1 /*
2 * remote.c - remote control for the NSD daemon.
3 *
4 * Copyright (c) 2008, NLnet Labs. All rights reserved.
5 *
6 * This software is open source.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * Redistributions of source code must retain the above copyright notice,
13 * this list of conditions and the following disclaimer.
14 *
15 * Redistributions in binary form must reproduce the above copyright notice,
16 * this list of conditions and the following disclaimer in the documentation
17 * and/or other materials provided with the distribution.
18 *
19 * Neither the name of the NLNET LABS nor the names of its contributors may
20 * be used to endorse or promote products derived from this software without
21 * specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34 */
35
36 /**
37 * \file
38 *
39 * This file contains the remote control functionality for the daemon.
40 * The remote control can be performed using either the commandline
41 * nsd-control tool, or a TLS capable web browser.
42 * The channel is secured using TLSv1, and certificates.
43 * Both the server and the client(control tool) have their own keys.
44 */
45 #include "config.h"
46
47 #ifdef HAVE_SSL
48 #ifdef HAVE_OPENSSL_SSL_H
49 #include <openssl/ssl.h>
50 #endif
51 #ifdef HAVE_OPENSSL_ERR_H
52 #include <openssl/err.h>
53 #endif
54 #ifdef HAVE_OPENSSL_RAND_H
55 #include <openssl/rand.h>
56 #endif
57 #endif /* HAVE_SSL */
58 #include <ctype.h>
59 #include <unistd.h>
60 #include <assert.h>
61 #include <fcntl.h>
62 #include <errno.h>
63 #ifndef USE_MINI_EVENT
64 # ifdef HAVE_EVENT_H
65 # include <event.h>
66 # else
67 # include <event2/event.h>
68 # include "event2/event_struct.h"
69 # include "event2/event_compat.h"
70 # endif
71 #else
72 # include "mini_event.h"
73 #endif
74 #include "remote.h"
75 #include "util.h"
76 #include "xfrd.h"
77 #include "xfrd-catalog-zones.h"
78 #include "xfrd-notify.h"
79 #include "xfrd-tcp.h"
80 #include "nsd.h"
81 #include "options.h"
82 #include "difffile.h"
83 #include "ipc.h"
84
85 #ifdef HAVE_SYS_TYPES_H
86 # include <sys/types.h>
87 #endif
88 #ifdef HAVE_SYS_STAT_H
89 # include <sys/stat.h>
90 #endif
91 #ifdef HAVE_NETDB_H
92 # include <netdb.h>
93 #endif
94 #ifdef HAVE_SYS_UN_H
95 # include <sys/un.h>
96 #endif
97 #ifndef AF_LOCAL
98 #define AF_LOCAL AF_UNIX
99 #endif
100
101 /** number of seconds timeout on incoming remote control handshake */
102 #define REMOTE_CONTROL_TCP_TIMEOUT 120
103
104 /** repattern to master or slave */
105 #define REPAT_SLAVE 1
106 #define REPAT_MASTER 2
107 #define REPAT_CATALOG_CONSUMER 4
108 #define REPAT_CATALOG_CONSUMER_DEINIT 8
109
110 /** if you want zero to be inhibited in stats output.
111 * it omits zeroes for types that have no acronym and unused-rcodes */
112 const int inhibit_zero = 1;
113
114 /**
115 * a busy control command connection, SSL state
116 * Defined here to keep the definition private, and keep SSL out of the .h
117 */
118 struct rc_state {
119 /** the next item in list */
120 struct rc_state* next, *prev;
121 /* if the event was added to the event_base */
122 int event_added;
123 /** the commpoint */
124 struct event c;
125 /** timeout for this state */
126 struct timeval tval;
127 /** in the handshake part */
128 enum { rc_none, rc_hs_read, rc_hs_write } shake_state;
129 #ifdef HAVE_SSL
130 /** the ssl state */
131 SSL* ssl;
132 #endif
133 /** file descriptor */
134 int fd;
135 /** the rc this is part of */
136 struct daemon_remote* rc;
137 /** stats list next item */
138 struct rc_state* stats_next;
139 };
140
141 /**
142 * list of events for accepting connections
143 */
144 struct acceptlist {
145 struct acceptlist* next;
146 int event_added;
147 struct event c;
148 char* ident;
149 struct daemon_remote* rc;
150 };
151
152 /**
153 * The remote control state.
154 */
155 struct daemon_remote {
156 /** the master process for this remote control */
157 struct xfrd_state* xfrd;
158 /** commpoints for accepting remote control connections */
159 struct acceptlist* accept_list;
160 /* if certificates are used */
161 int use_cert;
162 /** number of active commpoints that are handling remote control */
163 int active;
164 /** max active commpoints */
165 int max_active;
166 /** current commpoints busy; double linked, malloced */
167 struct rc_state* busy_list;
168 /** last time stats was reported */
169 struct timeval stats_time, boot_time;
170 #ifdef HAVE_SSL
171 /** the SSL context for creating new SSL streams */
172 SSL_CTX* ctx;
173 #endif
174 };
175
176 /**
177 * Connection to print to, either SSL or plain over fd
178 */
179 struct remote_stream {
180 #ifdef HAVE_SSL
181 /** SSL structure, nonNULL if using SSL */
182 SSL* ssl;
183 #endif
184 /** file descriptor for plain transfer */
185 int fd;
186 };
187 typedef struct remote_stream RES;
188
189 /**
190 * Print fixed line of text over ssl connection in blocking mode
191 * @param res: print to
192 * @param text: the text.
193 * @return false on connection failure.
194 */
195 static int ssl_print_text(RES* res, const char* text);
196
197 /**
198 * printf style printing to the ssl connection
199 * @param res: the RES connection to print to. Blocking.
200 * @param format: printf style format string.
201 * @return success or false on a network failure.
202 */
203 static int ssl_printf(RES* res, const char* format, ...)
204 ATTR_FORMAT(printf, 2, 3);
205
206 /**
207 * Read until \n is encountered
208 * If stream signals EOF, the string up to then is returned (without \n).
209 * @param res: the RES connection to read from. blocking.
210 * @param buf: buffer to read to.
211 * @param max: size of buffer.
212 * @return false on connection failure.
213 */
214 static int ssl_read_line(RES* res, char* buf, size_t max);
215
216 /** perform the accept of a new remote control connection */
217 static void
218 remote_accept_callback(int fd, short event, void* arg);
219
220 /** perform remote control */
221 static void
222 remote_control_callback(int fd, short event, void* arg);
223
224 #ifdef BIND8_STATS
225 /* process the statistics and output them */
226 static void process_stats(RES* ssl, xfrd_state_type* xfrd, int peek);
227 #endif
228
229 /** ---- end of private defines ---- **/
230
231 #ifdef HAVE_SSL
232 /** log ssl crypto err */
233 static void
log_crypto_err(const char * str)234 log_crypto_err(const char* str)
235 {
236 /* error:[error code]:[library name]:[function name]:[reason string] */
237 char buf[128];
238 unsigned long e;
239 ERR_error_string_n(ERR_get_error(), buf, sizeof(buf));
240 log_msg(LOG_ERR, "%s crypto %s", str, buf);
241 while( (e=ERR_get_error()) ) {
242 ERR_error_string_n(e, buf, sizeof(buf));
243 log_msg(LOG_ERR, "and additionally crypto %s", buf);
244 }
245 }
246 #endif /* HAVE_SSL */
247
248 #ifdef BIND8_STATS
249 /** subtract timers and the values do not overflow or become negative */
250 static void
timeval_subtract(struct timeval * d,const struct timeval * end,const struct timeval * start)251 timeval_subtract(struct timeval* d, const struct timeval* end,
252 const struct timeval* start)
253 {
254 #ifndef S_SPLINT_S
255 time_t end_usec = end->tv_usec;
256 d->tv_sec = end->tv_sec - start->tv_sec;
257 if(end_usec < start->tv_usec) {
258 end_usec += 1000000;
259 d->tv_sec--;
260 }
261 d->tv_usec = end_usec - start->tv_usec;
262 #endif
263 }
264 #endif /* BIND8_STATS */
265
266 #ifdef HAVE_SSL
267 static int
remote_setup_ctx(struct daemon_remote * rc,struct nsd_options * cfg)268 remote_setup_ctx(struct daemon_remote* rc, struct nsd_options* cfg)
269 {
270 char* s_cert = cfg->server_cert_file;
271 char* s_key = cfg->server_key_file;
272 rc->ctx = server_tls_ctx_setup(s_key, s_cert, s_cert);
273 if(!rc->ctx) {
274 log_msg(LOG_ERR, "could not setup remote control TLS context");
275 return 0;
276 }
277 return 1;
278 }
279 #endif /* HAVE_SSL */
280
281 struct daemon_remote*
daemon_remote_create(struct nsd_options * cfg)282 daemon_remote_create(struct nsd_options* cfg)
283 {
284 struct daemon_remote* rc = (struct daemon_remote*)xalloc_zero(
285 sizeof(*rc));
286 rc->max_active = 10;
287 assert(cfg->control_enable);
288
289 if(options_remote_is_address(cfg)) {
290 #ifdef HAVE_SSL
291 if(!remote_setup_ctx(rc, cfg)) {
292 daemon_remote_delete(rc);
293 return NULL;
294 }
295 rc->use_cert = 1;
296 #else
297 log_msg(LOG_ERR, "Could not setup remote control: NSD was compiled without SSL.");
298 #endif /* HAVE_SSL */
299 } else {
300 struct ip_address_option* o;
301 #ifdef HAVE_SSL
302 rc->ctx = NULL;
303 #endif
304 rc->use_cert = 0;
305 for(o = cfg->control_interface; o; o = o->next) {
306 if(o->address && o->address[0] != '/')
307 log_msg(LOG_WARNING, "control-interface %s is not using TLS, but plain transfer, because first control-interface in config file is a local socket (starts with a /).", o->address);
308 }
309 }
310
311 /* and try to open the ports */
312 if(!daemon_remote_open_ports(rc, cfg)) {
313 log_msg(LOG_ERR, "could not open remote control port");
314 daemon_remote_delete(rc);
315 return NULL;
316 }
317
318 if(gettimeofday(&rc->boot_time, NULL) == -1)
319 log_msg(LOG_ERR, "gettimeofday: %s", strerror(errno));
320 rc->stats_time = rc->boot_time;
321
322 return rc;
323 }
324
daemon_remote_close(struct daemon_remote * rc)325 void daemon_remote_close(struct daemon_remote* rc)
326 {
327 struct rc_state* p, *np;
328 struct acceptlist* h, *nh;
329 if(!rc) return;
330
331 /* close listen sockets */
332 h = rc->accept_list;
333 while(h) {
334 nh = h->next;
335 if(h->event_added)
336 event_del(&h->c);
337 close(h->c.ev_fd);
338 free(h->ident);
339 free(h);
340 h = nh;
341 }
342 rc->accept_list = NULL;
343
344 /* close busy connection sockets */
345 p = rc->busy_list;
346 while(p) {
347 np = p->next;
348 if(p->event_added)
349 event_del(&p->c);
350 #ifdef HAVE_SSL
351 if(p->ssl)
352 SSL_free(p->ssl);
353 #endif
354 close(p->c.ev_fd);
355 free(p);
356 p = np;
357 }
358 rc->busy_list = NULL;
359 rc->active = 0;
360 }
361
daemon_remote_delete(struct daemon_remote * rc)362 void daemon_remote_delete(struct daemon_remote* rc)
363 {
364 if(!rc) return;
365 daemon_remote_close(rc);
366 #ifdef HAVE_SSL
367 if(rc->ctx) {
368 SSL_CTX_free(rc->ctx);
369 }
370 #endif
371 free(rc);
372 }
373
374 static int
create_tcp_accept_sock(struct addrinfo * addr,int * noproto)375 create_tcp_accept_sock(struct addrinfo* addr, int* noproto)
376 {
377 #if defined(SO_REUSEADDR) || (defined(INET6) && (defined(IPV6_V6ONLY) || defined(IPV6_USE_MIN_MTU) || defined(IPV6_MTU)))
378 int on = 1;
379 #endif
380 int s;
381 *noproto = 0;
382 if ((s = socket(addr->ai_family, addr->ai_socktype, 0)) == -1) {
383 #if defined(INET6)
384 if (addr->ai_family == AF_INET6 &&
385 errno == EAFNOSUPPORT) {
386 *noproto = 1;
387 log_msg(LOG_WARNING, "fallback to TCP4, no IPv6: not supported");
388 return -1;
389 }
390 #endif /* INET6 */
391 log_msg(LOG_ERR, "can't create a socket: %s", strerror(errno));
392 return -1;
393 }
394 #ifdef SO_REUSEADDR
395 if (setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) < 0) {
396 log_msg(LOG_ERR, "setsockopt(..., SO_REUSEADDR, ...) failed: %s", strerror(errno));
397 }
398 #endif /* SO_REUSEADDR */
399 #if defined(INET6) && defined(IPV6_V6ONLY)
400 if (addr->ai_family == AF_INET6 &&
401 setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)) < 0)
402 {
403 log_msg(LOG_ERR, "setsockopt(..., IPV6_V6ONLY, ...) failed: %s", strerror(errno));
404 close(s);
405 return -1;
406 }
407 #endif
408 /* set it nonblocking */
409 /* (StevensUNP p463), if tcp listening socket is blocking, then
410 it may block in accept, even if select() says readable. */
411 if (fcntl(s, F_SETFL, O_NONBLOCK) == -1) {
412 log_msg(LOG_ERR, "cannot fcntl tcp: %s", strerror(errno));
413 }
414 /* Bind it... */
415 if (bind(s, (struct sockaddr *)addr->ai_addr, addr->ai_addrlen) != 0) {
416 log_msg(LOG_ERR, "can't bind tcp socket: %s", strerror(errno));
417 close(s);
418 return -1;
419 }
420 /* Listen to it... */
421 if (listen(s, TCP_BACKLOG_REMOTE) == -1) {
422 log_msg(LOG_ERR, "can't listen: %s", strerror(errno));
423 close(s);
424 return -1;
425 }
426 return s;
427 }
428
429 /**
430 * Add and open a new control port
431 * @param rc: rc with result list.
432 * @param ip: ip str
433 * @param nr: port nr
434 * @param noproto_is_err: if lack of protocol support is an error.
435 * @return false on failure.
436 */
437 static int
add_open(struct daemon_remote * rc,struct nsd_options * cfg,const char * ip,int nr,int noproto_is_err)438 add_open(struct daemon_remote* rc, struct nsd_options* cfg, const char* ip,
439 int nr, int noproto_is_err)
440 {
441 struct addrinfo hints;
442 struct addrinfo* res;
443 struct acceptlist* hl;
444 int noproto = 0;
445 int fd, r;
446 char port[15];
447 snprintf(port, sizeof(port), "%d", nr);
448 port[sizeof(port)-1]=0;
449 memset(&hints, 0, sizeof(hints));
450 assert(ip);
451
452 if(ip[0] == '/') {
453 /* This looks like a local socket */
454 fd = create_local_accept_sock(ip, &noproto);
455 /*
456 * Change socket ownership and permissions so users other
457 * than root can access it provided they are in the same
458 * group as the user we run as.
