authzone.c revision 356345
1/* 2 * services/authzone.c - authoritative zone that is locally hosted. 3 * 4 * Copyright (c) 2017, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * Redistributions of source code must retain the above copyright notice, 13 * this list of conditions and the following disclaimer. 14 * 15 * Redistributions in binary form must reproduce the above copyright notice, 16 * this list of conditions and the following disclaimer in the documentation 17 * and/or other materials provided with the distribution. 18 * 19 * Neither the name of the NLNET LABS nor the names of its contributors may 20 * be used to endorse or promote products derived from this software without 21 * specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36/** 37 * \file 38 * 39 * This file contains the functions for an authority zone. This zone 40 * is queried by the iterator, just like a stub or forward zone, but then 41 * the data is locally held. 42 */ 43 44#include "config.h" 45#include "services/authzone.h" 46#include "util/data/dname.h" 47#include "util/data/msgparse.h" 48#include "util/data/msgreply.h" 49#include "util/data/msgencode.h" 50#include "util/data/packed_rrset.h" 51#include "util/regional.h" 52#include "util/net_help.h" 53#include "util/netevent.h" 54#include "util/config_file.h" 55#include "util/log.h" 56#include "util/module.h" 57#include "util/random.h" 58#include "services/cache/dns.h" 59#include "services/outside_network.h" 60#include "services/listen_dnsport.h" 61#include "services/mesh.h" 62#include "sldns/rrdef.h" 63#include "sldns/pkthdr.h" 64#include "sldns/sbuffer.h" 65#include "sldns/str2wire.h" 66#include "sldns/wire2str.h" 67#include "sldns/parseutil.h" 68#include "sldns/keyraw.h" 69#include "validator/val_nsec3.h" 70#include "validator/val_secalgo.h" 71#include <ctype.h> 72 73/** bytes to use for NSEC3 hash buffer. 20 for sha1 */ 74#define N3HASHBUFLEN 32 75/** max number of CNAMEs we are willing to follow (in one answer) */ 76#define MAX_CNAME_CHAIN 8 77/** timeout for probe packets for SOA */ 78#define AUTH_PROBE_TIMEOUT 100 /* msec */ 79/** when to stop with SOA probes (when exponential timeouts exceed this) */ 80#define AUTH_PROBE_TIMEOUT_STOP 1000 /* msec */ 81/* auth transfer timeout for TCP connections, in msec */ 82#define AUTH_TRANSFER_TIMEOUT 10000 /* msec */ 83/* auth transfer max backoff for failed tranfers and probes */ 84#define AUTH_TRANSFER_MAX_BACKOFF 86400 /* sec */ 85/* auth http port number */ 86#define AUTH_HTTP_PORT 80 87/* auth https port number */ 88#define AUTH_HTTPS_PORT 443 89/* max depth for nested $INCLUDEs */ 90#define MAX_INCLUDE_DEPTH 10 91/** number of timeouts before we fallback from IXFR to AXFR, 92 * because some versions of servers (eg. dnsmasq) drop IXFR packets. */ 93#define NUM_TIMEOUTS_FALLBACK_IXFR 3 94 95/** pick up nextprobe task to start waiting to perform transfer actions */ 96static void xfr_set_timeout(struct auth_xfer* xfr, struct module_env* env, 97 int failure, int lookup_only); 98/** move to sending the probe packets, next if fails. task_probe */ 99static void xfr_probe_send_or_end(struct auth_xfer* xfr, 100 struct module_env* env); 101/** pick up probe task with specified(or NULL) destination first, 102 * or transfer task if nothing to probe, or false if already in progress */ 103static int xfr_start_probe(struct auth_xfer* xfr, struct module_env* env, 104 struct auth_master* spec); 105/** delete xfer structure (not its tree entry) */ 106static void auth_xfer_delete(struct auth_xfer* xfr); 107 108/** create new dns_msg */ 109static struct dns_msg* 110msg_create(struct regional* region, struct query_info* qinfo) 111{ 112 struct dns_msg* msg = (struct dns_msg*)regional_alloc(region, 113 sizeof(struct dns_msg)); 114 if(!msg) 115 return NULL; 116 msg->qinfo.qname = regional_alloc_init(region, qinfo->qname, 117 qinfo->qname_len); 118 if(!msg->qinfo.qname) 119 return NULL; 120 msg->qinfo.qname_len = qinfo->qname_len; 121 msg->qinfo.qtype = qinfo->qtype; 122 msg->qinfo.qclass = qinfo->qclass; 123 msg->qinfo.local_alias = NULL; 124 /* non-packed reply_info, because it needs to grow the array */ 125 msg->rep = (struct reply_info*)regional_alloc_zero(region, 126 sizeof(struct reply_info)-sizeof(struct rrset_ref)); 127 if(!msg->rep) 128 return NULL; 129 msg->rep->flags = (uint16_t)(BIT_QR | BIT_AA); 130 msg->rep->authoritative = 1; 131 msg->rep->qdcount = 1; 132 /* rrsets is NULL, no rrsets yet */ 133 return msg; 134} 135 136/** grow rrset array by one in msg */ 137static int 138msg_grow_array(struct regional* region, struct dns_msg* msg) 139{ 140 if(msg->rep->rrsets == NULL) { 141 msg->rep->rrsets = regional_alloc_zero(region, 142 sizeof(struct ub_packed_rrset_key*)*(msg->rep->rrset_count+1)); 143 if(!msg->rep->rrsets) 144 return 0; 145 } else { 146 struct ub_packed_rrset_key** rrsets_old = msg->rep->rrsets; 147 msg->rep->rrsets = regional_alloc_zero(region, 148 sizeof(struct ub_packed_rrset_key*)*(msg->rep->rrset_count+1)); 149 if(!msg->rep->rrsets) 150 return 0; 151 memmove(msg->rep->rrsets, rrsets_old, 152 sizeof(struct ub_packed_rrset_key*)*msg->rep->rrset_count); 153 } 154 return 1; 155} 156 157/** get ttl of rrset */ 158static time_t 159get_rrset_ttl(struct ub_packed_rrset_key* k) 160{ 161 struct packed_rrset_data* d = (struct packed_rrset_data*) 162 k->entry.data; 163 return d->ttl; 164} 165 166/** Copy rrset into region from domain-datanode and packet rrset */ 167static struct ub_packed_rrset_key* 168auth_packed_rrset_copy_region(struct auth_zone* z, struct auth_data* node, 169 struct auth_rrset* rrset, struct regional* region, time_t adjust) 170{ 171 struct ub_packed_rrset_key key; 172 memset(&key, 0, sizeof(key)); 173 key.entry.key = &key; 174 key.entry.data = rrset->data; 175 key.rk.dname = node->name; 176 key.rk.dname_len = node->namelen; 177 key.rk.type = htons(rrset->type); 178 key.rk.rrset_class = htons(z->dclass); 179 key.entry.hash = rrset_key_hash(&key.rk); 180 return packed_rrset_copy_region(&key, region, adjust); 181} 182 183/** fix up msg->rep TTL and prefetch ttl */ 184static void 185msg_ttl(struct dns_msg* msg) 186{ 187 if(msg->rep->rrset_count == 0) return; 188 if(msg->rep->rrset_count == 1) { 189 msg->rep->ttl = get_rrset_ttl(msg->rep->rrsets[0]); 190 msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(msg->rep->ttl); 191 msg->rep->serve_expired_ttl = msg->rep->ttl + SERVE_EXPIRED_TTL; 192 } else if(get_rrset_ttl(msg->rep->rrsets[msg->rep->rrset_count-1]) < 193 msg->rep->ttl) { 194 msg->rep->ttl = get_rrset_ttl(msg->rep->rrsets[ 195 msg->rep->rrset_count-1]); 196 msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(msg->rep->ttl); 197 msg->rep->serve_expired_ttl = msg->rep->ttl + SERVE_EXPIRED_TTL; 198 } 199} 200 201/** see if rrset is a duplicate in the answer message */ 202static int 203msg_rrset_duplicate(struct dns_msg* msg, uint8_t* nm, size_t nmlen, 204 uint16_t type, uint16_t dclass) 205{ 206 size_t i; 207 for(i=0; i<msg->rep->rrset_count; i++) { 208 struct ub_packed_rrset_key* k = msg->rep->rrsets[i]; 209 if(ntohs(k->rk.type) == type && k->rk.dname_len == nmlen && 210 ntohs(k->rk.rrset_class) == dclass && 211 query_dname_compare(k->rk.dname, nm) == 0) 212 return 1; 213 } 214 return 0; 215} 216 217/** add rrset to answer section (no auth, add rrsets yet) */ 218static int 219msg_add_rrset_an(struct auth_zone* z, struct regional* region, 220 struct dns_msg* msg, struct auth_data* node, struct auth_rrset* rrset) 221{ 222 log_assert(msg->rep->ns_numrrsets == 0); 223 log_assert(msg->rep->ar_numrrsets == 0); 224 if(!rrset || !node) 225 return 1; 226 if(msg_rrset_duplicate(msg, node->name, node->namelen, rrset->type, 227 z->dclass)) 228 return 1; 229 /* grow array */ 230 if(!msg_grow_array(region, msg)) 231 return 0; 232 /* copy it */ 233 if(!(msg->rep->rrsets[msg->rep->rrset_count] = 234 auth_packed_rrset_copy_region(z, node, rrset, region, 0))) 235 return 0; 236 msg->rep->rrset_count++; 237 msg->rep->an_numrrsets++; 238 msg_ttl(msg); 239 return 1; 240} 241 242/** add rrset to authority section (no additonal section rrsets yet) */ 243static int 244msg_add_rrset_ns(struct auth_zone* z, struct regional* region, 245 struct dns_msg* msg, struct auth_data* node, struct auth_rrset* rrset) 246{ 247 log_assert(msg->rep->ar_numrrsets == 0); 248 if(!rrset || !node) 249 return 1; 250 if(msg_rrset_duplicate(msg, node->name, node->namelen, rrset->type, 251 z->dclass)) 252 return 1; 253 /* grow array */ 254 if(!msg_grow_array(region, msg)) 255 return 0; 256 /* copy it */ 257 if(!(msg->rep->rrsets[msg->rep->rrset_count] = 258 auth_packed_rrset_copy_region(z, node, rrset, region, 0))) 259 return 0; 260 msg->rep->rrset_count++; 261 msg->rep->ns_numrrsets++; 262 msg_ttl(msg); 263 return 1; 264} 265 266/** add rrset to additional section */ 267static int 268msg_add_rrset_ar(struct auth_zone* z, struct regional* region, 269 struct dns_msg* msg, struct auth_data* node, struct auth_rrset* rrset) 270{ 271 if(!rrset || !node) 272 return 1; 273 if(msg_rrset_duplicate(msg, node->name, node->namelen, rrset->type, 274 z->dclass)) 275 return 1; 276 /* grow array */ 277 if(!msg_grow_array(region, msg)) 278 return 0; 279 /* copy it */ 280 if(!(msg->rep->rrsets[msg->rep->rrset_count] = 281 auth_packed_rrset_copy_region(z, node, rrset, region, 0))) 282 return 0; 283 msg->rep->rrset_count++; 284 msg->rep->ar_numrrsets++; 285 msg_ttl(msg); 286 return 1; 287} 288 289struct auth_zones* auth_zones_create(void) 290{ 291 struct auth_zones* az = (struct auth_zones*)calloc(1, sizeof(*az)); 292 if(!az) { 293 log_err("out of memory"); 294 return NULL; 295 } 296 rbtree_init(&az->ztree, &auth_zone_cmp); 297 rbtree_init(&az->xtree, &auth_xfer_cmp); 298 lock_rw_init(&az->lock); 299 lock_protect(&az->lock, &az->ztree, sizeof(az->ztree)); 300 lock_protect(&az->lock, &az->xtree, sizeof(az->xtree)); 301 /* also lock protects the rbnode's in struct auth_zone, auth_xfer */ 302 return az; 303} 304 305int auth_zone_cmp(const void* z1, const void* z2) 306{ 307 /* first sort on class, so that hierarchy can be maintained within 308 * a class */ 309 struct auth_zone* a = (struct auth_zone*)z1; 310 struct auth_zone* b = (struct auth_zone*)z2; 311 int m; 312 if(a->dclass != b->dclass) { 313 if(a->dclass < b->dclass) 314 return -1; 315 return 1; 316 } 317 /* sorted such that higher zones sort before lower zones (their 318 * contents) */ 319 return dname_lab_cmp(a->name, a->namelabs, b->name, b->namelabs, &m); 320} 321 322int auth_data_cmp(const void* z1, const void* z2) 323{ 324 struct auth_data* a = (struct auth_data*)z1; 325 struct auth_data* b = (struct auth_data*)z2; 326 int m; 327 /* canonical sort, because DNSSEC needs that */ 328 return dname_canon_lab_cmp(a->name, a->namelabs, b->name, 329 b->namelabs, &m); 330} 331 332int auth_xfer_cmp(const void* z1, const void* z2) 333{ 334 /* first sort on class, so that hierarchy can be maintained within 335 * a class */ 336 struct auth_xfer* a = (struct auth_xfer*)z1; 337 struct auth_xfer* b = (struct auth_xfer*)z2; 338 int m; 339 if(a->dclass != b->dclass) { 340 if(a->dclass < b->dclass) 341 return -1; 342 return 1; 343 } 344 /* sorted such that higher zones sort before lower zones (their 345 * contents) */ 346 return dname_lab_cmp(a->name, a->namelabs, b->name, b->namelabs, &m); 347} 348 349/** delete auth rrset node */ 350static void 351auth_rrset_delete(struct auth_rrset* rrset) 352{ 353 if(!rrset) return; 354 free(rrset->data); 355 free(rrset); 356} 357 358/** delete auth data domain node */ 359static void 360auth_data_delete(struct auth_data* n) 361{ 362 struct auth_rrset* p, *np; 363 if(!n) return; 364 p = n->rrsets; 365 while(p) { 366 np = p->next; 367 auth_rrset_delete(p); 368 p = np; 369 } 370 free(n->name); 371 free(n); 372} 373 374/** helper traverse to delete zones */ 375static void 376auth_data_del(rbnode_type* n, void* ATTR_UNUSED(arg)) 377{ 378 struct auth_data* z = (struct auth_data*)n->key; 379 auth_data_delete(z); 380} 381 382/** delete an auth zone structure (tree remove must be done elsewhere) */ 383static void 384auth_zone_delete(struct auth_zone* z) 385{ 386 if(!z) return; 387 lock_rw_destroy(&z->lock); 388 traverse_postorder(&z->data, auth_data_del, NULL); 389 free(z->name); 390 free(z->zonefile); 391 free(z); 392} 393 394struct auth_zone* 395auth_zone_create(struct auth_zones* az, uint8_t* nm, size_t nmlen, 396 uint16_t dclass) 397{ 398 struct auth_zone* z = (struct auth_zone*)calloc(1, sizeof(*z)); 399 if(!z) { 400 return NULL; 401 } 402 z->node.key = z; 403 z->dclass = dclass; 404 z->namelen = nmlen; 405 z->namelabs = dname_count_labels(nm); 406 z->name = memdup(nm, nmlen); 407 if(!z->name) { 408 free(z); 409 return NULL; 410 } 411 rbtree_init(&z->data, &auth_data_cmp); 412 lock_rw_init(&z->lock); 413 lock_protect(&z->lock, &z->name, sizeof(*z)-sizeof(rbnode_type)); 414 lock_rw_wrlock(&z->lock); 415 /* z lock protects all, except rbtree itself, which is az->lock */ 416 if(!rbtree_insert(&az->ztree, &z->node)) { 417 lock_rw_unlock(&z->lock); 418 auth_zone_delete(z); 419 log_warn("duplicate auth zone"); 420 return NULL; 421 } 422 return z; 423} 424 425struct auth_zone* 426auth_zone_find(struct auth_zones* az, uint8_t* nm, size_t nmlen, 427 uint16_t dclass) 428{ 429 struct auth_zone key; 430 key.node.key = &key; 431 key.dclass = dclass; 432 key.name = nm; 433 key.namelen = nmlen; 434 key.namelabs = dname_count_labels(nm); 435 return (struct auth_zone*)rbtree_search(&az->ztree, &key); 436} 437 438struct auth_xfer* 439auth_xfer_find(struct auth_zones* az, uint8_t* nm, size_t nmlen, 440 uint16_t dclass) 441{ 442 struct auth_xfer key; 443 key.node.key = &key; 444 key.dclass = dclass; 445 key.name = nm; 446 key.namelen = nmlen; 447 key.namelabs = dname_count_labels(nm); 448 return (struct auth_xfer*)rbtree_search(&az->xtree, &key); 449} 450 451/** find an auth zone or sorted less-or-equal, return true if exact */ 452static int 453auth_zone_find_less_equal(struct auth_zones* az, uint8_t* nm, size_t nmlen, 454 uint16_t dclass, struct auth_zone** z) 455{ 456 struct auth_zone key; 457 key.node.key = &key; 458 key.dclass = dclass; 459 key.name = nm; 460 key.namelen = nmlen; 461 key.namelabs = dname_count_labels(nm); 462 return rbtree_find_less_equal(&az->ztree, &key, (rbnode_type**)z); 463} 464 465 466/** find the auth zone that is above the given name */ 467struct auth_zone* 468auth_zones_find_zone(struct auth_zones* az, uint8_t* name, size_t name_len, 469 uint16_t dclass) 470{ 471 uint8_t* nm = name; 472 size_t nmlen = name_len; 473 struct auth_zone* z; 474 if(auth_zone_find_less_equal(az, nm, nmlen, dclass, &z)) { 475 /* exact match */ 476 return z; 477 } else { 478 /* less-or-nothing */ 479 if(!z) return NULL; /* nothing smaller, nothing above it */ 480 /* we found smaller name; smaller may be above the name, 481 * but not below it. */ 482 nm = dname_get_shared_topdomain(z->name, name); 483 dname_count_size_labels(nm, &nmlen); 484 z = NULL; 485 } 486 487 /* search up */ 488 while(!z) { 489 z = auth_zone_find(az, nm, nmlen, dclass); 490 if(z) return z; 491 if(dname_is_root(nm)) break; 492 dname_remove_label(&nm, &nmlen); 493 } 494 return NULL; 495} 496 497/** find or create zone with name str. caller must have lock on az. 498 * returns a wrlocked zone */ 499static struct auth_zone* 500auth_zones_find_or_add_zone(struct auth_zones* az, char* name) 501{ 502 uint8_t nm[LDNS_MAX_DOMAINLEN+1]; 503 size_t nmlen = sizeof(nm); 504 struct auth_zone* z; 505 506 if(sldns_str2wire_dname_buf(name, nm, &nmlen) != 0) { 507 log_err("cannot parse auth zone name: %s", name); 508 return 0; 509 } 510 z = auth_zone_find(az, nm, nmlen, LDNS_RR_CLASS_IN); 511 if(!z) { 512 /* not found, create the zone */ 513 z = auth_zone_create(az, nm, nmlen, LDNS_RR_CLASS_IN); 514 } else { 515 lock_rw_wrlock(&z->lock); 516 } 517 return z; 518} 519 520/** find or create xfer zone with name str. caller must have lock on az. 521 * returns a locked xfer */ 522static struct auth_xfer* 523auth_zones_find_or_add_xfer(struct auth_zones* az, struct auth_zone* z) 524{ 525 struct auth_xfer* x; 526 x = auth_xfer_find(az, z->name, z->namelen, z->dclass); 527 if(!x) { 528 /* not found, create the zone */ 529 x = auth_xfer_create(az, z); 530 } else { 531 lock_basic_lock(&x->lock); 532 } 533 return x; 534} 535 536int 537auth_zone_set_zonefile(struct auth_zone* z, char* zonefile) 538{ 539 if(z->zonefile) free(z->zonefile); 540 if(zonefile == NULL) { 541 z->zonefile = NULL; 542 } else { 543 z->zonefile = strdup(zonefile); 544 if(!z->zonefile) { 545 log_err("malloc failure"); 546 return 0; 547 } 548 } 549 return 1; 550} 551 552/** set auth zone fallback. caller must have lock on zone */ 553int 554auth_zone_set_fallback(struct auth_zone* z, char* fallbackstr) 555{ 556 if(strcmp(fallbackstr, "yes") != 0 && strcmp(fallbackstr, "no") != 0){ 557 log_err("auth zone fallback, expected yes or no, got %s", 558 fallbackstr); 559 return 0; 560 } 561 z->fallback_enabled = (strcmp(fallbackstr, "yes")==0); 562 return 1; 563} 564 565/** create domain with the given name */ 566static struct auth_data* 567az_domain_create(struct auth_zone* z, uint8_t* nm, size_t nmlen) 568{ 569 struct auth_data* n = (struct auth_data*)malloc(sizeof(*n)); 570 if(!n) return NULL; 571 memset(n, 0, sizeof(*n)); 572 n->node.key = n; 573 n->name = memdup(nm, nmlen); 574 if(!n->name) { 575 free(n); 576 return NULL; 577 } 578 n->namelen = nmlen; 579 n->namelabs = dname_count_labels(nm); 580 if(!rbtree_insert(&z->data, &n->node)) { 581 log_warn("duplicate auth domain name"); 582 free(n->name); 583 free(n); 584 return NULL; 585 } 586 return n; 587} 588 589/** find domain with exactly the given name */ 590static struct auth_data* 591az_find_name(struct auth_zone* z, uint8_t* nm, size_t nmlen) 592{ 593 struct auth_zone key; 594 key.node.key = &key; 595 key.name = nm; 596 key.namelen = nmlen; 597 key.namelabs = dname_count_labels(nm); 598 return (struct auth_data*)rbtree_search(&z->data, &key); 599} 600 601/** Find domain name (or closest match) */ 602static void 603az_find_domain(struct auth_zone* z, struct query_info* qinfo, int* node_exact, 604 struct auth_data** node) 605{ 606 struct auth_zone key; 607 key.node.key = &key; 608 key.name = qinfo->qname; 609 key.namelen = qinfo->qname_len; 610 key.namelabs = dname_count_labels(key.name); 611 *node_exact = rbtree_find_less_equal(&z->data, &key, 612 (rbnode_type**)node); 613} 614 615/** find or create domain with name in zone */ 616static struct auth_data* 617az_domain_find_or_create(struct auth_zone* z, uint8_t* dname, 618 size_t dname_len) 619{ 620 struct auth_data* n = az_find_name(z, dname, dname_len); 621 if(!n) { 622 n = az_domain_create(z, dname, dname_len); 623 } 624 return n; 625} 626 627/** find rrset of given type in the domain */ 628static struct auth_rrset* 629az_domain_rrset(struct auth_data* n, uint16_t t) 630{ 631 struct auth_rrset* rrset; 632 if(!n) return NULL; 633 rrset = n->rrsets; 634 while(rrset) { 635 if(rrset->type == t) 636 return rrset; 637 rrset = rrset->next; 638 } 639 return NULL; 640} 641 642/** remove rrset of this type from domain */ 643static void 644domain_remove_rrset(struct auth_data* node, uint16_t rr_type) 645{ 646 struct auth_rrset* rrset, *prev; 647 if(!node) return; 648 prev = NULL; 649 rrset = node->rrsets; 650 while(rrset) { 651 if(rrset->type == rr_type) { 652 /* found it, now delete it */ 653 if(prev) prev->next = rrset->next; 654 else node->rrsets = rrset->next; 655 auth_rrset_delete(rrset); 656 return; 657 } 658 prev = rrset; 659 rrset = rrset->next; 660 } 661} 662 663/** find an rr index in the rrset. returns true if found */ 664static int 665az_rrset_find_rr(struct packed_rrset_data* d, uint8_t* rdata, size_t len, 666 size_t* index) 667{ 668 size_t i; 669 for(i=0; i<d->count; i++) { 670 if(d->rr_len[i] != len) 671 continue; 672 if(memcmp(d->rr_data[i], rdata, len) == 0) { 673 *index = i; 674 return 1; 675 } 676 } 677 return 0; 678} 679 680/** find an rrsig index in the rrset. returns true if found */ 681static int 682az_rrset_find_rrsig(struct packed_rrset_data* d, uint8_t* rdata, size_t len, 683 size_t* index) 684{ 685 size_t i; 686 for(i=d->count; i<d->count + d->rrsig_count; i++) { 687 if(d->rr_len[i] != len) 688 continue; 689 if(memcmp(d->rr_data[i], rdata, len) == 0) { 690 *index = i; 691 return 1; 692 } 693 } 694 return 0; 695} 696 697/** see if rdata is duplicate */ 698static int 699rdata_duplicate(struct packed_rrset_data* d, uint8_t* rdata, size_t len) 700{ 701 size_t i; 702 for(i=0; i<d->count + d->rrsig_count; i++) { 703 if(d->rr_len[i] != len) 704 continue; 705 if(memcmp(d->rr_data[i], rdata, len) == 0) 706 return 1; 707 } 708 return 0; 709} 710 711/** get rrsig type covered from rdata. 712 * @param rdata: rdata in wireformat, starting with 16bit rdlength. 713 * @param rdatalen: length of rdata buffer. 714 * @return type covered (or 0). 715 */ 716static uint16_t 717rrsig_rdata_get_type_covered(uint8_t* rdata, size_t rdatalen) 718{ 719 if(rdatalen < 4) 720 return 0; 721 return sldns_read_uint16(rdata+2); 722} 723 724/** remove RR from existing RRset. Also sig, if it is a signature. 725 * reallocates the packed rrset for a new one, false on alloc failure */ 726static int 727rrset_remove_rr(struct auth_rrset* rrset, size_t index) 728{ 729 struct packed_rrset_data* d, *old = rrset->data; 730 size_t i; 731 if(index >= old->count + old->rrsig_count) 732 return 0; /* index out of bounds */ 733 d = (struct packed_rrset_data*)calloc(1, packed_rrset_sizeof(old) - ( 734 sizeof(size_t) + sizeof(uint8_t*) + sizeof(time_t) + 735 old->rr_len[index])); 736 if(!d) { 737 log_err("malloc failure"); 738 return 0; 739 } 740 d->ttl = old->ttl; 741 d->count = old->count; 742 d->rrsig_count = old->rrsig_count; 743 if(index < d->count) d->count--; 744 else d->rrsig_count--; 745 d->trust = old->trust; 746 d->security = old->security; 747 748 /* set rr_len, needed for ptr_fixup */ 749 d->rr_len = (size_t*)((uint8_t*)d + 750 sizeof(struct packed_rrset_data)); 751 if(index > 0) 752 memmove(d->rr_len, old->rr_len, (index)*sizeof(size_t)); 753 if(index+1 < old->count+old->rrsig_count) 754 memmove(&d->rr_len[index], &old->rr_len[index+1], 755 (old->count+old->rrsig_count - (index+1))*sizeof(size_t)); 756 packed_rrset_ptr_fixup(d); 757 758 /* move over ttls */ 759 if(index > 0) 760 memmove(d->rr_ttl, old->rr_ttl, (index)*sizeof(time_t)); 761 if(index+1 < old->count+old->rrsig_count) 762 memmove(&d->rr_ttl[index], &old->rr_ttl[index+1], 763 (old->count+old->rrsig_count - (index+1))*sizeof(time_t)); 764 765 /* move over rr_data */ 766 for(i=0; i<d->count+d->rrsig_count; i++) { 767 size_t oldi; 768 if(i < index) oldi = i; 769 else oldi = i+1; 770 memmove(d->rr_data[i], old->rr_data[oldi], d->rr_len[i]); 771 } 772 773 /* recalc ttl (lowest of remaining RR ttls) */ 774 if(d->count + d->rrsig_count > 0) 775 d->ttl = d->rr_ttl[0]; 776 for(i=0; i<d->count+d->rrsig_count; i++) { 777 if(d->rr_ttl[i] < d->ttl) 778 d->ttl = d->rr_ttl[i]; 779 } 780 781 free(rrset->data); 782 rrset->data = d; 783 return 1; 784} 785 786/** add RR to existing RRset. If insert_sig is true, add to rrsigs. 787 * This reallocates the packed rrset for a new one */ 788static int 789rrset_add_rr(struct auth_rrset* rrset, uint32_t rr_ttl, uint8_t* rdata, 790 size_t rdatalen, int insert_sig) 791{ 792 struct packed_rrset_data* d, *old = rrset->data; 793 size_t total, old_total; 794 795 d = (struct packed_rrset_data*)calloc(1, packed_rrset_sizeof(old) 796 + sizeof(size_t) + sizeof(uint8_t*) + sizeof(time_t) 797 + rdatalen); 798 if(!d) { 799 log_err("out of memory"); 800 return 0; 801 } 802 /* copy base values */ 803 memcpy(d, old, sizeof(struct packed_rrset_data)); 804 if(!insert_sig) { 805 d->count++; 806 } else { 807 d->rrsig_count++; 808 } 809 old_total = old->count + old->rrsig_count; 810 total = d->count + d->rrsig_count; 811 /* set rr_len, needed for ptr_fixup */ 812 d->rr_len = (size_t*)((uint8_t*)d + 813 sizeof(struct packed_rrset_data)); 814 if(old->count != 0) 815 memmove(d->rr_len, old->rr_len, old->count*sizeof(size_t)); 816 if(old->rrsig_count != 0) 817 memmove(d->rr_len+d->count, old->rr_len+old->count, 818 old->rrsig_count*sizeof(size_t)); 819 if(!insert_sig) 820 d->rr_len[d->count-1] = rdatalen; 821 else d->rr_len[total-1] = rdatalen; 822 packed_rrset_ptr_fixup(d); 823 if((time_t)rr_ttl < d->ttl) 824 d->ttl = rr_ttl; 825 826 /* copy old values into new array */ 827 if(old->count != 0) { 828 memmove(d->rr_ttl, old->rr_ttl, old->count*sizeof(time_t)); 829 /* all the old rr pieces are allocated sequential, so we 830 * can copy them in one go */ 831 memmove(d->rr_data[0], old->rr_data[0], 832 (old->rr_data[old->count-1] - old->rr_data[0]) + 833 old->rr_len[old->count-1]); 834 } 835 if(old->rrsig_count != 0) { 836 memmove(d->rr_ttl+d->count, old->rr_ttl+old->count, 837 old->rrsig_count*sizeof(time_t)); 838 memmove(d->rr_data[d->count], old->rr_data[old->count], 839 (old->rr_data[old_total-1] - old->rr_data[old->count]) + 840 old->rr_len[old_total-1]); 841 } 842 843 /* insert new value */ 844 if(!insert_sig) { 845 d->rr_ttl[d->count-1] = rr_ttl; 846 memmove(d->rr_data[d->count-1], rdata, rdatalen); 847 } else { 848 d->rr_ttl[total-1] = rr_ttl; 849 memmove(d->rr_data[total-1], rdata, rdatalen); 850 } 851 852 rrset->data = d; 853 free(old); 854 return 1; 855} 856 857/** Create new rrset for node with packed rrset with one RR element */ 858static struct auth_rrset* 859rrset_create(struct auth_data* node, uint16_t rr_type, uint32_t rr_ttl, 860 uint8_t* rdata, size_t rdatalen) 861{ 862 struct auth_rrset* rrset = (struct auth_rrset*)calloc(1, 863 sizeof(*rrset)); 864 struct auth_rrset* p, *prev; 865 struct packed_rrset_data* d; 866 if(!rrset) { 867 log_err("out of memory"); 868 return NULL; 869 } 870 rrset->type = rr_type; 871 872 /* the rrset data structure, with one RR */ 873 d = (struct packed_rrset_data*)calloc(1, 874 sizeof(struct packed_rrset_data) + sizeof(size_t) + 875 sizeof(uint8_t*) + sizeof(time_t) + rdatalen); 876 if(!d) { 877 free(rrset); 878 log_err("out of memory"); 879 return NULL; 880 } 881 rrset->data = d; 882 d->ttl = rr_ttl; 883 d->trust = rrset_trust_prim_noglue; 884 d->rr_len = (size_t*)((uint8_t*)d + sizeof(struct packed_rrset_data)); 885 d->rr_data = (uint8_t**)&(d->rr_len[1]); 886 d->rr_ttl = (time_t*)&(d->rr_data[1]); 887 d->rr_data[0] = (uint8_t*)&(d->rr_ttl[1]); 888 889 /* insert the RR */ 890 d->rr_len[0] = rdatalen; 891 d->rr_ttl[0] = rr_ttl; 892 memmove(d->rr_data[0], rdata, rdatalen); 893 d->count++; 894 895 /* insert rrset into linked list for domain */ 896 /* find sorted place to link the rrset into the list */ 897 prev = NULL; 898 p = node->rrsets; 899 while(p && p->type<=rr_type) { 900 prev = p; 901 p = p->next; 902 } 903 /* so, prev is smaller, and p is larger than rr_type */ 904 rrset->next = p; 905 if(prev) prev->next = rrset; 906 else node->rrsets = rrset; 907 return rrset; 908} 909 910/** count number (and size) of rrsigs that cover a type */ 911static size_t 912rrsig_num_that_cover(struct auth_rrset* rrsig, uint16_t rr_type, size_t* sigsz) 913{ 914 struct packed_rrset_data* d = rrsig->data; 915 size_t i, num = 0; 916 *sigsz = 0; 917 log_assert(d && rrsig->type == LDNS_RR_TYPE_RRSIG); 918 for(i=0; i<d->count+d->rrsig_count; i++) { 919 if(rrsig_rdata_get_type_covered(d->rr_data[i], 920 d->rr_len[i]) == rr_type) { 921 num++; 922 (*sigsz) += d->rr_len[i]; 923 } 924 } 925 return num; 926} 927 928/** See if rrsig set has covered sigs for rrset and move them over */ 929static int 930rrset_moveover_rrsigs(struct auth_data* node, uint16_t rr_type, 931 struct auth_rrset* rrset, struct auth_rrset* rrsig) 932{ 933 size_t sigs, sigsz, i, j, total; 934 struct packed_rrset_data* sigold = rrsig->data; 935 struct packed_rrset_data* old = rrset->data; 936 struct packed_rrset_data* d, *sigd; 937 938 log_assert(rrset->type == rr_type); 939 log_assert(rrsig->type == LDNS_RR_TYPE_RRSIG); 940 sigs = rrsig_num_that_cover(rrsig, rr_type, &sigsz); 941 if(sigs == 0) { 942 /* 0 rrsigs to move over, done */ 943 return 1; 944 } 945 946 /* allocate rrset sigsz larger for extra sigs elements, and 947 * allocate rrsig sigsz smaller for less sigs elements. */ 948 d = (struct packed_rrset_data*)calloc(1, packed_rrset_sizeof(old) 949 + sigs*(sizeof(size_t) + sizeof(uint8_t*) + sizeof(time_t)) 