1 /* 2 * services/authzone.c - authoritative zone that is locally hosted. 3 * 4 * Copyright (c) 2017, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * Redistributions of source code must retain the above copyright notice, 13 * this list of conditions and the following disclaimer. 14 * 15 * Redistributions in binary form must reproduce the above copyright notice, 16 * this list of conditions and the following disclaimer in the documentation 17 * and/or other materials provided with the distribution. 18 * 19 * Neither the name of the NLNET LABS nor the names of its contributors may 20 * be used to endorse or promote products derived from this software without 21 * specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36 /** 37 * \file 38 * 39 * This file contains the functions for an authority zone. This zone 40 * is queried by the iterator, just like a stub or forward zone, but then 41 * the data is locally held. 42 */ 43 44 #include "config.h" 45 #include "services/authzone.h" 46 #include "util/data/dname.h" 47 #include "util/data/msgparse.h" 48 #include "util/data/msgreply.h" 49 #include "util/data/msgencode.h" 50 #include "util/data/packed_rrset.h" 51 #include "util/regional.h" 52 #include "util/net_help.h" 53 #include "util/netevent.h" 54 #include "util/config_file.h" 55 #include "util/log.h" 56 #include "util/module.h" 57 #include "util/random.h" 58 #include "services/cache/dns.h" 59 #include "services/outside_network.h" 60 #include "services/listen_dnsport.h" 61 #include "services/mesh.h" 62 #include "sldns/rrdef.h" 63 #include "sldns/pkthdr.h" 64 #include "sldns/sbuffer.h" 65 #include "sldns/str2wire.h" 66 #include "sldns/wire2str.h" 67 #include "sldns/parseutil.h" 68 #include "sldns/keyraw.h" 69 #include "validator/val_nsec3.h" 70 #include "validator/val_secalgo.h" 71 #include <ctype.h> 72 73 /** bytes to use for NSEC3 hash buffer. 20 for sha1 */ 74 #define N3HASHBUFLEN 32 75 /** max number of CNAMEs we are willing to follow (in one answer) */ 76 #define MAX_CNAME_CHAIN 8 77 /** timeout for probe packets for SOA */ 78 #define AUTH_PROBE_TIMEOUT 100 /* msec */ 79 /** when to stop with SOA probes (when exponential timeouts exceed this) */ 80 #define AUTH_PROBE_TIMEOUT_STOP 1000 /* msec */ 81 /* auth transfer timeout for TCP connections, in msec */ 82 #define AUTH_TRANSFER_TIMEOUT 10000 /* msec */ 83 /* auth transfer max backoff for failed tranfers and probes */ 84 #define AUTH_TRANSFER_MAX_BACKOFF 86400 /* sec */ 85 /* auth http port number */ 86 #define AUTH_HTTP_PORT 80 87 /* auth https port number */ 88 #define AUTH_HTTPS_PORT 443 89 /* max depth for nested $INCLUDEs */ 90 #define MAX_INCLUDE_DEPTH 10 91 /** number of timeouts before we fallback from IXFR to AXFR, 92 * because some versions of servers (eg. dnsmasq) drop IXFR packets. */ 93 #define NUM_TIMEOUTS_FALLBACK_IXFR 3 94 95 /** pick up nextprobe task to start waiting to perform transfer actions */ 96 static void xfr_set_timeout(struct auth_xfer* xfr, struct module_env* env, 97 int failure, int lookup_only); 98 /** move to sending the probe packets, next if fails. task_probe */ 99 static void xfr_probe_send_or_end(struct auth_xfer* xfr, 100 struct module_env* env); 101 /** pick up probe task with specified(or NULL) destination first, 102 * or transfer task if nothing to probe, or false if already in progress */ 103 static int xfr_start_probe(struct auth_xfer* xfr, struct module_env* env, 104 struct auth_master* spec); 105 /** delete xfer structure (not its tree entry) */ 106 static void auth_xfer_delete(struct auth_xfer* xfr); 107 108 /** create new dns_msg */ 109 static struct dns_msg* 110 msg_create(struct regional* region, struct query_info* qinfo) 111 { 112 struct dns_msg* msg = (struct dns_msg*)regional_alloc(region, 113 sizeof(struct dns_msg)); 114 if(!msg) 115 return NULL; 116 msg->qinfo.qname = regional_alloc_init(region, qinfo->qname, 117 qinfo->qname_len); 118 if(!msg->qinfo.qname) 119 return NULL; 120 msg->qinfo.qname_len = qinfo->qname_len; 121 msg->qinfo.qtype = qinfo->qtype; 122 msg->qinfo.qclass = qinfo->qclass; 123 msg->qinfo.local_alias = NULL; 124 /* non-packed reply_info, because it needs to grow the array */ 125 msg->rep = (struct reply_info*)regional_alloc_zero(region, 126 sizeof(struct reply_info)-sizeof(struct rrset_ref)); 127 if(!msg->rep) 128 return NULL; 129 msg->rep->flags = (uint16_t)(BIT_QR | BIT_AA); 130 msg->rep->authoritative = 1; 131 msg->rep->qdcount = 1; 132 /* rrsets is NULL, no rrsets yet */ 133 return msg; 134 } 135 136 /** grow rrset array by one in msg */ 137 static int 138 msg_grow_array(struct regional* region, struct dns_msg* msg) 139 { 140 if(msg->rep->rrsets == NULL) { 141 msg->rep->rrsets = regional_alloc_zero(region, 142 sizeof(struct ub_packed_rrset_key*)*(msg->rep->rrset_count+1)); 143 if(!msg->rep->rrsets) 144 return 0; 145 } else { 146 struct ub_packed_rrset_key** rrsets_old = msg->rep->rrsets; 147 msg->rep->rrsets = regional_alloc_zero(region, 148 sizeof(struct ub_packed_rrset_key*)*(msg->rep->rrset_count+1)); 149 if(!msg->rep->rrsets) 150 return 0; 151 memmove(msg->rep->rrsets, rrsets_old, 152 sizeof(struct ub_packed_rrset_key*)*msg->rep->rrset_count); 153 } 154 return 1; 155 } 156 157 /** get ttl of rrset */ 158 static time_t 159 get_rrset_ttl(struct ub_packed_rrset_key* k) 160 { 161 struct packed_rrset_data* d = (struct packed_rrset_data*) 162 k->entry.data; 163 return d->ttl; 164 } 165 166 /** Copy rrset into region from domain-datanode and packet rrset */ 167 static struct ub_packed_rrset_key* 168 auth_packed_rrset_copy_region(struct auth_zone* z, struct auth_data* node, 169 struct auth_rrset* rrset, struct regional* region, time_t adjust) 170 { 171 struct ub_packed_rrset_key key; 172 memset(&key, 0, sizeof(key)); 173 key.entry.key = &key; 174 key.entry.data = rrset->data; 175 key.rk.dname = node->name; 176 key.rk.dname_len = node->namelen; 177 key.rk.type = htons(rrset->type); 178 key.rk.rrset_class = htons(z->dclass); 179 key.entry.hash = rrset_key_hash(&key.rk); 180 return packed_rrset_copy_region(&key, region, adjust); 181 } 182 183 /** fix up msg->rep TTL and prefetch ttl */ 184 static void 185 msg_ttl(struct dns_msg* msg) 186 { 187 if(msg->rep->rrset_count == 0) return; 188 if(msg->rep->rrset_count == 1) { 189 msg->rep->ttl = get_rrset_ttl(msg->rep->rrsets[0]); 190 msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(msg->rep->ttl); 191 msg->rep->serve_expired_ttl = msg->rep->ttl + SERVE_EXPIRED_TTL; 192 } else if(get_rrset_ttl(msg->rep->rrsets[msg->rep->rrset_count-1]) < 193 msg->rep->ttl) { 194 msg->rep->ttl = get_rrset_ttl(msg->rep->rrsets[ 195 msg->rep->rrset_count-1]); 196 msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(msg->rep->ttl); 197 msg->rep->serve_expired_ttl = msg->rep->ttl + SERVE_EXPIRED_TTL; 198 } 199 } 200 201 /** see if rrset is a duplicate in the answer message */ 202 static int 203 msg_rrset_duplicate(struct dns_msg* msg, uint8_t* nm, size_t nmlen, 204 uint16_t type, uint16_t dclass) 205 { 206 size_t i; 207 for(i=0; i<msg->rep->rrset_count; i++) { 208 struct ub_packed_rrset_key* k = msg->rep->rrsets[i]; 209 if(ntohs(k->rk.type) == type && k->rk.dname_len == nmlen && 210 ntohs(k->rk.rrset_class) == dclass && 211 query_dname_compare(k->rk.dname, nm) == 0) 212 return 1; 213 } 214 return 0; 215 } 216 217 /** add rrset to answer section (no auth, add rrsets yet) */ 218 static int 219 msg_add_rrset_an(struct auth_zone* z, struct regional* region, 220 struct dns_msg* msg, struct auth_data* node, struct auth_rrset* rrset) 221 { 222 log_assert(msg->rep->ns_numrrsets == 0); 223 log_assert(msg->rep->ar_numrrsets == 0); 224 if(!rrset || !node) 225 return 1; 226 if(msg_rrset_duplicate(msg, node->name, node->namelen, rrset->type, 227 z->dclass)) 228 return 1; 229 /* grow array */ 230 if(!msg_grow_array(region, msg)) 231 return 0; 232 /* copy it */ 233 if(!(msg->rep->rrsets[msg->rep->rrset_count] = 234 auth_packed_rrset_copy_region(z, node, rrset, region, 0))) 235 return 0; 236 msg->rep->rrset_count++; 237 msg->rep->an_numrrsets++; 238 msg_ttl(msg); 239 return 1; 240 } 241 242 /** add rrset to authority section (no additonal section rrsets yet) */ 243 static int 244 msg_add_rrset_ns(struct auth_zone* z, struct regional* region, 245 struct dns_msg* msg, struct auth_data* node, struct auth_rrset* rrset) 246 { 247 log_assert(msg->rep->ar_numrrsets == 0); 248 if(!rrset || !node) 249 return 1; 250 if(msg_rrset_duplicate(msg, node->name, node->namelen, rrset->type, 251 z->dclass)) 252 return 1; 253 /* grow array */ 254 if(!msg_grow_array(region, msg)) 255 return 0; 256 /* copy it */ 257 if(!(msg->rep->rrsets[msg->rep->rrset_count] = 258 auth_packed_rrset_copy_region(z, node, rrset, region, 0))) 259 return 0; 260 msg->rep->rrset_count++; 261 msg->rep->ns_numrrsets++; 262 msg_ttl(msg); 263 return 1; 264 } 265 266 /** add rrset to additional section */ 267 static int 268 msg_add_rrset_ar(struct auth_zone* z, struct regional* region, 269 struct dns_msg* msg, struct auth_data* node, struct auth_rrset* rrset) 270 { 271 if(!rrset || !node) 272 return 1; 273 if(msg_rrset_duplicate(msg, node->name, node->namelen, rrset->type, 274 z->dclass)) 275 return 1; 276 /* grow array */ 277 if(!msg_grow_array(region, msg)) 278 return 0; 279 /* copy it */ 280 if(!(msg->rep->rrsets[msg->rep->rrset_count] = 281 auth_packed_rrset_copy_region(z, node, rrset, region, 0))) 282 return 0; 283 msg->rep->rrset_count++; 284 msg->rep->ar_numrrsets++; 285 msg_ttl(msg); 286 return 1; 287 } 288 289 struct auth_zones* auth_zones_create(void) 290 { 291 struct auth_zones* az = (struct auth_zones*)calloc(1, sizeof(*az)); 292 if(!az) { 293 log_err("out of memory"); 294 return NULL; 295 } 296 rbtree_init(&az->ztree, &auth_zone_cmp); 297 rbtree_init(&az->xtree, &auth_xfer_cmp); 298 lock_rw_init(&az->lock); 299 lock_protect(&az->lock, &az->ztree, sizeof(az->ztree)); 300 lock_protect(&az->lock, &az->xtree, sizeof(az->xtree)); 301 /* also lock protects the rbnode's in struct auth_zone, auth_xfer */ 302 lock_rw_init(&az->rpz_lock); 303 lock_protect(&az->rpz_lock, &az->rpz_first, sizeof(az->rpz_first)); 304 return az; 305 } 306 307 int auth_zone_cmp(const void* z1, const void* z2) 308 { 309 /* first sort on class, so that hierarchy can be maintained within 310 * a class */ 311 struct auth_zone* a = (struct auth_zone*)z1; 312 struct auth_zone* b = (struct auth_zone*)z2; 313 int m; 314 if(a->dclass != b->dclass) { 315 if(a->dclass < b->dclass) 316 return -1; 317 return 1; 318 } 319 /* sorted such that higher zones sort before lower zones (their 320 * contents) */ 321 return dname_lab_cmp(a->name, a->namelabs, b->name, b->namelabs, &m); 322 } 323 324 int auth_data_cmp(const void* z1, const void* z2) 325 { 326 struct auth_data* a = (struct auth_data*)z1; 327 struct auth_data* b = (struct auth_data*)z2; 328 int m; 329 /* canonical sort, because DNSSEC needs that */ 330 return dname_canon_lab_cmp(a->name, a->namelabs, b->name, 331 b->namelabs, &m); 332 } 333 334 int auth_xfer_cmp(const void* z1, const void* z2) 335 { 336 /* first sort on class, so that hierarchy can be maintained within 337 * a class */ 338 struct auth_xfer* a = (struct auth_xfer*)z1; 339 struct auth_xfer* b = (struct auth_xfer*)z2; 340 int m; 341 if(a->dclass != b->dclass) { 342 if(a->dclass < b->dclass) 343 return -1; 344 return 1; 345 } 346 /* sorted such that higher zones sort before lower zones (their 347 * contents) */ 348 return dname_lab_cmp(a->name, a->namelabs, b->name, b->namelabs, &m); 349 } 350 351 /** delete auth rrset node */ 352 static void 353 auth_rrset_delete(struct auth_rrset* rrset) 354 { 355 if(!rrset) return; 356 free(rrset->data); 357 free(rrset); 358 } 359 360 /** delete auth data domain node */ 361 static void 362 auth_data_delete(struct auth_data* n) 363 { 364 struct auth_rrset* p, *np; 365 if(!n) return; 366 p = n->rrsets; 367 while(p) { 368 np = p->next; 369 auth_rrset_delete(p); 370 p = np; 371 } 372 free(n->name); 373 free(n); 374 } 375 376 /** helper traverse to delete zones */ 377 static void 378 auth_data_del(rbnode_type* n, void* ATTR_UNUSED(arg)) 379 { 380 struct auth_data* z = (struct auth_data*)n->key; 381 auth_data_delete(z); 382 } 383 384 /** delete an auth zone structure (tree remove must be done elsewhere) */ 385 static void 386 auth_zone_delete(struct auth_zone* z, struct auth_zones* az) 387 { 388 if(!z) return; 389 lock_rw_destroy(&z->lock); 390 traverse_postorder(&z->data, auth_data_del, NULL); 391 392 if(az && z->rpz) { 393 /* keep RPZ linked list intact */ 394 lock_rw_wrlock(&az->rpz_lock); 395 if(z->rpz->prev) 396 z->rpz->prev->next = z->rpz->next; 397 else 398 az->rpz_first = z->rpz->next; 399 if(z->rpz->next) 400 z->rpz->next->prev = z->rpz->prev; 401 lock_rw_unlock(&az->rpz_lock); 402 } 403 if(z->rpz) 404 rpz_delete(z->rpz); 405 free(z->name); 406 free(z->zonefile); 407 free(z); 408 } 409 410 struct auth_zone* 411 auth_zone_create(struct auth_zones* az, uint8_t* nm, size_t nmlen, 412 uint16_t dclass) 413 { 414 struct auth_zone* z = (struct auth_zone*)calloc(1, sizeof(*z)); 415 if(!z) { 416 return NULL; 417 } 418 z->node.key = z; 419 z->dclass = dclass; 420 z->namelen = nmlen; 421 z->namelabs = dname_count_labels(nm); 422 z->name = memdup(nm, nmlen); 423 if(!z->name) { 424 free(z); 425 return NULL; 426 } 427 rbtree_init(&z->data, &auth_data_cmp); 428 lock_rw_init(&z->lock); 429 lock_protect(&z->lock, &z->name, sizeof(*z)-sizeof(rbnode_type)); 430 lock_rw_wrlock(&z->lock); 431 /* z lock protects all, except rbtree itself, which is az->lock */ 432 if(!rbtree_insert(&az->ztree, &z->node)) { 433 lock_rw_unlock(&z->lock); 434 auth_zone_delete(z, NULL); 435 log_warn("duplicate auth zone"); 436 return NULL; 437 } 438 return z; 439 } 440 441 struct auth_zone* 442 auth_zone_find(struct auth_zones* az, uint8_t* nm, size_t nmlen, 443 uint16_t dclass) 444 { 445 struct auth_zone key; 446 key.node.key = &key; 447 key.dclass = dclass; 448 key.name = nm; 449 key.namelen = nmlen; 450 key.namelabs = dname_count_labels(nm); 451 return (struct auth_zone*)rbtree_search(&az->ztree, &key); 452 } 453 454 struct auth_xfer* 455 auth_xfer_find(struct auth_zones* az, uint8_t* nm, size_t nmlen, 456 uint16_t dclass) 457 { 458 struct auth_xfer key; 459 key.node.key = &key; 460 key.dclass = dclass; 461 key.name = nm; 462 key.namelen = nmlen; 463 key.namelabs = dname_count_labels(nm); 464 return (struct auth_xfer*)rbtree_search(&az->xtree, &key); 465 } 466 467 /** find an auth zone or sorted less-or-equal, return true if exact */ 468 static int 469 auth_zone_find_less_equal(struct auth_zones* az, uint8_t* nm, size_t nmlen, 470 uint16_t dclass, struct auth_zone** z) 471 { 472 struct auth_zone key; 473 key.node.key = &key; 474 key.dclass = dclass; 475 key.name = nm; 476 key.namelen = nmlen; 477 key.namelabs = dname_count_labels(nm); 478 return rbtree_find_less_equal(&az->ztree, &key, (rbnode_type**)z); 479 } 480 481 482 /** find the auth zone that is above the given name */ 483 struct auth_zone* 484 auth_zones_find_zone(struct auth_zones* az, uint8_t* name, size_t name_len, 485 uint16_t dclass) 486 { 487 uint8_t* nm = name; 488 size_t nmlen = name_len; 489 struct auth_zone* z; 490 if(auth_zone_find_less_equal(az, nm, nmlen, dclass, &z)) { 491 /* exact match */ 492 return z; 493 } else { 494 /* less-or-nothing */ 495 if(!z) return NULL; /* nothing smaller, nothing above it */ 496 /* we found smaller name; smaller may be above the name, 497 * but not below it. */ 498 nm = dname_get_shared_topdomain(z->name, name); 499 dname_count_size_labels(nm, &nmlen); 500 z = NULL; 501 } 502 503 /* search up */ 504 while(!z) { 505 z = auth_zone_find(az, nm, nmlen, dclass); 506 if(z) return z; 507 if(dname_is_root(nm)) break; 508 dname_remove_label(&nm, &nmlen); 509 } 510 return NULL; 511 } 512 513 /** find or create zone with name str. caller must have lock on az. 514 * returns a wrlocked zone */ 515 static struct auth_zone* 516 auth_zones_find_or_add_zone(struct auth_zones* az, char* name) 517 { 518 uint8_t nm[LDNS_MAX_DOMAINLEN+1]; 519 size_t nmlen = sizeof(nm); 520 struct auth_zone* z; 521 522 if(sldns_str2wire_dname_buf(name, nm, &nmlen) != 0) { 523 log_err("cannot parse auth zone name: %s", name); 524 return 0; 525 } 526 z = auth_zone_find(az, nm, nmlen, LDNS_RR_CLASS_IN); 527 if(!z) { 528 /* not found, create the zone */ 529 z = auth_zone_create(az, nm, nmlen, LDNS_RR_CLASS_IN); 530 } else { 531 lock_rw_wrlock(&z->lock); 532 } 533 return z; 534 } 535 536 /** find or create xfer zone with name str. caller must have lock on az. 537 * returns a locked xfer */ 538 static struct auth_xfer* 539 auth_zones_find_or_add_xfer(struct auth_zones* az, struct auth_zone* z) 540 { 541 struct auth_xfer* x; 542 x = auth_xfer_find(az, z->name, z->namelen, z->dclass); 543 if(!x) { 544 /* not found, create the zone */ 545 x = auth_xfer_create(az, z); 546 } else { 547 lock_basic_lock(&x->lock); 548 } 549 return x; 550 } 551 552 int 553 auth_zone_set_zonefile(struct auth_zone* z, char* zonefile) 554 { 555 if(z->zonefile) free(z->zonefile); 556 if(zonefile == NULL) { 557 z->zonefile = NULL; 558 } else { 559 z->zonefile = strdup(zonefile); 560 if(!z->zonefile) { 561 log_err("malloc failure"); 562 return 0; 563 } 564 } 565 return 1; 566 } 567 568 /** set auth zone fallback. caller must have lock on zone */ 569 int 570 auth_zone_set_fallback(struct auth_zone* z, char* fallbackstr) 571 { 572 if(strcmp(fallbackstr, "yes") != 0 && strcmp(fallbackstr, "no") != 0){ 573 log_err("auth zone fallback, expected yes or no, got %s", 574 fallbackstr); 575 return 0; 576 } 577 z->fallback_enabled = (strcmp(fallbackstr, "yes")==0); 578 return 1; 579 } 580 581 /** create domain with the given name */ 582 static struct auth_data* 583 az_domain_create(struct auth_zone* z, uint8_t* nm, size_t nmlen) 584 { 585 struct auth_data* n = (struct auth_data*)malloc(sizeof(*n)); 586 if(!n) return NULL; 587 memset(n, 0, sizeof(*n)); 588 n->node.key = n; 589 n->name = memdup(nm, nmlen); 590 if(!n->name) { 591 free(n); 592 return NULL; 593 } 594 n->namelen = nmlen; 595 n->namelabs = dname_count_labels(nm); 596 if(!rbtree_insert(&z->data, &n->node)) { 597 log_warn("duplicate auth domain name"); 598 free(n->name); 599 free(n); 600 return NULL; 601 } 602 return n; 603 } 604 605 /** find domain with exactly the given name */ 606 static struct auth_data* 607 az_find_name(struct auth_zone* z, uint8_t* nm, size_t nmlen) 608 { 609 struct auth_zone key; 610 key.node.key = &key; 611 key.name = nm; 612 key.namelen = nmlen; 613 key.namelabs = dname_count_labels(nm); 614 return (struct auth_data*)rbtree_search(&z->data, &key); 615 } 616 617 /** Find domain name (or closest match) */ 618 static void 619 az_find_domain(struct auth_zone* z, struct query_info* qinfo, int* node_exact, 620 struct auth_data** node) 621 { 622 struct auth_zone key; 623 key.node.key = &key; 624 key.name = qinfo->qname; 625 key.namelen = qinfo->qname_len; 626 key.namelabs = dname_count_labels(key.name); 627 *node_exact = rbtree_find_less_equal(&z->data, &key, 628 (rbnode_type**)node); 629 } 630 631 /** find or create domain with name in zone */ 632 static struct auth_data* 633 az_domain_find_or_create(struct auth_zone* z, uint8_t* dname, 634 size_t dname_len) 635 { 636 struct auth_data* n = az_find_name(z, dname, dname_len); 637 if(!n) { 638 n = az_domain_create(z, dname, dname_len); 639 } 640 return n; 641 } 642 643 /** find rrset of given type in the domain */ 644 static struct auth_rrset* 645 az_domain_rrset(struct auth_data* n, uint16_t t) 646 { 647 struct auth_rrset* rrset; 648 if(!n) return NULL; 649 rrset = n->rrsets; 650 while(rrset) { 651 if(rrset->type == t) 652 return rrset; 653 rrset = rrset->next; 654 } 655 return NULL; 656 } 657 658 /** remove rrset of this type from domain */ 659 static void 660 domain_remove_rrset(struct auth_data* node, uint16_t rr_type) 661 { 662 struct auth_rrset* rrset, *prev; 663 if(!node) return; 664 prev = NULL; 665 rrset = node->rrsets; 666 while(rrset) { 667 if(rrset->type == rr_type) { 668 /* found it, now delete it */ 669 if(prev) prev->next = rrset->next; 670 else node->rrsets = rrset->next; 671 auth_rrset_delete(rrset); 672 return; 673 } 674 prev = rrset; 675 rrset = rrset->next; 676 } 677 } 678 679 /** find an rrsig index in the rrset. returns true if found */ 680 static int 681 az_rrset_find_rrsig(struct packed_rrset_data* d, uint8_t* rdata, size_t len, 682 size_t* index) 683 { 684 size_t i; 685 for(i=d->count; i<d->count + d->rrsig_count; i++) { 686 if(d->rr_len[i] != len) 687 continue; 688 if(memcmp(d->rr_data[i], rdata, len) == 0) { 689 *index = i; 690 return 1; 691 } 692 } 693 return 0; 694 } 695 696 /** see if rdata is duplicate */ 697 static int 698 rdata_duplicate(struct packed_rrset_data* d, uint8_t* rdata, size_t len) 699 { 700 size_t i; 701 for(i=0; i<d->count + d->rrsig_count; i++) { 702 if(d->rr_len[i] != len) 703 continue; 704 if(memcmp(d->rr_data[i], rdata, len) == 0) 705 return 1; 706 } 707 return 0; 708 } 709 710 /** get rrsig type covered from rdata. 711 * @param rdata: rdata in wireformat, starting with 16bit rdlength. 712 * @param rdatalen: length of rdata buffer. 713 * @return type covered (or 0). 714 */ 715 static uint16_t 716 rrsig_rdata_get_type_covered(uint8_t* rdata, size_t rdatalen) 717 { 718 if(rdatalen < 4) 719 return 0; 720 return sldns_read_uint16(rdata+2); 721 } 722 723 /** remove RR from existing RRset. Also sig, if it is a signature. 724 * reallocates the packed rrset for a new one, false on alloc failure */ 725 static int 726 rrset_remove_rr(struct auth_rrset* rrset, size_t index) 727 { 728 struct packed_rrset_data* d, *old = rrset->data; 729 size_t i; 730 if(index >= old->count + old->rrsig_count) 731 return 0; /* index out of bounds */ 732 d = (struct packed_rrset_data*)calloc(1, packed_rrset_sizeof(old) - ( 733 sizeof(size_t) + sizeof(uint8_t*) + sizeof(time_t) + 734 old->rr_len[index])); 735 if(!d) { 736 log_err("malloc failure"); 737 return 0; 738 } 739 d->ttl = old->ttl; 740 d->count = old->count; 741 d->rrsig_count = old->rrsig_count; 742 if(index < d->count) d->count--; 743 else d->rrsig_count--; 744 d->trust = old->trust; 745 d->security = old->security; 746 747 /* set rr_len, needed for ptr_fixup */ 748 d->rr_len = (size_t*)((uint8_t*)d + 749 sizeof(struct packed_rrset_data)); 750 if(index > 0) 751 memmove(d->rr_len, old->rr_len, (index)*sizeof(size_t)); 752 if(index+1 < old->count+old->rrsig_count) 753 memmove(&d->rr_len[index], &old->rr_len[index+1], 754 (old->count+old->rrsig_count - (index+1))*sizeof(size_t)); 755 packed_rrset_ptr_fixup(d); 756 757 /* move over ttls */ 758 if(index > 0) 759 memmove(d->rr_ttl, old->rr_ttl, (index)*sizeof(time_t)); 760 if(index+1 < old->count+old->rrsig_count) 761 memmove(&d->rr_ttl[index], &old->rr_ttl[index+1], 762 (old->count+old->rrsig_count - (index+1))*sizeof(time_t)); 763 764 /* move over rr_data */ 765 for(i=0; i<d->count+d->rrsig_count; i++) { 766 size_t oldi; 767 if(i < index) oldi = i; 768 else oldi = i+1; 769 memmove(d->rr_data[i], old->rr_data[oldi], d->rr_len[i]); 770 } 771 772 /* recalc ttl (lowest of remaining RR ttls) */ 773 if(d->count + d->rrsig_count > 0) 774 d->ttl = d->rr_ttl[0]; 775 for(i=0; i<d->count+d->rrsig_count; i++) { 776 if(d->rr_ttl[i] < d->ttl) 777 d->ttl = d->rr_ttl[i]; 778 } 779 780 free(rrset->data); 781 rrset->data = d; 782 return 1; 783 } 784 785 /** add RR to existing RRset. If insert_sig is true, add to rrsigs. 786 * This reallocates the packed rrset for a new one */ 787 static int 788 rrset_add_rr(struct auth_rrset* rrset, uint32_t rr_ttl, uint8_t* rdata, 789 size_t rdatalen, int insert_sig) 790 { 791 struct packed_rrset_data* d, *old = rrset->data; 792 size_t total, old_total; 793 794 d = (struct packed_rrset_data*)calloc(1, packed_rrset_sizeof(old) 795 + sizeof(size_t) + sizeof(uint8_t*) + sizeof(time_t) 796 + rdatalen); 797 if(!d) { 798 log_err("out of memory"); 799 return 0; 800 } 801 /* copy base values */ 802 memcpy(d, old, sizeof(struct packed_rrset_data)); 803 if(!insert_sig) { 804 d->count++; 805 } else { 806 d->rrsig_count++; 807 } 808 old_total = old->count + old->rrsig_count; 809 total = d->count + d->rrsig_count; 810 /* set rr_len, needed for ptr_fixup */ 811 d->rr_len = (size_t*)((uint8_t*)d + 812 sizeof(struct packed_rrset_data)); 813 if(old->count != 0) 814 memmove(d->rr_len, old->rr_len, old->count*sizeof(size_t)); 815 if(old->rrsig_count != 0) 816 memmove(d->rr_len+d->count, old->rr_len+old->count, 817 old->rrsig_count*sizeof(size_t)); 818 if(!insert_sig) 819 d->rr_len[d->count-1] = rdatalen; 820 else d->rr_len[total-1] = rdatalen; 821 packed_rrset_ptr_fixup(d); 822 if((time_t)rr_ttl < d->ttl) 823 d->ttl = rr_ttl; 824 825 /* copy old values into new array */ 826 if(old->count != 0) { 827 memmove(d->rr_ttl, old->rr_ttl, old->count*sizeof(time_t)); 828 /* all the old rr pieces are allocated sequential, so we 829 * can copy them in one go */ 830 memmove(d->rr_data[0], old->rr_data[0], 831 (old->rr_data[old->count-1] - old->rr_data[0]) + 832 old->rr_len[old->count-1]); 833 } 834 if(old->rrsig_count != 0) { 835 memmove(d->rr_ttl+d->count, old->rr_ttl+old->count, 836 old->rrsig_count*sizeof(time_t)); 837 memmove(d->rr_data[d->count], old->rr_data[old->count], 838 (old->rr_data[old_total-1] - old->rr_data[old->count]) + 839 old->rr_len[old_total-1]); 840 } 841 842 /* insert new value */ 843 if(!insert_sig) { 844 d->rr_ttl[d->count-1] = rr_ttl; 845 memmove(d->rr_data[d->count-1], rdata, rdatalen); 846 } else { 847 d->rr_ttl[total-1] = rr_ttl; 848 memmove(d->rr_data[total-1], rdata, rdatalen); 849 } 850 851 rrset->data = d; 852 free(old); 853 return 1; 854 } 855 856 /** Create new rrset for node with packed rrset with one RR element */ 857 static struct auth_rrset* 858 rrset_create(struct auth_data* node, uint16_t rr_type, uint32_t rr_ttl, 859 uint8_t* rdata, size_t rdatalen) 860 { 861 struct auth_rrset* rrset = (struct auth_rrset*)calloc(1, 862 sizeof(*rrset)); 863 struct auth_rrset* p, *prev; 864 struct packed_rrset_data* d; 865 if(!rrset) { 866 log_err("out of memory"); 867 return NULL; 868 } 869 rrset->type = rr_type; 870 871 /* the rrset data structure, with one RR */ 872 d = (struct packed_rrset_data*)calloc(1, 873 sizeof(struct packed_rrset_data) + sizeof(size_t) + 874 sizeof(uint8_t*) + sizeof(time_t) + rdatalen); 875 if(!d) { 876 free(rrset); 877 log_err("out of memory"); 878 return NULL; 879 } 880 rrset->data = d; 881 d->ttl = rr_ttl; 882 d->trust = rrset_trust_prim_noglue; 883 d->rr_len = (size_t*)((uint8_t*)d + sizeof(struct packed_rrset_data)); 884 d->rr_data = (uint8_t**)&(d->rr_len[1]); 885 d->rr_ttl = (time_t*)&(d->rr_data[1]); 886 d->rr_data[0] = (uint8_t*)&(d->rr_ttl[1]); 887 888 /* insert the RR */ 889 d->rr_len[0] = rdatalen; 890 d->rr_ttl[0] = rr_ttl; 891 memmove(d->rr_data[0], rdata, rdatalen); 892 d->count++; 893 894 /* insert rrset into linked list for domain */ 895 /* find sorted place to link the rrset into the list */ 896 prev = NULL; 897 p = node->rrsets; 898 while(p && p->type<=rr_type) { 899 prev = p; 900 p = p->next; 901 } 902 /* so, prev is smaller, and p is larger than rr_type */ 903 rrset->next = p; 904 if(prev) prev->next = rrset; 905 else node->rrsets = rrset; 906 return rrset; 907 } 908 909 /** count number (and size) of rrsigs that cover a type */ 910 static size_t 911 rrsig_num_that_cover(struct auth_rrset* rrsig, uint16_t rr_type, size_t* sigsz) 912 { 913 struct packed_rrset_data* d = rrsig->data; 914 size_t i, num = 0; 915 *sigsz = 0; 916 log_assert(d && rrsig->type == LDNS_RR_TYPE_RRSIG); 917 for(i=0; i<d->count+d->rrsig_count; i++) { 918 if(rrsig_rdata_get_type_covered(d->rr_data[i], 919 d->rr_len[i]) == rr_type) { 920 num++; 921 (*sigsz) += d->rr_len[i]; 922 } 923 } 924 return num; 925 } 926 927 /** See if rrsig set has covered sigs for rrset and move them over */ 928 static int 929 rrset_moveover_rrsigs(struct auth_data* node, uint16_t rr_type, 930 struct auth_rrset* rrset, struct auth_rrset* rrsig) 931 { 932 size_t sigs, sigsz, i, j, total; 933 struct packed_rrset_data* sigold = rrsig->data; 934 struct packed_rrset_data* old = rrset->data; 935 struct packed_rrset_data* d, *sigd; 936 937 log_assert(rrset->type == rr_type); 938 log_assert(rrsig->type == LDNS_RR_TYPE_RRSIG); 939 sigs = rrsig_num_that_cover(rrsig, rr_type, &sigsz); 940 if(sigs == 0) { 941 /* 0 rrsigs to move over, done */ 942 return 1; 943 } 944 945 /* allocate rrset sigsz larger for extra sigs elements, and 946 * allocate rrsig sigsz smaller for less sigs elements. */ 947 d = (struct packed_rrset_data*)calloc(1, packed_rrset_sizeof(old) 948 + sigs*(sizeof(size_t) + sizeof(uint8_t*) + sizeof(time_t)) 949 + sigsz); 950 if(!d) { 951 log_err("out of memory"); 952 return 0; 953 } 954 /* copy base values */ 955 total = old->count + old->rrsig_count; 956 memcpy(d, old, sizeof(struct packed_rrset_data)); 957 d->rrsig_count += sigs; 958 /* setup rr_len */ 959 d->rr_len = (size_t*)((uint8_t*)d + 960 sizeof(struct packed_rrset_data)); 961 if(total != 0) 962 memmove(d->rr_len, old->rr_len, total*sizeof(size_t)); 963 j = d->count+d->rrsig_count-sigs; 964 for(i=0; i<sigold->count+sigold->rrsig_count; i++) { 965 if(rrsig_rdata_get_type_covered(sigold->rr_data[i], 966 sigold->rr_len[i]) == rr_type) { 967 d->rr_len[j] = sigold->rr_len[i]; 968 j++; 969 } 970 } 971 packed_rrset_ptr_fixup(d); 972 973 /* copy old values into new array */ 974 if(total != 0) { 975 memmove(d->rr_ttl, old->rr_ttl, total*sizeof(time_t)); 976 /* all the old rr pieces are allocated sequential, so we 977 * can copy them in one go */ 978 memmove(d->rr_data[0], old->rr_data[0], 979 (old->rr_data[total-1] - old->rr_data[0]) + 980 old->rr_len[total-1]); 981 } 982 983 /* move over the rrsigs to the larger rrset*/ 984 j = d->count+d->rrsig_count-sigs; 985 for(i=0; i<sigold->count+sigold->rrsig_count; i++) { 986 if(rrsig_rdata_get_type_covered(sigold->rr_data[i], 987 sigold->rr_len[i]) == rr_type) { 988 /* move this one over to location j */ 989 d->rr_ttl[j] = sigold->rr_ttl[i]; 990 memmove(d->rr_data[j], sigold->rr_data[i], 991 sigold->rr_len[i]); 992 if(d->rr_ttl[j] < d->ttl) 993 d->ttl = d->rr_ttl[j]; 994 j++; 995 } 996 } 997 998 /* put it in and deallocate the old rrset */ 999 rrset->data = d; 1000 free(old); 1001 1002 /* now make rrsig set smaller */ 1003 if(sigold->count+sigold->rrsig_count == sigs) { 1004 /* remove all sigs from rrsig, remove it entirely */ 1005 domain_remove_rrset(node, LDNS_RR_TYPE_RRSIG); 1006 return 1; 1007 } 1008 log_assert(packed_rrset_sizeof(sigold) > sigs*(sizeof(size_t) + 1009 sizeof(uint8_t*) + sizeof(time_t)) + sigsz); 1010 sigd = (struct packed_rrset_data*)calloc(1, packed_rrset_sizeof(sigold) 1011 - sigs*(sizeof(size_t) + sizeof(uint8_t*) + sizeof(time_t)) 1012 - sigsz); 1013 if(!sigd) { 1014 /* no need to free up d, it has already been placed in the 1015 * node->rrset structure */ 1016 log_err("out of memory"); 1017 return 0; 1018 } 1019 /* copy base values */ 1020 memcpy(sigd, sigold, sizeof(struct packed_rrset_data)); 1021 /* in sigd the RRSIGs are stored in the base of the RR, in count */ 1022 sigd->count -= sigs; 1023 /* setup rr_len */ 1024 sigd->rr_len = (size_t*)((uint8_t*)sigd + 1025 sizeof(struct packed_rrset_data)); 1026 j = 0; 1027 for(i=0; i<sigold->count+sigold->rrsig_count; i++) { 1028 if(rrsig_rdata_get_type_covered(sigold->rr_data[i], 1029 sigold->rr_len[i]) != rr_type) { 1030 sigd->rr_len[j] = sigold->rr_len[i]; 1031 j++; 1032 } 1033 } 1034 packed_rrset_ptr_fixup(sigd); 1035 1036 /* copy old values into new rrsig array */ 1037 j = 0; 1038 for(i=0; i<sigold->count+sigold->rrsig_count; i++) { 1039 if(rrsig_rdata_get_type_covered(sigold->rr_data[i], 1040 sigold->rr_len[i]) != rr_type) { 1041 /* move this one over to location j */ 1042 sigd->rr_ttl[j] = sigold->rr_ttl[i]; 1043 memmove(sigd->rr_data[j], sigold->rr_data[i], 1044 sigold->rr_len[i]); 1045 if(j==0) sigd->ttl = sigd->rr_ttl[j]; 1046 else { 1047 if(sigd->rr_ttl[j] < sigd->ttl) 1048 sigd->ttl = sigd->rr_ttl[j]; 1049 } 1050 j++; 1051 } 1052 } 1053 1054 /* put it in and deallocate the old rrset */ 1055 rrsig->data = sigd; 1056 free(sigold); 1057 1058 return 1; 1059 } 1060 1061 /** copy the rrsigs from the rrset to the rrsig rrset, because the rrset 1062 * is going to be deleted. reallocates the RRSIG rrset data. */ 1063 static int 1064 rrsigs_copy_from_rrset_to_rrsigset(struct auth_rrset* rrset, 1065 struct auth_rrset* rrsigset) 1066 { 1067 size_t i; 1068 if(rrset->data->rrsig_count == 0) 1069 return 1; 1070 1071 /* move them over one by one, because there might be duplicates, 1072 * duplicates are ignored */ 1073 for(i=rrset->data->count; 1074 i<rrset->data->count+rrset->data->rrsig_count; i++) { 1075 uint8_t* rdata = rrset->data->rr_data[i]; 1076 size_t rdatalen = rrset->data->rr_len[i]; 1077 time_t rr_ttl = rrset->data->rr_ttl[i]; 1078 1079 if(rdata_duplicate(rrsigset->data, rdata, rdatalen)) { 1080 continue; 1081 } 1082 if(!rrset_add_rr(rrsigset, rr_ttl, rdata, rdatalen, 0)) 1083 return 0; 1084 } 1085 return 1; 1086 } 1087 1088 /** Add rr to node, ignores duplicate RRs, 1089 * rdata points to buffer with rdatalen octets, starts with 2bytelength. */ 1090 static int 1091 az_domain_add_rr(struct auth_data* node, uint16_t rr_type, uint32_t rr_ttl, 1092 uint8_t* rdata, size_t rdatalen, int* duplicate) 1093 { 1094 struct auth_rrset* rrset; 1095 /* packed rrsets have their rrsigs along with them, sort them out */ 1096 if(rr_type == LDNS_RR_TYPE_RRSIG) { 1097 uint16_t ctype = rrsig_rdata_get_type_covered(rdata, rdatalen); 1098 if((rrset=az_domain_rrset(node, ctype))!= NULL) { 1099 /* a node of the correct type exists, add the RRSIG 1100 * to the rrset of the covered data type */ 1101 if(rdata_duplicate(rrset->data, rdata, rdatalen)) { 1102 if(duplicate) *duplicate = 1; 1103 return 1; 1104 } 1105 if(!rrset_add_rr(rrset, rr_ttl, rdata, rdatalen, 1)) 1106 return 0; 1107 } else if((rrset=az_domain_rrset(node, rr_type))!= NULL) { 1108 /* add RRSIG to rrset of type RRSIG */ 1109 if(rdata_duplicate(rrset->data, rdata, rdatalen)) { 1110 if(duplicate) *duplicate = 1; 1111 return 1; 1112 } 1113 if(!rrset_add_rr(rrset, rr_ttl, rdata, rdatalen, 0)) 1114 return 0; 1115 } else { 1116 /* create rrset of type RRSIG */ 1117 if(!rrset_create(node, rr_type, rr_ttl, rdata, 1118 rdatalen)) 1119 return 0; 1120 } 1121 } else { 1122 /* normal RR type */ 1123 if((rrset=az_domain_rrset(node, rr_type))!= NULL) { 1124 /* add data to existing node with data type */ 1125 if(rdata_duplicate(rrset->data, rdata, rdatalen)) { 1126 if(duplicate) *duplicate = 1; 1127 return 1; 1128 } 1129 if(!rrset_add_rr(rrset, rr_ttl, rdata, rdatalen, 0)) 1130 return 0; 1131 } else { 1132 struct auth_rrset* rrsig; 1133 /* create new node with data type */ 1134 if(!(rrset=rrset_create(node, rr_type, rr_ttl, rdata, 1135 rdatalen))) 1136 return 0; 1137 1138 /* see if node of type RRSIG has signatures that 1139 * cover the data type, and move them over */ 1140 /* and then make the RRSIG type smaller */ 1141 if((rrsig=az_domain_rrset(node, LDNS_RR_TYPE_RRSIG)) 1142 != NULL) { 1143 if(!rrset_moveover_rrsigs(node, rr_type, 1144 rrset, rrsig)) 1145 return 0; 1146 } 1147 } 1148 } 1149 return 1; 1150 } 1151 1152 /** insert RR into zone, ignore duplicates */ 1153 static int 1154 az_insert_rr(struct auth_zone* z, uint8_t* rr, size_t rr_len, 1155 size_t dname_len, int* duplicate) 1156 { 1157 struct auth_data* node; 1158 uint8_t* dname = rr; 1159 uint16_t rr_type = sldns_wirerr_get_type(rr, rr_len, dname_len); 1160 uint16_t rr_class = sldns_wirerr_get_class(rr, rr_len, dname_len); 1161 uint32_t rr_ttl = sldns_wirerr_get_ttl(rr, rr_len, dname_len); 1162 size_t rdatalen = ((size_t)sldns_wirerr_get_rdatalen(rr, rr_len, 1163 dname_len))+2; 1164 /* rdata points to rdata prefixed with uint16 rdatalength */ 1165 uint8_t* rdata = sldns_wirerr_get_rdatawl(rr, rr_len, dname_len); 1166 1167 if(rr_class != z->dclass) { 1168 log_err("wrong class for RR"); 1169 return 0; 1170 } 1171 if(!(node=az_domain_find_or_create(z, dname, dname_len))) { 1172 log_err("cannot create domain"); 1173 return 0; 1174 } 1175 if(!az_domain_add_rr(node, rr_type, rr_ttl, rdata, rdatalen, 1176 duplicate)) { 1177 log_err("cannot add RR to domain"); 1178 return 0; 1179 } 1180 if(z->rpz) { 1181 if(!(rpz_insert_rr(z->rpz, z->namelen, dname, dname_len, 1182 rr_type, rr_class, rr_ttl, rdata, rdatalen, rr, 1183 rr_len))) 1184 return 0; 1185 } 1186 return 1; 1187 } 1188 1189 /** Remove rr from node, ignores nonexisting RRs, 1190 * rdata points to buffer with rdatalen octets, starts with 2bytelength. */ 1191 static int 1192 az_domain_remove_rr(struct auth_data* node, uint16_t rr_type, 1193 uint8_t* rdata, size_t rdatalen, int* nonexist) 1194 { 1195 struct auth_rrset* rrset; 1196 size_t index = 0; 1197 1198 /* find the plain RR of the given type */ 1199 if((rrset=az_domain_rrset(node, rr_type))!= NULL) { 1200 if(packed_rrset_find_rr(rrset->data, rdata, rdatalen, &index)) { 1201 if(rrset->data->count == 1 && 1202 rrset->data->rrsig_count == 0) { 1203 /* last RR, delete the rrset */ 1204 domain_remove_rrset(node, rr_type); 1205 } else if(rrset->data->count == 1 && 1206 rrset->data->rrsig_count != 0) { 1207 /* move RRSIGs to the RRSIG rrset, or 1208 * this one becomes that RRset */ 1209 struct auth_rrset* rrsigset = az_domain_rrset( 1210 node, LDNS_RR_TYPE_RRSIG); 1211 if(rrsigset) { 1212 /* move left over rrsigs to the 1213 * existing rrset of type RRSIG */ 1214 rrsigs_copy_from_rrset_to_rrsigset( 1215 rrset, rrsigset); 1216 /* and then delete the rrset */ 1217 domain_remove_rrset(node, rr_type); 1218 } else { 1219 /* no rrset of type RRSIG, this 1220 * set is now of that type, 1221 * just remove the rr */ 1222 if(!rrset_remove_rr(rrset, index)) 1223 return 0; 1224 rrset->type = LDNS_RR_TYPE_RRSIG; 1225 rrset->data->count = rrset->data->rrsig_count; 1226 rrset->data->rrsig_count = 0; 1227 } 1228 } else { 1229 /* remove the RR from the rrset */ 1230 if(!rrset_remove_rr(rrset, index)) 1231 return 0; 1232 } 1233 return 1; 1234 } 1235 /* rr not found in rrset */ 1236 } 1237 1238 /* is it a type RRSIG, look under the covered type */ 1239 if(rr_type == LDNS_RR_TYPE_RRSIG) { 1240 uint16_t ctype = rrsig_rdata_get_type_covered(rdata, rdatalen); 1241 if((rrset=az_domain_rrset(node, ctype))!= NULL) { 1242 if(az_rrset_find_rrsig(rrset->data, rdata, rdatalen, 1243 &index)) { 1244 /* rrsig should have d->count > 0, be 1245 * over some rr of that type */ 1246 /* remove the rrsig from the rrsigs list of the 1247 * rrset */ 1248 if(!rrset_remove_rr(rrset, index)) 1249 return 0; 1250 return 1; 1251 } 1252 } 1253 /* also RRSIG not found */ 1254 } 1255 1256 /* nothing found to delete */ 1257 if(nonexist) *nonexist = 1; 1258 return 1; 1259 } 1260 1261 /** remove RR from zone, ignore if it does not exist, false on alloc failure*/ 1262 static int 1263 az_remove_rr(struct auth_zone* z, uint8_t* rr, size_t rr_len, 1264 size_t dname_len, int* nonexist) 1265 { 1266 struct auth_data* node; 1267 uint8_t* dname = rr; 1268 uint16_t rr_type = sldns_wirerr_get_type(rr, rr_len, dname_len); 1269 uint16_t rr_class = sldns_wirerr_get_class(rr, rr_len, dname_len); 1270 size_t rdatalen = ((size_t)sldns_wirerr_get_rdatalen(rr, rr_len, 1271 dname_len))+2; 1272 /* rdata points to rdata prefixed with uint16 rdatalength */ 1273 uint8_t* rdata = sldns_wirerr_get_rdatawl(rr, rr_len, dname_len); 1274 1275 if(rr_class != z->dclass) { 1276 log_err("wrong class for RR"); 1277 /* really also a nonexisting entry, because no records 1278 * of that class in the zone, but return an error because 1279 * getting records of the wrong class is a failure of the 1280 * zone transfer */ 1281 return 0; 1282 } 1283 node = az_find_name(z, dname, dname_len); 1284 if(!node) { 1285 /* node with that name does not exist */ 1286 /* nonexisting entry, because no such name */ 1287 *nonexist = 1; 1288 return 1; 1289 } 1290 if(!az_domain_remove_rr(node, rr_type, rdata, rdatalen, nonexist)) { 1291 /* alloc failure or so */ 1292 return 0; 1293 } 1294 /* remove the node, if necessary */ 1295 /* an rrsets==NULL entry is not kept around for empty nonterminals, 1296 * and also parent nodes are not kept around, so we just delete it */ 1297 if(node->rrsets == NULL) { 1298 (void)rbtree_delete(&z->data, node); 1299 auth_data_delete(node); 1300 } 1301 if(z->rpz) { 1302 rpz_remove_rr(z->rpz, z->namelen, dname, dname_len, rr_type, 1303 rr_class, rdata, rdatalen); 1304 } 1305 return 1; 1306 } 1307 1308 /** decompress an RR into the buffer where it'll be an uncompressed RR 1309 * with uncompressed dname and uncompressed rdata (dnames) */ 1310 static int 1311 decompress_rr_into_buffer(struct sldns_buffer* buf, uint8_t* pkt, 1312 size_t pktlen, uint8_t* dname, uint16_t rr_type, uint16_t rr_class, 1313 uint32_t rr_ttl, uint8_t* rr_data, uint16_t rr_rdlen) 1314 { 1315 sldns_buffer pktbuf; 1316 size_t dname_len = 0; 1317 size_t rdlenpos; 1318 size_t rdlen; 1319 uint8_t* rd; 1320 const sldns_rr_descriptor* desc; 1321 sldns_buffer_init_frm_data(&pktbuf, pkt, pktlen); 1322 sldns_buffer_clear(buf); 1323 1324 /* decompress dname */ 1325 sldns_buffer_set_position(&pktbuf, 1326 (size_t)(dname - sldns_buffer_current(&pktbuf))); 1327 dname_len = pkt_dname_len(&pktbuf); 1328 if(dname_len == 0) return 0; /* parse fail on dname */ 1329 if(!sldns_buffer_available(buf, dname_len)) return 0; 1330 dname_pkt_copy(&pktbuf, sldns_buffer_current(buf), dname); 1331 sldns_buffer_skip(buf, (ssize_t)dname_len); 1332 1333 /* type, class, ttl and rdatalength fields */ 1334 if(!sldns_buffer_available(buf, 10)) return 0; 1335 sldns_buffer_write_u16(buf, rr_type); 1336 sldns_buffer_write_u16(buf, rr_class); 1337 sldns_buffer_write_u32(buf, rr_ttl); 1338 rdlenpos = sldns_buffer_position(buf); 1339 sldns_buffer_write_u16(buf, 0); /* rd length position */ 1340 1341 /* decompress rdata */ 1342 desc = sldns_rr_descript(rr_type); 1343 rd = rr_data; 1344 rdlen = rr_rdlen; 1345 if(rdlen > 0 && desc && desc->_dname_count > 0) { 1346 int count = (int)desc->_dname_count; 1347 int rdf = 0; 1348 size_t len; /* how much rdata to plain copy */ 1349 size_t uncompressed_len, compressed_len; 1350 size_t oldpos; 1351 /* decompress dnames. */ 1352 while(rdlen > 0 && count) { 1353 switch(desc->_wireformat[rdf]) { 1354 case LDNS_RDF_TYPE_DNAME: 1355 sldns_buffer_set_position(&pktbuf, 1356 (size_t)(rd - 1357 sldns_buffer_begin(&pktbuf))); 1358 oldpos = sldns_buffer_position(&pktbuf); 1359 /* moves pktbuf to right after the 1360 * compressed dname, and returns uncompressed 1361 * dname length */ 1362 uncompressed_len = pkt_dname_len(&pktbuf); 1363 if(!uncompressed_len) 1364 return 0; /* parse error in dname */ 1365 if(!sldns_buffer_available(buf, 1366 uncompressed_len)) 1367 /* dname too long for buffer */ 1368 return 0; 1369 dname_pkt_copy(&pktbuf, 1370 sldns_buffer_current(buf), rd); 1371 sldns_buffer_skip(buf, (ssize_t)uncompressed_len); 1372 compressed_len = sldns_buffer_position( 1373 &pktbuf) - oldpos; 1374 rd += compressed_len; 1375 rdlen -= compressed_len; 1376 count--; 1377 len = 0; 1378 break; 1379 case LDNS_RDF_TYPE_STR: 1380 len = rd[0] + 1; 1381 break; 1382 default: 1383 len = get_rdf_size(desc->_wireformat[rdf]); 1384 break; 1385 } 1386 if(len) { 1387 if(!sldns_buffer_available(buf, len)) 1388 return 0; /* too long for buffer */ 1389 sldns_buffer_write(buf, rd, len); 1390 rd += len; 1391 rdlen -= len; 1392 } 1393 rdf++; 1394 } 1395 } 1396 /* copy remaining data */ 1397 if(rdlen > 0) { 1398 if(!sldns_buffer_available(buf, rdlen)) return 0; 1399 sldns_buffer_write(buf, rd, rdlen); 1400 } 1401 /* fixup rdlength */ 1402 sldns_buffer_write_u16_at(buf, rdlenpos, 1403 sldns_buffer_position(buf)-rdlenpos-2); 1404 sldns_buffer_flip(buf); 1405 return 1; 1406 } 1407 1408 /** insert RR into zone, from packet, decompress RR, 1409 * if duplicate is nonNULL set the flag but otherwise ignore duplicates */ 1410 static int 1411 az_insert_rr_decompress(struct auth_zone* z, uint8_t* pkt, size_t pktlen, 1412 struct sldns_buffer* scratch_buffer, uint8_t* dname, uint16_t rr_type, 1413 uint16_t rr_class, uint32_t rr_ttl, uint8_t* rr_data, 1414 uint16_t rr_rdlen, int* duplicate) 1415 { 1416 uint8_t* rr; 1417 size_t rr_len; 1418 size_t dname_len; 1419 if(!decompress_rr_into_buffer(scratch_buffer, pkt, pktlen, dname, 1420 rr_type, rr_class, rr_ttl, rr_data, rr_rdlen)) { 1421 log_err("could not decompress RR"); 1422 return 0; 1423 } 1424 rr = sldns_buffer_begin(scratch_buffer); 1425 rr_len = sldns_buffer_limit(scratch_buffer); 1426 dname_len = dname_valid(rr, rr_len); 1427 return az_insert_rr(z, rr, rr_len, dname_len, duplicate); 1428 } 1429 1430 /** remove RR from zone, from packet, decompress RR, 1431 * if nonexist is nonNULL set the flag but otherwise ignore nonexisting entries*/ 1432 static int 1433 az_remove_rr_decompress(struct auth_zone* z, uint8_t* pkt, size_t pktlen, 1434 struct sldns_buffer* scratch_buffer, uint8_t* dname, uint16_t rr_type, 1435 uint16_t rr_class, uint32_t rr_ttl, uint8_t* rr_data, 1436 uint16_t rr_rdlen, int* nonexist) 1437 { 1438 uint8_t* rr; 1439 size_t rr_len; 1440 size_t dname_len; 1441 if(!decompress_rr_into_buffer(scratch_buffer, pkt, pktlen, dname, 1442 rr_type, rr_class, rr_ttl, rr_data, rr_rdlen)) { 1443 log_err("could not decompress RR"); 1444 return 0; 1445 } 1446 rr = sldns_buffer_begin(scratch_buffer); 1447 rr_len = sldns_buffer_limit(scratch_buffer); 1448 dname_len = dname_valid(rr, rr_len); 1449 return az_remove_rr(z, rr, rr_len, dname_len, nonexist); 1450 } 1451 1452 /** 1453 * Parse zonefile 1454 * @param z: zone to read in. 1455 * @param in: file to read from (just opened). 1456 * @param rr: buffer to use for RRs, 64k. 1457 * passed so that recursive includes can use the same buffer and do 1458 * not grow the stack too much. 1459 * @param rrbuflen: sizeof rr buffer. 1460 * @param state: parse state with $ORIGIN, $TTL and 'prev-dname' and so on, 1461 * that is kept between includes. 1462 * The lineno is set at 1 and then increased by the function. 1463 * @param fname: file name. 1464 * @param depth: recursion depth for includes 1465 * @param cfg: config for chroot. 1466 * returns false on failure, has printed an error message 1467 */ 1468 static int 1469 az_parse_file(struct auth_zone* z, FILE* in, uint8_t* rr, size_t rrbuflen, 1470 struct sldns_file_parse_state* state, char* fname, int depth, 1471 struct config_file* cfg) 1472 { 1473 size_t rr_len, dname_len; 1474 int status; 1475 state->lineno = 1; 1476 1477 while(!feof(in)) { 1478 rr_len = rrbuflen; 1479 dname_len = 0; 1480 status = sldns_fp2wire_rr_buf(in, rr, &rr_len, &dname_len, 1481 state); 1482 if(status == LDNS_WIREPARSE_ERR_INCLUDE && rr_len == 0) { 1483 /* we have $INCLUDE or $something */ 1484 if(strncmp((char*)rr, "$INCLUDE ", 9) == 0 || 1485 strncmp((char*)rr, "$INCLUDE\t", 9) == 0) { 1486 FILE* inc; 1487 int lineno_orig = state->lineno; 1488 char* incfile = (char*)rr + 8; 1489 if(depth > MAX_INCLUDE_DEPTH) { 1490 log_err("%s:%d max include depth" 1491 "exceeded", fname, state->lineno); 1492 return 0; 1493 } 1494 /* skip spaces */ 1495 while(*incfile == ' ' || *incfile == '\t') 1496 incfile++; 1497 /* adjust for chroot on include file */ 1498 if(cfg->chrootdir && cfg->chrootdir[0] && 1499 strncmp(incfile, cfg->chrootdir, 1500 strlen(cfg->chrootdir)) == 0) 1501 incfile += strlen(cfg->chrootdir); 1502 incfile = strdup(incfile); 1503 if(!incfile) { 1504 log_err("malloc failure"); 1505 return 0; 1506 } 1507 verbose(VERB_ALGO, "opening $INCLUDE %s", 1508 incfile); 1509 inc = fopen(incfile, "r"); 1510 if(!inc) { 1511 log_err("%s:%d cannot open include " 1512 "file %s: %s", fname, 1513 lineno_orig, incfile, 1514 strerror(errno)); 1515 free(incfile); 1516 return 0; 1517 } 1518 /* recurse read that file now */ 1519 if(!az_parse_file(z, inc, rr, rrbuflen, 1520 state, incfile, depth+1, cfg)) { 1521 log_err("%s:%d cannot parse include " 1522 "file %s", fname, 1523 lineno_orig, incfile); 1524 fclose(inc); 1525 free(incfile); 1526 return 0; 1527 } 1528 fclose(inc); 1529 verbose(VERB_ALGO, "done with $INCLUDE %s", 1530 incfile); 1531 free(incfile); 1532 state->lineno = lineno_orig; 1533 } 1534 continue; 1535 } 1536 if(status != 0) { 1537 log_err("parse error %s %d:%d: %s", fname, 1538 state->lineno, LDNS_WIREPARSE_OFFSET(status), 1539 sldns_get_errorstr_parse(status)); 1540 return 0; 1541 } 1542 if(rr_len == 0) { 1543 /* EMPTY line, TTL or ORIGIN */ 1544 continue; 1545 } 1546 /* insert wirerr in rrbuf */ 1547 if(!az_insert_rr(z, rr, rr_len, dname_len, NULL)) { 1548 char buf[17]; 1549 sldns_wire2str_type_buf(sldns_wirerr_get_type(rr, 1550 rr_len, dname_len), buf, sizeof(buf)); 1551 log_err("%s:%d cannot insert RR of type %s", 1552 fname, state->lineno, buf); 1553 return 0; 1554 } 1555 } 1556 return 1; 1557 } 1558 1559 int 1560 auth_zone_read_zonefile(struct auth_zone* z, struct config_file* cfg) 1561 { 1562 uint8_t rr[LDNS_RR_BUF_SIZE]; 1563 struct sldns_file_parse_state state; 1564 char* zfilename; 1565 FILE* in; 1566 if(!z || !z->zonefile || z->zonefile[0]==0) 1567 return 1; /* no file, or "", nothing to read */ 1568 1569 zfilename = z->zonefile; 1570 if(cfg->chrootdir && cfg->chrootdir[0] && strncmp(zfilename, 1571 cfg->chrootdir, strlen(cfg->chrootdir)) == 0) 1572 zfilename += strlen(cfg->chrootdir); 1573 if(verbosity >= VERB_ALGO) { 1574 char nm[255+1]; 1575 dname_str(z->name, nm); 1576 verbose(VERB_ALGO, "read zonefile %s for %s", zfilename, nm); 1577 } 1578 in = fopen(zfilename, "r"); 1579 if(!in) { 1580 char* n = sldns_wire2str_dname(z->name, z->namelen); 1581 if(z->zone_is_slave && errno == ENOENT) { 1582 /* we fetch the zone contents later, no file yet */ 1583 verbose(VERB_ALGO, "no zonefile %s for %s", 1584 zfilename, n?n:"error"); 1585 free(n); 1586 return 1; 1587 } 1588 log_err("cannot open zonefile %s for %s: %s", 1589 zfilename, n?n:"error", strerror(errno)); 1590 free(n); 1591 return 0; 1592 } 1593 1594 /* clear the data tree */ 1595 traverse_postorder(&z->data, auth_data_del, NULL); 1596 rbtree_init(&z->data, &auth_data_cmp); 1597 /* clear the RPZ policies */ 1598 if(z->rpz) 1599 rpz_clear(z->rpz); 1600 1601 memset(&state, 0, sizeof(state)); 1602 /* default TTL to 3600 */ 1603 state.default_ttl = 3600; 1604 /* set $ORIGIN to the zone name */ 1605 if(z->namelen <= sizeof(state.origin)) { 1606 memcpy(state.origin, z->name, z->namelen); 1607 state.origin_len = z->namelen; 1608 } 1609 /* parse the (toplevel) file */ 1610 if(!az_parse_file(z, in, rr, sizeof(rr), &state, zfilename, 0, cfg)) { 1611 char* n = sldns_wire2str_dname(z->name, z->namelen); 1612 log_err("error parsing zonefile %s for %s", 1613 zfilename, n?n:"error"); 1614 free(n); 1615 fclose(in); 1616 return 0; 1617 } 1618 fclose(in); 1619 1620 if(z->rpz) 1621 rpz_finish_config(z->rpz); 1622 return 1; 1623 } 1624 1625 /** write buffer to file and check return codes */ 1626 static int 1627 write_out(FILE* out, const char* str, size_t len) 1628 { 1629 size_t r; 1630 if(len == 0) 1631 return 1; 1632 r = fwrite(str, 1, len, out); 1633 if(r == 0) { 1634 log_err("write failed: %s", strerror(errno)); 1635 return 0; 1636 } else if(r < len) { 1637 log_err("write failed: too short (disk full?)"); 1638 return 0; 1639 } 1640 return 1; 1641 } 1642 1643 /** convert auth rr to string */ 1644 static int 1645 auth_rr_to_string(uint8_t* nm, size_t nmlen, uint16_t tp, uint16_t cl, 1646 struct packed_rrset_data* data, size_t i, char* s, size_t buflen) 1647 { 1648 int w = 0; 1649 size_t slen = buflen, datlen; 1650 uint8_t* dat; 1651 if(i >= data->count) tp = LDNS_RR_TYPE_RRSIG; 1652 dat = nm; 1653 datlen = nmlen; 1654 w += sldns_wire2str_dname_scan(&dat, &datlen, &s, &slen, NULL, 0, NULL); 1655 w += sldns_str_print(&s, &slen, "\t"); 1656 w += sldns_str_print(&s, &slen, "%lu\t", (unsigned long)data->rr_ttl[i]); 1657 w += sldns_wire2str_class_print(&s, &slen, cl); 1658 w += sldns_str_print(&s, &slen, "\t"); 1659 w += sldns_wire2str_type_print(&s, &slen, tp); 1660 w += sldns_str_print(&s, &slen, "\t"); 1661 datlen = data->rr_len[i]-2; 1662 dat = data->rr_data[i]+2; 1663 w += sldns_wire2str_rdata_scan(&dat, &datlen, &s, &slen, tp, NULL, 0, NULL); 1664 1665 if(tp == LDNS_RR_TYPE_DNSKEY) { 1666 w += sldns_str_print(&s, &slen, " ;{id = %u}", 1667 sldns_calc_keytag_raw(data->rr_data[i]+2, 1668 data->rr_len[i]-2)); 1669 } 1670 w += sldns_str_print(&s, &slen, "\n"); 1671 1672 if(w >= (int)buflen) { 1673 log_nametypeclass(NO_VERBOSE, "RR too long to print", nm, tp, cl); 1674 return 0; 1675 } 1676 return 1; 1677 } 1678 1679 /** write rrset to file */ 1680 static int 1681 auth_zone_write_rrset(struct auth_zone* z, struct auth_data* node, 1682 struct auth_rrset* r, FILE* out) 1683 { 1684 size_t i, count = r->data->count + r->data->rrsig_count; 1685 char buf[LDNS_RR_BUF_SIZE]; 1686 for(i=0; i<count; i++) { 1687 if(!auth_rr_to_string(node->name, node->namelen, r->type, 1688 z->dclass, r->data, i, buf, sizeof(buf))) { 1689 verbose(VERB_ALGO, "failed to rr2str rr %d", (int)i); 1690 continue; 1691 } 1692 if(!write_out(out, buf, strlen(buf))) 1693 return 0; 1694 } 1695 return 1; 1696 } 1697 1698 /** write domain to file */ 1699 static int 1700 auth_zone_write_domain(struct auth_zone* z, struct auth_data* n, FILE* out) 1701 { 1702 struct auth_rrset* r; 1703 /* if this is zone apex, write SOA first */ 1704 if(z->namelen == n->namelen) { 1705 struct auth_rrset* soa = az_domain_rrset(n, LDNS_RR_TYPE_SOA); 1706 if(soa) { 1707 if(!auth_zone_write_rrset(z, n, soa, out)) 1708 return 0; 1709 } 1710 } 1711 /* write all the RRsets for this domain */ 1712 for(r = n->rrsets; r; r = r->next) { 1713 if(z->namelen == n->namelen && 1714 r->type == LDNS_RR_TYPE_SOA) 1715 continue; /* skip SOA here */ 1716 if(!auth_zone_write_rrset(z, n, r, out)) 1717 return 0; 1718 } 1719 return 1; 1720 } 1721 1722 int auth_zone_write_file(struct auth_zone* z, const char* fname) 1723 { 1724 FILE* out; 1725 struct auth_data* n; 1726 out = fopen(fname, "w"); 1727 if(!out) { 1728 log_err("could not open %s: %s", fname, strerror(errno)); 1729 return 0; 1730 } 1731 RBTREE_FOR(n, struct auth_data*, &z->data) { 1732 if(!auth_zone_write_domain(z, n, out)) { 1733 log_err("could not write domain to %s", fname); 1734 fclose(out); 1735 return 0; 1736 } 1737 } 1738 fclose(out); 1739 return 1; 1740 } 1741 1742 /** read all auth zones from file (if they have) */ 1743 static int 1744 auth_zones_read_zones(struct auth_zones* az, struct config_file* cfg) 1745 { 1746 struct auth_zone* z; 1747 lock_rw_wrlock(&az->lock); 1748 RBTREE_FOR(z, struct auth_zone*, &az->ztree) { 1749 lock_rw_wrlock(&z->lock); 1750 if(!auth_zone_read_zonefile(z, cfg)) { 1751 lock_rw_unlock(&z->lock); 1752 lock_rw_unlock(&az->lock); 1753 return 0; 1754 } 1755 lock_rw_unlock(&z->lock); 1756 } 1757 lock_rw_unlock(&az->lock); 1758 return 1; 1759 } 1760 1761 /** find serial number of zone or false if none */ 1762 int 1763 auth_zone_get_serial(struct auth_zone* z, uint32_t* serial) 1764 { 1765 struct auth_data* apex; 1766 struct auth_rrset* soa; 1767 struct packed_rrset_data* d; 1768 apex = az_find_name(z, z->name, z->namelen); 1769 if(!apex) return 0; 1770 soa = az_domain_rrset(apex, LDNS_RR_TYPE_SOA); 1771 if(!soa || soa->data->count==0) 1772 return 0; /* no RRset or no RRs in rrset */ 1773 if(soa->data->rr_len[0] < 2+4*5) return 0; /* SOA too short */ 1774 d = soa->data; 1775 *serial = sldns_read_uint32(d->rr_data[0]+(d->rr_len[0]-20)); 1776 return 1; 1777 } 1778 1779 /** Find auth_zone SOA and populate the values in xfr(soa values). */ 1780 static int 1781 xfr_find_soa(struct auth_zone* z, struct auth_xfer* xfr) 1782 { 1783 struct auth_data* apex; 1784 struct auth_rrset* soa; 1785 struct packed_rrset_data* d; 1786 apex = az_find_name(z, z->name, z->namelen); 1787 if(!apex) return 0; 1788 soa = az_domain_rrset(apex, LDNS_RR_TYPE_SOA); 1789 if(!soa || soa->data->count==0) 1790 return 0; /* no RRset or no RRs in rrset */ 1791 if(soa->data->rr_len[0] < 2+4*5) return 0; /* SOA too short */ 1792 /* SOA record ends with serial, refresh, retry, expiry, minimum, 1793 * as 4 byte fields */ 1794 d = soa->data; 1795 xfr->have_zone = 1; 1796 xfr->serial = sldns_read_uint32(d->rr_data[0]+(d->rr_len[0]-20)); 1797 xfr->refresh = sldns_read_uint32(d->rr_data[0]+(d->rr_len[0]-16)); 1798 xfr->retry = sldns_read_uint32(d->rr_data[0]+(d->rr_len[0]-12)); 1799 xfr->expiry = sldns_read_uint32(d->rr_data[0]+(d->rr_len[0]-8)); 1800 /* soa minimum at d->rr_len[0]-4 */ 1801 return 1; 1802 } 1803 1804 /** 1805 * Setup auth_xfer zone 1806 * This populates the have_zone, soa values, and so on times. 1807 * Doesn't do network traffic yet, can set option flags. 1808 * @param z: locked by caller, and modified for setup 1809 * @param x: locked by caller, and modified. 1810 * @return false on failure. 1811 */ 1812 static int 1813 auth_xfer_setup(struct auth_zone* z, struct auth_xfer* x) 1814 { 1815 /* for a zone without zone transfers, x==NULL, so skip them, 1816 * i.e. the zone config is fixed with no masters or urls */ 1817 if(!z || !x) return 1; 1818 if(!xfr_find_soa(z, x)) { 1819 return 1; 1820 } 1821 /* nothing for probe, nextprobe and transfer tasks */ 1822 return 1; 1823 } 1824 1825 /** 1826 * Setup all zones 1827 * @param az: auth zones structure 1828 * @return false on failure. 