.err_ipv4) ? -2 : -1;
940 }
941
942 exitconn->address_ttl = resolve->ttl_ipv4;
943 } else {
944 if (resolve->res_status_ipv6 == RES_STATUS_DONE_OK) {
945 tor_addr_from_in6(&exitconn->base_.addr,
946 &resolve->result_ipv6.addr_ipv6);
947 } else {
948 r = evdns_err_is_transient(resolve->result_ipv6.err_ipv6) ? -2 : -1;
949 }
950
951 exitconn->address_ttl = resolve->ttl_ipv6;
952 }
953
954 return r;
955}
956
957/** Log an error and abort if conn is waiting for a DNS resolve.
958 */
959void
961{
963 cached_resolve_t search;
964
965#if 1
966 cached_resolve_t *resolve;
967 strlcpy(search.address, conn->base_.address, sizeof(search.address));
968 resolve = HT_FIND(cache_map, &cache_root, &search);
969 if (!resolve)
970 return;
971 for (pend = resolve->pending_connections; pend; pend = pend->next) {
972 tor_assert(pend->conn != conn);
973 }
974#else /* !(1) */
975 cached_resolve_t **resolve;
976 HT_FOREACH(resolve, cache_map, &cache_root) {
977 for (pend = (*resolve)->pending_connections; pend; pend = pend->next) {
978 tor_assert(pend->conn != conn);
979 }
980 }
981#endif /* 1 */
982}
983
984/** Remove <b>conn</b> from the list of connections waiting for conn->address.
985 */
986void
988{
989 pending_connection_t *pend, *victim;
990 cached_resolve_t search;
991 cached_resolve_t *resolve;
992
993 tor_assert(conn->base_.type == CONN_TYPE_EXIT);
995
996 strlcpy(search.address, conn->base_.address, sizeof(search.address));
997
998 resolve = HT_FIND(cache_map, &cache_root, &search);
999 if (!resolve) {
1000 log_notice(LD_BUG, "Address %s is not pending. Dropping.",
1001 escaped_safe_str(conn->base_.address));
1002 return;
1003 }
1004
1007
1008 pend = resolve->pending_connections;
1009
1010 if (pend->conn == conn) {
1011 resolve->pending_connections = pend->next;
1012 tor_free(pend);
1013 log_debug(LD_EXIT, "First connection (fd "TOR_SOCKET_T_FORMAT") no "
1014 "longer waiting for resolve of %s",
1015 conn->base_.s,
1016 escaped_safe_str(conn->base_.address));
1017 return;
1018 } else {
1019 for ( ; pend->next; pend = pend->next) {
1020 if (pend->next->conn == conn) {
1021 victim = pend->next;
1022 pend->next = victim->next;
1023 tor_free(victim);
1024 log_debug(LD_EXIT,
1025 "Connection (fd "TOR_SOCKET_T_FORMAT") no longer waiting "
1026 "for resolve of %s",
1027 conn->base_.s, escaped_safe_str(conn->base_.address));
1028 return; /* more are pending */
1029 }
1030 }
1031 log_warn(LD_BUG, "Connection (fd "TOR_SOCKET_T_FORMAT") was not waiting "
1032 "for a resolve of %s, but we tried to remove it.",
1033 conn->base_.s, escaped_safe_str(conn->base_.address));
1034 }
1035}
1036
1037/** Mark all connections waiting for <b>address</b> for close. Then cancel
1038 * the resolve for <b>address</b> itself, and remove any cached results for
1039 * <b>address</b> from the cache.
1040 */
1041MOCK_IMPL(STATIC void,
1042dns_cancel_pending_resolve,(const char *address))
1043{
1045 cached_resolve_t search;
1046 cached_resolve_t *resolve, *tmp;
1047 edge_connection_t *pendconn;
1048 circuit_t *circ;
1049
1050 strlcpy(search.address, address, sizeof(search.address));
1051
1052 resolve = HT_FIND(cache_map, &cache_root, &search);
1053 if (!resolve)
1054 return;
1055
1056 if (resolve->state != CACHE_STATE_PENDING) {
1057 /* We can get into this state if we never actually created the pending
1058 * resolve, due to finding an earlier cached error or something. Just
1059 * ignore it. */
1060 if (resolve->pending_connections) {
1061 log_warn(LD_BUG,
1062 "Address %s is not pending but has pending connections!",
1063 escaped_safe_str(address));
1065 }
1066 return;
1067 }
1068
1069 if (!resolve->pending_connections) {
1070 log_warn(LD_BUG,
1071 "Address %s is pending but has no pending connections!",
1072 escaped_safe_str(address));
1074 return;
1075 }
1077
1078 /* mark all pending connections to fail */
1079 log_debug(LD_EXIT,
1080 "Failing all connections waiting on DNS resolve of %s",
1081 escaped_safe_str(address));
1082 while (resolve->pending_connections) {
1083 pend = resolve->pending_connections;
1084 pend->conn->base_.state = EXIT_CONN_STATE_RESOLVEFAILED;
1085 pendconn = pend->conn;
1086 assert_connection_ok(TO_CONN(pendconn), 0);
1087 tor_assert(!SOCKET_OK(pendconn->base_.s));
1088 if (!pendconn->base_.marked_for_close) {
1089 connection_edge_end(pendconn, END_STREAM_REASON_RESOLVEFAILED);
1090 }
1091 circ = circuit_get_by_edge_conn(pendconn);
1092 if (circ)
1093 circuit_detach_stream(circ, pendconn);
1094 if (!pendconn->base_.marked_for_close)
1095 connection_free_(TO_CONN(pendconn));
1096 resolve->pending_connections = pend->next;
1097 tor_free(pend);
1098 }
1099
1100 tmp = HT_REMOVE(cache_map, &cache_root, resolve);
1101 if (tmp != resolve) {
1102 log_err(LD_BUG, "The cancelled resolve we purged didn't match any in"
1103 " the cache. Tried to purge %s (%p); instead got %s (%p).",
1104 resolve->address, (void*)resolve,
1105 tmp ? tmp->address : "NULL", (void*)tmp);
1106 }
1107 tor_assert(tmp == resolve);
1108
1109 resolve->state = CACHE_STATE_DONE;
1110}
1111
1112/** Return true iff <b>address</b> is one of the addresses we use to verify
1113 * that well-known sites aren't being hijacked by our DNS servers. */
1114static inline int
1115is_test_address(const char *address)
1116{
1117 const or_options_t *options = get_options();
1118 return options->ServerDNSTestAddresses &&
1120}
1121
1122/** Called on the OR side when the eventdns library tells us the outcome of a
1123 * single DNS resolve: remember the answer, and tell all pending connections
1124 * about the result of the lookup if the lookup is now done. (<b>address</b>
1125 * is a NUL-terminated string containing the address to look up;
1126 * <b>query_type</b> is one of DNS_{IPv4_A,IPv6_AAAA,PTR}; <b>dns_answer</b>
1127 * is DNS_OK or one of DNS_ERR_*, <b>addr</b> is an IPv4 or IPv6 address if we
1128 * got one; <b>hostname</b> is a hostname fora PTR request if we got one, and
1129 * <b>ttl</b> is the time-to-live of this answer, in seconds.)
1130 */
1131static void
1132dns_found_answer(const char *address, uint8_t query_type,
1133 int dns_answer,
1134 const tor_addr_t *addr,
1135 const char *hostname, uint32_t ttl)
1136{
1137 cached_resolve_t search;
1138 cached_resolve_t *resolve;
1139
1140 assert_cache_ok();
1141
1142 strlcpy(search.address, address, sizeof(search.address));
1143
1144 resolve = HT_FIND(cache_map, &cache_root, &search);
1145 if (!resolve) {
1146 int is_test_addr = is_test_address(address);
1147 if (!is_test_addr)
1148 log_info(LD_EXIT,"Resolved unasked address %s; ignoring.",
1149 escaped_safe_str(address));
1150 return;
1151 }
1152 assert_resolve_ok(resolve);
1153
1154 if (resolve->state != CACHE_STATE_PENDING) {
1155 /* XXXX Maybe update addr? or check addr for consistency? Or let
1156 * VALID replace FAILED? */
1157 int is_test_addr = is_test_address(address);
1158 if (!is_test_addr)
1159 log_notice(LD_EXIT,
1160 "Resolved %s which was already resolved; ignoring",
1161 escaped_safe_str(address));
1162 tor_assert(resolve->pending_connections == NULL);
1163 return;
1164 }
1165
1166 cached_resolve_add_answer(resolve, query_type, dns_answer,
1167 addr, hostname, ttl);
1168
1169 if (cached_resolve_have_all_answers(resolve)) {
1171
1173 }
1174}
1175
1176/** Given a pending cached_resolve_t that we just finished resolving,
1177 * inform every connection that was waiting for the outcome of that
1178 * resolution.
