1 /* 2 * services/authzone.c - authoritative zone that is locally hosted. 3 * 4 * Copyright (c) 2017, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * Redistributions of source code must retain the above copyright notice, 13 * this list of conditions and the following disclaimer. 14 * 15 * Redistributions in binary form must reproduce the above copyright notice, 16 * this list of conditions and the following disclaimer in the documentation 17 * and/or other materials provided with the distribution. 18 * 19 * Neither the name of the NLNET LABS nor the names of its contributors may 20 * be used to endorse or promote products derived from this software without 21 * specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36 /** 37 * \file 38 * 39 * This file contains the functions for an authority zone. This zone 40 * is queried by the iterator, just like a stub or forward zone, but then 41 * the data is locally held. 42 */ 43 44 #include "config.h" 45 #include "services/authzone.h" 46 #include "util/data/dname.h" 47 #include "util/data/msgparse.h" 48 #include "util/data/msgreply.h" 49 #include "util/data/msgencode.h" 50 #include "util/data/packed_rrset.h" 51 #include "util/regional.h" 52 #include "util/net_help.h" 53 #include "util/netevent.h" 54 #include "util/config_file.h" 55 #include "util/log.h" 56 #include "util/module.h" 57 #include "util/random.h" 58 #include "services/cache/dns.h" 59 #include "services/outside_network.h" 60 #include "services/listen_dnsport.h" 61 #include "services/mesh.h" 62 #include "sldns/rrdef.h" 63 #include "sldns/pkthdr.h" 64 #include "sldns/sbuffer.h" 65 #include "sldns/str2wire.h" 66 #include "sldns/wire2str.h" 67 #include "sldns/parseutil.h" 68 #include "sldns/keyraw.h" 69 #include "validator/val_nsec3.h" 70 #include "validator/val_secalgo.h" 71 #include <ctype.h> 72 73 /** bytes to use for NSEC3 hash buffer. 20 for sha1 */ 74 #define N3HASHBUFLEN 32 75 /** max number of CNAMEs we are willing to follow (in one answer) */ 76 #define MAX_CNAME_CHAIN 8 77 /** timeout for probe packets for SOA */ 78 #define AUTH_PROBE_TIMEOUT 100 /* msec */ 79 /** when to stop with SOA probes (when exponential timeouts exceed this) */ 80 #define AUTH_PROBE_TIMEOUT_STOP 1000 /* msec */ 81 /* auth transfer timeout for TCP connections, in msec */ 82 #define AUTH_TRANSFER_TIMEOUT 10000 /* msec */ 83 /* auth transfer max backoff for failed tranfers and probes */ 84 #define AUTH_TRANSFER_MAX_BACKOFF 86400 /* sec */ 85 /* auth http port number */ 86 #define AUTH_HTTP_PORT 80 87 /* auth https port number */ 88 #define AUTH_HTTPS_PORT 443 89 /* max depth for nested $INCLUDEs */ 90 #define MAX_INCLUDE_DEPTH 10 91 /** number of timeouts before we fallback from IXFR to AXFR, 92 * because some versions of servers (eg. dnsmasq) drop IXFR packets. */ 93 #define NUM_TIMEOUTS_FALLBACK_IXFR 3 94 95 /** pick up nextprobe task to start waiting to perform transfer actions */ 96 static void xfr_set_timeout(struct auth_xfer* xfr, struct module_env* env, 97 int failure, int lookup_only); 98 /** move to sending the probe packets, next if fails. task_probe */ 99 static void xfr_probe_send_or_end(struct auth_xfer* xfr, 100 struct module_env* env); 101 /** pick up probe task with specified(or NULL) destination first, 102 * or transfer task if nothing to probe, or false if already in progress */ 103 static int xfr_start_probe(struct auth_xfer* xfr, struct module_env* env, 104 struct auth_master* spec); 105 /** delete xfer structure (not its tree entry) */ 106 static void auth_xfer_delete(struct auth_xfer* xfr); 107 108 /** create new dns_msg */ 109 static struct dns_msg* 110 msg_create(struct regional* region, struct query_info* qinfo) 111 { 112 struct dns_msg* msg = (struct dns_msg*)regional_alloc(region, 113 sizeof(struct dns_msg)); 114 if(!msg) 115 return NULL; 116 msg->qinfo.qname = regional_alloc_init(region, qinfo->qname, 117 qinfo->qname_len); 118 if(!msg->qinfo.qname) 119 return NULL; 120 msg->qinfo.qname_len = qinfo->qname_len; 121 msg->qinfo.qtype = qinfo->qtype; 122 msg->qinfo.qclass = qinfo->qclass; 123 msg->qinfo.local_alias = NULL; 124 /* non-packed reply_info, because it needs to grow the array */ 125 msg->rep = (struct reply_info*)regional_alloc_zero(region, 126 sizeof(struct reply_info)-sizeof(struct rrset_ref)); 127 if(!msg->rep) 128 return NULL; 129 msg->rep->flags = (uint16_t)(BIT_QR | BIT_AA); 130 msg->rep->authoritative = 1; 131 msg->rep->qdcount = 1; 132 /* rrsets is NULL, no rrsets yet */ 133 return msg; 134 } 135 136 /** grow rrset array by one in msg */ 137 static int 138 msg_grow_array(struct regional* region, struct dns_msg* msg) 139 { 140 if(msg->rep->rrsets == NULL) { 141 msg->rep->rrsets = regional_alloc_zero(region, 142 sizeof(struct ub_packed_rrset_key*)*(msg->rep->rrset_count+1)); 143 if(!msg->rep->rrsets) 144 return 0; 145 } else { 146 struct ub_packed_rrset_key** rrsets_old = msg->rep->rrsets; 147 msg->rep->rrsets = regional_alloc_zero(region, 148 sizeof(struct ub_packed_rrset_key*)*(msg->rep->rrset_count+1)); 149 if(!msg->rep->rrsets) 150 return 0; 151 memmove(msg->rep->rrsets, rrsets_old, 152 sizeof(struct ub_packed_rrset_key*)*msg->rep->rrset_count); 153 } 154 return 1; 155 } 156 157 /** get ttl of rrset */ 158 static time_t 159 get_rrset_ttl(struct ub_packed_rrset_key* k) 160 { 161 struct packed_rrset_data* d = (struct packed_rrset_data*) 162 k->entry.data; 163 return d->ttl; 164 } 165 166 /** Copy rrset into region from domain-datanode and packet rrset */ 167 static struct ub_packed_rrset_key* 168 auth_packed_rrset_copy_region(struct auth_zone* z, struct auth_data* node, 169 struct auth_rrset* rrset, struct regional* region, time_t adjust) 170 { 171 struct ub_packed_rrset_key key; 172 memset(&key, 0, sizeof(key)); 173 key.entry.key = &key; 174 key.entry.data = rrset->data; 175 key.rk.dname = node->name; 176 key.rk.dname_len = node->namelen; 177 key.rk.type = htons(rrset->type); 178 key.rk.rrset_class = htons(z->dclass); 179 key.entry.hash = rrset_key_hash(&key.rk); 180 return packed_rrset_copy_region(&key, region, adjust); 181 } 182 183 /** fix up msg->rep TTL and prefetch ttl */ 184 static void 185 msg_ttl(struct dns_msg* msg) 186 { 187 if(msg->rep->rrset_count == 0) return; 188 if(msg->rep->rrset_count == 1) { 189 msg->rep->ttl = get_rrset_ttl(msg->rep->rrsets[0]); 190 msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(msg->rep->ttl); 191 msg->rep->serve_expired_ttl = msg->rep->ttl + SERVE_EXPIRED_TTL; 192 } else if(get_rrset_ttl(msg->rep->rrsets[msg->rep->rrset_count-1]) < 193 msg->rep->ttl) { 194 msg->rep->ttl = get_rrset_ttl(msg->rep->rrsets[ 195 msg->rep->rrset_count-1]); 196 msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(msg->rep->ttl); 197 msg->rep->serve_expired_ttl = msg->rep->ttl + SERVE_EXPIRED_TTL; 198 } 199 } 200 201 /** see if rrset is a duplicate in the answer message */ 202 static int 203 msg_rrset_duplicate(struct dns_msg* msg, uint8_t* nm, size_t nmlen, 204 uint16_t type, uint16_t dclass) 205 { 206 size_t i; 207 for(i=0; i<msg->rep->rrset_count; i++) { 208 struct ub_packed_rrset_key* k = msg->rep->rrsets[i]; 209 if(ntohs(k->rk.type) == type && k->rk.dname_len == nmlen && 210 ntohs(k->rk.rrset_class) == dclass && 211 query_dname_compare(k->rk.dname, nm) == 0) 212 return 1; 213 } 214 return 0; 215 } 216 217 /** add rrset to answer section (no auth, add rrsets yet) */ 218 static int 219 msg_add_rrset_an(struct auth_zone* z, struct regional* region, 220 struct dns_msg* msg, struct auth_data* node, struct auth_rrset* rrset) 221 { 222 log_assert(msg->rep->ns_numrrsets == 0); 223 log_assert(msg->rep->ar_numrrsets == 0); 224 if(!rrset || !node) 225 return 1; 226 if(msg_rrset_duplicate(msg, node->name, node->namelen, rrset->type, 227 z->dclass)) 228 return 1; 229 /* grow array */ 230 if(!msg_grow_array(region, msg)) 231 return 0; 232 /* copy it */ 233 if(!(msg->rep->rrsets[msg->rep->rrset_count] = 234 auth_packed_rrset_copy_region(z, node, rrset, region, 0))) 235 return 0; 236 msg->rep->rrset_count++; 237 msg->rep->an_numrrsets++; 238 msg_ttl(msg); 239 return 1; 240 } 241 242 /** add rrset to authority section (no additonal section rrsets yet) */ 243 static int 244 msg_add_rrset_ns(struct auth_zone* z, struct regional* region, 245 struct dns_msg* msg, struct auth_data* node, struct auth_rrset* rrset) 246 { 247 log_assert(msg->rep->ar_numrrsets == 0); 248 if(!rrset || !node) 249 return 1; 250 if(msg_rrset_duplicate(msg, node->name, node->namelen, rrset->type, 251 z->dclass)) 252 return 1; 253 /* grow array */ 254 if(!msg_grow_array(region, msg)) 255 return 0; 256 /* copy it */ 257 if(!(msg->rep->rrsets[msg->rep->rrset_count] = 258 auth_packed_rrset_copy_region(z, node, rrset, region, 0))) 259 return 0; 260 msg->rep->rrset_count++; 261 msg->rep->ns_numrrsets++; 262 msg_ttl(msg); 263 return 1; 264 } 265 266 /** add rrset to additional section */ 267 static int 268 msg_add_rrset_ar(struct auth_zone* z, struct regional* region, 269 struct dns_msg* msg, struct auth_data* node, struct auth_rrset* rrset) 270 { 271 if(!rrset || !node) 272 return 1; 273 if(msg_rrset_duplicate(msg, node->name, node->namelen, rrset->type, 274 z->dclass)) 275 return 1; 276 /* grow array */ 277 if(!msg_grow_array(region, msg)) 278 return 0; 279 /* copy it */ 280 if(!(msg->rep->rrsets[msg->rep->rrset_count] = 281 auth_packed_rrset_copy_region(z, node, rrset, region, 0))) 282 return 0; 283 msg->rep->rrset_count++; 284 msg->rep->ar_numrrsets++; 285 msg_ttl(msg); 286 return 1; 287 } 288 289 struct auth_zones* auth_zones_create(void) 290 { 291 struct auth_zones* az = (struct auth_zones*)calloc(1, sizeof(*az)); 292 if(!az) { 293 log_err("out of memory"); 294 return NULL; 295 } 296 rbtree_init(&az->ztree, &auth_zone_cmp); 297 rbtree_init(&az->xtree, &auth_xfer_cmp); 298 lock_rw_init(&az->lock); 299 lock_protect(&az->lock, &az->ztree, sizeof(az->ztree)); 300 lock_protect(&az->lock, &az->xtree, sizeof(az->xtree)); 301 /* also lock protects the rbnode's in struct auth_zone, auth_xfer */ 302 return az; 303 } 304 305 int auth_zone_cmp(const void* z1, const void* z2) 306 { 307 /* first sort on class, so that hierarchy can be maintained within 308 * a class */ 309 struct auth_zone* a = (struct auth_zone*)z1; 310 struct auth_zone* b = (struct auth_zone*)z2; 311 int m; 312 if(a->dclass != b->dclass) { 313 if(a->dclass < b->dclass) 314 return -1; 315 return 1; 316 } 317 /* sorted such that higher zones sort before lower zones (their 318 * contents) */ 319 return dname_lab_cmp(a->name, a->namelabs, b->name, b->namelabs, &m); 320 } 321 322 int auth_data_cmp(const void* z1, const void* z2) 323 { 324 struct auth_data* a = (struct auth_data*)z1; 325 struct auth_data* b = (struct auth_data*)z2; 326 int m; 327 /* canonical sort, because DNSSEC needs that */ 328 return dname_canon_lab_cmp(a->name, a->namelabs, b->name, 329 b->namelabs, &m); 330 } 331 332 int auth_xfer_cmp(const void* z1, const void* z2) 333 { 334 /* first sort on class, so that hierarchy can be maintained within 335 * a class */ 336 struct auth_xfer* a = (struct auth_xfer*)z1; 337 struct auth_xfer* b = (struct auth_xfer*)z2; 338 int m; 339 if(a->dclass != b->dclass) { 340 if(a->dclass < b->dclass) 341 return -1; 342 return 1; 343 } 344 /* sorted such that higher zones sort before lower zones (their 345 * contents) */ 346 return dname_lab_cmp(a->name, a->namelabs, b->name, b->namelabs, &m); 347 } 348 349 /** delete auth rrset node */ 350 static void 351 auth_rrset_delete(struct auth_rrset* rrset) 352 { 353 if(!rrset) return; 354 free(rrset->data); 355 free(rrset); 356 } 357 358 /** delete auth data domain node */ 359 static void 360 auth_data_delete(struct auth_data* n) 361 { 362 struct auth_rrset* p, *np; 363 if(!n) return; 364 p = n->rrsets; 365 while(p) { 366 np = p->next; 367 auth_rrset_delete(p); 368 p = np; 369 } 370 free(n->name); 371 free(n); 372 } 373 374 /** helper traverse to delete zones */ 375 static void 376 auth_data_del(rbnode_type* n, void* ATTR_UNUSED(arg)) 377 { 378 struct auth_data* z = (struct auth_data*)n->key; 379 auth_data_delete(z); 380 } 381 382 /** delete an auth zone structure (tree remove must be done elsewhere) */ 383 static void 384 auth_zone_delete(struct auth_zone* z) 385 { 386 if(!z) return; 387 lock_rw_destroy(&z->lock); 388 traverse_postorder(&z->data, auth_data_del, NULL); 389 free(z->name); 390 free(z->zonefile); 391 free(z); 392 } 393 394 struct auth_zone* 395 auth_zone_create(struct auth_zones* az, uint8_t* nm, size_t nmlen, 396 uint16_t dclass) 397 { 398 struct auth_zone* z = (struct auth_zone*)calloc(1, sizeof(*z)); 399 if(!z) { 400 return NULL; 401 } 402 z->node.key = z; 403 z->dclass = dclass; 404 z->namelen = nmlen; 405 z->namelabs = dname_count_labels(nm); 406 z->name = memdup(nm, nmlen); 407 if(!z->name) { 408 free(z); 409 return NULL; 410 } 411 rbtree_init(&z->data, &auth_data_cmp); 412 lock_rw_init(&z->lock); 413 lock_protect(&z->lock, &z->name, sizeof(*z)-sizeof(rbnode_type)); 414 lock_rw_wrlock(&z->lock); 415 /* z lock protects all, except rbtree itself, which is az->lock */ 416 if(!rbtree_insert(&az->ztree, &z->node)) { 417 lock_rw_unlock(&z->lock); 418 auth_zone_delete(z); 419 log_warn("duplicate auth zone"); 420 return NULL; 421 } 422 return z; 423 } 424 425 struct auth_zone* 426 auth_zone_find(struct auth_zones* az, uint8_t* nm, size_t nmlen, 427 uint16_t dclass) 428 { 429 struct auth_zone key; 430 key.node.key = &key; 431 key.dclass = dclass; 432 key.name = nm; 433 key.namelen = nmlen; 434 key.namelabs = dname_count_labels(nm); 435 return (struct auth_zone*)rbtree_search(&az->ztree, &key); 436 } 437 438 struct auth_xfer* 439 auth_xfer_find(struct auth_zones* az, uint8_t* nm, size_t nmlen, 440 uint16_t dclass) 441 { 442 struct auth_xfer key; 443 key.node.key = &key; 444 key.dclass = dclass; 445 key.name = nm; 446 key.namelen = nmlen; 447 key.namelabs = dname_count_labels(nm); 448 return (struct auth_xfer*)rbtree_search(&az->xtree, &key); 449 } 450 451 /** find an auth zone or sorted less-or-equal, return true if exact */ 452 static int 453 auth_zone_find_less_equal(struct auth_zones* az, uint8_t* nm, size_t nmlen, 454 uint16_t dclass, struct auth_zone** z) 455 { 456 struct auth_zone key; 457 key.node.key = &key; 458 key.dclass = dclass; 459 key.name = nm; 460 key.namelen = nmlen; 461 key.namelabs = dname_count_labels(nm); 462 return rbtree_find_less_equal(&az->ztree, &key, (rbnode_type**)z); 463 } 464 465 466 /** find the auth zone that is above the given name */ 467 struct auth_zone* 468 auth_zones_find_zone(struct auth_zones* az, uint8_t* name, size_t name_len, 469 uint16_t dclass) 470 { 471 uint8_t* nm = name; 472 size_t nmlen = name_len; 473 struct auth_zone* z; 474 if(auth_zone_find_less_equal(az, nm, nmlen, dclass, &z)) { 475 /* exact match */ 476 return z; 477 } else { 478 /* less-or-nothing */ 479 if(!z) return NULL; /* nothing smaller, nothing above it */ 480 /* we found smaller name; smaller may be above the name, 481 * but not below it. */ 482 nm = dname_get_shared_topdomain(z->name, name); 483 dname_count_size_labels(nm, &nmlen); 484 z = NULL; 485 } 486 487 /* search up */ 488 while(!z) { 489 z = auth_zone_find(az, nm, nmlen, dclass); 490 if(z) return z; 491 if(dname_is_root(nm)) break; 492 dname_remove_label(&nm, &nmlen); 493 } 494 return NULL; 495 } 496 497 /** find or create zone with name str. caller must have lock on az. 498 * returns a wrlocked zone */ 499 static struct auth_zone* 500 auth_zones_find_or_add_zone(struct auth_zones* az, char* name) 501 { 502 uint8_t nm[LDNS_MAX_DOMAINLEN+1]; 503 size_t nmlen = sizeof(nm); 504 struct auth_zone* z; 505 506 if(sldns_str2wire_dname_buf(name, nm, &nmlen) != 0) { 507 log_err("cannot parse auth zone name: %s", name); 508 return 0; 509 } 510 z = auth_zone_find(az, nm, nmlen, LDNS_RR_CLASS_IN); 511 if(!z) { 512 /* not found, create the zone */ 513 z = auth_zone_create(az, nm, nmlen, LDNS_RR_CLASS_IN); 514 } else { 515 lock_rw_wrlock(&z->lock); 516 } 517 return z; 518 } 519 520 /** find or create xfer zone with name str. caller must have lock on az. 521 * returns a locked xfer */ 522 static struct auth_xfer* 523 auth_zones_find_or_add_xfer(struct auth_zones* az, struct auth_zone* z) 524 { 525 struct auth_xfer* x; 526 x = auth_xfer_find(az, z->name, z->namelen, z->dclass); 527 if(!x) { 528 /* not found, create the zone */ 529 x = auth_xfer_create(az, z); 530 } else { 531 lock_basic_lock(&x->lock); 532 } 533 return x; 534 } 535 536 int 537 auth_zone_set_zonefile(struct auth_zone* z, char* zonefile) 538 { 539 if(z->zonefile) free(z->zonefile); 540 if(zonefile == NULL) { 541 z->zonefile = NULL; 542 } else { 543 z->zonefile = strdup(zonefile); 544 if(!z->zonefile) { 545 log_err("malloc failure"); 546 return 0; 547 } 548 } 549 return 1; 550 } 551 552 /** set auth zone fallback. caller must have lock on zone */ 553 int 554 auth_zone_set_fallback(struct auth_zone* z, char* fallbackstr) 555 { 556 if(strcmp(fallbackstr, "yes") != 0 && strcmp(fallbackstr, "no") != 0){ 557 log_err("auth zone fallback, expected yes or no, got %s", 558 fallbackstr); 559 return 0; 560 } 561 z->fallback_enabled = (strcmp(fallbackstr, "yes")==0); 562 return 1; 563 } 564 565 /** create domain with the given name */ 566 static struct auth_data* 567 az_domain_create(struct auth_zone* z, uint8_t* nm, size_t nmlen) 568 { 569 struct auth_data* n = (struct auth_data*)malloc(sizeof(*n)); 570 if(!n) return NULL; 571 memset(n, 0, sizeof(*n)); 572 n->node.key = n; 573 n->name = memdup(nm, nmlen); 574 if(!n->name) { 575 free(n); 576 return NULL; 577 } 578 n->namelen = nmlen; 579 n->namelabs = dname_count_labels(nm); 580 if(!rbtree_insert(&z->data, &n->node)) { 581 log_warn("duplicate auth domain name"); 582 free(n->name); 583 free(n); 584 return NULL; 585 } 586 return n; 587 } 588 589 /** find domain with exactly the given name */ 590 static struct auth_data* 591 az_find_name(struct auth_zone* z, uint8_t* nm, size_t nmlen) 592 { 593 struct auth_zone key; 594 key.node.key = &key; 595 key.name = nm; 596 key.namelen = nmlen; 597 key.namelabs = dname_count_labels(nm); 598 return (struct auth_data*)rbtree_search(&z->data, &key); 599 } 600 601 /** Find domain name (or closest match) */ 602 static void 603 az_find_domain(struct auth_zone* z, struct query_info* qinfo, int* node_exact, 604 struct auth_data** node) 605 { 606 struct auth_zone key; 607 key.node.key = &key; 608 key.name = qinfo->qname; 609 key.namelen = qinfo->qname_len; 610 key.namelabs = dname_count_labels(key.name); 611 *node_exact = rbtree_find_less_equal(&z->data, &key, 612 (rbnode_type**)node); 613 } 614 615 /** find or create domain with name in zone */ 616 static struct auth_data* 617 az_domain_find_or_create(struct auth_zone* z, uint8_t* dname, 618 size_t dname_len) 619 { 620 struct auth_data* n = az_find_name(z, dname, dname_len); 621 if(!n) { 622 n = az_domain_create(z, dname, dname_len); 623 } 624 return n; 625 } 626 627 /** find rrset of given type in the domain */ 628 static struct auth_rrset* 629 az_domain_rrset(struct auth_data* n, uint16_t t) 630 { 631 struct auth_rrset* rrset; 632 if(!n) return NULL; 633 rrset = n->rrsets; 634 while(rrset) { 635 if(rrset->type == t) 636 return rrset; 637 rrset = rrset->next; 638 } 639 return NULL; 640 } 641 642 /** remove rrset of this type from domain */ 643 static void 644 domain_remove_rrset(struct auth_data* node, uint16_t rr_type) 645 { 646 struct auth_rrset* rrset, *prev; 647 if(!node) return; 648 prev = NULL; 649 rrset = node->rrsets; 650 while(rrset) { 651 if(rrset->type == rr_type) { 652 /* found it, now delete it */ 653 if(prev) prev->next = rrset->next; 654 else node->rrsets = rrset->next; 655 auth_rrset_delete(rrset); 656 return; 657 } 658 prev = rrset; 659 rrset = rrset->next; 660 } 661 } 662 663 /** find an rr index in the rrset. returns true if found */ 664 static int 665 az_rrset_find_rr(struct packed_rrset_data* d, uint8_t* rdata, size_t len, 666 size_t* index) 667 { 668 size_t i; 669 for(i=0; i<d->count; i++) { 670 if(d->rr_len[i] != len) 671 continue; 672 if(memcmp(d->rr_data[i], rdata, len) == 0) { 673 *index = i; 674 return 1; 675 } 676 } 677 return 0; 678 } 679 680 /** find an rrsig index in the rrset. returns true if found */ 681 static int 682 az_rrset_find_rrsig(struct packed_rrset_data* d, uint8_t* rdata, size_t len, 683 size_t* index) 684 { 685 size_t i; 686 for(i=d->count; i<d->count + d->rrsig_count; i++) { 687 if(d->rr_len[i] != len) 688 continue; 689 if(memcmp(d->rr_data[i], rdata, len) == 0) { 690 *index = i; 691 return 1; 692 } 693 } 694 return 0; 695 } 696 697 /** see if rdata is duplicate */ 698 static int 699 rdata_duplicate(struct packed_rrset_data* d, uint8_t* rdata, size_t len) 700 { 701 size_t i; 702 for(i=0; i<d->count + d->rrsig_count; i++) { 703 if(d->rr_len[i] != len) 704 continue; 705 if(memcmp(d->rr_data[i], rdata, len) == 0) 706 return 1; 707 } 708 return 0; 709 } 710 711 /** get rrsig type covered from rdata. 712 * @param rdata: rdata in wireformat, starting with 16bit rdlength. 713 * @param rdatalen: length of rdata buffer. 714 * @return type covered (or 0). 715 */ 716 static uint16_t 717 rrsig_rdata_get_type_covered(uint8_t* rdata, size_t rdatalen) 718 { 719 if(rdatalen < 4) 720 return 0; 721 return sldns_read_uint16(rdata+2); 722 } 723 724 /** remove RR from existing RRset. Also sig, if it is a signature. 725 * reallocates the packed rrset for a new one, false on alloc failure */ 726 static int 727 rrset_remove_rr(struct auth_rrset* rrset, size_t index) 728 { 729 struct packed_rrset_data* d, *old = rrset->data; 730 size_t i; 731 if(index >= old->count + old->rrsig_count) 732 return 0; /* index out of bounds */ 733 d = (struct packed_rrset_data*)calloc(1, packed_rrset_sizeof(old) - ( 734 sizeof(size_t) + sizeof(uint8_t*) + sizeof(time_t) + 735 old->rr_len[index])); 736 if(!d) { 737 log_err("malloc failure"); 738 return 0; 739 } 740 d->ttl = old->ttl; 741 d->count = old->count; 742 d->rrsig_count = old->rrsig_count; 743 if(index < d->count) d->count--; 744 else d->rrsig_count--; 745 d->trust = old->trust; 746 d->security = old->security; 747 748 /* set rr_len, needed for ptr_fixup */ 749 d->rr_len = (size_t*)((uint8_t*)d + 750 sizeof(struct packed_rrset_data)); 751 if(index > 0) 752 memmove(d->rr_len, old->rr_len, (index)*sizeof(size_t)); 753 if(index+1 < old->count+old->rrsig_count) 754 memmove(&d->rr_len[index], &old->rr_len[index+1], 755 (old->count+old->rrsig_count - (index+1))*sizeof(size_t)); 756 packed_rrset_ptr_fixup(d); 757 758 /* move over ttls */ 759 if(index > 0) 760 memmove(d->rr_ttl, old->rr_ttl, (index)*sizeof(time_t)); 761 if(index+1 < old->count+old->rrsig_count) 762 memmove(&d->rr_ttl[index], &old->rr_ttl[index+1], 763 (old->count+old->rrsig_count - (index+1))*sizeof(time_t)); 764 765 /* move over rr_data */ 766 for(i=0; i<d->count+d->rrsig_count; i++) { 767 size_t oldi; 768 if(i < index) oldi = i; 769 else oldi = i+1; 770 memmove(d->rr_data[i], old->rr_data[oldi], d->rr_len[i]); 771 } 772 773 /* recalc ttl (lowest of remaining RR ttls) */ 774 if(d->count + d->rrsig_count > 0) 775 d->ttl = d->rr_ttl[0]; 776 for(i=0; i<d->count+d->rrsig_count; i++) { 777 if(d->rr_ttl[i] < d->ttl) 778 d->ttl = d->rr_ttl[i]; 779 } 780 781 free(rrset->data); 782 rrset->data = d; 783 return 1; 784 } 785 786 /** add RR to existing RRset. If insert_sig is true, add to rrsigs. 787 * This reallocates the packed rrset for a new one */ 788 static int 789 rrset_add_rr(struct auth_rrset* rrset, uint32_t rr_ttl, uint8_t* rdata, 790 size_t rdatalen, int insert_sig) 791 { 792 struct packed_rrset_data* d, *old = rrset->data; 793 size_t total, old_total; 794 795 d = (struct packed_rrset_data*)calloc(1, packed_rrset_sizeof(old) 796 + sizeof(size_t) + sizeof(uint8_t*) + sizeof(time_t) 797 + rdatalen); 798 if(!d) { 799 log_err("out of memory"); 800 return 0; 801 } 802 /* copy base values */ 803 memcpy(d, old, sizeof(struct packed_rrset_data)); 804 if(!insert_sig) { 805 d->count++; 806 } else { 807 d->rrsig_count++; 808 } 809 old_total = old->count + old->rrsig_count; 810 total = d->count + d->rrsig_count; 811 /* set rr_len, needed for ptr_fixup */ 812 d->rr_len = (size_t*)((uint8_t*)d + 813 sizeof(struct packed_rrset_data)); 814 if(old->count != 0) 815 memmove(d->rr_len, old->rr_len, old->count*sizeof(size_t)); 816 if(old->rrsig_count != 0) 817 memmove(d->rr_len+d->count, old->rr_len+old->count, 818 old->rrsig_count*sizeof(size_t)); 819 if(!insert_sig) 820 d->rr_len[d->count-1] = rdatalen; 821 else d->rr_len[total-1] = rdatalen; 822 packed_rrset_ptr_fixup(d); 823 if((time_t)rr_ttl < d->ttl) 824 d->ttl = rr_ttl; 825 826 /* copy old values into new array */ 827 if(old->count != 0) { 828 memmove(d->rr_ttl, old->rr_ttl, old->count*sizeof(time_t)); 829 /* all the old rr pieces are allocated sequential, so we 830 * can copy them in one go */ 831 memmove(d->rr_data[0], old->rr_data[0], 832 (old->rr_data[old->count-1] - old->rr_data[0]) + 833 old->rr_len[old->count-1]); 834 } 835 if(old->rrsig_count != 0) { 836 memmove(d->rr_ttl+d->count, old->rr_ttl+old->count, 837 old->rrsig_count*sizeof(time_t)); 838 memmove(d->rr_data[d->count], old->rr_data[old->count], 839 (old->rr_data[old_total-1] - old->rr_data[old->count]) + 840 old->rr_len[old_total-1]); 841 } 842 843 /* insert new value */ 844 if(!insert_sig) { 845 d->rr_ttl[d->count-1] = rr_ttl; 846 memmove(d->rr_data[d->count-1], rdata, rdatalen); 847 } else { 848 d->rr_ttl[total-1] = rr_ttl; 849 memmove(d->rr_data[total-1], rdata, rdatalen); 850 } 851 852 rrset->data = d; 853 free(old); 854 return 1; 855 } 856 857 /** Create new rrset for node with packed rrset with one RR element */ 858 static struct auth_rrset* 859 rrset_create(struct auth_data* node, uint16_t rr_type, uint32_t rr_ttl, 860 uint8_t* rdata, size_t rdatalen) 861 { 862 struct auth_rrset* rrset = (struct auth_rrset*)calloc(1, 863 sizeof(*rrset)); 864 struct auth_rrset* p, *prev; 865 struct packed_rrset_data* d; 866 if(!rrset) { 867 log_err("out of memory"); 868 return NULL; 869 } 870 rrset->type = rr_type; 871 872 /* the rrset data structure, with one RR */ 873 d = (struct packed_rrset_data*)calloc(1, 874 sizeof(struct packed_rrset_data) + sizeof(size_t) + 875 sizeof(uint8_t*) + sizeof(time_t) + rdatalen); 876 if(!d) { 877 free(rrset); 878 log_err("out of memory"); 879 return NULL; 880 } 881 rrset->data = d; 882 d->ttl = rr_ttl; 883 d->trust = rrset_trust_prim_noglue; 884 d->rr_len = (size_t*)((uint8_t*)d + sizeof(struct packed_rrset_data)); 885 d->rr_data = (uint8_t**)&(d->rr_len[1]); 886 d->rr_ttl = (time_t*)&(d->rr_data[1]); 887 d->rr_data[0] = (uint8_t*)&(d->rr_ttl[1]); 888 889 /* insert the RR */ 890 d->rr_len[0] = rdatalen; 891 d->rr_ttl[0] = rr_ttl; 892 memmove(d->rr_data[0], rdata, rdatalen); 893 d->count++; 894 895 /* insert rrset into linked list for domain */ 896 /* find sorted place to link the rrset into the list */ 897 prev = NULL; 898 p = node->rrsets; 899 while(p && p->type<=rr_type) { 900 prev = p; 901 p = p->next; 902 } 903 /* so, prev is smaller, and p is larger than rr_type */ 904 rrset->next = p; 905 if(prev) prev->next = rrset; 906 else node->rrsets = rrset; 907 return rrset; 908 } 909 910 /** count number (and size) of rrsigs that cover a type */ 911 static size_t 912 rrsig_num_that_cover(struct auth_rrset* rrsig, uint16_t rr_type, size_t* sigsz) 913 { 914 struct packed_rrset_data* d = rrsig->data; 915 size_t i, num = 0; 916 *sigsz = 0; 917 log_assert(d && rrsig->type == LDNS_RR_TYPE_RRSIG); 918 for(i=0; i<d->count+d->rrsig_count; i++) { 919 if(rrsig_rdata_get_type_covered(d->rr_data[i], 920 d->rr_len[i]) == rr_type) { 921 num++; 922 (*sigsz) += d->rr_len[i]; 923 } 924 } 925 return num; 926 } 927 928 /** See if rrsig set has covered sigs for rrset and move them over */ 929 static int 930 rrset_moveover_rrsigs(struct auth_data* node, uint16_t rr_type, 931 struct auth_rrset* rrset, struct auth_rrset* rrsig) 932 { 933 size_t sigs, sigsz, i, j, total; 934 struct packed_rrset_data* sigold = rrsig->data; 935 struct packed_rrset_data* old = rrset->data; 936 struct packed_rrset_data* d, *sigd; 937 938 log_assert(rrset->type == rr_type); 939 log_assert(rrsig->type == LDNS_RR_TYPE_RRSIG); 940 sigs = rrsig_num_that_cover(rrsig, rr_type, &sigsz); 941 if(sigs == 0) { 942 /* 0 rrsigs to move over, done */ 943 return 1; 944 } 945 946 /* allocate rrset sigsz larger for extra sigs elements, and 947 * allocate rrsig sigsz smaller