1 /*
2 * daemon/remote.c - remote control for the unbound daemon.
3 *
4 * Copyright (c) 2008, NLnet Labs. All rights reserved.
5 *
6 * This software is open source.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * Redistributions of source code must retain the above copyright notice,
13 * this list of conditions and the following disclaimer.
14 *
15 * Redistributions in binary form must reproduce the above copyright notice,
16 * this list of conditions and the following disclaimer in the documentation
17 * and/or other materials provided with the distribution.
18 *
19 * Neither the name of the NLNET LABS nor the names of its contributors may
20 * be used to endorse or promote products derived from this software without
21 * specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34 */
35
36 /**
37 * \file
38 *
39 * This file contains the remote control functionality for the daemon.
40 * The remote control can be performed using either the commandline
41 * unbound-control tool, or a TLS capable web browser.
42 * The channel is secured using TLSv1, and certificates.
43 * Both the server and the client(control tool) have their own keys.
44 */
45 #include "config.h"
46 #ifdef HAVE_OPENSSL_ERR_H
47 #include <openssl/err.h>
48 #endif
49 #ifdef HAVE_OPENSSL_DH_H
50 #include <openssl/dh.h>
51 #endif
52 #ifdef HAVE_OPENSSL_BN_H
53 #include <openssl/bn.h>
54 #endif
55
56 #include <ctype.h>
57 #include "daemon/remote.h"
58 #include "daemon/worker.h"
59 #include "daemon/daemon.h"
60 #include "daemon/stats.h"
61 #include "daemon/cachedump.h"
62 #include "util/log.h"
63 #include "util/config_file.h"
64 #include "util/net_help.h"
65 #include "util/module.h"
66 #include "services/listen_dnsport.h"
67 #include "services/cache/rrset.h"
68 #include "services/cache/infra.h"
69 #include "services/mesh.h"
70 #include "services/localzone.h"
71 #include "services/authzone.h"
72 #include "services/rpz.h"
73 #include "util/storage/slabhash.h"
74 #include "util/fptr_wlist.h"
75 #include "util/data/dname.h"
76 #include "validator/validator.h"
77 #include "validator/val_kcache.h"
78 #include "validator/val_kentry.h"
79 #include "validator/val_anchor.h"
80 #include "iterator/iterator.h"
81 #include "iterator/iter_fwd.h"
82 #include "iterator/iter_hints.h"
83 #include "iterator/iter_delegpt.h"
84 #include "services/outbound_list.h"
85 #include "services/outside_network.h"
86 #include "sldns/str2wire.h"
87 #include "sldns/parseutil.h"
88 #include "sldns/wire2str.h"
89 #include "sldns/sbuffer.h"
90 #include "util/timeval_func.h"
91 #include "util/edns.h"
92 #ifdef USE_CACHEDB
93 #include "cachedb/cachedb.h"
94 #endif
95
96 #ifdef HAVE_SYS_TYPES_H
97 # include <sys/types.h>
98 #endif
99 #ifdef HAVE_SYS_STAT_H
100 #include <sys/stat.h>
101 #endif
102 #ifdef HAVE_NETDB_H
103 #include <netdb.h>
104 #endif
105
106 /* just for portability */
107 #ifdef SQ
108 #undef SQ
109 #endif
110
111 /** what to put on statistics lines between var and value, ": " or "=" */
112 #define SQ "="
113
114 /** Acceptable lengths of str lines */
115 #define MAX_CMD_STRLINE 1024
116 #define MAX_STDIN_STRLINE 2048
117
118 static int
remote_setup_ctx(struct daemon_remote * rc,struct config_file * cfg)119 remote_setup_ctx(struct daemon_remote* rc, struct config_file* cfg)
120 {
121 char* s_cert;
122 char* s_key;
123 rc->ctx = SSL_CTX_new(SSLv23_server_method());
124 if(!rc->ctx) {
125 log_crypto_err("could not SSL_CTX_new");
126 return 0;
127 }
128 if(!listen_sslctx_setup(rc->ctx)) {
129 return 0;
130 }
131
132 s_cert = fname_after_chroot(cfg->server_cert_file, cfg, 1);
133 s_key = fname_after_chroot(cfg->server_key_file, cfg, 1);
134 if(!s_cert || !s_key) {
135 log_err("out of memory in remote control fname");
136 goto setup_error;
137 }
138 verbose(VERB_ALGO, "setup SSL certificates");
139 if (!SSL_CTX_use_certificate_chain_file(rc->ctx,s_cert)) {
140 log_err("Error for server-cert-file: %s", s_cert);
141 log_crypto_err("Error in SSL_CTX use_certificate_chain_file");
142 goto setup_error;
143 }
144 if(!SSL_CTX_use_PrivateKey_file(rc->ctx,s_key,SSL_FILETYPE_PEM)) {
145 log_err("Error for server-key-file: %s", s_key);
146 log_crypto_err("Error in SSL_CTX use_PrivateKey_file");
147 goto setup_error;
148 }
149 if(!SSL_CTX_check_private_key(rc->ctx)) {
150 log_err("Error for server-key-file: %s", s_key);
151 log_crypto_err("Error in SSL_CTX check_private_key");
152 goto setup_error;
153 }
154 listen_sslctx_setup_2(rc->ctx);
155 if(!SSL_CTX_load_verify_locations(rc->ctx, s_cert, NULL)) {
156 log_crypto_err("Error setting up SSL_CTX verify locations");
157 setup_error:
158 free(s_cert);
159 free(s_key);
160 return 0;
161 }
162 SSL_CTX_set_client_CA_list(rc->ctx, SSL_load_client_CA_file(s_cert));
163 SSL_CTX_set_verify(rc->ctx, SSL_VERIFY_PEER, NULL);
164 free(s_cert);
165 free(s_key);
166 return 1;
167 }
168
169 struct daemon_remote*
daemon_remote_create(struct config_file * cfg)170 daemon_remote_create(struct config_file* cfg)
171 {
172 struct daemon_remote* rc = (struct daemon_remote*)calloc(1,
173 sizeof(*rc));
174 if(!rc) {
175 log_err("out of memory in daemon_remote_create");
176 return NULL;
177 }
178 rc->max_active = 10;
179
180 if(!cfg->remote_control_enable) {
181 rc->ctx = NULL;
182 return rc;
183 }
184 if(options_remote_is_address(cfg) && cfg->control_use_cert) {
185 if(!remote_setup_ctx(rc, cfg)) {
186 daemon_remote_delete(rc);
187 return NULL;
188 }
189 rc->use_cert = 1;
190 } else {
191 struct config_strlist* p;
192 rc->ctx = NULL;
193 rc->use_cert = 0;
194 if(!options_remote_is_address(cfg))
195 for(p = cfg->control_ifs.first; p; p = p->next) {
196 if(p->str && p->str[0] != '/')
197 log_warn("control-interface %s is not using TLS, but plain transfer, because first control-interface in config file is a local socket (starts with a /).", p->str);
198 }
199 }
200 return rc;
201 }
202
daemon_remote_clear(struct daemon_remote * rc)203 void daemon_remote_clear(struct daemon_remote* rc)
204 {
205 struct rc_state* p, *np;
206 if(!rc) return;
207 /* but do not close the ports */
208 listen_list_delete(rc->accept_list);
209 rc->accept_list = NULL;
210 /* do close these sockets */
211 p = rc->busy_list;
212 while(p) {
213 np = p->next;
214 if(p->ssl)
215 SSL_free(p->ssl);
216 comm_point_delete(p->c);
217 free(p);
218 p = np;
219 }
220 rc->busy_list = NULL;
221 rc->active = 0;
222 rc->worker = NULL;
223 }
224
daemon_remote_delete(struct daemon_remote * rc)225 void daemon_remote_delete(struct daemon_remote* rc)
226 {
227 if(!rc) return;
228 daemon_remote_clear(rc);
229 if(rc->ctx) {
230 SSL_CTX_free(rc->ctx);
231 }
232 free(rc);
233 }
234
235 /**
236 * Add and open a new control port
237 * @param ip: ip str
238 * @param nr: port nr
239 * @param list: list head
240 * @param noproto_is_err: if lack of protocol support is an error.
241 * @param cfg: config with username for chown of unix-sockets.
242 * @return false on failure.
243 */
244 static int
add_open(const char * ip,int nr,struct listen_port ** list,int noproto_is_err,struct config_file * cfg)245 add_open(const char* ip, int nr, struct listen_port** list, int noproto_is_err,
246 struct config_file* cfg)
247 {
248 struct addrinfo hints;
249 struct addrinfo* res;
250 struct listen_port* n;
251 int noproto = 0;
252 int fd, r;
253 char port[15];
254 snprintf(port, sizeof(port), "%d", nr);
255 port[sizeof(port)-1]=0;
256 memset(&hints, 0, sizeof(hints));
257 log_assert(ip);
258
259 if(ip[0] == '/') {
260 /* This looks like a local socket */
261 fd = create_local_accept_sock(ip, &noproto, cfg->use_systemd);
262 /*
263 * Change socket ownership and permissions so users other
264 * than root can access it provided they are in the same
265 * group as the user we run as.
266 */
267 if(fd != -1) {
268 #ifdef HAVE_CHOWN
269 chmod(ip, (mode_t)(S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP));
270 if (cfg->username && cfg->username[0] &&
271 cfg_uid != (uid_t)-1) {
272 if(chown(ip, cfg_uid, cfg_gid) == -1)
273 verbose(VERB_QUERY, "cannot chown %u.%u %s: %s",
274 (unsigned)cfg_uid, (unsigned)cfg_gid,
275 ip, strerror(errno));
276 }
277 #else
278 (void)cfg;
279 #endif
280 }
281 } else {
282 hints.ai_socktype = SOCK_STREAM;
283 hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
284 if((r = getaddrinfo(ip, port, &hints, &res)) != 0 || !res) {
285 #ifdef USE_WINSOCK
286 if(!noproto_is_err && r == EAI_NONAME) {
287 /* tried to lookup the address as name */
288 return 1; /* return success, but do nothing */
289 }
290 #endif /* USE_WINSOCK */
291 log_err("control interface %s:%s getaddrinfo: %s %s",
292 ip?ip:"default", port, gai_strerror(r),
293 #ifdef EAI_SYSTEM
294 r==EAI_SYSTEM?(char*)strerror(errno):""
295 #else
296 ""
297 #endif
298 );
299 return 0;
300 }
301
302 /* open fd */
303 fd = create_tcp_accept_sock(res, 1, &noproto, 0,
304 cfg->ip_transparent, 0, 0, cfg->ip_freebind,
305 cfg->use_systemd, cfg->ip_dscp);
306 freeaddrinfo(res);
307 }
308
309 if(fd == -1 && noproto) {
310 if(!noproto_is_err)
311 return 1; /* return success, but do nothing */
312 log_err("cannot open control interface %s %d : "
313 "protocol not supported", ip, nr);
314 return 0;
315 }
316 if(fd == -1) {
317 log_err("cannot open control interface %s %d", ip, nr);
318 return 0;
319 }
320
321 /* alloc */
322 n = (struct listen_port*)calloc(1, sizeof(*n));
323 if(!n) {
324 sock_close(fd);
325 log_err("out of memory");
326 return 0;
327 }
328 n->next = *list;
329 *list = n;
330 n->fd = fd;
331 return 1;
332 }
333
daemon_remote_open_ports(struct config_file * cfg)334 struct listen_port* daemon_remote_open_ports(struct config_file* cfg)
335 {
336 struct listen_port* l = NULL;
337 log_assert(cfg->remote_control_enable && cfg->control_port);
338 if(cfg->control_ifs.first) {
339 char** rcif = NULL;
340 int i, num_rcif = 0;
341 if(!resolve_interface_names(NULL, 0, cfg->control_ifs.first,
342 &rcif, &num_rcif)) {
343 return NULL;
344 }
345 for(i=0; i<num_rcif; i++) {
346 if(!add_open(rcif[i], cfg->control_port, &l, 1, cfg)) {
347 listening_ports_free(l);
348 config_del_strarray(rcif, num_rcif);
349 return NULL;
350 }
351 }
352 config_del_strarray(rcif, num_rcif);
353 } else {
354 /* defaults */
355 if(cfg->do_ip6 &&
356 !add_open("::1", cfg->control_port, &l, 0, cfg)) {
357 listening_ports_free(l);
358 return NULL;
359 }
360 if(cfg->do_ip4 &&
361 !add_open("127.0.0.1", cfg->control_port, &l, 1, cfg)) {
362 listening_ports_free(l);
363 return NULL;
364 }
365 }
366 return l;
367 }
368
369 /** open accept commpoint */
370 static int
accept_open(struct daemon_remote * rc,int fd)371 accept_open(struct daemon_remote* rc, int fd)
372 {
373 struct listen_list* n = (struct listen_list*)malloc(sizeof(*n));
374 if(!n) {
375 log_err("out of memory");
376 return 0;
377 }
378 n->next = rc->accept_list;
379 rc->accept_list = n;
380 /* open commpt */
381 n->com = comm_point_create_raw(rc->worker->base, fd, 0,
382 &remote_accept_callback, rc);
383 if(!n->com)
384 return 0;
385 /* keep this port open, its fd is kept in the rc portlist */
386 n->com->do_not_close = 1;
387 return 1;
388 }
389
daemon_remote_open_accept(struct daemon_remote * rc,struct listen_port * ports,struct worker * worker)390 int daemon_remote_open_accept(struct daemon_remote* rc,
391 struct listen_port* ports, struct worker* worker)
392 {
393 struct listen_port* p;
394 rc->worker = worker;
395 for(p = ports; p; p = p->next) {
396 if(!accept_open(rc, p->fd)) {
397 log_err("could not create accept comm point");
398 return 0;
399 }
400 }
401 return 1;
402 }
403
daemon_remote_stop_accept(struct daemon_remote * rc)404 void daemon_remote_stop_accept(struct daemon_remote* rc)
405 {
406 struct listen_list* p;
407 for(p=rc->accept_list; p; p=p->next) {
408 comm_point_stop_listening(p->com);
409 }
410 }
411
daemon_remote_start_accept(struct daemon_remote * rc)412 void daemon_remote_start_accept(struct daemon_remote* rc)
413 {
414 struct listen_list* p;
415 for(p=rc->accept_list; p; p=p->next) {
416 comm_point_start_listening(p->com, -1, -1);
417 }
418 }
419
remote_accept_callback(struct comm_point * c,void * arg,int err,struct comm_reply * ATTR_UNUSED (rep))420 int remote_accept_callback(struct comm_point* c, void* arg, int err,
421 struct comm_reply* ATTR_UNUSED(rep))
422 {
423 struct daemon_remote* rc = (struct daemon_remote*)arg;
424 struct sockaddr_storage addr;
425 socklen_t addrlen;
426 int newfd;
427 struct rc_state* n;
428 if(err != NETEVENT_NOERROR) {
429 log_err("error %d on remote_accept_callback", err);
430 return 0;
431 }
432 /* perform the accept */
433 newfd = comm_point_perform_accept(c, &addr, &addrlen);
434 if(newfd == -1)
435 return 0;
436 /* create new commpoint unless we are servicing already */
437 if(rc->active >= rc->max_active) {
438 log_warn("drop incoming remote control: too many connections");
439 close_exit:
440 sock_close(newfd);
441 return 0;
442 }
443
444 /* setup commpoint to service the remote control command */
445 n = (struct rc_state*)calloc(1, sizeof(*n));
446 if(!n) {
447 log_err("out of memory");
448 goto close_exit;
449 }
450 n->fd = newfd;
451 /* start in reading state */
452 n->c = comm_point_create_raw(rc->worker->base, newfd, 0,
453 &remote_control_callback, n);
454 if(!n->c) {
455 log_err("out of memory");
456 free(n);
457 goto close_exit;
458 }
459 log_addr(VERB_QUERY, "new control connection from", &addr, addrlen);
460 n->c->do_not_close = 0;
461 comm_point_stop_listening(n->c);
462 comm_point_start_listening(n->c, -1, REMOTE_CONTROL_TCP_TIMEOUT);
463 memcpy(&n->c->repinfo.remote_addr, &addr, addrlen);
464 n->c->repinfo.remote_addrlen = addrlen;
465 if(rc->use_cert) {
466 n->shake_state = rc_hs_read;
467 n->ssl = SSL_new(rc->ctx);
468 if(!n->ssl) {
469 log_crypto_err("could not SSL_new");
470 comm_point_delete(n->c);
471 free(n);
472 goto close_exit;
473 }
474 SSL_set_accept_state(n->ssl);
475 (void)SSL_set_mode(n->ssl, (long)SSL_MODE_AUTO_RETRY);
476 if(!SSL_set_fd(n->ssl, newfd)) {
477 log_crypto_err("could not SSL_set_fd");
478 SSL_free(n->ssl);
479 comm_point_delete(n->c);
480 free(n);
481 goto close_exit;
482 }
483 } else {
484 n->ssl = NULL;
485 }
486
487 n->rc = rc;
488 n->next = rc->busy_list;
489 rc->busy_list = n;
490 rc->active ++;
491
492 /* perform the first nonblocking read already, for windows,
493 * so it can return wouldblock. could be faster too. */
494 (void)remote_control_callback(n->c, n, NETEVENT_NOERROR, NULL);
495 return 0;
496 }
497
498 /** delete from list */
499 static void
state_list_remove_elem(struct rc_state ** list,struct comm_point * c)500 state_list_remove_elem(struct rc_state** list, struct comm_point* c)
501 {
502 while(*list) {
503 if( (*list)->c == c) {
504 *list = (*list)->next;
505 return;
506 }
507 list = &(*list)->next;
508 }
509 }
510
511 /** decrease active count and remove commpoint from busy list */
512 static void
clean_point(struct daemon_remote * rc,struct rc_state * s)513 clean_point(struct daemon_remote* rc, struct rc_state* s)
514 {
515 state_list_remove_elem(&rc->busy_list, s->c);
516 rc->active --;
517 if(s->ssl) {
518 SSL_shutdown(s->ssl);
519 SSL_free(s->ssl);
520 }
521 comm_point_delete(s->c);
522 free(s);
523 }
524
525 int
ssl_print_text(RES * res,const char * text)526 ssl_print_text(RES* res, const char* text)
527 {
528 int r;
529 if(!res)
530 return 0;
531 if(res->ssl) {
532 ERR_clear_error();
533 if((r=SSL_write(res->ssl, text, (int)strlen(text))) <= 0) {
534 int r2;
535 if((r2=SSL_get_error(res->ssl, r)) == SSL_ERROR_ZERO_RETURN) {
536 verbose(VERB_QUERY, "warning, in SSL_write, peer "
537 "closed connection");
538 return 0;
539 }
540 log_crypto_err_io("could not SSL_write", r2);
541 return 0;
542 }
543 } else {
544 size_t at = 0;
545 while(at < strlen(text)) {
546 ssize_t r = send(res->fd, text+at, strlen(text)-at, 0);
547 if(r == -1) {
548 if(errno == EAGAIN || errno == EINTR)
549 continue;
550 log_err("could not send: %s",
551 sock_strerror(errno));
552 return 0;
553 }
554 at += r;
555 }
556 }
557 return 1;
558 }
559
560 /** print text over the ssl connection */
561 static int
ssl_print_vmsg(RES * ssl,const char * format,va_list args)562 ssl_print_vmsg(RES* ssl, const char* format, va_list args)
563 {
564 char msg[65535];
565 vsnprintf(msg, sizeof(msg), format, args);
566 return ssl_print_text(ssl, msg);
567 }
568
569 /** printf style printing to the ssl connection */
ssl_printf(RES * ssl,const char * format,...)570 int ssl_printf(RES* ssl, const char* format, ...)