1829 */ 1830 static int 1831 auth_zones_setup_zones(struct auth_zones* az) 1832 { 1833 struct auth_zone* z; 1834 struct auth_xfer* x; 1835 lock_rw_wrlock(&az->lock); 1836 RBTREE_FOR(z, struct auth_zone*, &az->ztree) { 1837 lock_rw_wrlock(&z->lock); 1838 x = auth_xfer_find(az, z->name, z->namelen, z->dclass); 1839 if(x) { 1840 lock_basic_lock(&x->lock); 1841 } 1842 if(!auth_xfer_setup(z, x)) { 1843 if(x) { 1844 lock_basic_unlock(&x->lock); 1845 } 1846 lock_rw_unlock(&z->lock); 1847 lock_rw_unlock(&az->lock); 1848 return 0; 1849 } 1850 if(x) { 1851 lock_basic_unlock(&x->lock); 1852 } 1853 lock_rw_unlock(&z->lock); 1854 } 1855 lock_rw_unlock(&az->lock); 1856 return 1; 1857 } 1858 1859 /** set config items and create zones */ 1860 static int 1861 auth_zones_cfg(struct auth_zones* az, struct config_auth* c) 1862 { 1863 struct auth_zone* z; 1864 struct auth_xfer* x = NULL; 1865 1866 /* create zone */ 1867 lock_rw_wrlock(&az->lock); 1868 if(!(z=auth_zones_find_or_add_zone(az, c->name))) { 1869 lock_rw_unlock(&az->lock); 1870 return 0; 1871 } 1872 if(c->masters || c->urls) { 1873 if(!(x=auth_zones_find_or_add_xfer(az, z))) { 1874 lock_rw_unlock(&az->lock); 1875 lock_rw_unlock(&z->lock); 1876 return 0; 1877 } 1878 } 1879 if(c->for_downstream) 1880 az->have_downstream = 1; 1881 lock_rw_unlock(&az->lock); 1882 1883 /* set options */ 1884 z->zone_deleted = 0; 1885 if(!auth_zone_set_zonefile(z, c->zonefile)) { 1886 if(x) { 1887 lock_basic_unlock(&x->lock); 1888 } 1889 lock_rw_unlock(&z->lock); 1890 return 0; 1891 } 1892 z->for_downstream = c->for_downstream; 1893 z->for_upstream = c->for_upstream; 1894 z->fallback_enabled = c->fallback_enabled; 1895 if(c->isrpz && !z->rpz){ 1896 if(!(z->rpz = rpz_create(c))){ 1897 fatal_exit("Could not setup RPZ zones"); 1898 return 0; 1899 } 1900 lock_rw_wrlock(&az->rpz_lock); 1901 z->rpz->next = az->rpz_first; 1902 if(az->rpz_first) 1903 az->rpz_first->prev = z->rpz; 1904 az->rpz_first = z->rpz; 1905 lock_rw_unlock(&az->rpz_lock); 1906 } 1907 1908 /* xfer zone */ 1909 if(x) { 1910 z->zone_is_slave = 1; 1911 /* set options on xfer zone */ 1912 if(!xfer_set_masters(&x->task_probe->masters, c, 0)) { 1913 lock_basic_unlock(&x->lock); 1914 lock_rw_unlock(&z->lock); 1915 return 0; 1916 } 1917 if(!xfer_set_masters(&x->task_transfer->masters, c, 1)) { 1918 lock_basic_unlock(&x->lock); 1919 lock_rw_unlock(&z->lock); 1920 return 0; 1921 } 1922 lock_basic_unlock(&x->lock); 1923 } 1924 1925 lock_rw_unlock(&z->lock); 1926 return 1; 1927 } 1928 1929 /** set all auth zones deleted, then in auth_zones_cfg, it marks them 1930 * as nondeleted (if they are still in the config), and then later 1931 * we can find deleted zones */ 1932 static void 1933 az_setall_deleted(struct auth_zones* az) 1934 { 1935 struct auth_zone* z; 1936 lock_rw_wrlock(&az->lock); 1937 RBTREE_FOR(z, struct auth_zone*, &az->ztree) { 1938 lock_rw_wrlock(&z->lock); 1939 z->zone_deleted = 1; 1940 lock_rw_unlock(&z->lock); 1941 } 1942 lock_rw_unlock(&az->lock); 1943 } 1944 1945 /** find zones that are marked deleted and delete them. 1946 * This is called from apply_cfg, and there are no threads and no 1947 * workers, so the xfr can just be deleted. */ 1948 static void 1949 az_delete_deleted_zones(struct auth_zones* az) 1950 { 1951 struct auth_zone* z; 1952 struct auth_zone* delete_list = NULL, *next; 1953 struct auth_xfer* xfr; 1954 lock_rw_wrlock(&az->lock); 1955 RBTREE_FOR(z, struct auth_zone*, &az->ztree) { 1956 lock_rw_wrlock(&z->lock); 1957 if(z->zone_deleted) { 1958 /* we cannot alter the rbtree right now, but 1959 * we can put it on a linked list and then 1960 * delete it */ 1961 z->delete_next = delete_list; 1962 delete_list = z; 1963 } 1964 lock_rw_unlock(&z->lock); 1965 } 1966 /* now we are out of the tree loop and we can loop and delete 1967 * the zones */ 1968 z = delete_list; 1969 while(z) { 1970 next = z->delete_next; 1971 xfr = auth_xfer_find(az, z->name, z->namelen, z->dclass); 1972 if(xfr) { 1973 (void)rbtree_delete(&az->xtree, &xfr->node); 1974 auth_xfer_delete(xfr); 1975 } 1976 (void)rbtree_delete(&az->ztree, &z->node); 1977 auth_zone_delete(z, az); 1978 z = next; 1979 } 1980 lock_rw_unlock(&az->lock); 1981 } 1982 1983 int auth_zones_apply_cfg(struct auth_zones* az, struct config_file* cfg, 1984 int setup, int* is_rpz) 1985 { 1986 struct config_auth* p; 1987 az_setall_deleted(az); 1988 for(p = cfg->auths; p; p = p->next) { 1989 if(!p->name || p->name[0] == 0) { 1990 log_warn("auth-zone without a name, skipped"); 1991 continue; 1992 } 1993 *is_rpz = (*is_rpz || p->isrpz); 1994 if(!auth_zones_cfg(az, p)) { 1995 log_err("cannot config auth zone %s", p->name); 1996 return 0; 1997 } 1998 } 1999 az_delete_deleted_zones(az); 2000 if(!auth_zones_read_zones(az, cfg)) 2001 return 0; 2002 if(setup) { 2003 if(!auth_zones_setup_zones(az)) 2004 return 0; 2005 } 2006 return 1; 2007 } 2008 2009 /** delete chunks 2010 * @param at: transfer structure with chunks list. The chunks and their 2011 * data are freed. 2012 */ 2013 static void 2014 auth_chunks_delete(struct auth_transfer* at) 2015 { 2016 if(at->chunks_first) { 2017 struct auth_chunk* c, *cn; 2018 c = at->chunks_first; 2019 while(c) { 2020 cn = c->next; 2021 free(c->data); 2022 free(c); 2023 c = cn; 2024 } 2025 } 2026 at->chunks_first = NULL; 2027 at->chunks_last = NULL; 2028 } 2029 2030 /** free master addr list */ 2031 static void 2032 auth_free_master_addrs(struct auth_addr* list) 2033 { 2034 struct auth_addr *n; 2035 while(list) { 2036 n = list->next; 2037 free(list); 2038 list = n; 2039 } 2040 } 2041 2042 /** free the masters list */ 2043 static void 2044 auth_free_masters(struct auth_master* list) 2045 { 2046 struct auth_master* n; 2047 while(list) { 2048 n = list->next; 2049 auth_free_master_addrs(list->list); 2050 free(list->host); 2051 free(list->file); 2052 free(list); 2053 list = n; 2054 } 2055 } 2056 2057 /** delete auth xfer structure 2058 * @param xfr: delete this xfer and its tasks. 2059 */ 2060 static void 2061 auth_xfer_delete(struct auth_xfer* xfr) 2062 { 2063 if(!xfr) return; 2064 lock_basic_destroy(&xfr->lock); 2065 free(xfr->name); 2066 if(xfr->task_nextprobe) { 2067 comm_timer_delete(xfr->task_nextprobe->timer); 2068 free(xfr->task_nextprobe); 2069 } 2070 if(xfr->task_probe) { 2071 auth_free_masters(xfr->task_probe->masters); 2072 comm_point_delete(xfr->task_probe->cp); 2073 comm_timer_delete(xfr->task_probe->timer); 2074 free(xfr->task_probe); 2075 } 2076 if(xfr->task_transfer) { 2077 auth_free_masters(xfr->task_transfer->masters); 2078 comm_point_delete(xfr->task_transfer->cp); 2079 comm_timer_delete(xfr->task_transfer->timer); 2080 if(xfr->task_transfer->chunks_first) { 2081 auth_chunks_delete(xfr->task_transfer); 2082 } 2083 free(xfr->task_transfer); 2084 } 2085 auth_free_masters(xfr->allow_notify_list); 2086 free(xfr); 2087 } 2088 2089 /** helper traverse to delete zones */ 2090 static void 2091 auth_zone_del(rbnode_type* n, void* ATTR_UNUSED(arg)) 2092 { 2093 struct auth_zone* z = (struct auth_zone*)n->key; 2094 auth_zone_delete(z, NULL); 2095 } 2096 2097 /** helper traverse to delete xfer zones */ 2098 static void 2099 auth_xfer_del(rbnode_type* n, void* ATTR_UNUSED(arg)) 2100 { 2101 struct auth_xfer* z = (struct auth_xfer*)n->key; 2102 auth_xfer_delete(z); 2103 } 2104 2105 void auth_zones_delete(struct auth_zones* az) 2106 { 2107 if(!az) return; 2108 lock_rw_destroy(&az->lock); 2109 lock_rw_destroy(&az->rpz_lock); 2110 traverse_postorder(&az->ztree, auth_zone_del, NULL); 2111 traverse_postorder(&az->xtree, auth_xfer_del, NULL); 2112 free(az); 2113 } 2114 2115 /** true if domain has only nsec3 */ 2116 static int 2117 domain_has_only_nsec3(struct auth_data* n) 2118 { 2119 struct auth_rrset* rrset = n->rrsets; 2120 int nsec3_seen = 0; 2121 while(rrset) { 2122 if(rrset->type == LDNS_RR_TYPE_NSEC3) { 2123 nsec3_seen = 1; 2124 } else if(rrset->type != LDNS_RR_TYPE_RRSIG) { 2125 return 0; 2126 } 2127 rrset = rrset->next; 2128 } 2129 return nsec3_seen; 2130 } 2131 2132 /** see if the domain has a wildcard child '*.domain' */ 2133 static struct auth_data* 2134 az_find_wildcard_domain(struct auth_zone* z, uint8_t* nm, size_t nmlen) 2135 { 2136 uint8_t wc[LDNS_MAX_DOMAINLEN]; 2137 if(nmlen+2 > sizeof(wc)) 2138 return NULL; /* result would be too long */ 2139 wc[0] = 1; /* length of wildcard label */ 2140 wc[1] = (uint8_t)'*'; /* wildcard label */ 2141 memmove(wc+2, nm, nmlen); 2142 return az_find_name(z, wc, nmlen+2); 2143 } 2144 2145 /** find wildcard between qname and cename */ 2146 static struct auth_data* 2147 az_find_wildcard(struct auth_zone* z, struct query_info* qinfo, 2148 struct auth_data* ce) 2149 { 2150 uint8_t* nm = qinfo->qname; 2151 size_t nmlen = qinfo->qname_len; 2152 struct auth_data* node; 2153 if(!dname_subdomain_c(nm, z->name)) 2154 return NULL; /* out of zone */ 2155 while((node=az_find_wildcard_domain(z, nm, nmlen))==NULL) { 2156 /* see if we can go up to find the wildcard */ 2157 if(nmlen == z->namelen) 2158 return NULL; /* top of zone reached */ 2159 if(ce && nmlen == ce->namelen) 2160 return NULL; /* ce reached */ 2161 if(dname_is_root(nm)) 2162 return NULL; /* cannot go up */ 2163 dname_remove_label(&nm, &nmlen); 2164 } 2165 return node; 2166 } 2167 2168 /** domain is not exact, find first candidate ce (name that matches 2169 * a part of qname) in tree */ 2170 static struct auth_data* 2171 az_find_candidate_ce(struct auth_zone* z, struct query_info* qinfo, 2172 struct auth_data* n) 2173 { 2174 uint8_t* nm; 2175 size_t nmlen; 2176 if(n) { 2177 nm = dname_get_shared_topdomain(qinfo->qname, n->name); 2178 } else { 2179 nm = qinfo->qname; 2180 } 2181 dname_count_size_labels(nm, &nmlen); 2182 n = az_find_name(z, nm, nmlen); 2183 /* delete labels and go up on name */ 2184 while(!n) { 2185 if(dname_is_root(nm)) 2186 return NULL; /* cannot go up */ 2187 dname_remove_label(&nm, &nmlen); 2188 n = az_find_name(z, nm, nmlen); 2189 } 2190 return n; 2191 } 2192 2193 /** go up the auth tree to next existing name. */ 2194 static struct auth_data* 2195 az_domain_go_up(struct auth_zone* z, struct auth_data* n) 2196 { 2197 uint8_t* nm = n->name; 2198 size_t nmlen = n->namelen; 2199 while(!dname_is_root(nm)) { 2200 dname_remove_label(&nm, &nmlen); 2201 if((n=az_find_name(z, nm, nmlen)) != NULL) 2202 return n; 2203 } 2204 return NULL; 2205 } 2206 2207 /** Find the closest encloser, an name that exists and is above the 2208 * qname. 2209 * return true if the node (param node) is existing, nonobscured and 2210 * can be used to generate answers from. It is then also node_exact. 2211 * returns false if the node is not good enough (or it wasn't node_exact) 2212 * in this case the ce can be filled. 2213 * if ce is NULL, no ce exists, and likely the zone is completely empty, 2214 * not even with a zone apex. 2215 * if ce is nonNULL it is the closest enclosing upper name (that exists 2216 * itself for answer purposes). That name may have DNAME, NS or wildcard 2217 * rrset is the closest DNAME or NS rrset that was found. 2218 */ 2219 static int 2220 az_find_ce(struct auth_zone* z, struct query_info* qinfo, 2221 struct auth_data* node, int node_exact, struct auth_data** ce, 2222 struct auth_rrset** rrset) 2223 { 2224 struct auth_data* n = node; 2225 *ce = NULL; 2226 *rrset = NULL; 2227 if(!node_exact) { 2228 /* if not exact, lookup closest exact match */ 2229 n = az_find_candidate_ce(z, qinfo, n); 2230 } else { 2231 /* if exact, the node itself is the first candidate ce */ 2232 *ce = n; 2233 } 2234 2235 /* no direct answer from nsec3-only domains */ 2236 if(n && domain_has_only_nsec3(n)) { 2237 node_exact = 0; 2238 *ce = NULL; 2239 } 2240 2241 /* with exact matches, walk up the labels until we find the 2242 * delegation, or DNAME or zone end */ 2243 while(n) { 2244 /* see if the current candidate has issues */ 2245 /* not zone apex and has type NS */ 2246 if(n->namelen != z->namelen && 2247 (*rrset=az_domain_rrset(n, LDNS_RR_TYPE_NS)) && 2248 /* delegate here, but DS at exact the dp has notype */ 2249 (qinfo->qtype != LDNS_RR_TYPE_DS || 2250 n->namelen != qinfo->qname_len)) { 2251 /* referral */ 2252 /* this is ce and the lowernode is nonexisting */ 2253 *ce = n; 2254 return 0; 2255 } 2256 /* not equal to qname and has type DNAME */ 2257 if(n->namelen != qinfo->qname_len && 2258 (*rrset=az_domain_rrset(n, LDNS_RR_TYPE_DNAME))) { 2259 /* this is ce and the lowernode is nonexisting */ 2260 *ce = n; 2261 return 0; 2262 } 2263 2264 if(*ce == NULL && !domain_has_only_nsec3(n)) { 2265 /* if not found yet, this exact name must be 2266 * our lowest match (but not nsec3onlydomain) */ 2267 *ce = n; 2268 } 2269 2270 /* walk up the tree by removing labels from name and lookup */ 2271 n = az_domain_go_up(z, n); 2272 } 2273 /* found no problems, if it was an exact node, it is fine to use */ 2274 return node_exact; 2275 } 2276 2277 /** add additional A/AAAA from domain names in rrset rdata (+offset) 2278 * offset is number of bytes in rdata where the dname is located. */ 2279 static int 2280 az_add_additionals_from(struct auth_zone* z, struct regional* region, 2281 struct dns_msg* msg, struct auth_rrset* rrset, size_t offset) 2282 { 2283 struct packed_rrset_data* d = rrset->data; 2284 size_t i; 2285 if(!d) return 0; 2286 for(i=0; i<d->count; i++) { 2287 size_t dlen; 2288 struct auth_data* domain; 2289 struct auth_rrset* ref; 2290 if(d->rr_len[i] < 2+offset) 2291 continue; /* too short */ 2292 if(!(dlen = dname_valid(d->rr_data[i]+2+offset, 2293 d->rr_len[i]-2-offset))) 2294 continue; /* malformed */ 2295 domain = az_find_name(z, d->rr_data[i]+2+offset, dlen); 2296 if(!domain) 2297 continue; 2298 if((ref=az_domain_rrset(domain, LDNS_RR_TYPE_A)) != NULL) { 2299 if(!msg_add_rrset_ar(z, region, msg, domain, ref)) 2300 return 0; 2301 } 2302 if((ref=az_domain_rrset(domain, LDNS_RR_TYPE_AAAA)) != NULL) { 2303 if(!msg_add_rrset_ar(z, region, msg, domain, ref)) 2304 return 0; 2305 } 2306 } 2307 return 1; 2308 } 2309 2310 /** add negative SOA record (with negative TTL) */ 2311 static int 2312 az_add_negative_soa(struct auth_zone* z, struct regional* region, 2313 struct dns_msg* msg) 2314 { 2315 uint32_t minimum; 2316 struct packed_rrset_data* d; 2317 struct auth_rrset* soa; 2318 struct auth_data* apex = az_find_name(z, z->name, z->namelen); 2319 if(!apex) return 0; 2320 soa = az_domain_rrset(apex, LDNS_RR_TYPE_SOA); 2321 if(!soa) return 0; 2322 /* must be first to put in message; we want to fix the TTL with 2323 * one RRset here, otherwise we'd need to loop over the RRs to get 2324 * the resulting lower TTL */ 2325 log_assert(msg->rep->rrset_count == 0); 2326 if(!msg_add_rrset_ns(z, region, msg, apex, soa)) return 0; 2327 /* fixup TTL */ 2328 d = (struct packed_rrset_data*)msg->rep->rrsets[msg->rep->rrset_count-1]->entry.data; 2329 /* last 4 bytes are minimum ttl in network format */ 2330 if(d->count == 0) return 0; 2331 if(d->rr_len[0] < 2+4) return 0; 2332 minimum = sldns_read_uint32(d->rr_data[0]+(d->rr_len[0]-4)); 2333 d->ttl = (time_t)minimum; 2334 d->rr_ttl[0] = (time_t)minimum; 2335 msg->rep->ttl = get_rrset_ttl(msg->rep->rrsets[0]); 2336 msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(msg->rep->ttl); 2337 msg->rep->serve_expired_ttl = msg->rep->ttl + SERVE_EXPIRED_TTL; 2338 return 1; 2339 } 2340 2341 /** See if the query goes to empty nonterminal (that has no auth_data, 2342 * but there are nodes underneath. We already checked that there are 2343 * not NS, or DNAME above, so that we only need to check if some node 2344 * exists below (with nonempty rr list), return true if emptynonterminal */ 2345 static int 2346 az_empty_nonterminal(struct auth_zone* z, struct query_info* qinfo, 2347 struct auth_data* node) 2348 { 2349 struct auth_data* next; 2350 if(!node) { 2351 /* no smaller was found, use first (smallest) node as the 2352 * next one */ 2353 next = (struct auth_data*)rbtree_first(&z->data); 2354 } else { 2355 next = (struct auth_data*)rbtree_next(&node->node); 2356 } 2357 while(next && (rbnode_type*)next != RBTREE_NULL && next->rrsets == NULL) { 2358 /* the next name has empty rrsets, is an empty nonterminal 2359 * itself, see if there exists something below it */ 2360 next = (struct auth_data*)rbtree_next(&node->node); 2361 } 2362 if((rbnode_type*)next == RBTREE_NULL || !next) { 2363 /* there is no next node, so something below it cannot 2364 * exist */ 2365 return 0; 2366 } 2367 /* a next node exists, if there was something below the query, 2368 * this node has to be it. See if it is below the query name */ 2369 if(dname_strict_subdomain_c(next->name, qinfo->qname)) 2370 return 1; 2371 return 0; 2372 } 2373 2374 /** create synth cname target name in buffer, or fail if too long */ 2375 static size_t 2376 synth_cname_buf(uint8_t* qname, size_t qname_len, size_t dname_len, 2377 uint8_t* dtarg, size_t dtarglen, uint8_t* buf, size_t buflen) 2378 { 2379 size_t newlen = qname_len + dtarglen - dname_len; 2380 if(newlen > buflen) { 2381 /* YXDOMAIN error */ 2382 return 0; 2383 } 2384 /* new name is concatenation of qname front (without DNAME owner) 2385 * and DNAME target name */ 2386 memcpy(buf, qname, qname_len-dname_len); 2387 memmove(buf+(qname_len-dname_len), dtarg, dtarglen); 2388 return newlen; 2389 } 2390 2391 /** create synthetic CNAME rrset for in a DNAME answer in region, 2392 * false on alloc failure, cname==NULL when name too long. */ 2393 static int 2394 create_synth_cname(uint8_t* qname, size_t qname_len, struct regional* region, 2395 struct auth_data* node, struct auth_rrset* dname, uint16_t dclass, 2396 struct ub_packed_rrset_key** cname) 2397 { 2398 uint8_t buf[LDNS_MAX_DOMAINLEN]; 2399 uint8_t* dtarg; 2400 size_t dtarglen, newlen; 2401 struct packed_rrset_data* d; 2402 2403 /* get DNAME target name */ 2404 if(dname->data->count < 1) return 0; 2405 if(dname->data->rr_len[0] < 3) return 0; /* at least rdatalen +1 */ 2406 dtarg = dname->data->rr_data[0]+2; 2407 dtarglen = dname->data->rr_len[0]-2; 2408 if(sldns_read_uint16(dname->data->rr_data[0]) != dtarglen) 2409 return 0; /* rdatalen in DNAME rdata is malformed */ 2410 if(dname_valid(dtarg, dtarglen) != dtarglen) 2411 return 0; /* DNAME RR has malformed rdata */ 2412 if(qname_len == 0) 2413 return 0; /* too short */ 2414 if(qname_len <= node->namelen) 2415 return 0; /* qname too short for dname removal */ 2416 2417 /* synthesize a CNAME */ 2418 newlen = synth_cname_buf(qname, qname_len, node->namelen, 2419 dtarg, dtarglen, buf, sizeof(buf)); 2420 if(newlen == 0) { 2421 /* YXDOMAIN error */ 2422 *cname = NULL; 2423 return 1; 2424 } 2425 *cname = (struct ub_packed_rrset_key*)regional_alloc(region, 2426 sizeof(struct ub_packed_rrset_key)); 2427 if(!*cname) 2428 return 0; /* out of memory */ 2429 memset(&(*cname)->entry, 0, sizeof((*cname)->entry)); 2430 (*cname)->entry.key = (*cname); 2431 (*cname)->rk.type = htons(LDNS_RR_TYPE_CNAME); 2432 (*cname)->rk.rrset_class = htons(dclass); 2433 (*cname)->rk.flags = 0; 2434 (*cname)->rk.dname = regional_alloc_init(region, qname, qname_len); 2435 if(!(*cname)->rk.dname) 2436 return 0; /* out of memory */ 2437 (*cname)->rk.dname_len = qname_len; 2438 (*cname)->entry.hash = rrset_key_hash(&(*cname)->rk); 2439 d = (struct packed_rrset_data*)regional_alloc_zero(region, 2440 sizeof(struct packed_rrset_data) + sizeof(size_t) + 2441 sizeof(uint8_t*) + sizeof(time_t) + sizeof(uint16_t) 2442 + newlen); 2443 if(!d) 2444 return 0; /* out of memory */ 2445 (*cname)->entry.data = d; 2446 d->ttl = 0; /* 0 for synthesized CNAME TTL */ 2447 d->count = 1; 2448 d->rrsig_count = 0; 2449 d->trust = rrset_trust_ans_noAA; 2450 d->rr_len = (size_t*)((uint8_t*)d + 2451 sizeof(struct packed_rrset_data)); 2452 d->rr_len[0] = newlen + sizeof(uint16_t); 2453 packed_rrset_ptr_fixup(d); 2454 d->rr_ttl[0] = d->ttl; 2455 sldns_write_uint16(d->rr_data[0], newlen); 2456 memmove(d->rr_data[0] + sizeof(uint16_t), buf, newlen); 2457 return 1; 2458 } 2459 2460 /** add a synthesized CNAME to the answer section */ 2461 static int 2462 add_synth_cname(struct auth_zone* z, uint8_t* qname, size_t qname_len, 2463 struct regional* region, struct dns_msg* msg, struct auth_data* dname, 2464 struct auth_rrset* rrset) 2465 { 2466 struct ub_packed_rrset_key* cname; 2467 /* synthesize a CNAME */ 2468 if(!create_synth_cname(qname, qname_len, region, dname, rrset, 2469 z->dclass, &cname)) { 2470 /* out of memory */ 2471 return 0; 2472 } 2473 if(!cname) { 2474 /* cname cannot be create because of YXDOMAIN */ 2475 msg->rep->flags |= LDNS_RCODE_YXDOMAIN; 2476 return 1; 2477 } 2478 /* add cname to message */ 2479 if(!msg_grow_array(region, msg)) 2480 return 0; 2481 msg->rep->rrsets[msg->rep->rrset_count] = cname; 2482 msg->rep->rrset_count++; 2483 msg->rep->an_numrrsets++; 2484 msg_ttl(msg); 2485 return 1; 2486 } 2487 2488 /** Change a dname to a different one, for wildcard namechange */ 2489 static void 2490 az_change_dnames(struct dns_msg* msg, uint8_t* oldname, uint8_t* newname, 2491 size_t newlen, int an_only) 2492 { 2493 size_t i; 2494 size_t start = 0, end = msg->rep->rrset_count; 2495 if(!an_only) start = msg->rep->an_numrrsets; 2496 if(an_only) end = msg->rep->an_numrrsets; 2497 for(i=start; i<end; i++) { 2498 /* allocated in region so we can change the ptrs */ 2499 if(query_dname_compare(msg->rep->rrsets[i]->rk.dname, oldname) 2500 == 0) { 2501 msg->rep->rrsets[i]->rk.dname = newname; 2502 msg->rep->rrsets[i]->rk.dname_len = newlen; 2503 } 2504 } 2505 } 2506 2507 /** find NSEC record covering the query */ 2508 static struct auth_rrset* 2509 az_find_nsec_cover(struct auth_zone* z, struct auth_data** node) 2510 { 2511 uint8_t* nm = (*node)->name; 2512 size_t nmlen = (*node)->namelen; 2513 struct auth_rrset* rrset; 2514 /* find the NSEC for the smallest-or-equal node */ 2515 /* if node == NULL, we did not find a smaller name. But the zone 2516 * name is the smallest name and should have an NSEC. So there is 2517 * no NSEC to return (for a properly signed zone) */ 2518 /* for empty nonterminals, the auth-data node should not exist, 2519 * and thus we don't need to go rbtree_previous here to find 2520 * a domain with an NSEC record */ 2521 /* but there could be glue, and if this is node, then it has no NSEC. 2522 * Go up to find nonglue (previous) NSEC-holding nodes */ 2523 while((rrset=az_domain_rrset(*node, LDNS_RR_TYPE_NSEC)) == NULL) { 2524 if(dname_is_root(nm)) return NULL; 2525 if(nmlen == z->namelen) return NULL; 2526 dname_remove_label(&nm, &nmlen); 2527 /* adjust *node for the nsec rrset to find in */ 2528 *node = az_find_name(z, nm, nmlen); 2529 } 2530 return rrset; 2531 } 2532 2533 /** Find NSEC and add for wildcard denial */ 2534 static int 2535 az_nsec_wildcard_denial(struct auth_zone* z, struct regional* region, 2536 struct dns_msg* msg, uint8_t* cenm, size_t cenmlen) 2537 { 2538 struct query_info qinfo; 2539 int node_exact; 2540 struct auth_data* node; 2541 struct auth_rrset* nsec; 2542 uint8_t wc[LDNS_MAX_DOMAINLEN]; 2543 if(cenmlen+2 > sizeof(wc)) 2544 return 0; /* result would be too long */ 2545 wc[0] = 1; /* length of wildcard label */ 2546 wc[1] = (uint8_t)'*'; /* wildcard label */ 2547 memmove(wc+2, cenm, cenmlen); 2548 2549 /* we have '*.ce' in wc wildcard name buffer */ 2550 /* get nsec cover for that */ 2551 qinfo.qname = wc; 2552 qinfo.qname_len = cenmlen+2; 2553 qinfo.qtype = 0; 2554 qinfo.qclass = 0; 2555 az_find_domain(z, &qinfo, &node_exact, &node); 2556 if((nsec=az_find_nsec_cover(z, &node)) != NULL) { 2557 if(!msg_add_rrset_ns(z, region, msg, node, nsec)) return 0; 2558 } 2559 return 1; 2560 } 2561 2562 /** Find the NSEC3PARAM rrset (if any) and if true you have the parameters */ 2563 static int 2564 az_nsec3_param(struct auth_zone* z, int* algo, size_t* iter, uint8_t** salt, 2565 size_t* saltlen) 2566 { 2567 struct auth_data* apex; 2568 struct auth_rrset* param; 2569 size_t i; 2570 apex = az_find_name(z, z->name, z->namelen); 2571 if(!apex) return 0; 2572 param = az_domain_rrset(apex, LDNS_RR_TYPE_NSEC3PARAM); 2573 if(!param || param->data->count==0) 2574 return 0; /* no RRset or no RRs in rrset */ 2575 /* find out which NSEC3PARAM RR has supported parameters */ 2576 /* skip unknown flags (dynamic signer is recalculating nsec3 chain) */ 2577 for(i=0; i<param->data->count; i++) { 2578 uint8_t* rdata = param->data->rr_data[i]+2; 2579 size_t rdatalen = param->data->rr_len[i]; 2580 if(rdatalen < 2+5) 2581 continue; /* too short */ 2582 if(!nsec3_hash_algo_size_supported((int)(rdata[0]))) 2583 continue; /* unsupported algo */ 2584 if(rdatalen < (size_t)(2+5+(size_t)rdata[4])) 2585 continue; /* salt missing */ 2586 if((rdata[1]&NSEC3_UNKNOWN_FLAGS)!=0) 2587 continue; /* unknown flags */ 2588 *algo = (int)(rdata[0]); 2589 *iter = sldns_read_uint16(rdata+2); 2590 *saltlen = rdata[4]; 2591 if(*saltlen == 0) 2592 *salt = NULL; 2593 else *salt = rdata+5; 2594 return 1; 2595 } 2596 /* no supported params */ 2597 return 0; 2598 } 2599 2600 /** Hash a name with nsec3param into buffer, it has zone name appended. 2601 * return length of hash */ 2602 static size_t 2603 az_nsec3_hash(uint8_t* buf, size_t buflen, uint8_t* nm, size_t nmlen, 2604 int algo, size_t iter, uint8_t* salt, size_t saltlen) 2605 { 2606 size_t hlen = nsec3_hash_algo_size_supported(algo); 2607 /* buffer has domain name, nsec3hash, and 256 is for max saltlen 2608 * (salt has 0-255 length) */ 2609 unsigned char p[LDNS_MAX_DOMAINLEN+1+N3HASHBUFLEN+256]; 2610 size_t i; 2611 if(nmlen+saltlen > sizeof(p) || hlen+saltlen > sizeof(p)) 2612 return 0; 2613 if(hlen > buflen) 2614 return 0; /* somehow too large for destination buffer */ 2615 /* hashfunc(name, salt) */ 2616 memmove(p, nm, nmlen); 2617 query_dname_tolower(p); 2618 if(salt && saltlen > 0) 2619 memmove(p+nmlen, salt, saltlen); 2620 (void)secalgo_nsec3_hash(algo, p, nmlen+saltlen, (unsigned char*)buf); 2621 for(i=0; i<iter; i++) { 2622 /* hashfunc(hash, salt) */ 2623 memmove(p, buf, hlen); 2624 if(salt && saltlen > 0) 2625 memmove(p+hlen, salt, saltlen); 2626 (void)secalgo_nsec3_hash(algo, p, hlen+saltlen, 2627 (unsigned char*)buf); 2628 } 2629 return hlen; 2630 } 2631 2632 /** Hash name and return b32encoded hashname for lookup, zone name appended */ 2633 static int 2634 az_nsec3_hashname(struct auth_zone* z, uint8_t* hashname, size_t* hashnmlen, 2635 uint8_t* nm, size_t nmlen, int algo, size_t iter, uint8_t* salt, 2636 size_t saltlen) 2637 { 2638 uint8_t hash[N3HASHBUFLEN]; 2639 size_t hlen; 2640 int ret; 2641 hlen = az_nsec3_hash(hash, sizeof(hash), nm, nmlen, algo, iter, 2642 salt, saltlen); 2643 if(!hlen) return 0; 2644 /* b32 encode */ 2645 if(*hashnmlen < hlen*2+1+z->namelen) /* approx b32 as hexb16 */ 2646 return 0; 2647 ret = sldns_b32_ntop_extended_hex(hash, hlen, (char*)(hashname+1), 2648 (*hashnmlen)-1); 2649 if(ret<1) 2650 return 0; 2651 hashname[0] = (uint8_t)ret; 2652 ret++; 2653 if((*hashnmlen) - ret < z->namelen) 2654 return 0; 2655 memmove(hashname+ret, z->name, z->namelen); 2656 *hashnmlen = z->namelen+(size_t)ret; 2657 return 1; 2658 } 2659 2660 /** Find the datanode that covers the nsec3hash-name */ 2661 static struct auth_data* 2662 az_nsec3_findnode(struct auth_zone* z, uint8_t* hashnm, size_t hashnmlen) 2663 { 2664 struct query_info qinfo; 2665 struct auth_data* node; 2666 int node_exact; 2667 qinfo.qclass = 0; 2668 qinfo.qtype = 0; 2669 qinfo.qname = hashnm; 2670 qinfo.qname_len = hashnmlen; 2671 /* because canonical ordering and b32 nsec3 ordering are the same. 2672 * this is a good lookup to find the nsec3 name. */ 2673 az_find_domain(z, &qinfo, &node_exact, &node); 2674 /* but we may have to skip non-nsec3 nodes */ 2675 /* this may be a lot, the way to speed that up is to have a 2676 * separate nsec3 tree with nsec3 nodes */ 2677 while(node && (rbnode_type*)node != RBTREE_NULL && 2678 !az_domain_rrset(node, LDNS_RR_TYPE_NSEC3)) { 2679 node = (struct auth_data*)rbtree_previous(&node->node); 2680 } 2681 if((rbnode_type*)node == RBTREE_NULL) 2682 node = NULL; 2683 return node; 2684 } 2685 2686 /** Find cover for hashed(nm, nmlen) (or NULL) */ 2687 static struct auth_data* 2688 az_nsec3_find_cover(struct auth_zone* z, uint8_t* nm, size_t nmlen, 2689 int algo, size_t iter, uint8_t* salt, size_t saltlen) 2690 { 2691 struct auth_data* node; 2692 uint8_t hname[LDNS_MAX_DOMAINLEN]; 2693 size_t hlen = sizeof(hname); 2694 if(!az_nsec3_hashname(z, hname, &hlen, nm, nmlen, algo, iter, 2695 salt, saltlen)) 2696 return NULL; 2697 node = az_nsec3_findnode(z, hname, hlen); 2698 if(node) 2699 return node; 2700 /* we did not find any, perhaps because the NSEC3 hash is before 2701 * the first hash, we have to find the 'last hash' in the zone */ 2702 node = (struct auth_data*)rbtree_last(&z->data); 2703 while(node && (rbnode_type*)node != RBTREE_NULL && 2704 !az_domain_rrset(node, LDNS_RR_TYPE_NSEC3)) { 2705 node = (struct auth_data*)rbtree_previous(&node->node); 2706 } 2707 if((rbnode_type*)node == RBTREE_NULL) 2708 node = NULL; 2709 return node; 2710 } 2711 2712 /** Find exact match for hashed(nm, nmlen) NSEC3 record or NULL */ 2713 static struct auth_data* 2714 az_nsec3_find_exact(struct auth_zone* z, uint8_t* nm, size_t nmlen, 2715 int algo, size_t iter, uint8_t* salt, size_t saltlen) 2716 { 2717 struct auth_data* node; 2718 uint8_t hname[LDNS_MAX_DOMAINLEN]; 2719 size_t hlen = sizeof(hname); 2720 if(!az_nsec3_hashname(z, hname, &hlen, nm, nmlen, algo, iter, 2721 salt, saltlen)) 2722 return NULL; 2723 node = az_find_name(z, hname, hlen); 2724 if(az_domain_rrset(node, LDNS_RR_TYPE_NSEC3)) 2725 return node; 2726 return NULL; 2727 } 2728 2729 /** Return nextcloser name (as a ref into the qname). This is one label 2730 * more than the cenm (cename must be a suffix of qname) */ 2731 static void 2732 az_nsec3_get_nextcloser(uint8_t* cenm, uint8_t* qname, size_t qname_len, 2733 uint8_t** nx, size_t* nxlen) 2734 { 2735 int celabs = dname_count_labels(cenm); 2736 int qlabs = dname_count_labels(qname); 2737 int strip = qlabs - celabs -1; 2738 log_assert(dname_strict_subdomain(qname, qlabs, cenm, celabs)); 2739 *nx = qname; 2740 *nxlen = qname_len; 2741 if(strip>0) 2742 dname_remove_labels(nx, nxlen, strip); 2743 } 2744 2745 /** Find the closest encloser that has exact NSEC3. 