xref: /freebsd/contrib/unbound/dnstap/unbound-dnstap-socket.c (revision 22d7dd834bc5cd189810e414701e3ad1e98102e4)
1 /*
2  * dnstap/unbound-dnstap-socket.c - debug program that listens for DNSTAP logs.
3  *
4  * Copyright (c) 2020, NLnet Labs. All rights reserved.
5  *
6  * This software is open source.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * Redistributions of source code must retain the above copyright notice,
13  * this list of conditions and the following disclaimer.
14  *
15  * Redistributions in binary form must reproduce the above copyright notice,
16  * this list of conditions and the following disclaimer in the documentation
17  * and/or other materials provided with the distribution.
18  *
19  * Neither the name of the NLNET LABS nor the names of its contributors may
20  * be used to endorse or promote products derived from this software without
21  * specific prior written permission.
22  *
23  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26  * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27  * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29  * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31  * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32  * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34  */
35 
36 /**
37  * \file
38  *
39  * This program listens on a DNSTAP socket for logged messages.
40  */
41 #include "config.h"
42 #ifdef HAVE_GETOPT_H
43 #include <getopt.h>
44 #endif
45 #include <signal.h>
46 #include <stdlib.h>
47 #include <unistd.h>
48 #include <signal.h>
49 #include <ctype.h>
50 #ifdef HAVE_SYS_UN_H
51 #include <sys/un.h>
52 #endif
53 #include <openssl/ssl.h>
54 #include <openssl/rand.h>
55 #include <openssl/err.h>
56 #include "dnstap/dtstream.h"
57 #include "dnstap/dnstap_fstrm.h"
58 #include "util/log.h"
59 #include "util/ub_event.h"
60 #include "util/net_help.h"
61 #include "services/listen_dnsport.h"
62 #include "sldns/sbuffer.h"
63 #include "sldns/wire2str.h"
64 #include "sldns/pkthdr.h"
65 #ifdef USE_DNSTAP
66 #include <protobuf-c/protobuf-c.h>
67 #include "dnstap/dnstap.pb-c.h"
68 #endif /* USE_DNSTAP */
69 #include "util/config_file.h"
70 
71 /** listen backlog on TCP connections for dnstap logs */
72 #define LISTEN_BACKLOG 16
73 
74 /** usage information for streamtcp */
75 static void usage(char* argv[])
76 {
77 	printf("usage: %s [options]\n", argv[0]);
78 	printf(" 	Listen to dnstap messages\n");
79 	printf("stdout has dnstap log, stderr has verbose server log\n");
80 	printf("-u <socketpath> listen to unix socket with this file name\n");
81 	printf("-s <serverip[@port]> listen for TCP on the IP and port\n");
82 	printf("-t <serverip[@port]> listen for TLS on IP and port\n");
83 	printf("-x <server.key> server key file for TLS service\n");
84 	printf("-y <server.pem> server cert file for TLS service\n");
85 	printf("-z <verify.pem> cert file to verify client connections\n");
86 	printf("-l 		long format for DNS printout\n");
87 	printf("-v 		more verbose log output\n");
88 	printf("-h 		this help text\n");
89 	exit(1);
90 }
91 
92 /** long format option, for multiline printout per message */
93 static int longformat = 0;
94 
95 struct tap_socket_list;
96 struct tap_socket;
97 /** main tap callback data */
98 struct main_tap_data {
99 	/** the event base (to loopexit) */
100 	struct ub_event_base* base;
101 	/** the list of accept sockets */
102 	struct tap_socket_list* acceptlist;
103 };
104 
105 /** tap callback variables */
106 struct tap_data {
107 	/** the fd */
108 	int fd;
109 	/** the ub event */
110 	struct ub_event* ev;
111 	/** the SSL for TLS streams */
112 	SSL* ssl;
113 	/** is the ssl handshake done */
114 	int ssl_handshake_done;
115 	/** we are briefly waiting to write (in the struct event) */
116 	int ssl_brief_write;
117 	/** string that identifies the socket (or NULL), like IP address */
118 	char* id;
119 	/** have we read the length, and how many bytes of it */
120 	int len_done;
121 	/** have we read the data, and how many bytes of it */
122 	size_t data_done;
123 	/** are we reading a control frame */
124 	int control_frame;
125 	/** are we bi-directional (if false, uni-directional) */
126 	int is_bidirectional;
127 	/** data of the frame */
128 	uint8_t* frame;
129 	/** length of this frame */
130 	size_t len;
131 };
132 
133 /** list of sockets */
134 struct tap_socket_list {
135 	/** next in list */
136 	struct tap_socket_list* next;
137 	/** the socket */
138 	struct tap_socket* s;
139 };
140 
141 /** tap socket */
142 struct tap_socket {
143 	/** fd of socket */
144 	int fd;
145 	/** the event for it */
146 	struct ub_event *ev;
147 	/** has the event been added */
148 	int ev_added;
149 	/** the callback, for the event, ev_cb(fd, bits, arg) */
150 	void (*ev_cb)(int, short, void*);
151 	/** data element, (arg for the tap_socket struct) */
152 	void* data;
153 	/** socketpath, if this is an AF_LOCAL socket */
154 	char* socketpath;
155 	/** IP, if this is a TCP socket */
156 	char* ip;
157 	/** for a TLS socket, the tls context */
158 	SSL_CTX* sslctx;
159 };
160 
161 /** del the tap event */
162 static void tap_socket_delev(struct tap_socket* s)
163 {
164 	if(!s) return;
165 	if(!s->ev) return;
166 	if(!s->ev_added) return;
167 	ub_event_del(s->ev);
168 	s->ev_added = 0;
169 }
170 
171 /** close the tap socket */
172 static void tap_socket_close(struct tap_socket* s)
173 {
174 	if(!s) return;
175 	if(s->fd == -1) return;
176 	close(s->fd);
177 	s->fd = -1;
178 }
179 
180 /** delete tap socket */
181 static void tap_socket_delete(struct tap_socket* s)
182 {
183 	if(!s) return;
184 #ifdef HAVE_SSL
185 	SSL_CTX_free(s->sslctx);
186 #endif
187 	ub_event_free(s->ev);
188 	free(s->socketpath);
189 	free(s->ip);
190 	free(s);
191 }
192 
193 /** create new socket (unconnected, not base-added), or NULL malloc fail */
194 static struct tap_socket* tap_socket_new_local(char* socketpath,
195 	void (*ev_cb)(int, short, void*), void* data)
