1 /* 2 * services/authzone.c - authoritative zone that is locally hosted. 3 * 4 * Copyright (c) 2017, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * Redistributions of source code must retain the above copyright notice, 13 * this list of conditions and the following disclaimer. 14 * 15 * Redistributions in binary form must reproduce the above copyright notice, 16 * this list of conditions and the following disclaimer in the documentation 17 * and/or other materials provided with the distribution. 18 * 19 * Neither the name of the NLNET LABS nor the names of its contributors may 20 * be used to endorse or promote products derived from this software without 21 * specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36 /** 37 * \file 38 * 39 * This file contains the functions for an authority zone. This zone 40 * is queried by the iterator, just like a stub or forward zone, but then 41 * the data is locally held. 42 */ 43 44 #include "config.h" 45 #include "services/authzone.h" 46 #include "util/data/dname.h" 47 #include "util/data/msgparse.h" 48 #include "util/data/msgreply.h" 49 #include "util/data/msgencode.h" 50 #include "util/data/packed_rrset.h" 51 #include "util/regional.h" 52 #include "util/net_help.h" 53 #include "util/netevent.h" 54 #include "util/config_file.h" 55 #include "util/log.h" 56 #include "util/module.h" 57 #include "util/random.h" 58 #include "services/cache/dns.h" 59 #include "services/outside_network.h" 60 #include "services/listen_dnsport.h" 61 #include "services/mesh.h" 62 #include "sldns/rrdef.h" 63 #include "sldns/pkthdr.h" 64 #include "sldns/sbuffer.h" 65 #include "sldns/str2wire.h" 66 #include "sldns/wire2str.h" 67 #include "sldns/parseutil.h" 68 #include "sldns/keyraw.h" 69 #include "validator/val_nsec3.h" 70 #include "validator/val_secalgo.h" 71 #include <ctype.h> 72 73 /** bytes to use for NSEC3 hash buffer. 20 for sha1 */ 74 #define N3HASHBUFLEN 32 75 /** max number of CNAMEs we are willing to follow (in one answer) */ 76 #define MAX_CNAME_CHAIN 8 77 /** timeout for probe packets for SOA */ 78 #define AUTH_PROBE_TIMEOUT 100 /* msec */ 79 /** when to stop with SOA probes (when exponential timeouts exceed this) */ 80 #define AUTH_PROBE_TIMEOUT_STOP 1000 /* msec */ 81 /* auth transfer timeout for TCP connections, in msec */ 82 #define AUTH_TRANSFER_TIMEOUT 10000 /* msec */ 83 /* auth transfer max backoff for failed tranfers and probes */ 84 #define AUTH_TRANSFER_MAX_BACKOFF 86400 /* sec */ 85 /* auth http port number */ 86 #define AUTH_HTTP_PORT 80 87 /* auth https port number */ 88 #define AUTH_HTTPS_PORT 443 89 /* max depth for nested $INCLUDEs */ 90 #define MAX_INCLUDE_DEPTH 10 91 92 /** pick up nextprobe task to start waiting to perform transfer actions */ 93 static void xfr_set_timeout(struct auth_xfer* xfr, struct module_env* env, 94 int failure, int lookup_only); 95 /** move to sending the probe packets, next if fails. task_probe */ 96 static void xfr_probe_send_or_end(struct auth_xfer* xfr, 97 struct module_env* env); 98 /** pick up probe task with specified(or NULL) destination first, 99 * or transfer task if nothing to probe, or false if already in progress */ 100 static int xfr_start_probe(struct auth_xfer* xfr, struct module_env* env, 101 struct auth_master* spec); 102 /** delete xfer structure (not its tree entry) */ 103 static void auth_xfer_delete(struct auth_xfer* xfr); 104 105 /** create new dns_msg */ 106 static struct dns_msg* 107 msg_create(struct regional* region, struct query_info* qinfo) 108 { 109 struct dns_msg* msg = (struct dns_msg*)regional_alloc(region, 110 sizeof(struct dns_msg)); 111 if(!msg) 112 return NULL; 113 msg->qinfo.qname = regional_alloc_init(region, qinfo->qname, 114 qinfo->qname_len); 115 if(!msg->qinfo.qname) 116 return NULL; 117 msg->qinfo.qname_len = qinfo->qname_len; 118 msg->qinfo.qtype = qinfo->qtype; 119 msg->qinfo.qclass = qinfo->qclass; 120 msg->qinfo.local_alias = NULL; 121 /* non-packed reply_info, because it needs to grow the array */ 122 msg->rep = (struct reply_info*)regional_alloc_zero(region, 123 sizeof(struct reply_info)-sizeof(struct rrset_ref)); 124 if(!msg->rep) 125 return NULL; 126 msg->rep->flags = (uint16_t)(BIT_QR | BIT_AA); 127 msg->rep->authoritative = 1; 128 msg->rep->qdcount = 1; 129 /* rrsets is NULL, no rrsets yet */ 130 return msg; 131 } 132 133 /** grow rrset array by one in msg */ 134 static int 135 msg_grow_array(struct regional* region, struct dns_msg* msg) 136 { 137 if(msg->rep->rrsets == NULL) { 138 msg->rep->rrsets = regional_alloc_zero(region, 139 sizeof(struct ub_packed_rrset_key*)*(msg->rep->rrset_count+1)); 140 if(!msg->rep->rrsets) 141 return 0; 142 } else { 143 struct ub_packed_rrset_key** rrsets_old = msg->rep->rrsets; 144 msg->rep->rrsets = regional_alloc_zero(region, 145 sizeof(struct ub_packed_rrset_key*)*(msg->rep->rrset_count+1)); 146 if(!msg->rep->rrsets) 147 return 0; 148 memmove(msg->rep->rrsets, rrsets_old, 149 sizeof(struct ub_packed_rrset_key*)*msg->rep->rrset_count); 150 } 151 return 1; 152 } 153 154 /** get ttl of rrset */ 155 static time_t 156 get_rrset_ttl(struct ub_packed_rrset_key* k) 157 { 158 struct packed_rrset_data* d = (struct packed_rrset_data*) 159 k->entry.data; 160 return d->ttl; 161 } 162 163 /** Copy rrset into region from domain-datanode and packet rrset */ 164 static struct ub_packed_rrset_key* 165 auth_packed_rrset_copy_region(struct auth_zone* z, struct auth_data* node, 166 struct auth_rrset* rrset, struct regional* region, time_t adjust) 167 { 168 struct ub_packed_rrset_key key; 169 memset(&key, 0, sizeof(key)); 170 key.entry.key = &key; 171 key.entry.data = rrset->data; 172 key.rk.dname = node->name; 173 key.rk.dname_len = node->namelen; 174 key.rk.type = htons(rrset->type); 175 key.rk.rrset_class = htons(z->dclass); 176 key.entry.hash = rrset_key_hash(&key.rk); 177 return packed_rrset_copy_region(&key, region, adjust); 178 } 179 180 /** fix up msg->rep TTL and prefetch ttl */ 181 static void 182 msg_ttl(struct dns_msg* msg) 183 { 184 if(msg->rep->rrset_count == 0) return; 185 if(msg->rep->rrset_count == 1) { 186 msg->rep->ttl = get_rrset_ttl(msg->rep->rrsets[0]); 187 msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(msg->rep->ttl); 188 } else if(get_rrset_ttl(msg->rep->rrsets[msg->rep->rrset_count-1]) < 189 msg->rep->ttl) { 190 msg->rep->ttl = get_rrset_ttl(msg->rep->rrsets[ 191 msg->rep->rrset_count-1]); 192 msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(msg->rep->ttl); 193 } 194 } 195 196 /** see if rrset is a duplicate in the answer message */ 197 static int 198 msg_rrset_duplicate(struct dns_msg* msg, uint8_t* nm, size_t nmlen, 199 uint16_t type, uint16_t dclass) 200 { 201 size_t i; 202 for(i=0; i<msg->rep->rrset_count; i++) { 203 struct ub_packed_rrset_key* k = msg->rep->rrsets[i]; 204 if(ntohs(k->rk.type) == type && k->rk.dname_len == nmlen && 205 ntohs(k->rk.rrset_class) == dclass && 206 query_dname_compare(k->rk.dname, nm) == 0) 207 return 1; 208 } 209 return 0; 210 } 211 212 /** add rrset to answer section (no auth, add rrsets yet) */ 213 static int 214 msg_add_rrset_an(struct auth_zone* z, struct regional* region, 215 struct dns_msg* msg, struct auth_data* node, struct auth_rrset* rrset) 216 { 217 log_assert(msg->rep->ns_numrrsets == 0); 218 log_assert(msg->rep->ar_numrrsets == 0); 219 if(!rrset) 220 return 1; 221 if(msg_rrset_duplicate(msg, node->name, node->namelen, rrset->type, 222 z->dclass)) 223 return 1; 224 /* grow array */ 225 if(!msg_grow_array(region, msg)) 226 return 0; 227 /* copy it */ 228 if(!(msg->rep->rrsets[msg->rep->rrset_count] = 229 auth_packed_rrset_copy_region(z, node, rrset, region, 0))) 230 return 0; 231 msg->rep->rrset_count++; 232 msg->rep->an_numrrsets++; 233 msg_ttl(msg); 234 return 1; 235 } 236 237 /** add rrset to authority section (no additonal section rrsets yet) */ 238 static int 239 msg_add_rrset_ns(struct auth_zone* z, struct regional* region, 240 struct dns_msg* msg, struct auth_data* node, struct auth_rrset* rrset) 241 { 242 log_assert(msg->rep->ar_numrrsets == 0); 243 if(!rrset) 244 return 1; 245 if(msg_rrset_duplicate(msg, node->name, node->namelen, rrset->type, 246 z->dclass)) 247 return 1; 248 /* grow array */ 249 if(!msg_grow_array(region, msg)) 250 return 0; 251 /* copy it */ 252 if(!(msg->rep->rrsets[msg->rep->rrset_count] = 253 auth_packed_rrset_copy_region(z, node, rrset, region, 0))) 254 return 0; 255 msg->rep->rrset_count++; 256 msg->rep->ns_numrrsets++; 257 msg_ttl(msg); 258 return 1; 259 } 260 261 /** add rrset to additional section */ 262 static int 263 msg_add_rrset_ar(struct auth_zone* z, struct regional* region, 264 struct dns_msg* msg, struct auth_data* node, struct auth_rrset* rrset) 265 { 266 if(!rrset) 267 return 1; 268 if(msg_rrset_duplicate(msg, node->name, node->namelen, rrset->type, 269 z->dclass)) 270 return 1; 271 /* grow array */ 272 if(!msg_grow_array(region, msg)) 273 return 0; 274 /* copy it */ 275 if(!(msg->rep->rrsets[msg->rep->rrset_count] = 276 auth_packed_rrset_copy_region(z, node, rrset, region, 0))) 277 return 0; 278 msg->rep->rrset_count++; 279 msg->rep->ar_numrrsets++; 280 msg_ttl(msg); 281 return 1; 282 } 283 284 struct auth_zones* auth_zones_create(void) 285 { 286 struct auth_zones* az = (struct auth_zones*)calloc(1, sizeof(*az)); 287 if(!az) { 288 log_err("out of memory"); 289 return NULL; 290 } 291 rbtree_init(&az->ztree, &auth_zone_cmp); 292 rbtree_init(&az->xtree, &auth_xfer_cmp); 293 lock_rw_init(&az->lock); 294 lock_protect(&az->lock, &az->ztree, sizeof(az->ztree)); 295 lock_protect(&az->lock, &az->xtree, sizeof(az->xtree)); 296 /* also lock protects the rbnode's in struct auth_zone, auth_xfer */ 297 return az; 298 } 299 300 int auth_zone_cmp(const void* z1, const void* z2) 301 { 302 /* first sort on class, so that hierarchy can be maintained within 303 * a class */ 304 struct auth_zone* a = (struct auth_zone*)z1; 305 struct auth_zone* b = (struct auth_zone*)z2; 306 int m; 307 if(a->dclass != b->dclass) { 308 if(a->dclass < b->dclass) 309 return -1; 310 return 1; 311 } 312 /* sorted such that higher zones sort before lower zones (their 313 * contents) */ 314 return dname_lab_cmp(a->name, a->namelabs, b->name, b->namelabs, &m); 315 } 316 317 int auth_data_cmp(const void* z1, const void* z2) 318 { 319 struct auth_data* a = (struct auth_data*)z1; 320 struct auth_data* b = (struct auth_data*)z2; 321 int m; 322 /* canonical sort, because DNSSEC needs that */ 323 return dname_canon_lab_cmp(a->name, a->namelabs, b->name, 324 b->namelabs, &m); 325 } 326 327 int auth_xfer_cmp(const void* z1, const void* z2) 328 { 329 /* first sort on class, so that hierarchy can be maintained within 330 * a class */ 331 struct auth_xfer* a = (struct auth_xfer*)z1; 332 struct auth_xfer* b = (struct auth_xfer*)z2; 333 int m; 334 if(a->dclass != b->dclass) { 335 if(a->dclass < b->dclass) 336 return -1; 337 return 1; 338 } 339 /* sorted such that higher zones sort before lower zones (their 340 * contents) */ 341 return dname_lab_cmp(a->name, a->namelabs, b->name, b->namelabs, &m); 342 } 343 344 /** delete auth rrset node */ 345 static void 346 auth_rrset_delete(struct auth_rrset* rrset) 347 { 348 if(!rrset) return; 349 free(rrset->data); 350 free(rrset); 351 } 352 353 /** delete auth data domain node */ 354 static void 355 auth_data_delete(struct auth_data* n) 356 { 357 struct auth_rrset* p, *np; 358 if(!n) return; 359 p = n->rrsets; 360 while(p) { 361 np = p->next; 362 auth_rrset_delete(p); 363 p = np; 364 } 365 free(n->name); 366 free(n); 367 } 368 369 /** helper traverse to delete zones */ 370 static void 371 auth_data_del(rbnode_type* n, void* ATTR_UNUSED(arg)) 372 { 373 struct auth_data* z = (struct auth_data*)n->key; 374 auth_data_delete(z); 375 } 376 377 /** delete an auth zone structure (tree remove must be done elsewhere) */ 378 static void 379 auth_zone_delete(struct auth_zone* z) 380 { 381 if(!z) return; 382 lock_rw_destroy(&z->lock); 383 traverse_postorder(&z->data, auth_data_del, NULL); 384 free(z->name); 385 free(z->zonefile); 386 free(z); 387 } 388 389 struct auth_zone* 390 auth_zone_create(struct auth_zones* az, uint8_t* nm, size_t nmlen, 391 uint16_t dclass) 392 { 393 struct auth_zone* z = (struct auth_zone*)calloc(1, sizeof(*z)); 394 if(!z) { 395 return NULL; 396 } 397 z->node.key = z; 398 z->dclass = dclass; 399 z->namelen = nmlen; 400 z->namelabs = dname_count_labels(nm); 401 z->name = memdup(nm, nmlen); 402 if(!z->name) { 403 free(z); 404 return NULL; 405 } 406 rbtree_init(&z->data, &auth_data_cmp); 407 lock_rw_init(&z->lock); 408 lock_protect(&z->lock, &z->name, sizeof(*z)-sizeof(rbnode_type)); 409 lock_rw_wrlock(&z->lock); 410 /* z lock protects all, except rbtree itself, which is az->lock */ 411 if(!rbtree_insert(&az->ztree, &z->node)) { 412 lock_rw_unlock(&z->lock); 413 auth_zone_delete(z); 414 log_warn("duplicate auth zone"); 415 return NULL; 416 } 417 return z; 418 } 419 420 struct auth_zone* 421 auth_zone_find(struct auth_zones* az, uint8_t* nm, size_t nmlen, 422 uint16_t dclass) 423 { 424 struct auth_zone key; 425 key.node.key = &key; 426 key.dclass = dclass; 427 key.name = nm; 428 key.namelen = nmlen; 429 key.namelabs = dname_count_labels(nm); 430 return (struct auth_zone*)rbtree_search(&az->ztree, &key); 431 } 432 433 struct auth_xfer* 434 auth_xfer_find(struct auth_zones* az, uint8_t* nm, size_t nmlen, 435 uint16_t dclass) 436 { 437 struct auth_xfer key; 438 key.node.key = &key; 439 key.dclass = dclass; 440 key.name = nm; 441 key.namelen = nmlen; 442 key.namelabs = dname_count_labels(nm); 443 return (struct auth_xfer*)rbtree_search(&az->xtree, &key); 444 } 445 446 /** find an auth zone or sorted less-or-equal, return true if exact */ 447 static int 448 auth_zone_find_less_equal(struct auth_zones* az, uint8_t* nm, size_t nmlen, 449 uint16_t dclass, struct auth_zone** z) 450 { 451 struct auth_zone key; 452 key.node.key = &key; 453 key.dclass = dclass; 454 key.name = nm; 455 key.namelen = nmlen; 456 key.namelabs = dname_count_labels(nm); 457 return rbtree_find_less_equal(&az->ztree, &key, (rbnode_type**)z); 458 } 459 460 461 /** find the auth zone that is above the given name */ 462 struct auth_zone* 463 auth_zones_find_zone(struct auth_zones* az, uint8_t* name, size_t name_len, 464 uint16_t dclass) 465 { 466 uint8_t* nm = name; 467 size_t nmlen = name_len; 468 struct auth_zone* z; 469 if(auth_zone_find_less_equal(az, nm, nmlen, dclass, &z)) { 470 /* exact match */ 471 return z; 472 } else { 473 /* less-or-nothing */ 474 if(!z) return NULL; /* nothing smaller, nothing above it */ 475 /* we found smaller name; smaller may be above the name, 476 * but not below it. */ 477 nm = dname_get_shared_topdomain(z->name, name); 478 dname_count_size_labels(nm, &nmlen); 479 z = NULL; 480 } 481 482 /* search up */ 483 while(!z) { 484 z = auth_zone_find(az, nm, nmlen, dclass); 485 if(z) return z; 486 if(dname_is_root(nm)) break; 487 dname_remove_label(&nm, &nmlen); 488 } 489 return NULL; 490 } 491 492 /** find or create zone with name str. caller must have lock on az. 493 * returns a wrlocked zone */ 494 static struct auth_zone* 495 auth_zones_find_or_add_zone(struct auth_zones* az, char* name) 496 { 497 uint8_t nm[LDNS_MAX_DOMAINLEN+1]; 498 size_t nmlen = sizeof(nm); 499 struct auth_zone* z; 500 501 if(sldns_str2wire_dname_buf(name, nm, &nmlen) != 0) { 502 log_err("cannot parse auth zone name: %s", name); 503 return 0; 504 } 505 z = auth_zone_find(az, nm, nmlen, LDNS_RR_CLASS_IN); 506 if(!z) { 507 /* not found, create the zone */ 508 z = auth_zone_create(az, nm, nmlen, LDNS_RR_CLASS_IN); 509 } else { 510 lock_rw_wrlock(&z->lock); 511 } 512 return z; 513 } 514 515 /** find or create xfer zone with name str. caller must have lock on az. 516 * returns a locked xfer */ 517 static struct auth_xfer* 518 auth_zones_find_or_add_xfer(struct auth_zones* az, struct auth_zone* z) 519 { 520 struct auth_xfer* x; 521 x = auth_xfer_find(az, z->name, z->namelen, z->dclass); 522 if(!x) { 523 /* not found, create the zone */ 524 x = auth_xfer_create(az, z); 525 } else { 526 lock_basic_lock(&x->lock); 527 } 528 return x; 529 } 530 531 int 532 auth_zone_set_zonefile(struct auth_zone* z, char* zonefile) 533 { 534 if(z->zonefile) free(z->zonefile); 535 if(zonefile == NULL) { 536 z->zonefile = NULL; 537 } else { 538 z->zonefile = strdup(zonefile); 539 if(!z->zonefile) { 540 log_err("malloc failure"); 541 return 0; 542 } 543 } 544 return 1; 545 } 546 547 /** set auth zone fallback. caller must have lock on zone */ 548 int 549 auth_zone_set_fallback(struct auth_zone* z, char* fallbackstr) 550 { 551 if(strcmp(fallbackstr, "yes") != 0 && strcmp(fallbackstr, "no") != 0){ 552 log_err("auth zone fallback, expected yes or no, got %s", 553 fallbackstr); 554 return 0; 555 } 556 z->fallback_enabled = (strcmp(fallbackstr, "yes")==0); 557 return 1; 558 } 559 560 /** create domain with the given name */ 561 static struct auth_data* 562 az_domain_create(struct auth_zone* z, uint8_t* nm, size_t nmlen) 563 { 564 struct auth_data* n = (struct auth_data*)malloc(sizeof(*n)); 565 if(!n) return NULL; 566 memset(n, 0, sizeof(*n)); 567 n->node.key = n; 568 n->name = memdup(nm, nmlen); 569 if(!n->name) { 570 free(n); 571 return NULL; 572 } 573 n->namelen = nmlen; 574 n->namelabs = dname_count_labels(nm); 575 if(!rbtree_insert(&z->data, &n->node)) { 576 log_warn("duplicate auth domain name"); 577 free(n->name); 578 free(n); 579 return NULL; 580 } 581 return n; 582 } 583 584 /** find domain with exactly the given name */ 585 static struct auth_data* 586 az_find_name(struct auth_zone* z, uint8_t* nm, size_t nmlen) 587 { 588 struct auth_zone key; 589 key.node.key = &key; 590 key.name = nm; 591 key.namelen = nmlen; 592 key.namelabs = dname_count_labels(nm); 593 return (struct auth_data*)rbtree_search(&z->data, &key); 594 } 595 596 /** Find domain name (or closest match) */ 597 static void 598 az_find_domain(struct auth_zone* z, struct query_info* qinfo, int* node_exact, 599 struct auth_data** node) 600 { 601 struct auth_zone key; 602 key.node.key = &key; 603 key.name = qinfo->qname; 604 key.namelen = qinfo->qname_len; 605 key.namelabs = dname_count_labels(key.name); 606 *node_exact = rbtree_find_less_equal(&z->data, &key, 607 (rbnode_type**)node); 608 } 609 610 /** find or create domain with name in zone */ 611 static struct auth_data* 612 az_domain_find_or_create(struct auth_zone* z, uint8_t* dname, 613 size_t dname_len) 614 { 615 struct auth_data* n = az_find_name(z, dname, dname_len); 616 if(!n) { 617 n = az_domain_create(z, dname, dname_len); 618 } 619 return n; 620 } 621 622 /** find rrset of given type in the domain */ 623 static struct auth_rrset* 624 az_domain_rrset(struct auth_data* n, uint16_t t) 625 { 626 struct auth_rrset* rrset; 627 if(!n) return NULL; 628 rrset = n->rrsets; 629 while(rrset) { 630 if(rrset->type == t) 631 return rrset; 632 rrset = rrset->next; 633 } 634 return NULL; 635 } 636 637 /** remove rrset of this type from domain */ 638 static void 639 domain_remove_rrset(struct auth_data* node, uint16_t rr_type) 640 { 641 struct auth_rrset* rrset, *prev; 642 if(!node) return; 643 prev = NULL; 644 rrset = node->rrsets; 645 while(rrset) { 646 if(rrset->type == rr_type) { 647 /* found it, now delete it */ 648 if(prev) prev->next = rrset->next; 649 else node->rrsets = rrset->next; 650 auth_rrset_delete(rrset); 651 return; 652 } 653 prev = rrset; 654 rrset = rrset->next; 655 } 656 } 657 658 /** find an rr index in the rrset. returns true if found */ 659 static int 660 az_rrset_find_rr(struct packed_rrset_data* d, uint8_t* rdata, size_t len, 661 size_t* index) 662 { 663 size_t i; 664 for(i=0; i<d->count; i++) { 665 if(d->rr_len[i] != len) 666 continue; 667 if(memcmp(d->rr_data[i], rdata, len) == 0) { 668 *index = i; 669 return 1; 670 } 671 } 672 return 0; 673 } 674 675 /** find an rrsig index in the rrset. returns true if found */ 676 static int 677 az_rrset_find_rrsig(struct packed_rrset_data* d, uint8_t* rdata, size_t len, 678 size_t* index) 679 { 680 size_t i; 681 for(i=d->count; i<d->count + d->rrsig_count; i++) { 682 if(d->rr_len[i] != len) 683 continue; 684 if(memcmp(d->rr_data[i], rdata, len) == 0) { 685 *index = i; 686 return 1; 687 } 688 } 689 return 0; 690 } 691 692 /** see if rdata is duplicate */ 693 static int 694 rdata_duplicate(struct packed_rrset_data* d, uint8_t* rdata, size_t len) 695 { 696 size_t i; 697 for(i=0; i<d->count + d->rrsig_count; i++) { 698 if(d->rr_len[i] != len) 699 continue; 700 if(memcmp(d->rr_data[i], rdata, len) == 0) 701 return 1; 702 } 703 return 0; 704 } 705 706 /** get rrsig type covered from rdata. 707 * @param rdata: rdata in wireformat, starting with 16bit rdlength. 708 * @param rdatalen: length of rdata buffer. 709 * @return type covered (or 0). 710 */ 711 static uint16_t 712 rrsig_rdata_get_type_covered(uint8_t* rdata, size_t rdatalen) 713 { 714 if(rdatalen < 4) 715 return 0; 716 return sldns_read_uint16(rdata+2); 717 } 718 719 /** remove RR from existing RRset. Also sig, if it is a signature. 720 * reallocates the packed rrset for a new one, false on alloc failure */ 721 static int 722 rrset_remove_rr(struct auth_rrset* rrset, size_t index) 723 { 724 struct packed_rrset_data* d, *old = rrset->data; 725 size_t i; 726 if(index >= old->count + old->rrsig_count) 727 return 0; /* index out of bounds */ 728 d = (struct packed_rrset_data*)calloc(1, packed_rrset_sizeof(old) - ( 729 sizeof(size_t) + sizeof(uint8_t*) + sizeof(time_t) + 730 old->rr_len[index])); 731 if(!d) { 732 log_err("malloc failure"); 733 return 0; 734 } 735 d->ttl = old->ttl; 736 d->count = old->count; 737 d->rrsig_count = old->rrsig_count; 738 if(index < d->count) d->count--; 739 else d->rrsig_count--; 740 d->trust = old->trust; 741 d->security = old->security; 742 743 /* set rr_len, needed for ptr_fixup */ 744 d->rr_len = (size_t*)((uint8_t*)d + 745 sizeof(struct packed_rrset_data)); 746 if(index > 0) 747 memmove(d->rr_len, old->rr_len, (index)*sizeof(size_t)); 748 if(index+1 < old->count+old->rrsig_count) 749 memmove(&d->rr_len[index], &old->rr_len[index+1], 750 (old->count+old->rrsig_count - (index+1))*sizeof(size_t)); 751 packed_rrset_ptr_fixup(d); 752 753 /* move over ttls */ 754 if(index > 0) 755 memmove(d->rr_ttl, old->rr_ttl, (index)*sizeof(time_t)); 756 if(index+1 < old->count+old->rrsig_count) 757 memmove(&d->rr_ttl[index], &old->rr_ttl[index+1], 758 (old->count+old->rrsig_count - (index+1))*sizeof(time_t)); 759 760 /* move over rr_data */ 761 for(i=0; i<d->count+d->rrsig_count; i++) { 762 size_t oldi; 763 if(i < index) oldi = i; 764 else oldi = i+1; 765 memmove(d->rr_data[i], old->rr_data[oldi], d->rr_len[i]); 766 } 767 768 /* recalc ttl (lowest of remaining RR ttls) */ 769 if(d->count + d->rrsig_count > 0) 770 d->ttl = d->rr_ttl[0]; 771 for(i=0; i<d->count+d->rrsig_count; i++) { 772 if(d->rr_ttl[i] < d->ttl) 773 d->ttl = d->rr_ttl[i]; 774 } 775 776 free(rrset->data); 777 rrset->data = d; 778 return 1; 779 } 780 781 /** add RR to existing RRset. If insert_sig is true, add to rrsigs. 