for less sigs elements. */ 948 d = (struct packed_rrset_data*)calloc(1, packed_rrset_sizeof(old) 949 + sigs*(sizeof(size_t) + sizeof(uint8_t*) + sizeof(time_t)) 950 + sigsz); 951 if(!d) { 952 log_err("out of memory"); 953 return 0; 954 } 955 /* copy base values */ 956 total = old->count + old->rrsig_count; 957 memcpy(d, old, sizeof(struct packed_rrset_data)); 958 d->rrsig_count += sigs; 959 /* setup rr_len */ 960 d->rr_len = (size_t*)((uint8_t*)d + 961 sizeof(struct packed_rrset_data)); 962 if(total != 0) 963 memmove(d->rr_len, old->rr_len, total*sizeof(size_t)); 964 j = d->count+d->rrsig_count-sigs; 965 for(i=0; i<sigold->count+sigold->rrsig_count; i++) { 966 if(rrsig_rdata_get_type_covered(sigold->rr_data[i], 967 sigold->rr_len[i]) == rr_type) { 968 d->rr_len[j] = sigold->rr_len[i]; 969 j++; 970 } 971 } 972 packed_rrset_ptr_fixup(d); 973 974 /* copy old values into new array */ 975 if(total != 0) { 976 memmove(d->rr_ttl, old->rr_ttl, total*sizeof(time_t)); 977 /* all the old rr pieces are allocated sequential, so we 978 * can copy them in one go */ 979 memmove(d->rr_data[0], old->rr_data[0], 980 (old->rr_data[total-1] - old->rr_data[0]) + 981 old->rr_len[total-1]); 982 } 983 984 /* move over the rrsigs to the larger rrset*/ 985 j = d->count+d->rrsig_count-sigs; 986 for(i=0; i<sigold->count+sigold->rrsig_count; i++) { 987 if(rrsig_rdata_get_type_covered(sigold->rr_data[i], 988 sigold->rr_len[i]) == rr_type) { 989 /* move this one over to location j */ 990 d->rr_ttl[j] = sigold->rr_ttl[i]; 991 memmove(d->rr_data[j], sigold->rr_data[i], 992 sigold->rr_len[i]); 993 if(d->rr_ttl[j] < d->ttl) 994 d->ttl = d->rr_ttl[j]; 995 j++; 996 } 997 } 998 999 /* put it in and deallocate the old rrset */ 1000 rrset->data = d; 1001 free(old); 1002 1003 /* now make rrsig set smaller */ 1004 if(sigold->count+sigold->rrsig_count == sigs) { 1005 /* remove all sigs from rrsig, remove it entirely */ 1006 domain_remove_rrset(node, LDNS_RR_TYPE_RRSIG); 1007 return 1; 1008 } 1009 log_assert(packed_rrset_sizeof(sigold) > sigs*(sizeof(size_t) + 1010 sizeof(uint8_t*) + sizeof(time_t)) + sigsz); 1011 sigd = (struct packed_rrset_data*)calloc(1, packed_rrset_sizeof(sigold) 1012 - sigs*(sizeof(size_t) + sizeof(uint8_t*) + sizeof(time_t)) 1013 - sigsz); 1014 if(!sigd) { 1015 /* no need to free up d, it has already been placed in the 1016 * node->rrset structure */ 1017 log_err("out of memory"); 1018 return 0; 1019 } 1020 /* copy base values */ 1021 memcpy(sigd, sigold, sizeof(struct packed_rrset_data)); 1022 /* in sigd the RRSIGs are stored in the base of the RR, in count */ 1023 sigd->count -= sigs; 1024 /* setup rr_len */ 1025 sigd->rr_len = (size_t*)((uint8_t*)sigd + 1026 sizeof(struct packed_rrset_data)); 1027 j = 0; 1028 for(i=0; i<sigold->count+sigold->rrsig_count; i++) { 1029 if(rrsig_rdata_get_type_covered(sigold->rr_data[i], 1030 sigold->rr_len[i]) != rr_type) { 1031 sigd->rr_len[j] = sigold->rr_len[i]; 1032 j++; 1033 } 1034 } 1035 packed_rrset_ptr_fixup(sigd); 1036 1037 /* copy old values into new rrsig array */ 1038 j = 0; 1039 for(i=0; i<sigold->count+sigold->rrsig_count; i++) { 1040 if(rrsig_rdata_get_type_covered(sigold->rr_data[i], 1041 sigold->rr_len[i]) != rr_type) { 1042 /* move this one over to location j */ 1043 sigd->rr_ttl[j] = sigold->rr_ttl[i]; 1044 memmove(sigd->rr_data[j], sigold->rr_data[i], 1045 sigold->rr_len[i]); 1046 if(j==0) sigd->ttl = sigd->rr_ttl[j]; 1047 else { 1048 if(sigd->rr_ttl[j] < sigd->ttl) 1049 sigd->ttl = sigd->rr_ttl[j]; 1050 } 1051 j++; 1052 } 1053 } 1054 1055 /* put it in and deallocate the old rrset */ 1056 rrsig->data = sigd; 1057 free(sigold); 1058 1059 return 1; 1060 } 1061 1062 /** copy the rrsigs from the rrset to the rrsig rrset, because the rrset 1063 * is going to be deleted. reallocates the RRSIG rrset data. */ 1064 static int 1065 rrsigs_copy_from_rrset_to_rrsigset(struct auth_rrset* rrset, 1066 struct auth_rrset* rrsigset) 1067 { 1068 size_t i; 1069 if(rrset->data->rrsig_count == 0) 1070 return 1; 1071 1072 /* move them over one by one, because there might be duplicates, 1073 * duplicates are ignored */ 1074 for(i=rrset->data->count; 1075 i<rrset->data->count+rrset->data->rrsig_count; i++) { 1076 uint8_t* rdata = rrset->data->rr_data[i]; 1077 size_t rdatalen = rrset->data->rr_len[i]; 1078 time_t rr_ttl = rrset->data->rr_ttl[i]; 1079 1080 if(rdata_duplicate(rrsigset->data, rdata, rdatalen)) { 1081 continue; 1082 } 1083 if(!rrset_add_rr(rrsigset, rr_ttl, rdata, rdatalen, 0)) 1084 return 0; 1085 } 1086 return 1; 1087 } 1088 1089 /** Add rr to node, ignores duplicate RRs, 1090 * rdata points to buffer with rdatalen octets, starts with 2bytelength. */ 1091 static int 1092 az_domain_add_rr(struct auth_data* node, uint16_t rr_type, uint32_t rr_ttl, 1093 uint8_t* rdata, size_t rdatalen, int* duplicate) 1094 { 1095 struct auth_rrset* rrset; 1096 /* packed rrsets have their rrsigs along with them, sort them out */ 1097 if(rr_type == LDNS_RR_TYPE_RRSIG) { 1098 uint16_t ctype = rrsig_rdata_get_type_covered(rdata, rdatalen); 1099 if((rrset=az_domain_rrset(node, ctype))!= NULL) { 1100 /* a node of the correct type exists, add the RRSIG 1101 * to the rrset of the covered data type */ 1102 if(rdata_duplicate(rrset->data, rdata, rdatalen)) { 1103 if(duplicate) *duplicate = 1; 1104 return 1; 1105 } 1106 if(!rrset_add_rr(rrset, rr_ttl, rdata, rdatalen, 1)) 1107 return 0; 1108 } else if((rrset=az_domain_rrset(node, rr_type))!= NULL) { 1109 /* add RRSIG to rrset of type RRSIG */ 1110 if(rdata_duplicate(rrset->data, rdata, rdatalen)) { 1111 if(duplicate) *duplicate = 1; 1112 return 1; 1113 } 1114 if(!rrset_add_rr(rrset, rr_ttl, rdata, rdatalen, 0)) 1115 return 0; 1116 } else { 1117 /* create rrset of type RRSIG */ 1118 if(!rrset_create(node, rr_type, rr_ttl, rdata, 1119 rdatalen)) 1120 return 0; 1121 } 1122 } else { 1123 /* normal RR type */ 1124 if((rrset=az_domain_rrset(node, rr_type))!= NULL) { 1125 /* add data to existing node with data type */ 1126 if(rdata_duplicate(rrset->data, rdata, rdatalen)) { 1127 if(duplicate) *duplicate = 1; 1128 return 1; 1129 } 1130 if(!rrset_add_rr(rrset, rr_ttl, rdata, rdatalen, 0)) 1131 return 0; 1132 } else { 1133 struct auth_rrset* rrsig; 1134 /* create new node with data type */ 1135 if(!(rrset=rrset_create(node, rr_type, rr_ttl, rdata, 1136 rdatalen))) 1137 return 0; 1138 1139 /* see if node of type RRSIG has signatures that 1140 * cover the data type, and move them over */ 1141 /* and then make the RRSIG type smaller */ 1142 if((rrsig=az_domain_rrset(node, LDNS_RR_TYPE_RRSIG)) 1143 != NULL) { 1144 if(!rrset_moveover_rrsigs(node, rr_type, 1145 rrset, rrsig)) 1146 return 0; 1147 } 1148 } 1149 } 1150 return 1; 1151 } 1152 1153 /** insert RR into zone, ignore duplicates */ 1154 static int 1155 az_insert_rr(struct auth_zone* z, uint8_t* rr, size_t rr_len, 1156 size_t dname_len, int* duplicate) 1157 { 1158 struct auth_data* node; 1159 uint8_t* dname = rr; 1160 uint16_t rr_type = sldns_wirerr_get_type(rr, rr_len, dname_len); 1161 uint16_t rr_class = sldns_wirerr_get_class(rr, rr_len, dname_len); 1162 uint32_t rr_ttl = sldns_wirerr_get_ttl(rr, rr_len, dname_len); 1163 size_t rdatalen = ((size_t)sldns_wirerr_get_rdatalen(rr, rr_len, 1164 dname_len))+2; 1165 /* rdata points to rdata prefixed with uint16 rdatalength */ 1166 uint8_t* rdata = sldns_wirerr_get_rdatawl(rr, rr_len, dname_len); 1167 1168 if(rr_class != z->dclass) { 1169 log_err("wrong class for RR"); 1170 return 0; 1171 } 1172 if(!(node=az_domain_find_or_create(z, dname, dname_len))) { 1173 log_err("cannot create domain"); 1174 return 0; 1175 } 1176 if(!az_domain_add_rr(node, rr_type, rr_ttl, rdata, rdatalen, 1177 duplicate)) { 1178 log_err("cannot add RR to domain"); 1179 return 0; 1180 } 1181 return 1; 1182 } 1183 1184 /** Remove rr from node, ignores nonexisting RRs, 1185 * rdata points to buffer with rdatalen octets, starts with 2bytelength. */ 1186 static int 1187 az_domain_remove_rr(struct auth_data* node, uint16_t rr_type, 1188 uint8_t* rdata, size_t rdatalen, int* nonexist) 1189 { 1190 struct auth_rrset* rrset; 1191 size_t index = 0; 1192 1193 /* find the plain RR of the given type */ 1194 if((rrset=az_domain_rrset(node, rr_type))!= NULL) { 1195 if(az_rrset_find_rr(rrset->data, rdata, rdatalen, &index)) { 1196 if(rrset->data->count == 1 && 1197 rrset->data->rrsig_count == 0) { 1198 /* last RR, delete the rrset */ 1199 domain_remove_rrset(node, rr_type); 1200 } else if(rrset->data->count == 1 && 1201 rrset->data->rrsig_count != 0) { 1202 /* move RRSIGs to the RRSIG rrset, or 1203 * this one becomes that RRset */ 1204 struct auth_rrset* rrsigset = az_domain_rrset( 1205 node, LDNS_RR_TYPE_RRSIG); 1206 if(rrsigset) { 1207 /* move left over rrsigs to the 1208 * existing rrset of type RRSIG */ 1209 rrsigs_copy_from_rrset_to_rrsigset( 1210 rrset, rrsigset); 1211 /* and then delete the rrset */ 1212 domain_remove_rrset(node, rr_type); 1213 } else { 1214 /* no rrset of type RRSIG, this 1215 * set is now of that type, 1216 * just remove the rr */ 1217 if(!rrset_remove_rr(rrset, index)) 1218 return 0; 1219 rrset->type = LDNS_RR_TYPE_RRSIG; 1220 rrset->data->count = rrset->data->rrsig_count; 1221 rrset->data->rrsig_count = 0; 1222 } 1223 } else { 1224 /* remove the RR from the rrset */ 1225 if(!rrset_remove_rr(rrset, index)) 1226 return 0; 1227 } 1228 return 1; 1229 } 1230 /* rr not found in rrset */ 1231 } 1232 1233 /* is it a type RRSIG, look under the covered type */ 1234 if(rr_type == LDNS_RR_TYPE_RRSIG) { 1235 uint16_t ctype = rrsig_rdata_get_type_covered(rdata, rdatalen); 1236 if((rrset=az_domain_rrset(node, ctype))!= NULL) { 1237 if(az_rrset_find_rrsig(rrset->data, rdata, rdatalen, 1238 &index)) { 1239 /* rrsig should have d->count > 0, be 1240 * over some rr of that type */ 1241 /* remove the rrsig from the rrsigs list of the 1242 * rrset */ 1243 if(!rrset_remove_rr(rrset, index)) 1244 return 0; 1245 return 1; 1246 } 1247 } 1248 /* also RRSIG not found */ 1249 } 1250 1251 /* nothing found to delete */ 1252 if(nonexist) *nonexist = 1; 1253 return 1; 1254 } 1255 1256 /** remove RR from zone, ignore if it does not exist, false on alloc failure*/ 1257 static int 1258 az_remove_rr(struct auth_zone* z, uint8_t* rr, size_t rr_len, 1259 size_t dname_len, int* nonexist) 1260 { 1261 struct auth_data* node; 1262 uint8_t* dname = rr; 1263 uint16_t rr_type = sldns_wirerr_get_type(rr, rr_len, dname_len); 1264 uint16_t rr_class = sldns_wirerr_get_class(rr, rr_len, dname_len); 1265 size_t rdatalen = ((size_t)sldns_wirerr_get_rdatalen(rr, rr_len, 1266 dname_len))+2; 1267 /* rdata points to rdata prefixed with uint16 rdatalength */ 1268 uint8_t* rdata = sldns_wirerr_get_rdatawl(rr, rr_len, dname_len); 1269 1270 if(rr_class != z->dclass) { 1271 log_err("wrong class for RR"); 1272 /* really also a nonexisting entry, because no records 1273 * of that class in the zone, but return an error because 1274 * getting records of the wrong class is a failure of the 1275 * zone transfer */ 1276 return 0; 1277 } 1278 node = az_find_name(z, dname, dname_len); 1279 if(!node) { 1280 /* node with that name does not exist */ 1281 /* nonexisting entry, because no such name */ 1282 *nonexist = 1; 1283 return 1; 1284 } 1285 if(!az_domain_remove_rr(node, rr_type, rdata, rdatalen, nonexist)) { 1286 /* alloc failure or so */ 1287 return 0; 1288 } 1289 /* remove the node, if necessary */ 1290 /* an rrsets==NULL entry is not kept around for empty nonterminals, 1291 * and also parent nodes are not kept around, so we just delete it */ 1292 if(node->rrsets == NULL) { 1293 (void)rbtree_delete(&z->data, node); 1294 auth_data_delete(node); 1295 } 1296 return 1; 1297 } 1298 1299 /** decompress an RR into the buffer where it'll be an uncompressed RR 1300 * with uncompressed dname and uncompressed rdata (dnames) */ 1301 static int 1302 decompress_rr_into_buffer(struct sldns_buffer* buf, uint8_t* pkt, 1303 size_t pktlen, uint8_t* dname, uint16_t rr_type, uint16_t rr_class, 1304 uint32_t rr_ttl, uint8_t* rr_data, uint16_t rr_rdlen) 1305 { 1306 sldns_buffer pktbuf; 1307 size_t dname_len = 0; 1308 size_t rdlenpos; 1309 size_t rdlen; 1310 uint8_t* rd; 1311 const sldns_rr_descriptor* desc; 1312 sldns_buffer_init_frm_data(&pktbuf, pkt, pktlen); 1313 sldns_buffer_clear(buf); 1314 1315 /* decompress dname */ 1316 sldns_buffer_set_position(&pktbuf, 1317 (size_t)(dname - sldns_buffer_current(&pktbuf))); 1318 dname_len = pkt_dname_len(&pktbuf); 1319 if(dname_len == 0) return 0; /* parse fail on dname */ 1320 if(!sldns_buffer_available(buf, dname_len)) return 0; 1321 dname_pkt_copy(&pktbuf, sldns_buffer_current(buf), dname); 1322 sldns_buffer_skip(buf, (ssize_t)dname_len); 1323 1324 /* type, class, ttl and rdatalength fields */ 1325 if(!sldns_buffer_available(buf, 10)) return 0; 1326 sldns_buffer_write_u16(buf, rr_type); 1327 sldns_buffer_write_u16(buf, rr_class); 1328 sldns_buffer_write_u32(buf, rr_ttl); 1329 rdlenpos = sldns_buffer_position(buf); 1330 sldns_buffer_write_u16(buf, 0); /* rd length position */ 1331 1332 /* decompress rdata */ 1333 desc = sldns_rr_descript(rr_type); 1334 rd = rr_data; 1335 rdlen = rr_rdlen; 1336 if(rdlen > 0 && desc && desc->_dname_count > 0) { 1337 int count = (int)desc->_dname_count; 1338 int rdf = 0; 1339 size_t len; /* how much rdata to plain copy */ 1340 size_t uncompressed_len, compressed_len; 1341 size_t oldpos; 1342 /* decompress dnames. */ 1343 while(rdlen > 0 && count) { 1344 switch(desc->_wireformat[rdf]) { 1345 case LDNS_RDF_TYPE_DNAME: 1346 sldns_buffer_set_position(&pktbuf, 1347 (size_t)(rd - 1348 sldns_buffer_begin(&pktbuf))); 1349 oldpos = sldns_buffer_position(&pktbuf); 1350 /* moves pktbuf to right after the 1351 * compressed dname, and returns uncompressed 1352 * dname length */ 1353 uncompressed_len = pkt_dname_len(&pktbuf); 1354 if(!uncompressed_len) 1355 return 0; /* parse error in dname */ 1356 if(!sldns_buffer_available(buf, 1357 uncompressed_len)) 1358 /* dname too long for buffer */ 1359 return 0; 1360 dname_pkt_copy(&pktbuf, 1361 sldns_buffer_current(buf), rd); 1362 sldns_buffer_skip(buf, (ssize_t)uncompressed_len); 1363 compressed_len = sldns_buffer_position( 1364 &pktbuf) - oldpos; 1365 rd += compressed_len; 1366 rdlen -= compressed_len; 1367 count--; 1368 len = 0; 1369 break; 1370 case LDNS_RDF_TYPE_STR: 1371 len = rd[0] + 1; 1372 break; 1373 default: 1374 len = get_rdf_size(desc->_wireformat[rdf]); 1375 break; 1376 } 1377 if(len) { 1378 if(!sldns_buffer_available(buf, len)) 1379 return 0; /* too long for buffer */ 1380 sldns_buffer_write(buf, rd, len); 1381 rd += len; 1382 rdlen -= len; 1383 } 1384 rdf++; 1385 } 1386 } 1387 /* copy remaining data */ 1388 if(rdlen > 0) { 1389 if(!sldns_buffer_available(buf, rdlen)) return 0; 1390 sldns_buffer_write(buf, rd, rdlen); 1391 } 1392 /* fixup rdlength */ 1393 sldns_buffer_write_u16_at(buf, rdlenpos, 1394 sldns_buffer_position(buf)-rdlenpos-2); 1395 sldns_buffer_flip(buf); 1396 return 1; 1397 } 1398 1399 /** insert RR into zone, from packet, decompress RR, 1400 * if duplicate is nonNULL set the flag but otherwise ignore duplicates */ 1401 static int 1402 az_insert_rr_decompress(struct auth_zone* z, uint8_t* pkt, size_t pktlen, 1403 struct sldns_buffer* scratch_buffer, uint8_t* dname, uint16_t rr_type, 1404 uint16_t rr_class, uint32_t rr_ttl, uint8_t* rr_data, 1405 uint16_t rr_rdlen, int* duplicate) 1406 { 1407 uint8_t* rr; 1408 size_t rr_len; 1409 size_t dname_len; 1410 if(!decompress_rr_into_buffer(scratch_buffer, pkt, pktlen, dname, 1411 rr_type, rr_class, rr_ttl, rr_data, rr_rdlen)) { 1412 log_err("could not decompress RR"); 1413 return 0; 1414 } 1415 rr = sldns_buffer_begin(scratch_buffer); 1416 rr_len = sldns_buffer_limit(scratch_buffer); 1417 dname_len = dname_valid(rr, rr_len); 1418 return az_insert_rr(z, rr, rr_len, dname_len, duplicate); 1419 } 1420 1421 /** remove RR from zone, from packet, decompress RR, 1422 * if nonexist is nonNULL set the flag but otherwise ignore nonexisting entries*/ 1423 static int 1424 az_remove_rr_decompress(struct auth_zone* z, uint8_t* pkt, size_t pktlen, 1425 struct sldns_buffer* scratch_buffer, uint8_t* dname, uint16_t rr_type, 1426 uint16_t rr_class, uint32_t rr_ttl, uint8_t* rr_data, 1427 uint16_t rr_rdlen, int* nonexist) 1428 { 1429 uint8_t* rr; 1430 size_t rr_len; 1431 size_t dname_len; 1432 if(!decompress_rr_into_buffer(scratch_buffer, pkt, pktlen, dname, 1433 rr_type, rr_class, rr_ttl, rr_data, rr_rdlen)) { 1434 log_err("could not decompress RR"); 1435 return 0; 1436 } 1437 rr = sldns_buffer_begin(scratch_buffer); 1438 rr_len = sldns_buffer_limit(scratch_buffer); 1439 dname_len = dname_valid(rr, rr_len); 1440 return az_remove_rr(z, rr, rr_len, dname_len, nonexist); 1441 } 1442 1443 /** 1444 * Parse zonefile 1445 * @param z: zone to read in. 1446 * @param in: file to read from (just opened). 1447 * @param rr: buffer to use for RRs, 64k. 1448 * passed so that recursive includes can use the same buffer and do 1449 * not grow the stack too much. 1450 * @param rrbuflen: sizeof rr buffer. 1451 * @param state: parse state with $ORIGIN, $TTL and 'prev-dname' and so on, 1452 * that is kept between includes. 1453 * The lineno is set at 1 and then increased by the function. 1454 * @param fname: file name. 1455 * @param depth: recursion depth for includes 1456 * @param cfg: config for chroot. 1457 * returns false on failure, has printed an error message 1458 */ 1459 static int 1460 az_parse_file(struct auth_zone* z, FILE* in, uint8_t* rr, size_t rrbuflen, 1461 struct sldns_file_parse_state* state, char* fname, int depth, 1462 struct config_file* cfg) 1463 { 1464 size_t rr_len, dname_len; 1465 int status; 1466 state->lineno = 1; 1467 1468 while(!feof(in)) { 1469 rr_len = rrbuflen; 1470 dname_len = 0; 1471 status = sldns_fp2wire_rr_buf(in, rr, &rr_len, &dname_len, 1472 state); 1473 if(status == LDNS_WIREPARSE_ERR_INCLUDE && rr_len == 0) { 1474 /* we have $INCLUDE or $something */ 1475 if(strncmp((char*)rr, "$INCLUDE ", 9) == 0 || 1476 strncmp((char*)rr, "$INCLUDE\t", 9) == 0) { 1477 FILE* inc; 1478 int lineno_orig = state->lineno; 1479 char* incfile = (char*)rr + 8; 1480 if(depth > MAX_INCLUDE_DEPTH) { 1481 log_err("%s:%d max include depth" 1482 "exceeded", fname, state->lineno); 1483 return 0; 1484 } 1485 /* skip spaces */ 1486 while(*incfile == ' ' || *incfile == '\t') 1487 incfile++; 1488 /* adjust for chroot on include file */ 1489 if(cfg->chrootdir && cfg->chrootdir[0] && 1490 strncmp(incfile, cfg->chrootdir, 1491 strlen(cfg->chrootdir)) == 0) 1492 incfile += strlen(cfg->chrootdir); 1493 incfile = strdup(incfile); 1494 if(!incfile) { 1495 log_err("malloc failure"); 1496 return 0; 1497 } 1498 verbose(VERB_ALGO, "opening $INCLUDE %s", 1499 incfile); 1500 inc = fopen(incfile, "r"); 1501 if(!inc) { 1502 log_err("%s:%d cannot open include " 1503 "file %s: %s", fname, 1504 lineno_orig, incfile, 1505 strerror(errno)); 1506 free(incfile); 1507 return 0; 1508 } 1509 /* recurse read that file now */ 1510 if(!az_parse_file(z, inc, rr, rrbuflen, 1511 state, incfile, depth+1, cfg)) { 1512 log_err("%s:%d cannot parse include " 1513 "file %s", fname, 1514 lineno_orig, incfile); 1515 fclose(inc); 1516 free(incfile); 1517 return 0; 1518 } 1519 fclose(inc); 1520 verbose(VERB_ALGO, "done with $INCLUDE %s", 1521 incfile); 1522 free(incfile); 1523 state->lineno = lineno_orig; 1524 } 1525 continue; 1526 } 1527 if(status != 0) { 1528 log_err("parse error %s %d:%d: %s", fname, 1529 state->lineno, LDNS_WIREPARSE_OFFSET(status), 1530 sldns_get_errorstr_parse(status)); 1531 return 0; 1532 } 1533 if(rr_len == 0) { 1534 /* EMPTY line, TTL or ORIGIN */ 1535 continue; 1536 } 1537 /* insert wirerr in rrbuf */ 1538 if(!az_insert_rr(z, rr, rr_len, dname_len, NULL)) { 1539 char buf[17]; 1540 sldns_wire2str_type_buf(sldns_wirerr_get_type(rr, 1541 rr_len, dname_len), buf, sizeof(buf)); 1542 log_err("%s:%d cannot insert RR of type %s", 1543 fname, state->lineno, buf); 1544 return 0; 1545 } 1546 } 1547 return 1; 1548 } 1549 1550 int 1551 auth_zone_read_zonefile(struct auth_zone* z, struct config_file* cfg) 1552 { 1553 uint8_t rr[LDNS_RR_BUF_SIZE]; 1554 struct sldns_file_parse_state state; 1555 char* zfilename; 1556 FILE* in; 1557 if(!z || !z->zonefile || z->zonefile[0]==0) 1558 return 1; /* no file, or "", nothing to read */ 1559 1560 zfilename = z->zonefile; 1561 if(cfg->chrootdir && cfg->chrootdir[0] && strncmp(zfilename, 1562 cfg->chrootdir, strlen(cfg->chrootdir)) == 0) 1563 zfilename += strlen(cfg->chrootdir); 1564 if(verbosity >= VERB_ALGO) { 1565 char nm[255+1]; 1566 dname_str(z->name, nm); 1567 verbose(VERB_ALGO, "read zonefile %s for %s", zfilename, nm); 1568 } 1569 in = fopen(zfilename, "r"); 1570 if(!in) { 1571 char* n = sldns_wire2str_dname(z->name, z->namelen); 1572 if(z->zone_is_slave && errno == ENOENT) { 1573 /* we fetch the zone contents later, no file yet */ 1574 verbose(VERB_ALGO, "no zonefile %s for %s", 1575 zfilename, n?n:"error"); 1576 free(n); 1577 return 1; 1578 } 1579 log_err("cannot open zonefile %s for %s: %s", 1580 zfilename, n?n:"error", strerror(errno)); 1581 free(n); 1582 return 0; 1583 } 1584 1585 /* clear the data tree */ 1586 traverse_postorder(&z->data, auth_data_del, NULL); 1587 rbtree_init(&z->data, &auth_data_cmp); 1588 1589 memset(&state, 0, sizeof(state)); 1590 /* default TTL to 3600 */ 1591 state.default_ttl = 3600; 1592 /* set $ORIGIN to the zone name */ 1593 if(z->namelen <= sizeof(state.origin)) { 1594 memcpy(state.origin, z->name, z->namelen); 1595 state.origin_len = z->namelen; 1596 } 1597 /* parse the (toplevel) file */ 1598 if(!az_parse_file(z, in, rr, sizeof(rr), &state, zfilename, 0, cfg)) { 1599 char* n = sldns_wire2str_dname(z->name, z->namelen); 1600 log_err("error parsing zonefile %s for %s", 1601 zfilename, n?n:"error"); 1602 free(n); 1603 fclose(in); 1604 return 0; 1605 } 1606 fclose(in); 1607 return 1; 1608 } 1609 1610 /** write buffer to file and check return codes */ 1611 static int 1612 write_out(FILE* out, const char* str, size_t len) 1613 { 1614 size_t r; 1615 if(len == 0) 1616 return 1; 1617 r = fwrite(str, 1, len, out); 1618 if(r == 0) { 1619 log_err("write failed: %s", strerror(errno)); 1620 return 0; 1621 } else if(r < len) { 1622 log_err("write failed: too short (disk full?)"); 1623 return 0; 1624 } 1625 return 1; 1626 } 1627 1628 /** convert auth rr to string */ 1629 static int 1630 auth_rr_to_string(uint8_t* nm, size_t nmlen, uint16_t tp, uint16_t cl, 1631 struct packed_rrset_data* data, size_t i, char* s, size_t buflen) 1632 { 1633 int w = 0; 1634 size_t slen = buflen, datlen; 1635 uint8_t* dat; 1636 if(i >= data->count) tp = LDNS_RR_TYPE_RRSIG; 1637 dat = nm; 1638 datlen = nmlen; 1639 w += sldns_wire2str_dname_scan(&dat, &datlen, &s, &slen, NULL, 0); 1640 w += sldns_str_print(&s, &slen, "\t"); 1641 w += sldns_str_print(&s, &slen, "%lu\t", (unsigned long)data->rr_ttl[i]); 1642 w += sldns_wire2str_class_print(&s, &slen, cl); 1643 w += sldns_str_print(&s, &slen, "\t"); 1644 w += sldns_wire2str_type_print(&s, &slen, tp); 1645 w += sldns_str_print(&s, &slen, "\t"); 1646 datlen = data->rr_len[i]-2; 1647 dat = data->rr_data[i]+2; 1648 w += sldns_wire2str_rdata_scan(&dat, &datlen, &s, &slen, tp, NULL, 0); 1649 1650 if(tp == LDNS_RR_TYPE_DNSKEY) { 1651 w += sldns_str_print(&s, &slen, " ;{id = %u}", 1652 sldns_calc_keytag_raw(data->rr_data[i]+2, 1653 data->rr_len[i]-2)); 1654 } 1655 w += sldns_str_print(&s, &slen, "\n"); 1656 1657 if(w > (int)buflen) { 1658 log_nametypeclass(0, "RR too long to print", nm, tp, cl); 1659 return 0; 1660 } 1661 return 1; 1662 } 1663 1664 /** write rrset to file */ 1665 static int 1666 auth_zone_write_rrset(struct auth_zone* z, struct auth_data* node, 1667 struct auth_rrset* r, FILE* out) 1668 { 1669 size_t i, count = r->data->count + r->data->rrsig_count; 1670 char buf[LDNS_RR_BUF_SIZE]; 1671 for(i=0; i<count; i++) { 1672 if(!auth_rr_to_string(node->name, node->namelen, r->type, 1673 z->dclass, r->data, i, buf, sizeof(buf))) { 1674 verbose(VERB_ALGO, "failed to rr2str rr %d", (int)i); 1675 continue; 1676 } 1677 if(!write_out(out, buf, strlen(buf))) 1678 return 0; 1679 } 1680 return 1; 1681 } 1682 1683 /** write domain to file */ 1684 static int 1685 auth_zone_write_domain(struct auth_zone* z, struct auth_data* n, FILE* out) 1686 { 1687 struct auth_rrset* r; 1688 /* if this is zone apex, write SOA first */ 1689 if(z->namelen == n->namelen) { 1690 struct auth_rrset* soa = az_domain_rrset(n, LDNS_RR_TYPE_SOA); 1691 if(soa) { 1692 if(!auth_zone_write_rrset(z, n, soa, out)) 1693 return 0; 1694 } 1695 } 1696 /* write all the RRsets for this domain */ 1697 for(r = n->rrsets; r; r = r->next) { 1698 if(z->namelen == n->namelen && 1699 r->type == LDNS_RR_TYPE_SOA) 1700 continue; /* skip SOA here */ 1701 if(!auth_zone_write_rrset(z, n, r, out)) 1702 return 0; 1703 } 1704 return 1; 1705 } 1706 1707 int auth_zone_write_file(struct auth_zone* z, const char* fname) 1708 { 1709 FILE* out; 1710 struct auth_data* n; 1711 out = fopen(fname, "w"); 1712 if(!out) { 1713 log_err("could not open %s: %s", fname, strerror(errno)); 1714 return 0; 1715 } 1716 RBTREE_FOR(n, struct auth_data*, &z->data) { 1717 if(!auth_zone_write_domain(z, n, out)) { 1718 log_err("could not write domain to %s", fname); 1719 fclose(out); 1720 return 0; 1721 } 1722 } 1723 fclose(out); 1724 return 1; 1725 } 1726 1727 /** read all auth zones from file (if they have) */ 1728 static int 1729 auth_zones_read_zones(struct auth_zones* az, struct config_file* cfg) 1730 { 1731 struct auth_zone* z; 1732 lock_rw_wrlock(&az->lock); 1733 RBTREE_FOR(z, struct auth_zone*, &az->ztree) { 1734 lock_rw_wrlock(&z->lock); 1735 if(!auth_zone_read_zonefile(z, cfg)) { 1736 lock_rw_unlock(&z->lock); 1737 lock_rw_unlock(&az->lock); 1738 return 0; 1739 } 1740 lock_rw_unlock(&z->lock); 1741 } 1742 lock_rw_unlock(&az->lock); 1743 return 1; 1744 } 1745 1746 /** find serial number of zone or false if none */ 1747 int 1748 auth_zone_get_serial(struct auth_zone* z, uint32_t* serial) 1749 { 1750 struct auth_data* apex; 1751 struct auth_rrset* soa; 1752 struct packed_rrset_data* d; 1753 apex = az_find_name(z, z->name, z->namelen); 1754 if(!apex) return 0; 1755 soa = az_domain_rrset(apex, LDNS_RR_TYPE_SOA); 1756 if(!soa || soa->data->count==0) 1757 return 0; /* no RRset or no RRs in rrset */ 1758 if(soa->data->rr_len[0] < 2+4*5) return 0; /* SOA too short */ 1759 d = soa->data; 1760 *serial = sldns_read_uint32(d->rr_data[0]+(d->rr_len[0]-20)); 1761 return 1; 1762 } 1763 1764 /** Find auth_zone SOA and populate the values in xfr(soa values). */ 1765 static int 1766 xfr_find_soa(struct auth_zone* z, struct auth_xfer* xfr) 1767 { 1768 struct auth_data* apex; 1769 struct auth_rrset* soa; 1770 struct packed_rrset_data* d; 1771 apex = az_find_name(z, z->name, z->namelen); 1772 if(!apex) return 0; 1773 soa = az_domain_rrset(apex, LDNS_RR_TYPE_SOA); 1774 if(!soa || soa->data->count==0) 1775 return 0; /* no RRset or no RRs in rrset */ 1776 if(soa->data->rr_len[0] < 2+4*5) return 0; /* SOA too short */ 1777 /* SOA record ends with serial, refresh, retry, expiry, minimum, 1778 * as 4 byte fields */ 1779 d = soa->data; 1780 xfr->have_zone = 1; 1781 xfr->serial = sldns_read_uint32(d->rr_data[0]+(d->rr_len[0]-20)); 1782 xfr->refresh = sldns_read_uint32(d->rr_data[0]+(d->rr_len[0]-16)); 1783 xfr->retry = sldns_read_uint32(d->rr_data[0]+(d->rr_len[0]-12)); 1784 xfr->expiry = sldns_read_uint32(d->rr_data[0]+(d->rr_len[0]-8)); 1785 /* soa minimum at d->rr_len[0]-4 */ 1786 return 1; 1787 } 1788 1789 /** 1790 * Setup auth_xfer zone 1791 * This populates the have_zone, soa values, and so on times. 1792 * Doesn't do network traffic yet, can set option flags. 1793 * @param z: locked by caller, and modified for setup 1794 * @param x: locked by caller, and modified. 1795 * @return false on failure. 1796 */ 1797 static int 1798 auth_xfer_setup(struct auth_zone* z, struct auth_xfer* x) 1799 { 1800 /* for a zone without zone transfers, x==NULL, so skip them, 1801 * i.e. the zone config is fixed with no masters or urls */ 1802 if(!z || !x) return 1; 1803 if(!xfr_find_soa(z, x)) { 1804 return 1; 1805 } 1806 /* nothing for probe, nextprobe and transfer tasks */ 1807 return 1; 1808 } 1809 1810 /** 1811 * Setup all zones 1812 * @param az: auth zones structure 1813 * @return false on failure. 