1179 *
1180 * Do this by sending a RELAY_RESOLVED cell (if the pending stream had sent us
1181 * RELAY_RESOLVE cell), or by launching an exit connection (if the pending
1182 * stream had send us a RELAY_BEGIN cell).
1183 */
1184static void
1186{
1188 edge_connection_t *pendconn;
1189 int r;
1190
1191 while (resolve->pending_connections) {
1192 char *hostname = NULL;
1193 pend = resolve->pending_connections;
1194 pendconn = pend->conn; /* don't pass complex things to the
1195 connection_mark_for_close macro */
1196 assert_connection_ok(TO_CONN(pendconn),time(NULL));
1197
1198 if (pendconn->base_.marked_for_close) {
1199 /* prevent double-remove. */
1200 pendconn->base_.state = EXIT_CONN_STATE_RESOLVEFAILED;
1201 resolve->pending_connections = pend->next;
1202 tor_free(pend);
1203 continue;
1204 }
1205
1206 r = set_exitconn_info_from_resolve(pendconn,
1207 resolve,
1208 &hostname);
1209
1210 if (r < 0) {
1211 /* prevent double-remove. */
1212 pendconn->base_.state = EXIT_CONN_STATE_RESOLVEFAILED;
1213 if (pendconn->base_.purpose == EXIT_PURPOSE_CONNECT) {
1214 connection_edge_end(pendconn, END_STREAM_REASON_RESOLVEFAILED);
1215 /* This detach must happen after we send the end cell. */
1217 } else {
1218 send_resolved_cell(pendconn, r == -1 ?
1219 RESOLVED_TYPE_ERROR : RESOLVED_TYPE_ERROR_TRANSIENT,
1220 NULL);
1221 /* This detach must happen after we send the resolved cell. */
1223 }
1224 connection_free_(TO_CONN(pendconn));
1225 } else {
1226 circuit_t *circ;
1227 if (pendconn->base_.purpose == EXIT_PURPOSE_CONNECT) {
1228 /* prevent double-remove. */
1229 pend->conn->base_.state = EXIT_CONN_STATE_CONNECTING;
1230
1231 circ = circuit_get_by_edge_conn(pend->conn);
1232 tor_assert(circ);
1234 /* unlink pend->conn from resolving_streams, */
1235 circuit_detach_stream(circ, pend->conn);
1236 /* and link it to n_streams */
1237 pend->conn->next_stream = TO_OR_CIRCUIT(circ)->n_streams;
1238 pend->conn->on_circuit = circ;
1239 TO_OR_CIRCUIT(circ)->n_streams = pend->conn;
1240 conflux_update_n_streams(TO_OR_CIRCUIT(circ), pend->conn);
1241
1242 connection_exit_connect(pend->conn);
1243 } else {
1244 /* prevent double-remove. This isn't really an accurate state,
1245 * but it does the right thing. */
1246 pendconn->base_.state = EXIT_CONN_STATE_RESOLVEFAILED;
1247 if (pendconn->is_reverse_dns_lookup)
1248 send_resolved_hostname_cell(pendconn, hostname);
1249 else
1250 send_resolved_cell(pendconn, RESOLVED_TYPE_AUTO, resolve);
1251 circ = circuit_get_by_edge_conn(pendconn);
1252 tor_assert(circ);
1253 circuit_detach_stream(circ, pendconn);
1254 connection_free_(TO_CONN(pendconn));
1255 }
1256 }
1257 resolve->pending_connections = pend->next;
1258 tor_free(pend);
1259 tor_free(hostname);
1260 }
1261}
1262
1263/** Remove a pending cached_resolve_t from the hashtable, and add a
1264 * corresponding cached cached_resolve_t.
1265 *
1266 * This function is only necessary because of the perversity of our
1267 * cache timeout code; see inline comment for ideas on eliminating it.
1268 **/
1269static void
1271{
1272 cached_resolve_t *removed;
1273
1274 resolve->state = CACHE_STATE_DONE;
1275 removed = HT_REMOVE(cache_map, &cache_root, resolve);
1276 if (removed != resolve) {
1277 log_err(LD_BUG, "The pending resolve we found wasn't removable from"
1278 " the cache. Tried to purge %s (%p); instead got %s (%p).",
1279 resolve->address, (void*)resolve,
1280 removed ? removed->address : "NULL", (void*)removed);
1281 }
1282 assert_resolve_ok(resolve);
1283 assert_cache_ok();
1284 /* The resolve will eventually just hit the time-out in the expiry queue and
1285 * expire. See fd0bafb0dedc7e2 for a brief explanation of how this got that
1286 * way. XXXXX we could do better!*/
1287
1288 {
1289 cached_resolve_t *new_resolve = tor_memdup(resolve,
1290 sizeof(cached_resolve_t));
1291 uint32_t ttl = UINT32_MAX;
1292 new_resolve->expire = 0; /* So that set_expiry won't croak. */
1293 if (resolve->res_status_hostname == RES_STATUS_DONE_OK)
1294 new_resolve->result_ptr.hostname =
1295 tor_strdup(resolve->result_ptr.hostname);
1296
1297 new_resolve->state = CACHE_STATE_CACHED;
1298
1299 assert_resolve_ok(new_resolve);
1300 HT_INSERT(cache_map, &cache_root, new_resolve);
1301
1302 if ((resolve->res_status_ipv4 == RES_STATUS_DONE_OK ||
1303 resolve->res_status_ipv4 == RES_STATUS_DONE_ERR) &&
1304 resolve->ttl_ipv4 < ttl)
1305 ttl = resolve->ttl_ipv4;
1306
1307 if ((resolve->res_status_ipv6 == RES_STATUS_DONE_OK ||
1308 resolve->res_status_ipv6 == RES_STATUS_DONE_ERR) &&
1309 resolve->ttl_ipv6 < ttl)
1310 ttl = resolve->ttl_ipv6;
1311
1312 if ((resolve->res_status_hostname == RES_STATUS_DONE_OK ||
1313 resolve->res_status_hostname == RES_STATUS_DONE_ERR) &&
1314 resolve->ttl_hostname < ttl)
1315 ttl = resolve->ttl_hostname;
1316
1317 set_expiry(new_resolve, time(NULL) + ttl);
1318 }
1319
1320 assert_cache_ok();
1321}
1322
1323/** Eventdns helper: return true iff the eventdns result <b>err</b> is
1324 * a transient failure. */
1325static int
1327{
1328 switch (err)
1329 {
1330 case DNS_ERR_SERVERFAILED:
1331 case DNS_ERR_TRUNCATED:
1332 case DNS_ERR_TIMEOUT:
1333 return 1;
1334 default:
1335 return 0;
1336 }
1337}
1338
1339/**
1340 * Return number of configured nameservers in <b>the_evdns_base</b>.
1341 */
1342size_t
1344{
1345 return evdns_base_count_nameservers(the_evdns_base);
1346}
1347
1348#ifdef HAVE_EVDNS_BASE_GET_NAMESERVER_ADDR
1349/**
1350 * Return address of configured nameserver in <b>the_evdns_base</b>
1351 * at index <b>idx</b>.