782 * This reallocates the packed rrset for a new one */ 783 static int 784 rrset_add_rr(struct auth_rrset* rrset, uint32_t rr_ttl, uint8_t* rdata, 785 size_t rdatalen, int insert_sig) 786 { 787 struct packed_rrset_data* d, *old = rrset->data; 788 size_t total, old_total; 789 790 d = (struct packed_rrset_data*)calloc(1, packed_rrset_sizeof(old) 791 + sizeof(size_t) + sizeof(uint8_t*) + sizeof(time_t) 792 + rdatalen); 793 if(!d) { 794 log_err("out of memory"); 795 return 0; 796 } 797 /* copy base values */ 798 memcpy(d, old, sizeof(struct packed_rrset_data)); 799 if(!insert_sig) { 800 d->count++; 801 } else { 802 d->rrsig_count++; 803 } 804 old_total = old->count + old->rrsig_count; 805 total = d->count + d->rrsig_count; 806 /* set rr_len, needed for ptr_fixup */ 807 d->rr_len = (size_t*)((uint8_t*)d + 808 sizeof(struct packed_rrset_data)); 809 if(old->count != 0) 810 memmove(d->rr_len, old->rr_len, old->count*sizeof(size_t)); 811 if(old->rrsig_count != 0) 812 memmove(d->rr_len+d->count, old->rr_len+old->count, 813 old->rrsig_count*sizeof(size_t)); 814 if(!insert_sig) 815 d->rr_len[d->count-1] = rdatalen; 816 else d->rr_len[total-1] = rdatalen; 817 packed_rrset_ptr_fixup(d); 818 if((time_t)rr_ttl < d->ttl) 819 d->ttl = rr_ttl; 820 821 /* copy old values into new array */ 822 if(old->count != 0) { 823 memmove(d->rr_ttl, old->rr_ttl, old->count*sizeof(time_t)); 824 /* all the old rr pieces are allocated sequential, so we 825 * can copy them in one go */ 826 memmove(d->rr_data[0], old->rr_data[0], 827 (old->rr_data[old->count-1] - old->rr_data[0]) + 828 old->rr_len[old->count-1]); 829 } 830 if(old->rrsig_count != 0) { 831 memmove(d->rr_ttl+d->count, old->rr_ttl+old->count, 832 old->rrsig_count*sizeof(time_t)); 833 memmove(d->rr_data[d->count], old->rr_data[old->count], 834 (old->rr_data[old_total-1] - old->rr_data[old->count]) + 835 old->rr_len[old_total-1]); 836 } 837 838 /* insert new value */ 839 if(!insert_sig) { 840 d->rr_ttl[d->count-1] = rr_ttl; 841 memmove(d->rr_data[d->count-1], rdata, rdatalen); 842 } else { 843 d->rr_ttl[total-1] = rr_ttl; 844 memmove(d->rr_data[total-1], rdata, rdatalen); 845 } 846 847 rrset->data = d; 848 free(old); 849 return 1; 850 } 851 852 /** Create new rrset for node with packed rrset with one RR element */ 853 static struct auth_rrset* 854 rrset_create(struct auth_data* node, uint16_t rr_type, uint32_t rr_ttl, 855 uint8_t* rdata, size_t rdatalen) 856 { 857 struct auth_rrset* rrset = (struct auth_rrset*)calloc(1, 858 sizeof(*rrset)); 859 struct auth_rrset* p, *prev; 860 struct packed_rrset_data* d; 861 if(!rrset) { 862 log_err("out of memory"); 863 return NULL; 864 } 865 rrset->type = rr_type; 866 867 /* the rrset data structure, with one RR */ 868 d = (struct packed_rrset_data*)calloc(1, 869 sizeof(struct packed_rrset_data) + sizeof(size_t) + 870 sizeof(uint8_t*) + sizeof(time_t) + rdatalen); 871 if(!d) { 872 free(rrset); 873 log_err("out of memory"); 874 return NULL; 875 } 876 rrset->data = d; 877 d->ttl = rr_ttl; 878 d->trust = rrset_trust_prim_noglue; 879 d->rr_len = (size_t*)((uint8_t*)d + sizeof(struct packed_rrset_data)); 880 d->rr_data = (uint8_t**)&(d->rr_len[1]); 881 d->rr_ttl = (time_t*)&(d->rr_data[1]); 882 d->rr_data[0] = (uint8_t*)&(d->rr_ttl[1]); 883 884 /* insert the RR */ 885 d->rr_len[0] = rdatalen; 886 d->rr_ttl[0] = rr_ttl; 887 memmove(d->rr_data[0], rdata, rdatalen); 888 d->count++; 889 890 /* insert rrset into linked list for domain */ 891 /* find sorted place to link the rrset into the list */ 892 prev = NULL; 893 p = node->rrsets; 894 while(p && p->type<=rr_type) { 895 prev = p; 896 p = p->next; 897 } 898 /* so, prev is smaller, and p is larger than rr_type */ 899 rrset->next = p; 900 if(prev) prev->next = rrset; 901 else node->rrsets = rrset; 902 return rrset; 903 } 904 905 /** count number (and size) of rrsigs that cover a type */ 906 static size_t 907 rrsig_num_that_cover(struct auth_rrset* rrsig, uint16_t rr_type, size_t* sigsz) 908 { 909 struct packed_rrset_data* d = rrsig->data; 910 size_t i, num = 0; 911 *sigsz = 0; 912 log_assert(d && rrsig->type == LDNS_RR_TYPE_RRSIG); 913 for(i=0; i<d->count+d->rrsig_count; i++) { 914 if(rrsig_rdata_get_type_covered(d->rr_data[i], 915 d->rr_len[i]) == rr_type) { 916 num++; 917 (*sigsz) += d->rr_len[i]; 918 } 919 } 920 return num; 921 } 922 923 /** See if rrsig set has covered sigs for rrset and move them over */ 924 static int 925 rrset_moveover_rrsigs(struct auth_data* node, uint16_t rr_type, 926 struct auth_rrset* rrset, struct auth_rrset* rrsig) 927 { 928 size_t sigs, sigsz, i, j, total; 929 struct packed_rrset_data* sigold = rrsig->data; 930 struct packed_rrset_data* old = rrset->data; 931 struct packed_rrset_data* d, *sigd; 932 933 log_assert(rrset->type == rr_type); 934 log_assert(rrsig->type == LDNS_RR_TYPE_RRSIG); 935 sigs = rrsig_num_that_cover(rrsig, rr_type, &sigsz); 936 if(sigs == 0) { 937 /* 0 rrsigs to move over, done */ 938 return 1; 939 } 940 941 /* allocate rrset sigsz larger for extra sigs elements, and 942 * allocate rrsig sigsz smaller for less sigs elements. */ 943 d = (struct packed_rrset_data*)calloc(1, packed_rrset_sizeof(old) 944 + sigs*(sizeof(size_t) + sizeof(uint8_t*) + sizeof(time_t)) 945 + sigsz); 946 if(!d) { 947 log_err("out of memory"); 948 return 0; 949 } 950 /* copy base values */ 951 total = old->count + old->rrsig_count; 952 memcpy(d, old, sizeof(struct packed_rrset_data)); 953 d->rrsig_count += sigs; 954 /* setup rr_len */ 955 d->rr_len = (size_t*)((uint8_t*)d + 956 sizeof(struct packed_rrset_data)); 957 if(total != 0) 958 memmove(d->rr_len, old->rr_len, total*sizeof(size_t)); 959 j = d->count+d->rrsig_count-sigs; 960 for(i=0; i<sigold->count+sigold->rrsig_count; i++) { 961 if(rrsig_rdata_get_type_covered(sigold->rr_data[i], 962 sigold->rr_len[i]) == rr_type) { 963 d->rr_len[j] = sigold->rr_len[i]; 964 j++; 965 } 966 } 967 packed_rrset_ptr_fixup(d); 968 969 /* copy old values into new array */ 970 if(total != 0) { 971 memmove(d->rr_ttl, old->rr_ttl, total*sizeof(time_t)); 972 /* all the old rr pieces are allocated sequential, so we 973 * can copy them in one go */ 974 memmove(d->rr_data[0], old->rr_data[0], 975 (old->rr_data[total-1] - old->rr_data[0]) + 976 old->rr_len[total-1]); 977 } 978 979 /* move over the rrsigs to the larger rrset*/ 980 j = d->count+d->rrsig_count-sigs; 981 for(i=0; i<sigold->count+sigold->rrsig_count; i++) { 982 if(rrsig_rdata_get_type_covered(sigold->rr_data[i], 983 sigold->rr_len[i]) == rr_type) { 984 /* move this one over to location j */ 985 d->rr_ttl[j] = sigold->rr_ttl[i]; 986 memmove(d->rr_data[j], sigold->rr_data[i], 987 sigold->rr_len[i]); 988 if(d->rr_ttl[j] < d->ttl) 989 d->ttl = d->rr_ttl[j]; 990 j++; 991 } 992 } 993 994 /* put it in and deallocate the old rrset */ 995 rrset->data = d; 996 free(old); 997 998 /* now make rrsig set smaller */ 999 if(sigold->count+sigold->rrsig_count == sigs) { 1000 /* remove all sigs from rrsig, remove it entirely */ 1001 domain_remove_rrset(node, LDNS_RR_TYPE_RRSIG); 1002 return 1; 1003 } 1004 log_assert(packed_rrset_sizeof(sigold) > sigs*(sizeof(size_t) + 1005 sizeof(uint8_t*) + sizeof(time_t)) + sigsz); 1006 sigd = (struct packed_rrset_data*)calloc(1, packed_rrset_sizeof(sigold) 1007 - sigs*(sizeof(size_t) + sizeof(uint8_t*) + sizeof(time_t)) 1008 - sigsz); 1009 if(!sigd) { 1010 /* no need to free up d, it has already been placed in the 1011 * node->rrset structure */ 1012 log_err("out of memory"); 1013 return 0; 1014 } 1015 /* copy base values */ 1016 memcpy(sigd, sigold, sizeof(struct packed_rrset_data)); 1017 sigd->rrsig_count -= sigs; 1018 /* setup rr_len */ 1019 sigd->rr_len = (size_t*)((uint8_t*)sigd + 1020 sizeof(struct packed_rrset_data)); 1021 j = 0; 1022 for(i=0; i<sigold->count+sigold->rrsig_count; i++) { 1023 if(rrsig_rdata_get_type_covered(sigold->rr_data[i], 1024 sigold->rr_len[i]) != rr_type) { 1025 sigd->rr_len[j] = sigold->rr_len[i]; 1026 j++; 1027 } 1028 } 1029 packed_rrset_ptr_fixup(sigd); 1030 1031 /* copy old values into new rrsig array */ 1032 j = 0; 1033 for(i=0; i<sigold->count+sigold->rrsig_count; i++) { 1034 if(rrsig_rdata_get_type_covered(sigold->rr_data[i], 1035 sigold->rr_len[i]) != rr_type) { 1036 /* move this one over to location j */ 1037 sigd->rr_ttl[j] = sigold->rr_ttl[i]; 1038 memmove(sigd->rr_data[j], sigold->rr_data[i], 1039 sigold->rr_len[i]); 1040 if(j==0) sigd->ttl = sigd->rr_ttl[j]; 1041 else { 1042 if(sigd->rr_ttl[j] < sigd->ttl) 1043 sigd->ttl = sigd->rr_ttl[j]; 1044 } 1045 j++; 1046 } 1047 } 1048 1049 /* put it in and deallocate the old rrset */ 1050 rrsig->data = sigd; 1051 free(sigold); 1052 1053 return 1; 1054 } 1055 1056 /** copy the rrsigs from the rrset to the rrsig rrset, because the rrset 1057 * is going to be deleted. reallocates the RRSIG rrset data. */ 1058 static int 1059 rrsigs_copy_from_rrset_to_rrsigset(struct auth_rrset* rrset, 1060 struct auth_rrset* rrsigset) 1061 { 1062 size_t i; 1063 if(rrset->data->rrsig_count == 0) 1064 return 1; 1065 1066 /* move them over one by one, because there might be duplicates, 1067 * duplicates are ignored */ 1068 for(i=rrset->data->count; 1069 i<rrset->data->count+rrset->data->rrsig_count; i++) { 1070 uint8_t* rdata = rrset->data->rr_data[i]; 1071 size_t rdatalen = rrset->data->rr_len[i]; 1072 time_t rr_ttl = rrset->data->rr_ttl[i]; 1073 1074 if(rdata_duplicate(rrsigset->data, rdata, rdatalen)) { 1075 continue; 1076 } 1077 if(!rrset_add_rr(rrsigset, rr_ttl, rdata, rdatalen, 0)) 1078 return 0; 1079 } 1080 return 1; 1081 } 1082 1083 /** Add rr to node, ignores duplicate RRs, 1084 * rdata points to buffer with rdatalen octets, starts with 2bytelength. */ 1085 static int 1086 az_domain_add_rr(struct auth_data* node, uint16_t rr_type, uint32_t rr_ttl, 1087 uint8_t* rdata, size_t rdatalen, int* duplicate) 1088 { 1089 struct auth_rrset* rrset; 1090 /* packed rrsets have their rrsigs along with them, sort them out */ 1091 if(rr_type == LDNS_RR_TYPE_RRSIG) { 1092 uint16_t ctype = rrsig_rdata_get_type_covered(rdata, rdatalen); 1093 if((rrset=az_domain_rrset(node, ctype))!= NULL) { 1094 /* a node of the correct type exists, add the RRSIG 1095 * to the rrset of the covered data type */ 1096 if(rdata_duplicate(rrset->data, rdata, rdatalen)) { 1097 if(duplicate) *duplicate = 1; 1098 return 1; 1099 } 1100 if(!rrset_add_rr(rrset, rr_ttl, rdata, rdatalen, 1)) 1101 return 0; 1102 } else if((rrset=az_domain_rrset(node, rr_type))!= NULL) { 1103 /* add RRSIG to rrset of type RRSIG */ 1104 if(rdata_duplicate(rrset->data, rdata, rdatalen)) { 1105 if(duplicate) *duplicate = 1; 1106 return 1; 1107 } 1108 if(!rrset_add_rr(rrset, rr_ttl, rdata, rdatalen, 0)) 1109 return 0; 1110 } else { 1111 /* create rrset of type RRSIG */ 1112 if(!rrset_create(node, rr_type, rr_ttl, rdata, 1113 rdatalen)) 1114 return 0; 1115 } 1116 } else { 1117 /* normal RR type */ 1118 if((rrset=az_domain_rrset(node, rr_type))!= NULL) { 1119 /* add data to existing node with data type */ 1120 if(rdata_duplicate(rrset->data, rdata, rdatalen)) { 1121 if(duplicate) *duplicate = 1; 1122 return 1; 1123 } 1124 if(!rrset_add_rr(rrset, rr_ttl, rdata, rdatalen, 0)) 1125 return 0; 1126 } else { 1127 struct auth_rrset* rrsig; 1128 /* create new node with data type */ 1129 if(!(rrset=rrset_create(node, rr_type, rr_ttl, rdata, 1130 rdatalen))) 1131 return 0; 1132 1133 /* see if node of type RRSIG has signatures that 1134 * cover the data type, and move them over */ 1135 /* and then make the RRSIG type smaller */ 1136 if((rrsig=az_domain_rrset(node, LDNS_RR_TYPE_RRSIG)) 1137 != NULL) { 1138 if(!rrset_moveover_rrsigs(node, rr_type, 1139 rrset, rrsig)) 1140 return 0; 1141 } 1142 } 1143 } 1144 return 1; 1145 } 1146 1147 /** insert RR into zone, ignore duplicates */ 1148 static int 1149 az_insert_rr(struct auth_zone* z, uint8_t* rr, size_t rr_len, 1150 size_t dname_len, int* duplicate) 1151 { 1152 struct auth_data* node; 1153 uint8_t* dname = rr; 1154 uint16_t rr_type = sldns_wirerr_get_type(rr, rr_len, dname_len); 1155 uint16_t rr_class = sldns_wirerr_get_class(rr, rr_len, dname_len); 1156 uint32_t rr_ttl = sldns_wirerr_get_ttl(rr, rr_len, dname_len); 1157 size_t rdatalen = ((size_t)sldns_wirerr_get_rdatalen(rr, rr_len, 1158 dname_len))+2; 1159 /* rdata points to rdata prefixed with uint16 rdatalength */ 1160 uint8_t* rdata = sldns_wirerr_get_rdatawl(rr, rr_len, dname_len); 1161 1162 if(rr_class != z->dclass) { 1163 log_err("wrong class for RR"); 1164 return 0; 1165 } 1166 if(!(node=az_domain_find_or_create(z, dname, dname_len))) { 1167 log_err("cannot create domain"); 1168 return 0; 1169 } 1170 if(!az_domain_add_rr(node, rr_type, rr_ttl, rdata, rdatalen, 1171 duplicate)) { 1172 log_err("cannot add RR to domain"); 1173 return 0; 1174 } 1175 return 1; 1176 } 1177 1178 /** Remove rr from node, ignores nonexisting RRs, 1179 * rdata points to buffer with rdatalen octets, starts with 2bytelength. */ 1180 static int 1181 az_domain_remove_rr(struct auth_data* node, uint16_t rr_type, 1182 uint8_t* rdata, size_t rdatalen, int* nonexist) 1183 { 1184 struct auth_rrset* rrset; 1185 size_t index = 0; 1186 1187 /* find the plain RR of the given type */ 1188 if((rrset=az_domain_rrset(node, rr_type))!= NULL) { 1189 if(az_rrset_find_rr(rrset->data, rdata, rdatalen, &index)) { 1190 if(rrset->data->count == 1 && 1191 rrset->data->rrsig_count == 0) { 1192 /* last RR, delete the rrset */ 1193 domain_remove_rrset(node, rr_type); 1194 } else if(rrset->data->count == 1 && 1195 rrset->data->rrsig_count != 0) { 1196 /* move RRSIGs to the RRSIG rrset, or 1197 * this one becomes that RRset */ 1198 struct auth_rrset* rrsigset = az_domain_rrset( 1199 node, LDNS_RR_TYPE_RRSIG); 1200 if(rrsigset) { 1201 /* move left over rrsigs to the 1202 * existing rrset of type RRSIG */ 1203 rrsigs_copy_from_rrset_to_rrsigset( 1204 rrset, rrsigset); 1205 /* and then delete the rrset */ 1206 domain_remove_rrset(node, rr_type); 1207 } else { 1208 /* no rrset of type RRSIG, this 1209 * set is now of that type, 1210 * just remove the rr */ 1211 if(!rrset_remove_rr(rrset, index)) 1212 return 0; 1213 rrset->type = LDNS_RR_TYPE_RRSIG; 1214 rrset->data->count = rrset->data->rrsig_count; 1215 rrset->data->rrsig_count = 0; 1216 } 1217 } else { 1218 /* remove the RR from the rrset */ 1219 if(!rrset_remove_rr(rrset, index)) 1220 return 0; 1221 } 1222 return 1; 1223 } 1224 /* rr not found in rrset */ 1225 } 1226 1227 /* is it a type RRSIG, look under the covered type */ 1228 if(rr_type == LDNS_RR_TYPE_RRSIG) { 1229 uint16_t ctype = rrsig_rdata_get_type_covered(rdata, rdatalen); 1230 if((rrset=az_domain_rrset(node, ctype))!= NULL) { 1231 if(az_rrset_find_rrsig(rrset->data, rdata, rdatalen, 1232 &index)) { 1233 /* rrsig should have d->count > 0, be 1234 * over some rr of that type */ 1235 /* remove the rrsig from the rrsigs list of the 1236 * rrset */ 1237 if(!rrset_remove_rr(rrset, index)) 1238 return 0; 1239 return 1; 1240 } 1241 } 1242 /* also RRSIG not found */ 1243 } 1244 1245 /* nothing found to delete */ 1246 if(nonexist) *nonexist = 1; 1247 return 1; 1248 } 1249 1250 /** remove RR from zone, ignore if it does not exist, false on alloc failure*/ 1251 static int 1252 az_remove_rr(struct auth_zone* z, uint8_t* rr, size_t rr_len, 1253 size_t dname_len, int* nonexist) 1254 { 1255 struct auth_data* node; 1256 uint8_t* dname = rr; 1257 uint16_t rr_type = sldns_wirerr_get_type(rr, rr_len, dname_len); 1258 uint16_t rr_class = sldns_wirerr_get_class(rr, rr_len, dname_len); 1259 size_t rdatalen = ((size_t)sldns_wirerr_get_rdatalen(rr, rr_len, 1260 dname_len))+2; 1261 /* rdata points to rdata prefixed with uint16 rdatalength */ 1262 uint8_t* rdata = sldns_wirerr_get_rdatawl(rr, rr_len, dname_len); 1263 1264 if(rr_class != z->dclass) { 1265 log_err("wrong class for RR"); 1266 /* really also a nonexisting entry, because no records 1267 * of that class in the zone, but return an error because 1268 * getting records of the wrong class is a failure of the 1269 * zone transfer */ 1270 return 0; 1271 } 1272 node = az_find_name(z, dname, dname_len); 1273 if(!node) { 1274 /* node with that name does not exist */ 1275 /* nonexisting entry, because no such name */ 1276 *nonexist = 1; 1277 return 1; 1278 } 1279 if(!az_domain_remove_rr(node, rr_type, rdata, rdatalen, nonexist)) { 1280 /* alloc failure or so */ 1281 return 0; 1282 } 1283 /* remove the node, if necessary */ 1284 /* an rrsets==NULL entry is not kept around for empty nonterminals, 1285 * and also parent nodes are not kept around, so we just delete it */ 1286 if(node->rrsets == NULL) { 1287 (void)rbtree_delete(&z->data, node); 1288 auth_data_delete(node); 1289 } 1290 return 1; 1291 } 1292 1293 /** decompress an RR into the buffer where it'll be an uncompressed RR 1294 * with uncompressed dname and uncompressed rdata (dnames) */ 1295 static int 1296 decompress_rr_into_buffer(struct sldns_buffer* buf, uint8_t* pkt, 1297 size_t pktlen, uint8_t* dname, uint16_t rr_type, uint16_t rr_class, 1298 uint32_t rr_ttl, uint8_t* rr_data, uint16_t rr_rdlen) 1299 { 1300 sldns_buffer pktbuf; 1301 size_t dname_len = 0; 1302 size_t rdlenpos; 1303 size_t rdlen; 1304 uint8_t* rd; 1305 const sldns_rr_descriptor* desc; 1306 sldns_buffer_init_frm_data(&pktbuf, pkt, pktlen); 1307 sldns_buffer_clear(buf); 1308 1309 /* decompress dname */ 1310 sldns_buffer_set_position(&pktbuf, 1311 (size_t)(dname - sldns_buffer_current(&pktbuf))); 1312 dname_len = pkt_dname_len(&pktbuf); 1313 if(dname_len == 0) return 0; /* parse fail on dname */ 1314 if(!sldns_buffer_available(buf, dname_len)) return 0; 1315 dname_pkt_copy(&pktbuf, sldns_buffer_current(buf), dname); 1316 sldns_buffer_skip(buf, (ssize_t)dname_len); 1317 1318 /* type, class, ttl and rdatalength fields */ 1319 if(!sldns_buffer_available(buf, 10)) return 0; 1320 sldns_buffer_write_u16(buf, rr_type); 1321 sldns_buffer_write_u16(buf, rr_class); 1322 sldns_buffer_write_u32(buf, rr_ttl); 1323 rdlenpos = sldns_buffer_position(buf); 1324 sldns_buffer_write_u16(buf, 0); /* rd length position */ 1325 1326 /* decompress rdata */ 1327 desc = sldns_rr_descript(rr_type); 1328 rd = rr_data; 1329 rdlen = rr_rdlen; 1330 if(rdlen > 0 && desc && desc->_dname_count > 0) { 1331 int count = (int)desc->_dname_count; 1332 int rdf = 0; 1333 size_t len; /* how much rdata to plain copy */ 1334 size_t uncompressed_len, compressed_len; 1335 size_t oldpos; 1336 /* decompress dnames. */ 1337 while(rdlen > 0 && count) { 1338 switch(desc->_wireformat[rdf]) { 1339 case LDNS_RDF_TYPE_DNAME: 1340 sldns_buffer_set_position(&pktbuf, 1341 (size_t)(rd - 1342 sldns_buffer_begin(&pktbuf))); 1343 oldpos = sldns_buffer_position(&pktbuf); 1344 /* moves pktbuf to right after the 1345 * compressed dname, and returns uncompressed 1346 * dname length */ 1347 uncompressed_len = pkt_dname_len(&pktbuf); 1348 if(!uncompressed_len) 1349 return 0; /* parse error in dname */ 1350 if(!sldns_buffer_available(buf, 1351 uncompressed_len)) 1352 /* dname too long for buffer */ 1353 return 0; 1354 dname_pkt_copy(&pktbuf, 1355 sldns_buffer_current(buf), rd); 1356 sldns_buffer_skip(buf, (ssize_t)uncompressed_len); 1357 compressed_len = sldns_buffer_position( 1358 &pktbuf) - oldpos; 1359 rd += compressed_len; 1360 rdlen -= compressed_len; 1361 count--; 1362 len = 0; 1363 break; 1364 case LDNS_RDF_TYPE_STR: 1365 len = rd[0] + 1; 1366 break; 1367 default: 1368 len = get_rdf_size(desc->_wireformat[rdf]); 1369 break; 1370 } 1371 if(len) { 1372 if(!sldns_buffer_available(buf, len)) 1373 return 0; /* too long for buffer */ 1374 sldns_buffer_write(buf, rd, len); 1375 rd += len; 1376 rdlen -= len; 1377 } 1378 rdf++; 1379 } 1380 } 1381 /* copy remaining data */ 1382 if(rdlen > 0) { 1383 if(!sldns_buffer_available(buf, rdlen)) return 0; 1384 sldns_buffer_write(buf, rd, rdlen); 1385 } 1386 /* fixup rdlength */ 1387 sldns_buffer_write_u16_at(buf, rdlenpos, 1388 sldns_buffer_position(buf)-rdlenpos-2); 1389 sldns_buffer_flip(buf); 1390 return 1; 1391 } 1392 1393 /** insert RR into zone, from packet, decompress RR, 1394 * if duplicate is nonNULL set the flag but otherwise ignore duplicates */ 1395 static int 1396 az_insert_rr_decompress(struct auth_zone* z, uint8_t* pkt, size_t pktlen, 1397 struct sldns_buffer* scratch_buffer, uint8_t* dname, uint16_t rr_type, 1398 uint16_t rr_class, uint32_t rr_ttl, uint8_t* rr_data, 1399 uint16_t rr_rdlen, int* duplicate) 1400 { 1401 uint8_t* rr; 1402 size_t rr_len; 1403 size_t dname_len; 1404 if(!decompress_rr_into_buffer(scratch_buffer, pkt, pktlen, dname, 1405 rr_type, rr_class, rr_ttl, rr_data, rr_rdlen)) { 1406 log_err("could not decompress RR"); 1407 return 0; 1408 } 1409 rr = sldns_buffer_begin(scratch_buffer); 1410 rr_len = sldns_buffer_limit(scratch_buffer); 1411 dname_len = dname_valid(rr, rr_len); 1412 return az_insert_rr(z, rr, rr_len, dname_len, duplicate); 1413 } 1414 1415 /** remove RR from zone, from packet, decompress RR, 1416 * if nonexist is nonNULL set the flag but otherwise ignore nonexisting entries*/ 1417 static int 1418 az_remove_rr_decompress(struct auth_zone* z, uint8_t* pkt, size_t pktlen, 1419 struct sldns_buffer* scratch_buffer, uint8_t* dname, uint16_t rr_type, 1420 uint16_t rr_class, uint32_t rr_ttl, uint8_t* rr_data, 1421 uint16_t rr_rdlen, int* nonexist) 1422 { 1423 uint8_t* rr; 1424 size_t rr_len; 1425 size_t dname_len; 1426 if(!decompress_rr_into_buffer(scratch_buffer, pkt, pktlen, dname, 1427 rr_type, rr_class, rr_ttl, rr_data, rr_rdlen)) { 1428 log_err("could not decompress RR"); 1429 return 0; 1430 } 1431 rr = sldns_buffer_begin(scratch_buffer); 1432 rr_len = sldns_buffer_limit(scratch_buffer); 1433 dname_len = dname_valid(rr, rr_len); 1434 return az_remove_rr(z, rr, rr_len, dname_len, nonexist); 1435 } 1436 1437 /** 1438 * Parse zonefile 1439 * @param z: zone to read in. 1440 * @param in: file to read from (just opened). 1441 * @param rr: buffer to use for RRs, 64k. 1442 * passed so that recursive includes can use the same buffer and do 1443 * not grow the stack too much. 1444 * @param rrbuflen: sizeof rr buffer. 1445 * @param state: parse state with $ORIGIN, $TTL and 'prev-dname' and so on, 1446 * that is kept between includes. 1447 * The lineno is set at 1 and then increased by the function. 1448 * @param fname: file name. 1449 * @param depth: recursion depth for includes 1450 * returns false on failure, has printed an error message 1451 */ 1452 static int 1453 az_parse_file(struct auth_zone* z, FILE* in, uint8_t* rr, size_t rrbuflen, 1454 struct sldns_file_parse_state* state, char* fname, int depth) 1455 { 1456 size_t rr_len, dname_len; 1457 int status; 1458 state->lineno = 1; 1459 1460 while(!feof(in)) { 1461 rr_len = rrbuflen; 1462 dname_len = 0; 1463 status = sldns_fp2wire_rr_buf(in, rr, &rr_len, &dname_len, 1464 state); 1465 if(status == LDNS_WIREPARSE_ERR_INCLUDE && rr_len == 0) { 1466 /* we have $INCLUDE or $something */ 1467 if(strncmp((char*)rr, "$INCLUDE ", 9) == 0 || 1468 strncmp((char*)rr, "$INCLUDE\t", 9) == 0) { 1469 FILE* inc; 1470 int lineno_orig = state->lineno; 1471 char* incfile = (char*)rr + 8; 1472 if(depth > MAX_INCLUDE_DEPTH) { 1473 log_err("%s:%d max include depth" 1474 "exceeded", fname, state->lineno); 1475 return 0; 1476 } 1477 /* skip spaces */ 1478 while(*incfile == ' ' || *incfile == '\t') 1479 incfile++; 1480 incfile = strdup(incfile); 1481 if(!incfile) { 1482 log_err("malloc failure"); 1483 return 0; 1484 } 1485 verbose(VERB_ALGO, "opening $INCLUDE %s", 1486 incfile); 1487 inc = fopen(incfile, "r"); 1488 if(!inc) { 1489 log_err("%s:%d cannot open include " 1490 "file %s: %s", z->zonefile, 1491 lineno_orig, incfile, 1492 strerror(errno)); 1493 free(incfile); 1494 return 0; 1495 } 1496 /* recurse read that file now */ 1497 if(!az_parse_file(z, inc, rr, rrbuflen, 1498 state, incfile, depth+1)) { 1499 log_err("%s:%d cannot parse include " 1500 "file %s", fname, 1501 lineno_orig, incfile); 1502 fclose(inc); 1503 free(incfile); 1504 return 0; 1505 } 1506 fclose(inc); 1507 verbose(VERB_ALGO, "done with $INCLUDE %s", 1508 incfile); 1509 free(incfile); 1510 state->lineno = lineno_orig; 1511 } 1512 continue; 1513 } 1514 if(status != 0) { 1515 log_err("parse error %s %d:%d: %s", fname, 1516 state->lineno, LDNS_WIREPARSE_OFFSET(status), 1517 sldns_get_errorstr_parse(status)); 1518 return 0; 1519 } 1520 if(rr_len == 0) { 1521 /* EMPTY line, TTL or ORIGIN */ 1522 continue; 1523 } 1524 /* insert wirerr in rrbuf */ 1525 if(!az_insert_rr(z, rr, rr_len, dname_len, NULL)) { 1526 char buf[17]; 1527 sldns_wire2str_type_buf(sldns_wirerr_get_type(rr, 1528 rr_len, dname_len), buf, sizeof(buf)); 1529 log_err("%s:%d cannot insert RR of type %s", 1530 fname, state->lineno, buf); 1531 return 0; 1532 } 1533 } 1534 return 1; 1535 } 1536 1537 int 1538 auth_zone_read_zonefile(struct auth_zone* z) 1539 { 1540 uint8_t rr[LDNS_RR_BUF_SIZE]; 1541 struct sldns_file_parse_state state; 1542 FILE* in; 1543 if(!z || !z->zonefile || z->zonefile[0]==0) 1544 return 1; /* no file, or "", nothing to read */ 1545 if(verbosity >= VERB_ALGO) { 1546 char nm[255+1]; 1547 dname_str(z->name, nm); 1548 verbose(VERB_ALGO, "read zonefile %s for %s", z->zonefile, nm); 1549 } 1550 in = fopen(z->zonefile, "r"); 1551 if(!in) { 1552 char* n = sldns_wire2str_dname(z->name, z->namelen); 1553 if(z->zone_is_slave && errno == ENOENT) { 1554 /* we fetch the zone contents later, no file yet */ 1555 verbose(VERB_ALGO, "no zonefile %s for %s", 1556 z->zonefile, n?n:"error"); 1557 free(n); 1558 return 1; 1559 } 1560 log_err("cannot open zonefile %s for %s: %s", 1561 z->zonefile, n?n:"error", strerror(errno)); 1562 free(n); 1563 return 0; 1564 } 1565 1566 /* clear the data tree */ 1567 traverse_postorder(&z->data, auth_data_del, NULL); 1568 rbtree_init(&z->data, &auth_data_cmp); 1569 1570 memset(&state, 0, sizeof(state)); 1571 /* default TTL to 3600 */ 1572 state.default_ttl = 3600; 1573 /* set $ORIGIN to the zone name */ 1574 if(z->namelen <= sizeof(state.origin)) { 1575 memcpy(state.origin, z->name, z->namelen); 1576 state.origin_len = z->namelen; 1577 } 1578 /* parse the (toplevel) file */ 1579 if(!az_parse_file(z, in, rr, sizeof(rr), &state, z->zonefile, 0)) { 1580 char* n = sldns_wire2str_dname(z->name, z->namelen); 1581 log_err("error parsing zonefile %s for %s", 1582 z->zonefile, n?n:"error"); 1583 free(n); 1584 fclose(in); 1585 return 0; 1586 } 1587 fclose(in); 1588 return 1; 1589 } 1590 1591 /** write buffer to file and check return codes */ 1592 static int 1593 write_out(FILE* out, const char* str, size_t len) 1594 { 1595 size_t r; 1596 if(len == 0) 1597 return 1; 1598 r = fwrite(str, 1, len, out); 1599 if(r == 0) { 1600 log_err("write failed: %s", strerror(errno)); 1601 return 0; 1602 } else if(r < len) { 1603 log_err("write failed: too short (disk full?)"); 1604 return 0; 1605 } 1606 return 1; 1607 } 1608 1609 /** convert auth rr to string */ 1610 static int 1611 auth_rr_to_string(uint8_t* nm, size_t nmlen, uint16_t tp, uint16_t cl, 1612 struct packed_rrset_data* data, size_t i, char* s, size_t buflen) 1613 { 1614 int w = 0; 1615 size_t slen = buflen, datlen; 1616 uint8_t* dat; 1617 if(i >= data->count) tp = LDNS_RR_TYPE_RRSIG; 1618 dat = nm; 1619 datlen = nmlen; 1620 w += sldns_wire2str_dname_scan(&dat, &datlen, &s, &slen, NULL, 0); 1621 w += sldns_str_print(&s, &slen, "\t"); 1622 w += sldns_str_print(&s, &slen, "%lu\t", (unsigned long)data->rr_ttl[i]); 1623 w += sldns_wire2str_class_print(&s, &slen, cl); 1624 w += sldns_str_print(&s, &slen, "\t"); 1625 w += sldns_wire2str_type_print(&s, &slen, tp); 1626 w += sldns_str_print(&s, &slen, "\t"); 1627 datlen = data->rr_len[i]-2; 1628 dat = data->rr_data[i]+2; 1629 w += sldns_wire2str_rdata_scan(&dat, &datlen, &s, &slen, tp, NULL, 0); 1630 1631 if(tp == LDNS_RR_TYPE_DNSKEY) { 1632 w += sldns_str_print(&s, &slen, " ;{id = %u}", 1633 sldns_calc_keytag_raw(data->rr_data[i]+2, 1634 data->rr_len[i]-2)); 1635 } 1636 w += sldns_str_print(&s, &slen, "\n"); 1637 1638 if(w > (int)buflen) { 1639 log_nametypeclass(0, "RR too long to print", nm, tp, cl); 1640 return 0; 1641 } 1642 return 1; 1643 } 1644 1645 /** write rrset to file */ 1646 static int 1647 auth_zone_write_rrset(struct auth_zone* z, struct auth_data* node, 1648 struct auth_rrset* r, FILE* out) 1649 { 1650 size_t i, count = r->data->count + r->data->rrsig_count; 1651 char buf[LDNS_RR_BUF_SIZE]; 1652 for(i=0; i<count; i++) { 1653 if(!auth_rr_to_string(node->name, node->namelen, r->type, 1654 z->dclass, r->data, i, buf, sizeof(buf))) { 1655 verbose(VERB_ALGO, "failed to rr2str rr %d", (int)i); 1656 continue; 1657 } 1658 if(!write_out(out, buf, strlen(buf))) 1659 return 0; 1660 } 1661 return 1; 1662 } 1663 1664 /** write domain to file */ 1665 static int 1666 auth_zone_write_domain(struct auth_zone* z, struct auth_data* n, FILE* out) 1667 { 1668 struct auth_rrset* r; 1669 /* if this is zone apex, write SOA first */ 1670 if(z->namelen == n->namelen) { 1671 struct auth_rrset* soa = az_domain_rrset(n, LDNS_RR_TYPE_SOA); 1672 if(soa) { 1673 if(!auth_zone_write_rrset(z, n, soa, out)) 1674 return 0; 1675 } 1676 } 1677 /* write all the RRsets for this domain */ 1678 for(r = n->rrsets; r; r = r->next) { 1679 if(z->namelen == n->namelen && 1680 r->type == LDNS_RR_TYPE_SOA) 1681 continue; /* skip SOA here */ 1682 if(!auth_zone_write_rrset(z, n, r, out)) 1683 return 0; 1684 } 1685 return 1; 1686 } 1687 1688 int auth_zone_write_file(struct auth_zone* z, const char* fname) 1689 { 1690 FILE* out; 1691 struct auth_data* n; 1692 out = fopen(fname, "w"); 1693 if(!out) { 1694 log_err("could not open %s: %s", fname, strerror(errno)); 1695 return 0; 1696 } 1697 RBTREE_FOR(n, struct auth_data*, &z->data) { 1698 if(!auth_zone_write_domain(z, n, out)) { 1699 log_err("could not write domain to %s", fname); 1700 fclose(out); 1701 return 0; 1702 } 1703 } 1704 fclose(out); 1705 return 1; 1706 } 1707 1708 /** read all auth zones from file (if they have) */ 1709 static int 1710 auth_zones_read_zones(struct auth_zones* az) 1711 { 1712 struct auth_zone* z; 1713 lock_rw_wrlock(&az->lock); 1714 RBTREE_FOR(z, struct auth_zone*, &az->ztree) { 1715 lock_rw_wrlock(&z->lock); 1716 if(!auth_zone_read_zonefile(z)) { 1717 lock_rw_unlock(&z->lock); 1718 lock_rw_unlock(&az->lock); 1719 return 0; 1720 } 1721 lock_rw_unlock(&z->lock); 1722 } 1723 lock_rw_unlock(&az->lock); 1724 return 1; 1725 } 1726 1727 /** find serial number of zone or false if none */ 1728 int 1729 auth_zone_get_serial(struct auth_zone* z, uint32_t* serial) 1730 { 1731 struct auth_data* apex; 1732 struct auth_rrset* soa; 1733 struct packed_rrset_data* d; 1734 apex = az_find_name(z, z->name, z->namelen); 1735 if(!apex) return 0; 1736 soa = az_domain_rrset(apex, LDNS_RR_TYPE_SOA); 1737 if(!soa || soa->data->count==0) 1738 return 0; /* no RRset or no RRs in rrset */ 1739 if(soa->data->rr_len[0] < 2+4*5) return 0; /* SOA too short */ 1740 d = soa->data; 1741 *serial = sldns_read_uint32(d->rr_data[0]+(d->rr_len[0]-20)); 1742 return 1; 1743 } 1744 1745 /** Find auth_zone SOA and populate the values in xfr(soa values). */ 1746 static int 1747 xfr_find_soa(struct auth_zone* z, struct auth_xfer* xfr) 1748 { 1749 struct auth_data* apex; 1750 struct auth_rrset* soa; 1751 struct packed_rrset_data* d; 1752 apex = az_find_name(z, z->name, z->namelen); 1753 if(!apex) return 0; 1754 soa = az_domain_rrset(apex, LDNS_RR_TYPE_SOA); 1755 if(!soa || soa->data->count==0) 1756 return 0; /* no RRset or no RRs in rrset */ 1757 if(soa->data->rr_len[0] < 2+4*5) return 0; /* SOA too short */ 1758 /* SOA record ends with serial, refresh, retry, expiry, minimum, 1759 * as 4 byte fields */ 1760 d = soa->data; 1761 xfr->have_zone = 1; 1762 xfr->serial = sldns_read_uint32(d->rr_data[0]+(d->rr_len[0]-20)); 1763 xfr->refresh = sldns_read_uint32(d->rr_data[0]+(d->rr_len[0]-16)); 1764 xfr->retry = sldns_read_uint32(d->rr_data[0]+(d->rr_len[0]-12)); 1765 xfr->expiry = sldns_read_uint32(d->rr_data[0]+(d->rr_len[0]-8)); 1766 /* soa minimum at d->rr_len[0]-4 */ 1767 return 1; 1768 } 1769 1770 /** 1771 * Setup auth_xfer zone 1772 * This populates the have_zone, soa values, and so on times. 