196 {
197 	struct tap_socket* s = calloc(1, sizeof(*s));
198 	if(!s) {
199 		log_err("malloc failure");
200 		return NULL;
201 	}
202 	s->socketpath = strdup(socketpath);
203 	if(!s->socketpath) {
204 		free(s);
205 		log_err("malloc failure");
206 		return NULL;
207 	}
208 	s->fd = -1;
209 	s->ev_cb = ev_cb;
210 	s->data = data;
211 	return s;
212 }
213 
214 /** create new socket (unconnected, not base-added), or NULL malloc fail */
215 static struct tap_socket* tap_socket_new_tcpaccept(char* ip,
216 	void (*ev_cb)(int, short, void*), void* data)
217 {
218 	struct tap_socket* s = calloc(1, sizeof(*s));
219 	if(!s) {
220 		log_err("malloc failure");
221 		return NULL;
222 	}
223 	s->ip = strdup(ip);
224 	if(!s->ip) {
225 		free(s);
226 		log_err("malloc failure");
227 		return NULL;
228 	}
229 	s->fd = -1;
230 	s->ev_cb = ev_cb;
231 	s->data = data;
232 	return s;
233 }
234 
235 /** create new socket (unconnected, not base-added), or NULL malloc fail */
236 static struct tap_socket* tap_socket_new_tlsaccept(char* ip,
237 	void (*ev_cb)(int, short, void*), void* data, char* server_key,
238 	char* server_cert, char* verifypem)
239 {
240 	struct tap_socket* s = calloc(1, sizeof(*s));
241 	if(!s) {
242 		log_err("malloc failure");
243 		return NULL;
244 	}
245 	s->ip = strdup(ip);
246 	if(!s->ip) {
247 		free(s);
248 		log_err("malloc failure");
249 		return NULL;
250 	}
251 	s->fd = -1;
252 	s->ev_cb = ev_cb;
253 	s->data = data;
254 	s->sslctx = listen_sslctx_create(server_key, server_cert, verifypem);
255 	if(!s->sslctx) {
256 		log_err("could not create ssl context");
257 		free(s->ip);
258 		free(s);
259 		return NULL;
260 	}
261 	return s;
262 }
263 
264 /** setup tcp accept socket on IP string */
265 static int make_tcp_accept(char* ip)
266 {
267 #ifdef SO_REUSEADDR
268 	int on = 1;
269 #endif
270 	struct sockaddr_storage addr;
271 	socklen_t len;
272 	int s;
273 
274 	memset(&addr, 0, sizeof(addr));
275 	len = (socklen_t)sizeof(addr);
276 	if(!extstrtoaddr(ip, &addr, &len, UNBOUND_DNS_PORT)) {
277 		log_err("could not parse IP '%s'", ip);
278 		return -1;
279 	}
280 
281 	if((s = socket(addr.ss_family, SOCK_STREAM, 0)) == -1) {
282 		log_err("can't create socket: %s", sock_strerror(errno));
283 		return -1;
284 	}
285 #ifdef SO_REUSEADDR
286 	if(setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (void*)&on,
287 		(socklen_t)sizeof(on)) < 0) {
288 		log_err("setsockopt(.. SO_REUSEADDR ..) failed: %s",
289 			sock_strerror(errno));
290 		sock_close(s);
291 		return -1;
292 	}
293 #endif /* SO_REUSEADDR */
294 	if(bind(s, (struct sockaddr*)&addr, len) != 0) {
295 		log_err_addr("can't bind socket", sock_strerror(errno),
296 			&addr, len);
297 		sock_close(s);
298 		return -1;
299 	}
300 	if(!fd_set_nonblock(s)) {
301 		sock_close(s);
302 		return -1;
303 	}
304 	if(listen(s, LISTEN_BACKLOG) == -1) {
305 		log_err("can't listen: %s", sock_strerror(errno));
306 		sock_close(s);
307 		return -1;
308 	}
309 	return s;
310 }
311 
312 /** setup socket on event base */
313 static int tap_socket_setup(struct tap_socket* s, struct ub_event_base* base)
314 {
315 	if(s->socketpath) {
316 		/* AF_LOCAL accept socket */
317 		s->fd = create_local_accept_sock(s->socketpath, NULL, 0);
318 		if(s->fd == -1) {
319 			log_err("could not create local socket");
320 			return 0;
321 		}
322 	} else if(s->ip || s->sslctx) {
323 		/* TCP accept socket */
324 		s->fd = make_tcp_accept(s->ip);
325 		if(s->fd == -1) {
326 			log_err("could not create tcp socket");
327 			return 0;
328 		}
329 	}
330 	s->ev = ub_event_new(base, s->fd, UB_EV_READ | UB_EV_PERSIST,
331 		s->ev_cb, s);
332 	if(!s->ev) {
333 		log_err("could not ub_event_new");
334 		return 0;
335 	}
336 	if(ub_event_add(s->ev, NULL) != 0) {
337 		log_err("could not ub_event_add");
338 		return 0;
339 	}
340 	s->ev_added = 1;
341 	return 1;
342 }
343 
344 /** add tap socket to list */
345 static int tap_socket_list_insert(struct tap_socket_list** liststart,
346 	struct tap_socket* s)
347 {
348 	struct tap_socket_list* entry = (struct tap_socket_list*)
349 		malloc(sizeof(*entry));
350 	if(!entry)
351 		return 0;
352 	entry->next = *liststart;
353 	entry->s = s;
354 	*liststart = entry;
355 	return 1;
356 }
357 
358 /** delete the list */
359 static void tap_socket_list_delete(struct tap_socket_list* list)
360 {
361 	struct tap_socket_list* e = list, *next;
362 	while(e) {
363 		next = e->next;
364 		tap_socket_delev(e->s);
365 		tap_socket_close(e->s);
366 		tap_socket_delete(e->s);
367 		free(e);
368 		e = next;
369 	}
370 }
371 
372 /** setup accept events */
373 static int tap_socket_list_addevs(struct tap_socket_list* list,
374 	struct ub_event_base* base)
375 {
376 	struct tap_socket_list* entry;
377 	for(entry = list; entry; entry = entry->next) {
378 		if(!tap_socket_setup(entry->s, base)) {
379 			log_err("could not setup socket");
380 			return 0;
381 		}
382 	}
383 	return 1;
384 }
385 
386 #ifdef USE_DNSTAP
387 /** log control frame contents */
388 static void log_control_frame(uint8_t* pkt, size_t len)
389 {
390 	char* desc;
391 	if(verbosity == 0) return;
392 	desc = fstrm_describe_control(pkt, len);
393 	if(!desc) {
394 		log_err("out of memory");
395 		return;
396 	}
397 	log_info("control frame %s", desc);
398 	free(desc);
399 }
400 
401 /** convert mtype to string */
402 static const char* mtype_to_str(enum _Dnstap__Message__Type mtype)
403 {
404 	switch(mtype) {
405 		case DNSTAP__MESSAGE__TYPE__AUTH_QUERY:
406 			return "AUTH_QUERY";
407 		case DNSTAP__MESSAGE__TYPE__AUTH_RESPONSE:
408 			return "AUTH_RESPONSE";
409 		case DNSTAP__MESSAGE__TYPE__RESOLVER_QUERY:
410 			return "RESOLVER_QUERY";
411 		case DNSTAP__MESSAGE__TYPE__RESOLVER_RESPONSE:
412 			return "RESOLVER_RESPONSE";
413 		case DNSTAP__MESSAGE__TYPE__CLIENT_QUERY:
414 			return "CLIENT_QUERY";
415 		case DNSTAP__MESSAGE__TYPE__CLIENT_RESPONSE:
416 			return "CLIENT_RESPONSE";
417 		case DNSTAP__MESSAGE__TYPE__FORWARDER_QUERY:
418 			return "FORWARDER_QUERY";
419 		case DNSTAP__MESSAGE__TYPE__FORWARDER_RESPONSE:
420 			return "FORWARDER_RESPONSE";
421 		case DNSTAP__MESSAGE__TYPE__STUB_QUERY:
422 			return "STUB_QUERY";
423 		case DNSTAP__MESSAGE__TYPE__STUB_RESPONSE:
424 			return "STUB_RESPONSE";
425 		default: break;
426 	}
427 	return "unknown_message_type";
428 }
429 
430 /** convert type address to a string ip4 or ip6, malloced or NULL on fail */
431 static char* str_of_addr(ProtobufCBinaryData address)
432 {
433 	char buf[64];
434 	socklen_t len = sizeof(buf);
435 	if(address.len == 4) {
436 		if(inet_ntop(AF_INET, address.data, buf, len)!=0)
437 			return strdup(buf);
438 	} else if(address.len == 16) {
439 		if(inet_ntop(AF_INET6, address.data, buf, len)!=0)
440 			return strdup(buf);
441 	}
442 	return NULL;
443 }
444 
445 /** convert message buffer (of dns bytes) to the first qname, type, class,
446  * malloced or NULL on fail */
447 static char* q_of_msg(ProtobufCBinaryData message)
448 {
449 	char buf[300];
450 	/* header, name, type, class minimum to get the query tuple */
451 	if(message.len < 12 + 1 + 4 + 4) return NULL;
452 	if(LDNS_QDCOUNT(message.data) < 1) return NULL;
453 	if(sldns_wire2str_rrquestion_buf(message.data+12, message.len-12,
454 		buf, sizeof(buf)) != 0) {
455 		/* remove trailing newline, tabs to spaces */
456 		/* remove the newline: */
457 		if(buf[0] != 0) buf[strlen(buf)-1]=0;
458 		/* remove first tab (before type) */
459 		if(strrchr(buf, '\t')) *strrchr(buf, '\t')=' ';
460 		/* remove second tab (before class) */
461 		if(strrchr(buf, '\t')) *strrchr(buf, '\t')=' ';
462 		return strdup(buf);
463 	}
464 	return NULL;
465 }
466 
467 /** convert possible string or hex data to string. malloced or NULL */
468 static char* possible_str(ProtobufCBinaryData str)
469 {
470 	int is_str = 1;
471 	size_t i;
472 	for(i=0; i<str.len; i++) {
473 		if(!isprint((unsigned char)str.data[i]))
474 			is_str = 0;
475 	}
476 	if(is_str) {
477 		char* res = malloc(str.len+1);
478 		if(res) {
479 			memmove(res, str.data, str.len);
480 			res[str.len] = 0;
481 			return res;
482 		}
483 	} else {
484 		const char* hex = "0123456789ABCDEF";
485 		char* res = malloc(str.len*2+1);
486 		if(res) {
487 			for(i=0; i<str.len; i++) {
488 				res[i*2] = hex[(str.data[i]&0xf0)>>4];
489 				res[i*2+1] = hex[str.data[i]&0x0f];
490 			}
491 			res[str.len*2] = 0;
492 			return res;
493 		}
494 	}
495 	return NULL;
496 }
497 
498 /** convert timeval to string, malloced or NULL */
499 static char* tv_to_str(protobuf_c_boolean has_time_sec, uint64_t time_sec,
500 	protobuf_c_boolean has_time_nsec, uint32_t time_nsec)
501 {
502 	char buf[64], buf2[256];
503 	struct timeval tv;
504 	time_t time_t_sec;
505 	memset(&tv, 0, sizeof(tv));
506 	if(has_time_sec) tv.tv_sec = time_sec;
507 	if(has_time_nsec) tv.tv_usec = time_nsec/1000;
508 
509 	buf[0]=0;
510 	time_t_sec = tv.tv_sec;
511 	(void)ctime_r(&time_t_sec, buf);
512 	snprintf(buf2, sizeof(buf2), "%u.%9.9u %s",
513 		(unsigned)time_sec, (unsigned)time_nsec, buf);
514 	return strdup(buf2);
515 }
516 
517 /** log data frame contents */
518 static void log_data_frame(uint8_t* pkt, size_t len)
519 {
520 	Dnstap__Dnstap* d = dnstap__dnstap__unpack(NULL, len, pkt);
521 	const char* mtype = NULL;
522 	char* maddr=NULL, *qinf=NULL;
523 	if(!d) {
524 		log_err("could not unpack");
525 		return;
526 	}
527 	if(d->base.descriptor != &dnstap__dnstap__descriptor) {
528 		log_err("wrong base descriptor");
529 		dnstap__dnstap__free_unpacked(d, NULL);
530 		return;
531 	}
532 	if(d->type != DNSTAP__DNSTAP__TYPE__MESSAGE) {
533 		log_err("dnstap type not type_message");
534 		dnstap__dnstap__free_unpacked(d, NULL);
535 		return;
536 	}
537 	if(d->message) {
538 		mtype = mtype_to_str(d->message->type);
539 		if(d->message->has_query_address)
540 			maddr = str_of_addr(d->message->query_address);
541 		else if(d->message->has_response_address)
542 			maddr = str_of_addr(d->message->response_address);
543 		if(d->message->has_query_message)
544 			qinf = q_of_msg(d->message->query_message);
545 		else if(d->message->has_response_message)
546 			qinf = q_of_msg(d->message->response_message);
547 
548 	} else {
549 		mtype = "nomessage";
550 	}
551 
552 	printf("%s%s%s%s%s\n", mtype, (maddr?" ":""), (maddr?maddr:""),
553 		(qinf?" ":""), (qinf?qinf:""));
554 	free(maddr);
555 	free(qinf);
556 
557 	if(longformat) {
558 		char* id=NULL, *vs=NULL;
559 		if(d->has_identity) {
560 			id=possible_str(d->identity);
561 		}
562 		if(d->has_version) {
563 			vs=possible_str(d->version);
564 		}
565 		if(id || vs)
566 			printf("identity: %s%s%s\n", (id?id:""),
567 				(id&&vs?" ":""), (vs?vs:""));
568 		free(id);
569 		free(vs);
570 
571 		if(d->message && d->message->has_query_message &&
572 			d->message->query_message.data) {
573 			char* qmsg = sldns_wire2str_pkt(
574 				d->message->query_message.data,
575 				d->message->query_message.len);
576 			if(qmsg) {
577 				printf("query_message:\n%s", qmsg);
578 				free(qmsg);
579 			}
580 		}
581 		if(d->message && d->message->has_query_time_sec) {
582 			char* qtv = tv_to_str(d->message->has_query_time_sec,
583 				d->message->query_time_sec,
584 				d->message->has_query_time_nsec,
585 				d->message->query_time_nsec);
586 			if(qtv) {
587 				printf("query_time: %s\n", qtv);
588 				free(qtv);
589 			}
590 		}
591 		if(d->message && d->message->has_response_message &&
592 			d->message->response_message.data) {
593 			char* rmsg = sldns_wire2str_pkt(
594 				d->message->response_message.data,
595 				d->message->response_message.len);
596 			if(rmsg) {
597 				printf("response_message:\n%s", rmsg);
598 				free(rmsg);
599 			}
600 		}
601 		if(d->message && d->message->has_response_time_sec) {
602 			char* rtv = tv_to_str(d->message->has_response_time_sec,
603 				d->message->response_time_sec,
604 				d->message->has_response_time_nsec,
605 				d->message->response_time_nsec);