1352 */
1353tor_addr_t *
1354configured_nameserver_address(const size_t idx)
1355{
1356 struct sockaddr_storage sa;
1357 ev_socklen_t sa_len = sizeof(sa);
1358
1359 if (evdns_base_get_nameserver_addr(the_evdns_base, (int)idx,
1360 (struct sockaddr *)&sa,
1361 sa_len) > 0) {
1362 tor_addr_t *tor_addr = tor_malloc(sizeof(tor_addr_t));
1363 if (tor_addr_from_sockaddr(tor_addr,
1364 (const struct sockaddr *)&sa,
1365 NULL) == 0) {
1366 return tor_addr;
1367 }
1368 tor_free(tor_addr);
1369 }
1370
1371 return NULL;
1372}
1373#endif /* defined(HAVE_EVDNS_BASE_GET_NAMESERVER_ADDR) */
1374
1375/** Return a pointer to a stack allocated buffer containing the string
1376 * representation of the exit_dns_timeout consensus parameter. */
1377static const char *
1379{
1380 static char str[4];
1381
1382 /* Get the Exit DNS timeout value from the consensus or default. This is in
1383 * milliseconds. */
1384#define EXIT_DNS_TIMEOUT_DEFAULT (1000)
1385#define EXIT_DNS_TIMEOUT_MIN (1)
1386#define EXIT_DNS_TIMEOUT_MAX (120000)
1387 int32_t val = networkstatus_get_param(NULL, "exit_dns_timeout",
1388 EXIT_DNS_TIMEOUT_DEFAULT,
1389 EXIT_DNS_TIMEOUT_MIN,
1390 EXIT_DNS_TIMEOUT_MAX);
1391 /* NOTE: We convert it to seconds because libevent only supports that. In the
1392 * future, if we support different resolver(s), we might want to specialize
1393 * this call. */
1394
1395 /* NOTE: We also don't allow 0 and so we must cap the division to 1 second
1396 * else all DNS request would fail if the consensus would ever tell us a
1397 * value below 1000 (1 sec). */
1398 val = MAX(1, val / 1000);
1399
1400 tor_snprintf(str, sizeof(str), "%d", val);
1401 return str;
1402}
1403
1404/** Return a pointer to a stack allocated buffer containing the string
1405 * representation of the exit_dns_num_attempts consensus parameter. */
1406static const char *
1408{
1409 static char str[4];
1410
1411 /* Get the Exit DNS number of attempt value from the consensus or default. */
1412#define EXIT_DNS_NUM_ATTEMPTS_DEFAULT (2)
1413#define EXIT_DNS_NUM_ATTEMPTS_MIN (0)
1414#define EXIT_DNS_NUM_ATTEMPTS_MAX (255)
1415 int32_t val = networkstatus_get_param(NULL, "exit_dns_num_attempts",
1416 EXIT_DNS_NUM_ATTEMPTS_DEFAULT,
1417 EXIT_DNS_NUM_ATTEMPTS_MIN,
1418 EXIT_DNS_NUM_ATTEMPTS_MAX);
1419 tor_snprintf(str, sizeof(str), "%d", val);
1420 return str;
1421}
1422
1423/** Configure the libevent options. This can safely be called after
1424 * initialization or even if the evdns base is not set. */
1425static void
1427{
1428 /* This is possible because we can get called when a new consensus is set
1429 * while the DNS subsystem is not initialized just yet. It should be
1430 * harmless. */
1431 if (!the_evdns_base) {
1432 return;
1433 }
1434
1435#define SET(k,v) evdns_base_set_option(the_evdns_base, (k), (v))
1436
1437 // If we only have one nameserver, it does not make sense to back off
1438 // from it for a timeout. Unfortunately, the value for max-timeouts is
1439 // currently clamped by libevent to 255, but it does not hurt to set
1440 // it higher in case libevent gets a patch for this. Higher-than-
1441 // default maximum of 3 with multiple nameservers to avoid spuriously
1442 // marking one down on bursts of timeouts resulting from scans/attacks
1443 // against non-responding authoritative DNS servers.
1444 if (evdns_base_count_nameservers(the_evdns_base) == 1) {
1445 SET("max-timeouts:", "1000000");
1446 } else {
1447 SET("max-timeouts:", "10");
1448 }
1449
1450 // Elongate the queue of maximum inflight dns requests, so if a bunch
1451 // remain pending at the resolver (happens commonly with Unbound) we won't
1452 // stall every other DNS request. This potentially means some wasted
1453 // CPU as there's a walk over a linear queue involved, but this is a
1454 // much better tradeoff compared to just failing DNS requests because
1455 // of a full queue.
1456 SET("max-inflight:", "8192");
1457
1458 /* Set timeout to be 1 second. This tells libevent that it shouldn't wait
1459 * more than N second to drop a DNS query and consider it "timed out". It is
1460 * very important to differentiate here a libevent timeout and a DNS server
1461 * timeout. And so, by setting this to N second, libevent sends back
1462 * "DNS_ERR_TIMEOUT" if that N second is reached which does NOT indicate that
1463 * the query itself timed out in transit. */
1464 SET("timeout:", get_consensus_param_exit_dns_timeout());
1465
1466 /* This tells libevent to attempt up to X times a DNS query if the previous
1467 * one failed to complete within N second. We believe that this should be
1468 * enough to catch temporary hiccups on the first query. But after that, it
1469 * should signal us that it won't be able to resolve it. */
1470 SET("attempts:", get_consensus_param_exit_dns_attempts());
1471
1472 if (get_options()->ServerDNSRandomizeCase)
1473 SET("randomize-case:", "1");
1474 else
1475 SET("randomize-case:", "0");
1476
1477#undef SET
1478}
1479
1480/** Configure eventdns nameservers if force is true, or if the configuration
1481 * has changed since the last time we called this function, or if we failed on
1482 * our last attempt. On Unix, this reads from /etc/resolv.conf or
1483 * options->ServerDNSResolvConfFile; on Windows, this reads from
1484 * options->ServerDNSResolvConfFile or the registry. Return 0 on success or
1485 * -1 on failure. */
1486static int
1488{
1489 const or_options_t *options;
1490 const char *conf_fname;
1491 struct stat st;
1492 int r, flags;
1493 options = get_options();
1494 conf_fname = options->ServerDNSResolvConfFile;
1495#ifndef _WIN32
1496 if (!conf_fname)
1497 conf_fname = "/etc/resolv.conf";
1498#endif
1499 flags = DNS_OPTIONS_ALL;
1500
1501 if (!the_evdns_base) {
1502 if (!(the_evdns_base = evdns_base_new(tor_libevent_get_base(), 0))) {
1503 log_err(LD_BUG, "Couldn't create an evdns_base");
1504 return -1;
1505 }
1506 }
1507
1508 evdns_set_log_fn(evdns_log_cb);
1509 if (conf_fname) {
1510 log_debug(LD_FS, "stat()ing %s", conf_fname);
1511 int missing_resolv_conf = 0;
1512 int stat_res = stat(sandbox_intern_string(conf_fname), &st);
1513
1514 if (stat_res) {
1515 log_warn(LD_EXIT, "Unable to stat resolver configuration in '%s': %s",
1516 conf_fname, strerror(errno));
1517 missing_resolv_conf = 1;
1518 } else if (!force && resolv_conf_fname &&
1519 !strcmp(conf_fname,resolv_conf_fname)
1520 && st.st_mtime == resolv_conf_mtime) {
1521 log_info(LD_EXIT, "No change to '%s'", conf_fname);
1522 return 0;
1523 }
1524
1525 if (stat_res == 0 && st.st_size == 0)
1526 missing_resolv_conf = 1;
1527
1529 evdns_base_search_clear(the_evdns_base);
1530 evdns_base_clear_nameservers_and_suspend(the_evdns_base);
1531 }
1532#if defined(DNS_OPTION_HOSTSFILE) && defined(USE_LIBSECCOMP)
1533 if (flags & DNS_OPTION_HOSTSFILE) {
1534 flags ^= DNS_OPTION_HOSTSFILE;
1535 log_debug(LD_FS, "Loading /etc/hosts");
1536 evdns_base_load_hosts(the_evdns_base,
1537 sandbox_intern_string("/etc/hosts"));
1538 }
1539#endif /* defined(DNS_OPTION_HOSTSFILE) && defined(USE_LIBSECCOMP) */
1540
1541 if (!missing_resolv_conf) {
1542 log_info(LD_EXIT, "Parsing resolver configuration in '%s'", conf_fname);
1543 if ((r = evdns_base_resolv_conf_parse(the_evdns_base, flags,
1544 sandbox_intern_string(conf_fname)))) {
1545 log_warn(LD_EXIT, "Unable to parse '%s', or no nameservers "
1546 "in '%s' (%d)", conf_fname, conf_fname, r);
1547
1548 if (r != 6) // "r = 6" means "no DNS servers were in resolv.conf" -
1549 goto err; // in which case we expect libevent to add 127.0.0.1 as
1550 // fallback.
