authzone.c revision 368693
1/* 2 * services/authzone.c - authoritative zone that is locally hosted. 3 * 4 * Copyright (c) 2017, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * Redistributions of source code must retain the above copyright notice, 13 * this list of conditions and the following disclaimer. 14 * 15 * Redistributions in binary form must reproduce the above copyright notice, 16 * this list of conditions and the following disclaimer in the documentation 17 * and/or other materials provided with the distribution. 18 * 19 * Neither the name of the NLNET LABS nor the names of its contributors may 20 * be used to endorse or promote products derived from this software without 21 * specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36/** 37 * \file 38 * 39 * This file contains the functions for an authority zone. This zone 40 * is queried by the iterator, just like a stub or forward zone, but then 41 * the data is locally held. 42 */ 43 44#include "config.h" 45#include "services/authzone.h" 46#include "util/data/dname.h" 47#include "util/data/msgparse.h" 48#include "util/data/msgreply.h" 49#include "util/data/msgencode.h" 50#include "util/data/packed_rrset.h" 51#include "util/regional.h" 52#include "util/net_help.h" 53#include "util/netevent.h" 54#include "util/config_file.h" 55#include "util/log.h" 56#include "util/module.h" 57#include "util/random.h" 58#include "services/cache/dns.h" 59#include "services/outside_network.h" 60#include "services/listen_dnsport.h" 61#include "services/mesh.h" 62#include "sldns/rrdef.h" 63#include "sldns/pkthdr.h" 64#include "sldns/sbuffer.h" 65#include "sldns/str2wire.h" 66#include "sldns/wire2str.h" 67#include "sldns/parseutil.h" 68#include "sldns/keyraw.h" 69#include "validator/val_nsec3.h" 70#include "validator/val_secalgo.h" 71#include <ctype.h> 72 73/** bytes to use for NSEC3 hash buffer. 20 for sha1 */ 74#define N3HASHBUFLEN 32 75/** max number of CNAMEs we are willing to follow (in one answer) */ 76#define MAX_CNAME_CHAIN 8 77/** timeout for probe packets for SOA */ 78#define AUTH_PROBE_TIMEOUT 100 /* msec */ 79/** when to stop with SOA probes (when exponential timeouts exceed this) */ 80#define AUTH_PROBE_TIMEOUT_STOP 1000 /* msec */ 81/* auth transfer timeout for TCP connections, in msec */ 82#define AUTH_TRANSFER_TIMEOUT 10000 /* msec */ 83/* auth transfer max backoff for failed tranfers and probes */ 84#define AUTH_TRANSFER_MAX_BACKOFF 86400 /* sec */ 85/* auth http port number */ 86#define AUTH_HTTP_PORT 80 87/* auth https port number */ 88#define AUTH_HTTPS_PORT 443 89/* max depth for nested $INCLUDEs */ 90#define MAX_INCLUDE_DEPTH 10 91/** number of timeouts before we fallback from IXFR to AXFR, 92 * because some versions of servers (eg. dnsmasq) drop IXFR packets. */ 93#define NUM_TIMEOUTS_FALLBACK_IXFR 3 94 95/** pick up nextprobe task to start waiting to perform transfer actions */ 96static void xfr_set_timeout(struct auth_xfer* xfr, struct module_env* env, 97 int failure, int lookup_only); 98/** move to sending the probe packets, next if fails. task_probe */ 99static void xfr_probe_send_or_end(struct auth_xfer* xfr, 100 struct module_env* env); 101/** pick up probe task with specified(or NULL) destination first, 102 * or transfer task if nothing to probe, or false if already in progress */ 103static int xfr_start_probe(struct auth_xfer* xfr, struct module_env* env, 104 struct auth_master* spec); 105/** delete xfer structure (not its tree entry) */ 106static void auth_xfer_delete(struct auth_xfer* xfr); 107 108/** create new dns_msg */ 109static struct dns_msg* 110msg_create(struct regional* region, struct query_info* qinfo) 111{ 112 struct dns_msg* msg = (struct dns_msg*)regional_alloc(region, 113 sizeof(struct dns_msg)); 114 if(!msg) 115 return NULL; 116 msg->qinfo.qname = regional_alloc_init(region, qinfo->qname, 117 qinfo->qname_len); 118 if(!msg->qinfo.qname) 119 return NULL; 120 msg->qinfo.qname_len = qinfo->qname_len; 121 msg->qinfo.qtype = qinfo->qtype; 122 msg->qinfo.qclass = qinfo->qclass; 123 msg->qinfo.local_alias = NULL; 124 /* non-packed reply_info, because it needs to grow the array */ 125 msg->rep = (struct reply_info*)regional_alloc_zero(region, 126 sizeof(struct reply_info)-sizeof(struct rrset_ref)); 127 if(!msg->rep) 128 return NULL; 129 msg->rep->flags = (uint16_t)(BIT_QR | BIT_AA); 130 msg->rep->authoritative = 1; 131 msg->rep->qdcount = 1; 132 /* rrsets is NULL, no rrsets yet */ 133 return msg; 134} 135 136/** grow rrset array by one in msg */ 137static int 138msg_grow_array(struct regional* region, struct dns_msg* msg) 139{ 140 if(msg->rep->rrsets == NULL) { 141 msg->rep->rrsets = regional_alloc_zero(region, 142 sizeof(struct ub_packed_rrset_key*)*(msg->rep->rrset_count+1)); 143 if(!msg->rep->rrsets) 144 return 0; 145 } else { 146 struct ub_packed_rrset_key** rrsets_old = msg->rep->rrsets; 147 msg->rep->rrsets = regional_alloc_zero(region, 148 sizeof(struct ub_packed_rrset_key*)*(msg->rep->rrset_count+1)); 149 if(!msg->rep->rrsets) 150 return 0; 151 memmove(msg->rep->rrsets, rrsets_old, 152 sizeof(struct ub_packed_rrset_key*)*msg->rep->rrset_count); 153 } 154 return 1; 155} 156 157/** get ttl of rrset */ 158static time_t 159get_rrset_ttl(struct ub_packed_rrset_key* k) 160{ 161 struct packed_rrset_data* d = (struct packed_rrset_data*) 162 k->entry.data; 163 return d->ttl; 164} 165 166/** Copy rrset into region from domain-datanode and packet rrset */ 167static struct ub_packed_rrset_key* 168auth_packed_rrset_copy_region(struct auth_zone* z, struct auth_data* node, 169 struct auth_rrset* rrset, struct regional* region, time_t adjust) 170{ 171 struct ub_packed_rrset_key key; 172 memset(&key, 0, sizeof(key)); 173 key.entry.key = &key; 174 key.entry.data = rrset->data; 175 key.rk.dname = node->name; 176 key.rk.dname_len = node->namelen; 177 key.rk.type = htons(rrset->type); 178 key.rk.rrset_class = htons(z->dclass); 179 key.entry.hash = rrset_key_hash(&key.rk); 180 return packed_rrset_copy_region(&key, region, adjust); 181} 182 183/** fix up msg->rep TTL and prefetch ttl */ 184static void 185msg_ttl(struct dns_msg* msg) 186{ 187 if(msg->rep->rrset_count == 0) return; 188 if(msg->rep->rrset_count == 1) { 189 msg->rep->ttl = get_rrset_ttl(msg->rep->rrsets[0]); 190 msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(msg->rep->ttl); 191 msg->rep->serve_expired_ttl = msg->rep->ttl + SERVE_EXPIRED_TTL; 192 } else if(get_rrset_ttl(msg->rep->rrsets[msg->rep->rrset_count-1]) < 193 msg->rep->ttl) { 194 msg->rep->ttl = get_rrset_ttl(msg->rep->rrsets[ 195 msg->rep->rrset_count-1]); 196 msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(msg->rep->ttl); 197 msg->rep->serve_expired_ttl = msg->rep->ttl + SERVE_EXPIRED_TTL; 198 } 199} 200 201/** see if rrset is a duplicate in the answer message */ 202static int 203msg_rrset_duplicate(struct dns_msg* msg, uint8_t* nm, size_t nmlen, 204 uint16_t type, uint16_t dclass) 205{ 206 size_t i; 207 for(i=0; i<msg->rep->rrset_count; i++) { 208 struct ub_packed_rrset_key* k = msg->rep->rrsets[i]; 209 if(ntohs(k->rk.type) == type && k->rk.dname_len == nmlen && 210 ntohs(k->rk.rrset_class) == dclass && 211 query_dname_compare(k->rk.dname, nm) == 0) 212 return 1; 213 } 214 return 0; 215} 216 217/** add rrset to answer section (no auth, add rrsets yet) */ 218static int 219msg_add_rrset_an(struct auth_zone* z, struct regional* region, 220 struct dns_msg* msg, struct auth_data* node, struct auth_rrset* rrset) 221{ 222 log_assert(msg->rep->ns_numrrsets == 0); 223 log_assert(msg->rep->ar_numrrsets == 0); 224 if(!rrset || !node) 225 return 1; 226 if(msg_rrset_duplicate(msg, node->name, node->namelen, rrset->type, 227 z->dclass)) 228 return 1; 229 /* grow array */ 230 if(!msg_grow_array(region, msg)) 231 return 0; 232 /* copy it */ 233 if(!(msg->rep->rrsets[msg->rep->rrset_count] = 234 auth_packed_rrset_copy_region(z, node, rrset, region, 0))) 235 return 0; 236 msg->rep->rrset_count++; 237 msg->rep->an_numrrsets++; 238 msg_ttl(msg); 239 return 1; 240} 241 242/** add rrset to authority section (no additonal section rrsets yet) */ 243static int 244msg_add_rrset_ns(struct auth_zone* z, struct regional* region, 245 struct dns_msg* msg, struct auth_data* node, struct auth_rrset* rrset) 246{ 247 log_assert(msg->rep->ar_numrrsets == 0); 248 if(!rrset || !node) 249 return 1; 250 if(msg_rrset_duplicate(msg, node->name, node->namelen, rrset->type, 251 z->dclass)) 252 return 1; 253 /* grow array */ 254 if(!msg_grow_array(region, msg)) 255 return 0; 256 /* copy it */ 257 if(!(msg->rep->rrsets[msg->rep->rrset_count] = 258 auth_packed_rrset_copy_region(z, node, rrset, region, 0))) 259 return 0; 260 msg->rep->rrset_count++; 261 msg->rep->ns_numrrsets++; 262 msg_ttl(msg); 263 return 1; 264} 265 266/** add rrset to additional section */ 267static int 268msg_add_rrset_ar(struct auth_zone* z, struct regional* region, 269 struct dns_msg* msg, struct auth_data* node, struct auth_rrset* rrset) 270{ 271 if(!rrset || !node) 272 return 1; 273 if(msg_rrset_duplicate(msg, node->name, node->namelen, rrset->type, 274 z->dclass)) 275 return 1; 276 /* grow array */ 277 if(!msg_grow_array(region, msg)) 278 return 0; 279 /* copy it */ 280 if(!(msg->rep->rrsets[msg->rep->rrset_count] = 281 auth_packed_rrset_copy_region(z, node, rrset, region, 0))) 282 return 0; 283 msg->rep->rrset_count++; 284 msg->rep->ar_numrrsets++; 285 msg_ttl(msg); 286 return 1; 287} 288 289struct auth_zones* auth_zones_create(void) 290{ 291 struct auth_zones* az = (struct auth_zones*)calloc(1, sizeof(*az)); 292 if(!az) { 293 log_err("out of memory"); 294 return NULL; 295 } 296 rbtree_init(&az->ztree, &auth_zone_cmp); 297 rbtree_init(&az->xtree, &auth_xfer_cmp); 298 lock_rw_init(&az->lock); 299 lock_protect(&az->lock, &az->ztree, sizeof(az->ztree)); 300 lock_protect(&az->lock, &az->xtree, sizeof(az->xtree)); 301 /* also lock protects the rbnode's in struct auth_zone, auth_xfer */ 302 lock_rw_init(&az->rpz_lock); 303 lock_protect(&az->rpz_lock, &az->rpz_first, sizeof(az->rpz_first)); 304 return az; 305} 306 307int auth_zone_cmp(const void* z1, const void* z2) 308{ 309 /* first sort on class, so that hierarchy can be maintained within 310 * a class */ 311 struct auth_zone* a = (struct auth_zone*)z1; 312 struct auth_zone* b = (struct auth_zone*)z2; 313 int m; 314 if(a->dclass != b->dclass) { 315 if(a->dclass < b->dclass) 316 return -1; 317 return 1; 318 } 319 /* sorted such that higher zones sort before lower zones (their 320 * contents) */ 321 return dname_lab_cmp(a->name, a->namelabs, b->name, b->namelabs, &m); 322} 323 324int auth_data_cmp(const void* z1, const void* z2) 325{ 326 struct auth_data* a = (struct auth_data*)z1; 327 struct auth_data* b = (struct auth_data*)z2; 328 int m; 329 /* canonical sort, because DNSSEC needs that */ 330 return dname_canon_lab_cmp(a->name, a->namelabs, b->name, 331 b->namelabs, &m); 332} 333 334int auth_xfer_cmp(const void* z1, const void* z2) 335{ 336 /* first sort on class, so that hierarchy can be maintained within 337 * a class */ 338 struct auth_xfer* a = (struct auth_xfer*)z1; 339 struct auth_xfer* b = (struct auth_xfer*)z2; 340 int m; 341 if(a->dclass != b->dclass) { 342 if(a->dclass < b->dclass) 343 return -1; 344 return 1; 345 } 346 /* sorted such that higher zones sort before lower zones (their 347 * contents) */ 348 return dname_lab_cmp(a->name, a->namelabs, b->name, b->namelabs, &m); 349} 350 351/** delete auth rrset node */ 352static void 353auth_rrset_delete(struct auth_rrset* rrset) 354{ 355 if(!rrset) return; 356 free(rrset->data); 357 free(rrset); 358} 359 360/** delete auth data domain node */ 361static void 362auth_data_delete(struct auth_data* n) 363{ 364 struct auth_rrset* p, *np; 365 if(!n) return; 366 p = n->rrsets; 367 while(p) { 368 np = p->next; 369 auth_rrset_delete(p); 370 p = np; 371 } 372 free(n->name); 373 free(n); 374} 375 376/** helper traverse to delete zones */ 377static void 378auth_data_del(rbnode_type* n, void* ATTR_UNUSED(arg)) 379{ 380 struct auth_data* z = (struct auth_data*)n->key; 381 auth_data_delete(z); 382} 383 384/** delete an auth zone structure (tree remove must be done elsewhere) */ 385static void 386auth_zone_delete(struct auth_zone* z, struct auth_zones* az) 387{ 388 if(!z) return; 389 lock_rw_destroy(&z->lock); 390 traverse_postorder(&z->data, auth_data_del, NULL); 391 392 if(az && z->rpz) { 393 /* keep RPZ linked list intact */ 394 lock_rw_wrlock(&az->rpz_lock); 395 if(z->rpz_az_prev) 396 z->rpz_az_prev->rpz_az_next = z->rpz_az_next; 397 else 398 az->rpz_first = z->rpz_az_next; 399 if(z->rpz_az_next) 400 z->rpz_az_next->rpz_az_prev = z->rpz_az_prev; 401 lock_rw_unlock(&az->rpz_lock); 402 } 403 if(z->rpz) 404 rpz_delete(z->rpz); 405 free(z->name); 406 free(z->zonefile); 407 free(z); 408} 409 410struct auth_zone* 411auth_zone_create(struct auth_zones* az, uint8_t* nm, size_t nmlen, 412 uint16_t dclass) 413{ 414 struct auth_zone* z = (struct auth_zone*)calloc(1, sizeof(*z)); 415 if(!z) { 416 return NULL; 417 } 418 z->node.key = z; 419 z->dclass = dclass; 420 z->namelen = nmlen; 421 z->namelabs = dname_count_labels(nm); 422 z->name = memdup(nm, nmlen); 423 if(!z->name) { 424 free(z); 425 return NULL; 426 } 427 rbtree_init(&z->data, &auth_data_cmp); 428 lock_rw_init(&z->lock); 429 lock_protect(&z->lock, &z->name, sizeof(*z)-sizeof(rbnode_type)- 430 sizeof(&z->rpz_az_next)-sizeof(&z->rpz_az_prev)); 431 lock_rw_wrlock(&z->lock); 432 /* z lock protects all, except rbtree itself and the rpz linked list 433 * pointers, which are protected using az->lock */ 434 if(!rbtree_insert(&az->ztree, &z->node)) { 435 lock_rw_unlock(&z->lock); 436 auth_zone_delete(z, NULL); 437 log_warn("duplicate auth zone"); 438 return NULL; 439 } 440 return z; 441} 442 443struct auth_zone* 444auth_zone_find(struct auth_zones* az, uint8_t* nm, size_t nmlen, 445 uint16_t dclass) 446{ 447 struct auth_zone key; 448 key.node.key = &key; 449 key.dclass = dclass; 450 key.name = nm; 451 key.namelen = nmlen; 452 key.namelabs = dname_count_labels(nm); 453 return (struct auth_zone*)rbtree_search(&az->ztree, &key); 454} 455 456struct auth_xfer* 457auth_xfer_find(struct auth_zones* az, uint8_t* nm, size_t nmlen, 458 uint16_t dclass) 459{ 460 struct auth_xfer key; 461 key.node.key = &key; 462 key.dclass = dclass; 463 key.name = nm; 464 key.namelen = nmlen; 465 key.namelabs = dname_count_labels(nm); 466 return (struct auth_xfer*)rbtree_search(&az->xtree, &key); 467} 468 469/** find an auth zone or sorted less-or-equal, return true if exact */ 470static int 471auth_zone_find_less_equal(struct auth_zones* az, uint8_t* nm, size_t nmlen, 472 uint16_t dclass, struct auth_zone** z) 473{ 474 struct auth_zone key; 475 key.node.key = &key; 476 key.dclass = dclass; 477 key.name = nm; 478 key.namelen = nmlen; 479 key.namelabs = dname_count_labels(nm); 480 return rbtree_find_less_equal(&az->ztree, &key, (rbnode_type**)z); 481} 482 483 484/** find the auth zone that is above the given name */ 485struct auth_zone* 486auth_zones_find_zone(struct auth_zones* az, uint8_t* name, size_t name_len, 487 uint16_t dclass) 488{ 489 uint8_t* nm = name; 490 size_t nmlen = name_len; 491 struct auth_zone* z; 492 if(auth_zone_find_less_equal(az, nm, nmlen, dclass, &z)) { 493 /* exact match */ 494 return z; 495 } else { 496 /* less-or-nothing */ 497 if(!z) return NULL; /* nothing smaller, nothing above it */ 498 /* we found smaller name; smaller may be above the name, 499 * but not below it. */ 500 nm = dname_get_shared_topdomain(z->name, name); 501 dname_count_size_labels(nm, &nmlen); 502 z = NULL; 503 } 504 505 /* search up */ 506 while(!z) { 507 z = auth_zone_find(az, nm, nmlen, dclass); 508 if(z) return z; 509 if(dname_is_root(nm)) break; 510 dname_remove_label(&nm, &nmlen); 511 } 512 return NULL; 513} 514 515/** find or create zone with name str. caller must have lock on az. 516 * returns a wrlocked zone */ 517static struct auth_zone* 518auth_zones_find_or_add_zone(struct auth_zones* az, char* name) 519{ 520 uint8_t nm[LDNS_MAX_DOMAINLEN+1]; 521 size_t nmlen = sizeof(nm); 522 struct auth_zone* z; 523 524 if(sldns_str2wire_dname_buf(name, nm, &nmlen) != 0) { 525 log_err("cannot parse auth zone name: %s", name); 526 return 0; 527 } 528 z = auth_zone_find(az, nm, nmlen, LDNS_RR_CLASS_IN); 529 if(!z) { 530 /* not found, create the zone */ 531 z = auth_zone_create(az, nm, nmlen, LDNS_RR_CLASS_IN); 532 } else { 533 lock_rw_wrlock(&z->lock); 534 } 535 return z; 536} 537 538/** find or create xfer zone with name str. caller must have lock on az. 539 * returns a locked xfer */ 540static struct auth_xfer* 541auth_zones_find_or_add_xfer(struct auth_zones* az, struct auth_zone* z) 542{ 543 struct auth_xfer* x; 544 x = auth_xfer_find(az, z->name, z->namelen, z->dclass); 545 if(!x) { 546 /* not found, create the zone */ 547 x = auth_xfer_create(az, z); 548 } else { 549 lock_basic_lock(&x->lock); 550 } 551 return x; 552} 553 554int 555auth_zone_set_zonefile(struct auth_zone* z, char* zonefile) 556{ 557 if(z->zonefile) free(z->zonefile); 558 if(zonefile == NULL) { 559 z->zonefile = NULL; 560 } else { 561 z->zonefile = strdup(zonefile); 562 if(!z->zonefile) { 563 log_err("malloc failure"); 564 return 0; 565 } 566 } 567 return 1; 568} 569 570/** set auth zone fallback. caller must have lock on zone */ 571int 572auth_zone_set_fallback(struct auth_zone* z, char* fallbackstr) 573{ 574 if(strcmp(fallbackstr, "yes") != 0 && strcmp(fallbackstr, "no") != 0){ 575 log_err("auth zone fallback, expected yes or no, got %s", 576 fallbackstr); 577 return 0; 578 } 579 z->fallback_enabled = (strcmp(fallbackstr, "yes")==0); 580 return 1; 581} 582 583/** create domain with the given name */ 584static struct auth_data* 585az_domain_create(struct auth_zone* z, uint8_t* nm, size_t nmlen) 586{ 587 struct auth_data* n = (struct auth_data*)malloc(sizeof(*n)); 588 if(!n) return NULL; 589 memset(n, 0, sizeof(*n)); 590 n->node.key = n; 591 n->name = memdup(nm, nmlen); 592 if(!n->name) { 593 free(n); 594 return NULL; 595 } 596 n->namelen = nmlen; 597 n->namelabs = dname_count_labels(nm); 598 if(!rbtree_insert(&z->data, &n->node)) { 599 log_warn("duplicate auth domain name"); 600 free(n->name); 601 free(n); 602 return NULL; 603 } 604 return n; 605} 606 607/** find domain with exactly the given name */ 608static struct auth_data* 609az_find_name(struct auth_zone* z, uint8_t* nm, size_t nmlen) 610{ 611 struct auth_zone key; 612 key.node.key = &key; 613 key.name = nm; 614 key.namelen = nmlen; 615 key.namelabs = dname_count_labels(nm); 616 return (struct auth_data*)rbtree_search(&z->data, &key); 617} 618 619/** Find domain name (or closest match) */ 620static void 621az_find_domain(struct auth_zone* z, struct query_info* qinfo, int* node_exact, 622 struct auth_data** node) 623{ 624 struct auth_zone key; 625 key.node.key = &key; 626 key.name = qinfo->qname; 627 key.namelen = qinfo->qname_len; 628 key.namelabs = dname_count_labels(key.name); 629 *node_exact = rbtree_find_less_equal(&z->data, &key, 630 (rbnode_type**)node); 631} 632 633/** find or create domain with name in zone */ 634static struct auth_data* 635az_domain_find_or_create(struct auth_zone* z, uint8_t* dname, 636 size_t dname_len) 637{ 638 struct auth_data* n = az_find_name(z, dname, dname_len); 639 if(!n) { 640 n = az_domain_create(z, dname, dname_len); 641 } 642 return n; 643} 644 645/** find rrset of given type in the domain */ 646static struct auth_rrset* 647az_domain_rrset(struct auth_data* n, uint16_t t) 648{ 649 struct auth_rrset* rrset; 650 if(!n) return NULL; 651 rrset = n->rrsets; 652 while(rrset) { 653 if(rrset->type == t) 654 return rrset; 655 rrset = rrset->next; 656 } 657 return NULL; 658} 659 660/** remove rrset of this type from domain */ 661static void 662domain_remove_rrset(struct auth_data* node, uint16_t rr_type) 663{ 664 struct auth_rrset* rrset, *prev; 665 if(!node) return; 666 prev = NULL; 667 rrset = node->rrsets; 668 while(rrset) { 669 if(rrset->type == rr_type) { 670 /* found it, now delete it */ 671 if(prev) prev->next = rrset->next; 672 else node->rrsets = rrset->next; 673 auth_rrset_delete(rrset); 674 return; 675 } 676 prev = rrset; 677 rrset = rrset->next; 678 } 679} 680 681/** find an rrsig index in the rrset. returns true if found */ 682static int 683az_rrset_find_rrsig(struct packed_rrset_data* d, uint8_t* rdata, size_t len, 684 size_t* index) 685{ 686 size_t i; 687 for(i=d->count; i<d->count + d->rrsig_count; i++) { 688 if(d->rr_len[i] != len) 689 continue; 690 if(memcmp(d->rr_data[i], rdata, len) == 0) { 691 *index = i; 692 return 1; 693 } 694 } 695 return 0; 696} 697 698/** see if rdata is duplicate */ 699static int 700rdata_duplicate(struct packed_rrset_data* d, uint8_t* rdata, size_t len) 701{ 702 size_t i; 703 for(i=0; i<d->count + d->rrsig_count; i++) { 704 if(d->rr_len[i] != len) 705 continue; 706 if(memcmp(d->rr_data[i], rdata, len) == 0) 707 return 1; 708 } 709 return 0; 710} 711 712/** get rrsig type covered from rdata. 713 * @param rdata: rdata in wireformat, starting with 16bit rdlength. 714 * @param rdatalen: length of rdata buffer. 715 * @return type covered (or 0). 716 */ 717static uint16_t 718rrsig_rdata_get_type_covered(uint8_t* rdata, size_t rdatalen) 719{ 720 if(rdatalen < 4) 721 return 0; 722 return sldns_read_uint16(rdata+2); 723} 724 725/** remove RR from existing RRset. Also sig, if it is a signature. 726 * reallocates the packed rrset for a new one, false on alloc failure */ 727static int 728rrset_remove_rr(struct auth_rrset* rrset, size_t index) 729{ 730 struct packed_rrset_data* d, *old = rrset->data; 731 size_t i; 732 if(index >= old->count + old->rrsig_count) 733 return 0; /* index out of bounds */ 734 d = (struct packed_rrset_data*)calloc(1, packed_rrset_sizeof(old) - ( 735 sizeof(size_t) + sizeof(uint8_t*) + sizeof(time_t) + 736 old->rr_len[index])); 737 if(!d) { 738 log_err("malloc failure"); 739 return 0; 740 } 741 d->ttl = old->ttl; 742 d->count = old->count; 743 d->rrsig_count = old->rrsig_count; 744 if(index < d->count) d->count--; 745 else d->rrsig_count--; 746 d->trust = old->trust; 747 d->security = old->security; 748 749 /* set rr_len, needed for ptr_fixup */ 750 d->rr_len = (size_t*)((uint8_t*)d + 751 sizeof(struct packed_rrset_data)); 752 if(index > 0) 753 memmove(d->rr_len, old->rr_len, (index)*sizeof(size_t)); 754 if(index+1 < old->count+old->rrsig_count) 755 memmove(&d->rr_len[index], &old->rr_len[index+1], 756 (old->count+old->rrsig_count - (index+1))*sizeof(size_t)); 757 packed_rrset_ptr_fixup(d); 758 759 /* move over ttls */ 760 if(index > 0) 761 memmove(d->rr_ttl, old->rr_ttl, (index)*sizeof(time_t)); 762 if(index+1 < old->count+old->rrsig_count) 763 memmove(&d->rr_ttl[index], &old->rr_ttl[index+1], 764 (old->count+old->rrsig_count - (index+1))*sizeof(time_t)); 765 766 /* move over rr_data */ 767 for(i=0; i<d->count+d->rrsig_count; i++) { 768 size_t oldi; 769 if(i < index) oldi = i; 770 else oldi = i+1; 771 memmove(d->rr_data[i], old->rr_data[oldi], d->rr_len[i]); 772 } 773 774 /* recalc ttl (lowest of remaining RR ttls) */ 775 if(d->count + d->rrsig_count > 0) 776 d->ttl = d->rr_ttl[0]; 777 for(i=0; i<d->count+d->rrsig_count; i++) { 778 if(d->rr_ttl[i] < d->ttl) 779 d->ttl = d->rr_ttl[i]; 780 } 781 782 free(rrset->data); 783 rrset->data = d; 784 return 1; 785} 786 787/** add RR to existing RRset. If insert_sig is true, add to rrsigs. 788 * This reallocates the packed rrset for a new one */ 789static int 790rrset_add_rr(struct auth_rrset* rrset, uint32_t rr_ttl, uint8_t* rdata, 791 size_t rdatalen, int insert_sig) 792{ 793 struct packed_rrset_data* d, *old = rrset->data; 794 size_t total, old_total; 795 796 d = (struct packed_rrset_data*)calloc(1, packed_rrset_sizeof(old) 797 + sizeof(size_t) + sizeof(uint8_t*) + sizeof(time_t) 798 + rdatalen); 799 if(!d) { 800 log_err("out of memory"); 801 return 0; 802 } 803 /* copy base values */ 804 memcpy(d, old, sizeof(struct packed_rrset_data)); 805 if(!insert_sig) { 806 d->count++; 807 } else { 808 d->rrsig_count++; 809 } 810 old_total = old->count + old->rrsig_count; 811 total = d->count + d->rrsig_count; 812 /* set rr_len, needed for ptr_fixup */ 813 d->rr_len = (size_t*)((uint8_t*)d + 814 sizeof(struct packed_rrset_data)); 815 if(old->count != 0) 816 memmove(d->rr_len, old->rr_len, old->count*sizeof(size_t)); 817 if(old->rrsig_count != 0) 818 memmove(d->rr_len+d->count, old->rr_len+old->count, 819 old->rrsig_count*sizeof(size_t)); 820 if(!insert_sig) 821 d->rr_len[d->count-1] = rdatalen; 822 else d->rr_len[total-1] = rdatalen; 823 packed_rrset_ptr_fixup(d); 824 if((time_t)rr_ttl < d->ttl) 825 d->ttl = rr_ttl; 826 827 /* copy old values into new array */ 828 if(old->count != 0) { 829 memmove(d->rr_ttl, old->rr_ttl, old->count*sizeof(time_t)); 830 /* all the old rr pieces are allocated sequential, so we 831 * can copy them in one go */ 832 memmove(d->rr_data[0], old->rr_data[0], 833 (old->rr_data[old->count-1] - old->rr_data[0]) + 834 old->rr_len[old->count-1]); 835 } 836 if(old->rrsig_count != 0) { 837 memmove(d->rr_ttl+d->count, old->rr_ttl+old->count, 838 old->rrsig_count*sizeof(time_t)); 839 memmove(d->rr_data[d->count], old->rr_data[old->count], 840 (old->rr_data[old_total-1] - old->rr_data[old->count]) + 841 old->rr_len[old_total-1]); 842 } 843 844 /* insert new value */ 845 if(!insert_sig) { 846 d->rr_ttl[d->count-1] = rr_ttl; 847 memmove(d->rr_data[d->count-1], rdata, rdatalen); 848 } else { 849 d->rr_ttl[total-1] = rr_ttl; 850 memmove(d->rr_data[total-1], rdata, rdatalen); 851 } 852 853 rrset->data = d; 854 free(old); 855 return 1; 856} 857 858/** Create new rrset for node with packed rrset with one RR element */ 859static struct auth_rrset* 860rrset_create(struct auth_data* node, uint16_t rr_type, uint32_t rr_ttl, 861 uint8_t* rdata, size_t rdatalen) 862{ 863 struct auth_rrset* rrset = (struct auth_rrset*)calloc(1, 864 sizeof(*rrset)); 865 struct auth_rrset* p, *prev; 866 struct packed_rrset_data* d; 867 if(!rrset) { 868 log_err("out of memory"); 869 return NULL; 870 } 871 rrset->type = rr_type; 872 873 /* the rrset data structure, with one RR */ 874 d = (struct packed_rrset_data*)calloc(1, 875 sizeof(struct packed_rrset_data) + sizeof(size_t) + 876 sizeof(uint8_t*) + sizeof(time_t) + rdatalen); 877 if(!d) { 878 free(rrset); 879 log_err("out of memory"); 880 return NULL; 881 } 882 rrset->data = d; 883 d->ttl = rr_ttl; 884 d->trust = rrset_trust_prim_noglue; 885 d->rr_len = (size_t*)((uint8_t*)d + sizeof(struct packed_rrset_data)); 886 d->rr_data = (uint8_t**)&(d->rr_len[1]); 887 d->rr_ttl = (time_t*)&(d->rr_data[1]); 888 d->rr_data[0] = (uint8_t*)&(d->rr_ttl[1]); 889 890 /* insert the RR */ 891 d->rr_len[0] = rdatalen; 892 d->rr_ttl[0] = rr_ttl; 893 memmove(d->rr_data[0], rdata, rdatalen); 894 d->count++; 895 896 /* insert rrset into linked list for domain */ 897 /* find sorted place to link the rrset into the list */ 898 prev = NULL; 899 p = node->rrsets; 900 while(p && p->type<=rr_type) { 901 prev = p; 902 p = p->next; 903 } 904 /* so, prev is smaller, and p is larger than rr_type */ 905 rrset->next = p; 906 if(prev) prev->next = rrset; 907 else node->rrsets = rrset; 908 return rrset; 909} 910 911/** count number (and size) of rrsigs that cover a type */ 912static size_t 913rrsig_num_that_cover(struct auth_rrset* rrsig, uint16_t rr_type, size_t* sigsz) 914{ 915 struct packed_rrset_data* d = rrsig->data; 916 size_t i, num = 0; 917 *sigsz = 0; 918 log_assert(d && rrsig->type == LDNS_RR_TYPE_RRSIG); 919 for(i=0; i<d->count+d->rrsig_count; i++) { 920 if(rrsig_rdata_get_type_covered(d->rr_data[i], 921 d->rr_len[i]) == rr_type) { 922 num++; 923 (*sigsz) += d->rr_len[i]; 924 } 925 } 926 return num; 927} 928 929/** See if rrsig set has covered sigs for rrset and move them over */ 930static int 931rrset_moveover_rrsigs(struct auth_data* node, uint16_t rr_type, 932 struct auth_rrset* rrset, struct auth_rrset* rrsig) 933{ 934 size_t sigs, sigsz, i, j, total; 935 struct packed_rrset_data* sigold = rrsig->data; 936 struct packed_rrset_data* old = rrset->data; 937 struct packed_rrset_data* d, *sigd; 938 939 log_assert(rrset->type == rr_type); 940 log_assert(rrsig->type == LDNS_RR_TYPE_RRSIG); 941 sigs = rrsig_num_that_cover(rrsig, rr_type, &sigsz); 942 if(sigs == 0) { 943 /* 0 rrsigs to move over, done */ 944 return 1; 945 } 946 947 /* allocate rrset sigsz larger for extra sigs elements, and 948 * allocate rrsig sigsz smaller for less sigs elements. */ 949 d = (struct packed_rrset_data*)calloc(1, packed_rrset_sizeof(old) 950 + sigs*(sizeof(size_t) + sizeof(uint8_t*) + sizeof(time_t)) 951 + sigsz); 