2746 * updated cenm to the new name. If it went up no-exact-ce is true. */ 2747 static struct auth_data* 2748 az_nsec3_find_ce(struct auth_zone* z, uint8_t** cenm, size_t* cenmlen, 2749 int* no_exact_ce, int algo, size_t iter, uint8_t* salt, size_t saltlen) 2750 { 2751 struct auth_data* node; 2752 while((node = az_nsec3_find_exact(z, *cenm, *cenmlen, 2753 algo, iter, salt, saltlen)) == NULL) { 2754 if(*cenmlen == z->namelen) { 2755 /* next step up would take us out of the zone. fail */ 2756 return NULL; 2757 } 2758 *no_exact_ce = 1; 2759 dname_remove_label(cenm, cenmlen); 2760 } 2761 return node; 2762 } 2763 2764 /* Insert NSEC3 record in authority section, if NULL does nothing */ 2765 static int 2766 az_nsec3_insert(struct auth_zone* z, struct regional* region, 2767 struct dns_msg* msg, struct auth_data* node) 2768 { 2769 struct auth_rrset* nsec3; 2770 if(!node) return 1; /* no node, skip this */ 2771 nsec3 = az_domain_rrset(node, LDNS_RR_TYPE_NSEC3); 2772 if(!nsec3) return 1; /* if no nsec3 RR, skip it */ 2773 if(!msg_add_rrset_ns(z, region, msg, node, nsec3)) return 0; 2774 return 1; 2775 } 2776 2777 /** add NSEC3 records to the zone for the nsec3 proof. 2778 * Specify with the flags with parts of the proof are required. 2779 * the ce is the exact matching name (for notype) but also delegation points. 2780 * qname is the one where the nextcloser name can be derived from. 2781 * If NSEC3 is not properly there (in the zone) nothing is added. 2782 * always enabled: include nsec3 proving about the Closest Encloser. 2783 * that is an exact match that should exist for it. 2784 * If that does not exist, a higher exact match + nxproof is enabled 2785 * (for some sort of opt-out empty nonterminal cases). 2786 * nodataproof: search for exact match and include that instead. 2787 * ceproof: include ce proof NSEC3 (omitted for wildcard replies). 2788 * nxproof: include denial of the qname. 2789 * wcproof: include denial of wildcard (wildcard.ce). 2790 */ 2791 static int 2792 az_add_nsec3_proof(struct auth_zone* z, struct regional* region, 2793 struct dns_msg* msg, uint8_t* cenm, size_t cenmlen, uint8_t* qname, 2794 size_t qname_len, int nodataproof, int ceproof, int nxproof, 2795 int wcproof) 2796 { 2797 int algo; 2798 size_t iter, saltlen; 2799 uint8_t* salt; 2800 int no_exact_ce = 0; 2801 struct auth_data* node; 2802 2803 /* find parameters of nsec3 proof */ 2804 if(!az_nsec3_param(z, &algo, &iter, &salt, &saltlen)) 2805 return 1; /* no nsec3 */ 2806 if(nodataproof) { 2807 /* see if the node has a hash of itself for the nodata 2808 * proof nsec3, this has to be an exact match nsec3. */ 2809 struct auth_data* match; 2810 match = az_nsec3_find_exact(z, qname, qname_len, algo, 2811 iter, salt, saltlen); 2812 if(match) { 2813 if(!az_nsec3_insert(z, region, msg, match)) 2814 return 0; 2815 /* only nodata NSEC3 needed, no CE or others. */ 2816 return 1; 2817 } 2818 } 2819 /* find ce that has an NSEC3 */ 2820 if(ceproof) { 2821 node = az_nsec3_find_ce(z, &cenm, &cenmlen, &no_exact_ce, 2822 algo, iter, salt, saltlen); 2823 if(no_exact_ce) nxproof = 1; 2824 if(!az_nsec3_insert(z, region, msg, node)) 2825 return 0; 2826 } 2827 2828 if(nxproof) { 2829 uint8_t* nx; 2830 size_t nxlen; 2831 /* create nextcloser domain name */ 2832 az_nsec3_get_nextcloser(cenm, qname, qname_len, &nx, &nxlen); 2833 /* find nsec3 that matches or covers it */ 2834 node = az_nsec3_find_cover(z, nx, nxlen, algo, iter, salt, 2835 saltlen); 2836 if(!az_nsec3_insert(z, region, msg, node)) 2837 return 0; 2838 } 2839 if(wcproof) { 2840 /* create wildcard name *.ce */ 2841 uint8_t wc[LDNS_MAX_DOMAINLEN]; 2842 size_t wclen; 2843 if(cenmlen+2 > sizeof(wc)) 2844 return 0; /* result would be too long */ 2845 wc[0] = 1; /* length of wildcard label */ 2846 wc[1] = (uint8_t)'*'; /* wildcard label */ 2847 memmove(wc+2, cenm, cenmlen); 2848 wclen = cenmlen+2; 2849 /* find nsec3 that matches or covers it */ 2850 node = az_nsec3_find_cover(z, wc, wclen, algo, iter, salt, 2851 saltlen); 2852 if(!az_nsec3_insert(z, region, msg, node)) 2853 return 0; 2854 } 2855 return 1; 2856 } 2857 2858 /** generate answer for positive answer */ 2859 static int 2860 az_generate_positive_answer(struct auth_zone* z, struct regional* region, 2861 struct dns_msg* msg, struct auth_data* node, struct auth_rrset* rrset) 2862 { 2863 if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0; 2864 /* see if we want additional rrs */ 2865 if(rrset->type == LDNS_RR_TYPE_MX) { 2866 if(!az_add_additionals_from(z, region, msg, rrset, 2)) 2867 return 0; 2868 } else if(rrset->type == LDNS_RR_TYPE_SRV) { 2869 if(!az_add_additionals_from(z, region, msg, rrset, 6)) 2870 return 0; 2871 } else if(rrset->type == LDNS_RR_TYPE_NS) { 2872 if(!az_add_additionals_from(z, region, msg, rrset, 0)) 2873 return 0; 2874 } 2875 return 1; 2876 } 2877 2878 /** generate answer for type ANY answer */ 2879 static int 2880 az_generate_any_answer(struct auth_zone* z, struct regional* region, 2881 struct dns_msg* msg, struct auth_data* node) 2882 { 2883 struct auth_rrset* rrset; 2884 int added = 0; 2885 /* add a couple (at least one) RRs */ 2886 if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_SOA)) != NULL) { 2887 if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0; 2888 added++; 2889 } 2890 if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_MX)) != NULL) { 2891 if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0; 2892 added++; 2893 } 2894 if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_A)) != NULL) { 2895 if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0; 2896 added++; 2897 } 2898 if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_AAAA)) != NULL) { 2899 if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0; 2900 added++; 2901 } 2902 if(added == 0 && node && node->rrsets) { 2903 if(!msg_add_rrset_an(z, region, msg, node, 2904 node->rrsets)) return 0; 2905 } 2906 return 1; 2907 } 2908 2909 /** follow cname chain and add more data to the answer section */ 2910 static int 2911 follow_cname_chain(struct auth_zone* z, uint16_t qtype, 2912 struct regional* region, struct dns_msg* msg, 2913 struct packed_rrset_data* d) 2914 { 2915 int maxchain = 0; 2916 /* see if we can add the target of the CNAME into the answer */ 2917 while(maxchain++ < MAX_CNAME_CHAIN) { 2918 struct auth_data* node; 2919 struct auth_rrset* rrset; 2920 size_t clen; 2921 /* d has cname rdata */ 2922 if(d->count == 0) break; /* no CNAME */ 2923 if(d->rr_len[0] < 2+1) break; /* too small */ 2924 if((clen=dname_valid(d->rr_data[0]+2, d->rr_len[0]-2))==0) 2925 break; /* malformed */ 2926 if(!dname_subdomain_c(d->rr_data[0]+2, z->name)) 2927 break; /* target out of zone */ 2928 if((node = az_find_name(z, d->rr_data[0]+2, clen))==NULL) 2929 break; /* no such target name */ 2930 if((rrset=az_domain_rrset(node, qtype))!=NULL) { 2931 /* done we found the target */ 2932 if(!msg_add_rrset_an(z, region, msg, node, rrset)) 2933 return 0; 2934 break; 2935 } 2936 if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_CNAME))==NULL) 2937 break; /* no further CNAME chain, notype */ 2938 if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0; 2939 d = rrset->data; 2940 } 2941 return 1; 2942 } 2943 2944 /** generate answer for cname answer */ 2945 static int 2946 az_generate_cname_answer(struct auth_zone* z, struct query_info* qinfo, 2947 struct regional* region, struct dns_msg* msg, 2948 struct auth_data* node, struct auth_rrset* rrset) 2949 { 2950 if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0; 2951 if(!rrset) return 1; 2952 if(!follow_cname_chain(z, qinfo->qtype, region, msg, rrset->data)) 2953 return 0; 2954 return 1; 2955 } 2956 2957 /** generate answer for notype answer */ 2958 static int 2959 az_generate_notype_answer(struct auth_zone* z, struct regional* region, 2960 struct dns_msg* msg, struct auth_data* node) 2961 { 2962 struct auth_rrset* rrset; 2963 if(!az_add_negative_soa(z, region, msg)) return 0; 2964 /* DNSSEC denial NSEC */ 2965 if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_NSEC))!=NULL) { 2966 if(!msg_add_rrset_ns(z, region, msg, node, rrset)) return 0; 2967 } else if(node) { 2968 /* DNSSEC denial NSEC3 */ 2969 if(!az_add_nsec3_proof(z, region, msg, node->name, 2970 node->namelen, msg->qinfo.qname, 2971 msg->qinfo.qname_len, 1, 1, 0, 0)) 2972 return 0; 2973 } 2974 return 1; 2975 } 2976 2977 /** generate answer for referral answer */ 2978 static int 2979 az_generate_referral_answer(struct auth_zone* z, struct regional* region, 2980 struct dns_msg* msg, struct auth_data* ce, struct auth_rrset* rrset) 2981 { 2982 struct auth_rrset* ds, *nsec; 2983 /* turn off AA flag, referral is nonAA because it leaves the zone */ 2984 log_assert(ce); 2985 msg->rep->flags &= ~BIT_AA; 2986 if(!msg_add_rrset_ns(z, region, msg, ce, rrset)) return 0; 2987 /* add DS or deny it */ 2988 if((ds=az_domain_rrset(ce, LDNS_RR_TYPE_DS))!=NULL) { 2989 if(!msg_add_rrset_ns(z, region, msg, ce, ds)) return 0; 2990 } else { 2991 /* deny the DS */ 2992 if((nsec=az_domain_rrset(ce, LDNS_RR_TYPE_NSEC))!=NULL) { 2993 if(!msg_add_rrset_ns(z, region, msg, ce, nsec)) 2994 return 0; 2995 } else { 2996 if(!az_add_nsec3_proof(z, region, msg, ce->name, 2997 ce->namelen, msg->qinfo.qname, 2998 msg->qinfo.qname_len, 1, 1, 0, 0)) 2999 return 0; 3000 } 3001 } 3002 /* add additional rrs for type NS */ 3003 if(!az_add_additionals_from(z, region, msg, rrset, 0)) return 0; 3004 return 1; 3005 } 3006 3007 /** generate answer for DNAME answer */ 3008 static int 3009 az_generate_dname_answer(struct auth_zone* z, struct query_info* qinfo, 3010 struct regional* region, struct dns_msg* msg, struct auth_data* ce, 3011 struct auth_rrset* rrset) 3012 { 3013 log_assert(ce); 3014 /* add the DNAME and then a CNAME */ 3015 if(!msg_add_rrset_an(z, region, msg, ce, rrset)) return 0; 3016 if(!add_synth_cname(z, qinfo->qname, qinfo->qname_len, region, 3017 msg, ce, rrset)) return 0; 3018 if(FLAGS_GET_RCODE(msg->rep->flags) == LDNS_RCODE_YXDOMAIN) 3019 return 1; 3020 if(msg->rep->rrset_count == 0 || 3021 !msg->rep->rrsets[msg->rep->rrset_count-1]) 3022 return 0; 3023 if(!follow_cname_chain(z, qinfo->qtype, region, msg, 3024 (struct packed_rrset_data*)msg->rep->rrsets[ 3025 msg->rep->rrset_count-1]->entry.data)) 3026 return 0; 3027 return 1; 3028 } 3029 3030 /** generate answer for wildcard answer */ 3031 static int 3032 az_generate_wildcard_answer(struct auth_zone* z, struct query_info* qinfo, 3033 struct regional* region, struct dns_msg* msg, struct auth_data* ce, 3034 struct auth_data* wildcard, struct auth_data* node) 3035 { 3036 struct auth_rrset* rrset, *nsec; 3037 int insert_ce = 0; 3038 if((rrset=az_domain_rrset(wildcard, qinfo->qtype)) != NULL) { 3039 /* wildcard has type, add it */ 3040 if(!msg_add_rrset_an(z, region, msg, wildcard, rrset)) 3041 return 0; 3042 az_change_dnames(msg, wildcard->name, msg->qinfo.qname, 3043 msg->qinfo.qname_len, 1); 3044 } else if((rrset=az_domain_rrset(wildcard, LDNS_RR_TYPE_CNAME))!=NULL) { 3045 /* wildcard has cname instead, do that */ 3046 if(!msg_add_rrset_an(z, region, msg, wildcard, rrset)) 3047 return 0; 3048 az_change_dnames(msg, wildcard->name, msg->qinfo.qname, 3049 msg->qinfo.qname_len, 1); 3050 if(!follow_cname_chain(z, qinfo->qtype, region, msg, 3051 rrset->data)) 3052 return 0; 3053 } else if(qinfo->qtype == LDNS_RR_TYPE_ANY && wildcard->rrsets) { 3054 /* add ANY rrsets from wildcard node */ 3055 if(!az_generate_any_answer(z, region, msg, wildcard)) 3056 return 0; 3057 az_change_dnames(msg, wildcard->name, msg->qinfo.qname, 3058 msg->qinfo.qname_len, 1); 3059 } else { 3060 /* wildcard has nodata, notype answer */ 3061 /* call other notype routine for dnssec notype denials */ 3062 if(!az_generate_notype_answer(z, region, msg, wildcard)) 3063 return 0; 3064 /* because the notype, there is no positive data with an 3065 * RRSIG that indicates the wildcard position. Thus the 3066 * wildcard qname denial needs to have a CE nsec3. */ 3067 insert_ce = 1; 3068 } 3069 3070 /* ce and node for dnssec denial of wildcard original name */ 3071 if((nsec=az_find_nsec_cover(z, &node)) != NULL) { 3072 if(!msg_add_rrset_ns(z, region, msg, node, nsec)) return 0; 3073 } else if(ce) { 3074 uint8_t* wildup = wildcard->name; 3075 size_t wilduplen= wildcard->namelen; 3076 dname_remove_label(&wildup, &wilduplen); 3077 if(!az_add_nsec3_proof(z, region, msg, wildup, 3078 wilduplen, msg->qinfo.qname, 3079 msg->qinfo.qname_len, 0, insert_ce, 1, 0)) 3080 return 0; 3081 } 3082 3083 /* fixup name of wildcard from *.zone to qname, use already allocated 3084 * pointer to msg qname */ 3085 az_change_dnames(msg, wildcard->name, msg->qinfo.qname, 3086 msg->qinfo.qname_len, 0); 3087 return 1; 3088 } 3089 3090 /** generate answer for nxdomain answer */ 3091 static int 3092 az_generate_nxdomain_answer(struct auth_zone* z, struct regional* region, 3093 struct dns_msg* msg, struct auth_data* ce, struct auth_data* node) 3094 { 3095 struct auth_rrset* nsec; 3096 msg->rep->flags |= LDNS_RCODE_NXDOMAIN; 3097 if(!az_add_negative_soa(z, region, msg)) return 0; 3098 if((nsec=az_find_nsec_cover(z, &node)) != NULL) { 3099 if(!msg_add_rrset_ns(z, region, msg, node, nsec)) return 0; 3100 if(ce && !az_nsec_wildcard_denial(z, region, msg, ce->name, 3101 ce->namelen)) return 0; 3102 } else if(ce) { 3103 if(!az_add_nsec3_proof(z, region, msg, ce->name, 3104 ce->namelen, msg->qinfo.qname, 3105 msg->qinfo.qname_len, 0, 1, 1, 1)) 3106 return 0; 3107 } 3108 return 1; 3109 } 3110 3111 /** Create answers when an exact match exists for the domain name */ 3112 static int 3113 az_generate_answer_with_node(struct auth_zone* z, struct query_info* qinfo, 3114 struct regional* region, struct dns_msg* msg, struct auth_data* node) 3115 { 3116 struct auth_rrset* rrset; 3117 /* positive answer, rrset we are looking for exists */ 3118 if((rrset=az_domain_rrset(node, qinfo->qtype)) != NULL) { 3119 return az_generate_positive_answer(z, region, msg, node, rrset); 3120 } 3121 /* CNAME? */ 3122 if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_CNAME)) != NULL) { 3123 return az_generate_cname_answer(z, qinfo, region, msg, 3124 node, rrset); 3125 } 3126 /* type ANY ? */ 3127 if(qinfo->qtype == LDNS_RR_TYPE_ANY) { 3128 return az_generate_any_answer(z, region, msg, node); 3129 } 3130 /* NOERROR/NODATA (no such type at domain name) */ 3131 return az_generate_notype_answer(z, region, msg, node); 3132 } 3133 3134 /** Generate answer without an existing-node that we can use. 3135 * So it'll be a referral, DNAME or nxdomain */ 3136 static int 3137 az_generate_answer_nonexistnode(struct auth_zone* z, struct query_info* qinfo, 3138 struct regional* region, struct dns_msg* msg, struct auth_data* ce, 3139 struct auth_rrset* rrset, struct auth_data* node) 3140 { 3141 struct auth_data* wildcard; 3142 3143 /* we do not have an exact matching name (that exists) */ 3144 /* see if we have a NS or DNAME in the ce */ 3145 if(ce && rrset && rrset->type == LDNS_RR_TYPE_NS) { 3146 return az_generate_referral_answer(z, region, msg, ce, rrset); 3147 } 3148 if(ce && rrset && rrset->type == LDNS_RR_TYPE_DNAME) { 3149 return az_generate_dname_answer(z, qinfo, region, msg, ce, 3150 rrset); 3151 } 3152 /* if there is an empty nonterminal, wildcard and nxdomain don't 3153 * happen, it is a notype answer */ 3154 if(az_empty_nonterminal(z, qinfo, node)) { 3155 return az_generate_notype_answer(z, region, msg, node); 3156 } 3157 /* see if we have a wildcard under the ce */ 3158 if((wildcard=az_find_wildcard(z, qinfo, ce)) != NULL) { 3159 return az_generate_wildcard_answer(z, qinfo, region, msg, 3160 ce, wildcard, node); 3161 } 3162 /* generate nxdomain answer */ 3163 return az_generate_nxdomain_answer(z, region, msg, ce, node); 3164 } 3165 3166 /** Lookup answer in a zone. */ 3167 static int 3168 auth_zone_generate_answer(struct auth_zone* z, struct query_info* qinfo, 3169 struct regional* region, struct dns_msg** msg, int* fallback) 3170 { 3171 struct auth_data* node, *ce; 3172 struct auth_rrset* rrset; 3173 int node_exact, node_exists; 3174 /* does the zone want fallback in case of failure? */ 3175 *fallback = z->fallback_enabled; 3176 if(!(*msg=msg_create(region, qinfo))) return 0; 3177 3178 /* lookup if there is a matching domain name for the query */ 3179 az_find_domain(z, qinfo, &node_exact, &node); 3180 3181 /* see if node exists for generating answers from (i.e. not glue and 3182 * obscured by NS or DNAME or NSEC3-only), and also return the 3183 * closest-encloser from that, closest node that should be used 3184 * to generate answers from that is above the query */ 3185 node_exists = az_find_ce(z, qinfo, node, node_exact, &ce, &rrset); 3186 3187 if(verbosity >= VERB_ALGO) { 3188 char zname[256], qname[256], nname[256], cename[256], 3189 tpstr[32], rrstr[32]; 3190 sldns_wire2str_dname_buf(qinfo->qname, qinfo->qname_len, qname, 3191 sizeof(qname)); 3192 sldns_wire2str_type_buf(qinfo->qtype, tpstr, sizeof(tpstr)); 3193 sldns_wire2str_dname_buf(z->name, z->namelen, zname, 3194 sizeof(zname)); 3195 if(node) 3196 sldns_wire2str_dname_buf(node->name, node->namelen, 3197 nname, sizeof(nname)); 3198 else snprintf(nname, sizeof(nname), "NULL"); 3199 if(ce) 3200 sldns_wire2str_dname_buf(ce->name, ce->namelen, 3201 cename, sizeof(cename)); 3202 else snprintf(cename, sizeof(cename), "NULL"); 3203 if(rrset) sldns_wire2str_type_buf(rrset->type, rrstr, 3204 sizeof(rrstr)); 3205 else snprintf(rrstr, sizeof(rrstr), "NULL"); 3206 log_info("auth_zone %s query %s %s, domain %s %s %s, " 3207 "ce %s, rrset %s", zname, qname, tpstr, nname, 3208 (node_exact?"exact":"notexact"), 3209 (node_exists?"exist":"notexist"), cename, rrstr); 3210 } 3211 3212 if(node_exists) { 3213 /* the node is fine, generate answer from node */ 3214 return az_generate_answer_with_node(z, qinfo, region, *msg, 3215 node); 3216 } 3217 return az_generate_answer_nonexistnode(z, qinfo, region, *msg, 3218 ce, rrset, node); 3219 } 3220 3221 int auth_zones_lookup(struct auth_zones* az, struct query_info* qinfo, 3222 struct regional* region, struct dns_msg** msg, int* fallback, 3223 uint8_t* dp_nm, size_t dp_nmlen) 3224 { 3225 int r; 3226 struct auth_zone* z; 3227 /* find the zone that should contain the answer. */ 3228 lock_rw_rdlock(&az->lock); 3229 z = auth_zone_find(az, dp_nm, dp_nmlen, qinfo->qclass); 3230 if(!z) { 3231 lock_rw_unlock(&az->lock); 3232 /* no auth zone, fallback to internet */ 3233 *fallback = 1; 3234 return 0; 3235 } 3236 lock_rw_rdlock(&z->lock); 3237 lock_rw_unlock(&az->lock); 3238 3239 /* if not for upstream queries, fallback */ 3240 if(!z->for_upstream) { 3241 lock_rw_unlock(&z->lock); 3242 *fallback = 1; 3243 return 0; 3244 } 3245 if(z->zone_expired) { 3246 *fallback = z->fallback_enabled; 3247 lock_rw_unlock(&z->lock); 3248 return 0; 3249 } 3250 /* see what answer that zone would generate */ 3251 r = auth_zone_generate_answer(z, qinfo, region, msg, fallback); 3252 lock_rw_unlock(&z->lock); 3253 return r; 3254 } 3255 3256 /** encode auth answer */ 3257 static void 3258 auth_answer_encode(struct query_info* qinfo, struct module_env* env, 3259 struct edns_data* edns, struct comm_reply* repinfo, sldns_buffer* buf, 3260 struct regional* temp, struct dns_msg* msg) 3261 { 3262 uint16_t udpsize; 3263 udpsize = edns->udp_size; 3264 edns->edns_version = EDNS_ADVERTISED_VERSION; 3265 edns->udp_size = EDNS_ADVERTISED_SIZE; 3266 edns->ext_rcode = 0; 3267 edns->bits &= EDNS_DO; 3268 3269 if(!inplace_cb_reply_local_call(env, qinfo, NULL, msg->rep, 3270 (int)FLAGS_GET_RCODE(msg->rep->flags), edns, repinfo, temp) 3271 || !reply_info_answer_encode(qinfo, msg->rep, 3272 *(uint16_t*)sldns_buffer_begin(buf), 3273 sldns_buffer_read_u16_at(buf, 2), 3274 buf, 0, 0, temp, udpsize, edns, 3275 (int)(edns->bits&EDNS_DO), 0)) { 3276 error_encode(buf, (LDNS_RCODE_SERVFAIL|BIT_AA), qinfo, 3277 *(uint16_t*)sldns_buffer_begin(buf), 3278 sldns_buffer_read_u16_at(buf, 2), edns); 3279 } 3280 } 3281 3282 /** encode auth error answer */ 3283 static void 3284 auth_error_encode(struct query_info* qinfo, struct module_env* env, 3285 struct edns_data* edns, struct comm_reply* repinfo, sldns_buffer* buf, 3286 struct regional* temp, int rcode) 3287 { 3288 edns->edns_version = EDNS_ADVERTISED_VERSION; 3289 edns->udp_size = EDNS_ADVERTISED_SIZE; 3290 edns->ext_rcode = 0; 3291 edns->bits &= EDNS_DO; 3292 3293 if(!inplace_cb_reply_local_call(env, qinfo, NULL, NULL, 3294 rcode, edns, repinfo, temp)) 3295 edns->opt_list = NULL; 3296 error_encode(buf, rcode|BIT_AA, qinfo, 3297 *(uint16_t*)sldns_buffer_begin(buf), 3298 sldns_buffer_read_u16_at(buf, 2), edns); 3299 } 3300 3301 int auth_zones_answer(struct auth_zones* az, struct module_env* env, 3302 struct query_info* qinfo, struct edns_data* edns, 3303 struct comm_reply* repinfo, struct sldns_buffer* buf, struct regional* temp) 3304 { 3305 struct dns_msg* msg = NULL; 3306 struct auth_zone* z; 3307 int r; 3308 int fallback = 0; 3309 3310 lock_rw_rdlock(&az->lock); 3311 if(!az->have_downstream) { 3312 /* no downstream auth zones */ 3313 lock_rw_unlock(&az->lock); 3314 return 0; 3315 } 3316 if(qinfo->qtype == LDNS_RR_TYPE_DS) { 3317 uint8_t* delname = qinfo->qname; 3318 size_t delnamelen = qinfo->qname_len; 3319 dname_remove_label(&delname, &delnamelen); 3320 z = auth_zones_find_zone(az, delname, delnamelen, 3321 qinfo->qclass); 3322 } else { 3323 z = auth_zones_find_zone(az, qinfo->qname, qinfo->qname_len, 3324 qinfo->qclass); 3325 } 3326 if(!z) { 3327 /* no zone above it */ 3328 lock_rw_unlock(&az->lock); 3329 return 0; 3330 } 3331 lock_rw_rdlock(&z->lock); 3332 lock_rw_unlock(&az->lock); 3333 if(!z->for_downstream) { 3334 lock_rw_unlock(&z->lock); 3335 return 0; 3336 } 3337 if(z->zone_expired) { 3338 if(z->fallback_enabled) { 3339 lock_rw_unlock(&z->lock); 3340 return 0; 3341 } 3342 lock_rw_unlock(&z->lock); 3343 lock_rw_wrlock(&az->lock); 3344 az->num_query_down++; 3345 lock_rw_unlock(&az->lock); 3346 auth_error_encode(qinfo, env, edns, repinfo, buf, temp, 3347 LDNS_RCODE_SERVFAIL); 3348 return 1; 3349 } 3350 3351 /* answer it from zone z */ 3352 r = auth_zone_generate_answer(z, qinfo, temp, &msg, &fallback); 3353 lock_rw_unlock(&z->lock); 3354 if(!r && fallback) { 3355 /* fallback to regular answering (recursive) */ 3356 return 0; 3357 } 3358 lock_rw_wrlock(&az->lock); 3359 az->num_query_down++; 3360 lock_rw_unlock(&az->lock); 3361 3362 /* encode answer */ 3363 if(!r) 3364 auth_error_encode(qinfo, env, edns, repinfo, buf, temp, 3365 LDNS_RCODE_SERVFAIL); 3366 else auth_answer_encode(qinfo, env, edns, repinfo, buf, temp, msg); 3367 3368 return 1; 3369 } 3370 3371 int auth_zones_can_fallback(struct auth_zones* az, uint8_t* nm, size_t nmlen, 3372 uint16_t dclass) 3373 { 3374 int r; 3375 struct auth_zone* z; 3376 lock_rw_rdlock(&az->lock); 3377 z = auth_zone_find(az, nm, nmlen, dclass); 3378 if(!z) { 3379 lock_rw_unlock(&az->lock); 3380 /* no such auth zone, fallback */ 3381 return 1; 3382 } 3383 lock_rw_rdlock(&z->lock); 3384 lock_rw_unlock(&az->lock); 3385 r = z->fallback_enabled || (!z->for_upstream); 3386 lock_rw_unlock(&z->lock); 3387 return r; 3388 } 3389 3390 int 3391 auth_zone_parse_notify_serial(sldns_buffer* pkt, uint32_t *serial) 3392 { 3393 struct query_info q; 3394 uint16_t rdlen; 3395 memset(&q, 0, sizeof(q)); 3396 sldns_buffer_set_position(pkt, 0); 3397 if(!query_info_parse(&q, pkt)) return 0; 3398 if(LDNS_ANCOUNT(sldns_buffer_begin(pkt)) == 0) return 0; 3399 /* skip name of RR in answer section */ 3400 if(sldns_buffer_remaining(pkt) < 1) return 0; 3401 if(pkt_dname_len(pkt) == 0) return 0; 3402 /* check type */ 3403 if(sldns_buffer_remaining(pkt) < 10 /* type,class,ttl,rdatalen*/) 3404 return 0; 3405 if(sldns_buffer_read_u16(pkt) != LDNS_RR_TYPE_SOA) return 0; 3406 sldns_buffer_skip(pkt, 2); /* class */ 3407 sldns_buffer_skip(pkt, 4); /* ttl */ 3408 rdlen = sldns_buffer_read_u16(pkt); /* rdatalen */ 3409 if(sldns_buffer_remaining(pkt) < rdlen) return 0; 3410 if(rdlen < 22) return 0; /* bad soa length */ 3411 sldns_buffer_skip(pkt, (ssize_t)(rdlen-20)); 3412 *serial = sldns_buffer_read_u32(pkt); 3413 /* return true when has serial in answer section */ 3414 return 1; 3415 } 3416 3417 /** see if addr appears in the list */ 3418 static int 3419 addr_in_list(struct auth_addr* list, struct sockaddr_storage* addr, 3420 socklen_t addrlen) 3421 { 3422 struct auth_addr* p; 3423 for(p=list; p; p=p->next) { 3424 if(sockaddr_cmp_addr(addr, addrlen, &p->addr, p->addrlen)==0) 3425 return 1; 3426 } 3427 return 0; 3428 } 3429 3430 /** check if an address matches a master specification (or one of its 3431 * addresses in the addr list) */ 3432 static int 3433 addr_matches_master(struct auth_master* master, struct sockaddr_storage* addr, 3434 socklen_t addrlen, struct auth_master** fromhost) 3435 { 3436 struct sockaddr_storage a; 3437 socklen_t alen = 0; 3438 int net = 0; 3439 if(addr_in_list(master->list, addr, addrlen)) { 3440 *fromhost = master; 3441 return 1; 3442 } 3443 /* compare address (but not port number, that is the destination 3444 * port of the master, the port number of the received notify is 3445 * allowed to by any port on that master) */ 3446 if(extstrtoaddr(master->host, &a, &alen) && 3447 sockaddr_cmp_addr(addr, addrlen, &a, alen)==0) { 3448 *fromhost = master; 3449 return 1; 3450 } 3451 /* prefixes, addr/len, like 10.0.0.0/8 */ 3452 /* not http and has a / and there is one / */ 3453 if(master->allow_notify && !master->http && 3454 strchr(master->host, '/') != NULL && 3455 strchr(master->host, '/') == strrchr(master->host, '/') && 3456 netblockstrtoaddr(master->host, UNBOUND_DNS_PORT, &a, &alen, 3457 &net) && alen == addrlen) { 3458 if(addr_in_common(addr, (addr_is_ip6(addr, addrlen)?128:32), 3459 &a, net, alen) >= net) { 3460 *fromhost = NULL; /* prefix does not have destination 3461 to send the probe or transfer with */ 3462 return 1; /* matches the netblock */ 3463 } 3464 } 3465 return 0; 3466 } 3467 3468 /** check access list for notifies */ 3469 static int 3470 az_xfr_allowed_notify(struct auth_xfer* xfr, struct sockaddr_storage* addr, 3471 socklen_t addrlen, struct auth_master** fromhost) 3472 { 3473 struct auth_master* p; 3474 for(p=xfr->allow_notify_list; p; p=p->next) { 3475 if(addr_matches_master(p, addr, addrlen, fromhost)) { 3476 return 1; 3477 } 3478 } 3479 return 0; 3480 } 3481 3482 /** see if the serial means the zone has to be updated, i.e. the serial 3483 * is newer than the zone serial, or we have no zone */ 3484 static int 3485 xfr_serial_means_update(struct auth_xfer* xfr, uint32_t serial) 3486 { 3487 if(!xfr->have_zone) 3488 return 1; /* no zone, anything is better */ 3489 if(xfr->zone_expired) 3490 return 1; /* expired, the sent serial is better than expired 3491 data */ 3492 if(compare_serial(xfr->serial, serial) < 0) 3493 return 1; /* our serial is smaller than the sent serial, 3494 the data is newer, fetch it */ 3495 return 0; 3496 } 3497 3498 /** note notify serial, updates the notify information in the xfr struct */ 3499 static void 3500 xfr_note_notify_serial(struct auth_xfer* xfr, int has_serial, uint32_t serial) 3501 { 3502 if(xfr->notify_received && xfr->notify_has_serial && has_serial) { 3503 /* see if this serial is newer */ 3504 if(compare_serial(xfr->notify_serial, serial) < 0) 3505 xfr->notify_serial = serial; 3506 } else if(xfr->notify_received && xfr->notify_has_serial && 3507 !has_serial) { 3508 /* remove serial, we have notify without serial */ 3509 xfr->notify_has_serial = 0; 3510 xfr->notify_serial = 0; 3511 } else if(xfr->notify_received && !xfr->notify_has_serial) { 3512 /* we already have notify without serial, keep it 3513 * that way; no serial check when current operation 3514 * is done */ 3515 } else { 3516 xfr->notify_received = 1; 3517 xfr->notify_has_serial = has_serial; 3518 xfr->notify_serial = serial; 3519 } 3520 } 3521 3522 /** process a notify serial, start new probe or note serial. xfr is locked */ 3523 static void 3524 xfr_process_notify(struct auth_xfer* xfr, struct module_env* env, 3525 int has_serial, uint32_t serial, struct auth_master* fromhost) 3526 { 3527 /* if the serial of notify is older than we have, don't fetch 3528 * a zone, we already have it */ 3529 if(has_serial && !xfr_serial_means_update(xfr, serial)) { 3530 lock_basic_unlock(&xfr->lock); 3531 return; 3532 } 3533 /* start new probe with this addr src, or note serial */ 3534 if(!xfr_start_probe(xfr, env, fromhost)) { 3535 /* not started because already in progress, note the serial */ 3536 xfr_note_notify_serial(xfr, has_serial, serial); 3537 lock_basic_unlock(&xfr->lock); 3538 } 3539 /* successful end of start_probe unlocked xfr->lock */ 3540 } 3541 3542 int auth_zones_notify(struct auth_zones* az, struct module_env* env, 3543 uint8_t* nm, size_t nmlen, uint16_t dclass, 3544 struct sockaddr_storage* addr, socklen_t addrlen, int has_serial, 3545 uint32_t serial, int* refused) 3546 { 3547 struct auth_xfer* xfr; 3548 struct auth_master* fromhost = NULL; 3549 /* see which zone this is */ 3550 lock_rw_rdlock(&az->lock); 3551 xfr = auth_xfer_find(az, nm, nmlen, dclass); 3552 if(!xfr) { 3553 lock_rw_unlock(&az->lock); 3554 /* no such zone, refuse the notify */ 3555 *refused = 1; 3556 return 0; 3557 } 3558 lock_basic_lock(&xfr->lock); 3559 lock_rw_unlock(&az->lock); 3560 3561 /* check access list for notifies */ 3562 if(!az_xfr_allowed_notify(xfr, addr, addrlen, &fromhost)) { 3563 lock_basic_unlock(&xfr->lock); 3564 /* notify not allowed, refuse the notify */ 3565 *refused = 1; 3566 return 0; 3567 } 3568 3569 /* process the notify */ 3570 xfr_process_notify(xfr, env, has_serial, serial, fromhost); 3571 return 1; 3572 } 3573 3574 int auth_zones_startprobesequence(struct auth_zones* az, 3575 struct module_env* env, uint8_t* nm, size_t nmlen, uint16_t dclass) 3576 { 3577 struct auth_xfer* xfr; 3578 lock_rw_rdlock(&az->lock); 3579 xfr = auth_xfer_find(az, nm, nmlen, dclass); 3580 if(!xfr) { 3581 lock_rw_unlock(&az->lock); 3582 return 0; 3583 } 3584 lock_basic_lock(&xfr->lock); 3585 lock_rw_unlock(&az->lock); 3586 3587 xfr_process_notify(xfr, env, 0, 0, NULL); 3588 return 1; 3589 } 3590 3591 /** set a zone expired */ 3592 static void 3593 auth_xfer_set_expired(struct auth_xfer* xfr, struct module_env* env, 3594 int expired) 3595 { 3596 struct auth_zone* z; 3597 3598 /* expire xfr */ 3599 lock_basic_lock(&xfr->lock); 3600 xfr->zone_expired = expired; 3601 lock_basic_unlock(&xfr->lock); 3602 3603 /* find auth_zone */ 3604 lock_rw_rdlock(&env->auth_zones->lock); 3605 z = auth_zone_find(env->auth_zones, xfr->name, xfr->namelen, 3606 xfr->dclass); 3607 if(!z) { 3608 lock_rw_unlock(&env->auth_zones->lock); 3609 return; 3610 } 3611 lock_rw_wrlock(&z->lock); 3612 lock_rw_unlock(&env->auth_zones->lock); 3613 3614 /* expire auth_zone */ 3615 z->zone_expired = expired; 3616 lock_rw_unlock(&z->lock); 3617 } 3618 3619 /** find master (from notify or probe) in list of masters */ 3620 static struct auth_master* 3621 find_master_by_host(struct auth_master* list, char* host) 3622 { 3623 struct auth_master* p; 3624 for(p=list; p; p=p->next) { 3625 if(strcmp(p->host, host) == 0) 3626 return p; 3627 } 3628 return NULL; 3629 } 3630 3631 /** delete the looked up auth_addrs for all the masters in the list */ 3632 static void 3633 xfr_masterlist_free_addrs(struct auth_master* list) 3634 { 3635 struct auth_master* m; 3636 for(m=list; m; m=m->next) { 3637 if(m->list) { 3638 auth_free_master_addrs(m->list); 3639 m->list = NULL; 3640 } 3641 } 3642 } 3643 3644 /** copy a list of auth_addrs */ 3645 static struct auth_addr* 3646 auth_addr_list_copy(struct auth_addr* source) 3647 { 3648 struct auth_addr* list = NULL, *last = NULL; 3649 struct auth_addr* p; 3650 for(p=source; p; p=p->next) { 3651 struct auth_addr* a = (struct auth_addr*)memdup(p, sizeof(*p)); 3652 if(!a) { 3653 log_err("malloc failure"); 3654 auth_free_master_addrs(list); 3655 return NULL; 3656 } 3657 a->next = NULL; 3658 if(last) last->next = a; 3659 if(!list) list = a; 3660 last = a; 3661 } 3662 return list; 3663 } 3664 3665 /** copy a master to a new structure, NULL on alloc failure */ 3666 static struct auth_master* 3667 auth_master_copy(struct auth_master* o) 3668 { 3669 struct auth_master* m; 3670 if(!o) return NULL; 3671 m = (struct auth_master*)memdup(o, sizeof(*o)); 3672 if(!m) { 3673 log_err("malloc failure"); 3674 return NULL; 3675 } 3676 m->next = NULL; 3677 if(m->host) { 3678 m->host = strdup(m->host); 3679 if(!m->host) { 3680 free(m); 3681 log_err("malloc failure"); 3682 return NULL; 3683 } 3684 } 3685 if(m->file) { 3686 m->file = strdup(m->file); 3687 if(!m->file) { 3688 free(m->host); 3689 free(m); 3690 log_err("malloc failure"); 3691 return NULL; 3692 } 3693 } 3694 if(m->list) { 3695 m->list = auth_addr_list_copy(m->list); 3696 if(!m->list) { 3697 free(m->file); 3698 free(m->host); 3699 free(m); 3700 return NULL; 3701 } 3702 } 3703 return m; 3704 } 3705 3706 /** copy the master addresses from the task_probe lookups to the allow_notify 3707 * list of masters */ 3708 static void 3709 probe_copy_masters_for_allow_notify(struct auth_xfer* xfr) 3710 { 3711 struct auth_master* list = NULL, *last = NULL; 3712 struct auth_master* p; 3713 /* build up new list with copies */ 3714 for(p = xfr->task_probe->masters; p; p=p->next) { 3715 struct auth_master* m = auth_master_copy(p); 3716 if(!m) { 3717 auth_free_masters(list); 3718 /* failed because of malloc failure, use old list */ 3719 return; 3720 } 3721 m->next = NULL; 3722 if(last) last->next = m; 3723 if(!list) list = m; 3724 last = m; 3725 } 3726 /* success, replace list */ 3727 auth_free_masters(xfr->allow_notify_list); 3728 xfr->allow_notify_list = list; 3729 } 3730 3731 /** start the lookups for task_transfer */ 3732 static void 3733 xfr_transfer_start_lookups(struct auth_xfer* xfr) 3734 { 3735 /* delete all the looked up addresses in the list */ 3736 xfr->task_transfer->scan_addr = NULL; 3737 xfr_masterlist_free_addrs(xfr->task_transfer->masters); 3738 3739 /* start lookup at the first master */ 3740 xfr->task_transfer->lookup_target = xfr->task_transfer->masters; 3741 xfr->task_transfer->lookup_aaaa = 0; 3742 } 3743 3744 /** move to the next lookup of hostname for task_transfer */ 3745 static void 3746 xfr_transfer_move_to_next_lookup(struct auth_xfer* xfr, struct module_env* env) 3747 { 3748 if(!xfr->task_transfer->lookup_target) 3749 return; /* already at end of list */ 3750 if(!xfr->task_transfer->lookup_aaaa && env->cfg->do_ip6) { 3751 /* move to lookup AAAA */ 3752 xfr->task_transfer->lookup_aaaa = 1; 3753 return; 3754 } 3755 xfr->task_transfer->lookup_target = 3756 xfr->task_transfer->lookup_target->next; 3757 xfr->task_transfer->lookup_aaaa = 0; 3758 if(!env->cfg->do_ip4 && xfr->task_transfer->lookup_target!=NULL) 3759 xfr->task_transfer->lookup_aaaa = 1; 3760 } 3761 3762 /** start the lookups for task_probe */ 3763 static void 3764 xfr_probe_start_lookups(struct auth_xfer* xfr) 3765 { 3766 /* delete all the looked up addresses in the list */ 3767 xfr->task_probe->scan_addr = NULL; 3768 xfr_masterlist_free_addrs(xfr->task_probe->masters); 3769 3770 /* start lookup at the first master */ 3771 xfr->task_probe->lookup_target = xfr->task_probe->masters; 3772 xfr->task_probe->lookup_aaaa = 0; 3773 } 3774 3775 /** move to the next lookup of hostname for task_probe */ 3776 static void 3777 xfr_probe_move_to_next_lookup(struct auth_xfer* xfr, struct module_env* env) 3778 { 3779 if(!xfr->task_probe->lookup_target) 3780 return; /* already at end of list */ 3781 if(!xfr->task_probe->lookup_aaaa && env->cfg->do_ip6) { 3782 /* move to lookup AAAA */ 3783 xfr->task_probe->lookup_aaaa = 1; 3784 return; 3785 } 3786 xfr->task_probe->lookup_target = xfr->task_probe->lookup_target->next; 3787 xfr->task_probe->lookup_aaaa = 0; 3788 if(!env->cfg->do_ip4 && xfr->task_probe->lookup_target!=NULL) 3789 xfr->task_probe->lookup_aaaa = 1; 3790 } 3791 3792 /** start the iteration of the task_transfer list of masters */ 3793 static void 3794 xfr_transfer_start_list(struct auth_xfer* xfr, struct auth_master* spec) 3795 { 3796 if(spec) { 3797 xfr->task_transfer->scan_specific = find_master_by_host( 3798 xfr->task_transfer->masters, spec->host); 3799 if(xfr->task_transfer->scan_specific) { 3800 xfr->task_transfer->scan_target = NULL; 3801 xfr->task_transfer->scan_addr = NULL; 3802 if(xfr->task_transfer->scan_specific->list) 3803 xfr->task_transfer->scan_addr = 3804 xfr->task_transfer->scan_specific->list; 3805 return; 3806 } 3807 } 3808 /* no specific (notified) host to scan */ 3809 xfr->task_transfer->scan_specific = NULL; 3810 xfr->task_transfer->scan_addr = NULL; 3811 /* pick up first scan target */ 3812 xfr->task_transfer->scan_target = xfr->task_transfer->masters; 3813 if(xfr->task_transfer->scan_target && xfr->task_transfer-> 3814 scan_target->list) 3815 xfr->task_transfer->scan_addr = 3816 xfr->task_transfer->scan_target->list; 3817 } 3818 3819 /** start the iteration of the task_probe list of masters */ 3820 static void 3821 xfr_probe_start_list(struct auth_xfer* xfr, struct auth_master* spec) 3822 { 3823 if(spec) { 3824 xfr->task_probe->scan_specific = find_master_by_host( 3825 xfr->task_probe->masters, spec->host); 3826 if(xfr->task_probe->scan_specific) { 3827 xfr->task_probe->scan_target = NULL; 3828 xfr->task_probe->scan_addr = NULL; 3829 if(xfr->task_probe->scan_specific->list) 3830 xfr->task_probe->scan_addr = 3831 xfr->task_probe->scan_specific->list; 3832 return; 3833 } 3834 } 3835 /* no specific (notified) host to scan */ 3836 xfr->task_probe->scan_specific = NULL; 3837 xfr->task_probe->scan_addr = NULL; 3838 /* pick up first scan target */ 3839 xfr->task_probe->scan_target = xfr->task_probe->masters; 3840 if(xfr->task_probe->scan_target && xfr->task_probe->scan_target->list) 3841 xfr->task_probe->scan_addr = 3842 xfr->task_probe->scan_target->list; 3843 } 3844 3845 /** pick up the master that is being scanned right now, task_transfer */ 3846 static struct auth_master* 3847 xfr_transfer_current_master(struct auth_xfer* xfr) 3848 { 3849 if(xfr->task_transfer->scan_specific) 3850 return xfr->task_transfer->scan_specific; 3851 return xfr->task_transfer->scan_target; 3852 } 3853 3854 /** pick up the master that is being scanned right now, task_probe */ 3855 static struct auth_master* 3856 xfr_probe_current_master(struct auth_xfer* xfr) 3857 { 3858 if(xfr->task_probe->scan_specific) 3859 return xfr->task_probe->scan_specific; 3860 return xfr->task_probe->scan_target; 3861 } 3862 3863 /** true if at end of list, task_transfer */ 3864 static int 3865 xfr_transfer_end_of_list(struct auth_xfer* xfr) 3866 { 3867 return !xfr->task_transfer->scan_specific && 3868 !xfr->task_transfer->scan_target; 3869 } 3870 3871 /** true if at end of list, task_probe */ 3872 static int 3873 xfr_probe_end_of_list(struct auth_xfer* xfr) 3874 { 3875 return !xfr->task_probe->scan_specific && !xfr->task_probe->scan_target; 3876 } 3877 3878 /** move to next master in list, task_transfer */ 3879 static void 3880 xfr_transfer_nextmaster(struct auth_xfer* xfr) 3881 { 3882 if(!xfr->task_transfer->scan_specific && 3883 !xfr->task_transfer->scan_target) 3884 return; 3885 if(xfr->task_transfer->scan_addr) { 3886 xfr->task_transfer->scan_addr = 3887 xfr->task_transfer->scan_addr->next; 3888 if(xfr->task_transfer->scan_addr) 3889 return; 3890 } 3891 if(xfr->task_transfer->scan_specific) { 3892 xfr->task_transfer->scan_specific = NULL; 3893 xfr->task_transfer->scan_target = xfr->task_transfer->masters; 3894 if(xfr->task_transfer->scan_target && xfr->task_transfer-> 3895 scan_target->list) 3896 xfr->task_transfer->scan_addr = 3897 xfr->task_transfer->scan_target->list; 3898 return; 3899 } 3900 if(!xfr->task_transfer->scan_target) 3901 return; 3902 xfr->task_transfer->scan_target = xfr->task_transfer->scan_target->next; 3903 if(xfr->task_transfer->scan_target && xfr->task_transfer-> 3904 scan_target->list) 3905 xfr->task_transfer->scan_addr = 3906 xfr->task_transfer->scan_target->list; 3907 return; 3908 } 3909 3910 /** move to next master in list, task_probe */ 3911 static void 3912 xfr_probe_nextmaster(struct auth_xfer* xfr) 3913 { 3914 if(!xfr->task_probe->scan_specific && !xfr->task_probe->scan_target) 3915 return; 3916 if(xfr->task_probe->scan_addr) { 3917 xfr->task_probe->scan_addr = xfr->task_probe->scan_addr->next; 3918 if(xfr->task_probe->scan_addr) 3919 return; 3920 } 3921 if(xfr->task_probe->scan_specific) { 3922 xfr->task_probe->scan_specific = NULL; 3923 xfr->task_probe->scan_target = xfr->task_probe->masters; 3924 if(xfr->task_probe->scan_target && xfr->task_probe-> 3925 scan_target->list) 3926 xfr->task_probe->scan_addr = 3927 xfr->task_probe->scan_target->list; 3928 return; 3929 } 3930 if(!xfr->task_probe->scan_target) 3931 return; 3932 xfr->task_probe->scan_target = xfr->task_probe->scan_target->next; 3933 if(xfr->task_probe->scan_target && xfr->task_probe-> 3934 scan_target->list) 3935 xfr->task_probe->scan_addr = 3936 xfr->task_probe->scan_target->list; 3937 return; 3938 } 3939 3940 /** create SOA probe packet for xfr */ 3941 static void 3942 xfr_create_soa_probe_packet(struct auth_xfer* xfr, sldns_buffer* buf, 3943 uint16_t id) 3944 { 3945 struct query_info qinfo; 3946 3947 memset(&qinfo, 0, sizeof(qinfo)); 3948 qinfo.qname = xfr->name; 3949 qinfo.qname_len = xfr->namelen; 3950 qinfo.qtype = LDNS_RR_TYPE_SOA; 3951 qinfo.qclass = xfr->dclass; 3952 qinfo_query_encode(buf, &qinfo); 3953 sldns_buffer_write_u16_at(buf, 0, id); 3954 } 3955 3956 /** create IXFR/AXFR packet for xfr */ 3957 static void 3958 xfr_create_ixfr_packet(struct auth_xfer* xfr, sldns_buffer* buf, uint16_t id, 3959 struct auth_master* master) 3960 { 3961 struct query_info qinfo; 3962 uint32_t serial; 3963 int have_zone; 3964 have_zone = xfr->have_zone; 3965 serial = xfr->serial; 3966 3967 memset(&qinfo, 0, sizeof(qinfo)); 3968 qinfo.qname = xfr->name; 3969 qinfo.qname_len = xfr->namelen; 3970 xfr->task_transfer->got_xfr_serial = 0; 3971 xfr->task_transfer->rr_scan_num = 0; 3972 xfr->task_transfer->incoming_xfr_serial = 0; 3973 xfr->task_transfer->on_ixfr_is_axfr = 0; 3974 xfr->task_transfer->on_ixfr = 1; 3975 qinfo.qtype = LDNS_RR_TYPE_IXFR; 3976 if(!have_zone || xfr->task_transfer->ixfr_fail || !master->ixfr) { 3977 qinfo.qtype = LDNS_RR_TYPE_AXFR; 3978 xfr->task_transfer->ixfr_fail = 0; 3979 xfr->task_transfer->on_ixfr = 0; 3980 } 3981 3982 qinfo.qclass = xfr->dclass; 3983 qinfo_query_encode(buf, &qinfo); 3984 sldns_buffer_write_u16_at(buf, 0, id); 3985 3986 /* append serial for IXFR */ 3987 if(qinfo.qtype == LDNS_RR_TYPE_IXFR) { 3988 size_t end = sldns_buffer_limit(buf); 3989 sldns_buffer_clear(buf); 3990 sldns_buffer_set_position(buf, end); 3991 /* auth section count 1 */ 3992 sldns_buffer_write_u16_at(buf, LDNS_NSCOUNT_OFF, 1); 3993 /* write SOA */ 3994 sldns_buffer_write_u8(buf, 0xC0); /* compressed ptr to qname */ 3995 sldns_buffer_write_u8(buf, 0x0C); 3996 sldns_buffer_write_u16(buf, LDNS_RR_TYPE_SOA); 3997 sldns_buffer_write_u16(buf, qinfo.qclass); 3998 sldns_buffer_write_u32(buf, 0); /* ttl */ 3999 sldns_buffer_write_u16(buf, 22); /* rdata length */ 4000 sldns_buffer_write_u8(buf, 0); /* . */ 4001 sldns_buffer_write_u8(buf, 0); /* . */ 4002 sldns_buffer_write_u32(buf, serial); /* serial */ 4003 sldns_buffer_write_u32(buf, 0); /* refresh */ 4004 sldns_buffer_write_u32(buf, 0); /* retry */ 4005 sldns_buffer_write_u32(buf, 0); /* expire */ 4006 sldns_buffer_write_u32(buf, 0); /* minimum */ 4007 sldns_buffer_flip(buf); 4008 } 4009 } 4010 4011 /** check if returned packet is OK */ 4012 static int 4013 check_packet_ok(sldns_buffer* pkt, uint16_t qtype, struct auth_xfer* xfr, 4014 uint32_t* serial) 4015 { 4016 /* parse to see if packet worked, valid reply */ 4017 4018 /* check serial number of SOA */ 4019 if(sldns_buffer_limit(pkt) < LDNS_HEADER_SIZE) 4020 return 0; 4021 4022 /* check ID */ 4023 if(LDNS_ID_WIRE(sldns_buffer_begin(pkt)) != xfr->task_probe->id) 4024 return 0; 4025 4026 /* check flag bits and rcode */ 4027 if(!LDNS_QR_WIRE(sldns_buffer_begin(pkt))) 4028 return 0; 4029 if(LDNS_OPCODE_WIRE(sldns_buffer_begin(pkt)) != LDNS_PACKET_QUERY) 4030 return 0; 4031 if(LDNS_RCODE_WIRE(sldns_buffer_begin(pkt)) != LDNS_RCODE_NOERROR) 4032 return 0; 4033 4034 /* check qname */ 4035 if(LDNS_QDCOUNT(sldns_buffer_begin(pkt)) != 1) 4036 return 0; 4037 sldns_buffer_skip(pkt, LDNS_HEADER_SIZE); 4038 if(sldns_buffer_remaining(pkt) < xfr->namelen) 4039 return 0; 4040 if(query_dname_compare(sldns_buffer_current(pkt), xfr->name) != 0) 4041 return 0; 4042 sldns_buffer_skip(pkt, (ssize_t)xfr->namelen); 4043 4044 /* check qtype, qclass */ 4045 if(sldns_buffer_remaining(pkt) < 4) 4046 return 0; 4047 if(sldns_buffer_read_u16(pkt) != qtype) 4048 return 0; 4049 if(sldns_buffer_read_u16(pkt) != xfr->dclass) 4050 return 0; 4051 4052 if(serial) { 4053 uint16_t rdlen; 4054 /* read serial number, from answer section SOA */ 4055 if(LDNS_ANCOUNT(sldns_buffer_begin(pkt)) == 0) 4056 return 0; 4057 /* read from first record SOA record */ 4058 if(sldns_buffer_remaining(pkt) < 1) 4059 return 0; 4060 if(dname_pkt_compare(pkt, sldns_buffer_current(pkt), 4061 xfr->name) != 0) 4062 return 0; 4063 if(!pkt_dname_len(pkt)) 4064 return 0; 4065 /* type, class, ttl, rdatalen */ 4066 if(sldns_buffer_remaining(pkt) < 4+4+2) 4067 return 0; 4068 if(sldns_buffer_read_u16(pkt) != qtype) 4069 return 0; 4070 if(sldns_buffer_read_u16(pkt) != xfr->dclass) 4071 return 0; 4072 sldns_buffer_skip(pkt, 4); /* ttl */ 4073 rdlen = sldns_buffer_read_u16(pkt); 4074 if(sldns_buffer_remaining(pkt) < rdlen) 4075 return 0; 4076 if(sldns_buffer_remaining(pkt) < 1) 4077 return 0; 4078 if(!pkt_dname_len(pkt)) /* soa name */ 4079 return 0; 4080 if(sldns_buffer_remaining(pkt) < 1) 4081 return 0; 4082 if(!pkt_dname_len(pkt)) /* soa name */ 4083 return 0; 4084 if(sldns_buffer_remaining(pkt) < 20) 4085 return 0; 4086 *serial = sldns_buffer_read_u32(pkt); 4087 } 4088 return 1; 4089 } 4090 4091 /** read one line from chunks into buffer at current position */ 4092 static int 4093 chunkline_get_line(struct auth_chunk** chunk, size_t* chunk_pos, 4094 sldns_buffer* buf) 4095 { 4096 int readsome = 0; 4097 while(*chunk) { 4098 /* more text in this chunk? */ 4099 if(*chunk_pos < (*chunk)->len) { 4100 readsome = 1; 4101 while(*chunk_pos < (*chunk)->len) { 4102 char c = (char)((*chunk)->data[*chunk_pos]); 4103 (*chunk_pos)++; 4104 if(sldns_buffer_remaining(buf) < 2) { 4105 /* buffer too short */ 4106 verbose(VERB_ALGO, "http chunkline, " 4107 "line too long"); 4108 return 0; 4109 } 4110 sldns_buffer_write_u8(buf, (uint8_t)c); 4111 if(c == '\n') { 4112 /* we are done */ 4113 return 1; 4114 } 4115 } 4116 } 4117 /* move to next chunk */ 4118 *chunk = (*chunk)->next; 4119 *chunk_pos = 0; 4120 } 4121 /* no more text */ 4122 if(readsome) return 1; 4123 return 0; 4124 } 4125 4126 /** count number of open and closed parenthesis in a chunkline */ 4127 static int 4128 chunkline_count_parens(sldns_buffer* buf, size_t start) 4129 { 4130 size_t end = sldns_buffer_position(buf); 4131 size_t i; 4132 int count = 0; 4133 int squote = 0, dquote = 0; 4134 for(i=start; i<end; i++) { 4135 char c = (char)sldns_buffer_read_u8_at(buf, i); 4136 if(squote && c != '\'') continue; 4137 if(dquote && c != '"') continue; 4138 if(c == '"') 4139 dquote = !dquote; /* skip quoted part */ 4140 else if(c == '\'') 4141 squote = !squote; /* skip quoted part */ 4142 else if(c == '(') 4143 count ++; 4144 else if(c == ')') 4145 count --; 4146 else if(c == ';') { 4147 /* rest is a comment */ 4148 return count; 4149 } 4150 } 4151 return count; 4152 } 4153 4154 /** remove trailing ;... comment from a line in the chunkline buffer */ 4155 static void 4156 chunkline_remove_trailcomment(sldns_buffer* buf, size_t start) 4157 { 4158 size_t end = sldns_buffer_position(buf); 4159 size_t i; 4160 int squote = 0, dquote = 0; 4161 for(i=start; i<end; i++) { 4162 char c = (char)sldns_buffer_read_u8_at(buf, i); 4163 if(squote && c != '\'') continue; 4164 if(dquote && c != '"') continue; 4165 if(c == '"') 4166 dquote = !dquote; /* skip quoted part */ 4167 else if(c == '\'') 4168 squote = !squote; /* skip quoted part */ 4169 else if(c == ';') { 4170 /* rest is a comment */ 4171 sldns_buffer_set_position(buf, i); 4172 return; 4173 } 4174 } 4175 /* nothing to remove */ 4176 } 4177 4178 /** see if a chunkline is a comment line (or empty line) */ 4179 static int 4180 chunkline_is_comment_line_or_empty(sldns_buffer* buf) 4181 { 4182 size_t i, end = sldns_buffer_limit(buf); 4183 for(i=0; i<end; i++) { 4184 char c = (char)sldns_buffer_read_u8_at(buf, i); 4185 if(c == ';') 4186 return 1; /* comment */ 4187 else if(c != ' ' && c != '\t' && c != '\r' && c != '\n') 4188 return 0; /* not a comment */ 4189 } 4190 return 1; /* empty */ 4191 } 4192 4193 /** find a line with ( ) collated */ 4194 static int 4195 chunkline_get_line_collated(struct auth_chunk** chunk, size_t* chunk_pos, 4196 sldns_buffer* buf) 4197 { 4198 size_t pos; 4199 int parens = 0; 4200 sldns_buffer_clear(buf); 4201 pos = sldns_buffer_position(buf); 4202 if(!chunkline_get_line(chunk, chunk_pos, buf)) { 4203 if(sldns_buffer_position(buf) < sldns_buffer_limit(buf)) 4204 sldns_buffer_write_u8_at(buf, sldns_buffer_position(buf), 0); 4205 else sldns_buffer_write_u8_at(buf, sldns_buffer_position(buf)-1, 0); 4206 sldns_buffer_flip(buf); 4207 return 0; 4208 } 4209 parens += chunkline_count_parens(buf, pos); 4210 while(parens > 0) { 4211 chunkline_remove_trailcomment(buf, pos); 4212 pos = sldns_buffer_position(buf); 4213 if(!chunkline_get_line(chunk, chunk_pos, buf)) { 4214 if(sldns_buffer_position(buf) < sldns_buffer_limit(buf)) 4215 sldns_buffer_write_u8_at(buf, sldns_buffer_position(buf), 0); 4216 else sldns_buffer_write_u8_at(buf, sldns_buffer_position(buf)-1, 0); 4217 sldns_buffer_flip(buf); 4218 return 0; 4219 } 4220 parens += chunkline_count_parens(buf, pos); 4221 } 4222 4223 if(sldns_buffer_remaining(buf) < 1) { 4224 verbose(VERB_ALGO, "http chunkline: " 4225 "line too long"); 4226 return 0; 4227 } 4228 sldns_buffer_write_u8_at(buf, sldns_buffer_position(buf), 0); 4229 sldns_buffer_flip(buf); 4230 return 1; 4231 } 4232 4233 /** process $ORIGIN for http */ 4234 static int 4235 http_parse_origin(sldns_buffer* buf, struct sldns_file_parse_state* pstate) 4236 { 4237 char* line = (char*)sldns_buffer_begin(buf); 4238 if(strncmp(line, "$ORIGIN", 7) == 0 && 4239 isspace((unsigned char)line[7])) { 4240 int s; 4241 pstate->origin_len = sizeof(pstate->origin); 4242 s = sldns_str2wire_dname_buf(sldns_strip_ws(line+8), 4243 pstate->origin, &pstate->origin_len); 4244 if(s) pstate->origin_len = 0; 4245 return 1; 4246 } 4247 return 0; 4248 } 4249 4250 /** process $TTL for http */ 4251 static int 4252 http_parse_ttl(sldns_buffer* buf, struct sldns_file_parse_state* pstate) 4253 { 4254 char* line = (char*)sldns_buffer_begin(buf); 4255 if(strncmp(line, "$TTL", 4) == 0 && 4256 isspace((unsigned char)line[4])) { 4257 const char* end = NULL; 4258 pstate->default_ttl = sldns_str2period( 4259 sldns_strip_ws(line+5), &end); 4260 return 1; 4261 } 4262 return 0; 4263 } 4264 4265 /** find noncomment RR line in chunks, collates lines if ( ) format */ 4266 static int 4267 chunkline_non_comment_RR(struct auth_chunk** chunk, size_t* chunk_pos, 4268 sldns_buffer* buf, struct sldns_file_parse_state* pstate) 4269 { 4270 while(chunkline_get_line_collated(chunk, chunk_pos, buf)) { 4271 if(chunkline_is_comment_line_or_empty(buf)) { 4272 /* a comment, go to next line */ 4273 continue; 4274 } 4275 if(http_parse_origin(buf, pstate)) { 4276 continue; /* $ORIGIN has been handled */ 4277 } 4278 if(http_parse_ttl(buf, pstate)) { 4279 continue; /* $TTL has been handled */ 4280 } 4281 return 1; 4282 } 4283 /* no noncomments, fail */ 4284 return 0; 4285 } 4286 4287 /** check syntax of chunklist zonefile, parse first RR, return false on 4288 * failure and return a string in the scratch buffer (first RR string) 4289 * on failure. */ 4290 static int 4291 http_zonefile_syntax_check(struct auth_xfer* xfr, sldns_buffer* buf) 4292 { 4293 uint8_t rr[LDNS_RR_BUF_SIZE]; 4294 size_t rr_len, dname_len = 0; 4295 struct sldns_file_parse_state pstate; 4296 struct auth_chunk* chunk; 4297 size_t chunk_pos; 4298 int e; 4299 memset(&pstate, 0, sizeof(pstate)); 4300 pstate.default_ttl = 3600; 4301 if(xfr->namelen < sizeof(pstate.origin)) { 4302 pstate.origin_len = xfr->namelen; 4303 memmove(pstate.origin, xfr->name, xfr->namelen); 4304 } 4305 chunk = xfr->task_transfer->chunks_first; 4306 chunk_pos = 0; 4307 if(!chunkline_non_comment_RR(&chunk, &chunk_pos, buf, &pstate)) { 4308 return 0; 4309 } 4310 rr_len = sizeof(rr); 4311 e=sldns_str2wire_rr_buf((char*)sldns_buffer_begin(buf), rr, &rr_len, 4312 &dname_len, pstate.default_ttl, 4313 pstate.origin_len?pstate.origin:NULL, pstate.origin_len, 4314 pstate.prev_rr_len?pstate.prev_rr:NULL, pstate.prev_rr_len); 4315 if(e != 0) { 4316 log_err("parse failure on first RR[%d]: %s", 4317 LDNS_WIREPARSE_OFFSET(e), 4318 sldns_get_errorstr_parse(LDNS_WIREPARSE_ERROR(e))); 4319 return 0; 4320 } 4321 /* check that class is correct */ 4322 if(sldns_wirerr_get_class(rr, rr_len, dname_len) != xfr->dclass) { 4323 log_err("parse failure: first record in downloaded zonefile " 4324 "from wrong RR class"); 4325 return 0; 4326 } 4327 return 1; 4328 } 4329 4330 /** sum sizes of chunklist */ 4331 static size_t 4332 chunklist_sum(struct auth_chunk* list) 4333 { 4334 struct auth_chunk* p; 4335 size_t s = 0; 4336 for(p=list; p; p=p->next) { 4337 s += p->len; 4338 } 4339 return s; 4340 } 4341 4342 /** remove newlines from collated line */ 4343 static void 4344 chunkline_newline_removal(sldns_buffer* buf) 4345 { 4346 size_t i, end=sldns_buffer_limit(buf); 4347 for(i=0; i<end; i++) { 4348 char c = (char)sldns_buffer_read_u8_at(buf, i); 4349 if(c == '\n' && i==end-1) { 4350 sldns_buffer_write_u8_at(buf, i, 0); 4351 sldns_buffer_set_limit(buf, end-1); 4352 return; 4353 } 4354 if(c == '\n') 4355 sldns_buffer_write_u8_at(buf, i, (uint8_t)' '); 4356 } 4357 } 4358 4359 /** for http download, parse and add RR to zone */ 4360 static int 4361 http_parse_add_rr(struct auth_xfer* xfr, struct auth_zone* z, 4362 sldns_buffer* buf, struct sldns_file_parse_state* pstate) 4363 { 4364 uint8_t rr[LDNS_RR_BUF_SIZE]; 4365 size_t rr_len, dname_len = 0; 4366 int e; 4367 char* line = (char*)sldns_buffer_begin(buf); 4368 rr_len = sizeof(rr); 4369 e = sldns_str2wire_rr_buf(line, rr, &rr_len, &dname_len, 4370 pstate->default_ttl, 4371 pstate->origin_len?pstate->origin:NULL, pstate->origin_len, 4372 pstate->prev_rr_len?pstate->prev_rr:NULL, pstate->prev_rr_len); 4373 if(e != 0) { 4374 log_err("%s/%s parse failure RR[%d]: %s in '%s'", 4375 xfr->task_transfer->master->host, 4376 xfr->task_transfer->master->file, 4377 LDNS_WIREPARSE_OFFSET(e), 4378 sldns_get_errorstr_parse(LDNS_WIREPARSE_ERROR(e)), 4379 line); 4380 return 0; 4381 } 4382 if(rr_len == 0) 4383 return 1; /* empty line or so */ 4384 4385 /* set prev */ 4386 if(dname_len < sizeof(pstate->prev_rr)) { 4387 memmove(pstate->prev_rr, rr, dname_len); 4388 pstate->prev_rr_len = dname_len; 4389 } 4390 4391 return az_insert_rr(z, rr, rr_len, dname_len, NULL); 4392 } 4393 4394 /** RR list iterator, returns RRs from answer section one by one from the 4395 * dns packets in the chunklist */ 4396 static void 4397 chunk_rrlist_start(struct auth_xfer* xfr, struct auth_chunk** rr_chunk, 4398 int* rr_num, size_t* rr_pos) 4399 { 4400 *rr_chunk = xfr->task_transfer->chunks_first; 4401 *rr_num = 0; 4402 *rr_pos = 0; 4403 } 4404 4405 /** RR list iterator, see if we are at the end of the list */ 4406 static int 4407 chunk_rrlist_end(struct auth_chunk* rr_chunk, int rr_num) 4408 { 4409 while(rr_chunk) { 4410 if(rr_chunk->len < LDNS_HEADER_SIZE) 4411 return 1; 4412 if(rr_num < (int)LDNS_ANCOUNT(rr_chunk->data)) 4413 return 0; 4414 /* no more RRs in this chunk */ 4415 /* continue with next chunk, see if it has RRs */ 4416 rr_chunk = rr_chunk->next; 4417 rr_num = 0; 4418 } 4419 return 1; 4420 } 4421 4422 /** RR list iterator, move to next RR */ 4423 static void 4424 chunk_rrlist_gonext(struct auth_chunk** rr_chunk, int* rr_num, 4425 size_t* rr_pos, size_t rr_nextpos) 4426 { 4427 /* already at end of chunks? */ 4428 if(!