1551 }
1552 if (evdns_base_count_nameservers(the_evdns_base) == 0) {
1553 log_warn(LD_EXIT, "Unable to find any nameservers in '%s'.",
1554 conf_fname);
1555 }
1556
1558 resolv_conf_fname = tor_strdup(conf_fname);
1559 resolv_conf_mtime = st.st_mtime;
1560 } else {
1561 log_warn(LD_EXIT, "Could not read your DNS config from '%s' - "
1562 "please investigate your DNS configuration. "
1563 "This is possibly a problem. Meanwhile, falling"
1564 " back to local DNS at 127.0.0.1.", conf_fname);
1565 evdns_base_nameserver_ip_add(the_evdns_base, "127.0.0.1");
1566 }
1567
1569 evdns_base_resume(the_evdns_base);
1570 }
1571#ifdef _WIN32
1572 else {
1574 evdns_base_search_clear(the_evdns_base);
1575 evdns_base_clear_nameservers_and_suspend(the_evdns_base);
1576 }
1577 if (evdns_base_config_windows_nameservers(the_evdns_base)) {
1578 log_warn(LD_EXIT,"Could not config nameservers.");
1579 goto err;
1580 }
1581 if (evdns_base_count_nameservers(the_evdns_base) == 0) {
1582 log_warn(LD_EXIT, "Unable to find any platform nameservers in "
1583 "your Windows configuration.");
1584 goto err;
1585 }
1587 evdns_base_resume(the_evdns_base);
1590 }
1591#endif /* defined(_WIN32) */
1592
1593 /* Setup libevent options. */
1595
1596 /* Relaunch periodical DNS check event. */
1598
1602 /* XXX the three calls to republish the descriptor might be producing
1603 * descriptors that are only cosmetically different, especially on
1604 * non-exit relays! -RD */
1605 mark_my_descriptor_dirty("dns resolvers back");
1606 }
1607 return 0;
1608 err:
1612 mark_my_descriptor_dirty("dns resolvers failed");
1613 }
1614 return -1;
1615}
1616
1617/** For eventdns: Called when we get an answer for a request we launched.
1618 * See eventdns.h for arguments; 'arg' holds the address we tried to resolve.
1619 */
1620static void
1621evdns_callback(int result, char type, int count, int ttl, void *addresses,
1622 void *arg)
1623{
1624 char *arg_ = arg;
1625 uint8_t orig_query_type = arg_[0];
1626 char *string_address = arg_ + 1;
1627 tor_addr_t addr;
1628 const char *hostname = NULL;
1629 int was_wildcarded = 0;
1630
1631 tor_addr_make_unspec(&addr);
1632
1633 /* Keep track of whether IPv6 is working */
1634 if (type == DNS_IPv6_AAAA) {
1635 if (result == DNS_ERR_TIMEOUT) {
1636 ++n_ipv6_timeouts;
1637 }
1638
1639 if (n_ipv6_timeouts > 10 &&
1640 n_ipv6_timeouts > n_ipv6_requests_made / 2) {
1641 if (! dns_is_broken_for_ipv6) {
1642 log_notice(LD_EXIT, "More than half of our IPv6 requests seem to "
1643 "have timed out. I'm going to assume I can't get AAAA "
1644 "responses.");
1645 dns_is_broken_for_ipv6 = 1;
1646 }
1647 }
1648 }
1649
1650 if (result == DNS_ERR_NONE) {
1651 if (type == DNS_IPv4_A && count) {
1652 char answer_buf[INET_NTOA_BUF_LEN+1];
1653 char *escaped_address;
1654 uint32_t *addrs = addresses;
1655 tor_addr_from_ipv4n(&addr, addrs[0]);
1656
1657 tor_addr_to_str(answer_buf, &addr, sizeof(answer_buf), 0);
1658 escaped_address = esc_for_log(string_address);
1659
1660 if (answer_is_wildcarded(answer_buf)) {
1661 log_debug(LD_EXIT, "eventdns said that %s resolves to ISP-hijacked "
1662 "address %s; treating as a failure.",
1663 safe_str(escaped_address),
1664 escaped_safe_str(answer_buf));
1665 was_wildcarded = 1;
1666 tor_addr_make_unspec(&addr);
1667 result = DNS_ERR_NOTEXIST;
1668 } else {
1669 log_debug(LD_EXIT, "eventdns said that %s resolves to %s",
1670 safe_str(escaped_address),
1671 escaped_safe_str(answer_buf));
1672 }
1673 tor_free(escaped_address);
1674 } else if (type == DNS_IPv6_AAAA && count) {
1675 char answer_buf[TOR_ADDR_BUF_LEN];
1676 char *escaped_address;
1677 const char *ip_str;
1678 struct in6_addr *addrs = addresses;
1679 tor_addr_from_in6(&addr, &addrs[0]);
1680 ip_str = tor_inet_ntop(AF_INET6, &addrs[0], answer_buf,
1681 sizeof(answer_buf));
1682 escaped_address = esc_for_log(string_address);
1683
1684 if (BUG(ip_str == NULL)) {
1685 log_warn(LD_EXIT, "tor_inet_ntop() failed!");
1686 result = DNS_ERR_NOTEXIST;
1687 } else if (answer_is_wildcarded(answer_buf)) {
1688 log_debug(LD_EXIT, "eventdns said that %s resolves to ISP-hijacked "
1689 "address %s; treating as a failure.",
1690 safe_str(escaped_address),
1691 escaped_safe_str(answer_buf));
1692 was_wildcarded = 1;
1693 tor_addr_make_unspec(&addr);
1694 result = DNS_ERR_NOTEXIST;
1695 } else {
1696 log_debug(LD_EXIT, "eventdns said that %s resolves to %s",
1697 safe_str(escaped_address),
1698 escaped_safe_str(answer_buf));
1699 }
1700 tor_free(escaped_address);
1701 } else if (type == DNS_PTR && count) {
1702 char *escaped_address;
1703 hostname = ((char**)addresses)[0];
1704 escaped_address = esc_for_log(string_address);
1705 log_debug(LD_EXIT, "eventdns said that %s resolves to %s",
1706 safe_str(escaped_address),
1707 escaped_safe_str(hostname));
1708 tor_free(escaped_address);
1709 } else if (count) {
1710 log_info(LD_EXIT, "eventdns returned only unrecognized answer types "
1711 " for %s.",
1712 escaped_safe_str(string_address));
1713 } else {
1714 log_info(LD_EXIT, "eventdns returned no addresses or error for %s.",
1715 escaped_safe_str(string_address));
1716 }
1717 }
1718 if (was_wildcarded) {
1719 if (is_test_address(string_address)) {
1720 /* Ick. We're getting redirected on known-good addresses. Our DNS
1721 * server must really hate us. */
1722 add_wildcarded_test_address(string_address);
1723 }
1724 }
1725
1726 if (orig_query_type && type && orig_query_type != type) {
1727 log_warn(LD_BUG, "Weird; orig_query_type == %d but type == %d",
1728 (int)orig_query_type, (int)type);
1729 }
1730 if (result != DNS_ERR_SHUTDOWN)
1731 dns_found_answer(string_address, orig_query_type,
1732 result, &addr, hostname, clip_dns_fuzzy_ttl(ttl));
1733
1734 /* The result can be changed within this function thus why we note the result
1735 * at the end. */
1736 rep_hist_note_dns_error(type, result);
1737
1738 tor_free(arg_);
1739}
1740
1741/** Start a single DNS resolve for <b>address</b> (if <b>query_type</b> is
1742 * DNS_IPv4_A or DNS_IPv6_AAAA) <b>ptr_address</b> (if <b>query_type</b> is
1743 * DNS_PTR). Return 0 if we launched the request, -1 otherwise. */
1744static int
1745launch_one_resolve(const char *address, uint8_t query_type,
1746 const tor_addr_t *ptr_address)
1747{
1748 const int options = get_options()->ServerDNSSearchDomains ? 0
1749 : DNS_QUERY_NO_SEARCH;
1750 const size_t addr_len = strlen(address);
1751 struct evdns_request *req = 0;
1752 char *addr = tor_malloc(addr_len + 2);
1753 addr[0] = (char) query_type;
1754 memcpy(addr+1, address, addr_len + 1);
1755
1756 /* Note the query for our statistics. */
1757 rep_hist_note_dns_request(query_type);
1758
1759 switch (query_type) {
1760 case DNS_IPv4_A:
1761 req = evdns_base_resolve_ipv4(the_evdns_base,
1762 address, options, evdns_callback, addr);