606 			if(rtv) {
607 				printf("response_time: %s\n", rtv);
608 				free(rtv);
609 			}
610 		}
611 	}
612 	fflush(stdout);
613 	dnstap__dnstap__free_unpacked(d, NULL);
614 }
615 #endif /* USE_DNSTAP */
616 
617 /** receive bytes from fd, prints errors if bad,
618  * returns 0: closed/error, -1: continue, >0 number of bytes */
619 static ssize_t receive_bytes(struct tap_data* data, int fd, void* buf,
620 	size_t len)
621 {
622 	ssize_t ret = recv(fd, buf, len, MSG_DONTWAIT);
623 	if(ret == 0) {
624 		/* closed */
625 		if(verbosity) log_info("dnstap client stream closed from %s",
626 			(data->id?data->id:""));
627 		return 0;
628 	} else if(ret == -1) {
629 		/* error */
630 #ifndef USE_WINSOCK
631 		if(errno == EINTR || errno == EAGAIN)
632 			return -1;
633 #else /* USE_WINSOCK */
634 		if(WSAGetLastError() == WSAEINPROGRESS)
635 			return -1;
636 		if(WSAGetLastError() == WSAEWOULDBLOCK) {
637 			ub_winsock_tcp_wouldblock(data->ev, UB_EV_READ);
638 			return -1;
639 		}
640 #endif
641 		log_err("could not recv: %s", sock_strerror(errno));
642 		if(verbosity) log_info("dnstap client stream closed from %s",
643 			(data->id?data->id:""));
644 		return 0;
645 	}
646 	return ret;
647 }
648 
649 /* define routine for have_ssl only to avoid unused function warning */
650 #ifdef HAVE_SSL
651 /** set to wait briefly for a write event, for one event call */
652 static void tap_enable_brief_write(struct tap_data* data)
653 {
654 	ub_event_del(data->ev);
655 	ub_event_del_bits(data->ev, UB_EV_READ);
656 	ub_event_add_bits(data->ev, UB_EV_WRITE);
657 	if(ub_event_add(data->ev, NULL) != 0)
658 		log_err("could not ub_event_add in tap_enable_brief_write");
659 	data->ssl_brief_write = 1;
660 }
661 #endif /* HAVE_SSL */
662 
663 /* define routine for have_ssl only to avoid unused function warning */
664 #ifdef HAVE_SSL
665 /** stop the brief wait for a write event. back to reading. */
666 static void tap_disable_brief_write(struct tap_data* data)
667 {
668 	ub_event_del(data->ev);
669 	ub_event_del_bits(data->ev, UB_EV_WRITE);
670 	ub_event_add_bits(data->ev, UB_EV_READ);
671 	if(ub_event_add(data->ev, NULL) != 0)
672 		log_err("could not ub_event_add in tap_disable_brief_write");
673 	data->ssl_brief_write = 0;
674 }
675 #endif /* HAVE_SSL */
676 
677 #ifdef HAVE_SSL
678 /** receive bytes over ssl stream, prints errors if bad,
679  * returns 0: closed/error, -1: continue, >0 number of bytes */
680 static ssize_t ssl_read_bytes(struct tap_data* data, void* buf, size_t len)
681 {
682 	int r;
683 	ERR_clear_error();
684 	r = SSL_read(data->ssl, buf, len);
685 	if(r <= 0) {
686 		int want = SSL_get_error(data->ssl, r);
687 		if(want == SSL_ERROR_ZERO_RETURN) {
688 			/* closed */
689 			if(verbosity) log_info("dnstap client stream closed from %s",
690 				(data->id?data->id:""));
691 			return 0;
692 		} else if(want == SSL_ERROR_WANT_READ) {
693 			/* continue later */
694 			return -1;
695 		} else if(want == SSL_ERROR_WANT_WRITE) {
696 			/* set to briefly write */
697 			tap_enable_brief_write(data);
698 			return -1;
699 		} else if(want == SSL_ERROR_SYSCALL) {
700 #ifdef ECONNRESET
701 			if(errno == ECONNRESET && verbosity < 2)
702 				return 0; /* silence reset by peer */
703 #endif
704 			if(errno != 0)
705 				log_err("SSL_read syscall: %s",
706 					strerror(errno));
707 			if(verbosity) log_info("dnstap client stream closed from %s",
708 				(data->id?data->id:""));
709 			return 0;
710 		}
711 		log_crypto_err("could not SSL_read");
712 		if(verbosity) log_info("dnstap client stream closed from %s",
713 			(data->id?data->id:""));
714 		return 0;
715 	}
716 	return r;
717 }
718 #endif /* HAVE_SSL */
719 
720 /** receive bytes on the tap connection, prints errors if bad,
721  * returns 0: closed/error, -1: continue, >0 number of bytes */
722 static ssize_t tap_receive(struct tap_data* data, void* buf, size_t len)
723 {
724 #ifdef HAVE_SSL
725 	if(data->ssl)
726 		return ssl_read_bytes(data, buf, len);
727 #endif
728 	return receive_bytes(data, data->fd, buf, len);
729 }
730 
731 /** delete the tap structure */
732 static void tap_data_free(struct tap_data* data)
733 {
734 	ub_event_del(data->ev);
735 	ub_event_free(data->ev);
736 #ifdef HAVE_SSL
737 	SSL_free(data->ssl);
738 #endif
739 	close(data->fd);
740 	free(data->id);
741 	free(data->frame);
742 	free(data);
743 }
744 
745 /** reply with ACCEPT control frame to bidirectional client,
746  * returns 0 on error */
747 static int reply_with_accept(struct tap_data* data)
748 {
749 #ifdef USE_DNSTAP
750 	/* len includes the escape and framelength */
751 	int r;
752 	size_t len = 0;
753 	void* acceptframe = fstrm_create_control_frame_accept(
754 		DNSTAP_CONTENT_TYPE, &len);
755 	if(!acceptframe) {
756 		log_err("out of memory");
757 		return 0;
758 	}
759 
760 	fd_set_block(data->fd);
761 	if(data->ssl) {
762 		if((r=SSL_write(data->ssl, acceptframe, len)) <= 0) {
763 			if(SSL_get_error(data->ssl, r) == SSL_ERROR_ZERO_RETURN)
764 				log_err("SSL_write, peer closed connection");
765 			else
766 				log_err("could not SSL_write");
767 			fd_set_nonblock(data->fd);
768 			free(acceptframe);
769 			return 0;
770 		}
771 	} else {
772 		if(send(data->fd, acceptframe, len, 0) == -1) {
773 			log_err("send failed: %s", sock_strerror(errno));
774 			fd_set_nonblock(data->fd);
775 			free(acceptframe);
776 			return 0;
777 		}
778 	}
779 	if(verbosity) log_info("sent control frame(accept) content-type:(%s)",
780 			DNSTAP_CONTENT_TYPE);
781 
782 	fd_set_nonblock(data->fd);
783 	free(acceptframe);
784 	return 1;
785 #else
786 	log_err("no dnstap compiled, no reply");
787 	(void)data;
788 	return 0;
789 #endif
790 }
791 
792 /** reply with FINISH control frame to bidirectional client,
793  * returns 0 on error */
794 static int reply_with_finish(struct tap_data* data)
795 {
796 #ifdef USE_DNSTAP
797 	size_t len = 0;
798 	void* finishframe = fstrm_create_control_frame_finish(&len);
799 	if(!finishframe) {