1814 */ 1815 static int 1816 auth_zones_setup_zones(struct auth_zones* az) 1817 { 1818 struct auth_zone* z; 1819 struct auth_xfer* x; 1820 lock_rw_wrlock(&az->lock); 1821 RBTREE_FOR(z, struct auth_zone*, &az->ztree) { 1822 lock_rw_wrlock(&z->lock); 1823 x = auth_xfer_find(az, z->name, z->namelen, z->dclass); 1824 if(x) { 1825 lock_basic_lock(&x->lock); 1826 } 1827 if(!auth_xfer_setup(z, x)) { 1828 if(x) { 1829 lock_basic_unlock(&x->lock); 1830 } 1831 lock_rw_unlock(&z->lock); 1832 lock_rw_unlock(&az->lock); 1833 return 0; 1834 } 1835 if(x) { 1836 lock_basic_unlock(&x->lock); 1837 } 1838 lock_rw_unlock(&z->lock); 1839 } 1840 lock_rw_unlock(&az->lock); 1841 return 1; 1842 } 1843 1844 /** set config items and create zones */ 1845 static int 1846 auth_zones_cfg(struct auth_zones* az, struct config_auth* c) 1847 { 1848 struct auth_zone* z; 1849 struct auth_xfer* x = NULL; 1850 1851 /* create zone */ 1852 lock_rw_wrlock(&az->lock); 1853 if(!(z=auth_zones_find_or_add_zone(az, c->name))) { 1854 lock_rw_unlock(&az->lock); 1855 return 0; 1856 } 1857 if(c->masters || c->urls) { 1858 if(!(x=auth_zones_find_or_add_xfer(az, z))) { 1859 lock_rw_unlock(&az->lock); 1860 lock_rw_unlock(&z->lock); 1861 return 0; 1862 } 1863 } 1864 if(c->for_downstream) 1865 az->have_downstream = 1; 1866 lock_rw_unlock(&az->lock); 1867 1868 /* set options */ 1869 z->zone_deleted = 0; 1870 if(!auth_zone_set_zonefile(z, c->zonefile)) { 1871 if(x) { 1872 lock_basic_unlock(&x->lock); 1873 } 1874 lock_rw_unlock(&z->lock); 1875 return 0; 1876 } 1877 z->for_downstream = c->for_downstream; 1878 z->for_upstream = c->for_upstream; 1879 z->fallback_enabled = c->fallback_enabled; 1880 1881 /* xfer zone */ 1882 if(x) { 1883 z->zone_is_slave = 1; 1884 /* set options on xfer zone */ 1885 if(!xfer_set_masters(&x->task_probe->masters, c, 0)) { 1886 lock_basic_unlock(&x->lock); 1887 lock_rw_unlock(&z->lock); 1888 return 0; 1889 } 1890 if(!xfer_set_masters(&x->task_transfer->masters, c, 1)) { 1891 lock_basic_unlock(&x->lock); 1892 lock_rw_unlock(&z->lock); 1893 return 0; 1894 } 1895 lock_basic_unlock(&x->lock); 1896 } 1897 1898 lock_rw_unlock(&z->lock); 1899 return 1; 1900 } 1901 1902 /** set all auth zones deleted, then in auth_zones_cfg, it marks them 1903 * as nondeleted (if they are still in the config), and then later 1904 * we can find deleted zones */ 1905 static void 1906 az_setall_deleted(struct auth_zones* az) 1907 { 1908 struct auth_zone* z; 1909 lock_rw_wrlock(&az->lock); 1910 RBTREE_FOR(z, struct auth_zone*, &az->ztree) { 1911 lock_rw_wrlock(&z->lock); 1912 z->zone_deleted = 1; 1913 lock_rw_unlock(&z->lock); 1914 } 1915 lock_rw_unlock(&az->lock); 1916 } 1917 1918 /** find zones that are marked deleted and delete them. 1919 * This is called from apply_cfg, and there are no threads and no 1920 * workers, so the xfr can just be deleted. */ 1921 static void 1922 az_delete_deleted_zones(struct auth_zones* az) 1923 { 1924 struct auth_zone* z; 1925 struct auth_zone* delete_list = NULL, *next; 1926 struct auth_xfer* xfr; 1927 lock_rw_wrlock(&az->lock); 1928 RBTREE_FOR(z, struct auth_zone*, &az->ztree) { 1929 lock_rw_wrlock(&z->lock); 1930 if(z->zone_deleted) { 1931 /* we cannot alter the rbtree right now, but 1932 * we can put it on a linked list and then 1933 * delete it */ 1934 z->delete_next = delete_list; 1935 delete_list = z; 1936 } 1937 lock_rw_unlock(&z->lock); 1938 } 1939 /* now we are out of the tree loop and we can loop and delete 1940 * the zones */ 1941 z = delete_list; 1942 while(z) { 1943 next = z->delete_next; 1944 xfr = auth_xfer_find(az, z->name, z->namelen, z->dclass); 1945 if(xfr) { 1946 (void)rbtree_delete(&az->xtree, &xfr->node); 1947 auth_xfer_delete(xfr); 1948 } 1949 (void)rbtree_delete(&az->ztree, &z->node); 1950 auth_zone_delete(z); 1951 z = next; 1952 } 1953 lock_rw_unlock(&az->lock); 1954 } 1955 1956 int auth_zones_apply_cfg(struct auth_zones* az, struct config_file* cfg, 1957 int setup) 1958 { 1959 struct config_auth* p; 1960 az_setall_deleted(az); 1961 for(p = cfg->auths; p; p = p->next) { 1962 if(!p->name || p->name[0] == 0) { 1963 log_warn("auth-zone without a name, skipped"); 1964 continue; 1965 } 1966 if(!auth_zones_cfg(az, p)) { 1967 log_err("cannot config auth zone %s", p->name); 1968 return 0; 1969 } 1970 } 1971 az_delete_deleted_zones(az); 1972 if(!auth_zones_read_zones(az, cfg)) 1973 return 0; 1974 if(setup) { 1975 if(!auth_zones_setup_zones(az)) 1976 return 0; 1977 } 1978 return 1; 1979 } 1980 1981 /** delete chunks 1982 * @param at: transfer structure with chunks list. The chunks and their 1983 * data are freed. 1984 */ 1985 static void 1986 auth_chunks_delete(struct auth_transfer* at) 1987 { 1988 if(at->chunks_first) { 1989 struct auth_chunk* c, *cn; 1990 c = at->chunks_first; 1991 while(c) { 1992 cn = c->next; 1993 free(c->data); 1994 free(c); 1995 c = cn; 1996 } 1997 } 1998 at->chunks_first = NULL; 1999 at->chunks_last = NULL; 2000 } 2001 2002 /** free master addr list */ 2003 static void 2004 auth_free_master_addrs(struct auth_addr* list) 2005 { 2006 struct auth_addr *n; 2007 while(list) { 2008 n = list->next; 2009 free(list); 2010 list = n; 2011 } 2012 } 2013 2014 /** free the masters list */ 2015 static void 2016 auth_free_masters(struct auth_master* list) 2017 { 2018 struct auth_master* n; 2019 while(list) { 2020 n = list->next; 2021 auth_free_master_addrs(list->list); 2022 free(list->host); 2023 free(list->file); 2024 free(list); 2025 list = n; 2026 } 2027 } 2028 2029 /** delete auth xfer structure 2030 * @param xfr: delete this xfer and its tasks. 2031 */ 2032 static void 2033 auth_xfer_delete(struct auth_xfer* xfr) 2034 { 2035 if(!xfr) return; 2036 lock_basic_destroy(&xfr->lock); 2037 free(xfr->name); 2038 if(xfr->task_nextprobe) { 2039 comm_timer_delete(xfr->task_nextprobe->timer); 2040 free(xfr->task_nextprobe); 2041 } 2042 if(xfr->task_probe) { 2043 auth_free_masters(xfr->task_probe->masters); 2044 comm_point_delete(xfr->task_probe->cp); 2045 comm_timer_delete(xfr->task_probe->timer); 2046 free(xfr->task_probe); 2047 } 2048 if(xfr->task_transfer) { 2049 auth_free_masters(xfr->task_transfer->masters); 2050 comm_point_delete(xfr->task_transfer->cp); 2051 comm_timer_delete(xfr->task_transfer->timer); 2052 if(xfr->task_transfer->chunks_first) { 2053 auth_chunks_delete(xfr->task_transfer); 2054 } 2055 free(xfr->task_transfer); 2056 } 2057 auth_free_masters(xfr->allow_notify_list); 2058 free(xfr); 2059 } 2060 2061 /** helper traverse to delete zones */ 2062 static void 2063 auth_zone_del(rbnode_type* n, void* ATTR_UNUSED(arg)) 2064 { 2065 struct auth_zone* z = (struct auth_zone*)n->key; 2066 auth_zone_delete(z); 2067 } 2068 2069 /** helper traverse to delete xfer zones */ 2070 static void 2071 auth_xfer_del(rbnode_type* n, void* ATTR_UNUSED(arg)) 2072 { 2073 struct auth_xfer* z = (struct auth_xfer*)n->key; 2074 auth_xfer_delete(z); 2075 } 2076 2077 void auth_zones_delete(struct auth_zones* az) 2078 { 2079 if(!az) return; 2080 lock_rw_destroy(&az->lock); 2081 traverse_postorder(&az->ztree, auth_zone_del, NULL); 2082 traverse_postorder(&az->xtree, auth_xfer_del, NULL); 2083 free(az); 2084 } 2085 2086 /** true if domain has only nsec3 */ 2087 static int 2088 domain_has_only_nsec3(struct auth_data* n) 2089 { 2090 struct auth_rrset* rrset = n->rrsets; 2091 int nsec3_seen = 0; 2092 while(rrset) { 2093 if(rrset->type == LDNS_RR_TYPE_NSEC3) { 2094 nsec3_seen = 1; 2095 } else if(rrset->type != LDNS_RR_TYPE_RRSIG) { 2096 return 0; 2097 } 2098 rrset = rrset->next; 2099 } 2100 return nsec3_seen; 2101 } 2102 2103 /** see if the domain has a wildcard child '*.domain' */ 2104 static struct auth_data* 2105 az_find_wildcard_domain(struct auth_zone* z, uint8_t* nm, size_t nmlen) 2106 { 2107 uint8_t wc[LDNS_MAX_DOMAINLEN]; 2108 if(nmlen+2 > sizeof(wc)) 2109 return NULL; /* result would be too long */ 2110 wc[0] = 1; /* length of wildcard label */ 2111 wc[1] = (uint8_t)'*'; /* wildcard label */ 2112 memmove(wc+2, nm, nmlen); 2113 return az_find_name(z, wc, nmlen+2); 2114 } 2115 2116 /** find wildcard between qname and cename */ 2117 static struct auth_data* 2118 az_find_wildcard(struct auth_zone* z, struct query_info* qinfo, 2119 struct auth_data* ce) 2120 { 2121 uint8_t* nm = qinfo->qname; 2122 size_t nmlen = qinfo->qname_len; 2123 struct auth_data* node; 2124 if(!dname_subdomain_c(nm, z->name)) 2125 return NULL; /* out of zone */ 2126 while((node=az_find_wildcard_domain(z, nm, nmlen))==NULL) { 2127 /* see if we can go up to find the wildcard */ 2128 if(nmlen == z->namelen) 2129 return NULL; /* top of zone reached */ 2130 if(ce && nmlen == ce->namelen) 2131 return NULL; /* ce reached */ 2132 if(dname_is_root(nm)) 2133 return NULL; /* cannot go up */ 2134 dname_remove_label(&nm, &nmlen); 2135 } 2136 return node; 2137 } 2138 2139 /** domain is not exact, find first candidate ce (name that matches 2140 * a part of qname) in tree */ 2141 static struct auth_data* 2142 az_find_candidate_ce(struct auth_zone* z, struct query_info* qinfo, 2143 struct auth_data* n) 2144 { 2145 uint8_t* nm; 2146 size_t nmlen; 2147 if(n) { 2148 nm = dname_get_shared_topdomain(qinfo->qname, n->name); 2149 } else { 2150 nm = qinfo->qname; 2151 } 2152 dname_count_size_labels(nm, &nmlen); 2153 n = az_find_name(z, nm, nmlen); 2154 /* delete labels and go up on name */ 2155 while(!n) { 2156 if(dname_is_root(nm)) 2157 return NULL; /* cannot go up */ 2158 dname_remove_label(&nm, &nmlen); 2159 n = az_find_name(z, nm, nmlen); 2160 } 2161 return n; 2162 } 2163 2164 /** go up the auth tree to next existing name. */ 2165 static struct auth_data* 2166 az_domain_go_up(struct auth_zone* z, struct auth_data* n) 2167 { 2168 uint8_t* nm = n->name; 2169 size_t nmlen = n->namelen; 2170 while(!dname_is_root(nm)) { 2171 dname_remove_label(&nm, &nmlen); 2172 if((n=az_find_name(z, nm, nmlen)) != NULL) 2173 return n; 2174 } 2175 return NULL; 2176 } 2177 2178 /** Find the closest encloser, an name that exists and is above the 2179 * qname. 2180 * return true if the node (param node) is existing, nonobscured and 2181 * can be used to generate answers from. It is then also node_exact. 2182 * returns false if the node is not good enough (or it wasn't node_exact) 2183 * in this case the ce can be filled. 2184 * if ce is NULL, no ce exists, and likely the zone is completely empty, 2185 * not even with a zone apex. 2186 * if ce is nonNULL it is the closest enclosing upper name (that exists 2187 * itself for answer purposes). That name may have DNAME, NS or wildcard 2188 * rrset is the closest DNAME or NS rrset that was found. 2189 */ 2190 static int 2191 az_find_ce(struct auth_zone* z, struct query_info* qinfo, 2192 struct auth_data* node, int node_exact, struct auth_data** ce, 2193 struct auth_rrset** rrset) 2194 { 2195 struct auth_data* n = node; 2196 *ce = NULL; 2197 *rrset = NULL; 2198 if(!node_exact) { 2199 /* if not exact, lookup closest exact match */ 2200 n = az_find_candidate_ce(z, qinfo, n); 2201 } else { 2202 /* if exact, the node itself is the first candidate ce */ 2203 *ce = n; 2204 } 2205 2206 /* no direct answer from nsec3-only domains */ 2207 if(n && domain_has_only_nsec3(n)) { 2208 node_exact = 0; 2209 *ce = NULL; 2210 } 2211 2212 /* with exact matches, walk up the labels until we find the 2213 * delegation, or DNAME or zone end */ 2214 while(n) { 2215 /* see if the current candidate has issues */ 2216 /* not zone apex and has type NS */ 2217 if(n->namelen != z->namelen && 2218 (*rrset=az_domain_rrset(n, LDNS_RR_TYPE_NS)) && 2219 /* delegate here, but DS at exact the dp has notype */ 2220 (qinfo->qtype != LDNS_RR_TYPE_DS || 2221 n->namelen != qinfo->qname_len)) { 2222 /* referral */ 2223 /* this is ce and the lowernode is nonexisting */ 2224 *ce = n; 2225 return 0; 2226 } 2227 /* not equal to qname and has type DNAME */ 2228 if(n->namelen != qinfo->qname_len && 2229 (*rrset=az_domain_rrset(n, LDNS_RR_TYPE_DNAME))) { 2230 /* this is ce and the lowernode is nonexisting */ 2231 *ce = n; 2232 return 0; 2233 } 2234 2235 if(*ce == NULL && !domain_has_only_nsec3(n)) { 2236 /* if not found yet, this exact name must be 2237 * our lowest match (but not nsec3onlydomain) */ 2238 *ce = n; 2239 } 2240 2241 /* walk up the tree by removing labels from name and lookup */ 2242 n = az_domain_go_up(z, n); 2243 } 2244 /* found no problems, if it was an exact node, it is fine to use */ 2245 return node_exact; 2246 } 2247 2248 /** add additional A/AAAA from domain names in rrset rdata (+offset) 2249 * offset is number of bytes in rdata where the dname is located. */ 2250 static int 2251 az_add_additionals_from(struct auth_zone* z, struct regional* region, 2252 struct dns_msg* msg, struct auth_rrset* rrset, size_t offset) 2253 { 2254 struct packed_rrset_data* d = rrset->data; 2255 size_t i; 2256 if(!d) return 0; 2257 for(i=0; i<d->count; i++) { 2258 size_t dlen; 2259 struct auth_data* domain; 2260 struct auth_rrset* ref; 2261 if(d->rr_len[i] < 2+offset) 2262 continue; /* too short */ 2263 if(!(dlen = dname_valid(d->rr_data[i]+2+offset, 2264 d->rr_len[i]-2-offset))) 2265 continue; /* malformed */ 2266 domain = az_find_name(z, d->rr_data[i]+2+offset, dlen); 2267 if(!domain) 2268 continue; 2269 if((ref=az_domain_rrset(domain, LDNS_RR_TYPE_A)) != NULL) { 2270 if(!msg_add_rrset_ar(z, region, msg, domain, ref)) 2271 return 0; 2272 } 2273 if((ref=az_domain_rrset(domain, LDNS_RR_TYPE_AAAA)) != NULL) { 2274 if(!msg_add_rrset_ar(z, region, msg, domain, ref)) 2275 return 0; 2276 } 2277 } 2278 return 1; 2279 } 2280 2281 /** add negative SOA record (with negative TTL) */ 2282 static int 2283 az_add_negative_soa(struct auth_zone* z, struct regional* region, 2284 struct dns_msg* msg) 2285 { 2286 uint32_t minimum; 2287 struct packed_rrset_data* d; 2288 struct auth_rrset* soa; 2289 struct auth_data* apex = az_find_name(z, z->name, z->namelen); 2290 if(!apex) return 0; 2291 soa = az_domain_rrset(apex, LDNS_RR_TYPE_SOA); 2292 if(!soa) return 0; 2293 /* must be first to put in message; we want to fix the TTL with 2294 * one RRset here, otherwise we'd need to loop over the RRs to get 2295 * the resulting lower TTL */ 2296 log_assert(msg->rep->rrset_count == 0); 2297 if(!msg_add_rrset_ns(z, region, msg, apex, soa)) return 0; 2298 /* fixup TTL */ 2299 d = (struct packed_rrset_data*)msg->rep->rrsets[msg->rep->rrset_count-1]->entry.data; 2300 /* last 4 bytes are minimum ttl in network format */ 2301 if(d->count == 0) return 0; 2302 if(d->rr_len[0] < 2+4) return 0; 2303 minimum = sldns_read_uint32(d->rr_data[0]+(d->rr_len[0]-4)); 2304 d->ttl = (time_t)minimum; 2305 d->rr_ttl[0] = (time_t)minimum; 2306 msg->rep->ttl = get_rrset_ttl(msg->rep->rrsets[0]); 2307 msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(msg->rep->ttl); 2308 msg->rep->serve_expired_ttl = msg->rep->ttl + SERVE_EXPIRED_TTL; 2309 return 1; 2310 } 2311 2312 /** See if the query goes to empty nonterminal (that has no auth_data, 2313 * but there are nodes underneath. We already checked that there are 2314 * not NS, or DNAME above, so that we only need to check if some node 2315 * exists below (with nonempty rr list), return true if emptynonterminal */ 2316 static int 2317 az_empty_nonterminal(struct auth_zone* z, struct query_info* qinfo, 2318 struct auth_data* node) 2319 { 2320 struct auth_data* next; 2321 if(!node) { 2322 /* no smaller was found, use first (smallest) node as the 2323 * next one */ 2324 next = (struct auth_data*)rbtree_first(&z->data); 2325 } else { 2326 next = (struct auth_data*)rbtree_next(&node->node); 2327 } 2328 while(next && (rbnode_type*)next != RBTREE_NULL && next->rrsets == NULL) { 2329 /* the next name has empty rrsets, is an empty nonterminal 2330 * itself, see if there exists something below it */ 2331 next = (struct auth_data*)rbtree_next(&node->node); 2332 } 2333 if((rbnode_type*)next == RBTREE_NULL || !next) { 2334 /* there is no next node, so something below it cannot 2335 * exist */ 2336 return 0; 2337 } 2338 /* a next node exists, if there was something below the query, 2339 * this node has to be it. See if it is below the query name */ 2340 if(dname_strict_subdomain_c(next->name, qinfo->qname)) 2341 return 1; 2342 return 0; 2343 } 2344 2345 /** create synth cname target name in buffer, or fail if too long */ 2346 static size_t 2347 synth_cname_buf(uint8_t* qname, size_t qname_len, size_t dname_len, 2348 uint8_t* dtarg, size_t dtarglen, uint8_t* buf, size_t buflen) 2349 { 2350 size_t newlen = qname_len + dtarglen - dname_len; 2351 if(newlen > buflen) { 2352 /* YXDOMAIN error */ 2353 return 0; 2354 } 2355 /* new name is concatenation of qname front (without DNAME owner) 2356 * and DNAME target name */ 2357 memcpy(buf, qname, qname_len-dname_len); 2358 memmove(buf+(qname_len-dname_len), dtarg, dtarglen); 2359 return newlen; 2360 } 2361 2362 /** create synthetic CNAME rrset for in a DNAME answer in region, 2363 * false on alloc failure, cname==NULL when name too long. */ 2364 static int 2365 create_synth_cname(uint8_t* qname, size_t qname_len, struct regional* region, 2366 struct auth_data* node, struct auth_rrset* dname, uint16_t dclass, 2367 struct ub_packed_rrset_key** cname) 2368 { 2369 uint8_t buf[LDNS_MAX_DOMAINLEN]; 2370 uint8_t* dtarg; 2371 size_t dtarglen, newlen; 2372 struct packed_rrset_data* d; 2373 2374 /* get DNAME target name */ 2375 if(dname->data->count < 1) return 0; 2376 if(dname->data->rr_len[0] < 3) return 0; /* at least rdatalen +1 */ 2377 dtarg = dname->data->rr_data[0]+2; 2378 dtarglen = dname->data->rr_len[0]-2; 2379 if(sldns_read_uint16(dname->data->rr_data[0]) != dtarglen) 2380 return 0; /* rdatalen in DNAME rdata is malformed */ 2381 if(dname_valid(dtarg, dtarglen) != dtarglen) 2382 return 0; /* DNAME RR has malformed rdata */ 2383 2384 /* synthesize a CNAME */ 2385 newlen = synth_cname_buf(qname, qname_len, node->namelen, 2386 dtarg, dtarglen, buf, sizeof(buf)); 2387 if(newlen == 0) { 2388 /* YXDOMAIN error */ 2389 *cname = NULL; 2390 return 1; 2391 } 2392 *cname = (struct ub_packed_rrset_key*)regional_alloc(region, 2393 sizeof(struct ub_packed_rrset_key)); 2394 if(!*cname) 2395 return 0; /* out of memory */ 2396 memset(&(*cname)->entry, 0, sizeof((*cname)->entry)); 2397 (*cname)->entry.key = (*cname); 2398 (*cname)->rk.type = htons(LDNS_RR_TYPE_CNAME); 2399 (*cname)->rk.rrset_class = htons(dclass); 2400 (*cname)->rk.flags = 0; 2401 (*cname)->rk.dname = regional_alloc_init(region, qname, qname_len); 2402 if(!(*cname)->rk.dname) 2403 return 0; /* out of memory */ 2404 (*cname)->rk.dname_len = qname_len; 2405 (*cname)->entry.hash = rrset_key_hash(&(*cname)->rk); 2406 d = (struct packed_rrset_data*)regional_alloc_zero(region, 2407 sizeof(struct packed_rrset_data) + sizeof(size_t) + 2408 sizeof(uint8_t*) + sizeof(time_t) + sizeof(uint16_t) 2409 + newlen); 2410 if(!d) 2411 return 0; /* out of memory */ 2412 (*cname)->entry.data = d; 2413 d->ttl = 0; /* 0 for synthesized CNAME TTL */ 2414 d->count = 1; 2415 d->rrsig_count = 0; 2416 d->trust = rrset_trust_ans_noAA; 2417 d->rr_len = (size_t*)((uint8_t*)d + 2418 sizeof(struct packed_rrset_data)); 2419 d->rr_len[0] = newlen + sizeof(uint16_t); 2420 packed_rrset_ptr_fixup(d); 2421 d->rr_ttl[0] = d->ttl; 2422 sldns_write_uint16(d->rr_data[0], newlen); 2423 memmove(d->rr_data[0] + sizeof(uint16_t), buf, newlen); 2424 return 1; 2425 } 2426 2427 /** add a synthesized CNAME to the answer section */ 2428 static int 2429 add_synth_cname(struct auth_zone* z, uint8_t* qname, size_t qname_len, 2430 struct regional* region, struct dns_msg* msg, struct auth_data* dname, 2431 struct auth_rrset* rrset) 2432 { 2433 struct ub_packed_rrset_key* cname; 2434 /* synthesize a CNAME */ 2435 if(!create_synth_cname(qname, qname_len, region, dname, rrset, 2436 z->dclass, &cname)) { 2437 /* out of memory */ 2438 return 0; 2439 } 2440 if(!cname) { 2441 /* cname cannot be create because of YXDOMAIN */ 2442 msg->rep->flags |= LDNS_RCODE_YXDOMAIN; 2443 return 1; 2444 } 2445 /* add cname to message */ 2446 if(!msg_grow_array(region, msg)) 2447 return 0; 2448 msg->rep->rrsets[msg->rep->rrset_count] = cname; 2449 msg->rep->rrset_count++; 2450 msg->rep->an_numrrsets++; 2451 msg_ttl(msg); 2452 return 1; 2453 } 2454 2455 /** Change a dname to a different one, for wildcard namechange */ 2456 static void 2457 az_change_dnames(struct dns_msg* msg, uint8_t* oldname, uint8_t* newname, 2458 size_t newlen, int an_only) 2459 { 2460 size_t i; 2461 size_t start = 0, end = msg->rep->rrset_count; 2462 if(!an_only) start = msg->rep->an_numrrsets; 2463 if(an_only) end = msg->rep->an_numrrsets; 2464 for(i=start; i<end; i++) { 2465 /* allocated in region so we can change the ptrs */ 2466 if(query_dname_compare(msg->rep->rrsets[i]->rk.dname, oldname) 2467 == 0) { 2468 msg->rep->rrsets[i]->rk.dname = newname; 2469 msg->rep->rrsets[i]->rk.dname_len = newlen; 2470 } 2471 } 2472 } 2473 2474 /** find NSEC record covering the query */ 2475 static struct auth_rrset* 2476 az_find_nsec_cover(struct auth_zone* z, struct auth_data** node) 2477 { 2478 uint8_t* nm = (*node)->name; 2479 size_t nmlen = (*node)->namelen; 2480 struct auth_rrset* rrset; 2481 /* find the NSEC for the smallest-or-equal node */ 2482 /* if node == NULL, we did not find a smaller name. But the zone 2483 * name is the smallest name and should have an NSEC. So there is 2484 * no NSEC to return (for a properly signed zone) */ 2485 /* for empty nonterminals, the auth-data node should not exist, 2486 * and thus we don't need to go rbtree_previous here to find 2487 * a domain with an NSEC record */ 2488 /* but there could be glue, and if this is node, then it has no NSEC. 2489 * Go up to find nonglue (previous) NSEC-holding nodes */ 2490 while((rrset=az_domain_rrset(*node, LDNS_RR_TYPE_NSEC)) == NULL) { 2491 if(dname_is_root(nm)) return NULL; 2492 if(nmlen == z->namelen) return NULL; 2493 dname_remove_label(&nm, &nmlen); 2494 /* adjust *node for the nsec rrset to find in */ 2495 *node = az_find_name(z, nm, nmlen); 2496 } 2497 return rrset; 2498 } 2499 2500 /** Find NSEC and add for wildcard denial */ 2501 static int 2502 az_nsec_wildcard_denial(struct auth_zone* z, struct regional* region, 2503 struct dns_msg* msg, uint8_t* cenm, size_t cenmlen) 2504 { 2505 struct query_info qinfo; 2506 int node_exact; 2507 struct auth_data* node; 2508 struct auth_rrset* nsec; 2509 uint8_t wc[LDNS_MAX_DOMAINLEN]; 2510 if(cenmlen+2 > sizeof(wc)) 2511 return 0; /* result would be too long */ 2512 wc[0] = 1; /* length of wildcard label */ 2513 wc[1] = (uint8_t)'*'; /* wildcard label */ 2514 memmove(wc+2, cenm, cenmlen); 2515 2516 /* we have '*.ce' in wc wildcard name buffer */ 2517 /* get nsec cover for that */ 2518 qinfo.qname = wc; 2519 qinfo.qname_len = cenmlen+2; 2520 qinfo.qtype = 0; 2521 qinfo.qclass = 0; 2522 az_find_domain(z, &qinfo, &node_exact, &node); 2523 if((nsec=az_find_nsec_cover(z, &node)) != NULL) { 2524 if(!msg_add_rrset_ns(z, region, msg, node, nsec)) return 0; 2525 } 2526 return 1; 2527 } 2528 2529 /** Find the NSEC3PARAM rrset (if any) and if true you have the parameters */ 2530 static int 2531 az_nsec3_param(struct auth_zone* z, int* algo, size_t* iter, uint8_t** salt, 2532 size_t* saltlen) 2533 { 2534 struct auth_data* apex; 2535 struct auth_rrset* param; 2536 size_t i; 2537 apex = az_find_name(z, z->name, z->namelen); 2538 if(!apex) return 0; 2539 param = az_domain_rrset(apex, LDNS_RR_TYPE_NSEC3PARAM); 2540 if(!param || param->data->count==0) 2541 return 0; /* no RRset or no RRs in rrset */ 2542 /* find out which NSEC3PARAM RR has supported parameters */ 2543 /* skip unknown flags (dynamic signer is recalculating nsec3 chain) */ 2544 for(i=0; i<param->data->count; i++) { 2545 uint8_t* rdata = param->data->rr_data[i]+2; 2546 size_t rdatalen = param->data->rr_len[i]; 2547 if(rdatalen < 2+5) 2548 continue; /* too short */ 2549 if(!nsec3_hash_algo_size_supported((int)(rdata[0]))) 2550 continue; /* unsupported algo */ 2551 if(rdatalen < (size_t)(2+5+(size_t)rdata[4])) 2552 continue; /* salt missing */ 2553 if((rdata[1]&NSEC3_UNKNOWN_FLAGS)!=0) 2554 continue; /* unknown flags */ 2555 *algo = (int)(rdata[0]); 2556 *iter = sldns_read_uint16(rdata+2); 2557 *saltlen = rdata[4]; 2558 if(*saltlen == 0) 2559 *salt = NULL; 2560 else *salt = rdata+5; 2561 return 1; 2562 } 2563 /* no supported params */ 2564 return 0; 2565 } 2566 2567 /** Hash a name with nsec3param into buffer, it has zone name appended. 2568 * return length of hash */ 2569 static size_t 2570 az_nsec3_hash(uint8_t* buf, size_t buflen, uint8_t* nm, size_t nmlen, 2571 int algo, size_t iter, uint8_t* salt, size_t saltlen) 2572 { 2573 size_t hlen = nsec3_hash_algo_size_supported(algo); 2574 /* buffer has domain name, nsec3hash, and 256 is for max saltlen 2575 * (salt has 0-255 length) */ 2576 unsigned char p[LDNS_MAX_DOMAINLEN+1+N3HASHBUFLEN+256]; 2577 size_t i; 2578 if(nmlen+saltlen > sizeof(p) || hlen+saltlen > sizeof(p)) 2579 return 0; 2580 if(hlen > buflen) 2581 return 0; /* somehow too large for destination buffer */ 2582 /* hashfunc(name, salt) */ 2583 memmove(p, nm, nmlen); 2584 query_dname_tolower(p); 2585 memmove(p+nmlen, salt, saltlen); 2586 (void)secalgo_nsec3_hash(algo, p, nmlen+saltlen, (unsigned char*)buf); 2587 for(i=0; i<iter; i++) { 2588 /* hashfunc(hash, salt) */ 2589 memmove(p, buf, hlen); 2590 memmove(p+hlen, salt, saltlen); 2591 (void)secalgo_nsec3_hash(algo, p, hlen+saltlen, 2592 (unsigned char*)buf); 2593 } 2594 return hlen; 2595 } 2596 2597 /** Hash name and return b32encoded hashname for lookup, zone name appended */ 2598 static int 2599 az_nsec3_hashname(struct auth_zone* z, uint8_t* hashname, size_t* hashnmlen, 2600 uint8_t* nm, size_t nmlen, int algo, size_t iter, uint8_t* salt, 2601 size_t saltlen) 2602 { 2603 uint8_t hash[N3HASHBUFLEN]; 2604 size_t hlen; 2605 int ret; 2606 hlen = az_nsec3_hash(hash, sizeof(hash), nm, nmlen, algo, iter, 2607 salt, saltlen); 2608 if(!hlen) return 0; 2609 /* b32 encode */ 2610 if(*hashnmlen < hlen*2+1+z->namelen) /* approx b32 as hexb16 */ 2611 return 0; 2612 ret = sldns_b32_ntop_extended_hex(hash, hlen, (char*)(hashname+1), 2613 (*hashnmlen)-1); 2614 if(ret<1) 2615 return 0; 2616 hashname[0] = (uint8_t)ret; 2617 ret++; 2618 if((*hashnmlen) - ret < z->namelen) 2619 return 0; 2620 memmove(hashname+ret, z->name, z->namelen); 2621 *hashnmlen = z->namelen+(size_t)ret; 2622 return 1; 2623 } 2624 2625 /** Find the datanode that covers the nsec3hash-name */ 2626 static struct auth_data* 2627 az_nsec3_findnode(struct auth_zone* z, uint8_t* hashnm, size_t hashnmlen) 2628 { 2629 struct query_info qinfo; 2630 struct auth_data* node; 2631 int node_exact; 2632 qinfo.qclass = 0; 2633 qinfo.qtype = 0; 2634 qinfo.qname = hashnm; 2635 qinfo.qname_len = hashnmlen; 2636 /* because canonical ordering and b32 nsec3 ordering are the same. 2637 * this is a good lookup to find the nsec3 name. */ 2638 az_find_domain(z, &qinfo, &node_exact, &node); 2639 /* but we may have to skip non-nsec3 nodes */ 2640 /* this may be a lot, the way to speed that up is to have a 2641 * separate nsec3 tree with nsec3 nodes */ 2642 while(node && (rbnode_type*)node != RBTREE_NULL && 2643 !az_domain_rrset(node, LDNS_RR_TYPE_NSEC3)) { 2644 node = (struct auth_data*)rbtree_previous(&node->node); 2645 } 2646 if((rbnode_type*)node == RBTREE_NULL) 2647 node = NULL; 2648 return node; 2649 } 2650 2651 /** Find cover for hashed(nm, nmlen) (or NULL) */ 2652 static struct auth_data* 2653 az_nsec3_find_cover(struct auth_zone* z, uint8_t* nm, size_t nmlen, 2654 int algo, size_t iter, uint8_t* salt, size_t saltlen) 2655 { 2656 struct auth_data* node; 2657 uint8_t hname[LDNS_MAX_DOMAINLEN]; 2658 size_t hlen = sizeof(hname); 2659 if(!az_nsec3_hashname(z, hname, &hlen, nm, nmlen, algo, iter, 2660 salt, saltlen)) 2661 return NULL; 2662 node = az_nsec3_findnode(z, hname, hlen); 2663 if(node) 2664 return node; 2665 /* we did not find any, perhaps because the NSEC3 hash is before 2666 * the first hash, we have to find the 'last hash' in the zone */ 2667 node = (struct auth_data*)rbtree_last(&z->data); 2668 while(node && (rbnode_type*)node != RBTREE_NULL && 2669 !az_domain_rrset(node, LDNS_RR_TYPE_NSEC3)) { 2670 node = (struct auth_data*)rbtree_previous(&node->node); 2671 } 2672 if((rbnode_type*)node == RBTREE_NULL) 2673 node = NULL; 2674 return node; 2675 } 2676 2677 /** Find exact match for hashed(nm, nmlen) NSEC3 record or NULL */ 2678 static struct auth_data* 2679 az_nsec3_find_exact(struct auth_zone* z, uint8_t* nm, size_t nmlen, 2680 int algo, size_t iter, uint8_t* salt, size_t saltlen) 2681 { 2682 struct auth_data* node; 2683 uint8_t hname[LDNS_MAX_DOMAINLEN]; 2684 size_t hlen = sizeof(hname); 2685 if(!az_nsec3_hashname(z, hname, &hlen, nm, nmlen, algo, iter, 2686 salt, saltlen)) 2687 return NULL; 2688 node = az_find_name(z, hname, hlen); 2689 if(az_domain_rrset(node, LDNS_RR_TYPE_NSEC3)) 2690 return node; 2691 return NULL; 2692 } 2693 2694 /** Return nextcloser name (as a ref into the qname). This is one label 2695 * more than the cenm (cename must be a suffix of qname) */ 2696 static void 2697 az_nsec3_get_nextcloser(uint8_t* cenm, uint8_t* qname, size_t qname_len, 2698 uint8_t** nx, size_t* nxlen) 2699 { 2700 int celabs = dname_count_labels(cenm); 2701 int qlabs = dname_count_labels(qname); 2702 int strip = qlabs - celabs -1; 2703 log_assert(dname_strict_subdomain(qname, qlabs, cenm, celabs)); 2704 *nx = qname; 2705 *nxlen = qname_len; 2706 if(strip>0) 2707 dname_remove_labels(nx, nxlen, strip); 2708 } 2709 2710 /** Find the closest encloser that has exact NSEC3. 