1763 break;
1764 case DNS_IPv6_AAAA:
1765 req = evdns_base_resolve_ipv6(the_evdns_base,
1766 address, options, evdns_callback, addr);
1767 ++n_ipv6_requests_made;
1768 break;
1769 case DNS_PTR:
1770 if (tor_addr_family(ptr_address) == AF_INET)
1771 req = evdns_base_resolve_reverse(the_evdns_base,
1772 tor_addr_to_in(ptr_address),
1773 DNS_QUERY_NO_SEARCH,
1774 evdns_callback, addr);
1775 else if (tor_addr_family(ptr_address) == AF_INET6)
1776 req = evdns_base_resolve_reverse_ipv6(the_evdns_base,
1777 tor_addr_to_in6(ptr_address),
1778 DNS_QUERY_NO_SEARCH,
1779 evdns_callback, addr);
1780 else
1781 log_warn(LD_BUG, "Called with PTR query and unexpected address family");
1782 break;
1783 default:
1784 log_warn(LD_BUG, "Called with unexpected query type %d", (int)query_type);
1785 break;
1786 }
1787
1788 if (req) {
1789 return 0;
1790 } else {
1791 tor_free(addr);
1792 return -1;
1793 }
1794}
1795
1796/** For eventdns: start resolving as necessary to find the target for
1797 * <b>exitconn</b>. Returns -1 on error, -2 on transient error,
1798 * 0 on "resolve launched." */
1799MOCK_IMPL(STATIC int,
1801{
1802 tor_addr_t a;
1803 int r;
1804
1805 if (net_is_disabled())
1806 return -1;
1807
1808 /* What? Nameservers not configured? Sounds like a bug. */
1810 log_warn(LD_EXIT, "(Harmless.) Nameservers not configured, but resolve "
1811 "launched. Configuring.");
1812 if (configure_nameservers(1) < 0) {
1813 return -1;
1814 }
1815 }
1816
1818 &a, resolve->address, AF_UNSPEC, 0);
1819
1821 if (r == 0) {
1822 log_info(LD_EXIT, "Launching eventdns request for %s",
1823 escaped_safe_str(resolve->address));
1824 resolve->res_status_ipv4 = RES_STATUS_INFLIGHT;
1825 if (get_options()->IPv6Exit)
1826 resolve->res_status_ipv6 = RES_STATUS_INFLIGHT;
1827
1828 if (launch_one_resolve(resolve->address, DNS_IPv4_A, NULL) < 0) {
1829 resolve->res_status_ipv4 = 0;
1830 r = -1;
1831 }
1832
1833 if (r==0 && get_options()->IPv6Exit) {
1834 /* We ask for an IPv6 address for *everything*. */
1835 if (launch_one_resolve(resolve->address, DNS_IPv6_AAAA, NULL) < 0) {
1836 resolve->res_status_ipv6 = 0;
1837 r = -1;
1838 }
1839 }
1840 } else if (r == 1) {
1841 r = 0;
1842 log_info(LD_EXIT, "Launching eventdns reverse request for %s",
1843 escaped_safe_str(resolve->address));
1844 resolve->res_status_hostname = RES_STATUS_INFLIGHT;
1845 if (launch_one_resolve(resolve->address, DNS_PTR, &a) < 0) {
1846 resolve->res_status_hostname = 0;
1847 r = -1;
1848 }
1849 } else if (r == -1) {
1850 log_warn(LD_BUG, "Somehow a malformed in-addr.arpa address reached here.");
1851 }
1852
1853 if (r < 0) {
1854 log_fn(LOG_PROTOCOL_WARN, LD_EXIT, "eventdns rejected address %s.",
1855 escaped_safe_str(resolve->address));
1856 }
1857 return r;
1858}
1859
1860/** How many requests for bogus addresses have we launched so far? */
1861static int n_wildcard_requests = 0;
1862
1863/** Map from dotted-quad IP address in response to an int holding how many
1864 * times we've seen it for a randomly generated (hopefully bogus) address. It
1865 * would be easier to use definitely-invalid addresses (as specified by
1866 * RFC2606), but see comment in dns_launch_wildcard_checks(). */
1867static strmap_t *dns_wildcard_response_count = NULL;
1868
1869/** If present, a list of dotted-quad IP addresses that we are pretty sure our
1870 * nameserver wants to return in response to requests for nonexistent domains.
1871 */
1873/** True iff we've logged about a single address getting wildcarded.
1874 * Subsequent warnings will be less severe. */
1876/** True iff we've warned that our DNS server is wildcarding too many failures.
1877 */
1879
1880/** List of supposedly good addresses that are getting wildcarded to the
1881 * same addresses as nonexistent addresses. */
1883/** True iff we've warned about a test address getting wildcarded */
1885/** True iff all addresses seem to be getting wildcarded. */
1887
1888/** Called when we see <b>id</b> (a dotted quad or IPv6 address) in response
1889 * to a request for a hopefully bogus address. */
1890static void
1892{
1893 int *ip;
1895 dns_wildcard_response_count = strmap_new();
1896
1897 ip = strmap_get(dns_wildcard_response_count, id); // may be null (0)
1898 if (!ip) {
1899 ip = tor_malloc_zero(sizeof(int));
1900 strmap_set(dns_wildcard_response_count, id, ip);
1901 }
1902 ++*ip;
1903
1904 if (*ip > 5 && n_wildcard_requests > 10) {
1908 "Your DNS provider has given \"%s\" as an answer for %d different "
1909 "invalid addresses. Apparently they are hijacking DNS failures. "
1910 "I'll try to correct for this by treating future occurrences of "
1911 "\"%s\" as 'not found'.", id, *ip, id);
1913 }
1915 control_event_server_status(LOG_NOTICE, "DNS_HIJACKED");
1917 }
1918}
1919
1920/** Note that a single test address (one believed to be good) seems to be
1921 * getting redirected to the same IP as failures are. */
1922static void
1924{
1925 int n, n_test_addrs;
1928
1930 address))
1931 return;
1932
1933 n_test_addrs = get_options()->ServerDNSTestAddresses ?
1934 smartlist_len(get_options()->ServerDNSTestAddresses) : 0;
1935
1937 n = smartlist_len(dns_wildcarded_test_address_list);
1938 if (n > n_test_addrs/2) {
1940 LD_EXIT, "Your DNS provider tried to redirect \"%s\" to a junk "
1941 "address. It has done this with %d test addresses so far. I'm "
1942 "going to stop being an exit node for now, since our DNS seems so "
1943 "broken.", address, n);
1946 mark_my_descriptor_dirty("dns hijacking confirmed");
1947 }
1949 control_event_server_status(LOG_WARN, "DNS_USELESS");
1951 }
1952}
1953
1954/** Callback function when we get an answer (possibly failing) for a request
1955 * for a (hopefully) nonexistent domain. */
1956static void
1957evdns_wildcard_check_callback(int result, char type, int count, int ttl,
1958 void *addresses, void *arg)
1959{
1960 (void)ttl;
1961 const char *ip_str;
1963 if (result == DNS_ERR_NONE && count) {
1964 char *string_address = arg;
1965 int i;
1966 if (type == DNS_IPv4_A) {
1967 const uint32_t *addrs = addresses;
1968 for (i = 0; i < count; ++i) {
1969 char answer_buf[INET_NTOA_BUF_LEN+1];
1970 struct in_addr in;
1971 int ntoa_res;
1972 in.s_addr = addrs[i];
1973 ntoa_res = tor_inet_ntoa(&in, answer_buf, sizeof(answer_buf));
1974 tor_assert_nonfatal(ntoa_res >= 0);
1975 if (ntoa_res > 0)
1976 wildcard_increment_answer(answer_buf);
1977 }
1978 } else if (type == DNS_IPv6_AAAA) {
1979 const struct in6_addr *addrs = addresses;
1980 for (i = 0; i < count; ++i) {
1981 char answer_buf[TOR_ADDR_BUF_LEN+1];
1982 ip_str = tor_inet_ntop(AF_INET6, &addrs[i], answer_buf,
1983 sizeof(answer_buf));
1984 tor_assert_nonfatal(ip_str);
1985 if (ip_str)
1986 wildcard_increment_answer(answer_buf);
1987 }
1988 }
1989
1991 "Your DNS provider gave an answer for \"%s\", which "