952 if(!d) { 953 log_err("out of memory"); 954 return 0; 955 } 956 /* copy base values */ 957 total = old->count + old->rrsig_count; 958 memcpy(d, old, sizeof(struct packed_rrset_data)); 959 d->rrsig_count += sigs; 960 /* setup rr_len */ 961 d->rr_len = (size_t*)((uint8_t*)d + 962 sizeof(struct packed_rrset_data)); 963 if(total != 0) 964 memmove(d->rr_len, old->rr_len, total*sizeof(size_t)); 965 j = d->count+d->rrsig_count-sigs; 966 for(i=0; i<sigold->count+sigold->rrsig_count; i++) { 967 if(rrsig_rdata_get_type_covered(sigold->rr_data[i], 968 sigold->rr_len[i]) == rr_type) { 969 d->rr_len[j] = sigold->rr_len[i]; 970 j++; 971 } 972 } 973 packed_rrset_ptr_fixup(d); 974 975 /* copy old values into new array */ 976 if(total != 0) { 977 memmove(d->rr_ttl, old->rr_ttl, total*sizeof(time_t)); 978 /* all the old rr pieces are allocated sequential, so we 979 * can copy them in one go */ 980 memmove(d->rr_data[0], old->rr_data[0], 981 (old->rr_data[total-1] - old->rr_data[0]) + 982 old->rr_len[total-1]); 983 } 984 985 /* move over the rrsigs to the larger rrset*/ 986 j = d->count+d->rrsig_count-sigs; 987 for(i=0; i<sigold->count+sigold->rrsig_count; i++) { 988 if(rrsig_rdata_get_type_covered(sigold->rr_data[i], 989 sigold->rr_len[i]) == rr_type) { 990 /* move this one over to location j */ 991 d->rr_ttl[j] = sigold->rr_ttl[i]; 992 memmove(d->rr_data[j], sigold->rr_data[i], 993 sigold->rr_len[i]); 994 if(d->rr_ttl[j] < d->ttl) 995 d->ttl = d->rr_ttl[j]; 996 j++; 997 } 998 } 999 1000 /* put it in and deallocate the old rrset */ 1001 rrset->data = d; 1002 free(old); 1003 1004 /* now make rrsig set smaller */ 1005 if(sigold->count+sigold->rrsig_count == sigs) { 1006 /* remove all sigs from rrsig, remove it entirely */ 1007 domain_remove_rrset(node, LDNS_RR_TYPE_RRSIG); 1008 return 1; 1009 } 1010 log_assert(packed_rrset_sizeof(sigold) > sigs*(sizeof(size_t) + 1011 sizeof(uint8_t*) + sizeof(time_t)) + sigsz); 1012 sigd = (struct packed_rrset_data*)calloc(1, packed_rrset_sizeof(sigold) 1013 - sigs*(sizeof(size_t) + sizeof(uint8_t*) + sizeof(time_t)) 1014 - sigsz); 1015 if(!sigd) { 1016 /* no need to free up d, it has already been placed in the 1017 * node->rrset structure */ 1018 log_err("out of memory"); 1019 return 0; 1020 } 1021 /* copy base values */ 1022 memcpy(sigd, sigold, sizeof(struct packed_rrset_data)); 1023 /* in sigd the RRSIGs are stored in the base of the RR, in count */ 1024 sigd->count -= sigs; 1025 /* setup rr_len */ 1026 sigd->rr_len = (size_t*)((uint8_t*)sigd + 1027 sizeof(struct packed_rrset_data)); 1028 j = 0; 1029 for(i=0; i<sigold->count+sigold->rrsig_count; i++) { 1030 if(rrsig_rdata_get_type_covered(sigold->rr_data[i], 1031 sigold->rr_len[i]) != rr_type) { 1032 sigd->rr_len[j] = sigold->rr_len[i]; 1033 j++; 1034 } 1035 } 1036 packed_rrset_ptr_fixup(sigd); 1037 1038 /* copy old values into new rrsig array */ 1039 j = 0; 1040 for(i=0; i<sigold->count+sigold->rrsig_count; i++) { 1041 if(rrsig_rdata_get_type_covered(sigold->rr_data[i], 1042 sigold->rr_len[i]) != rr_type) { 1043 /* move this one over to location j */ 1044 sigd->rr_ttl[j] = sigold->rr_ttl[i]; 1045 memmove(sigd->rr_data[j], sigold->rr_data[i], 1046 sigold->rr_len[i]); 1047 if(j==0) sigd->ttl = sigd->rr_ttl[j]; 1048 else { 1049 if(sigd->rr_ttl[j] < sigd->ttl) 1050 sigd->ttl = sigd->rr_ttl[j]; 1051 } 1052 j++; 1053 } 1054 } 1055 1056 /* put it in and deallocate the old rrset */ 1057 rrsig->data = sigd; 1058 free(sigold); 1059 1060 return 1; 1061} 1062 1063/** copy the rrsigs from the rrset to the rrsig rrset, because the rrset 1064 * is going to be deleted. reallocates the RRSIG rrset data. */ 1065static int 1066rrsigs_copy_from_rrset_to_rrsigset(struct auth_rrset* rrset, 1067 struct auth_rrset* rrsigset) 1068{ 1069 size_t i; 1070 if(rrset->data->rrsig_count == 0) 1071 return 1; 1072 1073 /* move them over one by one, because there might be duplicates, 1074 * duplicates are ignored */ 1075 for(i=rrset->data->count; 1076 i<rrset->data->count+rrset->data->rrsig_count; i++) { 1077 uint8_t* rdata = rrset->data->rr_data[i]; 1078 size_t rdatalen = rrset->data->rr_len[i]; 1079 time_t rr_ttl = rrset->data->rr_ttl[i]; 1080 1081 if(rdata_duplicate(rrsigset->data, rdata, rdatalen)) { 1082 continue; 1083 } 1084 if(!rrset_add_rr(rrsigset, rr_ttl, rdata, rdatalen, 0)) 1085 return 0; 1086 } 1087 return 1; 1088} 1089 1090/** Add rr to node, ignores duplicate RRs, 1091 * rdata points to buffer with rdatalen octets, starts with 2bytelength. */ 1092static int 1093az_domain_add_rr(struct auth_data* node, uint16_t rr_type, uint32_t rr_ttl, 1094 uint8_t* rdata, size_t rdatalen, int* duplicate) 1095{ 1096 struct auth_rrset* rrset; 1097 /* packed rrsets have their rrsigs along with them, sort them out */ 1098 if(rr_type == LDNS_RR_TYPE_RRSIG) { 1099 uint16_t ctype = rrsig_rdata_get_type_covered(rdata, rdatalen); 1100 if((rrset=az_domain_rrset(node, ctype))!= NULL) { 1101 /* a node of the correct type exists, add the RRSIG 1102 * to the rrset of the covered data type */ 1103 if(rdata_duplicate(rrset->data, rdata, rdatalen)) { 1104 if(duplicate) *duplicate = 1; 1105 return 1; 1106 } 1107 if(!rrset_add_rr(rrset, rr_ttl, rdata, rdatalen, 1)) 1108 return 0; 1109 } else if((rrset=az_domain_rrset(node, rr_type))!= NULL) { 1110 /* add RRSIG to rrset of type RRSIG */ 1111 if(rdata_duplicate(rrset->data, rdata, rdatalen)) { 1112 if(duplicate) *duplicate = 1; 1113 return 1; 1114 } 1115 if(!rrset_add_rr(rrset, rr_ttl, rdata, rdatalen, 0)) 1116 return 0; 1117 } else { 1118 /* create rrset of type RRSIG */ 1119 if(!rrset_create(node, rr_type, rr_ttl, rdata, 1120 rdatalen)) 1121 return 0; 1122 } 1123 } else { 1124 /* normal RR type */ 1125 if((rrset=az_domain_rrset(node, rr_type))!= NULL) { 1126 /* add data to existing node with data type */ 1127 if(rdata_duplicate(rrset->data, rdata, rdatalen)) { 1128 if(duplicate) *duplicate = 1; 1129 return 1; 1130 } 1131 if(!rrset_add_rr(rrset, rr_ttl, rdata, rdatalen, 0)) 1132 return 0; 1133 } else { 1134 struct auth_rrset* rrsig; 1135 /* create new node with data type */ 1136 if(!(rrset=rrset_create(node, rr_type, rr_ttl, rdata, 1137 rdatalen))) 1138 return 0; 1139 1140 /* see if node of type RRSIG has signatures that 1141 * cover the data type, and move them over */ 1142 /* and then make the RRSIG type smaller */ 1143 if((rrsig=az_domain_rrset(node, LDNS_RR_TYPE_RRSIG)) 1144 != NULL) { 1145 if(!rrset_moveover_rrsigs(node, rr_type, 1146 rrset, rrsig)) 1147 return 0; 1148 } 1149 } 1150 } 1151 return 1; 1152} 1153 1154/** insert RR into zone, ignore duplicates */ 1155static int 1156az_insert_rr(struct auth_zone* z, uint8_t* rr, size_t rr_len, 1157 size_t dname_len, int* duplicate) 1158{ 1159 struct auth_data* node; 1160 uint8_t* dname = rr; 1161 uint16_t rr_type = sldns_wirerr_get_type(rr, rr_len, dname_len); 1162 uint16_t rr_class = sldns_wirerr_get_class(rr, rr_len, dname_len); 1163 uint32_t rr_ttl = sldns_wirerr_get_ttl(rr, rr_len, dname_len); 1164 size_t rdatalen = ((size_t)sldns_wirerr_get_rdatalen(rr, rr_len, 1165 dname_len))+2; 1166 /* rdata points to rdata prefixed with uint16 rdatalength */ 1167 uint8_t* rdata = sldns_wirerr_get_rdatawl(rr, rr_len, dname_len); 1168 1169 if(rr_class != z->dclass) { 1170 log_err("wrong class for RR"); 1171 return 0; 1172 } 1173 if(!(node=az_domain_find_or_create(z, dname, dname_len))) { 1174 log_err("cannot create domain"); 1175 return 0; 1176 } 1177 if(!az_domain_add_rr(node, rr_type, rr_ttl, rdata, rdatalen, 1178 duplicate)) { 1179 log_err("cannot add RR to domain"); 1180 return 0; 1181 } 1182 if(z->rpz) { 1183 if(!(rpz_insert_rr(z->rpz, z->name, z->namelen, dname, 1184 dname_len, rr_type, rr_class, rr_ttl, rdata, rdatalen, 1185 rr, rr_len))) 1186 return 0; 1187 } 1188 return 1; 1189} 1190 1191/** Remove rr from node, ignores nonexisting RRs, 1192 * rdata points to buffer with rdatalen octets, starts with 2bytelength. */ 1193static int 1194az_domain_remove_rr(struct auth_data* node, uint16_t rr_type, 1195 uint8_t* rdata, size_t rdatalen, int* nonexist) 1196{ 1197 struct auth_rrset* rrset; 1198 size_t index = 0; 1199 1200 /* find the plain RR of the given type */ 1201 if((rrset=az_domain_rrset(node, rr_type))!= NULL) { 1202 if(packed_rrset_find_rr(rrset->data, rdata, rdatalen, &index)) { 1203 if(rrset->data->count == 1 && 1204 rrset->data->rrsig_count == 0) { 1205 /* last RR, delete the rrset */ 1206 domain_remove_rrset(node, rr_type); 1207 } else if(rrset->data->count == 1 && 1208 rrset->data->rrsig_count != 0) { 1209 /* move RRSIGs to the RRSIG rrset, or 1210 * this one becomes that RRset */ 1211 struct auth_rrset* rrsigset = az_domain_rrset( 1212 node, LDNS_RR_TYPE_RRSIG); 1213 if(rrsigset) { 1214 /* move left over rrsigs to the 1215 * existing rrset of type RRSIG */ 1216 rrsigs_copy_from_rrset_to_rrsigset( 1217 rrset, rrsigset); 1218 /* and then delete the rrset */ 1219 domain_remove_rrset(node, rr_type); 1220 } else { 1221 /* no rrset of type RRSIG, this 1222 * set is now of that type, 1223 * just remove the rr */ 1224 if(!rrset_remove_rr(rrset, index)) 1225 return 0; 1226 rrset->type = LDNS_RR_TYPE_RRSIG; 1227 rrset->data->count = rrset->data->rrsig_count; 1228 rrset->data->rrsig_count = 0; 1229 } 1230 } else { 1231 /* remove the RR from the rrset */ 1232 if(!rrset_remove_rr(rrset, index)) 1233 return 0; 1234 } 1235 return 1; 1236 } 1237 /* rr not found in rrset */ 1238 } 1239 1240 /* is it a type RRSIG, look under the covered type */ 1241 if(rr_type == LDNS_RR_TYPE_RRSIG) { 1242 uint16_t ctype = rrsig_rdata_get_type_covered(rdata, rdatalen); 1243 if((rrset=az_domain_rrset(node, ctype))!= NULL) { 1244 if(az_rrset_find_rrsig(rrset->data, rdata, rdatalen, 1245 &index)) { 1246 /* rrsig should have d->count > 0, be 1247 * over some rr of that type */ 1248 /* remove the rrsig from the rrsigs list of the 1249 * rrset */ 1250 if(!rrset_remove_rr(rrset, index)) 1251 return 0; 1252 return 1; 1253 } 1254 } 1255 /* also RRSIG not found */ 1256 } 1257 1258 /* nothing found to delete */ 1259 if(nonexist) *nonexist = 1; 1260 return 1; 1261} 1262 1263/** remove RR from zone, ignore if it does not exist, false on alloc failure*/ 1264static int 1265az_remove_rr(struct auth_zone* z, uint8_t* rr, size_t rr_len, 1266 size_t dname_len, int* nonexist) 1267{ 1268 struct auth_data* node; 1269 uint8_t* dname = rr; 1270 uint16_t rr_type = sldns_wirerr_get_type(rr, rr_len, dname_len); 1271 uint16_t rr_class = sldns_wirerr_get_class(rr, rr_len, dname_len); 1272 size_t rdatalen = ((size_t)sldns_wirerr_get_rdatalen(rr, rr_len, 1273 dname_len))+2; 1274 /* rdata points to rdata prefixed with uint16 rdatalength */ 1275 uint8_t* rdata = sldns_wirerr_get_rdatawl(rr, rr_len, dname_len); 1276 1277 if(rr_class != z->dclass) { 1278 log_err("wrong class for RR"); 1279 /* really also a nonexisting entry, because no records 1280 * of that class in the zone, but return an error because 1281 * getting records of the wrong class is a failure of the 1282 * zone transfer */ 1283 return 0; 1284 } 1285 node = az_find_name(z, dname, dname_len); 1286 if(!node) { 1287 /* node with that name does not exist */ 1288 /* nonexisting entry, because no such name */ 1289 *nonexist = 1; 1290 return 1; 1291 } 1292 if(!az_domain_remove_rr(node, rr_type, rdata, rdatalen, nonexist)) { 1293 /* alloc failure or so */ 1294 return 0; 1295 } 1296 /* remove the node, if necessary */ 1297 /* an rrsets==NULL entry is not kept around for empty nonterminals, 1298 * and also parent nodes are not kept around, so we just delete it */ 1299 if(node->rrsets == NULL) { 1300 (void)rbtree_delete(&z->data, node); 1301 auth_data_delete(node); 1302 } 1303 if(z->rpz) { 1304 rpz_remove_rr(z->rpz, z->namelen, dname, dname_len, rr_type, 1305 rr_class, rdata, rdatalen); 1306 } 1307 return 1; 1308} 1309 1310/** decompress an RR into the buffer where it'll be an uncompressed RR 1311 * with uncompressed dname and uncompressed rdata (dnames) */ 1312static int 1313decompress_rr_into_buffer(struct sldns_buffer* buf, uint8_t* pkt, 1314 size_t pktlen, uint8_t* dname, uint16_t rr_type, uint16_t rr_class, 1315 uint32_t rr_ttl, uint8_t* rr_data, uint16_t rr_rdlen) 1316{ 1317 sldns_buffer pktbuf; 1318 size_t dname_len = 0; 1319 size_t rdlenpos; 1320 size_t rdlen; 1321 uint8_t* rd; 1322 const sldns_rr_descriptor* desc; 1323 sldns_buffer_init_frm_data(&pktbuf, pkt, pktlen); 1324 sldns_buffer_clear(buf); 1325 1326 /* decompress dname */ 1327 sldns_buffer_set_position(&pktbuf, 1328 (size_t)(dname - sldns_buffer_current(&pktbuf))); 1329 dname_len = pkt_dname_len(&pktbuf); 1330 if(dname_len == 0) return 0; /* parse fail on dname */ 1331 if(!sldns_buffer_available(buf, dname_len)) return 0; 1332 dname_pkt_copy(&pktbuf, sldns_buffer_current(buf), dname); 1333 sldns_buffer_skip(buf, (ssize_t)dname_len); 1334 1335 /* type, class, ttl and rdatalength fields */ 1336 if(!sldns_buffer_available(buf, 10)) return 0; 1337 sldns_buffer_write_u16(buf, rr_type); 1338 sldns_buffer_write_u16(buf, rr_class); 1339 sldns_buffer_write_u32(buf, rr_ttl); 1340 rdlenpos = sldns_buffer_position(buf); 1341 sldns_buffer_write_u16(buf, 0); /* rd length position */ 1342 1343 /* decompress rdata */ 1344 desc = sldns_rr_descript(rr_type); 1345 rd = rr_data; 1346 rdlen = rr_rdlen; 1347 if(rdlen > 0 && desc && desc->_dname_count > 0) { 1348 int count = (int)desc->_dname_count; 1349 int rdf = 0; 1350 size_t len; /* how much rdata to plain copy */ 1351 size_t uncompressed_len, compressed_len; 1352 size_t oldpos; 1353 /* decompress dnames. */ 1354 while(rdlen > 0 && count) { 1355 switch(desc->_wireformat[rdf]) { 1356 case LDNS_RDF_TYPE_DNAME: 1357 sldns_buffer_set_position(&pktbuf, 1358 (size_t)(rd - 1359 sldns_buffer_begin(&pktbuf))); 1360 oldpos = sldns_buffer_position(&pktbuf); 1361 /* moves pktbuf to right after the 1362 * compressed dname, and returns uncompressed 1363 * dname length */ 1364 uncompressed_len = pkt_dname_len(&pktbuf); 1365 if(!uncompressed_len) 1366 return 0; /* parse error in dname */ 1367 if(!sldns_buffer_available(buf, 1368 uncompressed_len)) 1369 /* dname too long for buffer */ 1370 return 0; 1371 dname_pkt_copy(&pktbuf, 1372 sldns_buffer_current(buf), rd); 1373 sldns_buffer_skip(buf, (ssize_t)uncompressed_len); 1374 compressed_len = sldns_buffer_position( 1375 &pktbuf) - oldpos; 1376 rd += compressed_len; 1377 rdlen -= compressed_len; 1378 count--; 1379 len = 0; 1380 break; 1381 case LDNS_RDF_TYPE_STR: 1382 len = rd[0] + 1; 1383 break; 1384 default: 1385 len = get_rdf_size(desc->_wireformat[rdf]); 1386 break; 1387 } 1388 if(len) { 1389 if(!sldns_buffer_available(buf, len)) 1390 return 0; /* too long for buffer */ 1391 sldns_buffer_write(buf, rd, len); 1392 rd += len; 1393 rdlen -= len; 1394 } 1395 rdf++; 1396 } 1397 } 1398 /* copy remaining data */ 1399 if(rdlen > 0) { 1400 if(!sldns_buffer_available(buf, rdlen)) return 0; 1401 sldns_buffer_write(buf, rd, rdlen); 1402 } 1403 /* fixup rdlength */ 1404 sldns_buffer_write_u16_at(buf, rdlenpos, 1405 sldns_buffer_position(buf)-rdlenpos-2); 1406 sldns_buffer_flip(buf); 1407 return 1; 1408} 1409 1410/** insert RR into zone, from packet, decompress RR, 1411 * if duplicate is nonNULL set the flag but otherwise ignore duplicates */ 1412static int 1413az_insert_rr_decompress(struct auth_zone* z, uint8_t* pkt, size_t pktlen, 1414 struct sldns_buffer* scratch_buffer, uint8_t* dname, uint16_t rr_type, 1415 uint16_t rr_class, uint32_t rr_ttl, uint8_t* rr_data, 1416 uint16_t rr_rdlen, int* duplicate) 1417{ 1418 uint8_t* rr; 1419 size_t rr_len; 1420 size_t dname_len; 1421 if(!decompress_rr_into_buffer(scratch_buffer, pkt, pktlen, dname, 1422 rr_type, rr_class, rr_ttl, rr_data, rr_rdlen)) { 1423 log_err("could not decompress RR"); 1424 return 0; 1425 } 1426 rr = sldns_buffer_begin(scratch_buffer); 1427 rr_len = sldns_buffer_limit(scratch_buffer); 1428 dname_len = dname_valid(rr, rr_len); 1429 return az_insert_rr(z, rr, rr_len, dname_len, duplicate); 1430} 1431 1432/** remove RR from zone, from packet, decompress RR, 1433 * if nonexist is nonNULL set the flag but otherwise ignore nonexisting entries*/ 1434static int 1435az_remove_rr_decompress(struct auth_zone* z, uint8_t* pkt, size_t pktlen, 1436 struct sldns_buffer* scratch_buffer, uint8_t* dname, uint16_t rr_type, 1437 uint16_t rr_class, uint32_t rr_ttl, uint8_t* rr_data, 1438 uint16_t rr_rdlen, int* nonexist) 1439{ 1440 uint8_t* rr; 1441 size_t rr_len; 1442 size_t dname_len; 1443 if(!decompress_rr_into_buffer(scratch_buffer, pkt, pktlen, dname, 1444 rr_type, rr_class, rr_ttl, rr_data, rr_rdlen)) { 1445 log_err("could not decompress RR"); 1446 return 0; 1447 } 1448 rr = sldns_buffer_begin(scratch_buffer); 1449 rr_len = sldns_buffer_limit(scratch_buffer); 1450 dname_len = dname_valid(rr, rr_len); 1451 return az_remove_rr(z, rr, rr_len, dname_len, nonexist); 1452} 1453 1454/** 1455 * Parse zonefile 1456 * @param z: zone to read in. 1457 * @param in: file to read from (just opened). 1458 * @param rr: buffer to use for RRs, 64k. 1459 * passed so that recursive includes can use the same buffer and do 1460 * not grow the stack too much. 1461 * @param rrbuflen: sizeof rr buffer. 1462 * @param state: parse state with $ORIGIN, $TTL and 'prev-dname' and so on, 1463 * that is kept between includes. 1464 * The lineno is set at 1 and then increased by the function. 1465 * @param fname: file name. 1466 * @param depth: recursion depth for includes 1467 * @param cfg: config for chroot. 1468 * returns false on failure, has printed an error message 1469 */ 1470static int 1471az_parse_file(struct auth_zone* z, FILE* in, uint8_t* rr, size_t rrbuflen, 1472 struct sldns_file_parse_state* state, char* fname, int depth, 1473 struct config_file* cfg) 1474{ 1475 size_t rr_len, dname_len; 1476 int status; 1477 state->lineno = 1; 1478 1479 while(!feof(in)) { 1480 rr_len = rrbuflen; 1481 dname_len = 0; 1482 status = sldns_fp2wire_rr_buf(in, rr, &rr_len, &dname_len, 1483 state); 1484 if(status == LDNS_WIREPARSE_ERR_INCLUDE && rr_len == 0) { 1485 /* we have $INCLUDE or $something */ 1486 if(strncmp((char*)rr, "$INCLUDE ", 9) == 0 || 1487 strncmp((char*)rr, "$INCLUDE\t", 9) == 0) { 1488 FILE* inc; 1489 int lineno_orig = state->lineno; 1490 char* incfile = (char*)rr + 8; 1491 if(depth > MAX_INCLUDE_DEPTH) { 1492 log_err("%s:%d max include depth" 1493 "exceeded", fname, state->lineno); 1494 return 0; 1495 } 1496 /* skip spaces */ 1497 while(*incfile == ' ' || *incfile == '\t') 1498 incfile++; 1499 /* adjust for chroot on include file */ 1500 if(cfg->chrootdir && cfg->chrootdir[0] && 1501 strncmp(incfile, cfg->chrootdir, 1502 strlen(cfg->chrootdir)) == 0) 1503 incfile += strlen(cfg->chrootdir); 1504 incfile = strdup(incfile); 1505 if(!incfile) { 1506 log_err("malloc failure"); 1507 return 0; 1508 } 1509 verbose(VERB_ALGO, "opening $INCLUDE %s", 1510 incfile); 1511 inc = fopen(incfile, "r"); 1512 if(!inc) { 1513 log_err("%s:%d cannot open include " 1514 "file %s: %s", fname, 1515 lineno_orig, incfile, 1516 strerror(errno)); 1517 free(incfile); 1518 return 0; 1519 } 1520 /* recurse read that file now */ 1521 if(!az_parse_file(z, inc, rr, rrbuflen, 1522 state, incfile, depth+1, cfg)) { 1523 log_err("%s:%d cannot parse include " 1524 "file %s", fname, 1525 lineno_orig, incfile); 1526 fclose(inc); 1527 free(incfile); 1528 return 0; 1529 } 1530 fclose(inc); 1531 verbose(VERB_ALGO, "done with $INCLUDE %s", 1532 incfile); 1533 free(incfile); 1534 state->lineno = lineno_orig; 1535 } 1536 continue; 1537 } 1538 if(status != 0) { 1539 log_err("parse error %s %d:%d: %s", fname, 1540 state->lineno, LDNS_WIREPARSE_OFFSET(status), 1541 sldns_get_errorstr_parse(status)); 1542 return 0; 1543 } 1544 if(rr_len == 0) { 1545 /* EMPTY line, TTL or ORIGIN */ 1546 continue; 1547 } 1548 /* insert wirerr in rrbuf */ 1549 if(!az_insert_rr(z, rr, rr_len, dname_len, NULL)) { 1550 char buf[17]; 1551 sldns_wire2str_type_buf(sldns_wirerr_get_type(rr, 1552 rr_len, dname_len), buf, sizeof(buf)); 1553 log_err("%s:%d cannot insert RR of type %s", 1554 fname, state->lineno, buf); 1555 return 0; 1556 } 1557 } 1558 return 1; 1559} 1560 1561int 1562auth_zone_read_zonefile(struct auth_zone* z, struct config_file* cfg) 1563{ 1564 uint8_t rr[LDNS_RR_BUF_SIZE]; 1565 struct sldns_file_parse_state state; 1566 char* zfilename; 1567 FILE* in; 1568 if(!z || !z->zonefile || z->zonefile[0]==0) 1569 return 1; /* no file, or "", nothing to read */ 1570 1571 zfilename = z->zonefile; 1572 if(cfg->chrootdir && cfg->chrootdir[0] && strncmp(zfilename, 1573 cfg->chrootdir, strlen(cfg->chrootdir)) == 0) 1574 zfilename += strlen(cfg->chrootdir); 1575 if(verbosity >= VERB_ALGO) { 1576 char nm[255+1]; 1577 dname_str(z->name, nm); 1578 verbose(VERB_ALGO, "read zonefile %s for %s", zfilename, nm); 1579 } 1580 in = fopen(zfilename, "r"); 1581 if(!in) { 1582 char* n = sldns_wire2str_dname(z->name, z->namelen); 1583 if(z->zone_is_slave && errno == ENOENT) { 1584 /* we fetch the zone contents later, no file yet */ 1585 verbose(VERB_ALGO, "no zonefile %s for %s", 1586 zfilename, n?n:"error"); 1587 free(n); 1588 return 1; 1589 } 1590 log_err("cannot open zonefile %s for %s: %s", 1591 zfilename, n?n:"error", strerror(errno)); 1592 free(n); 1593 return 0; 1594 } 1595 1596 /* clear the data tree */ 1597 traverse_postorder(&z->data, auth_data_del, NULL); 1598 rbtree_init(&z->data, &auth_data_cmp); 1599 /* clear the RPZ policies */ 1600 if(z->rpz) 1601 rpz_clear(z->rpz); 1602 1603 memset(&state, 0, sizeof(state)); 1604 /* default TTL to 3600 */ 1605 state.default_ttl = 3600; 1606 /* set $ORIGIN to the zone name */ 1607 if(z->namelen <= sizeof(state.origin)) { 1608 memcpy(state.origin, z->name, z->namelen); 1609 state.origin_len = z->namelen; 1610 } 1611 /* parse the (toplevel) file */ 1612 if(!az_parse_file(z, in, rr, sizeof(rr), &state, zfilename, 0, cfg)) { 1613 char* n = sldns_wire2str_dname(z->name, z->namelen); 1614 log_err("error parsing zonefile %s for %s", 1615 zfilename, n?n:"error"); 1616 free(n); 1617 fclose(in); 1618 return 0; 1619 } 1620 fclose(in); 1621 1622 if(z->rpz) 1623 rpz_finish_config(z->rpz); 1624 return 1; 1625} 1626 1627/** write buffer to file and check return codes */ 1628static int 1629write_out(FILE* out, const char* str, size_t len) 1630{ 1631 size_t r; 1632 if(len == 0) 1633 return 1; 1634 r = fwrite(str, 1, len, out); 1635 if(r == 0) { 1636 log_err("write failed: %s", strerror(errno)); 1637 return 0; 1638 } else if(r < len) { 1639 log_err("write failed: too short (disk full?)"); 1640 return 0; 1641 } 1642 return 1; 1643} 1644 1645/** convert auth rr to string */ 1646static int 1647auth_rr_to_string(uint8_t* nm, size_t nmlen, uint16_t tp, uint16_t cl, 1648 struct packed_rrset_data* data, size_t i, char* s, size_t buflen) 1649{ 1650 int w = 0; 1651 size_t slen = buflen, datlen; 1652 uint8_t* dat; 1653 if(i >= data->count) tp = LDNS_RR_TYPE_RRSIG; 1654 dat = nm; 1655 datlen = nmlen; 1656 w += sldns_wire2str_dname_scan(&dat, &datlen, &s, &slen, NULL, 0, NULL); 1657 w += sldns_str_print(&s, &slen, "\t"); 1658 w += sldns_str_print(&s, &slen, "%lu\t", (unsigned long)data->rr_ttl[i]); 1659 w += sldns_wire2str_class_print(&s, &slen, cl); 1660 w += sldns_str_print(&s, &slen, "\t"); 1661 w += sldns_wire2str_type_print(&s, &slen, tp); 1662 w += sldns_str_print(&s, &slen, "\t"); 1663 datlen = data->rr_len[i]-2; 1664 dat = data->rr_data[i]+2; 1665 w += sldns_wire2str_rdata_scan(&dat, &datlen, &s, &slen, tp, NULL, 0, NULL); 1666 1667 if(tp == LDNS_RR_TYPE_DNSKEY) { 1668 w += sldns_str_print(&s, &slen, " ;{id = %u}", 1669 sldns_calc_keytag_raw(data->rr_data[i]+2, 1670 data->rr_len[i]-2)); 1671 } 1672 w += sldns_str_print(&s, &slen, "\n"); 1673 1674 if(w >= (int)buflen) { 1675 log_nametypeclass(NO_VERBOSE, "RR too long to print", nm, tp, cl); 1676 return 0; 1677 } 1678 return 1; 1679} 1680 1681/** write rrset to file */ 1682static int 1683auth_zone_write_rrset(struct auth_zone* z, struct auth_data* node, 1684 struct auth_rrset* r, FILE* out) 1685{ 1686 size_t i, count = r->data->count + r->data->rrsig_count; 1687 char buf[LDNS_RR_BUF_SIZE]; 1688 for(i=0; i<count; i++) { 1689 if(!auth_rr_to_string(node->name, node->namelen, r->type, 1690 z->dclass, r->data, i, buf, sizeof(buf))) { 1691 verbose(VERB_ALGO, "failed to rr2str rr %d", (int)i); 1692 continue; 1693 } 1694 if(!write_out(out, buf, strlen(buf))) 1695 return 0; 1696 } 1697 return 1; 1698} 1699 1700/** write domain to file */ 1701static int 1702auth_zone_write_domain(struct auth_zone* z, struct auth_data* n, FILE* out) 1703{ 1704 struct auth_rrset* r; 1705 /* if this is zone apex, write SOA first */ 1706 if(z->namelen == n->namelen) { 1707 struct auth_rrset* soa = az_domain_rrset(n, LDNS_RR_TYPE_SOA); 1708 if(soa) { 1709 if(!auth_zone_write_rrset(z, n, soa, out)) 1710 return 0; 1711 } 1712 } 1713 /* write all the RRsets for this domain */ 1714 for(r = n->rrsets; r; r = r->next) { 1715 if(z->namelen == n->namelen && 1716 r->type == LDNS_RR_TYPE_SOA) 1717 continue; /* skip SOA here */ 1718 if(!auth_zone_write_rrset(z, n, r, out)) 1719 return 0; 1720 } 1721 return 1; 1722} 1723 1724int auth_zone_write_file(struct auth_zone* z, const char* fname) 1725{ 1726 FILE* out; 1727 struct auth_data* n; 1728 out = fopen(fname, "w"); 1729 if(!out) { 1730 log_err("could not open %s: %s", fname, strerror(errno)); 1731 return 0; 1732 } 1733 RBTREE_FOR(n, struct auth_data*, &z->data) { 1734 if(!auth_zone_write_domain(z, n, out)) { 1735 log_err("could not write domain to %s", fname); 1736 fclose(out); 1737 return 0; 1738 } 1739 } 1740 fclose(out); 1741 return 1; 1742} 1743 1744/** read all auth zones from file (if they have) */ 1745static int 1746auth_zones_read_zones(struct auth_zones* az, struct config_file* cfg) 1747{ 1748 struct auth_zone* z; 1749 lock_rw_wrlock(&az->lock); 1750 RBTREE_FOR(z, struct auth_zone*, &az->ztree) { 1751 lock_rw_wrlock(&z->lock); 1752 if(!auth_zone_read_zonefile(z, cfg)) { 1753 lock_rw_unlock(&z->lock); 1754 lock_rw_unlock(&az->lock); 1755 return 0; 1756 } 1757 lock_rw_unlock(&z->lock); 1758 } 1759 lock_rw_unlock(&az->lock); 1760 return 1; 1761} 1762 1763/** find serial number of zone or false if none */ 1764int 1765auth_zone_get_serial(struct auth_zone* z, uint32_t* serial) 1766{ 1767 struct auth_data* apex; 1768 struct auth_rrset* soa; 1769 struct packed_rrset_data* d; 1770 apex = az_find_name(z, z->name, z->namelen); 1771 if(!apex) return 0; 1772 soa = az_domain_rrset(apex, LDNS_RR_TYPE_SOA); 1773 if(!soa || soa->data->count==0) 1774 return 0; /* no RRset or no RRs in rrset */ 1775 if(soa->data->rr_len[0] < 2+4*5) return 0; /* SOA too short */ 1776 d = soa->data; 1777 *serial = sldns_read_uint32(d->rr_data[0]+(d->rr_len[0]-20)); 1778 return 1; 1779} 1780 1781/** Find auth_zone SOA and populate the values in xfr(soa values). */ 1782static int 1783xfr_find_soa(struct auth_zone* z, struct auth_xfer* xfr) 1784{ 1785 struct auth_data* apex; 1786 struct auth_rrset* soa; 1787 struct packed_rrset_data* d; 1788 apex = az_find_name(z, z->name, z->namelen); 1789 if(!apex) return 0; 1790 soa = az_domain_rrset(apex, LDNS_RR_TYPE_SOA); 1791 if(!soa || soa->data->count==0) 1792 return 0; /* no RRset or no RRs in rrset */ 1793 if(soa->data->rr_len[0] < 2+4*5) return 0; /* SOA too short */ 1794 /* SOA record ends with serial, refresh, retry, expiry, minimum, 1795 * as 4 byte fields */ 1796 d = soa->data; 1797 xfr->have_zone = 1; 1798 xfr->serial = sldns_read_uint32(d->rr_data[0]+(d->rr_len[0]-20)); 1799 xfr->refresh = sldns_read_uint32(d->rr_data[0]+(d->rr_len[0]-16)); 1800 xfr->retry = sldns_read_uint32(d->rr_data[0]+(d->rr_len[0]-12)); 1801 xfr->expiry = sldns_read_uint32(d->rr_data[0]+(d->rr_len[0]-8)); 1802 /* soa minimum at d->rr_len[0]-4 */ 1803 return 1; 1804} 1805 1806/** 1807 * Setup auth_xfer zone 1808 * This populates the have_zone, soa values, and so on times. 1809 * Doesn't do network traffic yet, can set option flags. 1810 * @param z: locked by caller, and modified for setup 1811 * @param x: locked by caller, and modified. 1812 * @return false on failure. 1813 */ 1814static int 1815auth_xfer_setup(struct auth_zone* z, struct auth_xfer* x) 1816{ 1817 /* for a zone without zone transfers, x==NULL, so skip them, 1818 * i.e. the zone config is fixed with no masters or urls */ 1819 if(!z || !x) return 1; 1820 if(!xfr_find_soa(z, x)) { 1821 return 1; 1822 } 1823 /* nothing for probe, nextprobe and transfer tasks */ 1824 return 1; 1825} 1826 1827/** 1828 * Setup all zones 1829 * @param az: auth zones structure 1830 * @return false on failure. 