459 */
460 if(fd != -1) {
461 #ifdef HAVE_CHOWN
462 if(chmod(ip, (mode_t)(S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP)) == -1) {
463 VERBOSITY(3, (LOG_INFO, "cannot chmod control socket %s: %s", ip, strerror(errno)));
464 }
465 if (cfg->username && cfg->username[0] &&
466 nsd.uid != (uid_t)-1) {
467 if(chown(ip, nsd.uid, nsd.gid) == -1)
468 VERBOSITY(2, (LOG_INFO, "cannot chown %u.%u %s: %s",
469 (unsigned)nsd.uid, (unsigned)nsd.gid,
470 ip, strerror(errno)));
471 }
472 #else
473 (void)cfg;
474 #endif
475 }
476 } else {
477 hints.ai_socktype = SOCK_STREAM;
478 hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
479 /* if we had no interface ip name, "default" is what we
480 * would do getaddrinfo for. */
481 if((r = getaddrinfo(ip, port, &hints, &res)) != 0 || !res) {
482 log_msg(LOG_ERR, "control interface %s:%s getaddrinfo: %s %s",
483 ip, port, gai_strerror(r),
484 #ifdef EAI_SYSTEM
485 r==EAI_SYSTEM?(char*)strerror(errno):""
486 #else
487 ""
488 #endif
489 );
490 return 0;
491 }
492
493 /* open fd */
494 fd = create_tcp_accept_sock(res, &noproto);
495 freeaddrinfo(res);
496 }
497
498 if(fd == -1 && noproto) {
499 if(!noproto_is_err)
500 return 1; /* return success, but do nothing */
501 log_msg(LOG_ERR, "cannot open control interface %s %d : "
502 "protocol not supported", ip, nr);
503 return 0;
504 }
505 if(fd == -1) {
506 log_msg(LOG_ERR, "cannot open control interface %s %d", ip, nr);
507 return 0;
508 }
509
510 /* alloc */
511 hl = (struct acceptlist*)xalloc_zero(sizeof(*hl));
512 hl->rc = rc;
513 hl->ident = strdup(ip);
514 if(!hl->ident) {
515 log_msg(LOG_ERR, "malloc failure");
516 close(fd);
517 free(hl);
518 return 0;
519 }
520 hl->next = rc->accept_list;
521 rc->accept_list = hl;
522
523 hl->c.ev_fd = fd;
524 hl->event_added = 0;
525 return 1;
526 }
527
528 int
daemon_remote_open_ports(struct daemon_remote * rc,struct nsd_options * cfg)529 daemon_remote_open_ports(struct daemon_remote* rc, struct nsd_options* cfg)
530 {
531 assert(cfg->control_enable && cfg->control_port);
532 if(cfg->control_interface) {
533 ip_address_option_type* p;
534 for(p = cfg->control_interface; p; p = p->next) {
535 if(!add_open(rc, cfg, p->address, cfg->control_port, 1)) {
536 return 0;
537 }
538 }
539 } else {
540 /* defaults */
541 if(cfg->do_ip6 && !add_open(rc, cfg, "::1", cfg->control_port, 0)) {
542 return 0;
543 }
544 if(cfg->do_ip4 &&
545 !add_open(rc, cfg, "127.0.0.1", cfg->control_port, 1)) {
546 return 0;
547 }
548 }
549 return 1;
550 }
551
552 void
daemon_remote_attach(struct daemon_remote * rc,struct xfrd_state * xfrd)553 daemon_remote_attach(struct daemon_remote* rc, struct xfrd_state* xfrd)
554 {
555 int fd;
556 struct acceptlist* p;
557 if(!rc) return;
558 rc->xfrd = xfrd;
559 for(p = rc->accept_list; p; p = p->next) {
560 /* add event */
561 fd = p->c.ev_fd;
562 memset(&p->c, 0, sizeof(p->c));
563 event_set(&p->c, fd, EV_PERSIST|EV_READ, remote_accept_callback,
564 p);
565 if(event_base_set(xfrd->event_base, &p->c) != 0)
566 log_msg(LOG_ERR, "remote: cannot set event_base");
567 if(event_add(&p->c, NULL) != 0)
568 log_msg(LOG_ERR, "remote: cannot add event");
569 p->event_added = 1;
570 }
571 }
572
573 static void
remote_accept_callback(int fd,short event,void * arg)574 remote_accept_callback(int fd, short event, void* arg)
575 {
576 struct acceptlist *hl = (struct acceptlist*)arg;
577 struct daemon_remote *rc = hl->rc;
578 #ifdef INET6
579 struct sockaddr_storage addr;
580 #else
581 struct sockaddr_in addr;
582 #endif
583 socklen_t addrlen;
584 int newfd;
585 struct rc_state* n;
586
587 if (!(event & EV_READ)) {
588 return;
589 }
590
591 /* perform the accept */
592 addrlen = sizeof(addr);
593 #ifndef HAVE_ACCEPT4
594 newfd = accept(fd, (struct sockaddr*)&addr, &addrlen);
595 #else
596 newfd = accept4(fd, (struct sockaddr*)&addr, &addrlen, SOCK_NONBLOCK);
597 #endif
598 if(newfd == -1) {
599 if ( errno != EINTR
600 && errno != EWOULDBLOCK
601 #ifdef ECONNABORTED
602 && errno != ECONNABORTED
603 #endif /* ECONNABORTED */
604 #ifdef EPROTO
605 && errno != EPROTO
606 #endif /* EPROTO */
607 ) {
608 log_msg(LOG_ERR, "accept failed: %s", strerror(errno));
609 }
610 return;
611 }
612
613 /* create new commpoint unless we are servicing already */
614 if(rc->active >= rc->max_active) {
615 log_msg(LOG_WARNING, "drop incoming remote control: "
616 "too many connections");
617 close_exit:
618 close(newfd);
619 return;
620 }
621
622 #ifndef HAVE_ACCEPT4
623 if (fcntl(newfd, F_SETFL, O_NONBLOCK) == -1) {
624 log_msg(LOG_ERR, "fcntl failed: %s", strerror(errno));
625 goto close_exit;
626 }
627 #endif
628
629 /* setup state to service the remote control command */
630 n = (struct rc_state*)calloc(1, sizeof(*n));
631 if(!n) {
632 log_msg(LOG_ERR, "out of memory");
633 goto close_exit;
634 }
635
636 n->tval.tv_sec = REMOTE_CONTROL_TCP_TIMEOUT;
637 n->tval.tv_usec = 0L;
638 n->fd = newfd;
639
640 memset(&n->c, 0, sizeof(n->c));
641 event_set(&n->c, newfd, EV_PERSIST|EV_TIMEOUT|EV_READ,
642 remote_control_callback, n);
643 if(event_base_set(xfrd->event_base, &n->c) != 0) {
644 log_msg(LOG_ERR, "remote_accept: cannot set event_base");
645 free(n);
646 goto close_exit;
647 }
648 if(event_add(&n->c, &n->tval) != 0) {
649 log_msg(LOG_ERR, "remote_accept: cannot add event");
650 free(n);
651 goto close_exit;
652 }
653 n->event_added = 1;
654
655 if(2 <= verbosity) {
656 if(hl->ident && hl->ident[0] == '/') {
657 VERBOSITY(2, (LOG_INFO, "new control connection from %s", hl->ident));
658 } else {
659 char s[128];
660 addr2str(&addr, s, sizeof(s));
661 VERBOSITY(2, (LOG_INFO, "new control connection from %s", s));
662 }
663 }
664
665 #ifdef HAVE_SSL
666 if(rc->ctx) {
667 n->shake_state = rc_hs_read;
668 n->ssl = SSL_new(rc->ctx);
669 if(!n->ssl) {
670 log_crypto_err("could not SSL_new");
671 if(n->event_added)
672 event_del(&n->c);
673 free(n);
674 goto close_exit;
675 }
676 SSL_set_accept_state(n->ssl);
677 (void)SSL_set_mode(n->ssl, SSL_MODE_AUTO_RETRY);
678 if(!SSL_set_fd(n->ssl, newfd)) {
679 log_crypto_err("could not SSL_set_fd");
680 if(n->event_added)
681 event_del(&n->c);
682 SSL_free(n->ssl);
683 free(n);
684 goto close_exit;
685 }
686 } else {
687 n->ssl = NULL;
688 }
689 #endif /* HAVE_SSL */
690
691 n->rc = rc;
692 n->stats_next = NULL;
693 n->prev = NULL;
694 n->next = rc->busy_list;
695 if(n->next) n->next->prev = n;
696 rc->busy_list = n;
697 rc->active ++;
698
699 /* perform the first nonblocking read already, for windows,
700 * so it can return wouldblock. could be faster too. */
701 remote_control_callback(newfd, EV_READ, n);
702 }
703
704 /** delete from list */
705 static void
state_list_remove_elem(struct rc_state ** list,struct rc_state * todel)706 state_list_remove_elem(struct rc_state** list, struct rc_state* todel)
707 {
708 if(todel->prev) todel->prev->next = todel->next;
709 else *list = todel->next;
710 if(todel->next) todel->next->prev = todel->prev;
711 }
712
713 /** decrease active count and remove commpoint from busy list */
714 static void
clean_point(struct daemon_remote * rc,struct rc_state * s)715 clean_point(struct daemon_remote* rc, struct rc_state* s)
716 {
717 state_list_remove_elem(&rc->busy_list, s);
718 rc->active --;
719 if(s->event_added)
720 event_del(&s->c);
721 #ifdef HAVE_SSL
722 if(s->ssl) {
723 SSL_shutdown(s->ssl);
724 SSL_free(s->ssl);
725 }
726 #endif /* HAVE_SSL */
727 close(s->c.ev_fd);
728 free(s);
729 }
730
731 static int
ssl_print_text(RES * res,const char * text)732 ssl_print_text(RES* res, const char* text)
733 {
734 if(!res)
735 return 0;
736 #ifdef HAVE_SSL
737 if(res->ssl) {
738 int r;
739 ERR_clear_error();
740 if((r=SSL_write(res->ssl, text, (int)strlen(text))) <= 0) {
741 if(SSL_get_error(res->ssl, r) == SSL_ERROR_ZERO_RETURN) {
742 VERBOSITY(2, (LOG_WARNING, "in SSL_write, peer "
743 "closed connection"));
744 return 0;
745 }
746 log_crypto_err("could not SSL_write");
747 return 0;
748 }
749 } else {
750 #endif /* HAVE_SSL */
751 if(write_socket(res->fd, text, strlen(text)) <= 0) {
752 log_msg(LOG_ERR, "could not write: %s",
753 strerror(errno));
754 return 0;
755 }
756 #ifdef HAVE_SSL
757 }
758 #endif /* HAVE_SSL */
759 return 1;
760 }
761
762 /** print text over the ssl connection */
763 static int
ssl_print_vmsg(RES * ssl,const char * format,va_list args)764 ssl_print_vmsg(RES* ssl, const char* format, va_list args)
765 {
766 char msg[1024];
767 vsnprintf(msg, sizeof(msg), format, args);
768 return ssl_print_text(ssl, msg);
769 }
770
771 /** printf style printing to the ssl connection */
772 static int
ssl_printf(RES * ssl,const char * format,...)773 ssl_printf(RES* ssl, const char* format, ...)
774 {
775 va_list args;
776 int ret;
777 va_start(args, format);
778 ret = ssl_print_vmsg(ssl, format, args);
779 va_end(args);
780 return ret;
781 }
782
783 static int
ssl_read_line(RES * res,char * buf,size_t max)784 ssl_read_line(RES* res, char* buf, size_t max)
785 {
786 size_t len = 0;
787 if(!res)
788 return 0;
789 while(len < max) {
790 buf[len] = 0; /* terminate for safety and please checkers */
791 /* this byte is written if we read a byte from the input */
792 #ifdef HAVE_SSL
793 if(res->ssl) {
794 int r;
795 ERR_clear_error();
796 if((r=SSL_read(res->ssl, buf+len, 1)) <= 0) {
797 if(SSL_get_error(res->ssl, r) == SSL_ERROR_ZERO_RETURN) {
798 buf[len] = 0;
799 return 1;
800 }
801 log_crypto_err("could not SSL_read");
802 return 0;
803 }
804 } else {
805 #endif /* HAVE_SSL */
806 while(1) {
807 ssize_t rr = read(res->fd, buf+len, 1);
808 if(rr <= 0) {
809 if(rr == 0) {
810 buf[len] = 0;
811 return 1;
812 }
813 if(errno == EINTR || errno == EAGAIN)
814 continue;
815 log_msg(LOG_ERR, "could not read: %s",
816 strerror(errno));
817 return 0;
818 }
819 break;
820 }
821 #ifdef HAVE_SSL
822 }
823 #endif /* HAVE_SSL */
824 if(buf[len] == '\n') {
825 /* return string without \n */
826 buf[len] = 0;
827 return 1;
828 }
829 len++;
830 }
831 buf[max-1] = 0;
832 log_msg(LOG_ERR, "control line too long (%d): %s", (int)max, buf);
833 return 0;
834 }
835
836 /** skip whitespace, return new pointer into string */
837 static char*
skipwhite(char * str)838 skipwhite(char* str)
839 {
840 /* EOS \0 is not a space */
841 while( isspace((unsigned char)*str) )
842 str++;
843 return str;
844 }
845
846 /** send the OK to the control client */
847 static void
send_ok(RES * ssl)848 send_ok(RES* ssl)
849 {
850 (void)ssl_printf(ssl, "ok\n");
851 }
852
853 /** get zone argument (if any) or NULL, false on error */
854 static int
get_zone_arg(RES * ssl,xfrd_state_type * xfrd,char * arg,struct zone_options ** zo)855 get_zone_arg(RES* ssl, xfrd_state_type* xfrd, char* arg,
856 struct zone_options** zo)
857 {
858 const dname_type* dname;
859 if(!arg[0]) {
860 /* no argument present, return NULL */
861 *zo = NULL;
862 return 1;
863 }
864 dname = dname_parse(xfrd->region, arg);
865 if(!dname) {
866 (void)ssl_printf(ssl, "error cannot parse zone name '%s'\n", arg);
867 *zo = NULL;
868 return 0;
869 }
870 *zo = zone_options_find(xfrd->nsd->options, dname);
871 region_recycle(xfrd->region, (void*)dname, dname_total_size(dname));
872 if(!*zo) {
873 (void)ssl_printf(ssl, "error zone %s not configured\n", arg);
874 return 0;
875 }
876 return 1;
877 }
878
879 /** do the stop command */
880 static void
do_stop(RES * ssl,xfrd_state_type * xfrd)881 do_stop(RES* ssl, xfrd_state_type* xfrd)
882 {
883 xfrd->need_to_send_shutdown = 1;
884
885 if(!(xfrd->ipc_handler_flags&EV_WRITE)) {
886 ipc_xfrd_set_listening(xfrd, EV_PERSIST|EV_READ|EV_WRITE);
887 }
888
889 send_ok(ssl);
890 }
891
892 /** do the log_reopen command, it only needs reload_now */
893 static void
do_log_reopen(RES * ssl,xfrd_state_type * xfrd)894 do_log_reopen(RES* ssl, xfrd_state_type* xfrd)
895 {
896 xfrd_set_reload_now(xfrd);
897 send_ok(ssl);
898 }
899
900 /** do the reload command */
901 static void
do_reload(RES * ssl,xfrd_state_type * xfrd,char * arg)902 do_reload(RES* ssl, xfrd_state_type* xfrd, char* arg)
903 {
904 struct zone_options* zo;
905 if(!get_zone_arg(ssl, xfrd, arg, &zo))
906 return;
907 task_new_check_zonefiles(xfrd->nsd->task[xfrd->nsd->mytask],
908 xfrd->last_task, zo?(const dname_type*)zo->node.key:NULL);
909 xfrd_set_reload_now(xfrd);
910 send_ok(ssl);
911 }
912
913 /** do the write command */
914 static void
do_write(RES * ssl,xfrd_state_type * xfrd,char * arg)915 do_write(RES* ssl, xfrd_state_type* xfrd, char* arg)