950 + sigsz); 951 if(!d) { 952 log_err("out of memory"); 953 return 0; 954 } 955 /* copy base values */ 956 total = old->count + old->rrsig_count; 957 memcpy(d, old, sizeof(struct packed_rrset_data)); 958 d->rrsig_count += sigs; 959 /* setup rr_len */ 960 d->rr_len = (size_t*)((uint8_t*)d + 961 sizeof(struct packed_rrset_data)); 962 if(total != 0) 963 memmove(d->rr_len, old->rr_len, total*sizeof(size_t)); 964 j = d->count+d->rrsig_count-sigs; 965 for(i=0; i<sigold->count+sigold->rrsig_count; i++) { 966 if(rrsig_rdata_get_type_covered(sigold->rr_data[i], 967 sigold->rr_len[i]) == rr_type) { 968 d->rr_len[j] = sigold->rr_len[i]; 969 j++; 970 } 971 } 972 packed_rrset_ptr_fixup(d); 973 974 /* copy old values into new array */ 975 if(total != 0) { 976 memmove(d->rr_ttl, old->rr_ttl, total*sizeof(time_t)); 977 /* all the old rr pieces are allocated sequential, so we 978 * can copy them in one go */ 979 memmove(d->rr_data[0], old->rr_data[0], 980 (old->rr_data[total-1] - old->rr_data[0]) + 981 old->rr_len[total-1]); 982 } 983 984 /* move over the rrsigs to the larger rrset*/ 985 j = d->count+d->rrsig_count-sigs; 986 for(i=0; i<sigold->count+sigold->rrsig_count; i++) { 987 if(rrsig_rdata_get_type_covered(sigold->rr_data[i], 988 sigold->rr_len[i]) == rr_type) { 989 /* move this one over to location j */ 990 d->rr_ttl[j] = sigold->rr_ttl[i]; 991 memmove(d->rr_data[j], sigold->rr_data[i], 992 sigold->rr_len[i]); 993 if(d->rr_ttl[j] < d->ttl) 994 d->ttl = d->rr_ttl[j]; 995 j++; 996 } 997 } 998 999 /* put it in and deallocate the old rrset */ 1000 rrset->data = d; 1001 free(old); 1002 1003 /* now make rrsig set smaller */ 1004 if(sigold->count+sigold->rrsig_count == sigs) { 1005 /* remove all sigs from rrsig, remove it entirely */ 1006 domain_remove_rrset(node, LDNS_RR_TYPE_RRSIG); 1007 return 1; 1008 } 1009 log_assert(packed_rrset_sizeof(sigold) > sigs*(sizeof(size_t) + 1010 sizeof(uint8_t*) + sizeof(time_t)) + sigsz); 1011 sigd = (struct packed_rrset_data*)calloc(1, packed_rrset_sizeof(sigold) 1012 - sigs*(sizeof(size_t) + sizeof(uint8_t*) + sizeof(time_t)) 1013 - sigsz); 1014 if(!sigd) { 1015 /* no need to free up d, it has already been placed in the 1016 * node->rrset structure */ 1017 log_err("out of memory"); 1018 return 0; 1019 } 1020 /* copy base values */ 1021 memcpy(sigd, sigold, sizeof(struct packed_rrset_data)); 1022 /* in sigd the RRSIGs are stored in the base of the RR, in count */ 1023 sigd->count -= sigs; 1024 /* setup rr_len */ 1025 sigd->rr_len = (size_t*)((uint8_t*)sigd + 1026 sizeof(struct packed_rrset_data)); 1027 j = 0; 1028 for(i=0; i<sigold->count+sigold->rrsig_count; i++) { 1029 if(rrsig_rdata_get_type_covered(sigold->rr_data[i], 1030 sigold->rr_len[i]) != rr_type) { 1031 sigd->rr_len[j] = sigold->rr_len[i]; 1032 j++; 1033 } 1034 } 1035 packed_rrset_ptr_fixup(sigd); 1036 1037 /* copy old values into new rrsig array */ 1038 j = 0; 1039 for(i=0; i<sigold->count+sigold->rrsig_count; i++) { 1040 if(rrsig_rdata_get_type_covered(sigold->rr_data[i], 1041 sigold->rr_len[i]) != rr_type) { 1042 /* move this one over to location j */ 1043 sigd->rr_ttl[j] = sigold->rr_ttl[i]; 1044 memmove(sigd->rr_data[j], sigold->rr_data[i], 1045 sigold->rr_len[i]); 1046 if(j==0) sigd->ttl = sigd->rr_ttl[j]; 1047 else { 1048 if(sigd->rr_ttl[j] < sigd->ttl) 1049 sigd->ttl = sigd->rr_ttl[j]; 1050 } 1051 j++; 1052 } 1053 } 1054 1055 /* put it in and deallocate the old rrset */ 1056 rrsig->data = sigd; 1057 free(sigold); 1058 1059 return 1; 1060} 1061 1062/** copy the rrsigs from the rrset to the rrsig rrset, because the rrset 1063 * is going to be deleted. reallocates the RRSIG rrset data. */ 1064static int 1065rrsigs_copy_from_rrset_to_rrsigset(struct auth_rrset* rrset, 1066 struct auth_rrset* rrsigset) 1067{ 1068 size_t i; 1069 if(rrset->data->rrsig_count == 0) 1070 return 1; 1071 1072 /* move them over one by one, because there might be duplicates, 1073 * duplicates are ignored */ 1074 for(i=rrset->data->count; 1075 i<rrset->data->count+rrset->data->rrsig_count; i++) { 1076 uint8_t* rdata = rrset->data->rr_data[i]; 1077 size_t rdatalen = rrset->data->rr_len[i]; 1078 time_t rr_ttl = rrset->data->rr_ttl[i]; 1079 1080 if(rdata_duplicate(rrsigset->data, rdata, rdatalen)) { 1081 continue; 1082 } 1083 if(!rrset_add_rr(rrsigset, rr_ttl, rdata, rdatalen, 0)) 1084 return 0; 1085 } 1086 return 1; 1087} 1088 1089/** Add rr to node, ignores duplicate RRs, 1090 * rdata points to buffer with rdatalen octets, starts with 2bytelength. */ 1091static int 1092az_domain_add_rr(struct auth_data* node, uint16_t rr_type, uint32_t rr_ttl, 1093 uint8_t* rdata, size_t rdatalen, int* duplicate) 1094{ 1095 struct auth_rrset* rrset; 1096 /* packed rrsets have their rrsigs along with them, sort them out */ 1097 if(rr_type == LDNS_RR_TYPE_RRSIG) { 1098 uint16_t ctype = rrsig_rdata_get_type_covered(rdata, rdatalen); 1099 if((rrset=az_domain_rrset(node, ctype))!= NULL) { 1100 /* a node of the correct type exists, add the RRSIG 1101 * to the rrset of the covered data type */ 1102 if(rdata_duplicate(rrset->data, rdata, rdatalen)) { 1103 if(duplicate) *duplicate = 1; 1104 return 1; 1105 } 1106 if(!rrset_add_rr(rrset, rr_ttl, rdata, rdatalen, 1)) 1107 return 0; 1108 } else if((rrset=az_domain_rrset(node, rr_type))!= NULL) { 1109 /* add RRSIG to rrset of type RRSIG */ 1110 if(rdata_duplicate(rrset->data, rdata, rdatalen)) { 1111 if(duplicate) *duplicate = 1; 1112 return 1; 1113 } 1114 if(!rrset_add_rr(rrset, rr_ttl, rdata, rdatalen, 0)) 1115 return 0; 1116 } else { 1117 /* create rrset of type RRSIG */ 1118 if(!rrset_create(node, rr_type, rr_ttl, rdata, 1119 rdatalen)) 1120 return 0; 1121 } 1122 } else { 1123 /* normal RR type */ 1124 if((rrset=az_domain_rrset(node, rr_type))!= NULL) { 1125 /* add data to existing node with data type */ 1126 if(rdata_duplicate(rrset->data, rdata, rdatalen)) { 1127 if(duplicate) *duplicate = 1; 1128 return 1; 1129 } 1130 if(!rrset_add_rr(rrset, rr_ttl, rdata, rdatalen, 0)) 1131 return 0; 1132 } else { 1133 struct auth_rrset* rrsig; 1134 /* create new node with data type */ 1135 if(!(rrset=rrset_create(node, rr_type, rr_ttl, rdata, 1136 rdatalen))) 1137 return 0; 1138 1139 /* see if node of type RRSIG has signatures that 1140 * cover the data type, and move them over */ 1141 /* and then make the RRSIG type smaller */ 1142 if((rrsig=az_domain_rrset(node, LDNS_RR_TYPE_RRSIG)) 1143 != NULL) { 1144 if(!rrset_moveover_rrsigs(node, rr_type, 1145 rrset, rrsig)) 1146 return 0; 1147 } 1148 } 1149 } 1150 return 1; 1151} 1152 1153/** insert RR into zone, ignore duplicates */ 1154static int 1155az_insert_rr(struct auth_zone* z, uint8_t* rr, size_t rr_len, 1156 size_t dname_len, int* duplicate) 1157{ 1158 struct auth_data* node; 1159 uint8_t* dname = rr; 1160 uint16_t rr_type = sldns_wirerr_get_type(rr, rr_len, dname_len); 1161 uint16_t rr_class = sldns_wirerr_get_class(rr, rr_len, dname_len); 1162 uint32_t rr_ttl = sldns_wirerr_get_ttl(rr, rr_len, dname_len); 1163 size_t rdatalen = ((size_t)sldns_wirerr_get_rdatalen(rr, rr_len, 1164 dname_len))+2; 1165 /* rdata points to rdata prefixed with uint16 rdatalength */ 1166 uint8_t* rdata = sldns_wirerr_get_rdatawl(rr, rr_len, dname_len); 1167 1168 if(rr_class != z->dclass) { 1169 log_err("wrong class for RR"); 1170 return 0; 1171 } 1172 if(!(node=az_domain_find_or_create(z, dname, dname_len))) { 1173 log_err("cannot create domain"); 1174 return 0; 1175 } 1176 if(!az_domain_add_rr(node, rr_type, rr_ttl, rdata, rdatalen, 1177 duplicate)) { 1178 log_err("cannot add RR to domain"); 1179 return 0; 1180 } 1181 return 1; 1182} 1183 1184/** Remove rr from node, ignores nonexisting RRs, 1185 * rdata points to buffer with rdatalen octets, starts with 2bytelength. */ 1186static int 1187az_domain_remove_rr(struct auth_data* node, uint16_t rr_type, 1188 uint8_t* rdata, size_t rdatalen, int* nonexist) 1189{ 1190 struct auth_rrset* rrset; 1191 size_t index = 0; 1192 1193 /* find the plain RR of the given type */ 1194 if((rrset=az_domain_rrset(node, rr_type))!= NULL) { 1195 if(az_rrset_find_rr(rrset->data, rdata, rdatalen, &index)) { 1196 if(rrset->data->count == 1 && 1197 rrset->data->rrsig_count == 0) { 1198 /* last RR, delete the rrset */ 1199 domain_remove_rrset(node, rr_type); 1200 } else if(rrset->data->count == 1 && 1201 rrset->data->rrsig_count != 0) { 1202 /* move RRSIGs to the RRSIG rrset, or 1203 * this one becomes that RRset */ 1204 struct auth_rrset* rrsigset = az_domain_rrset( 1205 node, LDNS_RR_TYPE_RRSIG); 1206 if(rrsigset) { 1207 /* move left over rrsigs to the 1208 * existing rrset of type RRSIG */ 1209 rrsigs_copy_from_rrset_to_rrsigset( 1210 rrset, rrsigset); 1211 /* and then delete the rrset */ 1212 domain_remove_rrset(node, rr_type); 1213 } else { 1214 /* no rrset of type RRSIG, this 1215 * set is now of that type, 1216 * just remove the rr */ 1217 if(!rrset_remove_rr(rrset, index)) 1218 return 0; 1219 rrset->type = LDNS_RR_TYPE_RRSIG; 1220 rrset->data->count = rrset->data->rrsig_count; 1221 rrset->data->rrsig_count = 0; 1222 } 1223 } else { 1224 /* remove the RR from the rrset */ 1225 if(!rrset_remove_rr(rrset, index)) 1226 return 0; 1227 } 1228 return 1; 1229 } 1230 /* rr not found in rrset */ 1231 } 1232 1233 /* is it a type RRSIG, look under the covered type */ 1234 if(rr_type == LDNS_RR_TYPE_RRSIG) { 1235 uint16_t ctype = rrsig_rdata_get_type_covered(rdata, rdatalen); 1236 if((rrset=az_domain_rrset(node, ctype))!= NULL) { 1237 if(az_rrset_find_rrsig(rrset->data, rdata, rdatalen, 1238 &index)) { 1239 /* rrsig should have d->count > 0, be 1240 * over some rr of that type */ 1241 /* remove the rrsig from the rrsigs list of the 1242 * rrset */ 1243 if(!rrset_remove_rr(rrset, index)) 1244 return 0; 1245 return 1; 1246 } 1247 } 1248 /* also RRSIG not found */ 1249 } 1250 1251 /* nothing found to delete */ 1252 if(nonexist) *nonexist = 1; 1253 return 1; 1254} 1255 1256/** remove RR from zone, ignore if it does not exist, false on alloc failure*/ 1257static int 1258az_remove_rr(struct auth_zone* z, uint8_t* rr, size_t rr_len, 1259 size_t dname_len, int* nonexist) 1260{ 1261 struct auth_data* node; 1262 uint8_t* dname = rr; 1263 uint16_t rr_type = sldns_wirerr_get_type(rr, rr_len, dname_len); 1264 uint16_t rr_class = sldns_wirerr_get_class(rr, rr_len, dname_len); 1265 size_t rdatalen = ((size_t)sldns_wirerr_get_rdatalen(rr, rr_len, 1266 dname_len))+2; 1267 /* rdata points to rdata prefixed with uint16 rdatalength */ 1268 uint8_t* rdata = sldns_wirerr_get_rdatawl(rr, rr_len, dname_len); 1269 1270 if(rr_class != z->dclass) { 1271 log_err("wrong class for RR"); 1272 /* really also a nonexisting entry, because no records 1273 * of that class in the zone, but return an error because 1274 * getting records of the wrong class is a failure of the 1275 * zone transfer */ 1276 return 0; 1277 } 1278 node = az_find_name(z, dname, dname_len); 1279 if(!node) { 1280 /* node with that name does not exist */ 1281 /* nonexisting entry, because no such name */ 1282 *nonexist = 1; 1283 return 1; 1284 } 1285 if(!az_domain_remove_rr(node, rr_type, rdata, rdatalen, nonexist)) { 1286 /* alloc failure or so */ 1287 return 0; 1288 } 1289 /* remove the node, if necessary */ 1290 /* an rrsets==NULL entry is not kept around for empty nonterminals, 1291 * and also parent nodes are not kept around, so we just delete it */ 1292 if(node->rrsets == NULL) { 1293 (void)rbtree_delete(&z->data, node); 1294 auth_data_delete(node); 1295 } 1296 return 1; 1297} 1298 1299/** decompress an RR into the buffer where it'll be an uncompressed RR 1300 * with uncompressed dname and uncompressed rdata (dnames) */ 1301static int 1302decompress_rr_into_buffer(struct sldns_buffer* buf, uint8_t* pkt, 1303 size_t pktlen, uint8_t* dname, uint16_t rr_type, uint16_t rr_class, 1304 uint32_t rr_ttl, uint8_t* rr_data, uint16_t rr_rdlen) 1305{ 1306 sldns_buffer pktbuf; 1307 size_t dname_len = 0; 1308 size_t rdlenpos; 1309 size_t rdlen; 1310 uint8_t* rd; 1311 const sldns_rr_descriptor* desc; 1312 sldns_buffer_init_frm_data(&pktbuf, pkt, pktlen); 1313 sldns_buffer_clear(buf); 1314 1315 /* decompress dname */ 1316 sldns_buffer_set_position(&pktbuf, 1317 (size_t)(dname - sldns_buffer_current(&pktbuf))); 1318 dname_len = pkt_dname_len(&pktbuf); 1319 if(dname_len == 0) return 0; /* parse fail on dname */ 1320 if(!sldns_buffer_available(buf, dname_len)) return 0; 1321 dname_pkt_copy(&pktbuf, sldns_buffer_current(buf), dname); 1322 sldns_buffer_skip(buf, (ssize_t)dname_len); 1323 1324 /* type, class, ttl and rdatalength fields */ 1325 if(!sldns_buffer_available(buf, 10)) return 0; 1326 sldns_buffer_write_u16(buf, rr_type); 1327 sldns_buffer_write_u16(buf, rr_class); 1328 sldns_buffer_write_u32(buf, rr_ttl); 1329 rdlenpos = sldns_buffer_position(buf); 1330 sldns_buffer_write_u16(buf, 0); /* rd length position */ 1331 1332 /* decompress rdata */ 1333 desc = sldns_rr_descript(rr_type); 1334 rd = rr_data; 1335 rdlen = rr_rdlen; 1336 if(rdlen > 0 && desc && desc->_dname_count > 0) { 1337 int count = (int)desc->_dname_count; 1338 int rdf = 0; 1339 size_t len; /* how much rdata to plain copy */ 1340 size_t uncompressed_len, compressed_len; 1341 size_t oldpos; 1342 /* decompress dnames. */ 1343 while(rdlen > 0 && count) { 1344 switch(desc->_wireformat[rdf]) { 1345 case LDNS_RDF_TYPE_DNAME: 1346 sldns_buffer_set_position(&pktbuf, 1347 (size_t)(rd - 1348 sldns_buffer_begin(&pktbuf))); 1349 oldpos = sldns_buffer_position(&pktbuf); 1350 /* moves pktbuf to right after the 1351 * compressed dname, and returns uncompressed 1352 * dname length */ 1353 uncompressed_len = pkt_dname_len(&pktbuf); 1354 if(!uncompressed_len) 1355 return 0; /* parse error in dname */ 1356 if(!sldns_buffer_available(buf, 1357 uncompressed_len)) 1358 /* dname too long for buffer */ 1359 return 0; 1360 dname_pkt_copy(&pktbuf, 1361 sldns_buffer_current(buf), rd); 1362 sldns_buffer_skip(buf, (ssize_t)uncompressed_len); 1363 compressed_len = sldns_buffer_position( 1364 &pktbuf) - oldpos; 1365 rd += compressed_len; 1366 rdlen -= compressed_len; 1367 count--; 1368 len = 0; 1369 break; 1370 case LDNS_RDF_TYPE_STR: 1371 len = rd[0] + 1; 1372 break; 1373 default: 1374 len = get_rdf_size(desc->_wireformat[rdf]); 1375 break; 1376 } 1377 if(len) { 1378 if(!sldns_buffer_available(buf, len)) 1379 return 0; /* too long for buffer */ 1380 sldns_buffer_write(buf, rd, len); 1381 rd += len; 1382 rdlen -= len; 1383 } 1384 rdf++; 1385 } 1386 } 1387 /* copy remaining data */ 1388 if(rdlen > 0) { 1389 if(!sldns_buffer_available(buf, rdlen)) return 0; 1390 sldns_buffer_write(buf, rd, rdlen); 1391 } 1392 /* fixup rdlength */ 1393 sldns_buffer_write_u16_at(buf, rdlenpos, 1394 sldns_buffer_position(buf)-rdlenpos-2); 1395 sldns_buffer_flip(buf); 1396 return 1; 1397} 1398 1399/** insert RR into zone, from packet, decompress RR, 1400 * if duplicate is nonNULL set the flag but otherwise ignore duplicates */ 1401static int 1402az_insert_rr_decompress(struct auth_zone* z, uint8_t* pkt, size_t pktlen, 1403 struct sldns_buffer* scratch_buffer, uint8_t* dname, uint16_t rr_type, 1404 uint16_t rr_class, uint32_t rr_ttl, uint8_t* rr_data, 1405 uint16_t rr_rdlen, int* duplicate) 1406{ 1407 uint8_t* rr; 1408 size_t rr_len; 1409 size_t dname_len; 1410 if(!decompress_rr_into_buffer(scratch_buffer, pkt, pktlen, dname, 1411 rr_type, rr_class, rr_ttl, rr_data, rr_rdlen)) { 1412 log_err("could not decompress RR"); 1413 return 0; 1414 } 1415 rr = sldns_buffer_begin(scratch_buffer); 1416 rr_len = sldns_buffer_limit(scratch_buffer); 1417 dname_len = dname_valid(rr, rr_len); 1418 return az_insert_rr(z, rr, rr_len, dname_len, duplicate); 1419} 1420 1421/** remove RR from zone, from packet, decompress RR, 1422 * if nonexist is nonNULL set the flag but otherwise ignore nonexisting entries*/ 1423static int 1424az_remove_rr_decompress(struct auth_zone* z, uint8_t* pkt, size_t pktlen, 1425 struct sldns_buffer* scratch_buffer, uint8_t* dname, uint16_t rr_type, 1426 uint16_t rr_class, uint32_t rr_ttl, uint8_t* rr_data, 1427 uint16_t rr_rdlen, int* nonexist) 1428{ 1429 uint8_t* rr; 1430 size_t rr_len; 1431 size_t dname_len; 1432 if(!decompress_rr_into_buffer(scratch_buffer, pkt, pktlen, dname, 1433 rr_type, rr_class, rr_ttl, rr_data, rr_rdlen)) { 1434 log_err("could not decompress RR"); 1435 return 0; 1436 } 1437 rr = sldns_buffer_begin(scratch_buffer); 1438 rr_len = sldns_buffer_limit(scratch_buffer); 1439 dname_len = dname_valid(rr, rr_len); 1440 return az_remove_rr(z, rr, rr_len, dname_len, nonexist); 1441} 1442 1443/** 1444 * Parse zonefile 1445 * @param z: zone to read in. 1446 * @param in: file to read from (just opened). 1447 * @param rr: buffer to use for RRs, 64k. 1448 * passed so that recursive includes can use the same buffer and do 1449 * not grow the stack too much. 1450 * @param rrbuflen: sizeof rr buffer. 1451 * @param state: parse state with $ORIGIN, $TTL and 'prev-dname' and so on, 1452 * that is kept between includes. 1453 * The lineno is set at 1 and then increased by the function. 1454 * @param fname: file name. 1455 * @param depth: recursion depth for includes 1456 * @param cfg: config for chroot. 1457 * returns false on failure, has printed an error message 1458 */ 1459static int 1460az_parse_file(struct auth_zone* z, FILE* in, uint8_t* rr, size_t rrbuflen, 1461 struct sldns_file_parse_state* state, char* fname, int depth, 1462 struct config_file* cfg) 1463{ 1464 size_t rr_len, dname_len; 1465 int status; 1466 state->lineno = 1; 1467 1468 while(!feof(in)) { 1469 rr_len = rrbuflen; 1470 dname_len = 0; 1471 status = sldns_fp2wire_rr_buf(in, rr, &rr_len, &dname_len, 1472 state); 1473 if(status == LDNS_WIREPARSE_ERR_INCLUDE && rr_len == 0) { 1474 /* we have $INCLUDE or $something */ 1475 if(strncmp((char*)rr, "$INCLUDE ", 9) == 0 || 1476 strncmp((char*)rr, "$INCLUDE\t", 9) == 0) { 1477 FILE* inc; 1478 int lineno_orig = state->lineno; 1479 char* incfile = (char*)rr + 8; 1480 if(depth > MAX_INCLUDE_DEPTH) { 1481 log_err("%s:%d max include depth" 1482 "exceeded", fname, state->lineno); 1483 return 0; 1484 } 1485 /* skip spaces */ 1486 while(*incfile == ' ' || *incfile == '\t') 1487 incfile++; 1488 /* adjust for chroot on include file */ 1489 if(cfg->chrootdir && cfg->chrootdir[0] && 1490 strncmp(incfile, cfg->chrootdir, 1491 strlen(cfg->chrootdir)) == 0) 1492 incfile += strlen(cfg->chrootdir); 1493 incfile = strdup(incfile); 1494 if(!incfile) { 1495 log_err("malloc failure"); 1496 return 0; 1497 } 1498 verbose(VERB_ALGO, "opening $INCLUDE %s", 1499 incfile); 1500 inc = fopen(incfile, "r"); 1501 if(!inc) { 1502 log_err("%s:%d cannot open include " 1503 "file %s: %s", fname, 1504 lineno_orig, incfile, 1505 strerror(errno)); 1506 free(incfile); 1507 return 0; 1508 } 1509 /* recurse read that file now */ 1510 if(!az_parse_file(z, inc, rr, rrbuflen, 1511 state, incfile, depth+1, cfg)) { 1512 log_err("%s:%d cannot parse include " 1513 "file %s", fname, 1514 lineno_orig, incfile); 1515 fclose(inc); 1516 free(incfile); 1517 return 0; 1518 } 1519 fclose(inc); 1520 verbose(VERB_ALGO, "done with $INCLUDE %s", 1521 incfile); 1522 free(incfile); 1523 state->lineno = lineno_orig; 1524 } 1525 continue; 1526 } 1527 if(status != 0) { 1528 log_err("parse error %s %d:%d: %s", fname, 1529 state->lineno, LDNS_WIREPARSE_OFFSET(status), 1530 sldns_get_errorstr_parse(status)); 1531 return 0; 1532 } 1533 if(rr_len == 0) { 1534 /* EMPTY line, TTL or ORIGIN */ 1535 continue; 1536 } 1537 /* insert wirerr in rrbuf */ 1538 if(!az_insert_rr(z, rr, rr_len, dname_len, NULL)) { 1539 char buf[17]; 1540 sldns_wire2str_type_buf(sldns_wirerr_get_type(rr, 1541 rr_len, dname_len), buf, sizeof(buf)); 1542 log_err("%s:%d cannot insert RR of type %s", 1543 fname, state->lineno, buf); 1544 return 0; 1545 } 1546 } 1547 return 1; 1548} 1549 1550int 1551auth_zone_read_zonefile(struct auth_zone* z, struct config_file* cfg) 1552{ 1553 uint8_t rr[LDNS_RR_BUF_SIZE]; 1554 struct sldns_file_parse_state state; 1555 char* zfilename; 1556 FILE* in; 1557 if(!z || !z->zonefile || z->zonefile[0]==0) 1558 return 1; /* no file, or "", nothing to read */ 1559 1560 zfilename = z->zonefile; 1561 if(cfg->chrootdir && cfg->chrootdir[0] && strncmp(zfilename, 1562 cfg->chrootdir, strlen(cfg->chrootdir)) == 0) 1563 zfilename += strlen(cfg->chrootdir); 1564 if(verbosity >= VERB_ALGO) { 1565 char nm[255+1]; 1566 dname_str(z->name, nm); 1567 verbose(VERB_ALGO, "read zonefile %s for %s", zfilename, nm); 1568 } 1569 in = fopen(zfilename, "r"); 1570 if(!in) { 1571 char* n = sldns_wire2str_dname(z->name, z->namelen); 1572 if(z->zone_is_slave && errno == ENOENT) { 1573 /* we fetch the zone contents later, no file yet */ 1574 verbose(VERB_ALGO, "no zonefile %s for %s", 1575 zfilename, n?n:"error"); 1576 free(n); 1577 return 1; 1578 } 1579 log_err("cannot open zonefile %s for %s: %s", 1580 zfilename, n?n:"error", strerror(errno)); 1581 free(n); 1582 return 0; 1583 } 1584 1585 /* clear the data tree */ 1586 traverse_postorder(&z->data, auth_data_del, NULL); 1587 rbtree_init(&z->data, &auth_data_cmp); 1588 1589 memset(&state, 0, sizeof(state)); 1590 /* default TTL to 3600 */ 1591 state.default_ttl = 3600; 1592 /* set $ORIGIN to the zone name */ 1593 if(z->namelen <= sizeof(state.origin)) { 1594 memcpy(state.origin, z->name, z->namelen); 1595 state.origin_len = z->namelen; 1596 } 1597 /* parse the (toplevel) file */ 1598 if(!az_parse_file(z, in, rr, sizeof(rr), &state, zfilename, 0, cfg)) { 1599 char* n = sldns_wire2str_dname(z->name, z->namelen); 1600 log_err("error parsing zonefile %s for %s", 1601 zfilename, n?n:"error"); 1602 free(n); 1603 fclose(in); 1604 return 0; 1605 } 1606 fclose(in); 1607 return 1; 1608} 1609 1610/** write buffer to file and check return codes */ 1611static int 1612write_out(FILE* out, const char* str, size_t len) 1613{ 1614 size_t r; 1615 if(len == 0) 1616 return 1; 1617 r = fwrite(str, 1, len, out); 1618 if(r == 0) { 1619 log_err("write failed: %s", strerror(errno)); 1620 return 0; 1621 } else if(r < len) { 1622 log_err("write failed: too short (disk full?)"); 1623 return 0; 1624 } 1625 return 1; 1626} 1627 1628/** convert auth rr to string */ 1629static int 1630auth_rr_to_string(uint8_t* nm, size_t nmlen, uint16_t tp, uint16_t cl, 1631 struct packed_rrset_data* data, size_t i, char* s, size_t buflen) 1632{ 1633 int w = 0; 1634 size_t slen = buflen, datlen; 1635 uint8_t* dat; 1636 if(i >= data->count) tp = LDNS_RR_TYPE_RRSIG; 1637 dat = nm; 1638 datlen = nmlen; 1639 w += sldns_wire2str_dname_scan(&dat, &datlen, &s, &slen, NULL, 0, NULL); 1640 w += sldns_str_print(&s, &slen, "\t"); 1641 w += sldns_str_print(&s, &slen, "%lu\t", (unsigned long)data->rr_ttl[i]); 1642 w += sldns_wire2str_class_print(&s, &slen, cl); 1643 w += sldns_str_print(&s, &slen, "\t"); 1644 w += sldns_wire2str_type_print(&s, &slen, tp); 1645 w += sldns_str_print(&s, &slen, "\t"); 1646 datlen = data->rr_len[i]-2; 1647 dat = data->rr_data[i]+2; 1648 w += sldns_wire2str_rdata_scan(&dat, &datlen, &s, &slen, tp, NULL, 0, NULL); 1649 1650 if(tp == LDNS_RR_TYPE_DNSKEY) { 1651 w += sldns_str_print(&s, &slen, " ;{id = %u}", 1652 sldns_calc_keytag_raw(data->rr_data[i]+2, 1653 data->rr_len[i]-2)); 1654 } 1655 w += sldns_str_print(&s, &slen, "\n"); 1656 1657 if(w >= (int)buflen) { 1658 log_nametypeclass(NO_VERBOSE, "RR too long to print", nm, tp, cl); 1659 return 0; 1660 } 1661 return 1; 1662} 1663 1664/** write rrset to file */ 1665static int 1666auth_zone_write_rrset(struct auth_zone* z, struct auth_data* node, 1667 struct auth_rrset* r, FILE* out) 1668{ 1669 size_t i, count = r->data->count + r->data->rrsig_count; 1670 char buf[LDNS_RR_BUF_SIZE]; 1671 for(i=0; i<count; i++) { 1672 if(!auth_rr_to_string(node->name, node->namelen, r->type, 1673 z->dclass, r->data, i, buf, sizeof(buf))) { 1674 verbose(VERB_ALGO, "failed to rr2str rr %d", (int)i); 1675 continue; 1676 } 1677 if(!write_out(out, buf, strlen(buf))) 1678 return 0; 1679 } 1680 return 1; 1681} 1682 1683/** write domain to file */ 1684static int 1685auth_zone_write_domain(struct auth_zone* z, struct auth_data* n, FILE* out) 1686{ 1687 struct auth_rrset* r; 1688 /* if this is zone apex, write SOA first */ 1689 if(z->namelen == n->namelen) { 1690 struct auth_rrset* soa = az_domain_rrset(n, LDNS_RR_TYPE_SOA); 1691 if(soa) { 1692 if(!auth_zone_write_rrset(z, n, soa, out)) 1693 return 0; 1694 } 1695 } 1696 /* write all the RRsets for this domain */ 1697 for(r = n->rrsets; r; r = r->next) { 1698 if(z->namelen == n->namelen && 1699 r->type == LDNS_RR_TYPE_SOA) 1700 continue; /* skip SOA here */ 1701 if(!auth_zone_write_rrset(z, n, r, out)) 1702 return 0; 1703 } 1704 return 1; 1705} 1706 1707int auth_zone_write_file(struct auth_zone* z, const char* fname) 1708{ 1709 FILE* out; 1710 struct auth_data* n; 1711 out = fopen(fname, "w"); 1712 if(!out) { 1713 log_err("could not open %s: %s", fname, strerror(errno)); 1714 return 0; 1715 } 1716 RBTREE_FOR(n, struct auth_data*, &z->data) { 1717 if(!auth_zone_write_domain(z, n, out)) { 1718 log_err("could not write domain to %s", fname); 1719 fclose(out); 1720 return 0; 1721 } 1722 } 1723 fclose(out); 1724 return 1; 1725} 1726 1727/** read all auth zones from file (if they have) */ 1728static int 1729auth_zones_read_zones(struct auth_zones* az, struct config_file* cfg) 1730{ 1731 struct auth_zone* z; 1732 lock_rw_wrlock(&az->lock); 1733 RBTREE_FOR(z, struct auth_zone*, &az->ztree) { 1734 lock_rw_wrlock(&z->lock); 1735 if(!auth_zone_read_zonefile(z, cfg)) { 1736 lock_rw_unlock(&z->lock); 1737 lock_rw_unlock(&az->lock); 1738 return 0; 1739 } 1740 lock_rw_unlock(&z->lock); 1741 } 1742 lock_rw_unlock(&az->lock); 1743 return 1; 1744} 1745 1746/** find serial number of zone or false if none */ 1747int 1748auth_zone_get_serial(struct auth_zone* z, uint32_t* serial) 1749{ 1750 struct auth_data* apex; 1751 struct auth_rrset* soa; 1752 struct packed_rrset_data* d; 1753 apex = az_find_name(z, z->name, z->namelen); 1754 if(!apex) return 0; 1755 soa = az_domain_rrset(apex, LDNS_RR_TYPE_SOA); 1756 if(!soa || soa->data->count==0) 1757 return 0; /* no RRset or no RRs in rrset */ 1758 if(soa->data->rr_len[0] < 2+4*5) return 0; /* SOA too short */ 1759 d = soa->data; 1760 *serial = sldns_read_uint32(d->rr_data[0]+(d->rr_len[0]-20)); 1761 return 1; 1762} 1763 1764/** Find auth_zone SOA and populate the values in xfr(soa values). */ 1765static int 1766xfr_find_soa(struct auth_zone* z, struct auth_xfer* xfr) 1767{ 1768 struct auth_data* apex; 1769 struct auth_rrset* soa; 1770 struct packed_rrset_data* d; 1771 apex = az_find_name(z, z->name, z->namelen); 1772 if(!apex) return 0; 1773 soa = az_domain_rrset(apex, LDNS_RR_TYPE_SOA); 1774 if(!soa || soa->data->count==0) 1775 return 0; /* no RRset or no RRs in rrset */ 1776 if(soa->data->rr_len[0] < 2+4*5) return 0; /* SOA too short */ 1777 /* SOA record ends with serial, refresh, retry, expiry, minimum, 1778 * as 4 byte fields */ 1779 d = soa->data; 1780 xfr->have_zone = 1; 1781 xfr->serial = sldns_read_uint32(d->rr_data[0]+(d->rr_len[0]-20)); 1782 xfr->refresh = sldns_read_uint32(d->rr_data[0]+(d->rr_len[0]-16)); 1783 xfr->retry = sldns_read_uint32(d->rr_data[0]+(d->rr_len[0]-12)); 1784 xfr->expiry = sldns_read_uint32(d->rr_data[0]+(d->rr_len[0]-8)); 1785 /* soa minimum at d->rr_len[0]-4 */ 1786 return 1; 1787} 1788 1789/** 1790 * Setup auth_xfer zone 1791 * This populates the have_zone, soa values, and so on times. 1792 * Doesn't do network traffic yet, can set option flags. 1793 * @param z: locked by caller, and modified for setup 1794 * @param x: locked by caller, and modified. 1795 * @return false on failure. 1796 */ 1797static int 1798auth_xfer_setup(struct auth_zone* z, struct auth_xfer* x) 1799{ 1800 /* for a zone without zone transfers, x==NULL, so skip them, 1801 * i.e. the zone config is fixed with no masters or urls */ 1802 if(!z || !x) return 1; 1803 if(!xfr_find_soa(z, x)) { 1804 return 1; 1805 } 1806 /* nothing for probe, nextprobe and transfer tasks */ 1807 return 1; 1808} 1809 1810/** 1811 * Setup all zones 1812 * @param az: auth zones structure 1813 * @return false on failure. 