1831 */ 1832static int 1833auth_zones_setup_zones(struct auth_zones* az) 1834{ 1835 struct auth_zone* z; 1836 struct auth_xfer* x; 1837 lock_rw_wrlock(&az->lock); 1838 RBTREE_FOR(z, struct auth_zone*, &az->ztree) { 1839 lock_rw_wrlock(&z->lock); 1840 x = auth_xfer_find(az, z->name, z->namelen, z->dclass); 1841 if(x) { 1842 lock_basic_lock(&x->lock); 1843 } 1844 if(!auth_xfer_setup(z, x)) { 1845 if(x) { 1846 lock_basic_unlock(&x->lock); 1847 } 1848 lock_rw_unlock(&z->lock); 1849 lock_rw_unlock(&az->lock); 1850 return 0; 1851 } 1852 if(x) { 1853 lock_basic_unlock(&x->lock); 1854 } 1855 lock_rw_unlock(&z->lock); 1856 } 1857 lock_rw_unlock(&az->lock); 1858 return 1; 1859} 1860 1861/** set config items and create zones */ 1862static int 1863auth_zones_cfg(struct auth_zones* az, struct config_auth* c) 1864{ 1865 struct auth_zone* z; 1866 struct auth_xfer* x = NULL; 1867 1868 /* create zone */ 1869 if(c->isrpz) { 1870 /* if the rpz lock is needed, grab it before the other 1871 * locks to avoid a lock dependency cycle */ 1872 lock_rw_wrlock(&az->rpz_lock); 1873 } 1874 lock_rw_wrlock(&az->lock); 1875 if(!(z=auth_zones_find_or_add_zone(az, c->name))) { 1876 lock_rw_unlock(&az->lock); 1877 if(c->isrpz) { 1878 lock_rw_unlock(&az->rpz_lock); 1879 } 1880 return 0; 1881 } 1882 if(c->masters || c->urls) { 1883 if(!(x=auth_zones_find_or_add_xfer(az, z))) { 1884 lock_rw_unlock(&az->lock); 1885 lock_rw_unlock(&z->lock); 1886 if(c->isrpz) { 1887 lock_rw_unlock(&az->rpz_lock); 1888 } 1889 return 0; 1890 } 1891 } 1892 if(c->for_downstream) 1893 az->have_downstream = 1; 1894 lock_rw_unlock(&az->lock); 1895 1896 /* set options */ 1897 z->zone_deleted = 0; 1898 if(!auth_zone_set_zonefile(z, c->zonefile)) { 1899 if(x) { 1900 lock_basic_unlock(&x->lock); 1901 } 1902 lock_rw_unlock(&z->lock); 1903 if(c->isrpz) { 1904 lock_rw_unlock(&az->rpz_lock); 1905 } 1906 return 0; 1907 } 1908 z->for_downstream = c->for_downstream; 1909 z->for_upstream = c->for_upstream; 1910 z->fallback_enabled = c->fallback_enabled; 1911 if(c->isrpz && !z->rpz){ 1912 if(!(z->rpz = rpz_create(c))){ 1913 fatal_exit("Could not setup RPZ zones"); 1914 return 0; 1915 } 1916 lock_protect(&z->lock, &z->rpz->local_zones, sizeof(*z->rpz)); 1917 /* the az->rpz_lock is locked above */ 1918 z->rpz_az_next = az->rpz_first; 1919 if(az->rpz_first) 1920 az->rpz_first->rpz_az_prev = z; 1921 az->rpz_first = z; 1922 } 1923 if(c->isrpz) { 1924 lock_rw_unlock(&az->rpz_lock); 1925 } 1926 1927 /* xfer zone */ 1928 if(x) { 1929 z->zone_is_slave = 1; 1930 /* set options on xfer zone */ 1931 if(!xfer_set_masters(&x->task_probe->masters, c, 0)) { 1932 lock_basic_unlock(&x->lock); 1933 lock_rw_unlock(&z->lock); 1934 return 0; 1935 } 1936 if(!xfer_set_masters(&x->task_transfer->masters, c, 1)) { 1937 lock_basic_unlock(&x->lock); 1938 lock_rw_unlock(&z->lock); 1939 return 0; 1940 } 1941 lock_basic_unlock(&x->lock); 1942 } 1943 1944 lock_rw_unlock(&z->lock); 1945 return 1; 1946} 1947 1948/** set all auth zones deleted, then in auth_zones_cfg, it marks them 1949 * as nondeleted (if they are still in the config), and then later 1950 * we can find deleted zones */ 1951static void 1952az_setall_deleted(struct auth_zones* az) 1953{ 1954 struct auth_zone* z; 1955 lock_rw_wrlock(&az->lock); 1956 RBTREE_FOR(z, struct auth_zone*, &az->ztree) { 1957 lock_rw_wrlock(&z->lock); 1958 z->zone_deleted = 1; 1959 lock_rw_unlock(&z->lock); 1960 } 1961 lock_rw_unlock(&az->lock); 1962} 1963 1964/** find zones that are marked deleted and delete them. 1965 * This is called from apply_cfg, and there are no threads and no 1966 * workers, so the xfr can just be deleted. */ 1967static void 1968az_delete_deleted_zones(struct auth_zones* az) 1969{ 1970 struct auth_zone* z; 1971 struct auth_zone* delete_list = NULL, *next; 1972 struct auth_xfer* xfr; 1973 lock_rw_wrlock(&az->lock); 1974 RBTREE_FOR(z, struct auth_zone*, &az->ztree) { 1975 lock_rw_wrlock(&z->lock); 1976 if(z->zone_deleted) { 1977 /* we cannot alter the rbtree right now, but 1978 * we can put it on a linked list and then 1979 * delete it */ 1980 z->delete_next = delete_list; 1981 delete_list = z; 1982 } 1983 lock_rw_unlock(&z->lock); 1984 } 1985 /* now we are out of the tree loop and we can loop and delete 1986 * the zones */ 1987 z = delete_list; 1988 while(z) { 1989 next = z->delete_next; 1990 xfr = auth_xfer_find(az, z->name, z->namelen, z->dclass); 1991 if(xfr) { 1992 (void)rbtree_delete(&az->xtree, &xfr->node); 1993 auth_xfer_delete(xfr); 1994 } 1995 (void)rbtree_delete(&az->ztree, &z->node); 1996 auth_zone_delete(z, az); 1997 z = next; 1998 } 1999 lock_rw_unlock(&az->lock); 2000} 2001 2002int auth_zones_apply_cfg(struct auth_zones* az, struct config_file* cfg, 2003 int setup, int* is_rpz) 2004{ 2005 struct config_auth* p; 2006 az_setall_deleted(az); 2007 for(p = cfg->auths; p; p = p->next) { 2008 if(!p->name || p->name[0] == 0) { 2009 log_warn("auth-zone without a name, skipped"); 2010 continue; 2011 } 2012 *is_rpz = (*is_rpz || p->isrpz); 2013 if(!auth_zones_cfg(az, p)) { 2014 log_err("cannot config auth zone %s", p->name); 2015 return 0; 2016 } 2017 } 2018 az_delete_deleted_zones(az); 2019 if(!auth_zones_read_zones(az, cfg)) 2020 return 0; 2021 if(setup) { 2022 if(!auth_zones_setup_zones(az)) 2023 return 0; 2024 } 2025 return 1; 2026} 2027 2028/** delete chunks 2029 * @param at: transfer structure with chunks list. The chunks and their 2030 * data are freed. 2031 */ 2032static void 2033auth_chunks_delete(struct auth_transfer* at) 2034{ 2035 if(at->chunks_first) { 2036 struct auth_chunk* c, *cn; 2037 c = at->chunks_first; 2038 while(c) { 2039 cn = c->next; 2040 free(c->data); 2041 free(c); 2042 c = cn; 2043 } 2044 } 2045 at->chunks_first = NULL; 2046 at->chunks_last = NULL; 2047} 2048 2049/** free master addr list */ 2050static void 2051auth_free_master_addrs(struct auth_addr* list) 2052{ 2053 struct auth_addr *n; 2054 while(list) { 2055 n = list->next; 2056 free(list); 2057 list = n; 2058 } 2059} 2060 2061/** free the masters list */ 2062static void 2063auth_free_masters(struct auth_master* list) 2064{ 2065 struct auth_master* n; 2066 while(list) { 2067 n = list->next; 2068 auth_free_master_addrs(list->list); 2069 free(list->host); 2070 free(list->file); 2071 free(list); 2072 list = n; 2073 } 2074} 2075 2076/** delete auth xfer structure 2077 * @param xfr: delete this xfer and its tasks. 2078 */ 2079static void 2080auth_xfer_delete(struct auth_xfer* xfr) 2081{ 2082 if(!xfr) return; 2083 lock_basic_destroy(&xfr->lock); 2084 free(xfr->name); 2085 if(xfr->task_nextprobe) { 2086 comm_timer_delete(xfr->task_nextprobe->timer); 2087 free(xfr->task_nextprobe); 2088 } 2089 if(xfr->task_probe) { 2090 auth_free_masters(xfr->task_probe->masters); 2091 comm_point_delete(xfr->task_probe->cp); 2092 comm_timer_delete(xfr->task_probe->timer); 2093 free(xfr->task_probe); 2094 } 2095 if(xfr->task_transfer) { 2096 auth_free_masters(xfr->task_transfer->masters); 2097 comm_point_delete(xfr->task_transfer->cp); 2098 comm_timer_delete(xfr->task_transfer->timer); 2099 if(xfr->task_transfer->chunks_first) { 2100 auth_chunks_delete(xfr->task_transfer); 2101 } 2102 free(xfr->task_transfer); 2103 } 2104 auth_free_masters(xfr->allow_notify_list); 2105 free(xfr); 2106} 2107 2108/** helper traverse to delete zones */ 2109static void 2110auth_zone_del(rbnode_type* n, void* ATTR_UNUSED(arg)) 2111{ 2112 struct auth_zone* z = (struct auth_zone*)n->key; 2113 auth_zone_delete(z, NULL); 2114} 2115 2116/** helper traverse to delete xfer zones */ 2117static void 2118auth_xfer_del(rbnode_type* n, void* ATTR_UNUSED(arg)) 2119{ 2120 struct auth_xfer* z = (struct auth_xfer*)n->key; 2121 auth_xfer_delete(z); 2122} 2123 2124void auth_zones_delete(struct auth_zones* az) 2125{ 2126 if(!az) return; 2127 lock_rw_destroy(&az->lock); 2128 lock_rw_destroy(&az->rpz_lock); 2129 traverse_postorder(&az->ztree, auth_zone_del, NULL); 2130 traverse_postorder(&az->xtree, auth_xfer_del, NULL); 2131 free(az); 2132} 2133 2134/** true if domain has only nsec3 */ 2135static int 2136domain_has_only_nsec3(struct auth_data* n) 2137{ 2138 struct auth_rrset* rrset = n->rrsets; 2139 int nsec3_seen = 0; 2140 while(rrset) { 2141 if(rrset->type == LDNS_RR_TYPE_NSEC3) { 2142 nsec3_seen = 1; 2143 } else if(rrset->type != LDNS_RR_TYPE_RRSIG) { 2144 return 0; 2145 } 2146 rrset = rrset->next; 2147 } 2148 return nsec3_seen; 2149} 2150 2151/** see if the domain has a wildcard child '*.domain' */ 2152static struct auth_data* 2153az_find_wildcard_domain(struct auth_zone* z, uint8_t* nm, size_t nmlen) 2154{ 2155 uint8_t wc[LDNS_MAX_DOMAINLEN]; 2156 if(nmlen+2 > sizeof(wc)) 2157 return NULL; /* result would be too long */ 2158 wc[0] = 1; /* length of wildcard label */ 2159 wc[1] = (uint8_t)'*'; /* wildcard label */ 2160 memmove(wc+2, nm, nmlen); 2161 return az_find_name(z, wc, nmlen+2); 2162} 2163 2164/** find wildcard between qname and cename */ 2165static struct auth_data* 2166az_find_wildcard(struct auth_zone* z, struct query_info* qinfo, 2167 struct auth_data* ce) 2168{ 2169 uint8_t* nm = qinfo->qname; 2170 size_t nmlen = qinfo->qname_len; 2171 struct auth_data* node; 2172 if(!dname_subdomain_c(nm, z->name)) 2173 return NULL; /* out of zone */ 2174 while((node=az_find_wildcard_domain(z, nm, nmlen))==NULL) { 2175 /* see if we can go up to find the wildcard */ 2176 if(nmlen == z->namelen) 2177 return NULL; /* top of zone reached */ 2178 if(ce && nmlen == ce->namelen) 2179 return NULL; /* ce reached */ 2180 if(dname_is_root(nm)) 2181 return NULL; /* cannot go up */ 2182 dname_remove_label(&nm, &nmlen); 2183 } 2184 return node; 2185} 2186 2187/** domain is not exact, find first candidate ce (name that matches 2188 * a part of qname) in tree */ 2189static struct auth_data* 2190az_find_candidate_ce(struct auth_zone* z, struct query_info* qinfo, 2191 struct auth_data* n) 2192{ 2193 uint8_t* nm; 2194 size_t nmlen; 2195 if(n) { 2196 nm = dname_get_shared_topdomain(qinfo->qname, n->name); 2197 } else { 2198 nm = qinfo->qname; 2199 } 2200 dname_count_size_labels(nm, &nmlen); 2201 n = az_find_name(z, nm, nmlen); 2202 /* delete labels and go up on name */ 2203 while(!n) { 2204 if(dname_is_root(nm)) 2205 return NULL; /* cannot go up */ 2206 dname_remove_label(&nm, &nmlen); 2207 n = az_find_name(z, nm, nmlen); 2208 } 2209 return n; 2210} 2211 2212/** go up the auth tree to next existing name. */ 2213static struct auth_data* 2214az_domain_go_up(struct auth_zone* z, struct auth_data* n) 2215{ 2216 uint8_t* nm = n->name; 2217 size_t nmlen = n->namelen; 2218 while(!dname_is_root(nm)) { 2219 dname_remove_label(&nm, &nmlen); 2220 if((n=az_find_name(z, nm, nmlen)) != NULL) 2221 return n; 2222 } 2223 return NULL; 2224} 2225 2226/** Find the closest encloser, an name that exists and is above the 2227 * qname. 2228 * return true if the node (param node) is existing, nonobscured and 2229 * can be used to generate answers from. It is then also node_exact. 2230 * returns false if the node is not good enough (or it wasn't node_exact) 2231 * in this case the ce can be filled. 2232 * if ce is NULL, no ce exists, and likely the zone is completely empty, 2233 * not even with a zone apex. 2234 * if ce is nonNULL it is the closest enclosing upper name (that exists 2235 * itself for answer purposes). That name may have DNAME, NS or wildcard 2236 * rrset is the closest DNAME or NS rrset that was found. 2237 */ 2238static int 2239az_find_ce(struct auth_zone* z, struct query_info* qinfo, 2240 struct auth_data* node, int node_exact, struct auth_data** ce, 2241 struct auth_rrset** rrset) 2242{ 2243 struct auth_data* n = node; 2244 *ce = NULL; 2245 *rrset = NULL; 2246 if(!node_exact) { 2247 /* if not exact, lookup closest exact match */ 2248 n = az_find_candidate_ce(z, qinfo, n); 2249 } else { 2250 /* if exact, the node itself is the first candidate ce */ 2251 *ce = n; 2252 } 2253 2254 /* no direct answer from nsec3-only domains */ 2255 if(n && domain_has_only_nsec3(n)) { 2256 node_exact = 0; 2257 *ce = NULL; 2258 } 2259 2260 /* with exact matches, walk up the labels until we find the 2261 * delegation, or DNAME or zone end */ 2262 while(n) { 2263 /* see if the current candidate has issues */ 2264 /* not zone apex and has type NS */ 2265 if(n->namelen != z->namelen && 2266 (*rrset=az_domain_rrset(n, LDNS_RR_TYPE_NS)) && 2267 /* delegate here, but DS at exact the dp has notype */ 2268 (qinfo->qtype != LDNS_RR_TYPE_DS || 2269 n->namelen != qinfo->qname_len)) { 2270 /* referral */ 2271 /* this is ce and the lowernode is nonexisting */ 2272 *ce = n; 2273 return 0; 2274 } 2275 /* not equal to qname and has type DNAME */ 2276 if(n->namelen != qinfo->qname_len && 2277 (*rrset=az_domain_rrset(n, LDNS_RR_TYPE_DNAME))) { 2278 /* this is ce and the lowernode is nonexisting */ 2279 *ce = n; 2280 return 0; 2281 } 2282 2283 if(*ce == NULL && !domain_has_only_nsec3(n)) { 2284 /* if not found yet, this exact name must be 2285 * our lowest match (but not nsec3onlydomain) */ 2286 *ce = n; 2287 } 2288 2289 /* walk up the tree by removing labels from name and lookup */ 2290 n = az_domain_go_up(z, n); 2291 } 2292 /* found no problems, if it was an exact node, it is fine to use */ 2293 return node_exact; 2294} 2295 2296/** add additional A/AAAA from domain names in rrset rdata (+offset) 2297 * offset is number of bytes in rdata where the dname is located. */ 2298static int 2299az_add_additionals_from(struct auth_zone* z, struct regional* region, 2300 struct dns_msg* msg, struct auth_rrset* rrset, size_t offset) 2301{ 2302 struct packed_rrset_data* d = rrset->data; 2303 size_t i; 2304 if(!d) return 0; 2305 for(i=0; i<d->count; i++) { 2306 size_t dlen; 2307 struct auth_data* domain; 2308 struct auth_rrset* ref; 2309 if(d->rr_len[i] < 2+offset) 2310 continue; /* too short */ 2311 if(!(dlen = dname_valid(d->rr_data[i]+2+offset, 2312 d->rr_len[i]-2-offset))) 2313 continue; /* malformed */ 2314 domain = az_find_name(z, d->rr_data[i]+2+offset, dlen); 2315 if(!domain) 2316 continue; 2317 if((ref=az_domain_rrset(domain, LDNS_RR_TYPE_A)) != NULL) { 2318 if(!msg_add_rrset_ar(z, region, msg, domain, ref)) 2319 return 0; 2320 } 2321 if((ref=az_domain_rrset(domain, LDNS_RR_TYPE_AAAA)) != NULL) { 2322 if(!msg_add_rrset_ar(z, region, msg, domain, ref)) 2323 return 0; 2324 } 2325 } 2326 return 1; 2327} 2328 2329/** add negative SOA record (with negative TTL) */ 2330static int 2331az_add_negative_soa(struct auth_zone* z, struct regional* region, 2332 struct dns_msg* msg) 2333{ 2334 uint32_t minimum; 2335 struct packed_rrset_data* d; 2336 struct auth_rrset* soa; 2337 struct auth_data* apex = az_find_name(z, z->name, z->namelen); 2338 if(!apex) return 0; 2339 soa = az_domain_rrset(apex, LDNS_RR_TYPE_SOA); 2340 if(!soa) return 0; 2341 /* must be first to put in message; we want to fix the TTL with 2342 * one RRset here, otherwise we'd need to loop over the RRs to get 2343 * the resulting lower TTL */ 2344 log_assert(msg->rep->rrset_count == 0); 2345 if(!msg_add_rrset_ns(z, region, msg, apex, soa)) return 0; 2346 /* fixup TTL */ 2347 d = (struct packed_rrset_data*)msg->rep->rrsets[msg->rep->rrset_count-1]->entry.data; 2348 /* last 4 bytes are minimum ttl in network format */ 2349 if(d->count == 0) return 0; 2350 if(d->rr_len[0] < 2+4) return 0; 2351 minimum = sldns_read_uint32(d->rr_data[0]+(d->rr_len[0]-4)); 2352 d->ttl = (time_t)minimum; 2353 d->rr_ttl[0] = (time_t)minimum; 2354 msg->rep->ttl = get_rrset_ttl(msg->rep->rrsets[0]); 2355 msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(msg->rep->ttl); 2356 msg->rep->serve_expired_ttl = msg->rep->ttl + SERVE_EXPIRED_TTL; 2357 return 1; 2358} 2359 2360/** See if the query goes to empty nonterminal (that has no auth_data, 2361 * but there are nodes underneath. We already checked that there are 2362 * not NS, or DNAME above, so that we only need to check if some node 2363 * exists below (with nonempty rr list), return true if emptynonterminal */ 2364static int 2365az_empty_nonterminal(struct auth_zone* z, struct query_info* qinfo, 2366 struct auth_data* node) 2367{ 2368 struct auth_data* next; 2369 if(!node) { 2370 /* no smaller was found, use first (smallest) node as the 2371 * next one */ 2372 next = (struct auth_data*)rbtree_first(&z->data); 2373 } else { 2374 next = (struct auth_data*)rbtree_next(&node->node); 2375 } 2376 while(next && (rbnode_type*)next != RBTREE_NULL && next->rrsets == NULL) { 2377 /* the next name has empty rrsets, is an empty nonterminal 2378 * itself, see if there exists something below it */ 2379 next = (struct auth_data*)rbtree_next(&node->node); 2380 } 2381 if((rbnode_type*)next == RBTREE_NULL || !next) { 2382 /* there is no next node, so something below it cannot 2383 * exist */ 2384 return 0; 2385 } 2386 /* a next node exists, if there was something below the query, 2387 * this node has to be it. See if it is below the query name */ 2388 if(dname_strict_subdomain_c(next->name, qinfo->qname)) 2389 return 1; 2390 return 0; 2391} 2392 2393/** create synth cname target name in buffer, or fail if too long */ 2394static size_t 2395synth_cname_buf(uint8_t* qname, size_t qname_len, size_t dname_len, 2396 uint8_t* dtarg, size_t dtarglen, uint8_t* buf, size_t buflen) 2397{ 2398 size_t newlen = qname_len + dtarglen - dname_len; 2399 if(newlen > buflen) { 2400 /* YXDOMAIN error */ 2401 return 0; 2402 } 2403 /* new name is concatenation of qname front (without DNAME owner) 2404 * and DNAME target name */ 2405 memcpy(buf, qname, qname_len-dname_len); 2406 memmove(buf+(qname_len-dname_len), dtarg, dtarglen); 2407 return newlen; 2408} 2409 2410/** create synthetic CNAME rrset for in a DNAME answer in region, 2411 * false on alloc failure, cname==NULL when name too long. */ 2412static int 2413create_synth_cname(uint8_t* qname, size_t qname_len, struct regional* region, 2414 struct auth_data* node, struct auth_rrset* dname, uint16_t dclass, 2415 struct ub_packed_rrset_key** cname) 2416{ 2417 uint8_t buf[LDNS_MAX_DOMAINLEN]; 2418 uint8_t* dtarg; 2419 size_t dtarglen, newlen; 2420 struct packed_rrset_data* d; 2421 2422 /* get DNAME target name */ 2423 if(dname->data->count < 1) return 0; 2424 if(dname->data->rr_len[0] < 3) return 0; /* at least rdatalen +1 */ 2425 dtarg = dname->data->rr_data[0]+2; 2426 dtarglen = dname->data->rr_len[0]-2; 2427 if(sldns_read_uint16(dname->data->rr_data[0]) != dtarglen) 2428 return 0; /* rdatalen in DNAME rdata is malformed */ 2429 if(dname_valid(dtarg, dtarglen) != dtarglen) 2430 return 0; /* DNAME RR has malformed rdata */ 2431 if(qname_len == 0) 2432 return 0; /* too short */ 2433 if(qname_len <= node->namelen) 2434 return 0; /* qname too short for dname removal */ 2435 2436 /* synthesize a CNAME */ 2437 newlen = synth_cname_buf(qname, qname_len, node->namelen, 2438 dtarg, dtarglen, buf, sizeof(buf)); 2439 if(newlen == 0) { 2440 /* YXDOMAIN error */ 2441 *cname = NULL; 2442 return 1; 2443 } 2444 *cname = (struct ub_packed_rrset_key*)regional_alloc(region, 2445 sizeof(struct ub_packed_rrset_key)); 2446 if(!*cname) 2447 return 0; /* out of memory */ 2448 memset(&(*cname)->entry, 0, sizeof((*cname)->entry)); 2449 (*cname)->entry.key = (*cname); 2450 (*cname)->rk.type = htons(LDNS_RR_TYPE_CNAME); 2451 (*cname)->rk.rrset_class = htons(dclass); 2452 (*cname)->rk.flags = 0; 2453 (*cname)->rk.dname = regional_alloc_init(region, qname, qname_len); 2454 if(!(*cname)->rk.dname) 2455 return 0; /* out of memory */ 2456 (*cname)->rk.dname_len = qname_len; 2457 (*cname)->entry.hash = rrset_key_hash(&(*cname)->rk); 2458 d = (struct packed_rrset_data*)regional_alloc_zero(region, 2459 sizeof(struct packed_rrset_data) + sizeof(size_t) + 2460 sizeof(uint8_t*) + sizeof(time_t) + sizeof(uint16_t) 2461 + newlen); 2462 if(!d) 2463 return 0; /* out of memory */ 2464 (*cname)->entry.data = d; 2465 d->ttl = 0; /* 0 for synthesized CNAME TTL */ 2466 d->count = 1; 2467 d->rrsig_count = 0; 2468 d->trust = rrset_trust_ans_noAA; 2469 d->rr_len = (size_t*)((uint8_t*)d + 2470 sizeof(struct packed_rrset_data)); 2471 d->rr_len[0] = newlen + sizeof(uint16_t); 2472 packed_rrset_ptr_fixup(d); 2473 d->rr_ttl[0] = d->ttl; 2474 sldns_write_uint16(d->rr_data[0], newlen); 2475 memmove(d->rr_data[0] + sizeof(uint16_t), buf, newlen); 2476 return 1; 2477} 2478 2479/** add a synthesized CNAME to the answer section */ 2480static int 2481add_synth_cname(struct auth_zone* z, uint8_t* qname, size_t qname_len, 2482 struct regional* region, struct dns_msg* msg, struct auth_data* dname, 2483 struct auth_rrset* rrset) 2484{ 2485 struct ub_packed_rrset_key* cname; 2486 /* synthesize a CNAME */ 2487 if(!create_synth_cname(qname, qname_len, region, dname, rrset, 2488 z->dclass, &cname)) { 2489 /* out of memory */ 2490 return 0; 2491 } 2492 if(!cname) { 2493 /* cname cannot be create because of YXDOMAIN */ 2494 msg->rep->flags |= LDNS_RCODE_YXDOMAIN; 2495 return 1; 2496 } 2497 /* add cname to message */ 2498 if(!msg_grow_array(region, msg)) 2499 return 0; 2500 msg->rep->rrsets[msg->rep->rrset_count] = cname; 2501 msg->rep->rrset_count++; 2502 msg->rep->an_numrrsets++; 2503 msg_ttl(msg); 2504 return 1; 2505} 2506 2507/** Change a dname to a different one, for wildcard namechange */ 2508static void 2509az_change_dnames(struct dns_msg* msg, uint8_t* oldname, uint8_t* newname, 2510 size_t newlen, int an_only) 2511{ 2512 size_t i; 2513 size_t start = 0, end = msg->rep->rrset_count; 2514 if(!an_only) start = msg->rep->an_numrrsets; 2515 if(an_only) end = msg->rep->an_numrrsets; 2516 for(i=start; i<end; i++) { 2517 /* allocated in region so we can change the ptrs */ 2518 if(query_dname_compare(msg->rep->rrsets[i]->rk.dname, oldname) 2519 == 0) { 2520 msg->rep->rrsets[i]->rk.dname = newname; 2521 msg->rep->rrsets[i]->rk.dname_len = newlen; 2522 } 2523 } 2524} 2525 2526/** find NSEC record covering the query */ 2527static struct auth_rrset* 2528az_find_nsec_cover(struct auth_zone* z, struct auth_data** node) 2529{ 2530 uint8_t* nm = (*node)->name; 2531 size_t nmlen = (*node)->namelen; 2532 struct auth_rrset* rrset; 2533 /* find the NSEC for the smallest-or-equal node */ 2534 /* if node == NULL, we did not find a smaller name. But the zone 2535 * name is the smallest name and should have an NSEC. So there is 2536 * no NSEC to return (for a properly signed zone) */ 2537 /* for empty nonterminals, the auth-data node should not exist, 2538 * and thus we don't need to go rbtree_previous here to find 2539 * a domain with an NSEC record */ 2540 /* but there could be glue, and if this is node, then it has no NSEC. 2541 * Go up to find nonglue (previous) NSEC-holding nodes */ 2542 while((rrset=az_domain_rrset(*node, LDNS_RR_TYPE_NSEC)) == NULL) { 2543 if(dname_is_root(nm)) return NULL; 2544 if(nmlen == z->namelen) return NULL; 2545 dname_remove_label(&nm, &nmlen); 2546 /* adjust *node for the nsec rrset to find in */ 2547 *node = az_find_name(z, nm, nmlen); 2548 } 2549 return rrset; 2550} 2551 2552/** Find NSEC and add for wildcard denial */ 2553static int 2554az_nsec_wildcard_denial(struct auth_zone* z, struct regional* region, 2555 struct dns_msg* msg, uint8_t* cenm, size_t cenmlen) 2556{ 2557 struct query_info qinfo; 2558 int node_exact; 2559 struct auth_data* node; 2560 struct auth_rrset* nsec; 2561 uint8_t wc[LDNS_MAX_DOMAINLEN]; 2562 if(cenmlen+2 > sizeof(wc)) 2563 return 0; /* result would be too long */ 2564 wc[0] = 1; /* length of wildcard label */ 2565 wc[1] = (uint8_t)'*'; /* wildcard label */ 2566 memmove(wc+2, cenm, cenmlen); 2567 2568 /* we have '*.ce' in wc wildcard name buffer */ 2569 /* get nsec cover for that */ 2570 qinfo.qname = wc; 2571 qinfo.qname_len = cenmlen+2; 2572 qinfo.qtype = 0; 2573 qinfo.qclass = 0; 2574 az_find_domain(z, &qinfo, &node_exact, &node); 2575 if((nsec=az_find_nsec_cover(z, &node)) != NULL) { 2576 if(!msg_add_rrset_ns(z, region, msg, node, nsec)) return 0; 2577 } 2578 return 1; 2579} 2580 2581/** Find the NSEC3PARAM rrset (if any) and if true you have the parameters */ 2582static int 2583az_nsec3_param(struct auth_zone* z, int* algo, size_t* iter, uint8_t** salt, 2584 size_t* saltlen) 2585{ 2586 struct auth_data* apex; 2587 struct auth_rrset* param; 2588 size_t i; 2589 apex = az_find_name(z, z->name, z->namelen); 2590 if(!apex) return 0; 2591 param = az_domain_rrset(apex, LDNS_RR_TYPE_NSEC3PARAM); 2592 if(!param || param->data->count==0) 2593 return 0; /* no RRset or no RRs in rrset */ 2594 /* find out which NSEC3PARAM RR has supported parameters */ 2595 /* skip unknown flags (dynamic signer is recalculating nsec3 chain) */ 2596 for(i=0; i<param->data->count; i++) { 2597 uint8_t* rdata = param->data->rr_data[i]+2; 2598 size_t rdatalen = param->data->rr_len[i]; 2599 if(rdatalen < 2+5) 2600 continue; /* too short */ 2601 if(!nsec3_hash_algo_size_supported((int)(rdata[0]))) 2602 continue; /* unsupported algo */ 2603 if(rdatalen < (size_t)(2+5+(size_t)rdata[4])) 2604 continue; /* salt missing */ 2605 if((rdata[1]&NSEC3_UNKNOWN_FLAGS)!=0) 2606 continue; /* unknown flags */ 2607 *algo = (int)(rdata[0]); 2608 *iter = sldns_read_uint16(rdata+2); 2609 *saltlen = rdata[4]; 2610 if(*saltlen == 0) 2611 *salt = NULL; 2612 else *salt = rdata+5; 2613 return 1; 2614 } 2615 /* no supported params */ 2616 return 0; 2617} 2618 2619/** Hash a name with nsec3param into buffer, it has zone name appended. 2620 * return length of hash */ 2621static size_t 2622az_nsec3_hash(uint8_t* buf, size_t buflen, uint8_t* nm, size_t nmlen, 2623 int algo, size_t iter, uint8_t* salt, size_t saltlen) 2624{ 2625 size_t hlen = nsec3_hash_algo_size_supported(algo); 2626 /* buffer has domain name, nsec3hash, and 256 is for max saltlen 2627 * (salt has 0-255 length) */ 2628 unsigned char p[LDNS_MAX_DOMAINLEN+1+N3HASHBUFLEN+256]; 2629 size_t i; 2630 if(nmlen+saltlen > sizeof(p) || hlen+saltlen > sizeof(p)) 2631 return 0; 2632 if(hlen > buflen) 2633 return 0; /* somehow too large for destination buffer */ 2634 /* hashfunc(name, salt) */ 2635 memmove(p, nm, nmlen); 2636 query_dname_tolower(p); 2637 if(salt && saltlen > 0) 2638 memmove(p+nmlen, salt, saltlen); 2639 (void)secalgo_nsec3_hash(algo, p, nmlen+saltlen, (unsigned char*)buf); 2640 for(i=0; i<iter; i++) { 2641 /* hashfunc(hash, salt) */ 2642 memmove(p, buf, hlen); 2643 if(salt && saltlen > 0) 2644 memmove(p+hlen, salt, saltlen); 2645 (void)secalgo_nsec3_hash(algo, p, hlen+saltlen, 2646 (unsigned char*)buf); 2647 } 2648 return hlen; 2649} 2650 2651/** Hash name and return b32encoded hashname for lookup, zone name appended */ 2652static int 2653az_nsec3_hashname(struct auth_zone* z, uint8_t* hashname, size_t* hashnmlen, 2654 uint8_t* nm, size_t nmlen, int algo, size_t iter, uint8_t* salt, 2655 size_t saltlen) 2656{ 2657 uint8_t hash[N3HASHBUFLEN]; 2658 size_t hlen; 2659 int ret; 2660 hlen = az_nsec3_hash(hash, sizeof(hash), nm, nmlen, algo, iter, 2661 salt, saltlen); 2662 if(!hlen) return 0; 2663 /* b32 encode */ 2664 if(*hashnmlen < hlen*2+1+z->namelen) /* approx b32 as hexb16 */ 2665 return 0; 2666 ret = sldns_b32_ntop_extended_hex(hash, hlen, (char*)(hashname+1), 2667 (*hashnmlen)-1); 2668 if(ret<1) 2669 return 0; 2670 hashname[0] = (uint8_t)ret; 2671 ret++; 2672 if((*hashnmlen) - ret < z->namelen) 2673 return 0; 2674 memmove(hashname+ret, z->name, z->namelen); 2675 *hashnmlen = z->namelen+(size_t)ret; 2676 return 1; 2677} 2678 2679/** Find the datanode that covers the nsec3hash-name */ 2680static struct auth_data* 2681az_nsec3_findnode(struct auth_zone* z, uint8_t* hashnm, size_t hashnmlen) 2682{ 2683 struct query_info qinfo; 2684 struct auth_data* node; 2685 int node_exact; 2686 qinfo.qclass = 0; 2687 qinfo.qtype = 0; 2688 qinfo.qname = hashnm; 2689 qinfo.qname_len = hashnmlen; 2690 /* because canonical ordering and b32 nsec3 ordering are the same. 2691 * this is a good lookup to find the nsec3 name. */ 2692 az_find_domain(z, &qinfo, &node_exact, &node); 2693 /* but we may have to skip non-nsec3 nodes */ 2694 /* this may be a lot, the way to speed that up is to have a 2695 * separate nsec3 tree with nsec3 nodes */ 2696 while(node && (rbnode_type*)node != RBTREE_NULL && 2697 !az_domain_rrset(node, LDNS_RR_TYPE_NSEC3)) { 2698 node = (struct auth_data*)rbtree_previous(&node->node); 2699 } 2700 if((rbnode_type*)node == RBTREE_NULL) 2701 node = NULL; 2702 return node; 2703} 2704 2705/** Find cover for hashed(nm, nmlen) (or NULL) */ 2706static struct auth_data* 2707az_nsec3_find_cover(struct auth_zone* z, uint8_t* nm, size_t nmlen, 2708 int algo, size_t iter, uint8_t* salt, size_t saltlen) 2709{ 2710 struct auth_data* node; 2711 uint8_t hname[LDNS_MAX_DOMAINLEN]; 2712 size_t hlen = sizeof(hname); 2713 if(!az_nsec3_hashname(z, hname, &hlen, nm, nmlen, algo, iter, 2714 salt, saltlen)) 2715 return NULL; 2716 node = az_nsec3_findnode(z, hname, hlen); 2717 if(node) 2718 return node; 2719 /* we did not find any, perhaps because the NSEC3 hash is before 2720 * the first hash, we have to find the 'last hash' in the zone */ 2721 node = (struct auth_data*)rbtree_last(&z->data); 2722 while(node && (rbnode_type*)node != RBTREE_NULL && 2723 !az_domain_rrset(node, LDNS_RR_TYPE_NSEC3)) { 2724 node = (struct auth_data*)rbtree_previous(&node->node); 2725 } 2726 if((rbnode_type*)node == RBTREE_NULL) 2727 node = NULL; 2728 return node; 2729} 2730 2731/** Find exact match for hashed(nm, nmlen) NSEC3 record or NULL */ 2732static struct auth_data* 2733az_nsec3_find_exact(struct auth_zone* z, uint8_t* nm, size_t nmlen, 2734 int algo, size_t iter, uint8_t* salt, size_t saltlen) 2735{ 2736 struct auth_data* node; 2737 uint8_t hname[LDNS_MAX_DOMAINLEN]; 2738 size_t hlen = sizeof(hname); 2739 if(!az_nsec3_hashname(z, hname, &hlen, nm, nmlen, algo, iter, 2740 salt, saltlen)) 2741 return NULL; 2742 node = az_find_name(z, hname, hlen); 2743 if(az_domain_rrset(node, LDNS_RR_TYPE_NSEC3)) 2744 return node; 2745 return NULL; 2746} 2747 2748/** Return nextcloser name (as a ref into the qname). This is one label 2749 * more than the cenm (cename must be a suffix of qname) */ 2750static void 2751az_nsec3_get_nextcloser(uint8_t* cenm, uint8_t* qname, size_t qname_len, 2752 uint8_t** nx, size_t* nxlen) 2753{ 2754 int celabs = dname_count_labels(cenm); 2755 int qlabs = dname_count_labels(qname); 2756 int strip = qlabs - celabs -1; 2757 log_assert(dname_strict_subdomain(qname, qlabs, cenm, celabs)); 2758 *nx = qname; 2759 *nxlen = qname_len; 2760 if(strip>0) 2761 dname_remove_labels(nx, nxlen, strip); 2762} 2763 2764/** Find the closest encloser that has exact NSEC3. 