571 {
572 va_list args;
573 int ret;
574 va_start(args, format);
575 ret = ssl_print_vmsg(ssl, format, args);
576 va_end(args);
577 return ret;
578 }
579
580 int
ssl_read_line(RES * res,char * buf,size_t max)581 ssl_read_line(RES* res, char* buf, size_t max)
582 {
583 int r;
584 size_t len = 0;
585 if(!res)
586 return 0;
587 while(len < max) {
588 if(res->ssl) {
589 ERR_clear_error();
590 if((r=SSL_read(res->ssl, buf+len, 1)) <= 0) {
591 int r2;
592 if((r2=SSL_get_error(res->ssl, r)) == SSL_ERROR_ZERO_RETURN) {
593 buf[len] = 0;
594 return 1;
595 }
596 log_crypto_err_io("could not SSL_read", r2);
597 return 0;
598 }
599 } else {
600 while(1) {
601 ssize_t rr = recv(res->fd, buf+len, 1, 0);
602 if(rr <= 0) {
603 if(rr == 0) {
604 buf[len] = 0;
605 return 1;
606 }
607 if(errno == EINTR || errno == EAGAIN)
608 continue;
609 if(rr < 0) log_err("could not recv: %s",
610 sock_strerror(errno));
611 return 0;
612 }
613 break;
614 }
615 }
616 if(buf[len] == '\n') {
617 /* return string without \n */
618 buf[len] = 0;
619 return 1;
620 }
621 len++;
622 }
623 buf[max-1] = 0;
624 log_err("control line too long (%d): %s", (int)max, buf);
625 return 0;
626 }
627
628 /** skip whitespace, return new pointer into string */
629 static char*
skipwhite(char * str)630 skipwhite(char* str)
631 {
632 /* EOS \0 is not a space */
633 while( isspace((unsigned char)*str) )
634 str++;
635 return str;
636 }
637
638 /** send the OK to the control client */
send_ok(RES * ssl)639 static void send_ok(RES* ssl)
640 {
641 (void)ssl_printf(ssl, "ok\n");
642 }
643
644 /** tell other processes to execute the command */
645 static void
distribute_cmd(struct daemon_remote * rc,RES * ssl,char * cmd)646 distribute_cmd(struct daemon_remote* rc, RES* ssl, char* cmd)
647 {
648 int i;
649 if(!cmd || !ssl)
650 return;
651 /* skip i=0 which is me */
652 for(i=1; i<rc->worker->daemon->num; i++) {
653 worker_send_cmd(rc->worker->daemon->workers[i],
654 worker_cmd_remote);
655 if(!tube_write_msg(rc->worker->daemon->workers[i]->cmd,
656 (uint8_t*)cmd, strlen(cmd)+1, 0)) {
657 (void)ssl_printf(ssl, "error could not distribute cmd\n");
658 return;
659 }
660 }
661 }
662
663 /** do the stop command */
664 static void
do_stop(RES * ssl,struct worker * worker)665 do_stop(RES* ssl, struct worker* worker)
666 {
667 worker->need_to_exit = 1;
668 comm_base_exit(worker->base);
669 send_ok(ssl);
670 }
671
672 /** do the reload command */
673 static void
do_reload(RES * ssl,struct worker * worker,int reuse_cache)674 do_reload(RES* ssl, struct worker* worker, int reuse_cache)
675 {
676 worker->reuse_cache = reuse_cache;
677 worker->need_to_exit = 0;
678 comm_base_exit(worker->base);
679 send_ok(ssl);
680 }
681
682 /** do the verbosity command */
683 static void
do_verbosity(RES * ssl,char * str)684 do_verbosity(RES* ssl, char* str)
685 {
686 int val = atoi(str);
687 if(val == 0 && strcmp(str, "0") != 0) {
688 ssl_printf(ssl, "error in verbosity number syntax: %s\n", str);
689 return;
690 }
691 verbosity = val;
692 send_ok(ssl);
693 }
694
695 /** print stats from statinfo */
696 static int
print_stats(RES * ssl,const char * nm,struct ub_stats_info * s)697 print_stats(RES* ssl, const char* nm, struct ub_stats_info* s)
698 {
699 struct timeval sumwait, avg;
700 if(!ssl_printf(ssl, "%s.num.queries"SQ"%lu\n", nm,
701 (unsigned long)s->svr.num_queries)) return 0;
702 if(!ssl_printf(ssl, "%s.num.queries_ip_ratelimited"SQ"%lu\n", nm,
703 (unsigned long)s->svr.num_queries_ip_ratelimited)) return 0;
704 if(!ssl_printf(ssl, "%s.num.queries_cookie_valid"SQ"%lu\n", nm,
705 (unsigned long)s->svr.num_queries_cookie_valid)) return 0;
706 if(!ssl_printf(ssl, "%s.num.queries_cookie_client"SQ"%lu\n", nm,
707 (unsigned long)s->svr.num_queries_cookie_client)) return 0;
708 if(!ssl_printf(ssl, "%s.num.queries_cookie_invalid"SQ"%lu\n", nm,
709 (unsigned long)s->svr.num_queries_cookie_invalid)) return 0;
710 if(!ssl_printf(ssl, "%s.num.cachehits"SQ"%lu\n", nm,
711 (unsigned long)(s->svr.num_queries
712 - s->svr.num_queries_missed_cache))) return 0;
713 if(!ssl_printf(ssl, "%s.num.cachemiss"SQ"%lu\n", nm,
714 (unsigned long)s->svr.num_queries_missed_cache)) return 0;
715 if(!ssl_printf(ssl, "%s.num.prefetch"SQ"%lu\n", nm,
716 (unsigned long)s->svr.num_queries_prefetch)) return 0;
717 if(!ssl_printf(ssl, "%s.num.queries_timed_out"SQ"%lu\n", nm,
718 (unsigned long)s->svr.num_queries_timed_out)) return 0;
719 if(!ssl_printf(ssl, "%s.query.queue_time_us.max"SQ"%lu\n", nm,
720 (unsigned long)s->svr.max_query_time_us)) return 0;
721 if(!ssl_printf(ssl, "%s.num.expired"SQ"%lu\n", nm,
722 (unsigned long)s->svr.ans_expired)) return 0;
723 if(!ssl_printf(ssl, "%s.num.recursivereplies"SQ"%lu\n", nm,
724 (unsigned long)s->mesh_replies_sent)) return 0;
725 #ifdef USE_DNSCRYPT
726 if(!ssl_printf(ssl, "%s.num.dnscrypt.crypted"SQ"%lu\n", nm,
727 (unsigned long)s->svr.num_query_dnscrypt_crypted)) return 0;
728 if(!ssl_printf(ssl, "%s.num.dnscrypt.cert"SQ"%lu\n", nm,
729 (unsigned long)s->svr.num_query_dnscrypt_cert)) return 0;
730 if(!ssl_printf(ssl, "%s.num.dnscrypt.cleartext"SQ"%lu\n", nm,
731 (unsigned long)s->svr.num_query_dnscrypt_cleartext)) return 0;
732 if(!ssl_printf(ssl, "%s.num.dnscrypt.malformed"SQ"%lu\n", nm,
733 (unsigned long)s->svr.num_query_dnscrypt_crypted_malformed)) return 0;
734 #endif
735 if(!ssl_printf(ssl, "%s.requestlist.avg"SQ"%g\n", nm,
736 (s->svr.num_queries_missed_cache+s->svr.num_queries_prefetch)?
737 (double)s->svr.sum_query_list_size/
738 (double)(s->svr.num_queries_missed_cache+
739 s->svr.num_queries_prefetch) : 0.0)) return 0;
740 if(!ssl_printf(ssl, "%s.requestlist.max"SQ"%lu\n", nm,
741 (unsigned long)s->svr.max_query_list_size)) return 0;
742 if(!ssl_printf(ssl, "%s.requestlist.overwritten"SQ"%lu\n", nm,
743 (unsigned long)s->mesh_jostled)) return 0;
744 if(!ssl_printf(ssl, "%s.requestlist.exceeded"SQ"%lu\n", nm,
745 (unsigned long)s->mesh_dropped)) return 0;
746 if(!ssl_printf(ssl, "%s.requestlist.current.all"SQ"%lu\n", nm,
747 (unsigned long)s->mesh_num_states)) return 0;
748 if(!ssl_printf(ssl, "%s.requestlist.current.user"SQ"%lu\n", nm,
749 (unsigned long)s->mesh_num_reply_states)) return 0;
750 #ifndef S_SPLINT_S
751 sumwait.tv_sec = s->mesh_replies_sum_wait_sec;
752 sumwait.tv_usec = s->mesh_replies_sum_wait_usec;
753 #endif
754 timeval_divide(&avg, &sumwait, s->mesh_replies_sent);
755 if(!ssl_printf(ssl, "%s.recursion.time.avg"SQ ARG_LL "d.%6.6d\n", nm,
756 (long long)avg.tv_sec, (int)avg.tv_usec)) return 0;
757 if(!ssl_printf(ssl, "%s.recursion.time.median"SQ"%g\n", nm,
758 s->mesh_time_median)) return 0;
759 if(!ssl_printf(ssl, "%s.tcpusage"SQ"%lu\n", nm,
760 (unsigned long)s->svr.tcp_accept_usage)) return 0;
761 return 1;
762 }
763
764 /** print stats for one thread */
765 static int
print_thread_stats(RES * ssl,int i,struct ub_stats_info * s)766 print_thread_stats(RES* ssl, int i, struct ub_stats_info* s)
767 {
768 char nm[32];
769 snprintf(nm, sizeof(nm), "thread%d", i);
770 nm[sizeof(nm)-1]=0;
771 return print_stats(ssl, nm, s);
772 }
773
774 /** print long number */
775 static int
print_longnum(RES * ssl,const char * desc,size_t x)776 print_longnum(RES* ssl, const char* desc, size_t x)
777 {
778 if(x > 1024*1024*1024) {
779 /* more than a Gb */
780 size_t front = x / (size_t)1000000;
781 size_t back = x % (size_t)1000000;
782 return ssl_printf(ssl, "%s%u%6.6u\n", desc,
783 (unsigned)front, (unsigned)back);
784 } else {
785 return ssl_printf(ssl, "%s%lu\n", desc, (unsigned long)x);
786 }
787 }
788
789 /** print mem stats */
790 static int
print_mem(RES * ssl,struct worker * worker,struct daemon * daemon,struct ub_stats_info * s)791 print_mem(RES* ssl, struct worker* worker, struct daemon* daemon,
792 struct ub_stats_info* s)
793 {
794 size_t msg, rrset, val, iter, respip;
795 #ifdef CLIENT_SUBNET
796 size_t subnet = 0;
797 #endif /* CLIENT_SUBNET */
798 #ifdef USE_IPSECMOD
799 size_t ipsecmod = 0;
800 #endif /* USE_IPSECMOD */
801 #ifdef USE_DNSCRYPT
802 size_t dnscrypt_shared_secret = 0;
803 size_t dnscrypt_nonce = 0;
804 #endif /* USE_DNSCRYPT */
805 #ifdef WITH_DYNLIBMODULE
806 size_t dynlib = 0;
807 #endif /* WITH_DYNLIBMODULE */
808 msg = slabhash_get_mem(daemon->env->msg_cache);
809 rrset = slabhash_get_mem(&daemon->env->rrset_cache->table);
810 val = mod_get_mem(&worker->env, "validator");
811 iter = mod_get_mem(&worker->env, "iterator");
812 respip = mod_get_mem(&worker->env, "respip");
813 #ifdef CLIENT_SUBNET
814 subnet = mod_get_mem(&worker->env, "subnetcache");
815 #endif /* CLIENT_SUBNET */
816 #ifdef USE_IPSECMOD
817 ipsecmod = mod_get_mem(&worker->env, "ipsecmod");
818 #endif /* USE_IPSECMOD */
819 #ifdef USE_DNSCRYPT
820 if(daemon->dnscenv) {
821 dnscrypt_shared_secret = slabhash_get_mem(
822 daemon->dnscenv->shared_secrets_cache);
823 dnscrypt_nonce = slabhash_get_mem(daemon->dnscenv->nonces_cache);
824 }
825 #endif /* USE_DNSCRYPT */
826 #ifdef WITH_DYNLIBMODULE
827 dynlib = mod_get_mem(&worker->env, "dynlib");
828 #endif /* WITH_DYNLIBMODULE */
829
830 if(!print_longnum(ssl, "mem.cache.rrset"SQ, rrset))
831 return 0;
832 if(!print_longnum(ssl, "mem.cache.message"SQ, msg))
833 return 0;
834 if(!print_longnum(ssl, "mem.mod.iterator"SQ, iter))
835 return 0;
836 if(!print_longnum(ssl, "mem.mod.validator"SQ, val))
837 return 0;
838 if(!print_longnum(ssl, "mem.mod.respip"SQ, respip))
839 return 0;
840 #ifdef CLIENT_SUBNET
841 if(!print_longnum(ssl, "mem.mod.subnet"SQ, subnet))
842 return 0;
843 #endif /* CLIENT_SUBNET */
844 #ifdef USE_IPSECMOD
845 if(!print_longnum(ssl, "mem.mod.ipsecmod"SQ, ipsecmod))
846 return 0;
847 #endif /* USE_IPSECMOD */
848 #ifdef USE_DNSCRYPT
849 if(!print_longnum(ssl, "mem.cache.dnscrypt_shared_secret"SQ,
850 dnscrypt_shared_secret))
851 return 0;
852 if(!print_longnum(ssl, "mem.cache.dnscrypt_nonce"SQ,
853 dnscrypt_nonce))
854 return 0;
855 #endif /* USE_DNSCRYPT */
856 #ifdef WITH_DYNLIBMODULE
857 if(!print_longnum(ssl, "mem.mod.dynlibmod"SQ, dynlib))
858 return 0;
859 #endif /* WITH_DYNLIBMODULE */
860 if(!print_longnum(ssl, "mem.streamwait"SQ,
861 (size_t)s->svr.mem_stream_wait))
862 return 0;
863 if(!print_longnum(ssl, "mem.http.query_buffer"SQ,
864 (size_t)s->svr.mem_http2_query_buffer))
865 return 0;
866 if(!print_longnum(ssl, "mem.http.response_buffer"SQ,
867 (size_t)s->svr.mem_http2_response_buffer))
868 return 0;
869 return 1;
870 }
871
872 /** print uptime stats */
873 static int
print_uptime(RES * ssl,struct worker * worker,int reset)874 print_uptime(RES* ssl, struct worker* worker, int reset)
875 {
876 struct timeval now = *worker->env.now_tv;
877 struct timeval up, dt;
878 timeval_subtract(&up, &now, &worker->daemon->time_boot);
879 timeval_subtract(&dt, &now, &worker->daemon->time_last_stat);
880 if(reset)
881 worker->daemon->time_last_stat = now;
882 if(!ssl_printf(ssl, "time.now"SQ ARG_LL "d.%6.6d\n",
883 (long long)now.tv_sec, (unsigned)now.tv_usec)) return 0;
884 if(!ssl_printf(ssl, "time.up"SQ ARG_LL "d.%6.6d\n",
885 (long long)up.tv_sec, (unsigned)up.tv_usec)) return 0;
886 if(!ssl_printf(ssl, "time.elapsed"SQ ARG_LL "d.%6.6d\n",
887 (long long)dt.tv_sec, (unsigned)dt.tv_usec)) return 0;
888 return 1;
889 }
890
891 /** print extended histogram */
892 static int
print_hist(RES * ssl,struct ub_stats_info * s)893 print_hist(RES* ssl, struct ub_stats_info* s)
894 {
895 struct timehist* hist;
896 size_t i;
897 hist = timehist_setup();
898 if(!hist) {
899 log_err("out of memory");
900 return 0;
901 }
902 timehist_import(hist, s->svr.hist, NUM_BUCKETS_HIST);
903 for(i=0; i<hist->num; i++) {
904 if(!ssl_printf(ssl,
905 "histogram.%6.6d.%6.6d.to.%6.6d.%6.6d=%lu\n",
906 (int)hist->buckets[i].lower.tv_sec,
907 (int)hist->buckets[i].lower.tv_usec,
908 (int)hist->buckets[i].upper.tv_sec,
909 (int)hist->buckets[i].upper.tv_usec,
910 (unsigned long)hist->buckets[i].count)) {
911 timehist_delete(hist);
912 return 0;
913 }
914 }
915 timehist_delete(hist);
916 return 1;
917 }
918
919 /** print extended stats */
920 static int
print_ext(RES * ssl,struct ub_stats_info * s,int inhibit_zero)921 print_ext(RES* ssl, struct ub_stats_info* s, int inhibit_zero)
922 {
923 int i;
924 char nm[32];
925 const sldns_rr_descriptor* desc;
926 const sldns_lookup_table* lt;
927 /* TYPE */
928 for(i=0; i<UB_STATS_QTYPE_NUM; i++) {
929 if(inhibit_zero && s->svr.qtype[i] == 0)
930 continue;
931 desc = sldns_rr_descript((uint16_t)i);
932 if(desc && desc->_name) {
933 snprintf(nm, sizeof(nm), "%s", desc->_name);
934 } else if (i == LDNS_RR_TYPE_IXFR) {
935 snprintf(nm, sizeof(nm), "IXFR");
936 } else if (i == LDNS_RR_TYPE_AXFR) {
937 snprintf(nm, sizeof(nm), "AXFR");
938 } else if (i == LDNS_RR_TYPE_MAILA) {
939 snprintf(nm, sizeof(nm), "MAILA");
940 } else if (i == LDNS_RR_TYPE_MAILB) {
941 snprintf(nm, sizeof(nm), "MAILB");
942 } else if (i == LDNS_RR_TYPE_ANY) {
943 snprintf(nm, sizeof(nm), "ANY");
944 } else {
945 snprintf(nm, sizeof(nm), "TYPE%d", i);
946 }
947 if(!ssl_printf(ssl, "num.query.type.%s"SQ"%lu\n",
948 nm, (unsigned long)s->svr.qtype[i])) return 0;
949 }
950 if(!inhibit_zero || s->svr.qtype_big) {
951 if(!ssl_printf(ssl, "num.query.type.other"SQ"%lu\n",
952 (unsigned long)s->svr.qtype_big)) return 0;
953 }
954 /* CLASS */
955 for(i=0; i<UB_STATS_QCLASS_NUM; i++) {
956 if(inhibit_zero && s->svr.qclass[i] == 0)
957 continue;
958 lt = sldns_lookup_by_id(sldns_rr_classes, i);
959 if(lt && lt->name) {
960 snprintf(nm, sizeof(nm), "%s", lt->name);
961 } else {
962 snprintf(nm, sizeof(nm), "CLASS%d", i);
963 }
964 if(!ssl_printf(ssl, "num.query.class.%s"SQ"%lu\n",
965 nm, (unsigned long)s->svr.qclass[i])) return 0;
966 }
967 if(!inhibit_zero || s->svr.qclass_big) {
968 if(!ssl_printf(ssl, "num.query.class.other"SQ"%lu\n",
969 (unsigned long)s->svr.qclass_big)) return 0;
970 }
971 /* OPCODE */
972 for(i=0; i<UB_STATS_OPCODE_NUM; i++) {
973 if(inhibit_zero && s->svr.qopcode[i] == 0)
974 continue;
975 lt = sldns_lookup_by_id(sldns_opcodes, i);
976 if(lt && lt->name) {
977 snprintf(nm, sizeof(nm), "%s", lt->name);
978 } else {
979 snprintf(nm, sizeof(nm), "OPCODE%d", i);
980 }
981 if(!ssl_printf(ssl, "num.query.opcode.%s"SQ"%lu\n",
982 nm, (unsigned long)s->svr.qopcode[i])) return 0;
983 }
984 /* transport */
985 if(!ssl_printf(ssl, "num.query.tcp"SQ"%lu\n",
986 (unsigned long)s->svr.qtcp)) return 0;
987 if(!ssl_printf(ssl, "num.query.tcpout"SQ"%lu\n",
988 (unsigned long)s->svr.qtcp_outgoing)) return 0;
989 if(!ssl_printf(ssl, "num.query.udpout"SQ"%lu\n",
990 (unsigned long)s->svr.qudp_outgoing)) return 0;
991 if(!ssl_printf(ssl, "num.query.tls"SQ"%lu\n",
992 (unsigned long)s->svr.qtls)) return 0;
993 if(!ssl_printf(ssl, "num.query.tls.resume"SQ"%lu\n",
994 (unsigned long)s->svr.qtls_resume)) return 0;
995 if(!ssl_printf(ssl, "num.query.ipv6"SQ"%lu\n",
996 (unsigned long)s->svr.qipv6)) return 0;
997 if(!ssl_printf(ssl, "num.query.https"SQ"%lu\n",
998 (unsigned long)s->svr.qhttps)) return 0;
999 /* flags */
1000 if(!ssl_printf(ssl, "num.query.flags.QR"SQ"%lu\n",
1001 (unsigned long)s->svr.qbit_QR)) return 0;
1002 if(!ssl_printf(ssl, "num.query.flags.AA"SQ"%lu\n",
1003 (unsigned long)s->svr.qbit_AA)) return 0;
1004 if(!ssl_printf(ssl, "num.query.flags.TC"SQ"%lu\n",
1005 (unsigned long)s->svr.qbit_TC)) return 0;
1006 if(!ssl_printf(ssl, "num.query.flags.RD"SQ"%lu\n",
1007 (unsigned long)s->svr.qbit_RD)) return 0;
1008 if(!ssl_printf(ssl, "num.query.flags.RA"SQ"%lu\n",
1009 (unsigned long)s->svr.qbit_RA)) return 0;
1010 if(!ssl_printf(ssl, "num.query.flags.Z"SQ"%lu\n",
1011 (unsigned long)s->svr.qbit_Z)) return 0;
1012 if(!ssl_printf(ssl, "num.query.flags.AD"SQ"%lu\n",
1013 (unsigned long)s->svr.qbit_AD)) return 0;