1773 * Doesn't do network traffic yet, can set option flags. 1774 * @param z: locked by caller, and modified for setup 1775 * @param x: locked by caller, and modified. 1776 * @return false on failure. 1777 */ 1778 static int 1779 auth_xfer_setup(struct auth_zone* z, struct auth_xfer* x) 1780 { 1781 /* for a zone without zone transfers, x==NULL, so skip them, 1782 * i.e. the zone config is fixed with no masters or urls */ 1783 if(!z || !x) return 1; 1784 if(!xfr_find_soa(z, x)) { 1785 return 1; 1786 } 1787 /* nothing for probe, nextprobe and transfer tasks */ 1788 return 1; 1789 } 1790 1791 /** 1792 * Setup all zones 1793 * @param az: auth zones structure 1794 * @return false on failure. 1795 */ 1796 static int 1797 auth_zones_setup_zones(struct auth_zones* az) 1798 { 1799 struct auth_zone* z; 1800 struct auth_xfer* x; 1801 lock_rw_wrlock(&az->lock); 1802 RBTREE_FOR(z, struct auth_zone*, &az->ztree) { 1803 lock_rw_wrlock(&z->lock); 1804 x = auth_xfer_find(az, z->name, z->namelen, z->dclass); 1805 if(x) { 1806 lock_basic_lock(&x->lock); 1807 } 1808 if(!auth_xfer_setup(z, x)) { 1809 if(x) { 1810 lock_basic_unlock(&x->lock); 1811 } 1812 lock_rw_unlock(&z->lock); 1813 lock_rw_unlock(&az->lock); 1814 return 0; 1815 } 1816 if(x) { 1817 lock_basic_unlock(&x->lock); 1818 } 1819 lock_rw_unlock(&z->lock); 1820 } 1821 lock_rw_unlock(&az->lock); 1822 return 1; 1823 } 1824 1825 /** set config items and create zones */ 1826 static int 1827 auth_zones_cfg(struct auth_zones* az, struct config_auth* c) 1828 { 1829 struct auth_zone* z; 1830 struct auth_xfer* x = NULL; 1831 1832 /* create zone */ 1833 lock_rw_wrlock(&az->lock); 1834 if(!(z=auth_zones_find_or_add_zone(az, c->name))) { 1835 lock_rw_unlock(&az->lock); 1836 return 0; 1837 } 1838 if(c->masters || c->urls) { 1839 if(!(x=auth_zones_find_or_add_xfer(az, z))) { 1840 lock_rw_unlock(&az->lock); 1841 lock_rw_unlock(&z->lock); 1842 return 0; 1843 } 1844 } 1845 if(c->for_downstream) 1846 az->have_downstream = 1; 1847 lock_rw_unlock(&az->lock); 1848 1849 /* set options */ 1850 z->zone_deleted = 0; 1851 if(!auth_zone_set_zonefile(z, c->zonefile)) { 1852 if(x) { 1853 lock_basic_unlock(&x->lock); 1854 } 1855 lock_rw_unlock(&z->lock); 1856 return 0; 1857 } 1858 z->for_downstream = c->for_downstream; 1859 z->for_upstream = c->for_upstream; 1860 z->fallback_enabled = c->fallback_enabled; 1861 1862 /* xfer zone */ 1863 if(x) { 1864 z->zone_is_slave = 1; 1865 /* set options on xfer zone */ 1866 if(!xfer_set_masters(&x->task_probe->masters, c, 0)) { 1867 lock_basic_unlock(&x->lock); 1868 lock_rw_unlock(&z->lock); 1869 return 0; 1870 } 1871 if(!xfer_set_masters(&x->task_transfer->masters, c, 1)) { 1872 lock_basic_unlock(&x->lock); 1873 lock_rw_unlock(&z->lock); 1874 return 0; 1875 } 1876 lock_basic_unlock(&x->lock); 1877 } 1878 1879 lock_rw_unlock(&z->lock); 1880 return 1; 1881 } 1882 1883 /** set all auth zones deleted, then in auth_zones_cfg, it marks them 1884 * as nondeleted (if they are still in the config), and then later 1885 * we can find deleted zones */ 1886 static void 1887 az_setall_deleted(struct auth_zones* az) 1888 { 1889 struct auth_zone* z; 1890 lock_rw_wrlock(&az->lock); 1891 RBTREE_FOR(z, struct auth_zone*, &az->ztree) { 1892 lock_rw_wrlock(&z->lock); 1893 z->zone_deleted = 1; 1894 lock_rw_unlock(&z->lock); 1895 } 1896 lock_rw_unlock(&az->lock); 1897 } 1898 1899 /** find zones that are marked deleted and delete them. 1900 * This is called from apply_cfg, and there are no threads and no 1901 * workers, so the xfr can just be deleted. */ 1902 static void 1903 az_delete_deleted_zones(struct auth_zones* az) 1904 { 1905 struct auth_zone* z; 1906 struct auth_zone* delete_list = NULL, *next; 1907 struct auth_xfer* xfr; 1908 lock_rw_wrlock(&az->lock); 1909 RBTREE_FOR(z, struct auth_zone*, &az->ztree) { 1910 lock_rw_wrlock(&z->lock); 1911 if(z->zone_deleted) { 1912 /* we cannot alter the rbtree right now, but 1913 * we can put it on a linked list and then 1914 * delete it */ 1915 z->delete_next = delete_list; 1916 delete_list = z; 1917 } 1918 lock_rw_unlock(&z->lock); 1919 } 1920 /* now we are out of the tree loop and we can loop and delete 1921 * the zones */ 1922 z = delete_list; 1923 while(z) { 1924 next = z->delete_next; 1925 xfr = auth_xfer_find(az, z->name, z->namelen, z->dclass); 1926 if(xfr) { 1927 (void)rbtree_delete(&az->xtree, &xfr->node); 1928 auth_xfer_delete(xfr); 1929 } 1930 (void)rbtree_delete(&az->ztree, &z->node); 1931 auth_zone_delete(z); 1932 z = next; 1933 } 1934 lock_rw_unlock(&az->lock); 1935 } 1936 1937 int auth_zones_apply_cfg(struct auth_zones* az, struct config_file* cfg, 1938 int setup) 1939 { 1940 struct config_auth* p; 1941 az_setall_deleted(az); 1942 for(p = cfg->auths; p; p = p->next) { 1943 if(!p->name || p->name[0] == 0) { 1944 log_warn("auth-zone without a name, skipped"); 1945 continue; 1946 } 1947 if(!auth_zones_cfg(az, p)) { 1948 log_err("cannot config auth zone %s", p->name); 1949 return 0; 1950 } 1951 } 1952 az_delete_deleted_zones(az); 1953 if(!auth_zones_read_zones(az)) 1954 return 0; 1955 if(setup) { 1956 if(!auth_zones_setup_zones(az)) 1957 return 0; 1958 } 1959 return 1; 1960 } 1961 1962 /** delete chunks 1963 * @param at: transfer structure with chunks list. The chunks and their 1964 * data are freed. 1965 */ 1966 static void 1967 auth_chunks_delete(struct auth_transfer* at) 1968 { 1969 if(at->chunks_first) { 1970 struct auth_chunk* c, *cn; 1971 c = at->chunks_first; 1972 while(c) { 1973 cn = c->next; 1974 free(c->data); 1975 free(c); 1976 c = cn; 1977 } 1978 } 1979 at->chunks_first = NULL; 1980 at->chunks_last = NULL; 1981 } 1982 1983 /** free master addr list */ 1984 static void 1985 auth_free_master_addrs(struct auth_addr* list) 1986 { 1987 struct auth_addr *n; 1988 while(list) { 1989 n = list->next; 1990 free(list); 1991 list = n; 1992 } 1993 } 1994 1995 /** free the masters list */ 1996 static void 1997 auth_free_masters(struct auth_master* list) 1998 { 1999 struct auth_master* n; 2000 while(list) { 2001 n = list->next; 2002 auth_free_master_addrs(list->list); 2003 free(list->host); 2004 free(list->file); 2005 free(list); 2006 list = n; 2007 } 2008 } 2009 2010 /** delete auth xfer structure 2011 * @param xfr: delete this xfer and its tasks. 2012 */ 2013 static void 2014 auth_xfer_delete(struct auth_xfer* xfr) 2015 { 2016 if(!xfr) return; 2017 lock_basic_destroy(&xfr->lock); 2018 free(xfr->name); 2019 if(xfr->task_nextprobe) { 2020 comm_timer_delete(xfr->task_nextprobe->timer); 2021 free(xfr->task_nextprobe); 2022 } 2023 if(xfr->task_probe) { 2024 auth_free_masters(xfr->task_probe->masters); 2025 comm_point_delete(xfr->task_probe->cp); 2026 free(xfr->task_probe); 2027 } 2028 if(xfr->task_transfer) { 2029 auth_free_masters(xfr->task_transfer->masters); 2030 comm_point_delete(xfr->task_transfer->cp); 2031 if(xfr->task_transfer->chunks_first) { 2032 auth_chunks_delete(xfr->task_transfer); 2033 } 2034 free(xfr->task_transfer); 2035 } 2036 auth_free_masters(xfr->allow_notify_list); 2037 free(xfr); 2038 } 2039 2040 /** helper traverse to delete zones */ 2041 static void 2042 auth_zone_del(rbnode_type* n, void* ATTR_UNUSED(arg)) 2043 { 2044 struct auth_zone* z = (struct auth_zone*)n->key; 2045 auth_zone_delete(z); 2046 } 2047 2048 /** helper traverse to delete xfer zones */ 2049 static void 2050 auth_xfer_del(rbnode_type* n, void* ATTR_UNUSED(arg)) 2051 { 2052 struct auth_xfer* z = (struct auth_xfer*)n->key; 2053 auth_xfer_delete(z); 2054 } 2055 2056 void auth_zones_delete(struct auth_zones* az) 2057 { 2058 if(!az) return; 2059 lock_rw_destroy(&az->lock); 2060 traverse_postorder(&az->ztree, auth_zone_del, NULL); 2061 traverse_postorder(&az->xtree, auth_xfer_del, NULL); 2062 free(az); 2063 } 2064 2065 /** true if domain has only nsec3 */ 2066 static int 2067 domain_has_only_nsec3(struct auth_data* n) 2068 { 2069 struct auth_rrset* rrset = n->rrsets; 2070 int nsec3_seen = 0; 2071 while(rrset) { 2072 if(rrset->type == LDNS_RR_TYPE_NSEC3) { 2073 nsec3_seen = 1; 2074 } else if(rrset->type != LDNS_RR_TYPE_RRSIG) { 2075 return 0; 2076 } 2077 rrset = rrset->next; 2078 } 2079 return nsec3_seen; 2080 } 2081 2082 /** see if the domain has a wildcard child '*.domain' */ 2083 static struct auth_data* 2084 az_find_wildcard_domain(struct auth_zone* z, uint8_t* nm, size_t nmlen) 2085 { 2086 uint8_t wc[LDNS_MAX_DOMAINLEN]; 2087 if(nmlen+2 > sizeof(wc)) 2088 return NULL; /* result would be too long */ 2089 wc[0] = 1; /* length of wildcard label */ 2090 wc[1] = (uint8_t)'*'; /* wildcard label */ 2091 memmove(wc+2, nm, nmlen); 2092 return az_find_name(z, wc, nmlen+2); 2093 } 2094 2095 /** find wildcard between qname and cename */ 2096 static struct auth_data* 2097 az_find_wildcard(struct auth_zone* z, struct query_info* qinfo, 2098 struct auth_data* ce) 2099 { 2100 uint8_t* nm = qinfo->qname; 2101 size_t nmlen = qinfo->qname_len; 2102 struct auth_data* node; 2103 if(!dname_subdomain_c(nm, z->name)) 2104 return NULL; /* out of zone */ 2105 while((node=az_find_wildcard_domain(z, nm, nmlen))==NULL) { 2106 /* see if we can go up to find the wildcard */ 2107 if(nmlen == z->namelen) 2108 return NULL; /* top of zone reached */ 2109 if(ce && nmlen == ce->namelen) 2110 return NULL; /* ce reached */ 2111 if(dname_is_root(nm)) 2112 return NULL; /* cannot go up */ 2113 dname_remove_label(&nm, &nmlen); 2114 } 2115 return node; 2116 } 2117 2118 /** domain is not exact, find first candidate ce (name that matches 2119 * a part of qname) in tree */ 2120 static struct auth_data* 2121 az_find_candidate_ce(struct auth_zone* z, struct query_info* qinfo, 2122 struct auth_data* n) 2123 { 2124 uint8_t* nm; 2125 size_t nmlen; 2126 if(n) { 2127 nm = dname_get_shared_topdomain(qinfo->qname, n->name); 2128 } else { 2129 nm = qinfo->qname; 2130 } 2131 dname_count_size_labels(nm, &nmlen); 2132 n = az_find_name(z, nm, nmlen); 2133 /* delete labels and go up on name */ 2134 while(!n) { 2135 if(dname_is_root(nm)) 2136 return NULL; /* cannot go up */ 2137 dname_remove_label(&nm, &nmlen); 2138 n = az_find_name(z, nm, nmlen); 2139 } 2140 return n; 2141 } 2142 2143 /** go up the auth tree to next existing name. */ 2144 static struct auth_data* 2145 az_domain_go_up(struct auth_zone* z, struct auth_data* n) 2146 { 2147 uint8_t* nm = n->name; 2148 size_t nmlen = n->namelen; 2149 while(!dname_is_root(nm)) { 2150 dname_remove_label(&nm, &nmlen); 2151 if((n=az_find_name(z, nm, nmlen)) != NULL) 2152 return n; 2153 } 2154 return NULL; 2155 } 2156 2157 /** Find the closest encloser, an name that exists and is above the 2158 * qname. 2159 * return true if the node (param node) is existing, nonobscured and 2160 * can be used to generate answers from. It is then also node_exact. 2161 * returns false if the node is not good enough (or it wasn't node_exact) 2162 * in this case the ce can be filled. 2163 * if ce is NULL, no ce exists, and likely the zone is completely empty, 2164 * not even with a zone apex. 2165 * if ce is nonNULL it is the closest enclosing upper name (that exists 2166 * itself for answer purposes). That name may have DNAME, NS or wildcard 2167 * rrset is the closest DNAME or NS rrset that was found. 2168 */ 2169 static int 2170 az_find_ce(struct auth_zone* z, struct query_info* qinfo, 2171 struct auth_data* node, int node_exact, struct auth_data** ce, 2172 struct auth_rrset** rrset) 2173 { 2174 struct auth_data* n = node; 2175 *ce = NULL; 2176 *rrset = NULL; 2177 if(!node_exact) { 2178 /* if not exact, lookup closest exact match */ 2179 n = az_find_candidate_ce(z, qinfo, n); 2180 } else { 2181 /* if exact, the node itself is the first candidate ce */ 2182 *ce = n; 2183 } 2184 2185 /* no direct answer from nsec3-only domains */ 2186 if(n && domain_has_only_nsec3(n)) { 2187 node_exact = 0; 2188 *ce = NULL; 2189 } 2190 2191 /* with exact matches, walk up the labels until we find the 2192 * delegation, or DNAME or zone end */ 2193 while(n) { 2194 /* see if the current candidate has issues */ 2195 /* not zone apex and has type NS */ 2196 if(n->namelen != z->namelen && 2197 (*rrset=az_domain_rrset(n, LDNS_RR_TYPE_NS)) && 2198 /* delegate here, but DS at exact the dp has notype */ 2199 (qinfo->qtype != LDNS_RR_TYPE_DS || 2200 n->namelen != qinfo->qname_len)) { 2201 /* referral */ 2202 /* this is ce and the lowernode is nonexisting */ 2203 *ce = n; 2204 return 0; 2205 } 2206 /* not equal to qname and has type DNAME */ 2207 if(n->namelen != qinfo->qname_len && 2208 (*rrset=az_domain_rrset(n, LDNS_RR_TYPE_DNAME))) { 2209 /* this is ce and the lowernode is nonexisting */ 2210 *ce = n; 2211 return 0; 2212 } 2213 2214 if(*ce == NULL && !domain_has_only_nsec3(n)) { 2215 /* if not found yet, this exact name must be 2216 * our lowest match (but not nsec3onlydomain) */ 2217 *ce = n; 2218 } 2219 2220 /* walk up the tree by removing labels from name and lookup */ 2221 n = az_domain_go_up(z, n); 2222 } 2223 /* found no problems, if it was an exact node, it is fine to use */ 2224 return node_exact; 2225 } 2226 2227 /** add additional A/AAAA from domain names in rrset rdata (+offset) 2228 * offset is number of bytes in rdata where the dname is located. */ 2229 static int 2230 az_add_additionals_from(struct auth_zone* z, struct regional* region, 2231 struct dns_msg* msg, struct auth_rrset* rrset, size_t offset) 2232 { 2233 struct packed_rrset_data* d = rrset->data; 2234 size_t i; 2235 if(!d) return 0; 2236 for(i=0; i<d->count; i++) { 2237 size_t dlen; 2238 struct auth_data* domain; 2239 struct auth_rrset* ref; 2240 if(d->rr_len[i] < 2+offset) 2241 continue; /* too short */ 2242 if(!(dlen = dname_valid(d->rr_data[i]+2+offset, 2243 d->rr_len[i]-2-offset))) 2244 continue; /* malformed */ 2245 domain = az_find_name(z, d->rr_data[i]+2+offset, dlen); 2246 if(!domain) 2247 continue; 2248 if((ref=az_domain_rrset(domain, LDNS_RR_TYPE_A)) != NULL) { 2249 if(!msg_add_rrset_ar(z, region, msg, domain, ref)) 2250 return 0; 2251 } 2252 if((ref=az_domain_rrset(domain, LDNS_RR_TYPE_AAAA)) != NULL) { 2253 if(!msg_add_rrset_ar(z, region, msg, domain, ref)) 2254 return 0; 2255 } 2256 } 2257 return 1; 2258 } 2259 2260 /** add negative SOA record (with negative TTL) */ 2261 static int 2262 az_add_negative_soa(struct auth_zone* z, struct regional* region, 2263 struct dns_msg* msg) 2264 { 2265 uint32_t minimum; 2266 struct packed_rrset_data* d; 2267 struct auth_rrset* soa; 2268 struct auth_data* apex = az_find_name(z, z->name, z->namelen); 2269 if(!apex) return 0; 2270 soa = az_domain_rrset(apex, LDNS_RR_TYPE_SOA); 2271 if(!soa) return 0; 2272 /* must be first to put in message; we want to fix the TTL with 2273 * one RRset here, otherwise we'd need to loop over the RRs to get 2274 * the resulting lower TTL */ 2275 log_assert(msg->rep->rrset_count == 0); 2276 if(!msg_add_rrset_ns(z, region, msg, apex, soa)) return 0; 2277 /* fixup TTL */ 2278 d = (struct packed_rrset_data*)msg->rep->rrsets[msg->rep->rrset_count-1]->entry.data; 2279 /* last 4 bytes are minimum ttl in network format */ 2280 if(d->count == 0) return 0; 2281 if(d->rr_len[0] < 2+4) return 0; 2282 minimum = sldns_read_uint32(d->rr_data[0]+(d->rr_len[0]-4)); 2283 d->ttl = (time_t)minimum; 2284 d->rr_ttl[0] = (time_t)minimum; 2285 msg->rep->ttl = get_rrset_ttl(msg->rep->rrsets[0]); 2286 msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(msg->rep->ttl); 2287 return 1; 2288 } 2289 2290 /** See if the query goes to empty nonterminal (that has no auth_data, 2291 * but there are nodes underneath. We already checked that there are 2292 * not NS, or DNAME above, so that we only need to check if some node 2293 * exists below (with nonempty rr list), return true if emptynonterminal */ 2294 static int 2295 az_empty_nonterminal(struct auth_zone* z, struct query_info* qinfo, 2296 struct auth_data* node) 2297 { 2298 struct auth_data* next; 2299 if(!node) { 2300 /* no smaller was found, use first (smallest) node as the 2301 * next one */ 2302 next = (struct auth_data*)rbtree_first(&z->data); 2303 } else { 2304 next = (struct auth_data*)rbtree_next(&node->node); 2305 } 2306 while(next && (rbnode_type*)next != RBTREE_NULL && next->rrsets == NULL) { 2307 /* the next name has empty rrsets, is an empty nonterminal 2308 * itself, see if there exists something below it */ 2309 next = (struct auth_data*)rbtree_next(&node->node); 2310 } 2311 if((rbnode_type*)next == RBTREE_NULL || !next) { 2312 /* there is no next node, so something below it cannot 2313 * exist */ 2314 return 0; 2315 } 2316 /* a next node exists, if there was something below the query, 2317 * this node has to be it. See if it is below the query name */ 2318 if(dname_strict_subdomain_c(next->name, qinfo->qname)) 2319 return 1; 2320 return 0; 2321 } 2322 2323 /** create synth cname target name in buffer, or fail if too long */ 2324 static size_t 2325 synth_cname_buf(uint8_t* qname, size_t qname_len, size_t dname_len, 2326 uint8_t* dtarg, size_t dtarglen, uint8_t* buf, size_t buflen) 2327 { 2328 size_t newlen = qname_len + dtarglen - dname_len; 2329 if(newlen > buflen) { 2330 /* YXDOMAIN error */ 2331 return 0; 2332 } 2333 /* new name is concatenation of qname front (without DNAME owner) 2334 * and DNAME target name */ 2335 memcpy(buf, qname, qname_len-dname_len); 2336 memmove(buf+(qname_len-dname_len), dtarg, dtarglen); 2337 return newlen; 2338 } 2339 2340 /** create synthetic CNAME rrset for in a DNAME answer in region, 2341 * false on alloc failure, cname==NULL when name too long. */ 2342 static int 2343 create_synth_cname(uint8_t* qname, size_t qname_len, struct regional* region, 2344 struct auth_data* node, struct auth_rrset* dname, uint16_t dclass, 2345 struct ub_packed_rrset_key** cname) 2346 { 2347 uint8_t buf[LDNS_MAX_DOMAINLEN]; 2348 uint8_t* dtarg; 2349 size_t dtarglen, newlen; 2350 struct packed_rrset_data* d; 2351 2352 /* get DNAME target name */ 2353 if(dname->data->count < 1) return 0; 2354 if(dname->data->rr_len[0] < 3) return 0; /* at least rdatalen +1 */ 2355 dtarg = dname->data->rr_data[0]+2; 2356 dtarglen = dname->data->rr_len[0]-2; 2357 if(sldns_read_uint16(dname->data->rr_data[0]) != dtarglen) 2358 return 0; /* rdatalen in DNAME rdata is malformed */ 2359 if(dname_valid(dtarg, dtarglen) != dtarglen) 2360 return 0; /* DNAME RR has malformed rdata */ 2361 2362 /* synthesize a CNAME */ 2363 newlen = synth_cname_buf(qname, qname_len, node->namelen, 2364 dtarg, dtarglen, buf, sizeof(buf)); 2365 if(newlen == 0) { 2366 /* YXDOMAIN error */ 2367 *cname = NULL; 2368 return 1; 2369 } 2370 *cname = (struct ub_packed_rrset_key*)regional_alloc(region, 2371 sizeof(struct ub_packed_rrset_key)); 2372 if(!*cname) 2373 return 0; /* out of memory */ 2374 memset(&(*cname)->entry, 0, sizeof((*cname)->entry)); 2375 (*cname)->entry.key = (*cname); 2376 (*cname)->rk.type = htons(LDNS_RR_TYPE_CNAME); 2377 (*cname)->rk.rrset_class = htons(dclass); 2378 (*cname)->rk.flags = 0; 2379 (*cname)->rk.dname = regional_alloc_init(region, qname, qname_len); 2380 if(!(*cname)->rk.dname) 2381 return 0; /* out of memory */ 2382 (*cname)->rk.dname_len = qname_len; 2383 (*cname)->entry.hash = rrset_key_hash(&(*cname)->rk); 2384 d = (struct packed_rrset_data*)regional_alloc_zero(region, 2385 sizeof(struct packed_rrset_data) + sizeof(size_t) + 2386 sizeof(uint8_t*) + sizeof(time_t) + sizeof(uint16_t) 2387 + newlen); 2388 if(!d) 2389 return 0; /* out of memory */ 2390 (*cname)->entry.data = d; 2391 d->ttl = 0; /* 0 for synthesized CNAME TTL */ 2392 d->count = 1; 2393 d->rrsig_count = 0; 2394 d->trust = rrset_trust_ans_noAA; 2395 d->rr_len = (size_t*)((uint8_t*)d + 2396 sizeof(struct packed_rrset_data)); 2397 d->rr_len[0] = newlen + sizeof(uint16_t); 2398 packed_rrset_ptr_fixup(d); 2399 d->rr_ttl[0] = d->ttl; 2400 sldns_write_uint16(d->rr_data[0], newlen); 2401 memmove(d->rr_data[0] + sizeof(uint16_t), buf, newlen); 2402 return 1; 2403 } 2404 2405 /** add a synthesized CNAME to the answer section */ 2406 static int 2407 add_synth_cname(struct auth_zone* z, uint8_t* qname, size_t qname_len, 2408 struct regional* region, struct dns_msg* msg, struct auth_data* dname, 2409 struct auth_rrset* rrset) 2410 { 2411 struct ub_packed_rrset_key* cname; 2412 /* synthesize a CNAME */ 2413 if(!create_synth_cname(qname, qname_len, region, dname, rrset, 2414 z->dclass, &cname)) { 2415 /* out of memory */ 2416 return 0; 2417 } 2418 if(!cname) { 2419 /* cname cannot be create because of YXDOMAIN */ 2420 msg->rep->flags |= LDNS_RCODE_YXDOMAIN; 2421 return 1; 2422 } 2423 /* add cname to message */ 2424 if(!msg_grow_array(region, msg)) 2425 return 0; 2426 msg->rep->rrsets[msg->rep->rrset_count] = cname; 2427 msg->rep->rrset_count++; 2428 msg->rep->an_numrrsets++; 2429 msg_ttl(msg); 2430 return 1; 2431 } 2432 2433 /** Change a dname to a different one, for wildcard namechange */ 2434 static void 2435 az_change_dnames(struct dns_msg* msg, uint8_t* oldname, uint8_t* newname, 2436 size_t newlen, int an_only) 2437 { 2438 size_t i; 2439 size_t start = 0, end = msg->rep->rrset_count; 2440 if(!an_only) start = msg->rep->an_numrrsets; 2441 if(an_only) end = msg->rep->an_numrrsets; 2442 for(i=start; i<end; i++) { 2443 /* allocated in region so we can change the ptrs */ 2444 if(query_dname_compare(msg->rep->rrsets[i]->rk.dname, oldname) 2445 == 0) { 2446 msg->rep->rrsets[i]->rk.dname = newname; 2447 msg->rep->rrsets[i]->rk.dname_len = newlen; 2448 } 2449 } 2450 } 2451 2452 /** find NSEC record covering the query */ 2453 static struct auth_rrset* 2454 az_find_nsec_cover(struct auth_zone* z, struct auth_data** node) 2455 { 2456 uint8_t* nm = (*node)->name; 2457 size_t nmlen = (*node)->namelen; 2458 struct auth_rrset* rrset; 2459 /* find the NSEC for the smallest-or-equal node */ 2460 /* if node == NULL, we did not find a smaller name. But the zone 2461 * name is the smallest name and should have an NSEC. So there is 2462 * no NSEC to return (for a properly signed zone) */ 2463 /* for empty nonterminals, the auth-data node should not exist, 2464 * and thus we don't need to go rbtree_previous here to find 2465 * a domain with an NSEC record */ 2466 /* but there could be glue, and if this is node, then it has no NSEC. 2467 * Go up to find nonglue (previous) NSEC-holding nodes */ 2468 while((rrset=az_domain_rrset(*node, LDNS_RR_TYPE_NSEC)) == NULL) { 2469 if(dname_is_root(nm)) return NULL; 2470 if(nmlen == z->namelen) return NULL; 2471 dname_remove_label(&nm, &nmlen); 2472 /* adjust *node for the nsec rrset to find in */ 2473 *node = az_find_name(z, nm, nmlen); 2474 } 2475 return rrset; 2476 } 2477 2478 /** Find NSEC and add for wildcard denial */ 2479 static int 2480 az_nsec_wildcard_denial(struct auth_zone* z, struct regional* region, 2481 struct dns_msg* msg, uint8_t* cenm, size_t cenmlen) 2482 { 2483 struct query_info qinfo; 2484 int node_exact; 2485 struct auth_data* node; 2486 struct auth_rrset* nsec; 2487 uint8_t wc[LDNS_MAX_DOMAINLEN]; 2488 if(cenmlen+2 > sizeof(wc)) 2489 return 0; /* result would be too long */ 2490 wc[0] = 1; /* length of wildcard label */ 2491 wc[1] = (uint8_t)'*'; /* wildcard label */ 2492 memmove(wc+2, cenm, cenmlen); 2493 2494 /* we have '*.ce' in wc wildcard name buffer */ 2495 /* get nsec cover for that */ 2496 qinfo.qname = wc; 2497 qinfo.qname_len = cenmlen+2; 2498 qinfo.qtype = 0; 2499 qinfo.qclass = 0; 2500 az_find_domain(z, &qinfo, &node_exact, &node); 2501 if((nsec=az_find_nsec_cover(z, &node)) != NULL) { 2502 if(!msg_add_rrset_ns(z, region, msg, node, nsec)) return 0; 2503 } 2504 return 1; 2505 } 2506 2507 /** Find the NSEC3PARAM rrset (if any) and if true you have the parameters */ 2508 static int 2509 az_nsec3_param(struct auth_zone* z, int* algo, size_t* iter, uint8_t** salt, 2510 size_t* saltlen) 2511 { 2512 struct auth_data* apex; 2513 struct auth_rrset* param; 2514 size_t i; 2515 apex = az_find_name(z, z->name, z->namelen); 2516 if(!apex) return 0; 2517 param = az_domain_rrset(apex, LDNS_RR_TYPE_NSEC3PARAM); 2518 if(!param || param->data->count==0) 2519 return 0; /* no RRset or no RRs in rrset */ 2520 /* find out which NSEC3PARAM RR has supported parameters */ 2521 /* skip unknown flags (dynamic signer is recalculating nsec3 chain) */ 2522 for(i=0; i<param->data->count; i++) { 2523 uint8_t* rdata = param->data->rr_data[i]+2; 2524 size_t rdatalen = param->data->rr_len[i]; 2525 if(rdatalen < 2+5) 2526 continue; /* too short */ 2527 if(!nsec3_hash_algo_size_supported((int)(rdata[0]))) 2528 continue; /* unsupported algo */ 2529 if(rdatalen < (size_t)(2+5+(size_t)rdata[4])) 2530 continue; /* salt missing */ 2531 if((rdata[1]&NSEC3_UNKNOWN_FLAGS)!=0) 2532 continue; /* unknown flags */ 2533 *algo = (int)(rdata[0]); 2534 *iter = sldns_read_uint16(rdata+2); 2535 *saltlen = rdata[4]; 2536 if(*saltlen == 0) 2537 *salt = NULL; 2538 else *salt = rdata+5; 2539 return 1; 2540 } 2541 /* no supported params */ 2542 return 0; 2543 } 2544 2545 /** Hash a name with nsec3param into buffer, it has zone name appended. 