*rr_chunk) 4429 return; 4430 /* move within this chunk */ 4431 if((*rr_chunk)->len >= LDNS_HEADER_SIZE && 4432 (*rr_num)+1 < (int)LDNS_ANCOUNT((*rr_chunk)->data)) { 4433 (*rr_num) += 1; 4434 *rr_pos = rr_nextpos; 4435 return; 4436 } 4437 /* no more RRs in this chunk */ 4438 /* continue with next chunk, see if it has RRs */ 4439 if(*rr_chunk) 4440 *rr_chunk = (*rr_chunk)->next; 4441 while(*rr_chunk) { 4442 *rr_num = 0; 4443 *rr_pos = 0; 4444 if((*rr_chunk)->len >= LDNS_HEADER_SIZE && 4445 LDNS_ANCOUNT((*rr_chunk)->data) > 0) { 4446 return; 4447 } 4448 *rr_chunk = (*rr_chunk)->next; 4449 } 4450 } 4451 4452 /** RR iterator, get current RR information, false on parse error */ 4453 static int 4454 chunk_rrlist_get_current(struct auth_chunk* rr_chunk, int rr_num, 4455 size_t rr_pos, uint8_t** rr_dname, uint16_t* rr_type, 4456 uint16_t* rr_class, uint32_t* rr_ttl, uint16_t* rr_rdlen, 4457 uint8_t** rr_rdata, size_t* rr_nextpos) 4458 { 4459 sldns_buffer pkt; 4460 /* integrity checks on position */ 4461 if(!rr_chunk) return 0; 4462 if(rr_chunk->len < LDNS_HEADER_SIZE) return 0; 4463 if(rr_num >= (int)LDNS_ANCOUNT(rr_chunk->data)) return 0; 4464 if(rr_pos >= rr_chunk->len) return 0; 4465 4466 /* fetch rr information */ 4467 sldns_buffer_init_frm_data(&pkt, rr_chunk->data, rr_chunk->len); 4468 if(rr_pos == 0) { 4469 size_t i; 4470 /* skip question section */ 4471 sldns_buffer_set_position(&pkt, LDNS_HEADER_SIZE); 4472 for(i=0; i<LDNS_QDCOUNT(rr_chunk->data); i++) { 4473 if(pkt_dname_len(&pkt) == 0) return 0; 4474 if(sldns_buffer_remaining(&pkt) < 4) return 0; 4475 sldns_buffer_skip(&pkt, 4); /* type and class */ 4476 } 4477 } else { 4478 sldns_buffer_set_position(&pkt, rr_pos); 4479 } 4480 *rr_dname = sldns_buffer_current(&pkt); 4481 if(pkt_dname_len(&pkt) == 0) return 0; 4482 if(sldns_buffer_remaining(&pkt) < 10) return 0; 4483 *rr_type = sldns_buffer_read_u16(&pkt); 4484 *rr_class = sldns_buffer_read_u16(&pkt); 4485 *rr_ttl = sldns_buffer_read_u32(&pkt); 4486 *rr_rdlen = sldns_buffer_read_u16(&pkt); 4487 if(sldns_buffer_remaining(&pkt) < (*rr_rdlen)) return 0; 4488 *rr_rdata = sldns_buffer_current(&pkt); 4489 sldns_buffer_skip(&pkt, (ssize_t)(*rr_rdlen)); 4490 *rr_nextpos = sldns_buffer_position(&pkt); 4491 return 1; 4492 } 4493 4494 /** print log message where we are in parsing the zone transfer */ 4495 static void 4496 log_rrlist_position(const char* label, struct auth_chunk* rr_chunk, 4497 uint8_t* rr_dname, uint16_t rr_type, size_t rr_counter) 4498 { 4499 sldns_buffer pkt; 4500 size_t dlen; 4501 uint8_t buf[256]; 4502 char str[256]; 4503 char typestr[32]; 4504 sldns_buffer_init_frm_data(&pkt, rr_chunk->data, rr_chunk->len); 4505 sldns_buffer_set_position(&pkt, (size_t)(rr_dname - 4506 sldns_buffer_begin(&pkt))); 4507 if((dlen=pkt_dname_len(&pkt)) == 0) return; 4508 if(dlen >= sizeof(buf)) return; 4509 dname_pkt_copy(&pkt, buf, rr_dname); 4510 dname_str(buf, str); 4511 (void)sldns_wire2str_type_buf(rr_type, typestr, sizeof(typestr)); 4512 verbose(VERB_ALGO, "%s at[%d] %s %s", label, (int)rr_counter, 4513 str, typestr); 4514 } 4515 4516 /** check that start serial is OK for ixfr. we are at rr_counter == 0, 4517 * and we are going to check rr_counter == 1 (has to be type SOA) serial */ 4518 static int 4519 ixfr_start_serial(struct auth_chunk* rr_chunk, int rr_num, size_t rr_pos, 4520 uint8_t* rr_dname, uint16_t rr_type, uint16_t rr_class, 4521 uint32_t rr_ttl, uint16_t rr_rdlen, uint8_t* rr_rdata, 4522 size_t rr_nextpos, uint32_t transfer_serial, uint32_t xfr_serial) 4523 { 4524 uint32_t startserial; 4525 /* move forward on RR */ 4526 chunk_rrlist_gonext(&rr_chunk, &rr_num, &rr_pos, rr_nextpos); 4527 if(chunk_rrlist_end(rr_chunk, rr_num)) { 4528 /* no second SOA */ 4529 verbose(VERB_OPS, "IXFR has no second SOA record"); 4530 return 0; 4531 } 4532 if(!chunk_rrlist_get_current(rr_chunk, rr_num, rr_pos, 4533 &rr_dname, &rr_type, &rr_class, &rr_ttl, &rr_rdlen, 4534 &rr_rdata, &rr_nextpos)) { 4535 verbose(VERB_OPS, "IXFR cannot parse second SOA record"); 4536 /* failed to parse RR */ 4537 return 0; 4538 } 4539 if(rr_type != LDNS_RR_TYPE_SOA) { 4540 verbose(VERB_OPS, "IXFR second record is not type SOA"); 4541 return 0; 4542 } 4543 if(rr_rdlen < 22) { 4544 verbose(VERB_OPS, "IXFR, second SOA has short rdlength"); 4545 return 0; /* bad SOA rdlen */ 4546 } 4547 startserial = sldns_read_uint32(rr_rdata+rr_rdlen-20); 4548 if(startserial == transfer_serial) { 4549 /* empty AXFR, not an IXFR */ 4550 verbose(VERB_OPS, "IXFR second serial same as first"); 4551 return 0; 4552 } 4553 if(startserial != xfr_serial) { 4554 /* wrong start serial, it does not match the serial in 4555 * memory */ 4556 verbose(VERB_OPS, "IXFR is from serial %u to %u but %u " 4557 "in memory, rejecting the zone transfer", 4558 (unsigned)startserial, (unsigned)transfer_serial, 4559 (unsigned)xfr_serial); 4560 return 0; 4561 } 4562 /* everything OK in second SOA serial */ 4563 return 1; 4564 } 4565 4566 /** apply IXFR to zone in memory. z is locked. false on failure(mallocfail) */ 4567 static int 4568 apply_ixfr(struct auth_xfer* xfr, struct auth_zone* z, 4569 struct sldns_buffer* scratch_buffer) 4570 { 4571 struct auth_chunk* rr_chunk; 4572 int rr_num; 4573 size_t rr_pos; 4574 uint8_t* rr_dname, *rr_rdata; 4575 uint16_t rr_type, rr_class, rr_rdlen; 4576 uint32_t rr_ttl; 4577 size_t rr_nextpos; 4578 int have_transfer_serial = 0; 4579 uint32_t transfer_serial = 0; 4580 size_t rr_counter = 0; 4581 int delmode = 0; 4582 int softfail = 0; 4583 4584 /* start RR iterator over chunklist of packets */ 4585 chunk_rrlist_start(xfr, &rr_chunk, &rr_num, &rr_pos); 4586 while(!chunk_rrlist_end(rr_chunk, rr_num)) { 4587 if(!chunk_rrlist_get_current(rr_chunk, rr_num, rr_pos, 4588 &rr_dname, &rr_type, &rr_class, &rr_ttl, &rr_rdlen, 4589 &rr_rdata, &rr_nextpos)) { 4590 /* failed to parse RR */ 4591 return 0; 4592 } 4593 if(verbosity>=7) log_rrlist_position("apply ixfr", 4594 rr_chunk, rr_dname, rr_type, rr_counter); 4595 /* twiddle add/del mode and check for start and end */ 4596 if(rr_counter == 0 && rr_type != LDNS_RR_TYPE_SOA) 4597 return 0; 4598 if(rr_counter == 1 && rr_type != LDNS_RR_TYPE_SOA) { 4599 /* this is an AXFR returned from the IXFR master */ 4600 /* but that should already have been detected, by 4601 * on_ixfr_is_axfr */ 4602 return 0; 4603 } 4604 if(rr_type == LDNS_RR_TYPE_SOA) { 4605 uint32_t serial; 4606 if(rr_rdlen < 22) return 0; /* bad SOA rdlen */ 4607 serial = sldns_read_uint32(rr_rdata+rr_rdlen-20); 4608 if(have_transfer_serial == 0) { 4609 have_transfer_serial = 1; 4610 transfer_serial = serial; 4611 delmode = 1; /* gets negated below */ 4612 /* check second RR before going any further */ 4613 if(!ixfr_start_serial(rr_chunk, rr_num, rr_pos, 4614 rr_dname, rr_type, rr_class, rr_ttl, 4615 rr_rdlen, rr_rdata, rr_nextpos, 4616 transfer_serial, xfr->serial)) { 4617 return 0; 4618 } 4619 } else if(transfer_serial == serial) { 4620 have_transfer_serial++; 4621 if(rr_counter == 1) { 4622 /* empty AXFR, with SOA; SOA; */ 4623 /* should have been detected by 4624 * on_ixfr_is_axfr */ 4625 return 0; 4626 } 4627 if(have_transfer_serial == 3) { 4628 /* see serial three times for end */ 4629 /* eg. IXFR: 4630 * SOA 3 start 4631 * SOA 1 second RR, followed by del 4632 * SOA 2 followed by add 4633 * SOA 2 followed by del 4634 * SOA 3 followed by add 4635 * SOA 3 end */ 4636 /* ended by SOA record */ 4637 xfr->serial = transfer_serial; 4638 break; 4639 } 4640 } 4641 /* twiddle add/del mode */ 4642 /* switch from delete part to add part and back again 4643 * just before the soa, it gets deleted and added too 4644 * this means we switch to delete mode for the final 4645 * SOA(so skip that one) */ 4646 delmode = !delmode; 4647 } 4648 /* process this RR */ 4649 /* if the RR is deleted twice or added twice, then we 4650 * softfail, and continue with the rest of the IXFR, so 4651 * that we serve something fairly nice during the refetch */ 4652 if(verbosity>=7) log_rrlist_position((delmode?"del":"add"), 4653 rr_chunk, rr_dname, rr_type, rr_counter); 4654 if(delmode) { 4655 /* delete this RR */ 4656 int nonexist = 0; 4657 if(!az_remove_rr_decompress(z, rr_chunk->data, 4658 rr_chunk->len, scratch_buffer, rr_dname, 4659 rr_type, rr_class, rr_ttl, rr_rdata, rr_rdlen, 4660 &nonexist)) { 4661 /* failed, malloc error or so */ 4662 return 0; 4663 } 4664 if(nonexist) { 4665 /* it was removal of a nonexisting RR */ 4666 if(verbosity>=4) log_rrlist_position( 4667 "IXFR error nonexistent RR", 4668 rr_chunk, rr_dname, rr_type, rr_counter); 4669 softfail = 1; 4670 } 4671 } else if(rr_counter != 0) { 4672 /* skip first SOA RR for addition, it is added in 4673 * the addition part near the end of the ixfr, when 4674 * that serial is seen the second time. */ 4675 int duplicate = 0; 4676 /* add this RR */ 4677 if(!az_insert_rr_decompress(z, rr_chunk->data, 4678 rr_chunk->len, scratch_buffer, rr_dname, 4679 rr_type, rr_class, rr_ttl, rr_rdata, rr_rdlen, 4680 &duplicate)) { 4681 /* failed, malloc error or so */ 4682 return 0; 4683 } 4684 if(duplicate) { 4685 /* it was a duplicate */ 4686 if(verbosity>=4) log_rrlist_position( 4687 "IXFR error duplicate RR", 4688 rr_chunk, rr_dname, rr_type, rr_counter); 4689 softfail = 1; 4690 } 4691 } 4692 4693 rr_counter++; 4694 chunk_rrlist_gonext(&rr_chunk, &rr_num, &rr_pos, rr_nextpos); 4695 } 4696 if(softfail) { 4697 verbose(VERB_ALGO, "IXFR did not apply cleanly, fetching full zone"); 4698 return 0; 4699 } 4700 return 1; 4701 } 4702 4703 /** apply AXFR to zone in memory. z is locked. false on failure(mallocfail) */ 4704 static int 4705 apply_axfr(struct auth_xfer* xfr, struct auth_zone* z, 4706 struct sldns_buffer* scratch_buffer) 4707 { 4708 struct auth_chunk* rr_chunk; 4709 int rr_num; 4710 size_t rr_pos; 4711 uint8_t* rr_dname, *rr_rdata; 4712 uint16_t rr_type, rr_class, rr_rdlen; 4713 uint32_t rr_ttl; 4714 uint32_t serial = 0; 4715 size_t rr_nextpos; 4716 size_t rr_counter = 0; 4717 int have_end_soa = 0; 4718 4719 /* clear the data tree */ 4720 traverse_postorder(&z->data, auth_data_del, NULL); 4721 rbtree_init(&z->data, &auth_data_cmp); 4722 /* clear the RPZ policies */ 4723 if(z->rpz) 4724 rpz_clear(z->rpz); 4725 4726 xfr->have_zone = 0; 4727 xfr->serial = 0; 4728 4729 /* insert all RRs in to the zone */ 4730 /* insert the SOA only once, skip the last one */ 4731 /* start RR iterator over chunklist of packets */ 4732 chunk_rrlist_start(xfr, &rr_chunk, &rr_num, &rr_pos); 4733 while(!chunk_rrlist_end(rr_chunk, rr_num)) { 4734 if(!chunk_rrlist_get_current(rr_chunk, rr_num, rr_pos, 4735 &rr_dname, &rr_type, &rr_class, &rr_ttl, &rr_rdlen, 4736 &rr_rdata, &rr_nextpos)) { 4737 /* failed to parse RR */ 4738 return 0; 4739 } 4740 if(verbosity>=7) log_rrlist_position("apply_axfr", 4741 rr_chunk, rr_dname, rr_type, rr_counter); 4742 if(rr_type == LDNS_RR_TYPE_SOA) { 4743 if(rr_counter != 0) { 4744 /* end of the axfr */ 4745 have_end_soa = 1; 4746 break; 4747 } 4748 if(rr_rdlen < 22) return 0; /* bad SOA rdlen */ 4749 serial = sldns_read_uint32(rr_rdata+rr_rdlen-20); 4750 } 4751 4752 /* add this RR */ 4753 if(!az_insert_rr_decompress(z, rr_chunk->data, rr_chunk->len, 4754 scratch_buffer, rr_dname, rr_type, rr_class, rr_ttl, 4755 rr_rdata, rr_rdlen, NULL)) { 4756 /* failed, malloc error or so */ 4757 return 0; 4758 } 4759 4760 rr_counter++; 4761 chunk_rrlist_gonext(&rr_chunk, &rr_num, &rr_pos, rr_nextpos); 4762 } 4763 if(!have_end_soa) { 4764 log_err("no end SOA record for AXFR"); 4765 return 0; 4766 } 4767 4768 xfr->serial = serial; 4769 xfr->have_zone = 1; 4770 return 1; 4771 } 4772 4773 /** apply HTTP to zone in memory. z is locked. false on failure(mallocfail) */ 4774 static int 4775 apply_http(struct auth_xfer* xfr, struct auth_zone* z, 4776 struct sldns_buffer* scratch_buffer) 4777 { 4778 /* parse data in chunks */ 4779 /* parse RR's and read into memory. ignore $INCLUDE from the 4780 * downloaded file*/ 4781 struct sldns_file_parse_state pstate; 4782 struct auth_chunk* chunk; 4783 size_t chunk_pos; 4784 memset(&pstate, 0, sizeof(pstate)); 4785 pstate.default_ttl = 3600; 4786 if(xfr->namelen < sizeof(pstate.origin)) { 4787 pstate.origin_len = xfr->namelen; 4788 memmove(pstate.origin, xfr->name, xfr->namelen); 4789 } 4790 4791 if(verbosity >= VERB_ALGO) 4792 verbose(VERB_ALGO, "http download %s of size %d", 4793 xfr->task_transfer->master->file, 4794 (int)chunklist_sum(xfr->task_transfer->chunks_first)); 4795 if(xfr->task_transfer->chunks_first && verbosity >= VERB_ALGO) { 4796 char preview[1024]; 4797 if(xfr->task_transfer->chunks_first->len+1 > sizeof(preview)) { 4798 memmove(preview, xfr->task_transfer->chunks_first->data, 4799 sizeof(preview)-1); 4800 preview[sizeof(preview)-1]=0; 4801 } else { 4802 memmove(preview, xfr->task_transfer->chunks_first->data, 4803 xfr->task_transfer->chunks_first->len); 4804 preview[xfr->task_transfer->chunks_first->len]=0; 4805 } 4806 log_info("auth zone http downloaded content preview: %s", 4807 preview); 4808 } 4809 4810 /* perhaps a little syntax check before we try to apply the data? */ 4811 if(!http_zonefile_syntax_check(xfr, scratch_buffer)) { 4812 log_err("http download %s/%s does not contain a zonefile, " 4813 "but got '%s'", xfr->task_transfer->master->host, 4814 xfr->task_transfer->master->file, 4815 sldns_buffer_begin(scratch_buffer)); 4816 return 0; 4817 } 4818 4819 /* clear the data tree */ 4820 traverse_postorder(&z->data, auth_data_del, NULL); 4821 rbtree_init(&z->data, &auth_data_cmp); 4822 /* clear the RPZ policies */ 4823 if(z->rpz) 4824 rpz_clear(z->rpz); 4825 4826 xfr->have_zone = 0; 4827 xfr->serial = 0; 4828 4829 chunk = xfr->task_transfer->chunks_first; 4830 chunk_pos = 0; 4831 pstate.lineno = 0; 4832 while(chunkline_get_line_collated(&chunk, &chunk_pos, scratch_buffer)) { 4833 /* process this line */ 4834 pstate.lineno++; 4835 chunkline_newline_removal(scratch_buffer); 4836 if(chunkline_is_comment_line_or_empty(scratch_buffer)) { 4837 continue; 4838 } 4839 /* parse line and add RR */ 4840 if(http_parse_origin(scratch_buffer, &pstate)) { 4841 continue; /* $ORIGIN has been handled */ 4842 } 4843 if(http_parse_ttl(scratch_buffer, &pstate)) { 4844 continue; /* $TTL has been handled */ 4845 } 4846 if(!http_parse_add_rr(xfr, z, scratch_buffer, &pstate)) { 4847 verbose(VERB_ALGO, "error parsing line [%s:%d] %s", 4848 xfr->task_transfer->master->file, 4849 pstate.lineno, 4850 sldns_buffer_begin(scratch_buffer)); 4851 return 0; 4852 } 4853 } 4854 return 1; 4855 } 4856 4857 /** write http chunks to zonefile to create downloaded file */ 4858 static int 4859 auth_zone_write_chunks(struct auth_xfer* xfr, const char* fname) 4860 { 4861 FILE* out; 4862 struct auth_chunk* p; 4863 out = fopen(fname, "w"); 4864 if(!out) { 4865 log_err("could not open %s: %s", fname, strerror(errno)); 4866 return 0; 4867 } 4868 for(p = xfr->task_transfer->chunks_first; p ; p = p->next) { 4869 if(!write_out(out, (char*)p->data, p->len)) { 4870 log_err("could not write http download to %s", fname); 4871 fclose(out); 4872 return 0; 4873 } 4874 } 4875 fclose(out); 4876 return 1; 4877 } 4878 4879 /** write to zonefile after zone has been updated */ 4880 static void 4881 xfr_write_after_update(struct auth_xfer* xfr, struct module_env* env) 4882 { 4883 struct config_file* cfg = env->cfg; 4884 struct auth_zone* z; 4885 char tmpfile[1024]; 4886 char* zfilename; 4887 lock_basic_unlock(&xfr->lock); 4888 4889 /* get lock again, so it is a readlock and concurrently queries 4890 * can be answered */ 4891 lock_rw_rdlock(&env->auth_zones->lock); 4892 z = auth_zone_find(env->auth_zones, xfr->name, xfr->namelen, 4893 xfr->dclass); 4894 if(!z) { 4895 lock_rw_unlock(&env->auth_zones->lock); 4896 /* the zone is gone, ignore xfr results */ 4897 lock_basic_lock(&xfr->lock); 4898 return; 4899 } 4900 lock_rw_rdlock(&z->lock); 4901 lock_basic_lock(&xfr->lock); 4902 lock_rw_unlock(&env->auth_zones->lock); 4903 4904 if(z->zonefile == NULL || z->zonefile[0] == 0) { 4905 lock_rw_unlock(&z->lock); 4906 /* no write needed, no zonefile set */ 4907 return; 4908 } 4909 zfilename = z->zonefile; 4910 if(cfg->chrootdir && cfg->chrootdir[0] && strncmp(zfilename, 4911 cfg->chrootdir, strlen(cfg->chrootdir)) == 0) 4912 zfilename += strlen(cfg->chrootdir); 4913 if(verbosity >= VERB_ALGO) { 4914 char nm[255+1]; 4915 dname_str(z->name, nm); 4916 verbose(VERB_ALGO, "write zonefile %s for %s", zfilename, nm); 4917 } 4918 4919 /* write to tempfile first */ 4920 if((size_t)strlen(zfilename) + 16 > sizeof(tmpfile)) { 4921 verbose(VERB_ALGO, "tmpfilename too long, cannot update " 4922 " zonefile %s", zfilename); 4923 lock_rw_unlock(&z->lock); 4924 return; 4925 } 4926 snprintf(tmpfile, sizeof(tmpfile), "%s.tmp%u", zfilename, 4927 (unsigned)getpid()); 4928 if(xfr->task_transfer->master->http) { 4929 /* use the stored chunk list to write them */ 4930 if(!auth_zone_write_chunks(xfr, tmpfile)) { 4931 unlink(tmpfile); 4932 lock_rw_unlock(&z->lock); 4933 return; 4934 } 4935 } else if(!auth_zone_write_file(z, tmpfile)) { 4936 unlink(tmpfile); 4937 lock_rw_unlock(&z->lock); 4938 return; 4939 } 4940 if(rename(tmpfile, zfilename) < 0) { 4941 log_err("could not rename(%s, %s): %s", tmpfile, zfilename, 4942 strerror(errno)); 4943 unlink(tmpfile); 4944 lock_rw_unlock(&z->lock); 4945 return; 4946 } 4947 lock_rw_unlock(&z->lock); 4948 } 4949 4950 /** process chunk list and update zone in memory, 4951 * return false if it did not work */ 4952 static int 4953 xfr_process_chunk_list(struct auth_xfer* xfr, struct module_env* env, 4954 int* ixfr_fail) 4955 { 4956 struct auth_zone* z; 4957 4958 /* obtain locks and structures */ 4959 /* release xfr lock, then, while holding az->lock grab both 4960 * z->lock and xfr->lock */ 4961 lock_basic_unlock(&xfr->lock); 4962 lock_rw_rdlock(&env->auth_zones->lock); 4963 z = auth_zone_find(env->auth_zones, xfr->name, xfr->namelen, 4964 xfr->dclass); 4965 if(!z) { 4966 lock_rw_unlock(&env->auth_zones->lock); 4967 /* the zone is gone, ignore xfr results */ 4968 lock_basic_lock(&xfr->lock); 4969 return 0; 4970 } 4971 lock_rw_wrlock(&z->lock); 4972 lock_basic_lock(&xfr->lock); 4973 lock_rw_unlock(&env->auth_zones->lock); 4974 4975 /* apply data */ 4976 if(xfr->task_transfer->master->http) { 4977 if(!apply_http(xfr, z, env->scratch_buffer)) { 4978 lock_rw_unlock(&z->lock); 4979 verbose(VERB_ALGO, "http from %s: could not store data", 4980 xfr->task_transfer->master->host); 4981 return 0; 4982 } 4983 } else if(xfr->task_transfer->on_ixfr && 4984 !xfr->task_transfer->on_ixfr_is_axfr) { 4985 if(!apply_ixfr(xfr, z, env->scratch_buffer)) { 4986 lock_rw_unlock(&z->lock); 4987 verbose(VERB_ALGO, "xfr from %s: could not store IXFR" 4988 " data", xfr->task_transfer->master->host); 4989 *ixfr_fail = 1; 4990 return 0; 4991 } 4992 } else { 4993 if(!apply_axfr(xfr, z, env->scratch_buffer)) { 4994 lock_rw_unlock(&z->lock); 4995 verbose(VERB_ALGO, "xfr from %s: could not store AXFR" 4996 " data", xfr->task_transfer->master->host); 4997 return 0; 4998 } 4999 } 5000 xfr->zone_expired = 0; 5001 z->zone_expired = 0; 5002 if(!xfr_find_soa(z, xfr)) { 5003 lock_rw_unlock(&z->lock); 5004 verbose(VERB_ALGO, "xfr from %s: no SOA in zone after update" 5005 " (or malformed RR)", xfr->task_transfer->master->host); 5006 return 0; 5007 } 5008 if(xfr->have_zone) 5009 xfr->lease_time = *env->now; 5010 5011 if(z->rpz) 5012 rpz_finish_config(z->rpz); 5013 5014 /* unlock */ 5015 lock_rw_unlock(&z->lock); 5016 5017 if(verbosity >= VERB_QUERY && xfr->have_zone) { 5018 char zname[256]; 5019 dname_str(xfr->name, zname); 5020 verbose(VERB_QUERY, "auth zone %s updated to serial %u", zname, 5021 (unsigned)xfr->serial); 5022 } 5023 /* see if we need to write to a zonefile */ 5024 xfr_write_after_update(xfr, env); 5025 return 1; 5026 } 5027 5028 /** disown task_transfer. caller must hold xfr.lock */ 5029 static void 5030 xfr_transfer_disown(struct auth_xfer* xfr) 5031 { 5032 /* remove timer (from this worker's event base) */ 5033 comm_timer_delete(xfr->task_transfer->timer); 5034 xfr->task_transfer->timer = NULL; 5035 /* remove the commpoint */ 5036 comm_point_delete(xfr->task_transfer->cp); 5037 xfr->task_transfer->cp = NULL; 5038 /* we don't own this item anymore */ 5039 xfr->task_transfer->worker = NULL; 5040 xfr->task_transfer->env = NULL; 5041 } 5042 5043 /** lookup a host name for its addresses, if needed */ 5044 static int 5045 xfr_transfer_lookup_host(struct auth_xfer* xfr, struct module_env* env) 5046 { 5047 struct sockaddr_storage addr; 5048 socklen_t addrlen = 0; 5049 struct auth_master* master = xfr->task_transfer->lookup_target; 5050 struct query_info qinfo; 5051 uint16_t qflags = BIT_RD; 5052 uint8_t dname[LDNS_MAX_DOMAINLEN+1]; 5053 struct edns_data edns; 5054 sldns_buffer* buf = env->scratch_buffer; 5055 if(!master) return 0; 5056 if(extstrtoaddr(master->host, &addr, &addrlen)) { 5057 /* not needed, host is in IP addr format */ 5058 return 0; 5059 } 5060 if(master->allow_notify) 5061 return 0; /* allow-notifies are not transferred from, no 5062 lookup is needed */ 5063 5064 /* use mesh_new_callback to probe for non-addr hosts, 5065 * and then wait for them to be looked up (in cache, or query) */ 5066 qinfo.qname_len = sizeof(dname); 5067 if(sldns_str2wire_dname_buf(master->host, dname, &qinfo.qname_len) 5068 != 0) { 5069 log_err("cannot parse host name of master %s", master->host); 5070 return 0; 5071 } 5072 qinfo.qname = dname; 5073 qinfo.qclass = xfr->dclass; 5074 qinfo.qtype = LDNS_RR_TYPE_A; 5075 if(xfr->task_transfer->lookup_aaaa) 5076 qinfo.qtype = LDNS_RR_TYPE_AAAA; 5077 qinfo.local_alias = NULL; 5078 if(verbosity >= VERB_ALGO) { 5079 char buf1[512]; 5080 char buf2[LDNS_MAX_DOMAINLEN+1]; 5081 dname_str(xfr->name, buf2); 5082 snprintf(buf1, sizeof(buf1), "auth zone %s: master lookup" 5083 " for task_transfer", buf2); 5084 log_query_info(VERB_ALGO, buf1, &qinfo); 5085 } 5086 edns.edns_present = 1; 5087 edns.ext_rcode = 0; 5088 edns.edns_version = 0; 5089 edns.bits = EDNS_DO; 5090 edns.opt_list = NULL; 5091 if(sldns_buffer_capacity(buf) < 65535) 5092 edns.udp_size = (uint16_t)sldns_buffer_capacity(buf); 5093 else edns.udp_size = 65535; 5094 5095 /* unlock xfr during mesh_new_callback() because the callback can be 5096 * called straight away */ 5097 lock_basic_unlock(&xfr->lock); 5098 if(!mesh_new_callback(env->mesh, &qinfo, qflags, &edns, buf, 0, 5099 &auth_xfer_transfer_lookup_callback, xfr)) { 5100 lock_basic_lock(&xfr->lock); 5101 log_err("out of memory lookup up master %s", master->host); 5102 return 0; 5103 } 5104 lock_basic_lock(&xfr->lock); 5105 return 1; 5106 } 5107 5108 /** initiate TCP to the target and fetch zone. 5109 * returns true if that was successfully started, and timeout setup. */ 5110 static int 5111 xfr_transfer_init_fetch(struct auth_xfer* xfr, struct module_env* env) 5112 { 5113 struct sockaddr_storage addr; 5114 socklen_t addrlen = 0; 5115 struct auth_master* master = xfr->task_transfer->master; 5116 char *auth_name = NULL; 5117 struct timeval t; 5118 int timeout; 5119 if(!master) return 0; 5120 if(master->allow_notify) return 0; /* only for notify */ 5121 5122 /* get master addr */ 5123 if(xfr->task_transfer->scan_addr) { 5124 addrlen = xfr->task_transfer->scan_addr->addrlen; 5125 memmove(&addr, &xfr->task_transfer->scan_addr->addr, addrlen); 5126 } else { 5127 if(!authextstrtoaddr(master->host, &addr, &addrlen, &auth_name)) { 5128 /* the ones that are not in addr format are supposed 5129 * to be looked up. The lookup has failed however, 5130 * so skip them */ 5131 char zname[255+1]; 5132 dname_str(xfr->name, zname); 5133 log_err("%s: failed lookup, cannot transfer from master %s", 5134 zname, master->host); 5135 return 0; 5136 } 5137 } 5138 5139 /* remove previous TCP connection (if any) */ 5140 if(xfr->task_transfer->cp) { 5141 comm_point_delete(xfr->task_transfer->cp); 5142 xfr->task_transfer->cp = NULL; 5143 } 5144 if(!xfr->task_transfer->timer) { 5145 xfr->task_transfer->timer = comm_timer_create(env->worker_base, 5146 auth_xfer_transfer_timer_callback, xfr); 5147 if(!xfr->task_transfer->timer) { 5148 log_err("malloc failure"); 5149 return 0; 5150 } 5151 } 5152 timeout = AUTH_TRANSFER_TIMEOUT; 5153 #ifndef S_SPLINT_S 5154 t.tv_sec = timeout/1000; 5155 t.tv_usec = (timeout%1000)*1000; 5156 #endif 5157 5158 if(master->http) { 5159 /* perform http fetch */ 5160 /* store http port number into sockaddr, 5161 * unless someone used unbound's host@port notation */ 5162 xfr->task_transfer->on_ixfr = 0; 5163 if(strchr(master->host, '@') == NULL) 5164 sockaddr_store_port(&addr, addrlen, master->port); 5165 xfr->task_transfer->cp = outnet_comm_point_for_http( 5166 env->outnet, auth_xfer_transfer_http_callback, xfr, 5167 &addr, addrlen, -1, master->ssl, master->host, 5168 master->file); 5169 if(!xfr->task_transfer->cp) { 5170 char zname[255+1], as[256]; 5171 dname_str(xfr->name, zname); 5172 addr_to_str(&addr, addrlen, as, sizeof(as)); 5173 verbose(VERB_ALGO, "cannot create http cp " 5174 "connection for %s to %s", zname, as); 5175 return 0; 5176 } 5177 comm_timer_set(xfr->task_transfer->timer, &t); 5178 if(verbosity >= VERB_ALGO) { 5179 char zname[255+1], as[256]; 5180 dname_str(xfr->name, zname); 5181 addr_to_str(&addr, addrlen, as, sizeof(as)); 5182 verbose(VERB_ALGO, "auth zone %s transfer next HTTP fetch from %s started", zname, as); 5183 } 5184 return 1; 5185 } 5186 5187 /* perform AXFR/IXFR */ 5188 /* set the packet to be written */ 5189 /* create new ID */ 5190 xfr->task_transfer->id = (uint16_t)(ub_random(env->rnd)&0xffff); 5191 xfr_create_ixfr_packet(xfr, env->scratch_buffer, 5192 xfr->task_transfer->id, master); 5193 5194 /* connect on fd */ 5195 xfr->task_transfer->cp = outnet_comm_point_for_tcp(env->outnet, 5196 auth_xfer_transfer_tcp_callback, xfr, &addr, addrlen, 5197 env->scratch_buffer, -1, 5198 auth_name != NULL, auth_name); 5199 if(!xfr->task_transfer->cp) { 5200 char zname[255+1], as[256]; 5201 dname_str(xfr->name, zname); 5202 addr_to_str(&addr, addrlen, as, sizeof(as)); 5203 verbose(VERB_ALGO, "cannot create tcp cp connection for " 5204 "xfr %s to %s", zname, as); 5205 return 0; 5206 } 5207 comm_timer_set(xfr->task_transfer->timer, &t); 5208 if(verbosity >= VERB_ALGO) { 5209 char zname[255+1], as[256]; 5210 dname_str(xfr->name, zname); 5211 addr_to_str(&addr, addrlen, as, sizeof(as)); 5212 verbose(VERB_ALGO, "auth zone %s transfer next %s fetch from %s started", zname, 5213 (xfr->task_transfer->on_ixfr?"IXFR":"AXFR"), as); 5214 } 5215 return 1; 5216 } 5217 5218 /** perform next lookup, next transfer TCP, or end and resume wait time task */ 5219 static void 5220 xfr_transfer_nexttarget_or_end(struct auth_xfer* xfr, struct module_env* env) 5221 { 5222 log_assert(xfr->task_transfer->worker == env->worker); 5223 5224 /* are we performing lookups? */ 5225 while(xfr->task_transfer->lookup_target) { 5226 if(xfr_transfer_lookup_host(xfr, env)) { 5227 /* wait for lookup to finish, 5228 * note that the hostname may be in unbound's cache 5229 * and we may then get an instant cache response, 5230 * and that calls the callback just like a full 5231 * lookup and lookup failures also call callback */ 5232 if(verbosity >= VERB_ALGO) { 5233 char zname[255+1]; 5234 dname_str(xfr->name, zname); 5235 verbose(VERB_ALGO, "auth zone %s transfer next target lookup", zname); 5236 } 5237 lock_basic_unlock(&xfr->lock); 5238 return; 5239 } 5240 xfr_transfer_move_to_next_lookup(xfr, env); 5241 } 5242 5243 /* initiate TCP and fetch the zone from the master */ 5244 /* and set timeout on it */ 5245 while(!xfr_transfer_end_of_list(xfr)) { 5246 xfr->task_transfer->master = xfr_transfer_current_master(xfr); 5247 if(xfr_transfer_init_fetch(xfr, env)) { 5248 /* successfully started, wait for callback */ 5249 lock_basic_unlock(&xfr->lock); 5250 return; 5251 } 5252 /* failed to fetch, next master */ 5253 xfr_transfer_nextmaster(xfr); 5254 } 5255 if(verbosity >= VERB_ALGO) { 5256 char zname[255+1]; 5257 dname_str(xfr->name, zname); 5258 verbose(VERB_ALGO, "auth zone %s transfer failed, wait", zname); 5259 } 5260 5261 /* we failed to fetch the zone, move to wait task 5262 * use the shorter retry timeout */ 5263 xfr_transfer_disown(xfr); 5264 5265 /* pick