1014 if(!ssl_printf(ssl, "num.query.flags.CD"SQ"%lu\n",
1015 (unsigned long)s->svr.qbit_CD)) return 0;
1016 if(!ssl_printf(ssl, "num.query.edns.present"SQ"%lu\n",
1017 (unsigned long)s->svr.qEDNS)) return 0;
1018 if(!ssl_printf(ssl, "num.query.edns.DO"SQ"%lu\n",
1019 (unsigned long)s->svr.qEDNS_DO)) return 0;
1020
1021 /* RCODE */
1022 for(i=0; i<UB_STATS_RCODE_NUM; i++) {
1023 /* Always include RCODEs 0-5 */
1024 if(inhibit_zero && i > LDNS_RCODE_REFUSED && s->svr.ans_rcode[i] == 0)
1025 continue;
1026 lt = sldns_lookup_by_id(sldns_rcodes, i);
1027 if(lt && lt->name) {
1028 snprintf(nm, sizeof(nm), "%s", lt->name);
1029 } else {
1030 snprintf(nm, sizeof(nm), "RCODE%d", i);
1031 }
1032 if(!ssl_printf(ssl, "num.answer.rcode.%s"SQ"%lu\n",
1033 nm, (unsigned long)s->svr.ans_rcode[i])) return 0;
1034 }
1035 if(!inhibit_zero || s->svr.ans_rcode_nodata) {
1036 if(!ssl_printf(ssl, "num.answer.rcode.nodata"SQ"%lu\n",
1037 (unsigned long)s->svr.ans_rcode_nodata)) return 0;
1038 }
1039 /* iteration */
1040 if(!ssl_printf(ssl, "num.query.ratelimited"SQ"%lu\n",
1041 (unsigned long)s->svr.queries_ratelimited)) return 0;
1042 /* validation */
1043 if(!ssl_printf(ssl, "num.answer.secure"SQ"%lu\n",
1044 (unsigned long)s->svr.ans_secure)) return 0;
1045 if(!ssl_printf(ssl, "num.answer.bogus"SQ"%lu\n",
1046 (unsigned long)s->svr.ans_bogus)) return 0;
1047 if(!ssl_printf(ssl, "num.rrset.bogus"SQ"%lu\n",
1048 (unsigned long)s->svr.rrset_bogus)) return 0;
1049 if(!ssl_printf(ssl, "num.query.aggressive.NOERROR"SQ"%lu\n",
1050 (unsigned long)s->svr.num_neg_cache_noerror)) return 0;
1051 if(!ssl_printf(ssl, "num.query.aggressive.NXDOMAIN"SQ"%lu\n",
1052 (unsigned long)s->svr.num_neg_cache_nxdomain)) return 0;
1053 /* threat detection */
1054 if(!ssl_printf(ssl, "unwanted.queries"SQ"%lu\n",
1055 (unsigned long)s->svr.unwanted_queries)) return 0;
1056 if(!ssl_printf(ssl, "unwanted.replies"SQ"%lu\n",
1057 (unsigned long)s->svr.unwanted_replies)) return 0;
1058 /* cache counts */
1059 if(!ssl_printf(ssl, "msg.cache.count"SQ"%u\n",
1060 (unsigned)s->svr.msg_cache_count)) return 0;
1061 if(!ssl_printf(ssl, "rrset.cache.count"SQ"%u\n",
1062 (unsigned)s->svr.rrset_cache_count)) return 0;
1063 if(!ssl_printf(ssl, "infra.cache.count"SQ"%u\n",
1064 (unsigned)s->svr.infra_cache_count)) return 0;
1065 if(!ssl_printf(ssl, "key.cache.count"SQ"%u\n",
1066 (unsigned)s->svr.key_cache_count)) return 0;
1067 /* max collisions */
1068 if(!ssl_printf(ssl, "msg.cache.max_collisions"SQ"%u\n",
1069 (unsigned)s->svr.msg_cache_max_collisions)) return 0;
1070 if(!ssl_printf(ssl, "rrset.cache.max_collisions"SQ"%u\n",
1071 (unsigned)s->svr.rrset_cache_max_collisions)) return 0;
1072 /* applied RPZ actions */
1073 for(i=0; i<UB_STATS_RPZ_ACTION_NUM; i++) {
1074 if(i == RPZ_NO_OVERRIDE_ACTION)
1075 continue;
1076 if(inhibit_zero && s->svr.rpz_action[i] == 0)
1077 continue;
1078 if(!ssl_printf(ssl, "num.rpz.action.%s"SQ"%lu\n",
1079 rpz_action_to_string(i),
1080 (unsigned long)s->svr.rpz_action[i])) return 0;
1081 }
1082 #ifdef USE_DNSCRYPT
1083 if(!ssl_printf(ssl, "dnscrypt_shared_secret.cache.count"SQ"%u\n",
1084 (unsigned)s->svr.shared_secret_cache_count)) return 0;
1085 if(!ssl_printf(ssl, "dnscrypt_nonce.cache.count"SQ"%u\n",
1086 (unsigned)s->svr.nonce_cache_count)) return 0;
1087 if(!ssl_printf(ssl, "num.query.dnscrypt.shared_secret.cachemiss"SQ"%lu\n",
1088 (unsigned long)s->svr.num_query_dnscrypt_secret_missed_cache)) return 0;
1089 if(!ssl_printf(ssl, "num.query.dnscrypt.replay"SQ"%lu\n",
1090 (unsigned long)s->svr.num_query_dnscrypt_replay)) return 0;
1091 #endif /* USE_DNSCRYPT */
1092 if(!ssl_printf(ssl, "num.query.authzone.up"SQ"%lu\n",
1093 (unsigned long)s->svr.num_query_authzone_up)) return 0;
1094 if(!ssl_printf(ssl, "num.query.authzone.down"SQ"%lu\n",
1095 (unsigned long)s->svr.num_query_authzone_down)) return 0;
1096 #ifdef CLIENT_SUBNET
1097 if(!ssl_printf(ssl, "num.query.subnet"SQ"%lu\n",
1098 (unsigned long)s->svr.num_query_subnet)) return 0;
1099 if(!ssl_printf(ssl, "num.query.subnet_cache"SQ"%lu\n",
1100 (unsigned long)s->svr.num_query_subnet_cache)) return 0;
1101 #endif /* CLIENT_SUBNET */
1102 #ifdef USE_CACHEDB
1103 if(!ssl_printf(ssl, "num.query.cachedb"SQ"%lu\n",
1104 (unsigned long)s->svr.num_query_cachedb)) return 0;
1105 #endif /* USE_CACHEDB */
1106 return 1;
1107 }
1108
1109 /** do the stats command */
1110 static void
do_stats(RES * ssl,struct worker * worker,int reset)1111 do_stats(RES* ssl, struct worker* worker, int reset)
1112 {
1113 struct daemon* daemon = worker->daemon;
1114 struct ub_stats_info total;
1115 struct ub_stats_info s;
1116 int i;
1117 memset(&total, 0, sizeof(total));
1118 log_assert(daemon->num > 0);
1119 /* gather all thread statistics in one place */
1120 for(i=0; i<daemon->num; i++) {
1121 server_stats_obtain(worker, daemon->workers[i], &s, reset);
1122 if(!print_thread_stats(ssl, i, &s))
1123 return;
1124 if(i == 0)
1125 total = s;
1126 else server_stats_add(&total, &s);
1127 }
1128 /* print the thread statistics */
1129 total.mesh_time_median /= (double)daemon->num;
1130 if(!print_stats(ssl, "total", &total))
1131 return;
1132 if(!print_uptime(ssl, worker, reset))
1133 return;
1134 if(daemon->cfg->stat_extended) {
1135 if(!print_mem(ssl, worker, daemon, &total))
1136 return;
1137 if(!print_hist(ssl, &total))
1138 return;
1139 if(!print_ext(ssl, &total, daemon->cfg->stat_inhibit_zero))
1140 return;
1141 }
1142 }
1143
1144 /** parse commandline argument domain name */
1145 static int
parse_arg_name(RES * ssl,char * str,uint8_t ** res,size_t * len,int * labs)1146 parse_arg_name(RES* ssl, char* str, uint8_t** res, size_t* len, int* labs)
1147 {
1148 uint8_t nm[LDNS_MAX_DOMAINLEN+1];
1149 size_t nmlen = sizeof(nm);
1150 int status;
1151 *res = NULL;
1152 *len = 0;
1153 *labs = 0;
1154 if(str[0] == '\0') {
1155 ssl_printf(ssl, "error: this option requires a domain name\n");
1156 return 0;
1157 }
1158 status = sldns_str2wire_dname_buf(str, nm, &nmlen);
1159 if(status != 0) {
1160 ssl_printf(ssl, "error cannot parse name %s at %d: %s\n", str,
1161 LDNS_WIREPARSE_OFFSET(status),
1162 sldns_get_errorstr_parse(status));
1163 return 0;
1164 }
1165 *res = memdup(nm, nmlen);
1166 if(!*res) {
1167 ssl_printf(ssl, "error out of memory\n");
1168 return 0;
1169 }
1170 *labs = dname_count_size_labels(*res, len);
1171 return 1;
1172 }
1173
1174 /** find second argument, modifies string */
1175 static int
find_arg2(RES * ssl,char * arg,char ** arg2)1176 find_arg2(RES* ssl, char* arg, char** arg2)
1177 {
1178 char* as = strchr(arg, ' ');
1179 char* at = strchr(arg, '\t');
1180 if(as && at) {
1181 if(at < as)
1182 as = at;
1183 as[0]=0;
1184 *arg2 = skipwhite(as+1);
1185 } else if(as) {
1186 as[0]=0;
1187 *arg2 = skipwhite(as+1);
1188 } else if(at) {
1189 at[0]=0;
1190 *arg2 = skipwhite(at+1);
1191 } else {
1192 ssl_printf(ssl, "error could not find next argument "
1193 "after %s\n", arg);
1194 return 0;
1195 }
1196 return 1;
1197 }
1198
1199 /** Add a new zone */
1200 static int
perform_zone_add(RES * ssl,struct local_zones * zones,char * arg)1201 perform_zone_add(RES* ssl, struct local_zones* zones, char* arg)
1202 {
1203 uint8_t* nm;
1204 int nmlabs;
1205 size_t nmlen;
1206 char* arg2;
1207 enum localzone_type t;
1208 struct local_zone* z;
1209 if(!find_arg2(ssl, arg, &arg2))
1210 return 0;
1211 if(!parse_arg_name(ssl, arg, &nm, &nmlen, &nmlabs))
1212 return 0;
1213 if(!local_zone_str2type(arg2, &t)) {
1214 ssl_printf(ssl, "error not a zone type. %s\n", arg2);
1215 free(nm);
1216 return 0;
1217 }
1218 lock_rw_wrlock(&zones->lock);
1219 if((z=local_zones_find(zones, nm, nmlen,
1220 nmlabs, LDNS_RR_CLASS_IN))) {
1221 /* already present in tree */
1222 lock_rw_wrlock(&z->lock);
1223 z->type = t; /* update type anyway */
1224 lock_rw_unlock(&z->lock);
1225 free(nm);
1226 lock_rw_unlock(&zones->lock);
1227 return 1;
1228 }
1229 if(!local_zones_add_zone(zones, nm, nmlen,
1230 nmlabs, LDNS_RR_CLASS_IN, t)) {
1231 lock_rw_unlock(&zones->lock);
1232 ssl_printf(ssl, "error out of memory\n");
1233 return 0;
1234 }
1235 lock_rw_unlock(&zones->lock);
1236 return 1;
1237 }
1238
1239 /** Do the local_zone command */
1240 static void
do_zone_add(RES * ssl,struct local_zones * zones,char * arg)1241 do_zone_add(RES* ssl, struct local_zones* zones, char* arg)
1242 {
1243 if(!perform_zone_add(ssl, zones, arg))
1244 return;
1245 send_ok(ssl);
1246 }
1247
1248 /** Do the local_zones command */
1249 static void
do_zones_add(struct daemon_remote * rc,RES * ssl,struct worker * worker)1250 do_zones_add(struct daemon_remote* rc, RES* ssl, struct worker* worker)
1251 {
1252 char buf[MAX_CMD_STRLINE + MAX_STDIN_STRLINE] = "local_zone ";
1253 int num = 0;
1254 size_t cmd_len = strlen(buf);
1255 while(ssl_read_line(ssl, buf+cmd_len, MAX_STDIN_STRLINE)) {
1256 if(buf[0+cmd_len] == 0 ||
1257 (buf[0+cmd_len] == 0x04 && buf[1+cmd_len] == 0))
1258 break; /* zero byte line or end of transmission */
1259 #ifdef THREADS_DISABLED
1260 /* distribute single item command */
1261 if(rc) distribute_cmd(rc, ssl, buf);
1262 #else
1263 (void)rc; /* unused */
1264 #endif
1265 if(!perform_zone_add(ssl, worker->daemon->local_zones,
1266 buf+cmd_len)) {
1267 if(!ssl_printf(ssl, "error for input line: %s\n",
1268 buf+cmd_len))
1269 return;
1270 }
1271 else num++;
1272 }
1273 (void)ssl_printf(ssl, "added %d zones\n", num);
1274 }
1275
1276 /** Remove a zone */
1277 static int
perform_zone_remove(RES * ssl,struct local_zones * zones,char * arg)1278 perform_zone_remove(RES* ssl, struct local_zones* zones, char* arg)
1279 {
1280 uint8_t* nm;
1281 int nmlabs;
1282 size_t nmlen;
1283 struct local_zone* z;
1284 if(!parse_arg_name(ssl, arg, &nm, &nmlen, &nmlabs))
1285 return 0;
1286 lock_rw_wrlock(&zones->lock);
1287 if((z=local_zones_find(zones, nm, nmlen,
1288 nmlabs, LDNS_RR_CLASS_IN))) {
1289 /* present in tree */
1290 local_zones_del_zone(zones, z);
1291 }
1292 lock_rw_unlock(&zones->lock);
1293 free(nm);
1294 return 1;
1295 }
1296
1297 /** Do the local_zone_remove command */
1298 static void
do_zone_remove(RES * ssl,struct local_zones * zones,char * arg)1299 do_zone_remove(RES* ssl, struct local_zones* zones, char* arg)
1300 {
1301 if(!perform_zone_remove(ssl, zones, arg))
1302 return;
1303 send_ok(ssl);
1304 }
1305
1306 /** Do the local_zones_remove command */
1307 static void
do_zones_remove(struct daemon_remote * rc,RES * ssl,struct worker * worker)1308 do_zones_remove(struct daemon_remote* rc, RES* ssl, struct worker* worker)
1309 {
1310 char buf[MAX_CMD_STRLINE + MAX_STDIN_STRLINE] = "local_zone_remove ";
1311 int num = 0;
1312 size_t cmd_len = strlen(buf);
1313 while(ssl_read_line(ssl, buf+cmd_len, MAX_STDIN_STRLINE)) {
1314 if(buf[0+cmd_len] == 0 ||
1315 (buf[0+cmd_len] == 0x04 && buf[1+cmd_len] == 0))
1316 break; /* zero byte line or end of transmission */
1317 #ifdef THREADS_DISABLED
1318 /* distribute single item command */
1319 if(rc) distribute_cmd(rc, ssl, buf);
1320 #else
1321 (void)rc; /* unused */
1322 #endif
1323 if(!perform_zone_remove(ssl, worker->daemon->local_zones,
1324 buf+cmd_len)) {
1325 if(!ssl_printf(ssl, "error for input line: %s\n",
1326 buf+cmd_len))
1327 return;
1328 }
1329 else num++;
1330 }
1331 (void)ssl_printf(ssl, "removed %d zones\n", num);
1332 }
1333
1334 /** check syntax of newly added RR */
1335 static int
check_RR_syntax(RES * ssl,char * str,int line)1336 check_RR_syntax(RES* ssl, char* str, int line)
1337 {
1338 uint8_t rr[LDNS_RR_BUF_SIZE];
1339 size_t len = sizeof(rr), dname_len = 0;
1340 int s = sldns_str2wire_rr_buf(str, rr, &len, &dname_len, 3600,
1341 NULL, 0, NULL, 0);
1342 if(s != 0) {
1343 char linestr[32];
1344 if(line == 0)
1345 linestr[0]=0;
1346 else snprintf(linestr, sizeof(linestr), "line %d ", line);
1347 if(!ssl_printf(ssl, "error parsing local-data at %sposition %d '%s': %s\n",
1348 linestr, LDNS_WIREPARSE_OFFSET(s), str,
1349 sldns_get_errorstr_parse(s)))
1350 return 0;
1351 return 0;
1352 }
1353 return 1;
1354 }
1355
1356 /** Add new RR data */
1357 static int
perform_data_add(RES * ssl,struct local_zones * zones,char * arg,int line)1358 perform_data_add(RES* ssl, struct local_zones* zones, char* arg, int line)
1359 {
1360 if(!check_RR_syntax(ssl, arg, line)) {
1361 return 0;
1362 }
1363 if(!local_zones_add_RR(zones, arg)) {
1364 ssl_printf(ssl,"error in syntax or out of memory, %s\n", arg);
1365 return 0;
1366 }
1367 return 1;
1368 }
1369
1370 /** Do the local_data command */
1371 static void
do_data_add(RES * ssl,struct local_zones * zones,char * arg)1372 do_data_add(RES* ssl, struct local_zones* zones, char* arg)
1373 {
1374 if(!perform_data_add(ssl, zones, arg, 0))
1375 return;
1376 send_ok(ssl);
1377 }
1378
1379 /** Do the local_datas command */
1380 static void
do_datas_add(struct daemon_remote * rc,RES * ssl,struct worker * worker)1381 do_datas_add(struct daemon_remote* rc, RES* ssl, struct worker* worker)
1382 {
1383 char buf[MAX_CMD_STRLINE + MAX_STDIN_STRLINE] = "local_data ";
1384 int num = 0, line = 0;
1385 size_t cmd_len = strlen(buf);
1386 while(ssl_read_line(ssl, buf+cmd_len, MAX_STDIN_STRLINE)) {
1387 if(buf[0+cmd_len] == 0 ||
1388 (buf[0+cmd_len] == 0x04 && buf[1+cmd_len] == 0))
1389 break; /* zero byte line or end of transmission */
1390 #ifdef THREADS_DISABLED
1391 /* distribute single item command */
1392 if(rc) distribute_cmd(rc, ssl, buf);
1393 #else
1394 (void)rc; /* unused */
1395 #endif
1396 line++;
1397 if(perform_data_add(ssl, worker->daemon->local_zones,
1398 buf+cmd_len, line))
1399 num++;
1400 }
1401 (void)ssl_printf(ssl, "added %d datas\n", num);
1402 }
1403
1404 /** Remove RR data */
1405 static int
perform_data_remove(RES * ssl,struct local_zones * zones,char * arg)1406 perform_data_remove(RES* ssl, struct local_zones* zones, char* arg)
1407 {
1408 uint8_t* nm;
1409 int nmlabs;
1410 size_t nmlen;
1411 if(!parse_arg_name(ssl, arg, &nm, &nmlen, &nmlabs))
1412 return 0;
1413 local_zones_del_data(zones, nm,
1414 nmlen, nmlabs, LDNS_RR_CLASS_IN);
1415 free(nm);
1416 return 1;
1417 }
1418
1419 /** Do the local_data_remove command */
1420 static void
do_data_remove(RES * ssl,struct local_zones * zones,char * arg)1421 do_data_remove(RES* ssl, struct local_zones* zones, char* arg)
1422 {
1423 if(!perform_data_remove(ssl, zones, arg))
1424 return;
1425 send_ok(ssl);
1426 }
1427
1428 /** Do the local_datas_remove command */
1429 static void
do_datas_remove(struct daemon_remote * rc,RES * ssl,struct worker * worker)1430 do_datas_remove(struct daemon_remote* rc, RES* ssl, struct worker* worker)
1431 {
1432 char buf[MAX_CMD_STRLINE + MAX_STDIN_STRLINE] = "local_data_remove ";
1433 int num = 0;
1434 size_t cmd_len = strlen(buf);
1435 while(ssl_read_line(ssl, buf+cmd_len, MAX_STDIN_STRLINE)) {
1436 if(buf[0+cmd_len] == 0 ||
1437 (buf[0+cmd_len] == 0x04 && buf[1+cmd_len] == 0))
1438 break; /* zero byte line or end of transmission */
1439 #ifdef THREADS_DISABLED
1440 /* distribute single item command */
1441 if(rc) distribute_cmd(rc, ssl, buf);
1442 #else
1443 (void)rc; /* unused */
1444 #endif
1445 if(!perform_data_remove(ssl, worker->daemon->local_zones,
1446 buf+cmd_len)) {
1447 if(!ssl_printf(ssl, "error for input line: %s\n",
1448 buf+cmd_len))
1449 return;
1450 }
1451 else num++;
1452 }
1453 (void)ssl_printf(ssl, "removed %d datas\n", num);
1454 }
1455
1456 /** Add a new zone to view */
1457 static void
do_view_zone_add(RES * ssl,struct worker * worker,char * arg)1458 do_view_zone_add(RES* ssl, struct worker* worker, char* arg)
1459 {
1460 char* arg2;
1461 struct view* v;
1462 if(!find_arg2(ssl, arg, &arg2))
1463 return;
1464 v = views_find_view(worker->daemon->views,