2765 * updated cenm to the new name. If it went up no-exact-ce is true. */ 2766static struct auth_data* 2767az_nsec3_find_ce(struct auth_zone* z, uint8_t** cenm, size_t* cenmlen, 2768 int* no_exact_ce, int algo, size_t iter, uint8_t* salt, size_t saltlen) 2769{ 2770 struct auth_data* node; 2771 while((node = az_nsec3_find_exact(z, *cenm, *cenmlen, 2772 algo, iter, salt, saltlen)) == NULL) { 2773 if(*cenmlen == z->namelen) { 2774 /* next step up would take us out of the zone. fail */ 2775 return NULL; 2776 } 2777 *no_exact_ce = 1; 2778 dname_remove_label(cenm, cenmlen); 2779 } 2780 return node; 2781} 2782 2783/* Insert NSEC3 record in authority section, if NULL does nothing */ 2784static int 2785az_nsec3_insert(struct auth_zone* z, struct regional* region, 2786 struct dns_msg* msg, struct auth_data* node) 2787{ 2788 struct auth_rrset* nsec3; 2789 if(!node) return 1; /* no node, skip this */ 2790 nsec3 = az_domain_rrset(node, LDNS_RR_TYPE_NSEC3); 2791 if(!nsec3) return 1; /* if no nsec3 RR, skip it */ 2792 if(!msg_add_rrset_ns(z, region, msg, node, nsec3)) return 0; 2793 return 1; 2794} 2795 2796/** add NSEC3 records to the zone for the nsec3 proof. 2797 * Specify with the flags with parts of the proof are required. 2798 * the ce is the exact matching name (for notype) but also delegation points. 2799 * qname is the one where the nextcloser name can be derived from. 2800 * If NSEC3 is not properly there (in the zone) nothing is added. 2801 * always enabled: include nsec3 proving about the Closest Encloser. 2802 * that is an exact match that should exist for it. 2803 * If that does not exist, a higher exact match + nxproof is enabled 2804 * (for some sort of opt-out empty nonterminal cases). 2805 * nodataproof: search for exact match and include that instead. 2806 * ceproof: include ce proof NSEC3 (omitted for wildcard replies). 2807 * nxproof: include denial of the qname. 2808 * wcproof: include denial of wildcard (wildcard.ce). 2809 */ 2810static int 2811az_add_nsec3_proof(struct auth_zone* z, struct regional* region, 2812 struct dns_msg* msg, uint8_t* cenm, size_t cenmlen, uint8_t* qname, 2813 size_t qname_len, int nodataproof, int ceproof, int nxproof, 2814 int wcproof) 2815{ 2816 int algo; 2817 size_t iter, saltlen; 2818 uint8_t* salt; 2819 int no_exact_ce = 0; 2820 struct auth_data* node; 2821 2822 /* find parameters of nsec3 proof */ 2823 if(!az_nsec3_param(z, &algo, &iter, &salt, &saltlen)) 2824 return 1; /* no nsec3 */ 2825 if(nodataproof) { 2826 /* see if the node has a hash of itself for the nodata 2827 * proof nsec3, this has to be an exact match nsec3. */ 2828 struct auth_data* match; 2829 match = az_nsec3_find_exact(z, qname, qname_len, algo, 2830 iter, salt, saltlen); 2831 if(match) { 2832 if(!az_nsec3_insert(z, region, msg, match)) 2833 return 0; 2834 /* only nodata NSEC3 needed, no CE or others. */ 2835 return 1; 2836 } 2837 } 2838 /* find ce that has an NSEC3 */ 2839 if(ceproof) { 2840 node = az_nsec3_find_ce(z, &cenm, &cenmlen, &no_exact_ce, 2841 algo, iter, salt, saltlen); 2842 if(no_exact_ce) nxproof = 1; 2843 if(!az_nsec3_insert(z, region, msg, node)) 2844 return 0; 2845 } 2846 2847 if(nxproof) { 2848 uint8_t* nx; 2849 size_t nxlen; 2850 /* create nextcloser domain name */ 2851 az_nsec3_get_nextcloser(cenm, qname, qname_len, &nx, &nxlen); 2852 /* find nsec3 that matches or covers it */ 2853 node = az_nsec3_find_cover(z, nx, nxlen, algo, iter, salt, 2854 saltlen); 2855 if(!az_nsec3_insert(z, region, msg, node)) 2856 return 0; 2857 } 2858 if(wcproof) { 2859 /* create wildcard name *.ce */ 2860 uint8_t wc[LDNS_MAX_DOMAINLEN]; 2861 size_t wclen; 2862 if(cenmlen+2 > sizeof(wc)) 2863 return 0; /* result would be too long */ 2864 wc[0] = 1; /* length of wildcard label */ 2865 wc[1] = (uint8_t)'*'; /* wildcard label */ 2866 memmove(wc+2, cenm, cenmlen); 2867 wclen = cenmlen+2; 2868 /* find nsec3 that matches or covers it */ 2869 node = az_nsec3_find_cover(z, wc, wclen, algo, iter, salt, 2870 saltlen); 2871 if(!az_nsec3_insert(z, region, msg, node)) 2872 return 0; 2873 } 2874 return 1; 2875} 2876 2877/** generate answer for positive answer */ 2878static int 2879az_generate_positive_answer(struct auth_zone* z, struct regional* region, 2880 struct dns_msg* msg, struct auth_data* node, struct auth_rrset* rrset) 2881{ 2882 if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0; 2883 /* see if we want additional rrs */ 2884 if(rrset->type == LDNS_RR_TYPE_MX) { 2885 if(!az_add_additionals_from(z, region, msg, rrset, 2)) 2886 return 0; 2887 } else if(rrset->type == LDNS_RR_TYPE_SRV) { 2888 if(!az_add_additionals_from(z, region, msg, rrset, 6)) 2889 return 0; 2890 } else if(rrset->type == LDNS_RR_TYPE_NS) { 2891 if(!az_add_additionals_from(z, region, msg, rrset, 0)) 2892 return 0; 2893 } 2894 return 1; 2895} 2896 2897/** generate answer for type ANY answer */ 2898static int 2899az_generate_any_answer(struct auth_zone* z, struct regional* region, 2900 struct dns_msg* msg, struct auth_data* node) 2901{ 2902 struct auth_rrset* rrset; 2903 int added = 0; 2904 /* add a couple (at least one) RRs */ 2905 if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_SOA)) != NULL) { 2906 if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0; 2907 added++; 2908 } 2909 if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_MX)) != NULL) { 2910 if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0; 2911 added++; 2912 } 2913 if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_A)) != NULL) { 2914 if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0; 2915 added++; 2916 } 2917 if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_AAAA)) != NULL) { 2918 if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0; 2919 added++; 2920 } 2921 if(added == 0 && node && node->rrsets) { 2922 if(!msg_add_rrset_an(z, region, msg, node, 2923 node->rrsets)) return 0; 2924 } 2925 return 1; 2926} 2927 2928/** follow cname chain and add more data to the answer section */ 2929static int 2930follow_cname_chain(struct auth_zone* z, uint16_t qtype, 2931 struct regional* region, struct dns_msg* msg, 2932 struct packed_rrset_data* d) 2933{ 2934 int maxchain = 0; 2935 /* see if we can add the target of the CNAME into the answer */ 2936 while(maxchain++ < MAX_CNAME_CHAIN) { 2937 struct auth_data* node; 2938 struct auth_rrset* rrset; 2939 size_t clen; 2940 /* d has cname rdata */ 2941 if(d->count == 0) break; /* no CNAME */ 2942 if(d->rr_len[0] < 2+1) break; /* too small */ 2943 if((clen=dname_valid(d->rr_data[0]+2, d->rr_len[0]-2))==0) 2944 break; /* malformed */ 2945 if(!dname_subdomain_c(d->rr_data[0]+2, z->name)) 2946 break; /* target out of zone */ 2947 if((node = az_find_name(z, d->rr_data[0]+2, clen))==NULL) 2948 break; /* no such target name */ 2949 if((rrset=az_domain_rrset(node, qtype))!=NULL) { 2950 /* done we found the target */ 2951 if(!msg_add_rrset_an(z, region, msg, node, rrset)) 2952 return 0; 2953 break; 2954 } 2955 if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_CNAME))==NULL) 2956 break; /* no further CNAME chain, notype */ 2957 if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0; 2958 d = rrset->data; 2959 } 2960 return 1; 2961} 2962 2963/** generate answer for cname answer */ 2964static int 2965az_generate_cname_answer(struct auth_zone* z, struct query_info* qinfo, 2966 struct regional* region, struct dns_msg* msg, 2967 struct auth_data* node, struct auth_rrset* rrset) 2968{ 2969 if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0; 2970 if(!rrset) return 1; 2971 if(!follow_cname_chain(z, qinfo->qtype, region, msg, rrset->data)) 2972 return 0; 2973 return 1; 2974} 2975 2976/** generate answer for notype answer */ 2977static int 2978az_generate_notype_answer(struct auth_zone* z, struct regional* region, 2979 struct dns_msg* msg, struct auth_data* node) 2980{ 2981 struct auth_rrset* rrset; 2982 if(!az_add_negative_soa(z, region, msg)) return 0; 2983 /* DNSSEC denial NSEC */ 2984 if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_NSEC))!=NULL) { 2985 if(!msg_add_rrset_ns(z, region, msg, node, rrset)) return 0; 2986 } else if(node) { 2987 /* DNSSEC denial NSEC3 */ 2988 if(!az_add_nsec3_proof(z, region, msg, node->name, 2989 node->namelen, msg->qinfo.qname, 2990 msg->qinfo.qname_len, 1, 1, 0, 0)) 2991 return 0; 2992 } 2993 return 1; 2994} 2995 2996/** generate answer for referral answer */ 2997static int 2998az_generate_referral_answer(struct auth_zone* z, struct regional* region, 2999 struct dns_msg* msg, struct auth_data* ce, struct auth_rrset* rrset) 3000{ 3001 struct auth_rrset* ds, *nsec; 3002 /* turn off AA flag, referral is nonAA because it leaves the zone */ 3003 log_assert(ce); 3004 msg->rep->flags &= ~BIT_AA; 3005 if(!msg_add_rrset_ns(z, region, msg, ce, rrset)) return 0; 3006 /* add DS or deny it */ 3007 if((ds=az_domain_rrset(ce, LDNS_RR_TYPE_DS))!=NULL) { 3008 if(!msg_add_rrset_ns(z, region, msg, ce, ds)) return 0; 3009 } else { 3010 /* deny the DS */ 3011 if((nsec=az_domain_rrset(ce, LDNS_RR_TYPE_NSEC))!=NULL) { 3012 if(!msg_add_rrset_ns(z, region, msg, ce, nsec)) 3013 return 0; 3014 } else { 3015 if(!az_add_nsec3_proof(z, region, msg, ce->name, 3016 ce->namelen, msg->qinfo.qname, 3017 msg->qinfo.qname_len, 1, 1, 0, 0)) 3018 return 0; 3019 } 3020 } 3021 /* add additional rrs for type NS */ 3022 if(!az_add_additionals_from(z, region, msg, rrset, 0)) return 0; 3023 return 1; 3024} 3025 3026/** generate answer for DNAME answer */ 3027static int 3028az_generate_dname_answer(struct auth_zone* z, struct query_info* qinfo, 3029 struct regional* region, struct dns_msg* msg, struct auth_data* ce, 3030 struct auth_rrset* rrset) 3031{ 3032 log_assert(ce); 3033 /* add the DNAME and then a CNAME */ 3034 if(!msg_add_rrset_an(z, region, msg, ce, rrset)) return 0; 3035 if(!add_synth_cname(z, qinfo->qname, qinfo->qname_len, region, 3036 msg, ce, rrset)) return 0; 3037 if(FLAGS_GET_RCODE(msg->rep->flags) == LDNS_RCODE_YXDOMAIN) 3038 return 1; 3039 if(msg->rep->rrset_count == 0 || 3040 !msg->rep->rrsets[msg->rep->rrset_count-1]) 3041 return 0; 3042 if(!follow_cname_chain(z, qinfo->qtype, region, msg, 3043 (struct packed_rrset_data*)msg->rep->rrsets[ 3044 msg->rep->rrset_count-1]->entry.data)) 3045 return 0; 3046 return 1; 3047} 3048 3049/** generate answer for wildcard answer */ 3050static int 3051az_generate_wildcard_answer(struct auth_zone* z, struct query_info* qinfo, 3052 struct regional* region, struct dns_msg* msg, struct auth_data* ce, 3053 struct auth_data* wildcard, struct auth_data* node) 3054{ 3055 struct auth_rrset* rrset, *nsec; 3056 int insert_ce = 0; 3057 if((rrset=az_domain_rrset(wildcard, qinfo->qtype)) != NULL) { 3058 /* wildcard has type, add it */ 3059 if(!msg_add_rrset_an(z, region, msg, wildcard, rrset)) 3060 return 0; 3061 az_change_dnames(msg, wildcard->name, msg->qinfo.qname, 3062 msg->qinfo.qname_len, 1); 3063 } else if((rrset=az_domain_rrset(wildcard, LDNS_RR_TYPE_CNAME))!=NULL) { 3064 /* wildcard has cname instead, do that */ 3065 if(!msg_add_rrset_an(z, region, msg, wildcard, rrset)) 3066 return 0; 3067 az_change_dnames(msg, wildcard->name, msg->qinfo.qname, 3068 msg->qinfo.qname_len, 1); 3069 if(!follow_cname_chain(z, qinfo->qtype, region, msg, 3070 rrset->data)) 3071 return 0; 3072 } else if(qinfo->qtype == LDNS_RR_TYPE_ANY && wildcard->rrsets) { 3073 /* add ANY rrsets from wildcard node */ 3074 if(!az_generate_any_answer(z, region, msg, wildcard)) 3075 return 0; 3076 az_change_dnames(msg, wildcard->name, msg->qinfo.qname, 3077 msg->qinfo.qname_len, 1); 3078 } else { 3079 /* wildcard has nodata, notype answer */ 3080 /* call other notype routine for dnssec notype denials */ 3081 if(!az_generate_notype_answer(z, region, msg, wildcard)) 3082 return 0; 3083 /* because the notype, there is no positive data with an 3084 * RRSIG that indicates the wildcard position. Thus the 3085 * wildcard qname denial needs to have a CE nsec3. */ 3086 insert_ce = 1; 3087 } 3088 3089 /* ce and node for dnssec denial of wildcard original name */ 3090 if((nsec=az_find_nsec_cover(z, &node)) != NULL) { 3091 if(!msg_add_rrset_ns(z, region, msg, node, nsec)) return 0; 3092 } else if(ce) { 3093 uint8_t* wildup = wildcard->name; 3094 size_t wilduplen= wildcard->namelen; 3095 dname_remove_label(&wildup, &wilduplen); 3096 if(!az_add_nsec3_proof(z, region, msg, wildup, 3097 wilduplen, msg->qinfo.qname, 3098 msg->qinfo.qname_len, 0, insert_ce, 1, 0)) 3099 return 0; 3100 } 3101 3102 /* fixup name of wildcard from *.zone to qname, use already allocated 3103 * pointer to msg qname */ 3104 az_change_dnames(msg, wildcard->name, msg->qinfo.qname, 3105 msg->qinfo.qname_len, 0); 3106 return 1; 3107} 3108 3109/** generate answer for nxdomain answer */ 3110static int 3111az_generate_nxdomain_answer(struct auth_zone* z, struct regional* region, 3112 struct dns_msg* msg, struct auth_data* ce, struct auth_data* node) 3113{ 3114 struct auth_rrset* nsec; 3115 msg->rep->flags |= LDNS_RCODE_NXDOMAIN; 3116 if(!az_add_negative_soa(z, region, msg)) return 0; 3117 if((nsec=az_find_nsec_cover(z, &node)) != NULL) { 3118 if(!msg_add_rrset_ns(z, region, msg, node, nsec)) return 0; 3119 if(ce && !az_nsec_wildcard_denial(z, region, msg, ce->name, 3120 ce->namelen)) return 0; 3121 } else if(ce) { 3122 if(!az_add_nsec3_proof(z, region, msg, ce->name, 3123 ce->namelen, msg->qinfo.qname, 3124 msg->qinfo.qname_len, 0, 1, 1, 1)) 3125 return 0; 3126 } 3127 return 1; 3128} 3129 3130/** Create answers when an exact match exists for the domain name */ 3131static int 3132az_generate_answer_with_node(struct auth_zone* z, struct query_info* qinfo, 3133 struct regional* region, struct dns_msg* msg, struct auth_data* node) 3134{ 3135 struct auth_rrset* rrset; 3136 /* positive answer, rrset we are looking for exists */ 3137 if((rrset=az_domain_rrset(node, qinfo->qtype)) != NULL) { 3138 return az_generate_positive_answer(z, region, msg, node, rrset); 3139 } 3140 /* CNAME? */ 3141 if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_CNAME)) != NULL) { 3142 return az_generate_cname_answer(z, qinfo, region, msg, 3143 node, rrset); 3144 } 3145 /* type ANY ? */ 3146 if(qinfo->qtype == LDNS_RR_TYPE_ANY) { 3147 return az_generate_any_answer(z, region, msg, node); 3148 } 3149 /* NOERROR/NODATA (no such type at domain name) */ 3150 return az_generate_notype_answer(z, region, msg, node); 3151} 3152 3153/** Generate answer without an existing-node that we can use. 3154 * So it'll be a referral, DNAME or nxdomain */ 3155static int 3156az_generate_answer_nonexistnode(struct auth_zone* z, struct query_info* qinfo, 3157 struct regional* region, struct dns_msg* msg, struct auth_data* ce, 3158 struct auth_rrset* rrset, struct auth_data* node) 3159{ 3160 struct auth_data* wildcard; 3161 3162 /* we do not have an exact matching name (that exists) */ 3163 /* see if we have a NS or DNAME in the ce */ 3164 if(ce && rrset && rrset->type == LDNS_RR_TYPE_NS) { 3165 return az_generate_referral_answer(z, region, msg, ce, rrset); 3166 } 3167 if(ce && rrset && rrset->type == LDNS_RR_TYPE_DNAME) { 3168 return az_generate_dname_answer(z, qinfo, region, msg, ce, 3169 rrset); 3170 } 3171 /* if there is an empty nonterminal, wildcard and nxdomain don't 3172 * happen, it is a notype answer */ 3173 if(az_empty_nonterminal(z, qinfo, node)) { 3174 return az_generate_notype_answer(z, region, msg, node); 3175 } 3176 /* see if we have a wildcard under the ce */ 3177 if((wildcard=az_find_wildcard(z, qinfo, ce)) != NULL) { 3178 return az_generate_wildcard_answer(z, qinfo, region, msg, 3179 ce, wildcard, node); 3180 } 3181 /* generate nxdomain answer */ 3182 return az_generate_nxdomain_answer(z, region, msg, ce, node); 3183} 3184 3185/** Lookup answer in a zone. */ 3186static int 3187auth_zone_generate_answer(struct auth_zone* z, struct query_info* qinfo, 3188 struct regional* region, struct dns_msg** msg, int* fallback) 3189{ 3190 struct auth_data* node, *ce; 3191 struct auth_rrset* rrset; 3192 int node_exact, node_exists; 3193 /* does the zone want fallback in case of failure? */ 3194 *fallback = z->fallback_enabled; 3195 if(!(*msg=msg_create(region, qinfo))) return 0; 3196 3197 /* lookup if there is a matching domain name for the query */ 3198 az_find_domain(z, qinfo, &node_exact, &node); 3199 3200 /* see if node exists for generating answers from (i.e. not glue and 3201 * obscured by NS or DNAME or NSEC3-only), and also return the 3202 * closest-encloser from that, closest node that should be used 3203 * to generate answers from that is above the query */ 3204 node_exists = az_find_ce(z, qinfo, node, node_exact, &ce, &rrset); 3205 3206 if(verbosity >= VERB_ALGO) { 3207 char zname[256], qname[256], nname[256], cename[256], 3208 tpstr[32], rrstr[32]; 3209 sldns_wire2str_dname_buf(qinfo->qname, qinfo->qname_len, qname, 3210 sizeof(qname)); 3211 sldns_wire2str_type_buf(qinfo->qtype, tpstr, sizeof(tpstr)); 3212 sldns_wire2str_dname_buf(z->name, z->namelen, zname, 3213 sizeof(zname)); 3214 if(node) 3215 sldns_wire2str_dname_buf(node->name, node->namelen, 3216 nname, sizeof(nname)); 3217 else snprintf(nname, sizeof(nname), "NULL"); 3218 if(ce) 3219 sldns_wire2str_dname_buf(ce->name, ce->namelen, 3220 cename, sizeof(cename)); 3221 else snprintf(cename, sizeof(cename), "NULL"); 3222 if(rrset) sldns_wire2str_type_buf(rrset->type, rrstr, 3223 sizeof(rrstr)); 3224 else snprintf(rrstr, sizeof(rrstr), "NULL"); 3225 log_info("auth_zone %s query %s %s, domain %s %s %s, " 3226 "ce %s, rrset %s", zname, qname, tpstr, nname, 3227 (node_exact?"exact":"notexact"), 3228 (node_exists?"exist":"notexist"), cename, rrstr); 3229 } 3230 3231 if(node_exists) { 3232 /* the node is fine, generate answer from node */ 3233 return az_generate_answer_with_node(z, qinfo, region, *msg, 3234 node); 3235 } 3236 return az_generate_answer_nonexistnode(z, qinfo, region, *msg, 3237 ce, rrset, node); 3238} 3239 3240int auth_zones_lookup(struct auth_zones* az, struct query_info* qinfo, 3241 struct regional* region, struct dns_msg** msg, int* fallback, 3242 uint8_t* dp_nm, size_t dp_nmlen) 3243{ 3244 int r; 3245 struct auth_zone* z; 3246 /* find the zone that should contain the answer. */ 3247 lock_rw_rdlock(&az->lock); 3248 z = auth_zone_find(az, dp_nm, dp_nmlen, qinfo->qclass); 3249 if(!z) { 3250 lock_rw_unlock(&az->lock); 3251 /* no auth zone, fallback to internet */ 3252 *fallback = 1; 3253 return 0; 3254 } 3255 lock_rw_rdlock(&z->lock); 3256 lock_rw_unlock(&az->lock); 3257 3258 /* if not for upstream queries, fallback */ 3259 if(!z->for_upstream) { 3260 lock_rw_unlock(&z->lock); 3261 *fallback = 1; 3262 return 0; 3263 } 3264 if(z->zone_expired) { 3265 *fallback = z->fallback_enabled; 3266 lock_rw_unlock(&z->lock); 3267 return 0; 3268 } 3269 /* see what answer that zone would generate */ 3270 r = auth_zone_generate_answer(z, qinfo, region, msg, fallback); 3271 lock_rw_unlock(&z->lock); 3272 return r; 3273} 3274 3275/** encode auth answer */ 3276static void 3277auth_answer_encode(struct query_info* qinfo, struct module_env* env, 3278 struct edns_data* edns, struct comm_reply* repinfo, sldns_buffer* buf, 3279 struct regional* temp, struct dns_msg* msg) 3280{ 3281 uint16_t udpsize; 3282 udpsize = edns->udp_size; 3283 edns->edns_version = EDNS_ADVERTISED_VERSION; 3284 edns->udp_size = EDNS_ADVERTISED_SIZE; 3285 edns->ext_rcode = 0; 3286 edns->bits &= EDNS_DO; 3287 3288 if(!inplace_cb_reply_local_call(env, qinfo, NULL, msg->rep, 3289 (int)FLAGS_GET_RCODE(msg->rep->flags), edns, repinfo, temp) 3290 || !reply_info_answer_encode(qinfo, msg->rep, 3291 *(uint16_t*)sldns_buffer_begin(buf), 3292 sldns_buffer_read_u16_at(buf, 2), 3293 buf, 0, 0, temp, udpsize, edns, 3294 (int)(edns->bits&EDNS_DO), 0)) { 3295 error_encode(buf, (LDNS_RCODE_SERVFAIL|BIT_AA), qinfo, 3296 *(uint16_t*)sldns_buffer_begin(buf), 3297 sldns_buffer_read_u16_at(buf, 2), edns); 3298 } 3299} 3300 3301/** encode auth error answer */ 3302static void 3303auth_error_encode(struct query_info* qinfo, struct module_env* env, 3304 struct edns_data* edns, struct comm_reply* repinfo, sldns_buffer* buf, 3305 struct regional* temp, int rcode) 3306{ 3307 edns->edns_version = EDNS_ADVERTISED_VERSION; 3308 edns->udp_size = EDNS_ADVERTISED_SIZE; 3309 edns->ext_rcode = 0; 3310 edns->bits &= EDNS_DO; 3311 3312 if(!inplace_cb_reply_local_call(env, qinfo, NULL, NULL, 3313 rcode, edns, repinfo, temp)) 3314 edns->opt_list = NULL; 3315 error_encode(buf, rcode|BIT_AA, qinfo, 3316 *(uint16_t*)sldns_buffer_begin(buf), 3317 sldns_buffer_read_u16_at(buf, 2), edns); 3318} 3319 3320int auth_zones_answer(struct auth_zones* az, struct module_env* env, 3321 struct query_info* qinfo, struct edns_data* edns, 3322 struct comm_reply* repinfo, struct sldns_buffer* buf, struct regional* temp) 3323{ 3324 struct dns_msg* msg = NULL; 3325 struct auth_zone* z; 3326 int r; 3327 int fallback = 0; 3328 3329 lock_rw_rdlock(&az->lock); 3330 if(!az->have_downstream) { 3331 /* no downstream auth zones */ 3332 lock_rw_unlock(&az->lock); 3333 return 0; 3334 } 3335 if(qinfo->qtype == LDNS_RR_TYPE_DS) { 3336 uint8_t* delname = qinfo->qname; 3337 size_t delnamelen = qinfo->qname_len; 3338 dname_remove_label(&delname, &delnamelen); 3339 z = auth_zones_find_zone(az, delname, delnamelen, 3340 qinfo->qclass); 3341 } else { 3342 z = auth_zones_find_zone(az, qinfo->qname, qinfo->qname_len, 3343 qinfo->qclass); 3344 } 3345 if(!z) { 3346 /* no zone above it */ 3347 lock_rw_unlock(&az->lock); 3348 return 0; 3349 } 3350 lock_rw_rdlock(&z->lock); 3351 lock_rw_unlock(&az->lock); 3352 if(!z->for_downstream) { 3353 lock_rw_unlock(&z->lock); 3354 return 0; 3355 } 3356 if(z->zone_expired) { 3357 if(z->fallback_enabled) { 3358 lock_rw_unlock(&z->lock); 3359 return 0; 3360 } 3361 lock_rw_unlock(&z->lock); 3362 lock_rw_wrlock(&az->lock); 3363 az->num_query_down++; 3364 lock_rw_unlock(&az->lock); 3365 auth_error_encode(qinfo, env, edns, repinfo, buf, temp, 3366 LDNS_RCODE_SERVFAIL); 3367 return 1; 3368 } 3369 3370 /* answer it from zone z */ 3371 r = auth_zone_generate_answer(z, qinfo, temp, &msg, &fallback); 3372 lock_rw_unlock(&z->lock); 3373 if(!r && fallback) { 3374 /* fallback to regular answering (recursive) */ 3375 return 0; 3376 } 3377 lock_rw_wrlock(&az->lock); 3378 az->num_query_down++; 3379 lock_rw_unlock(&az->lock); 3380 3381 /* encode answer */ 3382 if(!r) 3383 auth_error_encode(qinfo, env, edns, repinfo, buf, temp, 3384 LDNS_RCODE_SERVFAIL); 3385 else auth_answer_encode(qinfo, env, edns, repinfo, buf, temp, msg); 3386 3387 return 1; 3388} 3389 3390int auth_zones_can_fallback(struct auth_zones* az, uint8_t* nm, size_t nmlen, 3391 uint16_t dclass) 3392{ 3393 int r; 3394 struct auth_zone* z; 3395 lock_rw_rdlock(&az->lock); 3396 z = auth_zone_find(az, nm, nmlen, dclass); 3397 if(!z) { 3398 lock_rw_unlock(&az->lock); 3399 /* no such auth zone, fallback */ 3400 return 1; 3401 } 3402 lock_rw_rdlock(&z->lock); 3403 lock_rw_unlock(&az->lock); 3404 r = z->fallback_enabled || (!z->for_upstream); 3405 lock_rw_unlock(&z->lock); 3406 return r; 3407} 3408 3409int 3410auth_zone_parse_notify_serial(sldns_buffer* pkt, uint32_t *serial) 3411{ 3412 struct query_info q; 3413 uint16_t rdlen; 3414 memset(&q, 0, sizeof(q)); 3415 sldns_buffer_set_position(pkt, 0); 3416 if(!query_info_parse(&q, pkt)) return 0; 3417 if(LDNS_ANCOUNT(sldns_buffer_begin(pkt)) == 0) return 0; 3418 /* skip name of RR in answer section */ 3419 if(sldns_buffer_remaining(pkt) < 1) return 0; 3420 if(pkt_dname_len(pkt) == 0) return 0; 3421 /* check type */ 3422 if(sldns_buffer_remaining(pkt) < 10 /* type,class,ttl,rdatalen*/) 3423 return 0; 3424 if(sldns_buffer_read_u16(pkt) != LDNS_RR_TYPE_SOA) return 0; 3425 sldns_buffer_skip(pkt, 2); /* class */ 3426 sldns_buffer_skip(pkt, 4); /* ttl */ 3427 rdlen = sldns_buffer_read_u16(pkt); /* rdatalen */ 3428 if(sldns_buffer_remaining(pkt) < rdlen) return 0; 3429 if(rdlen < 22) return 0; /* bad soa length */ 3430 sldns_buffer_skip(pkt, (ssize_t)(rdlen-20)); 3431 *serial = sldns_buffer_read_u32(pkt); 3432 /* return true when has serial in answer section */ 3433 return 1; 3434} 3435 3436/** see if addr appears in the list */ 3437static int 3438addr_in_list(struct auth_addr* list, struct sockaddr_storage* addr, 3439 socklen_t addrlen) 3440{ 3441 struct auth_addr* p; 3442 for(p=list; p; p=p->next) { 3443 if(sockaddr_cmp_addr(addr, addrlen, &p->addr, p->addrlen)==0) 3444 return 1; 3445 } 3446 return 0; 3447} 3448 3449/** check if an address matches a master specification (or one of its 3450 * addresses in the addr list) */ 3451static int 3452addr_matches_master(struct auth_master* master, struct sockaddr_storage* addr, 3453 socklen_t addrlen, struct auth_master** fromhost) 3454{ 3455 struct sockaddr_storage a; 3456 socklen_t alen = 0; 3457 int net = 0; 3458 if(addr_in_list(master->list, addr, addrlen)) { 3459 *fromhost = master; 3460 return 1; 3461 } 3462 /* compare address (but not port number, that is the destination 3463 * port of the master, the port number of the received notify is 3464 * allowed to by any port on that master) */ 3465 if(extstrtoaddr(master->host, &a, &alen) && 3466 sockaddr_cmp_addr(addr, addrlen, &a, alen)==0) { 3467 *fromhost = master; 3468 return 1; 3469 } 3470 /* prefixes, addr/len, like 10.0.0.0/8 */ 3471 /* not http and has a / and there is one / */ 3472 if(master->allow_notify && !master->http && 3473 strchr(master->host, '/') != NULL && 3474 strchr(master->host, '/') == strrchr(master->host, '/') && 3475 netblockstrtoaddr(master->host, UNBOUND_DNS_PORT, &a, &alen, 3476 &net) && alen == addrlen) { 3477 if(addr_in_common(addr, (addr_is_ip6(addr, addrlen)?128:32), 3478 &a, net, alen) >= net) { 3479 *fromhost = NULL; /* prefix does not have destination 3480 to send the probe or transfer with */ 3481 return 1; /* matches the netblock */ 3482 } 3483 } 3484 return 0; 3485} 3486 3487/** check access list for notifies */ 3488static int 3489az_xfr_allowed_notify(struct auth_xfer* xfr, struct sockaddr_storage* addr, 3490 socklen_t addrlen, struct auth_master** fromhost) 3491{ 3492 struct auth_master* p; 3493 for(p=xfr->allow_notify_list; p; p=p->next) { 3494 if(addr_matches_master(p, addr, addrlen, fromhost)) { 3495 return 1; 3496 } 3497 } 3498 return 0; 3499} 3500 3501/** see if the serial means the zone has to be updated, i.e. the serial 3502 * is newer than the zone serial, or we have no zone */ 3503static int 3504xfr_serial_means_update(struct auth_xfer* xfr, uint32_t serial) 3505{ 3506 if(!xfr->have_zone) 3507 return 1; /* no zone, anything is better */ 3508 if(xfr->zone_expired) 3509 return 1; /* expired, the sent serial is better than expired 3510 data */ 3511 if(compare_serial(xfr->serial, serial) < 0) 3512 return 1; /* our serial is smaller than the sent serial, 3513 the data is newer, fetch it */ 3514 return 0; 3515} 3516 3517/** note notify serial, updates the notify