1814 */ 1815static int 1816auth_zones_setup_zones(struct auth_zones* az) 1817{ 1818 struct auth_zone* z; 1819 struct auth_xfer* x; 1820 lock_rw_wrlock(&az->lock); 1821 RBTREE_FOR(z, struct auth_zone*, &az->ztree) { 1822 lock_rw_wrlock(&z->lock); 1823 x = auth_xfer_find(az, z->name, z->namelen, z->dclass); 1824 if(x) { 1825 lock_basic_lock(&x->lock); 1826 } 1827 if(!auth_xfer_setup(z, x)) { 1828 if(x) { 1829 lock_basic_unlock(&x->lock); 1830 } 1831 lock_rw_unlock(&z->lock); 1832 lock_rw_unlock(&az->lock); 1833 return 0; 1834 } 1835 if(x) { 1836 lock_basic_unlock(&x->lock); 1837 } 1838 lock_rw_unlock(&z->lock); 1839 } 1840 lock_rw_unlock(&az->lock); 1841 return 1; 1842} 1843 1844/** set config items and create zones */ 1845static int 1846auth_zones_cfg(struct auth_zones* az, struct config_auth* c) 1847{ 1848 struct auth_zone* z; 1849 struct auth_xfer* x = NULL; 1850 1851 /* create zone */ 1852 lock_rw_wrlock(&az->lock); 1853 if(!(z=auth_zones_find_or_add_zone(az, c->name))) { 1854 lock_rw_unlock(&az->lock); 1855 return 0; 1856 } 1857 if(c->masters || c->urls) { 1858 if(!(x=auth_zones_find_or_add_xfer(az, z))) { 1859 lock_rw_unlock(&az->lock); 1860 lock_rw_unlock(&z->lock); 1861 return 0; 1862 } 1863 } 1864 if(c->for_downstream) 1865 az->have_downstream = 1; 1866 lock_rw_unlock(&az->lock); 1867 1868 /* set options */ 1869 z->zone_deleted = 0; 1870 if(!auth_zone_set_zonefile(z, c->zonefile)) { 1871 if(x) { 1872 lock_basic_unlock(&x->lock); 1873 } 1874 lock_rw_unlock(&z->lock); 1875 return 0; 1876 } 1877 z->for_downstream = c->for_downstream; 1878 z->for_upstream = c->for_upstream; 1879 z->fallback_enabled = c->fallback_enabled; 1880 1881 /* xfer zone */ 1882 if(x) { 1883 z->zone_is_slave = 1; 1884 /* set options on xfer zone */ 1885 if(!xfer_set_masters(&x->task_probe->masters, c, 0)) { 1886 lock_basic_unlock(&x->lock); 1887 lock_rw_unlock(&z->lock); 1888 return 0; 1889 } 1890 if(!xfer_set_masters(&x->task_transfer->masters, c, 1)) { 1891 lock_basic_unlock(&x->lock); 1892 lock_rw_unlock(&z->lock); 1893 return 0; 1894 } 1895 lock_basic_unlock(&x->lock); 1896 } 1897 1898 lock_rw_unlock(&z->lock); 1899 return 1; 1900} 1901 1902/** set all auth zones deleted, then in auth_zones_cfg, it marks them 1903 * as nondeleted (if they are still in the config), and then later 1904 * we can find deleted zones */ 1905static void 1906az_setall_deleted(struct auth_zones* az) 1907{ 1908 struct auth_zone* z; 1909 lock_rw_wrlock(&az->lock); 1910 RBTREE_FOR(z, struct auth_zone*, &az->ztree) { 1911 lock_rw_wrlock(&z->lock); 1912 z->zone_deleted = 1; 1913 lock_rw_unlock(&z->lock); 1914 } 1915 lock_rw_unlock(&az->lock); 1916} 1917 1918/** find zones that are marked deleted and delete them. 1919 * This is called from apply_cfg, and there are no threads and no 1920 * workers, so the xfr can just be deleted. */ 1921static void 1922az_delete_deleted_zones(struct auth_zones* az) 1923{ 1924 struct auth_zone* z; 1925 struct auth_zone* delete_list = NULL, *next; 1926 struct auth_xfer* xfr; 1927 lock_rw_wrlock(&az->lock); 1928 RBTREE_FOR(z, struct auth_zone*, &az->ztree) { 1929 lock_rw_wrlock(&z->lock); 1930 if(z->zone_deleted) { 1931 /* we cannot alter the rbtree right now, but 1932 * we can put it on a linked list and then 1933 * delete it */ 1934 z->delete_next = delete_list; 1935 delete_list = z; 1936 } 1937 lock_rw_unlock(&z->lock); 1938 } 1939 /* now we are out of the tree loop and we can loop and delete 1940 * the zones */ 1941 z = delete_list; 1942 while(z) { 1943 next = z->delete_next; 1944 xfr = auth_xfer_find(az, z->name, z->namelen, z->dclass); 1945 if(xfr) { 1946 (void)rbtree_delete(&az->xtree, &xfr->node); 1947 auth_xfer_delete(xfr); 1948 } 1949 (void)rbtree_delete(&az->ztree, &z->node); 1950 auth_zone_delete(z); 1951 z = next; 1952 } 1953 lock_rw_unlock(&az->lock); 1954} 1955 1956int auth_zones_apply_cfg(struct auth_zones* az, struct config_file* cfg, 1957 int setup) 1958{ 1959 struct config_auth* p; 1960 az_setall_deleted(az); 1961 for(p = cfg->auths; p; p = p->next) { 1962 if(!p->name || p->name[0] == 0) { 1963 log_warn("auth-zone without a name, skipped"); 1964 continue; 1965 } 1966 if(!auth_zones_cfg(az, p)) { 1967 log_err("cannot config auth zone %s", p->name); 1968 return 0; 1969 } 1970 } 1971 az_delete_deleted_zones(az); 1972 if(!auth_zones_read_zones(az, cfg)) 1973 return 0; 1974 if(setup) { 1975 if(!auth_zones_setup_zones(az)) 1976 return 0; 1977 } 1978 return 1; 1979} 1980 1981/** delete chunks 1982 * @param at: transfer structure with chunks list. The chunks and their 1983 * data are freed. 1984 */ 1985static void 1986auth_chunks_delete(struct auth_transfer* at) 1987{ 1988 if(at->chunks_first) { 1989 struct auth_chunk* c, *cn; 1990 c = at->chunks_first; 1991 while(c) { 1992 cn = c->next; 1993 free(c->data); 1994 free(c); 1995 c = cn; 1996 } 1997 } 1998 at->chunks_first = NULL; 1999 at->chunks_last = NULL; 2000} 2001 2002/** free master addr list */ 2003static void 2004auth_free_master_addrs(struct auth_addr* list) 2005{ 2006 struct auth_addr *n; 2007 while(list) { 2008 n = list->next; 2009 free(list); 2010 list = n; 2011 } 2012} 2013 2014/** free the masters list */ 2015static void 2016auth_free_masters(struct auth_master* list) 2017{ 2018 struct auth_master* n; 2019 while(list) { 2020 n = list->next; 2021 auth_free_master_addrs(list->list); 2022 free(list->host); 2023 free(list->file); 2024 free(list); 2025 list = n; 2026 } 2027} 2028 2029/** delete auth xfer structure 2030 * @param xfr: delete this xfer and its tasks. 2031 */ 2032static void 2033auth_xfer_delete(struct auth_xfer* xfr) 2034{ 2035 if(!xfr) return; 2036 lock_basic_destroy(&xfr->lock); 2037 free(xfr->name); 2038 if(xfr->task_nextprobe) { 2039 comm_timer_delete(xfr->task_nextprobe->timer); 2040 free(xfr->task_nextprobe); 2041 } 2042 if(xfr->task_probe) { 2043 auth_free_masters(xfr->task_probe->masters); 2044 comm_point_delete(xfr->task_probe->cp); 2045 comm_timer_delete(xfr->task_probe->timer); 2046 free(xfr->task_probe); 2047 } 2048 if(xfr->task_transfer) { 2049 auth_free_masters(xfr->task_transfer->masters); 2050 comm_point_delete(xfr->task_transfer->cp); 2051 comm_timer_delete(xfr->task_transfer->timer); 2052 if(xfr->task_transfer->chunks_first) { 2053 auth_chunks_delete(xfr->task_transfer); 2054 } 2055 free(xfr->task_transfer); 2056 } 2057 auth_free_masters(xfr->allow_notify_list); 2058 free(xfr); 2059} 2060 2061/** helper traverse to delete zones */ 2062static void 2063auth_zone_del(rbnode_type* n, void* ATTR_UNUSED(arg)) 2064{ 2065 struct auth_zone* z = (struct auth_zone*)n->key; 2066 auth_zone_delete(z); 2067} 2068 2069/** helper traverse to delete xfer zones */ 2070static void 2071auth_xfer_del(rbnode_type* n, void* ATTR_UNUSED(arg)) 2072{ 2073 struct auth_xfer* z = (struct auth_xfer*)n->key; 2074 auth_xfer_delete(z); 2075} 2076 2077void auth_zones_delete(struct auth_zones* az) 2078{ 2079 if(!az) return; 2080 lock_rw_destroy(&az->lock); 2081 traverse_postorder(&az->ztree, auth_zone_del, NULL); 2082 traverse_postorder(&az->xtree, auth_xfer_del, NULL); 2083 free(az); 2084} 2085 2086/** true if domain has only nsec3 */ 2087static int 2088domain_has_only_nsec3(struct auth_data* n) 2089{ 2090 struct auth_rrset* rrset = n->rrsets; 2091 int nsec3_seen = 0; 2092 while(rrset) { 2093 if(rrset->type == LDNS_RR_TYPE_NSEC3) { 2094 nsec3_seen = 1; 2095 } else if(rrset->type != LDNS_RR_TYPE_RRSIG) { 2096 return 0; 2097 } 2098 rrset = rrset->next; 2099 } 2100 return nsec3_seen; 2101} 2102 2103/** see if the domain has a wildcard child '*.domain' */ 2104static struct auth_data* 2105az_find_wildcard_domain(struct auth_zone* z, uint8_t* nm, size_t nmlen) 2106{ 2107 uint8_t wc[LDNS_MAX_DOMAINLEN]; 2108 if(nmlen+2 > sizeof(wc)) 2109 return NULL; /* result would be too long */ 2110 wc[0] = 1; /* length of wildcard label */ 2111 wc[1] = (uint8_t)'*'; /* wildcard label */ 2112 memmove(wc+2, nm, nmlen); 2113 return az_find_name(z, wc, nmlen+2); 2114} 2115 2116/** find wildcard between qname and cename */ 2117static struct auth_data* 2118az_find_wildcard(struct auth_zone* z, struct query_info* qinfo, 2119 struct auth_data* ce) 2120{ 2121 uint8_t* nm = qinfo->qname; 2122 size_t nmlen = qinfo->qname_len; 2123 struct auth_data* node; 2124 if(!dname_subdomain_c(nm, z->name)) 2125 return NULL; /* out of zone */ 2126 while((node=az_find_wildcard_domain(z, nm, nmlen))==NULL) { 2127 /* see if we can go up to find the wildcard */ 2128 if(nmlen == z->namelen) 2129 return NULL; /* top of zone reached */ 2130 if(ce && nmlen == ce->namelen) 2131 return NULL; /* ce reached */ 2132 if(dname_is_root(nm)) 2133 return NULL; /* cannot go up */ 2134 dname_remove_label(&nm, &nmlen); 2135 } 2136 return node; 2137} 2138 2139/** domain is not exact, find first candidate ce (name that matches 2140 * a part of qname) in tree */ 2141static struct auth_data* 2142az_find_candidate_ce(struct auth_zone* z, struct query_info* qinfo, 2143 struct auth_data* n) 2144{ 2145 uint8_t* nm; 2146 size_t nmlen; 2147 if(n) { 2148 nm = dname_get_shared_topdomain(qinfo->qname, n->name); 2149 } else { 2150 nm = qinfo->qname; 2151 } 2152 dname_count_size_labels(nm, &nmlen); 2153 n = az_find_name(z, nm, nmlen); 2154 /* delete labels and go up on name */ 2155 while(!n) { 2156 if(dname_is_root(nm)) 2157 return NULL; /* cannot go up */ 2158 dname_remove_label(&nm, &nmlen); 2159 n = az_find_name(z, nm, nmlen); 2160 } 2161 return n; 2162} 2163 2164/** go up the auth tree to next existing name. */ 2165static struct auth_data* 2166az_domain_go_up(struct auth_zone* z, struct auth_data* n) 2167{ 2168 uint8_t* nm = n->name; 2169 size_t nmlen = n->namelen; 2170 while(!dname_is_root(nm)) { 2171 dname_remove_label(&nm, &nmlen); 2172 if((n=az_find_name(z, nm, nmlen)) != NULL) 2173 return n; 2174 } 2175 return NULL; 2176} 2177 2178/** Find the closest encloser, an name that exists and is above the 2179 * qname. 2180 * return true if the node (param node) is existing, nonobscured and 2181 * can be used to generate answers from. It is then also node_exact. 2182 * returns false if the node is not good enough (or it wasn't node_exact) 2183 * in this case the ce can be filled. 2184 * if ce is NULL, no ce exists, and likely the zone is completely empty, 2185 * not even with a zone apex. 2186 * if ce is nonNULL it is the closest enclosing upper name (that exists 2187 * itself for answer purposes). That name may have DNAME, NS or wildcard 2188 * rrset is the closest DNAME or NS rrset that was found. 2189 */ 2190static int 2191az_find_ce(struct auth_zone* z, struct query_info* qinfo, 2192 struct auth_data* node, int node_exact, struct auth_data** ce, 2193 struct auth_rrset** rrset) 2194{ 2195 struct auth_data* n = node; 2196 *ce = NULL; 2197 *rrset = NULL; 2198 if(!node_exact) { 2199 /* if not exact, lookup closest exact match */ 2200 n = az_find_candidate_ce(z, qinfo, n); 2201 } else { 2202 /* if exact, the node itself is the first candidate ce */ 2203 *ce = n; 2204 } 2205 2206 /* no direct answer from nsec3-only domains */ 2207 if(n && domain_has_only_nsec3(n)) { 2208 node_exact = 0; 2209 *ce = NULL; 2210 } 2211 2212 /* with exact matches, walk up the labels until we find the 2213 * delegation, or DNAME or zone end */ 2214 while(n) { 2215 /* see if the current candidate has issues */ 2216 /* not zone apex and has type NS */ 2217 if(n->namelen != z->namelen && 2218 (*rrset=az_domain_rrset(n, LDNS_RR_TYPE_NS)) && 2219 /* delegate here, but DS at exact the dp has notype */ 2220 (qinfo->qtype != LDNS_RR_TYPE_DS || 2221 n->namelen != qinfo->qname_len)) { 2222 /* referral */ 2223 /* this is ce and the lowernode is nonexisting */ 2224 *ce = n; 2225 return 0; 2226 } 2227 /* not equal to qname and has type DNAME */ 2228 if(n->namelen != qinfo->qname_len && 2229 (*rrset=az_domain_rrset(n, LDNS_RR_TYPE_DNAME))) { 2230 /* this is ce and the lowernode is nonexisting */ 2231 *ce = n; 2232 return 0; 2233 } 2234 2235 if(*ce == NULL && !domain_has_only_nsec3(n)) { 2236 /* if not found yet, this exact name must be 2237 * our lowest match (but not nsec3onlydomain) */ 2238 *ce = n; 2239 } 2240 2241 /* walk up the tree by removing labels from name and lookup */ 2242 n = az_domain_go_up(z, n); 2243 } 2244 /* found no problems, if it was an exact node, it is fine to use */ 2245 return node_exact; 2246} 2247 2248/** add additional A/AAAA from domain names in rrset rdata (+offset) 2249 * offset is number of bytes in rdata where the dname is located. */ 2250static int 2251az_add_additionals_from(struct auth_zone* z, struct regional* region, 2252 struct dns_msg* msg, struct auth_rrset* rrset, size_t offset) 2253{ 2254 struct packed_rrset_data* d = rrset->data; 2255 size_t i; 2256 if(!d) return 0; 2257 for(i=0; i<d->count; i++) { 2258 size_t dlen; 2259 struct auth_data* domain; 2260 struct auth_rrset* ref; 2261 if(d->rr_len[i] < 2+offset) 2262 continue; /* too short */ 2263 if(!(dlen = dname_valid(d->rr_data[i]+2+offset, 2264 d->rr_len[i]-2-offset))) 2265 continue; /* malformed */ 2266 domain = az_find_name(z, d->rr_data[i]+2+offset, dlen); 2267 if(!domain) 2268 continue; 2269 if((ref=az_domain_rrset(domain, LDNS_RR_TYPE_A)) != NULL) { 2270 if(!msg_add_rrset_ar(z, region, msg, domain, ref)) 2271 return 0; 2272 } 2273 if((ref=az_domain_rrset(domain, LDNS_RR_TYPE_AAAA)) != NULL) { 2274 if(!msg_add_rrset_ar(z, region, msg, domain, ref)) 2275 return 0; 2276 } 2277 } 2278 return 1; 2279} 2280 2281/** add negative SOA record (with negative TTL) */ 2282static int 2283az_add_negative_soa(struct auth_zone* z, struct regional* region, 2284 struct dns_msg* msg) 2285{ 2286 uint32_t minimum; 2287 struct packed_rrset_data* d; 2288 struct auth_rrset* soa; 2289 struct auth_data* apex = az_find_name(z, z->name, z->namelen); 2290 if(!apex) return 0; 2291 soa = az_domain_rrset(apex, LDNS_RR_TYPE_SOA); 2292 if(!soa) return 0; 2293 /* must be first to put in message; we want to fix the TTL with 2294 * one RRset here, otherwise we'd need to loop over the RRs to get 2295 * the resulting lower TTL */ 2296 log_assert(msg->rep->rrset_count == 0); 2297 if(!msg_add_rrset_ns(z, region, msg, apex, soa)) return 0; 2298 /* fixup TTL */ 2299 d = (struct packed_rrset_data*)msg->rep->rrsets[msg->rep->rrset_count-1]->entry.data; 2300 /* last 4 bytes are minimum ttl in network format */ 2301 if(d->count == 0) return 0; 2302 if(d->rr_len[0] < 2+4) return 0; 2303 minimum = sldns_read_uint32(d->rr_data[0]+(d->rr_len[0]-4)); 2304 d->ttl = (time_t)minimum; 2305 d->rr_ttl[0] = (time_t)minimum; 2306 msg->rep->ttl = get_rrset_ttl(msg->rep->rrsets[0]); 2307 msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(msg->rep->ttl); 2308 msg->rep->serve_expired_ttl = msg->rep->ttl + SERVE_EXPIRED_TTL; 2309 return 1; 2310} 2311 2312/** See if the query goes to empty nonterminal (that has no auth_data, 2313 * but there are nodes underneath. We already checked that there are 2314 * not NS, or DNAME above, so that we only need to check if some node 2315 * exists below (with nonempty rr list), return true if emptynonterminal */ 2316static int 2317az_empty_nonterminal(struct auth_zone* z, struct query_info* qinfo, 2318 struct auth_data* node) 2319{ 2320 struct auth_data* next; 2321 if(!node) { 2322 /* no smaller was found, use first (smallest) node as the 2323 * next one */ 2324 next = (struct auth_data*)rbtree_first(&z->data); 2325 } else { 2326 next = (struct auth_data*)rbtree_next(&node->node); 2327 } 2328 while(next && (rbnode_type*)next != RBTREE_NULL && next->rrsets == NULL) { 2329 /* the next name has empty rrsets, is an empty nonterminal 2330 * itself, see if there exists something below it */ 2331 next = (struct auth_data*)rbtree_next(&node->node); 2332 } 2333 if((rbnode_type*)next == RBTREE_NULL || !next) { 2334 /* there is no next node, so something below it cannot 2335 * exist */ 2336 return 0; 2337 } 2338 /* a next node exists, if there was something below the query, 2339 * this node has to be it. See if it is below the query name */ 2340 if(dname_strict_subdomain_c(next->name, qinfo->qname)) 2341 return 1; 2342 return 0; 2343} 2344 2345/** create synth cname target name in buffer, or fail if too long */ 2346static size_t 2347synth_cname_buf(uint8_t* qname, size_t qname_len, size_t dname_len, 2348 uint8_t* dtarg, size_t dtarglen, uint8_t* buf, size_t buflen) 2349{ 2350 size_t newlen = qname_len + dtarglen - dname_len; 2351 if(newlen > buflen) { 2352 /* YXDOMAIN error */ 2353 return 0; 2354 } 2355 /* new name is concatenation of qname front (without DNAME owner) 2356 * and DNAME target name */ 2357 memcpy(buf, qname, qname_len-dname_len); 2358 memmove(buf+(qname_len-dname_len), dtarg, dtarglen); 2359 return newlen; 2360} 2361 2362/** create synthetic CNAME rrset for in a DNAME answer in region, 2363 * false on alloc failure, cname==NULL when name too long. */ 2364static int 2365create_synth_cname(uint8_t* qname, size_t qname_len, struct regional* region, 2366 struct auth_data* node, struct auth_rrset* dname, uint16_t dclass, 2367 struct ub_packed_rrset_key** cname) 2368{ 2369 uint8_t buf[LDNS_MAX_DOMAINLEN]; 2370 uint8_t* dtarg; 2371 size_t dtarglen, newlen; 2372 struct packed_rrset_data* d; 2373 2374 /* get DNAME target name */ 2375 if(dname->data->count < 1) return 0; 2376 if(dname->data->rr_len[0] < 3) return 0; /* at least rdatalen +1 */ 2377 dtarg = dname->data->rr_data[0]+2; 2378 dtarglen = dname->data->rr_len[0]-2; 2379 if(sldns_read_uint16(dname->data->rr_data[0]) != dtarglen) 2380 return 0; /* rdatalen in DNAME rdata is malformed */ 2381 if(dname_valid(dtarg, dtarglen) != dtarglen) 2382 return 0; /* DNAME RR has malformed rdata */ 2383 if(qname_len == 0) 2384 return 0; /* too short */ 2385 if(qname_len <= node->namelen) 2386 return 0; /* qname too short for dname removal */ 2387 2388 /* synthesize a CNAME */ 2389 newlen = synth_cname_buf(qname, qname_len, node->namelen, 2390 dtarg, dtarglen, buf, sizeof(buf)); 2391 if(newlen == 0) { 2392 /* YXDOMAIN error */ 2393 *cname = NULL; 2394 return 1; 2395 } 2396 *cname = (struct ub_packed_rrset_key*)regional_alloc(region, 2397 sizeof(struct ub_packed_rrset_key)); 2398 if(!*cname) 2399 return 0; /* out of memory */ 2400 memset(&(*cname)->entry, 0, sizeof((*cname)->entry)); 2401 (*cname)->entry.key = (*cname); 2402 (*cname)->rk.type = htons(LDNS_RR_TYPE_CNAME); 2403 (*cname)->rk.rrset_class = htons(dclass); 2404 (*cname)->rk.flags = 0; 2405 (*cname)->rk.dname = regional_alloc_init(region, qname, qname_len); 2406 if(!(*cname)->rk.dname) 2407 return 0; /* out of memory */ 2408 (*cname)->rk.dname_len = qname_len; 2409 (*cname)->entry.hash = rrset_key_hash(&(*cname)->rk); 2410 d = (struct packed_rrset_data*)regional_alloc_zero(region, 2411 sizeof(struct packed_rrset_data) + sizeof(size_t) + 2412 sizeof(uint8_t*) + sizeof(time_t) + sizeof(uint16_t) 2413 + newlen); 2414 if(!d) 2415 return 0; /* out of memory */ 2416 (*cname)->entry.data = d; 2417 d->ttl = 0; /* 0 for synthesized CNAME TTL */ 2418 d->count = 1; 2419 d->rrsig_count = 0; 2420 d->trust = rrset_trust_ans_noAA; 2421 d->rr_len = (size_t*)((uint8_t*)d + 2422 sizeof(struct packed_rrset_data)); 2423 d->rr_len[0] = newlen + sizeof(uint16_t); 2424 packed_rrset_ptr_fixup(d); 2425 d->rr_ttl[0] = d->ttl; 2426 sldns_write_uint16(d->rr_data[0], newlen); 2427 memmove(d->rr_data[0] + sizeof(uint16_t), buf, newlen); 2428 return 1; 2429} 2430 2431/** add a synthesized CNAME to the answer section */ 2432static int 2433add_synth_cname(struct auth_zone* z, uint8_t* qname, size_t qname_len, 2434 struct regional* region, struct dns_msg* msg, struct auth_data* dname, 2435 struct auth_rrset* rrset) 2436{ 2437 struct ub_packed_rrset_key* cname; 2438 /* synthesize a CNAME */ 2439 if(!create_synth_cname(qname, qname_len, region, dname, rrset, 2440 z->dclass, &cname)) { 2441 /* out of memory */ 2442 return 0; 2443 } 2444 if(!cname) { 2445 /* cname cannot be create because of YXDOMAIN */ 2446 msg->rep->flags |= LDNS_RCODE_YXDOMAIN; 2447 return 1; 2448 } 2449 /* add cname to message */ 2450 if(!msg_grow_array(region, msg)) 2451 return 0; 2452 msg->rep->rrsets[msg->rep->rrset_count] = cname; 2453 msg->rep->rrset_count++; 2454 msg->rep->an_numrrsets++; 2455 msg_ttl(msg); 2456 return 1; 2457} 2458 2459/** Change a dname to a different one, for wildcard namechange */ 2460static void 2461az_change_dnames(struct dns_msg* msg, uint8_t* oldname, uint8_t* newname, 2462 size_t newlen, int an_only) 2463{ 2464 size_t i; 2465 size_t start = 0, end = msg->rep->rrset_count; 2466 if(!an_only) start = msg->rep->an_numrrsets; 2467 if(an_only) end = msg->rep->an_numrrsets; 2468 for(i=start; i<end; i++) { 2469 /* allocated in region so we can change the ptrs */ 2470 if(query_dname_compare(msg->rep->rrsets[i]->rk.dname, oldname) 2471 == 0) { 2472 msg->rep->rrsets[i]->rk.dname = newname; 2473 msg->rep->rrsets[i]->rk.dname_len = newlen; 2474 } 2475 } 2476} 2477 2478/** find NSEC record covering the query */ 2479static struct auth_rrset* 2480az_find_nsec_cover(struct auth_zone* z, struct auth_data** node) 2481{ 2482 uint8_t* nm = (*node)->name; 2483 size_t nmlen = (*node)->namelen; 2484 struct auth_rrset* rrset; 2485 /* find the NSEC for the smallest-or-equal node */ 2486 /* if node == NULL, we did not find a smaller name. But the zone 2487 * name is the smallest name and should have an NSEC. So there is 2488 * no NSEC to return (for a properly signed zone) */ 2489 /* for empty nonterminals, the auth-data node should not exist, 2490 * and thus we don't need to go rbtree_previous here to find 2491 * a domain with an NSEC record */ 2492 /* but there could be glue, and if this is node, then it has no NSEC. 2493 * Go up to find nonglue (previous) NSEC-holding nodes */ 2494 while((rrset=az_domain_rrset(*node, LDNS_RR_TYPE_NSEC)) == NULL) { 2495 if(dname_is_root(nm)) return NULL; 2496 if(nmlen == z->namelen) return NULL; 2497 dname_remove_label(&nm, &nmlen); 2498 /* adjust *node for the nsec rrset to find in */ 2499 *node = az_find_name(z, nm, nmlen); 2500 } 2501 return rrset; 2502} 2503 2504/** Find NSEC and add for wildcard denial */ 2505static int 2506az_nsec_wildcard_denial(struct auth_zone* z, struct regional* region, 2507 struct dns_msg* msg, uint8_t* cenm, size_t cenmlen) 2508{ 2509 struct query_info qinfo; 2510 int node_exact; 2511 struct auth_data* node; 2512 struct auth_rrset* nsec; 2513 uint8_t wc[LDNS_MAX_DOMAINLEN]; 2514 if(cenmlen+2 > sizeof(wc)) 2515 return 0; /* result would be too long */ 2516 wc[0] = 1; /* length of wildcard label */ 2517 wc[1] = (uint8_t)'*'; /* wildcard label */ 2518 memmove(wc+2, cenm, cenmlen); 2519 2520 /* we have '*.ce' in wc wildcard name buffer */ 2521 /* get nsec cover for that */ 2522 qinfo.qname = wc; 2523 qinfo.qname_len = cenmlen+2; 2524 qinfo.qtype = 0; 2525 qinfo.qclass = 0; 2526 az_find_domain(z, &qinfo, &node_exact, &node); 2527 if((nsec=az_find_nsec_cover(z, &node)) != NULL) { 2528 if(!msg_add_rrset_ns(z, region, msg, node, nsec)) return 0; 2529 } 2530 return 1; 2531} 2532 2533/** Find the NSEC3PARAM rrset (if any) and if true you have the parameters */ 2534static int 2535az_nsec3_param(struct auth_zone* z, int* algo, size_t* iter, uint8_t** salt, 2536 size_t* saltlen) 2537{ 2538 struct auth_data* apex; 2539 struct auth_rrset* param; 2540 size_t i; 2541 apex = az_find_name(z, z->name, z->namelen); 2542 if(!apex) return 0; 2543 param = az_domain_rrset(apex, LDNS_RR_TYPE_NSEC3PARAM); 2544 if(!param || param->data->count==0) 2545 return 0; /* no RRset or no RRs in rrset */ 2546 /* find out which NSEC3PARAM RR has supported parameters */ 2547 /* skip unknown flags (dynamic signer is recalculating nsec3 chain) */ 2548 for(i=0; i<param->data->count; i++) { 2549 uint8_t* rdata = param->data->rr_data[i]+2; 2550 size_t rdatalen = param->data->rr_len[i]; 2551 if(rdatalen < 2+5) 2552 continue; /* too short */ 2553 if(!nsec3_hash_algo_size_supported((int)(rdata[0]))) 2554 continue; /* unsupported algo */ 2555 if(rdatalen < (size_t)(2+5+(size_t)rdata[4])) 2556 continue; /* salt missing */ 2557 if((rdata[1]&NSEC3_UNKNOWN_FLAGS)!=0) 2558 continue; /* unknown flags */ 2559 *algo = (int)(rdata[0]); 2560 *iter = sldns_read_uint16(rdata+2); 2561 *saltlen = rdata[4]; 2562 if(*saltlen == 0) 2563 *salt = NULL; 2564 else *salt = rdata+5; 2565 return 1; 2566 } 2567 /* no supported params */ 2568 return 0; 2569} 2570 2571/** Hash a name with nsec3param into buffer, it has zone name appended. 2572 * return length of hash */ 2573static size_t 2574az_nsec3_hash(uint8_t* buf, size_t buflen, uint8_t* nm, size_t nmlen, 2575 int algo, size_t iter, uint8_t* salt, size_t saltlen) 2576{ 2577 size_t hlen = nsec3_hash_algo_size_supported(algo); 2578 /* buffer has domain name, nsec3hash, and 256 is for max saltlen 2579 * (salt has 0-255 length) */ 2580 unsigned char p[LDNS_MAX_DOMAINLEN+1+N3HASHBUFLEN+256]; 2581 size_t i; 2582 if(nmlen+saltlen > sizeof(p) || hlen+saltlen > sizeof(p)) 2583 return 0; 2584 if(hlen > buflen) 2585 return 0; /* somehow too large for destination buffer */ 2586 /* hashfunc(name, salt) */ 2587 memmove(p, nm, nmlen); 2588 query_dname_tolower(p); 2589 memmove(p+nmlen, salt, saltlen); 2590 (void)secalgo_nsec3_hash(algo, p, nmlen+saltlen, (unsigned char*)buf); 2591 for(i=0; i<iter; i++) { 2592 /* hashfunc(hash, salt) */ 2593 memmove(p, buf, hlen); 2594 memmove(p+hlen, salt, saltlen); 2595 (void)secalgo_nsec3_hash(algo, p, hlen+saltlen, 2596 (unsigned char*)buf); 2597 } 2598 return hlen; 2599} 2600 2601/** Hash name and return b32encoded hashname for lookup, zone name appended */ 2602static int 2603az_nsec3_hashname(struct auth_zone* z, uint8_t* hashname, size_t* hashnmlen, 2604 uint8_t* nm, size_t nmlen, int algo, size_t iter, uint8_t* salt, 2605 size_t saltlen) 2606{ 2607 uint8_t hash[N3HASHBUFLEN]; 2608 size_t hlen; 2609 int ret; 2610 hlen = az_nsec3_hash(hash, sizeof(hash), nm, nmlen, algo, iter, 2611 salt, saltlen); 2612 if(!hlen) return 0; 2613 /* b32 encode */ 2614 if(*hashnmlen < hlen*2+1+z->namelen) /* approx b32 as hexb16 */ 2615 return 0; 2616 ret = sldns_b32_ntop_extended_hex(hash, hlen, (char*)(hashname+1), 2617 (*hashnmlen)-1); 2618 if(ret<1) 2619 return 0; 2620 hashname[0] = (uint8_t)ret; 2621 ret++; 2622 if((*hashnmlen) - ret < z->namelen) 2623 return 0; 2624 memmove(hashname+ret, z->name, z->namelen); 2625 *hashnmlen = z->namelen+(size_t)ret; 2626 return 1; 2627} 2628 2629/** Find the datanode that covers the nsec3hash-name */ 2630static struct auth_data* 2631az_nsec3_findnode(struct auth_zone* z, uint8_t* hashnm, size_t hashnmlen) 2632{ 2633 struct query_info qinfo; 2634 struct auth_data* node; 2635 int node_exact; 2636 qinfo.qclass = 0; 2637 qinfo.qtype = 0; 2638 qinfo.qname = hashnm; 2639 qinfo.qname_len = hashnmlen; 2640 /* because canonical ordering and b32 nsec3 ordering are the same. 2641 * this is a good lookup to find the nsec3 name. */ 2642 az_find_domain(z, &qinfo, &node_exact, &node); 2643 /* but we may have to skip non-nsec3 nodes */ 2644 /* this may be a lot, the way to speed that up is to have a 2645 * separate nsec3 tree with nsec3 nodes */ 2646 while(node && (rbnode_type*)node != RBTREE_NULL && 2647 !az_domain_rrset(node, LDNS_RR_TYPE_NSEC3)) { 2648 node = (struct auth_data*)rbtree_previous(&node->node); 2649 } 2650 if((rbnode_type*)node == RBTREE_NULL) 2651 node = NULL; 2652 return node; 2653} 2654 2655/** Find cover for hashed(nm, nmlen) (or NULL) */ 2656static struct auth_data* 2657az_nsec3_find_cover(struct auth_zone* z, uint8_t* nm, size_t nmlen, 2658 int algo, size_t iter, uint8_t* salt, size_t saltlen) 2659{ 2660 struct auth_data* node; 2661 uint8_t hname[LDNS_MAX_DOMAINLEN]; 2662 size_t hlen = sizeof(hname); 2663 if(!az_nsec3_hashname(z, hname, &hlen, nm, nmlen, algo, iter, 2664 salt, saltlen)) 2665 return NULL; 2666 node = az_nsec3_findnode(z, hname, hlen); 2667 if(node) 2668 return node; 2669 /* we did not find any, perhaps because the NSEC3 hash is before 2670 * the first hash, we have to find the 'last hash' in the zone */ 2671 node = (struct auth_data*)rbtree_last(&z->data); 2672 while(node && (rbnode_type*)node != RBTREE_NULL && 2673 !az_domain_rrset(node, LDNS_RR_TYPE_NSEC3)) { 2674 node = (struct auth_data*)rbtree_previous(&node->node); 2675 } 2676 if((rbnode_type*)node == RBTREE_NULL) 2677 node = NULL; 2678 return node; 2679} 2680 2681/** Find exact match for hashed(nm, nmlen) NSEC3 record or NULL */ 2682static struct auth_data* 2683az_nsec3_find_exact(struct auth_zone* z, uint8_t* nm, size_t nmlen, 2684 int algo, size_t iter, uint8_t* salt, size_t saltlen) 2685{ 2686 struct auth_data* node; 2687 uint8_t hname[LDNS_MAX_DOMAINLEN]; 2688 size_t hlen = sizeof(hname); 2689 if(!az_nsec3_hashname(z, hname, &hlen, nm, nmlen, algo, iter, 2690 salt, saltlen)) 2691 return NULL; 2692 node = az_find_name(z, hname, hlen); 2693 if(az_domain_rrset(node, LDNS_RR_TYPE_NSEC3)) 2694 return node; 2695 return NULL; 2696} 2697 2698/** Return nextcloser name (as a ref into the qname). This is one label 2699 * more than the cenm (cename must be a suffix of qname) */ 2700static void 2701az_nsec3_get_nextcloser(uint8_t* cenm, uint8_t* qname, size_t qname_len, 2702 uint8_t** nx, size_t* nxlen) 2703{ 2704 int celabs = dname_count_labels(cenm); 2705 int qlabs = dname_count_labels(qname); 2706 int strip = qlabs - celabs -1; 2707 log_assert(dname_strict_subdomain(qname, qlabs, cenm, celabs)); 2708 *nx = qname; 2709 *nxlen = qname_len; 2710 if(strip>0) 2711 dname_remove_labels(nx, nxlen, strip); 2712} 2713 2714/** Find the closest encloser that has exact NSEC3. 