2546 * return length of hash */ 2547 static size_t 2548 az_nsec3_hash(uint8_t* buf, size_t buflen, uint8_t* nm, size_t nmlen, 2549 int algo, size_t iter, uint8_t* salt, size_t saltlen) 2550 { 2551 size_t hlen = nsec3_hash_algo_size_supported(algo); 2552 /* buffer has domain name, nsec3hash, and 256 is for max saltlen 2553 * (salt has 0-255 length) */ 2554 unsigned char p[LDNS_MAX_DOMAINLEN+1+N3HASHBUFLEN+256]; 2555 size_t i; 2556 if(nmlen+saltlen > sizeof(p) || hlen+saltlen > sizeof(p)) 2557 return 0; 2558 if(hlen > buflen) 2559 return 0; /* somehow too large for destination buffer */ 2560 /* hashfunc(name, salt) */ 2561 memmove(p, nm, nmlen); 2562 query_dname_tolower(p); 2563 memmove(p+nmlen, salt, saltlen); 2564 (void)secalgo_nsec3_hash(algo, p, nmlen+saltlen, (unsigned char*)buf); 2565 for(i=0; i<iter; i++) { 2566 /* hashfunc(hash, salt) */ 2567 memmove(p, buf, hlen); 2568 memmove(p+hlen, salt, saltlen); 2569 (void)secalgo_nsec3_hash(algo, p, hlen+saltlen, 2570 (unsigned char*)buf); 2571 } 2572 return hlen; 2573 } 2574 2575 /** Hash name and return b32encoded hashname for lookup, zone name appended */ 2576 static int 2577 az_nsec3_hashname(struct auth_zone* z, uint8_t* hashname, size_t* hashnmlen, 2578 uint8_t* nm, size_t nmlen, int algo, size_t iter, uint8_t* salt, 2579 size_t saltlen) 2580 { 2581 uint8_t hash[N3HASHBUFLEN]; 2582 size_t hlen; 2583 int ret; 2584 hlen = az_nsec3_hash(hash, sizeof(hash), nm, nmlen, algo, iter, 2585 salt, saltlen); 2586 if(!hlen) return 0; 2587 /* b32 encode */ 2588 if(*hashnmlen < hlen*2+1+z->namelen) /* approx b32 as hexb16 */ 2589 return 0; 2590 ret = sldns_b32_ntop_extended_hex(hash, hlen, (char*)(hashname+1), 2591 (*hashnmlen)-1); 2592 if(ret<1) 2593 return 0; 2594 hashname[0] = (uint8_t)ret; 2595 ret++; 2596 if((*hashnmlen) - ret < z->namelen) 2597 return 0; 2598 memmove(hashname+ret, z->name, z->namelen); 2599 *hashnmlen = z->namelen+(size_t)ret; 2600 return 1; 2601 } 2602 2603 /** Find the datanode that covers the nsec3hash-name */ 2604 static struct auth_data* 2605 az_nsec3_findnode(struct auth_zone* z, uint8_t* hashnm, size_t hashnmlen) 2606 { 2607 struct query_info qinfo; 2608 struct auth_data* node; 2609 int node_exact; 2610 qinfo.qclass = 0; 2611 qinfo.qtype = 0; 2612 qinfo.qname = hashnm; 2613 qinfo.qname_len = hashnmlen; 2614 /* because canonical ordering and b32 nsec3 ordering are the same. 2615 * this is a good lookup to find the nsec3 name. */ 2616 az_find_domain(z, &qinfo, &node_exact, &node); 2617 /* but we may have to skip non-nsec3 nodes */ 2618 /* this may be a lot, the way to speed that up is to have a 2619 * separate nsec3 tree with nsec3 nodes */ 2620 while(node && (rbnode_type*)node != RBTREE_NULL && 2621 !az_domain_rrset(node, LDNS_RR_TYPE_NSEC3)) { 2622 node = (struct auth_data*)rbtree_previous(&node->node); 2623 } 2624 if((rbnode_type*)node == RBTREE_NULL) 2625 node = NULL; 2626 return node; 2627 } 2628 2629 /** Find cover for hashed(nm, nmlen) (or NULL) */ 2630 static struct auth_data* 2631 az_nsec3_find_cover(struct auth_zone* z, uint8_t* nm, size_t nmlen, 2632 int algo, size_t iter, uint8_t* salt, size_t saltlen) 2633 { 2634 struct auth_data* node; 2635 uint8_t hname[LDNS_MAX_DOMAINLEN]; 2636 size_t hlen = sizeof(hname); 2637 if(!az_nsec3_hashname(z, hname, &hlen, nm, nmlen, algo, iter, 2638 salt, saltlen)) 2639 return NULL; 2640 node = az_nsec3_findnode(z, hname, hlen); 2641 if(node) 2642 return node; 2643 /* we did not find any, perhaps because the NSEC3 hash is before 2644 * the first hash, we have to find the 'last hash' in the zone */ 2645 node = (struct auth_data*)rbtree_last(&z->data); 2646 while(node && (rbnode_type*)node != RBTREE_NULL && 2647 !az_domain_rrset(node, LDNS_RR_TYPE_NSEC3)) { 2648 node = (struct auth_data*)rbtree_previous(&node->node); 2649 } 2650 if((rbnode_type*)node == RBTREE_NULL) 2651 node = NULL; 2652 return node; 2653 } 2654 2655 /** Find exact match for hashed(nm, nmlen) NSEC3 record or NULL */ 2656 static struct auth_data* 2657 az_nsec3_find_exact(struct auth_zone* z, uint8_t* nm, size_t nmlen, 2658 int algo, size_t iter, uint8_t* salt, size_t saltlen) 2659 { 2660 struct auth_data* node; 2661 uint8_t hname[LDNS_MAX_DOMAINLEN]; 2662 size_t hlen = sizeof(hname); 2663 if(!az_nsec3_hashname(z, hname, &hlen, nm, nmlen, algo, iter, 2664 salt, saltlen)) 2665 return NULL; 2666 node = az_find_name(z, hname, hlen); 2667 if(az_domain_rrset(node, LDNS_RR_TYPE_NSEC3)) 2668 return node; 2669 return NULL; 2670 } 2671 2672 /** Return nextcloser name (as a ref into the qname). This is one label 2673 * more than the cenm (cename must be a suffix of qname) */ 2674 static void 2675 az_nsec3_get_nextcloser(uint8_t* cenm, uint8_t* qname, size_t qname_len, 2676 uint8_t** nx, size_t* nxlen) 2677 { 2678 int celabs = dname_count_labels(cenm); 2679 int qlabs = dname_count_labels(qname); 2680 int strip = qlabs - celabs -1; 2681 log_assert(dname_strict_subdomain(qname, qlabs, cenm, celabs)); 2682 *nx = qname; 2683 *nxlen = qname_len; 2684 if(strip>0) 2685 dname_remove_labels(nx, nxlen, strip); 2686 } 2687 2688 /** Find the closest encloser that has exact NSEC3. 2689 * updated cenm to the new name. If it went up no-exact-ce is true. */ 2690 static struct auth_data* 2691 az_nsec3_find_ce(struct auth_zone* z, uint8_t** cenm, size_t* cenmlen, 2692 int* no_exact_ce, int algo, size_t iter, uint8_t* salt, size_t saltlen) 2693 { 2694 struct auth_data* node; 2695 while((node = az_nsec3_find_exact(z, *cenm, *cenmlen, 2696 algo, iter, salt, saltlen)) == NULL) { 2697 if(*cenmlen == z->namelen) { 2698 /* next step up would take us out of the zone. fail */ 2699 return NULL; 2700 } 2701 *no_exact_ce = 1; 2702 dname_remove_label(cenm, cenmlen); 2703 } 2704 return node; 2705 } 2706 2707 /* Insert NSEC3 record in authority section, if NULL does nothing */ 2708 static int 2709 az_nsec3_insert(struct auth_zone* z, struct regional* region, 2710 struct dns_msg* msg, struct auth_data* node) 2711 { 2712 struct auth_rrset* nsec3; 2713 if(!node) return 1; /* no node, skip this */ 2714 nsec3 = az_domain_rrset(node, LDNS_RR_TYPE_NSEC3); 2715 if(!nsec3) return 1; /* if no nsec3 RR, skip it */ 2716 if(!msg_add_rrset_ns(z, region, msg, node, nsec3)) return 0; 2717 return 1; 2718 } 2719 2720 /** add NSEC3 records to the zone for the nsec3 proof. 2721 * Specify with the flags with parts of the proof are required. 2722 * the ce is the exact matching name (for notype) but also delegation points. 2723 * qname is the one where the nextcloser name can be derived from. 2724 * If NSEC3 is not properly there (in the zone) nothing is added. 2725 * always enabled: include nsec3 proving about the Closest Encloser. 2726 * that is an exact match that should exist for it. 2727 * If that does not exist, a higher exact match + nxproof is enabled 2728 * (for some sort of opt-out empty nonterminal cases). 2729 * nxproof: include denial of the qname. 2730 * wcproof: include denial of wildcard (wildcard.ce). 2731 */ 2732 static int 2733 az_add_nsec3_proof(struct auth_zone* z, struct regional* region, 2734 struct dns_msg* msg, uint8_t* cenm, size_t cenmlen, uint8_t* qname, 2735 size_t qname_len, int nxproof, int wcproof) 2736 { 2737 int algo; 2738 size_t iter, saltlen; 2739 uint8_t* salt; 2740 int no_exact_ce = 0; 2741 struct auth_data* node; 2742 2743 /* find parameters of nsec3 proof */ 2744 if(!az_nsec3_param(z, &algo, &iter, &salt, &saltlen)) 2745 return 1; /* no nsec3 */ 2746 /* find ce that has an NSEC3 */ 2747 node = az_nsec3_find_ce(z, &cenm, &cenmlen, &no_exact_ce, 2748 algo, iter, salt, saltlen); 2749 if(no_exact_ce) nxproof = 1; 2750 if(!az_nsec3_insert(z, region, msg, node)) 2751 return 0; 2752 2753 if(nxproof) { 2754 uint8_t* nx; 2755 size_t nxlen; 2756 /* create nextcloser domain name */ 2757 az_nsec3_get_nextcloser(cenm, qname, qname_len, &nx, &nxlen); 2758 /* find nsec3 that matches or covers it */ 2759 node = az_nsec3_find_cover(z, nx, nxlen, algo, iter, salt, 2760 saltlen); 2761 if(!az_nsec3_insert(z, region, msg, node)) 2762 return 0; 2763 } 2764 if(wcproof) { 2765 /* create wildcard name *.ce */ 2766 uint8_t wc[LDNS_MAX_DOMAINLEN]; 2767 size_t wclen; 2768 if(cenmlen+2 > sizeof(wc)) 2769 return 0; /* result would be too long */ 2770 wc[0] = 1; /* length of wildcard label */ 2771 wc[1] = (uint8_t)'*'; /* wildcard label */ 2772 memmove(wc+2, cenm, cenmlen); 2773 wclen = cenmlen+2; 2774 /* find nsec3 that matches or covers it */ 2775 node = az_nsec3_find_cover(z, wc, wclen, algo, iter, salt, 2776 saltlen); 2777 if(!az_nsec3_insert(z, region, msg, node)) 2778 return 0; 2779 } 2780 return 1; 2781 } 2782 2783 /** generate answer for positive answer */ 2784 static int 2785 az_generate_positive_answer(struct auth_zone* z, struct regional* region, 2786 struct dns_msg* msg, struct auth_data* node, struct auth_rrset* rrset) 2787 { 2788 if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0; 2789 /* see if we want additional rrs */ 2790 if(rrset->type == LDNS_RR_TYPE_MX) { 2791 if(!az_add_additionals_from(z, region, msg, rrset, 2)) 2792 return 0; 2793 } else if(rrset->type == LDNS_RR_TYPE_SRV) { 2794 if(!az_add_additionals_from(z, region, msg, rrset, 6)) 2795 return 0; 2796 } else if(rrset->type == LDNS_RR_TYPE_NS) { 2797 if(!az_add_additionals_from(z, region, msg, rrset, 0)) 2798 return 0; 2799 } 2800 return 1; 2801 } 2802 2803 /** generate answer for type ANY answer */ 2804 static int 2805 az_generate_any_answer(struct auth_zone* z, struct regional* region, 2806 struct dns_msg* msg, struct auth_data* node) 2807 { 2808 struct auth_rrset* rrset; 2809 int added = 0; 2810 /* add a couple (at least one) RRs */ 2811 if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_SOA)) != NULL) { 2812 if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0; 2813 added++; 2814 } 2815 if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_MX)) != NULL) { 2816 if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0; 2817 added++; 2818 } 2819 if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_A)) != NULL) { 2820 if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0; 2821 added++; 2822 } 2823 if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_AAAA)) != NULL) { 2824 if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0; 2825 added++; 2826 } 2827 if(added == 0 && node->rrsets) { 2828 if(!msg_add_rrset_an(z, region, msg, node, 2829 node->rrsets)) return 0; 2830 } 2831 return 1; 2832 } 2833 2834 /** follow cname chain and add more data to the answer section */ 2835 static int 2836 follow_cname_chain(struct auth_zone* z, uint16_t qtype, 2837 struct regional* region, struct dns_msg* msg, 2838 struct packed_rrset_data* d) 2839 { 2840 int maxchain = 0; 2841 /* see if we can add the target of the CNAME into the answer */ 2842 while(maxchain++ < MAX_CNAME_CHAIN) { 2843 struct auth_data* node; 2844 struct auth_rrset* rrset; 2845 size_t clen; 2846 /* d has cname rdata */ 2847 if(d->count == 0) break; /* no CNAME */ 2848 if(d->rr_len[0] < 2+1) break; /* too small */ 2849 if((clen=dname_valid(d->rr_data[0]+2, d->rr_len[0]-2))==0) 2850 break; /* malformed */ 2851 if(!dname_subdomain_c(d->rr_data[0]+2, z->name)) 2852 break; /* target out of zone */ 2853 if((node = az_find_name(z, d->rr_data[0]+2, clen))==NULL) 2854 break; /* no such target name */ 2855 if((rrset=az_domain_rrset(node, qtype))!=NULL) { 2856 /* done we found the target */ 2857 if(!msg_add_rrset_an(z, region, msg, node, rrset)) 2858 return 0; 2859 break; 2860 } 2861 if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_CNAME))==NULL) 2862 break; /* no further CNAME chain, notype */ 2863 if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0; 2864 d = rrset->data; 2865 } 2866 return 1; 2867 } 2868 2869 /** generate answer for cname answer */ 2870 static int 2871 az_generate_cname_answer(struct auth_zone* z, struct query_info* qinfo, 2872 struct regional* region, struct dns_msg* msg, 2873 struct auth_data* node, struct auth_rrset* rrset) 2874 { 2875 if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0; 2876 if(!rrset) return 1; 2877 if(!follow_cname_chain(z, qinfo->qtype, region, msg, rrset->data)) 2878 return 0; 2879 return 1; 2880 } 2881 2882 /** generate answer for notype answer */ 2883 static int 2884 az_generate_notype_answer(struct auth_zone* z, struct regional* region, 2885 struct dns_msg* msg, struct auth_data* node) 2886 { 2887 struct auth_rrset* rrset; 2888 if(!az_add_negative_soa(z, region, msg)) return 0; 2889 /* DNSSEC denial NSEC */ 2890 if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_NSEC))!=NULL) { 2891 if(!msg_add_rrset_ns(z, region, msg, node, rrset)) return 0; 2892 } else if(node) { 2893 /* DNSSEC denial NSEC3 */ 2894 if(!az_add_nsec3_proof(z, region, msg, node->name, 2895 node->namelen, msg->qinfo.qname, 2896 msg->qinfo.qname_len, 0, 0)) 2897 return 0; 2898 } 2899 return 1; 2900 } 2901 2902 /** generate answer for referral answer */ 2903 static int 2904 az_generate_referral_answer(struct auth_zone* z, struct regional* region, 2905 struct dns_msg* msg, struct auth_data* ce, struct auth_rrset* rrset) 2906 { 2907 struct auth_rrset* ds, *nsec; 2908 /* turn off AA flag, referral is nonAA because it leaves the zone */ 2909 log_assert(ce); 2910 msg->rep->flags &= ~BIT_AA; 2911 if(!msg_add_rrset_ns(z, region, msg, ce, rrset)) return 0; 2912 /* add DS or deny it */ 2913 if((ds=az_domain_rrset(ce, LDNS_RR_TYPE_DS))!=NULL) { 2914 if(!msg_add_rrset_ns(z, region, msg, ce, ds)) return 0; 2915 } else { 2916 /* deny the DS */ 2917 if((nsec=az_domain_rrset(ce, LDNS_RR_TYPE_NSEC))!=NULL) { 2918 if(!msg_add_rrset_ns(z, region, msg, ce, nsec)) 2919 return 0; 2920 } else { 2921 if(!az_add_nsec3_proof(z, region, msg, ce->name, 2922 ce->namelen, msg->qinfo.qname, 2923 msg->qinfo.qname_len, 0, 0)) 2924 return 0; 2925 } 2926 } 2927 /* add additional rrs for type NS */ 2928 if(!az_add_additionals_from(z, region, msg, rrset, 0)) return 0; 2929 return 1; 2930 } 2931 2932 /** generate answer for DNAME answer */ 2933 static int 2934 az_generate_dname_answer(struct auth_zone* z, struct query_info* qinfo, 2935 struct regional* region, struct dns_msg* msg, struct auth_data* ce, 2936 struct auth_rrset* rrset) 2937 { 2938 log_assert(ce); 2939 /* add the DNAME and then a CNAME */ 2940 if(!msg_add_rrset_an(z, region, msg, ce, rrset)) return 0; 2941 if(!add_synth_cname(z, qinfo->qname, qinfo->qname_len, region, 2942 msg, ce, rrset)) return 0; 2943 if(FLAGS_GET_RCODE(msg->rep->flags) == LDNS_RCODE_YXDOMAIN) 2944 return 1; 2945 if(msg->rep->rrset_count == 0 || 2946 !msg->rep->rrsets[msg->rep->rrset_count-1]) 2947 return 0; 2948 if(!follow_cname_chain(z, qinfo->qtype, region, msg, 2949 (struct packed_rrset_data*)msg->rep->rrsets[ 2950 msg->rep->rrset_count-1]->entry.data)) 2951 return 0; 2952 return 1; 2953 } 2954 2955 /** generate answer for wildcard answer */ 2956 static int 2957 az_generate_wildcard_answer(struct auth_zone* z, struct query_info* qinfo, 2958 struct regional* region, struct dns_msg* msg, struct auth_data* ce, 2959 struct auth_data* wildcard, struct auth_data* node) 2960 { 2961 struct auth_rrset* rrset, *nsec; 2962 if((rrset=az_domain_rrset(wildcard, qinfo->qtype)) != NULL) { 2963 /* wildcard has type, add it */ 2964 if(!msg_add_rrset_an(z, region, msg, wildcard, rrset)) 2965 return 0; 2966 az_change_dnames(msg, wildcard->name, msg->qinfo.qname, 2967 msg->qinfo.qname_len, 1); 2968 } else if((rrset=az_domain_rrset(wildcard, LDNS_RR_TYPE_CNAME))!=NULL) { 2969 /* wildcard has cname instead, do that */ 2970 if(!msg_add_rrset_an(z, region, msg, wildcard, rrset)) 2971 return 0; 2972 az_change_dnames(msg, wildcard->name, msg->qinfo.qname, 2973 msg->qinfo.qname_len, 1); 2974 if(!follow_cname_chain(z, qinfo->qtype, region, msg, 2975 rrset->data)) 2976 return 0; 2977 } else if(qinfo->qtype == LDNS_RR_TYPE_ANY && wildcard->rrsets) { 2978 /* add ANY rrsets from wildcard node */ 2979 if(!az_generate_any_answer(z, region, msg, wildcard)) 2980 return 0; 2981 az_change_dnames(msg, wildcard->name, msg->qinfo.qname, 2982 msg->qinfo.qname_len, 1); 2983 } else { 2984 /* wildcard has nodata, notype answer */ 2985 /* call other notype routine for dnssec notype denials */ 2986 if(!az_generate_notype_answer(z, region, msg, wildcard)) 2987 return 0; 2988 } 2989 2990 /* ce and node for dnssec denial of wildcard original name */ 2991 if((nsec=az_find_nsec_cover(z, &node)) != NULL) { 2992 if(!msg_add_rrset_ns(z, region, msg, node, nsec)) return 0; 2993 } else if(ce) { 2994 if(!az_add_nsec3_proof(z, region, msg, ce->name, 2995 ce->namelen, msg->qinfo.qname, 2996 msg->qinfo.qname_len, 1, 0)) 2997 return 0; 2998 } 2999 3000 /* fixup name of wildcard from *.zone to qname, use already allocated 3001 * pointer to msg qname */ 3002 az_change_dnames(msg, wildcard->name, msg->qinfo.qname, 3003 msg->qinfo.qname_len, 0); 3004 return 1; 3005 } 3006 3007 /** generate answer for nxdomain answer */ 3008 static int 3009 az_generate_nxdomain_answer(struct auth_zone* z, struct regional* region, 3010 struct dns_msg* msg, struct auth_data* ce, struct auth_data* node) 3011 { 3012 struct auth_rrset* nsec; 3013 msg->rep->flags |= LDNS_RCODE_NXDOMAIN; 3014 if(!az_add_negative_soa(z, region, msg)) return 0; 3015 if((nsec=az_find_nsec_cover(z, &node)) != NULL) { 3016 if(!msg_add_rrset_ns(z, region, msg, node, nsec)) return 0; 3017 if(ce && !az_nsec_wildcard_denial(z, region, msg, ce->name, 3018 ce->namelen)) return 0; 3019 } else if(ce) { 3020 if(!az_add_nsec3_proof(z, region, msg, ce->name, 3021 ce->namelen, msg->qinfo.qname, 3022 msg->qinfo.qname_len, 1, 1)) 3023 return 0; 3024 } 3025 return 1; 3026 } 3027 3028 /** Create answers when an exact match exists for the domain name */ 3029 static int 3030 az_generate_answer_with_node(struct auth_zone* z, struct query_info* qinfo, 3031 struct regional* region, struct dns_msg* msg, struct auth_data* node) 3032 { 3033 struct auth_rrset* rrset; 3034 /* positive answer, rrset we are looking for exists */ 3035 if((rrset=az_domain_rrset(node, qinfo->qtype)) != NULL) { 3036 return az_generate_positive_answer(z, region, msg, node, rrset); 3037 } 3038 /* CNAME? */ 3039 if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_CNAME)) != NULL) { 3040 return az_generate_cname_answer(z, qinfo, region, msg, 3041 node, rrset); 3042 } 3043 /* type ANY ? */ 3044 if(qinfo->qtype == LDNS_RR_TYPE_ANY) { 3045 return az_generate_any_answer(z, region, msg, node); 3046 } 3047 /* NOERROR/NODATA (no such type at domain name) */ 3048 return az_generate_notype_answer(z, region, msg, node); 3049 } 3050 3051 /** Generate answer without an existing-node that we can use. 3052 * So it'll be a referral, DNAME or nxdomain */ 3053 static int 3054 az_generate_answer_nonexistnode(struct auth_zone* z, struct query_info* qinfo, 3055 struct regional* region, struct dns_msg* msg, struct auth_data* ce, 3056 struct auth_rrset* rrset, struct auth_data* node) 3057 { 3058 struct auth_data* wildcard; 3059 3060 /* we do not have an exact matching name (that exists) */ 3061 /* see if we have a NS or DNAME in the ce */ 3062 if(ce && rrset && rrset->type == LDNS_RR_TYPE_NS) { 3063 return az_generate_referral_answer(z, region, msg, ce, rrset); 3064 } 3065 if(ce && rrset && rrset->type == LDNS_RR_TYPE_DNAME) { 3066 return az_generate_dname_answer(z, qinfo, region, msg, ce, 3067 rrset); 3068 } 3069 /* if there is an empty nonterminal, wildcard and nxdomain don't 3070 * happen, it is a notype answer */ 3071 if(az_empty_nonterminal(z, qinfo, node)) { 3072 return az_generate_notype_answer(z, region, msg, node); 3073 } 3074 /* see if we have a wildcard under the ce */ 3075 if((wildcard=az_find_wildcard(z, qinfo, ce)) != NULL) { 3076 return az_generate_wildcard_answer(z, qinfo, region, msg, 3077 ce, wildcard, node); 3078 } 3079 /* generate nxdomain answer */ 3080 return az_generate_nxdomain_answer(z, region, msg, ce, node); 3081 } 3082 3083 /** Lookup answer in a zone. */ 3084 static int 3085 auth_zone_generate_answer(struct auth_zone* z, struct query_info* qinfo, 3086 struct regional* region, struct dns_msg** msg, int* fallback) 3087 { 3088 struct auth_data* node, *ce; 3089 struct auth_rrset* rrset; 3090 int node_exact, node_exists; 3091 /* does the zone want fallback in case of failure? */ 3092 *fallback = z->fallback_enabled; 3093 if(!(*msg=msg_create(region, qinfo))) return 0; 3094 3095 /* lookup if there is a matching domain name for the query */ 3096 az_find_domain(z, qinfo, &node_exact, &node); 3097 3098 /* see if node exists for generating answers from (i.e. not glue and 3099 * obscured by NS or DNAME or NSEC3-only), and also return the 3100 * closest-encloser from that, closest node that should be used 3101 * to generate answers from that is above the query */ 3102 node_exists = az_find_ce(z, qinfo, node, node_exact, &ce, &rrset); 3103 3104 if(verbosity >= VERB_ALGO) { 3105 char zname[256], qname[256], nname[256], cename[256], 3106 tpstr[32], rrstr[32]; 3107 sldns_wire2str_dname_buf(qinfo->qname, qinfo->qname_len, qname, 3108 sizeof(qname)); 3109 sldns_wire2str_type_buf(qinfo->qtype, tpstr, sizeof(tpstr)); 3110 sldns_wire2str_dname_buf(z->name, z->namelen, zname, 3111 sizeof(zname)); 3112 if(node) 3113 sldns_wire2str_dname_buf(node->name, node->namelen, 3114 nname, sizeof(nname)); 3115 else snprintf(nname, sizeof(nname), "NULL"); 3116 if(ce) 3117 sldns_wire2str_dname_buf(ce->name, ce->namelen, 3118 cename, sizeof(cename)); 3119 else snprintf(cename, sizeof(cename), "NULL"); 3120 if(rrset) sldns_wire2str_type_buf(rrset->type, rrstr, 3121 sizeof(rrstr)); 3122 else snprintf(rrstr, sizeof(rrstr), "NULL"); 3123 log_info("auth_zone %s query %s %s, domain %s %s %s, " 3124 "ce %s, rrset %s", zname, qname, tpstr, nname, 3125 (node_exact?"exact":"notexact"), 3126 (node_exists?"exist":"notexist"), cename, rrstr); 3127 } 3128 3129 if(node_exists) { 3130 /* the node is fine, generate answer from node */ 3131 return az_generate_answer_with_node(z, qinfo, region, *msg, 3132 node); 3133 } 3134 return az_generate_answer_nonexistnode(z, qinfo, region, *msg, 3135 ce, rrset, node); 3136 } 3137 3138 int auth_zones_lookup(struct auth_zones* az, struct query_info* qinfo, 3139 struct regional* region, struct dns_msg** msg, int* fallback, 3140 uint8_t* dp_nm, size_t dp_nmlen) 3141 { 3142 int r; 3143 struct auth_zone* z; 3144 /* find the zone that should contain the answer. */ 3145 lock_rw_rdlock(&az->lock); 3146 z = auth_zone_find(az, dp_nm, dp_nmlen, qinfo->qclass); 3147 if(!z) { 3148 lock_rw_unlock(&az->lock); 3149 /* no auth zone, fallback to internet */ 3150 *fallback = 1; 3151 return 0; 3152 } 3153 lock_rw_rdlock(&z->lock); 3154 lock_rw_unlock(&az->lock); 3155 3156 /* if not for upstream queries, fallback */ 3157 if(!z->for_upstream) { 3158 lock_rw_unlock(&z->lock); 3159 *fallback = 1; 3160 return 0; 3161 } 3162 /* see what answer that zone would generate */ 3163 r = auth_zone_generate_answer(z, qinfo, region, msg, fallback); 3164 lock_rw_unlock(&z->lock); 3165 return r; 3166 } 3167 3168 /** encode auth answer */ 3169 static void 3170 auth_answer_encode(struct query_info* qinfo, struct module_env* env, 3171 struct edns_data* edns, sldns_buffer* buf, struct regional* temp, 3172 struct dns_msg* msg) 3173 { 3174 uint16_t udpsize; 3175 udpsize = edns->udp_size; 3176 edns->edns_version = EDNS_ADVERTISED_VERSION; 3177 edns->udp_size = EDNS_ADVERTISED_SIZE; 3178 edns->ext_rcode = 0; 3179 edns->bits &= EDNS_DO; 3180 3181 if(!inplace_cb_reply_local_call(env, qinfo, NULL, msg->rep, 3182 (int)FLAGS_GET_RCODE(msg->rep->flags), edns, temp) 3183 || !reply_info_answer_encode(qinfo, msg->rep, 3184 *(uint16_t*)sldns_buffer_begin(buf), 3185 sldns_buffer_read_u16_at(buf, 2), 3186 buf, 0, 0, temp, udpsize, edns, 3187 (int)(edns->bits&EDNS_DO), 0)) { 3188 error_encode(buf, (LDNS_RCODE_SERVFAIL|BIT_AA), qinfo, 3189 *(uint16_t*)sldns_buffer_begin(buf), 3190 sldns_buffer_read_u16_at(buf, 2), edns); 3191 } 3192 } 3193 3194 /** encode auth error answer */ 3195 static void 3196 auth_error_encode(struct query_info* qinfo, struct module_env* env, 3197 struct edns_data* edns, sldns_buffer* buf, struct regional* temp, 3198 int rcode) 3199 { 3200 edns->edns_version = EDNS_ADVERTISED_VERSION; 3201 edns->udp_size = EDNS_ADVERTISED_SIZE; 3202 edns->ext_rcode = 0; 3203 edns->bits &= EDNS_DO; 3204 3205 if(!inplace_cb_reply_local_call(env, qinfo, NULL, NULL, 3206 rcode, edns, temp)) 3207 edns->opt_list = NULL; 3208 error_encode(buf, rcode|BIT_AA, qinfo, 3209 *(uint16_t*)sldns_buffer_begin(buf), 3210 sldns_buffer_read_u16_at(buf, 2), edns); 3211 } 3212 3213 int auth_zones_answer(struct auth_zones* az, struct module_env* env, 3214 struct query_info* qinfo, struct edns_data* edns, struct sldns_buffer* buf, 3215 struct regional* temp) 3216 { 3217 struct dns_msg* msg = NULL; 3218 struct auth_zone* z; 3219 int r; 3220 int fallback = 0; 3221 3222 lock_rw_rdlock(&az->lock); 3223 if(!az->have_downstream) { 3224 /* no downstream auth zones */ 3225 lock_rw_unlock(&az->lock); 3226 return 0; 3227 } 3228 if(qinfo->qtype == LDNS_RR_TYPE_DS) { 3229 uint8_t* delname = qinfo->qname; 3230 size_t delnamelen = qinfo->qname_len; 3231 dname_remove_label(&delname, &delnamelen); 3232 z = auth_zones_find_zone(az, delname, delnamelen, 3233 qinfo->qclass); 3234 } else { 3235 z = auth_zones_find_zone(az, qinfo->qname, qinfo->qname_len, 3236 qinfo->qclass); 3237 } 3238 if(!z) { 3239 /* no zone above it */ 3240 lock_rw_unlock(&az->lock); 3241 return 0; 3242 } 3243 lock_rw_rdlock(&z->lock); 3244 lock_rw_unlock(&az->lock); 3245 if(!z->for_downstream) { 3246 lock_rw_unlock(&z->lock); 3247 return 0; 3248 } 3249 3250 /* answer it from zone z */ 3251 r = auth_zone_generate_answer(z, qinfo, temp, &msg, &fallback); 3252 lock_rw_unlock(&z->lock); 3253 if(!r && fallback) { 3254 /* fallback to regular answering (recursive) */ 3255 return 0; 3256 } 3257 lock_rw_wrlock(&az->lock); 3258 az->num_query_down++; 3259 lock_rw_unlock(&az->lock); 3260 3261 /* encode answer */ 3262 if(!r) 3263 auth_error_encode(qinfo, env, edns, buf, temp, 3264 LDNS_RCODE_SERVFAIL); 3265 else auth_answer_encode(qinfo, env, edns, buf, temp, msg); 3266 3267 return 1; 3268 } 3269 3270 int auth_zones_can_fallback(struct auth_zones* az, uint8_t* nm, size_t nmlen, 3271 uint16_t dclass) 3272 { 3273 int r; 3274 struct auth_zone* z; 3275 lock_rw_rdlock(&az->lock); 3276 z = auth_zone_find(az, nm, nmlen, dclass); 3277 if(!z) { 3278 lock_rw_unlock(&az->lock); 3279 /* no such auth zone, fallback */ 3280 return 1; 3281 } 3282 lock_rw_rdlock(&z->lock); 3283 lock_rw_unlock(&az->lock); 3284 r = z->fallback_enabled || (!z->for_upstream); 3285 lock_rw_unlock(&z->lock); 3286 return r; 3287 } 3288 3289 int 3290 auth_zone_parse_notify_serial(sldns_buffer* pkt, uint32_t *serial) 3291 { 3292 struct query_info q; 3293 uint16_t rdlen; 3294 memset(&q, 0, sizeof(q)); 3295 sldns_buffer_set_position(pkt, 0); 3296 if(!query_info_parse(&q, pkt)) return 0; 3297 if(LDNS_ANCOUNT(sldns_buffer_begin(pkt)) == 0) return 0; 3298 /* skip name of RR in answer section */ 3299 if(sldns_buffer_remaining(pkt) < 1) return 0; 3300 if(pkt_dname_len(pkt) == 0) return 0; 3301 /* check type */ 3302 if(sldns_buffer_remaining(pkt) < 10 /* type,class,ttl,rdatalen*/) 3303 return 0; 3304 if(sldns_buffer_read_u16(pkt) != LDNS_RR_TYPE_SOA) return 0; 3305 sldns_buffer_skip(pkt, 2); /* class */ 3306 sldns_buffer_skip(pkt, 4); /* ttl */ 3307 rdlen = sldns_buffer_read_u16(pkt); /* rdatalen */ 3308 if(sldns_buffer_remaining(pkt) < rdlen) return 0; 3309 if(rdlen < 22) return 0; /* bad soa length */ 3310 sldns_buffer_skip(pkt, (ssize_t)(rdlen-20)); 