information in the xfr struct */ 3518static void 3519xfr_note_notify_serial(struct auth_xfer* xfr, int has_serial, uint32_t serial) 3520{ 3521 if(xfr->notify_received && xfr->notify_has_serial && has_serial) { 3522 /* see if this serial is newer */ 3523 if(compare_serial(xfr->notify_serial, serial) < 0) 3524 xfr->notify_serial = serial; 3525 } else if(xfr->notify_received && xfr->notify_has_serial && 3526 !has_serial) { 3527 /* remove serial, we have notify without serial */ 3528 xfr->notify_has_serial = 0; 3529 xfr->notify_serial = 0; 3530 } else if(xfr->notify_received && !xfr->notify_has_serial) { 3531 /* we already have notify without serial, keep it 3532 * that way; no serial check when current operation 3533 * is done */ 3534 } else { 3535 xfr->notify_received = 1; 3536 xfr->notify_has_serial = has_serial; 3537 xfr->notify_serial = serial; 3538 } 3539} 3540 3541/** process a notify serial, start new probe or note serial. xfr is locked */ 3542static void 3543xfr_process_notify(struct auth_xfer* xfr, struct module_env* env, 3544 int has_serial, uint32_t serial, struct auth_master* fromhost) 3545{ 3546 /* if the serial of notify is older than we have, don't fetch 3547 * a zone, we already have it */ 3548 if(has_serial && !xfr_serial_means_update(xfr, serial)) { 3549 lock_basic_unlock(&xfr->lock); 3550 return; 3551 } 3552 /* start new probe with this addr src, or note serial */ 3553 if(!xfr_start_probe(xfr, env, fromhost)) { 3554 /* not started because already in progress, note the serial */ 3555 xfr_note_notify_serial(xfr, has_serial, serial); 3556 lock_basic_unlock(&xfr->lock); 3557 } 3558 /* successful end of start_probe unlocked xfr->lock */ 3559} 3560 3561int auth_zones_notify(struct auth_zones* az, struct module_env* env, 3562 uint8_t* nm, size_t nmlen, uint16_t dclass, 3563 struct sockaddr_storage* addr, socklen_t addrlen, int has_serial, 3564 uint32_t serial, int* refused) 3565{ 3566 struct auth_xfer* xfr; 3567 struct auth_master* fromhost = NULL; 3568 /* see which zone this is */ 3569 lock_rw_rdlock(&az->lock); 3570 xfr = auth_xfer_find(az, nm, nmlen, dclass); 3571 if(!xfr) { 3572 lock_rw_unlock(&az->lock); 3573 /* no such zone, refuse the notify */ 3574 *refused = 1; 3575 return 0; 3576 } 3577 lock_basic_lock(&xfr->lock); 3578 lock_rw_unlock(&az->lock); 3579 3580 /* check access list for notifies */ 3581 if(!az_xfr_allowed_notify(xfr, addr, addrlen, &fromhost)) { 3582 lock_basic_unlock(&xfr->lock); 3583 /* notify not allowed, refuse the notify */ 3584 *refused = 1; 3585 return 0; 3586 } 3587 3588 /* process the notify */ 3589 xfr_process_notify(xfr, env, has_serial, serial, fromhost); 3590 return 1; 3591} 3592 3593int auth_zones_startprobesequence(struct auth_zones* az, 3594 struct module_env* env, uint8_t* nm, size_t nmlen, uint16_t dclass) 3595{ 3596 struct auth_xfer* xfr; 3597 lock_rw_rdlock(&az->lock); 3598 xfr = auth_xfer_find(az, nm, nmlen, dclass); 3599 if(!xfr) { 3600 lock_rw_unlock(&az->lock); 3601 return 0; 3602 } 3603 lock_basic_lock(&xfr->lock); 3604 lock_rw_unlock(&az->lock); 3605 3606 xfr_process_notify(xfr, env, 0, 0, NULL); 3607 return 1; 3608} 3609 3610/** set a zone expired */ 3611static void 3612auth_xfer_set_expired(struct auth_xfer* xfr, struct module_env* env, 3613 int expired) 3614{ 3615 struct auth_zone* z; 3616 3617 /* expire xfr */ 3618 lock_basic_lock(&xfr->lock); 3619 xfr->zone_expired = expired; 3620 lock_basic_unlock(&xfr->lock); 3621 3622 /* find auth_zone */ 3623 lock_rw_rdlock(&env->auth_zones->lock); 3624 z = auth_zone_find(env->auth_zones, xfr->name, xfr->namelen, 3625 xfr->dclass); 3626 if(!z) { 3627 lock_rw_unlock(&env->auth_zones->lock); 3628 return; 3629 } 3630 lock_rw_wrlock(&z->lock); 3631 lock_rw_unlock(&env->auth_zones->lock); 3632 3633 /* expire auth_zone */ 3634 z->zone_expired = expired; 3635 lock_rw_unlock(&z->lock); 3636} 3637 3638/** find master (from notify or probe) in list of masters */ 3639static struct auth_master* 3640find_master_by_host(struct auth_master* list, char* host) 3641{ 3642 struct auth_master* p; 3643 for(p=list; p; p=p->next) { 3644 if(strcmp(p->host, host) == 0) 3645 return p; 3646 } 3647 return NULL; 3648} 3649 3650/** delete the looked up auth_addrs for all the masters in the list */ 3651static void 3652xfr_masterlist_free_addrs(struct auth_master* list) 3653{ 3654 struct auth_master* m; 3655 for(m=list; m; m=m->next) { 3656 if(m->list) { 3657 auth_free_master_addrs(m->list); 3658 m->list = NULL; 3659 } 3660 } 3661} 3662 3663/** copy a list of auth_addrs */ 3664static struct auth_addr* 3665auth_addr_list_copy(struct auth_addr* source) 3666{ 3667 struct auth_addr* list = NULL, *last = NULL; 3668 struct auth_addr* p; 3669 for(p=source; p; p=p->next) { 3670 struct auth_addr* a = (struct auth_addr*)memdup(p, sizeof(*p)); 3671 if(!a) { 3672 log_err("malloc failure"); 3673 auth_free_master_addrs(list); 3674 return NULL; 3675 } 3676 a->next = NULL; 3677 if(last) last->next = a; 3678 if(!list) list = a; 3679 last = a; 3680 } 3681 return list; 3682} 3683 3684/** copy a master to a new structure, NULL on alloc failure */ 3685static struct auth_master* 3686auth_master_copy(struct auth_master* o) 3687{ 3688 struct auth_master* m; 3689 if(!o) return NULL; 3690 m = (struct auth_master*)memdup(o, sizeof(*o)); 3691 if(!m) { 3692 log_err("malloc failure"); 3693 return NULL; 3694 } 3695 m->next = NULL; 3696 if(m->host) { 3697 m->host = strdup(m->host); 3698 if(!m->host) { 3699 free(m); 3700 log_err("malloc failure"); 3701 return NULL; 3702 } 3703 } 3704 if(m->file) { 3705 m->file = strdup(m->file); 3706 if(!m->file) { 3707 free(m->host); 3708 free(m); 3709 log_err("malloc failure"); 3710 return NULL; 3711 } 3712 } 3713 if(m->list) { 3714 m->list = auth_addr_list_copy(m->list); 3715 if(!m->list) { 3716 free(m->file); 3717 free(m->host); 3718 free(m); 3719 return NULL; 3720 } 3721 } 3722 return m; 3723} 3724 3725/** copy the master addresses from the task_probe lookups to the allow_notify 3726 * list of masters */ 3727static void 3728probe_copy_masters_for_allow_notify(struct auth_xfer* xfr) 3729{ 3730 struct auth_master* list = NULL, *last = NULL; 3731 struct auth_master* p; 3732 /* build up new list with copies */ 3733 for(p = xfr->task_probe->masters; p; p=p->next) { 3734 struct auth_master* m = auth_master_copy(p); 3735 if(!m) { 3736 auth_free_masters(list); 3737 /* failed because of malloc failure, use old list */ 3738 return; 3739 } 3740 m->next = NULL; 3741 if(last) last->next = m; 3742 if(!list) list = m; 3743 last = m; 3744 } 3745 /* success, replace list */ 3746 auth_free_masters(xfr->allow_notify_list); 3747 xfr->allow_notify_list = list; 3748} 3749 3750/** start the lookups for task_transfer */ 3751static void 3752xfr_transfer_start_lookups(struct auth_xfer* xfr) 3753{ 3754 /* delete all the looked up addresses in the list */ 3755 xfr->task_transfer->scan_addr = NULL; 3756 xfr_masterlist_free_addrs(xfr->task_transfer->masters); 3757 3758 /* start lookup at the first master */ 3759 xfr->task_transfer->lookup_target = xfr->task_transfer->masters; 3760 xfr->task_transfer->lookup_aaaa = 0; 3761} 3762 3763/** move to the next lookup of hostname for task_transfer */ 3764static void 3765xfr_transfer_move_to_next_lookup(struct auth_xfer* xfr, struct module_env* env) 3766{ 3767 if(!xfr->task_transfer->lookup_target) 3768 return; /* already at end of list */ 3769 if(!xfr->task_transfer->lookup_aaaa && env->cfg->do_ip6) { 3770 /* move to lookup AAAA */ 3771 xfr->task_transfer->lookup_aaaa = 1; 3772 return; 3773 } 3774 xfr->task_transfer->lookup_target = 3775 xfr->task_transfer->lookup_target->next; 3776 xfr->task_transfer->lookup_aaaa = 0; 3777 if(!env->cfg->do_ip4 && xfr->task_transfer->lookup_target!=NULL) 3778 xfr->task_transfer->lookup_aaaa = 1; 3779} 3780 3781/** start the lookups for task_probe */ 3782static void 3783xfr_probe_start_lookups(struct auth_xfer* xfr) 3784{ 3785 /* delete all the looked up addresses in the list */ 3786 xfr->task_probe->scan_addr = NULL; 3787 xfr_masterlist_free_addrs(xfr->task_probe->masters); 3788 3789 /* start lookup at the first master */ 3790 xfr->task_probe->lookup_target = xfr->task_probe->masters; 3791 xfr->task_probe->lookup_aaaa = 0; 3792} 3793 3794/** move to the next lookup of hostname for task_probe */ 3795static void 3796xfr_probe_move_to_next_lookup(struct auth_xfer* xfr, struct module_env* env) 3797{ 3798 if(!xfr->task_probe->lookup_target) 3799 return; /* already at end of list */ 3800 if(!xfr->task_probe->lookup_aaaa && env->cfg->do_ip6) { 3801 /* move to lookup AAAA */ 3802 xfr->task_probe->lookup_aaaa = 1; 3803 return; 3804 } 3805 xfr->task_probe->lookup_target = xfr->task_probe->lookup_target->next; 3806 xfr->task_probe->lookup_aaaa = 0; 3807 if(!env->cfg->do_ip4 && xfr->task_probe->lookup_target!=NULL) 3808 xfr->task_probe->lookup_aaaa = 1; 3809} 3810 3811/** start the iteration of the task_transfer list of masters */ 3812static void 3813xfr_transfer_start_list(struct auth_xfer* xfr, struct auth_master* spec) 3814{ 3815 if(spec) { 3816 xfr->task_transfer->scan_specific = find_master_by_host( 3817 xfr->task_transfer->masters, spec->host); 3818 if(xfr->task_transfer->scan_specific) { 3819 xfr->task_transfer->scan_target = NULL; 3820 xfr->task_transfer->scan_addr = NULL; 3821 if(xfr->task_transfer->scan_specific->list) 3822 xfr->task_transfer->scan_addr = 3823 xfr->task_transfer->scan_specific->list; 3824 return; 3825 } 3826 } 3827 /* no specific (notified) host to scan */ 3828 xfr->task_transfer->scan_specific = NULL; 3829 xfr->task_transfer->scan_addr = NULL; 3830 /* pick up first scan target */ 3831 xfr->task_transfer->scan_target = xfr->task_transfer->masters; 3832 if(xfr->task_transfer->scan_target && xfr->task_transfer-> 3833 scan_target->list) 3834 xfr->task_transfer->scan_addr = 3835 xfr->task_transfer->scan_target->list; 3836} 3837 3838/** start the iteration of the task_probe list of masters */ 3839static void 3840xfr_probe_start_list(struct auth_xfer* xfr, struct auth_master* spec) 3841{ 3842 if(spec) { 3843 xfr->task_probe->scan_specific = find_master_by_host( 3844 xfr->task_probe->masters, spec->host); 3845 if(xfr->task_probe->scan_specific) { 3846 xfr->task_probe->scan_target = NULL; 3847 xfr->task_probe->scan_addr = NULL; 3848 if(xfr->task_probe->scan_specific->list) 3849 xfr->task_probe->scan_addr = 3850 xfr->task_probe->scan_specific->list; 3851 return; 3852 } 3853 } 3854 /* no specific (notified) host to scan */ 3855 xfr->task_probe->scan_specific = NULL; 3856 xfr->task_probe->scan_addr = NULL; 3857 /* pick up first scan target */ 3858 xfr->task_probe->scan_target = xfr->task_probe->masters; 3859 if(xfr->task_probe->scan_target && xfr->task_probe->scan_target->list) 3860 xfr->task_probe->scan_addr = 3861 xfr->task_probe->scan_target->list; 3862} 3863 3864/** pick up the master that is being scanned right now, task_transfer */ 3865static struct auth_master* 3866xfr_transfer_current_master(struct auth_xfer* xfr) 3867{ 3868 if(xfr->task_transfer->scan_specific) 3869 return xfr->task_transfer->scan_specific; 3870 return xfr->task_transfer->scan_target; 3871} 3872 3873/** pick up the master that is being scanned right now, task_probe */ 3874static struct auth_master* 3875xfr_probe_current_master(struct auth_xfer* xfr) 3876{ 3877 if(xfr->task_probe->scan_specific) 3878 return xfr->task_probe->scan_specific; 3879 return xfr->task_probe->scan_target; 3880} 3881 3882/** true if at end of list, task_transfer */ 3883static int 3884xfr_transfer_end_of_list(struct auth_xfer* xfr) 3885{ 3886 return !xfr->task_transfer->scan_specific && 3887 !xfr->task_transfer->scan_target; 3888} 3889 3890/** true if at end of list, task_probe */ 3891static int 3892xfr_probe_end_of_list(struct auth_xfer* xfr) 3893{ 3894 return !xfr->task_probe->scan_specific && !xfr->task_probe->scan_target; 3895} 3896 3897/** move to next master in list, task_transfer */ 3898static void 3899xfr_transfer_nextmaster(struct auth_xfer* xfr) 3900{ 3901 if(!xfr->task_transfer->scan_specific && 3902 !xfr->task_transfer->scan_target) 3903 return; 3904 if(xfr->task_transfer->scan_addr) { 3905 xfr->task_transfer->scan_addr = 3906 xfr->task_transfer->scan_addr->next; 3907 if(xfr->task_transfer->scan_addr) 3908 return; 3909 } 3910 if(xfr->task_transfer->scan_specific) { 3911 xfr->task_transfer->scan_specific = NULL; 3912 xfr->task_transfer->scan_target = xfr->task_transfer->masters; 3913 if(xfr->task_transfer->scan_target && xfr->task_transfer-> 3914 scan_target->list) 3915 xfr->task_transfer->scan_addr = 3916 xfr->task_transfer->scan_target->list; 3917 return; 3918 } 3919 if(!xfr->task_transfer->scan_target) 3920 return; 3921 xfr->task_transfer->scan_target = xfr->task_transfer->scan_target->next; 3922 if(xfr->task_transfer->scan_target && xfr->task_transfer-> 3923 scan_target->list) 3924 xfr->task_transfer->scan_addr = 3925 xfr->task_transfer->scan_target->list; 3926 return; 3927} 3928 3929/** move to next master in list, task_probe */ 3930static void 3931xfr_probe_nextmaster(struct auth_xfer* xfr) 3932{ 3933 if(!xfr->task_probe->scan_specific && !xfr->task_probe->scan_target) 3934 return; 3935 if(xfr->task_probe->scan_addr) { 3936 xfr->task_probe->scan_addr = xfr->task_probe->scan_addr->next; 3937 if(xfr->task_probe->scan_addr) 3938 return; 3939 } 3940 if(xfr->task_probe->scan_specific) { 3941 xfr->task_probe->scan_specific = NULL; 3942 xfr->task_probe->scan_target = xfr->task_probe->masters; 3943 if(xfr->task_probe->scan_target && xfr->task_probe-> 3944 scan_target->list) 3945 xfr->task_probe->scan_addr = 3946 xfr->task_probe->scan_target->list; 3947 return; 3948 } 3949 if(!xfr->task_probe->scan_target) 3950 return; 3951 xfr->task_probe->scan_target = xfr->task_probe->scan_target->next; 3952 if(xfr->task_probe->scan_target && xfr->task_probe-> 3953 scan_target->list) 3954 xfr->task_probe->scan_addr = 3955 xfr->task_probe->scan_target->list; 3956 return; 3957} 3958 3959/** create SOA probe packet for xfr */ 3960static void 3961xfr_create_soa_probe_packet(struct auth_xfer* xfr, sldns_buffer* buf, 3962 uint16_t id) 3963{ 3964 struct query_info qinfo; 3965 3966 memset(&qinfo, 0, sizeof(qinfo)); 3967 qinfo.qname = xfr->name; 3968 qinfo.qname_len = xfr->namelen; 3969 qinfo.qtype = LDNS_RR_TYPE_SOA; 3970 qinfo.qclass = xfr->dclass; 3971 qinfo_query_encode(buf, &qinfo); 3972 sldns_buffer_write_u16_at(buf, 0, id); 3973} 3974 3975/** create IXFR/AXFR packet for xfr */ 3976static void 3977xfr_create_ixfr_packet(struct auth_xfer* xfr, sldns_buffer* buf, uint16_t id, 3978 struct auth_master* master) 3979{ 3980 struct query_info qinfo; 3981 uint32_t serial; 3982 int have_zone; 3983 have_zone = xfr->have_zone; 3984 serial = xfr->serial; 3985 3986 memset(&qinfo, 0, sizeof(qinfo)); 3987 qinfo.qname = xfr->name; 3988 qinfo.qname_len = xfr->namelen; 3989 xfr->task_transfer->got_xfr_serial = 0; 3990 xfr->task_transfer->rr_scan_num = 0; 3991 xfr->task_transfer->incoming_xfr_serial = 0; 3992 xfr->task_transfer->on_ixfr_is_axfr = 0; 3993 xfr->task_transfer->on_ixfr = 1; 3994 qinfo.qtype = LDNS_RR_TYPE_IXFR; 3995 if(!have_zone || xfr->task_transfer->ixfr_fail || !master->ixfr) { 3996 qinfo.qtype = LDNS_RR_TYPE_AXFR; 3997 xfr->task_transfer->ixfr_fail = 0; 3998 xfr->task_transfer->on_ixfr = 0; 3999 } 4000 4001 qinfo.qclass = xfr->dclass; 4002 qinfo_query_encode(buf, &qinfo); 4003 sldns_buffer_write_u16_at(buf, 0, id); 4004 4005 /* append serial for IXFR */ 4006 if(qinfo.qtype == LDNS_RR_TYPE_IXFR) { 4007 size_t end = sldns_buffer_limit(buf); 4008 sldns_buffer_clear(buf); 4009 sldns_buffer_set_position(buf, end); 4010 /* auth section count 1 */ 4011 sldns_buffer_write_u16_at(buf, LDNS_NSCOUNT_OFF, 1); 4012 /* write SOA */ 4013 sldns_buffer_write_u8(buf, 0xC0); /* compressed ptr to qname */ 4014 sldns_buffer_write_u8(buf, 0x0C); 4015 sldns_buffer_write_u16(buf, LDNS_RR_TYPE_SOA); 4016 sldns_buffer_write_u16(buf, qinfo.qclass); 4017 sldns_buffer_write_u32(buf, 0); /* ttl */ 4018 sldns_buffer_write_u16(buf, 22); /* rdata length */ 4019 sldns_buffer_write_u8(buf, 0); /* . */ 4020 sldns_buffer_write_u8(buf, 0); /* . */ 4021 sldns_buffer_write_u32(buf, serial); /* serial */ 4022 sldns_buffer_write_u32(buf, 0); /* refresh */ 4023 sldns_buffer_write_u32(buf, 0); /* retry */ 4024 sldns_buffer_write_u32(buf, 0); /* expire */ 4025 sldns_buffer_write_u32(buf, 0); /* minimum */ 4026 sldns_buffer_flip(buf); 4027 } 4028} 4029 4030/** check if returned packet is OK */ 4031static int 4032check_packet_ok(sldns_buffer* pkt, uint16_t qtype, struct auth_xfer* xfr, 4033 uint32_t* serial) 4034{ 4035 /* parse to see if packet worked, valid reply */ 4036 4037 /* check serial number of SOA */ 4038 if(sldns_buffer_limit(pkt) < LDNS_HEADER_SIZE) 4039 return 0; 4040 4041 /* check ID */ 4042 if(LDNS_ID_WIRE(sldns_buffer_begin(pkt)) != xfr->task_probe->id) 4043 return 0; 4044 4045 /* check flag bits and rcode */ 4046 if(!LDNS_QR_WIRE(sldns_buffer_begin(pkt))) 4047 return 0; 4048 if(LDNS_OPCODE_WIRE(sldns_buffer_begin(pkt)) != LDNS_PACKET_QUERY) 4049 return 0; 4050 if(LDNS_RCODE_WIRE(sldns_buffer_begin(pkt)) != LDNS_RCODE_NOERROR) 4051 return 0; 4052 4053 /* check qname */ 4054 if(LDNS_QDCOUNT(sldns_buffer_begin(pkt)) != 1) 4055 return 0; 4056 sldns_buffer_skip(pkt, LDNS_HEADER_SIZE); 4057 if(sldns_buffer_remaining(pkt) < xfr->namelen) 4058 return 0; 4059 if(query_dname_compare(sldns_buffer_current(pkt), xfr->name) != 0) 4060 return 0; 4061 sldns_buffer_skip(pkt, (ssize_t)xfr->namelen); 4062 4063 /* check qtype, qclass */ 4064 if(sldns_buffer_remaining(pkt) < 4) 4065 return 0; 4066 if(sldns_buffer_read_u16(pkt) != qtype) 4067 return 0; 4068 if(sldns_buffer_read_u16(pkt) != xfr->dclass) 4069 return 0; 4070 4071 if(serial) { 4072 uint16_t rdlen; 4073 /* read serial number, from answer section SOA */ 4074 if(LDNS_ANCOUNT(sldns_buffer_begin(pkt)) == 0) 4075 return 0; 4076 /* read from first record SOA record */ 4077 if(sldns_buffer_remaining(pkt) < 1) 4078 return 0; 4079 if(dname_pkt_compare(pkt, sldns_buffer_current(pkt), 4080 xfr->name) != 0) 4081 return 0; 4082 if(!pkt_dname_len(pkt)) 4083 return 0; 4084 /* type, class, ttl, rdatalen */ 4085 if(sldns_buffer_remaining(pkt) < 4+4+2) 4086 return 0; 4087 if(sldns_buffer_read_u16(pkt) != qtype) 4088 return 0; 4089 if(sldns_buffer_read_u16(pkt) != xfr->dclass) 4090 return 0; 4091 sldns_buffer_skip(pkt, 4); /* ttl */ 4092 rdlen = sldns_buffer_read_u16(pkt); 4093 if(sldns_buffer_remaining(pkt) < rdlen) 4094 return 0; 4095 if(sldns_buffer_remaining(pkt) < 1) 4096 return 0; 4097 if(!pkt_dname_len(pkt)) /* soa name */ 4098 return 0; 4099 if(sldns_buffer_remaining(pkt) < 1) 4100 return 0; 4101 if(!pkt_dname_len(pkt)) /* soa name */ 4102 return 0; 4103 if(sldns_buffer_remaining(pkt) < 20) 4104 return 0; 4105 *serial = sldns_buffer_read_u32(pkt); 4106 } 4107 return 1; 4108} 4109 4110/** read one line from chunks into buffer at current position */ 4111static int 4112chunkline_get_line(struct auth_chunk** chunk, size_t* chunk_pos, 4113 sldns_buffer* buf) 4114{ 4115 int readsome = 0; 4116 while(*chunk) { 4117 /* more text in this chunk? */ 4118 if(*chunk_pos < (*chunk)->len) { 4119 readsome = 1; 4120 while(*chunk_pos < (*chunk)->len) { 4121 char c = (char)((*chunk)->data[*chunk_pos]); 4122 (*chunk_pos)++; 4123 if(sldns_buffer_remaining(buf) < 2) { 4124 /* buffer too short */ 4125 verbose(VERB_ALGO, "http chunkline, " 4126 "line too long"); 4127 return 0; 4128 } 4129 sldns_buffer_write_u8(buf, (uint8_t)c); 4130 if(c == '\n') { 4131 /* we are done */ 4132 return 1; 4133 } 4134 } 4135 } 4136 /* move to next chunk */ 4137 *chunk = (*chunk)->next; 4138 *chunk_pos = 0; 4139 } 4140 /* no more text */ 4141 if(readsome) return 1; 4142 return 0; 4143} 4144 4145/** count number of open and closed parenthesis in a chunkline */ 4146static int 4147chunkline_count_parens(sldns_buffer* buf, size_t start) 4148{ 4149 size_t end = sldns_buffer_position(buf); 4150 size_t i; 4151 int count = 0; 4152 int squote = 0, dquote = 0; 4153 for(i=start; i<end; i++) { 4154 char c = (char)sldns_buffer_read_u8_at(buf, i); 4155 if(squote && c != '\'') continue; 4156 if(dquote && c != '"') continue; 4157 if(c == '"') 4158 dquote = !dquote; /* skip quoted part */ 4159 else if(c == '\'') 4160 squote = !squote; /* skip quoted part */ 4161 else if(c == '(') 4162 count ++; 4163 else if(c == ')') 4164 count --; 4165 else if(c == ';') { 4166 /* rest is a comment */ 4167 return count; 4168 } 4169 } 4170 return count; 4171} 4172 4173/** remove trailing ;... comment from a line in the chunkline buffer */ 4174static void 4175chunkline_remove_trailcomment(sldns_buffer* buf, size_t start) 4176{ 4177 size_t end = sldns_buffer_position(buf); 4178 size_t i; 4179 int squote = 0, dquote = 0; 4180 for(i=start; i<end; i++) { 4181 char c = (char)sldns_buffer_read_u8_at(buf, i); 4182 if(squote && c != '\'') continue; 4183 if(dquote && c != '"') continue; 4184 if(c == '"') 4185 dquote = !dquote; /* skip quoted part */ 4186 else if(c == '\'') 4187 squote = !squote; /* skip quoted part */ 4188 else if(c == ';') { 4189 /* rest is a comment */ 4190 sldns_buffer_set_position(buf, i); 4191 return; 4192 } 4193 } 4194 /* nothing to remove */ 4195} 4196 4197/** see if a chunkline is a comment line (or empty line) */ 4198static int 4199chunkline_is_comment_line_or_empty(sldns_buffer* buf) 4200{ 4201 size_t i, end = sldns_buffer_limit(buf); 4202 for(i=0; i<end; i++) { 4203 char c = (char)sldns_buffer_read_u8_at(buf, i); 4204 if(c == ';') 4205 return 1; /* comment */ 4206 else if(c != ' ' && c != '\t' && c != '\r' && c != '\n') 4207 return 0; /* not a comment */ 4208 } 4209 return 1; /* empty */ 4210} 4211 4212/** find a line with ( ) collated */ 4213static int 4214chunkline_get_line_collated(struct auth_chunk** chunk, size_t* chunk_pos, 4215 sldns_buffer* buf) 4216{ 4217 size_t pos; 4218 int parens = 0; 4219 sldns_buffer_clear(buf); 4220 pos = sldns_buffer_position(buf); 4221 if(!chunkline_get_line(chunk, chunk_pos, buf)) { 4222 if(sldns_buffer_position(buf) < sldns_buffer_limit(buf)) 4223 sldns_buffer_write_u8_at(buf, sldns_buffer_position(buf), 0); 4224 else sldns_buffer_write_u8_at(buf, sldns_buffer_position(buf)-1, 0); 4225 sldns_buffer_flip(buf); 4226 return 0; 4227 } 4228 parens += chunkline_count_parens(buf, pos); 4229 while(parens > 0) { 4230 chunkline_remove_trailcomment(buf, pos); 4231 pos = sldns_buffer_position(buf); 4232 if(!chunkline_get_line(chunk, chunk_pos, buf)) { 4233 if(sldns_buffer_position(buf) < sldns_buffer_limit(buf)) 4234 sldns_buffer_write_u8_at(buf, sldns_buffer_position(buf), 0); 4235 else sldns_buffer_write_u8_at(buf, sldns_buffer_position(buf)-1, 0); 4236 sldns_buffer_flip(buf); 4237 return 0; 4238 } 4239 parens += chunkline_count_parens(buf, pos); 4240 } 4241 4242 if(sldns_buffer_remaining(buf) < 1) { 4243 verbose(VERB_ALGO, "http chunkline: " 4244 "line too long"); 4245 return 0; 4246 } 4247 sldns_buffer_write_u8_at(buf, sldns_buffer_position(buf), 0); 4248 sldns_buffer_flip(buf); 4249 return 1; 4250} 4251 4252/** process $ORIGIN for http */ 4253static int 4254http_parse_origin(sldns_buffer* buf, struct sldns_file_parse_state* pstate) 4255{ 4256 char* line = (char*)sldns_buffer_begin(buf); 4257 if(strncmp(line, "$ORIGIN", 7) == 0 && 4258 isspace((unsigned char)line[7])) { 4259 int s; 4260 pstate->origin_len = sizeof(pstate->origin); 4261 s = sldns_str2wire_dname_buf(sldns_strip_ws(line+8), 4262 pstate->origin, &pstate->origin_len); 4263 if(s) pstate->origin_len = 0; 4264 return 1; 4265 } 4266 return 0; 4267} 4268 4269/** process $TTL for http */ 4270static int 4271http_parse_ttl(sldns_buffer* buf, struct sldns_file_parse_state* pstate) 4272{ 4273 char* line = (char*)sldns_buffer_begin(buf); 4274 if(strncmp(line, "$TTL", 4) == 0 && 4275 isspace((unsigned char)line[4])) { 4276 const char* end = NULL; 4277 pstate->default_ttl = sldns_str2period( 4278 sldns_strip_ws(line+5), &end); 4279 return 1; 4280 } 4281 return 0; 4282} 4283 4284/** find noncomment RR line in chunks, collates lines if ( ) format */ 4285static int 4286chunkline_non_comment_RR(struct auth_chunk** chunk, size_t* chunk_pos, 4287 sldns_buffer* buf, struct sldns_file_parse_state* pstate) 4288{ 4289 while(chunkline_get_line_collated(chunk, chunk_pos, buf)) { 4290 if(chunkline_is_comment_line_or_empty(buf)) { 4291 /* a comment, go to next line */ 4292 continue; 4293 } 4294 if(http_parse_origin(buf, pstate)) { 4295 continue; /* $ORIGIN has been handled */ 4296 } 4297 if(http_parse_ttl(buf, pstate)) { 4298 continue; /* $TTL has been handled */ 4299 } 4300 return 1; 4301 } 4302 /* no noncomments, fail */ 4303 return 0; 4304} 4305 4306/** check syntax of chunklist zonefile, parse first RR, return false on 4307 * failure and return a string in the scratch buffer (first RR string) 4308 * on failure. */ 4309static int 4310http_zonefile_syntax_check(struct auth_xfer* xfr, sldns_buffer* buf) 4311{ 4312 uint8_t rr[LDNS_RR_BUF_SIZE]; 4313 size_t rr_len, dname_len = 0; 4314 struct sldns_file_parse_state pstate; 4315 struct auth_chunk* chunk; 4316 size_t chunk_pos; 4317 int e; 4318 memset(&pstate, 0, sizeof(pstate)); 4319 pstate.default_ttl = 3600; 4320 if(xfr->namelen < sizeof(pstate.origin)) { 4321 pstate.origin_len = xfr->namelen; 4322 memmove(pstate.origin, xfr->name, xfr->namelen); 4323 } 4324 chunk = xfr->task_transfer->chunks_first; 4325 chunk_pos = 0; 4326 if(!chunkline_non_comment_RR(&chunk, &chunk_pos, buf, &pstate)) { 4327 return 0; 4328 } 4329 rr_len = sizeof(rr); 4330 e=sldns_str2wire_rr_buf((char*)sldns_buffer_begin(buf), rr, &rr_len, 4331 &dname_len, pstate.default_ttl, 4332 pstate.origin_len?pstate.origin:NULL, pstate.origin_len, 4333 pstate.prev_rr_len?pstate.prev_rr:NULL, pstate.prev_rr_len); 4334 if(e != 0) { 4335 log_err("parse failure on first RR[%d]: %s", 4336 LDNS_WIREPARSE_OFFSET(e), 4337 sldns_get_errorstr_parse(LDNS_WIREPARSE_ERROR(e))); 4338 return 0; 4339 } 4340 /* check that class is correct */ 4341 if(sldns_wirerr_get_class(rr, rr_len, dname_len) != xfr->dclass) { 4342 log_err("parse failure: first record in downloaded zonefile " 4343 "from wrong RR class"); 4344 return 0; 4345 } 4346 return 1; 4347} 4348 4349/** sum sizes of chunklist */ 4350static size_t 4351chunklist_sum(struct auth_chunk* list) 4352{ 4353 struct auth_chunk* p; 4354 size_t s = 0; 4355 for(p=list; p; p=p->next) { 4356 s += p->len; 4357 } 4358 return s; 4359} 4360 4361/** remove newlines from collated line */ 4362static void 4363chunkline_newline_removal(sldns_buffer* buf) 4364{ 4365 size_t i, end=sldns_buffer_limit(buf); 4366 for(i=0; i<end; i++) { 4367 char c = (char)sldns_buffer_read_u8_at(buf, i); 4368 if(c == '\n' && i==end-1) { 4369 sldns_buffer_write_u8_at(buf, i, 0); 4370 sldns_buffer_set_limit(buf, end-1); 4371 return; 4372 } 4373 if(c == '\n') 4374 sldns_buffer_write_u8_at(buf, i, (uint8_t)' '); 4375 } 4376} 4377 4378/** for http download, parse and add RR to zone */ 4379static int 4380http_parse_add_rr(struct auth_xfer* xfr, struct auth_zone* z, 4381 sldns_buffer* buf, struct sldns_file_parse_state* pstate) 4382{ 4383 uint8_t rr[LDNS_RR_BUF_SIZE]; 4384 size_t rr_len, dname_len = 0; 4385 int e; 4386 char* line = (char*)sldns_buffer_begin(buf); 4387 rr_len = sizeof(rr); 4388 e = sldns_str2wire_rr_buf(line, rr, &rr_len, &dname_len, 4389 pstate->default_ttl, 4390 pstate->origin_len?pstate->origin:NULL, pstate->origin_len, 4391 pstate->prev_rr_len?pstate->prev_rr:NULL, pstate->prev_rr_len); 4392 if(e != 0) { 4393 log_err("%s/%s parse failure RR[%d]: %s in '%s'", 4394 xfr->task_transfer->master->host, 4395 xfr->task_transfer->master->file, 4396 LDNS_WIREPARSE_OFFSET(e), 4397 sldns_get_errorstr_parse(LDNS_WIREPARSE_ERROR(e)), 4398 line); 4399 return 0; 4400 } 4401 if(rr_len == 0) 4402 return 1; /* empty line or so */ 4403 4404 /* set prev */ 4405 if(dname_len < sizeof(pstate->prev_rr)) { 4406 memmove(pstate->prev_rr, rr, dname_len); 4407 pstate->prev_rr_len = dname_len; 4408 } 4409 4410 return az_insert_rr(z, rr, rr_len, dname_len, NULL); 4411} 4412 4413/** RR list iterator, returns RRs from answer section one by one from the 4414 * dns packets in the chunklist */ 4415static void 4416chunk_rrlist_start(struct auth_xfer* xfr, struct auth_chunk** rr_chunk, 4417 int* rr_num, size_t* rr_pos) 4418{ 4419 *rr_chunk = xfr->task_transfer->chunks_first; 4420 *rr_num = 0; 4421 *rr_pos = 0; 4422} 4423 4424/** RR list iterator, see if we are at the end of the list */ 4425static int 4426chunk_rrlist_end(struct auth_chunk* rr_chunk, int rr_num) 4427{ 4428 while(rr_chunk) { 4429 if(rr_chunk->len < LDNS_HEADER_SIZE) 4430 return 1; 4431 if(rr_num < (int)LDNS_ANCOUNT(rr_chunk->data)) 4432 return 0; 4433 /* no more RRs in this chunk */ 4434 /* continue with next chunk, see if it has RRs */ 4435 rr_chunk = rr_chunk->next; 4436 rr_num = 0; 4437 } 4438 return 1; 4439} 4440 4441/** RR list iterator, move to next RR */ 4442static void 4443chunk_rrlist_gonext(struct auth_chunk** rr_chunk, int* rr_num, 4444 size_t* rr_pos, size_t rr_nextpos) 4445{ 4446 /* already at end of chunks? */ 4447 if(!