2711 * updated cenm to the new name. If it went up no-exact-ce is true. */ 2712 static struct auth_data* 2713 az_nsec3_find_ce(struct auth_zone* z, uint8_t** cenm, size_t* cenmlen, 2714 int* no_exact_ce, int algo, size_t iter, uint8_t* salt, size_t saltlen) 2715 { 2716 struct auth_data* node; 2717 while((node = az_nsec3_find_exact(z, *cenm, *cenmlen, 2718 algo, iter, salt, saltlen)) == NULL) { 2719 if(*cenmlen == z->namelen) { 2720 /* next step up would take us out of the zone. fail */ 2721 return NULL; 2722 } 2723 *no_exact_ce = 1; 2724 dname_remove_label(cenm, cenmlen); 2725 } 2726 return node; 2727 } 2728 2729 /* Insert NSEC3 record in authority section, if NULL does nothing */ 2730 static int 2731 az_nsec3_insert(struct auth_zone* z, struct regional* region, 2732 struct dns_msg* msg, struct auth_data* node) 2733 { 2734 struct auth_rrset* nsec3; 2735 if(!node) return 1; /* no node, skip this */ 2736 nsec3 = az_domain_rrset(node, LDNS_RR_TYPE_NSEC3); 2737 if(!nsec3) return 1; /* if no nsec3 RR, skip it */ 2738 if(!msg_add_rrset_ns(z, region, msg, node, nsec3)) return 0; 2739 return 1; 2740 } 2741 2742 /** add NSEC3 records to the zone for the nsec3 proof. 2743 * Specify with the flags with parts of the proof are required. 2744 * the ce is the exact matching name (for notype) but also delegation points. 2745 * qname is the one where the nextcloser name can be derived from. 2746 * If NSEC3 is not properly there (in the zone) nothing is added. 2747 * always enabled: include nsec3 proving about the Closest Encloser. 2748 * that is an exact match that should exist for it. 2749 * If that does not exist, a higher exact match + nxproof is enabled 2750 * (for some sort of opt-out empty nonterminal cases). 2751 * nodataproof: search for exact match and include that instead. 2752 * ceproof: include ce proof NSEC3 (omitted for wildcard replies). 2753 * nxproof: include denial of the qname. 2754 * wcproof: include denial of wildcard (wildcard.ce). 2755 */ 2756 static int 2757 az_add_nsec3_proof(struct auth_zone* z, struct regional* region, 2758 struct dns_msg* msg, uint8_t* cenm, size_t cenmlen, uint8_t* qname, 2759 size_t qname_len, int nodataproof, int ceproof, int nxproof, 2760 int wcproof) 2761 { 2762 int algo; 2763 size_t iter, saltlen; 2764 uint8_t* salt; 2765 int no_exact_ce = 0; 2766 struct auth_data* node; 2767 2768 /* find parameters of nsec3 proof */ 2769 if(!az_nsec3_param(z, &algo, &iter, &salt, &saltlen)) 2770 return 1; /* no nsec3 */ 2771 if(nodataproof) { 2772 /* see if the node has a hash of itself for the nodata 2773 * proof nsec3, this has to be an exact match nsec3. */ 2774 struct auth_data* match; 2775 match = az_nsec3_find_exact(z, qname, qname_len, algo, 2776 iter, salt, saltlen); 2777 if(match) { 2778 if(!az_nsec3_insert(z, region, msg, match)) 2779 return 0; 2780 /* only nodata NSEC3 needed, no CE or others. */ 2781 return 1; 2782 } 2783 } 2784 /* find ce that has an NSEC3 */ 2785 if(ceproof) { 2786 node = az_nsec3_find_ce(z, &cenm, &cenmlen, &no_exact_ce, 2787 algo, iter, salt, saltlen); 2788 if(no_exact_ce) nxproof = 1; 2789 if(!az_nsec3_insert(z, region, msg, node)) 2790 return 0; 2791 } 2792 2793 if(nxproof) { 2794 uint8_t* nx; 2795 size_t nxlen; 2796 /* create nextcloser domain name */ 2797 az_nsec3_get_nextcloser(cenm, qname, qname_len, &nx, &nxlen); 2798 /* find nsec3 that matches or covers it */ 2799 node = az_nsec3_find_cover(z, nx, nxlen, algo, iter, salt, 2800 saltlen); 2801 if(!az_nsec3_insert(z, region, msg, node)) 2802 return 0; 2803 } 2804 if(wcproof) { 2805 /* create wildcard name *.ce */ 2806 uint8_t wc[LDNS_MAX_DOMAINLEN]; 2807 size_t wclen; 2808 if(cenmlen+2 > sizeof(wc)) 2809 return 0; /* result would be too long */ 2810 wc[0] = 1; /* length of wildcard label */ 2811 wc[1] = (uint8_t)'*'; /* wildcard label */ 2812 memmove(wc+2, cenm, cenmlen); 2813 wclen = cenmlen+2; 2814 /* find nsec3 that matches or covers it */ 2815 node = az_nsec3_find_cover(z, wc, wclen, algo, iter, salt, 2816 saltlen); 2817 if(!az_nsec3_insert(z, region, msg, node)) 2818 return 0; 2819 } 2820 return 1; 2821 } 2822 2823 /** generate answer for positive answer */ 2824 static int 2825 az_generate_positive_answer(struct auth_zone* z, struct regional* region, 2826 struct dns_msg* msg, struct auth_data* node, struct auth_rrset* rrset) 2827 { 2828 if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0; 2829 /* see if we want additional rrs */ 2830 if(rrset->type == LDNS_RR_TYPE_MX) { 2831 if(!az_add_additionals_from(z, region, msg, rrset, 2)) 2832 return 0; 2833 } else if(rrset->type == LDNS_RR_TYPE_SRV) { 2834 if(!az_add_additionals_from(z, region, msg, rrset, 6)) 2835 return 0; 2836 } else if(rrset->type == LDNS_RR_TYPE_NS) { 2837 if(!az_add_additionals_from(z, region, msg, rrset, 0)) 2838 return 0; 2839 } 2840 return 1; 2841 } 2842 2843 /** generate answer for type ANY answer */ 2844 static int 2845 az_generate_any_answer(struct auth_zone* z, struct regional* region, 2846 struct dns_msg* msg, struct auth_data* node) 2847 { 2848 struct auth_rrset* rrset; 2849 int added = 0; 2850 /* add a couple (at least one) RRs */ 2851 if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_SOA)) != NULL) { 2852 if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0; 2853 added++; 2854 } 2855 if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_MX)) != NULL) { 2856 if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0; 2857 added++; 2858 } 2859 if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_A)) != NULL) { 2860 if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0; 2861 added++; 2862 } 2863 if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_AAAA)) != NULL) { 2864 if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0; 2865 added++; 2866 } 2867 if(added == 0 && node && node->rrsets) { 2868 if(!msg_add_rrset_an(z, region, msg, node, 2869 node->rrsets)) return 0; 2870 } 2871 return 1; 2872 } 2873 2874 /** follow cname chain and add more data to the answer section */ 2875 static int 2876 follow_cname_chain(struct auth_zone* z, uint16_t qtype, 2877 struct regional* region, struct dns_msg* msg, 2878 struct packed_rrset_data* d) 2879 { 2880 int maxchain = 0; 2881 /* see if we can add the target of the CNAME into the answer */ 2882 while(maxchain++ < MAX_CNAME_CHAIN) { 2883 struct auth_data* node; 2884 struct auth_rrset* rrset; 2885 size_t clen; 2886 /* d has cname rdata */ 2887 if(d->count == 0) break; /* no CNAME */ 2888 if(d->rr_len[0] < 2+1) break; /* too small */ 2889 if((clen=dname_valid(d->rr_data[0]+2, d->rr_len[0]-2))==0) 2890 break; /* malformed */ 2891 if(!dname_subdomain_c(d->rr_data[0]+2, z->name)) 2892 break; /* target out of zone */ 2893 if((node = az_find_name(z, d->rr_data[0]+2, clen))==NULL) 2894 break; /* no such target name */ 2895 if((rrset=az_domain_rrset(node, qtype))!=NULL) { 2896 /* done we found the target */ 2897 if(!msg_add_rrset_an(z, region, msg, node, rrset)) 2898 return 0; 2899 break; 2900 } 2901 if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_CNAME))==NULL) 2902 break; /* no further CNAME chain, notype */ 2903 if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0; 2904 d = rrset->data; 2905 } 2906 return 1; 2907 } 2908 2909 /** generate answer for cname answer */ 2910 static int 2911 az_generate_cname_answer(struct auth_zone* z, struct query_info* qinfo, 2912 struct regional* region, struct dns_msg* msg, 2913 struct auth_data* node, struct auth_rrset* rrset) 2914 { 2915 if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0; 2916 if(!rrset) return 1; 2917 if(!follow_cname_chain(z, qinfo->qtype, region, msg, rrset->data)) 2918 return 0; 2919 return 1; 2920 } 2921 2922 /** generate answer for notype answer */ 2923 static int 2924 az_generate_notype_answer(struct auth_zone* z, struct regional* region, 2925 struct dns_msg* msg, struct auth_data* node) 2926 { 2927 struct auth_rrset* rrset; 2928 if(!az_add_negative_soa(z, region, msg)) return 0; 2929 /* DNSSEC denial NSEC */ 2930 if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_NSEC))!=NULL) { 2931 if(!msg_add_rrset_ns(z, region, msg, node, rrset)) return 0; 2932 } else if(node) { 2933 /* DNSSEC denial NSEC3 */ 2934 if(!az_add_nsec3_proof(z, region, msg, node->name, 2935 node->namelen, msg->qinfo.qname, 2936 msg->qinfo.qname_len, 1, 1, 0, 0)) 2937 return 0; 2938 } 2939 return 1; 2940 } 2941 2942 /** generate answer for referral answer */ 2943 static int 2944 az_generate_referral_answer(struct auth_zone* z, struct regional* region, 2945 struct dns_msg* msg, struct auth_data* ce, struct auth_rrset* rrset) 2946 { 2947 struct auth_rrset* ds, *nsec; 2948 /* turn off AA flag, referral is nonAA because it leaves the zone */ 2949 log_assert(ce); 2950 msg->rep->flags &= ~BIT_AA; 2951 if(!msg_add_rrset_ns(z, region, msg, ce, rrset)) return 0; 2952 /* add DS or deny it */ 2953 if((ds=az_domain_rrset(ce, LDNS_RR_TYPE_DS))!=NULL) { 2954 if(!msg_add_rrset_ns(z, region, msg, ce, ds)) return 0; 2955 } else { 2956 /* deny the DS */ 2957 if((nsec=az_domain_rrset(ce, LDNS_RR_TYPE_NSEC))!=NULL) { 2958 if(!msg_add_rrset_ns(z, region, msg, ce, nsec)) 2959 return 0; 2960 } else { 2961 if(!az_add_nsec3_proof(z, region, msg, ce->name, 2962 ce->namelen, msg->qinfo.qname, 2963 msg->qinfo.qname_len, 1, 1, 0, 0)) 2964 return 0; 2965 } 2966 } 2967 /* add additional rrs for type NS */ 2968 if(!az_add_additionals_from(z, region, msg, rrset, 0)) return 0; 2969 return 1; 2970 } 2971 2972 /** generate answer for DNAME answer */ 2973 static int 2974 az_generate_dname_answer(struct auth_zone* z, struct query_info* qinfo, 2975 struct regional* region, struct dns_msg* msg, struct auth_data* ce, 2976 struct auth_rrset* rrset) 2977 { 2978 log_assert(ce); 2979 /* add the DNAME and then a CNAME */ 2980 if(!msg_add_rrset_an(z, region, msg, ce, rrset)) return 0; 2981 if(!add_synth_cname(z, qinfo->qname, qinfo->qname_len, region, 2982 msg, ce, rrset)) return 0; 2983 if(FLAGS_GET_RCODE(msg->rep->flags) == LDNS_RCODE_YXDOMAIN) 2984 return 1; 2985 if(msg->rep->rrset_count == 0 || 2986 !msg->rep->rrsets[msg->rep->rrset_count-1]) 2987 return 0; 2988 if(!follow_cname_chain(z, qinfo->qtype, region, msg, 2989 (struct packed_rrset_data*)msg->rep->rrsets[ 2990 msg->rep->rrset_count-1]->entry.data)) 2991 return 0; 2992 return 1; 2993 } 2994 2995 /** generate answer for wildcard answer */ 2996 static int 2997 az_generate_wildcard_answer(struct auth_zone* z, struct query_info* qinfo, 2998 struct regional* region, struct dns_msg* msg, struct auth_data* ce, 2999 struct auth_data* wildcard, struct auth_data* node) 3000 { 3001 struct auth_rrset* rrset, *nsec; 3002 int insert_ce = 0; 3003 if((rrset=az_domain_rrset(wildcard, qinfo->qtype)) != NULL) { 3004 /* wildcard has type, add it */ 3005 if(!msg_add_rrset_an(z, region, msg, wildcard, rrset)) 3006 return 0; 3007 az_change_dnames(msg, wildcard->name, msg->qinfo.qname, 3008 msg->qinfo.qname_len, 1); 3009 } else if((rrset=az_domain_rrset(wildcard, LDNS_RR_TYPE_CNAME))!=NULL) { 3010 /* wildcard has cname instead, do that */ 3011 if(!msg_add_rrset_an(z, region, msg, wildcard, rrset)) 3012 return 0; 3013 az_change_dnames(msg, wildcard->name, msg->qinfo.qname, 3014 msg->qinfo.qname_len, 1); 3015 if(!follow_cname_chain(z, qinfo->qtype, region, msg, 3016 rrset->data)) 3017 return 0; 3018 } else if(qinfo->qtype == LDNS_RR_TYPE_ANY && wildcard->rrsets) { 3019 /* add ANY rrsets from wildcard node */ 3020 if(!az_generate_any_answer(z, region, msg, wildcard)) 3021 return 0; 3022 az_change_dnames(msg, wildcard->name, msg->qinfo.qname, 3023 msg->qinfo.qname_len, 1); 3024 } else { 3025 /* wildcard has nodata, notype answer */ 3026 /* call other notype routine for dnssec notype denials */ 3027 if(!az_generate_notype_answer(z, region, msg, wildcard)) 3028 return 0; 3029 /* because the notype, there is no positive data with an 3030 * RRSIG that indicates the wildcard position. Thus the 3031 * wildcard qname denial needs to have a CE nsec3. */ 3032 insert_ce = 1; 3033 } 3034 3035 /* ce and node for dnssec denial of wildcard original name */ 3036 if((nsec=az_find_nsec_cover(z, &node)) != NULL) { 3037 if(!msg_add_rrset_ns(z, region, msg, node, nsec)) return 0; 3038 } else if(ce) { 3039 uint8_t* wildup = wildcard->name; 3040 size_t wilduplen= wildcard->namelen; 3041 dname_remove_label(&wildup, &wilduplen); 3042 if(!az_add_nsec3_proof(z, region, msg, wildup, 3043 wilduplen, msg->qinfo.qname, 3044 msg->qinfo.qname_len, 0, insert_ce, 1, 0)) 3045 return 0; 3046 } 3047 3048 /* fixup name of wildcard from *.zone to qname, use already allocated 3049 * pointer to msg qname */ 3050 az_change_dnames(msg, wildcard->name, msg->qinfo.qname, 3051 msg->qinfo.qname_len, 0); 3052 return 1; 3053 } 3054 3055 /** generate answer for nxdomain answer */ 3056 static int 3057 az_generate_nxdomain_answer(struct auth_zone* z, struct regional* region, 3058 struct dns_msg* msg, struct auth_data* ce, struct auth_data* node) 3059 { 3060 struct auth_rrset* nsec; 3061 msg->rep->flags |= LDNS_RCODE_NXDOMAIN; 3062 if(!az_add_negative_soa(z, region, msg)) return 0; 3063 if((nsec=az_find_nsec_cover(z, &node)) != NULL) { 3064 if(!msg_add_rrset_ns(z, region, msg, node, nsec)) return 0; 3065 if(ce && !az_nsec_wildcard_denial(z, region, msg, ce->name, 3066 ce->namelen)) return 0; 3067 } else if(ce) { 3068 if(!az_add_nsec3_proof(z, region, msg, ce->name, 3069 ce->namelen, msg->qinfo.qname, 3070 msg->qinfo.qname_len, 0, 1, 1, 1)) 3071 return 0; 3072 } 3073 return 1; 3074 } 3075 3076 /** Create answers when an exact match exists for the domain name */ 3077 static int 3078 az_generate_answer_with_node(struct auth_zone* z, struct query_info* qinfo, 3079 struct regional* region, struct dns_msg* msg, struct auth_data* node) 3080 { 3081 struct auth_rrset* rrset; 3082 /* positive answer, rrset we are looking for exists */ 3083 if((rrset=az_domain_rrset(node, qinfo->qtype)) != NULL) { 3084 return az_generate_positive_answer(z, region, msg, node, rrset); 3085 } 3086 /* CNAME? */ 3087 if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_CNAME)) != NULL) { 3088 return az_generate_cname_answer(z, qinfo, region, msg, 3089 node, rrset); 3090 } 3091 /* type ANY ? */ 3092 if(qinfo->qtype == LDNS_RR_TYPE_ANY) { 3093 return az_generate_any_answer(z, region, msg, node); 3094 } 3095 /* NOERROR/NODATA (no such type at domain name) */ 3096 return az_generate_notype_answer(z, region, msg, node); 3097 } 3098 3099 /** Generate answer without an existing-node that we can use. 3100 * So it'll be a referral, DNAME or nxdomain */ 3101 static int 3102 az_generate_answer_nonexistnode(struct auth_zone* z, struct query_info* qinfo, 3103 struct regional* region, struct dns_msg* msg, struct auth_data* ce, 3104 struct auth_rrset* rrset, struct auth_data* node) 3105 { 3106 struct auth_data* wildcard; 3107 3108 /* we do not have an exact matching name (that exists) */ 3109 /* see if we have a NS or DNAME in the ce */ 3110 if(ce && rrset && rrset->type == LDNS_RR_TYPE_NS) { 3111 return az_generate_referral_answer(z, region, msg, ce, rrset); 3112 } 3113 if(ce && rrset && rrset->type == LDNS_RR_TYPE_DNAME) { 3114 return az_generate_dname_answer(z, qinfo, region, msg, ce, 3115 rrset); 3116 } 3117 /* if there is an empty nonterminal, wildcard and nxdomain don't 3118 * happen, it is a notype answer */ 3119 if(az_empty_nonterminal(z, qinfo, node)) { 3120 return az_generate_notype_answer(z, region, msg, node); 3121 } 3122 /* see if we have a wildcard under the ce */ 3123 if((wildcard=az_find_wildcard(z, qinfo, ce)) != NULL) { 3124 return az_generate_wildcard_answer(z, qinfo, region, msg, 3125 ce, wildcard, node); 3126 } 3127 /* generate nxdomain answer */ 3128 return az_generate_nxdomain_answer(z, region, msg, ce, node); 3129 } 3130 3131 /** Lookup answer in a zone. */ 3132 static int 3133 auth_zone_generate_answer(struct auth_zone* z, struct query_info* qinfo, 3134 struct regional* region, struct dns_msg** msg, int* fallback) 3135 { 3136 struct auth_data* node, *ce; 3137 struct auth_rrset* rrset; 3138 int node_exact, node_exists; 3139 /* does the zone want fallback in case of failure? */ 3140 *fallback = z->fallback_enabled; 3141 if(!(*msg=msg_create(region, qinfo))) return 0; 3142 3143 /* lookup if there is a matching domain name for the query */ 3144 az_find_domain(z, qinfo, &node_exact, &node); 3145 3146 /* see if node exists for generating answers from (i.e. not glue and 3147 * obscured by NS or DNAME or NSEC3-only), and also return the 3148 * closest-encloser from that, closest node that should be used 3149 * to generate answers from that is above the query */ 3150 node_exists = az_find_ce(z, qinfo, node, node_exact, &ce, &rrset); 3151 3152 if(verbosity >= VERB_ALGO) { 3153 char zname[256], qname[256], nname[256], cename[256], 3154 tpstr[32], rrstr[32]; 3155 sldns_wire2str_dname_buf(qinfo->qname, qinfo->qname_len, qname, 3156 sizeof(qname)); 3157 sldns_wire2str_type_buf(qinfo->qtype, tpstr, sizeof(tpstr)); 3158 sldns_wire2str_dname_buf(z->name, z->namelen, zname, 3159 sizeof(zname)); 3160 if(node) 3161 sldns_wire2str_dname_buf(node->name, node->namelen, 3162 nname, sizeof(nname)); 3163 else snprintf(nname, sizeof(nname), "NULL"); 3164 if(ce) 3165 sldns_wire2str_dname_buf(ce->name, ce->namelen, 3166 cename, sizeof(cename)); 3167 else snprintf(cename, sizeof(cename), "NULL"); 3168 if(rrset) sldns_wire2str_type_buf(rrset->type, rrstr, 3169 sizeof(rrstr)); 3170 else snprintf(rrstr, sizeof(rrstr), "NULL"); 3171 log_info("auth_zone %s query %s %s, domain %s %s %s, " 3172 "ce %s, rrset %s", zname, qname, tpstr, nname, 3173 (node_exact?"exact":"notexact"), 3174 (node_exists?"exist":"notexist"), cename, rrstr); 3175 } 3176 3177 if(node_exists) { 3178 /* the node is fine, generate answer from node */ 3179 return az_generate_answer_with_node(z, qinfo, region, *msg, 3180 node); 3181 } 3182 return az_generate_answer_nonexistnode(z, qinfo, region, *msg, 3183 ce, rrset, node); 3184 } 3185 3186 int auth_zones_lookup(struct auth_zones* az, struct query_info* qinfo, 3187 struct regional* region, struct dns_msg** msg, int* fallback, 3188 uint8_t* dp_nm, size_t dp_nmlen) 3189 { 3190 int r; 3191 struct auth_zone* z; 3192 /* find the zone that should contain the answer. */ 3193 lock_rw_rdlock(&az->lock); 3194 z = auth_zone_find(az, dp_nm, dp_nmlen, qinfo->qclass); 3195 if(!z) { 3196 lock_rw_unlock(&az->lock); 3197 /* no auth zone, fallback to internet */ 3198 *fallback = 1; 3199 return 0; 3200 } 3201 lock_rw_rdlock(&z->lock); 3202 lock_rw_unlock(&az->lock); 3203 3204 /* if not for upstream queries, fallback */ 3205 if(!z->for_upstream) { 3206 lock_rw_unlock(&z->lock); 3207 *fallback = 1; 3208 return 0; 3209 } 3210 if(z->zone_expired) { 3211 *fallback = z->fallback_enabled; 3212 lock_rw_unlock(&z->lock); 3213 return 0; 3214 } 3215 /* see what answer that zone would generate */ 3216 r = auth_zone_generate_answer(z, qinfo, region, msg, fallback); 3217 lock_rw_unlock(&z->lock); 3218 return r; 3219 } 3220 3221 /** encode auth answer */ 3222 static void 3223 auth_answer_encode(struct query_info* qinfo, struct module_env* env, 3224 struct edns_data* edns, struct comm_reply* repinfo, sldns_buffer* buf, 3225 struct regional* temp, struct dns_msg* msg) 3226 { 3227 uint16_t udpsize; 3228 udpsize = edns->udp_size; 3229 edns->edns_version = EDNS_ADVERTISED_VERSION; 3230 edns->udp_size = EDNS_ADVERTISED_SIZE; 3231 edns->ext_rcode = 0; 3232 edns->bits &= EDNS_DO; 3233 3234 if(!inplace_cb_reply_local_call(env, qinfo, NULL, msg->rep, 3235 (int)FLAGS_GET_RCODE(msg->rep->flags), edns, repinfo, temp) 3236 || !reply_info_answer_encode(qinfo, msg->rep, 3237 *(uint16_t*)sldns_buffer_begin(buf), 3238 sldns_buffer_read_u16_at(buf, 2), 3239 buf, 0, 0, temp, udpsize, edns, 3240 (int)(edns->bits&EDNS_DO), 0)) { 3241 error_encode(buf, (LDNS_RCODE_SERVFAIL|BIT_AA), qinfo, 3242 *(uint16_t*)sldns_buffer_begin(buf), 3243 sldns_buffer_read_u16_at(buf, 2), edns); 3244 } 3245 } 3246 3247 /** encode auth error answer */ 3248 static void 3249 auth_error_encode(struct query_info* qinfo, struct module_env* env, 3250 struct edns_data* edns, struct comm_reply* repinfo, sldns_buffer* buf, 3251 struct regional* temp, int rcode) 3252 { 3253 edns->edns_version = EDNS_ADVERTISED_VERSION; 3254 edns->udp_size = EDNS_ADVERTISED_SIZE; 3255 edns->ext_rcode = 0; 3256 edns->bits &= EDNS_DO; 3257 3258 if(!inplace_cb_reply_local_call(env, qinfo, NULL, NULL, 3259 rcode, edns, repinfo, temp)) 3260 edns->opt_list = NULL; 3261 error_encode(buf, rcode|BIT_AA, qinfo, 3262 *(uint16_t*)sldns_buffer_begin(buf), 3263 sldns_buffer_read_u16_at(buf, 2), edns); 3264 } 3265 3266 int auth_zones_answer(struct auth_zones* az, struct module_env* env, 3267 struct query_info* qinfo, struct edns_data* edns, 3268 struct comm_reply* repinfo, struct sldns_buffer* buf, struct regional* temp) 3269 { 3270 struct dns_msg* msg = NULL; 3271 struct auth_zone* z; 3272 int r; 3273 int fallback = 0; 3274 3275 lock_rw_rdlock(&az->lock); 3276 if(!az->have_downstream) { 3277 /* no downstream auth zones */ 3278 lock_rw_unlock(&az->lock); 3279 return 0; 3280 } 3281 if(qinfo->qtype == LDNS_RR_TYPE_DS) { 3282 uint8_t* delname = qinfo->qname; 3283 size_t delnamelen = qinfo->qname_len; 3284 dname_remove_label(&delname, &delnamelen); 3285 z = auth_zones_find_zone(az, delname, delnamelen, 3286 qinfo->qclass); 3287 } else { 3288 z = auth_zones_find_zone(az, qinfo->qname, qinfo->qname_len, 3289 qinfo->qclass); 3290 } 3291 if(!z) { 3292 /* no zone above it */ 3293 lock_rw_unlock(&az->lock); 3294 return 0; 3295 } 3296 lock_rw_rdlock(&z->lock); 3297 lock_rw_unlock(&az->lock); 3298 if(!z->for_downstream) { 3299 lock_rw_unlock(&z->lock); 3300 return 0; 3301 } 3302 if(z->zone_expired) { 3303 if(z->fallback_enabled) { 3304 lock_rw_unlock(&z->lock); 3305 return 0; 3306 } 3307 lock_rw_unlock(&z->lock); 3308 lock_rw_wrlock(&az->lock); 3309 az->num_query_down++; 3310 lock_rw_unlock(&az->lock); 3311 auth_error_encode(qinfo, env, edns, repinfo, buf, temp, 3312 LDNS_RCODE_SERVFAIL); 3313 return 1; 3314 } 3315 3316 /* answer it from zone z */ 3317 r = auth_zone_generate_answer(z, qinfo, temp, &msg, &fallback); 3318 lock_rw_unlock(&z->lock); 3319 if(!r && fallback) { 3320 /* fallback to regular answering (recursive) */ 3321 return 0; 3322 } 3323 lock_rw_wrlock(&az->lock); 3324 az->num_query_down++; 3325 lock_rw_unlock(&az->lock); 3326 3327 /* encode answer */ 3328 if(!r) 3329 auth_error_encode(qinfo, env, edns, repinfo, buf, temp, 3330 LDNS_RCODE_SERVFAIL); 3331 else auth_answer_encode(qinfo, env, edns, repinfo, buf, temp, msg); 3332 3333 return 1; 3334 } 3335 3336 int auth_zones_can_fallback(struct auth_zones* az, uint8_t* nm, size_t nmlen, 3337 uint16_t dclass) 3338 { 3339 int r; 3340 struct auth_zone* z; 3341 lock_rw_rdlock(&az->lock); 3342 z = auth_zone_find(az, nm, nmlen, dclass); 3343 if(!z) { 3344 lock_rw_unlock(&az->lock); 3345 /* no such auth zone, fallback */ 3346 return 1; 3347 } 3348 lock_rw_rdlock(&z->lock); 3349 lock_rw_unlock(&az->lock); 3350 r = z->fallback_enabled || (!z->for_upstream); 3351 lock_rw_unlock(&z->lock); 3352 return r; 3353 } 3354 3355 int 3356 auth_zone_parse_notify_serial(sldns_buffer* pkt, uint32_t *serial) 3357 { 3358 struct query_info q; 3359 uint16_t rdlen; 3360 memset(&q, 0, sizeof(q)); 3361 sldns_buffer_set_position(pkt, 0); 3362 if(!query_info_parse(&q, pkt)) return 0; 3363 if(LDNS_ANCOUNT(sldns_buffer_begin(pkt)) == 0) return 0; 3364 /* skip name of RR in answer section */ 3365 if(sldns_buffer_remaining(pkt) < 1) return 0; 3366 if(pkt_dname_len(pkt) == 0) return 0; 3367 /* check type */ 3368 if(sldns_buffer_remaining(pkt) < 10 /* type,class,ttl,rdatalen*/) 3369 return 0; 3370 if(sldns_buffer_read_u16(pkt) != LDNS_RR_TYPE_SOA) return 0; 3371 sldns_buffer_skip(pkt, 2); /* class */ 3372 sldns_buffer_skip(pkt, 4); /* ttl */ 3373 rdlen = sldns_buffer_read_u16(pkt); /* rdatalen */ 3374 if(sldns_buffer_remaining(pkt) < rdlen) return 0; 3375 if(rdlen < 22) return 0; /* bad soa length */ 3376 sldns_buffer_skip(pkt, (ssize_t)(rdlen-20)); 3377 *serial = sldns_buffer_read_u32(pkt); 3378 /* return true when has serial in answer section */ 3379 return 1; 3380 } 3381 3382 /** see if addr appears in the list */ 3383 static int 3384 addr_in_list(struct auth_addr* list, struct sockaddr_storage* addr, 3385 socklen_t addrlen) 3386 { 3387 struct auth_addr* p; 3388 for(p=list; p; p=p->next) { 3389 if(sockaddr_cmp_addr(addr, addrlen, &p->addr, p->addrlen)==0) 3390 return 1; 3391 } 3392 return 0; 3393 } 3394 3395 /** check if an address matches a master specification (or one of its 3396 * addresses in the addr list) */ 3397 static int 3398 addr_matches_master(struct auth_master* master, struct sockaddr_storage* addr, 3399 socklen_t addrlen, struct auth_master** fromhost) 3400 { 3401 struct sockaddr_storage a; 3402 socklen_t alen = 0; 3403 int net = 0; 3404 if(addr_in_list(master->list, addr, addrlen)) { 3405 *fromhost = master; 3406 return 1; 3407 } 3408 /* compare address (but not port number, that is the destination 3409 * port of the master, the port number of the received notify is 3410 * allowed to by any port on that master) */ 3411 if(extstrtoaddr(master->host, &a, &alen) && 3412 sockaddr_cmp_addr(addr, addrlen, &a, alen)==0) { 3413 *fromhost = master; 3414 return 1; 3415 } 3416 /* prefixes, addr/len, like 10.0.0.0/8 */ 3417 /* not http and has a / and there is one / */ 3418 if(master->allow_notify && !master->http && 3419 strchr(master->host, '/') != NULL && 3420 strchr(master->host, '/') == strrchr(master->host, '/') && 3421 netblockstrtoaddr(master->host, UNBOUND_DNS_PORT, &a, &alen, 3422 &net) && alen == addrlen) { 3423 if(addr_in_common(addr, (addr_is_ip6(addr, addrlen)?128:32), 3424 &a, net, alen) >= net) { 3425 *fromhost = NULL; /* prefix does not have destination 3426 to send the probe or transfer with */ 3427 return 1; /* matches the netblock */ 3428 } 3429 } 3430 return 0; 3431 } 3432 3433 /** check access list for notifies */ 3434 static int 3435 az_xfr_allowed_notify(struct auth_xfer* xfr, struct sockaddr_storage* addr, 3436 socklen_t addrlen, struct auth_master** fromhost) 3437 { 3438 struct auth_master* p; 3439 for(p=xfr->allow_notify_list; p; p=p->next) { 3440 if(addr_matches_master(p, addr, addrlen, fromhost)) { 3441 return 1; 3442 } 3443 } 3444 return 0; 3445 } 3446 3447 /** see if the serial means the zone has to be updated, i.e. the serial 3448 * is newer than the zone serial, or we have no zone */ 3449 static int 3450 xfr_serial_means_update(struct auth_xfer* xfr, uint32_t serial) 3451 { 3452 if(!xfr->have_zone) 3453 return 1; /* no zone, anything is better */ 3454 if(xfr->zone_expired) 3455 return 1; /* expired, the sent serial is better than expired 3456 data */ 3457 if(compare_serial(xfr->serial, serial) < 0) 3458 return 1; /* our serial is smaller than the sent serial, 3459 the data is newer, fetch it */ 3460 return 0; 3461 } 3462 3463 /** note notify serial, updates the notify information in the xfr struct */ 3464 static void 3465 xfr_note_notify_serial(struct auth_xfer* xfr, int has_serial, uint32_t serial) 3466 { 3467 if(xfr->notify_received && xfr->notify_has_serial && has_serial) { 3468 /* see if this serial is newer */ 3469 if(compare_serial(xfr->notify_serial, serial) < 0) 3470 xfr->notify_serial = serial; 3471 } else if(xfr->notify_received && xfr->notify_has_serial && 3472 !has_serial) { 3473 /* remove serial, we have