3311 *serial = sldns_buffer_read_u32(pkt); 3312 /* return true when has serial in answer section */ 3313 return 1; 3314 } 3315 3316 /** see if addr appears in the list */ 3317 static int 3318 addr_in_list(struct auth_addr* list, struct sockaddr_storage* addr, 3319 socklen_t addrlen) 3320 { 3321 struct auth_addr* p; 3322 for(p=list; p; p=p->next) { 3323 if(sockaddr_cmp_addr(addr, addrlen, &p->addr, p->addrlen)==0) 3324 return 1; 3325 } 3326 return 0; 3327 } 3328 3329 /** check if an address matches a master specification (or one of its 3330 * addresses in the addr list) */ 3331 static int 3332 addr_matches_master(struct auth_master* master, struct sockaddr_storage* addr, 3333 socklen_t addrlen, struct auth_master** fromhost) 3334 { 3335 struct sockaddr_storage a; 3336 socklen_t alen = 0; 3337 int net = 0; 3338 if(addr_in_list(master->list, addr, addrlen)) { 3339 *fromhost = master; 3340 return 1; 3341 } 3342 /* compare address (but not port number, that is the destination 3343 * port of the master, the port number of the received notify is 3344 * allowed to by any port on that master) */ 3345 if(extstrtoaddr(master->host, &a, &alen) && 3346 sockaddr_cmp_addr(addr, addrlen, &a, alen)==0) { 3347 *fromhost = master; 3348 return 1; 3349 } 3350 /* prefixes, addr/len, like 10.0.0.0/8 */ 3351 /* not http and has a / and there is one / */ 3352 if(master->allow_notify && !master->http && 3353 strchr(master->host, '/') != NULL && 3354 strchr(master->host, '/') == strrchr(master->host, '/') && 3355 netblockstrtoaddr(master->host, UNBOUND_DNS_PORT, &a, &alen, 3356 &net) && alen == addrlen) { 3357 if(addr_in_common(addr, (addr_is_ip6(addr, addrlen)?128:32), 3358 &a, net, alen) >= net) { 3359 *fromhost = NULL; /* prefix does not have destination 3360 to send the probe or transfer with */ 3361 return 1; /* matches the netblock */ 3362 } 3363 } 3364 return 0; 3365 } 3366 3367 /** check access list for notifies */ 3368 static int 3369 az_xfr_allowed_notify(struct auth_xfer* xfr, struct sockaddr_storage* addr, 3370 socklen_t addrlen, struct auth_master** fromhost) 3371 { 3372 struct auth_master* p; 3373 for(p=xfr->allow_notify_list; p; p=p->next) { 3374 if(addr_matches_master(p, addr, addrlen, fromhost)) { 3375 return 1; 3376 } 3377 } 3378 return 0; 3379 } 3380 3381 /** see if the serial means the zone has to be updated, i.e. the serial 3382 * is newer than the zone serial, or we have no zone */ 3383 static int 3384 xfr_serial_means_update(struct auth_xfer* xfr, uint32_t serial) 3385 { 3386 if(!xfr->have_zone) 3387 return 1; /* no zone, anything is better */ 3388 if(xfr->zone_expired) 3389 return 1; /* expired, the sent serial is better than expired 3390 data */ 3391 if(compare_serial(xfr->serial, serial) < 0) 3392 return 1; /* our serial is smaller than the sent serial, 3393 the data is newer, fetch it */ 3394 return 0; 3395 } 3396 3397 /** note notify serial, updates the notify information in the xfr struct */ 3398 static void 3399 xfr_note_notify_serial(struct auth_xfer* xfr, int has_serial, uint32_t serial) 3400 { 3401 if(xfr->notify_received && xfr->notify_has_serial && has_serial) { 3402 /* see if this serial is newer */ 3403 if(compare_serial(xfr->notify_serial, serial) < 0) 3404 xfr->notify_serial = serial; 3405 } else if(xfr->notify_received && xfr->notify_has_serial && 3406 !has_serial) { 3407 /* remove serial, we have notify without serial */ 3408 xfr->notify_has_serial = 0; 3409 xfr->notify_serial = 0; 3410 } else if(xfr->notify_received && !xfr->notify_has_serial) { 3411 /* we already have notify without serial, keep it 3412 * that way; no serial check when current operation 3413 * is done */ 3414 } else { 3415 xfr->notify_received = 1; 3416 xfr->notify_has_serial = has_serial; 3417 xfr->notify_serial = serial; 3418 } 3419 } 3420 3421 /** process a notify serial, start new probe or note serial. xfr is locked */ 3422 static void 3423 xfr_process_notify(struct auth_xfer* xfr, struct module_env* env, 3424 int has_serial, uint32_t serial, struct auth_master* fromhost) 3425 { 3426 /* if the serial of notify is older than we have, don't fetch 3427 * a zone, we already have it */ 3428 if(has_serial && !xfr_serial_means_update(xfr, serial)) { 3429 lock_basic_unlock(&xfr->lock); 3430 return; 3431 } 3432 /* start new probe with this addr src, or note serial */ 3433 if(!xfr_start_probe(xfr, env, fromhost)) { 3434 /* not started because already in progress, note the serial */ 3435 xfr_note_notify_serial(xfr, has_serial, serial); 3436 lock_basic_unlock(&xfr->lock); 3437 } 3438 /* successful end of start_probe unlocked xfr->lock */ 3439 } 3440 3441 int auth_zones_notify(struct auth_zones* az, struct module_env* env, 3442 uint8_t* nm, size_t nmlen, uint16_t dclass, 3443 struct sockaddr_storage* addr, socklen_t addrlen, int has_serial, 3444 uint32_t serial, int* refused) 3445 { 3446 struct auth_xfer* xfr; 3447 struct auth_master* fromhost = NULL; 3448 /* see which zone this is */ 3449 lock_rw_rdlock(&az->lock); 3450 xfr = auth_xfer_find(az, nm, nmlen, dclass); 3451 if(!xfr) { 3452 lock_rw_unlock(&az->lock); 3453 /* no such zone, refuse the notify */ 3454 *refused = 1; 3455 return 0; 3456 } 3457 lock_basic_lock(&xfr->lock); 3458 lock_rw_unlock(&az->lock); 3459 3460 /* check access list for notifies */ 3461 if(!az_xfr_allowed_notify(xfr, addr, addrlen, &fromhost)) { 3462 lock_basic_unlock(&xfr->lock); 3463 /* notify not allowed, refuse the notify */ 3464 *refused = 1; 3465 return 0; 3466 } 3467 3468 /* process the notify */ 3469 xfr_process_notify(xfr, env, has_serial, serial, fromhost); 3470 return 1; 3471 } 3472 3473 /** set a zone expired */ 3474 static void 3475 auth_xfer_set_expired(struct auth_xfer* xfr, struct module_env* env, 3476 int expired) 3477 { 3478 struct auth_zone* z; 3479 3480 /* expire xfr */ 3481 lock_basic_lock(&xfr->lock); 3482 xfr->zone_expired = expired; 3483 lock_basic_unlock(&xfr->lock); 3484 3485 /* find auth_zone */ 3486 lock_rw_rdlock(&env->auth_zones->lock); 3487 z = auth_zone_find(env->auth_zones, xfr->name, xfr->namelen, 3488 xfr->dclass); 3489 if(!z) { 3490 lock_rw_unlock(&env->auth_zones->lock); 3491 return; 3492 } 3493 lock_rw_wrlock(&z->lock); 3494 lock_rw_unlock(&env->auth_zones->lock); 3495 3496 /* expire auth_zone */ 3497 z->zone_expired = expired; 3498 lock_rw_unlock(&z->lock); 3499 } 3500 3501 /** find master (from notify or probe) in list of masters */ 3502 static struct auth_master* 3503 find_master_by_host(struct auth_master* list, char* host) 3504 { 3505 struct auth_master* p; 3506 for(p=list; p; p=p->next) { 3507 if(strcmp(p->host, host) == 0) 3508 return p; 3509 } 3510 return NULL; 3511 } 3512 3513 /** delete the looked up auth_addrs for all the masters in the list */ 3514 static void 3515 xfr_masterlist_free_addrs(struct auth_master* list) 3516 { 3517 struct auth_master* m; 3518 for(m=list; m; m=m->next) { 3519 if(m->list) { 3520 auth_free_master_addrs(m->list); 3521 m->list = NULL; 3522 } 3523 } 3524 } 3525 3526 /** copy a list of auth_addrs */ 3527 static struct auth_addr* 3528 auth_addr_list_copy(struct auth_addr* source) 3529 { 3530 struct auth_addr* list = NULL, *last = NULL; 3531 struct auth_addr* p; 3532 for(p=source; p; p=p->next) { 3533 struct auth_addr* a = (struct auth_addr*)memdup(p, sizeof(*p)); 3534 if(!a) { 3535 log_err("malloc failure"); 3536 auth_free_master_addrs(list); 3537 return NULL; 3538 } 3539 a->next = NULL; 3540 if(last) last->next = a; 3541 if(!list) list = a; 3542 last = a; 3543 } 3544 return list; 3545 } 3546 3547 /** copy a master to a new structure, NULL on alloc failure */ 3548 static struct auth_master* 3549 auth_master_copy(struct auth_master* o) 3550 { 3551 struct auth_master* m; 3552 if(!o) return NULL; 3553 m = (struct auth_master*)memdup(o, sizeof(*o)); 3554 if(!m) { 3555 log_err("malloc failure"); 3556 return NULL; 3557 } 3558 m->next = NULL; 3559 if(m->host) { 3560 m->host = strdup(m->host); 3561 if(!m->host) { 3562 free(m); 3563 log_err("malloc failure"); 3564 return NULL; 3565 } 3566 } 3567 if(m->file) { 3568 m->file = strdup(m->file); 3569 if(!m->file) { 3570 free(m->host); 3571 free(m); 3572 log_err("malloc failure"); 3573 return NULL; 3574 } 3575 } 3576 if(m->list) { 3577 m->list = auth_addr_list_copy(m->list); 3578 if(!m->list) { 3579 free(m->file); 3580 free(m->host); 3581 free(m); 3582 return NULL; 3583 } 3584 } 3585 return m; 3586 } 3587 3588 /** copy the master addresses from the task_probe lookups to the allow_notify 3589 * list of masters */ 3590 static void 3591 probe_copy_masters_for_allow_notify(struct auth_xfer* xfr) 3592 { 3593 struct auth_master* list = NULL, *last = NULL; 3594 struct auth_master* p; 3595 /* build up new list with copies */ 3596 for(p = xfr->task_probe->masters; p; p=p->next) { 3597 struct auth_master* m = auth_master_copy(p); 3598 if(!m) { 3599 auth_free_masters(list); 3600 /* failed because of malloc failure, use old list */ 3601 return; 3602 } 3603 m->next = NULL; 3604 if(last) last->next = m; 3605 if(!list) list = m; 3606 last = m; 3607 } 3608 /* success, replace list */ 3609 auth_free_masters(xfr->allow_notify_list); 3610 xfr->allow_notify_list = list; 3611 } 3612 3613 /** start the lookups for task_transfer */ 3614 static void 3615 xfr_transfer_start_lookups(struct auth_xfer* xfr) 3616 { 3617 /* delete all the looked up addresses in the list */ 3618 xfr_masterlist_free_addrs(xfr->task_transfer->masters); 3619 3620 /* start lookup at the first master */ 3621 xfr->task_transfer->lookup_target = xfr->task_transfer->masters; 3622 xfr->task_transfer->lookup_aaaa = 0; 3623 } 3624 3625 /** move to the next lookup of hostname for task_transfer */ 3626 static void 3627 xfr_transfer_move_to_next_lookup(struct auth_xfer* xfr, struct module_env* env) 3628 { 3629 if(!xfr->task_transfer->lookup_target) 3630 return; /* already at end of list */ 3631 if(!xfr->task_transfer->lookup_aaaa && env->cfg->do_ip6) { 3632 /* move to lookup AAAA */ 3633 xfr->task_transfer->lookup_aaaa = 1; 3634 return; 3635 } 3636 xfr->task_transfer->lookup_target = 3637 xfr->task_transfer->lookup_target->next; 3638 xfr->task_transfer->lookup_aaaa = 0; 3639 if(!env->cfg->do_ip4 && xfr->task_transfer->lookup_target!=NULL) 3640 xfr->task_transfer->lookup_aaaa = 1; 3641 } 3642 3643 /** start the lookups for task_probe */ 3644 static void 3645 xfr_probe_start_lookups(struct auth_xfer* xfr) 3646 { 3647 /* delete all the looked up addresses in the list */ 3648 xfr_masterlist_free_addrs(xfr->task_probe->masters); 3649 3650 /* start lookup at the first master */ 3651 xfr->task_probe->lookup_target = xfr->task_probe->masters; 3652 xfr->task_probe->lookup_aaaa = 0; 3653 } 3654 3655 /** move to the next lookup of hostname for task_probe */ 3656 static void 3657 xfr_probe_move_to_next_lookup(struct auth_xfer* xfr, struct module_env* env) 3658 { 3659 if(!xfr->task_probe->lookup_target) 3660 return; /* already at end of list */ 3661 if(!xfr->task_probe->lookup_aaaa && env->cfg->do_ip6) { 3662 /* move to lookup AAAA */ 3663 xfr->task_probe->lookup_aaaa = 1; 3664 return; 3665 } 3666 xfr->task_probe->lookup_target = xfr->task_probe->lookup_target->next; 3667 xfr->task_probe->lookup_aaaa = 0; 3668 if(!env->cfg->do_ip4 && xfr->task_probe->lookup_target!=NULL) 3669 xfr->task_probe->lookup_aaaa = 1; 3670 } 3671 3672 /** start the iteration of the task_transfer list of masters */ 3673 static void 3674 xfr_transfer_start_list(struct auth_xfer* xfr, struct auth_master* spec) 3675 { 3676 if(spec) { 3677 xfr->task_transfer->scan_specific = find_master_by_host( 3678 xfr->task_transfer->masters, spec->host); 3679 if(xfr->task_transfer->scan_specific) { 3680 xfr->task_transfer->scan_target = NULL; 3681 xfr->task_transfer->scan_addr = NULL; 3682 if(xfr->task_transfer->scan_specific->list) 3683 xfr->task_transfer->scan_addr = 3684 xfr->task_transfer->scan_specific->list; 3685 return; 3686 } 3687 } 3688 /* no specific (notified) host to scan */ 3689 xfr->task_transfer->scan_specific = NULL; 3690 xfr->task_transfer->scan_addr = NULL; 3691 /* pick up first scan target */ 3692 xfr->task_transfer->scan_target = xfr->task_transfer->masters; 3693 if(xfr->task_transfer->scan_target && xfr->task_transfer-> 3694 scan_target->list) 3695 xfr->task_transfer->scan_addr = 3696 xfr->task_transfer->scan_target->list; 3697 } 3698 3699 /** start the iteration of the task_probe list of masters */ 3700 static void 3701 xfr_probe_start_list(struct auth_xfer* xfr, struct auth_master* spec) 3702 { 3703 if(spec) { 3704 xfr->task_probe->scan_specific = find_master_by_host( 3705 xfr->task_probe->masters, spec->host); 3706 if(xfr->task_probe->scan_specific) { 3707 xfr->task_probe->scan_target = NULL; 3708 xfr->task_probe->scan_addr = NULL; 3709 if(xfr->task_probe->scan_specific->list) 3710 xfr->task_probe->scan_addr = 3711 xfr->task_probe->scan_specific->list; 3712 return; 3713 } 3714 } 3715 /* no specific (notified) host to scan */ 3716 xfr->task_probe->scan_specific = NULL; 3717 xfr->task_probe->scan_addr = NULL; 3718 /* pick up first scan target */ 3719 xfr->task_probe->scan_target = xfr->task_probe->masters; 3720 if(xfr->task_probe->scan_target && xfr->task_probe->scan_target->list) 3721 xfr->task_probe->scan_addr = 3722 xfr->task_probe->scan_target->list; 3723 } 3724 3725 /** pick up the master that is being scanned right now, task_transfer */ 3726 static struct auth_master* 3727 xfr_transfer_current_master(struct auth_xfer* xfr) 3728 { 3729 if(xfr->task_transfer->scan_specific) 3730 return xfr->task_transfer->scan_specific; 3731 return xfr->task_transfer->scan_target; 3732 } 3733 3734 /** pick up the master that is being scanned right now, task_probe */ 3735 static struct auth_master* 3736 xfr_probe_current_master(struct auth_xfer* xfr) 3737 { 3738 if(xfr->task_probe->scan_specific) 3739 return xfr->task_probe->scan_specific; 3740 return xfr->task_probe->scan_target; 3741 } 3742 3743 /** true if at end of list, task_transfer */ 3744 static int 3745 xfr_transfer_end_of_list(struct auth_xfer* xfr) 3746 { 3747 return !xfr->task_transfer->scan_specific && 3748 !xfr->task_transfer->scan_target; 3749 } 3750 3751 /** true if at end of list, task_probe */ 3752 static int 3753 xfr_probe_end_of_list(struct auth_xfer* xfr) 3754 { 3755 return !xfr->task_probe->scan_specific && !xfr->task_probe->scan_target; 3756 } 3757 3758 /** move to next master in list, task_transfer */ 3759 static void 3760 xfr_transfer_nextmaster(struct auth_xfer* xfr) 3761 { 3762 if(!xfr->task_transfer->scan_specific && 3763 !xfr->task_transfer->scan_target) 3764 return; 3765 if(xfr->task_transfer->scan_addr) { 3766 xfr->task_transfer->scan_addr = 3767 xfr->task_transfer->scan_addr->next; 3768 if(xfr->task_transfer->scan_addr) 3769 return; 3770 } 3771 if(xfr->task_transfer->scan_specific) { 3772 xfr->task_transfer->scan_specific = NULL; 3773 xfr->task_transfer->scan_target = xfr->task_transfer->masters; 3774 if(xfr->task_transfer->scan_target && xfr->task_transfer-> 3775 scan_target->list) 3776 xfr->task_transfer->scan_addr = 3777 xfr->task_transfer->scan_target->list; 3778 return; 3779 } 3780 if(!xfr->task_transfer->scan_target) 3781 return; 3782 xfr->task_transfer->scan_target = xfr->task_transfer->scan_target->next; 3783 if(xfr->task_transfer->scan_target && xfr->task_transfer-> 3784 scan_target->list) 3785 xfr->task_transfer->scan_addr = 3786 xfr->task_transfer->scan_target->list; 3787 return; 3788 } 3789 3790 /** move to next master in list, task_probe */ 3791 static void 3792 xfr_probe_nextmaster(struct auth_xfer* xfr) 3793 { 3794 if(!xfr->task_probe->scan_specific && !xfr->task_probe->scan_target) 3795 return; 3796 if(xfr->task_probe->scan_addr) { 3797 xfr->task_probe->scan_addr = xfr->task_probe->scan_addr->next; 3798 if(xfr->task_probe->scan_addr) 3799 return; 3800 } 3801 if(xfr->task_probe->scan_specific) { 3802 xfr->task_probe->scan_specific = NULL; 3803 xfr->task_probe->scan_target = xfr->task_probe->masters; 3804 if(xfr->task_probe->scan_target && xfr->task_probe-> 3805 scan_target->list) 3806 xfr->task_probe->scan_addr = 3807 xfr->task_probe->scan_target->list; 3808 return; 3809 } 3810 if(!xfr->task_probe->scan_target) 3811 return; 3812 xfr->task_probe->scan_target = xfr->task_probe->scan_target->next; 3813 if(xfr->task_probe->scan_target && xfr->task_probe-> 3814 scan_target->list) 3815 xfr->task_probe->scan_addr = 3816 xfr->task_probe->scan_target->list; 3817 return; 3818 } 3819 3820 /** create SOA probe packet for xfr */ 3821 static void 3822 xfr_create_soa_probe_packet(struct auth_xfer* xfr, sldns_buffer* buf, 3823 uint16_t id) 3824 { 3825 struct query_info qinfo; 3826 3827 memset(&qinfo, 0, sizeof(qinfo)); 3828 qinfo.qname = xfr->name; 3829 qinfo.qname_len = xfr->namelen; 3830 qinfo.qtype = LDNS_RR_TYPE_SOA; 3831 qinfo.qclass = xfr->dclass; 3832 qinfo_query_encode(buf, &qinfo); 3833 sldns_buffer_write_u16_at(buf, 0, id); 3834 } 3835 3836 /** create IXFR/AXFR packet for xfr */ 3837 static void 3838 xfr_create_ixfr_packet(struct auth_xfer* xfr, sldns_buffer* buf, uint16_t id, 3839 struct auth_master* master) 3840 { 3841 struct query_info qinfo; 3842 uint32_t serial; 3843 int have_zone; 3844 have_zone = xfr->have_zone; 3845 serial = xfr->serial; 3846 3847 memset(&qinfo, 0, sizeof(qinfo)); 3848 qinfo.qname = xfr->name; 3849 qinfo.qname_len = xfr->namelen; 3850 xfr->task_transfer->got_xfr_serial = 0; 3851 xfr->task_transfer->rr_scan_num = 0; 3852 xfr->task_transfer->incoming_xfr_serial = 0; 3853 xfr->task_transfer->on_ixfr_is_axfr = 0; 3854 xfr->task_transfer->on_ixfr = 1; 3855 qinfo.qtype = LDNS_RR_TYPE_IXFR; 3856 if(!have_zone || xfr->task_transfer->ixfr_fail || !master->ixfr) { 3857 qinfo.qtype = LDNS_RR_TYPE_AXFR; 3858 xfr->task_transfer->ixfr_fail = 0; 3859 xfr->task_transfer->on_ixfr = 0; 3860 } 3861 3862 qinfo.qclass = xfr->dclass; 3863 qinfo_query_encode(buf, &qinfo); 3864 sldns_buffer_write_u16_at(buf, 0, id); 3865 3866 /* append serial for IXFR */ 3867 if(qinfo.qtype == LDNS_RR_TYPE_IXFR) { 3868 size_t end = sldns_buffer_limit(buf); 3869 sldns_buffer_clear(buf); 3870 sldns_buffer_set_position(buf, end); 3871 /* auth section count 1 */ 3872 sldns_buffer_write_u16_at(buf, LDNS_NSCOUNT_OFF, 1); 3873 /* write SOA */ 3874 sldns_buffer_write_u8(buf, 0xC0); /* compressed ptr to qname */ 3875 sldns_buffer_write_u8(buf, 0x0C); 3876 sldns_buffer_write_u16(buf, LDNS_RR_TYPE_SOA); 3877 sldns_buffer_write_u16(buf, qinfo.qclass); 3878 sldns_buffer_write_u32(buf, 0); /* ttl */ 3879 sldns_buffer_write_u16(buf, 22); /* rdata length */ 3880 sldns_buffer_write_u8(buf, 0); /* . */ 3881 sldns_buffer_write_u8(buf, 0); /* . */ 3882 sldns_buffer_write_u32(buf, serial); /* serial */ 3883 sldns_buffer_write_u32(buf, 0); /* refresh */ 3884 sldns_buffer_write_u32(buf, 0); /* retry */ 3885 sldns_buffer_write_u32(buf, 0); /* expire */ 3886 sldns_buffer_write_u32(buf, 0); /* minimum */ 3887 sldns_buffer_flip(buf); 3888 } 3889 } 3890 3891 /** check if returned packet is OK */ 3892 static int 3893 check_packet_ok(sldns_buffer* pkt, uint16_t qtype, struct auth_xfer* xfr, 3894 uint32_t* serial) 3895 { 3896 /* parse to see if packet worked, valid reply */ 3897 3898 /* check serial number of SOA */ 3899 if(sldns_buffer_limit(pkt) < LDNS_HEADER_SIZE) 3900 return 0; 3901 3902 /* check ID */ 3903 if(LDNS_ID_WIRE(sldns_buffer_begin(pkt)) != xfr->task_probe->id) 3904 return 0; 3905 3906 /* check flag bits and rcode */ 3907 if(!LDNS_QR_WIRE(sldns_buffer_begin(pkt))) 3908 return 0; 3909 if(LDNS_OPCODE_WIRE(sldns_buffer_begin(pkt)) != LDNS_PACKET_QUERY) 3910 return 0; 3911 if(LDNS_RCODE_WIRE(sldns_buffer_begin(pkt)) != LDNS_RCODE_NOERROR) 3912 return 0; 3913 3914 /* check qname */ 3915 if(LDNS_QDCOUNT(sldns_buffer_begin(pkt)) != 1) 3916 return 0; 3917 sldns_buffer_skip(pkt, LDNS_HEADER_SIZE); 3918 if(sldns_buffer_remaining(pkt) < xfr->namelen) 3919 return 0; 3920 if(query_dname_compare(sldns_buffer_current(pkt), xfr->name) != 0) 3921 return 0; 3922 sldns_buffer_skip(pkt, (ssize_t)xfr->namelen); 3923 3924 /* check qtype, qclass */ 3925 if(sldns_buffer_remaining(pkt) < 4) 3926 return 0; 3927 if(sldns_buffer_read_u16(pkt) != qtype) 3928 return 0; 3929 if(sldns_buffer_read_u16(pkt) != xfr->dclass) 3930 return 0; 3931 3932 if(serial) { 3933 uint16_t rdlen; 3934 /* read serial number, from answer section SOA */ 3935 if(LDNS_ANCOUNT(sldns_buffer_begin(pkt)) == 0) 3936 return 0; 3937 /* read from first record SOA record */ 3938 if(sldns_buffer_remaining(pkt) < 1) 3939 return 0; 3940 if(dname_pkt_compare(pkt, sldns_buffer_current(pkt), 3941 xfr->name) != 0) 3942 return 0; 3943 if(!pkt_dname_len(pkt)) 3944 return 0; 3945 /* type, class, ttl, rdatalen */ 3946 if(sldns_buffer_remaining(pkt) < 4+4+2) 3947 return 0; 3948 if(sldns_buffer_read_u16(pkt) != qtype) 3949 return 0; 3950 if(sldns_buffer_read_u16(pkt) != xfr->dclass) 3951 return 0; 3952 sldns_buffer_skip(pkt, 4); /* ttl */ 3953 rdlen = sldns_buffer_read_u16(pkt); 3954 if(sldns_buffer_remaining(pkt) < rdlen) 3955 return 0; 3956 if(sldns_buffer_remaining(pkt) < 1) 3957 return 0; 3958 if(!pkt_dname_len(pkt)) /* soa name */ 3959 return 0; 3960 if(sldns_buffer_remaining(pkt) < 1) 3961 return 0; 3962 if(!pkt_dname_len(pkt)) /* soa name */ 3963 return 0; 3964 if(sldns_buffer_remaining(pkt) < 20) 3965 return 0; 3966 *serial = sldns_buffer_read_u32(pkt); 3967 } 3968 return 1; 3969 } 3970 3971 /** read one line from chunks into buffer at current position */ 3972 static int 3973 chunkline_get_line(struct auth_chunk** chunk, size_t* chunk_pos, 3974 sldns_buffer* buf) 3975 { 3976 int readsome = 0; 3977 while(*chunk) { 3978 /* more text in this chunk? */ 3979 if(*chunk_pos < (*chunk)->len) { 3980 readsome = 1; 3981 while(*chunk_pos < (*chunk)->len) { 3982 char c = (char)((*chunk)->data[*chunk_pos]); 3983 (*chunk_pos)++; 3984 if(sldns_buffer_remaining(buf) < 2) { 3985 /* buffer too short */ 3986 verbose(VERB_ALGO, "http chunkline, " 3987 "line too long"); 3988 return 0; 3989 } 3990 sldns_buffer_write_u8(buf, (uint8_t)c); 3991 if(c == '\n') { 3992 /* we are done */ 3993 return 1; 3994 } 3995 } 3996 } 3997 /* move to next chunk */ 3998 *chunk = (*chunk)->next; 3999 *chunk_pos = 0; 4000 } 4001 /* no more text */ 4002 if(readsome) return 1; 4003 return 0; 4004 } 4005 4006 /** count number of open and closed parenthesis in a chunkline */ 4007 static int 4008 chunkline_count_parens(sldns_buffer* buf, size_t start) 4009 { 4010 size_t end = sldns_buffer_position(buf); 4011 size_t i; 4012 int count = 0; 4013 int squote = 0, dquote = 0; 4014 for(i=start; i<end; i++) { 4015 char c = (char)sldns_buffer_read_u8_at(buf, i); 4016 if(squote && c != '\'') continue; 4017 if(dquote && c != '"') continue; 4018 if(c == '"') 4019 dquote = !dquote; /* skip quoted part */ 4020 else if(c == '\'') 4021 squote = !squote; /* skip quoted part */ 4022 else if(c == '(') 4023 count ++; 4024 else if(c == ')') 4025 count --; 4026 else if(c == ';') { 4027 /* rest is a comment */ 4028 return count; 4029 } 4030 } 4031 return count; 4032 } 4033 4034 /** remove trailing ;... comment from a line in the chunkline buffer */ 4035 static void 4036 chunkline_remove_trailcomment(sldns_buffer* buf, size_t start) 4037 { 4038 size_t end = sldns_buffer_position(buf); 4039 size_t i; 4040 int squote = 0, dquote = 0; 4041 for(i=start; i<end; i++) { 4042 char c = (char)sldns_buffer_read_u8_at(buf, i); 4043 if(squote && c != '\'') continue; 4044 if(dquote && c != '"') continue; 4045 if(c == '"') 4046 dquote = !dquote; /* skip quoted part */ 4047 else if(c == '\'') 4048 squote = !squote; /* skip quoted part */ 4049 else if(c == ';') { 4050 /* rest is a comment */ 4051 sldns_buffer_set_position(buf, i); 4052 return; 4053 } 4054 } 4055 /* nothing to remove */ 4056 } 4057 4058 /** see if a chunkline is a comment line (or empty line) */ 4059 static int 4060 chunkline_is_comment_line_or_empty(sldns_buffer* buf) 4061 { 4062 size_t i, end = sldns_buffer_limit(buf); 4063 for(i=0; i<end; i++) { 4064 char c = (char)sldns_buffer_read_u8_at(buf, i); 4065 if(c == ';') 4066 return 1; /* comment */ 4067 else if(c != ' ' && c != '\t' && c != '\r' && c != '\n') 4068 return 0; /* not a comment */ 4069 } 4070 return 1; /* empty */ 4071 } 4072 4073 /** find a line with ( ) collated */ 4074 static int 4075 chunkline_get_line_collated(struct auth_chunk** chunk, size_t* chunk_pos, 4076 sldns_buffer* buf) 4077 { 4078 size_t pos; 4079 int parens = 0; 4080 sldns_buffer_clear(buf); 4081 pos = sldns_buffer_position(buf); 4082 if(!chunkline_get_line(chunk, chunk_pos, buf)) { 4083 if(sldns_buffer_position(buf) < sldns_buffer_limit(buf)) 4084 sldns_buffer_write_u8_at(buf, sldns_buffer_position(buf), 0); 4085 else sldns_buffer_write_u8_at(buf, sldns_buffer_position(buf)-1, 0); 4086 sldns_buffer_flip(buf); 4087 return 0; 4088 } 4089 parens += chunkline_count_parens(buf, pos); 4090 while(parens > 0) { 4091 chunkline_remove_trailcomment(buf, pos); 4092 pos = sldns_buffer_position(buf); 4093 if(!chunkline_get_line(chunk, chunk_pos, buf)) { 4094 if(sldns_buffer_position(buf) < sldns_buffer_limit(buf)) 4095 sldns_buffer_write_u8_at(buf, sldns_buffer_position(buf), 0); 4096 else sldns_buffer_write_u8_at(buf, sldns_buffer_position(buf)-1, 0); 4097 sldns_buffer_flip(buf); 4098 return 0; 4099 } 4100 parens += chunkline_count_parens(buf, pos); 4101 } 4102 4103 if(sldns_buffer_remaining(buf) < 1) { 4104 verbose(VERB_ALGO, "http chunkline: " 4105 "line too long"); 4106 return 0; 4107 } 4108 sldns_buffer_write_u8_at(buf, sldns_buffer_position(buf), 0); 4109 sldns_buffer_flip(buf); 4110 return 1; 4111 } 4112 4113 /** process $ORIGIN for http */ 4114 static int 4115 http_parse_origin(sldns_buffer* buf, struct sldns_file_parse_state* pstate) 4116 { 4117 char* line = (char*)sldns_buffer_begin(buf); 4118 if(strncmp(line, "$ORIGIN", 7) == 0 && 4119 isspace((unsigned char)line[7])) { 4120 int s; 4121 pstate->origin_len = sizeof(pstate->origin); 4122 s = sldns_str2wire_dname_buf(sldns_strip_ws(line+8), 4123 pstate->origin, &pstate->origin_len); 4124 if(s) pstate->origin_len = 0; 4125 return 1; 4126 } 4127 return 0; 4128 } 4129 4130 /** process $TTL for http */ 4131 static int 4132 http_parse_ttl(sldns_buffer* buf, struct sldns_file_parse_state* pstate) 4133 { 4134 char* line = (char*)sldns_buffer_begin(buf); 4135 if(strncmp(line, "$TTL", 4) == 0 && 4136 isspace((unsigned char)line[4])) { 4137 const char* end = NULL; 4138 pstate->default_ttl = sldns_str2period( 4139 sldns_strip_ws(line+5), &end); 4140 return 1; 4141 } 4142 return 0; 4143 } 4144 4145 /** find noncomment RR line in chunks, collates lines if ( ) format */ 4146 static int 4147 chunkline_non_comment_RR(struct auth_chunk** chunk, size_t* chunk_pos, 4148 sldns_buffer* buf, struct sldns_file_parse_state* pstate) 4149 { 4150 while(chunkline_get_line_collated(chunk, chunk_pos, buf)) { 4151 if(chunkline_is_comment_line_or_empty(buf)) { 4152 /* a comment, go to next line */ 4153 continue; 4154 } 4155 if(http_parse_origin(buf, pstate)) { 4156 continue; /* $ORIGIN has been handled */ 4157 } 4158 if(http_parse_ttl(buf, pstate)) { 4159 continue; /* $TTL has been handled */ 4160 } 4161 return 1; 4162 } 4163 /* no noncomments, fail */ 4164 return 0; 4165 } 4166 4167 /** check syntax of chunklist zonefile, parse first RR, return false on 4168 * failure and return a string in the scratch buffer (first RR string) 4169 * on failure. */ 4170 static int 4171 http_zonefile_syntax_check(struct auth_xfer* xfr, sldns_buffer* buf) 4172 { 4173 uint8_t rr[LDNS_RR_BUF_SIZE]; 4174 size_t rr_len, dname_len = 0; 4175 struct sldns_file_parse_state pstate; 4176 struct auth_chunk* chunk; 4177 size_t chunk_pos; 4178 int e; 4179 memset(&pstate, 0, sizeof(pstate)); 4180 pstate.default_ttl = 3600; 4181 if(xfr->namelen < sizeof(pstate.origin)) { 4182 pstate.origin_len = xfr->namelen; 4183 memmove(pstate.origin, xfr->name, xfr->namelen); 4184 } 4185 chunk = xfr->task_transfer->chunks_first; 4186 chunk_pos = 0; 4187 if(!chunkline_non_comment_RR(&chunk, &chunk_pos, buf, &pstate)) { 4188 return 0; 4189 } 4190 rr_len = sizeof(rr); 4191 e=sldns_str2wire_rr_buf((char*)sldns_buffer_begin(buf), rr, &rr_len, 4192 &dname_len, pstate.default_ttl, 4193 pstate.origin_len?pstate.origin:NULL, pstate.origin_len, 4194 pstate.prev_rr_len?pstate.prev_rr:NULL, pstate.prev_rr_len); 4195 if(e != 0) { 4196 log_err("parse failure on first RR[%d]: %s", 4197 LDNS_WIREPARSE_OFFSET(e), 4198 sldns_get_errorstr_parse(LDNS_WIREPARSE_ERROR(e))); 4199 return 0; 4200 } 4201 /* check that class is correct */ 4202 if(sldns_wirerr_get_class(rr, rr_len, dname_len) != xfr->dclass) { 4203 log_err("parse failure: first record in downloaded zonefile " 4204 "from wrong RR class"); 4205 return 0; 4206 } 4207 return 1; 4208 } 4209 4210 /** sum sizes of chunklist */ 4211 static size_t 4212 chunklist_sum(struct auth_chunk* list) 4213 { 4214 struct auth_chunk* p; 4215 size_t s = 0; 4216 for(p=list; p; p=p->next) { 4217 s += p->len; 4218 } 4219 return s; 4220 } 4221 4222 /** remove newlines from collated line */ 4223 static void 4224 chunkline_newline_removal(sldns_buffer* buf) 4225 { 4226 size_t i, end=sldns_buffer_limit(buf); 4227 for(i=0; i<end; i++) { 4228 char c = (char)sldns_buffer_read_u8_at(buf, i); 4229 if(c == '\n' && i==end-1) { 4230 sldns_buffer_write_u8_at(buf, i, 0); 4231 sldns_buffer_set_limit(buf, end-1); 4232 return; 4233 } 4234 if(c == '\n') 4235 sldns_buffer_write_u8_at(buf, i, (uint8_t)' '); 4236 } 4237 } 4238 4239 /** for http download, parse and add RR to zone */ 4240 static int 4241 http_parse_add_rr(struct auth_xfer* xfr, struct auth_zone* z, 4242 sldns_buffer* buf, struct sldns_file_parse_state* pstate) 4243 { 4244 uint8_t rr[LDNS_RR_BUF_SIZE]; 4245 size_t rr_len, dname_len = 0; 4246 int e; 4247 char* line = (char*)sldns_buffer_begin(buf); 4248 rr_len = sizeof(rr); 4249 e = sldns_str2wire_rr_buf(line, rr, &rr_len, &dname_len, 4250 pstate->default_ttl, 4251 pstate->origin_len?pstate->origin:NULL, pstate->origin_len, 4252 pstate->prev_rr_len?pstate->prev_rr:NULL, pstate->prev_rr_len); 4253 if(e != 0) { 4254 log_err("%s/%s parse failure RR[%d]: %s in '%s'", 4255 xfr->task_transfer->master->host, 4256 xfr->task_transfer->master->file, 4257 LDNS_WIREPARSE_OFFSET(e), 4258 sldns_get_errorstr_parse(LDNS_WIREPARSE_ERROR(e)), 4259 line); 4260 return 0; 4261 } 4262 if(rr_len == 0) 4263 return 1; /* empty line or so */ 4264 4265 /* set prev */ 4266 if(dname_len < sizeof(pstate->prev_rr)) { 4267 memmove(pstate->prev_rr, rr, dname_len); 4268 pstate->prev_rr_len = dname_len; 4269 } 4270 4271 return az_insert_rr(z, rr, rr_len, dname_len, NULL); 4272 } 4273 4274 /** RR list iterator, returns RRs from answer section one by one from the 4275 * dns packets in the chunklist */ 4276 static void 4277 chunk_rrlist_start(struct auth_xfer* xfr, struct auth_chunk** rr_chunk, 4278 int* rr_num, size_t* rr_pos) 4279 { 4280 *rr_chunk = xfr->task_transfer->chunks_first; 4281 *rr_num = 0; 4282 *rr_pos = 0; 4283 } 4284 4285 /** RR list iterator, see if we are at the end of the list */ 4286 static int 4287 chunk_rrlist_end(struct auth_chunk* rr_chunk, int rr_num) 4288 { 4289 while(rr_chunk) { 4290 if(rr_chunk->len < LDNS_HEADER_SIZE) 4291 return 1; 4292 if(rr_num < (int)LDNS_ANCOUNT(rr_chunk->data)) 4293 return 0; 4294 /* no more RRs in this chunk */ 4295 /* continue with next chunk, see if it has RRs */ 4296 rr_chunk = rr_chunk->next; 4297 rr_num = 0; 4298 } 4299 return 1; 4300 } 4301 4302 /** RR list iterator, move to next RR */ 4303 static void 4304 chunk_rrlist_gonext(struct auth_chunk** rr_chunk, int* rr_num, 4305 size_t* rr_pos, size_t rr_nextpos) 4306 { 4307 /* already at end of chunks? */ 4308 if(!*rr_chunk) 4309 return; 4310 /* move within this chunk */ 4311 if((*rr_chunk)->len >= LDNS_HEADER_SIZE && 4312 (*rr_num)+1 < (int)LDNS_ANCOUNT((*rr_chunk)->data)) { 4313 (*rr_num) += 1; 4314 *rr_pos = rr_nextpos; 4315 return; 4316 } 4317 /* no more RRs in this chunk */ 4318 /* continue with next chunk, see if it has RRs */ 4319 if(*rr_chunk) 4320 *rr_chunk = (*rr_chunk)->next; 4321 while(*rr_chunk) { 4322 *rr_num = 0; 4323 *rr_pos = 0; 4324 if((*rr_chunk)->len >= LDNS_HEADER_SIZE && 4325 LDNS_ANCOUNT((*rr_chunk)->data) > 0) { 4326 return; 4327 } 4328 *rr_chunk = (*rr_chunk)->next; 4329 } 4330 } 4331 4332 /** RR iterator, get current RR information, false on parse error */ 4333 static int 4334 chunk_rrlist_get_current(struct auth_chunk* rr_chunk, int rr_num, 4335 size_t rr_pos, uint8_t** rr_dname, uint16_t* rr_type, 4336 uint16_t* rr_class, uint32_t* rr_ttl, uint16_t* rr_rdlen, 4337 uint8_t** rr_rdata, size_t* rr_nextpos) 4338 { 4339 sldns_buffer pkt; 4340 /* integrity checks on position */ 4341 if(!rr_chunk) return 0; 4342 if(rr_chunk->len < LDNS_HEADER_SIZE) return 0; 4343 if(rr_num >= (int)LDNS_ANCOUNT(rr_chunk->data)) return 0; 4344 if(rr_pos >= rr_chunk->len) return 0; 4345 4346 /* fetch rr information */ 4347 sldns_buffer_init_frm_data(&pkt, rr_chunk->data, rr_chunk->len); 4348 if(rr_pos == 0) { 4349 size_t i; 4350 /* skip question section */ 4351 sldns_buffer_set_position(&pkt, LDNS_HEADER_SIZE); 4352 for(i=0; i<LDNS_QDCOUNT(rr_chunk->data); i++) { 4353 if(pkt_dname_len(&pkt) == 0) return 0; 4354 if(sldns_buffer_remaining(&pkt) < 4) return 0; 4355 sldns_buffer_skip(&pkt, 4); /* type and class */ 4356 } 4357 } else { 4358 sldns_buffer_set_position(&pkt, rr_pos); 4359 } 4360 *rr_dname = sldns_buffer_current(&pkt); 4361 if(pkt_dname_len(&pkt) == 0) return 0; 4362 if(sldns_buffer_remaining(&pkt) < 10) return 0; 4363 *rr_type = sldns_buffer_read_u16(&pkt); 4364 *rr_class = sldns_buffer_read_u16(&pkt); 4365 *rr_ttl = sldns_buffer_read_u32(&pkt); 4366 *rr_rdlen = sldns_buffer_read_u16(&pkt); 4367 if(sldns_buffer_remaining(&pkt) < (*rr_rdlen)) return 0; 4368 *rr_rdata = sldns_buffer_current(&pkt); 4369 sldns_buffer_skip(&pkt, (ssize_t)(*rr_rdlen)); 4370 *rr_nextpos = sldns_buffer_position(&pkt); 4371 return 1; 4372 } 4373 4374 /** print log message where we are in parsing the zone transfer */ 4375 static void 4376 log_rrlist_position(const char* label, struct auth_chunk* rr_chunk, 4377 uint8_t* rr_dname, uint16_t rr_type, size_t rr_counter) 4378 { 4379 sldns_buffer pkt; 4380 size_t dlen; 4381 uint8_t buf[256]; 4382 char str[256]; 4383 char typestr[32]; 4384 sldns_buffer_init_frm_data(&pkt, rr_chunk->data, rr_chunk->len); 4385 sldns_buffer_set_position(&pkt, (size_t)(rr_dname - 4386 sldns_buffer_begin(&pkt))); 4387 if((dlen=pkt_dname_len(&pkt)) == 0) return; 4388 if(dlen >= sizeof(buf)) return; 4389 dname_pkt_copy(&pkt, buf, rr_dname); 4390 dname_str(buf, str); 4391 (void)sldns_wire2str_type_buf(rr_type, typestr, sizeof(typestr)); 4392 verbose(VERB_ALGO, "%s at[%d] %s %s", label, (int)rr_counter, 4393 str, typestr); 4394 } 4395 4396 /** check that start serial is OK for ixfr. we are at rr_counter == 0, 4397 * and we are going to check rr_counter == 1 (has to be type SOA) serial */ 4398 static int 4399 ixfr_start_serial(struct auth_chunk* rr_chunk, int rr_num, size_t rr_pos, 4400 uint8_t* rr_dname, uint16_t rr_type, uint16_t rr_class, 4401 uint32_t rr_ttl, uint16_t rr_rdlen, uint8_t* rr_rdata, 4402 size_t rr_nextpos, uint32_t transfer_serial, uint32_t xfr_serial) 4403 { 4404 uint32_t startserial; 4405 /* move forward on RR */ 4406 chunk_rrlist_gonext(&rr_chunk, &rr_num, &rr_pos, rr_nextpos); 4407 if(chunk_rrlist_end(rr_chunk, rr_num)) { 4408 /* no second SOA */ 4409 verbose(VERB_OPS, "IXFR has no second SOA record"); 4410 return 0; 4411 } 4412 if(!chunk_rrlist_get_current(rr_chunk, rr_num, rr_pos, 4413 &rr_dname, &rr_type, &rr_class, &rr_ttl, &rr_rdlen, 4414 &rr_rdata, &rr_nextpos)) { 4415 verbose(VERB_OPS, "IXFR cannot parse second SOA record"); 4416 /* failed to parse RR */ 4417 return 0; 4418 } 4419 if(rr_type != LDNS_RR_TYPE_SOA) { 4420 verbose(VERB_OPS, "IXFR second record is not type SOA"); 4421 return 0; 4422 } 4423 if(rr_rdlen < 22) { 4424 verbose(VERB_OPS, "IXFR, second SOA has short rdlength"); 4425 return 0; /* bad SOA rdlen */ 4426 } 4427 startserial = sldns_read_uint32(rr_rdata+rr_rdlen-20); 4428 if(startserial == transfer_serial) { 4429 /* empty AXFR, not an IXFR */ 4430 verbose(VERB_OPS, "IXFR second serial same as first"); 4431 return 0; 4432 } 4433 if(startserial != xfr_serial) { 4434 /* wrong start serial, it does not match the serial in 4435 * memory */ 4436 verbose(VERB_OPS, "IXFR is from serial %u to %u but %u " 4437 "in memory, rejecting the zone transfer", 4438 (unsigned)startserial, (unsigned)transfer_serial, 4439 (unsigned)xfr_serial); 4440 return 0; 4441 } 4442 /* everything OK in second SOA serial */ 4443 return 1; 4444 } 4445 4446 /** apply IXFR to zone in memory. z is locked. false on failure(mallocfail) */ 4447 static int 4448 apply_ixfr(struct auth_xfer* xfr, struct auth_zone* z, 4449 struct sldns_buffer* scratch_buffer) 4450 { 4451 struct auth_chunk* rr_chunk; 4452 int rr_num; 4453 size_t rr_pos; 4454 uint8_t* rr_dname, *rr_rdata; 4455 uint16_t rr_type, rr_class, rr_rdlen; 4456 uint32_t rr_ttl; 4457 size_t rr_nextpos; 4458 int have_transfer_serial = 0; 4459 uint32_t transfer_serial = 0; 4460 size_t rr_counter = 0; 4461 int delmode = 0; 4462 int softfail = 0; 4463 4464 /* start RR iterator over chunklist of packets */ 4465 chunk_rrlist_start(xfr, &rr_chunk, &rr_num, &rr_pos); 4466 while(!chunk_rrlist_end(rr_chunk, rr_num)) { 4467 if(!chunk_rrlist_get_current(rr_chunk, rr_num, rr_pos, 4468 &rr_dname, &rr_type, &rr_class, &rr_ttl, &rr_rdlen, 4469 &rr_rdata, &rr_nextpos)) { 4470 /* failed to parse RR */ 4471 return 0; 4472 } 4473 if(verbosity>=7) log_rrlist_position("apply ixfr", 4474 rr_chunk, rr_dname, rr_type, rr_counter); 4475 /* twiddle add/del mode and check for start and end */ 4476 if(rr_counter == 0 && rr_type != LDNS_RR_TYPE_SOA) 4477 return 0; 4478 if(rr_counter == 1 && rr_type != LDNS_RR_TYPE_SOA) { 4479 /* this is an AXFR returned from the IXFR master */ 4480 /* but that should already have been detected, by 4481 * on_ixfr_is_axfr */ 4482 return 0; 4483 } 4484 if(rr_type == LDNS_RR_TYPE_SOA) { 4485 uint32_t serial; 4486 if(rr_rdlen < 22) return 0; /* bad SOA rdlen */ 4487 serial = sldns_read_uint32(rr_rdata+rr_rdlen-20); 4488 if(have_transfer_serial == 0) { 4489 have_transfer_serial = 1; 4490 transfer_serial = serial; 4491 delmode = 1; /* gets negated below */ 4492 /* check second RR before going any further */ 4493 if(!ixfr_start_serial(rr_chunk, rr_num, rr_pos, 4494 rr_dname, rr_type, rr_class, rr_ttl, 4495 rr_rdlen, rr_rdata, rr_nextpos, 4496 transfer_serial, xfr->serial)) { 4497 return 0; 4498 } 4499 } else if(transfer_serial == serial) { 4500 have_transfer_serial++; 4501 if(rr_counter == 1) { 4502 /* empty AXFR, with SOA; SOA; */ 4503 /* should have been detected by 4504 * on_ixfr_is_axfr */ 4505 return 0; 4506 } 4507 if(have_transfer_serial == 3) { 4508 /* see serial three times for end */ 4509 /* eg. IXFR: 4510 * SOA 3 start 4511 * SOA 1 second RR, followed by del 4512 * SOA 2 followed by add 4513 * SOA 2 followed by del 4514 * SOA 3 followed by add 4515 * SOA 3 end */ 4516 /* ended by SOA record */ 4517 xfr->serial = transfer_serial; 4518 break; 4519 } 4520 } 4521 /* twiddle add/del mode */ 4522 /* switch from delete part to add part and back again 4523 * just before the soa, it gets deleted and added too 4524 * this means we switch to delete mode for the final 4525 * SOA(so skip that one) */ 4526 delmode = !delmode; 4527 } 4528 /* process this RR */ 4529 /* if the RR is deleted twice or added twice, then we 4530 * softfail, and continue with the rest of the IXFR, so 4531 * that we serve something fairly nice during the refetch */ 4532 if(verbosity>=7) log_rrlist_position((delmode?"del":"add"), 4533 rr_chunk, rr_dname, rr_type, rr_counter); 4534 if(delmode) { 4535 /* delete this RR */ 4536 int nonexist = 0; 4537 if(!az_remove_rr_decompress(z, rr_chunk->data, 4538 rr_chunk->len, scratch_buffer, rr_dname, 4539 rr_type, rr_class, rr_ttl, rr_rdata, rr_rdlen, 4540 &nonexist)) { 4541 /* failed, malloc error or so */ 4542 return 0; 4543 } 4544 if(nonexist) { 4545 /* it was removal of a nonexisting RR */ 4546 if(verbosity>=4) log_rrlist_position( 4547 "IXFR error nonexistent RR", 4548 rr_chunk, rr_dname, rr_type, rr_counter); 4549 softfail = 1; 4550 } 4551 } else if(rr_counter != 0) { 4552 /* skip first SOA RR for addition, it is added in 4553 * the addition part near the end of the ixfr, when 4554 * that serial is seen the second time. */ 4555 int duplicate = 0; 4556 /* add this RR */ 4557 if(!az_insert_rr_decompress(z, rr_chunk->data, 4558 rr_chunk->len, scratch_buffer, rr_dname, 4559 rr_type, rr_class, rr_ttl, rr_rdata, rr_rdlen, 4560 &duplicate)) { 4561 /* failed, malloc error or so */ 4562 return 0; 4563 } 4564 if(duplicate) { 4565 /* it was a duplicate */ 4566 if(verbosity>=4) log_rrlist_position( 4567 "IXFR error duplicate RR", 4568 rr_chunk, rr_dname, rr_type, rr_counter); 4569 softfail = 1; 4570 } 4571 } 4572 4573 rr_counter++; 4574 chunk_rrlist_gonext(&rr_chunk, &rr_num, &rr_pos, rr_nextpos); 4575 } 4576 if(softfail) { 4577 verbose(VERB_ALGO, "IXFR did not apply cleanly, fetching full zone"); 4578 return 0; 4579 } 4580 return 1; 4581 } 4582 4583 /** apply AXFR to zone in memory. z is locked. false on failure(mallocfail) */ 4584 static int 4585 apply_axfr(struct auth_xfer* xfr, struct auth_zone* z, 4586 struct sldns_buffer* scratch_buffer) 4587 { 4588 struct auth_chunk* rr_chunk; 4589 int rr_num; 4590 size_t rr_pos; 4591 uint8_t* rr_dname, *rr_rdata; 4592 uint16_t rr_type, rr_class, rr_rdlen; 4593 uint32_t rr_ttl; 4594 uint32_t serial = 0; 4595 size_t rr_nextpos; 4596 size_t rr_counter = 0; 4597 int have_end_soa = 0; 4598 4599 /* clear the data tree */ 4600 traverse_postorder(&z->data, auth_data_del, NULL); 4601 rbtree_init(&z->data, &auth_data_cmp); 4602 xfr->have_zone = 0; 4603 xfr->serial = 0; 4604 4605 /* insert all RRs in to the zone */ 4606 /* insert the SOA only once, skip the last one */ 4607 /* start RR iterator over chunklist of packets */ 4608 chunk_rrlist_start(xfr, &rr_chunk, &rr_num, &rr_pos); 4609 while(!chunk_rrlist_end(rr_chunk, rr_num)) { 4610 if(!chunk_rrlist_get_current(rr_chunk, rr_num, rr_pos, 4611 &rr_dname, &rr_type, &rr_class, &rr_ttl, &rr_rdlen, 4612 &rr_rdata, &rr_nextpos)) { 4613 /* failed to parse RR */ 4614 return 0; 4615 } 4616 if(verbosity>=7) log_rrlist_position("apply_axfr", 4617 rr_chunk, rr_dname, rr_type, rr_counter); 4618 if(rr_type == LDNS_RR_TYPE_SOA) { 4619 if(rr_counter != 0) { 4620 /* end of the axfr */ 4621 have_end_soa = 1; 4622 break; 4623 } 4624 if(rr_rdlen < 22) return 0; /* bad SOA rdlen */ 4625 serial = sldns_read_uint32(rr_rdata+rr_rdlen-20); 4626 } 4627 4628 /* add this RR */ 4629 if(!az_insert_rr_decompress(z, rr_chunk->data, rr_chunk->len, 4630 scratch_buffer, rr_dname, rr_type, rr_class, rr_ttl, 4631 rr_rdata, rr_rdlen, NULL)) { 4632 /* failed, malloc error or so */ 4633 return 0; 4634 } 4635 4636 rr_counter++; 4637 chunk_rrlist_gonext(&rr_chunk, &rr_num, &rr_pos, rr_nextpos); 4638 } 4639 if(!have_end_soa) { 4640 log_err("no end SOA record for AXFR"); 4641 return 0; 4642 } 4643 4644 xfr->serial = serial; 4645 xfr->have_zone = 1; 4646 return 1; 4647 } 4648 4649 /** apply HTTP to zone in memory. z is locked. false on failure(mallocfail) */ 4650 static int 4651 apply_http(struct auth_xfer* xfr, struct auth_zone* z, 4652 struct sldns_buffer* scratch_buffer) 4653 { 4654 /* parse data in chunks */ 4655 /* parse RR's and read into memory. ignore $INCLUDE from the 4656 * downloaded file*/ 4657 struct sldns_file_parse_state pstate; 4658 struct auth_chunk* chunk; 4659 size_t chunk_pos; 4660 memset(&pstate, 0, sizeof(pstate)); 4661 pstate.default_ttl = 3600; 4662 if(xfr->namelen < sizeof(pstate.origin)) { 4663 pstate.origin_len = xfr->namelen; 4664 memmove(pstate.origin, xfr->name, xfr->namelen); 4665 } 4666 4667 if(verbosity >= VERB_ALGO) 4668 verbose(VERB_ALGO, "http download %s of size %d", 4669 xfr->task_transfer->master->file, 4670 (int)chunklist_sum(xfr->task_transfer->chunks_first)); 4671 if(xfr->task_transfer->chunks_first && verbosity >= VERB_ALGO) { 4672 char preview[1024]; 4673 if(xfr->task_transfer->chunks_first->len+1 > sizeof(preview)) { 4674 memmove(preview, xfr->task_transfer->chunks_first->data, 4675 sizeof(preview)-1); 4676 preview[sizeof(preview)-1]=0; 4677 } else { 4678 memmove(preview, xfr->task_transfer->chunks_first->data, 4679 xfr->task_transfer->chunks_first->len); 4680 preview[xfr->task_transfer->chunks_first->len]=0; 4681 } 4682 log_info("auth zone http downloaded content preview: %s", 4683 preview); 4684 } 4685 4686 /* perhaps a little syntax check before we try to apply the data? */ 4687 if(!http_zonefile_syntax_check(xfr, scratch_buffer)) { 4688 log_err("http download %s/%s does not contain a zonefile, " 4689 "but got '%s'", xfr->task_transfer->master->host, 4690 xfr->task_transfer->master->file, 4691 sldns_buffer_begin(scratch_buffer)); 4692 return 0; 4693 } 4694 4695 /* clear the data tree */ 4696 traverse_postorder(&z->data, auth_data_del, NULL); 4697 rbtree_init(&z->data, &auth_data_cmp); 4698 xfr->have_zone = 0; 4699 xfr->serial = 0; 4700 4701 chunk = xfr->task_transfer->chunks_first; 4702 chunk_pos = 0; 4703 pstate.lineno = 0; 4704 while(chunkline_get_line_collated(&chunk, &chunk_pos, scratch_buffer)) { 4705 /* process this line */ 4706 pstate.lineno++; 4707 chunkline_newline_removal(scratch_buffer); 4708 if(chunkline_is_comment_line_or_empty(scratch_buffer)) { 4709 continue; 4710 } 4711 /* parse line and add RR */ 4712 if(http_parse_origin(scratch_buffer, &pstate)) { 4713 continue; /* $ORIGIN has been handled */ 4714 } 4715 if(http_parse_ttl(scratch_buffer, &pstate)) { 4716 continue; /* $TTL has been handled */ 4717 } 4718 if(!http_parse_add_rr(xfr, z, scratch_buffer, &pstate)) { 4719 verbose(VERB_ALGO, "error parsing line [%s:%d] %s", 4720 xfr->task_transfer->master->file, 4721 pstate.lineno, 4722 sldns_buffer_begin(scratch_buffer)); 4723 return 0; 4724 } 4725 } 4726 return 1; 4727 } 4728 4729 /** write http chunks to zonefile to create downloaded file */ 4730 static int 4731 auth_zone_write_chunks(struct auth_xfer* xfr, const char* fname) 4732 { 4733 FILE* out; 4734 struct auth_chunk* p; 4735 out = fopen(fname, "w"); 4736 if(!out) { 4737 log_err("could not open %s: %s", fname, strerror(errno)); 4738 return 0; 4739 } 4740 for(p = xfr->task_transfer->chunks_first; p ; p = p->next) { 4741 if(!write_out(out, (char*)p->data, p->len)) { 4742 log_err("could not write http download to %s", fname); 4743 fclose(out); 4744 return 0; 4745 } 4746 } 4747 fclose(out); 4748 return 1; 4749 } 4750 4751 /** write to zonefile after zone has been updated */ 4752 static void 4753 xfr_write_after_update(struct auth_xfer* xfr, struct module_env* env) 4754 { 4755 struct auth_zone* z; 4756 char tmpfile[1024]; 4757 lock_basic_unlock(&xfr->lock); 4758 4759 /* get lock again, so it is a readlock and concurrently queries 4760 * can be answered */ 4761 lock_rw_rdlock(&env->auth_zones->lock); 4762 z = auth_zone_find(env->auth_zones, xfr->name, xfr->namelen, 4763 xfr->dclass); 4764 if(!z) { 4765 lock_rw_unlock(&env->auth_zones->lock); 4766 /* the zone is gone, ignore xfr results */ 4767 lock_basic_lock(&xfr->lock); 4768 return; 4769 } 4770 lock_rw_rdlock(&z->lock); 4771 lock_basic_lock(&xfr->lock); 4772 lock_rw_unlock(&env->auth_zones->lock); 4773 4774 if(z->zonefile == NULL) { 4775 lock_rw_unlock(&z->lock); 4776 /* no write needed, no zonefile set */ 4777 return; 4778 } 4779 4780 /* write to tempfile first */ 4781 if((size_t)strlen(z->zonefile) + 16 > sizeof(tmpfile)) { 4782 verbose(VERB_ALGO, "tmpfilename too long, cannot update " 4783 " zonefile %s", z->zonefile); 4784 lock_rw_unlock(&z->lock); 4785 return; 4786 } 4787 snprintf(tmpfile, sizeof(tmpfile), "%s.tmp%u", z->zonefile, 4788 (unsigned)getpid()); 4789 if(xfr->task_transfer->master->http) { 4790 /* use the stored chunk list to write them */ 4791 if(!auth_zone_write_chunks(xfr, tmpfile)) { 4792 unlink(tmpfile); 4793 lock_rw_unlock(&z->lock); 4794 } 4795 } else if(!auth_zone_write_file(z, tmpfile)) { 4796 unlink(tmpfile); 4797 lock_rw_unlock(&z->lock); 4798 return; 4799 } 4800 if(rename(tmpfile, z->zonefile) < 0) { 4801 log_err("could not rename(%s, %s): %s", tmpfile, z->zonefile, 4802 strerror(errno)); 4803 unlink(tmpfile); 4804 lock_rw_unlock(&z->lock); 4805 return; 4806 } 4807 lock_rw_unlock(&z->lock); 4808 } 4809 4810 /** process chunk list and update zone in memory, 4811 * return false if it did not work */ 4812 static int 4813 xfr_process_chunk_list(struct auth_xfer* xfr, struct module_env* env, 4814 int* ixfr_fail) 4815 { 4816 struct auth_zone* z; 4817 4818 /* obtain locks and structures */ 4819 /* release xfr lock, then, while holding az->lock grab both 4820 * z->lock and xfr->lock */ 4821 lock_basic_unlock(&xfr->lock); 4822 lock_rw_rdlock(&env->auth_zones->lock); 4823 z = auth_zone_find(env->auth_zones, xfr->name, xfr->namelen, 4824 xfr->dclass); 4825 if(!z) { 4826 lock_rw_unlock(&env->auth_zones->lock); 4827 /* the zone is gone, ignore xfr results */ 4828 lock_basic_lock(&xfr->lock); 4829 return 0; 4830 } 4831 lock_rw_wrlock(&z->lock); 4832 lock_basic_lock(&xfr->lock); 4833 lock_rw_unlock(&env->auth_zones->lock); 4834 4835 /* apply data */ 4836 if(xfr->task_transfer->master->http) { 4837 if(!apply_http(xfr, z, env->scratch_buffer)) { 4838 lock_rw_unlock(&z->lock); 4839 verbose(VERB_ALGO, "http from %s: could not store data", 4840 xfr->task_transfer->master->host); 4841 return 0; 4842 } 4843 } else if(xfr->task_transfer->on_ixfr && 4844 !xfr->task_transfer->on_ixfr_is_axfr) { 4845 if(!apply_ixfr(xfr, z, env->scratch_buffer)) { 4846 lock_rw_unlock(&z->lock); 4847 verbose(VERB_ALGO, "xfr from %s: could not store IXFR" 4848 " data", xfr->task_transfer->master->host); 4849 *ixfr_fail = 1; 4850 return 0; 4851 } 4852 } else { 4853 if(!apply_axfr(xfr, z, env->scratch_buffer)) { 4854 lock_rw_unlock(&z->lock); 4855 verbose(VERB_ALGO, "xfr from %s: could not store AXFR" 4856 " data", xfr->task_transfer->master->host); 4857 return 0; 4858 } 4859 } 4860 xfr->zone_expired = 0; 4861 z->zone_expired = 0; 4862 if(!xfr_find_soa(z, xfr)) { 4863 lock_rw_unlock(&z->lock); 4864 verbose(VERB_ALGO, "xfr from %s: no SOA in zone after update" 4865 " (or malformed RR)", xfr->task_transfer->master->host); 4866 return 0; 4867 } 4868 if(xfr->have_zone) 4869 xfr->lease_time = *env->now; 4870 4871 /* unlock */ 4872 lock_rw_unlock(&z->lock); 4873 4874 if(verbosity >= VERB_QUERY && xfr->have_zone) { 4875 char zname[256]; 4876 dname_str(xfr->name, zname); 4877 verbose(VERB_QUERY, "auth zone %s updated to serial %u", zname, 4878 (unsigned)xfr->serial); 4879 } 4880 /* see if we need to write to a zonefile */ 4881 xfr_write_after_update(xfr, env); 4882 return 1; 4883 } 4884 4885 /** disown task_transfer. caller must hold xfr.lock */ 4886 static void 4887 xfr_transfer_disown(struct auth_xfer* xfr) 4888 { 4889 /* remove the commpoint */ 4890 comm_point_delete(xfr->task_transfer->cp); 4891 xfr->task_transfer->cp = NULL; 4892 /* we don't own this item anymore */ 4893 xfr->task_transfer->worker = NULL; 4894 xfr->task_transfer->env = NULL; 4895 } 4896 4897 /** lookup a host name for its addresses, if needed */ 4898 static int 4899 xfr_transfer_lookup_host(struct auth_xfer* xfr, struct module_env* env) 4900 { 4901 struct sockaddr_storage addr; 4902 socklen_t addrlen = 0; 4903 struct auth_master* master = xfr->task_transfer->lookup_target; 4904 struct query_info qinfo; 4905 uint16_t qflags = BIT_RD; 4906 uint8_t dname[LDNS_MAX_DOMAINLEN+1]; 4907 struct edns_data edns; 4908 sldns_buffer* buf = env->scratch_buffer; 4909 if(!master) return 0; 4910 if(extstrtoaddr(master->host, &addr, &addrlen)) { 4911 /* not needed, host is in IP addr format */ 4912 return 0; 4913 } 4914 if(master->allow_notify) 4915 return 0; /* allow-notifies are not transferred from, no 4916 lookup is needed */ 4917 4918 /* use mesh_new_callback to probe for non-addr hosts, 4919 * and then wait for them to be looked up (in cache, or query) */ 4920 qinfo.qname_len = sizeof(dname); 4921 if(sldns_str2wire_dname_buf(master->host, dname, &qinfo.qname_len) 4922 != 0) { 4923 log_err("cannot parse host name of master %s", master->host); 4924 return 0; 4925 } 4926 qinfo.qname = dname; 4927 qinfo.qclass = xfr->dclass; 4928 qinfo.qtype = LDNS_RR_TYPE_A; 4929 if(xfr->task_transfer->lookup_aaaa) 4930 qinfo.qtype = LDNS_RR_TYPE_AAAA; 4931 qinfo.local_alias = NULL; 4932 if(verbosity >= VERB_ALGO) { 4933 char buf[512]; 4934 char buf2[LDNS_MAX_DOMAINLEN+1]; 4935 dname_str(xfr->name, buf2); 4936 snprintf(buf, sizeof(buf), "auth zone %s: master lookup" 4937 " for task_transfer", buf2); 4938 log_query_info(VERB_ALGO, buf, &qinfo); 4939 } 4940 edns.edns_present = 1; 4941 edns.ext_rcode = 0; 4942 edns.edns_version = 0; 4943 edns.bits = EDNS_DO; 4944 edns.opt_list = NULL; 4945 if(sldns_buffer_capacity(buf) < 65535) 4946 edns.udp_size = (uint16_t)sldns_buffer_capacity(buf); 4947 else edns.udp_size = 65535; 4948 4949 /* unlock xfr during mesh_new_callback() because the callback can be 4950 * called straight away */ 4951 lock_basic_unlock(&xfr->lock); 4952 if(!mesh_new_callback(env->mesh, &qinfo, qflags, &edns, buf, 0, 4953 &auth_xfer_transfer_lookup_callback, xfr)) { 4954 lock_basic_lock(&xfr->lock); 4955 log_err("out of memory lookup up master %s", master->host); 4956 return 0; 4957 } 4958 lock_basic_lock(&xfr->lock); 4959 return 1; 4960 } 4961 4962 /** initiate TCP to the target and fetch zone. 4963 * returns true if that was successfully started, and timeout setup. */ 4964 static int 4965 xfr_transfer_init_fetch(struct auth_xfer* xfr, struct module_env* env) 4966 { 4967 struct sockaddr_storage addr; 4968 socklen_t addrlen = 0; 4969 struct auth_master* master = xfr->task_transfer->master; 4970 