*rr_chunk) 4448 return; 4449 /* move within this chunk */ 4450 if((*rr_chunk)->len >= LDNS_HEADER_SIZE && 4451 (*rr_num)+1 < (int)LDNS_ANCOUNT((*rr_chunk)->data)) { 4452 (*rr_num) += 1; 4453 *rr_pos = rr_nextpos; 4454 return; 4455 } 4456 /* no more RRs in this chunk */ 4457 /* continue with next chunk, see if it has RRs */ 4458 if(*rr_chunk) 4459 *rr_chunk = (*rr_chunk)->next; 4460 while(*rr_chunk) { 4461 *rr_num = 0; 4462 *rr_pos = 0; 4463 if((*rr_chunk)->len >= LDNS_HEADER_SIZE && 4464 LDNS_ANCOUNT((*rr_chunk)->data) > 0) { 4465 return; 4466 } 4467 *rr_chunk = (*rr_chunk)->next; 4468 } 4469} 4470 4471/** RR iterator, get current RR information, false on parse error */ 4472static int 4473chunk_rrlist_get_current(struct auth_chunk* rr_chunk, int rr_num, 4474 size_t rr_pos, uint8_t** rr_dname, uint16_t* rr_type, 4475 uint16_t* rr_class, uint32_t* rr_ttl, uint16_t* rr_rdlen, 4476 uint8_t** rr_rdata, size_t* rr_nextpos) 4477{ 4478 sldns_buffer pkt; 4479 /* integrity checks on position */ 4480 if(!rr_chunk) return 0; 4481 if(rr_chunk->len < LDNS_HEADER_SIZE) return 0; 4482 if(rr_num >= (int)LDNS_ANCOUNT(rr_chunk->data)) return 0; 4483 if(rr_pos >= rr_chunk->len) return 0; 4484 4485 /* fetch rr information */ 4486 sldns_buffer_init_frm_data(&pkt, rr_chunk->data, rr_chunk->len); 4487 if(rr_pos == 0) { 4488 size_t i; 4489 /* skip question section */ 4490 sldns_buffer_set_position(&pkt, LDNS_HEADER_SIZE); 4491 for(i=0; i<LDNS_QDCOUNT(rr_chunk->data); i++) { 4492 if(pkt_dname_len(&pkt) == 0) return 0; 4493 if(sldns_buffer_remaining(&pkt) < 4) return 0; 4494 sldns_buffer_skip(&pkt, 4); /* type and class */ 4495 } 4496 } else { 4497 sldns_buffer_set_position(&pkt, rr_pos); 4498 } 4499 *rr_dname = sldns_buffer_current(&pkt); 4500 if(pkt_dname_len(&pkt) == 0) return 0; 4501 if(sldns_buffer_remaining(&pkt) < 10) return 0; 4502 *rr_type = sldns_buffer_read_u16(&pkt); 4503 *rr_class = sldns_buffer_read_u16(&pkt); 4504 *rr_ttl = sldns_buffer_read_u32(&pkt); 4505 *rr_rdlen = sldns_buffer_read_u16(&pkt); 4506 if(sldns_buffer_remaining(&pkt) < (*rr_rdlen)) return 0; 4507 *rr_rdata = sldns_buffer_current(&pkt); 4508 sldns_buffer_skip(&pkt, (ssize_t)(*rr_rdlen)); 4509 *rr_nextpos = sldns_buffer_position(&pkt); 4510 return 1; 4511} 4512 4513/** print log message where we are in parsing the zone transfer */ 4514static void 4515log_rrlist_position(const char* label, struct auth_chunk* rr_chunk, 4516 uint8_t* rr_dname, uint16_t rr_type, size_t rr_counter) 4517{ 4518 sldns_buffer pkt; 4519 size_t dlen; 4520 uint8_t buf[256]; 4521 char str[256]; 4522 char typestr[32]; 4523 sldns_buffer_init_frm_data(&pkt, rr_chunk->data, rr_chunk->len); 4524 sldns_buffer_set_position(&pkt, (size_t)(rr_dname - 4525 sldns_buffer_begin(&pkt))); 4526 if((dlen=pkt_dname_len(&pkt)) == 0) return; 4527 if(dlen >= sizeof(buf)) return; 4528 dname_pkt_copy(&pkt, buf, rr_dname); 4529 dname_str(buf, str); 4530 (void)sldns_wire2str_type_buf(rr_type, typestr, sizeof(typestr)); 4531 verbose(VERB_ALGO, "%s at[%d] %s %s", label, (int)rr_counter, 4532 str, typestr); 4533} 4534 4535/** check that start serial is OK for ixfr. we are at rr_counter == 0, 4536 * and we are going to check rr_counter == 1 (has to be type SOA) serial */ 4537static int 4538ixfr_start_serial(struct auth_chunk* rr_chunk, int rr_num, size_t rr_pos, 4539 uint8_t* rr_dname, uint16_t rr_type, uint16_t rr_class, 4540 uint32_t rr_ttl, uint16_t rr_rdlen, uint8_t* rr_rdata, 4541 size_t rr_nextpos, uint32_t transfer_serial, uint32_t xfr_serial) 4542{ 4543 uint32_t startserial; 4544 /* move forward on RR */ 4545 chunk_rrlist_gonext(&rr_chunk, &rr_num, &rr_pos, rr_nextpos); 4546 if(chunk_rrlist_end(rr_chunk, rr_num)) { 4547 /* no second SOA */ 4548 verbose(VERB_OPS, "IXFR has no second SOA record"); 4549 return 0; 4550 } 4551 if(!chunk_rrlist_get_current(rr_chunk, rr_num, rr_pos, 4552 &rr_dname, &rr_type, &rr_class, &rr_ttl, &rr_rdlen, 4553 &rr_rdata, &rr_nextpos)) { 4554 verbose(VERB_OPS, "IXFR cannot parse second SOA record"); 4555 /* failed to parse RR */ 4556 return 0; 4557 } 4558 if(rr_type != LDNS_RR_TYPE_SOA) { 4559 verbose(VERB_OPS, "IXFR second record is not type SOA"); 4560 return 0; 4561 } 4562 if(rr_rdlen < 22) { 4563 verbose(VERB_OPS, "IXFR, second SOA has short rdlength"); 4564 return 0; /* bad SOA rdlen */ 4565 } 4566 startserial = sldns_read_uint32(rr_rdata+rr_rdlen-20); 4567 if(startserial == transfer_serial) { 4568 /* empty AXFR, not an IXFR */ 4569 verbose(VERB_OPS, "IXFR second serial same as first"); 4570 return 0; 4571 } 4572 if(startserial != xfr_serial) { 4573 /* wrong start serial, it does not match the serial in 4574 * memory */ 4575 verbose(VERB_OPS, "IXFR is from serial %u to %u but %u " 4576 "in memory, rejecting the zone transfer", 4577 (unsigned)startserial, (unsigned)transfer_serial, 4578 (unsigned)xfr_serial); 4579 return 0; 4580 } 4581 /* everything OK in second SOA serial */ 4582 return 1; 4583} 4584 4585/** apply IXFR to zone in memory. z is locked. false on failure(mallocfail) */ 4586static int 4587apply_ixfr(struct auth_xfer* xfr, struct auth_zone* z, 4588 struct sldns_buffer* scratch_buffer) 4589{ 4590 struct auth_chunk* rr_chunk; 4591 int rr_num; 4592 size_t rr_pos; 4593 uint8_t* rr_dname, *rr_rdata; 4594 uint16_t rr_type, rr_class, rr_rdlen; 4595 uint32_t rr_ttl; 4596 size_t rr_nextpos; 4597 int have_transfer_serial = 0; 4598 uint32_t transfer_serial = 0; 4599 size_t rr_counter = 0; 4600 int delmode = 0; 4601 int softfail = 0; 4602 4603 /* start RR iterator over chunklist of packets */ 4604 chunk_rrlist_start(xfr, &rr_chunk, &rr_num, &rr_pos); 4605 while(!chunk_rrlist_end(rr_chunk, rr_num)) { 4606 if(!chunk_rrlist_get_current(rr_chunk, rr_num, rr_pos, 4607 &rr_dname, &rr_type, &rr_class, &rr_ttl, &rr_rdlen, 4608 &rr_rdata, &rr_nextpos)) { 4609 /* failed to parse RR */ 4610 return 0; 4611 } 4612 if(verbosity>=7) log_rrlist_position("apply ixfr", 4613 rr_chunk, rr_dname, rr_type, rr_counter); 4614 /* twiddle add/del mode and check for start and end */ 4615 if(rr_counter == 0 && rr_type != LDNS_RR_TYPE_SOA) 4616 return 0; 4617 if(rr_counter == 1 && rr_type != LDNS_RR_TYPE_SOA) { 4618 /* this is an AXFR returned from the IXFR master */ 4619 /* but that should already have been detected, by 4620 * on_ixfr_is_axfr */ 4621 return 0; 4622 } 4623 if(rr_type == LDNS_RR_TYPE_SOA) { 4624 uint32_t serial; 4625 if(rr_rdlen < 22) return 0; /* bad SOA rdlen */ 4626 serial = sldns_read_uint32(rr_rdata+rr_rdlen-20); 4627 if(have_transfer_serial == 0) { 4628 have_transfer_serial = 1; 4629 transfer_serial = serial; 4630 delmode = 1; /* gets negated below */ 4631 /* check second RR before going any further */ 4632 if(!ixfr_start_serial(rr_chunk, rr_num, rr_pos, 4633 rr_dname, rr_type, rr_class, rr_ttl, 4634 rr_rdlen, rr_rdata, rr_nextpos, 4635 transfer_serial, xfr->serial)) { 4636 return 0; 4637 } 4638 } else if(transfer_serial == serial) { 4639 have_transfer_serial++; 4640 if(rr_counter == 1) { 4641 /* empty AXFR, with SOA; SOA; */ 4642 /* should have been detected by 4643 * on_ixfr_is_axfr */ 4644 return 0; 4645 } 4646 if(have_transfer_serial == 3) { 4647 /* see serial three times for end */ 4648 /* eg. IXFR: 4649 * SOA 3 start 4650 * SOA 1 second RR, followed by del 4651 * SOA 2 followed by add 4652 * SOA 2 followed by del 4653 * SOA 3 followed by add 4654 * SOA 3 end */ 4655 /* ended by SOA record */ 4656 xfr->serial = transfer_serial; 4657 break; 4658 } 4659 } 4660 /* twiddle add/del mode */ 4661 /* switch from delete part to add part and back again 4662 * just before the soa, it gets deleted and added too 4663 * this means we switch to delete mode for the final 4664 * SOA(so skip that one) */ 4665 delmode = !delmode; 4666 } 4667 /* process this RR */ 4668 /* if the RR is deleted twice or added twice, then we 4669 * softfail, and continue with the rest of the IXFR, so 4670 * that we serve something fairly nice during the refetch */ 4671 if(verbosity>=7) log_rrlist_position((delmode?"del":"add"), 4672 rr_chunk, rr_dname, rr_type, rr_counter); 4673 if(delmode) { 4674 /* delete this RR */ 4675 int nonexist = 0; 4676 if(!az_remove_rr_decompress(z, rr_chunk->data, 4677 rr_chunk->len, scratch_buffer, rr_dname, 4678 rr_type, rr_class, rr_ttl, rr_rdata, rr_rdlen, 4679 &nonexist)) { 4680 /* failed, malloc error or so */ 4681 return 0; 4682 } 4683 if(nonexist) { 4684 /* it was removal of a nonexisting RR */ 4685 if(verbosity>=4) log_rrlist_position( 4686 "IXFR error nonexistent RR", 4687 rr_chunk, rr_dname, rr_type, rr_counter); 4688 softfail = 1; 4689 } 4690 } else if(rr_counter != 0) { 4691 /* skip first SOA RR for addition, it is added in 4692 * the addition part near the end of the ixfr, when 4693 * that serial is seen the second time. */ 4694 int duplicate = 0; 4695 /* add this RR */ 4696 if(!az_insert_rr_decompress(z, rr_chunk->data, 4697 rr_chunk->len, scratch_buffer, rr_dname, 4698 rr_type, rr_class, rr_ttl, rr_rdata, rr_rdlen, 4699 &duplicate)) { 4700 /* failed, malloc error or so */ 4701 return 0; 4702 } 4703 if(duplicate) { 4704 /* it was a duplicate */ 4705 if(verbosity>=4) log_rrlist_position( 4706 "IXFR error duplicate RR", 4707 rr_chunk, rr_dname, rr_type, rr_counter); 4708 softfail = 1; 4709 } 4710 } 4711 4712 rr_counter++; 4713 chunk_rrlist_gonext(&rr_chunk, &rr_num, &rr_pos, rr_nextpos); 4714 } 4715 if(softfail) { 4716 verbose(VERB_ALGO, "IXFR did not apply cleanly, fetching full zone"); 4717 return 0; 4718 } 4719 return 1; 4720} 4721 4722/** apply AXFR to zone in memory. z is locked. false on failure(mallocfail) */ 4723static int 4724apply_axfr(struct auth_xfer* xfr, struct auth_zone* z, 4725 struct sldns_buffer* scratch_buffer) 4726{ 4727 struct auth_chunk* rr_chunk; 4728 int rr_num; 4729 size_t rr_pos; 4730 uint8_t* rr_dname, *rr_rdata; 4731 uint16_t rr_type, rr_class, rr_rdlen; 4732 uint32_t rr_ttl; 4733 uint32_t serial = 0; 4734 size_t rr_nextpos; 4735 size_t rr_counter = 0; 4736 int have_end_soa = 0; 4737 4738 /* clear the data tree */ 4739 traverse_postorder(&z->data, auth_data_del, NULL); 4740 rbtree_init(&z->data, &auth_data_cmp); 4741 /* clear the RPZ policies */ 4742 if(z->rpz) 4743 rpz_clear(z->rpz); 4744 4745 xfr->have_zone = 0; 4746 xfr->serial = 0; 4747 4748 /* insert all RRs in to the zone */ 4749 /* insert the SOA only once, skip the last one */ 4750 /* start RR iterator over chunklist of packets */ 4751 chunk_rrlist_start(xfr, &rr_chunk, &rr_num, &rr_pos); 4752 while(!chunk_rrlist_end(rr_chunk, rr_num)) { 4753 if(!chunk_rrlist_get_current(rr_chunk, rr_num, rr_pos, 4754 &rr_dname, &rr_type, &rr_class, &rr_ttl, &rr_rdlen, 4755 &rr_rdata, &rr_nextpos)) { 4756 /* failed to parse RR */ 4757 return 0; 4758 } 4759 if(verbosity>=7) log_rrlist_position("apply_axfr", 4760 rr_chunk, rr_dname, rr_type, rr_counter); 4761 if(rr_type == LDNS_RR_TYPE_SOA) { 4762 if(rr_counter != 0) { 4763 /* end of the axfr */ 4764 have_end_soa = 1; 4765 break; 4766 } 4767 if(rr_rdlen < 22) return 0; /* bad SOA rdlen */ 4768 serial = sldns_read_uint32(rr_rdata+rr_rdlen-20); 4769 } 4770 4771 /* add this RR */ 4772 if(!az_insert_rr_decompress(z, rr_chunk->data, rr_chunk->len, 4773 scratch_buffer, rr_dname, rr_type, rr_class, rr_ttl, 4774 rr_rdata, rr_rdlen, NULL)) { 4775 /* failed, malloc error or so */ 4776 return 0; 4777 } 4778 4779 rr_counter++; 4780 chunk_rrlist_gonext(&rr_chunk, &rr_num, &rr_pos, rr_nextpos); 4781 } 4782 if(!have_end_soa) { 4783 log_err("no end SOA record for AXFR"); 4784 return 0; 4785 } 4786 4787 xfr->serial = serial; 4788 xfr->have_zone = 1; 4789 return 1; 4790} 4791 4792/** apply HTTP to zone in memory. z is locked. false on failure(mallocfail) */ 4793static int 4794apply_http(struct auth_xfer* xfr, struct auth_zone* z, 4795 struct sldns_buffer* scratch_buffer) 4796{ 4797 /* parse data in chunks */ 4798 /* parse RR's and read into memory. ignore $INCLUDE from the 4799 * downloaded file*/ 4800 struct sldns_file_parse_state pstate; 4801 struct auth_chunk* chunk; 4802 size_t chunk_pos; 4803 memset(&pstate, 0, sizeof(pstate)); 4804 pstate.default_ttl = 3600; 4805 if(xfr->namelen < sizeof(pstate.origin)) { 4806 pstate.origin_len = xfr->namelen; 4807 memmove(pstate.origin, xfr->name, xfr->namelen); 4808 } 4809 4810 if(verbosity >= VERB_ALGO) 4811 verbose(VERB_ALGO, "http download %s of size %d", 4812 xfr->task_transfer->master->file, 4813 (int)chunklist_sum(xfr->task_transfer->chunks_first)); 4814 if(xfr->task_transfer->chunks_first && verbosity >= VERB_ALGO) { 4815 char preview[1024]; 4816 if(xfr->task_transfer->chunks_first->len+1 > sizeof(preview)) { 4817 memmove(preview, xfr->task_transfer->chunks_first->data, 4818 sizeof(preview)-1); 4819 preview[sizeof(preview)-1]=0; 4820 } else { 4821 memmove(preview, xfr->task_transfer->chunks_first->data, 4822 xfr->task_transfer->chunks_first->len); 4823 preview[xfr->task_transfer->chunks_first->len]=0; 4824 } 4825 log_info("auth zone http downloaded content preview: %s", 4826 preview); 4827 } 4828 4829 /* perhaps a little syntax check before we try to apply the data? */ 4830 if(!http_zonefile_syntax_check(xfr, scratch_buffer)) { 4831 log_err("http download %s/%s does not contain a zonefile, " 4832 "but got '%s'", xfr->task_transfer->master->host, 4833 xfr->task_transfer->master->file, 4834 sldns_buffer_begin(scratch_buffer)); 4835 return 0; 4836 } 4837 4838 /* clear the data tree */ 4839 traverse_postorder(&z->data, auth_data_del, NULL); 4840 rbtree_init(&z->data, &auth_data_cmp); 4841 /* clear the RPZ policies */ 4842 if(z->rpz) 4843 rpz_clear(z->rpz); 4844 4845 xfr->have_zone = 0; 4846 xfr->serial = 0; 4847 4848 chunk = xfr->task_transfer->chunks_first; 4849 chunk_pos = 0; 4850 pstate.lineno = 0; 4851 while(chunkline_get_line_collated(&chunk, &chunk_pos, scratch_buffer)) { 4852 /* process this line */ 4853 pstate.lineno++; 4854 chunkline_newline_removal(scratch_buffer); 4855 if(chunkline_is_comment_line_or_empty(scratch_buffer)) { 4856 continue; 4857 } 4858 /* parse line and add RR */ 4859 if(http_parse_origin(scratch_buffer, &pstate)) { 4860 continue; /* $ORIGIN has been handled */ 4861 } 4862 if(http_parse_ttl(scratch_buffer, &pstate)) { 4863 continue; /* $TTL has been handled */ 4864 } 4865 if(!http_parse_add_rr(xfr, z, scratch_buffer, &pstate)) { 4866 verbose(VERB_ALGO, "error parsing line [%s:%d] %s", 4867 xfr->task_transfer->master->file, 4868 pstate.lineno, 4869 sldns_buffer_begin(scratch_buffer)); 4870 return 0; 4871 } 4872 } 4873 return 1; 4874} 4875 4876/** write http chunks to zonefile to create downloaded file */ 4877static int 4878auth_zone_write_chunks(struct auth_xfer* xfr, const char* fname) 4879{ 4880 FILE* out; 4881 struct auth_chunk* p; 4882 out = fopen(fname, "w"); 4883 if(!out) { 4884 log_err("could not open %s: %s", fname, strerror(errno)); 4885 return 0; 4886 } 4887 for(p = xfr->task_transfer->chunks_first; p ; p = p->next) { 4888 if(!write_out(out, (char*)p->data, p->len)) { 4889 log_err("could not write http download to %s", fname); 4890 fclose(out); 4891 return 0; 4892 } 4893 } 4894 fclose(out); 4895 return 1; 4896} 4897 4898/** write to zonefile after zone has been updated */ 4899static void 4900xfr_write_after_update(struct auth_xfer* xfr, struct module_env* env) 4901{ 4902 struct config_file* cfg = env->cfg; 4903 struct auth_zone* z; 4904 char tmpfile[1024]; 4905 char* zfilename; 4906 lock_basic_unlock(&xfr->lock); 4907 4908 /* get lock again, so it is a readlock and concurrently queries 4909 * can be answered */ 4910 lock_rw_rdlock(&env->auth_zones->lock); 4911 z = auth_zone_find(env->auth_zones, xfr->name, xfr->namelen, 4912 xfr->dclass); 4913 if(!z) { 4914 lock_rw_unlock(&env->auth_zones->lock); 4915 /* the zone is gone, ignore xfr results */ 4916 lock_basic_lock(&xfr->lock); 4917 return; 4918 } 4919 lock_rw_rdlock(&z->lock); 4920 lock_basic_lock(&xfr->lock); 4921 lock_rw_unlock(&env->auth_zones->lock); 4922 4923 if(z->zonefile == NULL || z->zonefile[0] == 0) { 4924 lock_rw_unlock(&z->lock); 4925 /* no write needed, no zonefile set */ 4926 return; 4927 } 4928 zfilename = z->zonefile; 4929 if(cfg->chrootdir && cfg->chrootdir[0] && strncmp(zfilename, 4930 cfg->chrootdir, strlen(cfg->chrootdir)) == 0) 4931 zfilename += strlen(cfg->chrootdir); 4932 if(verbosity >= VERB_ALGO) { 4933 char nm[255+1]; 4934 dname_str(z->name, nm); 4935 verbose(VERB_ALGO, "write zonefile %s for %s", zfilename, nm); 4936 } 4937 4938 /* write to tempfile first */ 4939 if((size_t)strlen(zfilename) + 16 > sizeof(tmpfile)) { 4940 verbose(VERB_ALGO, "tmpfilename too long, cannot update " 4941 " zonefile %s", zfilename); 4942 lock_rw_unlock(&z->lock); 4943 return; 4944 } 4945 snprintf(tmpfile, sizeof(tmpfile), "%s.tmp%u", zfilename, 4946 (unsigned)getpid()); 4947 if(xfr->task_transfer->master->http) { 4948 /* use the stored chunk list to write them */ 4949 if(!auth_zone_write_chunks(xfr, tmpfile)) { 4950 unlink(tmpfile); 4951 lock_rw_unlock(&z->lock); 4952 return; 4953 } 4954 } else if(!auth_zone_write_file(z, tmpfile)) { 4955 unlink(tmpfile); 4956 lock_rw_unlock(&z->lock); 4957 return; 4958 } 4959 if(rename(tmpfile, zfilename) < 0) { 4960 log_err("could not rename(%s, %s): %s", tmpfile, zfilename, 4961 strerror(errno)); 4962 unlink(tmpfile); 4963 lock_rw_unlock(&z->lock); 4964 return; 4965 } 4966 lock_rw_unlock(&z->lock); 4967} 4968 4969/** process chunk list and update zone in memory, 4970 * return false if it did not work */ 4971static int 4972xfr_process_chunk_list(struct auth_xfer* xfr, struct module_env* env, 4973 int* ixfr_fail) 4974{ 4975 struct auth_zone* z; 4976 4977 /* obtain locks and structures */ 4978 /* release xfr lock, then, while holding az->lock grab both 4979 * z->lock and xfr->lock */ 4980 lock_basic_unlock(&xfr->lock); 4981 lock_rw_rdlock(&env->auth_zones->lock); 4982 z = auth_zone_find(env->auth_zones, xfr->name, xfr->namelen, 4983 xfr->dclass); 4984 if(!z) { 4985 lock_rw_unlock(&env->auth_zones->lock); 4986 /* the zone is gone, ignore xfr results */ 4987 lock_basic_lock(&xfr->lock); 4988 return 0; 4989 } 4990 lock_rw_wrlock(&z->lock); 4991 lock_basic_lock(&xfr->lock); 4992 lock_rw_unlock(&env->auth_zones->lock); 4993 4994 /* apply data */ 4995 if(xfr->task_transfer->master->http) { 4996 if(!apply_http(xfr, z, env->scratch_buffer)) { 4997 lock_rw_unlock(&z->lock); 4998 verbose(VERB_ALGO, "http from %s: could not store data", 4999 xfr->task_transfer->master->host); 5000 return 0; 5001 } 5002 } else if(xfr->task_transfer->on_ixfr && 5003 !xfr->task_transfer->on_ixfr_is_axfr) { 5004 if(!apply_ixfr(xfr, z, env->scratch_buffer)) { 5005 lock_rw_unlock(&z->lock); 5006 verbose(VERB_ALGO, "xfr from %s: could not store IXFR" 5007 " data", xfr->task_transfer->master->host); 5008 *ixfr_fail = 1; 5009 return 0; 5010 } 5011 } else { 5012 if(!apply_axfr(xfr, z, env->scratch_buffer)) { 5013 lock_rw_unlock(&z->lock); 5014 verbose(VERB_ALGO, "xfr from %s: could not store AXFR" 5015 " data", xfr->task_transfer->master->host); 5016 return 0; 5017 } 5018 } 5019 xfr->zone_expired = 0; 5020 z->zone_expired = 0; 5021 if(!xfr_find_soa(z, xfr)) { 5022 lock_rw_unlock(&z->lock); 5023 verbose(VERB_ALGO, "xfr from %s: no SOA in zone after update" 5024 " (or malformed RR)", xfr->task_transfer->master->host); 5025 return 0; 5026 } 5027 if(xfr->have_zone) 5028 xfr->lease_time = *env->now; 5029 5030 if(z->rpz) 5031 rpz_finish_config(z->rpz); 5032 5033 /* unlock */ 5034 lock_rw_unlock(&z->lock); 5035 5036 if(verbosity >= VERB_QUERY && xfr->have_zone) { 5037 char zname[256]; 5038 dname_str(xfr->name, zname); 5039 verbose(VERB_QUERY, "auth zone %s updated to serial %u", zname, 5040 (unsigned)xfr->serial); 5041 } 5042 /* see if we need to write to a zonefile */ 5043 xfr_write_after_update(xfr, env); 5044 return 1; 5045} 5046 5047/** disown task_transfer. caller must hold xfr.lock */ 5048static void 5049xfr_transfer_disown(struct auth_xfer* xfr) 5050{ 5051 /* remove timer (from this worker's event base) */ 5052 comm_timer_delete(xfr->task_transfer->timer); 5053 xfr->task_transfer->timer = NULL; 5054 /* remove the commpoint */ 5055 comm_point_delete(xfr->task_transfer->cp); 5056 xfr->task_transfer->cp = NULL; 5057 /* we don't own this item anymore */ 5058 xfr->task_transfer->worker = NULL; 5059 xfr->task_transfer->env = NULL; 5060} 5061 5062/** lookup a host name for its addresses, if needed */ 5063static int 5064xfr_transfer_lookup_host(struct auth_xfer* xfr, struct module_env* env) 5065{ 5066 struct sockaddr_storage addr; 5067 socklen_t addrlen = 0; 5068 struct auth_master* master = xfr->task_transfer->lookup_target; 5069 struct query_info qinfo; 5070 uint16_t qflags = BIT_RD; 5071 uint8_t dname[LDNS_MAX_DOMAINLEN+1]; 5072 struct edns_data edns; 5073 sldns_buffer* buf = env->scratch_buffer; 5074 if(!master) return 0; 5075 if(extstrtoaddr(master->host, &addr, &addrlen)) { 5076 /* not needed, host is in IP addr format */ 5077 return 0; 5078 } 5079 if(master->allow_notify) 5080 return 0; /* allow-notifies are not transferred from, no 5081 lookup is needed */ 5082 5083 /* use mesh_new_callback to probe for non-addr hosts, 5084 * and then wait for them to be looked up (in cache, or query) */ 5085 qinfo.qname_len = sizeof(dname); 5086 if(sldns_str2wire_dname_buf(master->host, dname, &qinfo.qname_len) 5087 != 0) { 5088 log_err("cannot parse host name of master %s", master->host); 5089 return 0; 5090 } 5091 qinfo.qname = dname; 5092 qinfo.qclass = xfr->dclass; 5093 qinfo.qtype = LDNS_RR_TYPE_A; 5094 if(xfr->task_transfer->lookup_aaaa) 5095 qinfo.qtype = LDNS_RR_TYPE_AAAA; 5096 qinfo.local_alias = NULL; 5097 if(verbosity >= VERB_ALGO) { 5098 char buf1[512]; 5099 char buf2[LDNS_MAX_DOMAINLEN+1]; 5100 dname_str(xfr->name, buf2); 5101 snprintf(buf1, sizeof(buf1), "auth zone %s: master lookup" 5102 " for task_transfer", buf2); 5103 log_query_info(VERB_ALGO, buf1, &qinfo); 5104 } 5105 edns.edns_present = 1; 5106 edns.ext_rcode = 0; 5107 edns.edns_version = 0; 5108 edns.bits = EDNS_DO; 5109 edns.opt_list = NULL; 5110 if(sldns_buffer_capacity(buf) < 65535) 5111 edns.udp_size = (uint16_t)sldns_buffer_capacity(buf); 5112 else edns.udp_size = 65535; 5113 5114 /* unlock xfr during mesh_new_callback() because the callback can be 5115 * called straight away */ 5116 lock_basic_unlock(&xfr->lock); 5117 if(!mesh_new_callback(env->mesh, &qinfo, qflags, &edns, buf, 0, 5118 &auth_xfer_transfer_lookup_callback, xfr)) { 5119 lock_basic_lock(&xfr->lock); 5120 log_err("out of memory lookup up master %s", master->host); 5121 return 0; 5122 } 5123 lock_basic_lock(&xfr->lock); 5124 return 1; 5125} 5126 5127/** initiate TCP to the target and fetch zone. 5128 * returns true if that was successfully started, and timeout setup. */ 5129static int 5130xfr_transfer_init_fetch(struct auth_xfer* xfr, struct module_env* env) 5131{ 5132 struct sockaddr_storage addr; 5133 socklen_t addrlen = 0; 5134 struct auth_master* master = xfr->task_transfer->master; 5135 char *auth_name = NULL; 5136 struct timeval t; 5137 int timeout; 5138 if(!master) return 0; 5139 if(master->allow_notify) return 0; /* only for notify */ 5140 5141 /* get master addr */ 5142 if(xfr->task_transfer->scan_addr) { 5143 addrlen = xfr->task_transfer->scan_addr->addrlen; 5144 memmove(&addr, &xfr->task_transfer->scan_addr->addr, addrlen); 5145 } else { 5146 if(!authextstrtoaddr(master->host, &addr, &addrlen, &auth_name)) { 5147 /* the ones that are not in addr format are supposed 5148 * to be looked up. The lookup has failed however, 5149 * so skip them */ 5150 char zname[255+1]; 5151 dname_str(xfr->name, zname); 5152 log_err("%s: failed lookup, cannot transfer from master %s", 5153 zname, master->host); 5154 return 0; 5155 } 5156 } 5157 5158 /* remove previous TCP connection (if any) */ 5159 if(xfr->task_transfer->cp) { 5160 comm_point_delete(xfr->task_transfer->cp); 5161 xfr->task_transfer->cp = NULL; 5162 } 5163 if(!xfr->task_transfer->timer) { 5164 xfr->task_transfer->timer = comm_timer_create(env->worker_base, 5165 auth_xfer_transfer_timer_callback, xfr); 5166 if(!xfr->task_transfer->timer) { 5167 log_err("malloc failure"); 5168 return 0; 5169 } 5170 } 5171 timeout = AUTH_TRANSFER_TIMEOUT; 5172#ifndef S_SPLINT_S 5173 t.tv_sec = timeout/1000; 5174 t.tv_usec = (timeout%1000)*1000; 5175#endif 5176 5177 if(master->http) { 5178 /* perform http fetch */ 5179 /* store http port number into sockaddr, 5180 * unless someone used unbound's host@port notation */ 5181 xfr->task_transfer->on_ixfr = 0; 5182 if(strchr(master->host, '@') == NULL) 5183 sockaddr_store_port(&addr, addrlen, master->port); 5184 xfr->task_transfer->cp = outnet_comm_point_for_http( 5185 env->outnet, auth_xfer_transfer_http_callback, xfr, 5186 &addr, addrlen, -1, master->ssl, master->host, 5187 master->file); 5188 if(!xfr->task_transfer->cp) { 5189 char zname[255+1], as[256]; 5190 dname_str(xfr->name, zname); 5191 addr_to_str(&addr, addrlen, as, sizeof(as)); 5192 verbose(VERB_ALGO, "cannot create http cp " 5193 "connection for %s to %s", zname, as); 5194 return 0; 5195 } 5196 comm_timer_set(xfr->task_transfer->timer, &t); 5197 if(verbosity >= VERB_ALGO) { 5198 char zname[255+1], as[256]; 5199 dname_str(xfr->name, zname); 5200 addr_to_str(&addr, addrlen, as, sizeof(as)); 5201 verbose(VERB_ALGO, "auth zone %s transfer next HTTP fetch from %s started", zname, as); 5202 } 5203 return 1; 5204 } 5205 5206 /* perform AXFR/IXFR */ 5207 /* set the packet to be written */ 5208 /* create new ID */ 5209 xfr->task_transfer->id = (uint16_t)(ub_random(env->rnd)&0xffff); 5210 xfr_create_ixfr_packet(xfr, env->scratch_buffer, 5211 xfr->task_transfer->id, master); 5212 5213 /* connect on fd */ 5214 xfr->task_transfer->cp = outnet_comm_point_for_tcp(env->outnet, 5215 auth_xfer_transfer_tcp_callback, xfr, &addr, addrlen, 5216 env->scratch_buffer, -1, 5217 auth_name != NULL, auth_name); 5218 if(!xfr->task_transfer->cp) { 5219 char zname[255+1], as[256]; 5220 dname_str(xfr->name, zname); 5221 addr_to_str(&addr, addrlen, as, sizeof(as)); 5222 verbose(VERB_ALGO, "cannot create tcp cp connection for " 5223 "xfr %s to %s", zname, as); 5224 return 0; 5225 } 5226 comm_timer_set(xfr->task_transfer->timer, &t); 5227 if(verbosity >= VERB_ALGO) { 5228 char zname[255+1], as[256]; 5229 dname_str(xfr->name, zname); 5230 addr_to_str(&addr, addrlen, as, sizeof(as)); 5231 verbose(VERB_ALGO, "auth zone %s transfer next %s fetch from %s started", zname, 5232 (xfr->task_transfer->on_ixfr?"IXFR":"AXFR"), as); 5233 } 5234 return 1; 5235} 5236 5237/** perform next lookup, next transfer TCP, or end and resume wait time task */ 5238static void 5239xfr_transfer_nexttarget_or_end(struct auth_xfer* xfr, struct module_env* env) 5240{ 5241 log_assert(xfr->task_transfer->worker == env->worker); 5242 5243 /* are we performing lookups? */ 5244 while(xfr->task_transfer->lookup_target) { 5245 if(xfr_transfer_lookup_host(xfr, env)) { 5246 /* wait for lookup to finish, 5247 * note that the hostname may be in unbound's cache 5248 * and we may then get an instant cache response, 5249 * and that calls the callback just like a full 5250 * lookup and lookup failures also call callback */ 5251 if(verbosity >= VERB_ALGO) { 5252 char zname[255+1]; 5253 dname_str(xfr->name, zname); 5254 verbose(VERB_ALGO, "auth zone %s transfer next target lookup", zname); 5255 } 5256 lock_basic_unlock(&xfr->lock); 5257 return; 5258 } 5259 xfr_transfer_move_to_next_lookup(xfr, env); 5260 } 5261 5262 /* initiate TCP and fetch the zone from the master */ 5263 /* and set timeout on it */ 5264 while(!xfr_transfer_end_of_list(xfr)) { 5265 xfr->task_transfer->master = xfr_transfer_current_master(xfr); 5266 if(xfr_transfer_init_fetch(xfr, env)) { 5267 /* successfully started, wait for callback */ 5268 lock_basic_unlock(&xfr->lock); 5269 return; 5270 } 5271 /* failed to fetch, next master */ 5272 xfr_transfer_nextmaster(xfr); 5273 } 5274 if(verbosity >= VERB_ALGO) { 5275 char zname[255+1]; 5276 dname_str(xfr->name, zname); 5277 verbose(VERB_ALGO, "auth zone %s transfer failed, wait", zname); 5278 } 5279 5280 /* we failed to fetch the zone, move to wait task 5281 * use the shorter retry timeout */ 5282 xfr_transfer_disown(xfr); 5283 5284 /* pick up the nextprobe task and wait */ 