916 {
917 struct zone_options* zo;
918 if(!get_zone_arg(ssl, xfrd, arg, &zo))
919 return;
920 task_new_write_zonefiles(xfrd->nsd->task[xfrd->nsd->mytask],
921 xfrd->last_task, zo?(const dname_type*)zo->node.key:NULL);
922 xfrd_set_reload_now(xfrd);
923 send_ok(ssl);
924 }
925
926 /** do the notify command */
927 static void
do_notify(RES * ssl,xfrd_state_type * xfrd,char * arg)928 do_notify(RES* ssl, xfrd_state_type* xfrd, char* arg)
929 {
930 struct zone_options* zo;
931 if(!get_zone_arg(ssl, xfrd, arg, &zo))
932 return;
933 if(zo) {
934 struct notify_zone* n = (struct notify_zone*)rbtree_search(
935 xfrd->notify_zones, (const dname_type*)zo->node.key);
936 if(n) {
937 xfrd_notify_start(n, xfrd);
938 send_ok(ssl);
939 } else {
940 (void)ssl_printf(ssl, "error zone does not have notify\n");
941 }
942 } else {
943 struct notify_zone* n;
944 RBTREE_FOR(n, struct notify_zone*, xfrd->notify_zones) {
945 xfrd_notify_start(n, xfrd);
946 }
947 send_ok(ssl);
948 }
949 }
950
951 /** do the transfer command */
952 static void
do_transfer(RES * ssl,xfrd_state_type * xfrd,char * arg)953 do_transfer(RES* ssl, xfrd_state_type* xfrd, char* arg)
954 {
955 struct zone_options* zo;
956 xfrd_zone_type* zone;
957 if(!get_zone_arg(ssl, xfrd, arg, &zo))
958 return;
959 if(zo) {
960 zone = (xfrd_zone_type*)rbtree_search(xfrd->zones, (const
961 dname_type*)zo->node.key);
962 if(zone) {
963 xfrd_handle_notify_and_start_xfr(zone, NULL);
964 send_ok(ssl);
965 } else {
966 (void)ssl_printf(ssl, "error zone not secondary\n");
967 }
968 } else {
969 RBTREE_FOR(zone, xfrd_zone_type*, xfrd->zones) {
970 xfrd_handle_notify_and_start_xfr(zone, NULL);
971 }
972 (void)ssl_printf(ssl, "ok, %lu zones\n", (unsigned long)xfrd->zones->count);
973 }
974 }
975
976 /** force transfer a zone */
977 static void
force_transfer_zone(xfrd_zone_type * zone)978 force_transfer_zone(xfrd_zone_type* zone)
979 {
980 /* if in TCP transaction, stop it immediately. */
981 if(zone->tcp_conn != -1)
982 xfrd_tcp_release(xfrd->tcp_set, zone);
983 else if(zone->zone_handler.ev_fd != -1)
984 xfrd_udp_release(zone);
985 /* pretend we not longer have it and force any
986 * zone to be downloaded (even same serial, w AXFR) */
987 zone->soa_disk_acquired = 0;
988 zone->soa_nsd_acquired = 0;
989 xfrd_handle_notify_and_start_xfr(zone, NULL);
990 }
991
992 /** do the force transfer command */
993 static void
do_force_transfer(RES * ssl,xfrd_state_type * xfrd,char * arg)994 do_force_transfer(RES* ssl, xfrd_state_type* xfrd, char* arg)
995 {
996 struct zone_options* zo;
997 xfrd_zone_type* zone;
998 if(!get_zone_arg(ssl, xfrd, arg, &zo))
999 return;
1000 if(zo) {
1001 zone = (xfrd_zone_type*)rbtree_search(xfrd->zones, (const
1002 dname_type*)zo->node.key);
1003 if(zone) {
1004 force_transfer_zone(zone);
1005 send_ok(ssl);
1006 } else {
1007 (void)ssl_printf(ssl, "error zone not secondary\n");
1008 }
1009 } else {
1010 RBTREE_FOR(zone, xfrd_zone_type*, xfrd->zones) {
1011 force_transfer_zone(zone);
1012 }
1013 (void)ssl_printf(ssl, "ok, %lu zones\n", (unsigned long)xfrd->zones->count);
1014 }
1015 }
1016
1017 static int
print_soa_status(RES * ssl,const char * str,xfrd_soa_type * soa,time_t acq)1018 print_soa_status(RES* ssl, const char* str, xfrd_soa_type* soa, time_t acq)
1019 {
1020 if(acq) {
1021 if(!ssl_printf(ssl, " %s: \"%u since %s\"\n", str,
1022 (unsigned)ntohl(soa->serial), xfrd_pretty_time(acq)))
1023 return 0;
1024 } else {
1025 if(!ssl_printf(ssl, " %s: none\n", str))
1026 return 0;
1027 }
1028 return 1;
1029 }
1030
1031 /** print zonestatus for one domain */
1032 static int
print_zonestatus(RES * ssl,xfrd_state_type * xfrd,struct zone_options * zo)1033 print_zonestatus(RES* ssl, xfrd_state_type* xfrd, struct zone_options* zo)
1034 {
1035 xfrd_zone_type* xz = (xfrd_zone_type*)rbtree_search(xfrd->zones,
1036 (const dname_type*)zo->node.key);
1037 struct notify_zone* nz = (struct notify_zone*)rbtree_search(
1038 xfrd->notify_zones, (const dname_type*)zo->node.key);
1039 if(!ssl_printf(ssl, "zone: %s\n", zo->name))
1040 return 0;
1041 if(!zo->part_of_config) {
1042 if(!ssl_printf(ssl, " pattern: %s\n", zo->pattern->pname))
1043 return 0;
1044 }
1045 if(zone_is_catalog_consumer(zo)) {
1046 zone_type* zone = namedb_find_zone(xfrd->nsd->db,
1047 (const dname_type*)zo->node.key);
1048 struct xfrd_catalog_consumer_zone* consumer_zone =
1049 (struct xfrd_catalog_consumer_zone*)
1050 rbtree_search( xfrd->catalog_consumer_zones
1051 , zo->node.key);
1052
1053 if(!ssl_printf(ssl, " catalog: consumer"))
1054 return 0;
1055 if(zone && zone->soa_rrset && zone->soa_rrset->rrs
1056 && zone->soa_rrset->rrs[0].rdata_count > 2
1057 && rdata_atom_size(zone->soa_rrset->rrs[0].rdatas[2]) ==
1058 sizeof(uint32_t)) {
1059 if(!ssl_printf(ssl, " (serial: %u, # members: %zu)\n",
1060 read_uint32(rdata_atom_data(
1061 zone->soa_rrset->rrs[0].rdatas[2])),
1062 consumer_zone
1063 ? consumer_zone->member_ids.count : 0))
1064 return 0;
1065
1066 } else if(!ssl_printf(ssl, "\n"))
1067 return 0;
1068 if(invalid_catalog_consumer_zone(zo)) {
1069 if(!ssl_printf(ssl, " catalog-invalid: %s\n",
1070 invalid_catalog_consumer_zone(zo)))
1071 return 0;
1072 }
1073 }
1074 if(zone_is_catalog_producer(zo)) {
1075 struct xfrd_catalog_producer_zone* producer_zone =
1076 (struct xfrd_catalog_producer_zone*)
1077 rbtree_search( xfrd->catalog_producer_zones
1078 , zo->node.key);
1079 if(!ssl_printf(ssl, " catalog: producer"))
1080 return 0;
1081 if(producer_zone) {
1082 if(!ssl_printf(ssl, " (serial: %u, # members: %zu)\n",
1083 (unsigned)producer_zone->serial,
1084 producer_zone->member_ids.count))
1085 return 0;
1086 } else if(!ssl_printf(ssl, "\n"))
1087 return 0;
1088 if (zone_is_slave(zo)) {
1089 if(!ssl_printf(ssl, " catalog-invalid: a catalog "
1090 "producer cannot be a secondary zone"))
1091 return 0;
1092 }
1093 }
1094 if(zone_is_catalog_member(zo)) {
1095 if(!ssl_printf(ssl, " catalog-member-id: %s\n",
1096 as_catalog_member_zone(zo)->member_id
1097 ? dname_to_string(as_catalog_member_zone(zo)->member_id, NULL)
1098 : "ERROR member-id is missing!"))
1099 return 0;
1100 }
1101 if(nz) {
1102 if(nz->is_waiting) {
1103 if(!ssl_printf(ssl, " notify: \"waiting-for-fd\"\n"))
1104 return 0;
1105 } else if(nz->notify_send_enable || nz->notify_send6_enable) {
1106 int i;
1107 if(!ssl_printf(ssl, " notify: \"send"))
1108 return 0;
1109 for(i=0; i<NOTIFY_CONCURRENT_MAX; i++) {
1110 if(!nz->pkts[i].dest) continue;
1111 if(!ssl_printf(ssl, " %s",
1112 nz->pkts[i].dest->ip_address_spec))
1113 return 0;
1114 }
1115 if(!ssl_printf(ssl, " with serial %u\"\n",
1116 (unsigned)ntohl(nz->current_soa->serial)))
1117 return 0;
1118 }
1119 }
1120 if(!xz) {
1121 if(!ssl_printf(ssl, " state: primary\n"))
1122 return 0;
1123 return 1;
1124 }
1125 if(!ssl_printf(ssl, " state: %s\n",
1126 (xz->state == xfrd_zone_ok)?"ok":(
1127 (xz->state == xfrd_zone_expired)?"expired":"refreshing")))
1128 return 0;
1129 if(!print_soa_status(ssl, "served-serial", &xz->soa_nsd,
1130 xz->soa_nsd_acquired))
1131 return 0;
1132 if(!print_soa_status(ssl, "commit-serial", &xz->soa_disk,
1133 xz->soa_disk_acquired))
1134 return 0;
1135 if(xz->round_num != -1) {
1136 if(!print_soa_status(ssl, "notified-serial", &xz->soa_notified,
1137 xz->soa_notified_acquired))
1138 return 0;
1139 } else if(xz->event_added) {
1140 if(!ssl_printf(ssl, "\twait: \"%lu sec between attempts\"\n",
1141 (unsigned long)xz->timeout.tv_sec))
1142 return 0;
1143 }
1144
1145 /* UDP */
1146 if(xz->udp_waiting) {
1147 if(!ssl_printf(ssl, " transfer: \"waiting-for-UDP-fd\"\n"))
1148 return 0;
1149 } else if(xz->zone_handler.ev_fd != -1 && xz->tcp_conn == -1) {
1150 if(!ssl_printf(ssl, " transfer: \"sent UDP to %s\"\n",
1151 xz->master->ip_address_spec))
1152 return 0;
1153 }
1154
1155 /* TCP */
1156 if(xz->tcp_waiting) {
1157 if(!ssl_printf(ssl, " transfer: \"waiting-for-TCP-fd\"\n"))
1158 return 0;
1159 } else if(xz->tcp_conn != -1) {
1160 if(!ssl_printf(ssl, " transfer: \"TCP connected to %s\"\n",
1161 xz->master->ip_address_spec))
1162 return 0;
1163 }
1164
1165 return 1;
1166 }
1167
1168 /** do the zonestatus command */
1169 static void
do_zonestatus(RES * ssl,xfrd_state_type * xfrd,char * arg)1170 do_zonestatus(RES* ssl, xfrd_state_type* xfrd, char* arg)
1171 {
1172 struct zone_options* zo;
1173 if(!get_zone_arg(ssl, xfrd, arg, &zo))
1174 return;
1175 if(zo) (void)print_zonestatus(ssl, xfrd, zo);
1176 else {
1177 RBTREE_FOR(zo, struct zone_options*,
1178 xfrd->nsd->options->zone_options) {
1179 if(!print_zonestatus(ssl, xfrd, zo))
1180 return;
1181 }
1182 }
1183 }
1184
1185 /** do the verbosity command */
1186 static void
do_verbosity(RES * ssl,char * str)1187 do_verbosity(RES* ssl, char* str)
1188 {
1189 int val = atoi(str);
1190 if(strcmp(str, "") == 0) {
1191 (void)ssl_printf(ssl, "verbosity %d\n", verbosity);
1192 return;
1193 }
1194 if(val == 0 && strcmp(str, "0") != 0) {
1195 (void)ssl_printf(ssl, "error in verbosity number syntax: %s\n", str);
1196 return;
1197 }
1198 verbosity = val;
1199 task_new_set_verbosity(xfrd->nsd->task[xfrd->nsd->mytask],
1200 xfrd->last_task, val);
1201 xfrd_set_reload_now(xfrd);
1202 send_ok(ssl);
1203 }
1204
1205 /** find second argument, modifies string */
1206 static int
find_arg2(RES * ssl,char * arg,char ** arg2)1207 find_arg2(RES* ssl, char* arg, char** arg2)
1208 {
1209 char* as = strrchr(arg, ' ');
1210 if(as) {
1211 as[0]=0;
1212 *arg2 = as+1;
1213 while(isspace((unsigned char)*as) && as > arg)
1214 as--;
1215 as[0]=0;
1216 return 1;
1217 }
1218 *arg2 = NULL;
1219 (void)ssl_printf(ssl, "error could not find next argument "
1220 "after %s\n", arg);
1221 return 0;
1222 }
1223
1224 /** find second and third arguments, modifies string,
1225 * does not print error for missing arg3 so that if it does not find an
1226 * arg3, the caller can use two arguments. */
1227 static int
find_arg3(RES * ssl,char * arg,char ** arg2,char ** arg3)1228 find_arg3(RES* ssl, char* arg, char** arg2, char** arg3)
1229 {
1230 if(find_arg2(ssl, arg, arg2)) {
1231 char* as;
1232 *arg3 = *arg2;
1233 as = strrchr(arg, ' ');
1234 if(as) {
1235 as[0]=0;
1236 *arg2 = as+1;
1237 while(isspace((unsigned char)*as) && as > arg)
1238 as--;
1239 as[0]=0;
1240 return 1;
1241 }
1242 }
1243 *arg3 = NULL;
1244 return 0;
1245 }
1246
1247 /** do the status command */
1248 static void
do_status(RES * ssl,xfrd_state_type * xfrd)1249 do_status(RES* ssl, xfrd_state_type* xfrd)
1250 {
1251 if(!ssl_printf(ssl, "version: %s\n", PACKAGE_VERSION))
1252 return;
1253 if(!ssl_printf(ssl, "verbosity: %d\n", verbosity))
1254 return;
1255 #ifdef RATELIMIT
1256 if(!ssl_printf(ssl, "ratelimit: %d\n",
1257 (int)xfrd->nsd->options->rrl_ratelimit))
1258 return;
1259 #else
1260 (void)xfrd;
1261 #endif
1262 }
1263
1264 /** do the stats command */
1265 static void
do_stats(RES * ssl,xfrd_state_type * xfrd,int peek)1266 do_stats(RES* ssl, xfrd_state_type* xfrd, int peek)
1267 {
1268 #ifdef BIND8_STATS
1269 process_stats(ssl, xfrd, peek);
1270 #else
1271 (void)xfrd; (void)peek;
1272 (void)ssl_printf(ssl, "error no stats enabled at compile time\n");
1273 #endif /* BIND8_STATS */
1274 }
1275
1276 /** see if we have more zonestatistics entries and it has to be incremented */
1277 static void
zonestat_inc_ifneeded(xfrd_state_type * xfrd)1278 zonestat_inc_ifneeded(xfrd_state_type* xfrd)
1279 {
1280 #ifdef USE_ZONE_STATS
1281 if(xfrd->nsd->options->zonestatnames->count != xfrd->zonestat_safe)
1282 task_new_zonestat_inc(xfrd->nsd->task[xfrd->nsd->mytask],
1283 xfrd->last_task,
1284 xfrd->nsd->options->zonestatnames->count);
1285 #else
1286 (void)xfrd;
1287 #endif /* USE_ZONE_STATS */
1288 }
1289
1290 /** perform the changezone command for one zone */
1291 static int
perform_changezone(RES * ssl,xfrd_state_type * xfrd,char * arg)1292 perform_changezone(RES* ssl, xfrd_state_type* xfrd, char* arg)
1293 {
1294 const dname_type* dname;
1295 struct zone_options* zopt;
1296 char* arg2 = NULL;
1297 if(!find_arg2(ssl, arg, &arg2))
1298 return 0;
1299
1300 /* if we add it to the xfrd now, then xfrd could download AXFR and
1301 * store it and the NSD-reload would see it in the difffile before
1302 * it sees the add-config task.
1303 */
1304 /* thus: AXFRs and IXFRs must store the pattern name in the
1305 * difffile, so that it can be added when the AXFR or IXFR is seen.