notify without serial */ 3474 xfr->notify_has_serial = 0; 3475 xfr->notify_serial = 0; 3476 } else if(xfr->notify_received && !xfr->notify_has_serial) { 3477 /* we already have notify without serial, keep it 3478 * that way; no serial check when current operation 3479 * is done */ 3480 } else { 3481 xfr->notify_received = 1; 3482 xfr->notify_has_serial = has_serial; 3483 xfr->notify_serial = serial; 3484 } 3485 } 3486 3487 /** process a notify serial, start new probe or note serial. xfr is locked */ 3488 static void 3489 xfr_process_notify(struct auth_xfer* xfr, struct module_env* env, 3490 int has_serial, uint32_t serial, struct auth_master* fromhost) 3491 { 3492 /* if the serial of notify is older than we have, don't fetch 3493 * a zone, we already have it */ 3494 if(has_serial && !xfr_serial_means_update(xfr, serial)) { 3495 lock_basic_unlock(&xfr->lock); 3496 return; 3497 } 3498 /* start new probe with this addr src, or note serial */ 3499 if(!xfr_start_probe(xfr, env, fromhost)) { 3500 /* not started because already in progress, note the serial */ 3501 xfr_note_notify_serial(xfr, has_serial, serial); 3502 lock_basic_unlock(&xfr->lock); 3503 } 3504 /* successful end of start_probe unlocked xfr->lock */ 3505 } 3506 3507 int auth_zones_notify(struct auth_zones* az, struct module_env* env, 3508 uint8_t* nm, size_t nmlen, uint16_t dclass, 3509 struct sockaddr_storage* addr, socklen_t addrlen, int has_serial, 3510 uint32_t serial, int* refused) 3511 { 3512 struct auth_xfer* xfr; 3513 struct auth_master* fromhost = NULL; 3514 /* see which zone this is */ 3515 lock_rw_rdlock(&az->lock); 3516 xfr = auth_xfer_find(az, nm, nmlen, dclass); 3517 if(!xfr) { 3518 lock_rw_unlock(&az->lock); 3519 /* no such zone, refuse the notify */ 3520 *refused = 1; 3521 return 0; 3522 } 3523 lock_basic_lock(&xfr->lock); 3524 lock_rw_unlock(&az->lock); 3525 3526 /* check access list for notifies */ 3527 if(!az_xfr_allowed_notify(xfr, addr, addrlen, &fromhost)) { 3528 lock_basic_unlock(&xfr->lock); 3529 /* notify not allowed, refuse the notify */ 3530 *refused = 1; 3531 return 0; 3532 } 3533 3534 /* process the notify */ 3535 xfr_process_notify(xfr, env, has_serial, serial, fromhost); 3536 return 1; 3537 } 3538 3539 int auth_zones_startprobesequence(struct auth_zones* az, 3540 struct module_env* env, uint8_t* nm, size_t nmlen, uint16_t dclass) 3541 { 3542 struct auth_xfer* xfr; 3543 lock_rw_rdlock(&az->lock); 3544 xfr = auth_xfer_find(az, nm, nmlen, dclass); 3545 if(!xfr) { 3546 lock_rw_unlock(&az->lock); 3547 return 0; 3548 } 3549 lock_basic_lock(&xfr->lock); 3550 lock_rw_unlock(&az->lock); 3551 3552 xfr_process_notify(xfr, env, 0, 0, NULL); 3553 return 1; 3554 } 3555 3556 /** set a zone expired */ 3557 static void 3558 auth_xfer_set_expired(struct auth_xfer* xfr, struct module_env* env, 3559 int expired) 3560 { 3561 struct auth_zone* z; 3562 3563 /* expire xfr */ 3564 lock_basic_lock(&xfr->lock); 3565 xfr->zone_expired = expired; 3566 lock_basic_unlock(&xfr->lock); 3567 3568 /* find auth_zone */ 3569 lock_rw_rdlock(&env->auth_zones->lock); 3570 z = auth_zone_find(env->auth_zones, xfr->name, xfr->namelen, 3571 xfr->dclass); 3572 if(!z) { 3573 lock_rw_unlock(&env->auth_zones->lock); 3574 return; 3575 } 3576 lock_rw_wrlock(&z->lock); 3577 lock_rw_unlock(&env->auth_zones->lock); 3578 3579 /* expire auth_zone */ 3580 z->zone_expired = expired; 3581 lock_rw_unlock(&z->lock); 3582 } 3583 3584 /** find master (from notify or probe) in list of masters */ 3585 static struct auth_master* 3586 find_master_by_host(struct auth_master* list, char* host) 3587 { 3588 struct auth_master* p; 3589 for(p=list; p; p=p->next) { 3590 if(strcmp(p->host, host) == 0) 3591 return p; 3592 } 3593 return NULL; 3594 } 3595 3596 /** delete the looked up auth_addrs for all the masters in the list */ 3597 static void 3598 xfr_masterlist_free_addrs(struct auth_master* list) 3599 { 3600 struct auth_master* m; 3601 for(m=list; m; m=m->next) { 3602 if(m->list) { 3603 auth_free_master_addrs(m->list); 3604 m->list = NULL; 3605 } 3606 } 3607 } 3608 3609 /** copy a list of auth_addrs */ 3610 static struct auth_addr* 3611 auth_addr_list_copy(struct auth_addr* source) 3612 { 3613 struct auth_addr* list = NULL, *last = NULL; 3614 struct auth_addr* p; 3615 for(p=source; p; p=p->next) { 3616 struct auth_addr* a = (struct auth_addr*)memdup(p, sizeof(*p)); 3617 if(!a) { 3618 log_err("malloc failure"); 3619 auth_free_master_addrs(list); 3620 return NULL; 3621 } 3622 a->next = NULL; 3623 if(last) last->next = a; 3624 if(!list) list = a; 3625 last = a; 3626 } 3627 return list; 3628 } 3629 3630 /** copy a master to a new structure, NULL on alloc failure */ 3631 static struct auth_master* 3632 auth_master_copy(struct auth_master* o) 3633 { 3634 struct auth_master* m; 3635 if(!o) return NULL; 3636 m = (struct auth_master*)memdup(o, sizeof(*o)); 3637 if(!m) { 3638 log_err("malloc failure"); 3639 return NULL; 3640 } 3641 m->next = NULL; 3642 if(m->host) { 3643 m->host = strdup(m->host); 3644 if(!m->host) { 3645 free(m); 3646 log_err("malloc failure"); 3647 return NULL; 3648 } 3649 } 3650 if(m->file) { 3651 m->file = strdup(m->file); 3652 if(!m->file) { 3653 free(m->host); 3654 free(m); 3655 log_err("malloc failure"); 3656 return NULL; 3657 } 3658 } 3659 if(m->list) { 3660 m->list = auth_addr_list_copy(m->list); 3661 if(!m->list) { 3662 free(m->file); 3663 free(m->host); 3664 free(m); 3665 return NULL; 3666 } 3667 } 3668 return m; 3669 } 3670 3671 /** copy the master addresses from the task_probe lookups to the allow_notify 3672 * list of masters */ 3673 static void 3674 probe_copy_masters_for_allow_notify(struct auth_xfer* xfr) 3675 { 3676 struct auth_master* list = NULL, *last = NULL; 3677 struct auth_master* p; 3678 /* build up new list with copies */ 3679 for(p = xfr->task_probe->masters; p; p=p->next) { 3680 struct auth_master* m = auth_master_copy(p); 3681 if(!m) { 3682 auth_free_masters(list); 3683 /* failed because of malloc failure, use old list */ 3684 return; 3685 } 3686 m->next = NULL; 3687 if(last) last->next = m; 3688 if(!list) list = m; 3689 last = m; 3690 } 3691 /* success, replace list */ 3692 auth_free_masters(xfr->allow_notify_list); 3693 xfr->allow_notify_list = list; 3694 } 3695 3696 /** start the lookups for task_transfer */ 3697 static void 3698 xfr_transfer_start_lookups(struct auth_xfer* xfr) 3699 { 3700 /* delete all the looked up addresses in the list */ 3701 xfr_masterlist_free_addrs(xfr->task_transfer->masters); 3702 3703 /* start lookup at the first master */ 3704 xfr->task_transfer->lookup_target = xfr->task_transfer->masters; 3705 xfr->task_transfer->lookup_aaaa = 0; 3706 } 3707 3708 /** move to the next lookup of hostname for task_transfer */ 3709 static void 3710 xfr_transfer_move_to_next_lookup(struct auth_xfer* xfr, struct module_env* env) 3711 { 3712 if(!xfr->task_transfer->lookup_target) 3713 return; /* already at end of list */ 3714 if(!xfr->task_transfer->lookup_aaaa && env->cfg->do_ip6) { 3715 /* move to lookup AAAA */ 3716 xfr->task_transfer->lookup_aaaa = 1; 3717 return; 3718 } 3719 xfr->task_transfer->lookup_target = 3720 xfr->task_transfer->lookup_target->next; 3721 xfr->task_transfer->lookup_aaaa = 0; 3722 if(!env->cfg->do_ip4 && xfr->task_transfer->lookup_target!=NULL) 3723 xfr->task_transfer->lookup_aaaa = 1; 3724 } 3725 3726 /** start the lookups for task_probe */ 3727 static void 3728 xfr_probe_start_lookups(struct auth_xfer* xfr) 3729 { 3730 /* delete all the looked up addresses in the list */ 3731 xfr_masterlist_free_addrs(xfr->task_probe->masters); 3732 3733 /* start lookup at the first master */ 3734 xfr->task_probe->lookup_target = xfr->task_probe->masters; 3735 xfr->task_probe->lookup_aaaa = 0; 3736 } 3737 3738 /** move to the next lookup of hostname for task_probe */ 3739 static void 3740 xfr_probe_move_to_next_lookup(struct auth_xfer* xfr, struct module_env* env) 3741 { 3742 if(!xfr->task_probe->lookup_target) 3743 return; /* already at end of list */ 3744 if(!xfr->task_probe->lookup_aaaa && env->cfg->do_ip6) { 3745 /* move to lookup AAAA */ 3746 xfr->task_probe->lookup_aaaa = 1; 3747 return; 3748 } 3749 xfr->task_probe->lookup_target = xfr->task_probe->lookup_target->next; 3750 xfr->task_probe->lookup_aaaa = 0; 3751 if(!env->cfg->do_ip4 && xfr->task_probe->lookup_target!=NULL) 3752 xfr->task_probe->lookup_aaaa = 1; 3753 } 3754 3755 /** start the iteration of the task_transfer list of masters */ 3756 static void 3757 xfr_transfer_start_list(struct auth_xfer* xfr, struct auth_master* spec) 3758 { 3759 if(spec) { 3760 xfr->task_transfer->scan_specific = find_master_by_host( 3761 xfr->task_transfer->masters, spec->host); 3762 if(xfr->task_transfer->scan_specific) { 3763 xfr->task_transfer->scan_target = NULL; 3764 xfr->task_transfer->scan_addr = NULL; 3765 if(xfr->task_transfer->scan_specific->list) 3766 xfr->task_transfer->scan_addr = 3767 xfr->task_transfer->scan_specific->list; 3768 return; 3769 } 3770 } 3771 /* no specific (notified) host to scan */ 3772 xfr->task_transfer->scan_specific = NULL; 3773 xfr->task_transfer->scan_addr = NULL; 3774 /* pick up first scan target */ 3775 xfr->task_transfer->scan_target = xfr->task_transfer->masters; 3776 if(xfr->task_transfer->scan_target && xfr->task_transfer-> 3777 scan_target->list) 3778 xfr->task_transfer->scan_addr = 3779 xfr->task_transfer->scan_target->list; 3780 } 3781 3782 /** start the iteration of the task_probe list of masters */ 3783 static void 3784 xfr_probe_start_list(struct auth_xfer* xfr, struct auth_master* spec) 3785 { 3786 if(spec) { 3787 xfr->task_probe->scan_specific = find_master_by_host( 3788 xfr->task_probe->masters, spec->host); 3789 if(xfr->task_probe->scan_specific) { 3790 xfr->task_probe->scan_target = NULL; 3791 xfr->task_probe->scan_addr = NULL; 3792 if(xfr->task_probe->scan_specific->list) 3793 xfr->task_probe->scan_addr = 3794 xfr->task_probe->scan_specific->list; 3795 return; 3796 } 3797 } 3798 /* no specific (notified) host to scan */ 3799 xfr->task_probe->scan_specific = NULL; 3800 xfr->task_probe->scan_addr = NULL; 3801 /* pick up first scan target */ 3802 xfr->task_probe->scan_target = xfr->task_probe->masters; 3803 if(xfr->task_probe->scan_target && xfr->task_probe->scan_target->list) 3804 xfr->task_probe->scan_addr = 3805 xfr->task_probe->scan_target->list; 3806 } 3807 3808 /** pick up the master that is being scanned right now, task_transfer */ 3809 static struct auth_master* 3810 xfr_transfer_current_master(struct auth_xfer* xfr) 3811 { 3812 if(xfr->task_transfer->scan_specific) 3813 return xfr->task_transfer->scan_specific; 3814 return xfr->task_transfer->scan_target; 3815 } 3816 3817 /** pick up the master that is being scanned right now, task_probe */ 3818 static struct auth_master* 3819 xfr_probe_current_master(struct auth_xfer* xfr) 3820 { 3821 if(xfr->task_probe->scan_specific) 3822 return xfr->task_probe->scan_specific; 3823 return xfr->task_probe->scan_target; 3824 } 3825 3826 /** true if at end of list, task_transfer */ 3827 static int 3828 xfr_transfer_end_of_list(struct auth_xfer* xfr) 3829 { 3830 return !xfr->task_transfer->scan_specific && 3831 !xfr->task_transfer->scan_target; 3832 } 3833 3834 /** true if at end of list, task_probe */ 3835 static int 3836 xfr_probe_end_of_list(struct auth_xfer* xfr) 3837 { 3838 return !xfr->task_probe->scan_specific && !xfr->task_probe->scan_target; 3839 } 3840 3841 /** move to next master in list, task_transfer */ 3842 static void 3843 xfr_transfer_nextmaster(struct auth_xfer* xfr) 3844 { 3845 if(!xfr->task_transfer->scan_specific && 3846 !xfr->task_transfer->scan_target) 3847 return; 3848 if(xfr->task_transfer->scan_addr) { 3849 xfr->task_transfer->scan_addr = 3850 xfr->task_transfer->scan_addr->next; 3851 if(xfr->task_transfer->scan_addr) 3852 return; 3853 } 3854 if(xfr->task_transfer->scan_specific) { 3855 xfr->task_transfer->scan_specific = NULL; 3856 xfr->task_transfer->scan_target = xfr->task_transfer->masters; 3857 if(xfr->task_transfer->scan_target && xfr->task_transfer-> 3858 scan_target->list) 3859 xfr->task_transfer->scan_addr = 3860 xfr->task_transfer->scan_target->list; 3861 return; 3862 } 3863 if(!xfr->task_transfer->scan_target) 3864 return; 3865 xfr->task_transfer->scan_target = xfr->task_transfer->scan_target->next; 3866 if(xfr->task_transfer->scan_target && xfr->task_transfer-> 3867 scan_target->list) 3868 xfr->task_transfer->scan_addr = 3869 xfr->task_transfer->scan_target->list; 3870 return; 3871 } 3872 3873 /** move to next master in list, task_probe */ 3874 static void 3875 xfr_probe_nextmaster(struct auth_xfer* xfr) 3876 { 3877 if(!xfr->task_probe->scan_specific && !xfr->task_probe->scan_target) 3878 return; 3879 if(xfr->task_probe->scan_addr) { 3880 xfr->task_probe->scan_addr = xfr->task_probe->scan_addr->next; 3881 if(xfr->task_probe->scan_addr) 3882 return; 3883 } 3884 if(xfr->task_probe->scan_specific) { 3885 xfr->task_probe->scan_specific = NULL; 3886 xfr->task_probe->scan_target = xfr->task_probe->masters; 3887 if(xfr->task_probe->scan_target && xfr->task_probe-> 3888 scan_target->list) 3889 xfr->task_probe->scan_addr = 3890 xfr->task_probe->scan_target->list; 3891 return; 3892 } 3893 if(!xfr->task_probe->scan_target) 3894 return; 3895 xfr->task_probe->scan_target = xfr->task_probe->scan_target->next; 3896 if(xfr->task_probe->scan_target && xfr->task_probe-> 3897 scan_target->list) 3898 xfr->task_probe->scan_addr = 3899 xfr->task_probe->scan_target->list; 3900 return; 3901 } 3902 3903 /** create SOA probe packet for xfr */ 3904 static void 3905 xfr_create_soa_probe_packet(struct auth_xfer* xfr, sldns_buffer* buf, 3906 uint16_t id) 3907 { 3908 struct query_info qinfo; 3909 3910 memset(&qinfo, 0, sizeof(qinfo)); 3911 qinfo.qname = xfr->name; 3912 qinfo.qname_len = xfr->namelen; 3913 qinfo.qtype = LDNS_RR_TYPE_SOA; 3914 qinfo.qclass = xfr->dclass; 3915 qinfo_query_encode(buf, &qinfo); 3916 sldns_buffer_write_u16_at(buf, 0, id); 3917 } 3918 3919 /** create IXFR/AXFR packet for xfr */ 3920 static void 3921 xfr_create_ixfr_packet(struct auth_xfer* xfr, sldns_buffer* buf, uint16_t id, 3922 struct auth_master* master) 3923 { 3924 struct query_info qinfo; 3925 uint32_t serial; 3926 int have_zone; 3927 have_zone = xfr->have_zone; 3928 serial = xfr->serial; 3929 3930 memset(&qinfo, 0, sizeof(qinfo)); 3931 qinfo.qname = xfr->name; 3932 qinfo.qname_len = xfr->namelen; 3933 xfr->task_transfer->got_xfr_serial = 0; 3934 xfr->task_transfer->rr_scan_num = 0; 3935 xfr->task_transfer->incoming_xfr_serial = 0; 3936 xfr->task_transfer->on_ixfr_is_axfr = 0; 3937 xfr->task_transfer->on_ixfr = 1; 3938 qinfo.qtype = LDNS_RR_TYPE_IXFR; 3939 if(!have_zone || xfr->task_transfer->ixfr_fail || !master->ixfr) { 3940 qinfo.qtype = LDNS_RR_TYPE_AXFR; 3941 xfr->task_transfer->ixfr_fail = 0; 3942 xfr->task_transfer->on_ixfr = 0; 3943 } 3944 3945 qinfo.qclass = xfr->dclass; 3946 qinfo_query_encode(buf, &qinfo); 3947 sldns_buffer_write_u16_at(buf, 0, id); 3948 3949 /* append serial for IXFR */ 3950 if(qinfo.qtype == LDNS_RR_TYPE_IXFR) { 3951 size_t end = sldns_buffer_limit(buf); 3952 sldns_buffer_clear(buf); 3953 sldns_buffer_set_position(buf, end); 3954 /* auth section count 1 */ 3955 sldns_buffer_write_u16_at(buf, LDNS_NSCOUNT_OFF, 1); 3956 /* write SOA */ 3957 sldns_buffer_write_u8(buf, 0xC0); /* compressed ptr to qname */ 3958 sldns_buffer_write_u8(buf, 0x0C); 3959 sldns_buffer_write_u16(buf, LDNS_RR_TYPE_SOA); 3960 sldns_buffer_write_u16(buf, qinfo.qclass); 3961 sldns_buffer_write_u32(buf, 0); /* ttl */ 3962 sldns_buffer_write_u16(buf, 22); /* rdata length */ 3963 sldns_buffer_write_u8(buf, 0); /* . */ 3964 sldns_buffer_write_u8(buf, 0); /* . */ 3965 sldns_buffer_write_u32(buf, serial); /* serial */ 3966 sldns_buffer_write_u32(buf, 0); /* refresh */ 3967 sldns_buffer_write_u32(buf, 0); /* retry */ 3968 sldns_buffer_write_u32(buf, 0); /* expire */ 3969 sldns_buffer_write_u32(buf, 0); /* minimum */ 3970 sldns_buffer_flip(buf); 3971 } 3972 } 3973 3974 /** check if returned packet is OK */ 3975 static int 3976 check_packet_ok(sldns_buffer* pkt, uint16_t qtype, struct auth_xfer* xfr, 3977 uint32_t* serial) 3978 { 3979 /* parse to see if packet worked, valid reply */ 3980 3981 /* check serial number of SOA */ 3982 if(sldns_buffer_limit(pkt) < LDNS_HEADER_SIZE) 3983 return 0; 3984 3985 /* check ID */ 3986 if(LDNS_ID_WIRE(sldns_buffer_begin(pkt)) != xfr->task_probe->id) 3987 return 0; 3988 3989 /* check flag bits and rcode */ 3990 if(!LDNS_QR_WIRE(sldns_buffer_begin(pkt))) 3991 return 0; 3992 if(LDNS_OPCODE_WIRE(sldns_buffer_begin(pkt)) != LDNS_PACKET_QUERY) 3993 return 0; 3994 if(LDNS_RCODE_WIRE(sldns_buffer_begin(pkt)) != LDNS_RCODE_NOERROR) 3995 return 0; 3996 3997 /* check qname */ 3998 if(LDNS_QDCOUNT(sldns_buffer_begin(pkt)) != 1) 3999 return 0; 4000 sldns_buffer_skip(pkt, LDNS_HEADER_SIZE); 4001 if(sldns_buffer_remaining(pkt) < xfr->namelen) 4002 return 0; 4003 if(query_dname_compare(sldns_buffer_current(pkt), xfr->name) != 0) 4004 return 0; 4005 sldns_buffer_skip(pkt, (ssize_t)xfr->namelen); 4006 4007 /* check qtype, qclass */ 4008 if(sldns_buffer_remaining(pkt) < 4) 4009 return 0; 4010 if(sldns_buffer_read_u16(pkt) != qtype) 4011 return 0; 4012 if(sldns_buffer_read_u16(pkt) != xfr->dclass) 4013 return 0; 4014 4015 if(serial) { 4016 uint16_t rdlen; 4017 /* read serial number, from answer section SOA */ 4018 if(LDNS_ANCOUNT(sldns_buffer_begin(pkt)) == 0) 4019 return 0; 4020 /* read from first record SOA record */ 4021 if(sldns_buffer_remaining(pkt) < 1) 4022 return 0; 4023 if(dname_pkt_compare(pkt, sldns_buffer_current(pkt), 4024 xfr->name) != 0) 4025 return 0; 4026 if(!pkt_dname_len(pkt)) 4027 return 0; 4028 /* type, class, ttl, rdatalen */ 4029 if(sldns_buffer_remaining(pkt) < 4+4+2) 4030 return 0; 4031 if(sldns_buffer_read_u16(pkt) != qtype) 4032 return 0; 4033 if(sldns_buffer_read_u16(pkt) != xfr->dclass) 4034 return 0; 4035 sldns_buffer_skip(pkt, 4); /* ttl */ 4036 rdlen = sldns_buffer_read_u16(pkt); 4037 if(sldns_buffer_remaining(pkt) < rdlen) 4038 return 0; 4039 if(sldns_buffer_remaining(pkt) < 1) 4040 return 0; 4041 if(!pkt_dname_len(pkt)) /* soa name */ 4042 return 0; 4043 if(sldns_buffer_remaining(pkt) < 1) 4044 return 0; 4045 if(!pkt_dname_len(pkt)) /* soa name */ 4046 return 0; 4047 if(sldns_buffer_remaining(pkt) < 20) 4048 return 0; 4049 *serial = sldns_buffer_read_u32(pkt); 4050 } 4051 return 1; 4052 } 4053 4054 /** read one line from chunks into buffer at current position */ 4055 static int 4056 chunkline_get_line(struct auth_chunk** chunk, size_t* chunk_pos, 4057 sldns_buffer* buf) 4058 { 4059 int readsome = 0; 4060 while(*chunk) { 4061 /* more text in this chunk? */ 4062 if(*chunk_pos < (*chunk)->len) { 4063 readsome = 1; 4064 while(*chunk_pos < (*chunk)->len) { 4065 char c = (char)((*chunk)->data[*chunk_pos]); 4066 (*chunk_pos)++; 4067 if(sldns_buffer_remaining(buf) < 2) { 4068 /* buffer too short */ 4069 verbose(VERB_ALGO, "http chunkline, " 4070 "line too long"); 4071 return 0; 4072 } 4073 sldns_buffer_write_u8(buf, (uint8_t)c); 4074 if(c == '\n') { 4075 /* we are done */ 4076 return 1; 4077 } 4078 } 4079 } 4080 /* move to next chunk */ 4081 *chunk = (*chunk)->next; 4082 *chunk_pos = 0; 4083 } 4084 /* no more text */ 4085 if(readsome) return 1; 4086 return 0; 4087 } 4088 4089 /** count number of open and closed parenthesis in a chunkline */ 4090 static int 4091 chunkline_count_parens(sldns_buffer* buf, size_t start) 4092 { 4093 size_t end = sldns_buffer_position(buf); 4094 size_t i; 4095 int count = 0; 4096 int squote = 0, dquote = 0; 4097 for(i=start; i<end; i++) { 4098 char c = (char)sldns_buffer_read_u8_at(buf, i); 4099 if(squote && c != '\'') continue; 4100 if(dquote && c != '"') continue; 4101 if(c == '"') 4102 dquote = !dquote; /* skip quoted part */ 4103 else if(c == '\'') 4104 squote = !squote; /* skip quoted part */ 4105 else if(c == '(') 4106 count ++; 4107 else if(c == ')') 4108 count --; 4109 else if(c == ';') { 4110 /* rest is a comment */ 4111 return count; 4112 } 4113 } 4114 return count; 4115 } 4116 4117 /** remove trailing ;... comment from a line in the chunkline buffer */ 4118 static void 4119 chunkline_remove_trailcomment(sldns_buffer* buf, size_t start) 4120 { 4121 size_t end = sldns_buffer_position(buf); 4122 size_t i; 4123 int squote = 0, dquote = 0; 4124 for(i=start; i<end; i++) { 4125 char c = (char)sldns_buffer_read_u8_at(buf, i); 4126 if(squote && c != '\'') continue; 4127 if(dquote && c != '"') continue; 4128 if(c == '"') 4129 dquote = !dquote; /* skip quoted part */ 4130 else if(c == '\'') 4131 squote = !squote; /* skip quoted part */ 4132 else if(c == ';') { 4133 /* rest is a comment */ 4134 sldns_buffer_set_position(buf, i); 4135 return; 4136 } 4137 } 4138 /* nothing to remove */ 4139 } 4140 4141 /** see if a chunkline is a comment line (or empty line) */ 4142 static int 4143 chunkline_is_comment_line_or_empty(sldns_buffer* buf) 4144 { 4145 size_t i, end = sldns_buffer_limit(buf); 4146 for(i=0; i<end; i++) { 4147 char c = (char)sldns_buffer_read_u8_at(buf, i); 4148 if(c == ';') 4149 return 1; /* comment */ 4150 else if(c != ' ' && c != '\t' && c != '\r' && c != '\n') 4151 return 0; /* not a comment */ 4152 } 4153 return 1; /* empty */ 4154 } 4155 4156 /** find a line with ( ) collated */ 4157 static int 4158 chunkline_get_line_collated(struct auth_chunk** chunk, size_t* chunk_pos, 4159 sldns_buffer* buf) 4160 { 4161 size_t pos; 4162 int parens = 0; 4163 sldns_buffer_clear(buf); 4164 pos = sldns_buffer_position(buf); 4165 if(!chunkline_get_line(chunk, chunk_pos, buf)) { 4166 if(sldns_buffer_position(buf) < sldns_buffer_limit(buf)) 4167 sldns_buffer_write_u8_at(buf, sldns_buffer_position(buf), 0); 4168 else sldns_buffer_write_u8_at(buf, sldns_buffer_position(buf)-1, 0); 4169 sldns_buffer_flip(buf); 4170 return 0; 4171 } 4172 parens += chunkline_count_parens(buf, pos); 4173 while(parens > 0) { 4174 chunkline_remove_trailcomment(buf, pos); 4175 pos = sldns_buffer_position(buf); 4176 if(!chunkline_get_line(chunk, chunk_pos, buf)) { 4177 if(sldns_buffer_position(buf) < sldns_buffer_limit(buf)) 4178 sldns_buffer_write_u8_at(buf, sldns_buffer_position(buf), 0); 4179 else sldns_buffer_write_u8_at(buf, sldns_buffer_position(buf)-1, 0); 4180 sldns_buffer_flip(buf); 4181 return 0; 4182 } 4183 parens += chunkline_count_parens(buf, pos); 4184 } 4185 4186 if(sldns_buffer_remaining(buf) < 1) { 4187 verbose(VERB_ALGO, "http chunkline: " 4188 "line too long"); 4189 return 0; 4190 } 4191 sldns_buffer_write_u8_at(buf, sldns_buffer_position(buf), 0); 4192 sldns_buffer_flip(buf); 4193 return 1; 4194 } 4195 4196 /** process $ORIGIN for http */ 4197 static int 4198 http_parse_origin(sldns_buffer* buf, struct sldns_file_parse_state* pstate) 4199 { 4200 char* line = (char*)sldns_buffer_begin(buf); 4201 if(strncmp(line, "$ORIGIN", 7) == 0 && 4202 isspace((unsigned char)line[7])) { 4203 int s; 4204 pstate->origin_len = sizeof(pstate->origin); 4205 s = sldns_str2wire_dname_buf(sldns_strip_ws(line+8), 4206 pstate->origin, &pstate->origin_len); 4207 if(s) pstate->origin_len = 0; 4208 return 1; 4209 } 4210 return 0; 4211 } 4212 4213 /** process $TTL for http */ 4214 static int 4215 http_parse_ttl(sldns_buffer* buf, struct sldns_file_parse_state* pstate) 4216 { 4217 char* line = (char*)sldns_buffer_begin(buf); 4218 if(strncmp(line, "$TTL", 4) == 0 && 4219 isspace((unsigned char)line[4])) { 4220 const char* end = NULL; 4221 pstate->default_ttl = sldns_str2period( 4222 sldns_strip_ws(line+5), &end); 4223 return 1; 4224 } 4225 return 0; 4226 } 4227 4228 /** find noncomment RR line in chunks, collates lines if ( ) format */ 4229 static int 4230 chunkline_non_comment_RR(struct auth_chunk** chunk, size_t* chunk_pos, 4231 sldns_buffer* buf, struct sldns_file_parse_state* pstate) 4232 { 4233 while(chunkline_get_line_collated(chunk, chunk_pos, buf)) { 4234 if(chunkline_is_comment_line_or_empty(buf)) { 4235 /* a comment, go to next line */ 4236 continue; 4237 } 4238 if(http_parse_origin(buf, pstate)) { 4239 continue; /* $ORIGIN has been handled */ 4240 } 4241 if(http_parse_ttl(buf, pstate)) { 4242 continue; /* $TTL has been handled */ 4243 } 4244 return 1; 4245 } 4246 /* no noncomments, fail */ 4247 return 0; 4248 } 4249 4250 /** check syntax of chunklist zonefile, parse first RR, return false on 4251 * failure and return a string in the scratch buffer (first RR string) 4252 * on failure. */ 4253 static int 4254 http_zonefile_syntax_check(struct auth_xfer* xfr, sldns_buffer* buf) 4255 { 4256 uint8_t rr[LDNS_RR_BUF_SIZE]; 4257 size_t rr_len, dname_len = 0; 4258 struct sldns_file_parse_state pstate; 4259 struct auth_chunk* chunk; 4260 size_t chunk_pos; 4261 int e; 4262 memset(&pstate, 0, sizeof(pstate)); 4263 pstate.default_ttl = 3600; 4264 if(xfr->namelen < sizeof(pstate.origin)) { 4265 pstate.origin_len = xfr->namelen; 4266 memmove(pstate.origin, xfr->name, xfr->namelen); 4267 } 4268 chunk = xfr->task_transfer->chunks_first; 4269 chunk_pos = 0; 4270 if(!chunkline_non_comment_RR(&chunk, &chunk_pos, buf, &pstate)) { 4271 return 0; 4272 } 4273 rr_len = sizeof(rr); 4274 e=sldns_str2wire_rr_buf((char*)sldns_buffer_begin(buf), rr, &rr_len, 4275 &dname_len, pstate.default_ttl, 4276 pstate.origin_len?pstate.origin:NULL, pstate.origin_len, 4277 pstate.prev_rr_len?pstate.prev_rr:NULL, pstate.prev_rr_len); 4278 if(e != 0) { 4279 log_err("parse failure on first RR[%d]: %s", 4280 LDNS_WIREPARSE_OFFSET(e), 4281 sldns_get_errorstr_parse(LDNS_WIREPARSE_ERROR(e))); 4282 return 0; 4283 } 4284 /* check that class is correct */ 4285 if(sldns_wirerr_get_class(rr, rr_len, dname_len) != xfr->dclass) { 4286 log_err("parse failure: first record in downloaded zonefile " 4287 "from wrong RR class"); 4288 return 0; 4289 } 4290 return 1; 4291 } 4292 4293 /** sum sizes of chunklist */ 4294 static size_t 4295 chunklist_sum(struct auth_chunk* list) 4296 { 4297 struct auth_chunk* p; 4298 size_t s = 0; 4299 for(p=list; p; p=p->next) { 4300 s += p->len; 4301 } 4302 return s; 4303 } 4304 4305 /** remove newlines from collated line */ 4306 static void 4307 chunkline_newline_removal(sldns_buffer* buf) 4308 { 4309 size_t i, end=sldns_buffer_limit(buf); 4310 for(i=0; i<end; i++) { 4311 char c = (char)sldns_buffer_read_u8_at(buf, i); 4312 if(c == '\n' && i==end-1) { 4313 sldns_buffer_write_u8_at(buf, i, 0); 4314 sldns_buffer_set_limit(buf, end-1); 4315 return; 4316 } 4317 if(c == '\n') 4318 sldns_buffer_write_u8_at(buf, i, (uint8_t)' '); 4319 } 4320 } 4321 4322 /** for http download, parse and add RR to zone */ 4323 static int 4324 http_parse_add_rr(struct auth_xfer* xfr, struct auth_zone* z, 4325 sldns_buffer* buf, struct sldns_file_parse_state* pstate) 4326 { 4327 uint8_t rr[LDNS_RR_BUF_SIZE]; 4328 size_t rr_len, dname_len = 0; 4329 int e; 4330 char* line = (char*)sldns_buffer_begin(buf); 4331 rr_len = sizeof(rr); 4332 e = sldns_str2wire_rr_buf(line, rr, &rr_len, &dname_len, 4333 pstate->default_ttl, 4334 pstate->origin_len?pstate->origin:NULL, pstate->origin_len, 4335 pstate->prev_rr_len?pstate->prev_rr:NULL, pstate->prev_rr_len); 4336 if(e != 0) { 4337 log_err("%s/%s parse failure RR[%d]: %s in '%s'", 4338 xfr->task_transfer->master->host, 4339 xfr->task_transfer->master->file, 4340 LDNS_WIREPARSE_OFFSET(e), 4341 sldns_get_errorstr_parse(LDNS_WIREPARSE_ERROR(e)), 4342 line); 4343 return 0; 4344 } 4345 if(rr_len == 0) 4346 return 1; /* empty line or so */ 4347 4348 /* set prev */ 4349 if(dname_len < sizeof(pstate->prev_rr)) { 4350 memmove(pstate->prev_rr, rr, dname_len); 4351 pstate->prev_rr_len = dname_len; 4352 } 4353 4354 return az_insert_rr(z, rr, rr_len, dname_len, NULL); 4355 } 4356 4357 /** RR list iterator, returns RRs from answer section one by one from the 4358 * dns packets in the chunklist */ 4359 static void 4360 chunk_rrlist_start(struct auth_xfer* xfr, struct auth_chunk** rr_chunk, 4361 int* rr_num, size_t* rr_pos) 4362 { 4363 *rr_chunk = xfr->task_transfer->chunks_first; 4364 *rr_num = 0; 4365 *rr_pos = 0; 4366 } 4367 4368 /** RR list iterator, see if we are at the end of the list */ 4369 static int 4370 chunk_rrlist_end(struct auth_chunk* rr_chunk, int rr_num) 4371 { 4372 while(rr_chunk) { 4373 if(rr_chunk->len < LDNS_HEADER_SIZE) 4374 return 1; 4375 if(rr_num < (int)LDNS_ANCOUNT(rr_chunk->data)) 4376 return 0; 4377 /* no more RRs in this chunk */ 4378 /* continue with next chunk, see if it has RRs */ 4379 rr_chunk = rr_chunk->next; 4380 rr_num = 0; 4381 } 4382 return 1; 4383 } 4384 4385 /** RR list iterator, move to next RR */ 4386 static void 4387 chunk_rrlist_gonext(struct auth_chunk** rr_chunk, int* rr_num, 4388 size_t* rr_pos, size_t rr_nextpos) 4389 { 4390 /* already at end of chunks? */ 4391 if(!