openvpn3/macdns_8hpp_source.html

//    OpenVPN -- An application to securely tunnel IP networks

//               over a single port, with support for SSL/TLS-based

//               session authentication and key exchange,

//               packet encryption, packet authentication, and

//               packet compression.

//

//    Copyright (C) 2012- OpenVPN Inc.

//

//    SPDX-License-Identifier: MPL-2.0 OR AGPL-3.0-only WITH openvpn3-openssl-exception

//


// DNS utilities for Mac OS X.


#ifndef OPENVPN_TUN_MAC_MACDNS_H

#define OPENVPN_TUN_MAC_MACDNS_H


#include <string>

#include <sstream>

#include <memory>

#include <algorithm>


#include <openvpn/common/size.hpp>

#include <openvpn/common/exception.hpp>

#include <openvpn/common/string.hpp>

#include <openvpn/common/process.hpp>

#include <openvpn/apple/macver.hpp>

#include <openvpn/apple/scdynstore.hpp>

#include <openvpn/apple/cf/cfhelper.hpp>

#include <openvpn/tun/builder/capture.hpp>

#include <openvpn/tun/mac/dsdict.hpp>


namespace openvpn {


class MacDNS : public RC<thread_unsafe_refcount>

{

    class Info;


  public:

    typedef RCPtr<MacDNS> Ptr;


    OPENVPN_EXCEPTION(macdns_error);


    class Config : public RC<thread_safe_refcount>

    {

      public:

        typedef RCPtr<Config> Ptr;


        Config() = default;


        Config(const TunBuilderCapture &settings)

        {

            for (const auto &[priority, server] : settings.dns_options.servers)

            {

                bool dnssec = server.dnssec == DnsServer::Security::Yes;

                bool secure_transport = server.transport == DnsServer::Transport::HTTPS

                                        || server.transport == DnsServer::Transport::TLS;

                bool custom_port = std::any_of(server.addresses.begin(),

                                               server.addresses.end(),

                                               [&](const DnsAddress &a)

                                               { return a.port != 0 && a.port != 53; });

                if (dnssec || secure_transport || custom_port)

                {

                    continue; // unsupported, try next server

                }


                server_addresses = get_server_addresses(server);

                resolve_domains = get_resolve_domains(server);

                break;

            }


            if (!settings.dns_options.servers.empty() && !CF::array_len(server_addresses))

            {

                throw macdns_error("no applicable DNS server config found");

            }


            search_domains = get_search_domains(settings);


            if (!settings.dns_options.from_dhcp_options)

            {

                // With --dns options we redirect when there are no split domains

                redirect_dns = !CF::array_len(resolve_domains);

            }

            else

            {

                // We redirect DNS if either of the following is true:

                // 1. redirect-gateway (IPv4) is pushed, or

                // 2. DNS servers are pushed but no search domains are pushed

                redirect_dns = settings.reroute_gw.ipv4 || (CF::array_len(server_addresses) && !CF::array_len(resolve_domains));

            }

        }


        std::string to_string() const

        {

            std::ostringstream os;

            os << "RD=" << redirect_dns;

            os << " SO=" << search_order;

            os << " DNS=" << CF::array_to_string(server_addresses);

            os << " RSD=" << CF::array_to_string(resolve_domains);

            os << " DOM=" << CF::array_to_string(search_domains);

            return os.str();

        }


        bool redirect_dns = false;

        int search_order = 5000;

        CF::Array server_addresses;

        CF::Array resolve_domains;

        CF::Array search_domains;


      private:


        static CF::Array get_server_addresses(const DnsServer &server)

        {

            CF::MutableArray ret(CF::mutable_array());

            for (const auto &ip : server.addresses)

            {

                CF::array_append_str(ret, ip.address);

            }

            return CF::const_array(ret);

        }


        static CF::Array get_resolve_domains(const DnsServer &server)

        {

            CF::MutableArray ret(CF::mutable_array());

            for (const auto &rd : server.domains)

            {

                CF::array_append_str(ret, rd.domain);

            }

            return CF::const_array(ret);

        }


        static CF::Array get_search_domains(const TunBuilderCapture &settings)

        {

            CF::MutableArray ret(CF::mutable_array());

            if (!settings.dns_options.servers.empty())

            {

                for (const auto &sd : settings.dns_options.search_domains)

                {

                    CF::array_append_str(ret, sd.domain);

                }

            }

            return CF::const_array(ret);

        }


    };