2715 * updated cenm to the new name. If it went up no-exact-ce is true. */ 2716static struct auth_data* 2717az_nsec3_find_ce(struct auth_zone* z, uint8_t** cenm, size_t* cenmlen, 2718 int* no_exact_ce, int algo, size_t iter, uint8_t* salt, size_t saltlen) 2719{ 2720 struct auth_data* node; 2721 while((node = az_nsec3_find_exact(z, *cenm, *cenmlen, 2722 algo, iter, salt, saltlen)) == NULL) { 2723 if(*cenmlen == z->namelen) { 2724 /* next step up would take us out of the zone. fail */ 2725 return NULL; 2726 } 2727 *no_exact_ce = 1; 2728 dname_remove_label(cenm, cenmlen); 2729 } 2730 return node; 2731} 2732 2733/* Insert NSEC3 record in authority section, if NULL does nothing */ 2734static int 2735az_nsec3_insert(struct auth_zone* z, struct regional* region, 2736 struct dns_msg* msg, struct auth_data* node) 2737{ 2738 struct auth_rrset* nsec3; 2739 if(!node) return 1; /* no node, skip this */ 2740 nsec3 = az_domain_rrset(node, LDNS_RR_TYPE_NSEC3); 2741 if(!nsec3) return 1; /* if no nsec3 RR, skip it */ 2742 if(!msg_add_rrset_ns(z, region, msg, node, nsec3)) return 0; 2743 return 1; 2744} 2745 2746/** add NSEC3 records to the zone for the nsec3 proof. 2747 * Specify with the flags with parts of the proof are required. 2748 * the ce is the exact matching name (for notype) but also delegation points. 2749 * qname is the one where the nextcloser name can be derived from. 2750 * If NSEC3 is not properly there (in the zone) nothing is added. 2751 * always enabled: include nsec3 proving about the Closest Encloser. 2752 * that is an exact match that should exist for it. 2753 * If that does not exist, a higher exact match + nxproof is enabled 2754 * (for some sort of opt-out empty nonterminal cases). 2755 * nodataproof: search for exact match and include that instead. 2756 * ceproof: include ce proof NSEC3 (omitted for wildcard replies). 2757 * nxproof: include denial of the qname. 2758 * wcproof: include denial of wildcard (wildcard.ce). 2759 */ 2760static int 2761az_add_nsec3_proof(struct auth_zone* z, struct regional* region, 2762 struct dns_msg* msg, uint8_t* cenm, size_t cenmlen, uint8_t* qname, 2763 size_t qname_len, int nodataproof, int ceproof, int nxproof, 2764 int wcproof) 2765{ 2766 int algo; 2767 size_t iter, saltlen; 2768 uint8_t* salt; 2769 int no_exact_ce = 0; 2770 struct auth_data* node; 2771 2772 /* find parameters of nsec3 proof */ 2773 if(!az_nsec3_param(z, &algo, &iter, &salt, &saltlen)) 2774 return 1; /* no nsec3 */ 2775 if(nodataproof) { 2776 /* see if the node has a hash of itself for the nodata 2777 * proof nsec3, this has to be an exact match nsec3. */ 2778 struct auth_data* match; 2779 match = az_nsec3_find_exact(z, qname, qname_len, algo, 2780 iter, salt, saltlen); 2781 if(match) { 2782 if(!az_nsec3_insert(z, region, msg, match)) 2783 return 0; 2784 /* only nodata NSEC3 needed, no CE or others. */ 2785 return 1; 2786 } 2787 } 2788 /* find ce that has an NSEC3 */ 2789 if(ceproof) { 2790 node = az_nsec3_find_ce(z, &cenm, &cenmlen, &no_exact_ce, 2791 algo, iter, salt, saltlen); 2792 if(no_exact_ce) nxproof = 1; 2793 if(!az_nsec3_insert(z, region, msg, node)) 2794 return 0; 2795 } 2796 2797 if(nxproof) { 2798 uint8_t* nx; 2799 size_t nxlen; 2800 /* create nextcloser domain name */ 2801 az_nsec3_get_nextcloser(cenm, qname, qname_len, &nx, &nxlen); 2802 /* find nsec3 that matches or covers it */ 2803 node = az_nsec3_find_cover(z, nx, nxlen, algo, iter, salt, 2804 saltlen); 2805 if(!az_nsec3_insert(z, region, msg, node)) 2806 return 0; 2807 } 2808 if(wcproof) { 2809 /* create wildcard name *.ce */ 2810 uint8_t wc[LDNS_MAX_DOMAINLEN]; 2811 size_t wclen; 2812 if(cenmlen+2 > sizeof(wc)) 2813 return 0; /* result would be too long */ 2814 wc[0] = 1; /* length of wildcard label */ 2815 wc[1] = (uint8_t)'*'; /* wildcard label */ 2816 memmove(wc+2, cenm, cenmlen); 2817 wclen = cenmlen+2; 2818 /* find nsec3 that matches or covers it */ 2819 node = az_nsec3_find_cover(z, wc, wclen, algo, iter, salt, 2820 saltlen); 2821 if(!az_nsec3_insert(z, region, msg, node)) 2822 return 0; 2823 } 2824 return 1; 2825} 2826 2827/** generate answer for positive answer */ 2828static int 2829az_generate_positive_answer(struct auth_zone* z, struct regional* region, 2830 struct dns_msg* msg, struct auth_data* node, struct auth_rrset* rrset) 2831{ 2832 if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0; 2833 /* see if we want additional rrs */ 2834 if(rrset->type == LDNS_RR_TYPE_MX) { 2835 if(!az_add_additionals_from(z, region, msg, rrset, 2)) 2836 return 0; 2837 } else if(rrset->type == LDNS_RR_TYPE_SRV) { 2838 if(!az_add_additionals_from(z, region, msg, rrset, 6)) 2839 return 0; 2840 } else if(rrset->type == LDNS_RR_TYPE_NS) { 2841 if(!az_add_additionals_from(z, region, msg, rrset, 0)) 2842 return 0; 2843 } 2844 return 1; 2845} 2846 2847/** generate answer for type ANY answer */ 2848static int 2849az_generate_any_answer(struct auth_zone* z, struct regional* region, 2850 struct dns_msg* msg, struct auth_data* node) 2851{ 2852 struct auth_rrset* rrset; 2853 int added = 0; 2854 /* add a couple (at least one) RRs */ 2855 if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_SOA)) != NULL) { 2856 if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0; 2857 added++; 2858 } 2859 if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_MX)) != NULL) { 2860 if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0; 2861 added++; 2862 } 2863 if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_A)) != NULL) { 2864 if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0; 2865 added++; 2866 } 2867 if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_AAAA)) != NULL) { 2868 if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0; 2869 added++; 2870 } 2871 if(added == 0 && node && node->rrsets) { 2872 if(!msg_add_rrset_an(z, region, msg, node, 2873 node->rrsets)) return 0; 2874 } 2875 return 1; 2876} 2877 2878/** follow cname chain and add more data to the answer section */ 2879static int 2880follow_cname_chain(struct auth_zone* z, uint16_t qtype, 2881 struct regional* region, struct dns_msg* msg, 2882 struct packed_rrset_data* d) 2883{ 2884 int maxchain = 0; 2885 /* see if we can add the target of the CNAME into the answer */ 2886 while(maxchain++ < MAX_CNAME_CHAIN) { 2887 struct auth_data* node; 2888 struct auth_rrset* rrset; 2889 size_t clen; 2890 /* d has cname rdata */ 2891 if(d->count == 0) break; /* no CNAME */ 2892 if(d->rr_len[0] < 2+1) break; /* too small */ 2893 if((clen=dname_valid(d->rr_data[0]+2, d->rr_len[0]-2))==0) 2894 break; /* malformed */ 2895 if(!dname_subdomain_c(d->rr_data[0]+2, z->name)) 2896 break; /* target out of zone */ 2897 if((node = az_find_name(z, d->rr_data[0]+2, clen))==NULL) 2898 break; /* no such target name */ 2899 if((rrset=az_domain_rrset(node, qtype))!=NULL) { 2900 /* done we found the target */ 2901 if(!msg_add_rrset_an(z, region, msg, node, rrset)) 2902 return 0; 2903 break; 2904 } 2905 if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_CNAME))==NULL) 2906 break; /* no further CNAME chain, notype */ 2907 if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0; 2908 d = rrset->data; 2909 } 2910 return 1; 2911} 2912 2913/** generate answer for cname answer */ 2914static int 2915az_generate_cname_answer(struct auth_zone* z, struct query_info* qinfo, 2916 struct regional* region, struct dns_msg* msg, 2917 struct auth_data* node, struct auth_rrset* rrset) 2918{ 2919 if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0; 2920 if(!rrset) return 1; 2921 if(!follow_cname_chain(z, qinfo->qtype, region, msg, rrset->data)) 2922 return 0; 2923 return 1; 2924} 2925 2926/** generate answer for notype answer */ 2927static int 2928az_generate_notype_answer(struct auth_zone* z, struct regional* region, 2929 struct dns_msg* msg, struct auth_data* node) 2930{ 2931 struct auth_rrset* rrset; 2932 if(!az_add_negative_soa(z, region, msg)) return 0; 2933 /* DNSSEC denial NSEC */ 2934 if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_NSEC))!=NULL) { 2935 if(!msg_add_rrset_ns(z, region, msg, node, rrset)) return 0; 2936 } else if(node) { 2937 /* DNSSEC denial NSEC3 */ 2938 if(!az_add_nsec3_proof(z, region, msg, node->name, 2939 node->namelen, msg->qinfo.qname, 2940 msg->qinfo.qname_len, 1, 1, 0, 0)) 2941 return 0; 2942 } 2943 return 1; 2944} 2945 2946/** generate answer for referral answer */ 2947static int 2948az_generate_referral_answer(struct auth_zone* z, struct regional* region, 2949 struct dns_msg* msg, struct auth_data* ce, struct auth_rrset* rrset) 2950{ 2951 struct auth_rrset* ds, *nsec; 2952 /* turn off AA flag, referral is nonAA because it leaves the zone */ 2953 log_assert(ce); 2954 msg->rep->flags &= ~BIT_AA; 2955 if(!msg_add_rrset_ns(z, region, msg, ce, rrset)) return 0; 2956 /* add DS or deny it */ 2957 if((ds=az_domain_rrset(ce, LDNS_RR_TYPE_DS))!=NULL) { 2958 if(!msg_add_rrset_ns(z, region, msg, ce, ds)) return 0; 2959 } else { 2960 /* deny the DS */ 2961 if((nsec=az_domain_rrset(ce, LDNS_RR_TYPE_NSEC))!=NULL) { 2962 if(!msg_add_rrset_ns(z, region, msg, ce, nsec)) 2963 return 0; 2964 } else { 2965 if(!az_add_nsec3_proof(z, region, msg, ce->name, 2966 ce->namelen, msg->qinfo.qname, 2967 msg->qinfo.qname_len, 1, 1, 0, 0)) 2968 return 0; 2969 } 2970 } 2971 /* add additional rrs for type NS */ 2972 if(!az_add_additionals_from(z, region, msg, rrset, 0)) return 0; 2973 return 1; 2974} 2975 2976/** generate answer for DNAME answer */ 2977static int 2978az_generate_dname_answer(struct auth_zone* z, struct query_info* qinfo, 2979 struct regional* region, struct dns_msg* msg, struct auth_data* ce, 2980 struct auth_rrset* rrset) 2981{ 2982 log_assert(ce); 2983 /* add the DNAME and then a CNAME */ 2984 if(!msg_add_rrset_an(z, region, msg, ce, rrset)) return 0; 2985 if(!add_synth_cname(z, qinfo->qname, qinfo->qname_len, region, 2986 msg, ce, rrset)) return 0; 2987 if(FLAGS_GET_RCODE(msg->rep->flags) == LDNS_RCODE_YXDOMAIN) 2988 return 1; 2989 if(msg->rep->rrset_count == 0 || 2990 !msg->rep->rrsets[msg->rep->rrset_count-1]) 2991 return 0; 2992 if(!follow_cname_chain(z, qinfo->qtype, region, msg, 2993 (struct packed_rrset_data*)msg->rep->rrsets[ 2994 msg->rep->rrset_count-1]->entry.data)) 2995 return 0; 2996 return 1; 2997} 2998 2999/** generate answer for wildcard answer */ 3000static int 3001az_generate_wildcard_answer(struct auth_zone* z, struct query_info* qinfo, 3002 struct regional* region, struct dns_msg* msg, struct auth_data* ce, 3003 struct auth_data* wildcard, struct auth_data* node) 3004{ 3005 struct auth_rrset* rrset, *nsec; 3006 int insert_ce = 0; 3007 if((rrset=az_domain_rrset(wildcard, qinfo->qtype)) != NULL) { 3008 /* wildcard has type, add it */ 3009 if(!msg_add_rrset_an(z, region, msg, wildcard, rrset)) 3010 return 0; 3011 az_change_dnames(msg, wildcard->name, msg->qinfo.qname, 3012 msg->qinfo.qname_len, 1); 3013 } else if((rrset=az_domain_rrset(wildcard, LDNS_RR_TYPE_CNAME))!=NULL) { 3014 /* wildcard has cname instead, do that */ 3015 if(!msg_add_rrset_an(z, region, msg, wildcard, rrset)) 3016 return 0; 3017 az_change_dnames(msg, wildcard->name, msg->qinfo.qname, 3018 msg->qinfo.qname_len, 1); 3019 if(!follow_cname_chain(z, qinfo->qtype, region, msg, 3020 rrset->data)) 3021 return 0; 3022 } else if(qinfo->qtype == LDNS_RR_TYPE_ANY && wildcard->rrsets) { 3023 /* add ANY rrsets from wildcard node */ 3024 if(!az_generate_any_answer(z, region, msg, wildcard)) 3025 return 0; 3026 az_change_dnames(msg, wildcard->name, msg->qinfo.qname, 3027 msg->qinfo.qname_len, 1); 3028 } else { 3029 /* wildcard has nodata, notype answer */ 3030 /* call other notype routine for dnssec notype denials */ 3031 if(!az_generate_notype_answer(z, region, msg, wildcard)) 3032 return 0; 3033 /* because the notype, there is no positive data with an 3034 * RRSIG that indicates the wildcard position. Thus the 3035 * wildcard qname denial needs to have a CE nsec3. */ 3036 insert_ce = 1; 3037 } 3038 3039 /* ce and node for dnssec denial of wildcard original name */ 3040 if((nsec=az_find_nsec_cover(z, &node)) != NULL) { 3041 if(!msg_add_rrset_ns(z, region, msg, node, nsec)) return 0; 3042 } else if(ce) { 3043 uint8_t* wildup = wildcard->name; 3044 size_t wilduplen= wildcard->namelen; 3045 dname_remove_label(&wildup, &wilduplen); 3046 if(!az_add_nsec3_proof(z, region, msg, wildup, 3047 wilduplen, msg->qinfo.qname, 3048 msg->qinfo.qname_len, 0, insert_ce, 1, 0)) 3049 return 0; 3050 } 3051 3052 /* fixup name of wildcard from *.zone to qname, use already allocated 3053 * pointer to msg qname */ 3054 az_change_dnames(msg, wildcard->name, msg->qinfo.qname, 3055 msg->qinfo.qname_len, 0); 3056 return 1; 3057} 3058 3059/** generate answer for nxdomain answer */ 3060static int 3061az_generate_nxdomain_answer(struct auth_zone* z, struct regional* region, 3062 struct dns_msg* msg, struct auth_data* ce, struct auth_data* node) 3063{ 3064 struct auth_rrset* nsec; 3065 msg->rep->flags |= LDNS_RCODE_NXDOMAIN; 3066 if(!az_add_negative_soa(z, region, msg)) return 0; 3067 if((nsec=az_find_nsec_cover(z, &node)) != NULL) { 3068 if(!msg_add_rrset_ns(z, region, msg, node, nsec)) return 0; 3069 if(ce && !az_nsec_wildcard_denial(z, region, msg, ce->name, 3070 ce->namelen)) return 0; 3071 } else if(ce) { 3072 if(!az_add_nsec3_proof(z, region, msg, ce->name, 3073 ce->namelen, msg->qinfo.qname, 3074 msg->qinfo.qname_len, 0, 1, 1, 1)) 3075 return 0; 3076 } 3077 return 1; 3078} 3079 3080/** Create answers when an exact match exists for the domain name */ 3081static int 3082az_generate_answer_with_node(struct auth_zone* z, struct query_info* qinfo, 3083 struct regional* region, struct dns_msg* msg, struct auth_data* node) 3084{ 3085 struct auth_rrset* rrset; 3086 /* positive answer, rrset we are looking for exists */ 3087 if((rrset=az_domain_rrset(node, qinfo->qtype)) != NULL) { 3088 return az_generate_positive_answer(z, region, msg, node, rrset); 3089 } 3090 /* CNAME? */ 3091 if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_CNAME)) != NULL) { 3092 return az_generate_cname_answer(z, qinfo, region, msg, 3093 node, rrset); 3094 } 3095 /* type ANY ? */ 3096 if(qinfo->qtype == LDNS_RR_TYPE_ANY) { 3097 return az_generate_any_answer(z, region, msg, node); 3098 } 3099 /* NOERROR/NODATA (no such type at domain name) */ 3100 return az_generate_notype_answer(z, region, msg, node); 3101} 3102 3103/** Generate answer without an existing-node that we can use. 3104 * So it'll be a referral, DNAME or nxdomain */ 3105static int 3106az_generate_answer_nonexistnode(struct auth_zone* z, struct query_info* qinfo, 3107 struct regional* region, struct dns_msg* msg, struct auth_data* ce, 3108 struct auth_rrset* rrset, struct auth_data* node) 3109{ 3110 struct auth_data* wildcard; 3111 3112 /* we do not have an exact matching name (that exists) */ 3113 /* see if we have a NS or DNAME in the ce */ 3114 if(ce && rrset && rrset->type == LDNS_RR_TYPE_NS) { 3115 return az_generate_referral_answer(z, region, msg, ce, rrset); 3116 } 3117 if(ce && rrset && rrset->type == LDNS_RR_TYPE_DNAME) { 3118 return az_generate_dname_answer(z, qinfo, region, msg, ce, 3119 rrset); 3120 } 3121 /* if there is an empty nonterminal, wildcard and nxdomain don't 3122 * happen, it is a notype answer */ 3123 if(az_empty_nonterminal(z, qinfo, node)) { 3124 return az_generate_notype_answer(z, region, msg, node); 3125 } 3126 /* see if we have a wildcard under the ce */ 3127 if((wildcard=az_find_wildcard(z, qinfo, ce)) != NULL) { 3128 return az_generate_wildcard_answer(z, qinfo, region, msg, 3129 ce, wildcard, node); 3130 } 3131 /* generate nxdomain answer */ 3132 return az_generate_nxdomain_answer(z, region, msg, ce, node); 3133} 3134 3135/** Lookup answer in a zone. */ 3136static int 3137auth_zone_generate_answer(struct auth_zone* z, struct query_info* qinfo, 3138 struct regional* region, struct dns_msg** msg, int* fallback) 3139{ 3140 struct auth_data* node, *ce; 3141 struct auth_rrset* rrset; 3142 int node_exact, node_exists; 3143 /* does the zone want fallback in case of failure? */ 3144 *fallback = z->fallback_enabled; 3145 if(!(*msg=msg_create(region, qinfo))) return 0; 3146 3147 /* lookup if there is a matching domain name for the query */ 3148 az_find_domain(z, qinfo, &node_exact, &node); 3149 3150 /* see if node exists for generating answers from (i.e. not glue and 3151 * obscured by NS or DNAME or NSEC3-only), and also return the 3152 * closest-encloser from that, closest node that should be used 3153 * to generate answers from that is above the query */ 3154 node_exists = az_find_ce(z, qinfo, node, node_exact, &ce, &rrset); 3155 3156 if(verbosity >= VERB_ALGO) { 3157 char zname[256], qname[256], nname[256], cename[256], 3158 tpstr[32], rrstr[32]; 3159 sldns_wire2str_dname_buf(qinfo->qname, qinfo->qname_len, qname, 3160 sizeof(qname)); 3161 sldns_wire2str_type_buf(qinfo->qtype, tpstr, sizeof(tpstr)); 3162 sldns_wire2str_dname_buf(z->name, z->namelen, zname, 3163 sizeof(zname)); 3164 if(node) 3165 sldns_wire2str_dname_buf(node->name, node->namelen, 3166 nname, sizeof(nname)); 3167 else snprintf(nname, sizeof(nname), "NULL"); 3168 if(ce) 3169 sldns_wire2str_dname_buf(ce->name, ce->namelen, 3170 cename, sizeof(cename)); 3171 else snprintf(cename, sizeof(cename), "NULL"); 3172 if(rrset) sldns_wire2str_type_buf(rrset->type, rrstr, 3173 sizeof(rrstr)); 3174 else snprintf(rrstr, sizeof(rrstr), "NULL"); 3175 log_info("auth_zone %s query %s %s, domain %s %s %s, " 3176 "ce %s, rrset %s", zname, qname, tpstr, nname, 3177 (node_exact?"exact":"notexact"), 3178 (node_exists?"exist":"notexist"), cename, rrstr); 3179 } 3180 3181 if(node_exists) { 3182 /* the node is fine, generate answer from node */ 3183 return az_generate_answer_with_node(z, qinfo, region, *msg, 3184 node); 3185 } 3186 return az_generate_answer_nonexistnode(z, qinfo, region, *msg, 3187 ce, rrset, node); 3188} 3189 3190int auth_zones_lookup(struct auth_zones* az, struct query_info* qinfo, 3191 struct regional* region, struct dns_msg** msg, int* fallback, 3192 uint8_t* dp_nm, size_t dp_nmlen) 3193{ 3194 int r; 3195 struct auth_zone* z; 3196 /* find the zone that should contain the answer. */ 3197 lock_rw_rdlock(&az->lock); 3198 z = auth_zone_find(az, dp_nm, dp_nmlen, qinfo->qclass); 3199 if(!z) { 3200 lock_rw_unlock(&az->lock); 3201 /* no auth zone, fallback to internet */ 3202 *fallback = 1; 3203 return 0; 3204 } 3205 lock_rw_rdlock(&z->lock); 3206 lock_rw_unlock(&az->lock); 3207 3208 /* if not for upstream queries, fallback */ 3209 if(!z->for_upstream) { 3210 lock_rw_unlock(&z->lock); 3211 *fallback = 1; 3212 return 0; 3213 } 3214 if(z->zone_expired) { 3215 *fallback = z->fallback_enabled; 3216 lock_rw_unlock(&z->lock); 3217 return 0; 3218 } 3219 /* see what answer that zone would generate */ 3220 r = auth_zone_generate_answer(z, qinfo, region, msg, fallback); 3221 lock_rw_unlock(&z->lock); 3222 return r; 3223} 3224 3225/** encode auth answer */ 3226static void 3227auth_answer_encode(struct query_info* qinfo, struct module_env* env, 3228 struct edns_data* edns, struct comm_reply* repinfo, sldns_buffer* buf, 3229 struct regional* temp, struct dns_msg* msg) 3230{ 3231 uint16_t udpsize; 3232 udpsize = edns->udp_size; 3233 edns->edns_version = EDNS_ADVERTISED_VERSION; 3234 edns->udp_size = EDNS_ADVERTISED_SIZE; 3235 edns->ext_rcode = 0; 3236 edns->bits &= EDNS_DO; 3237 3238 if(!inplace_cb_reply_local_call(env, qinfo, NULL, msg->rep, 3239 (int)FLAGS_GET_RCODE(msg->rep->flags), edns, repinfo, temp) 3240 || !reply_info_answer_encode(qinfo, msg->rep, 3241 *(uint16_t*)sldns_buffer_begin(buf), 3242 sldns_buffer_read_u16_at(buf, 2), 3243 buf, 0, 0, temp, udpsize, edns, 3244 (int)(edns->bits&EDNS_DO), 0)) { 3245 error_encode(buf, (LDNS_RCODE_SERVFAIL|BIT_AA), qinfo, 3246 *(uint16_t*)sldns_buffer_begin(buf), 3247 sldns_buffer_read_u16_at(buf, 2), edns); 3248 } 3249} 3250 3251/** encode auth error answer */ 3252static void 3253auth_error_encode(struct query_info* qinfo, struct module_env* env, 3254 struct edns_data* edns, struct comm_reply* repinfo, sldns_buffer* buf, 3255 struct regional* temp, int rcode) 3256{ 3257 edns->edns_version = EDNS_ADVERTISED_VERSION; 3258 edns->udp_size = EDNS_ADVERTISED_SIZE; 3259 edns->ext_rcode = 0; 3260 edns->bits &= EDNS_DO; 3261 3262 if(!inplace_cb_reply_local_call(env, qinfo, NULL, NULL, 3263 rcode, edns, repinfo, temp)) 3264 edns->opt_list = NULL; 3265 error_encode(buf, rcode|BIT_AA, qinfo, 3266 *(uint16_t*)sldns_buffer_begin(buf), 3267 sldns_buffer_read_u16_at(buf, 2), edns); 3268} 3269 3270int auth_zones_answer(struct auth_zones* az, struct module_env* env, 3271 struct query_info* qinfo, struct edns_data* edns, 3272 struct comm_reply* repinfo, struct sldns_buffer* buf, struct regional* temp) 3273{ 3274 struct dns_msg* msg = NULL; 3275 struct auth_zone* z; 3276 int r; 3277 int fallback = 0; 3278 3279 lock_rw_rdlock(&az->lock); 3280 if(!az->have_downstream) { 3281 /* no downstream auth zones */ 3282 lock_rw_unlock(&az->lock); 3283 return 0; 3284 } 3285 if(qinfo->qtype == LDNS_RR_TYPE_DS) { 3286 uint8_t* delname = qinfo->qname; 3287 size_t delnamelen = qinfo->qname_len; 3288 dname_remove_label(&delname, &delnamelen); 3289 z = auth_zones_find_zone(az, delname, delnamelen, 3290 qinfo->qclass); 3291 } else { 3292 z = auth_zones_find_zone(az, qinfo->qname, qinfo->qname_len, 3293 qinfo->qclass); 3294 } 3295 if(!z) { 3296 /* no zone above it */ 3297 lock_rw_unlock(&az->lock); 3298 return 0; 3299 } 3300 lock_rw_rdlock(&z->lock); 3301 lock_rw_unlock(&az->lock); 3302 if(!z->for_downstream) { 3303 lock_rw_unlock(&z->lock); 3304 return 0; 3305 } 3306 if(z->zone_expired) { 3307 if(z->fallback_enabled) { 3308 lock_rw_unlock(&z->lock); 3309 return 0; 3310 } 3311 lock_rw_unlock(&z->lock); 3312 lock_rw_wrlock(&az->lock); 3313 az->num_query_down++; 3314 lock_rw_unlock(&az->lock); 3315 auth_error_encode(qinfo, env, edns, repinfo, buf, temp, 3316 LDNS_RCODE_SERVFAIL); 3317 return 1; 3318 } 3319 3320 /* answer it from zone z */ 3321 r = auth_zone_generate_answer(z, qinfo, temp, &msg, &fallback); 3322 lock_rw_unlock(&z->lock); 3323 if(!r && fallback) { 3324 /* fallback to regular answering (recursive) */ 3325 return 0; 3326 } 3327 lock_rw_wrlock(&az->lock); 3328 az->num_query_down++; 3329 lock_rw_unlock(&az->lock); 3330 3331 /* encode answer */ 3332 if(!r) 3333 auth_error_encode(qinfo, env, edns, repinfo, buf, temp, 3334 LDNS_RCODE_SERVFAIL); 3335 else auth_answer_encode(qinfo, env, edns, repinfo, buf, temp, msg); 3336 3337 return 1; 3338} 3339 3340int auth_zones_can_fallback(struct auth_zones* az, uint8_t* nm, size_t nmlen, 3341 uint16_t dclass) 3342{ 3343 int r; 3344 struct auth_zone* z; 3345 lock_rw_rdlock(&az->lock); 3346 z = auth_zone_find(az, nm, nmlen, dclass); 3347 if(!z) { 3348 lock_rw_unlock(&az->lock); 3349 /* no such auth zone, fallback */ 3350 return 1; 3351 } 3352 lock_rw_rdlock(&z->lock); 3353 lock_rw_unlock(&az->lock); 3354 r = z->fallback_enabled || (!z->for_upstream); 3355 lock_rw_unlock(&z->lock); 3356 return r; 3357} 3358 3359int 3360auth_zone_parse_notify_serial(sldns_buffer* pkt, uint32_t *serial) 3361{ 3362 struct query_info q; 3363 uint16_t rdlen; 3364 memset(&q, 0, sizeof(q)); 3365 sldns_buffer_set_position(pkt, 0); 3366 if(!query_info_parse(&q, pkt)) return 0; 3367 if(LDNS_ANCOUNT(sldns_buffer_begin(pkt)) == 0) return 0; 3368 /* skip name of RR in answer section */ 3369 if(sldns_buffer_remaining(pkt) < 1) return 0; 3370 if(pkt_dname_len(pkt) == 0) return 0; 3371 /* check type */ 3372 if(sldns_buffer_remaining(pkt) < 10 /* type,class,ttl,rdatalen*/) 3373 return 0; 3374 if(sldns_buffer_read_u16(pkt) != LDNS_RR_TYPE_SOA) return 0; 3375 sldns_buffer_skip(pkt, 2); /* class */ 3376 sldns_buffer_skip(pkt, 4); /* ttl */ 3377 rdlen = sldns_buffer_read_u16(pkt); /* rdatalen */ 3378 if(sldns_buffer_remaining(pkt) < rdlen) return 0; 3379 if(rdlen < 22) return 0; /* bad soa length */ 3380 sldns_buffer_skip(pkt, (ssize_t)(rdlen-20)); 3381 *serial = sldns_buffer_read_u32(pkt); 3382 /* return true when has serial in answer section */ 3383 return 1; 3384} 3385 3386/** see if addr appears in the list */ 3387static int 3388addr_in_list(struct auth_addr* list, struct sockaddr_storage* addr, 3389 socklen_t addrlen) 3390{ 3391 struct auth_addr* p; 3392 for(p=list; p; p=p->next) { 3393 if(sockaddr_cmp_addr(addr, addrlen, &p->addr, p->addrlen)==0) 3394 return 1; 3395 } 3396 return 0; 3397} 3398 3399/** check if an address matches a master specification (or one of its 3400 * addresses in the addr list) */ 3401static int 3402addr_matches_master(struct auth_master* master, struct sockaddr_storage* addr, 3403 socklen_t addrlen, struct auth_master** fromhost) 3404{ 3405 struct sockaddr_storage a; 3406 socklen_t alen = 0; 3407 int net = 0; 3408 if(addr_in_list(master->list, addr, addrlen)) { 3409 *fromhost = master; 3410 return 1; 3411 } 3412 /* compare address (but not port number, that is the destination 3413 * port of the master, the port number of the received notify is 3414 * allowed to by any port on that master) */ 3415 if(extstrtoaddr(master->host, &a, &alen) && 3416 sockaddr_cmp_addr(addr, addrlen, &a, alen)==0) { 3417 *fromhost = master; 3418 return 1; 3419 } 3420 /* prefixes, addr/len, like 10.0.0.0/8 */ 3421 /* not http and has a / and there is one / */ 3422 if(master->allow_notify && !master->http && 3423 strchr(master->host, '/') != NULL && 3424 strchr(master->host, '/') == strrchr(master->host, '/') && 3425 netblockstrtoaddr(master->host, UNBOUND_DNS_PORT, &a, &alen, 3426 &net) && alen == addrlen) { 3427 if(addr_in_common(addr, (addr_is_ip6(addr, addrlen)?128:32), 3428 &a, net, alen) >= net) { 3429 *fromhost = NULL; /* prefix does not have destination 3430 to send the probe or transfer with */ 3431 return 1; /* matches the netblock */ 3432 } 3433 } 3434 return 0; 3435} 3436 3437/** check access list for notifies */ 3438static int 3439az_xfr_allowed_notify(struct auth_xfer* xfr, struct sockaddr_storage* addr, 3440 socklen_t addrlen, struct auth_master** fromhost) 3441{ 3442 struct auth_master* p; 3443 for(p=xfr->allow_notify_list; p; p=p->next) { 3444 if(addr_matches_master(p, addr, addrlen, fromhost)) { 3445 return 1; 3446 } 3447 } 3448 return 0; 3449} 3450 3451/** see if the serial means the zone has to be updated, i.e. the serial 3452 * is newer than the zone serial, or we have no zone */ 3453static int 3454xfr_serial_means_update(struct auth_xfer* xfr, uint32_t serial) 3455{ 3456 if(!xfr->have_zone) 3457 return 1; /* no zone, anything is better */ 3458 if(xfr->zone_expired) 3459 return 1; /* expired, the sent serial is better than expired 3460 data */ 3461 if(compare_serial(xfr->serial, serial) < 0) 3462 return 1; /* our serial is smaller than the sent serial, 3463 the data is newer, fetch it */ 3464 return 0; 3465} 3466 3467/** note notify serial, updates the notify information in the xfr struct */ 3468static void 3469xfr_note_notify_serial(struct auth_xfer* xfr, int has_serial, uint32_t serial) 3470{ 3471 if(xfr->notify_received && xfr->notify_has_serial && has_serial) { 3472 /* see if this serial is newer */ 3473 if(compare_serial(xfr->notify_serial, serial) < 0) 3474 xfr->notify_serial = serial; 3475 } else if(xfr->notify_received && xfr->notify_has_serial && 3476 !has_serial) { 3477 /* remove serial, we have notify without serial */ 3478 xfr->notify_has_serial = 0; 3479 xfr->notify_serial = 0; 3480 } else if(xfr->notify_received && !xfr->notify_has_serial) { 