1465 arg, 1 /* get write lock*/);
1466 if(!v) {
1467 ssl_printf(ssl,"no view with name: %s\n", arg);
1468 return;
1469 }
1470 if(!v->local_zones) {
1471 if(!(v->local_zones = local_zones_create())){
1472 lock_rw_unlock(&v->lock);
1473 ssl_printf(ssl,"error out of memory\n");
1474 return;
1475 }
1476 if(!v->isfirst) {
1477 /* Global local-zone is not used for this view,
1478 * therefore add defaults to this view-specic
1479 * local-zone. */
1480 struct config_file lz_cfg;
1481 memset(&lz_cfg, 0, sizeof(lz_cfg));
1482 local_zone_enter_defaults(v->local_zones, &lz_cfg);
1483 }
1484 }
1485 do_zone_add(ssl, v->local_zones, arg2);
1486 lock_rw_unlock(&v->lock);
1487 }
1488
1489 /** Remove a zone from view */
1490 static void
do_view_zone_remove(RES * ssl,struct worker * worker,char * arg)1491 do_view_zone_remove(RES* ssl, struct worker* worker, char* arg)
1492 {
1493 char* arg2;
1494 struct view* v;
1495 if(!find_arg2(ssl, arg, &arg2))
1496 return;
1497 v = views_find_view(worker->daemon->views,
1498 arg, 1 /* get write lock*/);
1499 if(!v) {
1500 ssl_printf(ssl,"no view with name: %s\n", arg);
1501 return;
1502 }
1503 if(!v->local_zones) {
1504 lock_rw_unlock(&v->lock);
1505 send_ok(ssl);
1506 return;
1507 }
1508 do_zone_remove(ssl, v->local_zones, arg2);
1509 lock_rw_unlock(&v->lock);
1510 }
1511
1512 /** Add new RR data to view */
1513 static void
do_view_data_add(RES * ssl,struct worker * worker,char * arg)1514 do_view_data_add(RES* ssl, struct worker* worker, char* arg)
1515 {
1516 char* arg2;
1517 struct view* v;
1518 if(!find_arg2(ssl, arg, &arg2))
1519 return;
1520 v = views_find_view(worker->daemon->views,
1521 arg, 1 /* get write lock*/);
1522 if(!v) {
1523 ssl_printf(ssl,"no view with name: %s\n", arg);
1524 return;
1525 }
1526 if(!v->local_zones) {
1527 if(!(v->local_zones = local_zones_create())){
1528 lock_rw_unlock(&v->lock);
1529 ssl_printf(ssl,"error out of memory\n");
1530 return;
1531 }
1532 }
1533 do_data_add(ssl, v->local_zones, arg2);
1534 lock_rw_unlock(&v->lock);
1535 }
1536
1537 /** Add new RR data from stdin to view */
1538 static void
do_view_datas_add(struct daemon_remote * rc,RES * ssl,struct worker * worker,char * arg)1539 do_view_datas_add(struct daemon_remote* rc, RES* ssl, struct worker* worker,
1540 char* arg)
1541 {
1542 struct view* v;
1543 char buf[MAX_CMD_STRLINE + MAX_STDIN_STRLINE] = "view_local_data ";
1544 size_t cmd_len;
1545 int num = 0, line = 0;
1546 v = views_find_view(worker->daemon->views,
1547 arg, 1 /* get write lock*/);
1548 if(!v) {
1549 ssl_printf(ssl,"no view with name: %s\n", arg);
1550 return;
1551 }
1552 if(!v->local_zones) {
1553 if(!(v->local_zones = local_zones_create())){
1554 lock_rw_unlock(&v->lock);
1555 ssl_printf(ssl,"error out of memory\n");
1556 return;
1557 }
1558 }
1559 /* put the view name in the command buf */
1560 (void)snprintf(buf+strlen(buf), sizeof(buf)-strlen(buf), "%s ", arg);
1561 cmd_len = strlen(buf);
1562 while(ssl_read_line(ssl, buf+cmd_len, MAX_STDIN_STRLINE)) {
1563 if(buf[0+cmd_len] == 0 ||
1564 (buf[0+cmd_len] == 0x04 && buf[1+cmd_len] == 0))
1565 break; /* zero byte line or end of transmission */
1566 #ifdef THREADS_DISABLED
1567 /* distribute single item command */
1568 if(rc) distribute_cmd(rc, ssl, buf);
1569 #else
1570 (void)rc; /* unused */
1571 #endif
1572 line++;
1573 if(perform_data_add(ssl, v->local_zones, buf+cmd_len, line))
1574 num++;
1575 }
1576 lock_rw_unlock(&v->lock);
1577 (void)ssl_printf(ssl, "added %d datas\n", num);
1578 }
1579
1580 /** Remove RR data from view */
1581 static void
do_view_data_remove(RES * ssl,struct worker * worker,char * arg)1582 do_view_data_remove(RES* ssl, struct worker* worker, char* arg)
1583 {
1584 char* arg2;
1585 struct view* v;
1586 if(!find_arg2(ssl, arg, &arg2))
1587 return;
1588 v = views_find_view(worker->daemon->views,
1589 arg, 1 /* get write lock*/);
1590 if(!v) {
1591 ssl_printf(ssl,"no view with name: %s\n", arg);
1592 return;
1593 }
1594 if(!v->local_zones) {
1595 lock_rw_unlock(&v->lock);
1596 send_ok(ssl);
1597 return;
1598 }
1599 do_data_remove(ssl, v->local_zones, arg2);
1600 lock_rw_unlock(&v->lock);
1601 }
1602
1603 /** Remove RR data from stdin from view */
1604 static void
do_view_datas_remove(struct daemon_remote * rc,RES * ssl,struct worker * worker,char * arg)1605 do_view_datas_remove(struct daemon_remote* rc, RES* ssl, struct worker* worker,
1606 char* arg)
1607 {
1608 struct view* v;
1609 char buf[MAX_CMD_STRLINE + MAX_STDIN_STRLINE] = "view_local_data_remove ";
1610 int num = 0;
1611 size_t cmd_len;
1612 v = views_find_view(worker->daemon->views,
1613 arg, 1 /* get write lock*/);
1614 if(!v) {
1615 ssl_printf(ssl,"no view with name: %s\n", arg);
1616 return;
1617 }
1618 if(!v->local_zones){
1619 lock_rw_unlock(&v->lock);
1620 ssl_printf(ssl, "removed 0 datas\n");
1621 return;
1622 }
1623 /* put the view name in the command buf */
1624 (void)snprintf(buf+strlen(buf), sizeof(buf)-strlen(buf), "%s ", arg);
1625 cmd_len = strlen(buf);
1626 while(ssl_read_line(ssl, buf+cmd_len, MAX_STDIN_STRLINE)) {
1627 if(buf[0+cmd_len] == 0 ||
1628 (buf[0+cmd_len] == 0x04 && buf[1+cmd_len] == 0))
1629 break; /* zero byte line or end of transmission */
1630 #ifdef THREADS_DISABLED
1631 /* distribute single item command */
1632 if(rc) distribute_cmd(rc, ssl, buf);
1633 #else
1634 (void)rc; /* unused */
1635 #endif
1636 if(!perform_data_remove(ssl, v->local_zones, buf+cmd_len)) {
1637 if(!ssl_printf(ssl, "error for input line: %s\n",
1638 buf+cmd_len))
1639 return;
1640 }
1641 else num++;
1642 }
1643 lock_rw_unlock(&v->lock);
1644 (void)ssl_printf(ssl, "removed %d datas\n", num);
1645 }
1646
1647 /** cache lookup of nameservers */
1648 static void
do_lookup(RES * ssl,struct worker * worker,char * arg)1649 do_lookup(RES* ssl, struct worker* worker, char* arg)
1650 {
1651 uint8_t* nm;
1652 int nmlabs;
1653 size_t nmlen;
1654 if(!parse_arg_name(ssl, arg, &nm, &nmlen, &nmlabs))
1655 return;
1656 (void)print_deleg_lookup(ssl, worker, nm, nmlen, nmlabs);
1657 free(nm);
1658 }
1659
1660 /** flush something from rrset and msg caches */
1661 static void
do_cache_remove(struct worker * worker,uint8_t * nm,size_t nmlen,uint16_t t,uint16_t c,int remcachedb)1662 do_cache_remove(struct worker* worker, uint8_t* nm, size_t nmlen,
1663 uint16_t t, uint16_t c, int remcachedb)
1664 {
1665 hashvalue_type h;
1666 struct query_info k;
1667 rrset_cache_remove(worker->env.rrset_cache, nm, nmlen, t, c, 0);
1668 if(t == LDNS_RR_TYPE_SOA)
1669 rrset_cache_remove(worker->env.rrset_cache, nm, nmlen, t, c,
1670 PACKED_RRSET_SOA_NEG);
1671 k.qname = nm;
1672 k.qname_len = nmlen;
1673 k.qtype = t;
1674 k.qclass = c;
1675 k.local_alias = NULL;
1676 h = query_info_hash(&k, 0);
1677 slabhash_remove(worker->env.msg_cache, h, &k);
1678 if(t == LDNS_RR_TYPE_AAAA) {
1679 /* for AAAA also flush dns64 bit_cd packet */
1680 h = query_info_hash(&k, BIT_CD);
1681 slabhash_remove(worker->env.msg_cache, h, &k);
1682 }
1683 #ifdef USE_CACHEDB
1684 if(remcachedb && worker->env.cachedb_enabled)
1685 cachedb_msg_remove_qinfo(&worker->env, &k);
1686 #else
1687 (void)remcachedb;
1688 #endif
1689 }
1690
1691 /** parse '+c' option, modifies string to return remainder. */
1692 static int
parse_remcachedb(RES * ssl,char ** arg,int * pc)1693 parse_remcachedb(RES* ssl, char** arg, int* pc)
1694 {
1695 *arg = skipwhite(*arg);
1696 if((*arg)[0] == '+' && (*arg)[1] == 'c') {
1697 char* arg2;
1698 *pc = 1;
1699 if(!find_arg2(ssl, *arg, &arg2))
1700 return 0;
1701 *arg = arg2;
1702 return 1;
1703 }
1704 /* The option was not found, no problem */
1705 return 1;
1706 }
1707
1708 /** flush a type */
1709 static void
do_flush_type(RES * ssl,struct worker * worker,char * arg)1710 do_flush_type(RES* ssl, struct worker* worker, char* arg)
1711 {
1712 uint8_t* nm;
1713 int nmlabs;
1714 size_t nmlen;
1715 char* arg2;
1716 uint16_t t;
1717 int pc = 0; /* '+c' option */
1718 if(!parse_remcachedb(ssl, &arg, &pc))
1719 return;
1720 if(!find_arg2(ssl, arg, &arg2))
1721 return;
1722 if(!parse_arg_name(ssl, arg, &nm, &nmlen, &nmlabs))
1723 return;
1724 t = sldns_get_rr_type_by_name(arg2);
1725 if(t == 0 && strcmp(arg2, "TYPE0") != 0) {
1726 (void)ssl_printf(ssl, "error parsing RRset type: '%s'\n", arg2);
1727 free(nm);
1728 return;
1729 }
1730 do_cache_remove(worker, nm, nmlen, t, LDNS_RR_CLASS_IN, pc);
1731
1732 free(nm);
1733 send_ok(ssl);
1734 }
1735
1736 /** flush statistics */
1737 static void
do_flush_stats(RES * ssl,struct worker * worker)1738 do_flush_stats(RES* ssl, struct worker* worker)
1739 {
1740 worker_stats_clear(worker);
1741 send_ok(ssl);
1742 }
1743
1744 /**
1745 * Local info for deletion functions
1746 */
1747 struct del_info {
1748 /** worker */
1749 struct worker* worker;
1750 /** name to delete */
1751 uint8_t* name;
1752 /** length */
1753 size_t len;
1754 /** labels */
1755 int labs;
1756 /** time to invalidate to */
1757 time_t expired;
1758 /** number of rrsets removed */
1759 size_t num_rrsets;
1760 /** number of msgs removed */
1761 size_t num_msgs;
1762 /** number of key entries removed */
1763 size_t num_keys;
1764 /** length of addr */
1765 socklen_t addrlen;
1766 /** socket address for host deletion */
1767 struct sockaddr_storage addr;
1768 /** if cachedb information should be flushed too */
1769 int remcachedb;
1770 };
1771
1772 /** callback to delete hosts in infra cache */
1773 static void
infra_del_host(struct lruhash_entry * e,void * arg)1774 infra_del_host(struct lruhash_entry* e, void* arg)
1775 {
1776 /* entry is locked */
1777 struct del_info* inf = (struct del_info*)arg;
1778 struct infra_key* k = (struct infra_key*)e->key;
1779 if(sockaddr_cmp(&inf->addr, inf->addrlen, &k->addr, k->addrlen) == 0) {
1780 struct infra_data* d = (struct infra_data*)e->data;
1781 d->probedelay = 0;
1782 d->timeout_A = 0;
1783 d->timeout_AAAA = 0;
1784 d->timeout_other = 0;
1785 rtt_init(&d->rtt);
1786 if(d->ttl > inf->expired) {
1787 d->ttl = inf->expired;
1788 inf->num_keys++;
1789 }
1790 }
1791 }
1792
1793 /** flush infra cache */
1794 static void
do_flush_infra(RES * ssl,struct worker * worker,char * arg)1795 do_flush_infra(RES* ssl, struct worker* worker, char* arg)
1796 {
1797 struct sockaddr_storage addr;
1798 socklen_t len;
1799 struct del_info inf;
1800 if(strcmp(arg, "all") == 0) {
1801 slabhash_clear(worker->env.infra_cache->hosts);
1802 send_ok(ssl);
1803 return;
1804 }
1805 if(!ipstrtoaddr(arg, UNBOUND_DNS_PORT, &addr, &len)) {
1806 (void)ssl_printf(ssl, "error parsing ip addr: '%s'\n", arg);
1807 return;
1808 }
1809 /* delete all entries from cache */
1810 /* what we do is to set them all expired */
1811 inf.worker = worker;
1812 inf.name = 0;
1813 inf.len = 0;
1814 inf.labs = 0;
1815 inf.expired = *worker->env.now;
1816 inf.expired -= 3; /* handle 3 seconds skew between threads */
1817 inf.num_rrsets = 0;
1818 inf.num_msgs = 0;
1819 inf.num_keys = 0;
1820 inf.addrlen = len;
1821 inf.remcachedb = 0;
1822 memmove(&inf.addr, &addr, len);
1823 slabhash_traverse(worker->env.infra_cache->hosts, 1, &infra_del_host,
1824 &inf);
1825 send_ok(ssl);
1826 }
1827
1828 /** flush requestlist */
1829 static void
do_flush_requestlist(RES * ssl,struct worker * worker)1830 do_flush_requestlist(RES* ssl, struct worker* worker)
1831 {
1832 mesh_delete_all(worker->env.mesh);
1833 send_ok(ssl);
1834 }
1835
1836 /** callback to delete rrsets in a zone */
1837 static void
zone_del_rrset(struct lruhash_entry * e,void * arg)1838 zone_del_rrset(struct lruhash_entry* e, void* arg)
1839 {
1840 /* entry is locked */
1841 struct del_info* inf = (struct del_info*)arg;
1842 struct ub_packed_rrset_key* k = (struct ub_packed_rrset_key*)e->key;
1843 if(dname_subdomain_c(k->rk.dname, inf->name)) {
1844 struct packed_rrset_data* d =
1845 (struct packed_rrset_data*)e->data;
1846 if(d->ttl > inf->expired) {
1847 d->ttl = inf->expired;
1848 inf->num_rrsets++;
1849 }
1850 }
1851 }
1852
1853 /** callback to delete messages in a zone */
1854 static void
zone_del_msg(struct lruhash_entry * e,void * arg)1855 zone_del_msg(struct lruhash_entry* e, void* arg)
1856 {
1857 /* entry is locked */
1858 struct del_info* inf = (struct del_info*)arg;
1859 struct msgreply_entry* k = (struct msgreply_entry*)e->key;
1860 if(dname_subdomain_c(k->key.qname, inf->name)) {
1861 struct reply_info* d = (struct reply_info*)e->data;
1862 if(d->ttl > inf->expired) {
1863 d->ttl = inf->expired;
1864 d->prefetch_ttl = inf->expired;
1865 d->serve_expired_ttl = inf->expired;
1866 inf->num_msgs++;
1867 }
1868 #ifdef USE_CACHEDB
1869 if(inf->remcachedb && inf->worker->env.cachedb_enabled)
1870 cachedb_msg_remove_qinfo(&inf->worker->env, &k->key);
1871 #endif
1872 }
1873 }
1874
1875 /** callback to delete keys in zone */
1876 static void
zone_del_kcache(struct lruhash_entry * e,void * arg)1877 zone_del_kcache(struct lruhash_entry* e, void* arg)
1878 {
1879 /* entry is locked */
1880 struct del_info* inf = (struct del_info*)arg;
1881 struct key_entry_key* k = (struct key_entry_key*)e->key;
1882 if(dname_subdomain_c(k->name, inf->name)) {
1883 struct key_entry_data* d = (struct key_entry_data*)e->data;
1884 if(d->ttl > inf->expired) {
1885 d->ttl = inf->expired;
1886 inf->num_keys++;
1887 }
1888 }
1889 }
1890
1891 /** remove all rrsets and keys from zone from cache */
1892 static void
do_flush_zone(RES * ssl,struct worker * worker,char * arg)1893 do_flush_zone(RES* ssl, struct worker* worker, char* arg)
1894 {
1895 uint8_t* nm;
1896 int nmlabs;
1897 size_t nmlen;
1898 struct del_info inf;
1899 int pc = 0; /* '+c' option */
1900 if(!parse_remcachedb(ssl, &arg, &pc))
1901 return;
1902 if(!parse_arg_name(ssl, arg, &nm, &nmlen, &nmlabs))
1903 return;
1904 /* delete all RRs and key entries from zone */
1905 /* what we do is to set them all expired */
1906 inf.worker = worker;
1907 inf.name = nm;
1908 inf.len = nmlen;
1909 inf.labs = nmlabs;
1910 inf.expired = *worker->env.now;
1911 inf.expired -= 3; /* handle 3 seconds skew between threads */
1912 inf.num_rrsets = 0;
1913 inf.num_msgs = 0;
1914 inf.num_keys = 0;
1915 inf.remcachedb = pc;
1916 slabhash_traverse(&worker->env.rrset_cache->table, 1,
1917 &zone_del_rrset, &inf);
1918
1919 slabhash_traverse(worker->env.msg_cache, 1, &zone_del_msg, &inf);
1920
1921 /* and validator cache */
1922 if(worker->env.key_cache) {
1923 slabhash_traverse(worker->env.key_cache->slab, 1,
1924 &zone_del_kcache, &inf);
1925 }
1926
1927 free(nm);
1928
1929 (void)ssl_printf(ssl, "ok removed %lu rrsets, %lu messages "
1930 "and %lu key entries\n", (unsigned long)inf.num_rrsets,
1931 (unsigned long)inf.num_msgs, (unsigned long)inf.num_keys);
1932 }
1933
1934 /** callback to delete bogus rrsets */
1935 static void
bogus_del_rrset(struct lruhash_entry * e,void * arg)1936 bogus_del_rrset(struct lruhash_entry* e, void* arg)
1937 {
1938 /* entry is locked */
1939 struct del_info* inf = (struct del_info*)arg;
1940 struct packed_rrset_data* d = (struct packed_rrset_data*)e->data;
1941 if(d->security == sec_status_bogus) {
1942 d->ttl = inf->expired;
1943 inf->num_rrsets++;
1944 }
1945 }
1946
1947 /** callback to delete bogus messages */
1948 static void
bogus_del_msg(struct lruhash_entry * e,void * arg)1949 bogus_del_msg(struct lruhash_entry* e, void* arg)
1950 {
1951 /* entry is locked */
1952 struct del_info* inf = (struct del_info*)arg;
1953 struct reply_info* d = (struct reply_info*)e->data;
1954 if(d->security == sec_status_bogus) {
1955 d->ttl = inf->expired;
1956 inf->num_msgs++;
1957 #ifdef USE_CACHEDB
1958 if(inf->remcachedb && inf->worker->env.cachedb_enabled)
1959 cachedb_msg_remove_qinfo(&inf->worker->env,