1306 */
1307
1308 /* check that the pattern exists */
1309 if(!rbtree_search(xfrd->nsd->options->patterns, arg2)) {
1310 (void)ssl_printf(ssl, "error pattern %s does not exist\n",
1311 arg2);
1312 return 0;
1313 }
1314
1315 dname = dname_parse(xfrd->region, arg);
1316 if(!dname) {
1317 (void)ssl_printf(ssl, "error cannot parse zone name\n");
1318 return 0;
1319 }
1320
1321 /* see if zone is a duplicate */
1322 if( (zopt=zone_options_find(xfrd->nsd->options, dname)) ) {
1323 if(zopt->part_of_config) {
1324 (void)ssl_printf(ssl, "error zone defined in nsd.conf, "
1325 "cannot delete it in this manner: remove it from "
1326 "nsd.conf yourself and repattern\n");
1327 region_recycle(xfrd->region, (void*)dname, dname_total_size(dname));
1328 dname = NULL;
1329 return 0;
1330 }
1331 if(zone_is_catalog_consumer_member(zopt)) {
1332 (void)ssl_printf(ssl, "Error: Zone is a catalog "
1333 "consumer member zone with id %s\nRepattern in the "
1334 "catalog with a group property.\n", dname_to_string(
1335 as_catalog_member_zone(zopt)->member_id, NULL));
1336 region_recycle(xfrd->region, (void*)dname, dname_total_size(dname));
1337 dname = NULL;
1338 return 0;
1339 }
1340 /* found the zone, now delete it */
1341 /* create deletion task */
1342 /* this deletion task is processed before the addition task,
1343 * that is created below, in the same reload process, causing
1344 * a seamless change from one to the other, with no downtime
1345 * for the zone. */
1346 task_new_del_zone(xfrd->nsd->task[xfrd->nsd->mytask],
1347 xfrd->last_task, dname);
1348 xfrd_set_reload_now(xfrd);
1349 /* delete it in xfrd */
1350 if(zone_is_slave(zopt)) {
1351 xfrd_del_slave_zone(xfrd, dname);
1352 }
1353 xfrd_del_notify(xfrd, dname);
1354 /* delete it in xfrd's catalog consumers list */
1355 if(zone_is_catalog_consumer(zopt)) {
1356 xfrd_deinit_catalog_consumer_zone(xfrd, dname);
1357 }
1358 /* delete from config */
1359 zone_list_del(xfrd->nsd->options, zopt);
1360 } else {
1361 (void)ssl_printf(ssl, "zone %s did not exist, creating", arg);
1362 }
1363 region_recycle(xfrd->region, (void*)dname, dname_total_size(dname));
1364 dname = NULL;
1365
1366 /* add to zonelist and adds to config in memory */
1367 zopt = zone_list_add_or_cat(xfrd->nsd->options, arg, arg2,
1368 xfrd_add_catalog_producer_member);
1369 if(!zopt) {
1370 /* also dname parse error here */
1371 (void)ssl_printf(ssl, "error could not add zonelist entry\n");
1372 return 0;
1373 }
1374 /* make addzone task and schedule reload */
1375 task_new_add_zone(xfrd->nsd->task[xfrd->nsd->mytask],
1376 xfrd->last_task, arg, arg2,
1377 getzonestatid(xfrd->nsd->options, zopt));
1378 zonestat_inc_ifneeded(xfrd);
1379 xfrd_set_reload_now(xfrd);
1380 /* add to xfrd - catalog consumer zones */
1381 if (zone_is_catalog_consumer(zopt)) {
1382 xfrd_init_catalog_consumer_zone(xfrd, zopt);
1383 }
1384 /* add to xfrd - notify (for master and slaves) */
1385 init_notify_send(xfrd->notify_zones, xfrd->region, zopt);
1386 /* add to xfrd - slave */
1387 if(zone_is_slave(zopt)) {
1388 xfrd_init_slave_zone(xfrd, zopt);
1389 }
1390 return 1;
1391 }
1392
1393 /** perform the addzone command for one zone */
1394 static int
perform_addzone(RES * ssl,xfrd_state_type * xfrd,char * arg)1395 perform_addzone(RES* ssl, xfrd_state_type* xfrd, char* arg)
1396 {
1397 const dname_type* dname;
1398 struct zone_options* zopt;
1399 char* arg2 = NULL;
1400 if(!find_arg2(ssl, arg, &arg2))
1401 return 0;
1402
1403 /* if we add it to the xfrd now, then xfrd could download AXFR and
1404 * store it and the NSD-reload would see it in the difffile before
1405 * it sees the add-config task.
1406 */
1407 /* thus: AXFRs and IXFRs must store the pattern name in the
1408 * difffile, so that it can be added when the AXFR or IXFR is seen.
1409 */
1410
1411 /* check that the pattern exists */
1412 if(!rbtree_search(xfrd->nsd->options->patterns, arg2)) {
1413 (void)ssl_printf(ssl, "error pattern %s does not exist\n",
1414 arg2);
1415 return 0;
1416 }
1417
1418 dname = dname_parse(xfrd->region, arg);
1419 if(!dname) {
1420 (void)ssl_printf(ssl, "error cannot parse zone name\n");
1421 return 0;
1422 }
1423
1424 /* see if zone is a duplicate */
1425 if( zone_options_find(xfrd->nsd->options, dname) ) {
1426 region_recycle(xfrd->region, (void*)dname,
1427 dname_total_size(dname));
1428 (void)ssl_printf(ssl, "zone %s already exists\n", arg);
1429 return 1;
1430 }
1431 region_recycle(xfrd->region, (void*)dname, dname_total_size(dname));
1432 dname = NULL;
1433
1434 /* add to zonelist and adds to config in memory */
1435 zopt = zone_list_add_or_cat(xfrd->nsd->options, arg, arg2,
1436 xfrd_add_catalog_producer_member);
1437 if(!zopt) {
1438 /* also dname parse error here */
1439 (void)ssl_printf(ssl, "error could not add zonelist entry\n");
1440 return 0;
1441 }
1442 /* make addzone task and schedule reload */
1443 task_new_add_zone(xfrd->nsd->task[xfrd->nsd->mytask],
1444 xfrd->last_task, arg, arg2,
1445 getzonestatid(xfrd->nsd->options, zopt));
1446 zonestat_inc_ifneeded(xfrd);
1447 xfrd_set_reload_now(xfrd);
1448 /* add to xfrd - catalog consumer zones */
1449 if (zone_is_catalog_consumer(zopt)) {
1450 xfrd_init_catalog_consumer_zone(xfrd, zopt);
1451 }
1452 /* add to xfrd - notify (for master and slaves) */
1453 init_notify_send(xfrd->notify_zones, xfrd->region, zopt);
1454 /* add to xfrd - slave */
1455 if(zone_is_slave(zopt)) {
1456 xfrd_init_slave_zone(xfrd, zopt);
1457 }
1458 return 1;
1459 }
1460
1461 /** perform the delzone command for one zone */
1462 static int
perform_delzone(RES * ssl,xfrd_state_type * xfrd,char * arg)1463 perform_delzone(RES* ssl, xfrd_state_type* xfrd, char* arg)
1464 {
1465 const dname_type* dname;
1466 struct zone_options* zopt;
1467 /* dont recycle dname when it becomes part of a xfrd_producer_member */
1468 int recycle_dname = 1;
1469
1470 dname = dname_parse(xfrd->region, arg);
1471 if(!dname) {
1472 (void)ssl_printf(ssl, "error cannot parse zone name\n");
1473 return 0;
1474 }
1475
1476 /* see if we have the zone in question */
1477 zopt = zone_options_find(xfrd->nsd->options, dname);
1478 if(!zopt) {
1479 region_recycle(xfrd->region, (void*)dname,
1480 dname_total_size(dname));
1481 /* nothing to do */
1482 (void)ssl_printf(ssl, "warning zone %s not present\n", arg);
1483 return 0;
1484 }
1485
1486 /* see if it can be deleted */
1487 if(zopt->part_of_config) {
1488 region_recycle(xfrd->region, (void*)dname,
1489 dname_total_size(dname));
1490 (void)ssl_printf(ssl, "error zone defined in nsd.conf, "
1491 "cannot delete it in this manner: remove it from "
1492 "nsd.conf yourself and repattern\n");
1493 return 0;
1494 }
1495 if(zone_is_catalog_consumer_member(zopt)
1496 && as_catalog_member_zone(zopt)->member_id) {
1497 (void)ssl_printf(ssl, "Error: Zone is a catalog consumer "
1498 "member zone with id %s\nRemove the member id from the "
1499 "catalog to delete this zone.\n", dname_to_string(
1500 as_catalog_member_zone(zopt)->member_id, NULL));
1501 region_recycle(xfrd->region, (void*)dname, dname_total_size(dname));
1502 dname = NULL;
1503 return 0;
1504
1505 }
1506 /* create deletion task */
1507 task_new_del_zone(xfrd->nsd->task[xfrd->nsd->mytask],
1508 xfrd->last_task, dname);
1509 xfrd_set_reload_now(xfrd);
1510 /* delete it in xfrd */
1511 if(zone_is_slave(zopt)) {
1512 xfrd_del_slave_zone(xfrd, dname);
1513 }
1514 xfrd_del_notify(xfrd, dname);
1515 /* delete it in xfrd's catalog consumers list */
1516 if(zone_is_catalog_consumer(zopt)) {
1517 xfrd_deinit_catalog_consumer_zone(xfrd, dname);
1518 } else {
1519 recycle_dname = !xfrd_del_catalog_producer_member(xfrd, dname);
1520 }
1521 /* delete from config */
1522 zone_list_del(xfrd->nsd->options, zopt);
1523
1524 if(recycle_dname)
1525 region_recycle(xfrd->region,
1526 (void*)dname, dname_total_size(dname));
1527 return 1;
1528 }
1529
1530 /** do the addzone command */
1531 static void
do_addzone(RES * ssl,xfrd_state_type * xfrd,char * arg)1532 do_addzone(RES* ssl, xfrd_state_type* xfrd, char* arg)
1533 {
1534 if(!perform_addzone(ssl, xfrd, arg))
1535 return;
1536 send_ok(ssl);
1537 }
1538
1539 /** do the delzone command */
1540 static void
do_delzone(RES * ssl,xfrd_state_type * xfrd,char * arg)1541 do_delzone(RES* ssl, xfrd_state_type* xfrd, char* arg)
1542 {
1543 if(!perform_delzone(ssl, xfrd, arg))
1544 return;
1545 send_ok(ssl);
1546 }
1547
1548 /** do the changezone command */
1549 static void
do_changezone(RES * ssl,xfrd_state_type * xfrd,char * arg)1550 do_changezone(RES* ssl, xfrd_state_type* xfrd, char* arg)
1551 {
1552 if(!perform_changezone(ssl, xfrd, arg))
1553 return;
1554 send_ok(ssl);
1555 }
1556
1557 /** do the addzones command */
1558 static void
do_addzones(RES * ssl,xfrd_state_type * xfrd)1559 do_addzones(RES* ssl, xfrd_state_type* xfrd)
1560 {
1561 char buf[2048];
1562 int num = 0;
1563 while(ssl_read_line(ssl, buf, sizeof(buf))) {
1564 if(buf[0] == 0x04 && buf[1] == 0)
1565 break; /* end of transmission */
1566 if(!perform_addzone(ssl, xfrd, buf)) {
1567 if(!ssl_printf(ssl, "error for input line '%s'\n",
1568 buf))
1569 return;
1570 } else {
1571 if(!ssl_printf(ssl, "added: %s\n", buf))
1572 return;
1573 num++;
1574 }
1575 }
1576 (void)ssl_printf(ssl, "added %d zones\n", num);
1577 }
1578
1579 /** do the delzones command */
1580 static void
do_delzones(RES * ssl,xfrd_state_type * xfrd)1581 do_delzones(RES* ssl, xfrd_state_type* xfrd)
1582 {
1583 char buf[2048];
1584 int num = 0;
1585 while(ssl_read_line(ssl, buf, sizeof(buf))) {
1586 if(buf[0] == 0x04 && buf[1] == 0)
1587 break; /* end of transmission */
1588 if(!perform_delzone(ssl, xfrd, buf)) {
1589 if(!ssl_printf(ssl, "error for input line '%s'\n",
1590 buf))
1591 return;
1592 } else {
1593 if(!ssl_printf(ssl, "removed: %s\n", buf))
1594 return;
1595 num++;
1596 }
1597 }
1598 (void)ssl_printf(ssl, "deleted %d zones\n", num);
1599 }
1600
1601
1602 /** remove TSIG key from config and add task so that reload does too */
remove_key(xfrd_state_type * xfrd,const char * kname)1603 static void remove_key(xfrd_state_type* xfrd, const char* kname)
1604 {
1605 /* add task before deletion because the name string could be deleted */
1606 task_new_del_key(xfrd->nsd->task[xfrd->nsd->mytask], xfrd->last_task,
1607 kname);
1608 key_options_remove(xfrd->nsd->options, kname);
1609 xfrd_set_reload_now(xfrd); /* this is executed when the current control
1610 command ends, thus the entire config changes are bunched up */
1611 }
1612
1613 /** add TSIG key to config and add task so that reload does too */
add_key(xfrd_state_type * xfrd,struct key_options * k)1614 static void add_key(xfrd_state_type* xfrd, struct key_options* k)
1615 {
1616 key_options_add_modify(xfrd->nsd->options, k);
1617 task_new_add_key(xfrd->nsd->task[xfrd->nsd->mytask], xfrd->last_task,
1618 k);
1619 xfrd_set_reload_now(xfrd);
1620 }
1621
1622 /** check if keys have changed */
repat_keys(xfrd_state_type * xfrd,struct nsd_options * newopt)1623 static void repat_keys(xfrd_state_type* xfrd, struct nsd_options* newopt)
1624 {
1625 struct nsd_options* oldopt = xfrd->nsd->options;
1626 struct key_options* k;
1627 /* find deleted keys */
1628 k = (struct key_options*)rbtree_first(oldopt->keys);
1629 while((rbnode_type*)k != RBTREE_NULL) {
1630 struct key_options* next = (struct key_options*)rbtree_next(
1631 (rbnode_type*)k);
1632 if(!key_options_find(newopt, k->name))
1633 remove_key(xfrd, k->name);
1634 k = next;
1635 }
1636 /* find added or changed keys */
1637 RBTREE_FOR(k, struct key_options*, newopt->keys) {
1638 struct key_options* origk = key_options_find(oldopt, k->name);
1639 if(!origk)
1640 add_key(xfrd, k);
1641 else if(!key_options_equal(k, origk))
1642 add_key(xfrd, k);
1643 }
1644 }
1645
1646 /** find zone given the implicit pattern */
1647 static const dname_type*
parse_implicit_name(xfrd_state_type * xfrd,const char * pname)1648 parse_implicit_name(xfrd_state_type* xfrd,const char* pname)
1649 {
1650 if(strncmp(pname, PATTERN_IMPLICIT_MARKER,
1651 strlen(PATTERN_IMPLICIT_MARKER)) != 0)
1652 return NULL;
1653 return dname_parse(xfrd->region, pname +
1654 strlen(PATTERN_IMPLICIT_MARKER));
1655 }
1656
1657 /** remove cfgzone and add task so that reload does too */
1658 static void
remove_cfgzone(xfrd_state_type * xfrd,const char * pname)1659 remove_cfgzone(xfrd_state_type* xfrd, const char* pname)
1660 {
1661 /* dname and find the zone for the implicit pattern */
1662 struct zone_options* zopt = NULL;
1663 const dname_type* dname = parse_implicit_name(xfrd, pname);
1664 if(!dname) {
1665 /* should have a parseable name, but it did not */
1666 return;
1667 }
1668
1669 /* find the zone entry for the implicit pattern */
1670 zopt = zone_options_find(xfrd->nsd->options, dname);
1671 if(!zopt) {
1672 /* this should not happen; implicit pattern has zone entry */
1673 region_recycle(xfrd->region, (void*)dname,
1674 dname_total_size(dname));
1675 return;
1676 }
1677
1678 /* create deletion task */
1679 task_new_del_zone(xfrd->nsd->task[xfrd->nsd->mytask],
1680 xfrd->last_task, dname);
1681 xfrd_set_reload_now(xfrd);
1682 /* delete it in xfrd */
1683 if(zone_is_slave(zopt)) {
1684 xfrd_del_slave_zone(xfrd, dname);
1685 }
1686 xfrd_del_notify(xfrd, dname);
1687 /* delete it in xfrd's catalog consumers list */
1688 if(zone_is_catalog_consumer(zopt)) {
1689 xfrd_deinit_catalog_consumer_zone(xfrd, dname);
1690 }
1691
1692 /* delete from zoneoptions */
1693 zone_options_delete(xfrd->nsd->options, zopt);
1694
1695 /* recycle parsed dname */
1696 region_recycle(xfrd->region, (void*)dname, dname_total_size(dname));
1697 }
1698
1699 /** add cfgzone and add task so that reload does too */
1700 static void
add_cfgzone(xfrd_state_type * xfrd,const char * pname)1701 add_cfgzone(xfrd_state_type* xfrd, const char* pname)
1702 {
1703 /* add to our zonelist */
1704 struct zone_options* zopt = zone_options_create(
1705 xfrd->nsd->options->region);
1706 if(!zopt)
1707 return;
1708 zopt->part_of_config = 1;
1709 zopt->name = region_strdup(xfrd->nsd->options->region,
1710 pname + strlen(PATTERN_IMPLICIT_MARKER));
1711 zopt->pattern = pattern_options_find(xfrd->nsd->options, pname);
1712 if(!zopt->name || !zopt->pattern)
1713 return;
1714 if(!nsd_options_insert_zone(xfrd->nsd->options, zopt)) {
1715 log_msg(LOG_ERR, "bad domain name or duplicate zone '%s' "
1716 "pattern %s", zopt->name, pname);
1717 }
1718
1719 /* make addzone task and schedule reload */
1720 task_new_add_zone(xfrd->nsd->task[xfrd->nsd->mytask],
1721 xfrd->last_task, zopt->name, pname,
1722 getzonestatid(xfrd->nsd->options, zopt));
1723 /* zonestat_inc is done after the entire config file has been done */
1724 xfrd_set_reload_now(xfrd);
1725 /* add to xfrd - catalog consumer zones */
1726 if (zone_is_catalog_consumer(zopt)) {
1727 xfrd_init_catalog_consumer_zone(xfrd, zopt);
1728 }
1729 /* add to xfrd - notify (for master and slaves) */
1730 init_notify_send(xfrd->notify_zones, xfrd->region, zopt);
1731 /* add to xfrd - slave */
1732 if(zone_is_slave(zopt)) {
1733 xfrd_init_slave_zone(xfrd, zopt);
1734 }
1735 }
1736
1737 /** remove pattern and add task so that reload does too */
1738 static void
remove_pat(xfrd_state_type * xfrd,const char * name)1739 remove_pat(xfrd_state_type* xfrd, const char* name)
1740 {
1741 /* add task before deletion, because name-string could be deleted */
1742 task_new_del_pattern(xfrd->nsd->task[xfrd->nsd->mytask],
1743 xfrd->last_task, name);
1744 pattern_options_remove(xfrd->nsd->options, name);
1745 xfrd_set_reload_now(xfrd);
1746 }
1747
1748 /** add pattern and add task so that reload does too */
1749 static void
add_pat(xfrd_state_type * xfrd,struct pattern_options * p)1750 add_pat(xfrd_state_type* xfrd, struct pattern_options* p)
1751 {
1752 pattern_options_add_modify(xfrd->nsd->options, p);
1753 task_new_add_pattern(xfrd->nsd->task[xfrd->nsd->mytask],
1754 xfrd->last_task, p);
1755 xfrd_set_reload_now(xfrd);
1756 }
1757
1758 /** interrupt zones that are using changed or removed patterns */
1759 static void
repat_interrupt_zones(xfrd_state_type * xfrd,struct nsd_options * newopt)1760 repat_interrupt_zones(xfrd_state_type* xfrd, struct nsd_options* newopt)
1761 {
1762 /* if masterlist changed:
1763 * interrupt slave zone (UDP or TCP) transfers.