1992 "is not supposed to exist. Apparently they are hijacking "
1993 "DNS failures. Trying to correct for this. We've noticed %d "
1994 "possibly bad address%s so far.",
1995 string_address, strmap_size(dns_wildcard_response_count),
1996 (strmap_size(dns_wildcard_response_count) == 1) ? "" : "es");
1998 }
1999 tor_free(arg);
2000}
2001
2002/** Launch a single request for a nonexistent hostname consisting of between
2003 * <b>min_len</b> and <b>max_len</b> random (plausible) characters followed by
2004 * <b>suffix</b> */
2005static void
2006launch_wildcard_check(int min_len, int max_len, int is_ipv6,
2007 const char *suffix)
2008{
2009 char *addr;
2010 struct evdns_request *req;
2011
2012 addr = crypto_random_hostname(min_len, max_len, "", suffix);
2013 log_info(LD_EXIT, "Testing whether our DNS server is hijacking nonexistent "
2014 "domains with request for bogus hostname \"%s\"", addr);
2015
2017 if (is_ipv6)
2018 req = evdns_base_resolve_ipv6(
2020 /* This "addr" tells us which address to resolve */
2021 addr,
2022 DNS_QUERY_NO_SEARCH, evdns_wildcard_check_callback,
2023 /* This "addr" is an argument to the callback*/ addr);
2024 else
2025 req = evdns_base_resolve_ipv4(
2027 /* This "addr" tells us which address to resolve */
2028 addr,
2029 DNS_QUERY_NO_SEARCH, evdns_wildcard_check_callback,
2030 /* This "addr" is an argument to the callback*/ addr);
2031 if (!req) {
2032 /* There is no evdns request in progress; stop addr from getting leaked */
2033 tor_free(addr);
2034 }
2035}
2036
2037/** Launch attempts to resolve a bunch of known-good addresses (configured in
2038 * ServerDNSTestAddresses). [Callback for a libevent timer] */
2039static void
2040launch_test_addresses(evutil_socket_t fd, short event, void *args)
2041{
2042 const or_options_t *options = get_options();
2043 (void)fd;
2044 (void)event;
2045 (void)args;
2046
2047 if (net_is_disabled())
2048 return;
2049
2050 log_info(LD_EXIT, "Launching checks to see whether our nameservers like to "
2051 "hijack *everything*.");
2052 /* This situation is worse than the failure-hijacking situation. When this
2053 * happens, we're no good for DNS requests at all, and we shouldn't really
2054 * be an exit server.*/
2055 if (options->ServerDNSTestAddresses) {
2056
2059 const char *, address) {
2060 if (launch_one_resolve(address, DNS_IPv4_A, NULL) < 0) {
2061 log_info(LD_EXIT, "eventdns rejected test address %s",
2062 escaped_safe_str(address));
2063 }
2064
2065 if (launch_one_resolve(address, DNS_IPv6_AAAA, NULL) < 0) {
2066 log_info(LD_EXIT, "eventdns rejected test address %s",
2067 escaped_safe_str(address));
2068 }
2069 } SMARTLIST_FOREACH_END(address);
2070 }
2071}
2072
2073#define N_WILDCARD_CHECKS 2
2074
2075/** Launch DNS requests for a few nonexistent hostnames and a few well-known
2076 * hostnames, and see if we can catch our nameserver trying to hijack them and
2077 * map them to a stupid "I couldn't find ggoogle.com but maybe you'd like to
2078 * buy these lovely encyclopedias" page. */
2079static void
2081{
2082 int i, ipv6;
2083 log_info(LD_EXIT, "Launching checks to see whether our nameservers like "
2084 "to hijack DNS failures.");
2085 for (ipv6 = 0; ipv6 <= 1; ++ipv6) {
2086 for (i = 0; i < N_WILDCARD_CHECKS; ++i) {
2087 /* RFC2606 reserves these. Sadly, some DNS hijackers, in a silly
2088 * attempt to 'comply' with rfc2606, refrain from giving A records for
2089 * these. This is the standards-compliance equivalent of making sure
2090 * that your crackhouse's elevator inspection certificate is up to date.
2091 */
2092 launch_wildcard_check(2, 16, ipv6, ".invalid");
2093 launch_wildcard_check(2, 16, ipv6, ".test");
2094
2095 /* These will break specs if there are ever any number of
2096 * 8+-character top-level domains. */
2097 launch_wildcard_check(8, 16, ipv6, "");
2098
2099 /* Try some random .com/org/net domains. This will work fine so long as
2100 * not too many resolve to the same place. */
2101 launch_wildcard_check(8, 16, ipv6, ".com");
2102 launch_wildcard_check(8, 16, ipv6, ".org");
2103 launch_wildcard_check(8, 16, ipv6, ".net");
2104 }
2105 }
2106}
2107
2108/** If appropriate, start testing whether our DNS servers tend to lie to
2109 * us. */
2110void
2112{
2113 static struct event *launch_event = NULL;
2114 struct timeval timeout;
2115 if (!get_options()->ServerDNSDetectHijacking)
2116 return;
2118
2119 /* Wait a while before launching requests for test addresses, so we can
2120 * get the results from checking for wildcarding. */
2121 if (!launch_event)
2122 launch_event = tor_evtimer_new(tor_libevent_get_base(),
2123 launch_test_addresses, NULL);
2124 timeout.tv_sec = 30;
2125 timeout.tv_usec = 0;
2126 if (evtimer_add(launch_event, &timeout) < 0) {
2127 log_warn(LD_BUG, "Couldn't add timer for checking for dns hijacking");
2128 }
2129}
2130
2131/** Return true iff our DNS servers lie to us too much to be trusted. */
2132int
2134{
2136}
2137
2138/** Return true iff we think that IPv6 hostname lookup is broken */
2139int
2141{
2142 return dns_is_broken_for_ipv6;
2143}
2144
2145/** Forget what we've previously learned about our DNS servers' correctness. */
2146void
2148{
2151
2153
2154 n_ipv6_requests_made = n_ipv6_timeouts = 0;
2155
2156 if (dns_wildcard_list) {
2159 }
2162 tor_free(cp));
2164 }
2167 dns_is_broken_for_ipv6 = 0;
2168}
2169
2170/** Return true iff we have noticed that the dotted-quad <b>ip</b> has been
2171 * returned in response to requests for nonexistent hostnames. */
2172static int
2174{
2176}
2177
2178/** Exit with an assertion if <b>resolve</b> is corrupt. */
2179static void
2181{
2182 tor_assert(resolve);
2184 tor_assert(strlen(resolve->address) < MAX_ADDRESSLEN);
2186 if (resolve->state != CACHE_STATE_PENDING) {
2188 }
2189 if (resolve->state == CACHE_STATE_PENDING ||
2190 resolve->state == CACHE_STATE_DONE) {
2191#if 0
2192 tor_assert(!resolve->ttl);
2193 if (resolve->is_reverse)
2194 tor_assert(!resolve->hostname);
2195 else
2196 tor_assert(!resolve->result_ipv4.addr_ipv4);
2197#endif /* 0 */
2198 /*XXXXX ADD MORE */
2199 }
2200}
2201
2202/** Return the number of DNS cache entries as an int */
2203static int
2205{
2206 return HT_SIZE(&cache_root);
2207}
2208
2209/* Return the total size in bytes of the DNS cache. */
2210size_t
2211dns_cache_total_allocation(void)
2212{
2213 return sizeof(struct cached_resolve_t) * dns_cache_entry_count() +
2214 HT_MEM_USAGE(&cache_root);
2215}
2216
2217/** Log memory information about our internal DNS cache at level 'severity'. */
2218void
2220{
2221 /* This should never be larger than INT_MAX. */
2222 int hash_count = dns_cache_entry_count();
2223 size_t hash_mem = dns_cache_total_allocation();
2224
2225 /* Print out the count and estimated size of our &cache_root. It undercounts
2226 hostnames in cached reverse resolves.