1960 &((struct msgreply_entry*)e->key)->key);
1961 #endif
1962 }
1963 }
1964
1965 /** callback to delete bogus keys */
1966 static void
bogus_del_kcache(struct lruhash_entry * e,void * arg)1967 bogus_del_kcache(struct lruhash_entry* e, void* arg)
1968 {
1969 /* entry is locked */
1970 struct del_info* inf = (struct del_info*)arg;
1971 struct key_entry_data* d = (struct key_entry_data*)e->data;
1972 if(d->isbad) {
1973 d->ttl = inf->expired;
1974 inf->num_keys++;
1975 }
1976 }
1977
1978 /** remove all bogus rrsets, msgs and keys from cache */
1979 static void
do_flush_bogus(RES * ssl,struct worker * worker,char * arg)1980 do_flush_bogus(RES* ssl, struct worker* worker, char* arg)
1981 {
1982 struct del_info inf;
1983 int pc = 0; /* '+c' option */
1984 if(!parse_remcachedb(ssl, &arg, &pc))
1985 return;
1986 /* what we do is to set them all expired */
1987 inf.worker = worker;
1988 inf.expired = *worker->env.now;
1989 inf.expired -= 3; /* handle 3 seconds skew between threads */
1990 inf.num_rrsets = 0;
1991 inf.num_msgs = 0;
1992 inf.num_keys = 0;
1993 inf.remcachedb = pc;
1994 slabhash_traverse(&worker->env.rrset_cache->table, 1,
1995 &bogus_del_rrset, &inf);
1996
1997 slabhash_traverse(worker->env.msg_cache, 1, &bogus_del_msg, &inf);
1998
1999 /* and validator cache */
2000 if(worker->env.key_cache) {
2001 slabhash_traverse(worker->env.key_cache->slab, 1,
2002 &bogus_del_kcache, &inf);
2003 }
2004
2005 (void)ssl_printf(ssl, "ok removed %lu rrsets, %lu messages "
2006 "and %lu key entries\n", (unsigned long)inf.num_rrsets,
2007 (unsigned long)inf.num_msgs, (unsigned long)inf.num_keys);
2008 }
2009
2010 /** callback to delete negative and servfail rrsets */
2011 static void
negative_del_rrset(struct lruhash_entry * e,void * arg)2012 negative_del_rrset(struct lruhash_entry* e, void* arg)
2013 {
2014 /* entry is locked */
2015 struct del_info* inf = (struct del_info*)arg;
2016 struct ub_packed_rrset_key* k = (struct ub_packed_rrset_key*)e->key;
2017 struct packed_rrset_data* d = (struct packed_rrset_data*)e->data;
2018 /* delete the parentside negative cache rrsets,
2019 * these are nameserver rrsets that failed lookup, rdata empty */
2020 if((k->rk.flags & PACKED_RRSET_PARENT_SIDE) && d->count == 1 &&
2021 d->rrsig_count == 0 && d->rr_len[0] == 0) {
2022 d->ttl = inf->expired;
2023 inf->num_rrsets++;
2024 }
2025 }
2026
2027 /** callback to delete negative and servfail messages */
2028 static void
negative_del_msg(struct lruhash_entry * e,void * arg)2029 negative_del_msg(struct lruhash_entry* e, void* arg)
2030 {
2031 /* entry is locked */
2032 struct del_info* inf = (struct del_info*)arg;
2033 struct reply_info* d = (struct reply_info*)e->data;
2034 /* rcode not NOERROR: NXDOMAIN, SERVFAIL, ..: an nxdomain or error
2035 * or NOERROR rcode with ANCOUNT==0: a NODATA answer */
2036 if(FLAGS_GET_RCODE(d->flags) != 0 || d->an_numrrsets == 0) {
2037 d->ttl = inf->expired;
2038 inf->num_msgs++;
2039 #ifdef USE_CACHEDB
2040 if(inf->remcachedb && inf->worker->env.cachedb_enabled)
2041 cachedb_msg_remove_qinfo(&inf->worker->env,
2042 &((struct msgreply_entry*)e->key)->key);
2043 #endif
2044 }
2045 }
2046
2047 /** callback to delete negative key entries */
2048 static void
negative_del_kcache(struct lruhash_entry * e,void * arg)2049 negative_del_kcache(struct lruhash_entry* e, void* arg)
2050 {
2051 /* entry is locked */
2052 struct del_info* inf = (struct del_info*)arg;
2053 struct key_entry_data* d = (struct key_entry_data*)e->data;
2054 /* could be bad because of lookup failure on the DS, DNSKEY, which
2055 * was nxdomain or servfail, and thus a result of negative lookups */
2056 if(d->isbad) {
2057 d->ttl = inf->expired;
2058 inf->num_keys++;
2059 }
2060 }
2061
2062 /** remove all negative(NODATA,NXDOMAIN), and servfail messages from cache */
2063 static void
do_flush_negative(RES * ssl,struct worker * worker,char * arg)2064 do_flush_negative(RES* ssl, struct worker* worker, char* arg)
2065 {
2066 struct del_info inf;
2067 int pc = 0; /* '+c' option */
2068 if(!parse_remcachedb(ssl, &arg, &pc))
2069 return;
2070 /* what we do is to set them all expired */
2071 inf.worker = worker;
2072 inf.expired = *worker->env.now;
2073 inf.expired -= 3; /* handle 3 seconds skew between threads */
2074 inf.num_rrsets = 0;
2075 inf.num_msgs = 0;
2076 inf.num_keys = 0;
2077 inf.remcachedb = pc;
2078 slabhash_traverse(&worker->env.rrset_cache->table, 1,
2079 &negative_del_rrset, &inf);
2080
2081 slabhash_traverse(worker->env.msg_cache, 1, &negative_del_msg, &inf);
2082
2083 /* and validator cache */
2084 if(worker->env.key_cache) {
2085 slabhash_traverse(worker->env.key_cache->slab, 1,
2086 &negative_del_kcache, &inf);
2087 }
2088
2089 (void)ssl_printf(ssl, "ok removed %lu rrsets, %lu messages "
2090 "and %lu key entries\n", (unsigned long)inf.num_rrsets,
2091 (unsigned long)inf.num_msgs, (unsigned long)inf.num_keys);
2092 }
2093
2094 /** remove name rrset from cache */
2095 static void
do_flush_name(RES * ssl,struct worker * w,char * arg)2096 do_flush_name(RES* ssl, struct worker* w, char* arg)
2097 {
2098 uint8_t* nm;
2099 int nmlabs;
2100 size_t nmlen;
2101 int pc = 0; /* '+c' option */
2102 if(!parse_remcachedb(ssl, &arg, &pc))
2103 return;
2104 if(!parse_arg_name(ssl, arg, &nm, &nmlen, &nmlabs))
2105 return;
2106 do_cache_remove(w, nm, nmlen, LDNS_RR_TYPE_A, LDNS_RR_CLASS_IN, pc);
2107 do_cache_remove(w, nm, nmlen, LDNS_RR_TYPE_AAAA, LDNS_RR_CLASS_IN, pc);
2108 do_cache_remove(w, nm, nmlen, LDNS_RR_TYPE_NS, LDNS_RR_CLASS_IN, pc);
2109 do_cache_remove(w, nm, nmlen, LDNS_RR_TYPE_SOA, LDNS_RR_CLASS_IN, pc);
2110 do_cache_remove(w, nm, nmlen, LDNS_RR_TYPE_CNAME, LDNS_RR_CLASS_IN, pc);
2111 do_cache_remove(w, nm, nmlen, LDNS_RR_TYPE_DNAME, LDNS_RR_CLASS_IN, pc);
2112 do_cache_remove(w, nm, nmlen, LDNS_RR_TYPE_MX, LDNS_RR_CLASS_IN, pc);
2113 do_cache_remove(w, nm, nmlen, LDNS_RR_TYPE_PTR, LDNS_RR_CLASS_IN, pc);
2114 do_cache_remove(w, nm, nmlen, LDNS_RR_TYPE_SRV, LDNS_RR_CLASS_IN, pc);
2115 do_cache_remove(w, nm, nmlen, LDNS_RR_TYPE_NAPTR, LDNS_RR_CLASS_IN, pc);
2116 do_cache_remove(w, nm, nmlen, LDNS_RR_TYPE_SVCB, LDNS_RR_CLASS_IN, pc);
2117 do_cache_remove(w, nm, nmlen, LDNS_RR_TYPE_HTTPS, LDNS_RR_CLASS_IN, pc);
2118
2119 free(nm);
2120 send_ok(ssl);
2121 }
2122
2123 /** printout a delegation point info */
2124 static int
ssl_print_name_dp(RES * ssl,const char * str,uint8_t * nm,uint16_t dclass,struct delegpt * dp)2125 ssl_print_name_dp(RES* ssl, const char* str, uint8_t* nm, uint16_t dclass,
2126 struct delegpt* dp)
2127 {
2128 char buf[257];
2129 struct delegpt_ns* ns;
2130 struct delegpt_addr* a;
2131 int f = 0;
2132 if(str) { /* print header for forward, stub */
2133 char* c = sldns_wire2str_class(dclass);
2134 dname_str(nm, buf);
2135 if(!ssl_printf(ssl, "%s %s %s ", buf, (c?c:"CLASS??"), str)) {
2136 free(c);
2137 return 0;
2138 }
2139 free(c);
2140 }
2141 for(ns = dp->nslist; ns; ns = ns->next) {
2142 dname_str(ns->name, buf);
2143 if(!ssl_printf(ssl, "%s%s", (f?" ":""), buf))
2144 return 0;
2145 f = 1;
2146 }
2147 for(a = dp->target_list; a; a = a->next_target) {
2148 addr_to_str(&a->addr, a->addrlen, buf, sizeof(buf));
2149 if(!ssl_printf(ssl, "%s%s", (f?" ":""), buf))
2150 return 0;
2151 f = 1;
2152 }
2153 return ssl_printf(ssl, "\n");
2154 }
2155
2156
2157 /** print root forwards */
2158 static int
print_root_fwds(RES * ssl,struct iter_forwards * fwds,uint8_t * root)2159 print_root_fwds(RES* ssl, struct iter_forwards* fwds, uint8_t* root)
2160 {
2161 struct delegpt* dp;
2162 int nolock = 0;
2163 dp = forwards_lookup(fwds, root, LDNS_RR_CLASS_IN, nolock);
2164 if(!dp) {
2165 return ssl_printf(ssl, "off (using root hints)\n");
2166 }
2167 /* if dp is returned it must be the root */
2168 log_assert(query_dname_compare(dp->name, root)==0);
2169 if(!ssl_print_name_dp(ssl, NULL, root, LDNS_RR_CLASS_IN, dp)) {
2170 lock_rw_unlock(&fwds->lock);
2171 return 0;
2172 }
2173 lock_rw_unlock(&fwds->lock);
2174 return 1;
2175 }
2176
2177 /** parse args into delegpt */
2178 static struct delegpt*
parse_delegpt(RES * ssl,char * args,uint8_t * nm)2179 parse_delegpt(RES* ssl, char* args, uint8_t* nm)
2180 {
2181 /* parse args and add in */
2182 char* p = args;
2183 char* todo;
2184 struct delegpt* dp = delegpt_create_mlc(nm);
2185 struct sockaddr_storage addr;
2186 socklen_t addrlen;
2187 char* auth_name;
2188 if(!dp) {
2189 (void)ssl_printf(ssl, "error out of memory\n");
2190 return NULL;
2191 }
2192 while(p) {
2193 todo = p;
2194 p = strchr(p, ' '); /* find next spot, if any */
2195 if(p) {
2196 *p++ = 0; /* end this spot */
2197 p = skipwhite(p); /* position at next spot */
2198 }
2199 /* parse address */
2200 if(!authextstrtoaddr(todo, &addr, &addrlen, &auth_name)) {
2201 uint8_t* dname= NULL;
2202 int port;
2203 dname = authextstrtodname(todo, &port, &auth_name);
2204 if(!dname) {
2205 (void)ssl_printf(ssl, "error cannot parse"
2206 " '%s'\n", todo);
2207 delegpt_free_mlc(dp);
2208 return NULL;
2209 }
2210 #if ! defined(HAVE_SSL_SET1_HOST) && ! defined(HAVE_X509_VERIFY_PARAM_SET1_HOST)
2211 if(auth_name)
2212 log_err("no name verification functionality in "
2213 "ssl library, ignored name for %s", todo);
2214 #endif
2215 if(!delegpt_add_ns_mlc(dp, dname, 0, auth_name, port)) {
2216 (void)ssl_printf(ssl, "error out of memory\n");
2217 free(dname);
2218 delegpt_free_mlc(dp);
2219 return NULL;
2220 }
2221 } else {
2222 #if ! defined(HAVE_SSL_SET1_HOST) && ! defined(HAVE_X509_VERIFY_PARAM_SET1_HOST)
2223 if(auth_name)
2224 log_err("no name verification functionality in "
2225 "ssl library, ignored name for %s", todo);
2226 #endif
2227 /* add address */
2228 if(!delegpt_add_addr_mlc(dp, &addr, addrlen, 0, 0,
2229 auth_name, -1)) {
2230 (void)ssl_printf(ssl, "error out of memory\n");
2231 delegpt_free_mlc(dp);
2232 return NULL;
2233 }
2234 }
2235 }
2236 dp->has_parent_side_NS = 1;
2237 return dp;
2238 }
2239
2240 /** do the forward command */
2241 static void
do_forward(RES * ssl,struct worker * worker,char * args)2242 do_forward(RES* ssl, struct worker* worker, char* args)
2243 {
2244 struct iter_forwards* fwd = worker->env.fwds;
2245 uint8_t* root = (uint8_t*)"\000";
2246 int nolock = 0;
2247 if(!fwd) {
2248 (void)ssl_printf(ssl, "error: structure not allocated\n");
2249 return;
2250 }
2251 if(args == NULL || args[0] == 0) {
2252 (void)print_root_fwds(ssl, fwd, root);
2253 return;
2254 }
2255 /* set root forwards for this thread. since we are in remote control
2256 * the actual mesh is not running, so we can freely edit it. */
2257 /* delete all the existing queries first */
2258 mesh_delete_all(worker->env.mesh);
2259 if(strcmp(args, "off") == 0) {
2260 forwards_delete_zone(fwd, LDNS_RR_CLASS_IN, root, nolock);
2261 } else {
2262 struct delegpt* dp;
2263 if(!(dp = parse_delegpt(ssl, args, root)))
2264 return;
2265 if(!forwards_add_zone(fwd, LDNS_RR_CLASS_IN, dp, nolock)) {
2266 (void)ssl_printf(ssl, "error out of memory\n");
2267 return;
2268 }
2269 }
2270 send_ok(ssl);
2271 }
2272
2273 static int
parse_fs_args(RES * ssl,char * args,uint8_t ** nm,struct delegpt ** dp,int * insecure,int * prime,int * tls)2274 parse_fs_args(RES* ssl, char* args, uint8_t** nm, struct delegpt** dp,
2275 int* insecure, int* prime, int* tls)
2276 {
2277 char* zonename;
2278 char* rest;
2279 size_t nmlen;
2280 int nmlabs;
2281 /* parse all -x args */
2282 while(args[0] == '+') {
2283 if(!find_arg2(ssl, args, &rest))
2284 return 0;
2285 while(*(++args) != 0) {
2286 if(*args == 'i' && insecure)
2287 *insecure = 1;
2288 else if(*args == 'p' && prime)
2289 *prime = 1;
2290 else if(*args == 't' && tls)
2291 *tls = 1;
2292 else {
2293 (void)ssl_printf(ssl, "error: unknown option %s\n", args);
2294 return 0;
2295 }
2296 }
2297 args = rest;
2298 }
2299 /* parse name */
2300 if(dp) {
2301 if(!find_arg2(ssl, args, &rest))
2302 return 0;
2303 zonename = args;
2304 args = rest;
2305 } else zonename = args;
2306 if(!parse_arg_name(ssl, zonename, nm, &nmlen, &nmlabs))
2307 return 0;
2308
2309 /* parse dp */
2310 if(dp) {
2311 if(!(*dp = parse_delegpt(ssl, args, *nm))) {
2312 free(*nm);
2313 return 0;
2314 }
2315 }
2316 return 1;
2317 }
2318
2319 /** do the forward_add command */
2320 static void
do_forward_add(RES * ssl,struct worker * worker,char * args)2321 do_forward_add(RES* ssl, struct worker* worker, char* args)
2322 {
2323 struct iter_forwards* fwd = worker->env.fwds;
2324 int insecure = 0, tls = 0;
2325 uint8_t* nm = NULL;
2326 struct delegpt* dp = NULL;
2327 int nolock = 1;
2328 if(!parse_fs_args(ssl, args, &nm, &dp, &insecure, NULL, &tls))
2329 return;
2330 if(tls)
2331 dp->ssl_upstream = 1;
2332 /* prelock forwarders for atomic operation with anchors */
2333 lock_rw_wrlock(&fwd->lock);
2334 if(insecure && worker->env.anchors) {
2335 if(!anchors_add_insecure(worker->env.anchors, LDNS_RR_CLASS_IN,
2336 nm)) {
2337 lock_rw_unlock(&fwd->lock);
2338 (void)ssl_printf(ssl, "error out of memory\n");
2339 delegpt_free_mlc(dp);
2340 free(nm);
2341 return;
2342 }
2343 }
2344 if(!forwards_add_zone(fwd, LDNS_RR_CLASS_IN, dp, nolock)) {
2345 lock_rw_unlock(&fwd->lock);
2346 (void)ssl_printf(ssl, "error out of memory\n");
2347 free(nm);
2348 return;
2349 }
2350 lock_rw_unlock(&fwd->lock);
2351 free(nm);
2352 send_ok(ssl);
2353 }
2354
2355 /** do the forward_remove command */
2356 static void
do_forward_remove(RES * ssl,struct worker * worker,char * args)2357 do_forward_remove(RES* ssl, struct worker* worker, char* args)
2358 {
2359 struct iter_forwards* fwd = worker->env.fwds;
2360 int insecure = 0;
2361 uint8_t* nm = NULL;
2362 int nolock = 1;
2363 if(!parse_fs_args(ssl, args, &nm, NULL, &insecure, NULL, NULL))
2364 return;
2365 /* prelock forwarders for atomic operation with anchors */
2366 lock_rw_wrlock(&fwd->lock);
2367 if(insecure && worker->env.anchors)
2368 anchors_delete_insecure(worker->env.anchors, LDNS_RR_CLASS_IN,
2369 nm);
2370 forwards_delete_zone(fwd, LDNS_RR_CLASS_IN, nm, nolock);
2371 lock_rw_unlock(&fwd->lock);
2372 free(nm);
2373 send_ok(ssl);
2374 }
2375
2376 /** do the stub_add command */
2377 static void
do_stub_add(RES * ssl,struct worker * worker,char * args)2378 do_stub_add(RES* ssl, struct worker* worker, char* args)
2379 {
2380 struct iter_forwards* fwd = worker->env.fwds;
2381 int insecure = 0, prime = 0, tls = 0;
2382 uint8_t* nm = NULL;
2383 struct delegpt* dp = NULL;
2384 int nolock = 1;
2385 if(!parse_fs_args(ssl, args, &nm, &dp, &insecure, &prime, &tls))
2386 return;
2387 if(tls)
2388 dp->ssl_upstream = 1;
2389 /* prelock forwarders and hints for atomic operation with anchors */
2390 lock_rw_wrlock(&fwd->lock);
2391 lock_rw_wrlock(&worker->env.hints->lock);
2392 if(insecure && worker->env.anchors) {
2393 if(!anchors_add_insecure(worker->env.anchors, LDNS_RR_CLASS_IN,
2394 nm)) {
2395 lock_rw_unlock(&fwd->lock);
2396 lock_rw_unlock(&worker->env.hints->lock);
2397 (void)ssl_printf(ssl, "error out of memory\n");
2398 delegpt_free_mlc(dp);
2399 free(nm);
2400 return;
2401 }
2402 }
2403 if(!forwards_add_stub_hole(fwd, LDNS_RR_CLASS_IN, nm, nolock)) {
2404 if(insecure && worker->env.anchors)
2405 anchors_delete_insecure(worker->env.anchors,
2406 LDNS_RR_CLASS_IN, nm);
2407 lock_rw_unlock(&fwd->lock);
2408 lock_rw_unlock(&worker->env.hints->lock);
2409 (void)ssl_printf(ssl, "error out of memory\n");
2410 delegpt_free_mlc(dp);
2411 free(nm);
2412 return;
2413 }
2414 if(!hints_add_stub(worker->env.hints, LDNS_RR_CLASS_IN, dp, !prime,
2415 nolock)) {
2416 (void)ssl_printf(ssl, "error out of memory\n");
2417 forwards_delete_stub_hole(fwd, LDNS_RR_CLASS_IN, nm, nolock);
2418 if(insecure && worker->env.anchors)
2419 anchors_delete_insecure(worker->env.anchors,
