[Swan-dev] blocking DNS lookups in code

Paul Wouters paul at nohats.ca
Thu Mar 9 16:03:13 UTC 2017

I did an inventory of blocking DNS calls in our code to determine what
the dangers are for our pluto daemon to hang too long (and not have
DNSSEC support).

getaddrinfo is only called in our BSD code: ./lib/libbsdpfkey/policy_parse.y
so I'm ignoring that.

gethostbyname() and gethostbyname2() are only called in tryname().
tryname() is only called in ttoaddr().

There are two versions of ttoaddr() that do not do DNS, ttoaddr_num()
and tnatoaddr().

ttoaddr() is called in:

lib/libswan/ttosubnet.c    converted to ttoaddr_num()
lib/libswan/ttosa.c        converted to ttoaddr_num()
lib/libswan/unbound.c      ifdef'ed code for non-unbound DNS lookups.  Required.
lib/libswan/rangetosubnet.c  only used when compiled as test program with main
lib/libswan/id.c           atoid() is a real call using it!! somewhat dubiously
lib/libswan/iprange.c   only used when compiled as test program with main
lib/libswan/ttorange.c     converted to ttoaddr_num()
lib/libswan/ttoaddr.c    the implementation itself.
lib/libipsecconf/confread.c   validate_end() with real call to ttoaddr()
     validate_end() called by load_conn() called by confread_load() (see below)
programs/whack/whack.c    not pluto, so okayish to block
programs/spigrp/spigrp.c   not pluto, could be converted but leaving
programs/spi/spi.c      not pluto, could be converted but leaving
programs/addconn/addconn.c  not pluto, known and acceptable use
programs/showhostkey/showhostkey.c   not pluto, known and acceptable use
programs/pluto/kernel_klips.c   listen= arg - converted because also rewhacked
programs/pluto/initiate.c   connection_check_ddns1  could become event/continue
programs/pluto/rcv_whack.c   whack_initiate could become event/continue
programs/pluto/connections.c  update_host_pairs() dyndns support must do dns,
                                extract_end() called by add_connection() could
                                 become event/continue for non-whack calls,
                                 whack call could do (does!) resolving already
programs/pluto/sysdep_linux.c converted
programs/pluto/kernel_netlink.c converted, is listen= arg
programs/pluto/kernel_mast.c converted, is listen= arg
programs/pluto/sysdep_cygwin.c converted, is listen= arg
programs/pluto/foodgroups.c   support for names in food groups??? Seems
                               dangerous, since never refreshed. converted
programs/pluto/plutomain.c   listen= arg, converted

confread_load() called in:
./programs/addconn/addconn.c    not pluto, so okayish
./programs/readwriteconf/readwriteconf.c   test program only
./programs/pluto/plutomain.c   only called on startup in main() so okay

atoid(): used to fill in id->ip_addr from host name, used in build_id_payload()

defined in lib/libswan/id.c, used in:
./programs/pluto/rcv_whack.c      safeish to block
./programs/pluto/connections.c    extract_end(), safeish
./programs/pluto/myid.c           probably does not need it - only runs on startup

So I don't expect too many problems from these days, but some of the ones left
are not friendly for being converted to an event/continuation DNS.
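As an added illustration (not libreswan code, and not the project's ttoaddr_num()), this is a numeric-only address parser of the kind the conversions above rely on: getaddrinfo() with AI_NUMERICHOST accepts only literal IPv4/IPv6 addresses and refuses anything that would need the resolver, so a daemon calling it can never block on DNS. The names parse_addr_numeric and numeric_family are chosen here.

```c
#include <netdb.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <stdio.h>

/* Parse a textual IP literal without ever reaching the resolver.
 * AI_NUMERICHOST makes getaddrinfo() return an EAI_* error (EAI_NONAME
 * on glibc) for anything that is not a literal address, so no DNS query
 * is ever sent and the call cannot hang a daemon.
 * Returns 0 on success (address copied to *out), else the EAI_* code. */
int parse_addr_numeric(const char *text, struct sockaddr_storage *out,
                       socklen_t *outlen)
{
    struct addrinfo hints;
    struct addrinfo *res = NULL;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;      /* accept both IPv4 and IPv6 literals */
    hints.ai_socktype = SOCK_DGRAM;   /* one result per address is enough */
    hints.ai_flags = AI_NUMERICHOST;  /* the whole point: literals only */

    int rc = getaddrinfo(text, NULL, &hints, &res);
    if (rc != 0)
        return rc;                    /* hostname or garbage: refused, no lookup */

    memcpy(out, res->ai_addr, res->ai_addrlen);
    *outlen = res->ai_addrlen;
    freeaddrinfo(res);
    return 0;
}

/* Convenience: address family of an accepted literal, AF_UNSPEC if refused. */
int numeric_family(const char *text)
{
    struct sockaddr_storage ss;
    socklen_t len = 0;

    if (parse_addr_numeric(text, &ss, &len) != 0)
        return AF_UNSPEC;
    return ss.ss_family;
}

int main(void)
{
    /* Constructed sample inputs: two literals and one name that would block. */
    const char *samples[] = { "192.0.2.1", "2001:db8::1", "vpn.example.com" };
    for (int i = 0; i < 3; i++)
        printf("%-16s -> family %d\n", samples[i], numeric_family(samples[i]));
    return 0;
}
```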