5285 if(xfr->task_nextprobe->worker == NULL) 5286 xfr_set_timeout(xfr, env, 1, 0); 5287 lock_basic_unlock(&xfr->lock); 5288} 5289 5290/** add addrs from A or AAAA rrset to the master */ 5291static void 5292xfr_master_add_addrs(struct auth_master* m, struct ub_packed_rrset_key* rrset, 5293 uint16_t rrtype) 5294{ 5295 size_t i; 5296 struct packed_rrset_data* data; 5297 if(!m || !rrset) return; 5298 if(rrtype != LDNS_RR_TYPE_A && rrtype != LDNS_RR_TYPE_AAAA) 5299 return; 5300 data = (struct packed_rrset_data*)rrset->entry.data; 5301 for(i=0; i<data->count; i++) { 5302 struct auth_addr* a; 5303 size_t len = data->rr_len[i] - 2; 5304 uint8_t* rdata = data->rr_data[i]+2; 5305 if(rrtype == LDNS_RR_TYPE_A && len != INET_SIZE) 5306 continue; /* wrong length for A */ 5307 if(rrtype == LDNS_RR_TYPE_AAAA && len != INET6_SIZE) 5308 continue; /* wrong length for AAAA */ 5309 5310 /* add and alloc it */ 5311 a = (struct auth_addr*)calloc(1, sizeof(*a)); 5312 if(!a) { 5313 log_err("out of memory"); 5314 return; 5315 } 5316 if(rrtype == LDNS_RR_TYPE_A) { 5317 struct sockaddr_in* sa; 5318 a->addrlen = (socklen_t)sizeof(*sa); 5319 sa = (struct sockaddr_in*)&a->addr; 5320 sa->sin_family = AF_INET; 5321 sa->sin_port = (in_port_t)htons(UNBOUND_DNS_PORT); 5322 memmove(&sa->sin_addr, rdata, INET_SIZE); 5323 } else { 5324 struct sockaddr_in6* sa; 5325 a->addrlen = (socklen_t)sizeof(*sa); 5326 sa = (struct sockaddr_in6*)&a->addr; 5327 sa->sin6_family = AF_INET6; 5328 sa->sin6_port = (in_port_t)htons(UNBOUND_DNS_PORT); 5329 memmove(&sa->sin6_addr, rdata, INET6_SIZE); 5330 } 5331 if(verbosity >= VERB_ALGO) { 5332 char s[64]; 5333 addr_to_str(&a->addr, a->addrlen, s, sizeof(s)); 5334 verbose(VERB_ALGO, "auth host %s lookup %s", 5335 m->host, s); 5336 } 5337 /* append to list */ 5338 a->next = m->list; 5339 m->list = a; 5340 } 5341} 5342 5343/** callback for task_transfer lookup of host name, of A or AAAA */ 5344void auth_xfer_transfer_lookup_callback(void* arg, int rcode, sldns_buffer* buf, 5345 enum sec_status ATTR_UNUSED(sec), char* ATTR_UNUSED(why_bogus), 5346 int ATTR_UNUSED(was_ratelimited)) 5347{ 5348 struct auth_xfer* xfr = (struct auth_xfer*)arg; 5349 struct module_env* env; 5350 log_assert(xfr->task_transfer); 5351 lock_basic_lock(&xfr->lock); 5352 env = xfr->task_transfer->env; 5353 if(!env || env->outnet->want_to_quit) { 5354 lock_basic_unlock(&xfr->lock); 5355 return; /* stop on quit */ 5356 } 5357 5358 /* process result */ 5359 if(rcode == LDNS_RCODE_NOERROR) { 5360 uint16_t wanted_qtype = LDNS_RR_TYPE_A; 5361 struct regional* temp = env->scratch; 5362 struct query_info rq; 5363 struct reply_info* rep; 5364 if(xfr->task_transfer->lookup_aaaa) 5365 wanted_qtype = LDNS_RR_TYPE_AAAA; 5366 memset(&rq, 0, sizeof(rq)); 5367 rep = parse_reply_in_temp_region(buf, temp, &rq); 5368 if(rep && rq.qtype == wanted_qtype && 5369 FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NOERROR) { 5370 /* parsed successfully */ 5371 struct ub_packed_rrset_key* answer = 5372 reply_find_answer_rrset(&rq, rep); 5373 if(answer) { 5374 xfr_master_add_addrs(xfr->task_transfer-> 5375 lookup_target, answer, wanted_qtype); 5376 } else { 5377 if(verbosity >= VERB_ALGO) { 5378 char zname[255+1]; 5379 dname_str(xfr->name, zname); 5380 verbose(VERB_ALGO, "auth zone %s host %s type %s transfer lookup has nodata", zname, xfr->task_transfer->lookup_target->host, (xfr->task_transfer->lookup_aaaa?"AAAA":"A")); 5381 } 5382 } 5383 } else { 5384 if(verbosity >= VERB_ALGO) { 5385 char zname[255+1]; 5386 dname_str(xfr->name, zname); 5387 verbose(VERB_ALGO, "auth zone %s host %s type %s transfer lookup has no answer", zname, xfr->task_transfer->lookup_target->host, (xfr->task_transfer->lookup_aaaa?"AAAA":"A")); 5388 } 5389 } 5390 regional_free_all(temp); 5391 } else { 5392 if(verbosity >= VERB_ALGO) { 5393 char zname[255+1]; 5394 dname_str(xfr->name, zname); 5395 verbose(VERB_ALGO, "auth zone %s host %s type %s transfer lookup failed", zname, xfr->task_transfer->lookup_target->host, (xfr->task_transfer->lookup_aaaa?"AAAA":"A")); 5396 } 5397 } 5398 if(xfr->task_transfer->lookup_target->list && 5399 xfr->task_transfer->lookup_target == xfr_transfer_current_master(xfr)) 5400 xfr->task_transfer->scan_addr = xfr->task_transfer->lookup_target->list; 5401 5402 /* move to lookup AAAA after A lookup, move to next hostname lookup, 5403 * or move to fetch the zone, or, if nothing to do, end task_transfer */ 5404 xfr_transfer_move_to_next_lookup(xfr, env); 5405 xfr_transfer_nexttarget_or_end(xfr, env); 5406} 5407 5408/** check if xfer (AXFR or IXFR) packet is OK. 5409 * return false if we lost connection (SERVFAIL, or unreadable). 5410 * return false if we need to move from IXFR to AXFR, with gonextonfail 5411 * set to false, so the same master is tried again, but with AXFR. 5412 * return true if fine to link into data. 5413 * return true with transferdone=true when the transfer has ended. 5414 */ 5415static int 5416check_xfer_packet(sldns_buffer* pkt, struct auth_xfer* xfr, 5417 int* gonextonfail, int* transferdone) 5418{ 5419 uint8_t* wire = sldns_buffer_begin(pkt); 5420 int i; 5421 if(sldns_buffer_limit(pkt) < LDNS_HEADER_SIZE) { 5422 verbose(VERB_ALGO, "xfr to %s failed, packet too small", 5423 xfr->task_transfer->master->host); 5424 return 0; 5425 } 5426 if(!LDNS_QR_WIRE(wire)) { 5427 verbose(VERB_ALGO, "xfr to %s failed, packet has no QR flag", 5428 xfr->task_transfer->master->host); 5429 return 0; 5430 } 5431 if(LDNS_TC_WIRE(wire)) { 5432 verbose(VERB_ALGO, "xfr to %s failed, packet has TC flag", 5433 xfr->task_transfer->master->host); 5434 return 0; 5435 } 5436 /* check ID */ 5437 if(LDNS_ID_WIRE(wire) != xfr->task_transfer->id) { 5438 verbose(VERB_ALGO, "xfr to %s failed, packet wrong ID", 5439 xfr->task_transfer->master->host); 5440 return 0; 5441 } 5442 if(LDNS_RCODE_WIRE(wire) != LDNS_RCODE_NOERROR) { 5443 char rcode[32]; 5444 sldns_wire2str_rcode_buf((int)LDNS_RCODE_WIRE(wire), rcode, 5445 sizeof(rcode)); 5446 /* if we are doing IXFR, check for fallback */ 5447 if(xfr->task_transfer->on_ixfr) { 5448 if(LDNS_RCODE_WIRE(wire) == LDNS_RCODE_NOTIMPL || 5449 LDNS_RCODE_WIRE(wire) == LDNS_RCODE_SERVFAIL || 5450 LDNS_RCODE_WIRE(wire) == LDNS_RCODE_REFUSED || 5451 LDNS_RCODE_WIRE(wire) == LDNS_RCODE_FORMERR) { 5452 verbose(VERB_ALGO, "xfr to %s, fallback " 5453 "from IXFR to AXFR (with rcode %s)", 5454 xfr->task_transfer->master->host, 5455 rcode); 5456 xfr->task_transfer->ixfr_fail = 1; 5457 *gonextonfail = 0; 5458 return 0; 5459 } 5460 } 5461 verbose(VERB_ALGO, "xfr to %s failed, packet with rcode %s", 5462 xfr->task_transfer->master->host, rcode); 5463 return 0; 5464 } 5465 if(LDNS_OPCODE_WIRE(wire) != LDNS_PACKET_QUERY) { 5466 verbose(VERB_ALGO, "xfr to %s failed, packet with bad opcode", 5467 xfr->task_transfer->master->host); 5468 return 0; 5469 } 5470 if(LDNS_QDCOUNT(wire) > 1) { 5471 verbose(VERB_ALGO, "xfr to %s failed, packet has qdcount %d", 5472 xfr->task_transfer->master->host, 5473 (int)LDNS_QDCOUNT(wire)); 5474 return 0; 5475 } 5476 5477 /* check qname */ 5478 sldns_buffer_set_position(pkt, LDNS_HEADER_SIZE); 5479 for(i=0; i<(int)LDNS_QDCOUNT(wire); i++) { 5480 size_t pos = sldns_buffer_position(pkt); 5481 uint16_t qtype, qclass; 5482 if(pkt_dname_len(pkt) == 0) { 5483 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5484 "malformed dname", 5485 xfr->task_transfer->master->host); 5486 return 0; 5487 } 5488 if(dname_pkt_compare(pkt, sldns_buffer_at(pkt, pos), 5489 xfr->name) != 0) { 5490 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5491 "wrong qname", 5492 xfr->task_transfer->master->host); 5493 return 0; 5494 } 5495 if(sldns_buffer_remaining(pkt) < 4) { 5496 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5497 "truncated query RR", 5498 xfr->task_transfer->master->host); 5499 return 0; 5500 } 5501 qtype = sldns_buffer_read_u16(pkt); 5502 qclass = sldns_buffer_read_u16(pkt); 5503 if(qclass != xfr->dclass) { 5504 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5505 "wrong qclass", 5506 xfr->task_transfer->master->host); 5507 return 0; 5508 } 5509 if(xfr->task_transfer->on_ixfr) { 5510 if(qtype != LDNS_RR_TYPE_IXFR) { 5511 verbose(VERB_ALGO, "xfr to %s failed, packet " 5512 "with wrong qtype, expected IXFR", 5513 xfr->task_transfer->master->host); 5514 return 0; 5515 } 5516 } else { 5517 if(qtype != LDNS_RR_TYPE_AXFR) { 5518 verbose(VERB_ALGO, "xfr to %s failed, packet " 5519 "with wrong qtype, expected AXFR", 5520 xfr->task_transfer->master->host); 5521 return 0; 5522 } 5523 } 5524 } 5525 5526 /* check parse of RRs in packet, store first SOA serial 5527 * to be able to detect last SOA (with that serial) to see if done */ 5528 /* also check for IXFR 'zone up to date' reply */ 5529 for(i=0; i<(int)LDNS_ANCOUNT(wire); i++) { 5530 size_t pos = sldns_buffer_position(pkt); 5531 uint16_t tp, rdlen; 5532 if(pkt_dname_len(pkt) == 0) { 5533 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5534 "malformed dname in answer section", 5535 xfr->task_transfer->master->host); 5536 return 0; 5537 } 5538 if(sldns_buffer_remaining(pkt) < 10) { 5539 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5540 "truncated RR", 5541 xfr->task_transfer->master->host); 5542 return 0; 5543 } 5544 tp = sldns_buffer_read_u16(pkt); 5545 (void)sldns_buffer_read_u16(pkt); /* class */ 5546 (void)sldns_buffer_read_u32(pkt); /* ttl */ 5547 rdlen = sldns_buffer_read_u16(pkt); 5548 if(sldns_buffer_remaining(pkt) < rdlen) { 5549 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5550 "truncated RR rdata", 5551 xfr->task_transfer->master->host); 5552 return 0; 5553 } 5554 5555 /* RR parses (haven't checked rdata itself), now look at 5556 * SOA records to see serial number */ 5557 if(xfr->task_transfer->rr_scan_num == 0 && 5558 tp != LDNS_RR_TYPE_SOA) { 5559 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5560 "malformed zone transfer, no start SOA", 5561 xfr->task_transfer->master->host); 5562 return 0; 5563 } 5564 if(xfr->task_transfer->rr_scan_num == 1 && 5565 tp != LDNS_RR_TYPE_SOA) { 5566 /* second RR is not a SOA record, this is not an IXFR 5567 * the master is replying with an AXFR */ 5568 xfr->task_transfer->on_ixfr_is_axfr = 1; 5569 } 5570 if(tp == LDNS_RR_TYPE_SOA) { 5571 uint32_t serial; 5572 if(rdlen < 22) { 5573 verbose(VERB_ALGO, "xfr to %s failed, packet " 5574 "with SOA with malformed rdata", 5575 xfr->task_transfer->master->host); 5576 return 0; 5577 } 5578 if(dname_pkt_compare(pkt, sldns_buffer_at(pkt, pos), 5579 xfr->name) != 0) { 5580 verbose(VERB_ALGO, "xfr to %s failed, packet " 5581 "with SOA with wrong dname", 5582 xfr->task_transfer->master->host); 5583 return 0; 5584 } 5585 5586 /* read serial number of SOA */ 5587 serial = sldns_buffer_read_u32_at(pkt, 5588 sldns_buffer_position(pkt)+rdlen-20); 5589 5590 /* check for IXFR 'zone has SOA x' reply */ 5591 if(xfr->task_transfer->on_ixfr && 5592 xfr->task_transfer->rr_scan_num == 0 && 5593 LDNS_ANCOUNT(wire)==1) { 5594 verbose(VERB_ALGO, "xfr to %s ended, " 5595 "IXFR reply that zone has serial %u," 5596 " fallback from IXFR to AXFR", 5597 xfr->task_transfer->master->host, 5598 (unsigned)serial); 5599 xfr->task_transfer->ixfr_fail = 1; 5600 *gonextonfail = 0; 5601 return 0; 5602 } 5603 5604 /* if first SOA, store serial number */ 5605 if(xfr->task_transfer->got_xfr_serial == 0) { 5606 xfr->task_transfer->got_xfr_serial = 1; 5607 xfr->task_transfer->incoming_xfr_serial = 5608 serial; 5609 verbose(VERB_ALGO, "xfr %s: contains " 5610 "SOA serial %u", 5611 xfr->task_transfer->master->host, 5612 (unsigned)serial); 5613 /* see if end of AXFR */ 5614 } else if(!xfr->task_transfer->on_ixfr || 5615 xfr->task_transfer->on_ixfr_is_axfr) { 5616 /* second SOA with serial is the end 5617 * for AXFR */ 5618 *transferdone = 1; 5619 verbose(VERB_ALGO, "xfr %s: last AXFR packet", 5620 xfr->task_transfer->master->host); 5621 /* for IXFR, count SOA records with that serial */ 5622 } else if(xfr->task_transfer->incoming_xfr_serial == 5623 serial && xfr->task_transfer->got_xfr_serial 5624 == 1) { 5625 xfr->task_transfer->got_xfr_serial++; 5626 /* if not first soa, if serial==firstserial, the 5627 * third time we are at the end, for IXFR */ 5628 } else if(xfr->task_transfer->incoming_xfr_serial == 5629 serial && xfr->task_transfer->got_xfr_serial 5630 == 2) { 5631 verbose(VERB_ALGO, "xfr %s: last IXFR packet", 5632 xfr->task_transfer->master->host); 5633 *transferdone = 1; 5634 /* continue parse check, if that succeeds, 5635 * transfer is done */ 5636 } 5637 } 5638 xfr->task_transfer->rr_scan_num++; 5639 5640 /* skip over RR rdata to go to the next RR */ 5641 sldns_buffer_skip(pkt, (ssize_t)rdlen); 5642 } 5643 5644 /* check authority section */ 5645 /* we skip over the RRs checking packet format */ 5646 for(i=0; i<(int)LDNS_NSCOUNT(wire); i++) { 5647 uint16_t rdlen; 5648 if(pkt_dname_len(pkt) == 0) { 5649 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5650 "malformed dname in authority section", 5651 xfr->task_transfer->master->host); 5652 return 0; 5653 } 5654 if(sldns_buffer_remaining(pkt) < 10) { 5655 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5656 "truncated RR", 5657 xfr->task_transfer->master->host); 5658 return 0; 5659 } 5660 (void)sldns_buffer_read_u16(pkt); /* type */ 5661 (void)sldns_buffer_read_u16(pkt); /* class */ 5662 (void)sldns_buffer_read_u32(pkt); /* ttl */ 5663 rdlen = sldns_buffer_read_u16(pkt); 5664 if(sldns_buffer_remaining(pkt) < rdlen) { 5665 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5666 "truncated RR rdata", 5667 xfr->task_transfer->master->host); 5668 return 0; 5669 } 5670 /* skip over RR rdata to go to the next RR */ 5671 sldns_buffer_skip(pkt, (ssize_t)rdlen); 5672 } 5673 5674 /* check additional section */ 5675 for(i=0; i<(int)LDNS_ARCOUNT(wire); i++) { 5676 uint16_t rdlen; 5677 if(pkt_dname_len(pkt) == 0) { 5678 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5679 "malformed dname in additional section", 5680 xfr->task_transfer->master->host); 5681 return 0; 5682 } 5683 if(sldns_buffer_remaining(pkt) < 10) { 5684 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5685 "truncated RR", 5686 xfr->task_transfer->master->host); 5687 return 0; 5688 } 5689 (void)sldns_buffer_read_u16(pkt); /* type */ 5690 (void)sldns_buffer_read_u16(pkt); /* class */ 5691 (void)sldns_buffer_read_u32(pkt); /* ttl */ 5692 rdlen = sldns_buffer_read_u16(pkt); 5693 if(sldns_buffer_remaining(pkt) < rdlen) { 5694 verbose(VERB_ALGO, "xfr to %s failed, packet with " 5695 "truncated RR rdata", 5696 xfr->task_transfer->master->host); 5697 return 0; 5698 } 5699 /* skip over RR rdata to go to the next RR */ 5700 sldns_buffer_skip(pkt, (ssize_t)rdlen); 5701 } 5702 5703 return 1; 5704} 5705 5706/** Link the data from this packet into the worklist of transferred data */ 5707static int 5708xfer_link_data(sldns_buffer* pkt, struct auth_xfer* xfr) 5709{ 5710 /* alloc it */ 5711 struct auth_chunk* e; 5712 e = (struct auth_chunk*)calloc(1, sizeof(*e)); 5713 if(!e) return 0; 5714 e->next = NULL; 5715 e->len = sldns_buffer_limit(pkt); 5716 e->data = memdup(sldns_buffer_begin(pkt), e->len); 5717 if(!e->data) { 5718 free(e); 5719 return 0; 5720 } 5721 5722 /* alloc succeeded, link into list */ 5723 if(!xfr->task_transfer->chunks_first) 5724 xfr->task_transfer->chunks_first = e; 5725 if(xfr->task_transfer->chunks_last) 5726 xfr->task_transfer->chunks_last->next = e; 5727 xfr->task_transfer->chunks_last = e; 5728 return 1; 5729} 5730 5731/** task transfer. the list of data is complete. process it and if failed 5732 * move to next master, if succeeded, end the task transfer */ 5733static void 5734process_list_end_transfer(struct auth_xfer* xfr, struct module_env* env) 5735{ 5736 int ixfr_fail = 0; 5737 if(xfr_process_chunk_list(xfr, env, &ixfr_fail)) { 5738 /* it worked! */ 5739 auth_chunks_delete(xfr->task_transfer); 5740 5741 /* we fetched the zone, move to wait task */ 5742 xfr_transfer_disown(xfr); 5743 5744 if(xfr->notify_received && (!xfr->notify_has_serial || 5745 (xfr->notify_has_serial && 5746 xfr_serial_means_update(xfr, xfr->notify_serial)))) { 5747 uint32_t sr = xfr->notify_serial; 5748 int has_sr = xfr->notify_has_serial; 5749 /* we received a notify while probe/transfer was 5750 * in progress. start a new probe and transfer */ 5751 xfr->notify_received = 0; 5752 xfr->notify_has_serial = 0; 5753 xfr->notify_serial = 0; 5754 if(!xfr_start_probe(xfr, env, NULL)) { 5755 /* if we couldn't start it, already in 5756 * progress; restore notify serial, 5757 * while xfr still locked */ 5758 xfr->notify_received = 1; 5759 xfr->notify_has_serial = has_sr; 5760 xfr->notify_serial = sr; 5761 lock_basic_unlock(&xfr->lock); 5762 } 5763 return; 5764 } else { 5765 /* pick up the nextprobe task and wait (normail wait time) */ 5766 if(xfr->task_nextprobe->worker == NULL) 5767 xfr_set_timeout(xfr, env, 0, 0); 5768 } 5769 lock_basic_unlock(&xfr->lock); 5770 return; 5771 } 5772 /* processing failed */ 5773 /* when done, delete data from list */ 5774 auth_chunks_delete(xfr->task_transfer); 5775 if(ixfr_fail) { 5776 xfr->task_transfer->ixfr_fail = 1; 5777 } else { 5778 xfr_transfer_nextmaster(xfr); 5779 } 5780 xfr_transfer_nexttarget_or_end(xfr, env); 5781} 5782 5783/** callback for the task_transfer timer */ 5784void 5785auth_xfer_transfer_timer_callback(void* arg) 5786{ 5787 struct auth_xfer* xfr = (struct auth_xfer*)arg; 5788 struct module_env* env; 5789 int gonextonfail = 1; 5790 log_assert(xfr->task_transfer); 5791 lock_basic_lock(&xfr->lock); 5792 env = xfr->task_transfer->env; 5793 if(!env || env->outnet->want_to_quit) { 5794 lock_basic_unlock(&xfr->lock); 5795 return; /* stop on quit */ 5796 } 5797 5798 verbose(VERB_ALGO, "xfr stopped, connection timeout to %s", 5799 xfr->task_transfer->master->host); 5800 5801 /* see if IXFR caused the failure, if so, try AXFR */ 5802 if(xfr->task_transfer->on_ixfr) { 5803 xfr->task_transfer->ixfr_possible_timeout_count++; 5804 if(xfr->task_transfer->ixfr_possible_timeout_count >= 5805 NUM_TIMEOUTS_FALLBACK_IXFR) { 5806 verbose(VERB_ALGO, "xfr to %s, fallback " 5807 "from IXFR to AXFR (because of timeouts)", 5808 xfr->task_transfer->master->host); 5809 xfr->task_transfer->ixfr_fail = 1; 5810 gonextonfail = 0; 5811 } 5812 } 5813 5814 /* delete transferred data from list */ 5815 auth_chunks_delete(xfr->task_transfer); 5816 comm_point_delete(xfr->task_transfer->cp); 5817 xfr->task_transfer->cp = NULL; 5818 if(gonextonfail) 5819 xfr_transfer_nextmaster(xfr); 5820 xfr_transfer_nexttarget_or_end(xfr, env); 5821} 5822 5823/** callback for task_transfer tcp connections */ 5824int 5825auth_xfer_transfer_tcp_callback(struct comm_point* c, void* arg, int err, 5826 struct comm_reply* ATTR_UNUSED(repinfo)) 5827{ 5828 struct auth_xfer* xfr = (struct auth_xfer*)arg; 5829 struct module_env* env; 5830 int gonextonfail = 1; 5831 int transferdone = 0; 5832 log_assert(xfr->task_transfer); 5833 lock_basic_lock(&xfr->lock); 5834 env = xfr->task_transfer->env; 5835 if(!env || env->outnet->want_to_quit) { 5836 lock_basic_unlock(&xfr->lock); 5837 return 0; /* stop on quit */ 5838 } 5839 /* stop the timer */ 5840 comm_timer_disable(xfr->task_transfer->timer); 5841 5842 if(err != NETEVENT_NOERROR) { 5843 /* connection failed, closed, or timeout */ 5844 /* stop this transfer, cleanup 5845 * and continue task_transfer*/ 5846 verbose(VERB_ALGO, "xfr stopped, connection lost to %s", 5847 xfr->task_transfer->master->host); 5848 5849 /* see if IXFR caused the failure, if so, try AXFR */ 5850 if(xfr->task_transfer->on_ixfr) { 5851 xfr->task_transfer->ixfr_possible_timeout_count++; 5852 if(xfr->task_transfer->ixfr_possible_timeout_count >= 5853 NUM_TIMEOUTS_FALLBACK_IXFR) { 5854 verbose(VERB_ALGO, "xfr to %s, fallback " 5855 "from IXFR to AXFR (because of timeouts)", 5856 xfr->task_transfer->master->host); 5857 xfr->task_transfer->ixfr_fail = 1; 5858 gonextonfail = 0; 5859 } 5860 } 5861 5862 failed: 5863 /* delete transferred data from list */ 5864 auth_chunks_delete(xfr->task_transfer); 5865 comm_point_delete(xfr->task_transfer->cp); 5866 xfr->task_transfer->cp = NULL; 5867 if(gonextonfail) 5868 xfr_transfer_nextmaster(xfr); 5869 xfr_transfer_nexttarget_or_end(xfr, env); 5870 return 0; 5871 } 5872 /* note that IXFR worked without timeout */ 5873 if(xfr->task_transfer->on_ixfr) 5874 xfr->task_transfer->ixfr_possible_timeout_count = 0; 5875 5876 /* handle returned packet */ 5877 /* if it fails, cleanup and end this transfer */ 5878 /* if it needs to fallback from IXFR to AXFR, do that */ 5879 if(!check_xfer_packet(c->buffer, xfr, &gonextonfail, &transferdone)) { 5880 goto failed; 5881 } 5882 /* if it is good, link it into the list of data */ 5883 /* if the link into list of data fails (malloc fail) cleanup and end */ 5884 if(!xfer_link_data(c->buffer, xfr)) { 5885 verbose(VERB_ALGO, "xfr stopped to %s, malloc failed", 5886 xfr->task_transfer->master->host); 5887 goto failed; 5888 } 5889 /* if the transfer is done now, disconnect and process the list */ 5890 if(transferdone) { 5891 comm_point_delete(xfr->task_transfer->cp); 5892 xfr->task_transfer->cp = NULL; 5893 process_list_end_transfer(xfr, env); 5894 return 0; 5895 } 5896 5897 /* if we want to read more messages, setup the commpoint to read 5898 * a DNS packet, and the timeout */ 5899 lock_basic_unlock(&xfr->lock); 5900 c->tcp_is_reading = 1; 5901 sldns_buffer_clear(c->buffer); 5902 comm_point_start_listening(c, -1, AUTH_TRANSFER_TIMEOUT); 5903 return 0; 5904} 5905 5906/** callback for task_transfer http connections */ 5907int 5908auth_xfer_transfer_http_callback(struct comm_point* c, void* arg, int err, 5909 struct comm_reply* repinfo) 5910{ 5911 struct auth_xfer* xfr = (struct auth_xfer*)arg; 5912 struct module_env* env; 5913 log_assert(xfr->task_transfer); 5914 lock_basic_lock(&xfr->lock); 5915 env = xfr->task_transfer->env; 5916 if(!env || env->outnet->want_to_quit) { 5917 lock_basic_unlock(&xfr->lock); 5918 return 0; /* stop on quit */ 5919 } 5920 verbose(VERB_ALGO, "auth zone transfer http callback"); 5921 /* stop the timer */ 5922 comm_timer_disable(xfr->task_transfer->timer); 5923 5924 if(err != NETEVENT_NOERROR && err != NETEVENT_DONE) { 5925 /* connection failed, closed, or timeout */ 5926 /* stop this transfer, cleanup 5927 * and continue task_transfer*/ 5928 verbose(VERB_ALGO, "http stopped, connection lost to %s", 5929 xfr->task_transfer->master->host); 5930 failed: 5931 /* delete transferred data from list */ 5932 auth_chunks_delete(xfr->task_transfer); 5933 if(repinfo) repinfo->c = NULL; /* signal cp deleted to 5934 the routine calling this callback */ 5935 comm_point_delete(xfr->task_transfer->cp); 5936 xfr->task_transfer->cp = NULL; 5937 xfr_transfer_nextmaster(xfr); 5938 xfr_transfer_nexttarget_or_end(xfr, env); 5939 return 0; 5940 } 5941 5942 /* if it is good, link it into the list of data */ 5943 /* if the link into list of data fails (malloc fail) cleanup and end */ 5944 if(sldns_buffer_limit(c->buffer) > 0) { 5945 verbose(VERB_ALGO, "auth zone http queued up %d bytes", 5946 (int)sldns_buffer_limit(c->buffer)); 5947 if(!xfer_link_data(c->buffer, xfr)) { 5948 verbose(VERB_ALGO, "http stopped to %s, malloc failed", 5949 xfr->task_transfer->master->host); 5950 goto failed; 5951 } 5952 } 5953 /* if the transfer is done now, disconnect and process the list */ 5954 if(err == NETEVENT_DONE) { 5955 if(repinfo) repinfo->c = NULL; /* signal cp deleted to 5956 the routine calling this callback */ 5957 comm_point_delete(xfr->task_transfer->cp); 5958 xfr->task_transfer->cp = NULL; 5959 process_list_end_transfer(xfr, env); 5960 return 0; 5961 } 5962 5963 /* if we want to read more messages, setup the commpoint to read 5964 * a DNS packet, and the timeout */ 5965 lock_basic_unlock(&xfr->lock); 5966 c->tcp_is_reading = 1; 5967 sldns_buffer_clear(c->buffer); 5968 comm_point_start_listening(c, -1, AUTH_TRANSFER_TIMEOUT); 5969 return 0; 5970} 5971 5972 5973/** start transfer task by this worker , xfr is locked. */ 5974static void 5975xfr_start_transfer(struct auth_xfer* xfr, struct module_env* env, 5976 struct auth_master* master) 5977{ 5978 log_assert(xfr->task_transfer != NULL); 5979 log_assert(xfr->task_transfer->worker == NULL); 5980 log_assert(xfr->task_transfer->chunks_first == NULL); 5981 log_assert(xfr->task_transfer->chunks_last == NULL); 5982 xfr->task_transfer->worker = env->worker; 5983 xfr->task_transfer->env = env; 5984 5985 /* init transfer process */ 5986 /* find that master in the transfer's list of masters? */ 5987 xfr_transfer_start_list(xfr, master); 5988 /* start lookup for hostnames in transfer master list */ 5989 xfr_transfer_start_lookups(xfr); 5990 5991 /* initiate TCP, and set timeout on it */ 5992 xfr_transfer_nexttarget_or_end(xfr, env); 5993} 5994 5995/** disown task_probe. caller must hold xfr.lock */ 5996static void 5997xfr_probe_disown(struct auth_xfer* xfr) 5998{ 5999 /* remove timer (from this worker's event base) */ 6000 comm_timer_delete(xfr->task_probe->timer); 6001 xfr->task_probe->timer = NULL; 6002 /* remove the commpoint */ 6003 comm_point_delete(xfr->task_probe->cp); 6004 xfr->task_probe->cp = NULL; 6005 /* we don't own this item anymore */ 6006 xfr->task_probe->worker = NULL; 6007 xfr->task_probe->env = NULL; 6008} 6009 6010/** send the UDP probe to the master, this is part of task_probe */ 6011static int 6012xfr_probe_send_probe(struct auth_xfer* xfr, struct module_env* env, 6013 int timeout) 6014{ 6015 struct sockaddr_storage addr; 6016 socklen_t addrlen = 0; 6017 struct timeval t; 6018 /* pick master */ 6019 struct auth_master* master = xfr_probe_current_master(xfr); 6020 char *auth_name = NULL; 6021 if(!master) return 0; 6022 if(master->allow_notify) return 0; /* only for notify */ 6023 if(master->http) return 0; /* only masters get SOA UDP probe, 6024 not urls, if those are in this list */ 6025 6026 /* get master addr */ 6027 if(xfr->task_probe->scan_addr) { 6028 addrlen = xfr->task_probe->scan_addr->addrlen; 6029 memmove(&addr, &xfr->task_probe->scan_addr->addr, addrlen); 6030 } else { 6031 if(!authextstrtoaddr(master->host, &addr, &addrlen, &auth_name)) { 6032 /* the ones that are not in addr format are supposed 6033 * to be looked up. The lookup has failed however, 6034 * so skip them */ 6035 char zname[255+1]; 6036 dname_str(xfr->name, zname); 6037 log_err("%s: failed lookup, cannot probe to master %s", 6038 zname, master->host); 6039 return 0; 6040 } 6041 if (auth_name != NULL) { 6042 if (addr.ss_family == AF_INET 6043 && (int)ntohs(((struct sockaddr_in *)&addr)->sin_port) 6044 == env->cfg->ssl_port) 6045 ((struct sockaddr_in *)&addr)->sin_port 6046 = htons((uint16_t)env->cfg->port); 6047 else if (addr.ss_family == AF_INET6 6048 && (int)ntohs(((struct sockaddr_in6 *)&addr)->sin6_port) 6049 == env->cfg->ssl_port) 6050 ((struct sockaddr_in6 *)&addr)->sin6_port 6051 = htons((uint16_t)env->cfg->port); 6052 } 6053 } 6054 6055 /* create packet */ 6056 /* create new ID for new probes, but not on timeout retries, 6057 * this means we'll accept replies to previous retries to same ip */ 6058 if(timeout == AUTH_PROBE_TIMEOUT) 6059 xfr->task_probe->id = (uint16_t)(ub_random(env->rnd)&0xffff); 6060 xfr_create_soa_probe_packet(xfr, env->scratch_buffer, 6061 xfr->task_probe->id); 6062 /* we need to remove the cp if we have a different ip4/ip6 type now */ 6063 if(xfr->task_probe->cp && 6064 ((xfr->task_probe->cp_is_ip6 && !addr_is_ip6(&addr, addrlen)) || 6065 (!xfr->task_probe->cp_is_ip6 && addr_is_ip6(&addr, addrlen))) 6066 ) { 6067 comm_point_delete(xfr->task_probe->cp); 6068 xfr->task_probe->cp = NULL; 6069 } 6070 if(!xfr->task_probe->cp) { 6071 if(addr_is_ip6(&addr, addrlen)) 6072 xfr->task_probe->cp_is_ip6 = 1; 6073 else xfr->task_probe->cp_is_ip6 = 0; 6074 xfr->task_probe->cp = outnet_comm_point_for_udp(env->outnet, 6075 auth_xfer_probe_udp_callback, xfr, &addr, addrlen); 6076 if(!xfr->task_probe->cp) { 6077 char zname[255+1], as[256]; 6078 dname_str(xfr->name, zname); 6079 addr_to_str(&addr, addrlen, as, sizeof(as)); 6080 verbose(VERB_ALGO, "cannot create udp cp for " 6081 "probe %s to %s", zname, as); 6082 return 0; 6083 } 6084 } 6085 if(!xfr->task_probe->timer) { 6086 xfr->task_probe->timer = comm_timer_create(env->worker_base, 6087 auth_xfer_probe_timer_callback, xfr); 6088 if(!xfr->task_probe->timer) { 6089 log_err("malloc failure"); 6090 return 0; 6091 } 6092 } 6093 6094 /* send udp packet */ 6095 if(!comm_point_send_udp_msg(xfr->task_probe->cp, env->scratch_buffer, 6096 (struct sockaddr*)&addr, addrlen)) { 6097 char zname[255+1], as[256]; 6098 dname_str(xfr->name, zname); 6099 