3481 /* we already have notify without serial, keep it 3482 * that way; no serial check when current operation 3483 * is done */ 3484 } else { 3485 xfr->notify_received = 1; 3486 xfr->notify_has_serial = has_serial; 3487 xfr->notify_serial = serial; 3488 } 3489} 3490 3491/** process a notify serial, start new probe or note serial. xfr is locked */ 3492static void 3493xfr_process_notify(struct auth_xfer* xfr, struct module_env* env, 3494 int has_serial, uint32_t serial, struct auth_master* fromhost) 3495{ 3496 /* if the serial of notify is older than we have, don't fetch 3497 * a zone, we already have it */ 3498 if(has_serial && !xfr_serial_means_update(xfr, serial)) { 3499 lock_basic_unlock(&xfr->lock); 3500 return; 3501 } 3502 /* start new probe with this addr src, or note serial */ 3503 if(!xfr_start_probe(xfr, env, fromhost)) { 3504 /* not started because already in progress, note the serial */ 3505 xfr_note_notify_serial(xfr, has_serial, serial); 3506 lock_basic_unlock(&xfr->lock); 3507 } 3508 /* successful end of start_probe unlocked xfr->lock */ 3509} 3510 3511int auth_zones_notify(struct auth_zones* az, struct module_env* env, 3512 uint8_t* nm, size_t nmlen, uint16_t dclass, 3513 struct sockaddr_storage* addr, socklen_t addrlen, int has_serial, 3514 uint32_t serial, int* refused) 3515{ 3516 struct auth_xfer* xfr; 3517 struct auth_master* fromhost = NULL; 3518 /* see which zone this is */ 3519 lock_rw_rdlock(&az->lock); 3520 xfr = auth_xfer_find(az, nm, nmlen, dclass); 3521 if(!xfr) { 3522 lock_rw_unlock(&az->lock); 3523 /* no such zone, refuse the notify */ 3524 *refused = 1; 3525 return 0; 3526 } 3527 lock_basic_lock(&xfr->lock); 3528 lock_rw_unlock(&az->lock); 3529 3530 /* check access list for notifies */ 3531 if(!az_xfr_allowed_notify(xfr, addr, addrlen, &fromhost)) { 3532 lock_basic_unlock(&xfr->lock); 3533 /* notify not allowed, refuse the notify */ 3534 *refused = 1; 3535 return 0; 3536 } 3537 3538 /* process the notify */ 3539 xfr_process_notify(xfr, env, has_serial, serial, fromhost); 3540 return 1; 3541} 3542 3543int auth_zones_startprobesequence(struct auth_zones* az, 3544 struct module_env* env, uint8_t* nm, size_t nmlen, uint16_t dclass) 3545{ 3546 struct auth_xfer* xfr; 3547 lock_rw_rdlock(&az->lock); 3548 xfr = auth_xfer_find(az, nm, nmlen, dclass); 3549 if(!xfr) { 3550 lock_rw_unlock(&az->lock); 3551 return 0; 3552 } 3553 lock_basic_lock(&xfr->lock); 3554 lock_rw_unlock(&az->lock); 3555 3556 xfr_process_notify(xfr, env, 0, 0, NULL); 3557 return 1; 3558} 3559 3560/** set a zone expired */ 3561static void 3562auth_xfer_set_expired(struct auth_xfer* xfr, struct module_env* env, 3563 int expired) 3564{ 3565 struct auth_zone* z; 3566 3567 /* expire xfr */ 3568 lock_basic_lock(&xfr->lock); 3569 xfr->zone_expired = expired; 3570 lock_basic_unlock(&xfr->lock); 3571 3572 /* find auth_zone */ 3573 lock_rw_rdlock(&env->auth_zones->lock); 3574 z = auth_zone_find(env->auth_zones, xfr->name, xfr->namelen, 3575 xfr->dclass); 3576 if(!z) { 3577 lock_rw_unlock(&env->auth_zones->lock); 3578 return; 3579 } 3580 lock_rw_wrlock(&z->lock); 3581 lock_rw_unlock(&env->auth_zones->lock); 3582 3583 /* expire auth_zone */ 3584 z->zone_expired = expired; 3585 lock_rw_unlock(&z->lock); 3586} 3587 3588/** find master (from notify or probe) in list of masters */ 3589static struct auth_master* 3590find_master_by_host(struct auth_master* list, char* host) 3591{ 3592 struct auth_master* p; 3593 for(p=list; p; p=p->next) { 3594 if(strcmp(p->host, host) == 0) 3595 return p; 3596 } 3597 return NULL; 3598} 3599 3600/** delete the looked up auth_addrs for all the masters in the list */ 3601static void 3602xfr_masterlist_free_addrs(struct auth_master* list) 3603{ 3604 struct auth_master* m; 3605 for(m=list; m; m=m->next) { 3606 if(m->list) { 3607 auth_free_master_addrs(m->list); 3608 m->list = NULL; 3609 } 3610 } 3611} 3612 3613/** copy a list of auth_addrs */ 3614static struct auth_addr* 3615auth_addr_list_copy(struct auth_addr* source) 3616{ 3617 struct auth_addr* list = NULL, *last = NULL; 3618 struct auth_addr* p; 3619 for(p=source; p; p=p->next) { 3620 struct auth_addr* a = (struct auth_addr*)memdup(p, sizeof(*p)); 3621 if(!a) { 3622 log_err("malloc failure"); 3623 auth_free_master_addrs(list); 3624 return NULL; 3625 } 3626 a->next = NULL; 3627 if(last) last->next = a; 3628 if(!list) list = a; 3629 last = a; 3630 } 3631 return list; 3632} 3633 3634/** copy a master to a new structure, NULL on alloc failure */ 3635static struct auth_master* 3636auth_master_copy(struct auth_master* o) 3637{ 3638 struct auth_master* m; 3639 if(!o) return NULL; 3640 m = (struct auth_master*)memdup(o, sizeof(*o)); 3641 if(!m) { 3642 log_err("malloc failure"); 3643 return NULL; 3644 } 3645 m->next = NULL; 3646 if(m->host) { 3647 m->host = strdup(m->host); 3648 if(!m->host) { 3649 free(m); 3650 log_err("malloc failure"); 3651 return NULL; 3652 } 3653 } 3654 if(m->file) { 3655 m->file = strdup(m->file); 3656 if(!m->file) { 3657 free(m->host); 3658 free(m); 3659 log_err("malloc failure"); 3660 return NULL; 3661 } 3662 } 3663 if(m->list) { 3664 m->list = auth_addr_list_copy(m->list); 3665 if(!m->list) { 3666 free(m->file); 3667 free(m->host); 3668 free(m); 3669 return NULL; 3670 } 3671 } 3672 return m; 3673} 3674 3675/** copy the master addresses from the task_probe lookups to the allow_notify 3676 * list of masters */ 3677static void 3678probe_copy_masters_for_allow_notify(struct auth_xfer* xfr) 3679{ 3680 struct auth_master* list = NULL, *last = NULL; 3681 struct auth_master* p; 3682 /* build up new list with copies */ 3683 for(p = xfr->task_probe->masters; p; p=p->next) { 3684 struct auth_master* m = auth_master_copy(p); 3685 if(!m) { 3686 auth_free_masters(list); 3687 /* failed because of malloc failure, use old list */ 3688 return; 3689 } 3690 m->next = NULL; 3691 if(last) last->next = m; 3692 if(!list) list = m; 3693 last = m; 3694 } 3695 /* success, replace list */ 3696 auth_free_masters(xfr->allow_notify_list); 3697 xfr->allow_notify_list = list; 3698} 3699 3700/** start the lookups for task_transfer */ 3701static void 3702xfr_transfer_start_lookups(struct auth_xfer* xfr) 3703{ 3704 /* delete all the looked up addresses in the list */ 3705 xfr->task_transfer->scan_addr = NULL; 3706 xfr_masterlist_free_addrs(xfr->task_transfer->masters); 3707 3708 /* start lookup at the first master */ 3709 xfr->task_transfer->lookup_target = xfr->task_transfer->masters; 3710 xfr->task_transfer->lookup_aaaa = 0; 3711} 3712 3713/** move to the next lookup of hostname for task_transfer */ 3714static void 3715xfr_transfer_move_to_next_lookup(struct auth_xfer* xfr, struct module_env* env) 3716{ 3717 if(!xfr->task_transfer->lookup_target) 3718 return; /* already at end of list */ 3719 if(!xfr->task_transfer->lookup_aaaa && env->cfg->do_ip6) { 3720 /* move to lookup AAAA */ 3721 xfr->task_transfer->lookup_aaaa = 1; 3722 return; 3723 } 3724 xfr->task_transfer->lookup_target = 3725 xfr->task_transfer->lookup_target->next; 3726 xfr->task_transfer->lookup_aaaa = 0; 3727 if(!env->cfg->do_ip4 && xfr->task_transfer->lookup_target!=NULL) 3728 xfr->task_transfer->lookup_aaaa = 1; 3729} 3730 3731/** start the lookups for task_probe */ 3732static void 3733xfr_probe_start_lookups(struct auth_xfer* xfr) 3734{ 3735 /* delete all the looked up addresses in the list */ 3736 xfr->task_probe->scan_addr = NULL; 3737 xfr_masterlist_free_addrs(xfr->task_probe->masters); 3738 3739 /* start lookup at the first master */ 3740 xfr->task_probe->lookup_target = xfr->task_probe->masters; 3741 xfr->task_probe->lookup_aaaa = 0; 3742} 3743 3744/** move to the next lookup of hostname for task_probe */ 3745static void 3746xfr_probe_move_to_next_lookup(struct auth_xfer* xfr, struct module_env* env) 3747{ 3748 if(!xfr->task_probe->lookup_target) 3749 return; /* already at end of list */ 3750 if(!xfr->task_probe->lookup_aaaa && env->cfg->do_ip6) { 3751 /* move to lookup AAAA */ 3752 xfr->task_probe->lookup_aaaa = 1; 3753 return; 3754 } 3755 xfr->task_probe->lookup_target = xfr->task_probe->lookup_target->next; 3756 xfr->task_probe->lookup_aaaa = 0; 3757 if(!env->cfg->do_ip4 && xfr->task_probe->lookup_target!=NULL) 3758 xfr->task_probe->lookup_aaaa = 1; 3759} 3760 3761/** start the iteration of the task_transfer list of masters */ 3762static void 3763xfr_transfer_start_list(struct auth_xfer* xfr, struct auth_master* spec) 3764{ 3765 if(spec) { 3766 xfr->task_transfer->scan_specific = find_master_by_host( 3767 xfr->task_transfer->masters, spec->host); 3768 if(xfr->task_transfer->scan_specific) { 3769 xfr->task_transfer->scan_target = NULL; 3770 xfr->task_transfer->scan_addr = NULL; 3771 if(xfr->task_transfer->scan_specific->list) 3772 xfr->task_transfer->scan_addr = 3773 xfr->task_transfer->scan_specific->list; 3774 return; 3775 } 3776 } 3777 /* no specific (notified) host to scan */ 3778 xfr->task_transfer->scan_specific = NULL; 3779 xfr->task_transfer->scan_addr = NULL; 3780 /* pick up first scan target */ 3781 xfr->task_transfer->scan_target = xfr->task_transfer->masters; 3782 if(xfr->task_transfer->scan_target && xfr->task_transfer-> 3783 scan_target->list) 3784 xfr->task_transfer->scan_addr = 3785 xfr->task_transfer->scan_target->list; 3786} 3787 3788/** start the iteration of the task_probe list of masters */ 3789static void 3790xfr_probe_start_list(struct auth_xfer* xfr, struct auth_master* spec) 3791{ 3792 if(spec) { 3793 xfr->task_probe->scan_specific = find_master_by_host( 3794 xfr->task_probe->masters, spec->host); 3795 if(xfr->task_probe->scan_specific) { 3796 xfr->task_probe->scan_target = NULL; 3797 xfr->task_probe->scan_addr = NULL; 3798 if(xfr->task_probe->scan_specific->list) 3799 xfr->task_probe->scan_addr = 3800 xfr->task_probe->scan_specific->list; 3801 return; 3802 } 3803 } 3804 /* no specific (notified) host to scan */ 3805 xfr->task_probe->scan_specific = NULL; 3806 xfr->task_probe->scan_addr = NULL; 3807 /* pick up first scan target */ 3808 xfr->task_probe->scan_target = xfr->task_probe->masters; 3809 if(xfr->task_probe->scan_target && xfr->task_probe->scan_target->list) 3810 xfr->task_probe->scan_addr = 3811 xfr->task_probe->scan_target->list; 3812} 3813 3814/** pick up the master that is being scanned right now, task_transfer */ 3815static struct auth_master* 3816xfr_transfer_current_master(struct auth_xfer* xfr) 3817{ 3818 if(xfr->task_transfer->scan_specific) 3819 return xfr->task_transfer->scan_specific; 3820 return xfr->task_transfer->scan_target; 3821} 3822 3823/** pick up the master that is being scanned right now, task_probe */ 3824static struct auth_master* 3825xfr_probe_current_master(struct auth_xfer* xfr) 3826{ 3827 if(xfr->task_probe->scan_specific) 3828 return xfr->task_probe->scan_specific; 3829 return xfr->task_probe->scan_target; 3830} 3831 3832/** true if at end of list, task_transfer */ 3833static int 3834xfr_transfer_end_of_list(struct auth_xfer* xfr) 3835{ 3836 return !xfr->task_transfer->scan_specific && 3837 !xfr->task_transfer->scan_target; 3838} 3839 3840/** true if at end of list, task_probe */ 3841static int 3842xfr_probe_end_of_list(struct auth_xfer* xfr) 3843{ 3844 return !xfr->task_probe->scan_specific && !xfr->task_probe->scan_target; 3845} 3846 3847/** move to next master in list, task_transfer */ 3848static void 3849xfr_transfer_nextmaster(struct auth_xfer* xfr) 3850{ 3851 if(!xfr->task_transfer->scan_specific && 3852 !xfr->task_transfer->scan_target) 3853 return; 3854 if(xfr->task_transfer->scan_addr) { 3855 xfr->task_transfer->scan_addr = 3856 xfr->task_transfer->scan_addr->next; 3857 if(xfr->task_transfer->scan_addr) 3858 return; 3859 } 3860 if(xfr->task_transfer->scan_specific) { 3861 xfr->task_transfer->scan_specific = NULL; 3862 xfr->task_transfer->scan_target = xfr->task_transfer->masters; 3863 if(xfr->task_transfer->scan_target && xfr->task_transfer-> 3864 scan_target->list) 3865 xfr->task_transfer->scan_addr = 3866 xfr->task_transfer->scan_target->list; 3867 return; 3868 } 3869 if(!xfr->task_transfer->scan_target) 3870 return; 3871 xfr->task_transfer->scan_target = xfr->task_transfer->scan_target->next; 3872 if(xfr->task_transfer->scan_target && xfr->task_transfer-> 3873 scan_target->list) 3874 xfr->task_transfer->scan_addr = 3875 xfr->task_transfer->scan_target->list; 3876 return; 3877} 3878 3879/** move to next master in list, task_probe */ 3880static void 3881xfr_probe_nextmaster(struct auth_xfer* xfr) 3882{ 3883 if(!xfr->task_probe->scan_specific && !xfr->task_probe->scan_target) 3884 return; 3885 if(xfr->task_probe->scan_addr) { 3886 xfr->task_probe->scan_addr = xfr->task_probe->scan_addr->next; 3887 if(xfr->task_probe->scan_addr) 3888 return; 3889 } 3890 if(xfr->task_probe->scan_specific) { 3891 xfr->task_probe->scan_specific = NULL; 3892 xfr->task_probe->scan_target = xfr->task_probe->masters; 3893 if(xfr->task_probe->scan_target && xfr->task_probe-> 3894 scan_target->list) 3895 xfr->task_probe->scan_addr = 3896 xfr->task_probe->scan_target->list; 3897 return; 3898 } 3899 if(!xfr->task_probe->scan_target) 3900 return; 3901 xfr->task_probe->scan_target = xfr->task_probe->scan_target->next; 3902 if(xfr->task_probe->scan_target && xfr->task_probe-> 3903 scan_target->list) 3904 xfr->task_probe->scan_addr = 3905 xfr->task_probe->scan_target->list; 3906 return; 3907} 3908 3909/** create SOA probe packet for xfr */ 3910static void 3911xfr_create_soa_probe_packet(struct auth_xfer* xfr, sldns_buffer* buf, 3912 uint16_t id) 3913{ 3914 struct query_info qinfo; 3915 3916 memset(&qinfo, 0, sizeof(qinfo)); 3917 qinfo.qname = xfr->name; 3918 qinfo.qname_len = xfr->namelen; 3919 qinfo.qtype = LDNS_RR_TYPE_SOA; 3920 qinfo.qclass = xfr->dclass; 3921 qinfo_query_encode(buf, &qinfo); 3922 sldns_buffer_write_u16_at(buf, 0, id); 3923} 3924 3925/** create IXFR/AXFR packet for xfr */ 3926static void 3927xfr_create_ixfr_packet(struct auth_xfer* xfr, sldns_buffer* buf, uint16_t id, 3928 struct auth_master* master) 3929{ 3930 struct query_info qinfo; 3931 uint32_t serial; 3932 int have_zone; 3933 have_zone = xfr->have_zone; 3934 serial = xfr->serial; 3935 3936 memset(&qinfo, 0, sizeof(qinfo)); 3937 qinfo.qname = xfr->name; 3938 qinfo.qname_len = xfr->namelen; 3939 xfr->task_transfer->got_xfr_serial = 0; 3940 xfr->task_transfer->rr_scan_num = 0; 3941 xfr->task_transfer->incoming_xfr_serial = 0; 3942 xfr->task_transfer->on_ixfr_is_axfr = 0; 3943 xfr->task_transfer->on_ixfr = 1; 3944 qinfo.qtype = LDNS_RR_TYPE_IXFR; 3945 if(!have_zone || xfr->task_transfer->ixfr_fail || !master->ixfr) { 3946 qinfo.qtype = LDNS_RR_TYPE_AXFR; 3947 xfr->task_transfer->ixfr_fail = 0; 3948 xfr->task_transfer->on_ixfr = 0; 3949 } 3950 3951 qinfo.qclass = xfr->dclass; 3952 qinfo_query_encode(buf, &qinfo); 3953 sldns_buffer_write_u16_at(buf, 0, id); 3954 3955 /* append serial for IXFR */ 3956 if(qinfo.qtype == LDNS_RR_TYPE_IXFR) { 3957 size_t end = sldns_buffer_limit(buf); 3958 sldns_buffer_clear(buf); 3959 sldns_buffer_set_position(buf, end); 3960 /* auth section count 1 */ 3961 sldns_buffer_write_u16_at(buf, LDNS_NSCOUNT_OFF, 1); 3962 /* write SOA */ 3963 sldns_buffer_write_u8(buf, 0xC0); /* compressed ptr to qname */ 3964 sldns_buffer_write_u8(buf, 0x0C); 3965 sldns_buffer_write_u16(buf, LDNS_RR_TYPE_SOA); 3966 sldns_buffer_write_u16(buf, qinfo.qclass); 3967 sldns_buffer_write_u32(buf, 0); /* ttl */ 3968 sldns_buffer_write_u16(buf, 22); /* rdata length */ 3969 sldns_buffer_write_u8(buf, 0); /* . */ 3970 sldns_buffer_write_u8(buf, 0); /* . */ 3971 sldns_buffer_write_u32(buf, serial); /* serial */ 3972 sldns_buffer_write_u32(buf, 0); /* refresh */ 3973 sldns_buffer_write_u32(buf, 0); /* retry */ 3974 sldns_buffer_write_u32(buf, 0); /* expire */ 3975 sldns_buffer_write_u32(buf, 0); /* minimum */ 3976 sldns_buffer_flip(buf); 3977 } 3978} 3979 3980/** check if returned packet is OK */ 3981static int 3982check_packet_ok(sldns_buffer* pkt, uint16_t qtype, struct auth_xfer* xfr, 3983 uint32_t* serial) 3984{ 3985 /* parse to see if packet worked, valid reply */ 3986 3987 /* check serial number of SOA */ 3988 if(sldns_buffer_limit(pkt) < LDNS_HEADER_SIZE) 3989 return 0; 3990 3991 /* check ID */ 3992 if(LDNS_ID_WIRE(sldns_buffer_begin(pkt)) != xfr->task_probe->id) 3993 return 0; 3994 3995 /* check flag bits and rcode */ 3996 if(!LDNS_QR_WIRE(sldns_buffer_begin(pkt))) 3997 return 0; 3998 if(LDNS_OPCODE_WIRE(sldns_buffer_begin(pkt)) != LDNS_PACKET_QUERY) 3999 return 0; 4000 if(LDNS_RCODE_WIRE(sldns_buffer_begin(pkt)) != LDNS_RCODE_NOERROR) 4001 return 0; 4002 4003 /* check qname */ 4004 if(LDNS_QDCOUNT(sldns_buffer_begin(pkt)) != 1) 4005 return 0; 4006 sldns_buffer_skip(pkt, LDNS_HEADER_SIZE); 4007 if(sldns_buffer_remaining(pkt) < xfr->namelen) 4008 return 0; 4009 if(query_dname_compare(sldns_buffer_current(pkt), xfr->name) != 0) 4010 return 0; 4011 sldns_buffer_skip(pkt, (ssize_t)xfr->namelen); 4012 4013 /* check qtype, qclass */ 4014 if(sldns_buffer_remaining(pkt) < 4) 4015 return 0; 4016 if(sldns_buffer_read_u16(pkt) != qtype) 4017 return 0; 4018 if(sldns_buffer_read_u16(pkt) != xfr->dclass) 4019 return 0; 4020 4021 if(serial) { 4022 uint16_t rdlen; 4023 /* read serial number, from answer section SOA */ 4024 if(LDNS_ANCOUNT(sldns_buffer_begin(pkt)) == 0) 4025 return 0; 4026 /* read from first record SOA record */ 4027 if(sldns_buffer_remaining(pkt) < 1) 4028 return 0; 4029 if(dname_pkt_compare(pkt, sldns_buffer_current(pkt), 4030 xfr->name) != 0) 4031 return 0; 4032 if(!pkt_dname_len(pkt)) 4033 return 0; 4034 /* type, class, ttl, rdatalen */ 4035 if(sldns_buffer_remaining(pkt) < 4+4+2) 4036 return 0; 4037 if(sldns_buffer_read_u16(pkt) != qtype) 4038 return 0; 4039 if(sldns_buffer_read_u16(pkt) != xfr->dclass) 4040 return 0; 4041 sldns_buffer_skip(pkt, 4); /* ttl */ 4042 rdlen = sldns_buffer_read_u16(pkt); 4043 if(sldns_buffer_remaining(pkt) < rdlen) 4044 return 0; 4045 if(sldns_buffer_remaining(pkt) < 1) 4046 return 0; 4047 if(!pkt_dname_len(pkt)) /* soa name */ 4048 return 0; 4049 if(sldns_buffer_remaining(pkt) < 1) 4050 return 0; 4051 if(!pkt_dname_len(pkt)) /* soa name */ 4052 return 0; 4053 if(sldns_buffer_remaining(pkt) < 20) 4054 return 0; 4055 *serial = sldns_buffer_read_u32(pkt); 4056 } 4057 return 1; 4058} 4059 4060/** read one line from chunks into buffer at current position */ 4061static int 4062chunkline_get_line(struct auth_chunk** chunk, size_t* chunk_pos, 4063 sldns_buffer* buf) 4064{ 4065 int readsome = 0; 4066 while(*chunk) { 4067 /* more text in this chunk? */ 4068 if(*chunk_pos < (*chunk)->len) { 4069 readsome = 1; 4070 while(*chunk_pos < (*chunk)->len) { 4071 char c = (char)((*chunk)->data[*chunk_pos]); 4072 (*chunk_pos)++; 4073 if(sldns_buffer_remaining(buf) < 2) { 4074 /* buffer too short */ 4075 verbose(VERB_ALGO, "http chunkline, " 4076 "line too long"); 4077 return 0; 4078 } 4079 sldns_buffer_write_u8(buf, (uint8_t)c); 4080 if(c == '\n') { 4081 /* we are done */ 4082 return 1; 4083 } 4084 } 4085 } 4086 /* move to next chunk */ 4087 *chunk = (*chunk)->next; 4088 *chunk_pos = 0; 4089 } 4090 /* no more text */ 4091 if(readsome) return 1; 4092 return 0; 4093} 4094 4095/** count number of open and closed parenthesis in a chunkline */ 4096static int 4097chunkline_count_parens(sldns_buffer* buf, size_t start) 4098{ 4099 size_t end = sldns_buffer_position(buf); 4100 size_t i; 4101 int count = 0; 4102 int squote = 0, dquote = 0; 4103 for(i=start; i<end; i++) { 4104 char c = (char)sldns_buffer_read_u8_at(buf, i); 4105 if(squote && c != '\'') continue; 4106 if(dquote && c != '"') continue; 4107 if(c == '"') 4108 dquote = !dquote; /* skip quoted part */ 4109 else if(c == '\'') 4110 squote = !squote; /* skip quoted part */ 4111 else if(c == '(') 4112 count ++; 4113 else if(c == ')') 4114 count --; 4115 else if(c == ';') { 4116 /* rest is a comment */ 4117 return count; 4118 } 4119 } 4120 return count; 4121} 4122 4123/** remove trailing ;... comment from a line in the chunkline buffer */ 4124static void 4125chunkline_remove_trailcomment(sldns_buffer* buf, size_t start) 4126{ 4127 size_t end = sldns_buffer_position(buf); 4128 size_t i; 4129 int squote = 0, dquote = 0; 4130 for(i=start; i<end; i++) { 4131 char c = (char)sldns_buffer_read_u8_at(buf, i); 4132 if(squote && c != '\'') continue; 4133 if(dquote && c != '"') continue; 4134 if(c == '"') 4135 dquote = !dquote; /* skip quoted part */ 4136 else if(c == '\'') 4137 squote = !squote; /* skip quoted part */ 4138 else if(c == ';') { 4139 /* rest is a comment */ 4140 sldns_buffer_set_position(buf, i); 4141 return; 4142 } 4143 } 4144 /* nothing to remove */ 4145} 4146 4147/** see if a chunkline is a comment line (or empty line) */ 4148static int 4149chunkline_is_comment_line_or_empty(sldns_buffer* buf) 4150{ 4151 size_t i, end = sldns_buffer_limit(buf); 4152 for(i=0; i<end; i++) { 4153 char c = (char)sldns_buffer_read_u8_at(buf, i); 4154 if(c == ';') 4155 return 1; /* comment */ 4156 else if(c != ' ' && c != '\t' && c != '\r' && c != '\n') 4157 return 0; /* not a comment */ 4158 } 4159 return 1; /* empty */ 4160} 4161 4162/** find a line with ( ) collated */ 4163static int 4164chunkline_get_line_collated(struct auth_chunk** chunk, size_t* chunk_pos, 4165 sldns_buffer* buf) 4166{ 4167 size_t pos; 4168 int parens = 0; 4169 sldns_buffer_clear(buf); 4170 pos = sldns_buffer_position(buf); 4171 if(!chunkline_get_line(chunk, chunk_pos, buf)) { 4172 if(sldns_buffer_position(buf) < sldns_buffer_limit(buf)) 4173 sldns_buffer_write_u8_at(buf, sldns_buffer_position(buf), 0); 4174 else sldns_buffer_write_u8_at(buf, sldns_buffer_position(buf)-1, 0); 4175 sldns_buffer_flip(buf); 4176 return 0; 4177 } 4178 parens += chunkline_count_parens(buf, pos); 4179 while(parens > 0) { 4180 chunkline_remove_trailcomment(buf, pos); 4181 pos = sldns_buffer_position(buf); 4182 if(!chunkline_get_line(chunk, chunk_pos, buf)) { 4183 if(sldns_buffer_position(buf) < sldns_buffer_limit(buf)) 4184 sldns_buffer_write_u8_at(buf, sldns_buffer_position(buf), 0); 4185 else sldns_buffer_write_u8_at(buf, sldns_buffer_position(buf)-1, 0); 4186 sldns_buffer_flip(buf); 4187 return 0; 4188 } 4189 parens += chunkline_count_parens(buf, pos); 4190 } 4191 4192 if(sldns_buffer_remaining(buf) < 1) { 4193 verbose(VERB_ALGO, "http chunkline: " 4194 "line too long"); 4195 return 0; 4196 } 4197 sldns_buffer_write_u8_at(buf, sldns_buffer_position(buf), 0); 4198 sldns_buffer_flip(buf); 4199 return 1; 4200} 4201 4202/** process $ORIGIN for http */ 4203static int 4204http_parse_origin(sldns_buffer* buf, struct sldns_file_parse_state* pstate) 4205{ 4206 char* line = (char*)sldns_buffer_begin(buf); 4207 if(strncmp(line, "$ORIGIN", 7) == 0 && 4208 isspace((unsigned char)line[7])) { 4209 int s; 4210 pstate->origin_len = sizeof(pstate->origin); 4211 s = sldns_str2wire_dname_buf(sldns_strip_ws(line+8), 4212 pstate->origin, &pstate->origin_len); 4213 if(s) pstate->origin_len = 0; 4214 return 1; 4215 } 4216 return 0; 4217} 4218 4219/** process $TTL for http */ 4220static int 4221http_parse_ttl(sldns_buffer* buf, struct sldns_file_parse_state* pstate) 4222{ 4223 char* line = (char*)sldns_buffer_begin(buf); 4224 if(strncmp(line, "$TTL", 4) == 0 && 4225 isspace((unsigned char)line[4])) { 4226 const char* end = NULL; 4227 pstate->default_ttl = sldns_str2period( 4228 sldns_strip_ws(line+5), &end); 4229 return 1; 4230 } 4231 return 0; 4232} 4233 4234/** find noncomment RR line in chunks, collates lines if ( ) format */ 4235static int 4236chunkline_non_comment_RR(struct auth_chunk** chunk, size_t* chunk_pos, 4237 sldns_buffer* buf, struct sldns_file_parse_state* pstate) 4238{ 4239 while(chunkline_get_line_collated(chunk, chunk_pos, buf)) { 4240 if(chunkline_is_comment_line_or_empty(buf)) { 4241 /* a comment, go to next line */ 4242 continue; 4243 } 4244 if(http_parse_origin(buf, pstate)) { 4245 continue; /* $ORIGIN has been handled */ 4246 } 4247 if(http_parse_ttl(buf, pstate)) { 4248 continue; /* $TTL has been handled */ 4249 } 4250 return 1; 4251 } 4252 /* no noncomments, fail */ 4253 return 0; 4254} 4255 4256/** check syntax of chunklist zonefile, parse first RR, return false on 4257 * failure and return a string in the scratch buffer (first RR string) 4258 * on failure. */ 4259static int 4260http_zonefile_syntax_check(struct auth_xfer* xfr, sldns_buffer* buf) 4261{ 4262 uint8_t rr[LDNS_RR_BUF_SIZE]; 4263 size_t rr_len, dname_len = 0; 4264 struct sldns_file_parse_state pstate; 4265 struct auth_chunk* chunk; 4266 size_t chunk_pos; 4267 int e; 4268 memset(&pstate, 0, sizeof(pstate)); 4269 pstate.default_ttl = 3600; 4270 if(xfr->namelen < sizeof(pstate.origin)) { 4271 pstate.origin_len = xfr->namelen; 4272 memmove(pstate.origin, xfr->name, xfr->namelen); 4273 } 4274 chunk = xfr->task_transfer->chunks_first; 4275 chunk_pos = 0; 4276 if(!chunkline_non_comment_RR(&chunk, &chunk_pos, buf, &pstate)) { 4277 return 0; 4278 } 4279 rr_len = sizeof(rr); 4280 e=sldns_str2wire_rr_buf((char*)sldns_buffer_begin(buf), rr, &rr_len, 4281 &dname_len, pstate.default_ttl, 4282 pstate.origin_len?pstate.origin:NULL, pstate.origin_len, 4283 pstate.prev_rr_len?pstate.prev_rr:NULL, pstate.prev_rr_len); 4284 if(e != 0) { 4285 log_err("parse failure on first RR[%d]: %s", 4286 LDNS_WIREPARSE_OFFSET(e), 4287 sldns_get_errorstr_parse(LDNS_WIREPARSE_ERROR(e))); 4288 return 0; 4289 } 4290 /* check that class is correct */ 4291 if(sldns_wirerr_get_class(rr, rr_len, dname_len) != xfr->dclass) { 4292 log_err("parse failure: first record in downloaded zonefile " 4293 "from wrong RR class"); 4294 return 0; 4295 } 4296 return 1; 4297} 4298 4299/** sum sizes of chunklist */ 4300static size_t 4301chunklist_sum(struct auth_chunk* list) 4302{ 4303 struct auth_chunk* p; 4304 size_t s = 0; 4305 for(p=list; p; p=p->next) { 4306 s += p->len; 4307 } 4308 return s; 4309} 4310 4311/** remove newlines from collated line */ 4312static void 4313chunkline_newline_removal(sldns_buffer* buf) 4314{ 4315 size_t i, end=sldns_buffer_limit(buf); 4316 for(i=0; i<end; i++) { 4317 char c = (char)sldns_buffer_read_u8_at(buf, i); 4318 if(c == '\n' && i==end-1) { 4319 sldns_buffer_write_u8_at(buf, i, 0); 4320 sldns_buffer_set_limit(buf, end-1); 4321 return; 4322 } 4323 if(c == '\n') 4324 sldns_buffer_write_u8_at(buf, i, (uint8_t)' '); 4325 } 4326} 4327 4328/** for http download, parse and add RR to zone */ 4329static int 4330http_parse_add_rr(struct auth_xfer* xfr, struct auth_zone* z, 4331 sldns_buffer* buf, struct sldns_file_parse_state* pstate) 4332{ 4333 uint8_t rr[LDNS_RR_BUF_SIZE]; 4334 size_t rr_len, dname_len = 0; 4335 int e; 4336 char* line = (char*)sldns_buffer_begin(buf); 4337 rr_len = sizeof(rr); 4338 e = sldns_str2wire_rr_buf(line, rr, &rr_len, &dname_len, 4339 pstate->default_ttl, 4340 pstate->origin_len?pstate->origin:NULL, pstate->origin_len, 4341 pstate->prev_rr_len?pstate->prev_rr:NULL, pstate->prev_rr_len); 4342 if(e != 0) { 4343 log_err("%s/%s parse failure RR[%d]: %s in '%s'", 4344 xfr->task_transfer->master->host, 4345 xfr->task_transfer->master->file, 4346 LDNS_WIREPARSE_OFFSET(e), 4347 sldns_get_errorstr_parse(LDNS_WIREPARSE_ERROR(e)), 4348 line); 4349 return 0; 4350 } 4351 if(rr_len == 0) 4352 return 1; /* empty line or so */ 4353 4354 /* set prev */ 4355 if(dname_len < sizeof(pstate->prev_rr)) { 4356 memmove(pstate->prev_rr, rr, dname_len); 4357 pstate->prev_rr_len = dname_len; 4358 } 4359 4360 return az_insert_rr(z, rr, rr_len, dname_len, NULL); 4361} 4362 4363/** RR list iterator, returns RRs from answer section one by one from the 4364 * dns packets in the chunklist */ 4365static void 4366chunk_rrlist_start(struct auth_xfer* xfr, struct auth_chunk** rr_chunk, 4367 int* rr_num, size_t* rr_pos) 4368{ 4369 *rr_chunk = xfr->task_transfer->chunks_first; 4370 *rr_num = 0; 4371 *rr_pos = 0; 4372} 4373 4374/** RR list iterator, see if we are at the end of the list */ 4375static int 4376chunk_rrlist_end(struct auth_chunk* rr_chunk, int rr_num) 4377{ 4378 while(rr_chunk) { 4379 if(rr_chunk->len < LDNS_HEADER_SIZE) 4380 return 1; 4381 if(rr_num < (int)LDNS_ANCOUNT(rr_chunk->data)) 4382 return 0; 4383 /* no more RRs in this chunk */ 4384 /* continue with next chunk, see if it has RRs */ 4385 rr_chunk = rr_chunk->next; 4386 rr_num = 0; 4387 } 4388 return 1; 4389} 4390 4391/** RR list iterator, move to next RR */ 4392static void 4393chunk_rrlist_gonext(struct auth_chunk** rr_chunk, int* rr_num, 4394 size_t* rr_pos, size_t rr_nextpos) 4395{ 4396 /* already at end of chunks? */ 4397 if(!