up the nextprobe task and wait */ 5266 if(xfr->task_nextprobe->worker == NULL) 5267 xfr_set_timeout(xfr, env, 1, 0); 5268 lock_basic_unlock(&xfr->lock); 5269 } 5270 5271 /** add addrs from A or AAAA rrset to the master */ 5272 static void 5273 xfr_master_add_addrs(struct auth_master* m, struct ub_packed_rrset_key* rrset, 5274 uint16_t rrtype) 5275 { 5276 size_t i; 5277 struct packed_rrset_data* data; 5278 if(!m || !rrset) return; 5279 if(rrtype != LDNS_RR_TYPE_A && rrtype != LDNS_RR_TYPE_AAAA) 5280 return; 5281 data = (struct packed_rrset_data*)rrset->entry.data; 5282 for(i=0; i<data->count; i++) { 5283 struct auth_addr* a; 5284 size_t len = data->rr_len[i] - 2; 5285 uint8_t* rdata = data->rr_data[i]+2; 5286 if(rrtype == LDNS_RR_TYPE_A && len != INET_SIZE) 5287 continue; /* wrong length for A */ 5288 if(rrtype == LDNS_RR_TYPE_AAAA && len != INET6_SIZE) 5289 continue; /* wrong length for AAAA */ 5290 5291 /* add and alloc it */ 5292 a = (struct auth_addr*)calloc(1, sizeof(*a)); 5293 if(!a) { 5294 log_err("out of memory"); 5295 return; 5296 } 5297 if(rrtype == LDNS_RR_TYPE_A) { 5298 struct sockaddr_in* sa; 5299 a->addrlen = (socklen_t)sizeof(*sa); 5300 sa = (struct sockaddr_in*)&a->addr; 5301 sa->sin_family = AF_INET; 5302 sa->sin_port = (in_port_t)htons(UNBOUND_DNS_PORT); 5303 memmove(&sa->sin_addr, rdata, INET_SIZE); 5304 } else { 5305 struct sockaddr_in6* sa; 5306 a->addrlen = (socklen_t)sizeof(*sa); 5307 sa = (struct sockaddr_in6*)&a->addr; 5308 sa->sin6_family = AF_INET6; 5309 sa->sin6_port = (in_port_t)htons(UNBOUND_DNS_PORT); 5310 memmove(&sa->sin6_addr, rdata, INET6_SIZE); 5311 } 5312 if(verbosity >= VERB_ALGO) { 5313 char s[64]; 5314 addr_to_str(&a->addr, a->addrlen, s, sizeof(s)); 5315 verbose(VERB_ALGO, "auth host %s lookup %s", 5316 m->host, s); 5317 } 5318 /* append to list */ 5319 a->next = m->list; 5320 m->list = a; 5321 } 5322 } 5323 5324 /** callback for task_transfer lookup of host name, of A or AAAA */ 5325 void auth_xfer_transfer_lookup_callback(void* arg, int rcode, sldns_buffer* buf, 5326 enum sec_status ATTR_UNUSED(sec), char* ATTR_UNUSED(why_bogus), 5327 int ATTR_UNUSED(was_ratelimited)) 5328 { 5329 struct auth_xfer* xfr = (struct auth_xfer*)arg; 5330 struct module_env* env; 5331 log_assert(xfr->task_transfer); 5332 lock_basic_lock(&xfr->lock); 5333 env = xfr->task_transfer->env; 5334 if(env->outnet->want_to_quit) { 5335 lock_basic_unlock(&xfr->lock); 5336 return; /* stop on quit */ 5337 } 5338 5339 /* process result */ 5340 if(rcode == LDNS_RCODE_NOERROR) { 5341 uint16_t wanted_qtype = LDNS_RR_TYPE_A; 5342 struct regional* temp = env->scratch; 5343 struct query_info rq; 5344 struct reply_info* rep; 5345 if(xfr->task_transfer->lookup_aaaa) 5346 wanted_qtype = LDNS_RR_TYPE_AAAA; 5347 memset(&rq, 0, sizeof(rq)); 5348 rep = parse_reply_in_temp_region(buf, temp, &rq); 5349 if(rep && rq.qtype == wanted_qtype && 5350 FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NOERROR) { 5351 /* parsed successfully */ 5352 struct ub_packed_rrset_key* answer = 5353 reply_find_answer_rrset(&rq, rep); 5354 if(answer) { 5355 xfr_master_add_addrs(xfr->task_transfer-> 5356 lookup_target, answer, wanted_qtype); 5357 } else { 5358 if(verbosity >= VERB_ALGO) { 5359 char zname[255+1]; 5360 dname_str(xfr->name, zname); 5361 verbose(VERB_ALGO, "auth zone %s host %s type %s transfer lookup has nodata", zname, xfr->task_transfer->lookup_target->host, (xfr->task_transfer->lookup_aaaa?"AAAA":"A")); 5362 } 5363 } 5364 } else { 5365 if(verbosity >= VERB_ALGO) { 5366 char zname[255+1]; 5367 dname_str(xfr->name, zname); 5368 verbose(VERB_ALGO, "auth zone %s host %s type %s transfer lookup has no answer", zname, xfr->task_transfer->lookup_target->host, (xfr->task_transfer->lookup_aaaa?"AAAA":"A")); 5369 } 5370 } 5371 } else { 5372 if(verbosity >= VERB_ALGO) { 5373 char zname[255+1]; 5374 dname_str(xfr->name, zname); 5375 verbose(VERB_ALGO, "auth zone %s host %s type %s transfer lookup failed", zname, xfr->task_transfer->lookup_target->host, (xfr->task_transfer->lookup_aaaa?"AAAA":"A")); 5376 } 5377 } 5378 if(xfr->task_transfer->lookup_target->list && 5379 xfr->task_transfer->lookup_target == xfr_transfer_current_master(xfr)) 5380 xfr->task_transfer->scan_addr = xfr->task_transfer->lookup_target->list; 5381 5382 /* move to lookup AAAA after A lookup, move to next hostname lookup, 5383 * or move to fetch the zone, or, if nothing to do, end task_transfer */ 5384 xfr_transfer_move_to_next_lookup(xfr, env); 5385 xfr_transfer_nexttarget_or_end(xfr, env); 5386 } 5387 5388 /** check if xfer (AXFR or IXFR) packet is OK. 5389 * return false if we lost connection (SERVFAIL, or unreadable). 5390 * return false if we need to move from IXFR to AXFR, with gonextonfail 5391 * set to false, so the same master is tried again, but with AXFR. 5392 * return true if fine to link into data. 5393 * return true with transferdone=true when the transfer has ended. 5394 */ 5395 static int 5396 check_xfer_packet(sldns_buffer* pkt, struct auth_xfer* xfr, 5397 int* gonextonfail, int* transferdone) 5398 { 5399 uint8_t* wire = sldns_buffer_begin(pkt); 5400 int i; 5401 if(sldns_buffer_limit(pkt) < LDNS_HEADER_SIZE) { 5402 verbose(VERB_ALGO, "xfr to %s failed, packet too small", 5403 xfr->task_transfer->master->host); 5404 return 0; 5405 } 5406 if(!LDNS_QR_WIRE(wire)) { 5407 verbose(VERB_ALGO, "xfr to %s failed, packet has no QR flag", 5408 xfr->task_transfer->master->host); 5409 return 0; 5410 } 5411 if(LDNS_TC_WIRE(wire)) { 5412 verbose(VERB_ALGO, "xfr to %s failed, packet has TC flag", 5413 xfr->task_transfer->master->host); 5414 return 0; 5415 } 5416 /* check ID */ 5417 if(LDNS_ID_WIRE(wire) != xfr->task_transfer->id) { 5418 verbose(VERB_ALGO, "xfr to %s failed, packet wrong ID", 5419 xfr->task_transfer->master->host); 5420 return 0; 5421 } 5422 if(LDNS_RCODE_WIRE(wire) != LDNS_RCODE_NOERROR) { 5423 char rcode[32]; 5424 sldns_wire2str_rcode_buf((int)LDNS_RCODE_WIRE(wire), rcode, 5425 sizeof(rcode)); 5426 /* if we are doing IXFR, check for fallback */ 5427 if(xfr->task_transfer->on_ixfr) { 5428 if(LDNS_RCODE_WIRE(wire) == LDNS_RCODE_NOTIMPL || 5429 LDNS_RCODE_WIRE(wire) == LDNS_RCODE_SERVFAIL || 5430 LDNS_RCODE_WIRE(wire) == LDNS_RCODE_REFUSED || 5431 LDNS_RCODE_WIRE(wire) == LDNS_RCODE_FORMERR) { 5432 verbose(VERB_ALGO, "xfr to %s, fallback " 5433 "from IXFR to AXFR (with rcode %s)", 5434 xfr->task_transfer->master->host, 5435 rcode); 5436 xfr->task_transfer->ixfr_fail = 1; 5437 *gonextonfail = 0; 5438 return 0; 5439 } 5440 } 5441 verbose(VERB_ALGO, "xfr to %s failed, packet with rcode %s", 5442 xfr->task_transfer->master->host, rcode); 5443 return 0; 5444 } 5445 if(LDNS_OPCODE_WIRE(wire) != LDNS_PACKET_QUERY) { 5446 verbose(VERB_ALGO, "xfr to %s failed, packet with bad opcode", 5447 xfr->task_transfer->master->host); 5448 return 0; 5449 } 5450 if(LDNS_QDCOUNT(wire) > 1) { 5451 verbose(VERB_ALGO, "xfr to %s failed, packet has qdcount %d", 5452 xfr->task_transfer->master->host, 5453 (int)LDNS_QDCOUNT(wire)); 5454 return 0; 5455 } 5456 5457 /* check qname */ 5458 sldns_buffer_set_position(pkt, LDNS_HEADER_SIZE); 5459 for(i=0; i<(int)LDNS_QDCOUNT(wire); i++) { 5460 size_t pos = sldns_buffer_position(pkt); 5461 uint16_t qtype, qclass; 5462 if(pkt_dname_len(pkt) == 0) { 5463 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5464 "malformed dname", 5465 xfr->task_transfer->master->host); 5466 return 0; 5467 } 5468 if(dname_pkt_compare(pkt, sldns_buffer_at(pkt, pos), 5469 xfr->name) != 0) { 5470 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5471 "wrong qname", 5472 xfr->task_transfer->master->host); 5473 return 0; 5474 } 5475 if(sldns_buffer_remaining(pkt) < 4) { 5476 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5477 "truncated query RR", 5478 xfr->task_transfer->master->host); 5479 return 0; 5480 } 5481 qtype = sldns_buffer_read_u16(pkt); 5482 qclass = sldns_buffer_read_u16(pkt); 5483 if(qclass != xfr->dclass) { 5484 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5485 "wrong qclass", 5486 xfr->task_transfer->master->host); 5487 return 0; 5488 } 5489 if(xfr->task_transfer->on_ixfr) { 5490 if(qtype != LDNS_RR_TYPE_IXFR) { 5491 verbose(VERB_ALGO, "xfr to %s failed, packet " 5492 "with wrong qtype, expected IXFR", 5493 xfr->task_transfer->master->host); 5494 return 0; 5495 } 5496 } else { 5497 if(qtype != LDNS_RR_TYPE_AXFR) { 5498 verbose(VERB_ALGO, "xfr to %s failed, packet " 5499 "with wrong qtype, expected AXFR", 5500 xfr->task_transfer->master->host); 5501 return 0; 5502 } 5503 } 5504 } 5505 5506 /* check parse of RRs in packet, store first SOA serial 5507 * to be able to detect last SOA (with that serial) to see if done */ 5508 /* also check for IXFR 'zone up to date' reply */ 5509 for(i=0; i<(int)LDNS_ANCOUNT(wire); i++) { 5510 size_t pos = sldns_buffer_position(pkt); 5511 uint16_t tp, rdlen; 5512 if(pkt_dname_len(pkt) == 0) { 5513 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5514 "malformed dname in answer section", 5515 xfr->task_transfer->master->host); 5516 return 0; 5517 } 5518 if(sldns_buffer_remaining(pkt) < 10) { 5519 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5520 "truncated RR", 5521 xfr->task_transfer->master->host); 5522 return 0; 5523 } 5524 tp = sldns_buffer_read_u16(pkt); 5525 (void)sldns_buffer_read_u16(pkt); /* class */ 5526 (void)sldns_buffer_read_u32(pkt); /* ttl */ 5527 rdlen = sldns_buffer_read_u16(pkt); 5528 if(sldns_buffer_remaining(pkt) < rdlen) { 5529 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5530 "truncated RR rdata", 5531 xfr->task_transfer->master->host); 5532 return 0; 5533 } 5534 5535 /* RR parses (haven't checked rdata itself), now look at 5536 * SOA records to see serial number */ 5537 if(xfr->task_transfer->rr_scan_num == 0 && 5538 tp != LDNS_RR_TYPE_SOA) { 5539 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5540 "malformed zone transfer, no start SOA", 5541 xfr->task_transfer->master->host); 5542 return 0; 5543 } 5544 if(xfr->task_transfer->rr_scan_num == 1 && 5545 tp != LDNS_RR_TYPE_SOA) { 5546 /* second RR is not a SOA record, this is not an IXFR 5547 * the master is replying with an AXFR */ 5548 xfr->task_transfer->on_ixfr_is_axfr = 1; 5549 } 5550 if(tp == LDNS_RR_TYPE_SOA) { 5551 uint32_t serial; 5552 if(rdlen < 22) { 5553 verbose(VERB_ALGO, "xfr to %s failed, packet " 5554 "with SOA with malformed rdata", 5555 xfr->task_transfer->master->host); 5556 return 0; 5557 } 5558 if(dname_pkt_compare(pkt, sldns_buffer_at(pkt, pos), 5559 xfr->name) != 0) { 5560 verbose(VERB_ALGO, "xfr to %s failed, packet " 5561 "with SOA with wrong dname", 5562 xfr->task_transfer->master->host); 5563 return 0; 5564 } 5565 5566 /* read serial number of SOA */ 5567 serial = sldns_buffer_read_u32_at(pkt, 5568 sldns_buffer_position(pkt)+rdlen-20); 5569 5570 /* check for IXFR 'zone has SOA x' reply */ 5571 if(xfr->task_transfer->on_ixfr && 5572 xfr->task_transfer->rr_scan_num == 0 && 5573 LDNS_ANCOUNT(wire)==1) { 5574 verbose(VERB_ALGO, "xfr to %s ended, " 5575 "IXFR reply that zone has serial %u," 5576 " fallback from IXFR to AXFR", 5577 xfr->task_transfer->master->host, 5578 (unsigned)serial); 5579 xfr->task_transfer->ixfr_fail = 1; 5580 *gonextonfail = 0; 5581 return 0; 5582 } 5583 5584 /* if first SOA, store serial number */ 5585 if(xfr->task_transfer->got_xfr_serial == 0) { 5586 xfr->task_transfer->got_xfr_serial = 1; 5587 xfr->task_transfer->incoming_xfr_serial = 5588 serial; 5589 verbose(VERB_ALGO, "xfr %s: contains " 5590 "SOA serial %u", 5591 xfr->task_transfer->master->host, 5592 (unsigned)serial); 5593 /* see if end of AXFR */ 5594 } else if(!xfr->task_transfer->on_ixfr || 5595 xfr->task_transfer->on_ixfr_is_axfr) { 5596 /* second SOA with serial is the end 5597 * for AXFR */ 5598 *transferdone = 1; 5599 verbose(VERB_ALGO, "xfr %s: last AXFR packet", 5600 xfr->task_transfer->master->host); 5601 /* for IXFR, count SOA records with that serial */ 5602 } else if(xfr->task_transfer->incoming_xfr_serial == 5603 serial && xfr->task_transfer->got_xfr_serial 5604 == 1) { 5605 xfr->task_transfer->got_xfr_serial++; 5606 /* if not first soa, if serial==firstserial, the 5607 * third time we are at the end, for IXFR */ 5608 } else if(xfr->task_transfer->incoming_xfr_serial == 5609 serial && xfr->task_transfer->got_xfr_serial 5610 == 2) { 5611 verbose(VERB_ALGO, "xfr %s: last IXFR packet", 5612 xfr->task_transfer->master->host); 5613 *transferdone = 1; 5614 /* continue parse check, if that succeeds, 5615 * transfer is done */ 5616 } 5617 } 5618 xfr->task_transfer->rr_scan_num++; 5619 5620 /* skip over RR rdata to go to the next RR */ 5621 sldns_buffer_skip(pkt, (ssize_t)rdlen); 5622 } 5623 5624 /* check authority section */ 5625 /* we skip over the RRs checking packet format */ 5626 for(i=0; i<(int)LDNS_NSCOUNT(wire); i++) { 5627 uint16_t rdlen; 5628 if(pkt_dname_len(pkt) == 0) { 5629 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5630 "malformed dname in authority section", 5631 xfr->task_transfer->master->host); 5632 return 0; 5633 } 5634 if(sldns_buffer_remaining(pkt) < 10) { 5635 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5636 "truncated RR", 5637 xfr->task_transfer->master->host); 5638 return 0; 5639 } 5640 (void)sldns_buffer_read_u16(pkt); /* type */ 5641 (void)sldns_buffer_read_u16(pkt); /* class */ 5642 (void)sldns_buffer_read_u32(pkt); /* ttl */ 5643 rdlen = sldns_buffer_read_u16(pkt); 5644 if(sldns_buffer_remaining(pkt) < rdlen) { 5645 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5646 "truncated RR rdata", 5647 xfr->task_transfer->master->host); 5648 return 0; 5649 } 5650 /* skip over RR rdata to go to the next RR */ 5651 sldns_buffer_skip(pkt, (ssize_t)rdlen); 5652 } 5653 5654 /* check additional section */ 5655 for(i=0; i<(int)LDNS_ARCOUNT(wire); i++) { 5656 uint16_t rdlen; 5657 if(pkt_dname_len(pkt) == 0) { 5658 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5659 "malformed dname in additional section", 5660 xfr->task_transfer->master->host); 5661 return 0; 5662 } 5663 if(sldns_buffer_remaining(pkt) < 10) { 5664 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5665 "truncated RR", 5666 xfr->task_transfer->master->host); 5667 return 0; 5668 } 5669 (void)sldns_buffer_read_u16(pkt); /* type */ 5670 (void)sldns_buffer_read_u16(pkt); /* class */ 5671 (void)sldns_buffer_read_u32(pkt); /* ttl */ 5672 rdlen = sldns_buffer_read_u16(pkt); 5673 if(sldns_buffer_remaining(pkt) < rdlen) { 5674 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5675 "truncated RR rdata", 5676 xfr->task_transfer->master->host); 5677 return 0; 5678 } 5679 /* skip over RR rdata to go to the next RR */ 5680 sldns_buffer_skip(pkt, (ssize_t)rdlen); 5681 } 5682 5683 return 1; 5684 } 5685 5686 /** Link the data from this packet into the worklist of transferred data */ 5687 static int 5688 xfer_link_data(sldns_buffer* pkt, struct auth_xfer* xfr) 5689 { 5690 /* alloc it */ 5691 struct auth_chunk* e; 5692 e = (struct auth_chunk*)calloc(1, sizeof(*e)); 5693 if(!e) return 0; 5694 e->next = NULL; 5695 e->len = sldns_buffer_limit(pkt); 5696 e->data = memdup(sldns_buffer_begin(pkt), e->len); 5697 if(!e->data) { 5698 free(e); 5699 return 0; 5700 } 5701 5702 /* alloc succeeded, link into list */ 5703 if(!xfr->task_transfer->chunks_first) 5704 xfr->task_transfer->chunks_first = e; 5705 if(xfr->task_transfer->chunks_last) 5706 xfr->task_transfer->chunks_last->next = e; 5707 xfr->task_transfer->chunks_last = e; 5708 return 1; 5709 } 5710 5711 /** task transfer. the list of data is complete. process it and if failed 5712 * move to next master, if succeeded, end the task transfer */ 5713 static void 5714 process_list_end_transfer(struct auth_xfer* xfr, struct module_env* env) 5715 { 5716 int ixfr_fail = 0; 5717 if(xfr_process_chunk_list(xfr, env, &ixfr_fail)) { 5718 /* it worked! */ 5719 auth_chunks_delete(xfr->task_transfer); 5720 5721 /* we fetched the zone, move to wait task */ 5722 xfr_transfer_disown(xfr); 5723 5724 if(xfr->notify_received && (!xfr->notify_has_serial || 5725 (xfr->notify_has_serial && 5726 xfr_serial_means_update(xfr, xfr->notify_serial)))) { 5727 uint32_t sr = xfr->notify_serial; 5728 int has_sr = xfr->notify_has_serial; 5729 /* we received a notify while probe/transfer was 5730 * in progress. start a new probe and transfer */ 5731 xfr->notify_received = 0; 5732 xfr->notify_has_serial = 0; 5733 xfr->notify_serial = 0; 5734 if(!xfr_start_probe(xfr, env, NULL)) { 5735 /* if we couldn't start it, already in 5736 * progress; restore notify serial, 5737 * while xfr still locked */ 5738 xfr->notify_received = 1; 5739 xfr->notify_has_serial = has_sr; 5740 xfr->notify_serial = sr; 5741 lock_basic_unlock(&xfr->lock); 5742 } 5743 return; 5744 } else { 5745 /* pick up the nextprobe task and wait (normail wait time) */ 5746 if(xfr->task_nextprobe->worker == NULL) 5747 xfr_set_timeout(xfr, env, 0, 0); 5748 } 5749 lock_basic_unlock(&xfr->lock); 5750 return; 5751 } 5752 /* processing failed */ 5753 /* when done, delete data from list */ 5754 auth_chunks_delete(xfr->task_transfer); 5755 if(ixfr_fail) { 5756 xfr->task_transfer->ixfr_fail = 1; 5757 } else { 5758 xfr_transfer_nextmaster(xfr); 5759 } 5760 xfr_transfer_nexttarget_or_end(xfr, env); 5761 } 5762 5763 /** callback for the task_transfer timer */ 5764 void 5765 auth_xfer_transfer_timer_callback(void* arg) 5766 { 5767 struct auth_xfer* xfr = (struct auth_xfer*)arg; 5768 struct module_env* env; 5769 int gonextonfail = 1; 5770 log_assert(xfr->task_transfer); 5771 lock_basic_lock(&xfr->lock); 5772 env = xfr->task_transfer->env; 5773 if(env->outnet->want_to_quit) { 5774 lock_basic_unlock(&xfr->lock); 5775 return; /* stop on quit */ 5776 } 5777 5778 verbose(VERB_ALGO, "xfr stopped, connection timeout to %s", 5779 xfr->task_transfer->master->host); 5780 5781 /* see if IXFR caused the failure, if so, try AXFR */ 5782 if(xfr->task_transfer->on_ixfr) { 5783 xfr->task_transfer->ixfr_possible_timeout_count++; 5784 if(xfr->task_transfer->ixfr_possible_timeout_count >= 5785 NUM_TIMEOUTS_FALLBACK_IXFR) { 5786 verbose(VERB_ALGO, "xfr to %s, fallback " 5787 "from IXFR to AXFR (because of timeouts)", 5788 xfr->task_transfer->master->host); 5789 xfr->task_transfer->ixfr_fail = 1; 5790 gonextonfail = 0; 5791 } 5792 } 5793 5794 /* delete transferred data from list */ 5795 auth_chunks_delete(xfr->task_transfer); 5796 comm_point_delete(xfr->task_transfer->cp); 5797 xfr->task_transfer->cp = NULL; 5798 if(gonextonfail) 5799 xfr_transfer_nextmaster(xfr); 5800 xfr_transfer_nexttarget_or_end(xfr, env); 5801 } 5802 5803 /** callback for task_transfer tcp connections */ 5804 int 5805 auth_xfer_transfer_tcp_callback(struct comm_point* c, void* arg, int err, 5806 struct comm_reply* ATTR_UNUSED(repinfo)) 5807 { 5808 struct auth_xfer* xfr = (struct auth_xfer*)arg; 5809 struct module_env* env; 5810 int gonextonfail = 1; 5811 int transferdone = 0; 5812 log_assert(xfr->task_transfer); 5813 lock_basic_lock(&xfr->lock); 5814 env = xfr->task_transfer->env; 5815 if(env->outnet->want_to_quit) { 5816 lock_basic_unlock(&xfr->lock); 5817 return 0; /* stop on quit */ 5818 } 5819 /* stop the timer */ 5820 comm_timer_disable(xfr->task_transfer->timer); 5821 5822 if(err != NETEVENT_NOERROR) { 5823 /* connection failed, closed, or timeout */ 5824 /* stop this transfer, cleanup 5825 * and continue task_transfer*/ 5826 verbose(VERB_ALGO, "xfr stopped, connection lost to %s", 5827 xfr->task_transfer->master->host); 5828 5829 /* see if IXFR caused the failure, if so, try AXFR */ 5830 if(xfr->task_transfer->on_ixfr) { 5831 xfr->task_transfer->ixfr_possible_timeout_count++; 5832 if(xfr->task_transfer->ixfr_possible_timeout_count >= 5833 NUM_TIMEOUTS_FALLBACK_IXFR) { 5834 verbose(VERB_ALGO, "xfr to %s, fallback " 5835 "from IXFR to AXFR (because of timeouts)", 5836 xfr->task_transfer->master->host); 5837 xfr->task_transfer->ixfr_fail = 1; 5838 gonextonfail = 0; 5839 } 5840 } 5841 5842 failed: 5843 /* delete transferred data from list */ 5844 auth_chunks_delete(xfr->task_transfer); 5845 comm_point_delete(xfr->task_transfer->cp); 5846 xfr->task_transfer->cp = NULL; 5847 if(gonextonfail) 5848 xfr_transfer_nextmaster(xfr); 5849 xfr_transfer_nexttarget_or_end(xfr, env); 5850 return 0; 5851 } 5852 /* note that IXFR worked without timeout */ 5853 if(xfr->task_transfer->on_ixfr) 5854 xfr->task_transfer->ixfr_possible_timeout_count = 0; 5855 5856 /* handle returned packet */ 5857 /* if it fails, cleanup and end this transfer */ 5858 /* if it needs to fallback from IXFR to AXFR, do that */ 5859 if(!check_xfer_packet(c->buffer, xfr, &gonextonfail, &transferdone)) { 5860 goto failed; 5861 } 5862 /* if it is good, link it into the list of data */ 5863 /* if the link into list of data fails (malloc fail) cleanup and end */ 5864 if(!xfer_link_data(c->buffer, xfr)) { 5865 verbose(VERB_ALGO, "xfr stopped to %s, malloc failed", 5866 xfr->task_transfer->master->host); 5867 goto failed; 5868 } 5869 /* if the transfer is done now, disconnect and process the list */ 5870 if(transferdone) { 5871 comm_point_delete(xfr->task_transfer->cp); 5872 xfr->task_transfer->cp = NULL; 5873 process_list_end_transfer(xfr, env); 5874 return 0; 5875 } 5876 5877 /* if we want to read more messages, setup the commpoint to read 5878 * a DNS packet, and the timeout */ 5879 lock_basic_unlock(&xfr->lock); 5880 c->tcp_is_reading = 1; 5881 sldns_buffer_clear(c->buffer); 5882 comm_point_start_listening(c, -1, AUTH_TRANSFER_TIMEOUT); 5883 return 0; 5884 } 5885 5886 /** callback for task_transfer http connections */ 5887 int 5888 auth_xfer_transfer_http_callback(struct comm_point* c, void* arg, int err, 5889 struct comm_reply* repinfo) 5890 { 5891 struct auth_xfer* xfr = (struct auth_xfer*)arg; 5892 struct module_env* env; 5893 log_assert(xfr->task_transfer); 5894 lock_basic_lock(&xfr->lock); 5895 env = xfr->task_transfer->env; 5896 if(env->outnet->want_to_quit) { 5897 lock_basic_unlock(&xfr->lock); 5898 return 0; /* stop on quit */ 5899 } 5900 verbose(VERB_ALGO, "auth zone transfer http callback"); 5901 /* stop the timer */ 5902 comm_timer_disable(xfr->task_transfer->timer); 5903 5904 if(err != NETEVENT_NOERROR && err != NETEVENT_DONE) { 5905 /* connection failed, closed, or timeout */ 5906 /* stop this transfer, cleanup 5907 * and continue task_transfer*/ 5908 verbose(VERB_ALGO, "http stopped, connection lost to %s", 5909 xfr->task_transfer->master->host); 5910 failed: 5911 /* delete transferred data from list */ 5912 auth_chunks_delete(xfr->task_transfer); 5913 if(repinfo) repinfo->c = NULL; /* signal cp deleted to 5914 the routine calling this callback */ 5915 comm_point_delete(xfr->task_transfer->cp); 5916 xfr->task_transfer->cp = NULL; 5917 xfr_transfer_nextmaster(xfr); 5918 xfr_transfer_nexttarget_or_end(xfr, env); 5919 return 0; 5920 } 5921 5922 /* if it is good, link it into the list of data */ 5923 /* if the link into list of data fails (malloc fail) cleanup and end */ 5924 if(sldns_buffer_limit(c->buffer) > 0) { 5925 verbose(VERB_ALGO, "auth zone http queued up %d bytes", 5926 (int)sldns_buffer_limit(c->buffer)); 5927 if(!xfer_link_data(c->buffer, xfr)) { 5928 verbose(VERB_ALGO, "http stopped to %s, malloc failed", 5929 xfr->task_transfer->master->host); 5930 goto failed; 5931 } 5932 } 5933 /* if the transfer is done now, disconnect and process the list */ 5934 if(err == NETEVENT_DONE) { 5935 if(repinfo) repinfo->c = NULL; /* signal cp deleted to 5936 the routine calling this callback */ 5937 comm_point_delete(xfr->task_transfer->cp); 5938 xfr->task_transfer->cp = NULL; 5939 process_list_end_transfer(xfr, env); 5940 return 0; 5941 } 5942 5943 /* if we want to read more messages, setup the commpoint to read 5944 * a DNS packet, and the timeout */ 5945 lock_basic_unlock(&xfr->lock); 5946 c->tcp_is_reading = 1; 5947 sldns_buffer_clear(c->buffer); 5948 comm_point_start_listening(c, -1, AUTH_TRANSFER_TIMEOUT); 5949 return 0; 5950 } 5951 5952 5953 /** start transfer task by this worker , xfr is locked. */ 5954 static void 5955 xfr_start_transfer(struct auth_xfer* xfr, struct module_env* env, 5956 struct auth_master* master) 5957 { 5958 log_assert(xfr->task_transfer != NULL); 5959 log_assert(xfr->task_transfer->worker == NULL); 5960 log_assert(xfr->task_transfer->chunks_first == NULL); 5961 log_assert(xfr->task_transfer->chunks_last == NULL); 5962 xfr->task_transfer->worker = env->worker; 5963 xfr->task_transfer->env = env; 5964 5965 /* init transfer process */ 5966 /* find that master in the transfer's list of masters? */ 5967 xfr_transfer_start_list(xfr, master); 5968 /* start lookup for hostnames in transfer master list */ 5969 xfr_transfer_start_lookups(xfr); 5970 5971 /* initiate TCP, and set timeout on it */ 5972 xfr_transfer_nexttarget_or_end(xfr, env); 5973 } 5974 5975 /** disown task_probe. caller must hold xfr.lock */ 5976 static void 5977 xfr_probe_disown(struct auth_xfer* xfr) 5978 { 5979 /* remove timer (from this worker's event base) */ 5980 comm_timer_delete(xfr->task_probe->timer); 5981 xfr->task_probe->timer = NULL; 5982 /* remove the commpoint */ 5983 comm_point_delete(xfr->task_probe->cp); 5984 xfr->task_probe->cp = NULL; 5985 /* we don't own this item anymore */ 5986 xfr->task_probe->worker = NULL; 5987 xfr->task_probe->env = NULL; 5988 } 5989 5990 /** send the UDP probe to the master, this is part of task_probe */ 5991 static int 5992 xfr_probe_send_probe(struct auth_xfer* xfr, struct module_env* env, 5993 int timeout) 5994 { 5995 struct sockaddr_storage addr; 5996 socklen_t addrlen = 0; 5997 struct timeval t; 5998 /* pick master */ 5999 struct auth_master* master = xfr_probe_current_master(xfr); 6000 char *auth_name = NULL; 6001 if(!master) return 0; 6002 if(master->allow_notify) return 0; /* only for notify */ 6003 if(master->http) return 0; /* only masters get SOA UDP probe, 6004 not urls, if those are in this list */ 6005 6006 /* get master addr */ 6007 if(xfr->task_probe->scan_addr) { 6008 addrlen = xfr->task_probe->scan_addr->addrlen; 6009 memmove(&addr, &xfr->task_probe->scan_addr->addr, addrlen); 6010 } else { 6011 if(!authextstrtoaddr(master->host, &addr, &addrlen, &auth_name)) { 6012 /* the ones that are not in addr format are supposed 6013 * to be looked up. The lookup has failed however, 6014 * so skip them */ 6015 char zname[255+1]; 6016 dname_str(xfr->name, zname); 6017 log_err("%s: failed lookup, cannot probe to master %s", 6018 zname, master->host); 6019 return 0; 6020 } 6021 if (auth_name != NULL) { 6022 if (addr.ss_family == AF_INET 6023 && (int)ntohs(((struct sockaddr_in *)&addr)->sin_port) 6024 == env->cfg->ssl_port) 6025 ((struct sockaddr_in *)&addr)->sin_port 6026 = htons((uint16_t)env->cfg->port); 6027 else if (addr.ss_family == AF_INET6 6028 && (int)ntohs(((struct sockaddr_in6 *)&addr)->sin6_port) 6029 == env->cfg->ssl_port) 6030 ((struct sockaddr_in6 *)&addr)->sin6_port 6031 = htons((uint16_t)env->cfg->port); 6032 } 6033 } 6034 6035 /* create packet */ 6036 /* create new ID for new probes, but not on timeout retries, 6037 * this means we'll accept replies to previous retries to same ip */ 6038 if(timeout == AUTH_PROBE_TIMEOUT) 6039 xfr->task_probe->id = (uint16_t)(ub_random(env->rnd)&0xffff); 6040 xfr_create_soa_probe_packet(xfr, env->scratch_buffer, 6041 xfr->task_probe->id); 6042 /* we need to remove the cp if we have a different ip4/ip6 type now */ 6043 if(xfr->task_probe->cp && 6044 ((xfr->task_probe->cp_is_ip6 && !addr_is_ip6(&addr, addrlen)) || 6045 (!xfr->task_probe->cp_is_ip6 && addr_is_ip6(&addr, addrlen))) 6046 ) { 6047 comm_point_delete(xfr->task_probe->cp); 6048 xfr->task_probe->cp = NULL; 6049 } 6050 if(!xfr->task_probe->cp) { 6051 if(addr_is_ip6(&addr, addrlen)) 6052 xfr->task_probe->cp_is_ip6 = 1; 6053 else xfr->task_probe->cp_is_ip6 = 0; 6054 xfr->task_probe->cp = outnet_comm_point_for_udp(env->outnet, 6055 auth_xfer_probe_udp_callback, xfr, &addr, addrlen); 6056 if(!xfr->task_probe->cp) { 6057 char zname[255+1], as[256]; 6058 dname_str(xfr->name, zname); 6059 addr_to_str(&addr, addrlen, as, sizeof(as)); 6060 verbose(VERB_ALGO, "cannot create udp cp for " 6061 "probe %s to %s", zname, as); 6062 return 0; 6063 } 6064 } 6065 if(!xfr->task_probe->timer) { 6066 xfr->task_probe->timer = comm_timer_create(env->worker_base, 6067 auth_xfer_probe_timer_callback, xfr); 6068 if(!xfr->task_probe->timer) { 6069 log_err("malloc failure"); 6070 return 0; 6071 } 6072 } 6073 6074 /* send udp packet */ 6075 if(!comm_point_send_udp_msg(xfr->task_probe->cp, env->scratch_buffer, 6076 (struct sockaddr*)&addr, addrlen)) { 6077 char zname[255+1], as[256]; 6078 dname_str(xfr->name, zname); 6079 