    MacDNS(const std::string &sname_arg)

        : sname(sname_arg)

    {

    }


    void flush_cache()

    {

        const int v = ver.major();

        if (v < Mac::Version::OSX_10_6)

            OPENVPN_LOG("MacDNS: Error: No support for Mac OS X versions earlier than 10.6");

        if (v == Mac::Version::OSX_10_6 || v >= Mac::Version::OSX_10_9)

        {

            Argv args;

            args.push_back("/usr/bin/dscacheutil");

            args.push_back("-flushcache");

            OPENVPN_LOG(args.to_string());

            system_cmd(args);

        }

        if (v >= Mac::Version::OSX_10_7)

        {

            Argv args;

            args.push_back("/usr/bin/killall");

            args.push_back("-HUP");

            args.push_back("mDNSResponder");

            OPENVPN_LOG(args.to_string());

            system_cmd(args);

        }

    }


    bool signal_network_reconfiguration()

    {

        return DSDict::signal_network_reconfiguration(sname);

    }


    bool setdns(const Config &config)

    {

        bool mod = false;


        try

        {

            CF::DynamicStore sc = ds_create();

            Info::Ptr info(new Info(sc, sname));


            // cleanup settings applied to previous interface

            interface_change_cleanup(info.get());


            if (config.redirect_dns)

            {

                // redirect all DNS

                info->dns.will_modify();


                // set DNS servers

                if (CF::array_len(config.server_addresses))

                {

                    info->dns.backup_orig("ServerAddresses");

                    CF::dict_set_obj(info->dns.mod, "ServerAddresses", config.server_addresses());

                }


                // set search domains

                info->dns.backup_orig("SearchDomains");


                if (CF::array_len(config.search_domains))

                    CF::dict_set_obj(info->dns.mod, "SearchDomains", config.search_domains());


                // set search order

                info->dns.backup_orig("SearchOrder");

                CF::dict_set_int(info->dns.mod, "SearchOrder", config.search_order);


                // push it

                mod |= info->dns.push_to_store();

            }

            else

            {

                // split-DNS - resolve only specific domains

                info->ovpn.mod_reset();


                // set DNS servers

                CF::dict_set_obj(info->ovpn.mod, "ServerAddresses", config.server_addresses());


                // DNS will be used only for those domains

                CF::dict_set_obj(info->ovpn.mod, "SupplementalMatchDomains", config.resolve_domains());


                // do not use those domains in autocompletion

                CF::dict_set_int(info->ovpn.mod, "SupplementalMatchDomainsNoSearch", 1);


                // set search domains if there are any

                if (CF::array_len(config.search_domains))

                {

                    info->dns.backup_orig("SearchDomains");

                    CF::dict_set_obj(info->dns.mod, "SearchDomains", config.search_domains());

                    mod |= info->dns.push_to_store();

                }


                // in case of split-DNS macOS uses domain suffix of network adapter,

                // not the one provided by VPN (which we put to SearchDomains)


                // push it

                mod |= info->ovpn.push_to_store();

            }


            if (mod)

            {

                // As a backup, save PrimaryService in private dict (if network goes down while

                // we are set, we can lose info about PrimaryService in State:/Network/Global/IPv4

                // and be unable to reset ourselves).

                const CFTypeRef ps = CF::dict_get_obj(info->ipv4.dict, "PrimaryService");

                if (ps)

                {

                    info->info.mod_reset();

                    CF::dict_set_obj(info->info.mod, "PrimaryService", ps);

                    info->info.push_to_store();

                }

            }


            prev = info;

            if (mod)

                OPENVPN_LOG("MacDNS: SETDNS " << ver.to_string() << std::endl

                                              << info->to_string());

        }

        catch (const std::exception &e)

        {

            OPENVPN_LOG("MacDNS: setdns exception: " << e.what());

        }

        return mod;

    }


    bool resetdns()

    {

        bool mod = false;

        try

        {

            CF::DynamicStore sc = ds_create();

            Info::Ptr info(new Info(sc, sname));


            // cleanup settings applied to previous interface

            interface_change_cleanup(info.get());


            // undo primary dns changes

            mod |= reset_primary_dns(info.get());


            // undo non-redirect-gateway changes

            if (CF::dict_len(info->ovpn.dict))

                mod |= info->ovpn.remove_from_store();


            // remove private info dict

            if (CF::dict_len(info->info.dict))

                mod |= info->info.remove_from_store();


            if (mod)