1764 * slave zones reset master to start of list.
1765 */
1766 xfrd_zone_type* xz;
1767 struct notify_zone* nz;
1768 RBTREE_FOR(xz, xfrd_zone_type*, xfrd->zones) {
1769 struct pattern_options* oldp = xz->zone_options->pattern;
1770 struct pattern_options* newp = pattern_options_find(newopt,
1771 oldp->pname);
1772 if(!newp || !acl_list_equal(oldp->request_xfr,
1773 newp->request_xfr)) {
1774 /* interrupt transfer */
1775 if(xz->tcp_conn != -1) {
1776 xfrd_tcp_release(xfrd->tcp_set, xz);
1777 xfrd_set_refresh_now(xz);
1778 } else if(xz->zone_handler.ev_fd != -1) {
1779 xfrd_udp_release(xz);
1780 xfrd_set_refresh_now(xz);
1781 }
1782 xz->master = 0;
1783 xz->master_num = 0;
1784 xz->next_master = -1;
1785 xz->round_num = -1; /* fresh set of retries */
1786 }
1787 }
1788 /* if notify list changed:
1789 * interrupt notify that is busy.
1790 * reset notify to start of list. (clear all other reset_notify)
1791 */
1792 RBTREE_FOR(nz, struct notify_zone*, xfrd->notify_zones) {
1793 struct pattern_options* oldp = nz->options->pattern;
1794 struct pattern_options* newp = pattern_options_find(newopt,
1795 oldp->pname);
1796 if(!newp || !acl_list_equal(oldp->notify, newp->notify)) {
1797 /* interrupt notify */
1798 if(nz->notify_send_enable) {
1799 notify_disable(nz);
1800 /* set to restart the notify after the
1801 * pattern has been changed. */
1802 nz->notify_restart = 2;
1803 } else {
1804 nz->notify_restart = 1;
1805 }
1806 } else {
1807 nz->notify_restart = 0;
1808 }
1809 }
1810 }
1811
1812 /** for notify, after the pattern changes, restart the affected notifies */
1813 static void
repat_interrupt_notify_start(xfrd_state_type * xfrd)1814 repat_interrupt_notify_start(xfrd_state_type* xfrd)
1815 {
1816 struct notify_zone* nz;
1817 RBTREE_FOR(nz, struct notify_zone*, xfrd->notify_zones) {
1818 if(nz->notify_restart) {
1819 if(nz->notify_current)
1820 nz->notify_current = nz->options->pattern->notify;
1821 if(nz->notify_restart == 2) {
1822 if(nz->notify_restart)
1823 xfrd_notify_start(nz, xfrd);
1824 }
1825 }
1826 }
1827 }
1828
1829 /** check if patterns have changed */
1830 static void
repat_patterns(xfrd_state_type * xfrd,struct nsd_options * newopt)1831 repat_patterns(xfrd_state_type* xfrd, struct nsd_options* newopt)
1832 {
1833 /* zones that use changed patterns must have:
1834 * - their AXFR/IXFR interrupted: try again, acl may have changed.
1835 * if the old master/key still exists, OK, fix master-numptrs and
1836 * keep going. Otherwise, stop xfer and reset TSIG.
1837 * - send NOTIFY reset to start of NOTIFY list (and TSIG reset).
1838 */
1839 struct nsd_options* oldopt = xfrd->nsd->options;
1840 struct pattern_options* p;
1841 int search_zones = 0;
1842
1843 repat_interrupt_zones(xfrd, newopt);
1844 /* find deleted patterns */
1845 p = (struct pattern_options*)rbtree_first(oldopt->patterns);
1846 while((rbnode_type*)p != RBTREE_NULL) {
1847 struct pattern_options* next = (struct pattern_options*)
1848 rbtree_next((rbnode_type*)p);
1849 if(!pattern_options_find(newopt, p->pname)) {
1850 if(p->implicit) {
1851 /* first remove its zone */
1852 VERBOSITY(1, (LOG_INFO, "zone removed from config: %s", p->pname + strlen(PATTERN_IMPLICIT_MARKER)));
1853 remove_cfgzone(xfrd, p->pname);
1854 }
1855 remove_pat(xfrd, p->pname);
1856 }
1857 p = next;
1858 }
1859 /* find added or changed patterns */
1860 RBTREE_FOR(p, struct pattern_options*, newopt->patterns) {
1861 struct pattern_options* origp = pattern_options_find(oldopt,
1862 p->pname);
1863 if(!origp) {
1864 /* no zones can use it, no zone_interrupt needed */
1865 add_pat(xfrd, p);
1866 if(p->implicit) {
1867 VERBOSITY(1, (LOG_INFO, "zone added to config: %s", p->pname + strlen(PATTERN_IMPLICIT_MARKER)));
1868 add_cfgzone(xfrd, p->pname);
1869 }
1870 } else if(!pattern_options_equal(p, origp)) {
1871 uint8_t newstate = 0;
1872 if (p->request_xfr && !origp->request_xfr) {
1873 newstate = REPAT_SLAVE;
1874 } else if (!p->request_xfr && origp->request_xfr) {
1875 newstate = REPAT_MASTER;
1876 }
1877 if ( p->catalog_role == CATALOG_ROLE_CONSUMER
1878 && origp->catalog_role != CATALOG_ROLE_CONSUMER) {
1879 newstate |= REPAT_CATALOG_CONSUMER;
1880 } else if (p->catalog_role != CATALOG_ROLE_CONSUMER
1881 && origp->catalog_role == CATALOG_ROLE_CONSUMER) {
1882 newstate |= REPAT_CATALOG_CONSUMER_DEINIT;
1883 }
1884 add_pat(xfrd, p);
1885 if (p->implicit && newstate) {
1886 const dname_type* dname =
1887 parse_implicit_name(xfrd, p->pname);
1888 if (dname) {
1889 if (newstate & REPAT_SLAVE) {
1890 struct zone_options* zopt =
1891 zone_options_find(
1892 oldopt, dname);
1893 if (zopt) {
1894 xfrd_init_slave_zone(
1895 xfrd, zopt);
1896 }
1897 } else if (newstate & REPAT_MASTER) {
1898 xfrd_del_slave_zone(xfrd,
1899 dname);
1900 }
1901 if (newstate & REPAT_CATALOG_CONSUMER) {
1902 struct zone_options* zopt =
1903 zone_options_find(
1904 oldopt, dname);
1905 if (zopt) {
1906 xfrd_init_catalog_consumer_zone(
1907 xfrd, zopt);
1908 }
1909 } else if (newstate & REPAT_CATALOG_CONSUMER_DEINIT) {
1910 xfrd_deinit_catalog_consumer_zone(
1911 xfrd, dname);
1912 }
1913 region_recycle(xfrd->region,
1914 (void*)dname,
1915 dname_total_size(dname));
1916 }
1917 } else if(!p->implicit && newstate) {
1918 /* search all zones with this pattern */
1919 search_zones = 1;
1920 origp->xfrd_flags = newstate;
1921 }
1922 }
1923 }
1924 if (search_zones) {
1925 struct zone_options* zone_opt;
1926 /* search in oldopt because 1) it contains zonelist zones,
1927 * and 2) you need oldopt(existing) to call xfrd_init */
1928 RBTREE_FOR(zone_opt, struct zone_options*, oldopt->zone_options) {
1929 struct pattern_options* oldp = zone_opt->pattern;
1930 if (!oldp->implicit) {
1931 if (oldp->xfrd_flags & REPAT_SLAVE) {
1932 /* xfrd needs stable reference so get
1933 * it from the oldopt(modified) tree */
1934 xfrd_init_slave_zone(xfrd, zone_opt);
1935 } else if (oldp->xfrd_flags & REPAT_MASTER) {
1936 xfrd_del_slave_zone(xfrd,
1937 (const dname_type*)
1938 zone_opt->node.key);
1939 }
1940 if (oldp->xfrd_flags & REPAT_CATALOG_CONSUMER) {
1941 xfrd_init_catalog_consumer_zone(xfrd,
1942 zone_opt);
1943 } else if (oldp->xfrd_flags & REPAT_CATALOG_CONSUMER_DEINIT) {
1944 xfrd_deinit_catalog_consumer_zone(xfrd,
1945 (const dname_type*)
1946 zone_opt->node.key);
1947 }
1948 oldp->xfrd_flags = 0;
1949 }
1950 }
1951 }
1952 repat_interrupt_notify_start(xfrd);
1953 }
1954
1955 /** true if options are different that can be set via repat. */
1956 static int
repat_options_changed(xfrd_state_type * xfrd,struct nsd_options * newopt)1957 repat_options_changed(xfrd_state_type* xfrd, struct nsd_options* newopt)
1958 {
1959 #ifdef RATELIMIT
1960 if(xfrd->nsd->options->rrl_ratelimit != newopt->rrl_ratelimit)
1961 return 1;
1962 if(xfrd->nsd->options->rrl_whitelist_ratelimit != newopt->rrl_whitelist_ratelimit)
1963 return 1;
1964 if(xfrd->nsd->options->rrl_slip != newopt->rrl_slip)
1965 return 1;
1966 #else
1967 (void)xfrd; (void)newopt;
1968 #endif
1969 return 0;
1970 }
1971
1972 /** check if global options have changed */
1973 static void
repat_options(xfrd_state_type * xfrd,struct nsd_options * newopt)1974 repat_options(xfrd_state_type* xfrd, struct nsd_options* newopt)
1975 {
1976 if(repat_options_changed(xfrd, newopt)) {
1977 /* update our options */
1978 #ifdef RATELIMIT
1979 xfrd->nsd->options->rrl_ratelimit = newopt->rrl_ratelimit;
1980 xfrd->nsd->options->rrl_whitelist_ratelimit = newopt->rrl_whitelist_ratelimit;
1981 xfrd->nsd->options->rrl_slip = newopt->rrl_slip;
1982 #endif
1983 task_new_opt_change(xfrd->nsd->task[xfrd->nsd->mytask],
1984 xfrd->last_task, newopt);
1985 xfrd_set_reload_now(xfrd);
1986 }
1987 }
1988
1989 /** print errors over ssl, gets pointer-to-pointer to ssl, so it can set
1990 * the pointer to NULL on failure and stop printing */
1991 static void
print_ssl_cfg_err(void * arg,const char * str)1992 print_ssl_cfg_err(void* arg, const char* str)
1993 {
1994 RES** ssl = (RES**)arg;
1995 if(!*ssl) return;
1996 if(!ssl_printf(*ssl, "%s", str))
1997 *ssl = NULL; /* failed, stop printing */
1998 }
1999
2000 /** do the repattern command: reread config file and apply keys, patterns */
2001 static void
do_repattern(RES * ssl,xfrd_state_type * xfrd)2002 do_repattern(RES* ssl, xfrd_state_type* xfrd)
2003 {
2004 region_type* region = region_create(xalloc, free);
2005 struct nsd_options* opt;
2006 const char* cfgfile = xfrd->nsd->options->configfile;
2007
2008 /* check chroot and configfile, if possible to reread */
2009 if(xfrd->nsd->chrootdir) {
2010 size_t l = strlen(xfrd->nsd->chrootdir);
2011 while(l>0 && xfrd->nsd->chrootdir[l-1] == '/')
2012 --l;
2013 if(strncmp(xfrd->nsd->chrootdir, cfgfile, l) != 0) {
2014 (void)ssl_printf(ssl, "error %s is not relative to %s: "
2015 "chroot prevents reread of config\n",
2016 cfgfile, xfrd->nsd->chrootdir);
2017 region_destroy(region);
2018 return;
2019 }
2020 cfgfile += l;
2021 }
2022
2023 (void)ssl_printf(ssl, "reconfig start, read %s\n", cfgfile);
2024 opt = nsd_options_create(region);
2025 if(!parse_options_file(opt, cfgfile, &print_ssl_cfg_err, &ssl,
2026 xfrd->nsd->options)) {
2027 /* error already printed */
2028 region_destroy(region);
2029 return;
2030 }
2031 /* check for differences in TSIG keys and patterns, and apply,
2032 * first the keys, so that pattern->keyptr can be set right. */
2033 repat_keys(xfrd, opt);
2034 repat_patterns(xfrd, opt);
2035 repat_options(xfrd, opt);
2036 zonestat_inc_ifneeded(xfrd);
2037 send_ok(ssl);
2038 region_destroy(region);
2039 }
2040
2041 /** do the serverpid command: printout pid of server process */
2042 static void
do_serverpid(RES * ssl,xfrd_state_type * xfrd)2043 do_serverpid(RES* ssl, xfrd_state_type* xfrd)
2044 {
2045 (void)ssl_printf(ssl, "%u\n", (unsigned)xfrd->reload_pid);
2046 }
2047
2048 /** do the print_tsig command: printout tsig info */
2049 static void
do_print_tsig(RES * ssl,xfrd_state_type * xfrd,char * arg)2050 do_print_tsig(RES* ssl, xfrd_state_type* xfrd, char* arg)
2051 {
2052 if(*arg == '\0') {
2053 struct key_options* key;
2054 RBTREE_FOR(key, struct key_options*, xfrd->nsd->options->keys) {
2055 if(!ssl_printf(ssl, "key: name: \"%s\" secret: \"%s\" algorithm: %s\n", key->name, key->secret, key->algorithm))
2056 return;
2057 }
2058 return;
2059 } else {
2060 struct key_options* key_opts = key_options_find(xfrd->nsd->options, arg);
2061 if(!key_opts) {
2062 (void)ssl_printf(ssl, "error: no such key with name: %s\n", arg);
2063 return;
2064 } else {
2065 (void)ssl_printf(ssl, "key: name: \"%s\" secret: \"%s\" algorithm: %s\n", arg, key_opts->secret, key_opts->algorithm);
2066 }
2067 }
2068 }
2069
2070 /** do the update_tsig command: change existing tsig to new secret */
2071 static void
do_update_tsig(RES * ssl,xfrd_state_type * xfrd,char * arg)2072 do_update_tsig(RES* ssl, xfrd_state_type* xfrd, char* arg)
2073 {
2074 struct region* region = xfrd->nsd->options->region;
2075 char* arg2 = NULL;
2076 uint8_t data[65536]; /* 64K */
2077 struct key_options* key_opt;
2078
2079 if(*arg == '\0') {
2080 (void)ssl_printf(ssl, "error: missing argument (keyname)\n");
2081 return;
2082 }
2083 if(!find_arg2(ssl, arg, &arg2)) {
2084 (void)ssl_printf(ssl, "error: missing argument (secret)\n");
2085 return;
2086 }