2227 */
2228 tor_log(severity, LD_MM, "Our DNS cache has %d entries.", hash_count);
2229 tor_log(severity, LD_MM, "Our DNS cache size is approximately %u bytes.",
2230 (unsigned)hash_mem);
2231}
2232
2233/* Do a round of OOM cleanup on all DNS entries. Return the amount of removed
2234 * bytes. It is possible that the returned value is lower than min_remove_bytes
2235 * if the caches get emptied out so the caller should be aware of this. */
2236size_t
2237dns_cache_handle_oom(time_t now, size_t min_remove_bytes)
2238{
2239 time_t time_inc = 0;
2240 size_t total_bytes_removed = 0;
2241 size_t current_size = dns_cache_total_allocation();
2242
2243 do {
2244 /* If no DNS entries left, break loop. */
2245 if (!dns_cache_entry_count())
2246 break;
2247
2248 /* Get cutoff interval and remove entries. */
2249 time_t cutoff = now + time_inc;
2250 purge_expired_resolves(cutoff);
2251
2252 /* Update amount of bytes removed and array size. */
2253 size_t bytes_removed = current_size - dns_cache_total_allocation();
2254 current_size -= bytes_removed;
2255 total_bytes_removed += bytes_removed;
2256
2257 /* Increase time_inc by a reasonable fraction. */
2258 time_inc += (MAX_DNS_TTL / 4);
2259 } while (total_bytes_removed < min_remove_bytes);
2260
2261 return total_bytes_removed;
2262}
2263
2264#ifdef DEBUG_DNS_CACHE
2265/** Exit with an assertion if the DNS cache is corrupt. */
2266static void
2267assert_cache_ok_(void)
2268{
2269 cached_resolve_t **resolve;
2270 int bad_rep = HT_REP_IS_BAD_(cache_map, &cache_root);
2271 if (bad_rep) {
2272 log_err(LD_BUG, "Bad rep type %d on dns cache hash table", bad_rep);
2273 tor_assert(!bad_rep);
2274 }
2275
2276 HT_FOREACH(resolve, cache_map, &cache_root) {
2277 assert_resolve_ok(*resolve);
2278 tor_assert((*resolve)->state != CACHE_STATE_DONE);
2279 }
2281 return;
2282
2285 offsetof(cached_resolve_t, minheap_idx));
2286
2288 {
2289 if (res->state == CACHE_STATE_DONE) {
2290 cached_resolve_t *found = HT_FIND(cache_map, &cache_root, res);
2291 tor_assert(!found || found != res);
2292 } else {
2293 cached_resolve_t *found = HT_FIND(cache_map, &cache_root, res);
2294 tor_assert(found);
2295 }
2296 });
2297}
2298
2299#endif /* defined(DEBUG_DNS_CACHE) */
2300
2302dns_get_cache_entry(cached_resolve_t *query)
2303{
2304 return HT_FIND(cache_map, &cache_root, query);
2305}
2306
2307void
2308dns_insert_cache_entry(cached_resolve_t *new_entry)
2309{
2310 HT_INSERT(cache_map, &cache_root, new_entry);
2311}
void tor_addr_copy(tor_addr_t *dest, const tor_addr_t *src)
Definition: address.c:933
void tor_addr_from_ipv4n(tor_addr_t *dest, uint32_t v4addr)
Definition: address.c:889
void tor_addr_make_unspec(tor_addr_t *a)
Definition: address.c:225
int tor_addr_parse(tor_addr_t *addr, const char *src)
Definition: address.c:1349
int tor_addr_parse_PTR_name(tor_addr_t *result, const char *address, int family, int accept_regular)
Definition: address.c:380
void tor_addr_from_in6(tor_addr_t *dest, const struct in6_addr *in6)
Definition: address.c:911
const char * tor_addr_to_str(char *dest, const tor_addr_t *addr, size_t len, int decorate)
Definition: address.c:328
int tor_addr_from_sockaddr(tor_addr_t *a, const struct sockaddr *sa, uint16_t *port_out)
Definition: address.c:165
static const struct in_addr * tor_addr_to_in(const tor_addr_t *a)
Definition: address.h:204
static sa_family_t tor_addr_family(const tor_addr_t *a)
Definition: address.h:187
static uint32_t tor_addr_to_ipv4h(const tor_addr_t *a)
Definition: address.h:160
static const struct in6_addr * tor_addr_to_in6(const tor_addr_t *a)
Definition: address.h:117
#define tor_addr_from_ipv4h(dest, v4addr)
Definition: address.h:327
#define TOR_ADDR_BUF_LEN
Definition: address.h:224
static void set_uint32(void *cp, uint32_t v)
Definition: bytes.h:87
circuit_t * circuit_get_by_edge_conn(edge_connection_t *conn)
Definition: circuitlist.c:1600
or_circuit_t * TO_OR_CIRCUIT(circuit_t *x)
Definition: circuitlist.c:168
Header file for circuitlist.c.
#define CIRCUIT_IS_ORIGIN(c)
Definition: circuitlist.h:154
void circuit_detach_stream(circuit_t *circ, edge_connection_t *conn)
Definition: circuituse.c:1352
Header file for circuituse.c.
#define MAX(a, b)
Definition: cmp.h:22
struct event_base * tor_libevent_get_base(void)
Header for compat_libevent.c.
const char * escaped_safe_str(const char *address)
Definition: config.c:1148
const or_options_t * get_options(void)
Definition: config.c:944
Header file for config.c.
void conflux_update_resolving_streams(or_circuit_t *circ, edge_connection_t *stream)
Definition: conflux_util.c:333
void conflux_update_n_streams(or_circuit_t *circ, edge_connection_t *stream)
Definition: conflux_util.c:317
Header file for conflux_util.c.
void assert_connection_ok(connection_t *conn, time_t now)
Definition: connection.c:5673
void connection_free_(connection_t *conn)
Definition: connection.c:972
Header file for connection.c.
#define CONN_TYPE_EXIT
Definition: connection.h:46
uint32_t clip_dns_fuzzy_ttl(uint32_t ttl)
void connection_exit_connect(edge_connection_t *edge_conn)
int connection_edge_end(edge_connection_t *conn, uint8_t reason)
Header file for connection_edge.c.
#define EXIT_CONN_STATE_CONNECTING
int address_is_invalid_destination(const char *address, int client)
Definition: addressmap.c:1082
#define BEGIN_FLAG_IPV6_PREFERRED
#define EXIT_CONN_STATE_RESOLVEFAILED
#define EXIT_PURPOSE_CONNECT
#define BEGIN_FLAG_IPV4_NOT_OK
#define EXIT_CONN_STATE_RESOLVING
#define DEFAULT_DNS_TTL
#define BEGIN_FLAG_IPV6_OK
#define EXIT_PURPOSE_RESOLVE
#define MAX_DNS_TTL
int control_event_server_status(int severity, const char *format,...)
Header file for control_events.c.
char * crypto_random_hostname(int min_rand_len, int max_rand_len, const char *prefix, const char *suffix)
Definition: crypto_rand.c:554
Common functions for using (pseudo-)random number generators.
static int dns_wildcard_notice_given
Definition: dns.c:1878
STATIC int set_exitconn_info_from_resolve(edge_connection_t *exitconn, const cached_resolve_t *resolve, char **hostname_out)
Definition: dns.c:865
static const char * get_consensus_param_exit_dns_attempts(void)
Definition: dns.c:1407
static int dns_wildcard_one_notice_given
Definition: dns.c:1875
static int nameservers_configured
Definition: dns.c:93
int dns_init(void)
Definition: dns.c:233
static unsigned int cached_resolve_hash(cached_resolve_t *a)
Definition: dns.c:147
static void add_wildcarded_test_address(const char *address)
Definition: dns.c:1923
static int nameserver_config_failed
Definition: dns.c:95
static void dns_launch_wildcard_checks(void)
Definition: dns.c:2080
static void assert_resolve_ok(cached_resolve_t *resolve)
Definition: dns.c:2180
static char * resolv_conf_fname
Definition: dns.c:98
void dns_new_consensus_params(const networkstatus_t *ns)
Definition: dns.c:220
static int dns_cache_entry_count(void)
Definition: dns.c:2204
int dns_seems_to_be_broken(void)
Definition: dns.c:2133
STATIC void send_resolved_cell(edge_connection_t *conn, uint8_t answer_type, const cached_resolve_t *resolved)
Definition: dns.c:509
void dns_reset_correctness_checks(void)
Definition: dns.c:2147
STATIC void send_resolved_hostname_cell(edge_connection_t *conn, const char *hostname)
Definition: dns.c:576
static int n_wildcard_requests
Definition: dns.c:1861
static void init_cache_map(void)
Definition: dns.c:159
static struct evdns_base * the_evdns_base
Definition: dns.c:90
static void evdns_callback(int result, char type, int count, int ttl, void *addresses, void *arg)
Definition: dns.c:1621
static int configure_nameservers(int force)
Definition: dns.c:1487
static void inform_pending_connections(cached_resolve_t *resolve)
Definition: dns.c:1185
static smartlist_t * dns_wildcard_list
Definition: dns.c:1872
static void evdns_wildcard_check_callback(int result, char type, int count, int ttl, void *addresses, void *arg)
Definition: dns.c:1957
#define RESOLVE_MAX_TIMEOUT
Definition: dns.c:87
static void purge_expired_resolves(time_t now)
Definition: dns.c:417
STATIC void dns_cancel_pending_resolve(const char *address)
Definition: dns.c:1042
static int evdns_err_is_transient(int err)
Definition: dns.c:1326
size_t number_of_configured_nameservers(void)
Definition: dns.c:1343
void connection_dns_remove(edge_connection_t *conn)
Definition: dns.c:987
static smartlist_t * dns_wildcarded_test_address_list
Definition: dns.c:1882
int has_dns_init_failed(void)
Definition: dns.c:274
static int dns_is_completely_invalid
Definition: dns.c:1886
void dump_dns_mem_usage(int severity)
Definition: dns.c:2219
static void free_cached_resolve_(cached_resolve_t *r)
Definition: dns.c:281
void dns_free_all(void)
Definition: dns.c:392
STATIC int dns_resolve_impl(edge_connection_t *exitconn, int is_resolve, or_circuit_t *oncirc, char **hostname_out, int *made_connection_pending_out, cached_resolve_t **resolve_out)
Definition: dns.c:713
static void launch_test_addresses(evutil_socket_t fd, short event, void *args)
Definition: dns.c:2040
static int dns_wildcarded_test_address_notice_given
Definition: dns.c:1884
static int launch_one_resolve(const char *address, uint8_t query_type, const tor_addr_t *ptr_address)
Definition: dns.c:1745
static void evdns_log_cb(int warn, const char *msg)
Definition: dns.c:166
static int answer_is_wildcarded(const char *ip)
Definition: dns.c:2173
STATIC int launch_resolve(cached_resolve_t *resolve)
Definition: dns.c:1800
int dns_seems_to_be_broken_for_ipv6(void)
Definition: dns.c:2140
int dns_resolve(edge_connection_t *exitconn)
Definition: dns.c:626
static strmap_t * dns_wildcard_response_count
Definition: dns.c:1867
static const char * get_consensus_param_exit_dns_timeout(void)
Definition: dns.c:1378
static time_t resolv_conf_mtime
Definition: dns.c:101
int dns_reset(void)
Definition: dns.c:246
static void launch_wildcard_check(int min_len, int max_len, int is_ipv6, const char *suffix)
Definition: dns.c:2006
static int is_test_address(const char *address)
Definition: dns.c:1115
static void configure_libevent_options(void)
Definition: dns.c:1426
static int compare_cached_resolves_by_expiry_(const void *_a, const void *_b)
Definition: dns.c:300
static void make_pending_resolve_cached(cached_resolve_t *cached)
Definition: dns.c:1270
void dns_launch_correctness_checks(void)
Definition: dns.c:2111
static smartlist_t * cached_resolve_pqueue
Definition: dns.c:313
static int cached_resolve_have_all_answers(const cached_resolve_t *resolve)
Definition: dns.c:368
static void set_expiry(cached_resolve_t *resolve, time_t expires)
Definition: dns.c:378
static void dns_found_answer(const char *address, uint8_t query_type, int dns_answer, const tor_addr_t *addr, const char *hostname, uint32_t ttl)
Definition: dns.c:1132
static HT_HEAD(cache_map, cached_resolve_t)
Definition: dns.c:126
void assert_connection_edge_not_dns_pending(edge_connection_t *conn)
Definition: dns.c:960
static void wildcard_increment_answer(const char *id)
Definition: dns.c:1891
Header file for dns.c.