800 		log_err("out of memory");
801 		return 0;
802 	}
803 
804 	fd_set_block(data->fd);
805 	if(data->ssl) {
806 		int r;
807 		if((r=SSL_write(data->ssl, finishframe, len)) <= 0) {
808 			if(SSL_get_error(data->ssl, r) == SSL_ERROR_ZERO_RETURN)
809 				log_err("SSL_write, peer closed connection");
810 			else
811 				log_err("could not SSL_write");
812 			fd_set_nonblock(data->fd);
813 			free(finishframe);
814 			return 0;
815 		}
816 	} else {
817 		if(send(data->fd, finishframe, len, 0) == -1) {
818 			log_err("send failed: %s", sock_strerror(errno));
819 			fd_set_nonblock(data->fd);
820 			free(finishframe);
821 			return 0;
822 		}
823 	}
824 	if(verbosity) log_info("sent control frame(finish)");
825 
826 	fd_set_nonblock(data->fd);
827 	free(finishframe);
828 	return 1;
829 #else
830 	log_err("no dnstap compiled, no reply");
831 	(void)data;
832 	return 0;
833 #endif
834 }
835 
836 #ifdef HAVE_SSL
837 /** check SSL peer certificate, return 0 on fail */
838 static int tap_check_peer(struct tap_data* data)
839 {
840 	if((SSL_get_verify_mode(data->ssl)&SSL_VERIFY_PEER)) {
841 		/* verification */
842 		if(SSL_get_verify_result(data->ssl) == X509_V_OK) {
843 			X509* x = SSL_get_peer_certificate(data->ssl);
844 			if(!x) {
845 				if(verbosity) log_info("SSL connection %s"
846 					" failed no certificate", data->id);
847 				return 0;
848 			}
849 			if(verbosity)
850 				log_cert(VERB_ALGO, "peer certificate", x);
851 #ifdef HAVE_SSL_GET0_PEERNAME
852 			if(SSL_get0_peername(data->ssl)) {
853 				if(verbosity) log_info("SSL connection %s "
854 					"to %s authenticated", data->id,
855 					SSL_get0_peername(data->ssl));
856 			} else {
857 #endif
858 				if(verbosity) log_info("SSL connection %s "
859 					"authenticated", data->id);
860 #ifdef HAVE_SSL_GET0_PEERNAME
861 			}
862 #endif
863 			X509_free(x);
864 		} else {
865 			X509* x = SSL_get_peer_certificate(data->ssl);
866 			if(x) {
867 				if(verbosity)
868 					log_cert(VERB_ALGO, "peer certificate", x);
869 				X509_free(x);
870 			}
871 			if(verbosity) log_info("SSL connection %s failed: "
872 				"failed to authenticate", data->id);
873 			return 0;
874 		}
875 	} else {
876 		/* unauthenticated, the verify peer flag was not set
877 		 * in ssl when the ssl object was created from ssl_ctx */
878 		if(verbosity) log_info("SSL connection %s", data->id);
879 	}
880 	return 1;
881 }
882 #endif /* HAVE_SSL */
883 
884 #ifdef HAVE_SSL
885 /** perform SSL handshake, return 0 to wait for events, 1 if done */
886 static int tap_handshake(struct tap_data* data)
887 {
888 	int r;
889 	if(data->ssl_brief_write) {
890 		/* write condition has been satisfied, back to reading */
891 		tap_disable_brief_write(data);
892 	}
893 	if(data->ssl_handshake_done)
894 		return 1;
895 
896 	ERR_clear_error();
897 	r = SSL_do_handshake(data->ssl);
898 	if(r != 1) {
899 		int want = SSL_get_error(data->ssl, r);
900 		if(want == SSL_ERROR_WANT_READ) {
901 			return 0;
902 		} else if(want == SSL_ERROR_WANT_WRITE) {
903 			tap_enable_brief_write(data);
904 			return 0;
905 		} else if(r == 0) {
906 			/* closed */
907 			tap_data_free(data);
908 			return 0;
909 		} else if(want == SSL_ERROR_SYSCALL) {
910 			/* SYSCALL and errno==0 means closed uncleanly */
911 			int silent = 0;
912 #ifdef EPIPE
913 			if(errno == EPIPE && verbosity < 2)
914 				silent = 1; /* silence 'broken pipe' */
915 #endif
916 #ifdef ECONNRESET
917 			if(errno == ECONNRESET && verbosity < 2)
918 				silent = 1; /* silence reset by peer */
919 #endif
920 			if(errno == 0)
921 				silent = 1;
922 			if(!silent)
923 				log_err("SSL_handshake syscall: %s",
924 					strerror(errno));
925 			tap_data_free(data);
926 			return 0;
927 		} else {
928 			unsigned long err = ERR_get_error();
929 			if(!squelch_err_ssl_handshake(err)) {
930 				log_crypto_err_code("ssl handshake failed",
931 					err);
932 				verbose(VERB_OPS, "ssl handshake failed "
933 					"from %s", data->id);
934 			}
935 			tap_data_free(data);
936 			return 0;
937 		}
938 	}
939 	/* check peer verification */
940 	data->ssl_handshake_done = 1;
941 	if(!tap_check_peer(data)) {
942 		/* closed */
943 		tap_data_free(data);
944 		return 0;
945 	}
946 	return 1;
947 }
948 #endif /* HAVE_SSL */
949 
950 /** callback for dnstap listener */
951 void dtio_tap_callback(int ATTR_UNUSED(fd), short ATTR_UNUSED(bits), void* arg)
952 {
953 	struct tap_data* data = (struct tap_data*)arg;
954 	if(verbosity>=3) log_info("tap callback");
955 #ifdef HAVE_SSL
956 	if(data->ssl && (!data->ssl_handshake_done ||
957 		data->ssl_brief_write)) {
958 		if(!tap_handshake(data))
959 			return;
960 	}
961 #endif
962 	while(data->len_done < 4) {
963 		uint32_t l = (uint32_t)data->len;
964 		ssize_t ret = tap_receive(data,
965 			((uint8_t*)&l)+data->len_done, 4-data->len_done);
966 		if(verbosity>=4) log_info("s recv %d", (int)ret);
967 		if(ret == 0) {
968 			/* closed or error */
969 			tap_data_free(data);
970 			return;
971 		} else if(ret == -1) {
972 			/* continue later */
973 			return;
974 		}
975 		data->len_done += ret;
976 		data->len = (size_t)l;
977 		if(data->len_done < 4)
978 			return; /* continue later */
979 		data->len = (size_t)(ntohl(l));
980 		if(verbosity>=3) log_info("length is %d", (int)data->len);
981 		if(data->len == 0) {
982 			/* it is a control frame */
983 			data->control_frame = 1;
984 			/* read controlframelen */
985 			data->len_done = 0;
986 		} else {
987 			/* allocate frame size */
988 			data->frame = calloc(1, data->len);
989 			if(!data->frame) {
990 				log_err("out of memory");
991 				tap_data_free(data);
992 				return;
993 			}
994 		}
995 	}
996 
997 	/* we want to read the full length now */
998 	if(data->data_done < data->len) {
999 		ssize_t r = tap_receive(data, data->frame + data->data_done,
1000 			data->len - data->data_done);
1001 		if(verbosity>=4) log_info("f recv %d", (int)r);
1002 		if(r == 0) {
1003 			/* closed or error */