2087 key_opt = key_options_find(xfrd->nsd->options, arg);
2088 if(!key_opt) {
2089 (void)ssl_printf(ssl, "error: no such key with name: %s\n", arg);
2090 memset(arg2, 0xdd, strlen(arg2));
2091 return;
2092 }
2093 if(__b64_pton(arg2, data, sizeof(data)) == -1) {
2094 (void)ssl_printf(ssl, "error: the secret: %s is not in b64 format\n", arg2);
2095 memset(data, 0xdd, sizeof(data)); /* wipe secret */
2096 memset(arg2, 0xdd, strlen(arg2));
2097 return;
2098 }
2099 log_msg(LOG_INFO, "changing secret provided with the key: %s with old secret %s and algo: %s\n", arg, key_opt->secret, key_opt->algorithm);
2100 if(key_opt->secret) {
2101 /* wipe old secret */
2102 memset(key_opt->secret, 0xdd, strlen(key_opt->secret));
2103 region_recycle(region, key_opt->secret,
2104 strlen(key_opt->secret)+1);
2105 }
2106 key_opt->secret = region_strdup(region, arg2);
2107 log_msg(LOG_INFO, "the key: %s has new secret %s and algorithm: %s\n", arg, key_opt->secret, key_opt->algorithm);
2108 /* wipe secret from temp parse buffer */
2109 memset(arg2, 0xdd, strlen(arg2));
2110 memset(data, 0xdd, sizeof(data));
2111
2112 key_options_desetup(region, key_opt);
2113 key_options_setup(region, key_opt);
2114 task_new_add_key(xfrd->nsd->task[xfrd->nsd->mytask], xfrd->last_task,
2115 key_opt);
2116 xfrd_set_reload_now(xfrd);
2117
2118 send_ok(ssl);
2119 }
2120
2121 /** do the add tsig command, add new key with name, secret and algo given */
2122 static void
do_add_tsig(RES * ssl,xfrd_state_type * xfrd,char * arg)2123 do_add_tsig(RES* ssl, xfrd_state_type* xfrd, char* arg)
2124 {
2125 char* arg2 = NULL;
2126 char* arg3 = NULL;
2127 uint8_t data[65536]; /* 64KB */
2128 uint8_t dname[MAXDOMAINLEN+1];
2129 char algo[256];
2130 region_type* region = xfrd->nsd->options->region;
2131 struct key_options* new_key_opt;
2132
2133 if(*arg == '\0') {
2134 (void)ssl_printf(ssl, "error: missing argument (keyname)\n");
2135 return;
2136 }
2137 if(!find_arg3(ssl, arg, &arg2, &arg3)) {
2138 strlcpy(algo, "hmac-sha256", sizeof(algo));
2139 } else {
2140 strlcpy(algo, arg3, sizeof(algo));
2141 }
2142 if(!arg2) {
2143 (void)ssl_printf(ssl, "error: missing argument (secret)\n");
2144 return;
2145 }
2146 if(key_options_find(xfrd->nsd->options, arg)) {
2147 (void)ssl_printf(ssl, "error: key %s already exists\n", arg);
2148 memset(arg2, 0xdd, strlen(arg2));
2149 return;
2150 }
2151 if(__b64_pton(arg2, data, sizeof(data)) == -1) {
2152 (void)ssl_printf(ssl, "error: the secret: %s is not in b64 format\n", arg2);
2153 memset(data, 0xdd, sizeof(data)); /* wipe secret */
2154 memset(arg2, 0xdd, strlen(arg2));
2155 return;
2156 }
2157 memset(data, 0xdd, sizeof(data)); /* wipe secret from temp buffer */
2158 if(!dname_parse_wire(dname, arg)) {
2159 (void)ssl_printf(ssl, "error: could not parse key name: %s\n", arg);
2160 memset(arg2, 0xdd, strlen(arg2));
2161 return;
2162 }
2163 if(tsig_get_algorithm_by_name(algo) == NULL) {
2164 (void)ssl_printf(ssl, "error: unknown algorithm: %s\n", algo);
2165 memset(arg2, 0xdd, strlen(arg2));
2166 return;
2167 }
2168 log_msg(LOG_INFO, "adding key with name: %s and secret: %s with algo: %s\n", arg, arg2, algo);
2169 new_key_opt = key_options_create(region);
2170 new_key_opt->name = region_strdup(region, arg);
2171 new_key_opt->secret = region_strdup(region, arg2);
2172 new_key_opt->algorithm = region_strdup(region, algo);
2173 add_key(xfrd, new_key_opt);
2174
2175 /* wipe secret from temp buffer */
2176 memset(arg2, 0xdd, strlen(arg2));
2177 send_ok(ssl);
2178 }
2179
2180 /** set acl entries to use the given TSIG key */
2181 static void
zopt_set_acl_to_tsig(struct acl_options * acl,struct region * region,const char * key_name,struct key_options * key_opt)2182 zopt_set_acl_to_tsig(struct acl_options* acl, struct region* region,
2183 const char* key_name, struct key_options* key_opt)
2184 {
2185 while(acl) {
2186 if(acl->blocked) {
2187 acl = acl->next;
2188 continue;
2189 }
2190 acl->nokey = 0;
2191 if(acl->key_name)
2192 region_recycle(region, (void*)acl->key_name,
2193 strlen(acl->key_name)+1);
2194 acl->key_name = region_strdup(region, key_name);
2195 acl->key_options = key_opt;
2196 acl = acl->next;
2197 }
2198 }
2199
2200 /** do the assoc_tsig command: associate the zone to use the tsig name */
2201 static void
do_assoc_tsig(RES * ssl,xfrd_state_type * xfrd,char * arg)2202 do_assoc_tsig(RES* ssl, xfrd_state_type* xfrd, char* arg)
2203 {
2204 region_type* region = xfrd->nsd->options->region;
2205 char* arg2 = NULL;
2206 struct zone_options* zone;
2207 struct key_options* key_opt;
2208
2209 if(*arg == '\0') {
2210 (void)ssl_printf(ssl, "error: missing argument (zonename)\n");
2211 return;
2212 }
2213 if(!find_arg2(ssl, arg, &arg2)) {
2214 (void)ssl_printf(ssl, "error: missing argument (keyname)\n");
2215 return;
2216 }
2217
2218 if(!get_zone_arg(ssl, xfrd, arg, &zone))
2219 return;
2220 if(!zone) {
2221 (void)ssl_printf(ssl, "error: missing argument (zone)\n");
2222 return;
2223 }
2224 key_opt = key_options_find(xfrd->nsd->options, arg2);
2225 if(!key_opt) {
2226 (void)ssl_printf(ssl, "error: key: %s does not exist\n", arg2);
2227 return;
2228 }
2229
2230 zopt_set_acl_to_tsig(zone->pattern->allow_notify, region, arg2,
2231 key_opt);
2232 zopt_set_acl_to_tsig(zone->pattern->notify, region, arg2, key_opt);
2233 zopt_set_acl_to_tsig(zone->pattern->request_xfr, region, arg2,
2234 key_opt);
2235 zopt_set_acl_to_tsig(zone->pattern->provide_xfr, region, arg2,
2236 key_opt);
2237 zopt_set_acl_to_tsig(zone->pattern->allow_query, region, arg2,
2238 key_opt);
2239
2240 task_new_add_pattern(xfrd->nsd->task[xfrd->nsd->mytask],
2241 xfrd->last_task, zone->pattern);
2242 xfrd_set_reload_now(xfrd);
2243
2244 send_ok(ssl);
2245 }
2246
2247 /** see if TSIG key is used in the acl */
2248 static int
acl_contains_tsig_key(struct acl_options * acl,const char * name)2249 acl_contains_tsig_key(struct acl_options* acl, const char* name)
2250 {
2251 while(acl) {
2252 if(acl->key_name && strcmp(acl->key_name, name) == 0)
2253 return 1;
2254 acl = acl->next;
2255 }
2256 return 0;
2257 }
2258
2259 /** do the del_tsig command, remove an (unused) tsig */
2260 static void
do_del_tsig(RES * ssl,xfrd_state_type * xfrd,char * arg)2261 do_del_tsig(RES* ssl, xfrd_state_type* xfrd, char* arg) {
2262 int used_key = 0;
2263 struct zone_options* zone;
2264 struct key_options* key_opt;
2265
2266 if(*arg == '\0') {
2267 (void)ssl_printf(ssl, "error: missing argument (keyname)\n");
2268 return;
2269 }
2270 key_opt = key_options_find(xfrd->nsd->options, arg);
2271 if(!key_opt) {
2272 (void)ssl_printf(ssl, "key %s does not exist, nothing to be deleted\n", arg);
2273 return;
2274 }
2275 RBTREE_FOR(zone, struct zone_options*, xfrd->nsd->options->zone_options)
2276 {
2277 if(acl_contains_tsig_key(zone->pattern->allow_notify, arg) ||
2278 acl_contains_tsig_key(zone->pattern->notify, arg) ||
2279 acl_contains_tsig_key(zone->pattern->request_xfr, arg) ||
2280 acl_contains_tsig_key(zone->pattern->provide_xfr, arg) ||
2281 acl_contains_tsig_key(zone->pattern->allow_query, arg)) {
2282 if(!ssl_printf(ssl, "zone %s uses key %s\n",
2283 zone->name, arg))
2284 return;
2285 used_key = 1;
2286 break;
2287 }
2288 }
2289
2290 if(used_key) {
2291 (void)ssl_printf(ssl, "error: key: %s is in use and cannot be deleted\n", arg);
2292 return;
2293 } else {
2294 remove_key(xfrd, arg);
2295 log_msg(LOG_INFO, "key: %s is successfully deleted\n", arg);
2296 }
2297
2298 send_ok(ssl);
2299 }
2300
2301 /* returns `0` on failure */
2302 static int
cookie_secret_file_dump(RES * ssl,nsd_type const * nsd)2303 cookie_secret_file_dump(RES* ssl, nsd_type const* nsd) {
2304 char const* secret_file = nsd->options->cookie_secret_file;
2305 char secret_hex[NSD_COOKIE_SECRET_SIZE * 2 + 1];
2306 FILE* f;
2307 size_t i;
2308 assert( secret_file != NULL );
2309
2310 /* open write only and truncate */
2311 if((f = fopen(secret_file, "w")) == NULL ) {
2312 (void)ssl_printf(ssl, "unable to open cookie secret file %s: %s",
2313 secret_file, strerror(errno));
2314 return 0;
2315 }
2316 for(i = 0; i < nsd->cookie_count; i++) {
2317 struct cookie_secret const* cs = &nsd->cookie_secrets[i];
2318 ssize_t const len = hex_ntop(cs->cookie_secret, NSD_COOKIE_SECRET_SIZE,
2319 secret_hex, sizeof(secret_hex));
2320 (void)len; /* silence unused variable warning with -DNDEBUG */
2321 assert( len == NSD_COOKIE_SECRET_SIZE * 2 );
2322 secret_hex[NSD_COOKIE_SECRET_SIZE * 2] = '\0';
2323 fprintf(f, "%s\n", secret_hex);
2324 }
2325 explicit_bzero(secret_hex, sizeof(secret_hex));
2326 fclose(f);
2327 return 1;
2328 }
2329
2330 static void
do_activate_cookie_secret(RES * ssl,xfrd_state_type * xrfd,char * arg)2331 do_activate_cookie_secret(RES* ssl, xfrd_state_type* xrfd, char* arg) {
2332 nsd_type* nsd = xrfd->nsd;
2333 (void)arg;
2334
2335 if(nsd->cookie_count <= 1 ) {
2336 (void)ssl_printf(ssl, "error: no staging cookie secret to activate\n");
2337 return;
2338 }
2339 if(!nsd->options->cookie_secret_file || !nsd->options->cookie_secret_file[0]) {
2340 (void)ssl_printf(ssl, "error: no cookie secret file configured\n");
2341 return;
2342 }
2343 if(!cookie_secret_file_dump(ssl, nsd)) {
2344 (void)ssl_printf(ssl, "error: writing to cookie secret file: \"%s\"\n",
2345 nsd->options->cookie_secret_file);
2346 return;
2347 }
2348 activate_cookie_secret(nsd);
2349 (void)cookie_secret_file_dump(ssl, nsd);
2350 task_new_activate_cookie_secret(xfrd->nsd->task[xfrd->nsd->mytask],
2351 xfrd->last_task);
2352 xfrd_set_reload_now(xfrd);
2353 send_ok(ssl);
2354 }
2355
2356 static void
do_drop_cookie_secret(RES * ssl,xfrd_state_type * xrfd,char * arg)2357 do_drop_cookie_secret(RES* ssl, xfrd_state_type* xrfd, char* arg) {
2358 nsd_type* nsd = xrfd->nsd;
2359 (void)arg;
2360
2361 if(nsd->cookie_count <= 1 ) {
2362 (void)ssl_printf(ssl, "error: can not drop the currently active cookie secret\n");
2363 return;
2364 }
2365 if(!nsd->options->cookie_secret_file || !nsd->options->cookie_secret_file[0]) {
2366 (void)ssl_printf(ssl, "error: no cookie secret file configured\n");
2367 return;
2368 }
2369 if(!cookie_secret_file_dump(ssl, nsd)) {
2370 (void)ssl_printf(ssl, "error: writing to cookie secret file: \"%s\"\n",
2371 nsd->options->cookie_secret_file);
2372 return;
2373 }
2374 drop_cookie_secret(nsd);
2375 (void)cookie_secret_file_dump(ssl, nsd);
2376 task_new_drop_cookie_secret(xfrd->nsd->task[xfrd->nsd->mytask],
2377 xfrd->last_task);
2378 xfrd_set_reload_now(xfrd);
2379 send_ok(ssl);
2380 }
2381
2382 static void
do_add_cookie_secret(RES * ssl,xfrd_state_type * xrfd,char * arg)2383 do_add_cookie_secret(RES* ssl, xfrd_state_type* xrfd, char* arg) {
2384 nsd_type* nsd = xrfd->nsd;
2385 uint8_t secret[NSD_COOKIE_SECRET_SIZE];
2386
2387 if(*arg == '\0') {
2388 (void)ssl_printf(ssl, "error: missing argument (cookie_secret)\n");
2389 return;
2390 }
2391 if(strlen(arg) != 32) {
2392 explicit_bzero(arg, strlen(arg));
2393 (void)ssl_printf(ssl, "invalid cookie secret: invalid argument length\n");
2394 (void)ssl_printf(ssl, "please provide a 128bit hex encoded secret\n");
2395 return;
2396 }
2397 if(hex_pton(arg, secret, NSD_COOKIE_SECRET_SIZE) != NSD_COOKIE_SECRET_SIZE ) {
2398 explicit_bzero(secret, NSD_COOKIE_SECRET_SIZE);
2399 explicit_bzero(arg, strlen(arg));
2400 (void)ssl_printf(ssl, "invalid cookie secret: parse error\n");