addr_to_str(&addr, addrlen, as, sizeof(as)); 6080 verbose(VERB_ALGO, "failed to send soa probe for %s to %s", 6081 zname, as); 6082 return 0; 6083 } 6084 if(verbosity >= VERB_ALGO) { 6085 char zname[255+1], as[256]; 6086 dname_str(xfr->name, zname); 6087 addr_to_str(&addr, addrlen, as, sizeof(as)); 6088 verbose(VERB_ALGO, "auth zone %s soa probe sent to %s", zname, 6089 as); 6090 } 6091 xfr->task_probe->timeout = timeout; 6092 #ifndef S_SPLINT_S 6093 t.tv_sec = timeout/1000; 6094 t.tv_usec = (timeout%1000)*1000; 6095 #endif 6096 comm_timer_set(xfr->task_probe->timer, &t); 6097 6098 return 1; 6099 } 6100 6101 /** callback for task_probe timer */ 6102 void 6103 auth_xfer_probe_timer_callback(void* arg) 6104 { 6105 struct auth_xfer* xfr = (struct auth_xfer*)arg; 6106 struct module_env* env; 6107 log_assert(xfr->task_probe); 6108 lock_basic_lock(&xfr->lock); 6109 env = xfr->task_probe->env; 6110 if(env->outnet->want_to_quit) { 6111 lock_basic_unlock(&xfr->lock); 6112 return; /* stop on quit */ 6113 } 6114 6115 if(verbosity >= VERB_ALGO) { 6116 char zname[255+1]; 6117 dname_str(xfr->name, zname); 6118 verbose(VERB_ALGO, "auth zone %s soa probe timeout", zname); 6119 } 6120 if(xfr->task_probe->timeout <= AUTH_PROBE_TIMEOUT_STOP) { 6121 /* try again with bigger timeout */ 6122 if(xfr_probe_send_probe(xfr, env, xfr->task_probe->timeout*2)) { 6123 lock_basic_unlock(&xfr->lock); 6124 return; 6125 } 6126 } 6127 /* delete commpoint so a new one is created, with a fresh port nr */ 6128 comm_point_delete(xfr->task_probe->cp); 6129 xfr->task_probe->cp = NULL; 6130 6131 /* too many timeouts (or fail to send), move to next or end */ 6132 xfr_probe_nextmaster(xfr); 6133 xfr_probe_send_or_end(xfr, env); 6134 } 6135 6136 /** callback for task_probe udp packets */ 6137 int 6138 auth_xfer_probe_udp_callback(struct comm_point* c, void* arg, int err, 6139 struct comm_reply* repinfo) 6140 { 6141 struct auth_xfer* xfr = (struct auth_xfer*)arg; 6142 struct module_env* env; 6143 log_assert(xfr->task_probe); 6144 lock_basic_lock(&xfr->lock); 6145 env = xfr->task_probe->env; 6146 if(env->outnet->want_to_quit) { 6147 lock_basic_unlock(&xfr->lock); 6148 return 0; /* stop on quit */ 6149 } 6150 6151 /* the comm_point_udp_callback is in a for loop for NUM_UDP_PER_SELECT 6152 * and we set rep.c=NULL to stop if from looking inside the commpoint*/ 6153 repinfo->c = NULL; 6154 /* stop the timer */ 6155 comm_timer_disable(xfr->task_probe->timer); 6156 6157 /* see if we got a packet and what that means */ 6158 if(err == NETEVENT_NOERROR) { 6159 uint32_t serial = 0; 6160 if(check_packet_ok(c->buffer, LDNS_RR_TYPE_SOA, xfr, 6161 &serial)) { 6162 /* successful lookup */ 6163 if(verbosity >= VERB_ALGO) { 6164 char buf[256]; 6165 dname_str(xfr->name, buf); 6166 verbose(VERB_ALGO, "auth zone %s: soa probe " 6167 "serial is %u", buf, (unsigned)serial); 6168 } 6169 /* see if this serial indicates that the zone has 6170 * to be updated */ 6171 if(xfr_serial_means_update(xfr, serial)) { 6172 /* if updated, start the transfer task, if needed */ 6173 verbose(VERB_ALGO, "auth_zone updated, start transfer"); 6174 if(xfr->task_transfer->worker == NULL) { 6175 struct auth_master* master = 6176 xfr_probe_current_master(xfr); 6177 /* if we have download URLs use them 6178 * in preference to this master we 6179 * just probed the SOA from */ 6180 if(xfr->task_transfer->masters && 6181 xfr->task_transfer->masters->http) 6182 master = NULL; 6183 xfr_probe_disown(xfr); 6184 xfr_start_transfer(xfr, env, master); 6185 return 0; 6186 6187 } 6188 /* other tasks are running, we don't do this anymore */ 6189 xfr_probe_disown(xfr); 6190 lock_basic_unlock(&xfr->lock); 6191 /* return, we don't sent a reply to this udp packet, 6192 * and we setup the tasks to do next */ 6193 return 0; 6194 } else { 6195 verbose(VERB_ALGO, "auth_zone master reports unchanged soa serial"); 6196 /* we if cannot find updates amongst the 6197 * masters, this means we then have a new lease 6198 * on the zone */ 6199 xfr->task_probe->have_new_lease = 1; 6200 } 6201 } else { 6202 if(verbosity >= VERB_ALGO) { 6203 char buf[256]; 6204 dname_str(xfr->name, buf); 6205 verbose(VERB_ALGO, "auth zone %s: bad reply to soa probe", buf); 6206 } 6207 } 6208 } else { 6209 if(verbosity >= VERB_ALGO) { 6210 char buf[256]; 6211 dname_str(xfr->name, buf); 6212 verbose(VERB_ALGO, "auth zone %s: soa probe failed", buf); 6213 } 6214 } 6215 6216 /* failed lookup or not an update */ 6217 /* delete commpoint so a new one is created, with a fresh port nr */ 6218 comm_point_delete(xfr->task_probe->cp); 6219 xfr->task_probe->cp = NULL; 6220 6221 /* if the result was not a successfull probe, we need 6222 * to send the next one */ 6223 xfr_probe_nextmaster(xfr); 6224 xfr_probe_send_or_end(xfr, env); 6225 return 0; 6226 } 6227 6228 /** lookup a host name for its addresses, if needed */ 6229 static int 6230 xfr_probe_lookup_host(struct auth_xfer* xfr, struct module_env* env) 6231 { 6232 struct sockaddr_storage addr; 6233 socklen_t addrlen = 0; 6234 struct auth_master* master = xfr->task_probe->lookup_target; 6235 struct query_info qinfo; 6236 uint16_t qflags = BIT_RD; 6237 uint8_t dname[LDNS_MAX_DOMAINLEN+1]; 6238 struct edns_data edns; 6239 sldns_buffer* buf = env->scratch_buffer; 6240 if(!master) return 0; 6241 if(extstrtoaddr(master->host, &addr, &addrlen)) { 6242 /* not needed, host is in IP addr format */ 6243 return 0; 6244 } 6245 if(master->allow_notify && !master->http && 6246 strchr(master->host, '/') != NULL && 6247 strchr(master->host, '/') == strrchr(master->host, '/')) { 6248 return 0; /* is IP/prefix format, not something to look up */ 6249 } 6250 6251 /* use mesh_new_callback to probe for non-addr hosts, 6252 * and then wait for them to be looked up (in cache, or query) */ 6253 qinfo.qname_len = sizeof(dname); 6254 if(sldns_str2wire_dname_buf(master->host, dname, &qinfo.qname_len) 6255 != 0) { 6256 log_err("cannot parse host name of master %s", master->host); 6257 return 0; 6258 } 6259 qinfo.qname = dname; 6260 qinfo.qclass = xfr->dclass; 6261 qinfo.qtype = LDNS_RR_TYPE_A; 6262 if(xfr->task_probe->lookup_aaaa) 6263 qinfo.qtype = LDNS_RR_TYPE_AAAA; 6264 qinfo.local_alias = NULL; 6265 if(verbosity >= VERB_ALGO) { 6266 char buf1[512]; 6267 char buf2[LDNS_MAX_DOMAINLEN+1]; 6268 dname_str(xfr->name, buf2); 6269 snprintf(buf1, sizeof(buf1), "auth zone %s: master lookup" 6270 " for task_probe", buf2); 6271 log_query_info(VERB_ALGO, buf1, &qinfo); 6272 } 6273 edns.edns_present = 1; 6274 edns.ext_rcode = 0; 6275 edns.edns_version = 0; 6276 edns.bits = EDNS_DO; 6277 edns.opt_list = NULL; 6278 if(sldns_buffer_capacity(buf) < 65535) 6279 edns.udp_size = (uint16_t)sldns_buffer_capacity(buf); 6280 else edns.udp_size = 65535; 6281 6282 /* unlock xfr during mesh_new_callback() because the callback can be 6283 * called straight away */ 6284 lock_basic_unlock(&xfr->lock); 6285 if(!mesh_new_callback(env->mesh, &qinfo, qflags, &edns, buf, 0, 6286 &auth_xfer_probe_lookup_callback, xfr)) { 6287 lock_basic_lock(&xfr->lock); 6288 log_err("out of memory lookup up master %s", master->host); 6289 return 0; 6290 } 6291 lock_basic_lock(&xfr->lock); 6292 return 1; 6293 } 6294 6295 /** move to sending the probe packets, next if fails. task_probe */ 6296 static void 6297 xfr_probe_send_or_end(struct auth_xfer* xfr, struct module_env* env) 6298 { 6299 /* are we doing hostname lookups? */ 6300 while(xfr->task_probe->lookup_target) { 6301 if(xfr_probe_lookup_host(xfr, env)) { 6302 /* wait for lookup to finish, 6303 * note that the hostname may be in unbound's cache 6304 * and we may then get an instant cache response, 6305 * and that calls the callback just like a full 6306 * lookup and lookup failures also call callback */ 6307 if(verbosity >= VERB_ALGO) { 6308 char zname[255+1]; 6309 dname_str(xfr->name, zname); 6310 verbose(VERB_ALGO, "auth zone %s probe next target lookup", zname); 6311 } 6312 lock_basic_unlock(&xfr->lock); 6313 return; 6314 } 6315 xfr_probe_move_to_next_lookup(xfr, env); 6316 } 6317 /* probe of list has ended. Create or refresh the list of of 6318 * allow_notify addrs */ 6319 probe_copy_masters_for_allow_notify(xfr); 6320 if(verbosity >= VERB_ALGO) { 6321 char zname[255+1]; 6322 dname_str(xfr->name, zname); 6323 verbose(VERB_ALGO, "auth zone %s probe: notify addrs updated", zname); 6324 } 6325 if(xfr->task_probe->only_lookup) { 6326 /* only wanted lookups for copy, stop probe and start wait */ 6327 xfr->task_probe->only_lookup = 0; 6328 if(verbosity >= VERB_ALGO) { 6329 char zname[255+1]; 6330 dname_str(xfr->name, zname); 6331 verbose(VERB_ALGO, "auth zone %s probe: finished only_lookup", zname); 6332 } 6333 xfr_probe_disown(xfr); 6334 if(xfr->task_nextprobe->worker == NULL) 6335 xfr_set_timeout(xfr, env, 0, 0); 6336 lock_basic_unlock(&xfr->lock); 6337 return; 6338 } 6339 6340 /* send probe packets */ 6341 while(!xfr_probe_end_of_list(xfr)) { 6342 if(xfr_probe_send_probe(xfr, env, AUTH_PROBE_TIMEOUT)) { 6343 /* successfully sent probe, wait for callback */ 6344 lock_basic_unlock(&xfr->lock); 6345 return; 6346 } 6347 /* failed to send probe, next master */ 6348 xfr_probe_nextmaster(xfr); 6349 } 6350 6351 /* done with probe sequence, wait */ 6352 if(xfr->task_probe->have_new_lease) { 6353 /* if zone not updated, start the wait timer again */ 6354 if(verbosity >= VERB_ALGO) { 6355 char zname[255+1]; 6356 dname_str(xfr->name, zname); 6357 verbose(VERB_ALGO, "auth_zone %s unchanged, new lease, wait", zname); 6358 } 6359 xfr_probe_disown(xfr); 6360 if(xfr->have_zone) 6361 xfr->lease_time = *env->now; 6362 if(xfr->task_nextprobe->worker == NULL) 6363 xfr_set_timeout(xfr, env, 0, 0); 6364 } else { 6365 if(verbosity >= VERB_ALGO) { 6366 char zname[255+1]; 6367 dname_str(xfr->name, zname); 6368 verbose(VERB_ALGO, "auth zone %s soa probe failed, wait to retry", zname); 6369 } 6370 /* we failed to send this as well, move to the wait task, 6371 * use the shorter retry timeout */ 6372 xfr_probe_disown(xfr); 6373 /* pick up the nextprobe task and wait */ 6374 if(xfr->task_nextprobe->worker == NULL) 6375 xfr_set_timeout(xfr, env, 1, 0); 6376 } 6377 6378 lock_basic_unlock(&xfr->lock); 6379 } 6380 6381 /** callback for task_probe lookup of host name, of A or AAAA */ 6382 void auth_xfer_probe_lookup_callback(void* arg, int rcode, sldns_buffer* buf, 6383 enum sec_status ATTR_UNUSED(sec), char* ATTR_UNUSED(why_bogus), 6384 int ATTR_UNUSED(was_ratelimited)) 6385 { 6386 struct auth_xfer* xfr = (struct auth_xfer*)arg; 6387 struct module_env* env; 6388 log_assert(xfr->task_probe); 6389 lock_basic_lock(&xfr->lock); 6390 env = xfr->task_probe->env; 6391 if(env->outnet->want_to_quit) { 6392 lock_basic_unlock(&xfr->lock); 6393 return; /* stop on quit */ 6394 } 6395 6396 /* process result */ 6397 if(rcode == LDNS_RCODE_NOERROR) { 6398 uint16_t wanted_qtype = LDNS_RR_TYPE_A; 6399 struct regional* temp = env->scratch; 6400 struct query_info rq; 6401 struct reply_info* rep; 6402 if(xfr->task_probe->lookup_aaaa) 6403 wanted_qtype = LDNS_RR_TYPE_AAAA; 6404 memset(&rq, 0, sizeof(rq)); 6405 rep = parse_reply_in_temp_region(buf, temp, &rq); 6406 if(rep && rq.qtype == wanted_qtype && 6407 FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NOERROR) { 6408 /* parsed successfully */ 6409 struct ub_packed_rrset_key* answer = 6410 reply_find_answer_rrset(&rq, rep); 6411 if(answer) { 6412 xfr_master_add_addrs(xfr->task_probe-> 6413 lookup_target, answer, wanted_qtype); 6414 } else { 6415 if(verbosity >= VERB_ALGO) { 6416 char zname[255+1]; 6417 dname_str(xfr->name, zname); 6418 verbose(VERB_ALGO, "auth zone %s host %s type %s probe lookup has nodata", zname, xfr->task_probe->lookup_target->host, (xfr->task_probe->lookup_aaaa?"AAAA":"A")); 6419 } 6420 } 6421 } else { 6422 if(verbosity >= VERB_ALGO) { 6423 char zname[255+1]; 6424 dname_str(xfr->name, zname); 6425 verbose(VERB_ALGO, "auth zone %s host %s type %s probe lookup has no address", zname, xfr->task_probe->lookup_target->host, (xfr->task_probe->lookup_aaaa?"AAAA":"A")); 6426 } 6427 } 6428 } else { 6429 if(verbosity >= VERB_ALGO) { 6430 char zname[255+1]; 6431 dname_str(xfr->name, zname); 6432 verbose(VERB_ALGO, "auth zone %s host %s type %s probe lookup failed", zname, xfr->task_probe->lookup_target->host, (xfr->task_probe->lookup_aaaa?"AAAA":"A")); 6433 } 6434 } 6435 if(xfr->task_probe->lookup_target->list && 6436 xfr->task_probe->lookup_target == xfr_probe_current_master(xfr)) 6437 xfr->task_probe->scan_addr = xfr->task_probe->lookup_target->list; 6438 6439 /* move to lookup AAAA after A lookup, move to next hostname lookup, 6440 * or move to send the probes, or, if nothing to do, end task_probe */ 6441 xfr_probe_move_to_next_lookup(xfr, env); 6442 xfr_probe_send_or_end(xfr, env); 6443 } 6444 6445 /** disown task_nextprobe. caller must hold xfr.lock */ 6446 static void 6447 xfr_nextprobe_disown(struct auth_xfer* xfr) 6448 { 6449 /* delete the timer, because the next worker to pick this up may 6450 * not have the same event base */ 6451 comm_timer_delete(xfr->task_nextprobe->timer); 6452 xfr->task_nextprobe->timer = NULL; 6453 xfr->task_nextprobe->next_probe = 0; 6454 /* we don't own this item anymore */ 6455 xfr->task_nextprobe->worker = NULL; 6456 xfr->task_nextprobe->env = NULL; 6457 } 6458 6459 /** xfer nextprobe timeout callback, this is part of task_nextprobe */ 6460 void 6461 auth_xfer_timer(void* arg) 6462 { 6463 struct auth_xfer* xfr = (struct auth_xfer*)arg; 6464 struct module_env* env; 6465 log_assert(xfr->task_nextprobe); 6466 lock_basic_lock(&xfr->lock); 6467 env = xfr->task_nextprobe->env; 6468 if(env->outnet->want_to_quit) { 6469 lock_basic_unlock(&xfr->lock); 6470 return; /* stop on quit */ 6471 } 6472 6473 /* see if zone has expired, and if so, also set auth_zone expired */ 6474 if(xfr->have_zone && !xfr->zone_expired && 6475 *env->now >= xfr->lease_time + xfr->expiry) { 6476 lock_basic_unlock(&xfr->lock); 6477 auth_xfer_set_expired(xfr, env, 1); 6478 lock_basic_lock(&xfr->lock); 6479 } 6480 6481 xfr_nextprobe_disown(xfr); 6482 6483 if(!xfr_start_probe(xfr, env, NULL)) { 6484 /* not started because already in progress */ 6485 lock_basic_unlock(&xfr->lock); 6486 } 6487 } 6488 6489 /** return true if there are probe (SOA UDP query) targets in the master list*/ 6490 static int 6491 have_probe_targets(struct auth_master* list) 6492 { 6493 struct auth_master* p; 6494 for(p=list; p; p = p->next) { 6495 if(!p->allow_notify && p->host) 6496 return 1; 6497 } 6498 return 0; 6499 } 6500 6501 /** start task_probe if possible, if no masters for probe start task_transfer 6502 * returns true if task has been started, and false if the task is already 6503 * in progress. */ 6504 static int 6505 xfr_start_probe(struct auth_xfer* xfr, struct module_env* env, 6506 struct auth_master* spec) 6507 { 6508 /* see if we need to start a probe (or maybe it is already in 6509 * progress (due to notify)) */ 6510 if(xfr->task_probe->worker == NULL) { 6511 if(!have_probe_targets(xfr->task_probe->masters) && 6512 !(xfr->task_probe->only_lookup && 6513 xfr->task_probe->masters != NULL)) { 6514 /* useless to pick up task_probe, no masters to 6515 * probe. Instead attempt to pick up task transfer */ 6516 if(xfr->task_transfer->worker == NULL) { 6517 xfr_start_transfer(xfr, env, spec); 6518 return 1; 6519 } 6520 /* task transfer already in progress */ 6521 return 0; 6522 } 6523 6524 /* pick up the probe task ourselves */ 6525 xfr->task_probe->worker = env->worker; 6526 xfr->task_probe->env = env; 6527 xfr->task_probe->cp = NULL; 6528 6529 /* start the task */ 6530 /* have not seen a new lease yet, this scan */ 6531 xfr->task_probe->have_new_lease = 0; 6532 /* if this was a timeout, no specific first master to scan */ 6533 /* otherwise, spec is nonNULL the notified master, scan 6534 * first and also transfer first from it */ 6535 xfr_probe_start_list(xfr, spec); 6536 /* setup to start the lookup of hostnames of masters afresh */ 6537 xfr_probe_start_lookups(xfr); 6538 /* send the probe packet or next send, or end task */ 6539 xfr_probe_send_or_end(xfr, env); 6540 return 1; 6541 } 6542 return 0; 6543 } 6544 6545 /** for task_nextprobe. 6546 * determine next timeout for auth_xfer. Also (re)sets timer. 6547 * @param xfr: task structure 6548 * @param env: module environment, with worker and time. 6549 * @param failure: set true if timer should be set for failure retry. 6550 * @param lookup_only: only perform lookups when timer done, 0 sec timeout 6551 */ 6552 static void 6553 xfr_set_timeout(struct auth_xfer* xfr, struct module_env* env, 6554 int failure, int lookup_only) 6555 { 6556 struct timeval tv; 6557 log_assert(xfr->task_nextprobe != NULL); 6558 log_assert(xfr->task_nextprobe->worker == NULL || 6559 xfr->task_nextprobe->worker == env->worker); 6560 /* normally, nextprobe = startoflease + refresh, 6561 * but if expiry is sooner, use that one. 6562 * after a failure, use the retry timer instead. */ 6563 xfr->task_nextprobe->next_probe = *env->now; 6564 if(xfr->lease_time && !failure) 6565 xfr->task_nextprobe->next_probe = xfr->lease_time; 6566 6567 if(!failure) { 6568 xfr->task_nextprobe->backoff = 0; 6569 } else { 6570 if(xfr->task_nextprobe->backoff == 0) 6571 xfr->task_nextprobe->backoff = 3; 6572 else xfr->task_nextprobe->backoff *= 2; 6573 if(xfr->task_nextprobe->backoff > AUTH_TRANSFER_MAX_BACKOFF) 6574 xfr->task_nextprobe->backoff = 6575 AUTH_TRANSFER_MAX_BACKOFF; 6576 } 6577 6578 if(xfr->have_zone) { 6579 time_t wait = xfr->refresh; 6580 if(failure) wait = xfr->retry; 6581 if(xfr->expiry < wait) 6582 xfr->task_nextprobe->next_probe += xfr->expiry; 6583 else xfr->task_nextprobe->next_probe += wait; 6584 if(failure) 6585 xfr->task_nextprobe->next_probe += 6586 xfr->task_nextprobe->backoff; 6587 /* put the timer exactly on expiry, if possible */ 6588 if(xfr->lease_time && xfr->lease_time+xfr->expiry < 6589 xfr->task_nextprobe->next_probe && 6590 xfr->lease_time+xfr->expiry > *env->now) 6591 xfr->task_nextprobe->next_probe = 6592 xfr->lease_time+xfr->expiry; 6593 } else { 6594 xfr->task_nextprobe->next_probe += 6595 xfr->task_nextprobe->backoff; 6596 } 6597 6598 if(!xfr->task_nextprobe->timer) { 6599 xfr->task_nextprobe->timer = comm_timer_create( 6600 env->worker_base, auth_xfer_timer, xfr); 6601 if(!xfr->task_nextprobe->timer) { 6602 /* failed to malloc memory. likely zone transfer 6603 * also fails for that. skip the timeout */ 6604 char zname[255+1]; 6605 dname_str(xfr->name, zname); 6606 log_err("cannot allocate timer, no refresh for %s", 6607 zname); 6608 return; 6609 } 6610 } 6611 xfr->task_nextprobe->worker = env->worker; 6612 xfr->task_nextprobe->env = env; 6613 if(*(xfr->task_nextprobe->env->now) <= xfr->task_nextprobe->next_probe) 6614 tv.tv_sec = xfr->task_nextprobe->next_probe - 6615 *(xfr->task_nextprobe->env->now); 6616 else tv.tv_sec = 0; 6617 if(tv.tv_sec != 0 && lookup_only && xfr->task_probe->masters) { 6618 /* don't lookup_only, if lookup timeout is 0 anyway, 6619 * or if we don't have masters to lookup */ 6620 tv.tv_sec = 0; 6621 if(xfr->task_probe->worker == NULL) 6622 xfr->task_probe->only_lookup = 1; 6623 } 6624 if(verbosity >= VERB_ALGO) { 6625 char zname[255+1]; 6626 dname_str(xfr->name, zname); 6627 verbose(VERB_ALGO, "auth zone %s timeout in %d seconds", 6628 zname, (int)tv.tv_sec); 6629 } 6630 tv.tv_usec = 0; 6631 comm_timer_set(xfr->task_nextprobe->timer, &tv); 6632 } 6633 6634 /** initial pick up of worker timeouts, ties events to worker event loop */ 6635 void 6636 auth_xfer_pickup_initial(struct auth_zones* az, struct module_env* env) 6637 { 6638 struct auth_xfer* x; 6639 lock_rw_wrlock(&az->lock); 6640 RBTREE_FOR(x, struct auth_xfer*, &az->xtree) { 6641 lock_basic_lock(&x->lock); 6642 /* set lease_time, because we now have timestamp in env, 6643 * (not earlier during startup and apply_cfg), and this 6644 * notes the start time when the data was acquired */ 6645 if(x->have_zone) 6646 x->lease_time = *env->now; 6647 if(x->task_nextprobe && x->task_nextprobe->worker == NULL) { 6648 xfr_set_timeout(x, env, 0, 1); 6649 } 6650 lock_basic_unlock(&x->lock); 6651 } 6652 lock_rw_unlock(&az->lock); 6653 } 6654 6655 void auth_zones_cleanup(struct auth_zones* az) 6656 { 6657 struct auth_xfer* x; 6658 lock_rw_wrlock(&az->lock); 6659 RBTREE_FOR(x, struct auth_xfer*, &az->xtree) { 6660 lock_basic_lock(&x->lock); 6661 if(x->task_nextprobe && x->task_nextprobe->worker != NULL) { 6662 xfr_nextprobe_disown(x); 6663 } 6664 if(x->task_probe && x->task_probe->worker != NULL) { 6665 xfr_probe_disown(x); 6666 } 6667 if(x->task_transfer && x->task_transfer->worker != NULL) { 6668 auth_chunks_delete(x->task_transfer); 6669 xfr_transfer_disown(x); 6670 } 6671 lock_basic_unlock(&x->lock); 6672 } 6673 lock_rw_unlock(&az->lock); 6674 } 6675 6676 /** 6677 * malloc the xfer and tasks 6678 * @param z: auth_zone with name of zone. 6679 */ 6680 static struct auth_xfer* 6681 auth_xfer_new(struct auth_zone* z) 6682 { 6683 struct auth_xfer* xfr; 6684 xfr = (struct auth_xfer*)calloc(1, sizeof(*xfr)); 6685 if(!xfr) return NULL; 6686 xfr->name = memdup(z->name, z->namelen); 6687 if(!xfr->name) { 6688 free(xfr); 6689 return NULL; 6690 } 6691 xfr->node.key = xfr; 6692 xfr->namelen = z->namelen; 6693 xfr->namelabs = z->namelabs; 6694 xfr->dclass = z->dclass; 6695 6696 xfr->task_nextprobe = (struct auth_nextprobe*)calloc(1, 6697 sizeof(struct auth_nextprobe)); 6698 if(!xfr->task_nextprobe) { 6699 free(xfr->name); 6700 free(xfr); 6701 return NULL; 6702 } 6703 xfr->task_probe = (struct auth_probe*)calloc(1, 6704 sizeof(struct auth_probe)); 6705 if(!xfr->task_probe) { 6706 free(xfr->task_nextprobe); 6707 free(xfr->name); 6708 free(xfr); 6709 return NULL; 6710 } 6711 xfr->task_transfer = (struct auth_transfer*)calloc(1, 6712 sizeof(struct auth_transfer)); 6713 if(!xfr->task_transfer) { 6714 free(xfr->task_probe); 6715 free(xfr->task_nextprobe); 6716 free(xfr->name); 6717 free(xfr); 6718 return NULL; 6719 } 6720 6721 lock_basic_init(&xfr->lock); 6722 lock_protect(&xfr->lock, &xfr->name, sizeof(xfr->name)); 6723 lock_protect(&xfr->lock, &xfr->namelen, sizeof(xfr->namelen)); 6724 lock_protect(&xfr->lock, xfr->name, xfr->namelen); 6725 lock_protect(&xfr->lock, &xfr->namelabs, sizeof(xfr->namelabs)); 6726 lock_protect(&xfr->lock, &xfr->dclass, sizeof(xfr->dclass)); 6727 lock_protect(&xfr->lock, &xfr->notify_received, sizeof(xfr->notify_received)); 6728 lock_protect(&xfr->lock, &xfr->notify_serial, sizeof(xfr->notify_serial)); 6729 lock_protect(&xfr->lock, &xfr->zone_expired, sizeof(xfr->zone_expired)); 6730 lock_protect(&xfr->lock, &xfr->have_zone, sizeof(xfr->have_zone)); 6731 lock_protect(&xfr->lock, &xfr->serial, sizeof(xfr->serial)); 6732 lock_protect(&xfr->lock, &xfr->retry, sizeof(xfr->retry)); 6733 lock_protect(&xfr->lock, &xfr->refresh, sizeof(xfr->refresh)); 6734 lock_protect(&xfr->lock, &xfr->expiry, sizeof(xfr->expiry)); 6735 lock_protect(&xfr->lock, &xfr->lease_time, sizeof(xfr->lease_time)); 6736 lock_protect(&xfr->lock, &xfr->task_nextprobe->worker, 6737 sizeof(xfr->task_nextprobe->worker)); 6738 lock_protect(&xfr->lock, &xfr->task_probe->worker, 6739 sizeof(xfr->task_probe->worker)); 6740 lock_protect(&xfr->lock, &xfr->task_transfer->worker, 6741 sizeof(xfr->task_transfer->worker)); 6742 lock_basic_lock(&xfr->lock); 6743 return xfr; 6744 } 6745 6746 /** Create auth_xfer structure. 6747 * This populates the have_zone, soa values, and so on times. 6748 * and sets the timeout, if a zone transfer is needed a short timeout is set. 6749 * For that the auth_zone itself must exist (and read in zonefile) 6750 * returns false on alloc failure. */ 6751 struct auth_xfer* 6752 auth_xfer_create(struct auth_zones* az, struct auth_zone* z) 6753 { 6754 struct auth_xfer* xfr; 6755 6756 /* malloc it */ 6757 xfr = auth_xfer_new(z); 6758 if(!xfr) { 6759 log_err("malloc failure"); 6760 return NULL; 6761 } 6762 /* insert in tree */ 6763 (void)rbtree_insert(&az->xtree, &xfr->node); 6764 return xfr; 6765 } 6766 6767 /** create new auth_master structure */ 6768 static struct auth_master* 6769 auth_master_new(struct auth_master*** list) 6770 { 6771 struct auth_master *m; 6772 m = (struct auth_master*)calloc(1, sizeof(*m)); 6773 if(!m) { 6774 log_err("malloc failure"); 6775 return NULL; 6776 } 6777 /* set first pointer to m, or next pointer of previous element to m */ 6778 (**list) = m; 6779 /* store m's next pointer as future point to store at */ 6780 (*list) = &(m->next); 6781 return m; 6782 } 6783 6784 /** dup_prefix : create string from initial part of other string, malloced */ 6785 static char* 6786 dup_prefix(char* str, size_t num) 6787 { 6788 char* result; 6789 size_t len = strlen(str); 6790 if(len < num) num = len; /* not more than strlen */ 6791 result = (char*)malloc(num+1); 6792 if(!result) { 6793 log_err("malloc failure"); 6794 return result; 6795 } 6796 memmove(result, str, num); 6797 result[num] = 0; 6798 return result; 6799 } 6800 6801 /** dup string and print error on error */ 6802 static char* 6803 dup_all(char* str) 6804 { 6805 char* result = strdup(str); 6806 if(!result) { 6807 log_err("malloc failure"); 6808 return NULL; 6809 } 6810 return result; 6811 } 6812 6813 /** find first of two characters */ 6814 static char* 6815 str_find_first_of_chars(char* s, char a, char b) 6816 { 6817 char* ra = strchr(s, a); 6818 char* rb = strchr(s, b); 6819 if(!ra) return rb; 6820 if(!rb) return ra; 6821 if(ra < rb) return ra; 6822 return rb; 6823 } 6824 6825 /** parse URL into host and file parts, false on malloc or parse error */ 6826 static int 6827 parse_url(char* url, char** host, char** file, int* port, int* ssl) 6828 { 6829 char* p = url; 6830 /* parse http://www.example.com/file.htm 6831 * or http://127.0.0.1 (index.html) 6832 * or https://[::1@1234]/a/b/c/d */ 6833 *ssl = 1; 6834 *port = AUTH_HTTPS_PORT; 6835 6836 /* parse http:// or https:// */ 6837 if(strncmp(p, "http://", 7) == 0) { 6838 p += 7; 6839 *ssl = 0; 6840 *port = AUTH_HTTP_PORT; 6841 } else if(strncmp(p, "https://", 8) == 0) { 6842 p += 8; 6843 } else if(strstr(p, "://") && strchr(p, '/') > strstr(p, "://") && 6844 strchr(p, ':') >= strstr(p, "://")) { 6845 char* uri = dup_prefix(p, (size_t)(strstr(p, "://")-p)); 6846 log_err("protocol %s:// not supported (for url %s)", 6847 uri?uri:"", p); 6848 free(uri); 6849 return 0; 6850 } 6851 6852 /* parse hostname part */ 6853 if(p[0] == '[') { 6854 char* end = strchr(p, ']'); 6855 p++; /* skip over [ */ 6856 if(end) { 6857 *host = dup_prefix(p, (size_t)(end-p)); 6858 if(!*host) return 0; 6859 p = end+1; /* skip over ] */ 6860 } else { 6861 *host = dup_all(p); 6862 if(!*host) return 0; 6863 p = end; 6864 } 6865 } else { 6866 char* end = str_find_first_of_chars(p, ':', '/'); 6867 if(end) { 6868 *host = dup_prefix(p, (size_t)(end-p)); 6869 if(!*host) return 0; 6870 } else { 6871 *host = dup_all(p); 6872 if(!*host) return 0; 6873 } 6874 p = end; /* at next : or / or NULL */ 6875 } 6876 6877 /* parse port number */ 6878 if(p && p[0] == ':') { 6879 char* end = NULL; 6880 *port = strtol(p+1, &end, 10); 6881 p = end; 6882 } 6883 6884 /* parse filename part */ 6885 while(p && *p == '/') 6886 p++; 6887 if(!p || p[0] == 0) 6888 *file = strdup("index.html"); 6889 else *file = strdup(p); 6890 if(!*file) { 6891 log_err("malloc failure"); 6892 return 0; 6893 } 6894 return 1; 6895 } 6896 6897 int 6898 xfer_set_masters(struct auth_master** list, struct config_auth* c, 6899 int with_http) 6900 { 6901 struct auth_master* m; 6902 struct config_strlist* p; 6903 /* list points to the first, or next pointer for the new element */ 6904 while(*list) { 6905 list = &( (*list)->next ); 6906 } 6907 if(with_http) 6908 for(p = c->urls; p; p = p->next) { 6909 m = auth_master_new(&list); 6910 m->http = 1; 6911 if(!parse_url(p->str, &m->host, &m->file, &m->port, &m->ssl)) 6912 return 0; 6913 } 6914 for(p = c->masters; p; p = p->next) { 6915 m = auth_master_new(&list); 6916 m->ixfr = 1; /* this flag is not configurable */ 6917 m->host = strdup(p->str); 6918 if(!m->host) { 6919 log_err("malloc failure"); 6920 return 0; 6921 } 6922 } 6923 for(p = c->allow_notify; p; p = p->next) { 6924 m = auth_master_new(&list); 6925 m->allow_notify = 1; 6926 m->host = strdup(p->str); 6927 if(!m->host) { 6928 log_err("malloc failure"); 6929 return 0; 6930 } 6931 } 6932 return 1; 6933 } 6934 6935 #define SERIAL_BITS 32 6936 int 6937 compare_serial(uint32_t a, uint32_t b) 6938 { 6939 const uint32_t cutoff = ((uint32_t) 1 << (SERIAL_BITS - 1)); 6940 6941 if (a == b) { 6942 return 0; 6943 } else if ((a < b && b - a < cutoff) || (a > b && a - b > cutoff)) { 6944 return -1; 6945 } else { 6946 return 1; 6947 } 6948 } 6949