*rr_chunk) 4392 return; 4393 /* move within this chunk */ 4394 if((*rr_chunk)->len >= LDNS_HEADER_SIZE && 4395 (*rr_num)+1 < (int)LDNS_ANCOUNT((*rr_chunk)->data)) { 4396 (*rr_num) += 1; 4397 *rr_pos = rr_nextpos; 4398 return; 4399 } 4400 /* no more RRs in this chunk */ 4401 /* continue with next chunk, see if it has RRs */ 4402 if(*rr_chunk) 4403 *rr_chunk = (*rr_chunk)->next; 4404 while(*rr_chunk) { 4405 *rr_num = 0; 4406 *rr_pos = 0; 4407 if((*rr_chunk)->len >= LDNS_HEADER_SIZE && 4408 LDNS_ANCOUNT((*rr_chunk)->data) > 0) { 4409 return; 4410 } 4411 *rr_chunk = (*rr_chunk)->next; 4412 } 4413 } 4414 4415 /** RR iterator, get current RR information, false on parse error */ 4416 static int 4417 chunk_rrlist_get_current(struct auth_chunk* rr_chunk, int rr_num, 4418 size_t rr_pos, uint8_t** rr_dname, uint16_t* rr_type, 4419 uint16_t* rr_class, uint32_t* rr_ttl, uint16_t* rr_rdlen, 4420 uint8_t** rr_rdata, size_t* rr_nextpos) 4421 { 4422 sldns_buffer pkt; 4423 /* integrity checks on position */ 4424 if(!rr_chunk) return 0; 4425 if(rr_chunk->len < LDNS_HEADER_SIZE) return 0; 4426 if(rr_num >= (int)LDNS_ANCOUNT(rr_chunk->data)) return 0; 4427 if(rr_pos >= rr_chunk->len) return 0; 4428 4429 /* fetch rr information */ 4430 sldns_buffer_init_frm_data(&pkt, rr_chunk->data, rr_chunk->len); 4431 if(rr_pos == 0) { 4432 size_t i; 4433 /* skip question section */ 4434 sldns_buffer_set_position(&pkt, LDNS_HEADER_SIZE); 4435 for(i=0; i<LDNS_QDCOUNT(rr_chunk->data); i++) { 4436 if(pkt_dname_len(&pkt) == 0) return 0; 4437 if(sldns_buffer_remaining(&pkt) < 4) return 0; 4438 sldns_buffer_skip(&pkt, 4); /* type and class */ 4439 } 4440 } else { 4441 sldns_buffer_set_position(&pkt, rr_pos); 4442 } 4443 *rr_dname = sldns_buffer_current(&pkt); 4444 if(pkt_dname_len(&pkt) == 0) return 0; 4445 if(sldns_buffer_remaining(&pkt) < 10) return 0; 4446 *rr_type = sldns_buffer_read_u16(&pkt); 4447 *rr_class = sldns_buffer_read_u16(&pkt); 4448 *rr_ttl = sldns_buffer_read_u32(&pkt); 4449 *rr_rdlen = sldns_buffer_read_u16(&pkt); 4450 if(sldns_buffer_remaining(&pkt) < (*rr_rdlen)) return 0; 4451 *rr_rdata = sldns_buffer_current(&pkt); 4452 sldns_buffer_skip(&pkt, (ssize_t)(*rr_rdlen)); 4453 *rr_nextpos = sldns_buffer_position(&pkt); 4454 return 1; 4455 } 4456 4457 /** print log message where we are in parsing the zone transfer */ 4458 static void 4459 log_rrlist_position(const char* label, struct auth_chunk* rr_chunk, 4460 uint8_t* rr_dname, uint16_t rr_type, size_t rr_counter) 4461 { 4462 sldns_buffer pkt; 4463 size_t dlen; 4464 uint8_t buf[256]; 4465 char str[256]; 4466 char typestr[32]; 4467 sldns_buffer_init_frm_data(&pkt, rr_chunk->data, rr_chunk->len); 4468 sldns_buffer_set_position(&pkt, (size_t)(rr_dname - 4469 sldns_buffer_begin(&pkt))); 4470 if((dlen=pkt_dname_len(&pkt)) == 0) return; 4471 if(dlen >= sizeof(buf)) return; 4472 dname_pkt_copy(&pkt, buf, rr_dname); 4473 dname_str(buf, str); 4474 (void)sldns_wire2str_type_buf(rr_type, typestr, sizeof(typestr)); 4475 verbose(VERB_ALGO, "%s at[%d] %s %s", label, (int)rr_counter, 4476 str, typestr); 4477 } 4478 4479 /** check that start serial is OK for ixfr. we are at rr_counter == 0, 4480 * and we are going to check rr_counter == 1 (has to be type SOA) serial */ 4481 static int 4482 ixfr_start_serial(struct auth_chunk* rr_chunk, int rr_num, size_t rr_pos, 4483 uint8_t* rr_dname, uint16_t rr_type, uint16_t rr_class, 4484 uint32_t rr_ttl, uint16_t rr_rdlen, uint8_t* rr_rdata, 4485 size_t rr_nextpos, uint32_t transfer_serial, uint32_t xfr_serial) 4486 { 4487 uint32_t startserial; 4488 /* move forward on RR */ 4489 chunk_rrlist_gonext(&rr_chunk, &rr_num, &rr_pos, rr_nextpos); 4490 if(chunk_rrlist_end(rr_chunk, rr_num)) { 4491 /* no second SOA */ 4492 verbose(VERB_OPS, "IXFR has no second SOA record"); 4493 return 0; 4494 } 4495 if(!chunk_rrlist_get_current(rr_chunk, rr_num, rr_pos, 4496 &rr_dname, &rr_type, &rr_class, &rr_ttl, &rr_rdlen, 4497 &rr_rdata, &rr_nextpos)) { 4498 verbose(VERB_OPS, "IXFR cannot parse second SOA record"); 4499 /* failed to parse RR */ 4500 return 0; 4501 } 4502 if(rr_type != LDNS_RR_TYPE_SOA) { 4503 verbose(VERB_OPS, "IXFR second record is not type SOA"); 4504 return 0; 4505 } 4506 if(rr_rdlen < 22) { 4507 verbose(VERB_OPS, "IXFR, second SOA has short rdlength"); 4508 return 0; /* bad SOA rdlen */ 4509 } 4510 startserial = sldns_read_uint32(rr_rdata+rr_rdlen-20); 4511 if(startserial == transfer_serial) { 4512 /* empty AXFR, not an IXFR */ 4513 verbose(VERB_OPS, "IXFR second serial same as first"); 4514 return 0; 4515 } 4516 if(startserial != xfr_serial) { 4517 /* wrong start serial, it does not match the serial in 4518 * memory */ 4519 verbose(VERB_OPS, "IXFR is from serial %u to %u but %u " 4520 "in memory, rejecting the zone transfer", 4521 (unsigned)startserial, (unsigned)transfer_serial, 4522 (unsigned)xfr_serial); 4523 return 0; 4524 } 4525 /* everything OK in second SOA serial */ 4526 return 1; 4527 } 4528 4529 /** apply IXFR to zone in memory. z is locked. false on failure(mallocfail) */ 4530 static int 4531 apply_ixfr(struct auth_xfer* xfr, struct auth_zone* z, 4532 struct sldns_buffer* scratch_buffer) 4533 { 4534 struct auth_chunk* rr_chunk; 4535 int rr_num; 4536 size_t rr_pos; 4537 uint8_t* rr_dname, *rr_rdata; 4538 uint16_t rr_type, rr_class, rr_rdlen; 4539 uint32_t rr_ttl; 4540 size_t rr_nextpos; 4541 int have_transfer_serial = 0; 4542 uint32_t transfer_serial = 0; 4543 size_t rr_counter = 0; 4544 int delmode = 0; 4545 int softfail = 0; 4546 4547 /* start RR iterator over chunklist of packets */ 4548 chunk_rrlist_start(xfr, &rr_chunk, &rr_num, &rr_pos); 4549 while(!chunk_rrlist_end(rr_chunk, rr_num)) { 4550 if(!chunk_rrlist_get_current(rr_chunk, rr_num, rr_pos, 4551 &rr_dname, &rr_type, &rr_class, &rr_ttl, &rr_rdlen, 4552 &rr_rdata, &rr_nextpos)) { 4553 /* failed to parse RR */ 4554 return 0; 4555 } 4556 if(verbosity>=7) log_rrlist_position("apply ixfr", 4557 rr_chunk, rr_dname, rr_type, rr_counter); 4558 /* twiddle add/del mode and check for start and end */ 4559 if(rr_counter == 0 && rr_type != LDNS_RR_TYPE_SOA) 4560 return 0; 4561 if(rr_counter == 1 && rr_type != LDNS_RR_TYPE_SOA) { 4562 /* this is an AXFR returned from the IXFR master */ 4563 /* but that should already have been detected, by 4564 * on_ixfr_is_axfr */ 4565 return 0; 4566 } 4567 if(rr_type == LDNS_RR_TYPE_SOA) { 4568 uint32_t serial; 4569 if(rr_rdlen < 22) return 0; /* bad SOA rdlen */ 4570 serial = sldns_read_uint32(rr_rdata+rr_rdlen-20); 4571 if(have_transfer_serial == 0) { 4572 have_transfer_serial = 1; 4573 transfer_serial = serial; 4574 delmode = 1; /* gets negated below */ 4575 /* check second RR before going any further */ 4576 if(!ixfr_start_serial(rr_chunk, rr_num, rr_pos, 4577 rr_dname, rr_type, rr_class, rr_ttl, 4578 rr_rdlen, rr_rdata, rr_nextpos, 4579 transfer_serial, xfr->serial)) { 4580 return 0; 4581 } 4582 } else if(transfer_serial == serial) { 4583 have_transfer_serial++; 4584 if(rr_counter == 1) { 4585 /* empty AXFR, with SOA; SOA; */ 4586 /* should have been detected by 4587 * on_ixfr_is_axfr */ 4588 return 0; 4589 } 4590 if(have_transfer_serial == 3) { 4591 /* see serial three times for end */ 4592 /* eg. IXFR: 4593 * SOA 3 start 4594 * SOA 1 second RR, followed by del 4595 * SOA 2 followed by add 4596 * SOA 2 followed by del 4597 * SOA 3 followed by add 4598 * SOA 3 end */ 4599 /* ended by SOA record */ 4600 xfr->serial = transfer_serial; 4601 break; 4602 } 4603 } 4604 /* twiddle add/del mode */ 4605 /* switch from delete part to add part and back again 4606 * just before the soa, it gets deleted and added too 4607 * this means we switch to delete mode for the final 4608 * SOA(so skip that one) */ 4609 delmode = !delmode; 4610 } 4611 /* process this RR */ 4612 /* if the RR is deleted twice or added twice, then we 4613 * softfail, and continue with the rest of the IXFR, so 4614 * that we serve something fairly nice during the refetch */ 4615 if(verbosity>=7) log_rrlist_position((delmode?"del":"add"), 4616 rr_chunk, rr_dname, rr_type, rr_counter); 4617 if(delmode) { 4618 /* delete this RR */ 4619 int nonexist = 0; 4620 if(!az_remove_rr_decompress(z, rr_chunk->data, 4621 rr_chunk->len, scratch_buffer, rr_dname, 4622 rr_type, rr_class, rr_ttl, rr_rdata, rr_rdlen, 4623 &nonexist)) { 4624 /* failed, malloc error or so */ 4625 return 0; 4626 } 4627 if(nonexist) { 4628 /* it was removal of a nonexisting RR */ 4629 if(verbosity>=4) log_rrlist_position( 4630 "IXFR error nonexistent RR", 4631 rr_chunk, rr_dname, rr_type, rr_counter); 4632 softfail = 1; 4633 } 4634 } else if(rr_counter != 0) { 4635 /* skip first SOA RR for addition, it is added in 4636 * the addition part near the end of the ixfr, when 4637 * that serial is seen the second time. */ 4638 int duplicate = 0; 4639 /* add this RR */ 4640 if(!az_insert_rr_decompress(z, rr_chunk->data, 4641 rr_chunk->len, scratch_buffer, rr_dname, 4642 rr_type, rr_class, rr_ttl, rr_rdata, rr_rdlen, 4643 &duplicate)) { 4644 /* failed, malloc error or so */ 4645 return 0; 4646 } 4647 if(duplicate) { 4648 /* it was a duplicate */ 4649 if(verbosity>=4) log_rrlist_position( 4650 "IXFR error duplicate RR", 4651 rr_chunk, rr_dname, rr_type, rr_counter); 4652 softfail = 1; 4653 } 4654 } 4655 4656 rr_counter++; 4657 chunk_rrlist_gonext(&rr_chunk, &rr_num, &rr_pos, rr_nextpos); 4658 } 4659 if(softfail) { 4660 verbose(VERB_ALGO, "IXFR did not apply cleanly, fetching full zone"); 4661 return 0; 4662 } 4663 return 1; 4664 } 4665 4666 /** apply AXFR to zone in memory. z is locked. false on failure(mallocfail) */ 4667 static int 4668 apply_axfr(struct auth_xfer* xfr, struct auth_zone* z, 4669 struct sldns_buffer* scratch_buffer) 4670 { 4671 struct auth_chunk* rr_chunk; 4672 int rr_num; 4673 size_t rr_pos; 4674 uint8_t* rr_dname, *rr_rdata; 4675 uint16_t rr_type, rr_class, rr_rdlen; 4676 uint32_t rr_ttl; 4677 uint32_t serial = 0; 4678 size_t rr_nextpos; 4679 size_t rr_counter = 0; 4680 int have_end_soa = 0; 4681 4682 /* clear the data tree */ 4683 traverse_postorder(&z->data, auth_data_del, NULL); 4684 rbtree_init(&z->data, &auth_data_cmp); 4685 xfr->have_zone = 0; 4686 xfr->serial = 0; 4687 4688 /* insert all RRs in to the zone */ 4689 /* insert the SOA only once, skip the last one */ 4690 /* start RR iterator over chunklist of packets */ 4691 chunk_rrlist_start(xfr, &rr_chunk, &rr_num, &rr_pos); 4692 while(!chunk_rrlist_end(rr_chunk, rr_num)) { 4693 if(!chunk_rrlist_get_current(rr_chunk, rr_num, rr_pos, 4694 &rr_dname, &rr_type, &rr_class, &rr_ttl, &rr_rdlen, 4695 &rr_rdata, &rr_nextpos)) { 4696 /* failed to parse RR */ 4697 return 0; 4698 } 4699 if(verbosity>=7) log_rrlist_position("apply_axfr", 4700 rr_chunk, rr_dname, rr_type, rr_counter); 4701 if(rr_type == LDNS_RR_TYPE_SOA) { 4702 if(rr_counter != 0) { 4703 /* end of the axfr */ 4704 have_end_soa = 1; 4705 break; 4706 } 4707 if(rr_rdlen < 22) return 0; /* bad SOA rdlen */ 4708 serial = sldns_read_uint32(rr_rdata+rr_rdlen-20); 4709 } 4710 4711 /* add this RR */ 4712 if(!az_insert_rr_decompress(z, rr_chunk->data, rr_chunk->len, 4713 scratch_buffer, rr_dname, rr_type, rr_class, rr_ttl, 4714 rr_rdata, rr_rdlen, NULL)) { 4715 /* failed, malloc error or so */ 4716 return 0; 4717 } 4718 4719 rr_counter++; 4720 chunk_rrlist_gonext(&rr_chunk, &rr_num, &rr_pos, rr_nextpos); 4721 } 4722 if(!have_end_soa) { 4723 log_err("no end SOA record for AXFR"); 4724 return 0; 4725 } 4726 4727 xfr->serial = serial; 4728 xfr->have_zone = 1; 4729 return 1; 4730 } 4731 4732 /** apply HTTP to zone in memory. z is locked. false on failure(mallocfail) */ 4733 static int 4734 apply_http(struct auth_xfer* xfr, struct auth_zone* z, 4735 struct sldns_buffer* scratch_buffer) 4736 { 4737 /* parse data in chunks */ 4738 /* parse RR's and read into memory. ignore $INCLUDE from the 4739 * downloaded file*/ 4740 struct sldns_file_parse_state pstate; 4741 struct auth_chunk* chunk; 4742 size_t chunk_pos; 4743 memset(&pstate, 0, sizeof(pstate)); 4744 pstate.default_ttl = 3600; 4745 if(xfr->namelen < sizeof(pstate.origin)) { 4746 pstate.origin_len = xfr->namelen; 4747 memmove(pstate.origin, xfr->name, xfr->namelen); 4748 } 4749 4750 if(verbosity >= VERB_ALGO) 4751 verbose(VERB_ALGO, "http download %s of size %d", 4752 xfr->task_transfer->master->file, 4753 (int)chunklist_sum(xfr->task_transfer->chunks_first)); 4754 if(xfr->task_transfer->chunks_first && verbosity >= VERB_ALGO) { 4755 char preview[1024]; 4756 if(xfr->task_transfer->chunks_first->len+1 > sizeof(preview)) { 4757 memmove(preview, xfr->task_transfer->chunks_first->data, 4758 sizeof(preview)-1); 4759 preview[sizeof(preview)-1]=0; 4760 } else { 4761 memmove(preview, xfr->task_transfer->chunks_first->data, 4762 xfr->task_transfer->chunks_first->len); 4763 preview[xfr->task_transfer->chunks_first->len]=0; 4764 } 4765 log_info("auth zone http downloaded content preview: %s", 4766 preview); 4767 } 4768 4769 /* perhaps a little syntax check before we try to apply the data? */ 4770 if(!http_zonefile_syntax_check(xfr, scratch_buffer)) { 4771 log_err("http download %s/%s does not contain a zonefile, " 4772 "but got '%s'", xfr->task_transfer->master->host, 4773 xfr->task_transfer->master->file, 4774 sldns_buffer_begin(scratch_buffer)); 4775 return 0; 4776 } 4777 4778 /* clear the data tree */ 4779 traverse_postorder(&z->data, auth_data_del, NULL); 4780 rbtree_init(&z->data, &auth_data_cmp); 4781 xfr->have_zone = 0; 4782 xfr->serial = 0; 4783 4784 chunk = xfr->task_transfer->chunks_first; 4785 chunk_pos = 0; 4786 pstate.lineno = 0; 4787 while(chunkline_get_line_collated(&chunk, &chunk_pos, scratch_buffer)) { 4788 /* process this line */ 4789 pstate.lineno++; 4790 chunkline_newline_removal(scratch_buffer); 4791 if(chunkline_is_comment_line_or_empty(scratch_buffer)) { 4792 continue; 4793 } 4794 /* parse line and add RR */ 4795 if(http_parse_origin(scratch_buffer, &pstate)) { 4796 continue; /* $ORIGIN has been handled */ 4797 } 4798 if(http_parse_ttl(scratch_buffer, &pstate)) { 4799 continue; /* $TTL has been handled */ 4800 } 4801 if(!http_parse_add_rr(xfr, z, scratch_buffer, &pstate)) { 4802 verbose(VERB_ALGO, "error parsing line [%s:%d] %s", 4803 xfr->task_transfer->master->file, 4804 pstate.lineno, 4805 sldns_buffer_begin(scratch_buffer)); 4806 return 0; 4807 } 4808 } 4809 return 1; 4810 } 4811 4812 /** write http chunks to zonefile to create downloaded file */ 4813 static int 4814 auth_zone_write_chunks(struct auth_xfer* xfr, const char* fname) 4815 { 4816 FILE* out; 4817 struct auth_chunk* p; 4818 out = fopen(fname, "w"); 4819 if(!out) { 4820 log_err("could not open %s: %s", fname, strerror(errno)); 4821 return 0; 4822 } 4823 for(p = xfr->task_transfer->chunks_first; p ; p = p->next) { 4824 if(!write_out(out, (char*)p->data, p->len)) { 4825 log_err("could not write http download to %s", fname); 4826 fclose(out); 4827 return 0; 4828 } 4829 } 4830 fclose(out); 4831 return 1; 4832 } 4833 4834 /** write to zonefile after zone has been updated */ 4835 static void 4836 xfr_write_after_update(struct auth_xfer* xfr, struct module_env* env) 4837 { 4838 struct config_file* cfg = env->cfg; 4839 struct auth_zone* z; 4840 char tmpfile[1024]; 4841 char* zfilename; 4842 lock_basic_unlock(&xfr->lock); 4843 4844 /* get lock again, so it is a readlock and concurrently queries 4845 * can be answered */ 4846 lock_rw_rdlock(&env->auth_zones->lock); 4847 z = auth_zone_find(env->auth_zones, xfr->name, xfr->namelen, 4848 xfr->dclass); 4849 if(!z) { 4850 lock_rw_unlock(&env->auth_zones->lock); 4851 /* the zone is gone, ignore xfr results */ 4852 lock_basic_lock(&xfr->lock); 4853 return; 4854 } 4855 lock_rw_rdlock(&z->lock); 4856 lock_basic_lock(&xfr->lock); 4857 lock_rw_unlock(&env->auth_zones->lock); 4858 4859 if(z->zonefile == NULL || z->zonefile[0] == 0) { 4860 lock_rw_unlock(&z->lock); 4861 /* no write needed, no zonefile set */ 4862 return; 4863 } 4864 zfilename = z->zonefile; 4865 if(cfg->chrootdir && cfg->chrootdir[0] && strncmp(zfilename, 4866 cfg->chrootdir, strlen(cfg->chrootdir)) == 0) 4867 zfilename += strlen(cfg->chrootdir); 4868 4869 /* write to tempfile first */ 4870 if((size_t)strlen(zfilename) + 16 > sizeof(tmpfile)) { 4871 verbose(VERB_ALGO, "tmpfilename too long, cannot update " 4872 " zonefile %s", zfilename); 4873 lock_rw_unlock(&z->lock); 4874 return; 4875 } 4876 snprintf(tmpfile, sizeof(tmpfile), "%s.tmp%u", zfilename, 4877 (unsigned)getpid()); 4878 if(xfr->task_transfer->master->http) { 4879 /* use the stored chunk list to write them */ 4880 if(!auth_zone_write_chunks(xfr, tmpfile)) { 4881 unlink(tmpfile); 4882 lock_rw_unlock(&z->lock); 4883 } 4884 } else if(!auth_zone_write_file(z, tmpfile)) { 4885 unlink(tmpfile); 4886 lock_rw_unlock(&z->lock); 4887 return; 4888 } 4889 if(rename(tmpfile, zfilename) < 0) { 4890 log_err("could not rename(%s, %s): %s", tmpfile, zfilename, 4891 strerror(errno)); 4892 unlink(tmpfile); 4893 lock_rw_unlock(&z->lock); 4894 return; 4895 } 4896 lock_rw_unlock(&z->lock); 4897 } 4898 4899 /** process chunk list and update zone in memory, 4900 * return false if it did not work */ 4901 static int 4902 xfr_process_chunk_list(struct auth_xfer* xfr, struct module_env* env, 4903 int* ixfr_fail) 4904 { 4905 struct auth_zone* z; 4906 4907 /* obtain locks and structures */ 4908 /* release xfr lock, then, while holding az->lock grab both 4909 * z->lock and xfr->lock */ 4910 lock_basic_unlock(&xfr->lock); 4911 lock_rw_rdlock(&env->auth_zones->lock); 4912 z = auth_zone_find(env->auth_zones, xfr->name, xfr->namelen, 4913 xfr->dclass); 4914 if(!z) { 4915 lock_rw_unlock(&env->auth_zones->lock); 4916 /* the zone is gone, ignore xfr results */ 4917 lock_basic_lock(&xfr->lock); 4918 return 0; 4919 } 4920 lock_rw_wrlock(&z->lock); 4921 lock_basic_lock(&xfr->lock); 4922 lock_rw_unlock(&env->auth_zones->lock); 4923 4924 /* apply data */ 4925 if(xfr->task_transfer->master->http) { 4926 if(!apply_http(xfr, z, env->scratch_buffer)) { 4927 lock_rw_unlock(&z->lock); 4928 verbose(VERB_ALGO, "http from %s: could not store data", 4929 xfr->task_transfer->master->host); 4930 return 0; 4931 } 4932 } else if(xfr->task_transfer->on_ixfr && 4933 !xfr->task_transfer->on_ixfr_is_axfr) { 4934 if(!apply_ixfr(xfr, z, env->scratch_buffer)) { 4935 lock_rw_unlock(&z->lock); 4936 verbose(VERB_ALGO, "xfr from %s: could not store IXFR" 4937 " data", xfr->task_transfer->master->host); 4938 *ixfr_fail = 1; 4939 return 0; 4940 } 4941 } else { 4942 if(!apply_axfr(xfr, z, env->scratch_buffer)) { 4943 lock_rw_unlock(&z->lock); 4944 verbose(VERB_ALGO, "xfr from %s: could not store AXFR" 4945 " data", xfr->task_transfer->master->host); 4946 return 0; 4947 } 4948 } 4949 xfr->zone_expired = 0; 4950 z->zone_expired = 0; 4951 if(!xfr_find_soa(z, xfr)) { 4952 lock_rw_unlock(&z->lock); 4953 verbose(VERB_ALGO, "xfr from %s: no SOA in zone after update" 4954 " (or malformed RR)", xfr->task_transfer->master->host); 4955 return 0; 4956 } 4957 if(xfr->have_zone) 4958 xfr->lease_time = *env->now; 4959 4960 /* unlock */ 4961 lock_rw_unlock(&z->lock); 4962 4963 if(verbosity >= VERB_QUERY && xfr->have_zone) { 4964 char zname[256]; 4965 dname_str(xfr->name, zname); 4966 verbose(VERB_QUERY, "auth zone %s updated to serial %u", zname, 4967 (unsigned)xfr->serial); 4968 } 4969 /* see if we need to write to a zonefile */ 4970 xfr_write_after_update(xfr, env); 4971 return 1; 4972 } 4973 4974 /** disown task_transfer. caller must hold xfr.lock */ 4975 static void 4976 xfr_transfer_disown(struct auth_xfer* xfr) 4977 { 4978 /* remove timer (from this worker's event base) */ 4979 comm_timer_delete(xfr->task_transfer->timer); 4980 xfr->task_transfer->timer = NULL; 4981 /* remove the commpoint */ 4982 comm_point_delete(xfr->task_transfer->cp); 4983 xfr->task_transfer->cp = NULL; 4984 /* we don't own this item anymore */ 4985 xfr->task_transfer->worker = NULL; 4986 xfr->task_transfer->env = NULL; 4987 } 4988 4989 /** lookup a host name for its addresses, if needed */ 4990 static int 4991 xfr_transfer_lookup_host(struct auth_xfer* xfr, struct module_env* env) 4992 { 4993 struct sockaddr_storage addr; 4994 socklen_t addrlen = 0; 4995 struct auth_master* master = xfr->task_transfer->lookup_target; 4996 struct query_info qinfo; 4997 uint16_t qflags = BIT_RD; 4998 uint8_t dname[LDNS_MAX_DOMAINLEN+1]; 4999 struct edns_data edns; 5000 sldns_buffer* buf = env->scratch_buffer; 5001 if(!master) return 0; 5002 if(extstrtoaddr(master->host, &addr, &addrlen)) { 5003 /* not needed, host is in IP addr format */ 5004 return 0; 5005 } 5006 if(master->allow_notify) 5007 return 0; /* allow-notifies are not transferred from, no 5008 lookup is needed */ 5009 5010 /* use mesh_new_callback to probe for non-addr hosts, 5011 * and then wait for them to be looked up (in cache, or query) */ 5012 qinfo.qname_len = sizeof(dname); 5013 if(sldns_str2wire_dname_buf(master->host, dname, &qinfo.qname_len) 5014 != 0) { 5015 log_err("cannot parse host name of master %s", master->host); 5016 return 0; 5017 } 5018 qinfo.qname = dname; 5019 qinfo.qclass = xfr->dclass; 5020 qinfo.qtype = LDNS_RR_TYPE_A; 5021 if(xfr->task_transfer->lookup_aaaa) 5022 qinfo.qtype = LDNS_RR_TYPE_AAAA; 5023 qinfo.local_alias = NULL; 5024 if(verbosity >= VERB_ALGO) { 5025 char buf1[512]; 5026 char buf2[LDNS_MAX_DOMAINLEN+1]; 5027 dname_str(xfr->name, buf2); 5028 snprintf(buf1, sizeof(buf1), "auth zone %s: master lookup" 5029 " for task_transfer", buf2); 5030 log_query_info(VERB_ALGO, buf1, &qinfo); 5031 } 5032 edns.edns_present = 1; 5033 edns.ext_rcode = 0; 5034 edns.edns_version = 0; 5035 edns.bits = EDNS_DO; 5036 edns.opt_list = NULL; 5037 if(sldns_buffer_capacity(buf) < 65535) 5038 edns.udp_size = (uint16_t)sldns_buffer_capacity(buf); 5039 else edns.udp_size = 65535; 5040 5041 /* unlock xfr during mesh_new_callback() because the callback can be 5042 * called straight away */ 5043 lock_basic_unlock(&xfr->lock); 5044 if(!mesh_new_callback(env->mesh, &qinfo, qflags, &edns, buf, 0, 5045 &auth_xfer_transfer_lookup_callback, xfr)) { 5046 lock_basic_lock(&xfr->lock); 5047 log_err("out of memory lookup up master %s", master->host); 5048 return 0; 5049 } 5050 lock_basic_lock(&xfr->lock); 5051 return 1; 5052 } 5053 5054 /** initiate TCP to the target and fetch zone. 5055 * returns true if that was successfully started, and timeout setup. */ 5056 static int 5057 xfr_transfer_init_fetch(struct auth_xfer* xfr, struct module_env* env) 5058 { 5059 struct sockaddr_storage addr; 5060 socklen_t addrlen = 0; 5061 struct auth_master* master = xfr->task_transfer->master; 5062 char *auth_name = NULL; 5063 struct timeval t; 5064 int timeout; 5065 if(!master) return 0; 5066 if(master->allow_notify) return 0; /* only for notify */ 5067 5068 /* get master addr */ 5069 if(xfr->task_transfer->scan_addr) { 5070 addrlen = xfr->task_transfer->scan_addr->addrlen; 5071 memmove(&addr, &xfr->task_transfer->scan_addr->addr, addrlen); 5072 } else { 5073 if(!authextstrtoaddr(master->host, &addr, &addrlen, &auth_name)) { 5074 /* the ones that are not in addr format are supposed 5075 * to be looked up. The lookup has failed however, 5076 * so skip them */ 5077 char zname[255+1]; 5078 dname_str(xfr->name, zname); 5079 log_err("%s: failed lookup, cannot transfer from master %s", 5080 zname, master->host); 5081 return 0; 5082 } 5083 } 5084 5085 /* remove previous TCP connection (if any) */ 5086 if(xfr->task_transfer->cp) { 5087 comm_point_delete(xfr->task_transfer->cp); 5088 xfr->task_transfer->cp = NULL; 5089 } 5090 if(!xfr->task_transfer->timer) { 5091 xfr->task_transfer->timer = comm_timer_create(env->worker_base, 5092 auth_xfer_transfer_timer_callback, xfr); 5093 if(!xfr->task_transfer->timer) { 5094 log_err("malloc failure"); 5095 return 0; 5096 } 5097 } 5098 timeout = AUTH_TRANSFER_TIMEOUT; 5099 #ifndef S_SPLINT_S 5100 t.tv_sec = timeout/1000; 5101 t.tv_usec = (timeout%1000)*1000; 5102 #endif 5103 5104 if(master->http) { 5105 /* perform http fetch */ 5106 /* store http port number into sockaddr, 5107 * unless someone used unbound's host@port notation */ 5108 xfr->task_transfer->on_ixfr = 0; 5109 if(strchr(master->host, '@') == NULL) 5110 sockaddr_store_port(&addr, addrlen, master->port); 5111 xfr->task_transfer->cp = outnet_comm_point_for_http( 5112 env->outnet, auth_xfer_transfer_http_callback, xfr, 5113 &addr, addrlen, -1, master->ssl, master->host, 5114 master->file); 5115 if(!xfr->task_transfer->cp) { 5116 char zname[255+1], as[256]; 5117 dname_str(xfr->name, zname); 5118 addr_to_str(&addr, addrlen, as, sizeof(as)); 5119 verbose(VERB_ALGO, "cannot create http cp " 5120 "connection for %s to %s", zname, as); 5121 return 0; 5122 } 5123 comm_timer_set(xfr->task_transfer->timer, &t); 5124 if(verbosity >= VERB_ALGO) { 5125 char zname[255+1], as[256]; 5126 dname_str(xfr->name, zname); 5127 addr_to_str(&addr, addrlen, as, sizeof(as)); 5128 verbose(VERB_ALGO, "auth zone %s transfer next HTTP fetch from %s started", zname, as); 5129 } 5130 return 1; 5131 } 5132 5133 /* perform AXFR/IXFR */ 5134 /* set the packet to be written */ 5135 /* create new ID */ 5136 xfr->task_transfer->id = (uint16_t)(ub_random(env->rnd)&0xffff); 5137 xfr_create_ixfr_packet(xfr, env->scratch_buffer, 5138 xfr->task_transfer->id, master); 5139 5140 /* connect on fd */ 5141 xfr->task_transfer->cp = outnet_comm_point_for_tcp(env->outnet, 5142 auth_xfer_transfer_tcp_callback, xfr, &addr, addrlen, 5143 env->scratch_buffer, -1, 5144 auth_name != NULL, auth_name); 5145 if(!xfr->task_transfer->cp) { 5146 char zname[255+1], as[256]; 5147 dname_str(xfr->name, zname); 5148 addr_to_str(&addr, addrlen, as, sizeof(as)); 5149 verbose(VERB_ALGO, "cannot create tcp cp connection for " 5150 "xfr %s to %s", zname, as); 5151 return 0; 5152 } 5153 comm_timer_set(xfr->task_transfer->timer, &t); 5154 if(verbosity >= VERB_ALGO) { 5155 char zname[255+1], as[256]; 5156 dname_str(xfr->name, zname); 5157 addr_to_str(&addr, addrlen, as, sizeof(as)); 5158 verbose(VERB_ALGO, "auth zone %s transfer next %s fetch from %s started", zname, 5159 (xfr->task_transfer->on_ixfr?"IXFR":"AXFR"), as); 5160 } 5161 return 1; 5162 } 5163 5164 /** perform next lookup, next transfer TCP, or end and resume wait time task */ 5165 static void 5166 xfr_transfer_nexttarget_or_end(struct auth_xfer* xfr, struct module_env* env) 5167 { 5168 log_assert(xfr->task_transfer->worker == env->worker); 5169 5170 /* are we performing lookups? */ 5171 while(xfr->task_transfer->lookup_target) { 5172 if(xfr_transfer_lookup_host(xfr, env)) { 5173 /* wait for lookup to finish, 5174 * note that the hostname may be in unbound's cache 5175 * and we may then get an instant cache response, 5176 * and that calls the callback just like a full 5177 * lookup and lookup failures also call callback */ 5178 if(verbosity >= VERB_ALGO) { 5179 char zname[255+1]; 5180 dname_str(xfr->name, zname); 5181 verbose(VERB_ALGO, "auth zone %s transfer next target lookup", zname); 5182 } 5183 lock_basic_unlock(&xfr->lock); 5184 return; 5185 } 5186 xfr_transfer_move_to_next_lookup(xfr, env); 5187 } 5188 5189 /* initiate TCP and fetch the zone from the master */ 5190 /* and set timeout on it */ 5191 while(!xfr_transfer_end_of_list(xfr)) { 5192 xfr->task_transfer->master = xfr_transfer_current_master(xfr); 5193 if(xfr_transfer_init_fetch(xfr, env)) { 5194 /* successfully started, wait for callback */ 5195 lock_basic_unlock(&xfr->lock); 5196 return; 5197 } 5198 /* failed to fetch, next master */ 5199 xfr_transfer_nextmaster(xfr); 5200 } 5201 if(verbosity >= VERB_ALGO) { 5202 char zname[255+1]; 5203 dname_str(xfr->name, zname); 5204 verbose(VERB_ALGO, "auth zone %s transfer failed, wait", zname); 5205 } 5206 5207 /* we failed to fetch the zone, move to wait task 5208 * use the shorter retry timeout */ 5209 xfr_transfer_disown(xfr); 5210 5211 /* pick up the nextprobe task and wait */ 5212 if(xfr->task_nextprobe->worker == NULL) 5213 xfr_set_timeout(xfr, env, 1, 0); 5214 lock_basic_unlock(&xfr->lock); 5215 } 5216 5217 /** add addrs from A or AAAA rrset to the master */ 5218 static void 5219 xfr_master_add_addrs(struct auth_master* m, struct ub_packed_rrset_key* rrset, 