2401 (void)ssl_printf(ssl, "please provide a 128bit hex encoded secret\n");
2402 return;
2403 }
2404 if(!nsd->options->cookie_secret_file || !nsd->options->cookie_secret_file[0]) {
2405 explicit_bzero(secret, NSD_COOKIE_SECRET_SIZE);
2406 explicit_bzero(arg, strlen(arg));
2407 (void)ssl_printf(ssl, "error: no cookie secret file configured\n");
2408 return;
2409 }
2410 if(!cookie_secret_file_dump(ssl, nsd)) {
2411 explicit_bzero(secret, NSD_COOKIE_SECRET_SIZE);
2412 explicit_bzero(arg, strlen(arg));
2413 (void)ssl_printf(ssl, "error: writing to cookie secret file: \"%s\"\n",
2414 nsd->options->cookie_secret_file);
2415 return;
2416 }
2417 add_cookie_secret(nsd, secret);
2418 explicit_bzero(secret, NSD_COOKIE_SECRET_SIZE);
2419 (void)cookie_secret_file_dump(ssl, nsd);
2420 task_new_add_cookie_secret(xfrd->nsd->task[xfrd->nsd->mytask],
2421 xfrd->last_task, arg);
2422 explicit_bzero(arg, strlen(arg));
2423 xfrd_set_reload_now(xfrd);
2424 send_ok(ssl);
2425 }
2426
2427 static void
do_print_cookie_secrets(RES * ssl,xfrd_state_type * xrfd,char * arg)2428 do_print_cookie_secrets(RES* ssl, xfrd_state_type* xrfd, char* arg) {
2429 nsd_type* nsd = xrfd->nsd;
2430 char secret_hex[NSD_COOKIE_SECRET_SIZE * 2 + 1];
2431 int i;
2432 (void)arg;
2433
2434 /* (void)ssl_printf(ssl, "cookie_secret_count=%zu\n", nsd->cookie_count); */
2435 for(i = 0; (size_t)i < nsd->cookie_count; i++) {
2436 struct cookie_secret const* cs = &nsd->cookie_secrets[i];
2437 ssize_t const len = hex_ntop(cs->cookie_secret, NSD_COOKIE_SECRET_SIZE,
2438 secret_hex, sizeof(secret_hex));
2439 (void)len; /* silence unused variable warning with -DNDEBUG */
2440 assert( len == NSD_COOKIE_SECRET_SIZE * 2 );
2441 secret_hex[NSD_COOKIE_SECRET_SIZE * 2] = '\0';
2442 if (i == 0)
2443 (void)ssl_printf(ssl, "active : %s\n", secret_hex);
2444 else if (nsd->cookie_count == 2)
2445 (void)ssl_printf(ssl, "staging: %s\n", secret_hex);
2446 else
2447 (void)ssl_printf(ssl, "staging[%d]: %s\n", i, secret_hex);
2448 }
2449 explicit_bzero(secret_hex, sizeof(secret_hex));
2450 }
2451
2452 /** check for name with end-of-string, space or tab after it */
2453 static int
cmdcmp(char * p,const char * cmd,size_t len)2454 cmdcmp(char* p, const char* cmd, size_t len)
2455 {
2456 return strncmp(p,cmd,len)==0 && (p[len]==0||p[len]==' '||p[len]=='\t');
2457 }
2458
2459 /** execute a remote control command */
2460 static void
execute_cmd(struct daemon_remote * rc,RES * ssl,char * cmd)2461 execute_cmd(struct daemon_remote* rc, RES* ssl, char* cmd)
2462 {
2463 char* p = skipwhite(cmd);
2464 /* compare command */
2465 if(cmdcmp(p, "stop", 4)) {
2466 do_stop(ssl, rc->xfrd);
2467 } else if(cmdcmp(p, "reload", 6)) {
2468 do_reload(ssl, rc->xfrd, skipwhite(p+6));
2469 } else if(cmdcmp(p, "write", 5)) {
2470 do_write(ssl, rc->xfrd, skipwhite(p+5));
2471 } else if(cmdcmp(p, "status", 6)) {
2472 do_status(ssl, rc->xfrd);
2473 } else if(cmdcmp(p, "stats_noreset", 13)) {
2474 do_stats(ssl, rc->xfrd, 1);
2475 } else if(cmdcmp(p, "stats", 5)) {
2476 do_stats(ssl, rc->xfrd, 0);
2477 } else if(cmdcmp(p, "log_reopen", 10)) {
2478 do_log_reopen(ssl, rc->xfrd);
2479 } else if(cmdcmp(p, "addzone", 7)) {
2480 do_addzone(ssl, rc->xfrd, skipwhite(p+7));
2481 } else if(cmdcmp(p, "delzone", 7)) {
2482 do_delzone(ssl, rc->xfrd, skipwhite(p+7));
2483 } else if(cmdcmp(p, "changezone", 10)) {
2484 do_changezone(ssl, rc->xfrd, skipwhite(p+10));
2485 } else if(cmdcmp(p, "addzones", 8)) {
2486 do_addzones(ssl, rc->xfrd);
2487 } else if(cmdcmp(p, "delzones", 8)) {
2488 do_delzones(ssl, rc->xfrd);
2489 } else if(cmdcmp(p, "notify", 6)) {
2490 do_notify(ssl, rc->xfrd, skipwhite(p+6));
2491 } else if(cmdcmp(p, "transfer", 8)) {
2492 do_transfer(ssl, rc->xfrd, skipwhite(p+8));
2493 } else if(cmdcmp(p, "force_transfer", 14)) {
2494 do_force_transfer(ssl, rc->xfrd, skipwhite(p+14));
2495 } else if(cmdcmp(p, "zonestatus", 10)) {
2496 do_zonestatus(ssl, rc->xfrd, skipwhite(p+10));
2497 } else if(cmdcmp(p, "verbosity", 9)) {
2498 do_verbosity(ssl, skipwhite(p+9));
2499 } else if(cmdcmp(p, "repattern", 9)) {
2500 do_repattern(ssl, rc->xfrd);
2501 } else if(cmdcmp(p, "reconfig", 8)) {
2502 do_repattern(ssl, rc->xfrd);
2503 } else if(cmdcmp(p, "serverpid", 9)) {
2504 do_serverpid(ssl, rc->xfrd);
2505 } else if(cmdcmp(p, "print_tsig", 10)) {
2506 do_print_tsig(ssl, rc->xfrd, skipwhite(p+10));
2507 } else if(cmdcmp(p, "update_tsig", 11)) {
2508 do_update_tsig(ssl, rc->xfrd, skipwhite(p+11));
2509 } else if(cmdcmp(p, "add_tsig", 8)) {
2510 do_add_tsig(ssl, rc->xfrd, skipwhite(p+8));
2511 } else if(cmdcmp(p, "assoc_tsig", 10)) {
2512 do_assoc_tsig(ssl, rc->xfrd, skipwhite(p+10));
2513 } else if(cmdcmp(p, "del_tsig", 8)) {
2514 do_del_tsig(ssl, rc->xfrd, skipwhite(p+8));
2515 } else if(cmdcmp(p, "add_cookie_secret", 17)) {
2516 do_add_cookie_secret(ssl, rc->xfrd, skipwhite(p+17));
2517 } else if(cmdcmp(p, "drop_cookie_secret", 18)) {
2518 do_drop_cookie_secret(ssl, rc->xfrd, skipwhite(p+18));
2519 } else if(cmdcmp(p, "print_cookie_secrets", 20)) {
2520 do_print_cookie_secrets(ssl, rc->xfrd, skipwhite(p+20));
2521 } else if(cmdcmp(p, "activate_cookie_secret", 22)) {
2522 do_activate_cookie_secret(ssl, rc->xfrd, skipwhite(p+22));
2523 } else {
2524 (void)ssl_printf(ssl, "error unknown command '%s'\n", p);
2525 }
2526 }
2527
2528 /** handle remote control request */
2529 static void
handle_req(struct daemon_remote * rc,struct rc_state * s,RES * res)2530 handle_req(struct daemon_remote* rc, struct rc_state* s, RES* res)
2531 {
2532 int r;
2533 char pre[10];
2534 char magic[8];
2535 char buf[1024];
2536 if (fcntl(s->c.ev_fd, F_SETFL, 0) == -1) { /* set blocking */
2537 log_msg(LOG_ERR, "cannot fcntl rc: %s", strerror(errno));
2538 }
2539
2540 /* try to read magic UBCT[version]_space_ string */
2541 #ifdef HAVE_SSL
2542 if(res->ssl) {
2543 ERR_clear_error();
2544 if((r=SSL_read(res->ssl, magic, (int)sizeof(magic)-1)) <= 0) {
2545 if(SSL_get_error(res->ssl, r) == SSL_ERROR_ZERO_RETURN)
2546 return;
2547 log_crypto_err("could not SSL_read");
2548 return;
2549 }
2550 } else {
2551 #endif /* HAVE_SSL */
2552 while(1) {
2553 ssize_t rr = read(res->fd, magic, sizeof(magic)-1);
2554 if(rr <= 0) {
2555 if(rr == 0) return;
2556 if(errno == EINTR || errno == EAGAIN)
2557 continue;
2558 log_msg(LOG_ERR, "could not read: %s", strerror(errno));
2559 return;
2560 }
2561 r = (int)rr;
2562 break;
2563 }
2564 #ifdef HAVE_SSL
2565 }
2566 #endif /* HAVE_SSL */
2567 magic[7] = 0;
2568 if( r != 7 || strncmp(magic, "NSDCT", 5) != 0) {
2569 VERBOSITY(2, (LOG_INFO, "control connection has bad header"));
2570 /* probably wrong tool connected, ignore it completely */
2571 return;
2572 }
2573
2574 /* read the command line */
2575 if(!ssl_read_line(res, buf, sizeof(buf))) {
2576 return;
2577 }
2578 snprintf(pre, sizeof(pre), "NSDCT%d ", NSD_CONTROL_VERSION);
2579 if(strcmp(magic, pre) != 0) {
2580 VERBOSITY(2, (LOG_INFO, "control connection had bad "
2581 "version %s, cmd: %s", magic, buf));
2582 (void)ssl_printf(res, "error version mismatch\n");
2583 return;
2584 }
2585 /* always log control commands */
2586 VERBOSITY(0, (LOG_INFO, "control cmd: %s", buf));
2587
2588 /* figure out what to do */
2589 execute_cmd(rc, res, buf);
2590 }
2591
2592 #ifdef HAVE_SSL
2593 /** handle SSL_do_handshake changes to the file descriptor to wait for later */
2594 static void
remote_handshake_later(struct daemon_remote * rc,struct rc_state * s,int fd,int r,int r2)2595 remote_handshake_later(struct daemon_remote* rc, struct rc_state* s, int fd,
2596 int r, int r2)
2597 {
2598 if(r2 == SSL_ERROR_WANT_READ) {
2599 if(s->shake_state == rc_hs_read) {
2600 /* try again later */
2601 return;
2602 }
2603 s->shake_state = rc_hs_read;
2604 if(s->event_added)
2605 event_del(&s->c);
2606 memset(&s->c, 0, sizeof(s->c));
2607 event_set(&s->c, fd, EV_PERSIST|EV_TIMEOUT|EV_READ,
2608 remote_control_callback, s);
2609 if(event_base_set(xfrd->event_base, &s->c) != 0)
2610 log_msg(LOG_ERR, "remote_accept: cannot set event_base");
2611 if(event_add(&s->c, &s->tval) != 0)
2612 log_msg(LOG_ERR, "remote_accept: cannot add event");
2613 s->event_added = 1;
2614 return;
2615 } else if(r2 == SSL_ERROR_WANT_WRITE) {
2616 if(s->shake_state == rc_hs_write) {
2617 /* try again later */
2618 return;
2619 }
2620 s->shake_state = rc_hs_write;
2621 if(s->event_added)
2622 event_del(&s->c);
2623 memset(&s->c, 0, sizeof(s->c));
2624 event_set(&s->c, fd, EV_PERSIST|EV_TIMEOUT|EV_WRITE,
2625 remote_control_callback, s);
2626 if(event_base_set(xfrd->event_base, &s->c) != 0)
2627 log_msg(LOG_ERR, "remote_accept: cannot set event_base");
2628 if(event_add(&s->c, &s->tval) != 0)
2629 log_msg(LOG_ERR, "remote_accept: cannot add event");
2630 s->event_added = 1;
2631 return;
2632 } else {
2633 if(r == 0)
2634 log_msg(LOG_ERR, "remote control connection closed prematurely");
2635 log_crypto_err("remote control failed ssl");
2636 clean_point(rc, s);
2637 }
2638 }
2639 #endif /* HAVE_SSL */
2640
2641 static void
remote_control_callback(int fd,short event,void * arg)2642 remote_control_callback(int fd, short event, void* arg)
2643 {
2644 RES res;
2645 struct rc_state* s = (struct rc_state*)arg;
2646 struct daemon_remote* rc = s->rc;
2647 if( (event&EV_TIMEOUT) ) {
2648 log_msg(LOG_ERR, "remote control timed out");
2649 clean_point(rc, s);
2650 return;
2651 }
2652 #ifdef HAVE_SSL
2653 if(s->ssl) {
2654 /* (continue to) setup the SSL connection */
2655 int r;
2656 ERR_clear_error();
2657 r = SSL_do_handshake(s->ssl);
2658 if(r != 1) {
2659 int r2 = SSL_get_error(s->ssl, r);
2660 remote_handshake_later(rc, s, fd, r, r2);
2661 return;
2662 }
2663 s->shake_state = rc_none;
2664 }
2665 #endif /* HAVE_SSL */
2666
2667 /* once handshake has completed, check authentication */
2668 if (!rc->use_cert) {
2669 VERBOSITY(3, (LOG_INFO, "unauthenticated remote control connection"));
2670 #ifdef HAVE_SSL
2671 } else if(SSL_get_verify_result(s->ssl) == X509_V_OK) {
2672 X509* x = SSL_get_peer_certificate(s->ssl);
2673 if(!x) {
2674 VERBOSITY(2, (LOG_INFO, "remote control connection "
2675 "provided no client certificate"));
2676 clean_point(rc, s);
2677 return;
2678 }
2679 VERBOSITY(3, (LOG_INFO, "remote control connection authenticated"));
2680 X509_free(x);
2681 #endif /* HAVE_SSL */
2682 } else {
2683 VERBOSITY(2, (LOG_INFO, "remote control connection failed to "
2684 "authenticate with client certificate"));
2685 clean_point(rc, s);
2686 return;
2687 }
2688
2689 /* if OK start to actually handle the request */
2690 #ifdef HAVE_SSL
2691 res.ssl = s->ssl;
2692 #endif /* HAVE_SSL */
2693 res.fd = fd;
2694 handle_req(rc, s, &res);
2695
2696 VERBOSITY(3, (LOG_INFO, "remote control operation completed"));
2697 clean_point(rc, s);
2698 }
2699
2700 #ifdef BIND8_STATS
2701 static const char*
opcode2str(int o)2702 opcode2str(int o)
2703 {
2704 switch(o) {
2705 case OPCODE_QUERY: return "QUERY";
2706 case OPCODE_IQUERY: return "IQUERY";
2707 case OPCODE_STATUS: return "STATUS";
2708 case OPCODE_NOTIFY: return "NOTIFY";
2709 case OPCODE_UPDATE: return "UPDATE";
2710 default: return "OTHER";
2711 }
2712 }
2713
2714 /** print long number */
2715 static int
print_longnum(RES * ssl,char * desc,uint64_t x)2716 print_longnum(RES* ssl, char* desc, uint64_t x)