                OPENVPN_LOG("MacDNS: RESETDNS " << ver.to_string() << std::endl

                                                << info->to_string());

        }

        catch (const std::exception &e)

        {

            OPENVPN_LOG("MacDNS: resetdns exception: " << e.what());

        }

        return mod;

    }


    std::string to_string() const

    {

        CF::DynamicStore sc = ds_create();

        Info::Ptr info(new Info(sc, sname));

        return info->to_string();

    }


    CF::Array dskey_array() const

    {

        CF::DynamicStore sc = ds_create();

        Info::Ptr info(new Info(sc, sname));

        CF::MutableArray ret(CF::mutable_array());

        CF::array_append_str(ret, info->ipv4.dskey);

        CF::array_append_str(ret, info->info.dskey);

        CF::array_append_str(ret, info->ovpn.dskey);

        CF::array_append_str(ret, info->dns.dskey);

        return CF::const_array(ret);

    }


  private:


    void interface_change_cleanup(Info *info)

    {

        if (info->interface_change(prev.get()))

        {

            reset_primary_dns(prev.get());

            prev.reset();

        }

    }


    bool reset_primary_dns(Info *info)

    {

        bool mod = false;

        if (info)

        {

#if 1

            // Restore previous DNS settings.

            // Recommended for production.

            info->dns.will_modify();

            info->dns.restore_orig();

            mod |= info->dns.push_to_store();

#else

            // Wipe DNS settings without restore.

            // This can potentially wipe static IP/DNS settings.

            info->dns.mod_reset();

            mod |= info->dns.push_to_store();

#endif

        }

        return mod;

    }


    class Info : public RC<thread_unsafe_refcount>

    {

      public:

        typedef RCPtr<Info> Ptr;


        Info(CF::DynamicStore &sc, const std::string &sname)

            : ipv4(sc, sname, "State:/Network/Global/IPv4"),

              info(sc, sname, "State:/Network/Service/" + sname + "/Info"),

              ovpn(sc, sname, "State:/Network/Service/" + sname + "/DNS"),

              dns(sc, sname, primary_dns(ipv4.dict, info.dict))

        {

        }


        std::string to_string() const

        {

            std::ostringstream os;

            os << ipv4.to_string();

            os << info.to_string();

            os << ovpn.to_string();

            os << dns.to_string();

            return os.str();

        }


        bool interface_change(Info *other) const

        {

            return other && dns.dskey != other->dns.dskey;

        }


        DSDict ipv4;

        DSDict info; // we may modify

        DSDict ovpn; // we may modify

        DSDict dns;  // we may modify


      private:


        static std::string primary_dns(const CF::Dict &ipv4, const CF::Dict &info)

        {

            std::string serv = CF::dict_get_str(ipv4, "PrimaryService");

            if (serv.empty())

                serv = CF::dict_get_str(info, "PrimaryService");

            if (serv.empty())

                throw macdns_error("no primary service");

            return "Setup:/Network/Service/" + serv + "/DNS";

        }


    };


    CF::DynamicStore ds_create() const

    {

        return DSDict::ds_create(sname);

    }


    const std::string sname;

    Mac::Version ver;

    Info::Ptr prev;

};


} // namespace openvpn


#endif

capture.hpp

cfhelper.hpp

openvpn::AppleVersion::to_string
std::string to_string() const
Definition ver.hpp:42

openvpn::AppleVersion::major
int major() const
Definition ver.hpp:29

openvpn::Argv
Definition argv.hpp:23

openvpn::Argv::to_string
std::string to_string() const
Definition argv.hpp:30

openvpn::DSDict
Definition dsdict.hpp:16

openvpn::DSDict::signal_network_reconfiguration
static bool signal_network_reconfiguration(const std::string &sname)
Definition dsdict.hpp:151

openvpn::DSDict::push_to_store
bool push_to_store()
Definition dsdict.hpp:33

openvpn::DSDict::ds_create
static CF::DynamicStore ds_create(const std::string &sname)
Definition dsdict.hpp:145

openvpn::DSDict::will_modify
void will_modify()
Definition dsdict.hpp:66

openvpn::DSDict::to_string
std::string to_string() const
Definition dsdict.hpp:129

openvpn::DSDict::mod
CF::MutableDict mod
Definition dsdict.hpp:164

openvpn::DSDict::dskey
const std::string dskey
Definition dsdict.hpp:162

openvpn::DSDict::restore_orig
void restore_orig()
Definition dsdict.hpp:97

openvpn::DSDict::remove_from_store
bool remove_from_store()
Definition dsdict.hpp:49