#define CACHE_STATE_PENDING
Definition: dns_structs.h:38
#define RES_STATUS_DONE_OK
Definition: dns_structs.h:53
#define MAX_ADDRESSLEN
Definition: dns_structs.h:19
#define CACHED_RESOLVE_MAGIC
Definition: dns_structs.h:29
#define CACHE_STATE_CACHED
Definition: dns_structs.h:45
#define RES_STATUS_DONE_ERR
Definition: dns_structs.h:55
#define RES_STATUS_INFLIGHT
Definition: dns_structs.h:51
#define CACHE_STATE_DONE
Definition: dns_structs.h:42
Edge-connection structure.
char * esc_for_log(const char *s)
Definition: escape.c:30
const char * escaped(const char *s)
Definition: escape.c:126
HT_PROTOTYPE(hs_circuitmap_ht, circuit_t, hs_circuitmap_node, hs_circuit_hash_token, hs_circuits_have_same_token)
int tor_inet_ntoa(const struct in_addr *in, char *buf, size_t buf_len)
Definition: inaddr.c:79
const char * tor_inet_ntop(int af, const void *src, char *dst, size_t len)
Definition: inaddr.c:98
#define INET_NTOA_BUF_LEN
Definition: inaddr.h:21
void tor_log(int severity, log_domain_mask_t domain, const char *format,...)
Definition: log.c:590
#define log_fn(severity, domain, args,...)
Definition: log.h:283
#define log_fn_ratelim(ratelim, severity, domain, args,...)
Definition: log.h:288
#define LD_MM
Definition: log.h:74
#define LD_FS
Definition: log.h:70
#define LD_BUG
Definition: log.h:86
#define LOG_NOTICE
Definition: log.h:50
#define LOG_WARN
Definition: log.h:53
#define LOG_INFO
Definition: log.h:45
void dns_servers_relaunch_checks(void)
Definition: mainloop.c:2349
Header file for mainloop.c.
void * tor_reallocarray_(void *ptr, size_t sz1, size_t sz2)
Definition: malloc.c:146
void tor_free_(void *mem)
Definition: malloc.c:227
#define tor_free(p)
Definition: malloc.h:56
int net_is_disabled(void)
Definition: netstatus.c:25
Header for netstatus.c.
#define SOCKET_OK(s)
Definition: nettypes.h:39
int32_t networkstatus_get_param(const networkstatus_t *ns, const char *param_name, int32_t default_val, int32_t min_val, int32_t max_val)
Header file for networkstatus.c.
Master header file for Tor-specific functionality.
#define RELAY_PAYLOAD_SIZE
Definition: or.h:494
#define TO_CONN(c)
Definition: or.h:612
Header file for policies.c.
int tor_snprintf(char *str, size_t size, const char *format,...)
Definition: printf.c:27
int connection_edge_send_command(edge_connection_t *fromconn, uint8_t relay_command, const char *payload, size_t payload_len)
Definition: relay.c:785
Header file for relay.c.
void rep_hist_note_dns_error(int type, uint8_t error)
Definition: rephist.c:372
void rep_hist_note_dns_request(int type)
Definition: rephist.c:431
Header file for rephist.c.
int router_compare_to_my_exit_policy(const tor_addr_t *addr, uint16_t port)
Definition: router.c:1697
void mark_my_descriptor_dirty(const char *reason)
Definition: router.c:2572
int router_my_exit_policy_is_reject_star(void)
Definition: router.c:1732
Header file for router.c.
int server_mode(const or_options_t *options)
Definition: routermode.c:34
Header file for routermode.c.
Header file for sandbox.c.
#define sandbox_intern_string(s)
Definition: sandbox.h:110
void smartlist_pqueue_assert_ok(smartlist_t *sl, int(*compare)(const void *a, const void *b), ptrdiff_t idx_field_offset)
Definition: smartlist.c:803
int smartlist_contains_string_case(const smartlist_t *sl, const char *element)
Definition: smartlist.c:133
void * smartlist_pqueue_pop(smartlist_t *sl, int(*compare)(const void *a, const void *b), ptrdiff_t idx_field_offset)
Definition: smartlist.c:755
void smartlist_pqueue_add(smartlist_t *sl, int(*compare)(const void *a, const void *b), ptrdiff_t idx_field_offset, void *item)
Definition: smartlist.c:726
int smartlist_contains_string(const smartlist_t *sl, const char *element)
Definition: smartlist.c:93
void smartlist_add_strdup(struct smartlist_t *sl, const char *string)
smartlist_t * smartlist_new(void)
void smartlist_clear(smartlist_t *sl)
#define SMARTLIST_FOREACH_BEGIN(sl, type, var)
#define SMARTLIST_FOREACH(sl, type, var, cmd)
union cached_resolve_t::@24 result_ipv4
struct in6_addr addr_ipv6
Definition: dns_structs.h:73
uint32_t magic
Definition: dns_structs.h:64
union cached_resolve_t::@25 result_ipv6
uint32_t addr_ipv4
Definition: dns_structs.h:68
uint32_t ttl_ipv6
Definition: dns_structs.h:95
char address[MAX_ADDRESSLEN]
Definition: dns_structs.h:65
uint32_t ttl_ipv4
Definition: dns_structs.h:94
uint32_t ttl_hostname
Definition: dns_structs.h:96
pending_connection_t * pending_connections
Definition: dns_structs.h:98
uint8_t state
Definition: connection_st.h:49
unsigned int type
Definition: connection_st.h:50
uint16_t marked_for_close
uint16_t port
unsigned int purpose
Definition: connection_st.h:51
tor_socket_t s
tor_addr_t addr
unsigned int is_reverse_dns_lookup
struct edge_connection_t * next_stream
struct circuit_t * on_circuit
edge_connection_t * resolving_streams
Definition: or_circuit_st.h:50
edge_connection_t * n_streams
Definition: or_circuit_st.h:43
char * ServerDNSResolvConfFile
struct smartlist_t * ServerDNSTestAddresses
int ServerDNSSearchDomains
#define STATIC
Definition: testsupport.h:32
#define MOCK_IMPL(rv, funcname, arglist)
Definition: testsupport.h:133
#define tor_assert(expr)
Definition: util_bug.h:102
#define tor_fragile_assert()
Definition: util_bug.h:270
void tor_strlower(char *s)
Definition: util_string.c:127
int strcmpstart(const char *s1, const char *s2)
Definition: util_string.c:215
int tor_strisnonupper(const char *s)
Definition: util_string.c:171