5220 uint16_t rrtype) 5221 { 5222 size_t i; 5223 struct packed_rrset_data* data; 5224 if(!m || !rrset) return; 5225 if(rrtype != LDNS_RR_TYPE_A && rrtype != LDNS_RR_TYPE_AAAA) 5226 return; 5227 data = (struct packed_rrset_data*)rrset->entry.data; 5228 for(i=0; i<data->count; i++) { 5229 struct auth_addr* a; 5230 size_t len = data->rr_len[i] - 2; 5231 uint8_t* rdata = data->rr_data[i]+2; 5232 if(rrtype == LDNS_RR_TYPE_A && len != INET_SIZE) 5233 continue; /* wrong length for A */ 5234 if(rrtype == LDNS_RR_TYPE_AAAA && len != INET6_SIZE) 5235 continue; /* wrong length for AAAA */ 5236 5237 /* add and alloc it */ 5238 a = (struct auth_addr*)calloc(1, sizeof(*a)); 5239 if(!a) { 5240 log_err("out of memory"); 5241 return; 5242 } 5243 if(rrtype == LDNS_RR_TYPE_A) { 5244 struct sockaddr_in* sa; 5245 a->addrlen = (socklen_t)sizeof(*sa); 5246 sa = (struct sockaddr_in*)&a->addr; 5247 sa->sin_family = AF_INET; 5248 sa->sin_port = (in_port_t)htons(UNBOUND_DNS_PORT); 5249 memmove(&sa->sin_addr, rdata, INET_SIZE); 5250 } else { 5251 struct sockaddr_in6* sa; 5252 a->addrlen = (socklen_t)sizeof(*sa); 5253 sa = (struct sockaddr_in6*)&a->addr; 5254 sa->sin6_family = AF_INET6; 5255 sa->sin6_port = (in_port_t)htons(UNBOUND_DNS_PORT); 5256 memmove(&sa->sin6_addr, rdata, INET6_SIZE); 5257 } 5258 if(verbosity >= VERB_ALGO) { 5259 char s[64]; 5260 addr_to_str(&a->addr, a->addrlen, s, sizeof(s)); 5261 verbose(VERB_ALGO, "auth host %s lookup %s", 5262 m->host, s); 5263 } 5264 /* append to list */ 5265 a->next = m->list; 5266 m->list = a; 5267 } 5268 } 5269 5270 /** callback for task_transfer lookup of host name, of A or AAAA */ 5271 void auth_xfer_transfer_lookup_callback(void* arg, int rcode, sldns_buffer* buf, 5272 enum sec_status ATTR_UNUSED(sec), char* ATTR_UNUSED(why_bogus), 5273 int ATTR_UNUSED(was_ratelimited)) 5274 { 5275 struct auth_xfer* xfr = (struct auth_xfer*)arg; 5276 struct module_env* env; 5277 log_assert(xfr->task_transfer); 5278 lock_basic_lock(&xfr->lock); 5279 env = xfr->task_transfer->env; 5280 if(env->outnet->want_to_quit) { 5281 lock_basic_unlock(&xfr->lock); 5282 return; /* stop on quit */ 5283 } 5284 5285 /* process result */ 5286 if(rcode == LDNS_RCODE_NOERROR) { 5287 uint16_t wanted_qtype = LDNS_RR_TYPE_A; 5288 struct regional* temp = env->scratch; 5289 struct query_info rq; 5290 struct reply_info* rep; 5291 if(xfr->task_transfer->lookup_aaaa) 5292 wanted_qtype = LDNS_RR_TYPE_AAAA; 5293 memset(&rq, 0, sizeof(rq)); 5294 rep = parse_reply_in_temp_region(buf, temp, &rq); 5295 if(rep && rq.qtype == wanted_qtype && 5296 FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NOERROR) { 5297 /* parsed successfully */ 5298 struct ub_packed_rrset_key* answer = 5299 reply_find_answer_rrset(&rq, rep); 5300 if(answer) { 5301 xfr_master_add_addrs(xfr->task_transfer-> 5302 lookup_target, answer, wanted_qtype); 5303 } else { 5304 if(verbosity >= VERB_ALGO) { 5305 char zname[255+1]; 5306 dname_str(xfr->name, zname); 5307 verbose(VERB_ALGO, "auth zone %s host %s type %s transfer lookup has nodata", zname, xfr->task_transfer->lookup_target->host, (xfr->task_transfer->lookup_aaaa?"AAAA":"A")); 5308 } 5309 } 5310 } else { 5311 if(verbosity >= VERB_ALGO) { 5312 char zname[255+1]; 5313 dname_str(xfr->name, zname); 5314 verbose(VERB_ALGO, "auth zone %s host %s type %s transfer lookup has no answer", zname, xfr->task_transfer->lookup_target->host, (xfr->task_transfer->lookup_aaaa?"AAAA":"A")); 5315 } 5316 } 5317 } else { 5318 if(verbosity >= VERB_ALGO) { 5319 char zname[255+1]; 5320 dname_str(xfr->name, zname); 5321 verbose(VERB_ALGO, "auth zone %s host %s type %s transfer lookup failed", zname, xfr->task_transfer->lookup_target->host, (xfr->task_transfer->lookup_aaaa?"AAAA":"A")); 5322 } 5323 } 5324 if(xfr->task_transfer->lookup_target->list && 5325 xfr->task_transfer->lookup_target == xfr_transfer_current_master(xfr)) 5326 xfr->task_transfer->scan_addr = xfr->task_transfer->lookup_target->list; 5327 5328 /* move to lookup AAAA after A lookup, move to next hostname lookup, 5329 * or move to fetch the zone, or, if nothing to do, end task_transfer */ 5330 xfr_transfer_move_to_next_lookup(xfr, env); 5331 xfr_transfer_nexttarget_or_end(xfr, env); 5332 } 5333 5334 /** check if xfer (AXFR or IXFR) packet is OK. 5335 * return false if we lost connection (SERVFAIL, or unreadable). 5336 * return false if we need to move from IXFR to AXFR, with gonextonfail 5337 * set to false, so the same master is tried again, but with AXFR. 5338 * return true if fine to link into data. 5339 * return true with transferdone=true when the transfer has ended. 5340 */ 5341 static int 5342 check_xfer_packet(sldns_buffer* pkt, struct auth_xfer* xfr, 5343 int* gonextonfail, int* transferdone) 5344 { 5345 uint8_t* wire = sldns_buffer_begin(pkt); 5346 int i; 5347 if(sldns_buffer_limit(pkt) < LDNS_HEADER_SIZE) { 5348 verbose(VERB_ALGO, "xfr to %s failed, packet too small", 5349 xfr->task_transfer->master->host); 5350 return 0; 5351 } 5352 if(!LDNS_QR_WIRE(wire)) { 5353 verbose(VERB_ALGO, "xfr to %s failed, packet has no QR flag", 5354 xfr->task_transfer->master->host); 5355 return 0; 5356 } 5357 if(LDNS_TC_WIRE(wire)) { 5358 verbose(VERB_ALGO, "xfr to %s failed, packet has TC flag", 5359 xfr->task_transfer->master->host); 5360 return 0; 5361 } 5362 /* check ID */ 5363 if(LDNS_ID_WIRE(wire) != xfr->task_transfer->id) { 5364 verbose(VERB_ALGO, "xfr to %s failed, packet wrong ID", 5365 xfr->task_transfer->master->host); 5366 return 0; 5367 } 5368 if(LDNS_RCODE_WIRE(wire) != LDNS_RCODE_NOERROR) { 5369 char rcode[32]; 5370 sldns_wire2str_rcode_buf((int)LDNS_RCODE_WIRE(wire), rcode, 5371 sizeof(rcode)); 5372 /* if we are doing IXFR, check for fallback */ 5373 if(xfr->task_transfer->on_ixfr) { 5374 if(LDNS_RCODE_WIRE(wire) == LDNS_RCODE_NOTIMPL || 5375 LDNS_RCODE_WIRE(wire) == LDNS_RCODE_SERVFAIL || 5376 LDNS_RCODE_WIRE(wire) == LDNS_RCODE_REFUSED || 5377 LDNS_RCODE_WIRE(wire) == LDNS_RCODE_FORMERR) { 5378 verbose(VERB_ALGO, "xfr to %s, fallback " 5379 "from IXFR to AXFR (with rcode %s)", 5380 xfr->task_transfer->master->host, 5381 rcode); 5382 xfr->task_transfer->ixfr_fail = 1; 5383 *gonextonfail = 0; 5384 return 0; 5385 } 5386 } 5387 verbose(VERB_ALGO, "xfr to %s failed, packet with rcode %s", 5388 xfr->task_transfer->master->host, rcode); 5389 return 0; 5390 } 5391 if(LDNS_OPCODE_WIRE(wire) != LDNS_PACKET_QUERY) { 5392 verbose(VERB_ALGO, "xfr to %s failed, packet with bad opcode", 5393 xfr->task_transfer->master->host); 5394 return 0; 5395 } 5396 if(LDNS_QDCOUNT(wire) > 1) { 5397 verbose(VERB_ALGO, "xfr to %s failed, packet has qdcount %d", 5398 xfr->task_transfer->master->host, 5399 (int)LDNS_QDCOUNT(wire)); 5400 return 0; 5401 } 5402 5403 /* check qname */ 5404 sldns_buffer_set_position(pkt, LDNS_HEADER_SIZE); 5405 for(i=0; i<(int)LDNS_QDCOUNT(wire); i++) { 5406 size_t pos = sldns_buffer_position(pkt); 5407 uint16_t qtype, qclass; 5408 if(pkt_dname_len(pkt) == 0) { 5409 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5410 "malformed dname", 5411 xfr->task_transfer->master->host); 5412 return 0; 5413 } 5414 if(dname_pkt_compare(pkt, sldns_buffer_at(pkt, pos), 5415 xfr->name) != 0) { 5416 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5417 "wrong qname", 5418 xfr->task_transfer->master->host); 5419 return 0; 5420 } 5421 if(sldns_buffer_remaining(pkt) < 4) { 5422 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5423 "truncated query RR", 5424 xfr->task_transfer->master->host); 5425 return 0; 5426 } 5427 qtype = sldns_buffer_read_u16(pkt); 5428 qclass = sldns_buffer_read_u16(pkt); 5429 if(qclass != xfr->dclass) { 5430 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5431 "wrong qclass", 5432 xfr->task_transfer->master->host); 5433 return 0; 5434 } 5435 if(xfr->task_transfer->on_ixfr) { 5436 if(qtype != LDNS_RR_TYPE_IXFR) { 5437 verbose(VERB_ALGO, "xfr to %s failed, packet " 5438 "with wrong qtype, expected IXFR", 5439 xfr->task_transfer->master->host); 5440 return 0; 5441 } 5442 } else { 5443 if(qtype != LDNS_RR_TYPE_AXFR) { 5444 verbose(VERB_ALGO, "xfr to %s failed, packet " 5445 "with wrong qtype, expected AXFR", 5446 xfr->task_transfer->master->host); 5447 return 0; 5448 } 5449 } 5450 } 5451 5452 /* check parse of RRs in packet, store first SOA serial 5453 * to be able to detect last SOA (with that serial) to see if done */ 5454 /* also check for IXFR 'zone up to date' reply */ 5455 for(i=0; i<(int)LDNS_ANCOUNT(wire); i++) { 5456 size_t pos = sldns_buffer_position(pkt); 5457 uint16_t tp, rdlen; 5458 if(pkt_dname_len(pkt) == 0) { 5459 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5460 "malformed dname in answer section", 5461 xfr->task_transfer->master->host); 5462 return 0; 5463 } 5464 if(sldns_buffer_remaining(pkt) < 10) { 5465 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5466 "truncated RR", 5467 xfr->task_transfer->master->host); 5468 return 0; 5469 } 5470 tp = sldns_buffer_read_u16(pkt); 5471 (void)sldns_buffer_read_u16(pkt); /* class */ 5472 (void)sldns_buffer_read_u32(pkt); /* ttl */ 5473 rdlen = sldns_buffer_read_u16(pkt); 5474 if(sldns_buffer_remaining(pkt) < rdlen) { 5475 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5476 "truncated RR rdata", 5477 xfr->task_transfer->master->host); 5478 return 0; 5479 } 5480 5481 /* RR parses (haven't checked rdata itself), now look at 5482 * SOA records to see serial number */ 5483 if(xfr->task_transfer->rr_scan_num == 0 && 5484 tp != LDNS_RR_TYPE_SOA) { 5485 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5486 "malformed zone transfer, no start SOA", 5487 xfr->task_transfer->master->host); 5488 return 0; 5489 } 5490 if(xfr->task_transfer->rr_scan_num == 1 && 5491 tp != LDNS_RR_TYPE_SOA) { 5492 /* second RR is not a SOA record, this is not an IXFR 5493 * the master is replying with an AXFR */ 5494 xfr->task_transfer->on_ixfr_is_axfr = 1; 5495 } 5496 if(tp == LDNS_RR_TYPE_SOA) { 5497 uint32_t serial; 5498 if(rdlen < 22) { 5499 verbose(VERB_ALGO, "xfr to %s failed, packet " 5500 "with SOA with malformed rdata", 5501 xfr->task_transfer->master->host); 5502 return 0; 5503 } 5504 if(dname_pkt_compare(pkt, sldns_buffer_at(pkt, pos), 5505 xfr->name) != 0) { 5506 verbose(VERB_ALGO, "xfr to %s failed, packet " 5507 "with SOA with wrong dname", 5508 xfr->task_transfer->master->host); 5509 return 0; 5510 } 5511 5512 /* read serial number of SOA */ 5513 serial = sldns_buffer_read_u32_at(pkt, 5514 sldns_buffer_position(pkt)+rdlen-20); 5515 5516 /* check for IXFR 'zone has SOA x' reply */ 5517 if(xfr->task_transfer->on_ixfr && 5518 xfr->task_transfer->rr_scan_num == 0 && 5519 LDNS_ANCOUNT(wire)==1) { 5520 verbose(VERB_ALGO, "xfr to %s ended, " 5521 "IXFR reply that zone has serial %u", 5522 xfr->task_transfer->master->host, 5523 (unsigned)serial); 5524 return 0; 5525 } 5526 5527 /* if first SOA, store serial number */ 5528 if(xfr->task_transfer->got_xfr_serial == 0) { 5529 xfr->task_transfer->got_xfr_serial = 1; 5530 xfr->task_transfer->incoming_xfr_serial = 5531 serial; 5532 verbose(VERB_ALGO, "xfr %s: contains " 5533 "SOA serial %u", 5534 xfr->task_transfer->master->host, 5535 (unsigned)serial); 5536 /* see if end of AXFR */ 5537 } else if(!xfr->task_transfer->on_ixfr || 5538 xfr->task_transfer->on_ixfr_is_axfr) { 5539 /* second SOA with serial is the end 5540 * for AXFR */ 5541 *transferdone = 1; 5542 verbose(VERB_ALGO, "xfr %s: last AXFR packet", 5543 xfr->task_transfer->master->host); 5544 /* for IXFR, count SOA records with that serial */ 5545 } else if(xfr->task_transfer->incoming_xfr_serial == 5546 serial && xfr->task_transfer->got_xfr_serial 5547 == 1) { 5548 xfr->task_transfer->got_xfr_serial++; 5549 /* if not first soa, if serial==firstserial, the 5550 * third time we are at the end, for IXFR */ 5551 } else if(xfr->task_transfer->incoming_xfr_serial == 5552 serial && xfr->task_transfer->got_xfr_serial 5553 == 2) { 5554 verbose(VERB_ALGO, "xfr %s: last IXFR packet", 5555 xfr->task_transfer->master->host); 5556 *transferdone = 1; 5557 /* continue parse check, if that succeeds, 5558 * transfer is done */ 5559 } 5560 } 5561 xfr->task_transfer->rr_scan_num++; 5562 5563 /* skip over RR rdata to go to the next RR */ 5564 sldns_buffer_skip(pkt, (ssize_t)rdlen); 5565 } 5566 5567 /* check authority section */ 5568 /* we skip over the RRs checking packet format */ 5569 for(i=0; i<(int)LDNS_NSCOUNT(wire); i++) { 5570 uint16_t rdlen; 5571 if(pkt_dname_len(pkt) == 0) { 5572 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5573 "malformed dname in authority section", 5574 xfr->task_transfer->master->host); 5575 return 0; 5576 } 5577 if(sldns_buffer_remaining(pkt) < 10) { 5578 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5579 "truncated RR", 5580 xfr->task_transfer->master->host); 5581 return 0; 5582 } 5583 (void)sldns_buffer_read_u16(pkt); /* type */ 5584 (void)sldns_buffer_read_u16(pkt); /* class */ 5585 (void)sldns_buffer_read_u32(pkt); /* ttl */ 5586 rdlen = sldns_buffer_read_u16(pkt); 5587 if(sldns_buffer_remaining(pkt) < rdlen) { 5588 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5589 "truncated RR rdata", 5590 xfr->task_transfer->master->host); 5591 return 0; 5592 } 5593 /* skip over RR rdata to go to the next RR */ 5594 sldns_buffer_skip(pkt, (ssize_t)rdlen); 5595 } 5596 5597 /* check additional section */ 5598 for(i=0; i<(int)LDNS_ARCOUNT(wire); i++) { 5599 uint16_t rdlen; 5600 if(pkt_dname_len(pkt) == 0) { 5601 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5602 "malformed dname in additional section", 5603 xfr->task_transfer->master->host); 5604 return 0; 5605 } 5606 if(sldns_buffer_remaining(pkt) < 10) { 5607 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5608 "truncated RR", 5609 xfr->task_transfer->master->host); 5610 return 0; 5611 } 5612 (void)sldns_buffer_read_u16(pkt); /* type */ 5613 (void)sldns_buffer_read_u16(pkt); /* class */ 5614 (void)sldns_buffer_read_u32(pkt); /* ttl */ 5615 rdlen = sldns_buffer_read_u16(pkt); 5616 if(sldns_buffer_remaining(pkt) < rdlen) { 5617 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5618 "truncated RR rdata", 5619 xfr->task_transfer->master->host); 5620 return 0; 5621 } 5622 /* skip over RR rdata to go to the next RR */ 5623 sldns_buffer_skip(pkt, (ssize_t)rdlen); 5624 } 5625 5626 return 1; 5627 } 5628 5629 /** Link the data from this packet into the worklist of transferred data */ 5630 static int 5631 xfer_link_data(sldns_buffer* pkt, struct auth_xfer* xfr) 5632 { 5633 /* alloc it */ 5634 struct auth_chunk* e; 5635 e = (struct auth_chunk*)calloc(1, sizeof(*e)); 5636 if(!e) return 0; 5637 e->next = NULL; 5638 e->len = sldns_buffer_limit(pkt); 5639 e->data = memdup(sldns_buffer_begin(pkt), e->len); 5640 if(!e->data) { 5641 free(e); 5642 return 0; 5643 } 5644 5645 /* alloc succeeded, link into list */ 5646 if(!xfr->task_transfer->chunks_first) 5647 xfr->task_transfer->chunks_first = e; 5648 if(xfr->task_transfer->chunks_last) 5649 xfr->task_transfer->chunks_last->next = e; 5650 xfr->task_transfer->chunks_last = e; 5651 return 1; 5652 } 5653 5654 /** task transfer. the list of data is complete. process it and if failed 5655 * move to next master, if succeeded, end the task transfer */ 5656 static void 5657 process_list_end_transfer(struct auth_xfer* xfr, struct module_env* env) 5658 { 5659 int ixfr_fail = 0; 5660 if(xfr_process_chunk_list(xfr, env, &ixfr_fail)) { 5661 /* it worked! */ 5662 auth_chunks_delete(xfr->task_transfer); 5663 5664 /* we fetched the zone, move to wait task */ 5665 xfr_transfer_disown(xfr); 5666 5667 if(xfr->notify_received && (!xfr->notify_has_serial || 5668 (xfr->notify_has_serial && 5669 xfr_serial_means_update(xfr, xfr->notify_serial)))) { 5670 uint32_t sr = xfr->notify_serial; 5671 int has_sr = xfr->notify_has_serial; 5672 /* we received a notify while probe/transfer was 5673 * in progress. start a new probe and transfer */ 5674 xfr->notify_received = 0; 5675 xfr->notify_has_serial = 0; 5676 xfr->notify_serial = 0; 5677 if(!xfr_start_probe(xfr, env, NULL)) { 5678 /* if we couldn't start it, already in 5679 * progress; restore notify serial, 5680 * while xfr still locked */ 5681 xfr->notify_received = 1; 5682 xfr->notify_has_serial = has_sr; 5683 xfr->notify_serial = sr; 5684 lock_basic_unlock(&xfr->lock); 5685 } 5686 return; 5687 } else { 5688 /* pick up the nextprobe task and wait (normail wait time) */ 5689 if(xfr->task_nextprobe->worker == NULL) 5690 xfr_set_timeout(xfr, env, 0, 0); 5691 } 5692 lock_basic_unlock(&xfr->lock); 5693 return; 5694 } 5695 /* processing failed */ 5696 /* when done, delete data from list */ 5697 auth_chunks_delete(xfr->task_transfer); 5698 if(ixfr_fail) { 5699 xfr->task_transfer->ixfr_fail = 1; 5700 } else { 5701 xfr_transfer_nextmaster(xfr); 5702 } 5703 xfr_transfer_nexttarget_or_end(xfr, env); 5704 } 5705 5706 /** callback for the task_transfer timer */ 5707 void 5708 auth_xfer_transfer_timer_callback(void* arg) 5709 { 5710 struct auth_xfer* xfr = (struct auth_xfer*)arg; 5711 struct module_env* env; 5712 int gonextonfail = 1; 5713 log_assert(xfr->task_transfer); 5714 lock_basic_lock(&xfr->lock); 5715 env = xfr->task_transfer->env; 5716 if(env->outnet->want_to_quit) { 5717 lock_basic_unlock(&xfr->lock); 5718 return; /* stop on quit */ 5719 } 5720 5721 verbose(VERB_ALGO, "xfr stopped, connection timeout to %s", 5722 xfr->task_transfer->master->host); 5723 5724 /* see if IXFR caused the failure, if so, try AXFR */ 5725 if(xfr->task_transfer->on_ixfr) { 5726 xfr->task_transfer->ixfr_possible_timeout_count++; 5727 if(xfr->task_transfer->ixfr_possible_timeout_count >= 5728 NUM_TIMEOUTS_FALLBACK_IXFR) { 5729 verbose(VERB_ALGO, "xfr to %s, fallback " 5730 "from IXFR to AXFR (because of timeouts)", 5731 xfr->task_transfer->master->host); 5732 xfr->task_transfer->ixfr_fail = 1; 5733 gonextonfail = 0; 5734 } 5735 } 5736 5737 /* delete transferred data from list */ 5738 auth_chunks_delete(xfr->task_transfer); 5739 comm_point_delete(xfr->task_transfer->cp); 5740 xfr->task_transfer->cp = NULL; 5741 if(gonextonfail) 5742 xfr_transfer_nextmaster(xfr); 5743 xfr_transfer_nexttarget_or_end(xfr, env); 5744 } 5745 5746 /** callback for task_transfer tcp connections */ 5747 int 5748 auth_xfer_transfer_tcp_callback(struct comm_point* c, void* arg, int err, 5749 struct comm_reply* ATTR_UNUSED(repinfo)) 5750 { 5751 struct auth_xfer* xfr = (struct auth_xfer*)arg; 5752 struct module_env* env; 5753 int gonextonfail = 1; 5754 int transferdone = 0; 5755 log_assert(xfr->task_transfer); 5756 lock_basic_lock(&xfr->lock); 5757 env = xfr->task_transfer->env; 5758 if(env->outnet->want_to_quit) { 5759 lock_basic_unlock(&xfr->lock); 5760 return 0; /* stop on quit */ 5761 } 5762 /* stop the timer */ 5763 comm_timer_disable(xfr->task_transfer->timer); 5764 5765 if(err != NETEVENT_NOERROR) { 5766 /* connection failed, closed, or timeout */ 5767 /* stop this transfer, cleanup 5768 * and continue task_transfer*/ 5769 verbose(VERB_ALGO, "xfr stopped, connection lost to %s", 5770 xfr->task_transfer->master->host); 5771 5772 /* see if IXFR caused the failure, if so, try AXFR */ 5773 if(xfr->task_transfer->on_ixfr) { 5774 xfr->task_transfer->ixfr_possible_timeout_count++; 5775 if(xfr->task_transfer->ixfr_possible_timeout_count >= 5776 NUM_TIMEOUTS_FALLBACK_IXFR) { 5777 verbose(VERB_ALGO, "xfr to %s, fallback " 5778 "from IXFR to AXFR (because of timeouts)", 5779 xfr->task_transfer->master->host); 5780 xfr->task_transfer->ixfr_fail = 1; 5781 gonextonfail = 0; 5782 } 5783 } 5784 5785 failed: 5786 /* delete transferred data from list */ 5787 auth_chunks_delete(xfr->task_transfer); 5788 comm_point_delete(xfr->task_transfer->cp); 5789 xfr->task_transfer->cp = NULL; 5790 if(gonextonfail) 5791 xfr_transfer_nextmaster(xfr); 5792 xfr_transfer_nexttarget_or_end(xfr, env); 5793 return 0; 5794 } 5795 /* note that IXFR worked without timeout */ 5796 if(xfr->task_transfer->on_ixfr) 5797 xfr->task_transfer->ixfr_possible_timeout_count = 0; 5798 5799 /* handle returned packet */ 5800 /* if it fails, cleanup and end this transfer */ 5801 /* if it needs to fallback from IXFR to AXFR, do that */ 5802 if(!check_xfer_packet(c->buffer, xfr, &gonextonfail, &transferdone)) { 5803 goto failed; 5804 } 5805 /* if it is good, link it into the list of data */ 5806 /* if the link into list of data fails (malloc fail) cleanup and end */ 5807 if(!xfer_link_data(c->buffer, xfr)) { 5808 verbose(VERB_ALGO, "xfr stopped to %s, malloc failed", 5809 xfr->task_transfer->master->host); 5810 goto failed; 5811 } 5812 /* if the transfer is done now, disconnect and process the list */ 5813 if(transferdone) { 5814 comm_point_delete(xfr->task_transfer->cp); 5815 xfr->task_transfer->cp = NULL; 5816 process_list_end_transfer(xfr, env); 5817 return 0; 5818 } 5819 5820 /* if we want to read more messages, setup the commpoint to read 5821 * a DNS packet, and the timeout */ 5822 lock_basic_unlock(&xfr->lock); 5823 c->tcp_is_reading = 1; 5824 sldns_buffer_clear(c->buffer); 5825 comm_point_start_listening(c, -1, AUTH_TRANSFER_TIMEOUT); 5826 return 0; 5827 } 5828 5829 /** callback for task_transfer http connections */ 5830 int 5831 auth_xfer_transfer_http_callback(struct comm_point* c, void* arg, int err, 5832 struct comm_reply* repinfo) 5833 { 5834 struct auth_xfer* xfr = (struct auth_xfer*)arg; 5835 struct module_env* env; 5836 log_assert(xfr->task_transfer); 5837 lock_basic_lock(&xfr->lock); 5838 env = xfr->task_transfer->env; 5839 if(env->outnet->want_to_quit) { 5840 lock_basic_unlock(&xfr->lock); 5841 return 0; /* stop on quit */ 5842 } 5843 verbose(VERB_ALGO, "auth zone transfer http callback"); 5844 /* stop the timer */ 5845 comm_timer_disable(xfr->task_transfer->timer); 5846 5847 if(err != NETEVENT_NOERROR && err != NETEVENT_DONE) { 5848 /* connection failed, closed, or timeout */ 5849 /* stop this transfer, cleanup 5850 * and continue task_transfer*/ 5851 verbose(VERB_ALGO, "http stopped, connection lost to %s", 5852 xfr->task_transfer->master->host); 5853 failed: 5854 /* delete transferred data from list */ 5855 auth_chunks_delete(xfr->task_transfer); 5856 if(repinfo) repinfo->c = NULL; /* signal cp deleted to 5857 the routine calling this callback */ 5858 comm_point_delete(xfr->task_transfer->cp); 5859 xfr->task_transfer->cp = NULL; 5860 xfr_transfer_nextmaster(xfr); 5861 xfr_transfer_nexttarget_or_end(xfr, env); 5862 return 0; 5863 } 5864 5865 /* if it is good, link it into the list of data */ 5866 /* if the link into list of data fails (malloc fail) cleanup and end */ 5867 if(sldns_buffer_limit(c->buffer) > 0) { 5868 verbose(VERB_ALGO, "auth zone http queued up %d bytes", 5869 (int)sldns_buffer_limit(c->buffer)); 5870 if(!xfer_link_data(c->buffer, xfr)) { 5871 verbose(VERB_ALGO, "http stopped to %s, malloc failed", 5872 xfr->task_transfer->master->host); 5873 goto failed; 5874 } 5875 } 5876 /* if the transfer is done now, disconnect and process the list */ 5877 if(err == NETEVENT_DONE) { 5878 if(repinfo) repinfo->c = NULL; /* signal cp deleted to 5879 the routine calling this callback */ 5880 comm_point_delete(xfr->task_transfer->cp); 5881 xfr->task_transfer->cp = NULL; 5882 process_list_end_transfer(xfr, env); 5883 return 0; 5884 } 5885 5886 /* if we want to read more messages, setup the commpoint to read 5887 * a DNS packet, and the timeout */ 5888 lock_basic_unlock(&xfr->lock); 5889 c->tcp_is_reading = 1; 5890 sldns_buffer_clear(c->buffer); 5891 comm_point_start_listening(c, -1, AUTH_TRANSFER_TIMEOUT); 5892 return 0; 5893 } 5894 5895 5896 /** start transfer task by this worker , xfr is locked. */ 5897 static void 5898 xfr_start_transfer(struct auth_xfer* xfr, struct module_env* env, 5899 struct auth_master* master) 5900 { 5901 log_assert(xfr->task_transfer != NULL); 5902 log_assert(xfr->task_transfer->worker == NULL); 5903 log_assert(xfr->task_transfer->chunks_first == NULL); 5904 log_assert(xfr->task_transfer->chunks_last == NULL); 5905 xfr->task_transfer->worker = env->worker; 5906 xfr->task_transfer->env = env; 5907 5908 /* init transfer process */ 5909 /* find that master in the transfer's list of masters? */ 5910 xfr_transfer_start_list(xfr, master); 5911 /* start lookup for hostnames in transfer master list */ 5912 xfr_transfer_start_lookups(xfr); 5913 5914 /* initiate TCP, and set timeout on it */ 5915 xfr_transfer_nexttarget_or_end(xfr, env); 5916 } 5917 5918 /** disown task_probe. caller must hold xfr.lock */ 5919 static void 5920 xfr_probe_disown(struct auth_xfer* xfr) 5921 { 5922 /* remove timer (from this worker's event base) */ 5923 comm_timer_delete(xfr->task_probe->timer); 5924 xfr->task_probe->timer = NULL; 5925 /* remove the commpoint */ 5926 comm_point_delete(xfr->task_probe->cp); 5927 xfr->task_probe->cp = NULL; 5928 /* we don't own this item anymore */ 5929 xfr->task_probe->worker = NULL; 5930 xfr->task_probe->env = NULL; 5931 } 5932 5933 /** send the UDP probe to the master, this is part of task_probe */ 5934 static int 5935 xfr_probe_send_probe(struct auth_xfer* xfr, struct module_env* env, 5936 int timeout) 5937 { 5938 struct sockaddr_storage addr; 5939 socklen_t addrlen = 0; 5940 struct timeval t; 5941 /* pick master */ 5942 struct auth_master* master = xfr_probe_current_master(xfr); 5943 char *auth_name = NULL; 5944 if(!master) return 0; 5945 if(master->allow_notify) return 0; /* only for notify */ 5946 if(master->http) return 0; /* only masters get SOA UDP probe, 5947 not urls, if those are in this list */ 5948 5949 /* get master addr */ 5950 if(xfr->task_probe->scan_addr) { 5951 addrlen = xfr->task_probe->scan_addr->addrlen; 5952 memmove(&addr, &xfr->task_probe->scan_addr->addr, addrlen); 5953 } else { 5954 if(!authextstrtoaddr(master->host, &addr, &addrlen, &auth_name)) { 5955 /* the ones that are not in addr format are supposed 5956 * to be looked up. The lookup has failed however, 5957 * so skip them */ 5958 char zname[255+1]; 5959 dname_str(xfr->name, zname); 5960 log_err("%s: failed lookup, cannot probe to master %s", 5961 zname, master->host); 5962 return 0; 5963 } 5964 if (auth_name != NULL) { 5965 if (addr.ss_family == AF_INET 5966 && ntohs(((struct sockaddr_in *)&addr)->sin_port) 5967 == env->cfg->ssl_port) 5968 ((struct sockaddr_in *)&addr)->sin_port 5969 = htons(env->cfg->port); 5970 else if (addr.ss_family == AF_INET6 5971 && ntohs(((struct sockaddr_in6 *)&addr)->sin6_port) 5972 == env->cfg->ssl_port) 5973 ((struct sockaddr_in6 *)&addr)->sin6_port 5974 = htons(env->cfg->port); 5975 } 5976 } 5977 5978 /* create packet */ 5979 /* create new ID for new probes, but not on timeout retries, 5980 * this means we'll accept replies to previous retries to same ip */ 5981 if(timeout == AUTH_PROBE_TIMEOUT) 5982 xfr->task_probe->id = (uint16_t)(ub_random(env->rnd)&0xffff); 5983 xfr_create_soa_probe_packet(xfr, env->scratch_buffer, 5984 xfr->task_probe->id); 5985 /* we need to remove the cp if we have a different ip4/ip6 type now */ 5986 if(xfr->task_probe->cp && 5987 ((xfr->task_probe->cp_is_ip6 && !addr_is_ip6(&addr, addrlen)) || 5988 (!xfr->task_probe->cp_is_ip6 && addr_is_ip6(&addr, addrlen))) 5989 ) { 5990 comm_point_delete(xfr->task_probe->cp); 5991 xfr->task_probe->cp = NULL; 5992 } 5993 if(!xfr->task_probe->cp) { 5994 if(addr_is_ip6(&addr, addrlen)) 5995 xfr->task_probe->cp_is_ip6 = 1; 5996 else xfr->task_probe->cp_is_ip6 = 0; 5997 xfr->task_probe->cp = outnet_comm_point_for_udp(env->outnet, 5998 auth_xfer_probe_udp_callback, xfr, &addr, addrlen); 5999 if(!xfr->task_probe->cp) { 6000 char zname[255+1], as[256]; 6001 dname_str(xfr->name, zname); 6002 addr_to_str(&addr, addrlen, as, sizeof(as)); 6003 verbose(VERB_ALGO, "cannot create udp cp for " 6004 "probe %s to %s", zname, as); 6005 return 0; 6006 } 6007 } 6008 if(!xfr->task_probe->timer) { 6009 xfr->task_probe->timer = comm_timer_create(env->worker_base, 6010 auth_xfer_probe_timer_callback, xfr); 6011 if(!xfr->task_probe->timer) { 6012 log_err("malloc failure"); 6013 return 0; 6014 } 6015 } 6016 6017 /* send udp packet */ 6018 if(!comm_point_send_udp_msg(xfr->task_probe->cp, env->scratch_buffer, 6019 (struct sockaddr*)&addr, addrlen)) { 6020 char zname[255+1], as[256]; 6021 dname_str(xfr->name, zname); 6022 addr_to_str(&addr, addrlen, as, sizeof(as)); 6023 verbose(VERB_ALGO, "failed to send soa probe for %s to %s", 6024 zname, as); 6025 return 0; 6026 } 6027 if(verbosity >= VERB_ALGO) { 6028 char zname[255+1], as[256]; 6029 dname_str(xfr->name, zname); 