1004 			tap_data_free(data);
1005 			return;
1006 		} else if(r == -1) {
1007 			/* continue later */
1008 			return;
1009 		}
1010 		data->data_done += r;
1011 		if(data->data_done < data->len)
1012 			return; /* continue later */
1013 	}
1014 
1015 	/* we are done with a frame */
1016 	if(verbosity>=3) log_info("received %sframe len %d",
1017 		(data->control_frame?"control ":""), (int)data->len);
1018 #ifdef USE_DNSTAP
1019 	if(data->control_frame)
1020 		log_control_frame(data->frame, data->len);
1021 	else	log_data_frame(data->frame, data->len);
1022 #endif
1023 
1024 	if(data->len >= 4 && sldns_read_uint32(data->frame) ==
1025 		FSTRM_CONTROL_FRAME_READY) {
1026 		data->is_bidirectional = 1;
1027 		if(verbosity) log_info("bidirectional stream");
1028 		if(!reply_with_accept(data)) {
1029 			tap_data_free(data);
1030 			return;
1031 		}
1032 	} else if(data->len >= 4 && sldns_read_uint32(data->frame) ==
1033 		FSTRM_CONTROL_FRAME_STOP && data->is_bidirectional) {
1034 		if(!reply_with_finish(data)) {
1035 			tap_data_free(data);
1036 			return;
1037 		}
1038 	}
1039 
1040 	/* prepare for next frame */
1041 	free(data->frame);
1042 	data->frame = NULL;
1043 	data->control_frame = 0;
1044 	data->len = 0;
1045 	data->len_done = 0;
1046 	data->data_done = 0;
1047 
1048 }
1049 
1050 /** callback for main listening file descriptor */
1051 void dtio_mainfdcallback(int fd, short ATTR_UNUSED(bits), void* arg)
1052 {
1053 	struct tap_socket* tap_sock = (struct tap_socket*)arg;
1054 	struct main_tap_data* maindata = (struct main_tap_data*)
1055 		tap_sock->data;
1056 	struct tap_data* data;
1057 	char* id = NULL;
1058 	struct sockaddr_storage addr;
1059 	socklen_t addrlen = (socklen_t)sizeof(addr);
1060 	int s = accept(fd, (struct sockaddr*)&addr, &addrlen);
1061 	if(s == -1) {
1062 #ifndef USE_WINSOCK
1063 		/* EINTR is signal interrupt. others are closed connection. */
1064 		if(     errno == EINTR || errno == EAGAIN
1065 #ifdef EWOULDBLOCK
1066 			|| errno == EWOULDBLOCK
1067 #endif
1068 #ifdef ECONNABORTED
1069 			|| errno == ECONNABORTED
1070 #endif
1071 #ifdef EPROTO
1072 			|| errno == EPROTO
1073 #endif /* EPROTO */
1074 			)
1075 			return;
1076 #else /* USE_WINSOCK */
1077 		if(WSAGetLastError() == WSAEINPROGRESS ||
1078 			WSAGetLastError() == WSAECONNRESET)
1079 			return;
1080 		if(WSAGetLastError() == WSAEWOULDBLOCK) {
1081 			ub_winsock_tcp_wouldblock(maindata->ev, UB_EV_READ);
1082 			return;
1083 		}
1084 #endif
1085 		log_err_addr("accept failed", sock_strerror(errno), &addr,
1086 			addrlen);
1087 		return;
1088 	}
1089 	fd_set_nonblock(s);
1090 	if(verbosity) {
1091 		if(addr.ss_family == AF_LOCAL) {
1092 #ifdef HAVE_SYS_UN_H
1093 			struct sockaddr_un* usock = calloc(1, sizeof(struct sockaddr_un) + 1);
1094 			if(usock) {
1095 				socklen_t ulen = sizeof(struct sockaddr_un);
1096 				if(getsockname(fd, (struct sockaddr*)usock, &ulen) != -1) {
1097 					log_info("accepted new dnstap client from %s", usock->sun_path);
1098 					id = strdup(usock->sun_path);
1099 				} else {
1100 					log_info("accepted new dnstap client");
1101 				}
1102 				free(usock);
1103 			} else {
1104 				log_info("accepted new dnstap client");
1105 			}
1106 #endif /* HAVE_SYS_UN_H */
1107 		} else if(addr.ss_family == AF_INET ||
1108 			addr.ss_family == AF_INET6) {
1109 			char ip[256];
1110 			addr_to_str(&addr, addrlen, ip, sizeof(ip));
1111 			log_info("accepted new dnstap client from %s", ip);
1112 			id = strdup(ip);
1113 		} else {
1114 			log_info("accepted new dnstap client");
1115 		}
1116 	}
1117 
1118 	data = calloc(1, sizeof(*data));
1119 	if(!data) fatal_exit("out of memory");
1120 	data->fd = s;
1121 	data->id = id;
1122 	if(tap_sock->sslctx) {
1123 		data->ssl = incoming_ssl_fd(tap_sock->sslctx, data->fd);
1124 		if(!data->ssl) fatal_exit("could not SSL_new");
1125 	}
1126 	data->ev = ub_event_new(maindata->base, s, UB_EV_READ | UB_EV_PERSIST,
1127 		&dtio_tap_callback, data);
1128 	if(!data->ev) fatal_exit("could not ub_event_new");
1129 	if(ub_event_add(data->ev, NULL) != 0) fatal_exit("could not ub_event_add");
1130 }
1131 
1132 /** setup local accept sockets */
1133 static void setup_local_list(struct main_tap_data* maindata,
1134 	struct config_strlist_head* local_list)
1135 {
1136 	struct config_strlist* item;
1137 	for(item = local_list->first; item; item = item->next) {
1138 		struct tap_socket* s;
1139 		s = tap_socket_new_local(item->str, &dtio_mainfdcallback,
1140 			maindata);
1141 		if(!s) fatal_exit("out of memory");
1142 		if(!tap_socket_list_insert(&maindata->acceptlist, s))
1143 			fatal_exit("out of memory");
1144 	}
1145 }
1146 
1147 /** setup tcp accept sockets */
1148 static void setup_tcp_list(struct main_tap_data* maindata,
1149 	struct config_strlist_head* tcp_list)
1150 {
1151 	struct config_strlist* item;
1152 	for(item = tcp_list->first; item; item = item->next) {
1153 		struct tap_socket* s;
1154 		s = tap_socket_new_tcpaccept(item->str, &dtio_mainfdcallback,
1155 			maindata);
1156 		if(!s) fatal_exit("out of memory");
1157 		if(!tap_socket_list_insert(&maindata->acceptlist, s))
1158 			fatal_exit("out of memory");
1159 	}
1160 }
1161 
1162 /** setup tls accept sockets */
1163 static void setup_tls_list(struct main_tap_data* maindata,
1164 	struct config_strlist_head* tls_list, char* server_key,
1165 	char* server_cert, char* verifypem)
1166 {
1167 	struct config_strlist* item;
1168 	for(item = tls_list->first; item; item = item->next) {
1169 		struct tap_socket* s;
1170 		s = tap_socket_new_tlsaccept(item->str, &dtio_mainfdcallback,
1171 			maindata, server_key, server_cert, verifypem);
1172 		if(!s) fatal_exit("out of memory");
1173 		if(!tap_socket_list_insert(&maindata->acceptlist, s))
1174 			fatal_exit("out of memory");
1175 	}
1176 }
1177 
1178 /** signal variable */
1179 static struct ub_event_base* sig_base = NULL;
1180 /** do we have to quit */
1181 int sig_quit = 0;
1182 /** signal handler for user quit */