openvpn::DSDict::mod_reset
void mod_reset()
Definition dsdict.hpp:72

openvpn::DSDict::backup_orig
void backup_orig(const std::string &key, const bool wipe_orig=true)
Definition dsdict.hpp:77

openvpn::DSDict::dict
const CF::Dict dict
Definition dsdict.hpp:163

openvpn::MacDNS::Config
Definition macdns.hpp:43

openvpn::MacDNS::Config::search_domains
CF::Array search_domains
Definition macdns.hpp:106

openvpn::MacDNS::Config::redirect_dns
bool redirect_dns
Definition macdns.hpp:102

openvpn::MacDNS::Config::search_order
int search_order
Definition macdns.hpp:103

openvpn::MacDNS::Config::Ptr
RCPtr< Config > Ptr
Definition macdns.hpp:45

openvpn::MacDNS::Config::Config
Config(const TunBuilderCapture &settings)
Definition macdns.hpp:49

openvpn::MacDNS::Config::Config
Config()=default

openvpn::MacDNS::Config::to_string
std::string to_string() const
Definition macdns.hpp:91

openvpn::MacDNS::Config::resolve_domains
CF::Array resolve_domains
Definition macdns.hpp:105

openvpn::MacDNS::Config::get_resolve_domains
static CF::Array get_resolve_domains(const DnsServer &server)
Definition macdns.hpp:119

openvpn::MacDNS::Config::get_search_domains
static CF::Array get_search_domains(const TunBuilderCapture &settings)
Definition macdns.hpp:129

openvpn::MacDNS::Config::server_addresses
CF::Array server_addresses
Definition macdns.hpp:104

openvpn::MacDNS::Config::get_server_addresses
static CF::Array get_server_addresses(const DnsServer &server)
Definition macdns.hpp:109

openvpn::MacDNS::Info
Definition macdns.hpp:353

openvpn::MacDNS::Info::Info
Info(CF::DynamicStore &sc, const std::string &sname)
Definition macdns.hpp:357

openvpn::MacDNS::Info::primary_dns
static std::string primary_dns(const CF::Dict &ipv4, const CF::Dict &info)
Definition macdns.hpp:386

openvpn::MacDNS::Info::Ptr
RCPtr< Info > Ptr
Definition macdns.hpp:355

openvpn::MacDNS::Info::dns
DSDict dns
Definition macdns.hpp:383

openvpn::MacDNS::Info::ipv4
DSDict ipv4
Definition macdns.hpp:380

openvpn::MacDNS::Info::info
DSDict info
Definition macdns.hpp:381

openvpn::MacDNS::Info::interface_change
bool interface_change(Info *other) const
Definition macdns.hpp:375

openvpn::MacDNS::Info::to_string
std::string to_string() const
Definition macdns.hpp:365

openvpn::MacDNS::Info::ovpn
DSDict ovpn
Definition macdns.hpp:382

openvpn::MacDNS
Definition macdns.hpp:34

openvpn::MacDNS::OPENVPN_EXCEPTION
OPENVPN_EXCEPTION(macdns_error)

openvpn::MacDNS::Ptr
RCPtr< MacDNS > Ptr
Definition macdns.hpp:38

openvpn::MacDNS::dskey_array
CF::Array dskey_array() const
Definition macdns.hpp:309

openvpn::MacDNS::ds_create
CF::DynamicStore ds_create() const
Definition macdns.hpp:397

openvpn::MacDNS::setdns
bool setdns(const Config &config)
Definition macdns.hpp:177

openvpn::MacDNS::to_string
std::string to_string() const
Definition macdns.hpp:302

openvpn::MacDNS::flush_cache
void flush_cache()
Definition macdns.hpp:148

openvpn::MacDNS::sname
const std::string sname
Definition macdns.hpp:402

openvpn::MacDNS::reset_primary_dns
bool reset_primary_dns(Info *info)
Definition macdns.hpp:331

openvpn::MacDNS::prev
Info::Ptr prev
Definition macdns.hpp:404

openvpn::MacDNS::signal_network_reconfiguration
bool signal_network_reconfiguration()
Definition macdns.hpp:172

openvpn::MacDNS::interface_change_cleanup
void interface_change_cleanup(Info *info)
Definition macdns.hpp:322