*rr_chunk) 4398 return; 4399 /* move within this chunk */ 4400 if((*rr_chunk)->len >= LDNS_HEADER_SIZE && 4401 (*rr_num)+1 < (int)LDNS_ANCOUNT((*rr_chunk)->data)) { 4402 (*rr_num) += 1; 4403 *rr_pos = rr_nextpos; 4404 return; 4405 } 4406 /* no more RRs in this chunk */ 4407 /* continue with next chunk, see if it has RRs */ 4408 if(*rr_chunk) 4409 *rr_chunk = (*rr_chunk)->next; 4410 while(*rr_chunk) { 4411 *rr_num = 0; 4412 *rr_pos = 0; 4413 if((*rr_chunk)->len >= LDNS_HEADER_SIZE && 4414 LDNS_ANCOUNT((*rr_chunk)->data) > 0) { 4415 return; 4416 } 4417 *rr_chunk = (*rr_chunk)->next; 4418 } 4419} 4420 4421/** RR iterator, get current RR information, false on parse error */ 4422static int 4423chunk_rrlist_get_current(struct auth_chunk* rr_chunk, int rr_num, 4424 size_t rr_pos, uint8_t** rr_dname, uint16_t* rr_type, 4425 uint16_t* rr_class, uint32_t* rr_ttl, uint16_t* rr_rdlen, 4426 uint8_t** rr_rdata, size_t* rr_nextpos) 4427{ 4428 sldns_buffer pkt; 4429 /* integrity checks on position */ 4430 if(!rr_chunk) return 0; 4431 if(rr_chunk->len < LDNS_HEADER_SIZE) return 0; 4432 if(rr_num >= (int)LDNS_ANCOUNT(rr_chunk->data)) return 0; 4433 if(rr_pos >= rr_chunk->len) return 0; 4434 4435 /* fetch rr information */ 4436 sldns_buffer_init_frm_data(&pkt, rr_chunk->data, rr_chunk->len); 4437 if(rr_pos == 0) { 4438 size_t i; 4439 /* skip question section */ 4440 sldns_buffer_set_position(&pkt, LDNS_HEADER_SIZE); 4441 for(i=0; i<LDNS_QDCOUNT(rr_chunk->data); i++) { 4442 if(pkt_dname_len(&pkt) == 0) return 0; 4443 if(sldns_buffer_remaining(&pkt) < 4) return 0; 4444 sldns_buffer_skip(&pkt, 4); /* type and class */ 4445 } 4446 } else { 4447 sldns_buffer_set_position(&pkt, rr_pos); 4448 } 4449 *rr_dname = sldns_buffer_current(&pkt); 4450 if(pkt_dname_len(&pkt) == 0) return 0; 4451 if(sldns_buffer_remaining(&pkt) < 10) return 0; 4452 *rr_type = sldns_buffer_read_u16(&pkt); 4453 *rr_class = sldns_buffer_read_u16(&pkt); 4454 *rr_ttl = sldns_buffer_read_u32(&pkt); 4455 *rr_rdlen = sldns_buffer_read_u16(&pkt); 4456 if(sldns_buffer_remaining(&pkt) < (*rr_rdlen)) return 0; 4457 *rr_rdata = sldns_buffer_current(&pkt); 4458 sldns_buffer_skip(&pkt, (ssize_t)(*rr_rdlen)); 4459 *rr_nextpos = sldns_buffer_position(&pkt); 4460 return 1; 4461} 4462 4463/** print log message where we are in parsing the zone transfer */ 4464static void 4465log_rrlist_position(const char* label, struct auth_chunk* rr_chunk, 4466 uint8_t* rr_dname, uint16_t rr_type, size_t rr_counter) 4467{ 4468 sldns_buffer pkt; 4469 size_t dlen; 4470 uint8_t buf[256]; 4471 char str[256]; 4472 char typestr[32]; 4473 sldns_buffer_init_frm_data(&pkt, rr_chunk->data, rr_chunk->len); 4474 sldns_buffer_set_position(&pkt, (size_t)(rr_dname - 4475 sldns_buffer_begin(&pkt))); 4476 if((dlen=pkt_dname_len(&pkt)) == 0) return; 4477 if(dlen >= sizeof(buf)) return; 4478 dname_pkt_copy(&pkt, buf, rr_dname); 4479 dname_str(buf, str); 4480 (void)sldns_wire2str_type_buf(rr_type, typestr, sizeof(typestr)); 4481 verbose(VERB_ALGO, "%s at[%d] %s %s", label, (int)rr_counter, 4482 str, typestr); 4483} 4484 4485/** check that start serial is OK for ixfr. we are at rr_counter == 0, 4486 * and we are going to check rr_counter == 1 (has to be type SOA) serial */ 4487static int 4488ixfr_start_serial(struct auth_chunk* rr_chunk, int rr_num, size_t rr_pos, 4489 uint8_t* rr_dname, uint16_t rr_type, uint16_t rr_class, 4490 uint32_t rr_ttl, uint16_t rr_rdlen, uint8_t* rr_rdata, 4491 size_t rr_nextpos, uint32_t transfer_serial, uint32_t xfr_serial) 4492{ 4493 uint32_t startserial; 4494 /* move forward on RR */ 4495 chunk_rrlist_gonext(&rr_chunk, &rr_num, &rr_pos, rr_nextpos); 4496 if(chunk_rrlist_end(rr_chunk, rr_num)) { 4497 /* no second SOA */ 4498 verbose(VERB_OPS, "IXFR has no second SOA record"); 4499 return 0; 4500 } 4501 if(!chunk_rrlist_get_current(rr_chunk, rr_num, rr_pos, 4502 &rr_dname, &rr_type, &rr_class, &rr_ttl, &rr_rdlen, 4503 &rr_rdata, &rr_nextpos)) { 4504 verbose(VERB_OPS, "IXFR cannot parse second SOA record"); 4505 /* failed to parse RR */ 4506 return 0; 4507 } 4508 if(rr_type != LDNS_RR_TYPE_SOA) { 4509 verbose(VERB_OPS, "IXFR second record is not type SOA"); 4510 return 0; 4511 } 4512 if(rr_rdlen < 22) { 4513 verbose(VERB_OPS, "IXFR, second SOA has short rdlength"); 4514 return 0; /* bad SOA rdlen */ 4515 } 4516 startserial = sldns_read_uint32(rr_rdata+rr_rdlen-20); 4517 if(startserial == transfer_serial) { 4518 /* empty AXFR, not an IXFR */ 4519 verbose(VERB_OPS, "IXFR second serial same as first"); 4520 return 0; 4521 } 4522 if(startserial != xfr_serial) { 4523 /* wrong start serial, it does not match the serial in 4524 * memory */ 4525 verbose(VERB_OPS, "IXFR is from serial %u to %u but %u " 4526 "in memory, rejecting the zone transfer", 4527 (unsigned)startserial, (unsigned)transfer_serial, 4528 (unsigned)xfr_serial); 4529 return 0; 4530 } 4531 /* everything OK in second SOA serial */ 4532 return 1; 4533} 4534 4535/** apply IXFR to zone in memory. z is locked. false on failure(mallocfail) */ 4536static int 4537apply_ixfr(struct auth_xfer* xfr, struct auth_zone* z, 4538 struct sldns_buffer* scratch_buffer) 4539{ 4540 struct auth_chunk* rr_chunk; 4541 int rr_num; 4542 size_t rr_pos; 4543 uint8_t* rr_dname, *rr_rdata; 4544 uint16_t rr_type, rr_class, rr_rdlen; 4545 uint32_t rr_ttl; 4546 size_t rr_nextpos; 4547 int have_transfer_serial = 0; 4548 uint32_t transfer_serial = 0; 4549 size_t rr_counter = 0; 4550 int delmode = 0; 4551 int softfail = 0; 4552 4553 /* start RR iterator over chunklist of packets */ 4554 chunk_rrlist_start(xfr, &rr_chunk, &rr_num, &rr_pos); 4555 while(!chunk_rrlist_end(rr_chunk, rr_num)) { 4556 if(!chunk_rrlist_get_current(rr_chunk, rr_num, rr_pos, 4557 &rr_dname, &rr_type, &rr_class, &rr_ttl, &rr_rdlen, 4558 &rr_rdata, &rr_nextpos)) { 4559 /* failed to parse RR */ 4560 return 0; 4561 } 4562 if(verbosity>=7) log_rrlist_position("apply ixfr", 4563 rr_chunk, rr_dname, rr_type, rr_counter); 4564 /* twiddle add/del mode and check for start and end */ 4565 if(rr_counter == 0 && rr_type != LDNS_RR_TYPE_SOA) 4566 return 0; 4567 if(rr_counter == 1 && rr_type != LDNS_RR_TYPE_SOA) { 4568 /* this is an AXFR returned from the IXFR master */ 4569 /* but that should already have been detected, by 4570 * on_ixfr_is_axfr */ 4571 return 0; 4572 } 4573 if(rr_type == LDNS_RR_TYPE_SOA) { 4574 uint32_t serial; 4575 if(rr_rdlen < 22) return 0; /* bad SOA rdlen */ 4576 serial = sldns_read_uint32(rr_rdata+rr_rdlen-20); 4577 if(have_transfer_serial == 0) { 4578 have_transfer_serial = 1; 4579 transfer_serial = serial; 4580 delmode = 1; /* gets negated below */ 4581 /* check second RR before going any further */ 4582 if(!ixfr_start_serial(rr_chunk, rr_num, rr_pos, 4583 rr_dname, rr_type, rr_class, rr_ttl, 4584 rr_rdlen, rr_rdata, rr_nextpos, 4585 transfer_serial, xfr->serial)) { 4586 return 0; 4587 } 4588 } else if(transfer_serial == serial) { 4589 have_transfer_serial++; 4590 if(rr_counter == 1) { 4591 /* empty AXFR, with SOA; SOA; */ 4592 /* should have been detected by 4593 * on_ixfr_is_axfr */ 4594 return 0; 4595 } 4596 if(have_transfer_serial == 3) { 4597 /* see serial three times for end */ 4598 /* eg. IXFR: 4599 * SOA 3 start 4600 * SOA 1 second RR, followed by del 4601 * SOA 2 followed by add 4602 * SOA 2 followed by del 4603 * SOA 3 followed by add 4604 * SOA 3 end */ 4605 /* ended by SOA record */ 4606 xfr->serial = transfer_serial; 4607 break; 4608 } 4609 } 4610 /* twiddle add/del mode */ 4611 /* switch from delete part to add part and back again 4612 * just before the soa, it gets deleted and added too 4613 * this means we switch to delete mode for the final 4614 * SOA(so skip that one) */ 4615 delmode = !delmode; 4616 } 4617 /* process this RR */ 4618 /* if the RR is deleted twice or added twice, then we 4619 * softfail, and continue with the rest of the IXFR, so 4620 * that we serve something fairly nice during the refetch */ 4621 if(verbosity>=7) log_rrlist_position((delmode?"del":"add"), 4622 rr_chunk, rr_dname, rr_type, rr_counter); 4623 if(delmode) { 4624 /* delete this RR */ 4625 int nonexist = 0; 4626 if(!az_remove_rr_decompress(z, rr_chunk->data, 4627 rr_chunk->len, scratch_buffer, rr_dname, 4628 rr_type, rr_class, rr_ttl, rr_rdata, rr_rdlen, 4629 &nonexist)) { 4630 /* failed, malloc error or so */ 4631 return 0; 4632 } 4633 if(nonexist) { 4634 /* it was removal of a nonexisting RR */ 4635 if(verbosity>=4) log_rrlist_position( 4636 "IXFR error nonexistent RR", 4637 rr_chunk, rr_dname, rr_type, rr_counter); 4638 softfail = 1; 4639 } 4640 } else if(rr_counter != 0) { 4641 /* skip first SOA RR for addition, it is added in 4642 * the addition part near the end of the ixfr, when 4643 * that serial is seen the second time. */ 4644 int duplicate = 0; 4645 /* add this RR */ 4646 if(!az_insert_rr_decompress(z, rr_chunk->data, 4647 rr_chunk->len, scratch_buffer, rr_dname, 4648 rr_type, rr_class, rr_ttl, rr_rdata, rr_rdlen, 4649 &duplicate)) { 4650 /* failed, malloc error or so */ 4651 return 0; 4652 } 4653 if(duplicate) { 4654 /* it was a duplicate */ 4655 if(verbosity>=4) log_rrlist_position( 4656 "IXFR error duplicate RR", 4657 rr_chunk, rr_dname, rr_type, rr_counter); 4658 softfail = 1; 4659 } 4660 } 4661 4662 rr_counter++; 4663 chunk_rrlist_gonext(&rr_chunk, &rr_num, &rr_pos, rr_nextpos); 4664 } 4665 if(softfail) { 4666 verbose(VERB_ALGO, "IXFR did not apply cleanly, fetching full zone"); 4667 return 0; 4668 } 4669 return 1; 4670} 4671 4672/** apply AXFR to zone in memory. z is locked. false on failure(mallocfail) */ 4673static int 4674apply_axfr(struct auth_xfer* xfr, struct auth_zone* z, 4675 struct sldns_buffer* scratch_buffer) 4676{ 4677 struct auth_chunk* rr_chunk; 4678 int rr_num; 4679 size_t rr_pos; 4680 uint8_t* rr_dname, *rr_rdata; 4681 uint16_t rr_type, rr_class, rr_rdlen; 4682 uint32_t rr_ttl; 4683 uint32_t serial = 0; 4684 size_t rr_nextpos; 4685 size_t rr_counter = 0; 4686 int have_end_soa = 0; 4687 4688 /* clear the data tree */ 4689 traverse_postorder(&z->data, auth_data_del, NULL); 4690 rbtree_init(&z->data, &auth_data_cmp); 4691 xfr->have_zone = 0; 4692 xfr->serial = 0; 4693 4694 /* insert all RRs in to the zone */ 4695 /* insert the SOA only once, skip the last one */ 4696 /* start RR iterator over chunklist of packets */ 4697 chunk_rrlist_start(xfr, &rr_chunk, &rr_num, &rr_pos); 4698 while(!chunk_rrlist_end(rr_chunk, rr_num)) { 4699 if(!chunk_rrlist_get_current(rr_chunk, rr_num, rr_pos, 4700 &rr_dname, &rr_type, &rr_class, &rr_ttl, &rr_rdlen, 4701 &rr_rdata, &rr_nextpos)) { 4702 /* failed to parse RR */ 4703 return 0; 4704 } 4705 if(verbosity>=7) log_rrlist_position("apply_axfr", 4706 rr_chunk, rr_dname, rr_type, rr_counter); 4707 if(rr_type == LDNS_RR_TYPE_SOA) { 4708 if(rr_counter != 0) { 4709 /* end of the axfr */ 4710 have_end_soa = 1; 4711 break; 4712 } 4713 if(rr_rdlen < 22) return 0; /* bad SOA rdlen */ 4714 serial = sldns_read_uint32(rr_rdata+rr_rdlen-20); 4715 } 4716 4717 /* add this RR */ 4718 if(!az_insert_rr_decompress(z, rr_chunk->data, rr_chunk->len, 4719 scratch_buffer, rr_dname, rr_type, rr_class, rr_ttl, 4720 rr_rdata, rr_rdlen, NULL)) { 4721 /* failed, malloc error or so */ 4722 return 0; 4723 } 4724 4725 rr_counter++; 4726 chunk_rrlist_gonext(&rr_chunk, &rr_num, &rr_pos, rr_nextpos); 4727 } 4728 if(!have_end_soa) { 4729 log_err("no end SOA record for AXFR"); 4730 return 0; 4731 } 4732 4733 xfr->serial = serial; 4734 xfr->have_zone = 1; 4735 return 1; 4736} 4737 4738/** apply HTTP to zone in memory. z is locked. false on failure(mallocfail) */ 4739static int 4740apply_http(struct auth_xfer* xfr, struct auth_zone* z, 4741 struct sldns_buffer* scratch_buffer) 4742{ 4743 /* parse data in chunks */ 4744 /* parse RR's and read into memory. ignore $INCLUDE from the 4745 * downloaded file*/ 4746 struct sldns_file_parse_state pstate; 4747 struct auth_chunk* chunk; 4748 size_t chunk_pos; 4749 memset(&pstate, 0, sizeof(pstate)); 4750 pstate.default_ttl = 3600; 4751 if(xfr->namelen < sizeof(pstate.origin)) { 4752 pstate.origin_len = xfr->namelen; 4753 memmove(pstate.origin, xfr->name, xfr->namelen); 4754 } 4755 4756 if(verbosity >= VERB_ALGO) 4757 verbose(VERB_ALGO, "http download %s of size %d", 4758 xfr->task_transfer->master->file, 4759 (int)chunklist_sum(xfr->task_transfer->chunks_first)); 4760 if(xfr->task_transfer->chunks_first && verbosity >= VERB_ALGO) { 4761 char preview[1024]; 4762 if(xfr->task_transfer->chunks_first->len+1 > sizeof(preview)) { 4763 memmove(preview, xfr->task_transfer->chunks_first->data, 4764 sizeof(preview)-1); 4765 preview[sizeof(preview)-1]=0; 4766 } else { 4767 memmove(preview, xfr->task_transfer->chunks_first->data, 4768 xfr->task_transfer->chunks_first->len); 4769 preview[xfr->task_transfer->chunks_first->len]=0; 4770 } 4771 log_info("auth zone http downloaded content preview: %s", 4772 preview); 4773 } 4774 4775 /* perhaps a little syntax check before we try to apply the data? */ 4776 if(!http_zonefile_syntax_check(xfr, scratch_buffer)) { 4777 log_err("http download %s/%s does not contain a zonefile, " 4778 "but got '%s'", xfr->task_transfer->master->host, 4779 xfr->task_transfer->master->file, 4780 sldns_buffer_begin(scratch_buffer)); 4781 return 0; 4782 } 4783 4784 /* clear the data tree */ 4785 traverse_postorder(&z->data, auth_data_del, NULL); 4786 rbtree_init(&z->data, &auth_data_cmp); 4787 xfr->have_zone = 0; 4788 xfr->serial = 0; 4789 4790 chunk = xfr->task_transfer->chunks_first; 4791 chunk_pos = 0; 4792 pstate.lineno = 0; 4793 while(chunkline_get_line_collated(&chunk, &chunk_pos, scratch_buffer)) { 4794 /* process this line */ 4795 pstate.lineno++; 4796 chunkline_newline_removal(scratch_buffer); 4797 if(chunkline_is_comment_line_or_empty(scratch_buffer)) { 4798 continue; 4799 } 4800 /* parse line and add RR */ 4801 if(http_parse_origin(scratch_buffer, &pstate)) { 4802 continue; /* $ORIGIN has been handled */ 4803 } 4804 if(http_parse_ttl(scratch_buffer, &pstate)) { 4805 continue; /* $TTL has been handled */ 4806 } 4807 if(!http_parse_add_rr(xfr, z, scratch_buffer, &pstate)) { 4808 verbose(VERB_ALGO, "error parsing line [%s:%d] %s", 4809 xfr->task_transfer->master->file, 4810 pstate.lineno, 4811 sldns_buffer_begin(scratch_buffer)); 4812 return 0; 4813 } 4814 } 4815 return 1; 4816} 4817 4818/** write http chunks to zonefile to create downloaded file */ 4819static int 4820auth_zone_write_chunks(struct auth_xfer* xfr, const char* fname) 4821{ 4822 FILE* out; 4823 struct auth_chunk* p; 4824 out = fopen(fname, "w"); 4825 if(!out) { 4826 log_err("could not open %s: %s", fname, strerror(errno)); 4827 return 0; 4828 } 4829 for(p = xfr->task_transfer->chunks_first; p ; p = p->next) { 4830 if(!write_out(out, (char*)p->data, p->len)) { 4831 log_err("could not write http download to %s", fname); 4832 fclose(out); 4833 return 0; 4834 } 4835 } 4836 fclose(out); 4837 return 1; 4838} 4839 4840/** write to zonefile after zone has been updated */ 4841static void 4842xfr_write_after_update(struct auth_xfer* xfr, struct module_env* env) 4843{ 4844 struct config_file* cfg = env->cfg; 4845 struct auth_zone* z; 4846 char tmpfile[1024]; 4847 char* zfilename; 4848 lock_basic_unlock(&xfr->lock); 4849 4850 /* get lock again, so it is a readlock and concurrently queries 4851 * can be answered */ 4852 lock_rw_rdlock(&env->auth_zones->lock); 4853 z = auth_zone_find(env->auth_zones, xfr->name, xfr->namelen, 4854 xfr->dclass); 4855 if(!z) { 4856 lock_rw_unlock(&env->auth_zones->lock); 4857 /* the zone is gone, ignore xfr results */ 4858 lock_basic_lock(&xfr->lock); 4859 return; 4860 } 4861 lock_rw_rdlock(&z->lock); 4862 lock_basic_lock(&xfr->lock); 4863 lock_rw_unlock(&env->auth_zones->lock); 4864 4865 if(z->zonefile == NULL || z->zonefile[0] == 0) { 4866 lock_rw_unlock(&z->lock); 4867 /* no write needed, no zonefile set */ 4868 return; 4869 } 4870 zfilename = z->zonefile; 4871 if(cfg->chrootdir && cfg->chrootdir[0] && strncmp(zfilename, 4872 cfg->chrootdir, strlen(cfg->chrootdir)) == 0) 4873 zfilename += strlen(cfg->chrootdir); 4874 if(verbosity >= VERB_ALGO) { 4875 char nm[255+1]; 4876 dname_str(z->name, nm); 4877 verbose(VERB_ALGO, "write zonefile %s for %s", zfilename, nm); 4878 } 4879 4880 /* write to tempfile first */ 4881 if((size_t)strlen(zfilename) + 16 > sizeof(tmpfile)) { 4882 verbose(VERB_ALGO, "tmpfilename too long, cannot update " 4883 " zonefile %s", zfilename); 4884 lock_rw_unlock(&z->lock); 4885 return; 4886 } 4887 snprintf(tmpfile, sizeof(tmpfile), "%s.tmp%u", zfilename, 4888 (unsigned)getpid()); 4889 if(xfr->task_transfer->master->http) { 4890 /* use the stored chunk list to write them */ 4891 if(!auth_zone_write_chunks(xfr, tmpfile)) { 4892 unlink(tmpfile); 4893 lock_rw_unlock(&z->lock); 4894 return; 4895 } 4896 } else if(!auth_zone_write_file(z, tmpfile)) { 4897 unlink(tmpfile); 4898 lock_rw_unlock(&z->lock); 4899 return; 4900 } 4901 if(rename(tmpfile, zfilename) < 0) { 4902 log_err("could not rename(%s, %s): %s", tmpfile, zfilename, 4903 strerror(errno)); 4904 unlink(tmpfile); 4905 lock_rw_unlock(&z->lock); 4906 return; 4907 } 4908 lock_rw_unlock(&z->lock); 4909} 4910 4911/** process chunk list and update zone in memory, 4912 * return false if it did not work */ 4913static int 4914xfr_process_chunk_list(struct auth_xfer* xfr, struct module_env* env, 4915 int* ixfr_fail) 4916{ 4917 struct auth_zone* z; 4918 4919 /* obtain locks and structures */ 4920 /* release xfr lock, then, while holding az->lock grab both 4921 * z->lock and xfr->lock */ 4922 lock_basic_unlock(&xfr->lock); 4923 lock_rw_rdlock(&env->auth_zones->lock); 4924 z = auth_zone_find(env->auth_zones, xfr->name, xfr->namelen, 4925 xfr->dclass); 4926 if(!z) { 4927 lock_rw_unlock(&env->auth_zones->lock); 4928 /* the zone is gone, ignore xfr results */ 4929 lock_basic_lock(&xfr->lock); 4930 return 0; 4931 } 4932 lock_rw_wrlock(&z->lock); 4933 lock_basic_lock(&xfr->lock); 4934 lock_rw_unlock(&env->auth_zones->lock); 4935 4936 /* apply data */ 4937 if(xfr->task_transfer->master->http) { 4938 if(!apply_http(xfr, z, env->scratch_buffer)) { 4939 lock_rw_unlock(&z->lock); 4940 verbose(VERB_ALGO, "http from %s: could not store data", 4941 xfr->task_transfer->master->host); 4942 return 0; 4943 } 4944 } else if(xfr->task_transfer->on_ixfr && 4945 !xfr->task_transfer->on_ixfr_is_axfr) { 4946 if(!apply_ixfr(xfr, z, env->scratch_buffer)) { 4947 lock_rw_unlock(&z->lock); 4948 verbose(VERB_ALGO, "xfr from %s: could not store IXFR" 4949 " data", xfr->task_transfer->master->host); 4950 *ixfr_fail = 1; 4951 return 0; 4952 } 4953 } else { 4954 if(!apply_axfr(xfr, z, env->scratch_buffer)) { 4955 lock_rw_unlock(&z->lock); 4956 verbose(VERB_ALGO, "xfr from %s: could not store AXFR" 4957 " data", xfr->task_transfer->master->host); 4958 return 0; 4959 } 4960 } 4961 xfr->zone_expired = 0; 4962 z->zone_expired = 0; 4963 if(!xfr_find_soa(z, xfr)) { 4964 lock_rw_unlock(&z->lock); 4965 verbose(VERB_ALGO, "xfr from %s: no SOA in zone after update" 4966 " (or malformed RR)", xfr->task_transfer->master->host); 4967 return 0; 4968 } 4969 if(xfr->have_zone) 4970 xfr->lease_time = *env->now; 4971 4972 /* unlock */ 4973 lock_rw_unlock(&z->lock); 4974 4975 if(verbosity >= VERB_QUERY && xfr->have_zone) { 4976 char zname[256]; 4977 dname_str(xfr->name, zname); 4978 verbose(VERB_QUERY, "auth zone %s updated to serial %u", zname, 4979 (unsigned)xfr->serial); 4980 } 4981 /* see if we need to write to a zonefile */ 4982 xfr_write_after_update(xfr, env); 4983 return 1; 4984} 4985 4986/** disown task_transfer. caller must hold xfr.lock */ 4987static void 4988xfr_transfer_disown(struct auth_xfer* xfr) 4989{ 4990 /* remove timer (from this worker's event base) */ 4991 comm_timer_delete(xfr->task_transfer->timer); 4992 xfr->task_transfer->timer = NULL; 4993 /* remove the commpoint */ 4994 comm_point_delete(xfr->task_transfer->cp); 4995 xfr->task_transfer->cp = NULL; 4996 /* we don't own this item anymore */ 4997 xfr->task_transfer->worker = NULL; 4998 xfr->task_transfer->env = NULL; 4999} 5000 5001/** lookup a host name for its addresses, if needed */ 5002static int 5003xfr_transfer_lookup_host(struct auth_xfer* xfr, struct module_env* env) 5004{ 5005 struct sockaddr_storage addr; 5006 socklen_t addrlen = 0; 5007 struct auth_master* master = xfr->task_transfer->lookup_target; 5008 struct query_info qinfo; 5009 uint16_t qflags = BIT_RD; 5010 uint8_t dname[LDNS_MAX_DOMAINLEN+1]; 5011 struct edns_data edns; 5012 sldns_buffer* buf = env->scratch_buffer; 5013 if(!master) return 0; 5014 if(extstrtoaddr(master->host, &addr, &addrlen)) { 5015 /* not needed, host is in IP addr format */ 5016 return 0; 5017 } 5018 if(master->allow_notify) 5019 return 0; /* allow-notifies are not transferred from, no 5020 lookup is needed */ 5021 5022 /* use mesh_new_callback to probe for non-addr hosts, 5023 * and then wait for them to be looked up (in cache, or query) */ 5024 qinfo.qname_len = sizeof(dname); 5025 if(sldns_str2wire_dname_buf(master->host, dname, &qinfo.qname_len) 5026 != 0) { 5027 log_err("cannot parse host name of master %s", master->host); 5028 return 0; 5029 } 5030 qinfo.qname = dname; 5031 qinfo.qclass = xfr->dclass; 5032 qinfo.qtype = LDNS_RR_TYPE_A; 5033 if(xfr->task_transfer->lookup_aaaa) 5034 qinfo.qtype = LDNS_RR_TYPE_AAAA; 5035 qinfo.local_alias = NULL; 5036 if(verbosity >= VERB_ALGO) { 5037 char buf1[512]; 5038 char buf2[LDNS_MAX_DOMAINLEN+1]; 5039 dname_str(xfr->name, buf2); 5040 snprintf(buf1, sizeof(buf1), "auth zone %s: master lookup" 5041 " for task_transfer", buf2); 5042 log_query_info(VERB_ALGO, buf1, &qinfo); 5043 } 5044 edns.edns_present = 1; 5045 edns.ext_rcode = 0; 5046 edns.edns_version = 0; 5047 edns.bits = EDNS_DO; 5048 edns.opt_list = NULL; 5049 if(sldns_buffer_capacity(buf) < 65535) 5050 edns.udp_size = (uint16_t)sldns_buffer_capacity(buf); 5051 else edns.udp_size = 65535; 5052 5053 /* unlock xfr during mesh_new_callback() because the callback can be 5054 * called straight away */ 5055 lock_basic_unlock(&xfr->lock); 5056 if(!mesh_new_callback(env->mesh, &qinfo, qflags, &edns, buf, 0, 5057 &auth_xfer_transfer_lookup_callback, xfr)) { 5058 lock_basic_lock(&xfr->lock); 5059 log_err("out of memory lookup up master %s", master->host); 5060 return 0; 5061 } 5062 lock_basic_lock(&xfr->lock); 5063 return 1; 5064} 5065 5066/** initiate TCP to the target and fetch zone. 5067 * returns true if that was successfully started, and timeout setup. */ 5068static int 5069xfr_transfer_init_fetch(struct auth_xfer* xfr, struct module_env* env) 5070{ 5071 struct sockaddr_storage addr; 5072 socklen_t addrlen = 0; 5073 struct auth_master* master = xfr->task_transfer->master; 5074 char *auth_name = NULL; 5075 struct timeval t; 5076 int timeout; 5077 if(!master) return 0; 5078 if(master->allow_notify) return 0; /* only for notify */ 5079 5080 /* get master addr */ 5081 if(xfr->task_transfer->scan_addr) { 5082 addrlen = xfr->task_transfer->scan_addr->addrlen; 5083 memmove(&addr, &xfr->task_transfer->scan_addr->addr, addrlen); 5084 } else { 5085 if(!authextstrtoaddr(master->host, &addr, &addrlen, &auth_name)) { 5086 /* the ones that are not in addr format are supposed 5087 * to be looked up. The lookup has failed however, 5088 * so skip them */ 5089 char zname[255+1]; 5090 dname_str(xfr->name, zname); 5091 log_err("%s: failed lookup, cannot transfer from master %s", 5092 zname, master->host); 5093 return 0; 5094 } 5095 } 5096 5097 /* remove previous TCP connection (if any) */ 5098 if(xfr->task_transfer->cp) { 5099 comm_point_delete(xfr->task_transfer->cp); 5100 xfr->task_transfer->cp = NULL; 5101 } 5102 if(!xfr->task_transfer->timer) { 5103 xfr->task_transfer->timer = comm_timer_create(env->worker_base, 5104 auth_xfer_transfer_timer_callback, xfr); 5105 if(!xfr->task_transfer->timer) { 5106 log_err("malloc failure"); 5107 return 0; 5108 } 5109 } 5110 timeout = AUTH_TRANSFER_TIMEOUT; 5111#ifndef S_SPLINT_S 5112 t.tv_sec = timeout/1000; 5113 t.tv_usec = (timeout%1000)*1000; 5114#endif 5115 5116 if(master->http) { 5117 /* perform http fetch */ 5118 /* store http port number into sockaddr, 5119 * unless someone used unbound's host@port notation */ 5120 xfr->task_transfer->on_ixfr = 0; 5121 if(strchr(master->host, '@') == NULL) 5122 sockaddr_store_port(&addr, addrlen, master->port); 5123 xfr->task_transfer->cp = outnet_comm_point_for_http( 5124 env->outnet, auth_xfer_transfer_http_callback, xfr, 5125 &addr, addrlen, -1, master->ssl, master->host, 5126 master->file); 5127 if(!xfr->task_transfer->cp) { 5128 char zname[255+1], as[256]; 5129 dname_str(xfr->name, zname); 5130 addr_to_str(&addr, addrlen, as, sizeof(as)); 5131 verbose(VERB_ALGO, "cannot create http cp " 5132 "connection for %s to %s", zname, as); 5133 return 0; 5134 } 5135 comm_timer_set(xfr->task_transfer->timer, &t); 5136 if(verbosity >= VERB_ALGO) { 5137 char zname[255+1], as[256]; 5138 dname_str(xfr->name, zname); 5139 addr_to_str(&addr, addrlen, as, sizeof(as)); 5140 verbose(VERB_ALGO, "auth zone %s transfer next HTTP fetch from %s started", zname, as); 5141 } 5142 return 1; 5143 } 5144 5145 /* perform AXFR/IXFR */ 5146 /* set the packet to be written */ 5147 /* create new ID */ 5148 xfr->task_transfer->id = (uint16_t)(ub_random(env->rnd)&0xffff); 5149 xfr_create_ixfr_packet(xfr, env->scratch_buffer, 5150 xfr->task_transfer->id, master); 5151 5152 /* connect on fd */ 5153 xfr->task_transfer->cp = outnet_comm_point_for_tcp(env->outnet, 5154 auth_xfer_transfer_tcp_callback, xfr, &addr, addrlen, 5155 env->scratch_buffer, -1, 5156 auth_name != NULL, auth_name); 5157 if(!xfr->task_transfer->cp) { 5158 char zname[255+1], as[256]; 5159 dname_str(xfr->name, zname); 5160 addr_to_str(&addr, addrlen, as, sizeof(as)); 5161 verbose(VERB_ALGO, "cannot create tcp cp connection for " 5162 "xfr %s to %s", zname, as); 5163 return 0; 5164 } 5165 comm_timer_set(xfr->task_transfer->timer, &t); 5166 if(verbosity >= VERB_ALGO) { 5167 char zname[255+1], as[256]; 5168 dname_str(xfr->name, zname); 5169 addr_to_str(&addr, addrlen, as, sizeof(as)); 5170 verbose(VERB_ALGO, "auth zone %s transfer next %s fetch from %s started", zname, 5171 (xfr->task_transfer->on_ixfr?"IXFR":"AXFR"), as); 5172 } 5173 return 1; 5174} 5175 5176/** perform next lookup, next transfer TCP, or end and resume wait time task */ 5177static void 5178xfr_transfer_nexttarget_or_end(struct auth_xfer* xfr, struct module_env* env) 5179{ 5180 log_assert(xfr->task_transfer->worker == env->worker); 5181 5182 /* are we performing lookups? */ 5183 while(xfr->task_transfer->lookup_target) { 5184 if(xfr_transfer_lookup_host(xfr, env)) { 5185 /* wait for lookup to finish, 5186 * note that the hostname may be in unbound's cache 5187 * and we may then get an instant cache response, 5188 * and that calls the callback just like a full 5189 * lookup and lookup failures also call callback */ 5190 if(verbosity >= VERB_ALGO) { 5191 char zname[255+1]; 5192 dname_str(xfr->name, zname); 5193 verbose(VERB_ALGO, "auth zone %s transfer next target lookup", zname); 5194 } 5195 lock_basic_unlock(&xfr->lock); 5196 return; 5197 } 5198 xfr_transfer_move_to_next_lookup(xfr, env); 5199 } 5200 5201 /* initiate TCP and fetch the zone from the master */ 5202 /* and set timeout on it */ 5203 while(!xfr_transfer_end_of_list(xfr)) { 5204 xfr->task_transfer->master = xfr_transfer_current_master(xfr); 5205 if(xfr_transfer_init_fetch(xfr, env)) { 5206 /* successfully started, wait for callback */ 5207 lock_basic_unlock(&xfr->lock); 5208 return; 5209 } 5210 /* failed to fetch, next master */ 5211 xfr_transfer_nextmaster(xfr); 5212 } 5213 if(verbosity >= VERB_ALGO) { 5214 char zname[255+1]; 5215 dname_str(xfr->name, zname); 5216 verbose(VERB_ALGO, "auth zone %s transfer failed, wait", zname); 5217 } 5218 5219 /* we failed to fetch the zone, move to wait task 5220 * use the shorter retry timeout */ 5221 xfr_transfer_disown(xfr); 5222 5223 /* pick up the nextprobe task and wait */ 5224 if(xfr->task_nextprobe->worker == NULL) 5225 xfr_set_timeout(xfr, env, 1, 0); 5226 lock_basic_unlock(&xfr->lock); 5227} 5228 5229/** add addrs from A or AAAA rrset to the master */ 5230static void 5231xfr_master_add_addrs(struct auth_master* m, struct ub_packed_rrset_key* rrset, 5232 