2420 LDNS_RR_CLASS_IN, nm);
2421 lock_rw_unlock(&fwd->lock);
2422 lock_rw_unlock(&worker->env.hints->lock);
2423 free(nm);
2424 return;
2425 }
2426 lock_rw_unlock(&fwd->lock);
2427 lock_rw_unlock(&worker->env.hints->lock);
2428 free(nm);
2429 send_ok(ssl);
2430 }
2431
2432 /** do the stub_remove command */
2433 static void
do_stub_remove(RES * ssl,struct worker * worker,char * args)2434 do_stub_remove(RES* ssl, struct worker* worker, char* args)
2435 {
2436 struct iter_forwards* fwd = worker->env.fwds;
2437 int insecure = 0;
2438 uint8_t* nm = NULL;
2439 int nolock = 1;
2440 if(!parse_fs_args(ssl, args, &nm, NULL, &insecure, NULL, NULL))
2441 return;
2442 /* prelock forwarders and hints for atomic operation with anchors */
2443 lock_rw_wrlock(&fwd->lock);
2444 lock_rw_wrlock(&worker->env.hints->lock);
2445 if(insecure && worker->env.anchors)
2446 anchors_delete_insecure(worker->env.anchors, LDNS_RR_CLASS_IN,
2447 nm);
2448 forwards_delete_stub_hole(fwd, LDNS_RR_CLASS_IN, nm, nolock);
2449 hints_delete_stub(worker->env.hints, LDNS_RR_CLASS_IN, nm, nolock);
2450 lock_rw_unlock(&fwd->lock);
2451 lock_rw_unlock(&worker->env.hints->lock);
2452 free(nm);
2453 send_ok(ssl);
2454 }
2455
2456 /** do the insecure_add command */
2457 static void
do_insecure_add(RES * ssl,struct worker * worker,char * arg)2458 do_insecure_add(RES* ssl, struct worker* worker, char* arg)
2459 {
2460 size_t nmlen;
2461 int nmlabs;
2462 uint8_t* nm = NULL;
2463 if(!parse_arg_name(ssl, arg, &nm, &nmlen, &nmlabs))
2464 return;
2465 if(worker->env.anchors) {
2466 if(!anchors_add_insecure(worker->env.anchors,
2467 LDNS_RR_CLASS_IN, nm)) {
2468 (void)ssl_printf(ssl, "error out of memory\n");
2469 free(nm);
2470 return;
2471 }
2472 }
2473 free(nm);
2474 send_ok(ssl);
2475 }
2476
2477 /** do the insecure_remove command */
2478 static void
do_insecure_remove(RES * ssl,struct worker * worker,char * arg)2479 do_insecure_remove(RES* ssl, struct worker* worker, char* arg)
2480 {
2481 size_t nmlen;
2482 int nmlabs;
2483 uint8_t* nm = NULL;
2484 if(!parse_arg_name(ssl, arg, &nm, &nmlen, &nmlabs))
2485 return;
2486 if(worker->env.anchors)
2487 anchors_delete_insecure(worker->env.anchors,
2488 LDNS_RR_CLASS_IN, nm);
2489 free(nm);
2490 send_ok(ssl);
2491 }
2492
2493 static void
do_insecure_list(RES * ssl,struct worker * worker)2494 do_insecure_list(RES* ssl, struct worker* worker)
2495 {
2496 char buf[257];
2497 struct trust_anchor* a;
2498 if(worker->env.anchors) {
2499 RBTREE_FOR(a, struct trust_anchor*, worker->env.anchors->tree) {
2500 if(a->numDS == 0 && a->numDNSKEY == 0) {
2501 dname_str(a->name, buf);
2502 ssl_printf(ssl, "%s\n", buf);
2503 }
2504 }
2505 }
2506 }
2507
2508 /** do the status command */
2509 static void
do_status(RES * ssl,struct worker * worker)2510 do_status(RES* ssl, struct worker* worker)
2511 {
2512 int i;
2513 time_t uptime;
2514 if(!ssl_printf(ssl, "version: %s\n", PACKAGE_VERSION))
2515 return;
2516 if(!ssl_printf(ssl, "verbosity: %d\n", verbosity))
2517 return;
2518 if(!ssl_printf(ssl, "threads: %d\n", worker->daemon->num))
2519 return;
2520 if(!ssl_printf(ssl, "modules: %d [", worker->daemon->mods.num))
2521 return;
2522 for(i=0; i<worker->daemon->mods.num; i++) {
2523 if(!ssl_printf(ssl, " %s", worker->daemon->mods.mod[i]->name))
2524 return;
2525 }
2526 if(!ssl_printf(ssl, " ]\n"))
2527 return;
2528 uptime = (time_t)time(NULL) - (time_t)worker->daemon->time_boot.tv_sec;
2529 if(!ssl_printf(ssl, "uptime: " ARG_LL "d seconds\n", (long long)uptime))
2530 return;
2531 if(!ssl_printf(ssl, "options:%s%s%s%s\n" ,
2532 (worker->daemon->reuseport?" reuseport":""),
2533 (worker->daemon->rc->accept_list?" control":""),
2534 (worker->daemon->rc->accept_list && worker->daemon->rc->use_cert?"(ssl)":""),
2535 (worker->daemon->rc->accept_list && worker->daemon->cfg->control_ifs.first && worker->daemon->cfg->control_ifs.first->str && worker->daemon->cfg->control_ifs.first->str[0] == '/'?"(namedpipe)":"")
2536 ))
2537 return;
2538 if(!ssl_printf(ssl, "unbound (pid %d) is running...\n",
2539 (int)getpid()))
2540 return;
2541 }
2542
2543 /** get age for the mesh state */
2544 static void
get_mesh_age(struct mesh_state * m,char * buf,size_t len,struct module_env * env)2545 get_mesh_age(struct mesh_state* m, char* buf, size_t len,
2546 struct module_env* env)
2547 {
2548 if(m->reply_list) {
2549 struct timeval d;
2550 struct mesh_reply* r = m->reply_list;
2551 /* last reply is the oldest */
2552 while(r && r->next)
2553 r = r->next;
2554 timeval_subtract(&d, env->now_tv, &r->start_time);
2555 snprintf(buf, len, ARG_LL "d.%6.6d",
2556 (long long)d.tv_sec, (int)d.tv_usec);
2557 } else {
2558 snprintf(buf, len, "-");
2559 }
2560 }
2561
2562 /** get status of a mesh state */
2563 static void
get_mesh_status(struct mesh_area * mesh,struct mesh_state * m,char * buf,size_t len)2564 get_mesh_status(struct mesh_area* mesh, struct mesh_state* m,
2565 char* buf, size_t len)
2566 {
2567 enum module_ext_state s = m->s.ext_state[m->s.curmod];
2568 const char *modname = mesh->mods.mod[m->s.curmod]->name;
2569 size_t l;
2570 if(strcmp(modname, "iterator") == 0 && s == module_wait_reply &&
2571 m->s.minfo[m->s.curmod]) {
2572 /* break into iterator to find out who its waiting for */
2573 struct iter_qstate* qstate = (struct iter_qstate*)
2574 m->s.minfo[m->s.curmod];
2575 struct outbound_list* ol = &qstate->outlist;
2576 struct outbound_entry* e;
2577 snprintf(buf, len, "%s wait for", modname);
2578 l = strlen(buf);
2579 buf += l; len -= l;
2580 if(ol->first == NULL)
2581 snprintf(buf, len, " (empty_list)");
2582 for(e = ol->first; e; e = e->next) {
2583 snprintf(buf, len, " ");
2584 l = strlen(buf);
2585 buf += l; len -= l;
2586 addr_to_str(&e->qsent->addr, e->qsent->addrlen,
2587 buf, len);
2588 l = strlen(buf);
2589 buf += l; len -= l;
2590 }
2591 } else if(s == module_wait_subquery) {
2592 /* look in subs from mesh state to see what */
2593 char nm[257];
2594 struct mesh_state_ref* sub;
2595 snprintf(buf, len, "%s wants", modname);
2596 l = strlen(buf);
2597 buf += l; len -= l;
2598 if(m->sub_set.count == 0)
2599 snprintf(buf, len, " (empty_list)");
2600 RBTREE_FOR(sub, struct mesh_state_ref*, &m->sub_set) {
2601 char* t = sldns_wire2str_type(sub->s->s.qinfo.qtype);
2602 char* c = sldns_wire2str_class(sub->s->s.qinfo.qclass);
2603 dname_str(sub->s->s.qinfo.qname, nm);
2604 snprintf(buf, len, " %s %s %s", (t?t:"TYPE??"),
2605 (c?c:"CLASS??"), nm);
2606 l = strlen(buf);
2607 buf += l; len -= l;
2608 free(t);
2609 free(c);
2610 }
2611 } else {
2612 snprintf(buf, len, "%s is %s", modname, strextstate(s));
2613 }
2614 }
2615
2616 /** do the dump_requestlist command */
2617 static void
do_dump_requestlist(RES * ssl,struct worker * worker)2618 do_dump_requestlist(RES* ssl, struct worker* worker)
2619 {
2620 struct mesh_area* mesh;
2621 struct mesh_state* m;
2622 int num = 0;
2623 char buf[257];
2624 char timebuf[32];
2625 char statbuf[10240];
2626 if(!ssl_printf(ssl, "thread #%d\n", worker->thread_num))
2627 return;
2628 if(!ssl_printf(ssl, "# type cl name seconds module status\n"))
2629 return;
2630 /* show worker mesh contents */
2631 mesh = worker->env.mesh;
2632 if(!mesh) return;
2633 RBTREE_FOR(m, struct mesh_state*, &mesh->all) {
2634 char* t = sldns_wire2str_type(m->s.qinfo.qtype);
2635 char* c = sldns_wire2str_class(m->s.qinfo.qclass);
2636 dname_str(m->s.qinfo.qname, buf);
2637 get_mesh_age(m, timebuf, sizeof(timebuf), &worker->env);
2638 get_mesh_status(mesh, m, statbuf, sizeof(statbuf));
2639 if(!ssl_printf(ssl, "%3d %4s %2s %s %s %s\n",
2640 num, (t?t:"TYPE??"), (c?c:"CLASS??"), buf, timebuf,
2641 statbuf)) {
2642 free(t);
2643 free(c);
2644 return;
2645 }
2646 num++;
2647 free(t);
2648 free(c);
2649 }
2650 }
2651
2652 /** structure for argument data for dump infra host */
2653 struct infra_arg {
2654 /** the infra cache */
2655 struct infra_cache* infra;
2656 /** the SSL connection */
2657 RES* ssl;
2658 /** the time now */
2659 time_t now;
2660 /** ssl failure? stop writing and skip the rest. If the tcp
2661 * connection is broken, and writes fail, we then stop writing. */
2662 int ssl_failed;
2663 };
2664
2665 /** callback for every host element in the infra cache */
2666 static void
dump_infra_host(struct lruhash_entry * e,void * arg)2667 dump_infra_host(struct lruhash_entry* e, void* arg)
2668 {
2669 struct infra_arg* a = (struct infra_arg*)arg;
2670 struct infra_key* k = (struct infra_key*)e->key;
2671 struct infra_data* d = (struct infra_data*)e->data;
2672 char ip_str[1024];
2673 char name[257];
2674 int port;
2675 if(a->ssl_failed)
2676 return;
2677 addr_to_str(&k->addr, k->addrlen, ip_str, sizeof(ip_str));
2678 dname_str(k->zonename, name);
2679 port = (int)ntohs(((struct sockaddr_in*)&k->addr)->sin_port);
2680 if(port != UNBOUND_DNS_PORT) {
2681 snprintf(ip_str+strlen(ip_str), sizeof(ip_str)-strlen(ip_str),
2682 "@%d", port);
2683 }
2684 /* skip expired stuff (only backed off) */
2685 if(d->ttl < a->now) {
2686 if(d->rtt.rto >= USEFUL_SERVER_TOP_TIMEOUT) {
2687 if(!ssl_printf(a->ssl, "%s %s expired rto %d\n", ip_str,
2688 name, d->rtt.rto)) {
2689 a->ssl_failed = 1;
2690 return;
2691 }
2692 }
2693 return;
2694 }
2695 if(!ssl_printf(a->ssl, "%s %s ttl %lu ping %d var %d rtt %d rto %d "
2696 "tA %d tAAAA %d tother %d "
2697 "ednsknown %d edns %d delay %d lame dnssec %d rec %d A %d "
2698 "other %d\n", ip_str, name, (unsigned long)(d->ttl - a->now),
2699 d->rtt.srtt, d->rtt.rttvar, rtt_notimeout(&d->rtt), d->rtt.rto,
2700 d->timeout_A, d->timeout_AAAA, d->timeout_other,
2701 (int)d->edns_lame_known, (int)d->edns_version,
2702 (int)(a->now<d->probedelay?(d->probedelay - a->now):0),
2703 (int)d->isdnsseclame, (int)d->rec_lame, (int)d->lame_type_A,
2704 (int)d->lame_other)) {
2705 a->ssl_failed = 1;
2706 return;
2707 }
2708 }
2709
2710 /** do the dump_infra command */
2711 static void
do_dump_infra(RES * ssl,struct worker * worker)2712 do_dump_infra(RES* ssl, struct worker* worker)
2713 {
2714 struct infra_arg arg;
2715 arg.infra = worker->env.infra_cache;
2716 arg.ssl = ssl;
2717 arg.now = *worker->env.now;
2718 arg.ssl_failed = 0;
2719 slabhash_traverse(arg.infra->hosts, 0, &dump_infra_host, (void*)&arg);
2720 }
2721
2722 /** do the log_reopen command */
2723 static void
do_log_reopen(RES * ssl,struct worker * worker)2724 do_log_reopen(RES* ssl, struct worker* worker)
2725 {
2726 struct config_file* cfg = worker->env.cfg;
2727 send_ok(ssl);
2728 log_init(cfg->logfile, cfg->use_syslog, cfg->chrootdir);
2729 }
2730
2731 /** do the auth_zone_reload command */
2732 static void
do_auth_zone_reload(RES * ssl,struct worker * worker,char * arg)2733 do_auth_zone_reload(RES* ssl, struct worker* worker, char* arg)
2734 {
2735 size_t nmlen;
2736 int nmlabs;
2737 uint8_t* nm = NULL;
2738 struct auth_zones* az = worker->env.auth_zones;
2739 struct auth_zone* z = NULL;
2740 struct auth_xfer* xfr = NULL;
2741 char* reason = NULL;
2742 if(!parse_arg_name(ssl, arg, &nm, &nmlen, &nmlabs))
2743 return;
2744 if(az) {
2745 lock_rw_rdlock(&az->lock);
2746 z = auth_zone_find(az, nm, nmlen, LDNS_RR_CLASS_IN);
2747 if(z) {
2748 lock_rw_wrlock(&z->lock);
2749 }
2750 xfr = auth_xfer_find(az, nm, nmlen, LDNS_RR_CLASS_IN);
2751 if(xfr) {
2752 lock_basic_lock(&xfr->lock);
2753 }
2754 lock_rw_unlock(&az->lock);
2755 }
2756 free(nm);
2757 if(!z) {
2758 if(xfr) {
2759 lock_basic_unlock(&xfr->lock);
2760 }
2761 (void)ssl_printf(ssl, "error no auth-zone %s\n", arg);
2762 return;
2763 }
2764 if(!auth_zone_read_zonefile(z, worker->env.cfg)) {
2765 lock_rw_unlock(&z->lock);
2766 if(xfr) {
2767 lock_basic_unlock(&xfr->lock);
2768 }
2769 (void)ssl_printf(ssl, "error failed to read %s\n", arg);
2770 return;
2771 }
2772
2773 z->zone_expired = 0;
2774 if(xfr) {
2775 xfr->zone_expired = 0;
2776 if(!xfr_find_soa(z, xfr)) {
2777 if(z->data.count == 0) {
2778 lock_rw_unlock(&z->lock);
2779 lock_basic_unlock(&xfr->lock);
2780 (void)ssl_printf(ssl, "zone %s has no contents\n", arg);
2781 return;
2782 }
2783 lock_rw_unlock(&z->lock);
2784 lock_basic_unlock(&xfr->lock);
2785 (void)ssl_printf(ssl, "error: no SOA in zone after read %s\n", arg);
2786 return;
2787 }
2788 if(xfr->have_zone)
2789 xfr->lease_time = *worker->env.now;
2790 lock_basic_unlock(&xfr->lock);
2791 }
2792
2793 auth_zone_verify_zonemd(z, &worker->env, &worker->env.mesh->mods,
2794 &reason, 0, 0);
2795 if(reason && z->zone_expired) {
2796 lock_rw_unlock(&z->lock);
2797 (void)ssl_printf(ssl, "error zonemd for %s failed: %s\n",
2798 arg, reason);
2799 free(reason);
2800 return;
2801 } else if(reason && strcmp(reason, "ZONEMD verification successful")
2802 ==0) {
2803 (void)ssl_printf(ssl, "%s: %s\n", arg, reason);
2804 }
2805 lock_rw_unlock(&z->lock);
2806 free(reason);
2807 send_ok(ssl);
2808 }
2809
2810 /** do the auth_zone_transfer command */
2811 static void
do_auth_zone_transfer(RES * ssl,struct worker * worker,char * arg)2812 do_auth_zone_transfer(RES* ssl, struct worker* worker, char* arg)
2813 {
2814 size_t nmlen;
2815 int nmlabs;
2816 uint8_t* nm = NULL;
2817 struct auth_zones* az = worker->env.auth_zones;
2818 if(!parse_arg_name(ssl, arg, &nm, &nmlen, &nmlabs))
2819 return;
2820 if(!az || !auth_zones_startprobesequence(az, &worker->env, nm, nmlen,
2821 LDNS_RR_CLASS_IN)) {
2822 (void)ssl_printf(ssl, "error zone xfr task not found %s\n", arg);
2823 free(nm);
2824 return;
2825 }
2826 free(nm);
2827 send_ok(ssl);
2828 }
2829
2830 /** do the set_option command */
2831 static void
do_set_option(RES * ssl,struct worker * worker,char * arg)2832 do_set_option(RES* ssl, struct worker* worker, char* arg)
2833 {
2834 char* arg2;
2835 if(!find_arg2(ssl, arg, &arg2))
2836 return;
2837 if(!config_set_option(worker->env.cfg, arg, arg2)) {
2838 (void)ssl_printf(ssl, "error setting option\n");
2839 return;
2840 }
2841 /* effectuate some arguments */
2842 if(strcmp(arg, "val-override-date:") == 0) {
2843 int m = modstack_find(&worker->env.mesh->mods, "validator");
2844 struct val_env* val_env = NULL;
2845 if(m != -1) val_env = (struct val_env*)worker->env.modinfo[m];
2846 if(val_env)
2847 val_env->date_override = worker->env.cfg->val_date_override;
2848 }
2849 send_ok(ssl);
2850 }
2851
2852 /* routine to printout option values over SSL */
remote_get_opt_ssl(char * line,void * arg)2853 void remote_get_opt_ssl(char* line, void* arg)
2854 {
2855 RES* ssl = (RES*)arg;
2856 (void)ssl_printf(ssl, "%s\n", line);
2857 }
2858
2859 /** do the get_option command */
2860 static void
do_get_option(RES * ssl,struct worker * worker,char * arg)2861 do_get_option(RES* ssl, struct worker* worker, char* arg)
2862 {
2863 int r;
2864 r = config_get_option(worker->env.cfg, arg, remote_get_opt_ssl, ssl);
2865 if(!r) {
2866 (void)ssl_printf(ssl, "error unknown option\n");
2867 return;
2868 }
2869 }
2870
2871 /** do the list_forwards command */
2872 static void
do_list_forwards(RES * ssl,struct worker * worker)2873 do_list_forwards(RES* ssl, struct worker* worker)
2874 {
2875 /* since its a per-worker structure no locks needed */
2876 struct iter_forwards* fwds = worker->env.fwds;
2877 struct iter_forward_zone* z;
2878 struct trust_anchor* a;
2879 int insecure;
2880 lock_rw_rdlock(&fwds->lock);
2881 RBTREE_FOR(z, struct iter_forward_zone*, fwds->tree) {
2882 if(!z->dp) continue; /* skip empty marker for stub */
2883
2884 /* see if it is insecure */
2885 insecure = 0;
2886 if(worker->env.anchors &&
2887 (a=anchor_find(worker->env.anchors, z->name,
2888 z->namelabs, z->namelen, z->dclass))) {
2889 if(!a->keylist && !a->numDS && !a->numDNSKEY)
2890 insecure = 1;
2891 lock_basic_unlock(&a->lock);
2892 }
2893