openvpn::MacDNS::resetdns
bool resetdns()
Definition macdns.hpp:269

openvpn::MacDNS::MacDNS
MacDNS(const std::string &sname_arg)
Definition macdns.hpp:143

openvpn::MacDNS::ver
Mac::Version ver
Definition macdns.hpp:403

openvpn::Mac::Version
Definition macver.hpp:28

openvpn::Mac::Version::OSX_10_7
@ OSX_10_7
Definition macver.hpp:49

openvpn::Mac::Version::OSX_10_6
@ OSX_10_6
Definition macver.hpp:50

openvpn::Mac::Version::OSX_10_9
@ OSX_10_9
Definition macver.hpp:47

openvpn::RCPtr
The smart pointer class.
Definition rc.hpp:119

openvpn::RCPtr::reset
void reset() noexcept
Points this RCPtr<T> to nullptr safely.
Definition rc.hpp:290

openvpn::RCPtr::get
T * get() const noexcept
Returns the raw pointer to the object T, or nullptr.
Definition rc.hpp:321

openvpn::RC
Reference count base class for objects tracked by RCPtr. Disallows copying and assignment.
Definition rc.hpp:912

openvpn::TunBuilderCapture::RerouteGW::ipv4
bool ipv4
Definition capture.hpp:135

openvpn::TunBuilderCapture
Definition capture.hpp:42

openvpn::TunBuilderCapture::dns_options
DnsOptions dns_options
Definition capture.hpp:1093

openvpn::TunBuilderCapture::reroute_gw
RerouteGW reroute_gw
Definition capture.hpp:1086

dsdict.hpp

exception.hpp

OPENVPN_LOG
#define OPENVPN_LOG(args)
Definition logdatetime.hpp:23

macver.hpp

openvpn::CF::array_len
CFIndex array_len(const ARRAY &array)
Definition cf.hpp:333

openvpn::CF::dict_set_int
void dict_set_int(MutableDict &dict, const KEY &key, int value)
Definition cfhelper.hpp:173

openvpn::CF::mutable_array
MutableArray mutable_array(const CFIndex capacity=0)
Definition cf.hpp:306

openvpn::CF::array_to_string
std::string array_to_string(const ARRAY &array, const char delim=',')
Definition cf.hpp:426

openvpn::CF::const_array
Array const_array(MutableArray &marray)
Definition cf.hpp:291

openvpn::CF::dict_len
CFIndex dict_len(const DICT &dict)
Definition cf.hpp:342

openvpn::CF::dict_get_obj
CFTypeRef dict_get_obj(const DICT &dict, const KEY &key)
Definition cfhelper.hpp:88

openvpn::CF::dict_set_obj
void dict_set_obj(MutableDict &dict, const KEY &key, CFTypeRef value)
Definition cfhelper.hpp:154

openvpn::CF::array_append_str
void array_append_str(MutableArray &array, const VALUE &value)
Definition cfhelper.hpp:217

openvpn::CF::dict_get_str
std::string dict_get_str(const DICT &dict, const KEY &key)
Definition cfhelper.hpp:95

openvpn
Definition ovpncli.cpp:97

openvpn::system_cmd
int system_cmd(const std::string &cmd, const Argv &argv, RedirectBase *redir, const Environ *env, const sigset_t *sigmask)
Definition process.hpp:90

process.hpp

scdynstore.hpp

size.hpp

string.hpp

openvpn::DnsAddress
A name server address and optional port.
Definition dns_options.hpp:36

openvpn::DnsOptions::servers
std::map< int, DnsServer > servers
Definition dns_options.hpp:360

openvpn::DnsOptions::search_domains
std::vector< DnsDomain > search_domains
Definition dns_options.hpp:359

openvpn::DnsOptions::from_dhcp_options
bool from_dhcp_options
Definition dns_options.hpp:358

openvpn::DnsServer
DNS settings for a name server.
Definition dns_options.hpp:134

openvpn::DnsServer::addresses
std::vector< DnsAddress > addresses
Definition dns_options.hpp:292

openvpn::DnsServer::domains
std::vector< DnsDomain > domains
Definition dns_options.hpp:293

openvpn::DnsServer::Security::Yes
@ Yes

openvpn::DnsServer::Transport::TLS
@ TLS

openvpn::DnsServer::Transport::HTTPS
@ HTTPS

ret
std::string ret
Definition test_capture.cpp:268

os
std::ostringstream os
Definition test_capture.cpp:1086

config
static const char config[]
Definition test_parseargv.cpp:65