uint16_t rrtype) 5233{ 5234 size_t i; 5235 struct packed_rrset_data* data; 5236 if(!m || !rrset) return; 5237 if(rrtype != LDNS_RR_TYPE_A && rrtype != LDNS_RR_TYPE_AAAA) 5238 return; 5239 data = (struct packed_rrset_data*)rrset->entry.data; 5240 for(i=0; i<data->count; i++) { 5241 struct auth_addr* a; 5242 size_t len = data->rr_len[i] - 2; 5243 uint8_t* rdata = data->rr_data[i]+2; 5244 if(rrtype == LDNS_RR_TYPE_A && len != INET_SIZE) 5245 continue; /* wrong length for A */ 5246 if(rrtype == LDNS_RR_TYPE_AAAA && len != INET6_SIZE) 5247 continue; /* wrong length for AAAA */ 5248 5249 /* add and alloc it */ 5250 a = (struct auth_addr*)calloc(1, sizeof(*a)); 5251 if(!a) { 5252 log_err("out of memory"); 5253 return; 5254 } 5255 if(rrtype == LDNS_RR_TYPE_A) { 5256 struct sockaddr_in* sa; 5257 a->addrlen = (socklen_t)sizeof(*sa); 5258 sa = (struct sockaddr_in*)&a->addr; 5259 sa->sin_family = AF_INET; 5260 sa->sin_port = (in_port_t)htons(UNBOUND_DNS_PORT); 5261 memmove(&sa->sin_addr, rdata, INET_SIZE); 5262 } else { 5263 struct sockaddr_in6* sa; 5264 a->addrlen = (socklen_t)sizeof(*sa); 5265 sa = (struct sockaddr_in6*)&a->addr; 5266 sa->sin6_family = AF_INET6; 5267 sa->sin6_port = (in_port_t)htons(UNBOUND_DNS_PORT); 5268 memmove(&sa->sin6_addr, rdata, INET6_SIZE); 5269 } 5270 if(verbosity >= VERB_ALGO) { 5271 char s[64]; 5272 addr_to_str(&a->addr, a->addrlen, s, sizeof(s)); 5273 verbose(VERB_ALGO, "auth host %s lookup %s", 5274 m->host, s); 5275 } 5276 /* append to list */ 5277 a->next = m->list; 5278 m->list = a; 5279 } 5280} 5281 5282/** callback for task_transfer lookup of host name, of A or AAAA */ 5283void auth_xfer_transfer_lookup_callback(void* arg, int rcode, sldns_buffer* buf, 5284 enum sec_status ATTR_UNUSED(sec), char* ATTR_UNUSED(why_bogus), 5285 int ATTR_UNUSED(was_ratelimited)) 5286{ 5287 struct auth_xfer* xfr = (struct auth_xfer*)arg; 5288 struct module_env* env; 5289 log_assert(xfr->task_transfer); 5290 lock_basic_lock(&xfr->lock); 5291 env = xfr->task_transfer->env; 5292 if(env->outnet->want_to_quit) { 5293 lock_basic_unlock(&xfr->lock); 5294 return; /* stop on quit */ 5295 } 5296 5297 /* process result */ 5298 if(rcode == LDNS_RCODE_NOERROR) { 5299 uint16_t wanted_qtype = LDNS_RR_TYPE_A; 5300 struct regional* temp = env->scratch; 5301 struct query_info rq; 5302 struct reply_info* rep; 5303 if(xfr->task_transfer->lookup_aaaa) 5304 wanted_qtype = LDNS_RR_TYPE_AAAA; 5305 memset(&rq, 0, sizeof(rq)); 5306 rep = parse_reply_in_temp_region(buf, temp, &rq); 5307 if(rep && rq.qtype == wanted_qtype && 5308 FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NOERROR) { 5309 /* parsed successfully */ 5310 struct ub_packed_rrset_key* answer = 5311 reply_find_answer_rrset(&rq, rep); 5312 if(answer) { 5313 xfr_master_add_addrs(xfr->task_transfer-> 5314 lookup_target, answer, wanted_qtype); 5315 } else { 5316 if(verbosity >= VERB_ALGO) { 5317 char zname[255+1]; 5318 dname_str(xfr->name, zname); 5319 verbose(VERB_ALGO, "auth zone %s host %s type %s transfer lookup has nodata", zname, xfr->task_transfer->lookup_target->host, (xfr->task_transfer->lookup_aaaa?"AAAA":"A")); 5320 } 5321 } 5322 } else { 5323 if(verbosity >= VERB_ALGO) { 5324 char zname[255+1]; 5325 dname_str(xfr->name, zname); 5326 verbose(VERB_ALGO, "auth zone %s host %s type %s transfer lookup has no answer", zname, xfr->task_transfer->lookup_target->host, (xfr->task_transfer->lookup_aaaa?"AAAA":"A")); 5327 } 5328 } 5329 } else { 5330 if(verbosity >= VERB_ALGO) { 5331 char zname[255+1]; 5332 dname_str(xfr->name, zname); 5333 verbose(VERB_ALGO, "auth zone %s host %s type %s transfer lookup failed", zname, xfr->task_transfer->lookup_target->host, (xfr->task_transfer->lookup_aaaa?"AAAA":"A")); 5334 } 5335 } 5336 if(xfr->task_transfer->lookup_target->list && 5337 xfr->task_transfer->lookup_target == xfr_transfer_current_master(xfr)) 5338 xfr->task_transfer->scan_addr = xfr->task_transfer->lookup_target->list; 5339 5340 /* move to lookup AAAA after A lookup, move to next hostname lookup, 5341 * or move to fetch the zone, or, if nothing to do, end task_transfer */ 5342 xfr_transfer_move_to_next_lookup(xfr, env); 5343 xfr_transfer_nexttarget_or_end(xfr, env); 5344} 5345 5346/** check if xfer (AXFR or IXFR) packet is OK. 5347 * return false if we lost connection (SERVFAIL, or unreadable). 5348 * return false if we need to move from IXFR to AXFR, with gonextonfail 5349 * set to false, so the same master is tried again, but with AXFR. 5350 * return true if fine to link into data. 5351 * return true with transferdone=true when the transfer has ended. 5352 */ 5353static int 5354check_xfer_packet(sldns_buffer* pkt, struct auth_xfer* xfr, 5355 int* gonextonfail, int* transferdone) 5356{ 5357 uint8_t* wire = sldns_buffer_begin(pkt); 5358 int i; 5359 if(sldns_buffer_limit(pkt) < LDNS_HEADER_SIZE) { 5360 verbose(VERB_ALGO, "xfr to %s failed, packet too small", 5361 xfr->task_transfer->master->host); 5362 return 0; 5363 } 5364 if(!LDNS_QR_WIRE(wire)) { 5365 verbose(VERB_ALGO, "xfr to %s failed, packet has no QR flag", 5366 xfr->task_transfer->master->host); 5367 return 0; 5368 } 5369 if(LDNS_TC_WIRE(wire)) { 5370 verbose(VERB_ALGO, "xfr to %s failed, packet has TC flag", 5371 xfr->task_transfer->master->host); 5372 return 0; 5373 } 5374 /* check ID */ 5375 if(LDNS_ID_WIRE(wire) != xfr->task_transfer->id) { 5376 verbose(VERB_ALGO, "xfr to %s failed, packet wrong ID", 5377 xfr->task_transfer->master->host); 5378 return 0; 5379 } 5380 if(LDNS_RCODE_WIRE(wire) != LDNS_RCODE_NOERROR) { 5381 char rcode[32]; 5382 sldns_wire2str_rcode_buf((int)LDNS_RCODE_WIRE(wire), rcode, 5383 sizeof(rcode)); 5384 /* if we are doing IXFR, check for fallback */ 5385 if(xfr->task_transfer->on_ixfr) { 5386 if(LDNS_RCODE_WIRE(wire) == LDNS_RCODE_NOTIMPL || 5387 LDNS_RCODE_WIRE(wire) == LDNS_RCODE_SERVFAIL || 5388 LDNS_RCODE_WIRE(wire) == LDNS_RCODE_REFUSED || 5389 LDNS_RCODE_WIRE(wire) == LDNS_RCODE_FORMERR) { 5390 verbose(VERB_ALGO, "xfr to %s, fallback " 5391 "from IXFR to AXFR (with rcode %s)", 5392 xfr->task_transfer->master->host, 5393 rcode); 5394 xfr->task_transfer->ixfr_fail = 1; 5395 *gonextonfail = 0; 5396 return 0; 5397 } 5398 } 5399 verbose(VERB_ALGO, "xfr to %s failed, packet with rcode %s", 5400 xfr->task_transfer->master->host, rcode); 5401 return 0; 5402 } 5403 if(LDNS_OPCODE_WIRE(wire) != LDNS_PACKET_QUERY) { 5404 verbose(VERB_ALGO, "xfr to %s failed, packet with bad opcode", 5405 xfr->task_transfer->master->host); 5406 return 0; 5407 } 5408 if(LDNS_QDCOUNT(wire) > 1) { 5409 verbose(VERB_ALGO, "xfr to %s failed, packet has qdcount %d", 5410 xfr->task_transfer->master->host, 5411 (int)LDNS_QDCOUNT(wire)); 5412 return 0; 5413 } 5414 5415 /* check qname */ 5416 sldns_buffer_set_position(pkt, LDNS_HEADER_SIZE); 5417 for(i=0; i<(int)LDNS_QDCOUNT(wire); i++) { 5418 size_t pos = sldns_buffer_position(pkt); 5419 uint16_t qtype, qclass; 5420 if(pkt_dname_len(pkt) == 0) { 5421 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5422 "malformed dname", 5423 xfr->task_transfer->master->host); 5424 return 0; 5425 } 5426 if(dname_pkt_compare(pkt, sldns_buffer_at(pkt, pos), 5427 xfr->name) != 0) { 5428 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5429 "wrong qname", 5430 xfr->task_transfer->master->host); 5431 return 0; 5432 } 5433 if(sldns_buffer_remaining(pkt) < 4) { 5434 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5435 "truncated query RR", 5436 xfr->task_transfer->master->host); 5437 return 0; 5438 } 5439 qtype = sldns_buffer_read_u16(pkt); 5440 qclass = sldns_buffer_read_u16(pkt); 5441 if(qclass != xfr->dclass) { 5442 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5443 "wrong qclass", 5444 xfr->task_transfer->master->host); 5445 return 0; 5446 } 5447 if(xfr->task_transfer->on_ixfr) { 5448 if(qtype != LDNS_RR_TYPE_IXFR) { 5449 verbose(VERB_ALGO, "xfr to %s failed, packet " 5450 "with wrong qtype, expected IXFR", 5451 xfr->task_transfer->master->host); 5452 return 0; 5453 } 5454 } else { 5455 if(qtype != LDNS_RR_TYPE_AXFR) { 5456 verbose(VERB_ALGO, "xfr to %s failed, packet " 5457 "with wrong qtype, expected AXFR", 5458 xfr->task_transfer->master->host); 5459 return 0; 5460 } 5461 } 5462 } 5463 5464 /* check parse of RRs in packet, store first SOA serial 5465 * to be able to detect last SOA (with that serial) to see if done */ 5466 /* also check for IXFR 'zone up to date' reply */ 5467 for(i=0; i<(int)LDNS_ANCOUNT(wire); i++) { 5468 size_t pos = sldns_buffer_position(pkt); 5469 uint16_t tp, rdlen; 5470 if(pkt_dname_len(pkt) == 0) { 5471 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5472 "malformed dname in answer section", 5473 xfr->task_transfer->master->host); 5474 return 0; 5475 } 5476 if(sldns_buffer_remaining(pkt) < 10) { 5477 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5478 "truncated RR", 5479 xfr->task_transfer->master->host); 5480 return 0; 5481 } 5482 tp = sldns_buffer_read_u16(pkt); 5483 (void)sldns_buffer_read_u16(pkt); /* class */ 5484 (void)sldns_buffer_read_u32(pkt); /* ttl */ 5485 rdlen = sldns_buffer_read_u16(pkt); 5486 if(sldns_buffer_remaining(pkt) < rdlen) { 5487 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5488 "truncated RR rdata", 5489 xfr->task_transfer->master->host); 5490 return 0; 5491 } 5492 5493 /* RR parses (haven't checked rdata itself), now look at 5494 * SOA records to see serial number */ 5495 if(xfr->task_transfer->rr_scan_num == 0 && 5496 tp != LDNS_RR_TYPE_SOA) { 5497 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5498 "malformed zone transfer, no start SOA", 5499 xfr->task_transfer->master->host); 5500 return 0; 5501 } 5502 if(xfr->task_transfer->rr_scan_num == 1 && 5503 tp != LDNS_RR_TYPE_SOA) { 5504 /* second RR is not a SOA record, this is not an IXFR 5505 * the master is replying with an AXFR */ 5506 xfr->task_transfer->on_ixfr_is_axfr = 1; 5507 } 5508 if(tp == LDNS_RR_TYPE_SOA) { 5509 uint32_t serial; 5510 if(rdlen < 22) { 5511 verbose(VERB_ALGO, "xfr to %s failed, packet " 5512 "with SOA with malformed rdata", 5513 xfr->task_transfer->master->host); 5514 return 0; 5515 } 5516 if(dname_pkt_compare(pkt, sldns_buffer_at(pkt, pos), 5517 xfr->name) != 0) { 5518 verbose(VERB_ALGO, "xfr to %s failed, packet " 5519 "with SOA with wrong dname", 5520 xfr->task_transfer->master->host); 5521 return 0; 5522 } 5523 5524 /* read serial number of SOA */ 5525 serial = sldns_buffer_read_u32_at(pkt, 5526 sldns_buffer_position(pkt)+rdlen-20); 5527 5528 /* check for IXFR 'zone has SOA x' reply */ 5529 if(xfr->task_transfer->on_ixfr && 5530 xfr->task_transfer->rr_scan_num == 0 && 5531 LDNS_ANCOUNT(wire)==1) { 5532 verbose(VERB_ALGO, "xfr to %s ended, " 5533 "IXFR reply that zone has serial %u", 5534 xfr->task_transfer->master->host, 5535 (unsigned)serial); 5536 return 0; 5537 } 5538 5539 /* if first SOA, store serial number */ 5540 if(xfr->task_transfer->got_xfr_serial == 0) { 5541 xfr->task_transfer->got_xfr_serial = 1; 5542 xfr->task_transfer->incoming_xfr_serial = 5543 serial; 5544 verbose(VERB_ALGO, "xfr %s: contains " 5545 "SOA serial %u", 5546 xfr->task_transfer->master->host, 5547 (unsigned)serial); 5548 /* see if end of AXFR */ 5549 } else if(!xfr->task_transfer->on_ixfr || 5550 xfr->task_transfer->on_ixfr_is_axfr) { 5551 /* second SOA with serial is the end 5552 * for AXFR */ 5553 *transferdone = 1; 5554 verbose(VERB_ALGO, "xfr %s: last AXFR packet", 5555 xfr->task_transfer->master->host); 5556 /* for IXFR, count SOA records with that serial */ 5557 } else if(xfr->task_transfer->incoming_xfr_serial == 5558 serial && xfr->task_transfer->got_xfr_serial 5559 == 1) { 5560 xfr->task_transfer->got_xfr_serial++; 5561 /* if not first soa, if serial==firstserial, the 5562 * third time we are at the end, for IXFR */ 5563 } else if(xfr->task_transfer->incoming_xfr_serial == 5564 serial && xfr->task_transfer->got_xfr_serial 5565 == 2) { 5566 verbose(VERB_ALGO, "xfr %s: last IXFR packet", 5567 xfr->task_transfer->master->host); 5568 *transferdone = 1; 5569 /* continue parse check, if that succeeds, 5570 * transfer is done */ 5571 } 5572 } 5573 xfr->task_transfer->rr_scan_num++; 5574 5575 /* skip over RR rdata to go to the next RR */ 5576 sldns_buffer_skip(pkt, (ssize_t)rdlen); 5577 } 5578 5579 /* check authority section */ 5580 /* we skip over the RRs checking packet format */ 5581 for(i=0; i<(int)LDNS_NSCOUNT(wire); i++) { 5582 uint16_t rdlen; 5583 if(pkt_dname_len(pkt) == 0) { 5584 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5585 "malformed dname in authority section", 5586 xfr->task_transfer->master->host); 5587 return 0; 5588 } 5589 if(sldns_buffer_remaining(pkt) < 10) { 5590 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5591 "truncated RR", 5592 xfr->task_transfer->master->host); 5593 return 0; 5594 } 5595 (void)sldns_buffer_read_u16(pkt); /* type */ 5596 (void)sldns_buffer_read_u16(pkt); /* class */ 5597 (void)sldns_buffer_read_u32(pkt); /* ttl */ 5598 rdlen = sldns_buffer_read_u16(pkt); 5599 if(sldns_buffer_remaining(pkt) < rdlen) { 5600 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5601 "truncated RR rdata", 5602 xfr->task_transfer->master->host); 5603 return 0; 5604 } 5605 /* skip over RR rdata to go to the next RR */ 5606 sldns_buffer_skip(pkt, (ssize_t)rdlen); 5607 } 5608 5609 /* check additional section */ 5610 for(i=0; i<(int)LDNS_ARCOUNT(wire); i++) { 5611 uint16_t rdlen; 5612 if(pkt_dname_len(pkt) == 0) { 5613 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5614 "malformed dname in additional section", 5615 xfr->task_transfer->master->host); 5616 return 0; 5617 } 5618 if(sldns_buffer_remaining(pkt) < 10) { 5619 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5620 "truncated RR", 5621 xfr->task_transfer->master->host); 5622 return 0; 5623 } 5624 (void)sldns_buffer_read_u16(pkt); /* type */ 5625 (void)sldns_buffer_read_u16(pkt); /* class */ 5626 (void)sldns_buffer_read_u32(pkt); /* ttl */ 5627 rdlen = sldns_buffer_read_u16(pkt); 5628 if(sldns_buffer_remaining(pkt) < rdlen) { 5629 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5630 "truncated RR rdata", 5631 xfr->task_transfer->master->host); 5632 return 0; 5633 } 5634 /* skip over RR rdata to go to the next RR */ 5635 sldns_buffer_skip(pkt, (ssize_t)rdlen); 5636 } 5637 5638 return 1; 5639} 5640 5641/** Link the data from this packet into the worklist of transferred data */ 5642static int 5643xfer_link_data(sldns_buffer* pkt, struct auth_xfer* xfr) 5644{ 5645 /* alloc it */ 5646 struct auth_chunk* e; 5647 e = (struct auth_chunk*)calloc(1, sizeof(*e)); 5648 if(!e) return 0; 5649 e->next = NULL; 5650 e->len = sldns_buffer_limit(pkt); 5651 e->data = memdup(sldns_buffer_begin(pkt), e->len); 5652 if(!e->data) { 5653 free(e); 5654 return 0; 5655 } 5656 5657 /* alloc succeeded, link into list */ 5658 if(!xfr->task_transfer->chunks_first) 5659 xfr->task_transfer->chunks_first = e; 5660 if(xfr->task_transfer->chunks_last) 5661 xfr->task_transfer->chunks_last->next = e; 5662 xfr->task_transfer->chunks_last = e; 5663 return 1; 5664} 5665 5666/** task transfer. the list of data is complete. process it and if failed 5667 * move to next master, if succeeded, end the task transfer */ 5668static void 5669process_list_end_transfer(struct auth_xfer* xfr, struct module_env* env) 5670{ 5671 int ixfr_fail = 0; 5672 if(xfr_process_chunk_list(xfr, env, &ixfr_fail)) { 5673 /* it worked! */ 5674 auth_chunks_delete(xfr->task_transfer); 5675 5676 /* we fetched the zone, move to wait task */ 5677 xfr_transfer_disown(xfr); 5678 5679 if(xfr->notify_received && (!xfr->notify_has_serial || 5680 (xfr->notify_has_serial && 5681 xfr_serial_means_update(xfr, xfr->notify_serial)))) { 5682 uint32_t sr = xfr->notify_serial; 5683 int has_sr = xfr->notify_has_serial; 5684 /* we received a notify while probe/transfer was 5685 * in progress. start a new probe and transfer */ 5686 xfr->notify_received = 0; 5687 xfr->notify_has_serial = 0; 5688 xfr->notify_serial = 0; 5689 if(!xfr_start_probe(xfr, env, NULL)) { 5690 /* if we couldn't start it, already in 5691 * progress; restore notify serial, 5692 * while xfr still locked */ 5693 xfr->notify_received = 1; 5694 xfr->notify_has_serial = has_sr; 5695 xfr->notify_serial = sr; 5696 lock_basic_unlock(&xfr->lock); 5697 } 5698 return; 5699 } else { 5700 /* pick up the nextprobe task and wait (normail wait time) */ 5701 if(xfr->task_nextprobe->worker == NULL) 5702 xfr_set_timeout(xfr, env, 0, 0); 5703 } 5704 lock_basic_unlock(&xfr->lock); 5705 return; 5706 } 5707 /* processing failed */ 5708 /* when done, delete data from list */ 5709 auth_chunks_delete(xfr->task_transfer); 5710 if(ixfr_fail) { 5711 xfr->task_transfer->ixfr_fail = 1; 5712 } else { 5713 xfr_transfer_nextmaster(xfr); 5714 } 5715 xfr_transfer_nexttarget_or_end(xfr, env); 5716} 5717 5718/** callback for the task_transfer timer */ 5719void 5720auth_xfer_transfer_timer_callback(void* arg) 5721{ 5722 struct auth_xfer* xfr = (struct auth_xfer*)arg; 5723 struct module_env* env; 5724 int gonextonfail = 1; 5725 log_assert(xfr->task_transfer); 5726 lock_basic_lock(&xfr->lock); 5727 env = xfr->task_transfer->env; 5728 if(env->outnet->want_to_quit) { 5729 lock_basic_unlock(&xfr->lock); 5730 return; /* stop on quit */ 5731 } 5732 5733 verbose(VERB_ALGO, "xfr stopped, connection timeout to %s", 5734 xfr->task_transfer->master->host); 5735 5736 /* see if IXFR caused the failure, if so, try AXFR */ 5737 if(xfr->task_transfer->on_ixfr) { 5738 xfr->task_transfer->ixfr_possible_timeout_count++; 5739 if(xfr->task_transfer->ixfr_possible_timeout_count >= 5740 NUM_TIMEOUTS_FALLBACK_IXFR) { 5741 verbose(VERB_ALGO, "xfr to %s, fallback " 5742 "from IXFR to AXFR (because of timeouts)", 5743 xfr->task_transfer->master->host); 5744 xfr->task_transfer->ixfr_fail = 1; 5745 gonextonfail = 0; 5746 } 5747 } 5748 5749 /* delete transferred data from list */ 5750 auth_chunks_delete(xfr->task_transfer); 5751 comm_point_delete(xfr->task_transfer->cp); 5752 xfr->task_transfer->cp = NULL; 5753 if(gonextonfail) 5754 xfr_transfer_nextmaster(xfr); 5755 xfr_transfer_nexttarget_or_end(xfr, env); 5756} 5757 5758/** callback for task_transfer tcp connections */ 5759int 5760auth_xfer_transfer_tcp_callback(struct comm_point* c, void* arg, int err, 5761 struct comm_reply* ATTR_UNUSED(repinfo)) 5762{ 5763 struct auth_xfer* xfr = (struct auth_xfer*)arg; 5764 struct module_env* env; 5765 int gonextonfail = 1; 5766 int transferdone = 0; 5767 log_assert(xfr->task_transfer); 5768 lock_basic_lock(&xfr->lock); 5769 env = xfr->task_transfer->env; 5770 if(env->outnet->want_to_quit) { 5771 lock_basic_unlock(&xfr->lock); 5772 return 0; /* stop on quit */ 5773 } 5774 /* stop the timer */ 5775 comm_timer_disable(xfr->task_transfer->timer); 5776 5777 if(err != NETEVENT_NOERROR) { 5778 /* connection failed, closed, or timeout */ 5779 /* stop this transfer, cleanup 5780 * and continue task_transfer*/ 5781 verbose(VERB_ALGO, "xfr stopped, connection lost to %s", 5782 xfr->task_transfer->master->host); 5783 5784 /* see if IXFR caused the failure, if so, try AXFR */ 5785 if(xfr->task_transfer->on_ixfr) { 5786 xfr->task_transfer->ixfr_possible_timeout_count++; 5787 if(xfr->task_transfer->ixfr_possible_timeout_count >= 5788 NUM_TIMEOUTS_FALLBACK_IXFR) { 5789 verbose(VERB_ALGO, "xfr to %s, fallback " 5790 "from IXFR to AXFR (because of timeouts)", 5791 xfr->task_transfer->master->host); 5792 xfr->task_transfer->ixfr_fail = 1; 5793 gonextonfail = 0; 5794 } 5795 } 5796 5797 failed: 5798 /* delete transferred data from list */ 5799 auth_chunks_delete(xfr->task_transfer); 5800 comm_point_delete(xfr->task_transfer->cp); 5801 xfr->task_transfer->cp = NULL; 5802 if(gonextonfail) 5803 xfr_transfer_nextmaster(xfr); 5804 xfr_transfer_nexttarget_or_end(xfr, env); 5805 return 0; 5806 } 5807 /* note that IXFR worked without timeout */ 5808 if(xfr->task_transfer->on_ixfr) 5809 xfr->task_transfer->ixfr_possible_timeout_count = 0; 5810 5811 /* handle returned packet */ 5812 /* if it fails, cleanup and end this transfer */ 5813 /* if it needs to fallback from IXFR to AXFR, do that */ 5814 if(!check_xfer_packet(c->buffer, xfr, &gonextonfail, &transferdone)) { 5815 goto failed; 5816 } 5817 /* if it is good, link it into the list of data */ 5818 /* if the link into list of data fails (malloc fail) cleanup and end */ 5819 if(!xfer_link_data(c->buffer, xfr)) { 5820 verbose(VERB_ALGO, "xfr stopped to %s, malloc failed", 5821 xfr->task_transfer->master->host); 5822 goto failed; 5823 } 5824 /* if the transfer is done now, disconnect and process the list */ 5825 if(transferdone) { 5826 comm_point_delete(xfr->task_transfer->cp); 5827 xfr->task_transfer->cp = NULL; 5828 process_list_end_transfer(xfr, env); 5829 return 0; 5830 } 5831 5832 /* if we want to read more messages, setup the commpoint to read 5833 * a DNS packet, and the timeout */ 5834 lock_basic_unlock(&xfr->lock); 5835 c->tcp_is_reading = 1; 5836 sldns_buffer_clear(c->buffer); 5837 comm_point_start_listening(c, -1, AUTH_TRANSFER_TIMEOUT); 5838 return 0; 5839} 5840 5841/** callback for task_transfer http connections */ 5842int 5843auth_xfer_transfer_http_callback(struct comm_point* c, void* arg, int err, 5844 struct comm_reply* repinfo) 5845{ 5846 struct auth_xfer* xfr = (struct auth_xfer*)arg; 5847 struct module_env* env; 5848 log_assert(xfr->task_transfer); 5849 lock_basic_lock(&xfr->lock); 5850 env = xfr->task_transfer->env; 5851 if(env->outnet->want_to_quit) { 5852 lock_basic_unlock(&xfr->lock); 5853 return 0; /* stop on quit */ 5854 } 5855 verbose(VERB_ALGO, "auth zone transfer http callback"); 5856 /* stop the timer */ 5857 comm_timer_disable(xfr->task_transfer->timer); 5858 5859 if(err != NETEVENT_NOERROR && err != NETEVENT_DONE) { 5860 /* connection failed, closed, or timeout */ 5861 /* stop this transfer, cleanup 5862 * and continue task_transfer*/ 5863 verbose(VERB_ALGO, "http stopped, connection lost to %s", 5864 xfr->task_transfer->master->host); 5865 failed: 5866 /* delete transferred data from list */ 5867 auth_chunks_delete(xfr->task_transfer); 5868 if(repinfo) repinfo->c = NULL; /* signal cp deleted to 5869 the routine calling this callback */ 5870 comm_point_delete(xfr->task_transfer->cp); 5871 xfr->task_transfer->cp = NULL; 5872 xfr_transfer_nextmaster(xfr); 5873 xfr_transfer_nexttarget_or_end(xfr, env); 5874 return 0; 5875 } 5876 5877 /* if it is good, link it into the list of data */ 5878 /* if the link into list of data fails (malloc fail) cleanup and end */ 5879 if(sldns_buffer_limit(c->buffer) > 0) { 5880 verbose(VERB_ALGO, "auth zone http queued up %d bytes", 5881 (int)sldns_buffer_limit(c->buffer)); 5882 if(!xfer_link_data(c->buffer, xfr)) { 5883 verbose(VERB_ALGO, "http stopped to %s, malloc failed", 5884 xfr->task_transfer->master->host); 5885 goto failed; 5886 } 5887 } 5888 /* if the transfer is done now, disconnect and process the list */ 5889 if(err == NETEVENT_DONE) { 5890 if(repinfo) repinfo->c = NULL; /* signal cp deleted to 5891 the routine calling this callback */ 5892 comm_point_delete(xfr->task_transfer->cp); 5893 xfr->task_transfer->cp = NULL; 5894 process_list_end_transfer(xfr, env); 5895 return 0; 5896 } 5897 5898 /* if we want to read more messages, setup the commpoint to read 5899 * a DNS packet, and the timeout */ 5900 lock_basic_unlock(&xfr->lock); 5901 c->tcp_is_reading = 1; 5902 sldns_buffer_clear(c->buffer); 5903 comm_point_start_listening(c, -1, AUTH_TRANSFER_TIMEOUT); 5904 return 0; 5905} 5906 5907 5908/** start transfer task by this worker , xfr is locked. */ 5909static void 5910xfr_start_transfer(struct auth_xfer* xfr, struct module_env* env, 5911 struct auth_master* master) 5912{ 5913 log_assert(xfr->task_transfer != NULL); 5914 log_assert(xfr->task_transfer->worker == NULL); 5915 log_assert(xfr->task_transfer->chunks_first == NULL); 5916 log_assert(xfr->task_transfer->chunks_last == NULL); 5917 xfr->task_transfer->worker = env->worker; 5918 xfr->task_transfer->env = env; 5919 5920 /* init transfer process */ 5921 /* find that master in the transfer's list of masters? */ 5922 xfr_transfer_start_list(xfr, master); 5923 /* start lookup for hostnames in transfer master list */ 5924 xfr_transfer_start_lookups(xfr); 5925 5926 /* initiate TCP, and set timeout on it */ 5927 xfr_transfer_nexttarget_or_end(xfr, env); 5928} 5929 5930/** disown task_probe. caller must hold xfr.lock */ 5931static void 5932xfr_probe_disown(struct auth_xfer* xfr) 5933{ 5934 /* remove timer (from this worker's event base) */ 5935 comm_timer_delete(xfr->task_probe->timer); 5936 xfr->task_probe->timer = NULL; 5937 /* remove the commpoint */ 5938 comm_point_delete(xfr->task_probe->cp); 5939 xfr->task_probe->cp = NULL; 5940 /* we don't own this item anymore */ 5941 xfr->task_probe->worker = NULL; 5942 xfr->task_probe->env = NULL; 5943} 5944 5945/** send the UDP probe to the master, this is part of task_probe */ 5946static int 5947xfr_probe_send_probe(struct auth_xfer* xfr, struct module_env* env, 5948 int timeout) 5949{ 5950 struct sockaddr_storage addr; 5951 socklen_t addrlen = 0; 5952 struct timeval t; 5953 /* pick master */ 5954 struct auth_master* master = xfr_probe_current_master(xfr); 5955 char *auth_name = NULL; 5956 if(!master) return 0; 5957 if(master->allow_notify) return 0; /* only for notify */ 5958 if(master->http) return 0; /* only masters get SOA UDP probe, 5959 not urls, if those are in this list */ 5960 5961 /* get master addr */ 5962 if(xfr->task_probe->scan_addr) { 5963 addrlen = xfr->task_probe->scan_addr->addrlen; 5964 memmove(&addr, &xfr->task_probe->scan_addr->addr, addrlen); 5965 } else { 5966 if(!authextstrtoaddr(master->host, &addr, &addrlen, &auth_name)) { 5967 /* the ones that are not in addr format are supposed 5968 * to be looked up. The lookup has failed however, 5969 * so skip them */ 5970 char zname[255+1]; 5971 dname_str(xfr->name, zname); 5972 log_err("%s: failed lookup, cannot probe to master %s", 5973 zname, master->host); 5974 return 0; 5975 } 5976 if (auth_name != NULL) { 5977 if (addr.ss_family == AF_INET 5978 && (int)ntohs(((struct sockaddr_in *)&addr)->sin_port) 5979 == env->cfg->ssl_port) 5980 ((struct sockaddr_in *)&addr)->sin_port 5981 = htons((uint16_t)env->cfg->port); 5982 else if (addr.ss_family == AF_INET6 5983 && (int)ntohs(((struct sockaddr_in6 *)&addr)->sin6_port) 5984 == env->cfg->ssl_port) 5985 ((struct sockaddr_in6 *)&addr)->sin6_port 5986 = htons((uint16_t)env->cfg->port); 5987 } 5988 } 5989 5990 /* create packet */ 5991 /* create new ID for new probes, but not on timeout retries, 5992 * this means we'll accept replies to previous retries to same ip */ 5993 if(timeout == AUTH_PROBE_TIMEOUT) 5994 xfr->task_probe->id = (uint16_t)(ub_random(env->rnd)&0xffff); 5995 xfr_create_soa_probe_packet(xfr, env->scratch_buffer, 5996 xfr->task_probe->id); 5997 /* we need to remove the cp if we have a different ip4/ip6 type now */ 5998 if(xfr->task_probe->cp && 5999 ((xfr->task_probe->cp_is_ip6 && !addr_is_ip6(&addr, addrlen)) || 6000 (!xfr->task_probe->cp_is_ip6 && addr_is_ip6(&addr, addrlen))) 6001 ) { 6002 comm_point_delete(xfr->task_probe->cp); 6003 xfr->task_probe->cp = NULL; 6004 } 6005 if(!xfr->task_probe->cp) { 6006 if(addr_is_ip6(&addr, addrlen)) 6007 xfr->task_probe->cp_is_ip6 = 1; 6008 else xfr->task_probe->cp_is_ip6 = 0; 6009 xfr->task_probe->cp = outnet_comm_point_for_udp(env->outnet, 6010 auth_xfer_probe_udp_callback, xfr, &addr, addrlen); 6011 if(!xfr->task_probe->cp) { 6012 char zname[255+1], as[256]; 6013 dname_str(xfr->name, zname); 6014 addr_to_str(&addr, addrlen, as, sizeof(as)); 6015 verbose(VERB_ALGO, "cannot create udp cp for " 6016 "probe %s to %s", zname, as); 6017 return 0; 6018 } 6019 } 6020 if(!xfr->task_probe->timer) { 6021 xfr->task_probe->timer = comm_timer_create(env->worker_base, 6022 auth_xfer_probe_timer_callback, xfr); 6023 if(!xfr->task_probe->timer) { 6024 log_err("malloc failure"); 6025 return 0; 6026 } 6027 } 6028 6029 /* send udp packet */ 6030 if(!comm_point_send_udp_msg(xfr->task_probe->cp, env->scratch_buffer, 6031 (struct sockaddr*)&addr, addrlen)) { 6032 char zname[255+1], as[256]; 6033 dname_str(xfr->name, zname); 6034 addr_to_str(&addr, addrlen, as, sizeof(as)); 6035 verbose(VERB_ALGO, "failed to send soa probe for %s to %s", 6036 zname, as); 6037 return 0; 6038 } 6039 if(verbosity >= VERB_ALGO) { 6040 char