1183 static RETSIGTYPE main_sigh(int sig)
1184 {
1185 	if(!sig_quit) {
1186 		char str[] = "exit on signal   \n";
1187 		str[15] = '0' + (sig/10)%10;
1188 		str[16] = '0' + sig%10;
1189 		/* simple cast to void will not silence Wunused-result */
1190 		(void)!write(STDERR_FILENO, str, strlen(str));
1191 	}
1192 	if(sig_base) {
1193 		ub_event_base_loopexit(sig_base);
1194 		sig_base = NULL;
1195 	}
1196 	sig_quit = 1;
1197 }
1198 
1199 /** setup and run the server to listen to DNSTAP messages */
1200 static void
1201 setup_and_run(struct config_strlist_head* local_list,
1202 	struct config_strlist_head* tcp_list,
1203 	struct config_strlist_head* tls_list, char* server_key,
1204 	char* server_cert, char* verifypem)
1205 {
1206 	time_t secs = 0;
1207 	struct timeval now;
1208 	struct main_tap_data* maindata;
1209 	struct ub_event_base* base;
1210 	const char *evnm="event", *evsys="", *evmethod="";
1211 
1212 	maindata = calloc(1, sizeof(*maindata));
1213 	if(!maindata) fatal_exit("out of memory");
1214 	memset(&now, 0, sizeof(now));
1215 	base = ub_default_event_base(1, &secs, &now);
1216 	if(!base) fatal_exit("could not create ub_event base");
1217 	maindata->base = base;
1218 	sig_base = base;
1219 	if(sig_quit) {
1220 		ub_event_base_free(base);
1221 		free(maindata);
1222 		return;
1223 	}
1224 	ub_get_event_sys(base, &evnm, &evsys, &evmethod);
1225 	if(verbosity) log_info("%s %s uses %s method", evnm, evsys, evmethod);
1226 
1227 	setup_local_list(maindata, local_list);
1228 	setup_tcp_list(maindata, tcp_list);
1229 	setup_tls_list(maindata, tls_list, server_key, server_cert,
1230 		verifypem);
1231 	if(!tap_socket_list_addevs(maindata->acceptlist, base))
1232 		fatal_exit("could not setup accept events");
1233 	if(verbosity) log_info("start of service");
1234 
1235 	ub_event_base_dispatch(base);
1236 	sig_base = NULL;
1237 
1238 	if(verbosity) log_info("end of service");
1239 	tap_socket_list_delete(maindata->acceptlist);
1240 	ub_event_base_free(base);
1241 	free(maindata);
1242 }
1243 
1244 /** getopt global, in case header files fail to declare it. */
1245 extern int optind;
1246 /** getopt global, in case header files fail to declare it. */
1247 extern char* optarg;
1248 
1249 /** main program for streamtcp */
1250 int main(int argc, char** argv)
1251 {
1252 	int c;
1253 	int usessl = 0;
1254 	struct config_strlist_head local_list;
1255 	struct config_strlist_head tcp_list;
1256 	struct config_strlist_head tls_list;
1257 	char* server_key = NULL, *server_cert = NULL, *verifypem = NULL;
1258 #ifdef USE_WINSOCK
1259 	WSADATA wsa_data;
1260 	if(WSAStartup(MAKEWORD(2,2), &wsa_data) != 0) {
1261 		printf("WSAStartup failed\n");
1262 		return 1;
1263 	}
1264 #endif
1265 	if(signal(SIGINT, main_sigh) == SIG_ERR ||
1266 #ifdef SIGQUIT
1267 		signal(SIGQUIT, main_sigh) == SIG_ERR ||
1268 #endif
1269 #ifdef SIGHUP
1270 		signal(SIGHUP, main_sigh) == SIG_ERR ||
1271 #endif
1272 #ifdef SIGBREAK
1273 		signal(SIGBREAK, main_sigh) == SIG_ERR ||
1274 #endif
1275 		signal(SIGTERM, main_sigh) == SIG_ERR)
1276 		fatal_exit("could not bind to signal");
1277 	memset(&local_list, 0, sizeof(local_list));
1278 	memset(&tcp_list, 0, sizeof(tcp_list));
1279 	memset(&tls_list, 0, sizeof(tls_list));
1280 
1281 	/* lock debug start (if any) */
1282 	checklock_start();
1283 	log_ident_set("unbound-dnstap-socket");
1284 	log_init(0, 0, 0);
1285 
1286 #ifdef SIGPIPE
1287 	if(signal(SIGPIPE, SIG_IGN) == SIG_ERR) {
1288 		perror("could not install signal handler for SIGPIPE");
1289 		return 1;
1290 	}
1291 #endif
1292 
1293 	/* command line options */
1294 	while( (c=getopt(argc, argv, "hls:t:u:vx:y:z:")) != -1) {
1295 		switch(c) {
1296 			case 'u':
1297 				if(!cfg_strlist_append(&local_list,
1298 					strdup(optarg)))
1299 					fatal_exit("out of memory");
1300 				break;
1301 			case 's':
1302 				if(!cfg_strlist_append(&tcp_list,
1303 					strdup(optarg)))
1304 					fatal_exit("out of memory");
1305 				break;
1306 			case 't':
1307 				if(!cfg_strlist_append(&tls_list,
1308 					strdup(optarg)))
1309 					fatal_exit("out of memory");
1310 				usessl = 1;
1311 				break;
1312 			case 'x':
1313 				server_key = optarg;
1314 				usessl = 1;
1315 				break;
1316 			case 'y':
1317 				server_cert = optarg;
1318 				usessl = 1;
1319 				break;
1320 			case 'z':
1321 				verifypem = optarg;
1322 				usessl = 1;
1323 				break;
1324 			case 'l':
1325 				longformat = 1;
1326 				break;
1327 			case 'v':
1328 				verbosity++;
1329 				break;
1330 			case 'h':
1331 			case '?':
1332 			default:
1333 				usage(argv);
1334 		}
1335 	}
1336 	argc -= optind;
1337 	argv += optind;
1338 
1339 	if(usessl) {
1340 #ifdef HAVE_SSL
1341 #if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_SSL)
1342 		ERR_load_SSL_strings();
1343 #endif
1344 #if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_CRYPTO)
1345 #  ifndef S_SPLINT_S
1346 		OpenSSL_add_all_algorithms();
1347 #  endif
1348 #else
1349 		OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS
1350 			| OPENSSL_INIT_ADD_ALL_DIGESTS
1351 			| OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
1352 #endif
1353 #if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_SSL)
1354 		(void)SSL_library_init();
1355 #else
1356 		(void)OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL);
1357 #endif
1358 #endif /* HAVE_SSL */
1359 	}
1360 	setup_and_run(&local_list, &tcp_list, &tls_list, server_key,
1361 		server_cert, verifypem);
1362 	config_delstrlist(local_list.first);
1363 	config_delstrlist(tcp_list.first);
1364 	config_delstrlist(tls_list.first);
1365 
1366 	checklock_stop();
1367 #ifdef USE_WINSOCK
1368 	WSACleanup();
1369 #endif
1370 	return 0;
1371 }
1372 
1373 /***--- definitions to make fptr_wlist work. ---***/
1374 /* These are callbacks, similar to smallapp callbacks, except the debug
1375  * tool callbacks are not in it */
1376 struct tube;
1377 struct query_info;
1378 #include "util/data/packed_rrset.h"