addr_to_str(&addr, addrlen, as, sizeof(as)); 6100 verbose(VERB_ALGO, "failed to send soa probe for %s to %s", 6101 zname, as); 6102 return 0; 6103 } 6104 if(verbosity >= VERB_ALGO) { 6105 char zname[255+1], as[256]; 6106 dname_str(xfr->name, zname); 6107 addr_to_str(&addr, addrlen, as, sizeof(as)); 6108 verbose(VERB_ALGO, "auth zone %s soa probe sent to %s", zname, 6109 as); 6110 } 6111 xfr->task_probe->timeout = timeout; 6112#ifndef S_SPLINT_S 6113 t.tv_sec = timeout/1000; 6114 t.tv_usec = (timeout%1000)*1000; 6115#endif 6116 comm_timer_set(xfr->task_probe->timer, &t); 6117 6118 return 1; 6119} 6120 6121/** callback for task_probe timer */ 6122void 6123auth_xfer_probe_timer_callback(void* arg) 6124{ 6125 struct auth_xfer* xfr = (struct auth_xfer*)arg; 6126 struct module_env* env; 6127 log_assert(xfr->task_probe); 6128 lock_basic_lock(&xfr->lock); 6129 env = xfr->task_probe->env; 6130 if(!env || env->outnet->want_to_quit) { 6131 lock_basic_unlock(&xfr->lock); 6132 return; /* stop on quit */ 6133 } 6134 6135 if(verbosity >= VERB_ALGO) { 6136 char zname[255+1]; 6137 dname_str(xfr->name, zname); 6138 verbose(VERB_ALGO, "auth zone %s soa probe timeout", zname); 6139 } 6140 if(xfr->task_probe->timeout <= AUTH_PROBE_TIMEOUT_STOP) { 6141 /* try again with bigger timeout */ 6142 if(xfr_probe_send_probe(xfr, env, xfr->task_probe->timeout*2)) { 6143 lock_basic_unlock(&xfr->lock); 6144 return; 6145 } 6146 } 6147 /* delete commpoint so a new one is created, with a fresh port nr */ 6148 comm_point_delete(xfr->task_probe->cp); 6149 xfr->task_probe->cp = NULL; 6150 6151 /* too many timeouts (or fail to send), move to next or end */ 6152 xfr_probe_nextmaster(xfr); 6153 xfr_probe_send_or_end(xfr, env); 6154} 6155 6156/** callback for task_probe udp packets */ 6157int 6158auth_xfer_probe_udp_callback(struct comm_point* c, void* arg, int err, 6159 struct comm_reply* repinfo) 6160{ 6161 struct auth_xfer* xfr = (struct auth_xfer*)arg; 6162 struct module_env* env; 6163 log_assert(xfr->task_probe); 6164 lock_basic_lock(&xfr->lock); 6165 env = xfr->task_probe->env; 6166 if(!env || env->outnet->want_to_quit) { 6167 lock_basic_unlock(&xfr->lock); 6168 return 0; /* stop on quit */ 6169 } 6170 6171 /* the comm_point_udp_callback is in a for loop for NUM_UDP_PER_SELECT 6172 * and we set rep.c=NULL to stop if from looking inside the commpoint*/ 6173 repinfo->c = NULL; 6174 /* stop the timer */ 6175 comm_timer_disable(xfr->task_probe->timer); 6176 6177 /* see if we got a packet and what that means */ 6178 if(err == NETEVENT_NOERROR) { 6179 uint32_t serial = 0; 6180 if(check_packet_ok(c->buffer, LDNS_RR_TYPE_SOA, xfr, 6181 &serial)) { 6182 /* successful lookup */ 6183 if(verbosity >= VERB_ALGO) { 6184 char buf[256]; 6185 dname_str(xfr->name, buf); 6186 verbose(VERB_ALGO, "auth zone %s: soa probe " 6187 "serial is %u", buf, (unsigned)serial); 6188 } 6189 /* see if this serial indicates that the zone has 6190 * to be updated */ 6191 if(xfr_serial_means_update(xfr, serial)) { 6192 /* if updated, start the transfer task, if needed */ 6193 verbose(VERB_ALGO, "auth_zone updated, start transfer"); 6194 if(xfr->task_transfer->worker == NULL) { 6195 struct auth_master* master = 6196 xfr_probe_current_master(xfr); 6197 /* if we have download URLs use them 6198 * in preference to this master we 6199 * just probed the SOA from */ 6200 if(xfr->task_transfer->masters && 6201 xfr->task_transfer->masters->http) 6202 master = NULL; 6203 xfr_probe_disown(xfr); 6204 xfr_start_transfer(xfr, env, master); 6205 return 0; 6206 6207 } 6208 /* other tasks are running, we don't do this anymore */ 6209 xfr_probe_disown(xfr); 6210 lock_basic_unlock(&xfr->lock); 6211 /* return, we don't sent a reply to this udp packet, 6212 * and we setup the tasks to do next */ 6213 return 0; 6214 } else { 6215 verbose(VERB_ALGO, "auth_zone master reports unchanged soa serial"); 6216 /* we if cannot find updates amongst the 6217 * masters, this means we then have a new lease 6218 * on the zone */ 6219 xfr->task_probe->have_new_lease = 1; 6220 } 6221 } else { 6222 if(verbosity >= VERB_ALGO) { 6223 char buf[256]; 6224 dname_str(xfr->name, buf); 6225 verbose(VERB_ALGO, "auth zone %s: bad reply to soa probe", buf); 6226 } 6227 } 6228 } else { 6229 if(verbosity >= VERB_ALGO) { 6230 char buf[256]; 6231 dname_str(xfr->name, buf); 6232 verbose(VERB_ALGO, "auth zone %s: soa probe failed", buf); 6233 } 6234 } 6235 6236 /* failed lookup or not an update */ 6237 /* delete commpoint so a new one is created, with a fresh port nr */ 6238 comm_point_delete(xfr->task_probe->cp); 6239 xfr->task_probe->cp = NULL; 6240 6241 /* if the result was not a successfull probe, we need 6242 * to send the next one */ 6243 xfr_probe_nextmaster(xfr); 6244 xfr_probe_send_or_end(xfr, env); 6245 return 0; 6246} 6247 6248/** lookup a host name for its addresses, if needed */ 6249static int 6250xfr_probe_lookup_host(struct auth_xfer* xfr, struct module_env* env) 6251{ 6252 struct sockaddr_storage addr; 6253 socklen_t addrlen = 0; 6254 struct auth_master* master = xfr->task_probe->lookup_target; 6255 struct query_info qinfo; 6256 uint16_t qflags = BIT_RD; 6257 uint8_t dname[LDNS_MAX_DOMAINLEN+1]; 6258 struct edns_data edns; 6259 sldns_buffer* buf = env->scratch_buffer; 6260 if(!master) return 0; 6261 if(extstrtoaddr(master->host, &addr, &addrlen)) { 6262 /* not needed, host is in IP addr format */ 6263 return 0; 6264 } 6265 if(master->allow_notify && !master->http && 6266 strchr(master->host, '/') != NULL && 6267 strchr(master->host, '/') == strrchr(master->host, '/')) { 6268 return 0; /* is IP/prefix format, not something to look up */ 6269 } 6270 6271 /* use mesh_new_callback to probe for non-addr hosts, 6272 * and then wait for them to be looked up (in cache, or query) */ 6273 qinfo.qname_len = sizeof(dname); 6274 if(sldns_str2wire_dname_buf(master->host, dname, &qinfo.qname_len) 6275 != 0) { 6276 log_err("cannot parse host name of master %s", master->host); 6277 return 0; 6278 } 6279 qinfo.qname = dname; 6280 qinfo.qclass = xfr->dclass; 6281 qinfo.qtype = LDNS_RR_TYPE_A; 6282 if(xfr->task_probe->lookup_aaaa) 6283 qinfo.qtype = LDNS_RR_TYPE_AAAA; 6284 qinfo.local_alias = NULL; 6285 if(verbosity >= VERB_ALGO) { 6286 char buf1[512]; 6287 char buf2[LDNS_MAX_DOMAINLEN+1]; 6288 dname_str(xfr->name, buf2); 6289 snprintf(buf1, sizeof(buf1), "auth zone %s: master lookup" 6290 " for task_probe", buf2); 6291 log_query_info(VERB_ALGO, buf1, &qinfo); 6292 } 6293 edns.edns_present = 1; 6294 edns.ext_rcode = 0; 6295 edns.edns_version = 0; 6296 edns.bits = EDNS_DO; 6297 edns.opt_list = NULL; 6298 if(sldns_buffer_capacity(buf) < 65535) 6299 edns.udp_size = (uint16_t)sldns_buffer_capacity(buf); 6300 else edns.udp_size = 65535; 6301 6302 /* unlock xfr during mesh_new_callback() because the callback can be 6303 * called straight away */ 6304 lock_basic_unlock(&xfr->lock); 6305 if(!mesh_new_callback(env->mesh, &qinfo, qflags, &edns, buf, 0, 6306 &auth_xfer_probe_lookup_callback, xfr)) { 6307 lock_basic_lock(&xfr->lock); 6308 log_err("out of memory lookup up master %s", master->host); 6309 return 0; 6310 } 6311 lock_basic_lock(&xfr->lock); 6312 return 1; 6313} 6314 6315/** move to sending the probe packets, next if fails. task_probe */ 6316static void 6317xfr_probe_send_or_end(struct auth_xfer* xfr, struct module_env* env) 6318{ 6319 /* are we doing hostname lookups? */ 6320 while(xfr->task_probe->lookup_target) { 6321 if(xfr_probe_lookup_host(xfr, env)) { 6322 /* wait for lookup to finish, 6323 * note that the hostname may be in unbound's cache 6324 * and we may then get an instant cache response, 6325 * and that calls the callback just like a full 6326 * lookup and lookup failures also call callback */ 6327 if(verbosity >= VERB_ALGO) { 6328 char zname[255+1]; 6329 dname_str(xfr->name, zname); 6330 verbose(VERB_ALGO, "auth zone %s probe next target lookup", zname); 6331 } 6332 lock_basic_unlock(&xfr->lock); 6333 return; 6334 } 6335 xfr_probe_move_to_next_lookup(xfr, env); 6336 } 6337 /* probe of list has ended. Create or refresh the list of of 6338 * allow_notify addrs */ 6339 probe_copy_masters_for_allow_notify(xfr); 6340 if(verbosity >= VERB_ALGO) { 6341 char zname[255+1]; 6342 dname_str(xfr->name, zname); 6343 verbose(VERB_ALGO, "auth zone %s probe: notify addrs updated", zname); 6344 } 6345 if(xfr->task_probe->only_lookup) { 6346 /* only wanted lookups for copy, stop probe and start wait */ 6347 xfr->task_probe->only_lookup = 0; 6348 if(verbosity >= VERB_ALGO) { 6349 char zname[255+1]; 6350 dname_str(xfr->name, zname); 6351 verbose(VERB_ALGO, "auth zone %s probe: finished only_lookup", zname); 6352 } 6353 xfr_probe_disown(xfr); 6354 if(xfr->task_nextprobe->worker == NULL) 6355 xfr_set_timeout(xfr, env, 0, 0); 6356 lock_basic_unlock(&xfr->lock); 6357 return; 6358 } 6359 6360 /* send probe packets */ 6361 while(!xfr_probe_end_of_list(xfr)) { 6362 if(xfr_probe_send_probe(xfr, env, AUTH_PROBE_TIMEOUT)) { 6363 /* successfully sent probe, wait for callback */ 6364 lock_basic_unlock(&xfr->lock); 6365 return; 6366 } 6367 /* failed to send probe, next master */ 6368 xfr_probe_nextmaster(xfr); 6369 } 6370 6371 /* done with probe sequence, wait */ 6372 if(xfr->task_probe->have_new_lease) { 6373 /* if zone not updated, start the wait timer again */ 6374 if(verbosity >= VERB_ALGO) { 6375 char zname[255+1]; 6376 dname_str(xfr->name, zname); 6377 verbose(VERB_ALGO, "auth_zone %s unchanged, new lease, wait", zname); 6378 } 6379 xfr_probe_disown(xfr); 6380 if(xfr->have_zone) 6381 xfr->lease_time = *env->now; 6382 if(xfr->task_nextprobe->worker == NULL) 6383 xfr_set_timeout(xfr, env, 0, 0); 6384 } else { 6385 if(verbosity >= VERB_ALGO) { 6386 char zname[255+1]; 6387 dname_str(xfr->name, zname); 6388 verbose(VERB_ALGO, "auth zone %s soa probe failed, wait to retry", zname); 6389 } 6390 /* we failed to send this as well, move to the wait task, 6391 * use the shorter retry timeout */ 6392 xfr_probe_disown(xfr); 6393 /* pick up the nextprobe task and wait */ 6394 if(xfr->task_nextprobe->worker == NULL) 6395 xfr_set_timeout(xfr, env, 1, 0); 6396 } 6397 6398 lock_basic_unlock(&xfr->lock); 6399} 6400 6401/** callback for task_probe lookup of host name, of A or AAAA */ 6402void auth_xfer_probe_lookup_callback(void* arg, int rcode, sldns_buffer* buf, 6403 enum sec_status ATTR_UNUSED(sec), char* ATTR_UNUSED(why_bogus), 6404 int ATTR_UNUSED(was_ratelimited)) 6405{ 6406 struct auth_xfer* xfr = (struct auth_xfer*)arg; 6407 struct module_env* env; 6408 log_assert(xfr->task_probe); 6409 lock_basic_lock(&xfr->lock); 6410 env = xfr->task_probe->env; 6411 if(!env || env->outnet->want_to_quit) { 6412 lock_basic_unlock(&xfr->lock); 6413 return; /* stop on quit */ 6414 } 6415 6416 /* process result */ 6417 if(rcode == LDNS_RCODE_NOERROR) { 6418 uint16_t wanted_qtype = LDNS_RR_TYPE_A; 6419 struct regional* temp = env->scratch; 6420 struct query_info rq; 6421 struct reply_info* rep; 6422 if(xfr->task_probe->lookup_aaaa) 6423 wanted_qtype = LDNS_RR_TYPE_AAAA; 6424 memset(&rq, 0, sizeof(rq)); 6425 rep = parse_reply_in_temp_region(buf, temp, &rq); 6426 if(rep && rq.qtype == wanted_qtype && 6427 FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NOERROR) { 6428 /* parsed successfully */ 6429 struct ub_packed_rrset_key* answer = 6430 reply_find_answer_rrset(&rq, rep); 6431 if(answer) { 6432 xfr_master_add_addrs(xfr->task_probe-> 6433 lookup_target, answer, wanted_qtype); 6434 } else { 6435 if(verbosity >= VERB_ALGO) { 6436 char zname[255+1]; 6437 dname_str(xfr->name, zname); 6438 verbose(VERB_ALGO, "auth zone %s host %s type %s probe lookup has nodata", zname, xfr->task_probe->lookup_target->host, (xfr->task_probe->lookup_aaaa?"AAAA":"A")); 6439 } 6440 } 6441 } else { 6442 if(verbosity >= VERB_ALGO) { 6443 char zname[255+1]; 6444 dname_str(xfr->name, zname); 6445 verbose(VERB_ALGO, "auth zone %s host %s type %s probe lookup has no address", zname, xfr->task_probe->lookup_target->host, (xfr->task_probe->lookup_aaaa?"AAAA":"A")); 6446 } 6447 } 6448 regional_free_all(temp); 6449 } else { 6450 if(verbosity >= VERB_ALGO) { 6451 char zname[255+1]; 6452 dname_str(xfr->name, zname); 6453 verbose(VERB_ALGO, "auth zone %s host %s type %s probe lookup failed", zname, xfr->task_probe->lookup_target->host, (xfr->task_probe->lookup_aaaa?"AAAA":"A")); 6454 } 6455 } 6456 if(xfr->task_probe->lookup_target->list && 6457 xfr->task_probe->lookup_target == xfr_probe_current_master(xfr)) 6458 xfr->task_probe->scan_addr = xfr->task_probe->lookup_target->list; 6459 6460 /* move to lookup AAAA after A lookup, move to next hostname lookup, 6461 * or move to send the probes, or, if nothing to do, end task_probe */ 6462 xfr_probe_move_to_next_lookup(xfr, env); 6463 xfr_probe_send_or_end(xfr, env); 6464} 6465 6466/** disown task_nextprobe. caller must hold xfr.lock */ 6467static void 6468xfr_nextprobe_disown(struct auth_xfer* xfr) 6469{ 6470 /* delete the timer, because the next worker to pick this up may 6471 * not have the same event base */ 6472 comm_timer_delete(xfr->task_nextprobe->timer); 6473 xfr->task_nextprobe->timer = NULL; 6474 xfr->task_nextprobe->next_probe = 0; 6475 /* we don't own this item anymore */ 6476 xfr->task_nextprobe->worker = NULL; 6477 xfr->task_nextprobe->env = NULL; 6478} 6479 6480/** xfer nextprobe timeout callback, this is part of task_nextprobe */ 6481void 6482auth_xfer_timer(void* arg) 6483{ 6484 struct auth_xfer* xfr = (struct auth_xfer*)arg; 6485 struct module_env* env; 6486 log_assert(xfr->task_nextprobe); 6487 lock_basic_lock(&xfr->lock); 6488 env = xfr->task_nextprobe->env; 6489 if(!env || env->outnet->want_to_quit) { 6490 lock_basic_unlock(&xfr->lock); 6491 return; /* stop on quit */ 6492 } 6493 6494 /* see if zone has expired, and if so, also set auth_zone expired */ 6495 if(xfr->have_zone && !xfr->zone_expired && 6496 *env->now >= xfr->lease_time + xfr->expiry) { 6497 lock_basic_unlock(&xfr->lock); 6498 auth_xfer_set_expired(xfr, env, 1); 6499 lock_basic_lock(&xfr->lock); 6500 } 6501 6502 xfr_nextprobe_disown(xfr); 6503 6504 if(!xfr_start_probe(xfr, env, NULL)) { 6505 /* not started because already in progress */ 6506 lock_basic_unlock(&xfr->lock); 6507 } 6508} 6509 6510/** return true if there are probe (SOA UDP query) targets in the master list*/ 6511static int 6512have_probe_targets(struct auth_master* list) 6513{ 6514 struct auth_master* p; 6515 for(p=list; p; p = p->next) { 6516 if(!p->allow_notify && p->host) 6517 return 1; 6518 } 6519 return 0; 6520} 6521 6522/** start task_probe if possible, if no masters for probe start task_transfer 6523 * returns true if task has been started, and false if the task is already 6524 * in progress. */ 6525static int 6526xfr_start_probe(struct auth_xfer* xfr, struct module_env* env, 6527 struct auth_master* spec) 6528{ 6529 /* see if we need to start a probe (or maybe it is already in 6530 * progress (due to notify)) */ 6531 if(xfr->task_probe->worker == NULL) { 6532 if(!have_probe_targets(xfr->task_probe->masters) && 6533 !(xfr->task_probe->only_lookup && 6534 xfr->task_probe->masters != NULL)) { 6535 /* useless to pick up task_probe, no masters to 6536 * probe. Instead attempt to pick up task transfer */ 6537 if(xfr->task_transfer->worker == NULL) { 6538 xfr_start_transfer(xfr, env, spec); 6539 return 1; 6540 } 6541 /* task transfer already in progress */ 6542 return 0; 6543 } 6544 6545 /* pick up the probe task ourselves */ 6546 xfr->task_probe->worker = env->worker; 6547 xfr->task_probe->env = env; 6548 xfr->task_probe->cp = NULL; 6549 6550 /* start the task */ 6551 /* have not seen a new lease yet, this scan */ 6552 xfr->task_probe->have_new_lease = 0; 6553 /* if this was a timeout, no specific first master to scan */ 6554 /* otherwise, spec is nonNULL the notified master, scan 6555 * first and also transfer first from it */ 6556 xfr_probe_start_list(xfr, spec); 6557 /* setup to start the lookup of hostnames of masters afresh */ 6558 xfr_probe_start_lookups(xfr); 6559 /* send the probe packet or next send, or end task */ 6560 xfr_probe_send_or_end(xfr, env); 6561 return 1; 6562 } 6563 return 0; 6564} 6565 6566/** for task_nextprobe. 6567 * determine next timeout for auth_xfer. Also (re)sets timer. 6568 * @param xfr: task structure 6569 * @param env: module environment, with worker and time. 6570 * @param failure: set true if timer should be set for failure retry. 6571 * @param lookup_only: only perform lookups when timer done, 0 sec timeout 6572 */ 6573static void 6574xfr_set_timeout(struct auth_xfer* xfr, struct module_env* env, 6575 int failure, int lookup_only) 6576{ 6577 struct timeval tv; 6578 log_assert(xfr->task_nextprobe != NULL); 6579 log_assert(xfr->task_nextprobe->worker == NULL || 6580 xfr->task_nextprobe->worker == env->worker); 6581 /* normally, nextprobe = startoflease + refresh, 6582 * but if expiry is sooner, use that one. 6583 * after a failure, use the retry timer instead. */ 6584 xfr->task_nextprobe->next_probe = *env->now; 6585 if(xfr->lease_time && !failure) 6586 xfr->task_nextprobe->next_probe = xfr->lease_time; 6587 6588 if(!failure) { 6589 xfr->task_nextprobe->backoff = 0; 6590 } else { 6591 if(xfr->task_nextprobe->backoff == 0) 6592 xfr->task_nextprobe->backoff = 3; 6593 else xfr->task_nextprobe->backoff *= 2; 6594 if(xfr->task_nextprobe->backoff > AUTH_TRANSFER_MAX_BACKOFF) 6595 xfr->task_nextprobe->backoff = 6596 AUTH_TRANSFER_MAX_BACKOFF; 6597 } 6598 6599 if(xfr->have_zone) { 6600 time_t wait = xfr->refresh; 6601 if(failure) wait = xfr->retry; 6602 if(xfr->expiry < wait) 6603 xfr->task_nextprobe->next_probe += xfr->expiry; 6604 else xfr->task_nextprobe->next_probe += wait; 6605 if(failure) 6606 xfr->task_nextprobe->next_probe += 6607 xfr->task_nextprobe->backoff; 6608 /* put the timer exactly on expiry, if possible */ 6609 if(xfr->lease_time && xfr->lease_time+xfr->expiry < 6610 xfr->task_nextprobe->next_probe && 6611 xfr->lease_time+xfr->expiry > *env->now) 6612 xfr->task_nextprobe->next_probe = 6613 xfr->lease_time+xfr->expiry; 6614 } else { 6615 xfr->task_nextprobe->next_probe += 6616 xfr->task_nextprobe->backoff; 6617 } 6618 6619 if(!xfr->task_nextprobe->timer) { 6620 xfr->task_nextprobe->timer = comm_timer_create( 6621 env->worker_base, auth_xfer_timer, xfr); 6622 if(!xfr->task_nextprobe->timer) { 6623 /* failed to malloc memory. likely zone transfer 6624 * also fails for that. skip the timeout */ 6625 char zname[255+1]; 6626 dname_str(xfr->name, zname); 6627 log_err("cannot allocate timer, no refresh for %s", 6628 zname); 6629 return; 6630 } 6631 } 6632 xfr->task_nextprobe->worker = env->worker; 6633 xfr->task_nextprobe->env = env; 6634 if(*(xfr->task_nextprobe->env->now) <= xfr->task_nextprobe->next_probe) 6635 tv.tv_sec = xfr->task_nextprobe->next_probe - 6636 *(xfr->task_nextprobe->env->now); 6637 else tv.tv_sec = 0; 6638 if(tv.tv_sec != 0 && lookup_only && xfr->task_probe->masters) { 6639 /* don't lookup_only, if lookup timeout is 0 anyway, 6640 * or if we don't have masters to lookup */ 6641 tv.tv_sec = 0; 6642 if(xfr->task_probe->worker == NULL) 6643 xfr->task_probe->only_lookup = 1; 6644 } 6645 if(verbosity >= VERB_ALGO) { 6646 char zname[255+1]; 6647 dname_str(xfr->name, zname); 6648 verbose(VERB_ALGO, "auth zone %s timeout in %d seconds", 6649 zname, (int)tv.tv_sec); 6650 } 6651 tv.tv_usec = 0; 6652 comm_timer_set(xfr->task_nextprobe->timer, &tv); 6653} 6654 6655/** initial pick up of worker timeouts, ties events to worker event loop */ 6656void 6657auth_xfer_pickup_initial(struct auth_zones* az, struct module_env* env) 6658{ 6659 struct auth_xfer* x; 6660 lock_rw_wrlock(&az->lock); 6661 RBTREE_FOR(x, struct auth_xfer*, &az->xtree) { 6662 lock_basic_lock(&x->lock); 6663 /* set lease_time, because we now have timestamp in env, 6664 * (not earlier during startup and apply_cfg), and this 6665 * notes the start time when the data was acquired */ 6666 if(x->have_zone) 6667 x->lease_time = *env->now; 6668 if(x->task_nextprobe && x->task_nextprobe->worker == NULL) { 6669 xfr_set_timeout(x, env, 0, 1); 6670 } 6671 lock_basic_unlock(&x->lock); 6672 } 6673 lock_rw_unlock(&az->lock); 6674} 6675 6676void auth_zones_cleanup(struct auth_zones* az) 6677{ 6678 struct auth_xfer* x; 6679 lock_rw_wrlock(&az->lock); 6680 RBTREE_FOR(x, struct auth_xfer*, &az->xtree) { 6681 lock_basic_lock(&x->lock); 6682 if(x->task_nextprobe && x->task_nextprobe->worker != NULL) { 6683 xfr_nextprobe_disown(x); 6684 } 6685 if(x->task_probe && x->task_probe->worker != NULL) { 6686 xfr_probe_disown(x); 6687 } 6688 if(x->task_transfer && x->task_transfer->worker != NULL) { 6689 auth_chunks_delete(x->task_transfer); 6690 xfr_transfer_disown(x); 6691 } 6692 lock_basic_unlock(&x->lock); 6693 } 6694 lock_rw_unlock(&az->lock); 6695} 6696 6697/** 6698 * malloc the xfer and tasks 6699 * @param z: auth_zone with name of zone. 6700 */ 6701static struct auth_xfer* 6702auth_xfer_new(struct auth_zone* z) 6703{ 6704 struct auth_xfer* xfr; 6705 xfr = (struct auth_xfer*)calloc(1, sizeof(*xfr)); 6706 if(!xfr) return NULL; 6707 xfr->name = memdup(z->name, z->namelen); 6708 if(!xfr->name) { 6709 free(xfr); 6710 return NULL; 6711 } 6712 xfr->node.key = xfr; 6713 xfr->namelen = z->namelen; 6714 xfr->namelabs = z->namelabs; 6715 xfr->dclass = z->dclass; 6716 6717 xfr->task_nextprobe = (struct auth_nextprobe*)calloc(1, 6718 sizeof(struct auth_nextprobe)); 6719 if(!xfr->task_nextprobe) { 6720 free(xfr->name); 6721 free(xfr); 6722 return NULL; 6723 } 6724 xfr->task_probe = (struct auth_probe*)calloc(1, 6725 sizeof(struct auth_probe)); 6726 if(!xfr->task_probe) { 6727 free(xfr->task_nextprobe); 6728 free(xfr->name); 6729 free(xfr); 6730 return NULL; 6731 } 6732 xfr->task_transfer = (struct auth_transfer*)calloc(1, 6733 sizeof(struct auth_transfer)); 6734 if(!xfr->task_transfer) { 6735 free(xfr->task_probe); 6736 free(xfr->task_nextprobe); 6737 free(xfr->name); 6738 free(xfr); 6739 return NULL; 6740 } 6741 6742 lock_basic_init(&xfr->lock); 6743 lock_protect(&xfr->lock, &xfr->name, sizeof(xfr->name)); 6744 lock_protect(&xfr->lock, &xfr->namelen, sizeof(xfr->namelen)); 6745 lock_protect(&xfr->lock, xfr->name, xfr->namelen); 6746 lock_protect(&xfr->lock, &xfr->namelabs, sizeof(xfr->namelabs)); 6747 lock_protect(&xfr->lock, &xfr->dclass, sizeof(xfr->dclass)); 6748 lock_protect(&xfr->lock, &xfr->notify_received, sizeof(xfr->notify_received)); 6749 lock_protect(&xfr->lock, &xfr->notify_serial, sizeof(xfr->notify_serial)); 6750 lock_protect(&xfr->lock, &xfr->zone_expired, sizeof(xfr->zone_expired)); 6751 lock_protect(&xfr->lock, &xfr->have_zone, sizeof(xfr->have_zone)); 6752 lock_protect(&xfr->lock, &xfr->serial, sizeof(xfr->serial)); 6753 lock_protect(&xfr->lock, &xfr->retry, sizeof(xfr->retry)); 6754 lock_protect(&xfr->lock, &xfr->refresh, sizeof(xfr->refresh)); 6755 lock_protect(&xfr->lock, &xfr->expiry, sizeof(xfr->expiry)); 6756 lock_protect(&xfr->lock, &xfr->lease_time, sizeof(xfr->lease_time)); 6757 lock_protect(&xfr->lock, &xfr->task_nextprobe->worker, 6758 sizeof(xfr->task_nextprobe->worker)); 6759 lock_protect(&xfr->lock, &xfr->task_probe->worker, 6760 sizeof(xfr->task_probe->worker)); 6761 lock_protect(&xfr->lock, &xfr->task_transfer->worker, 6762 sizeof(xfr->task_transfer->worker)); 6763 lock_basic_lock(&xfr->lock); 6764 return xfr; 6765} 6766 6767/** Create auth_xfer structure. 6768 * This populates the have_zone, soa values, and so on times. 6769 * and sets the timeout, if a zone transfer is needed a short timeout is set. 6770 * For that the auth_zone itself must exist (and read in zonefile) 6771 * returns false on alloc failure. */ 6772struct auth_xfer* 6773auth_xfer_create(struct auth_zones* az, struct auth_zone* z) 6774{ 6775 struct auth_xfer* xfr; 6776 6777 /* malloc it */ 6778 xfr = auth_xfer_new(z); 6779 if(!xfr) { 6780 log_err("malloc failure"); 6781 return NULL; 6782 } 6783 /* insert in tree */ 6784 (void)rbtree_insert(&az->xtree, &xfr->node); 6785 return xfr; 6786} 6787 6788/** create new auth_master structure */ 6789static struct auth_master* 6790auth_master_new(struct auth_master*** list) 6791{ 6792 struct auth_master *m; 6793 m = (struct auth_master*)calloc(1, sizeof(*m)); 6794 if(!m) { 6795 log_err("malloc failure"); 6796 return NULL; 6797 } 6798 /* set first pointer to m, or next pointer of previous element to m */ 6799 (**list) = m; 6800 /* store m's next pointer as future point to store at */ 6801 (*list) = &(m->next); 6802 return m; 6803} 6804 6805/** dup_prefix : create string from initial part of other string, malloced */ 6806static char* 6807dup_prefix(char* str, size_t num) 6808{ 6809 char* result; 6810 size_t len = strlen(str); 6811 if(len < num) num = len; /* not more than strlen */ 6812 result = (char*)malloc(num+1); 6813 if(!result) { 6814 log_err("malloc failure"); 6815 return result; 6816 } 6817 memmove(result, str, num); 6818 result[num] = 0; 6819 return result; 6820} 6821 6822/** dup string and print error on error */ 6823static char* 6824dup_all(char* str) 6825{ 6826 char* result = strdup(str); 6827 if(!result) { 6828 log_err("malloc failure"); 6829 return NULL; 6830 } 6831 return result; 6832} 6833 6834/** find first of two characters */ 6835static char* 6836str_find_first_of_chars(char* s, char a, char b) 6837{ 6838 char* ra = strchr(s, a); 6839 char* rb = strchr(s, b); 6840 if(!ra) return rb; 6841 if(!rb) return ra; 6842 if(ra < rb) return ra; 6843 return rb; 6844} 6845 6846/** parse URL into host and file parts, false on malloc or parse error */ 6847static int 6848parse_url(char* url, char** host, char** file, int* port, int* ssl) 6849{ 6850 char* p = url; 6851 /* parse http://www.example.com/file.htm 6852 * or http://127.0.0.1 (index.html) 6853 * or https://[::1@1234]/a/b/c/d */ 6854 *ssl = 1; 6855 *port = AUTH_HTTPS_PORT; 6856 6857 /* parse http:// or https:// */ 6858 if(strncmp(p, "http://", 7) == 0) { 6859 p += 7; 6860 *ssl = 0; 6861 *port = AUTH_HTTP_PORT; 6862 } else if(strncmp(p, "https://", 8) == 0) { 6863 p += 8; 6864 } else if(strstr(p, "://") && strchr(p, '/') > strstr(p, "://") && 6865 strchr(p, ':') >= strstr(p, "://")) { 6866 char* uri = dup_prefix(p, (size_t)(strstr(p, "://")-p)); 6867 log_err("protocol %s:// not supported (for url %s)", 6868 uri?uri:"", p); 6869 free(uri); 6870 return 0; 6871 } 6872 6873 /* parse hostname part */ 6874 if(p[0] == '[') { 6875 char* end = strchr(p, ']'); 6876 p++; /* skip over [ */ 6877 if(end) { 6878 *host = dup_prefix(p, (size_t)(end-p)); 6879 if(!*host) return 0; 6880 p = end+1; /* skip over ] */ 6881 } else { 6882 *host = dup_all(p); 6883 if(!*host) return 0; 6884 p = end; 6885 } 6886 } else { 6887 char* end = str_find_first_of_chars(p, ':', '/'); 6888 if(end) { 6889 *host = dup_prefix(p, (size_t)(end-p)); 6890 if(!*host) return 0; 6891 } else { 6892 *host = dup_all(p); 6893 if(!*host) return 0; 6894 } 6895 p = end; /* at next : or / or NULL */ 6896 } 6897 6898 /* parse port number */ 6899 if(p && p[0] == ':') { 6900 char* end = NULL; 6901 *port = strtol(p+1, &end, 10); 6902 p = end; 6903 } 6904 6905 /* parse filename part */ 6906 while(p && *p == '/') 6907 p++; 6908 if(!p || p[0] == 0) 6909 *file = strdup("index.html"); 6910 else *file = strdup(p); 6911 if(!*file) { 6912 log_err("malloc failure"); 6913 return 0; 6914 } 6915 return 1; 6916} 6917 6918int 6919xfer_set_masters(struct auth_master** list, struct config_auth* c, 6920 int with_http) 6921{ 6922 struct auth_master* m; 6923 struct config_strlist* p; 6924 /* list points to the first, or next pointer for the new element */ 6925 while(*list) { 6926 list = &( (*list)->next ); 6927 } 6928 if(with_http) 6929 for(p = c->urls; p; p = p->next) { 6930 m = auth_master_new(&list); 6931 m->http = 1; 6932 if(!parse_url(p->str, &m->host, &m->file, &m->port, &m->ssl)) 6933 return 0; 6934 } 6935 for(p = c->masters; p; p = p->next) { 6936 m = auth_master_new(&list); 6937 m->ixfr = 1; /* this flag is not configurable */ 6938 m->host = strdup(p->str); 6939 if(!m->host) { 6940 log_err("malloc failure"); 6941 return 0; 6942 } 6943 } 6944 for(p = c->allow_notify; p; p = p->next) { 6945 m = auth_master_new(&list); 6946 m->allow_notify = 1; 6947 m->host = strdup(p->str); 6948 if(!m->host) { 6949 log_err("malloc failure"); 6950 return 0; 6951 } 6952 } 6953 return 1; 6954} 6955 6956#define SERIAL_BITS 32 6957int 6958compare_serial(uint32_t a, uint32_t b) 6959{ 6960 const uint32_t cutoff = ((uint32_t) 1 << (SERIAL_BITS - 1)); 6961 6962 if (a == b) { 6963 return 0; 6964 } else if ((a < b && b - a < cutoff) || (a > b && a - b > cutoff)) { 6965 return -1; 6966 } else { 6967 return 1; 6968 } 6969} 6970