2894 if(!ssl_print_name_dp(ssl, (insecure?"forward +i":"forward"),
2895 z->name, z->dclass, z->dp)) {
2896 lock_rw_unlock(&fwds->lock);
2897 return;
2898 }
2899 }
2900 lock_rw_unlock(&fwds->lock);
2901 }
2902
2903 /** do the list_stubs command */
2904 static void
do_list_stubs(RES * ssl,struct worker * worker)2905 do_list_stubs(RES* ssl, struct worker* worker)
2906 {
2907 struct iter_hints_stub* z;
2908 struct trust_anchor* a;
2909 int insecure;
2910 char str[32];
2911 lock_rw_rdlock(&worker->env.hints->lock);
2912 RBTREE_FOR(z, struct iter_hints_stub*, &worker->env.hints->tree) {
2913
2914 /* see if it is insecure */
2915 insecure = 0;
2916 if(worker->env.anchors &&
2917 (a=anchor_find(worker->env.anchors, z->node.name,
2918 z->node.labs, z->node.len, z->node.dclass))) {
2919 if(!a->keylist && !a->numDS && !a->numDNSKEY)
2920 insecure = 1;
2921 lock_basic_unlock(&a->lock);
2922 }
2923
2924 snprintf(str, sizeof(str), "stub %sprime%s",
2925 (z->noprime?"no":""), (insecure?" +i":""));
2926 if(!ssl_print_name_dp(ssl, str, z->node.name,
2927 z->node.dclass, z->dp)) {
2928 lock_rw_unlock(&worker->env.hints->lock);
2929 return;
2930 }
2931 }
2932 lock_rw_unlock(&worker->env.hints->lock);
2933 }
2934
2935 /** do the list_auth_zones command */
2936 static void
do_list_auth_zones(RES * ssl,struct auth_zones * az)2937 do_list_auth_zones(RES* ssl, struct auth_zones* az)
2938 {
2939 struct auth_zone* z;
2940 char buf[257], buf2[256];
2941 lock_rw_rdlock(&az->lock);
2942 RBTREE_FOR(z, struct auth_zone*, &az->ztree) {
2943 lock_rw_rdlock(&z->lock);
2944 dname_str(z->name, buf);
2945 if(z->zone_expired)
2946 snprintf(buf2, sizeof(buf2), "expired");
2947 else {
2948 uint32_t serial = 0;
2949 if(auth_zone_get_serial(z, &serial))
2950 snprintf(buf2, sizeof(buf2), "serial %u",
2951 (unsigned)serial);
2952 else snprintf(buf2, sizeof(buf2), "no serial");
2953 }
2954 if(!ssl_printf(ssl, "%s\t%s\n", buf, buf2)) {
2955 /* failure to print */
2956 lock_rw_unlock(&z->lock);
2957 lock_rw_unlock(&az->lock);
2958 return;
2959 }
2960 lock_rw_unlock(&z->lock);
2961 }
2962 lock_rw_unlock(&az->lock);
2963 }
2964
2965 /** do the list_local_zones command */
2966 static void
do_list_local_zones(RES * ssl,struct local_zones * zones)2967 do_list_local_zones(RES* ssl, struct local_zones* zones)
2968 {
2969 struct local_zone* z;
2970 char buf[257];
2971 lock_rw_rdlock(&zones->lock);
2972 RBTREE_FOR(z, struct local_zone*, &zones->ztree) {
2973 lock_rw_rdlock(&z->lock);
2974 dname_str(z->name, buf);
2975 if(!ssl_printf(ssl, "%s %s\n", buf,
2976 local_zone_type2str(z->type))) {
2977 /* failure to print */
2978 lock_rw_unlock(&z->lock);
2979 lock_rw_unlock(&zones->lock);
2980 return;
2981 }
2982 lock_rw_unlock(&z->lock);
2983 }
2984 lock_rw_unlock(&zones->lock);
2985 }
2986
2987 /** do the list_local_data command */
2988 static void
do_list_local_data(RES * ssl,struct worker * worker,struct local_zones * zones)2989 do_list_local_data(RES* ssl, struct worker* worker, struct local_zones* zones)
2990 {
2991 struct local_zone* z;
2992 struct local_data* d;
2993 struct local_rrset* p;
2994 char* s = (char*)sldns_buffer_begin(worker->env.scratch_buffer);
2995 size_t slen = sldns_buffer_capacity(worker->env.scratch_buffer);
2996 lock_rw_rdlock(&zones->lock);
2997 RBTREE_FOR(z, struct local_zone*, &zones->ztree) {
2998 lock_rw_rdlock(&z->lock);
2999 RBTREE_FOR(d, struct local_data*, &z->data) {
3000 for(p = d->rrsets; p; p = p->next) {
3001 struct packed_rrset_data* d =
3002 (struct packed_rrset_data*)p->rrset->entry.data;
3003 size_t i;
3004 for(i=0; i<d->count + d->rrsig_count; i++) {
3005 if(!packed_rr_to_string(p->rrset, i,
3006 0, s, slen)) {
3007 if(!ssl_printf(ssl, "BADRR\n")) {
3008 lock_rw_unlock(&z->lock);
3009 lock_rw_unlock(&zones->lock);
3010 return;
3011 }
3012 }
3013 if(!ssl_printf(ssl, "%s\n", s)) {
3014 lock_rw_unlock(&z->lock);
3015 lock_rw_unlock(&zones->lock);
3016 return;
3017 }
3018 }
3019 }
3020 }
3021 lock_rw_unlock(&z->lock);
3022 }
3023 lock_rw_unlock(&zones->lock);
3024 }
3025
3026 /** do the view_list_local_zones command */
3027 static void
do_view_list_local_zones(RES * ssl,struct worker * worker,char * arg)3028 do_view_list_local_zones(RES* ssl, struct worker* worker, char* arg)
3029 {
3030 struct view* v = views_find_view(worker->daemon->views,
3031 arg, 0 /* get read lock*/);
3032 if(!v) {
3033 ssl_printf(ssl,"no view with name: %s\n", arg);
3034 return;
3035 }
3036 if(v->local_zones) {
3037 do_list_local_zones(ssl, v->local_zones);
3038 }
3039 lock_rw_unlock(&v->lock);
3040 }
3041
3042 /** do the view_list_local_data command */
3043 static void
do_view_list_local_data(RES * ssl,struct worker * worker,char * arg)3044 do_view_list_local_data(RES* ssl, struct worker* worker, char* arg)
3045 {
3046 struct view* v = views_find_view(worker->daemon->views,
3047 arg, 0 /* get read lock*/);
3048 if(!v) {
3049 ssl_printf(ssl,"no view with name: %s\n", arg);
3050 return;
3051 }
3052 if(v->local_zones) {
3053 do_list_local_data(ssl, worker, v->local_zones);
3054 }
3055 lock_rw_unlock(&v->lock);
3056 }
3057
3058 /** struct for user arg ratelimit list */
3059 struct ratelimit_list_arg {
3060 /** the infra cache */
3061 struct infra_cache* infra;
3062 /** the SSL to print to */
3063 RES* ssl;
3064 /** all or only ratelimited */
3065 int all;
3066 /** current time */
3067 time_t now;
3068 /** if backoff is enabled */
3069 int backoff;
3070 };
3071
3072 #define ip_ratelimit_list_arg ratelimit_list_arg
3073
3074 /** list items in the ratelimit table */
3075 static void
rate_list(struct lruhash_entry * e,void * arg)3076 rate_list(struct lruhash_entry* e, void* arg)
3077 {
3078 struct ratelimit_list_arg* a = (struct ratelimit_list_arg*)arg;
3079 struct rate_key* k = (struct rate_key*)e->key;
3080 struct rate_data* d = (struct rate_data*)e->data;
3081 char buf[257];
3082 int lim = infra_find_ratelimit(a->infra, k->name, k->namelen);
3083 int max = infra_rate_max(d, a->now, a->backoff);
3084 if(a->all == 0) {
3085 if(max < lim)
3086 return;
3087 }
3088 dname_str(k->name, buf);
3089 ssl_printf(a->ssl, "%s %d limit %d\n", buf, max, lim);
3090 }
3091
3092 /** list items in the ip_ratelimit table */
3093 static void
ip_rate_list(struct lruhash_entry * e,void * arg)3094 ip_rate_list(struct lruhash_entry* e, void* arg)
3095 {
3096 char ip[128];
3097 struct ip_ratelimit_list_arg* a = (struct ip_ratelimit_list_arg*)arg;
3098 struct ip_rate_key* k = (struct ip_rate_key*)e->key;
3099 struct ip_rate_data* d = (struct ip_rate_data*)e->data;
3100 int lim = infra_ip_ratelimit;
3101 int max = infra_rate_max(d, a->now, a->backoff);
3102 if(a->all == 0) {
3103 if(max < lim)
3104 return;
3105 }
3106 addr_to_str(&k->addr, k->addrlen, ip, sizeof(ip));
3107 ssl_printf(a->ssl, "%s %d limit %d\n", ip, max, lim);
3108 }
3109
3110 /** do the ratelimit_list command */
3111 static void
do_ratelimit_list(RES * ssl,struct worker * worker,char * arg)3112 do_ratelimit_list(RES* ssl, struct worker* worker, char* arg)
3113 {
3114 struct ratelimit_list_arg a;
3115 a.all = 0;
3116 a.infra = worker->env.infra_cache;
3117 a.now = *worker->env.now;
3118 a.ssl = ssl;
3119 a.backoff = worker->env.cfg->ratelimit_backoff;
3120 arg = skipwhite(arg);
3121 if(strcmp(arg, "+a") == 0)
3122 a.all = 1;
3123 if(a.infra->domain_rates==NULL ||
3124 (a.all == 0 && infra_dp_ratelimit == 0))
3125 return;
3126 slabhash_traverse(a.infra->domain_rates, 0, rate_list, &a);
3127 }
3128
3129 /** do the ip_ratelimit_list command */
3130 static void
do_ip_ratelimit_list(RES * ssl,struct worker * worker,char * arg)3131 do_ip_ratelimit_list(RES* ssl, struct worker* worker, char* arg)
3132 {
3133 struct ip_ratelimit_list_arg a;
3134 a.all = 0;
3135 a.infra = worker->env.infra_cache;
3136 a.now = *worker->env.now;
3137 a.ssl = ssl;
3138 a.backoff = worker->env.cfg->ip_ratelimit_backoff;
3139 arg = skipwhite(arg);
3140 if(strcmp(arg, "+a") == 0)
3141 a.all = 1;
3142 if(a.infra->client_ip_rates==NULL ||
3143 (a.all == 0 && infra_ip_ratelimit == 0))
3144 return;
3145 slabhash_traverse(a.infra->client_ip_rates, 0, ip_rate_list, &a);
3146 }
3147
3148 /** do the rpz_enable/disable command */
3149 static void
do_rpz_enable_disable(RES * ssl,struct worker * worker,char * arg,int enable)3150 do_rpz_enable_disable(RES* ssl, struct worker* worker, char* arg, int enable) {
3151 size_t nmlen;
3152 int nmlabs;
3153 uint8_t *nm = NULL;
3154 struct auth_zones *az = worker->env.auth_zones;
3155 struct auth_zone *z = NULL;
3156 if (!parse_arg_name(ssl, arg, &nm, &nmlen, &nmlabs))
3157 return;
3158 if (az) {
3159 lock_rw_rdlock(&az->lock);
3160 z = auth_zone_find(az, nm, nmlen, LDNS_RR_CLASS_IN);
3161 if (z) {
3162 lock_rw_wrlock(&z->lock);
3163 }
3164 lock_rw_unlock(&az->lock);
3165 }
3166 free(nm);
3167 if (!z) {
3168 (void) ssl_printf(ssl, "error no auth-zone %s\n", arg);
3169 return;
3170 }
3171 if (!z->rpz) {
3172 (void) ssl_printf(ssl, "error auth-zone %s not RPZ\n", arg);
3173 lock_rw_unlock(&z->lock);
3174 return;
3175 }
3176 if (enable) {
3177 rpz_enable(z->rpz);
3178 } else {
3179 rpz_disable(z->rpz);
3180 }
3181 lock_rw_unlock(&z->lock);
3182 send_ok(ssl);
3183 }
3184
3185 /** do the rpz_enable command */
3186 static void
do_rpz_enable(RES * ssl,struct worker * worker,char * arg)3187 do_rpz_enable(RES* ssl, struct worker* worker, char* arg)
3188 {
3189 do_rpz_enable_disable(ssl, worker, arg, 1);
3190 }
3191
3192 /** do the rpz_disable command */
3193 static void
do_rpz_disable(RES * ssl,struct worker * worker,char * arg)3194 do_rpz_disable(RES* ssl, struct worker* worker, char* arg)
3195 {
3196 do_rpz_enable_disable(ssl, worker, arg, 0);
3197 }
3198
3199 /** Write the cookie secrets to file, returns `0` on failure.
3200 * Caller has to hold the lock. */
3201 static int
cookie_secret_file_dump(RES * ssl,struct worker * worker)3202 cookie_secret_file_dump(RES* ssl, struct worker* worker) {
3203 char const* secret_file = worker->env.cfg->cookie_secret_file;
3204 struct cookie_secrets* cookie_secrets = worker->daemon->cookie_secrets;
3205 char secret_hex[UNBOUND_COOKIE_SECRET_SIZE * 2 + 1];
3206 FILE* f;
3207 size_t i;
3208 if(secret_file == NULL || secret_file[0]==0) {
3209 (void)ssl_printf(ssl, "error: no cookie secret file configured\n");
3210 return 0;
3211 }
3212 log_assert( secret_file != NULL );
3213
3214 /* open write only and truncate */
3215 if((f = fopen(secret_file, "w")) == NULL ) {
3216 (void)ssl_printf(ssl, "unable to open cookie secret file %s: %s",
3217 secret_file, strerror(errno));
3218 return 0;
3219 }
3220 if(cookie_secrets == NULL) {
3221 /* nothing to write */
3222 fclose(f);
3223 return 1;
3224 }
3225
3226 for(i = 0; i < cookie_secrets->cookie_count; i++) {
3227 struct cookie_secret const* cs = &cookie_secrets->
3228 cookie_secrets[i];
3229 ssize_t const len = hex_ntop(cs->cookie_secret,
3230 UNBOUND_COOKIE_SECRET_SIZE, secret_hex,
3231 sizeof(secret_hex));
3232 (void)len; /* silence unused variable warning with -DNDEBUG */
3233 log_assert( len == UNBOUND_COOKIE_SECRET_SIZE * 2 );
3234 secret_hex[UNBOUND_COOKIE_SECRET_SIZE * 2] = '\0';
3235 fprintf(f, "%s\n", secret_hex);
3236 }
3237 explicit_bzero(secret_hex, sizeof(secret_hex));
3238 fclose(f);
3239 return 1;
3240 }
3241
3242 /** Activate cookie secret */
3243 static void
do_activate_cookie_secret(RES * ssl,struct worker * worker)3244 do_activate_cookie_secret(RES* ssl, struct worker* worker) {
3245 char const* secret_file = worker->env.cfg->cookie_secret_file;
3246 struct cookie_secrets* cookie_secrets = worker->daemon->cookie_secrets;
3247
3248 if(secret_file == NULL || secret_file[0] == 0) {
3249 (void)ssl_printf(ssl, "error: no cookie secret file configured\n");
3250 return;
3251 }
3252 if(cookie_secrets == NULL) {
3253 (void)ssl_printf(ssl, "error: there are no cookie_secrets.");
3254 return;
3255 }
3256 lock_basic_lock(&cookie_secrets->lock);
3257
3258 if(cookie_secrets->cookie_count <= 1 ) {
3259 lock_basic_unlock(&cookie_secrets->lock);
3260 (void)ssl_printf(ssl, "error: no staging cookie secret to activate\n");
3261 return;
3262 }
3263 /* Only the worker 0 writes to file, the others update state. */
3264 if(worker->thread_num == 0 && !cookie_secret_file_dump(ssl, worker)) {
3265 lock_basic_unlock(&cookie_secrets->lock);
3266 (void)ssl_printf(ssl, "error: writing to cookie secret file: \"%s\"\n",
3267 secret_file);
3268 return;
3269 }
3270 activate_cookie_secret(cookie_secrets);
3271 if(worker->thread_num == 0)
3272 (void)cookie_secret_file_dump(ssl, worker);
3273 lock_basic_unlock(&cookie_secrets->lock);
3274 send_ok(ssl);
3275 }
3276
3277 /** Drop cookie secret */
3278 static void
do_drop_cookie_secret(RES * ssl,struct worker * worker)3279 do_drop_cookie_secret(RES* ssl, struct worker* worker) {
3280 char const* secret_file = worker->env.cfg->cookie_secret_file;
3281 struct cookie_secrets* cookie_secrets = worker->daemon->cookie_secrets;
3282
3283 if(secret_file == NULL || secret_file[0] == 0) {
3284 (void)ssl_printf(ssl, "error: no cookie secret file configured\n");
3285 return;
3286 }
3287 if(cookie_secrets == NULL) {
3288 (void)ssl_printf(ssl, "error: there are no cookie_secrets.");
3289 return;
3290 }
3291 lock_basic_lock(&cookie_secrets->lock);
3292
3293 if(cookie_secrets->cookie_count <= 1 ) {
3294 lock_basic_unlock(&cookie_secrets->lock);
3295 (void)ssl_printf(ssl, "error: can not drop the currently active cookie secret\n");
3296 return;
3297 }
3298 /* Only the worker 0 writes to file, the others update state. */
3299 if(worker->thread_num == 0 && !cookie_secret_file_dump(ssl, worker)) {
3300 lock_basic_unlock(&cookie_secrets->lock);
3301 (void)ssl_printf(ssl, "error: writing to cookie secret file: \"%s\"\n",
3302 secret_file);
3303 return;
3304 }
3305 drop_cookie_secret(cookie_secrets);
3306 if(worker->thread_num == 0)
3307 (void)cookie_secret_file_dump(ssl, worker);
3308 lock_basic_unlock(&cookie_secrets->lock);
3309 send_ok(ssl);
3310 }
3311
3312 /** Add cookie secret */
3313 static void
do_add_cookie_secret(RES * ssl,struct worker * worker,char * arg)3314 do_add_cookie_secret(RES* ssl, struct worker* worker, char* arg) {
3315 uint8_t secret[UNBOUND_COOKIE_SECRET_SIZE];
3316 char const* secret_file = worker->env.cfg->cookie_secret_file;
3317 struct cookie_secrets* cookie_secrets = worker->daemon->cookie_secrets;
3318
3319 if(secret_file == NULL || secret_file[0] == 0) {
3320 (void)ssl_printf(ssl, "error: no cookie secret file configured\n");
3321 return;
3322 }
3323 if(cookie_secrets == NULL) {
3324 worker->daemon->cookie_secrets = cookie_secrets_create();
3325 if(!worker->daemon->cookie_secrets) {
3326 (void)ssl_printf(ssl, "error: out of memory");
3327 return;
3328 }
3329 cookie_secrets = worker->daemon->cookie_secrets;
3330 }
3331 lock_basic_lock(&cookie_secrets->lock);
3332
3333 if(*arg == '\0') {
3334 lock_basic_unlock(&cookie_secrets->lock);
3335 (void)ssl_printf(ssl, "error: missing argument (cookie_secret)\n");
3336 return;
3337 }
3338 if(strlen(arg) != 32) {
3339 lock_basic_unlock(&cookie_secrets->lock);
3340 explicit_bzero(arg, strlen(arg));
3341 (void)ssl_printf(ssl, "invalid cookie secret: invalid argument length\n");
3342 (void)ssl_printf(ssl, "please provide a 128bit hex encoded secret\n");
3343 return;
3344 }
3345 if(hex_pton(arg, secret, UNBOUND_COOKIE_SECRET_SIZE) !=
3346 UNBOUND_COOKIE_SECRET_SIZE ) {
3347 lock_basic_unlock(&cookie_secrets->lock);
3348 explicit_bzero(secret, UNBOUND_COOKIE_SECRET_SIZE);
3349 explicit_bzero(arg, strlen(arg));
3350 (void)ssl_printf(ssl, "invalid cookie secret: parse error\n");
3351 (void)ssl_printf(ssl, "please provide a 128bit hex encoded secret\n");
3352 return;