1379 #include "daemon/worker.h"
1380 #include "daemon/remote.h"
1381 #include "util/fptr_wlist.h"
1382 #include "libunbound/context.h"
1383 
1384 void worker_handle_control_cmd(struct tube* ATTR_UNUSED(tube),
1385 	uint8_t* ATTR_UNUSED(buffer), size_t ATTR_UNUSED(len),
1386 	int ATTR_UNUSED(error), void* ATTR_UNUSED(arg))
1387 {
1388 	log_assert(0);
1389 }
1390 
1391 int worker_handle_request(struct comm_point* ATTR_UNUSED(c),
1392 	void* ATTR_UNUSED(arg), int ATTR_UNUSED(error),
1393         struct comm_reply* ATTR_UNUSED(repinfo))
1394 {
1395 	log_assert(0);
1396 	return 0;
1397 }
1398 
1399 int worker_handle_service_reply(struct comm_point* ATTR_UNUSED(c),
1400 	void* ATTR_UNUSED(arg), int ATTR_UNUSED(error),
1401         struct comm_reply* ATTR_UNUSED(reply_info))
1402 {
1403 	log_assert(0);
1404 	return 0;
1405 }
1406 
1407 int remote_accept_callback(struct comm_point* ATTR_UNUSED(c),
1408 	void* ATTR_UNUSED(arg), int ATTR_UNUSED(error),
1409         struct comm_reply* ATTR_UNUSED(repinfo))
1410 {
1411 	log_assert(0);
1412 	return 0;
1413 }
1414 
1415 int remote_control_callback(struct comm_point* ATTR_UNUSED(c),
1416 	void* ATTR_UNUSED(arg), int ATTR_UNUSED(error),
1417         struct comm_reply* ATTR_UNUSED(repinfo))
1418 {
1419 	log_assert(0);
1420 	return 0;
1421 }
1422 
1423 void worker_sighandler(int ATTR_UNUSED(sig), void* ATTR_UNUSED(arg))
1424 {
1425 	log_assert(0);
1426 }
1427 
1428 struct outbound_entry* worker_send_query(
1429 	struct query_info* ATTR_UNUSED(qinfo), uint16_t ATTR_UNUSED(flags),
1430 	int ATTR_UNUSED(dnssec), int ATTR_UNUSED(want_dnssec),
1431 	int ATTR_UNUSED(nocaps), int ATTR_UNUSED(check_ratelimit),
1432 	struct sockaddr_storage* ATTR_UNUSED(addr),
1433 	socklen_t ATTR_UNUSED(addrlen), uint8_t* ATTR_UNUSED(zone),
1434 	size_t ATTR_UNUSED(zonelen), int ATTR_UNUSED(tcp_upstream),
1435 	int ATTR_UNUSED(ssl_upstream), char* ATTR_UNUSED(tls_auth_name),
1436 	struct module_qstate* ATTR_UNUSED(q), int* ATTR_UNUSED(was_ratelimited))
1437 {
1438 	log_assert(0);
1439 	return 0;
1440 }
1441 
1442 #ifdef UB_ON_WINDOWS
1443 void
1444 worker_win_stop_cb(int ATTR_UNUSED(fd), short ATTR_UNUSED(ev), void*
1445 	ATTR_UNUSED(arg)) {
1446 	log_assert(0);
1447 }
1448 
1449 void
1450 wsvc_cron_cb(void* ATTR_UNUSED(arg))
1451 {
1452 	log_assert(0);
1453 }
1454 #endif /* UB_ON_WINDOWS */
1455 
1456 void
1457 worker_alloc_cleanup(void* ATTR_UNUSED(arg))
1458 {
1459 	log_assert(0);
1460 }
1461 
1462 struct outbound_entry* libworker_send_query(
1463 	struct query_info* ATTR_UNUSED(qinfo), uint16_t ATTR_UNUSED(flags),
1464 	int ATTR_UNUSED(dnssec), int ATTR_UNUSED(want_dnssec),
1465 	int ATTR_UNUSED(nocaps), int ATTR_UNUSED(check_ratelimit),
1466 	struct sockaddr_storage* ATTR_UNUSED(addr),
1467 	socklen_t ATTR_UNUSED(addrlen), uint8_t* ATTR_UNUSED(zone),
1468 	size_t ATTR_UNUSED(zonelen), int ATTR_UNUSED(tcp_upstream),
1469 	int ATTR_UNUSED(ssl_upstream), char* ATTR_UNUSED(tls_auth_name),
1470 	struct module_qstate* ATTR_UNUSED(q), int* ATTR_UNUSED(was_ratelimited))
1471 {
1472 	log_assert(0);
1473 	return 0;
1474 }
1475 
1476 int libworker_handle_service_reply(struct comm_point* ATTR_UNUSED(c),
1477 	void* ATTR_UNUSED(arg), int ATTR_UNUSED(error),
1478         struct comm_reply* ATTR_UNUSED(reply_info))
1479 {
1480 	log_assert(0);
1481 	return 0;
1482 }
1483 
1484 void libworker_handle_control_cmd(struct tube* ATTR_UNUSED(tube),
1485         uint8_t* ATTR_UNUSED(buffer), size_t ATTR_UNUSED(len),
1486         int ATTR_UNUSED(error), void* ATTR_UNUSED(arg))
1487 {
1488         log_assert(0);
1489 }
1490 
1491 void libworker_fg_done_cb(void* ATTR_UNUSED(arg), int ATTR_UNUSED(rcode),
1492 	struct sldns_buffer* ATTR_UNUSED(buf), enum sec_status ATTR_UNUSED(s),
1493 	char* ATTR_UNUSED(why_bogus), int ATTR_UNUSED(was_ratelimited))
1494 {
1495 	log_assert(0);
1496 }
1497 
1498 void libworker_bg_done_cb(void* ATTR_UNUSED(arg), int ATTR_UNUSED(rcode),
1499 	struct sldns_buffer* ATTR_UNUSED(buf), enum sec_status ATTR_UNUSED(s),
1500 	char* ATTR_UNUSED(why_bogus), int ATTR_UNUSED(was_ratelimited))
1501 {
1502 	log_assert(0);
1503 }
1504 
1505 void libworker_event_done_cb(void* ATTR_UNUSED(arg), int ATTR_UNUSED(rcode),
1506 	struct sldns_buffer* ATTR_UNUSED(buf), enum sec_status ATTR_UNUSED(s),
1507 	char* ATTR_UNUSED(why_bogus), int ATTR_UNUSED(was_ratelimited))
1508 {
1509 	log_assert(0);
1510 }
1511 
1512 int context_query_cmp(const void* ATTR_UNUSED(a), const void* ATTR_UNUSED(b))
1513 {
1514 	log_assert(0);
1515 	return 0;
1516 }
1517 
1518 void worker_stat_timer_cb(void* ATTR_UNUSED(arg))
1519 {
1520 	log_assert(0);
1521 }
1522 
1523 void worker_probe_timer_cb(void* ATTR_UNUSED(arg))
1524 {
1525 	log_assert(0);
1526 }
1527 
1528 void worker_start_accept(void* ATTR_UNUSED(arg))
1529 {
1530 	log_assert(0);
1531 }
1532 
1533 void worker_stop_accept(void* ATTR_UNUSED(arg))
1534 {
1535 	log_assert(0);
1536 }
1537 
1538 /** keep track of lock id in lock-verify application */
1539 struct order_id {
1540         /** the thread id that created it */
1541         int thr;
1542         /** the instance number of creation */
1543         int instance;
1544 };
1545 
1546 int order_lock_cmp(const void* e1, const void* e2)
1547 {
1548         const struct order_id* o1 = e1;
1549         const struct order_id* o2 = e2;
1550         if(o1->thr < o2->thr) return -1;
1551         if(o1->thr > o2->thr) return 1;
1552         if(o1->instance < o2->instance) return -1;
1553         if(o1->instance > o2->instance) return 1;
1554         return 0;
1555 }
1556 
1557 int
1558 codeline_cmp(const void* a, const void* b)
1559 {
1560         return strcmp(a, b);
1561 }
1562 
1563 int replay_var_compare(const void* ATTR_UNUSED(a), const void* ATTR_UNUSED(b))
1564 {
1565         log_assert(0);
1566         return 0;
1567 }
1568 
1569 void remote_get_opt_ssl(char* ATTR_UNUSED(str), void* ATTR_UNUSED(arg))
1570 {
1571         log_assert(0);
1572 }
1573