if(!master) return 0; 4971 if(master->allow_notify) return 0; /* only for notify */ 4972 4973 /* get master addr */ 4974 if(xfr->task_transfer->scan_addr) { 4975 addrlen = xfr->task_transfer->scan_addr->addrlen; 4976 memmove(&addr, &xfr->task_transfer->scan_addr->addr, addrlen); 4977 } else { 4978 if(!extstrtoaddr(master->host, &addr, &addrlen)) { 4979 /* the ones that are not in addr format are supposed 4980 * to be looked up. The lookup has failed however, 4981 * so skip them */ 4982 char zname[255+1]; 4983 dname_str(xfr->name, zname); 4984 log_err("%s: failed lookup, cannot transfer from master %s", 4985 zname, master->host); 4986 return 0; 4987 } 4988 } 4989 4990 /* remove previous TCP connection (if any) */ 4991 if(xfr->task_transfer->cp) { 4992 comm_point_delete(xfr->task_transfer->cp); 4993 xfr->task_transfer->cp = NULL; 4994 } 4995 4996 if(master->http) { 4997 /* perform http fetch */ 4998 /* store http port number into sockaddr, 4999 * unless someone used unbound's host@port notation */ 5000 if(strchr(master->host, '@') == NULL) 5001 sockaddr_store_port(&addr, addrlen, master->port); 5002 xfr->task_transfer->cp = outnet_comm_point_for_http( 5003 env->outnet, auth_xfer_transfer_http_callback, xfr, 5004 &addr, addrlen, AUTH_TRANSFER_TIMEOUT, master->ssl, 5005 master->host, master->file); 5006 if(!xfr->task_transfer->cp) { 5007 char zname[255+1]; 5008 dname_str(xfr->name, zname); 5009 verbose(VERB_ALGO, "cannot create http cp " 5010 "connection for %s to %s", zname, 5011 master->host); 5012 return 0; 5013 } 5014 return 1; 5015 } 5016 5017 /* perform AXFR/IXFR */ 5018 /* set the packet to be written */ 5019 /* create new ID */ 5020 xfr->task_transfer->id = (uint16_t)(ub_random(env->rnd)&0xffff); 5021 xfr_create_ixfr_packet(xfr, env->scratch_buffer, 5022 xfr->task_transfer->id, master); 5023 5024 /* connect on fd */ 5025 xfr->task_transfer->cp = outnet_comm_point_for_tcp(env->outnet, 5026 auth_xfer_transfer_tcp_callback, xfr, &addr, addrlen, 5027 env->scratch_buffer, AUTH_TRANSFER_TIMEOUT); 5028 if(!xfr->task_transfer->cp) { 5029 char zname[255+1]; 5030 dname_str(xfr->name, zname); 5031 verbose(VERB_ALGO, "cannot create tcp cp connection for " 5032 "xfr %s to %s", zname, master->host); 5033 return 0; 5034 } 5035 return 1; 5036 } 5037 5038 /** perform next lookup, next transfer TCP, or end and resume wait time task */ 5039 static void 5040 xfr_transfer_nexttarget_or_end(struct auth_xfer* xfr, struct module_env* env) 5041 { 5042 log_assert(xfr->task_transfer->worker == env->worker); 5043 5044 /* are we performing lookups? */ 5045 while(xfr->task_transfer->lookup_target) { 5046 if(xfr_transfer_lookup_host(xfr, env)) { 5047 /* wait for lookup to finish, 5048 * note that the hostname may be in unbound's cache 5049 * and we may then get an instant cache response, 5050 * and that calls the callback just like a full 5051 * lookup and lookup failures also call callback */ 5052 lock_basic_unlock(&xfr->lock); 5053 return; 5054 } 5055 xfr_transfer_move_to_next_lookup(xfr, env); 5056 } 5057 5058 /* initiate TCP and fetch the zone from the master */ 5059 /* and set timeout on it */ 5060 while(!xfr_transfer_end_of_list(xfr)) { 5061 xfr->task_transfer->master = xfr_transfer_current_master(xfr); 5062 if(xfr_transfer_init_fetch(xfr, env)) { 5063 /* successfully started, wait for callback */ 5064 lock_basic_unlock(&xfr->lock); 5065 return; 5066 } 5067 /* failed to fetch, next master */ 5068 xfr_transfer_nextmaster(xfr); 5069 } 5070 5071 /* we failed to fetch the zone, move to wait task 5072 * use the shorter retry timeout */ 5073 xfr_transfer_disown(xfr); 5074 5075 /* pick up the nextprobe task and wait */ 5076 xfr_set_timeout(xfr, env, 1, 0); 5077 lock_basic_unlock(&xfr->lock); 5078 } 5079 5080 /** add addrs from A or AAAA rrset to the master */ 5081 static void 5082 xfr_master_add_addrs(struct auth_master* m, struct ub_packed_rrset_key* rrset, 5083 uint16_t rrtype) 5084 { 5085 size_t i; 5086 struct packed_rrset_data* data; 5087 if(!m || !rrset) return; 5088 if(rrtype != LDNS_RR_TYPE_A && rrtype != LDNS_RR_TYPE_AAAA) 5089 return; 5090 data = (struct packed_rrset_data*)rrset->entry.data; 5091 for(i=0; i<data->count; i++) { 5092 struct auth_addr* a; 5093 size_t len = data->rr_len[i] - 2; 5094 uint8_t* rdata = data->rr_data[i]+2; 5095 if(rrtype == LDNS_RR_TYPE_A && len != INET_SIZE) 5096 continue; /* wrong length for A */ 5097 if(rrtype == LDNS_RR_TYPE_AAAA && len != INET6_SIZE) 5098 continue; /* wrong length for AAAA */ 5099 5100 /* add and alloc it */ 5101 a = (struct auth_addr*)calloc(1, sizeof(*a)); 5102 if(!a) { 5103 log_err("out of memory"); 5104 return; 5105 } 5106 if(rrtype == LDNS_RR_TYPE_A) { 5107 struct sockaddr_in* sa; 5108 a->addrlen = (socklen_t)sizeof(*sa); 5109 sa = (struct sockaddr_in*)&a->addr; 5110 sa->sin_family = AF_INET; 5111 sa->sin_port = (in_port_t)htons(UNBOUND_DNS_PORT); 5112 memmove(&sa->sin_addr, rdata, INET_SIZE); 5113 } else { 5114 struct sockaddr_in6* sa; 5115 a->addrlen = (socklen_t)sizeof(*sa); 5116 sa = (struct sockaddr_in6*)&a->addr; 5117 sa->sin6_family = AF_INET6; 5118 sa->sin6_port = (in_port_t)htons(UNBOUND_DNS_PORT); 5119 memmove(&sa->sin6_addr, rdata, INET6_SIZE); 5120 } 5121 if(verbosity >= VERB_ALGO) { 5122 char s[64]; 5123 addr_to_str(&a->addr, a->addrlen, s, sizeof(s)); 5124 verbose(VERB_ALGO, "auth host %s lookup %s", 5125 m->host, s); 5126 } 5127 /* append to list */ 5128 a->next = m->list; 5129 m->list = a; 5130 } 5131 } 5132 5133 /** callback for task_transfer lookup of host name, of A or AAAA */ 5134 void auth_xfer_transfer_lookup_callback(void* arg, int rcode, sldns_buffer* buf, 5135 enum sec_status ATTR_UNUSED(sec), char* ATTR_UNUSED(why_bogus)) 5136 { 5137 struct auth_xfer* xfr = (struct auth_xfer*)arg; 5138 struct module_env* env; 5139 log_assert(xfr->task_transfer); 5140 lock_basic_lock(&xfr->lock); 5141 env = xfr->task_transfer->env; 5142 if(env->outnet->want_to_quit) { 5143 lock_basic_unlock(&xfr->lock); 5144 return; /* stop on quit */ 5145 } 5146 5147 /* process result */ 5148 if(rcode == LDNS_RCODE_NOERROR) { 5149 uint16_t wanted_qtype = LDNS_RR_TYPE_A; 5150 struct regional* temp = env->scratch; 5151 struct query_info rq; 5152 struct reply_info* rep; 5153 if(xfr->task_transfer->lookup_aaaa) 5154 wanted_qtype = LDNS_RR_TYPE_AAAA; 5155 memset(&rq, 0, sizeof(rq)); 5156 rep = parse_reply_in_temp_region(buf, temp, &rq); 5157 if(rep && rq.qtype == wanted_qtype && 5158 FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NOERROR) { 5159 /* parsed successfully */ 5160 struct ub_packed_rrset_key* answer = 5161 reply_find_answer_rrset(&rq, rep); 5162 if(answer) { 5163 xfr_master_add_addrs(xfr->task_transfer-> 5164 lookup_target, answer, wanted_qtype); 5165 } 5166 } 5167 } 5168 if(xfr->task_transfer->lookup_target->list && 5169 xfr->task_transfer->lookup_target == xfr_transfer_current_master(xfr)) 5170 xfr->task_transfer->scan_addr = xfr->task_transfer->lookup_target->list; 5171 5172 /* move to lookup AAAA after A lookup, move to next hostname lookup, 5173 * or move to fetch the zone, or, if nothing to do, end task_transfer */ 5174 xfr_transfer_move_to_next_lookup(xfr, env); 5175 xfr_transfer_nexttarget_or_end(xfr, env); 5176 } 5177 5178 /** check if xfer (AXFR or IXFR) packet is OK. 5179 * return false if we lost connection (SERVFAIL, or unreadable). 5180 * return false if we need to move from IXFR to AXFR, with gonextonfail 5181 * set to false, so the same master is tried again, but with AXFR. 5182 * return true if fine to link into data. 5183 * return true with transferdone=true when the transfer has ended. 5184 */ 5185 static int 5186 check_xfer_packet(sldns_buffer* pkt, struct auth_xfer* xfr, 5187 int* gonextonfail, int* transferdone) 5188 { 5189 uint8_t* wire = sldns_buffer_begin(pkt); 5190 int i; 5191 if(sldns_buffer_limit(pkt) < LDNS_HEADER_SIZE) { 5192 verbose(VERB_ALGO, "xfr to %s failed, packet too small", 5193 xfr->task_transfer->master->host); 5194 return 0; 5195 } 5196 if(!LDNS_QR_WIRE(wire)) { 5197 verbose(VERB_ALGO, "xfr to %s failed, packet has no QR flag", 5198 xfr->task_transfer->master->host); 5199 return 0; 5200 } 5201 if(LDNS_TC_WIRE(wire)) { 5202 verbose(VERB_ALGO, "xfr to %s failed, packet has TC flag", 5203 xfr->task_transfer->master->host); 5204 return 0; 5205 } 5206 /* check ID */ 5207 if(LDNS_ID_WIRE(wire) != xfr->task_transfer->id) { 5208 verbose(VERB_ALGO, "xfr to %s failed, packet wrong ID", 5209 xfr->task_transfer->master->host); 5210 return 0; 5211 } 5212 if(LDNS_RCODE_WIRE(wire) != LDNS_RCODE_NOERROR) { 5213 char rcode[32]; 5214 sldns_wire2str_rcode_buf((int)LDNS_RCODE_WIRE(wire), rcode, 5215 sizeof(rcode)); 5216 /* if we are doing IXFR, check for fallback */ 5217 if(xfr->task_transfer->on_ixfr) { 5218 if(LDNS_RCODE_WIRE(wire) == LDNS_RCODE_NOTIMPL || 5219 LDNS_RCODE_WIRE(wire) == LDNS_RCODE_SERVFAIL || 5220 LDNS_RCODE_WIRE(wire) == LDNS_RCODE_REFUSED || 5221 LDNS_RCODE_WIRE(wire) == LDNS_RCODE_FORMERR) { 5222 verbose(VERB_ALGO, "xfr to %s, fallback " 5223 "from IXFR to AXFR (with rcode %s)", 5224 xfr->task_transfer->master->host, 5225 rcode); 5226 xfr->task_transfer->ixfr_fail = 1; 5227 *gonextonfail = 0; 5228 return 0; 5229 } 5230 } 5231 verbose(VERB_ALGO, "xfr to %s failed, packet with rcode %s", 5232 xfr->task_transfer->master->host, rcode); 5233 return 0; 5234 } 5235 if(LDNS_OPCODE_WIRE(wire) != LDNS_PACKET_QUERY) { 5236 verbose(VERB_ALGO, "xfr to %s failed, packet with bad opcode", 5237 xfr->task_transfer->master->host); 5238 return 0; 5239 } 5240 if(LDNS_QDCOUNT(wire) > 1) { 5241 verbose(VERB_ALGO, "xfr to %s failed, packet has qdcount %d", 5242 xfr->task_transfer->master->host, 5243 (int)LDNS_QDCOUNT(wire)); 5244 return 0; 5245 } 5246 5247 /* check qname */ 5248 sldns_buffer_set_position(pkt, LDNS_HEADER_SIZE); 5249 for(i=0; i<(int)LDNS_QDCOUNT(wire); i++) { 5250 size_t pos = sldns_buffer_position(pkt); 5251 uint16_t qtype, qclass; 5252 if(pkt_dname_len(pkt) == 0) { 5253 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5254 "malformed dname", 5255 xfr->task_transfer->master->host); 5256 return 0; 5257 } 5258 if(dname_pkt_compare(pkt, sldns_buffer_at(pkt, pos), 5259 xfr->name) != 0) { 5260 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5261 "wrong qname", 5262 xfr->task_transfer->master->host); 5263 return 0; 5264 } 5265 if(sldns_buffer_remaining(pkt) < 4) { 5266 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5267 "truncated query RR", 5268 xfr->task_transfer->master->host); 5269 return 0; 5270 } 5271 qtype = sldns_buffer_read_u16(pkt); 5272 qclass = sldns_buffer_read_u16(pkt); 5273 if(qclass != xfr->dclass) { 5274 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5275 "wrong qclass", 5276 xfr->task_transfer->master->host); 5277 return 0; 5278 } 5279 if(xfr->task_transfer->on_ixfr) { 5280 if(qtype != LDNS_RR_TYPE_IXFR) { 5281 verbose(VERB_ALGO, "xfr to %s failed, packet " 5282 "with wrong qtype, expected IXFR", 5283 xfr->task_transfer->master->host); 5284 return 0; 5285 } 5286 } else { 5287 if(qtype != LDNS_RR_TYPE_AXFR) { 5288 verbose(VERB_ALGO, "xfr to %s failed, packet " 5289 "with wrong qtype, expected AXFR", 5290 xfr->task_transfer->master->host); 5291 return 0; 5292 } 5293 } 5294 } 5295 5296 /* check parse of RRs in packet, store first SOA serial 5297 * to be able to detect last SOA (with that serial) to see if done */ 5298 /* also check for IXFR 'zone up to date' reply */ 5299 for(i=0; i<(int)LDNS_ANCOUNT(wire); i++) { 5300 size_t pos = sldns_buffer_position(pkt); 5301 uint16_t tp, rdlen; 5302 if(pkt_dname_len(pkt) == 0) { 5303 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5304 "malformed dname in answer section", 5305 xfr->task_transfer->master->host); 5306 return 0; 5307 } 5308 if(sldns_buffer_remaining(pkt) < 10) { 5309 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5310 "truncated RR", 5311 xfr->task_transfer->master->host); 5312 return 0; 5313 } 5314 tp = sldns_buffer_read_u16(pkt); 5315 (void)sldns_buffer_read_u16(pkt); /* class */ 5316 (void)sldns_buffer_read_u32(pkt); /* ttl */ 5317 rdlen = sldns_buffer_read_u16(pkt); 5318 if(sldns_buffer_remaining(pkt) < rdlen) { 5319 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5320 "truncated RR rdata", 5321 xfr->task_transfer->master->host); 5322 return 0; 5323 } 5324 5325 /* RR parses (haven't checked rdata itself), now look at 5326 * SOA records to see serial number */ 5327 if(xfr->task_transfer->rr_scan_num == 0 && 5328 tp != LDNS_RR_TYPE_SOA) { 5329 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5330 "malformed zone transfer, no start SOA", 5331 xfr->task_transfer->master->host); 5332 return 0; 5333 } 5334 if(xfr->task_transfer->rr_scan_num == 1 && 5335 tp != LDNS_RR_TYPE_SOA) { 5336 /* second RR is not a SOA record, this is not an IXFR 5337 * the master is replying with an AXFR */ 5338 xfr->task_transfer->on_ixfr_is_axfr = 1; 5339 } 5340 if(tp == LDNS_RR_TYPE_SOA) { 5341 uint32_t serial; 5342 if(rdlen < 22) { 5343 verbose(VERB_ALGO, "xfr to %s failed, packet " 5344 "with SOA with malformed rdata", 5345 xfr->task_transfer->master->host); 5346 return 0; 5347 } 5348 if(dname_pkt_compare(pkt, sldns_buffer_at(pkt, pos), 5349 xfr->name) != 0) { 5350 verbose(VERB_ALGO, "xfr to %s failed, packet " 5351 "with SOA with wrong dname", 5352 xfr->task_transfer->master->host); 5353 return 0; 5354 } 5355 5356 /* read serial number of SOA */ 5357 serial = sldns_buffer_read_u32_at(pkt, 5358 sldns_buffer_position(pkt)+rdlen-20); 5359 5360 /* check for IXFR 'zone has SOA x' reply */ 5361 if(xfr->task_transfer->on_ixfr && 5362 xfr->task_transfer->rr_scan_num == 0 && 5363 LDNS_ANCOUNT(wire)==1) { 5364 verbose(VERB_ALGO, "xfr to %s ended, " 5365 "IXFR reply that zone has serial %u", 5366 xfr->task_transfer->master->host, 5367 (unsigned)serial); 5368 return 0; 5369 } 5370 5371 /* if first SOA, store serial number */ 5372 if(xfr->task_transfer->got_xfr_serial == 0) { 5373 xfr->task_transfer->got_xfr_serial = 1; 5374 xfr->task_transfer->incoming_xfr_serial = 5375 serial; 5376 verbose(VERB_ALGO, "xfr %s: contains " 5377 "SOA serial %u", 5378 xfr->task_transfer->master->host, 5379 (unsigned)serial); 5380 /* see if end of AXFR */ 5381 } else if(!xfr->task_transfer->on_ixfr || 5382 xfr->task_transfer->on_ixfr_is_axfr) { 5383 /* second SOA with serial is the end 5384 * for AXFR */ 5385 *transferdone = 1; 5386 verbose(VERB_ALGO, "xfr %s: last AXFR packet", 5387 xfr->task_transfer->master->host); 5388 /* for IXFR, count SOA records with that serial */ 5389 } else if(xfr->task_transfer->incoming_xfr_serial == 5390 serial && xfr->task_transfer->got_xfr_serial 5391 == 1) { 5392 xfr->task_transfer->got_xfr_serial++; 5393 /* if not first soa, if serial==firstserial, the 5394 * third time we are at the end, for IXFR */ 5395 } else if(xfr->task_transfer->incoming_xfr_serial == 5396 serial && xfr->task_transfer->got_xfr_serial 5397 == 2) { 5398 verbose(VERB_ALGO, "xfr %s: last IXFR packet", 5399 xfr->task_transfer->master->host); 5400 *transferdone = 1; 5401 /* continue parse check, if that succeeds, 5402 * transfer is done */ 5403 } 5404 } 5405 xfr->task_transfer->rr_scan_num++; 5406 5407 /* skip over RR rdata to go to the next RR */ 5408 sldns_buffer_skip(pkt, (ssize_t)rdlen); 5409 } 5410 5411 /* check authority section */ 5412 /* we skip over the RRs checking packet format */ 5413 for(i=0; i<(int)LDNS_NSCOUNT(wire); i++) { 5414 uint16_t rdlen; 5415 if(pkt_dname_len(pkt) == 0) { 5416 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5417 "malformed dname in authority section", 5418 xfr->task_transfer->master->host); 5419 return 0; 5420 } 5421 if(sldns_buffer_remaining(pkt) < 10) { 5422 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5423 "truncated RR", 5424 xfr->task_transfer->master->host); 5425 return 0; 5426 } 5427 (void)sldns_buffer_read_u16(pkt); /* type */ 5428 (void)sldns_buffer_read_u16(pkt); /* class */ 5429 (void)sldns_buffer_read_u32(pkt); /* ttl */ 5430 rdlen = sldns_buffer_read_u16(pkt); 5431 if(sldns_buffer_remaining(pkt) < rdlen) { 5432 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5433 "truncated RR rdata", 5434 xfr->task_transfer->master->host); 5435 return 0; 5436 } 5437 /* skip over RR rdata to go to the next RR */ 5438 sldns_buffer_skip(pkt, (ssize_t)rdlen); 5439 } 5440 5441 /* check additional section */ 5442 for(i=0; i<(int)LDNS_ARCOUNT(wire); i++) { 5443 uint16_t rdlen; 5444 if(pkt_dname_len(pkt) == 0) { 5445 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5446 "malformed dname in additional section", 5447 xfr->task_transfer->master->host); 5448 return 0; 5449 } 5450 if(sldns_buffer_remaining(pkt) < 10) { 5451 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5452 "truncated RR", 5453 xfr->task_transfer->master->host); 5454 return 0; 5455 } 5456 (void)sldns_buffer_read_u16(pkt); /* type */ 5457 (void)sldns_buffer_read_u16(pkt); /* class */ 5458 (void)sldns_buffer_read_u32(pkt); /* ttl */ 5459 rdlen = sldns_buffer_read_u16(pkt); 5460 if(sldns_buffer_remaining(pkt) < rdlen) { 5461 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5462 "truncated RR rdata", 5463 xfr->task_transfer->master->host); 5464 return 0; 5465 } 5466 /* skip over RR rdata to go to the next RR */ 5467 sldns_buffer_skip(pkt, (ssize_t)rdlen); 5468 } 5469 5470 return 1; 5471 } 5472 5473 /** Link the data from this packet into the worklist of transferred data */ 5474 static int 5475 xfer_link_data(sldns_buffer* pkt, struct auth_xfer* xfr) 5476 { 5477 /* alloc it */ 5478 struct auth_chunk* e; 5479 e = (struct auth_chunk*)calloc(1, sizeof(*e)); 5480 if(!e) return 0; 5481 e->next = NULL; 5482 e->len = sldns_buffer_limit(pkt); 5483 e->data = memdup(sldns_buffer_begin(pkt), e->len); 5484 if(!e->data) { 5485 free(e); 5486 return 0; 5487 } 5488 5489 /* alloc succeeded, link into list */ 5490 if(!xfr->task_transfer->chunks_first) 5491 xfr->task_transfer->chunks_first = e; 5492 if(xfr->task_transfer->chunks_last) 5493 xfr->task_transfer->chunks_last->next = e; 5494 xfr->task_transfer->chunks_last = e; 5495 return 1; 5496 } 5497 5498 /** task transfer. the list of data is complete. process it and if failed 5499 * move to next master, if succeeded, end the task transfer */ 5500 static void 5501 process_list_end_transfer(struct auth_xfer* xfr, struct module_env* env) 5502 { 5503 int ixfr_fail = 0; 5504 if(xfr_process_chunk_list(xfr, env, &ixfr_fail)) { 5505 /* it worked! */ 5506 auth_chunks_delete(xfr->task_transfer); 5507 5508 /* we fetched the zone, move to wait task */ 5509 xfr_transfer_disown(xfr); 5510 5511 if(xfr->notify_received && (!xfr->notify_has_serial || 5512 (xfr->notify_has_serial && 5513 xfr_serial_means_update(xfr, xfr->notify_serial)))) { 5514 uint32_t sr = xfr->notify_serial; 5515 int has_sr = xfr->notify_has_serial; 5516 /* we received a notify while probe/transfer was 5517 * in progress. start a new probe and transfer */ 5518 xfr->notify_received = 0; 5519 xfr->notify_has_serial = 0; 5520 xfr->notify_serial = 0; 5521 if(!xfr_start_probe(xfr, env, NULL)) { 5522 /* if we couldn't start it, already in 5523 * progress; restore notify serial, 5524 * while xfr still locked */ 5525 xfr->notify_received = 1; 5526 xfr->notify_has_serial = has_sr; 5527 xfr->notify_serial = sr; 5528 lock_basic_unlock(&xfr->lock); 5529 } 5530 return; 5531 } else { 5532 /* pick up the nextprobe task and wait (normail wait time) */ 5533 xfr_set_timeout(xfr, env, 0, 0); 5534 } 5535 lock_basic_unlock(&xfr->lock); 5536 return; 5537 } 5538 /* processing failed */ 5539 /* when done, delete data from list */ 5540 auth_chunks_delete(xfr->task_transfer); 5541 if(ixfr_fail) { 5542 xfr->task_transfer->ixfr_fail = 1; 5543 } else { 5544 xfr_transfer_nextmaster(xfr); 5545 } 5546 xfr_transfer_nexttarget_or_end(xfr, env); 5547 } 5548 5549 /** callback for task_transfer tcp connections */ 5550 int 5551 auth_xfer_transfer_tcp_callback(struct comm_point* c, void* arg, int err, 5552 struct comm_reply* ATTR_UNUSED(repinfo)) 5553 { 5554 struct auth_xfer* xfr = (struct auth_xfer*)arg; 5555 struct module_env* env; 5556 int gonextonfail = 1; 5557 int transferdone = 0; 5558 log_assert(xfr->task_transfer); 5559 lock_basic_lock(&xfr->lock); 5560 env = xfr->task_transfer->env; 5561 if(env->outnet->want_to_quit) { 5562 lock_basic_unlock(&xfr->lock); 5563 return 0; /* stop on quit */ 5564 } 5565 5566 if(err != NETEVENT_NOERROR) { 5567 /* connection failed, closed, or timeout */ 5568 /* stop this transfer, cleanup 5569 * and continue task_transfer*/ 5570 verbose(VERB_ALGO, "xfr stopped, connection lost to %s", 5571 xfr->task_transfer->master->host); 5572 failed: 5573 /* delete transferred data from list */ 5574 auth_chunks_delete(xfr->task_transfer); 5575 comm_point_delete(xfr->task_transfer->cp); 5576 xfr->task_transfer->cp = NULL; 5577 xfr_transfer_nextmaster(xfr); 5578 xfr_transfer_nexttarget_or_end(xfr, env); 5579 return 0; 5580 } 5581 5582 /* handle returned packet */ 5583 /* if it fails, cleanup and end this transfer */ 5584 /* if it needs to fallback from IXFR to AXFR, do that */ 5585 if(!check_xfer_packet(c->buffer, xfr, &gonextonfail, &transferdone)) { 5586 goto failed; 5587 } 5588 /* if it is good, link it into the list of data */ 5589 /* if the link into list of data fails (malloc fail) cleanup and end */ 5590 if(!xfer_link_data(c->buffer, xfr)) { 5591 verbose(VERB_ALGO, "xfr stopped to %s, malloc failed", 5592 xfr->task_transfer->master->host); 5593 goto failed; 5594 } 5595 /* if the transfer is done now, disconnect and process the list */ 5596 if(transferdone) { 5597 comm_point_delete(xfr->task_transfer->cp); 5598 xfr->task_transfer->cp = NULL; 5599 process_list_end_transfer(xfr, env); 5600 return 0; 5601 } 5602 5603 /* if we want to read more messages, setup the commpoint to read 5604 * a DNS packet, and the timeout */ 5605 lock_basic_unlock(&xfr->lock); 5606 c->tcp_is_reading = 1; 5607 sldns_buffer_clear(c->buffer); 5608 comm_point_start_listening(c, -1, AUTH_TRANSFER_TIMEOUT); 5609 return 0; 5610 } 5611 5612 /** callback for task_transfer http connections */ 5613 int 5614 auth_xfer_transfer_http_callback(struct comm_point* c, void* arg, int err, 5615 struct comm_reply* repinfo) 5616 { 5617 struct auth_xfer* xfr = (struct auth_xfer*)arg; 5618 struct module_env* env; 5619 log_assert(xfr->task_transfer); 5620 lock_basic_lock(&xfr->lock); 5621 env = xfr->task_transfer->env; 5622 if(env->outnet->want_to_quit) { 5623 lock_basic_unlock(&xfr->lock); 5624 return 0; /* stop on quit */ 5625 } 5626 verbose(VERB_ALGO, "auth zone transfer http callback"); 5627 5628 if(err != NETEVENT_NOERROR && err != NETEVENT_DONE) { 5629 /* connection failed, closed, or timeout */ 5630 /* stop this transfer, cleanup 5631 * and continue task_transfer*/ 5632 verbose(VERB_ALGO, "http stopped, connection lost to %s", 5633 xfr->task_transfer->master->host); 5634 failed: 5635 /* delete transferred data from list */ 5636 auth_chunks_delete(xfr->task_transfer); 5637 if(repinfo) repinfo->c = NULL; /* signal cp deleted to 5638 the routine calling this callback */ 5639 comm_point_delete(xfr->task_transfer->cp); 5640 xfr->task_transfer->cp = NULL; 5641 xfr_transfer_nextmaster(xfr); 5642 xfr_transfer_nexttarget_or_end(xfr, env); 5643 return 0; 5644 } 5645 5646 /* if it is good, link it into the list of data */ 5647 /* if the link into list of data fails (malloc fail) cleanup and end */ 5648 if(sldns_buffer_limit(c->buffer) > 0) { 5649 verbose(VERB_ALGO, "auth zone http queued up %d bytes", 5650 (int)sldns_buffer_limit(c->buffer)); 5651 if(!xfer_link_data(c->buffer, xfr)) { 5652 verbose(VERB_ALGO, "http stopped to %s, malloc failed", 5653 xfr->task_transfer->master->host); 5654 goto failed; 5655 } 5656 } 5657 /* if the transfer is done now, disconnect and process the list */ 5658 if(err == NETEVENT_DONE) { 5659 if(repinfo) repinfo->c = NULL; /* signal cp deleted to 5660 the routine calling this callback */ 5661 comm_point_delete(xfr->task_transfer->cp); 5662 xfr->task_transfer->cp = NULL; 5663 process_list_end_transfer(xfr, env); 5664 return 0; 5665 } 5666 5667 /* if we want to read more messages, setup the commpoint to read 5668 * a DNS packet, and the timeout */ 5669 lock_basic_unlock(&xfr->lock); 5670 c->tcp_is_reading = 1; 5671 sldns_buffer_clear(c->buffer); 5672 comm_point_start_listening(c, -1, AUTH_TRANSFER_TIMEOUT); 5673 return 0; 5674 } 5675 5676 5677 /** start transfer task by this worker , xfr is locked. */ 5678 static void 5679 xfr_start_transfer(struct auth_xfer* xfr, struct module_env* env, 5680 struct auth_master* master) 5681 { 5682 log_assert(xfr->task_transfer != NULL); 5683 log_assert(xfr->task_transfer->worker == NULL); 5684 log_assert(xfr->task_transfer->chunks_first == NULL); 5685 log_assert(xfr->task_transfer->chunks_last == NULL); 5686 xfr->task_transfer->worker = env->worker; 5687 xfr->task_transfer->env = env; 5688 5689 /* init transfer process */ 5690 /* find that master in the transfer's list of masters? */ 5691 xfr_transfer_start_list(xfr, master); 5692 /* start lookup for hostnames in transfer master list */ 5693 xfr_transfer_start_lookups(xfr); 5694 5695 /* initiate TCP, and set timeout on it */ 5696 xfr_transfer_nexttarget_or_end(xfr, env); 5697 } 5698 5699 /** disown task_probe. caller must hold xfr.lock */ 5700 static void 5701 xfr_probe_disown(struct auth_xfer* xfr) 5702 { 5703 /* remove timer (from this worker's event base) */ 5704 comm_timer_delete(xfr->task_probe->timer); 5705 xfr->task_probe->timer = NULL; 5706 /* remove the commpoint */ 5707 comm_point_delete(xfr->task_probe->cp); 5708 xfr->task_probe->cp = NULL; 5709 /* we don't own this item anymore */ 5710 xfr->task_probe->worker = NULL; 5711 xfr->task_probe->env = NULL; 5712 } 5713 5714 /** send the UDP probe to the master, this is part of task_probe */ 5715 static int 5716 xfr_probe_send_probe(struct auth_xfer* xfr, struct module_env* env, 5717 int timeout) 5718 { 5719 struct sockaddr_storage addr; 5720 socklen_t addrlen = 0; 5721 struct timeval t; 5722 /* pick master */ 5723 struct auth_master* master = xfr_probe_current_master(xfr); 5724 if(!master) return 0; 5725 if(master->allow_notify) return 0; /* only for notify */ 5726 if(master->http) return 0; /* only masters get SOA UDP probe, 5727 not urls, if those are in this list */ 5728 5729 /* get master addr */ 5730 if(xfr->task_probe->scan_addr) { 5731 addrlen = xfr->task_probe->scan_addr->addrlen; 5732 memmove(&addr, &xfr->task_probe->scan_addr->addr, addrlen); 5733 } else { 5734 if(!extstrtoaddr(master->host, &addr, &addrlen)) { 5735 /* the ones that are not in addr format are supposed 5736 * to be looked up. The lookup has failed however, 5737 * so skip them */ 5738 char zname[255+1]; 5739 dname_str(xfr->name, zname); 5740 log_err("%s: failed lookup, cannot probe to master %s", 5741 zname, master->host); 5742 return 0; 5743 } 5744 } 5745 5746 /* create packet */ 5747 /* create new ID for