3353 }
3354 /* Only the worker 0 writes to file, the others update state. */
3355 if(worker->thread_num == 0 && !cookie_secret_file_dump(ssl, worker)) {
3356 lock_basic_unlock(&cookie_secrets->lock);
3357 explicit_bzero(secret, UNBOUND_COOKIE_SECRET_SIZE);
3358 explicit_bzero(arg, strlen(arg));
3359 (void)ssl_printf(ssl, "error: writing to cookie secret file: \"%s\"\n",
3360 secret_file);
3361 return;
3362 }
3363 add_cookie_secret(cookie_secrets, secret, UNBOUND_COOKIE_SECRET_SIZE);
3364 explicit_bzero(secret, UNBOUND_COOKIE_SECRET_SIZE);
3365 if(worker->thread_num == 0)
3366 (void)cookie_secret_file_dump(ssl, worker);
3367 lock_basic_unlock(&cookie_secrets->lock);
3368 explicit_bzero(arg, strlen(arg));
3369 send_ok(ssl);
3370 }
3371
3372 /** Print cookie secrets */
3373 static void
do_print_cookie_secrets(RES * ssl,struct worker * worker)3374 do_print_cookie_secrets(RES* ssl, struct worker* worker) {
3375 struct cookie_secrets* cookie_secrets = worker->daemon->cookie_secrets;
3376 char secret_hex[UNBOUND_COOKIE_SECRET_SIZE * 2 + 1];
3377 int i;
3378
3379 if(!cookie_secrets)
3380 return; /* Output is empty. */
3381 lock_basic_lock(&cookie_secrets->lock);
3382 for(i = 0; (size_t)i < cookie_secrets->cookie_count; i++) {
3383 struct cookie_secret const* cs = &cookie_secrets->
3384 cookie_secrets[i];
3385 ssize_t const len = hex_ntop(cs->cookie_secret,
3386 UNBOUND_COOKIE_SECRET_SIZE, secret_hex,
3387 sizeof(secret_hex));
3388 (void)len; /* silence unused variable warning with -DNDEBUG */
3389 log_assert( len == UNBOUND_COOKIE_SECRET_SIZE * 2 );
3390 secret_hex[UNBOUND_COOKIE_SECRET_SIZE * 2] = '\0';
3391 if (i == 0)
3392 (void)ssl_printf(ssl, "active : %s\n", secret_hex);
3393 else if (cookie_secrets->cookie_count == 2)
3394 (void)ssl_printf(ssl, "staging: %s\n", secret_hex);
3395 else
3396 (void)ssl_printf(ssl, "staging[%d]: %s\n", i,
3397 secret_hex);
3398 }
3399 lock_basic_unlock(&cookie_secrets->lock);
3400 explicit_bzero(secret_hex, sizeof(secret_hex));
3401 }
3402
3403 /** check for name with end-of-string, space or tab after it */
3404 static int
cmdcmp(char * p,const char * cmd,size_t len)3405 cmdcmp(char* p, const char* cmd, size_t len)
3406 {
3407 return strncmp(p,cmd,len)==0 && (p[len]==0||p[len]==' '||p[len]=='\t');
3408 }
3409
3410 /** execute a remote control command */
3411 static void
execute_cmd(struct daemon_remote * rc,RES * ssl,char * cmd,struct worker * worker)3412 execute_cmd(struct daemon_remote* rc, RES* ssl, char* cmd,
3413 struct worker* worker)
3414 {
3415 char* p = skipwhite(cmd);
3416 /* compare command */
3417 if(cmdcmp(p, "stop", 4)) {
3418 do_stop(ssl, worker);
3419 return;
3420 } else if(cmdcmp(p, "reload_keep_cache", 17)) {
3421 do_reload(ssl, worker, 1);
3422 return;
3423 } else if(cmdcmp(p, "reload", 6)) {
3424 do_reload(ssl, worker, 0);
3425 return;
3426 } else if(cmdcmp(p, "stats_noreset", 13)) {
3427 do_stats(ssl, worker, 0);
3428 return;
3429 } else if(cmdcmp(p, "stats", 5)) {
3430 do_stats(ssl, worker, 1);
3431 return;
3432 } else if(cmdcmp(p, "status", 6)) {
3433 do_status(ssl, worker);
3434 return;
3435 } else if(cmdcmp(p, "dump_cache", 10)) {
3436 #ifdef THREADS_DISABLED
3437 if(worker->daemon->num > 1) {
3438 (void)ssl_printf(ssl, "dump_cache/load_cache is not "
3439 "supported in multi-process operation\n");
3440 return;
3441 }
3442 #endif
3443 (void)dump_cache(ssl, worker);
3444 return;
3445 } else if(cmdcmp(p, "load_cache", 10)) {
3446 #ifdef THREADS_DISABLED
3447 if(worker->daemon->num > 1) {
3448 /* The warning can't be printed when stdin is sending
3449 * data; just return */
3450 return;
3451 }
3452 #endif
3453 if(load_cache(ssl, worker)) send_ok(ssl);
3454 return;
3455 } else if(cmdcmp(p, "list_forwards", 13)) {
3456 do_list_forwards(ssl, worker);
3457 return;
3458 } else if(cmdcmp(p, "list_stubs", 10)) {
3459 do_list_stubs(ssl, worker);
3460 return;
3461 } else if(cmdcmp(p, "list_insecure", 13)) {
3462 do_insecure_list(ssl, worker);
3463 return;
3464 } else if(cmdcmp(p, "list_local_zones", 16)) {
3465 do_list_local_zones(ssl, worker->daemon->local_zones);
3466 return;
3467 } else if(cmdcmp(p, "list_local_data", 15)) {
3468 do_list_local_data(ssl, worker, worker->daemon->local_zones);
3469 return;
3470 } else if(cmdcmp(p, "view_list_local_zones", 21)) {
3471 do_view_list_local_zones(ssl, worker, skipwhite(p+21));
3472 return;
3473 } else if(cmdcmp(p, "view_list_local_data", 20)) {
3474 do_view_list_local_data(ssl, worker, skipwhite(p+20));
3475 return;
3476 } else if(cmdcmp(p, "ratelimit_list", 14)) {
3477 do_ratelimit_list(ssl, worker, p+14);
3478 return;
3479 } else if(cmdcmp(p, "ip_ratelimit_list", 17)) {
3480 do_ip_ratelimit_list(ssl, worker, p+17);
3481 return;
3482 } else if(cmdcmp(p, "list_auth_zones", 15)) {
3483 do_list_auth_zones(ssl, worker->env.auth_zones);
3484 return;
3485 } else if(cmdcmp(p, "auth_zone_reload", 16)) {
3486 do_auth_zone_reload(ssl, worker, skipwhite(p+16));
3487 return;
3488 } else if(cmdcmp(p, "auth_zone_transfer", 18)) {
3489 do_auth_zone_transfer(ssl, worker, skipwhite(p+18));
3490 return;
3491 } else if(cmdcmp(p, "insecure_add", 12)) {
3492 /* must always distribute this cmd */
3493 if(rc) distribute_cmd(rc, ssl, cmd);
3494 do_insecure_add(ssl, worker, skipwhite(p+12));
3495 return;
3496 } else if(cmdcmp(p, "insecure_remove", 15)) {
3497 /* must always distribute this cmd */
3498 if(rc) distribute_cmd(rc, ssl, cmd);
3499 do_insecure_remove(ssl, worker, skipwhite(p+15));
3500 return;
3501 } else if(cmdcmp(p, "flush_stats", 11)) {
3502 /* must always distribute this cmd */
3503 if(rc) distribute_cmd(rc, ssl, cmd);
3504 do_flush_stats(ssl, worker);
3505 return;
3506 } else if(cmdcmp(p, "flush_requestlist", 17)) {
3507 /* must always distribute this cmd */
3508 if(rc) distribute_cmd(rc, ssl, cmd);
3509 do_flush_requestlist(ssl, worker);
3510 return;
3511 } else if(cmdcmp(p, "lookup", 6)) {
3512 do_lookup(ssl, worker, skipwhite(p+6));
3513 return;
3514 /* The following are commands that read stdin.
3515 * Each line needs to be distributed if THREADS_DISABLED.
3516 */
3517 } else if(cmdcmp(p, "local_zones_remove", 18)) {
3518 do_zones_remove(rc, ssl, worker);
3519 return;
3520 } else if(cmdcmp(p, "local_zones", 11)) {
3521 do_zones_add(rc, ssl, worker);
3522 return;
3523 } else if(cmdcmp(p, "local_datas_remove", 18)) {
3524 do_datas_remove(rc, ssl, worker);
3525 return;
3526 } else if(cmdcmp(p, "local_datas", 11)) {
3527 do_datas_add(rc, ssl, worker);
3528 return;
3529 } else if(cmdcmp(p, "view_local_datas_remove", 23)){
3530 do_view_datas_remove(rc, ssl, worker, skipwhite(p+23));
3531 return;
3532 } else if(cmdcmp(p, "view_local_datas", 16)) {
3533 do_view_datas_add(rc, ssl, worker, skipwhite(p+16));
3534 return;
3535 } else if(cmdcmp(p, "print_cookie_secrets", 20)) {
3536 do_print_cookie_secrets(ssl, worker);
3537 return;
3538 }
3539
3540 #ifdef THREADS_DISABLED
3541 /* other processes must execute the command as well */
3542 /* commands that should not be distributed, returned above. */
3543 if(rc) { /* only if this thread is the master (rc) thread */
3544 /* done before the code below, which may split the string */
3545 distribute_cmd(rc, ssl, cmd);
3546 }
3547 #endif
3548 if(cmdcmp(p, "verbosity", 9)) {
3549 do_verbosity(ssl, skipwhite(p+9));
3550 } else if(cmdcmp(p, "local_zone_remove", 17)) {
3551 do_zone_remove(ssl, worker->daemon->local_zones, skipwhite(p+17));
3552 } else if(cmdcmp(p, "local_zone", 10)) {
3553 do_zone_add(ssl, worker->daemon->local_zones, skipwhite(p+10));
3554 } else if(cmdcmp(p, "local_data_remove", 17)) {
3555 do_data_remove(ssl, worker->daemon->local_zones, skipwhite(p+17));
3556 } else if(cmdcmp(p, "local_data", 10)) {
3557 do_data_add(ssl, worker->daemon->local_zones, skipwhite(p+10));
3558 } else if(cmdcmp(p, "forward_add", 11)) {
3559 do_forward_add(ssl, worker, skipwhite(p+11));
3560 } else if(cmdcmp(p, "forward_remove", 14)) {
3561 do_forward_remove(ssl, worker, skipwhite(p+14));
3562 } else if(cmdcmp(p, "forward", 7)) {
3563 do_forward(ssl, worker, skipwhite(p+7));
3564 } else if(cmdcmp(p, "stub_add", 8)) {
3565 do_stub_add(ssl, worker, skipwhite(p+8));
3566 } else if(cmdcmp(p, "stub_remove", 11)) {
3567 do_stub_remove(ssl, worker, skipwhite(p+11));
3568 } else if(cmdcmp(p, "view_local_zone_remove", 22)) {
3569 do_view_zone_remove(ssl, worker, skipwhite(p+22));
3570 } else if(cmdcmp(p, "view_local_zone", 15)) {
3571 do_view_zone_add(ssl, worker, skipwhite(p+15));
3572 } else if(cmdcmp(p, "view_local_data_remove", 22)) {
3573 do_view_data_remove(ssl, worker, skipwhite(p+22));
3574 } else if(cmdcmp(p, "view_local_data", 15)) {
3575 do_view_data_add(ssl, worker, skipwhite(p+15));
3576 } else if(cmdcmp(p, "flush_zone", 10)) {
3577 do_flush_zone(ssl, worker, skipwhite(p+10));
3578 } else if(cmdcmp(p, "flush_type", 10)) {
3579 do_flush_type(ssl, worker, skipwhite(p+10));
3580 } else if(cmdcmp(p, "flush_infra", 11)) {
3581 do_flush_infra(ssl, worker, skipwhite(p+11));
3582 } else if(cmdcmp(p, "flush", 5)) {
3583 do_flush_name(ssl, worker, skipwhite(p+5));
3584 } else if(cmdcmp(p, "dump_requestlist", 16)) {
3585 do_dump_requestlist(ssl, worker);
3586 } else if(cmdcmp(p, "dump_infra", 10)) {
3587 do_dump_infra(ssl, worker);
3588 } else if(cmdcmp(p, "log_reopen", 10)) {
3589 do_log_reopen(ssl, worker);
3590 } else if(cmdcmp(p, "set_option", 10)) {
3591 do_set_option(ssl, worker, skipwhite(p+10));
3592 } else if(cmdcmp(p, "get_option", 10)) {
3593 do_get_option(ssl, worker, skipwhite(p+10));
3594 } else if(cmdcmp(p, "flush_bogus", 11)) {
3595 do_flush_bogus(ssl, worker, skipwhite(p+11));
3596 } else if(cmdcmp(p, "flush_negative", 14)) {
3597 do_flush_negative(ssl, worker, skipwhite(p+14));
3598 } else if(cmdcmp(p, "rpz_enable", 10)) {
3599 do_rpz_enable(ssl, worker, skipwhite(p+10));
3600 } else if(cmdcmp(p, "rpz_disable", 11)) {
3601 do_rpz_disable(ssl, worker, skipwhite(p+11));
3602 } else if(cmdcmp(p, "add_cookie_secret", 17)) {
3603 do_add_cookie_secret(ssl, worker, skipwhite(p+17));
3604 } else if(cmdcmp(p, "drop_cookie_secret", 18)) {
3605 do_drop_cookie_secret(ssl, worker);
3606 } else if(cmdcmp(p, "activate_cookie_secret", 22)) {
3607 do_activate_cookie_secret(ssl, worker);
3608 } else {
3609 (void)ssl_printf(ssl, "error unknown command '%s'\n", p);
3610 }
3611 }
3612
3613 void
daemon_remote_exec(struct worker * worker)3614 daemon_remote_exec(struct worker* worker)
3615 {
3616 /* read the cmd string */
3617 uint8_t* msg = NULL;
3618 uint32_t len = 0;
3619 if(!tube_read_msg(worker->cmd, &msg, &len, 0)) {
3620 log_err("daemon_remote_exec: tube_read_msg failed");
3621 return;
3622 }
3623 verbose(VERB_ALGO, "remote exec distributed: %s", (char*)msg);
3624 execute_cmd(NULL, NULL, (char*)msg, worker);
3625 free(msg);
3626 }
3627
3628 /** handle remote control request */
3629 static void
handle_req(struct daemon_remote * rc,struct rc_state * s,RES * res)3630 handle_req(struct daemon_remote* rc, struct rc_state* s, RES* res)
3631 {
3632 int r;
3633 char pre[10];
3634 char magic[7];
3635 char buf[MAX_CMD_STRLINE];
3636 #ifdef USE_WINSOCK
3637 /* makes it possible to set the socket blocking again. */
3638 /* basically removes it from winsock_event ... */
3639 WSAEventSelect(s->c->fd, NULL, 0);
3640 #endif
3641 fd_set_block(s->c->fd);
3642
3643 /* try to read magic UBCT[version]_space_ string */
3644 if(res->ssl) {
3645 ERR_clear_error();
3646 if((r=SSL_read(res->ssl, magic, (int)sizeof(magic)-1)) <= 0) {
3647 int r2;
3648 if((r2=SSL_get_error(res->ssl, r)) == SSL_ERROR_ZERO_RETURN)
3649 return;
3650 log_crypto_err_io("could not SSL_read", r2);
3651 return;
3652 }
3653 } else {
3654 while(1) {
3655 ssize_t rr = recv(res->fd, magic, sizeof(magic)-1, 0);
3656 if(rr <= 0) {
3657 if(rr == 0) return;
3658 if(errno == EINTR || errno == EAGAIN)
3659 continue;
3660 log_err("could not recv: %s", sock_strerror(errno));
3661 return;
3662 }
3663 r = (int)rr;
3664 break;
3665 }
3666 }
3667 magic[6] = 0;
3668 if( r != 6 || strncmp(magic, "UBCT", 4) != 0) {
3669 verbose(VERB_QUERY, "control connection has bad magic string");
3670 /* probably wrong tool connected, ignore it completely */
3671 return;
3672 }
3673
3674 /* read the command line */
3675 if(!ssl_read_line(res, buf, sizeof(buf))) {
3676 return;
3677 }
3678 snprintf(pre, sizeof(pre), "UBCT%d ", UNBOUND_CONTROL_VERSION);
3679 if(strcmp(magic, pre) != 0) {
3680 verbose(VERB_QUERY, "control connection had bad "
3681 "version %s, cmd: %s", magic, buf);
3682 ssl_printf(res, "error version mismatch\n");
3683 return;
3684 }
3685 verbose(VERB_DETAIL, "control cmd: %s", buf);
3686
3687 /* figure out what to do */
3688 execute_cmd(rc, res, buf, rc->worker);
3689 }
3690
3691 /** handle SSL_do_handshake changes to the file descriptor to wait for later */
3692 static int
remote_handshake_later(struct daemon_remote * rc,struct rc_state * s,struct comm_point * c,int r,int r2)3693 remote_handshake_later(struct daemon_remote* rc, struct rc_state* s,
3694 struct comm_point* c, int r, int r2)
3695 {
3696 if(r2 == SSL_ERROR_WANT_READ) {
3697 if(s->shake_state == rc_hs_read) {
3698 /* try again later */
3699 return 0;
3700 }
3701 s->shake_state = rc_hs_read;
3702 comm_point_listen_for_rw(c, 1, 0);
3703 return 0;
3704 } else if(r2 == SSL_ERROR_WANT_WRITE) {
3705 if(s->shake_state == rc_hs_write) {
3706 /* try again later */
3707 return 0;
3708 }
3709 s->shake_state = rc_hs_write;
3710 comm_point_listen_for_rw(c, 0, 1);
3711 return 0;
3712 } else {
3713 if(r == 0)
3714 log_err("remote control connection closed prematurely");
3715 log_addr(VERB_OPS, "failed connection from",
3716 &s->c->repinfo.remote_addr, s->c->repinfo.remote_addrlen);
3717 log_crypto_err_io("remote control failed ssl", r2);
3718 clean_point(rc, s);
3719 }
3720 return 0;
3721 }
3722
remote_control_callback(struct comm_point * c,void * arg,int err,struct comm_reply * ATTR_UNUSED (rep))3723 int remote_control_callback(struct comm_point* c, void* arg, int err,
3724 struct comm_reply* ATTR_UNUSED(rep))
3725 {
3726 RES res;
3727 struct rc_state* s = (struct rc_state*)arg;
3728 struct daemon_remote* rc = s->rc;
3729 int r;
3730 if(err != NETEVENT_NOERROR) {
3731 if(err==NETEVENT_TIMEOUT)
3732 log_err("remote control timed out");
3733 clean_point(rc, s);
3734 return 0;
3735 }
3736 if(s->ssl) {
3737 /* (continue to) setup the SSL connection */
3738 ERR_clear_error();
3739 r = SSL_do_handshake(s->ssl);
3740 if(r != 1) {
3741 int r2 = SSL_get_error(s->ssl, r);
3742 return remote_handshake_later(rc, s, c, r, r2);
3743 }
3744 s->shake_state = rc_none;
3745 }
3746
3747 /* once handshake has completed, check authentication */
3748 if (!rc->use_cert) {
3749 verbose(VERB_ALGO, "unauthenticated remote control connection");
3750 } else if(SSL_get_verify_result(s->ssl) == X509_V_OK) {
3751 #ifdef HAVE_SSL_GET1_PEER_CERTIFICATE
3752 X509* x = SSL_get1_peer_certificate(s->ssl);
3753 #else
3754 X509* x = SSL_get_peer_certificate(s->ssl);
3755 #endif
3756 if(!x) {
3757 verbose(VERB_DETAIL, "remote control connection "
3758 "provided no client certificate");
3759 clean_point(rc, s);
3760 return 0;
3761 }
3762 verbose(VERB_ALGO, "remote control connection authenticated");
3763 X509_free(x);
3764 } else {
3765 verbose(VERB_DETAIL, "remote control connection failed to "
3766 "authenticate with client certificate");
3767 clean_point(rc, s);
3768 return 0;
3769 }
3770
3771 /* if OK start to actually handle the request */
3772 res.ssl = s->ssl;
3773 res.fd = c->fd;
3774 handle_req(rc, s, &res);
3775
3776 verbose(VERB_ALGO, "remote control operation completed");
3777 clean_point(rc, s);
3778 return 0;
3779 }
3780