zname[255+1], as[256]; 6041 dname_str(xfr->name, zname); 6042 addr_to_str(&addr, addrlen, as, sizeof(as)); 6043 verbose(VERB_ALGO, "auth zone %s soa probe sent to %s", zname, 6044 as); 6045 } 6046 xfr->task_probe->timeout = timeout; 6047#ifndef S_SPLINT_S 6048 t.tv_sec = timeout/1000; 6049 t.tv_usec = (timeout%1000)*1000; 6050#endif 6051 comm_timer_set(xfr->task_probe->timer, &t); 6052 6053 return 1; 6054} 6055 6056/** callback for task_probe timer */ 6057void 6058auth_xfer_probe_timer_callback(void* arg) 6059{ 6060 struct auth_xfer* xfr = (struct auth_xfer*)arg; 6061 struct module_env* env; 6062 log_assert(xfr->task_probe); 6063 lock_basic_lock(&xfr->lock); 6064 env = xfr->task_probe->env; 6065 if(env->outnet->want_to_quit) { 6066 lock_basic_unlock(&xfr->lock); 6067 return; /* stop on quit */ 6068 } 6069 6070 if(verbosity >= VERB_ALGO) { 6071 char zname[255+1]; 6072 dname_str(xfr->name, zname); 6073 verbose(VERB_ALGO, "auth zone %s soa probe timeout", zname); 6074 } 6075 if(xfr->task_probe->timeout <= AUTH_PROBE_TIMEOUT_STOP) { 6076 /* try again with bigger timeout */ 6077 if(xfr_probe_send_probe(xfr, env, xfr->task_probe->timeout*2)) { 6078 lock_basic_unlock(&xfr->lock); 6079 return; 6080 } 6081 } 6082 /* delete commpoint so a new one is created, with a fresh port nr */ 6083 comm_point_delete(xfr->task_probe->cp); 6084 xfr->task_probe->cp = NULL; 6085 6086 /* too many timeouts (or fail to send), move to next or end */ 6087 xfr_probe_nextmaster(xfr); 6088 xfr_probe_send_or_end(xfr, env); 6089} 6090 6091/** callback for task_probe udp packets */ 6092int 6093auth_xfer_probe_udp_callback(struct comm_point* c, void* arg, int err, 6094 struct comm_reply* repinfo) 6095{ 6096 struct auth_xfer* xfr = (struct auth_xfer*)arg; 6097 struct module_env* env; 6098 log_assert(xfr->task_probe); 6099 lock_basic_lock(&xfr->lock); 6100 env = xfr->task_probe->env; 6101 if(env->outnet->want_to_quit) { 6102 lock_basic_unlock(&xfr->lock); 6103 return 0; /* stop on quit */ 6104 } 6105 6106 /* the comm_point_udp_callback is in a for loop for NUM_UDP_PER_SELECT 6107 * and we set rep.c=NULL to stop if from looking inside the commpoint*/ 6108 repinfo->c = NULL; 6109 /* stop the timer */ 6110 comm_timer_disable(xfr->task_probe->timer); 6111 6112 /* see if we got a packet and what that means */ 6113 if(err == NETEVENT_NOERROR) { 6114 uint32_t serial = 0; 6115 if(check_packet_ok(c->buffer, LDNS_RR_TYPE_SOA, xfr, 6116 &serial)) { 6117 /* successful lookup */ 6118 if(verbosity >= VERB_ALGO) { 6119 char buf[256]; 6120 dname_str(xfr->name, buf); 6121 verbose(VERB_ALGO, "auth zone %s: soa probe " 6122 "serial is %u", buf, (unsigned)serial); 6123 } 6124 /* see if this serial indicates that the zone has 6125 * to be updated */ 6126 if(xfr_serial_means_update(xfr, serial)) { 6127 /* if updated, start the transfer task, if needed */ 6128 verbose(VERB_ALGO, "auth_zone updated, start transfer"); 6129 if(xfr->task_transfer->worker == NULL) { 6130 struct auth_master* master = 6131 xfr_probe_current_master(xfr); 6132 /* if we have download URLs use them 6133 * in preference to this master we 6134 * just probed the SOA from */ 6135 if(xfr->task_transfer->masters && 6136 xfr->task_transfer->masters->http) 6137 master = NULL; 6138 xfr_probe_disown(xfr); 6139 xfr_start_transfer(xfr, env, master); 6140 return 0; 6141 6142 } 6143 /* other tasks are running, we don't do this anymore */ 6144 xfr_probe_disown(xfr); 6145 lock_basic_unlock(&xfr->lock); 6146 /* return, we don't sent a reply to this udp packet, 6147 * and we setup the tasks to do next */ 6148 return 0; 6149 } else { 6150 verbose(VERB_ALGO, "auth_zone master reports unchanged soa serial"); 6151 /* we if cannot find updates amongst the 6152 * masters, this means we then have a new lease 6153 * on the zone */ 6154 xfr->task_probe->have_new_lease = 1; 6155 } 6156 } else { 6157 if(verbosity >= VERB_ALGO) { 6158 char buf[256]; 6159 dname_str(xfr->name, buf); 6160 verbose(VERB_ALGO, "auth zone %s: bad reply to soa probe", buf); 6161 } 6162 } 6163 } else { 6164 if(verbosity >= VERB_ALGO) { 6165 char buf[256]; 6166 dname_str(xfr->name, buf); 6167 verbose(VERB_ALGO, "auth zone %s: soa probe failed", buf); 6168 } 6169 } 6170 6171 /* failed lookup or not an update */ 6172 /* delete commpoint so a new one is created, with a fresh port nr */ 6173 comm_point_delete(xfr->task_probe->cp); 6174 xfr->task_probe->cp = NULL; 6175 6176 /* if the result was not a successfull probe, we need 6177 * to send the next one */ 6178 xfr_probe_nextmaster(xfr); 6179 xfr_probe_send_or_end(xfr, env); 6180 return 0; 6181} 6182 6183/** lookup a host name for its addresses, if needed */ 6184static int 6185xfr_probe_lookup_host(struct auth_xfer* xfr, struct module_env* env) 6186{ 6187 struct sockaddr_storage addr; 6188 socklen_t addrlen = 0; 6189 struct auth_master* master = xfr->task_probe->lookup_target; 6190 struct query_info qinfo; 6191 uint16_t qflags = BIT_RD; 6192 uint8_t dname[LDNS_MAX_DOMAINLEN+1]; 6193 struct edns_data edns; 6194 sldns_buffer* buf = env->scratch_buffer; 6195 if(!master) return 0; 6196 if(extstrtoaddr(master->host, &addr, &addrlen)) { 6197 /* not needed, host is in IP addr format */ 6198 return 0; 6199 } 6200 if(master->allow_notify && !master->http && 6201 strchr(master->host, '/') != NULL && 6202 strchr(master->host, '/') == strrchr(master->host, '/')) { 6203 return 0; /* is IP/prefix format, not something to look up */ 6204 } 6205 6206 /* use mesh_new_callback to probe for non-addr hosts, 6207 * and then wait for them to be looked up (in cache, or query) */ 6208 qinfo.qname_len = sizeof(dname); 6209 if(sldns_str2wire_dname_buf(master->host, dname, &qinfo.qname_len) 6210 != 0) { 6211 log_err("cannot parse host name of master %s", master->host); 6212 return 0; 6213 } 6214 qinfo.qname = dname; 6215 qinfo.qclass = xfr->dclass; 6216 qinfo.qtype = LDNS_RR_TYPE_A; 6217 if(xfr->task_probe->lookup_aaaa) 6218 qinfo.qtype = LDNS_RR_TYPE_AAAA; 6219 qinfo.local_alias = NULL; 6220 if(verbosity >= VERB_ALGO) { 6221 char buf1[512]; 6222 char buf2[LDNS_MAX_DOMAINLEN+1]; 6223 dname_str(xfr->name, buf2); 6224 snprintf(buf1, sizeof(buf1), "auth zone %s: master lookup" 6225 " for task_probe", buf2); 6226 log_query_info(VERB_ALGO, buf1, &qinfo); 6227 } 6228 edns.edns_present = 1; 6229 edns.ext_rcode = 0; 6230 edns.edns_version = 0; 6231 edns.bits = EDNS_DO; 6232 edns.opt_list = NULL; 6233 if(sldns_buffer_capacity(buf) < 65535) 6234 edns.udp_size = (uint16_t)sldns_buffer_capacity(buf); 6235 else edns.udp_size = 65535; 6236 6237 /* unlock xfr during mesh_new_callback() because the callback can be 6238 * called straight away */ 6239 lock_basic_unlock(&xfr->lock); 6240 if(!mesh_new_callback(env->mesh, &qinfo, qflags, &edns, buf, 0, 6241 &auth_xfer_probe_lookup_callback, xfr)) { 6242 lock_basic_lock(&xfr->lock); 6243 log_err("out of memory lookup up master %s", master->host); 6244 return 0; 6245 } 6246 lock_basic_lock(&xfr->lock); 6247 return 1; 6248} 6249 6250/** move to sending the probe packets, next if fails. task_probe */ 6251static void 6252xfr_probe_send_or_end(struct auth_xfer* xfr, struct module_env* env) 6253{ 6254 /* are we doing hostname lookups? */ 6255 while(xfr->task_probe->lookup_target) { 6256 if(xfr_probe_lookup_host(xfr, env)) { 6257 /* wait for lookup to finish, 6258 * note that the hostname may be in unbound's cache 6259 * and we may then get an instant cache response, 6260 * and that calls the callback just like a full 6261 * lookup and lookup failures also call callback */ 6262 if(verbosity >= VERB_ALGO) { 6263 char zname[255+1]; 6264 dname_str(xfr->name, zname); 6265 verbose(VERB_ALGO, "auth zone %s probe next target lookup", zname); 6266 } 6267 lock_basic_unlock(&xfr->lock); 6268 return; 6269 } 6270 xfr_probe_move_to_next_lookup(xfr, env); 6271 } 6272 /* probe of list has ended. Create or refresh the list of of 6273 * allow_notify addrs */ 6274 probe_copy_masters_for_allow_notify(xfr); 6275 if(verbosity >= VERB_ALGO) { 6276 char zname[255+1]; 6277 dname_str(xfr->name, zname); 6278 verbose(VERB_ALGO, "auth zone %s probe: notify addrs updated", zname); 6279 } 6280 if(xfr->task_probe->only_lookup) { 6281 /* only wanted lookups for copy, stop probe and start wait */ 6282 xfr->task_probe->only_lookup = 0; 6283 if(verbosity >= VERB_ALGO) { 6284 char zname[255+1]; 6285 dname_str(xfr->name, zname); 6286 verbose(VERB_ALGO, "auth zone %s probe: finished only_lookup", zname); 6287 } 6288 xfr_probe_disown(xfr); 6289 if(xfr->task_nextprobe->worker == NULL) 6290 xfr_set_timeout(xfr, env, 0, 0); 6291 lock_basic_unlock(&xfr->lock); 6292 return; 6293 } 6294 6295 /* send probe packets */ 6296 while(!xfr_probe_end_of_list(xfr)) { 6297 if(xfr_probe_send_probe(xfr, env, AUTH_PROBE_TIMEOUT)) { 6298 /* successfully sent probe, wait for callback */ 6299 lock_basic_unlock(&xfr->lock); 6300 return; 6301 } 6302 /* failed to send probe, next master */ 6303 xfr_probe_nextmaster(xfr); 6304 } 6305 6306 /* done with probe sequence, wait */ 6307 if(xfr->task_probe->have_new_lease) { 6308 /* if zone not updated, start the wait timer again */ 6309 if(verbosity >= VERB_ALGO) { 6310 char zname[255+1]; 6311 dname_str(xfr->name, zname); 6312 verbose(VERB_ALGO, "auth_zone %s unchanged, new lease, wait", zname); 6313 } 6314 xfr_probe_disown(xfr); 6315 if(xfr->have_zone) 6316 xfr->lease_time = *env->now; 6317 if(xfr->task_nextprobe->worker == NULL) 6318 xfr_set_timeout(xfr, env, 0, 0); 6319 } else { 6320 if(verbosity >= VERB_ALGO) { 6321 char zname[255+1]; 6322 dname_str(xfr->name, zname); 6323 verbose(VERB_ALGO, "auth zone %s soa probe failed, wait to retry", zname); 6324 } 6325 /* we failed to send this as well, move to the wait task, 6326 * use the shorter retry timeout */ 6327 xfr_probe_disown(xfr); 6328 /* pick up the nextprobe task and wait */ 6329 if(xfr->task_nextprobe->worker == NULL) 6330 xfr_set_timeout(xfr, env, 1, 0); 6331 } 6332 6333 lock_basic_unlock(&xfr->lock); 6334} 6335 6336/** callback for task_probe lookup of host name, of A or AAAA */ 6337void auth_xfer_probe_lookup_callback(void* arg, int rcode, sldns_buffer* buf, 6338 enum sec_status ATTR_UNUSED(sec), char* ATTR_UNUSED(why_bogus), 6339 int ATTR_UNUSED(was_ratelimited)) 6340{ 6341 struct auth_xfer* xfr = (struct auth_xfer*)arg; 6342 struct module_env* env; 6343 log_assert(xfr->task_probe); 6344 lock_basic_lock(&xfr->lock); 6345 env = xfr->task_probe->env; 6346 if(env->outnet->want_to_quit) { 6347 lock_basic_unlock(&xfr->lock); 6348 return; /* stop on quit */ 6349 } 6350 6351 /* process result */ 6352 if(rcode == LDNS_RCODE_NOERROR) { 6353 uint16_t wanted_qtype = LDNS_RR_TYPE_A; 6354 struct regional* temp = env->scratch; 6355 struct query_info rq; 6356 struct reply_info* rep; 6357 if(xfr->task_probe->lookup_aaaa) 6358 wanted_qtype = LDNS_RR_TYPE_AAAA; 6359 memset(&rq, 0, sizeof(rq)); 6360 rep = parse_reply_in_temp_region(buf, temp, &rq); 6361 if(rep && rq.qtype == wanted_qtype && 6362 FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NOERROR) { 6363 /* parsed successfully */ 6364 struct ub_packed_rrset_key* answer = 6365 reply_find_answer_rrset(&rq, rep); 6366 if(answer) { 6367 xfr_master_add_addrs(xfr->task_probe-> 6368 lookup_target, answer, wanted_qtype); 6369 } else { 6370 if(verbosity >= VERB_ALGO) { 6371 char zname[255+1]; 6372 dname_str(xfr->name, zname); 6373 verbose(VERB_ALGO, "auth zone %s host %s type %s probe lookup has nodata", zname, xfr->task_probe->lookup_target->host, (xfr->task_probe->lookup_aaaa?"AAAA":"A")); 6374 } 6375 } 6376 } else { 6377 if(verbosity >= VERB_ALGO) { 6378 char zname[255+1]; 6379 dname_str(xfr->name, zname); 6380 verbose(VERB_ALGO, "auth zone %s host %s type %s probe lookup has no address", zname, xfr->task_probe->lookup_target->host, (xfr->task_probe->lookup_aaaa?"AAAA":"A")); 6381 } 6382 } 6383 } else { 6384 if(verbosity >= VERB_ALGO) { 6385 char zname[255+1]; 6386 dname_str(xfr->name, zname); 6387 verbose(VERB_ALGO, "auth zone %s host %s type %s probe lookup failed", zname, xfr->task_probe->lookup_target->host, (xfr->task_probe->lookup_aaaa?"AAAA":"A")); 6388 } 6389 } 6390 if(xfr->task_probe->lookup_target->list && 6391 xfr->task_probe->lookup_target == xfr_probe_current_master(xfr)) 6392 xfr->task_probe->scan_addr = xfr->task_probe->lookup_target->list; 6393 6394 /* move to lookup AAAA after A lookup, move to next hostname lookup, 6395 * or move to send the probes, or, if nothing to do, end task_probe */ 6396 xfr_probe_move_to_next_lookup(xfr, env); 6397 xfr_probe_send_or_end(xfr, env); 6398} 6399 6400/** disown task_nextprobe. caller must hold xfr.lock */ 6401static void 6402xfr_nextprobe_disown(struct auth_xfer* xfr) 6403{ 6404 /* delete the timer, because the next worker to pick this up may 6405 * not have the same event base */ 6406 comm_timer_delete(xfr->task_nextprobe->timer); 6407 xfr->task_nextprobe->timer = NULL; 6408 xfr->task_nextprobe->next_probe = 0; 6409 /* we don't own this item anymore */ 6410 xfr->task_nextprobe->worker = NULL; 6411 xfr->task_nextprobe->env = NULL; 6412} 6413 6414/** xfer nextprobe timeout callback, this is part of task_nextprobe */ 6415void 6416auth_xfer_timer(void* arg) 6417{ 6418 struct auth_xfer* xfr = (struct auth_xfer*)arg; 6419 struct module_env* env; 6420 log_assert(xfr->task_nextprobe); 6421 lock_basic_lock(&xfr->lock); 6422 env = xfr->task_nextprobe->env; 6423 if(env->outnet->want_to_quit) { 6424 lock_basic_unlock(&xfr->lock); 6425 return; /* stop on quit */ 6426 } 6427 6428 /* see if zone has expired, and if so, also set auth_zone expired */ 6429 if(xfr->have_zone && !xfr->zone_expired && 6430 *env->now >= xfr->lease_time + xfr->expiry) { 6431 lock_basic_unlock(&xfr->lock); 6432 auth_xfer_set_expired(xfr, env, 1); 6433 lock_basic_lock(&xfr->lock); 6434 } 6435 6436 xfr_nextprobe_disown(xfr); 6437 6438 if(!xfr_start_probe(xfr, env, NULL)) { 6439 /* not started because already in progress */ 6440 lock_basic_unlock(&xfr->lock); 6441 } 6442} 6443 6444/** return true if there are probe (SOA UDP query) targets in the master list*/ 6445static int 6446have_probe_targets(struct auth_master* list) 6447{ 6448 struct auth_master* p; 6449 for(p=list; p; p = p->next) { 6450 if(!p->allow_notify && p->host) 6451 return 1; 6452 } 6453 return 0; 6454} 6455 6456/** start task_probe if possible, if no masters for probe start task_transfer 6457 * returns true if task has been started, and false if the task is already 6458 * in progress. */ 6459static int 6460xfr_start_probe(struct auth_xfer* xfr, struct module_env* env, 6461 struct auth_master* spec) 6462{ 6463 /* see if we need to start a probe (or maybe it is already in 6464 * progress (due to notify)) */ 6465 if(xfr->task_probe->worker == NULL) { 6466 if(!have_probe_targets(xfr->task_probe->masters) && 6467 !(xfr->task_probe->only_lookup && 6468 xfr->task_probe->masters != NULL)) { 6469 /* useless to pick up task_probe, no masters to 6470 * probe. Instead attempt to pick up task transfer */ 6471 if(xfr->task_transfer->worker == NULL) { 6472 xfr_start_transfer(xfr, env, spec); 6473 return 1; 6474 } 6475 /* task transfer already in progress */ 6476 return 0; 6477 } 6478 6479 /* pick up the probe task ourselves */ 6480 xfr->task_probe->worker = env->worker; 6481 xfr->task_probe->env = env; 6482 xfr->task_probe->cp = NULL; 6483 6484 /* start the task */ 6485 /* have not seen a new lease yet, this scan */ 6486 xfr->task_probe->have_new_lease = 0; 6487 /* if this was a timeout, no specific first master to scan */ 6488 /* otherwise, spec is nonNULL the notified master, scan 6489 * first and also transfer first from it */ 6490 xfr_probe_start_list(xfr, spec); 6491 /* setup to start the lookup of hostnames of masters afresh */ 6492 xfr_probe_start_lookups(xfr); 6493 /* send the probe packet or next send, or end task */ 6494 xfr_probe_send_or_end(xfr, env); 6495 return 1; 6496 } 6497 return 0; 6498} 6499 6500/** for task_nextprobe. 6501 * determine next timeout for auth_xfer. Also (re)sets timer. 6502 * @param xfr: task structure 6503 * @param env: module environment, with worker and time. 6504 * @param failure: set true if timer should be set for failure retry. 6505 * @param lookup_only: only perform lookups when timer done, 0 sec timeout 6506 */ 6507static void 6508xfr_set_timeout(struct auth_xfer* xfr, struct module_env* env, 6509 int failure, int lookup_only) 6510{ 6511 struct timeval tv; 6512 log_assert(xfr->task_nextprobe != NULL); 6513 log_assert(xfr->task_nextprobe->worker == NULL || 6514 xfr->task_nextprobe->worker == env->worker); 6515 /* normally, nextprobe = startoflease + refresh, 6516 * but if expiry is sooner, use that one. 6517 * after a failure, use the retry timer instead. */ 6518 xfr->task_nextprobe->next_probe = *env->now; 6519 if(xfr->lease_time && !failure) 6520 xfr->task_nextprobe->next_probe = xfr->lease_time; 6521 6522 if(!failure) { 6523 xfr->task_nextprobe->backoff = 0; 6524 } else { 6525 if(xfr->task_nextprobe->backoff == 0) 6526 xfr->task_nextprobe->backoff = 3; 6527 else xfr->task_nextprobe->backoff *= 2; 6528 if(xfr->task_nextprobe->backoff > AUTH_TRANSFER_MAX_BACKOFF) 6529 xfr->task_nextprobe->backoff = 6530 AUTH_TRANSFER_MAX_BACKOFF; 6531 } 6532 6533 if(xfr->have_zone) { 6534 time_t wait = xfr->refresh; 6535 if(failure) wait = xfr->retry; 6536 if(xfr->expiry < wait) 6537 xfr->task_nextprobe->next_probe += xfr->expiry; 6538 else xfr->task_nextprobe->next_probe += wait; 6539 if(failure) 6540 xfr->task_nextprobe->next_probe += 6541 xfr->task_nextprobe->backoff; 6542 /* put the timer exactly on expiry, if possible */ 6543 if(xfr->lease_time && xfr->lease_time+xfr->expiry < 6544 xfr->task_nextprobe->next_probe && 6545 xfr->lease_time+xfr->expiry > *env->now) 6546 xfr->task_nextprobe->next_probe = 6547 xfr->lease_time+xfr->expiry; 6548 } else { 6549 xfr->task_nextprobe->next_probe += 6550 xfr->task_nextprobe->backoff; 6551 } 6552 6553 if(!xfr->task_nextprobe->timer) { 6554 xfr->task_nextprobe->timer = comm_timer_create( 6555 env->worker_base, auth_xfer_timer, xfr); 6556 if(!xfr->task_nextprobe->timer) { 6557 /* failed to malloc memory. likely zone transfer 6558 * also fails for that. skip the timeout */ 6559 char zname[255+1]; 6560 dname_str(xfr->name, zname); 6561 log_err("cannot allocate timer, no refresh for %s", 6562 zname); 6563 return; 6564 } 6565 } 6566 xfr->task_nextprobe->worker = env->worker; 6567 xfr->task_nextprobe->env = env; 6568 if(*(xfr->task_nextprobe->env->now) <= xfr->task_nextprobe->next_probe) 6569 tv.tv_sec = xfr->task_nextprobe->next_probe - 6570 *(xfr->task_nextprobe->env->now); 6571 else tv.tv_sec = 0; 6572 if(tv.tv_sec != 0 && lookup_only && xfr->task_probe->masters) { 6573 /* don't lookup_only, if lookup timeout is 0 anyway, 6574 * or if we don't have masters to lookup */ 6575 tv.tv_sec = 0; 6576 if(xfr->task_probe->worker == NULL) 6577 xfr->task_probe->only_lookup = 1; 6578 } 6579 if(verbosity >= VERB_ALGO) { 6580 char zname[255+1]; 6581 dname_str(xfr->name, zname); 6582 verbose(VERB_ALGO, "auth zone %s timeout in %d seconds", 6583 zname, (int)tv.tv_sec); 6584 } 6585 tv.tv_usec = 0; 6586 comm_timer_set(xfr->task_nextprobe->timer, &tv); 6587} 6588 6589/** initial pick up of worker timeouts, ties events to worker event loop */ 6590void 6591auth_xfer_pickup_initial(struct auth_zones* az, struct module_env* env) 6592{ 6593 struct auth_xfer* x; 6594 lock_rw_wrlock(&az->lock); 6595 RBTREE_FOR(x, struct auth_xfer*, &az->xtree) { 6596 lock_basic_lock(&x->lock); 6597 /* set lease_time, because we now have timestamp in env, 6598 * (not earlier during startup and apply_cfg), and this 6599 * notes the start time when the data was acquired */ 6600 if(x->have_zone) 6601 x->lease_time = *env->now; 6602 if(x->task_nextprobe && x->task_nextprobe->worker == NULL) { 6603 xfr_set_timeout(x, env, 0, 1); 6604 } 6605 lock_basic_unlock(&x->lock); 6606 } 6607 lock_rw_unlock(&az->lock); 6608} 6609 6610void auth_zones_cleanup(struct auth_zones* az) 6611{ 6612 struct auth_xfer* x; 6613 lock_rw_wrlock(&az->lock); 6614 RBTREE_FOR(x, struct auth_xfer*, &az->xtree) { 6615 lock_basic_lock(&x->lock); 6616 if(x->task_nextprobe && x->task_nextprobe->worker != NULL) { 6617 xfr_nextprobe_disown(x); 6618 } 6619 if(x->task_probe && x->task_probe->worker != NULL) { 6620 xfr_probe_disown(x); 6621 } 6622 if(x->task_transfer && x->task_transfer->worker != NULL) { 6623 auth_chunks_delete(x->task_transfer); 6624 xfr_transfer_disown(x); 6625 } 6626 lock_basic_unlock(&x->lock); 6627 } 6628 lock_rw_unlock(&az->lock); 6629} 6630 6631/** 6632 * malloc the xfer and tasks 6633 * @param z: auth_zone with name of zone. 6634 */ 6635static struct auth_xfer* 6636auth_xfer_new(struct auth_zone* z) 6637{ 6638 struct auth_xfer* xfr; 6639 xfr = (struct auth_xfer*)calloc(1, sizeof(*xfr)); 6640 if(!xfr) return NULL; 6641 xfr->name = memdup(z->name, z->namelen); 6642 if(!xfr->name) { 6643 free(xfr); 6644 return NULL; 6645 } 6646 xfr->node.key = xfr; 6647 xfr->namelen = z->namelen; 6648 xfr->namelabs = z->namelabs; 6649 xfr->dclass = z->dclass; 6650 6651 xfr->task_nextprobe = (struct auth_nextprobe*)calloc(1, 6652 sizeof(struct auth_nextprobe)); 6653 if(!xfr->task_nextprobe) { 6654 free(xfr->name); 6655 free(xfr); 6656 return NULL; 6657 } 6658 xfr->task_probe = (struct auth_probe*)calloc(1, 6659 sizeof(struct auth_probe)); 6660 if(!xfr->task_probe) { 6661 free(xfr->task_nextprobe); 6662 free(xfr->name); 6663 free(xfr); 6664 return NULL; 6665 } 6666 xfr->task_transfer = (struct auth_transfer*)calloc(1, 6667 sizeof(struct auth_transfer)); 6668 if(!xfr->task_transfer) { 6669 free(xfr->task_probe); 6670 free(xfr->task_nextprobe); 6671 free(xfr->name); 6672 free(xfr); 6673 return NULL; 6674 } 6675 6676 lock_basic_init(&xfr->lock); 6677 lock_protect(&xfr->lock, &xfr->name, sizeof(xfr->name)); 6678 lock_protect(&xfr->lock, &xfr->namelen, sizeof(xfr->namelen)); 6679 lock_protect(&xfr->lock, xfr->name, xfr->namelen); 6680 lock_protect(&xfr->lock, &xfr->namelabs, sizeof(xfr->namelabs)); 6681 lock_protect(&xfr->lock, &xfr->dclass, sizeof(xfr->dclass)); 6682 lock_protect(&xfr->lock, &xfr->notify_received, sizeof(xfr->notify_received)); 6683 lock_protect(&xfr->lock, &xfr->notify_serial, sizeof(xfr->notify_serial)); 6684 lock_protect(&xfr->lock, &xfr->zone_expired, sizeof(xfr->zone_expired)); 6685 lock_protect(&xfr->lock, &xfr->have_zone, sizeof(xfr->have_zone)); 6686 lock_protect(&xfr->lock, &xfr->serial, sizeof(xfr->serial)); 6687 lock_protect(&xfr->lock, &xfr->retry, sizeof(xfr->retry)); 6688 lock_protect(&xfr->lock, &xfr->refresh, sizeof(xfr->refresh)); 6689 lock_protect(&xfr->lock, &xfr->expiry, sizeof(xfr->expiry)); 6690 lock_protect(&xfr->lock, &xfr->lease_time, sizeof(xfr->lease_time)); 6691 lock_protect(&xfr->lock, &xfr->task_nextprobe->worker, 6692 sizeof(xfr->task_nextprobe->worker)); 6693 lock_protect(&xfr->lock, &xfr->task_probe->worker, 6694 sizeof(xfr->task_probe->worker)); 6695 lock_protect(&xfr->lock, &xfr->task_transfer->worker, 6696 sizeof(xfr->task_transfer->worker)); 6697 lock_basic_lock(&xfr->lock); 6698 return xfr; 6699} 6700 6701/** Create auth_xfer structure. 6702 * This populates the have_zone, soa values, and so on times. 6703 * and sets the timeout, if a zone transfer is needed a short timeout is set. 6704 * For that the auth_zone itself must exist (and read in zonefile) 6705 * returns false on alloc failure. */ 6706struct auth_xfer* 6707auth_xfer_create(struct auth_zones* az, struct auth_zone* z) 6708{ 6709 struct auth_xfer* xfr; 6710 6711 /* malloc it */ 6712 xfr = auth_xfer_new(z); 6713 if(!xfr) { 6714 log_err("malloc failure"); 6715 return NULL; 6716 } 6717 /* insert in tree */ 6718 (void)rbtree_insert(&az->xtree, &xfr->node); 6719 return xfr; 6720} 6721 6722/** create new auth_master structure */ 6723static struct auth_master* 6724auth_master_new(struct auth_master*** list) 6725{ 6726 struct auth_master *m; 6727 m = (struct auth_master*)calloc(1, sizeof(*m)); 6728 if(!m) { 6729 log_err("malloc failure"); 6730 return NULL; 6731 } 6732 /* set first pointer to m, or next pointer of previous element to m */ 6733 (**list) = m; 6734 /* store m's next pointer as future point to store at */ 6735 (*list) = &(m->next); 6736 return m; 6737} 6738 6739/** dup_prefix : create string from initial part of other string, malloced */ 6740static char* 6741dup_prefix(char* str, size_t num) 6742{ 6743 char* result; 6744 size_t len = strlen(str); 6745 if(len < num) num = len; /* not more than strlen */ 6746 result = (char*)malloc(num+1); 6747 if(!result) { 6748 log_err("malloc failure"); 6749 return result; 6750 } 6751 memmove(result, str, num); 6752 result[num] = 0; 6753 return result; 6754} 6755 6756/** dup string and print error on error */ 6757static char* 6758dup_all(char* str) 6759{ 6760 char* result = strdup(str); 6761 if(!result) { 6762 log_err("malloc failure"); 6763 return NULL; 6764 } 6765 return result; 6766} 6767 6768/** find first of two characters */ 6769static char* 6770str_find_first_of_chars(char* s, char a, char b) 6771{ 6772 char* ra = strchr(s, a); 6773 char* rb = strchr(s, b); 6774 if(!ra) return rb; 6775 if(!rb) return ra; 6776 if(ra < rb) return ra; 6777 return rb; 6778} 6779 6780/** parse URL into host and file parts, false on malloc or parse error */ 6781static int 6782parse_url(char* url, char** host, char** file, int* port, int* ssl) 6783{ 6784 char* p = url; 6785 /* parse http://www.example.com/file.htm 6786 * or http://127.0.0.1 (index.html) 6787 * or https://[::1@1234]/a/b/c/d */ 6788 *ssl = 1; 6789 *port = AUTH_HTTPS_PORT; 6790 6791 /* parse http:// or https:// */ 6792 if(strncmp(p, "http://", 7) == 0) { 6793 p += 7; 6794 *ssl = 0; 6795 *port = AUTH_HTTP_PORT; 6796 } else if(strncmp(p, "https://", 8) == 0) { 6797 p += 8; 6798 } else if(strstr(p, "://") && strchr(p, '/') > strstr(p, "://") && 6799 strchr(p, ':') >= strstr(p, "://")) { 6800 char* uri = dup_prefix(p, (size_t)(strstr(p, "://")-p)); 6801 log_err("protocol %s:// not supported (for url %s)", 6802 uri?uri:"", p); 6803 free(uri); 6804 return 0; 6805 } 6806 6807 /* parse hostname part */ 6808 if(p[0] == '[') { 6809 char* end = strchr(p, ']'); 6810 p++; /* skip over [ */ 6811 if(end) { 6812 *host = dup_prefix(p, (size_t)(end-p)); 6813 if(!*host) return 0; 6814 p = end+1; /* skip over ] */ 6815 } else { 6816 *host = dup_all(p); 6817 if(!*host) return 0; 6818 p = end; 6819 } 6820 } else { 6821 char* end = str_find_first_of_chars(p, ':', '/'); 6822 if(end) { 6823 *host = dup_prefix(p, (size_t)(end-p)); 6824 if(!*host) return 0; 6825 } else { 6826 *host = dup_all(p); 6827 if(!*host) return 0; 6828 } 6829 p = end; /* at next : or / or NULL */ 6830 } 6831 6832 /* parse port number */ 6833 if(p && p[0] == ':') { 6834 char* end = NULL; 6835 *port = strtol(p+1, &end, 10); 6836 p = end; 6837 } 6838 6839 /* parse filename part */ 6840 while(p && *p == '/') 6841 p++; 6842 if(!p || p[0] == 0) 6843 *file = strdup("index.html"); 6844 else *file = strdup(p); 6845 if(!*file) { 6846 log_err("malloc failure"); 6847 return 0; 6848 } 6849 return 1; 6850} 6851 6852int 6853xfer_set_masters(struct auth_master** list, struct config_auth* c, 6854 int with_http) 6855{ 6856 struct auth_master* m; 6857 struct config_strlist* p; 6858 /* list points to the first, or next pointer for the new element */ 6859 while(*list) { 6860 list = &( (*list)->next ); 6861 } 6862 if(with_http) 6863 for(p = c->urls; p; p = p->next) { 6864 m = auth_master_new(&list); 6865 m->http = 1; 6866 if(!parse_url(p->str, &m->host, &m->file, &m->port, &m->ssl)) 6867 return 0; 6868 } 6869 for(p = c->masters; p; p = p->next) { 6870 m = auth_master_new(&list); 6871 m->ixfr = 1; /* this flag is not configurable */ 6872 m->host = strdup(p->str); 6873 if(!m->host) { 6874 log_err("malloc failure"); 6875 return 0; 6876 } 6877 } 6878 for(p = c->allow_notify; p; p = p->next) { 6879 m = auth_master_new(&list); 6880 m->allow_notify = 1; 6881 m->host = strdup(p->str); 6882 if(!m->host) { 6883 log_err("malloc failure"); 6884 return 0; 6885 } 6886 } 6887 return 1; 6888} 6889 6890#define SERIAL_BITS 32 6891int 6892compare_serial(uint32_t a, uint32_t b) 6893{ 6894 const uint32_t cutoff = ((uint32_t) 1 << (SERIAL_BITS - 1)); 6895 6896 if (a == b) { 6897 return 0; 6898 } else if ((a < b && b - a < cutoff) || (a > b && a - b > cutoff)) { 6899 return -1; 6900 } else { 6901 return 1; 6902 } 6903} 6904