6030 addr_to_str(&addr, addrlen, as, sizeof(as)); 6031 verbose(VERB_ALGO, "auth zone %s soa probe sent to %s", zname, 6032 as); 6033 } 6034 xfr->task_probe->timeout = timeout; 6035 #ifndef S_SPLINT_S 6036 t.tv_sec = timeout/1000; 6037 t.tv_usec = (timeout%1000)*1000; 6038 #endif 6039 comm_timer_set(xfr->task_probe->timer, &t); 6040 6041 return 1; 6042 } 6043 6044 /** callback for task_probe timer */ 6045 void 6046 auth_xfer_probe_timer_callback(void* arg) 6047 { 6048 struct auth_xfer* xfr = (struct auth_xfer*)arg; 6049 struct module_env* env; 6050 log_assert(xfr->task_probe); 6051 lock_basic_lock(&xfr->lock); 6052 env = xfr->task_probe->env; 6053 if(env->outnet->want_to_quit) { 6054 lock_basic_unlock(&xfr->lock); 6055 return; /* stop on quit */ 6056 } 6057 6058 if(verbosity >= VERB_ALGO) { 6059 char zname[255+1]; 6060 dname_str(xfr->name, zname); 6061 verbose(VERB_ALGO, "auth zone %s soa probe timeout", zname); 6062 } 6063 if(xfr->task_probe->timeout <= AUTH_PROBE_TIMEOUT_STOP) { 6064 /* try again with bigger timeout */ 6065 if(xfr_probe_send_probe(xfr, env, xfr->task_probe->timeout*2)) { 6066 lock_basic_unlock(&xfr->lock); 6067 return; 6068 } 6069 } 6070 /* delete commpoint so a new one is created, with a fresh port nr */ 6071 comm_point_delete(xfr->task_probe->cp); 6072 xfr->task_probe->cp = NULL; 6073 6074 /* too many timeouts (or fail to send), move to next or end */ 6075 xfr_probe_nextmaster(xfr); 6076 xfr_probe_send_or_end(xfr, env); 6077 } 6078 6079 /** callback for task_probe udp packets */ 6080 int 6081 auth_xfer_probe_udp_callback(struct comm_point* c, void* arg, int err, 6082 struct comm_reply* repinfo) 6083 { 6084 struct auth_xfer* xfr = (struct auth_xfer*)arg; 6085 struct module_env* env; 6086 log_assert(xfr->task_probe); 6087 lock_basic_lock(&xfr->lock); 6088 env = xfr->task_probe->env; 6089 if(env->outnet->want_to_quit) { 6090 lock_basic_unlock(&xfr->lock); 6091 return 0; /* stop on quit */ 6092 } 6093 6094 /* the comm_point_udp_callback is in a for loop for NUM_UDP_PER_SELECT 6095 * and we set rep.c=NULL to stop if from looking inside the commpoint*/ 6096 repinfo->c = NULL; 6097 /* stop the timer */ 6098 comm_timer_disable(xfr->task_probe->timer); 6099 6100 /* see if we got a packet and what that means */ 6101 if(err == NETEVENT_NOERROR) { 6102 uint32_t serial = 0; 6103 if(check_packet_ok(c->buffer, LDNS_RR_TYPE_SOA, xfr, 6104 &serial)) { 6105 /* successful lookup */ 6106 if(verbosity >= VERB_ALGO) { 6107 char buf[256]; 6108 dname_str(xfr->name, buf); 6109 verbose(VERB_ALGO, "auth zone %s: soa probe " 6110 "serial is %u", buf, (unsigned)serial); 6111 } 6112 /* see if this serial indicates that the zone has 6113 * to be updated */ 6114 if(xfr_serial_means_update(xfr, serial)) { 6115 /* if updated, start the transfer task, if needed */ 6116 verbose(VERB_ALGO, "auth_zone updated, start transfer"); 6117 if(xfr->task_transfer->worker == NULL) { 6118 struct auth_master* master = 6119 xfr_probe_current_master(xfr); 6120 /* if we have download URLs use them 6121 * in preference to this master we 6122 * just probed the SOA from */ 6123 if(xfr->task_transfer->masters && 6124 xfr->task_transfer->masters->http) 6125 master = NULL; 6126 xfr_probe_disown(xfr); 6127 xfr_start_transfer(xfr, env, master); 6128 return 0; 6129 6130 } 6131 /* other tasks are running, we don't do this anymore */ 6132 xfr_probe_disown(xfr); 6133 lock_basic_unlock(&xfr->lock); 6134 /* return, we don't sent a reply to this udp packet, 6135 * and we setup the tasks to do next */ 6136 return 0; 6137 } else { 6138 verbose(VERB_ALGO, "auth_zone master reports unchanged soa serial"); 6139 /* we if cannot find updates amongst the 6140 * masters, this means we then have a new lease 6141 * on the zone */ 6142 xfr->task_probe->have_new_lease = 1; 6143 } 6144 } else { 6145 if(verbosity >= VERB_ALGO) { 6146 char buf[256]; 6147 dname_str(xfr->name, buf); 6148 verbose(VERB_ALGO, "auth zone %s: bad reply to soa probe", buf); 6149 } 6150 } 6151 } else { 6152 if(verbosity >= VERB_ALGO) { 6153 char buf[256]; 6154 dname_str(xfr->name, buf); 6155 verbose(VERB_ALGO, "auth zone %s: soa probe failed", buf); 6156 } 6157 } 6158 6159 /* failed lookup or not an update */ 6160 /* delete commpoint so a new one is created, with a fresh port nr */ 6161 comm_point_delete(xfr->task_probe->cp); 6162 xfr->task_probe->cp = NULL; 6163 6164 /* if the result was not a successfull probe, we need 6165 * to send the next one */ 6166 xfr_probe_nextmaster(xfr); 6167 xfr_probe_send_or_end(xfr, env); 6168 return 0; 6169 } 6170 6171 /** lookup a host name for its addresses, if needed */ 6172 static int 6173 xfr_probe_lookup_host(struct auth_xfer* xfr, struct module_env* env) 6174 { 6175 struct sockaddr_storage addr; 6176 socklen_t addrlen = 0; 6177 struct auth_master* master = xfr->task_probe->lookup_target; 6178 struct query_info qinfo; 6179 uint16_t qflags = BIT_RD; 6180 uint8_t dname[LDNS_MAX_DOMAINLEN+1]; 6181 struct edns_data edns; 6182 sldns_buffer* buf = env->scratch_buffer; 6183 if(!master) return 0; 6184 if(extstrtoaddr(master->host, &addr, &addrlen)) { 6185 /* not needed, host is in IP addr format */ 6186 return 0; 6187 } 6188 if(master->allow_notify && !master->http && 6189 strchr(master->host, '/') != NULL && 6190 strchr(master->host, '/') == strrchr(master->host, '/')) { 6191 return 0; /* is IP/prefix format, not something to look up */ 6192 } 6193 6194 /* use mesh_new_callback to probe for non-addr hosts, 6195 * and then wait for them to be looked up (in cache, or query) */ 6196 qinfo.qname_len = sizeof(dname); 6197 if(sldns_str2wire_dname_buf(master->host, dname, &qinfo.qname_len) 6198 != 0) { 6199 log_err("cannot parse host name of master %s", master->host); 6200 return 0; 6201 } 6202 qinfo.qname = dname; 6203 qinfo.qclass = xfr->dclass; 6204 qinfo.qtype = LDNS_RR_TYPE_A; 6205 if(xfr->task_probe->lookup_aaaa) 6206 qinfo.qtype = LDNS_RR_TYPE_AAAA; 6207 qinfo.local_alias = NULL; 6208 if(verbosity >= VERB_ALGO) { 6209 char buf1[512]; 6210 char buf2[LDNS_MAX_DOMAINLEN+1]; 6211 dname_str(xfr->name, buf2); 6212 snprintf(buf1, sizeof(buf1), "auth zone %s: master lookup" 6213 " for task_probe", buf2); 6214 log_query_info(VERB_ALGO, buf1, &qinfo); 6215 } 6216 edns.edns_present = 1; 6217 edns.ext_rcode = 0; 6218 edns.edns_version = 0; 6219 edns.bits = EDNS_DO; 6220 edns.opt_list = NULL; 6221 if(sldns_buffer_capacity(buf) < 65535) 6222 edns.udp_size = (uint16_t)sldns_buffer_capacity(buf); 6223 else edns.udp_size = 65535; 6224 6225 /* unlock xfr during mesh_new_callback() because the callback can be 6226 * called straight away */ 6227 lock_basic_unlock(&xfr->lock); 6228 if(!mesh_new_callback(env->mesh, &qinfo, qflags, &edns, buf, 0, 6229 &auth_xfer_probe_lookup_callback, xfr)) { 6230 lock_basic_lock(&xfr->lock); 6231 log_err("out of memory lookup up master %s", master->host); 6232 return 0; 6233 } 6234 lock_basic_lock(&xfr->lock); 6235 return 1; 6236 } 6237 6238 /** move to sending the probe packets, next if fails. task_probe */ 6239 static void 6240 xfr_probe_send_or_end(struct auth_xfer* xfr, struct module_env* env) 6241 { 6242 /* are we doing hostname lookups? */ 6243 while(xfr->task_probe->lookup_target) { 6244 if(xfr_probe_lookup_host(xfr, env)) { 6245 /* wait for lookup to finish, 6246 * note that the hostname may be in unbound's cache 6247 * and we may then get an instant cache response, 6248 * and that calls the callback just like a full 6249 * lookup and lookup failures also call callback */ 6250 if(verbosity >= VERB_ALGO) { 6251 char zname[255+1]; 6252 dname_str(xfr->name, zname); 6253 verbose(VERB_ALGO, "auth zone %s probe next target lookup", zname); 6254 } 6255 lock_basic_unlock(&xfr->lock); 6256 return; 6257 } 6258 xfr_probe_move_to_next_lookup(xfr, env); 6259 } 6260 /* probe of list has ended. Create or refresh the list of of 6261 * allow_notify addrs */ 6262 probe_copy_masters_for_allow_notify(xfr); 6263 if(verbosity >= VERB_ALGO) { 6264 char zname[255+1]; 6265 dname_str(xfr->name, zname); 6266 verbose(VERB_ALGO, "auth zone %s probe: notify addrs updated", zname); 6267 } 6268 if(xfr->task_probe->only_lookup) { 6269 /* only wanted lookups for copy, stop probe and start wait */ 6270 xfr->task_probe->only_lookup = 0; 6271 if(verbosity >= VERB_ALGO) { 6272 char zname[255+1]; 6273 dname_str(xfr->name, zname); 6274 verbose(VERB_ALGO, "auth zone %s probe: finished only_lookup", zname); 6275 } 6276 xfr_probe_disown(xfr); 6277 if(xfr->task_nextprobe->worker == NULL) 6278 xfr_set_timeout(xfr, env, 0, 0); 6279 lock_basic_unlock(&xfr->lock); 6280 return; 6281 } 6282 6283 /* send probe packets */ 6284 while(!xfr_probe_end_of_list(xfr)) { 6285 if(xfr_probe_send_probe(xfr, env, AUTH_PROBE_TIMEOUT)) { 6286 /* successfully sent probe, wait for callback */ 6287 lock_basic_unlock(&xfr->lock); 6288 return; 6289 } 6290 /* failed to send probe, next master */ 6291 xfr_probe_nextmaster(xfr); 6292 } 6293 6294 /* done with probe sequence, wait */ 6295 if(xfr->task_probe->have_new_lease) { 6296 /* if zone not updated, start the wait timer again */ 6297 if(verbosity >= VERB_ALGO) { 6298 char zname[255+1]; 6299 dname_str(xfr->name, zname); 6300 verbose(VERB_ALGO, "auth_zone %s unchanged, new lease, wait", zname); 6301 } 6302 xfr_probe_disown(xfr); 6303 if(xfr->have_zone) 6304 xfr->lease_time = *env->now; 6305 if(xfr->task_nextprobe->worker == NULL) 6306 xfr_set_timeout(xfr, env, 0, 0); 6307 } else { 6308 if(verbosity >= VERB_ALGO) { 6309 char zname[255+1]; 6310 dname_str(xfr->name, zname); 6311 verbose(VERB_ALGO, "auth zone %s soa probe failed, wait to retry", zname); 6312 } 6313 /* we failed to send this as well, move to the wait task, 6314 * use the shorter retry timeout */ 6315 xfr_probe_disown(xfr); 6316 /* pick up the nextprobe task and wait */ 6317 if(xfr->task_nextprobe->worker == NULL) 6318 xfr_set_timeout(xfr, env, 1, 0); 6319 } 6320 6321 lock_basic_unlock(&xfr->lock); 6322 } 6323 6324 /** callback for task_probe lookup of host name, of A or AAAA */ 6325 void auth_xfer_probe_lookup_callback(void* arg, int rcode, sldns_buffer* buf, 6326 enum sec_status ATTR_UNUSED(sec), char* ATTR_UNUSED(why_bogus), 6327 int ATTR_UNUSED(was_ratelimited)) 6328 { 6329 struct auth_xfer* xfr = (struct auth_xfer*)arg; 6330 struct module_env* env; 6331 log_assert(xfr->task_probe); 6332 lock_basic_lock(&xfr->lock); 6333 env = xfr->task_probe->env; 6334 if(env->outnet->want_to_quit) { 6335 lock_basic_unlock(&xfr->lock); 6336 return; /* stop on quit */ 6337 } 6338 6339 /* process result */ 6340 if(rcode == LDNS_RCODE_NOERROR) { 6341 uint16_t wanted_qtype = LDNS_RR_TYPE_A; 6342 struct regional* temp = env->scratch; 6343 struct query_info rq; 6344 struct reply_info* rep; 6345 if(xfr->task_probe->lookup_aaaa) 6346 wanted_qtype = LDNS_RR_TYPE_AAAA; 6347 memset(&rq, 0, sizeof(rq)); 6348 rep = parse_reply_in_temp_region(buf, temp, &rq); 6349 if(rep && rq.qtype == wanted_qtype && 6350 FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NOERROR) { 6351 /* parsed successfully */ 6352 struct ub_packed_rrset_key* answer = 6353 reply_find_answer_rrset(&rq, rep); 6354 if(answer) { 6355 xfr_master_add_addrs(xfr->task_probe-> 6356 lookup_target, answer, wanted_qtype); 6357 } else { 6358 if(verbosity >= VERB_ALGO) { 6359 char zname[255+1]; 6360 dname_str(xfr->name, zname); 6361 verbose(VERB_ALGO, "auth zone %s host %s type %s probe lookup has nodata", zname, xfr->task_probe->lookup_target->host, (xfr->task_probe->lookup_aaaa?"AAAA":"A")); 6362 } 6363 } 6364 } else { 6365 if(verbosity >= VERB_ALGO) { 6366 char zname[255+1]; 6367 dname_str(xfr->name, zname); 6368 verbose(VERB_ALGO, "auth zone %s host %s type %s probe lookup has no address", zname, xfr->task_probe->lookup_target->host, (xfr->task_probe->lookup_aaaa?"AAAA":"A")); 6369 } 6370 } 6371 } else { 6372 if(verbosity >= VERB_ALGO) { 6373 char zname[255+1]; 6374 dname_str(xfr->name, zname); 6375 verbose(VERB_ALGO, "auth zone %s host %s type %s probe lookup failed", zname, xfr->task_probe->lookup_target->host, (xfr->task_probe->lookup_aaaa?"AAAA":"A")); 6376 } 6377 } 6378 if(xfr->task_probe->lookup_target->list && 6379 xfr->task_probe->lookup_target == xfr_probe_current_master(xfr)) 6380 xfr->task_probe->scan_addr = xfr->task_probe->lookup_target->list; 6381 6382 /* move to lookup AAAA after A lookup, move to next hostname lookup, 6383 * or move to send the probes, or, if nothing to do, end task_probe */ 6384 xfr_probe_move_to_next_lookup(xfr, env); 6385 xfr_probe_send_or_end(xfr, env); 6386 } 6387 6388 /** disown task_nextprobe. caller must hold xfr.lock */ 6389 static void 6390 xfr_nextprobe_disown(struct auth_xfer* xfr) 6391 { 6392 /* delete the timer, because the next worker to pick this up may 6393 * not have the same event base */ 6394 comm_timer_delete(xfr->task_nextprobe->timer); 6395 xfr->task_nextprobe->timer = NULL; 6396 xfr->task_nextprobe->next_probe = 0; 6397 /* we don't own this item anymore */ 6398 xfr->task_nextprobe->worker = NULL; 6399 xfr->task_nextprobe->env = NULL; 6400 } 6401 6402 /** xfer nextprobe timeout callback, this is part of task_nextprobe */ 6403 void 6404 auth_xfer_timer(void* arg) 6405 { 6406 struct auth_xfer* xfr = (struct auth_xfer*)arg; 6407 struct module_env* env; 6408 log_assert(xfr->task_nextprobe); 6409 lock_basic_lock(&xfr->lock); 6410 env = xfr->task_nextprobe->env; 6411 if(env->outnet->want_to_quit) { 6412 lock_basic_unlock(&xfr->lock); 6413 return; /* stop on quit */ 6414 } 6415 6416 /* see if zone has expired, and if so, also set auth_zone expired */ 6417 if(xfr->have_zone && !xfr->zone_expired && 6418 *env->now >= xfr->lease_time + xfr->expiry) { 6419 lock_basic_unlock(&xfr->lock); 6420 auth_xfer_set_expired(xfr, env, 1); 6421 lock_basic_lock(&xfr->lock); 6422 } 6423 6424 xfr_nextprobe_disown(xfr); 6425 6426 if(!xfr_start_probe(xfr, env, NULL)) { 6427 /* not started because already in progress */ 6428 lock_basic_unlock(&xfr->lock); 6429 } 6430 } 6431 6432 /** return true if there are probe (SOA UDP query) targets in the master list*/ 6433 static int 6434 have_probe_targets(struct auth_master* list) 6435 { 6436 struct auth_master* p; 6437 for(p=list; p; p = p->next) { 6438 if(!p->allow_notify && p->host) 6439 return 1; 6440 } 6441 return 0; 6442 } 6443 6444 /** start task_probe if possible, if no masters for probe start task_transfer 6445 * returns true if task has been started, and false if the task is already 6446 * in progress. */ 6447 static int 6448 xfr_start_probe(struct auth_xfer* xfr, struct module_env* env, 6449 struct auth_master* spec) 6450 { 6451 /* see if we need to start a probe (or maybe it is already in 6452 * progress (due to notify)) */ 6453 if(xfr->task_probe->worker == NULL) { 6454 if(!have_probe_targets(xfr->task_probe->masters) && 6455 !(xfr->task_probe->only_lookup && 6456 xfr->task_probe->masters != NULL)) { 6457 /* useless to pick up task_probe, no masters to 6458 * probe. Instead attempt to pick up task transfer */ 6459 if(xfr->task_transfer->worker == NULL) { 6460 xfr_start_transfer(xfr, env, spec); 6461 return 1; 6462 } 6463 /* task transfer already in progress */ 6464 return 0; 6465 } 6466 6467 /* pick up the probe task ourselves */ 6468 xfr->task_probe->worker = env->worker; 6469 xfr->task_probe->env = env; 6470 xfr->task_probe->cp = NULL; 6471 6472 /* start the task */ 6473 /* have not seen a new lease yet, this scan */ 6474 xfr->task_probe->have_new_lease = 0; 6475 /* if this was a timeout, no specific first master to scan */ 6476 /* otherwise, spec is nonNULL the notified master, scan 6477 * first and also transfer first from it */ 6478 xfr_probe_start_list(xfr, spec); 6479 /* setup to start the lookup of hostnames of masters afresh */ 6480 xfr_probe_start_lookups(xfr); 6481 /* send the probe packet or next send, or end task */ 6482 xfr_probe_send_or_end(xfr, env); 6483 return 1; 6484 } 6485 return 0; 6486 } 6487 6488 /** for task_nextprobe. 6489 * determine next timeout for auth_xfer. Also (re)sets timer. 6490 * @param xfr: task structure 6491 * @param env: module environment, with worker and time. 6492 * @param failure: set true if timer should be set for failure retry. 6493 * @param lookup_only: only perform lookups when timer done, 0 sec timeout 6494 */ 6495 static void 6496 xfr_set_timeout(struct auth_xfer* xfr, struct module_env* env, 6497 int failure, int lookup_only) 6498 { 6499 struct timeval tv; 6500 log_assert(xfr->task_nextprobe != NULL); 6501 log_assert(xfr->task_nextprobe->worker == NULL || 6502 xfr->task_nextprobe->worker == env->worker); 6503 /* normally, nextprobe = startoflease + refresh, 6504 * but if expiry is sooner, use that one. 6505 * after a failure, use the retry timer instead. */ 6506 xfr->task_nextprobe->next_probe = *env->now; 6507 if(xfr->lease_time && !failure) 6508 xfr->task_nextprobe->next_probe = xfr->lease_time; 6509 6510 if(!failure) { 6511 xfr->task_nextprobe->backoff = 0; 6512 } else { 6513 if(xfr->task_nextprobe->backoff == 0) 6514 xfr->task_nextprobe->backoff = 3; 6515 else xfr->task_nextprobe->backoff *= 2; 6516 if(xfr->task_nextprobe->backoff > AUTH_TRANSFER_MAX_BACKOFF) 6517 xfr->task_nextprobe->backoff = 6518 AUTH_TRANSFER_MAX_BACKOFF; 6519 } 6520 6521 if(xfr->have_zone) { 6522 time_t wait = xfr->refresh; 6523 if(failure) wait = xfr->retry; 6524 if(xfr->expiry < wait) 6525 xfr->task_nextprobe->next_probe += xfr->expiry; 6526 else xfr->task_nextprobe->next_probe += wait; 6527 if(failure) 6528 xfr->task_nextprobe->next_probe += 6529 xfr->task_nextprobe->backoff; 6530 /* put the timer exactly on expiry, if possible */ 6531 if(xfr->lease_time && xfr->lease_time+xfr->expiry < 6532 xfr->task_nextprobe->next_probe && 6533 xfr->lease_time+xfr->expiry > *env->now) 6534 xfr->task_nextprobe->next_probe = 6535 xfr->lease_time+xfr->expiry; 6536 } else { 6537 xfr->task_nextprobe->next_probe += 6538 xfr->task_nextprobe->backoff; 6539 } 6540 6541 if(!xfr->task_nextprobe->timer) { 6542 xfr->task_nextprobe->timer = comm_timer_create( 6543 env->worker_base, auth_xfer_timer, xfr); 6544 if(!xfr->task_nextprobe->timer) { 6545 /* failed to malloc memory. likely zone transfer 6546 * also fails for that. skip the timeout */ 6547 char zname[255+1]; 6548 dname_str(xfr->name, zname); 6549 log_err("cannot allocate timer, no refresh for %s", 6550 zname); 6551 return; 6552 } 6553 } 6554 xfr->task_nextprobe->worker = env->worker; 6555 xfr->task_nextprobe->env = env; 6556 if(*(xfr->task_nextprobe->env->now) <= xfr->task_nextprobe->next_probe) 6557 tv.tv_sec = xfr->task_nextprobe->next_probe - 6558 *(xfr->task_nextprobe->env->now); 6559 else tv.tv_sec = 0; 6560 if(tv.tv_sec != 0 && lookup_only && xfr->task_probe->masters) { 6561 /* don't lookup_only, if lookup timeout is 0 anyway, 6562 * or if we don't have masters to lookup */ 6563 tv.tv_sec = 0; 6564 if(xfr->task_probe && xfr->task_probe->worker == NULL) 6565 xfr->task_probe->only_lookup = 1; 6566 } 6567 if(verbosity >= VERB_ALGO) { 6568 char zname[255+1]; 6569 dname_str(xfr->name, zname); 6570 verbose(VERB_ALGO, "auth zone %s timeout in %d seconds", 6571 zname, (int)tv.tv_sec); 6572 } 6573 tv.tv_usec = 0; 6574 comm_timer_set(xfr->task_nextprobe->timer, &tv); 6575 } 6576 6577 /** initial pick up of worker timeouts, ties events to worker event loop */ 6578 void 6579 auth_xfer_pickup_initial(struct auth_zones* az, struct module_env* env) 6580 { 6581 struct auth_xfer* x; 6582 lock_rw_wrlock(&az->lock); 6583 RBTREE_FOR(x, struct auth_xfer*, &az->xtree) { 6584 lock_basic_lock(&x->lock); 6585 /* set lease_time, because we now have timestamp in env, 6586 * (not earlier during startup and apply_cfg), and this 6587 * notes the start time when the data was acquired */ 6588 if(x->have_zone) 6589 x->lease_time = *env->now; 6590 if(x->task_nextprobe && x->task_nextprobe->worker == NULL) { 6591 xfr_set_timeout(x, env, 0, 1); 6592 } 6593 lock_basic_unlock(&x->lock); 6594 } 6595 lock_rw_unlock(&az->lock); 6596 } 6597 6598 void auth_zones_cleanup(struct auth_zones* az) 6599 { 6600 struct auth_xfer* x; 6601 lock_rw_wrlock(&az->lock); 6602 RBTREE_FOR(x, struct auth_xfer*, &az->xtree) { 6603 lock_basic_lock(&x->lock); 6604 if(x->task_nextprobe && x->task_nextprobe->worker != NULL) { 6605 xfr_nextprobe_disown(x); 6606 } 6607 if(x->task_probe && x->task_probe->worker != NULL) { 6608 xfr_probe_disown(x); 6609 } 6610 if(x->task_transfer && x->task_transfer->worker != NULL) { 6611 auth_chunks_delete(x->task_transfer); 6612 xfr_transfer_disown(x); 6613 } 6614 lock_basic_unlock(&x->lock); 6615 } 6616 lock_rw_unlock(&az->lock); 6617 } 6618 6619 /** 6620 * malloc the xfer and tasks 6621 * @param z: auth_zone with name of zone. 6622 */ 6623 static struct auth_xfer* 6624 auth_xfer_new(struct auth_zone* z) 6625 { 6626 struct auth_xfer* xfr; 6627 xfr = (struct auth_xfer*)calloc(1, sizeof(*xfr)); 6628 if(!xfr) return NULL; 6629 xfr->name = memdup(z->name, z->namelen); 6630 if(!xfr->name) { 6631 free(xfr); 6632 return NULL; 6633 } 6634 xfr->node.key = xfr; 6635 xfr->namelen = z->namelen; 6636 xfr->namelabs = z->namelabs; 6637 xfr->dclass = z->dclass; 6638 6639 xfr->task_nextprobe = (struct auth_nextprobe*)calloc(1, 6640 sizeof(struct auth_nextprobe)); 6641 if(!xfr->task_nextprobe) { 6642 free(xfr->name); 6643 free(xfr); 6644 return NULL; 6645 } 6646 xfr->task_probe = (struct auth_probe*)calloc(1, 6647 sizeof(struct auth_probe)); 6648 if(!xfr->task_probe) { 6649 free(xfr->task_nextprobe); 6650 free(xfr->name); 6651 free(xfr); 6652 return NULL; 6653 } 6654 xfr->task_transfer = (struct auth_transfer*)calloc(1, 6655 sizeof(struct auth_transfer)); 6656 if(!xfr->task_transfer) { 6657 free(xfr->task_probe); 6658 free(xfr->task_nextprobe); 6659 free(xfr->name); 6660 free(xfr); 6661 return NULL; 6662 } 6663 6664 lock_basic_init(&xfr->lock); 6665 lock_protect(&xfr->lock, &xfr->name, sizeof(xfr->name)); 6666 lock_protect(&xfr->lock, &xfr->namelen, sizeof(xfr->namelen)); 6667 lock_protect(&xfr->lock, xfr->name, xfr->namelen); 6668 lock_protect(&xfr->lock, &xfr->namelabs, sizeof(xfr->namelabs)); 6669 lock_protect(&xfr->lock, &xfr->dclass, sizeof(xfr->dclass)); 6670 lock_protect(&xfr->lock, &xfr->notify_received, sizeof(xfr->notify_received)); 6671 lock_protect(&xfr->lock, &xfr->notify_serial, sizeof(xfr->notify_serial)); 6672 lock_protect(&xfr->lock, &xfr->zone_expired, sizeof(xfr->zone_expired)); 6673 lock_protect(&xfr->lock, &xfr->have_zone, sizeof(xfr->have_zone)); 6674 lock_protect(&xfr->lock, &xfr->serial, sizeof(xfr->serial)); 6675 lock_protect(&xfr->lock, &xfr->retry, sizeof(xfr->retry)); 6676 lock_protect(&xfr->lock, &xfr->refresh, sizeof(xfr->refresh)); 6677 lock_protect(&xfr->lock, &xfr->expiry, sizeof(xfr->expiry)); 6678 lock_protect(&xfr->lock, &xfr->lease_time, sizeof(xfr->lease_time)); 6679 lock_protect(&xfr->lock, &xfr->task_nextprobe->worker, 6680 sizeof(xfr->task_nextprobe->worker)); 6681 lock_protect(&xfr->lock, &xfr->task_probe->worker, 6682 sizeof(xfr->task_probe->worker)); 6683 lock_protect(&xfr->lock, &xfr->task_transfer->worker, 6684 sizeof(xfr->task_transfer->worker)); 6685 lock_basic_lock(&xfr->lock); 6686 return xfr; 6687 } 6688 6689 /** Create auth_xfer structure. 6690 * This populates the have_zone, soa values, and so on times. 6691 * and sets the timeout, if a zone transfer is needed a short timeout is set. 6692 * For that the auth_zone itself must exist (and read in zonefile) 6693 * returns false on alloc failure. */ 6694 struct auth_xfer* 6695 auth_xfer_create(struct auth_zones* az, struct auth_zone* z) 6696 { 6697 struct auth_xfer* xfr; 6698 6699 /* malloc it */ 6700 xfr = auth_xfer_new(z); 6701 if(!xfr) { 6702 log_err("malloc failure"); 6703 return NULL; 6704 } 6705 /* insert in tree */ 6706 (void)rbtree_insert(&az->xtree, &xfr->node); 6707 return xfr; 6708 } 6709 6710 /** create new auth_master structure */ 6711 static struct auth_master* 6712 auth_master_new(struct auth_master*** list) 6713 { 6714 struct auth_master *m; 6715 m = (struct auth_master*)calloc(1, sizeof(*m)); 6716 if(!m) { 6717 log_err("malloc failure"); 6718 return NULL; 6719 } 6720 /* set first pointer to m, or next pointer of previous element to m */ 6721 (**list) = m; 6722 /* store m's next pointer as future point to store at */ 6723 (*list) = &(m->next); 6724 return m; 6725 } 6726 6727 /** dup_prefix : create string from initial part of other string, malloced */ 6728 static char* 6729 dup_prefix(char* str, size_t num) 6730 { 6731 char* result; 6732 size_t len = strlen(str); 6733 if(len < num) num = len; /* not more than strlen */ 6734 result = (char*)malloc(num+1); 6735 if(!result) { 6736 log_err("malloc failure"); 6737 return result; 6738 } 6739 memmove(result, str, num); 6740 result[num] = 0; 6741 return result; 6742 } 6743 6744 /** dup string and print error on error */ 6745 static char* 6746 dup_all(char* str) 6747 { 6748 char* result = strdup(str); 6749 if(!result) { 6750 log_err("malloc failure"); 6751 return NULL; 6752 } 6753 return result; 6754 } 6755 6756 /** find first of two characters */ 6757 static char* 6758 str_find_first_of_chars(char* s, char a, char b) 6759 { 6760 char* ra = strchr(s, a); 6761 char* rb = strchr(s, b); 6762 if(!ra) return rb; 6763 if(!rb) return ra; 6764 if(ra < rb) return ra; 6765 return rb; 6766 } 6767 6768 /** parse URL into host and file parts, false on malloc or parse error */ 6769 static int 6770 parse_url(char* url, char** host, char** file, int* port, int* ssl) 6771 { 6772 char* p = url; 6773 /* parse http://www.example.com/file.htm 6774 * or http://127.0.0.1 (index.html) 6775 * or https://[::1@1234]/a/b/c/d */ 6776 *ssl = 1; 6777 *port = AUTH_HTTPS_PORT; 6778 6779 /* parse http:// or https:// */ 6780 if(strncmp(p, "http://", 7) == 0) { 6781 p += 7; 6782 *ssl = 0; 6783 *port = AUTH_HTTP_PORT; 6784 } else if(strncmp(p, "https://", 8) == 0) { 6785 p += 8; 6786 } else if(strstr(p, "://") && strchr(p, '/') > strstr(p, "://") && 6787 strchr(p, ':') >= strstr(p, "://")) { 6788 char* uri = dup_prefix(p, (size_t)(strstr(p, "://")-p)); 6789 log_err("protocol %s:// not supported (for url %s)", 6790 uri?uri:"", p); 6791 free(uri); 6792 return 0; 6793 } 6794 6795 /* parse hostname part */ 6796 if(p[0] == '[') { 6797 char* end = strchr(p, ']'); 6798 p++; /* skip over [ */ 6799 if(end) { 6800 *host = dup_prefix(p, (size_t)(end-p)); 6801 if(!*host) return 0; 6802 p = end+1; /* skip over ] */ 6803 } else { 6804 *host = dup_all(p); 6805 if(!*host) return 0; 6806 p = end; 6807 } 6808 } else { 6809 char* end = str_find_first_of_chars(p, ':', '/'); 6810 if(end) { 6811 *host = dup_prefix(p, (size_t)(end-p)); 6812 if(!*host) return 0; 6813 } else { 6814 *host = dup_all(p); 6815 if(!*host) return 0; 6816 } 6817 p = end; /* at next : or / or NULL */ 6818 } 6819 6820 /* parse port number */ 6821 if(p && p[0] == ':') { 6822 char* end = NULL; 6823 *port = strtol(p+1, &end, 10); 6824 p = end; 6825 } 6826 6827 /* parse filename part */ 6828 while(p && *p == '/') 6829 p++; 6830 if(!p || p[0] == 0) 6831 *file = strdup("index.html"); 6832 else *file = strdup(p); 6833 if(!*file) { 6834 log_err("malloc failure"); 6835 return 0; 6836 } 6837 return 1; 6838 } 6839 6840 int 6841 xfer_set_masters(struct auth_master** list, struct config_auth* c, 6842 int with_http) 6843 { 6844 struct auth_master* m; 6845 struct config_strlist* p; 6846 /* list points to the first, or next pointer for the new element */ 6847 while(*list) { 6848 list = &( (*list)->next ); 6849 } 6850 if(with_http) 6851 for(p = c->urls; p; p = p->next) { 6852 m = auth_master_new(&list); 6853 m->http = 1; 6854 if(!parse_url(p->str, &m->host, &m->file, &m->port, &m->ssl)) 6855 return 0; 6856 } 6857 for(p = c->masters; p; p = p->next) { 6858 m = auth_master_new(&list); 6859 m->ixfr = 1; /* this flag is not configurable */ 6860 m->host = strdup(p->str); 6861 if(!m->host) { 6862 log_err("malloc failure"); 6863 return 0; 6864 } 6865 } 6866 for(p = c->allow_notify; p; p = p->next) { 6867 m = auth_master_new(&list); 6868 m->allow_notify = 1; 6869 m->host = strdup(p->str); 6870 if(!m->host) { 6871 log_err("malloc failure"); 6872 return 0; 6873 } 6874 } 6875 return 1; 6876 } 6877 6878 #define SERIAL_BITS 32 6879 int 6880 compare_serial(uint32_t a, uint32_t b) 6881 { 6882 const uint32_t cutoff = ((uint32_t) 1 << (SERIAL_BITS - 1)); 6883 6884 if (a == b) { 6885 return 0; 6886 } else if ((a < b && b - a < cutoff) || (a > b && a - b > cutoff)) { 6887 return -1; 6888 } else { 6889 return 1; 6890 } 6891 } 6892