new probes, but not on timeout retries, 5748 * this means we'll accept replies to previous retries to same ip */ 5749 if(timeout == AUTH_PROBE_TIMEOUT) 5750 xfr->task_probe->id = (uint16_t)(ub_random(env->rnd)&0xffff); 5751 xfr_create_soa_probe_packet(xfr, env->scratch_buffer, 5752 xfr->task_probe->id); 5753 if(!xfr->task_probe->cp) { 5754 xfr->task_probe->cp = outnet_comm_point_for_udp(env->outnet, 5755 auth_xfer_probe_udp_callback, xfr, &addr, addrlen); 5756 if(!xfr->task_probe->cp) { 5757 char zname[255+1]; 5758 dname_str(xfr->name, zname); 5759 verbose(VERB_ALGO, "cannot create udp cp for " 5760 "probe %s to %s", zname, master->host); 5761 return 0; 5762 } 5763 } 5764 if(!xfr->task_probe->timer) { 5765 xfr->task_probe->timer = comm_timer_create(env->worker_base, 5766 auth_xfer_probe_timer_callback, xfr); 5767 if(!xfr->task_probe->timer) { 5768 log_err("malloc failure"); 5769 return 0; 5770 } 5771 } 5772 5773 /* send udp packet */ 5774 if(!comm_point_send_udp_msg(xfr->task_probe->cp, env->scratch_buffer, 5775 (struct sockaddr*)&addr, addrlen)) { 5776 char zname[255+1]; 5777 dname_str(xfr->name, zname); 5778 verbose(VERB_ALGO, "failed to send soa probe for %s to %s", 5779 zname, master->host); 5780 return 0; 5781 } 5782 xfr->task_probe->timeout = timeout; 5783 #ifndef S_SPLINT_S 5784 t.tv_sec = timeout/1000; 5785 t.tv_usec = (timeout%1000)*1000; 5786 #endif 5787 comm_timer_set(xfr->task_probe->timer, &t); 5788 5789 return 1; 5790 } 5791 5792 /** callback for task_probe timer */ 5793 void 5794 auth_xfer_probe_timer_callback(void* arg) 5795 { 5796 struct auth_xfer* xfr = (struct auth_xfer*)arg; 5797 struct module_env* env; 5798 log_assert(xfr->task_probe); 5799 lock_basic_lock(&xfr->lock); 5800 env = xfr->task_probe->env; 5801 if(env->outnet->want_to_quit) { 5802 lock_basic_unlock(&xfr->lock); 5803 return; /* stop on quit */ 5804 } 5805 5806 if(xfr->task_probe->timeout <= AUTH_PROBE_TIMEOUT_STOP) { 5807 /* try again with bigger timeout */ 5808 if(xfr_probe_send_probe(xfr, env, xfr->task_probe->timeout*2)) { 5809 lock_basic_unlock(&xfr->lock); 5810 return; 5811 } 5812 } 5813 /* delete commpoint so a new one is created, with a fresh port nr */ 5814 comm_point_delete(xfr->task_probe->cp); 5815 xfr->task_probe->cp = NULL; 5816 5817 /* too many timeouts (or fail to send), move to next or end */ 5818 xfr_probe_nextmaster(xfr); 5819 xfr_probe_send_or_end(xfr, env); 5820 } 5821 5822 /** callback for task_probe udp packets */ 5823 int 5824 auth_xfer_probe_udp_callback(struct comm_point* c, void* arg, int err, 5825 struct comm_reply* repinfo) 5826 { 5827 struct auth_xfer* xfr = (struct auth_xfer*)arg; 5828 struct module_env* env; 5829 log_assert(xfr->task_probe); 5830 lock_basic_lock(&xfr->lock); 5831 env = xfr->task_probe->env; 5832 if(env->outnet->want_to_quit) { 5833 lock_basic_unlock(&xfr->lock); 5834 return 0; /* stop on quit */ 5835 } 5836 5837 /* the comm_point_udp_callback is in a for loop for NUM_UDP_PER_SELECT 5838 * and we set rep.c=NULL to stop if from looking inside the commpoint*/ 5839 repinfo->c = NULL; 5840 /* stop the timer */ 5841 comm_timer_disable(xfr->task_probe->timer); 5842 5843 /* see if we got a packet and what that means */ 5844 if(err == NETEVENT_NOERROR) { 5845 uint32_t serial = 0; 5846 if(check_packet_ok(c->buffer, LDNS_RR_TYPE_SOA, xfr, 5847 &serial)) { 5848 /* successful lookup */ 5849 if(verbosity >= VERB_ALGO) { 5850 char buf[256]; 5851 dname_str(xfr->name, buf); 5852 verbose(VERB_ALGO, "auth zone %s: soa probe " 5853 "serial is %u", buf, (unsigned)serial); 5854 } 5855 /* see if this serial indicates that the zone has 5856 * to be updated */ 5857 if(xfr_serial_means_update(xfr, serial)) { 5858 /* if updated, start the transfer task, if needed */ 5859 verbose(VERB_ALGO, "auth_zone updated, start transfer"); 5860 if(xfr->task_transfer->worker == NULL) { 5861 struct auth_master* master = 5862 xfr_probe_current_master(xfr); 5863 /* if we have download URLs use them 5864 * in preference to this master we 5865 * just probed the SOA from */ 5866 if(xfr->task_transfer->masters && 5867 xfr->task_transfer->masters->http) 5868 master = NULL; 5869 xfr_probe_disown(xfr); 5870 xfr_start_transfer(xfr, env, master); 5871 return 0; 5872 5873 } 5874 } else { 5875 /* if zone not updated, start the wait timer again */ 5876 verbose(VERB_ALGO, "auth_zone unchanged, new lease, wait"); 5877 if(xfr->have_zone) 5878 xfr->lease_time = *env->now; 5879 if(xfr->task_nextprobe->worker == NULL) 5880 xfr_set_timeout(xfr, env, 0, 0); 5881 } 5882 /* other tasks are running, we don't do this anymore */ 5883 xfr_probe_disown(xfr); 5884 lock_basic_unlock(&xfr->lock); 5885 /* return, we don't sent a reply to this udp packet, 5886 * and we setup the tasks to do next */ 5887 return 0; 5888 } 5889 } 5890 if(verbosity >= VERB_ALGO) { 5891 char buf[256]; 5892 dname_str(xfr->name, buf); 5893 verbose(VERB_ALGO, "auth zone %s: soa probe failed", buf); 5894 } 5895 5896 /* failed lookup */ 5897 /* delete commpoint so a new one is created, with a fresh port nr */ 5898 comm_point_delete(xfr->task_probe->cp); 5899 xfr->task_probe->cp = NULL; 5900 5901 /* if the result was not a successfull probe, we need 5902 * to send the next one */ 5903 xfr_probe_nextmaster(xfr); 5904 xfr_probe_send_or_end(xfr, env); 5905 return 0; 5906 } 5907 5908 /** lookup a host name for its addresses, if needed */ 5909 static int 5910 xfr_probe_lookup_host(struct auth_xfer* xfr, struct module_env* env) 5911 { 5912 struct sockaddr_storage addr; 5913 socklen_t addrlen = 0; 5914 struct auth_master* master = xfr->task_probe->lookup_target; 5915 struct query_info qinfo; 5916 uint16_t qflags = BIT_RD; 5917 uint8_t dname[LDNS_MAX_DOMAINLEN+1]; 5918 struct edns_data edns; 5919 sldns_buffer* buf = env->scratch_buffer; 5920 if(!master) return 0; 5921 if(extstrtoaddr(master->host, &addr, &addrlen)) { 5922 /* not needed, host is in IP addr format */ 5923 return 0; 5924 } 5925 if(master->allow_notify && !master->http && 5926 strchr(master->host, '/') != NULL && 5927 strchr(master->host, '/') == strrchr(master->host, '/')) { 5928 return 0; /* is IP/prefix format, not something to look up */ 5929 } 5930 5931 /* use mesh_new_callback to probe for non-addr hosts, 5932 * and then wait for them to be looked up (in cache, or query) */ 5933 qinfo.qname_len = sizeof(dname); 5934 if(sldns_str2wire_dname_buf(master->host, dname, &qinfo.qname_len) 5935 != 0) { 5936 log_err("cannot parse host name of master %s", master->host); 5937 return 0; 5938 } 5939 qinfo.qname = dname; 5940 qinfo.qclass = xfr->dclass; 5941 qinfo.qtype = LDNS_RR_TYPE_A; 5942 if(xfr->task_probe->lookup_aaaa) 5943 qinfo.qtype = LDNS_RR_TYPE_AAAA; 5944 qinfo.local_alias = NULL; 5945 if(verbosity >= VERB_ALGO) { 5946 char buf[512]; 5947 char buf2[LDNS_MAX_DOMAINLEN+1]; 5948 dname_str(xfr->name, buf2); 5949 snprintf(buf, sizeof(buf), "auth zone %s: master lookup" 5950 " for task_probe", buf2); 5951 log_query_info(VERB_ALGO, buf, &qinfo); 5952 } 5953 edns.edns_present = 1; 5954 edns.ext_rcode = 0; 5955 edns.edns_version = 0; 5956 edns.bits = EDNS_DO; 5957 edns.opt_list = NULL; 5958 if(sldns_buffer_capacity(buf) < 65535) 5959 edns.udp_size = (uint16_t)sldns_buffer_capacity(buf); 5960 else edns.udp_size = 65535; 5961 5962 /* unlock xfr during mesh_new_callback() because the callback can be 5963 * called straight away */ 5964 lock_basic_unlock(&xfr->lock); 5965 if(!mesh_new_callback(env->mesh, &qinfo, qflags, &edns, buf, 0, 5966 &auth_xfer_probe_lookup_callback, xfr)) { 5967 lock_basic_lock(&xfr->lock); 5968 log_err("out of memory lookup up master %s", master->host); 5969 return 0; 5970 } 5971 lock_basic_lock(&xfr->lock); 5972 return 1; 5973 } 5974 5975 /** move to sending the probe packets, next if fails. task_probe */ 5976 static void 5977 xfr_probe_send_or_end(struct auth_xfer* xfr, struct module_env* env) 5978 { 5979 /* are we doing hostname lookups? */ 5980 while(xfr->task_probe->lookup_target) { 5981 if(xfr_probe_lookup_host(xfr, env)) { 5982 /* wait for lookup to finish, 5983 * note that the hostname may be in unbound's cache 5984 * and we may then get an instant cache response, 5985 * and that calls the callback just like a full 5986 * lookup and lookup failures also call callback */ 5987 lock_basic_unlock(&xfr->lock); 5988 return; 5989 } 5990 xfr_probe_move_to_next_lookup(xfr, env); 5991 } 5992 /* probe of list has ended. Create or refresh the list of of 5993 * allow_notify addrs */ 5994 probe_copy_masters_for_allow_notify(xfr); 5995 if(xfr->task_probe->only_lookup) { 5996 /* only wanted lookups for copy, stop probe and start wait */ 5997 xfr->task_probe->only_lookup = 0; 5998 xfr_probe_disown(xfr); 5999 xfr_set_timeout(xfr, env, 0, 0); 6000 lock_basic_unlock(&xfr->lock); 6001 return; 6002 } 6003 6004 /* send probe packets */ 6005 while(!xfr_probe_end_of_list(xfr)) { 6006 if(xfr_probe_send_probe(xfr, env, AUTH_PROBE_TIMEOUT)) { 6007 /* successfully sent probe, wait for callback */ 6008 lock_basic_unlock(&xfr->lock); 6009 return; 6010 } 6011 /* failed to send probe, next master */ 6012 xfr_probe_nextmaster(xfr); 6013 } 6014 6015 /* we failed to send this as well, move to the wait task, 6016 * use the shorter retry timeout */ 6017 xfr_probe_disown(xfr); 6018 6019 /* pick up the nextprobe task and wait */ 6020 xfr_set_timeout(xfr, env, 1, 0); 6021 lock_basic_unlock(&xfr->lock); 6022 } 6023 6024 /** callback for task_probe lookup of host name, of A or AAAA */ 6025 void auth_xfer_probe_lookup_callback(void* arg, int rcode, sldns_buffer* buf, 6026 enum sec_status ATTR_UNUSED(sec), char* ATTR_UNUSED(why_bogus)) 6027 { 6028 struct auth_xfer* xfr = (struct auth_xfer*)arg; 6029 struct module_env* env; 6030 log_assert(xfr->task_probe); 6031 lock_basic_lock(&xfr->lock); 6032 env = xfr->task_probe->env; 6033 if(env->outnet->want_to_quit) { 6034 lock_basic_unlock(&xfr->lock); 6035 return; /* stop on quit */ 6036 } 6037 6038 /* process result */ 6039 if(rcode == LDNS_RCODE_NOERROR) { 6040 uint16_t wanted_qtype = LDNS_RR_TYPE_A; 6041 struct regional* temp = env->scratch; 6042 struct query_info rq; 6043 struct reply_info* rep; 6044 if(xfr->task_probe->lookup_aaaa) 6045 wanted_qtype = LDNS_RR_TYPE_AAAA; 6046 memset(&rq, 0, sizeof(rq)); 6047 rep = parse_reply_in_temp_region(buf, temp, &rq); 6048 if(rep && rq.qtype == wanted_qtype && 6049 FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NOERROR) { 6050 /* parsed successfully */ 6051 struct ub_packed_rrset_key* answer = 6052 reply_find_answer_rrset(&rq, rep); 6053 if(answer) { 6054 xfr_master_add_addrs(xfr->task_probe-> 6055 lookup_target, answer, wanted_qtype); 6056 } 6057 } 6058 } 6059 if(xfr->task_probe->lookup_target->list && 6060 xfr->task_probe->lookup_target == xfr_probe_current_master(xfr)) 6061 xfr->task_probe->scan_addr = xfr->task_probe->lookup_target->list; 6062 6063 /* move to lookup AAAA after A lookup, move to next hostname lookup, 6064 * or move to send the probes, or, if nothing to do, end task_probe */ 6065 xfr_probe_move_to_next_lookup(xfr, env); 6066 xfr_probe_send_or_end(xfr, env); 6067 } 6068 6069 /** disown task_nextprobe. caller must hold xfr.lock */ 6070 static void 6071 xfr_nextprobe_disown(struct auth_xfer* xfr) 6072 { 6073 /* delete the timer, because the next worker to pick this up may 6074 * not have the same event base */ 6075 comm_timer_delete(xfr->task_nextprobe->timer); 6076 xfr->task_nextprobe->timer = NULL; 6077 xfr->task_nextprobe->next_probe = 0; 6078 /* we don't own this item anymore */ 6079 xfr->task_nextprobe->worker = NULL; 6080 xfr->task_nextprobe->env = NULL; 6081 } 6082 6083 /** xfer nextprobe timeout callback, this is part of task_nextprobe */ 6084 void 6085 auth_xfer_timer(void* arg) 6086 { 6087 struct auth_xfer* xfr = (struct auth_xfer*)arg; 6088 struct module_env* env; 6089 log_assert(xfr->task_nextprobe); 6090 lock_basic_lock(&xfr->lock); 6091 env = xfr->task_nextprobe->env; 6092 if(env->outnet->want_to_quit) { 6093 lock_basic_unlock(&xfr->lock); 6094 return; /* stop on quit */ 6095 } 6096 6097 /* see if zone has expired, and if so, also set auth_zone expired */ 6098 if(xfr->have_zone && !xfr->zone_expired && 6099 *env->now >= xfr->lease_time + xfr->expiry) { 6100 lock_basic_unlock(&xfr->lock); 6101 auth_xfer_set_expired(xfr, env, 1); 6102 lock_basic_lock(&xfr->lock); 6103 } 6104 6105 xfr_nextprobe_disown(xfr); 6106 6107 if(!xfr_start_probe(xfr, env, NULL)) { 6108 /* not started because already in progress */ 6109 lock_basic_unlock(&xfr->lock); 6110 } 6111 } 6112 6113 /** return true if there are probe (SOA UDP query) targets in the master list*/ 6114 static int 6115 have_probe_targets(struct auth_master* list) 6116 { 6117 struct auth_master* p; 6118 for(p=list; p; p = p->next) { 6119 if(!p->allow_notify && p->host) 6120 return 1; 6121 } 6122 return 0; 6123 } 6124 6125 /** start task_probe if possible, if no masters for probe start task_transfer 6126 * returns true if task has been started, and false if the task is already 6127 * in progress. */ 6128 static int 6129 xfr_start_probe(struct auth_xfer* xfr, struct module_env* env, 6130 struct auth_master* spec) 6131 { 6132 /* see if we need to start a probe (or maybe it is already in 6133 * progress (due to notify)) */ 6134 if(xfr->task_probe->worker == NULL) { 6135 if(!have_probe_targets(xfr->task_probe->masters) && 6136 !(xfr->task_probe->only_lookup && 6137 xfr->task_probe->masters != NULL)) { 6138 /* useless to pick up task_probe, no masters to 6139 * probe. Instead attempt to pick up task transfer */ 6140 if(xfr->task_transfer->worker == NULL) { 6141 xfr_start_transfer(xfr, env, spec); 6142 return 1; 6143 } 6144 /* task transfer already in progress */ 6145 return 0; 6146 } 6147 6148 /* pick up the probe task ourselves */ 6149 xfr->task_probe->worker = env->worker; 6150 xfr->task_probe->env = env; 6151 xfr->task_probe->cp = NULL; 6152 6153 /* start the task */ 6154 /* if this was a timeout, no specific first master to scan */ 6155 /* otherwise, spec is nonNULL the notified master, scan 6156 * first and also transfer first from it */ 6157 xfr_probe_start_list(xfr, spec); 6158 /* setup to start the lookup of hostnames of masters afresh */ 6159 xfr_probe_start_lookups(xfr); 6160 /* send the probe packet or next send, or end task */ 6161 xfr_probe_send_or_end(xfr, env); 6162 return 1; 6163 } 6164 return 0; 6165 } 6166 6167 /** for task_nextprobe. 6168 * determine next timeout for auth_xfer. Also (re)sets timer. 6169 * @param xfr: task structure 6170 * @param env: module environment, with worker and time. 6171 * @param failure: set true if timer should be set for failure retry. 6172 * @param lookup_only: only perform lookups when timer done, 0 sec timeout 6173 */ 6174 static void 6175 xfr_set_timeout(struct auth_xfer* xfr, struct module_env* env, 6176 int failure, int lookup_only) 6177 { 6178 struct timeval tv; 6179 log_assert(xfr->task_nextprobe != NULL); 6180 log_assert(xfr->task_nextprobe->worker == NULL || 6181 xfr->task_nextprobe->worker == env->worker); 6182 /* normally, nextprobe = startoflease + refresh, 6183 * but if expiry is sooner, use that one. 6184 * after a failure, use the retry timer instead. */ 6185 xfr->task_nextprobe->next_probe = *env->now; 6186 if(xfr->lease_time && !failure) 6187 xfr->task_nextprobe->next_probe = xfr->lease_time; 6188 6189 if(!failure) { 6190 xfr->task_nextprobe->backoff = 0; 6191 } else { 6192 if(xfr->task_nextprobe->backoff == 0) 6193 xfr->task_nextprobe->backoff = 3; 6194 else xfr->task_nextprobe->backoff *= 2; 6195 if(xfr->task_nextprobe->backoff > AUTH_TRANSFER_MAX_BACKOFF) 6196 xfr->task_nextprobe->backoff = 6197 AUTH_TRANSFER_MAX_BACKOFF; 6198 } 6199 6200 if(xfr->have_zone) { 6201 time_t wait = xfr->refresh; 6202 if(failure) wait = xfr->retry; 6203 if(xfr->expiry < wait) 6204 xfr->task_nextprobe->next_probe += xfr->expiry; 6205 else xfr->task_nextprobe->next_probe += wait; 6206 if(failure) 6207 xfr->task_nextprobe->next_probe += 6208 xfr->task_nextprobe->backoff; 6209 /* put the timer exactly on expiry, if possible */ 6210 if(xfr->lease_time && xfr->lease_time+xfr->expiry < 6211 xfr->task_nextprobe->next_probe && 6212 xfr->lease_time+xfr->expiry > *env->now) 6213 xfr->task_nextprobe->next_probe = 6214 xfr->lease_time+xfr->expiry; 6215 } else { 6216 xfr->task_nextprobe->next_probe += 6217 xfr->task_nextprobe->backoff; 6218 } 6219 6220 if(!xfr->task_nextprobe->timer) { 6221 xfr->task_nextprobe->timer = comm_timer_create( 6222 env->worker_base, auth_xfer_timer, xfr); 6223 if(!xfr->task_nextprobe->timer) { 6224 /* failed to malloc memory. likely zone transfer 6225 * also fails for that. skip the timeout */ 6226 char zname[255+1]; 6227 dname_str(xfr->name, zname); 6228 log_err("cannot allocate timer, no refresh for %s", 6229 zname); 6230 return; 6231 } 6232 } 6233 xfr->task_nextprobe->worker = env->worker; 6234 xfr->task_nextprobe->env = env; 6235 if(*(xfr->task_nextprobe->env->now) <= xfr->task_nextprobe->next_probe) 6236 tv.tv_sec = xfr->task_nextprobe->next_probe - 6237 *(xfr->task_nextprobe->env->now); 6238 else tv.tv_sec = 0; 6239 if(tv.tv_sec != 0 && lookup_only && xfr->task_probe->masters) { 6240 /* don't lookup_only, if lookup timeout is 0 anyway, 6241 * or if we don't have masters to lookup */ 6242 tv.tv_sec = 0; 6243 if(xfr->task_probe && xfr->task_probe->worker == NULL) 6244 xfr->task_probe->only_lookup = 1; 6245 } 6246 if(verbosity >= VERB_ALGO) { 6247 char zname[255+1]; 6248 dname_str(xfr->name, zname); 6249 verbose(VERB_ALGO, "auth zone %s timeout in %d seconds", 6250 zname, (int)tv.tv_sec); 6251 } 6252 tv.tv_usec = 0; 6253 comm_timer_set(xfr->task_nextprobe->timer, &tv); 6254 } 6255 6256 /** initial pick up of worker timeouts, ties events to worker event loop */ 6257 void 6258 auth_xfer_pickup_initial(struct auth_zones* az, struct module_env* env) 6259 { 6260 struct auth_xfer* x; 6261 lock_rw_wrlock(&az->lock); 6262 RBTREE_FOR(x, struct auth_xfer*, &az->xtree) { 6263 lock_basic_lock(&x->lock); 6264 /* set lease_time, because we now have timestamp in env, 6265 * (not earlier during startup and apply_cfg), and this 6266 * notes the start time when the data was acquired */ 6267 if(x->have_zone) 6268 x->lease_time = *env->now; 6269 if(x->task_nextprobe && x->task_nextprobe->worker == NULL) { 6270 xfr_set_timeout(x, env, 0, 1); 6271 } 6272 lock_basic_unlock(&x->lock); 6273 } 6274 lock_rw_unlock(&az->lock); 6275 } 6276 6277 void auth_zones_cleanup(struct auth_zones* az) 6278 { 6279 struct auth_xfer* x; 6280 lock_rw_wrlock(&az->lock); 6281 RBTREE_FOR(x, struct auth_xfer*, &az->xtree) { 6282 lock_basic_lock(&x->lock); 6283 if(x->task_nextprobe && x->task_nextprobe->worker != NULL) { 6284 xfr_nextprobe_disown(x); 6285 } 6286 if(x->task_probe && x->task_probe->worker != NULL) { 6287 xfr_probe_disown(x); 6288 } 6289 if(x->task_transfer && x->task_transfer->worker != NULL) { 6290 auth_chunks_delete(x->task_transfer); 6291 xfr_transfer_disown(x); 6292 } 6293 lock_basic_unlock(&x->lock); 6294 } 6295 lock_rw_unlock(&az->lock); 6296 } 6297 6298 /** 6299 * malloc the xfer and tasks 6300 * @param z: auth_zone with name of zone. 6301 */ 6302 static struct auth_xfer* 6303 auth_xfer_new(struct auth_zone* z) 6304 { 6305 struct auth_xfer* xfr; 6306 xfr = (struct auth_xfer*)calloc(1, sizeof(*xfr)); 6307 if(!xfr) return NULL; 6308 xfr->name = memdup(z->name, z->namelen); 6309 if(!xfr->name) { 6310 free(xfr); 6311 return NULL; 6312 } 6313 xfr->node.key = xfr; 6314 xfr->namelen = z->namelen; 6315 xfr->namelabs = z->namelabs; 6316 xfr->dclass = z->dclass; 6317 6318 xfr->task_nextprobe = (struct auth_nextprobe*)calloc(1, 6319 sizeof(struct auth_nextprobe)); 6320 if(!xfr->task_nextprobe) { 6321 free(xfr->name); 6322 free(xfr); 6323 return NULL; 6324 } 6325 xfr->task_probe = (struct auth_probe*)calloc(1, 6326 sizeof(struct auth_probe)); 6327 if(!xfr->task_probe) { 6328 free(xfr->task_nextprobe); 6329 free(xfr->name); 6330 free(xfr); 6331 return NULL; 6332 } 6333 xfr->task_transfer = (struct auth_transfer*)calloc(1, 6334 sizeof(struct auth_transfer)); 6335 if(!xfr->task_transfer) { 6336 free(xfr->task_probe); 6337 free(xfr->task_nextprobe); 6338 free(xfr->name); 6339 free(xfr); 6340 return NULL; 6341 } 6342 6343 lock_basic_init(&xfr->lock); 6344 lock_protect(&xfr->lock, &xfr->name, sizeof(xfr->name)); 6345 lock_protect(&xfr->lock, &xfr->namelen, sizeof(xfr->namelen)); 6346 lock_protect(&xfr->lock, xfr->name, xfr->namelen); 6347 lock_protect(&xfr->lock, &xfr->namelabs, sizeof(xfr->namelabs)); 6348 lock_protect(&xfr->lock, &xfr->dclass, sizeof(xfr->dclass)); 6349 lock_protect(&xfr->lock, &xfr->notify_received, sizeof(xfr->notify_received)); 6350 lock_protect(&xfr->lock, &xfr->notify_serial, sizeof(xfr->notify_serial)); 6351 lock_protect(&xfr->lock, &xfr->zone_expired, sizeof(xfr->zone_expired)); 6352 lock_protect(&xfr->lock, &xfr->have_zone, sizeof(xfr->have_zone)); 6353 lock_protect(&xfr->lock, &xfr->serial, sizeof(xfr->serial)); 6354 lock_protect(&xfr->lock, &xfr->retry, sizeof(xfr->retry)); 6355 lock_protect(&xfr->lock, &xfr->refresh, sizeof(xfr->refresh)); 6356 lock_protect(&xfr->lock, &xfr->expiry, sizeof(xfr->expiry)); 6357 lock_protect(&xfr->lock, &xfr->lease_time, sizeof(xfr->lease_time)); 6358 lock_protect(&xfr->lock, &xfr->task_nextprobe->worker, 6359 sizeof(xfr->task_nextprobe->worker)); 6360 lock_protect(&xfr->lock, &xfr->task_probe->worker, 6361 sizeof(xfr->task_probe->worker)); 6362 lock_protect(&xfr->lock, &xfr->task_transfer->worker, 6363 sizeof(xfr->task_transfer->worker)); 6364 lock_basic_lock(&xfr->lock); 6365 return xfr; 6366 } 6367 6368 /** Create auth_xfer structure. 6369 * This populates the have_zone, soa values, and so on times. 6370 * and sets the timeout, if a zone transfer is needed a short timeout is set. 6371 * For that the auth_zone itself must exist (and read in zonefile) 6372 * returns false on alloc failure. */ 6373 struct auth_xfer* 6374 auth_xfer_create(struct auth_zones* az, struct auth_zone* z) 6375 { 6376 struct auth_xfer* xfr; 6377 6378 /* malloc it */ 6379 xfr = auth_xfer_new(z); 6380 if(!xfr) { 6381 log_err("malloc failure"); 6382 return NULL; 6383 } 6384 /* insert in tree */ 6385 (void)rbtree_insert(&az->xtree, &xfr->node); 6386 return xfr; 6387 } 6388 6389 /** create new auth_master structure */ 6390 static struct auth_master* 6391 auth_master_new(struct auth_master*** list) 6392 { 6393 struct auth_master *m; 6394 m = (struct auth_master*)calloc(1, sizeof(*m)); 6395 if(!m) { 6396 log_err("malloc failure"); 6397 return NULL; 6398 } 6399 /* set first pointer to m, or next pointer of previous element to m */ 6400 (**list) = m; 6401 /* store m's next pointer as future point to store at */ 6402 (*list) = &(m->next); 6403 return m; 6404 } 6405 6406 /** dup_prefix : create string from initial part of other string, malloced */ 6407 static char* 6408 dup_prefix(char* str, size_t num) 6409 { 6410 char* result; 6411 size_t len = strlen(str); 6412 if(len < num) num = len; /* not more than strlen */ 6413 result = (char*)malloc(num+1); 6414 if(!result) { 6415 log_err("malloc failure"); 6416 return result; 6417 } 6418 memmove(result, str, num); 6419 result[num] = 0; 6420 return result; 6421 } 6422 6423 /** dup string and print error on error */ 6424 static char* 6425 dup_all(char* str) 6426 { 6427 char* result = strdup(str); 6428 if(!result) { 6429 log_err("malloc failure"); 6430 return NULL; 6431 } 6432 return result; 6433 } 6434 6435 /** find first of two characters */ 6436 static char* 6437 str_find_first_of_chars(char* s, char a, char b) 6438 { 6439 char* ra = strchr(s, a); 6440 char* rb = strchr(s, b); 6441 if(!ra) return rb; 6442 if(!rb) return ra; 6443 if(ra < rb) return ra; 6444 return rb; 6445 } 6446 6447 /** parse URL into host and file parts, false on malloc or parse error */ 6448 static int 6449 parse_url(char* url, char** host, char** file, int* port, int* ssl) 6450 { 6451 char* p = url; 6452 /* parse http://www.example.com/file.htm 6453 * or http://127.0.0.1 (index.html) 6454 * or https://[::1@1234]/a/b/c/d */ 6455 *ssl = 1; 6456 *port = AUTH_HTTPS_PORT; 6457 6458 /* parse http:// or https:// */ 6459 if(strncmp(p, "http://", 7) == 0) { 6460 p += 7; 6461 *ssl = 0; 6462 *port = AUTH_HTTP_PORT; 6463 } else if(strncmp(p, "https://", 8) == 0) { 6464 p += 8; 6465 } else if(strstr(p, "://") && strchr(p, '/') > strstr(p, "://") && 6466 strchr(p, ':') >= strstr(p, "://")) { 6467 char* uri = dup_prefix(p, (size_t)(strstr(p, "://")-p)); 6468 log_err("protocol %s:// not supported (for url %s)", 6469 uri?uri:"", p); 6470 free(uri); 6471 return 0; 6472 } 6473 6474 /* parse hostname part */ 6475 if(p[0] == '[') { 6476 char* end = strchr(p, ']'); 6477 p++; /* skip over [ */ 6478 if(end) { 6479 *host = dup_prefix(p, (size_t)(end-p)); 6480 if(!*host) return 0; 6481 p = end+1; /* skip over ] */ 6482 } else { 6483 *host = dup_all(p); 6484 if(!*host) return 0; 6485 p = end; 6486 } 6487 } else { 6488 char* end = str_find_first_of_chars(p, ':', '/'); 6489 if(end) { 6490 *host = dup_prefix(p, (size_t)(end-p)); 6491 if(!*host) return 0; 6492 } else { 6493 *host = dup_all(p); 6494 if(!*host) return 0; 6495 } 6496 p = end; /* at next : or / or NULL */ 6497 } 6498 6499 /* parse port number */ 6500 if(p && p[0] == ':') { 6501 char* end = NULL; 6502 *port = strtol(p+1, &end, 10); 6503 p = end; 6504 } 6505 6506 /* parse filename part */ 6507 while(p && *p == '/') 6508 p++; 6509 if(!p || p[0] == 0) 6510 *file = strdup("index.html"); 6511 else *file = strdup(p); 6512 if(!*file) { 6513 log_err("malloc failure"); 6514 return 0; 6515 } 6516 return 1; 6517 } 6518 6519 int 6520 xfer_set_masters(struct auth_master** list, struct config_auth* c, 6521 int with_http) 6522 { 6523 struct auth_master* m; 6524 struct config_strlist* p; 6525 /* list points to the first, or next pointer for the new element */ 6526 while(*list) { 6527 list = &( (*list)->next ); 6528 } 6529 if(with_http) 6530 for(p = c->urls; p; p = p->next) { 6531 m = auth_master_new(&list); 6532 m->http = 1; 6533 if(!parse_url(p->str, &m->host, &m->file, &m->port, &m->ssl)) 6534 return 0; 6535 } 6536 for(p = c->masters; p; p = p->next) { 6537 m = auth_master_new(&list); 6538 m->ixfr = 1; /* this flag is not configurable */ 6539 m->host = strdup(p->str); 6540 if(!m->host) { 6541 log_err("malloc failure"); 6542 return 0; 6543 } 6544 } 6545 for(p = c->allow_notify; p; p = p->next) { 6546 m = auth_master_new(&list); 6547 m->allow_notify = 1; 6548 m->host = strdup(p->str); 6549 if(!m->host) { 6550 log_err("malloc failure"); 6551 return 0; 6552 } 6553 } 6554 return 1; 6555 } 6556 6557 #define SERIAL_BITS 32 6558 int 6559 compare_serial(uint32_t a, uint32_t b) 6560 { 6561 const uint32_t cutoff = ((uint32_t) 1 << (SERIAL_BITS - 1)); 6562 6563 if (a == b) { 6564 return 0; 6565 } else if ((a < b && b - a < cutoff) || (a > b && a - b > cutoff)) { 6566 return -1; 6567 } else { 6568 return 1; 6569 } 6570 } 6571