2717 {
2718 if(x > (uint64_t)1024*1024*1024) {
2719 /* more than a Gb */
2720 size_t front = (size_t)(x / (uint64_t)1000000);
2721 size_t back = (size_t)(x % (uint64_t)1000000);
2722 return ssl_printf(ssl, "%s%lu%6.6lu\n", desc,
2723 (unsigned long)front, (unsigned long)back);
2724 } else {
2725 return ssl_printf(ssl, "%s%lu\n", desc, (unsigned long)x);
2726 }
2727 }
2728
2729 /* print one block of statistics. n is name and d is delimiter */
2730 static void
print_stat_block(RES * ssl,char * n,char * d,struct nsdst * st)2731 print_stat_block(RES* ssl, char* n, char* d, struct nsdst* st)
2732 {
2733 const char* rcstr[] = {"NOERROR", "FORMERR", "SERVFAIL", "NXDOMAIN",
2734 "NOTIMP", "REFUSED", "YXDOMAIN", "YXRRSET", "NXRRSET", "NOTAUTH",
2735 "NOTZONE", "RCODE11", "RCODE12", "RCODE13", "RCODE14", "RCODE15",
2736 "BADVERS"
2737 };
2738 size_t i;
2739 for(i=0; i<= 255; i++) {
2740 if(inhibit_zero && st->qtype[i] == 0 &&
2741 strncmp(rrtype_to_string(i), "TYPE", 4) == 0)
2742 continue;
2743 if(!ssl_printf(ssl, "%s%snum.type.%s=%lu\n", n, d,
2744 rrtype_to_string(i), (unsigned long)st->qtype[i]))
2745 return;
2746 }
2747
2748 /* opcode */
2749 for(i=0; i<6; i++) {
2750 if(inhibit_zero && st->opcode[i] == 0 && i != OPCODE_QUERY)
2751 continue;
2752 if(!ssl_printf(ssl, "%s%snum.opcode.%s=%lu\n", n, d,
2753 opcode2str(i), (unsigned long)st->opcode[i]))
2754 return;
2755 }
2756
2757 /* qclass */
2758 for(i=0; i<4; i++) {
2759 if(inhibit_zero && st->qclass[i] == 0 && i != CLASS_IN)
2760 continue;
2761 if(!ssl_printf(ssl, "%s%snum.class.%s=%lu\n", n, d,
2762 rrclass_to_string(i), (unsigned long)st->qclass[i]))
2763 return;
2764 }
2765
2766 /* rcode */
2767 for(i=0; i<17; i++) {
2768 if(inhibit_zero && st->rcode[i] == 0 &&
2769 i > RCODE_YXDOMAIN) /* NSD does not use larger */
2770 continue;
2771 if(!ssl_printf(ssl, "%s%snum.rcode.%s=%lu\n", n, d, rcstr[i],
2772 (unsigned long)st->rcode[i]))
2773 return;
2774 }
2775
2776 /* edns */
2777 if(!ssl_printf(ssl, "%s%snum.edns=%lu\n", n, d, (unsigned long)st->edns))
2778 return;
2779
2780 /* ednserr */
2781 if(!ssl_printf(ssl, "%s%snum.ednserr=%lu\n", n, d,
2782 (unsigned long)st->ednserr))
2783 return;
2784
2785 /* qudp */
2786 if(!ssl_printf(ssl, "%s%snum.udp=%lu\n", n, d, (unsigned long)st->qudp))
2787 return;
2788 /* qudp6 */
2789 if(!ssl_printf(ssl, "%s%snum.udp6=%lu\n", n, d, (unsigned long)st->qudp6))
2790 return;
2791 /* ctcp */
2792 if(!ssl_printf(ssl, "%s%snum.tcp=%lu\n", n, d, (unsigned long)st->ctcp))
2793 return;
2794 /* ctcp6 */
2795 if(!ssl_printf(ssl, "%s%snum.tcp6=%lu\n", n, d, (unsigned long)st->ctcp6))
2796 return;
2797 /* ctls */
2798 if(!ssl_printf(ssl, "%s%snum.tls=%lu\n", n, d, (unsigned long)st->ctls))
2799 return;
2800 /* ctls6 */
2801 if(!ssl_printf(ssl, "%s%snum.tls6=%lu\n", n, d, (unsigned long)st->ctls6))
2802 return;
2803
2804 /* nona */
2805 if(!ssl_printf(ssl, "%s%snum.answer_wo_aa=%lu\n", n, d,
2806 (unsigned long)st->nona))
2807 return;
2808
2809 /* rxerr */
2810 if(!ssl_printf(ssl, "%s%snum.rxerr=%lu\n", n, d, (unsigned long)st->rxerr))
2811 return;
2812
2813 /* txerr */
2814 if(!ssl_printf(ssl, "%s%snum.txerr=%lu\n", n, d, (unsigned long)st->txerr))
2815 return;
2816
2817 /* number of requested-axfr, number of times axfr served to clients */
2818 if(!ssl_printf(ssl, "%s%snum.raxfr=%lu\n", n, d, (unsigned long)st->raxfr))
2819 return;
2820
2821 /* number of requested-ixfr, number of times ixfr served to clients */
2822 if(!ssl_printf(ssl, "%s%snum.rixfr=%lu\n", n, d, (unsigned long)st->rixfr))
2823 return;
2824
2825 /* truncated */
2826 if(!ssl_printf(ssl, "%s%snum.truncated=%lu\n", n, d,
2827 (unsigned long)st->truncated))
2828 return;
2829
2830 /* dropped */
2831 if(!ssl_printf(ssl, "%s%snum.dropped=%lu\n", n, d,
2832 (unsigned long)st->dropped))
2833 return;
2834 }
2835
2836 #ifdef USE_ZONE_STATS
2837 static void
resize_zonestat(xfrd_state_type * xfrd,size_t num)2838 resize_zonestat(xfrd_state_type* xfrd, size_t num)
2839 {
2840 struct nsdst** a = xalloc_array_zero(num, sizeof(struct nsdst*));
2841 if(xfrd->zonestat_clear_num != 0)
2842 memcpy(a, xfrd->zonestat_clear, xfrd->zonestat_clear_num
2843 * sizeof(struct nsdst*));
2844 free(xfrd->zonestat_clear);
2845 xfrd->zonestat_clear = a;
2846 xfrd->zonestat_clear_num = num;
2847 }
2848
2849 static void
zonestat_print(RES * ssl,xfrd_state_type * xfrd,int clear,struct nsdst ** zonestats)2850 zonestat_print(RES* ssl, xfrd_state_type* xfrd, int clear,
2851 struct nsdst** zonestats)
2852 {
2853 struct zonestatname* n;
2854 struct nsdst stat0, stat1;
2855 RBTREE_FOR(n, struct zonestatname*, xfrd->nsd->options->zonestatnames){
2856 char* name = (char*)n->node.key;
2857 if(n->id >= xfrd->zonestat_safe)
2858 continue; /* newly allocated and reload has not yet
2859 done and replied with new size */
2860 if(name == NULL || name[0]==0)
2861 continue; /* empty name, do not output */
2862 /* the statistics are stored in two blocks, during reload
2863 * the newly forked processes get the other block to use,
2864 * these blocks are mmapped and are currently in use to
2865 * add statistics to */
2866 memcpy(&stat0, &zonestats[0][n->id], sizeof(stat0));
2867 memcpy(&stat1, &zonestats[1][n->id], sizeof(stat1));
2868 stats_add(&stat0, &stat1);
2869
2870 /* save a copy of current (cumulative) stats in stat1 */
2871 memcpy(&stat1, &stat0, sizeof(stat1));
2872 /* subtract last total of stats that was 'cleared' */
2873 if(n->id < xfrd->zonestat_clear_num &&
2874 xfrd->zonestat_clear[n->id])
2875 stats_subtract(&stat0, xfrd->zonestat_clear[n->id]);
2876 if(clear) {
2877 /* extend storage array if needed */
2878 if(n->id >= xfrd->zonestat_clear_num) {
2879 if(n->id+1 < xfrd->nsd->options->zonestatnames->count)
2880 resize_zonestat(xfrd, xfrd->nsd->options->zonestatnames->count);
2881 else
2882 resize_zonestat(xfrd, n->id+1);
2883 }
2884 if(!xfrd->zonestat_clear[n->id])
2885 xfrd->zonestat_clear[n->id] = xalloc(
2886 sizeof(struct nsdst));
2887 /* store last total of stats */
2888 memcpy(xfrd->zonestat_clear[n->id], &stat1,
2889 sizeof(struct nsdst));
2890 }
2891
2892 /* stat0 contains the details that we want to print */
2893 if(!ssl_printf(ssl, "%s%snum.queries=%lu\n", name, ".",
2894 (unsigned long)(stat0.qudp + stat0.qudp6 + stat0.ctcp +
2895 stat0.ctcp6 + stat0.ctls + stat0.ctls6)))
2896 return;
2897 print_stat_block(ssl, name, ".", &stat0);
2898 }
2899 }
2900 #endif /* USE_ZONE_STATS */
2901
2902 static void
print_stats(RES * ssl,xfrd_state_type * xfrd,struct timeval * now,int clear,struct nsdst * st,struct nsdst ** zonestats)2903 print_stats(RES* ssl, xfrd_state_type* xfrd, struct timeval* now, int clear,
2904 struct nsdst* st, struct nsdst** zonestats)
2905 {
2906 size_t i;
2907 stc_type total = 0;
2908 struct timeval elapsed, uptime;
2909
2910 /* per CPU and total */
2911 for(i=0; i<xfrd->nsd->child_count; i++) {
2912 if(!ssl_printf(ssl, "server%d.queries=%lu\n", (int)i,
2913 (unsigned long)xfrd->nsd->children[i].query_count))
2914 return;
2915 total += xfrd->nsd->children[i].query_count;
2916 }
2917 if(!ssl_printf(ssl, "num.queries=%lu\n", (unsigned long)total))
2918 return;
2919
2920 /* time elapsed and uptime (in seconds) */
2921 timeval_subtract(&uptime, now, &xfrd->nsd->rc->boot_time);
2922 timeval_subtract(&elapsed, now, &xfrd->nsd->rc->stats_time);
2923 if(!ssl_printf(ssl, "time.boot=%lu.%6.6lu\n",
2924 (unsigned long)uptime.tv_sec, (unsigned long)uptime.tv_usec))
2925 return;
2926 if(!ssl_printf(ssl, "time.elapsed=%lu.%6.6lu\n",
2927 (unsigned long)elapsed.tv_sec, (unsigned long)elapsed.tv_usec))
2928 return;
2929
2930 /* mem info, database on disksize */
2931 if(!print_longnum(ssl, "size.db.disk=", st->db_disk))
2932 return;
2933 if(!print_longnum(ssl, "size.db.mem=", st->db_mem))
2934 return;
2935 if(!print_longnum(ssl, "size.xfrd.mem=", region_get_mem(xfrd->region)))
2936 return;
2937 if(!print_longnum(ssl, "size.config.disk=",
2938 xfrd->nsd->options->zonelist_off))
2939 return;
2940 if(!print_longnum(ssl, "size.config.mem=", region_get_mem(
2941 xfrd->nsd->options->region)))
2942 return;
2943 print_stat_block(ssl, "", "", st);
2944
2945 /* zone statistics */
2946 if(!ssl_printf(ssl, "zone.primary=%lu\n",
2947 (unsigned long)(xfrd->notify_zones->count - xfrd->zones->count)))
2948 return;
2949 if(!ssl_printf(ssl, "zone.secondary=%lu\n", (unsigned long)xfrd->zones->count))
2950 return;
2951 if(!ssl_printf(ssl, "zone.master=%lu\n",
2952 (unsigned long)(xfrd->notify_zones->count - xfrd->zones->count)))
2953 return;
2954 if(!ssl_printf(ssl, "zone.slave=%lu\n", (unsigned long)xfrd->zones->count))
2955 return;
2956 #ifdef USE_ZONE_STATS
2957 zonestat_print(ssl, xfrd, clear, zonestats); /* per-zone statistics */
2958 #else
2959 (void)clear; (void)zonestats;
2960 #endif
2961 }
2962
2963 /* allocate stats temp arrays, for taking a coherent snapshot of the
2964 * statistics values at that time. */
2965 static void
process_stats_alloc(xfrd_state_type * xfrd,struct nsdst ** stats,struct nsdst ** zonestats)2966 process_stats_alloc(xfrd_state_type* xfrd, struct nsdst** stats,
2967 struct nsdst** zonestats)
2968 {
2969 *stats = xmallocarray(xfrd->nsd->child_count*2, sizeof(struct nsdst));
2970 #ifdef USE_ZONE_STATS
2971 zonestats[0] = xmallocarray(xfrd->zonestat_safe, sizeof(struct nsdst));
2972 zonestats[1] = xmallocarray(xfrd->zonestat_safe, sizeof(struct nsdst));
2973 #else
2974 (void)zonestats;
2975 #endif
2976 }
2977
2978 /* grab a copy of the statistics, at this particular time. */
2979 static void
process_stats_grab(xfrd_state_type * xfrd,struct timeval * stattime,struct nsdst * stats,struct nsdst ** zonestats)2980 process_stats_grab(xfrd_state_type* xfrd, struct timeval* stattime,
2981 struct nsdst* stats, struct nsdst** zonestats)
2982 {
2983 if(gettimeofday(stattime, NULL) == -1)
2984 log_msg(LOG_ERR, "gettimeofday: %s", strerror(errno));
2985 memcpy(stats, xfrd->nsd->stat_map,
2986 xfrd->nsd->child_count*2*sizeof(struct nsdst));
2987 #ifdef USE_ZONE_STATS
2988 memcpy(zonestats[0], xfrd->nsd->zonestat[0],
2989 xfrd->zonestat_safe*sizeof(struct nsdst));
2990 memcpy(zonestats[1], xfrd->nsd->zonestat[1],
2991 xfrd->zonestat_safe*sizeof(struct nsdst));
2992 #else
2993 (void)zonestats;
2994 #endif
2995 }
2996
2997 /* add the old and new processes stat values into the first part of the
2998 * array of stats */
2999 static void
process_stats_add_old_new(xfrd_state_type * xfrd,struct nsdst * stats)3000 process_stats_add_old_new(xfrd_state_type* xfrd, struct nsdst* stats)
3001 {
3002 size_t i;
3003 uint64_t dbd = stats[0].db_disk;
3004 uint64_t dbm = stats[0].db_mem;
3005 /* The old and new server processes have separate stat blocks,
3006 * and these are added up together. This results in the statistics
3007 * values per server-child. The reload task briefly forks both
3008 * old and new server processes. */
3009 for(i=0; i<xfrd->nsd->child_count; i++) {
3010 stats_add(&stats[i], &stats[xfrd->nsd->child_count+i]);
3011 }
3012 stats[0].db_disk = dbd;
3013 stats[0].db_mem = dbm;
3014 }
3015
3016 /* manage clearing of stats, a cumulative count of cleared statistics */
3017 static void
process_stats_manage_clear(xfrd_state_type * xfrd,struct nsdst * stats,int peek)3018 process_stats_manage_clear(xfrd_state_type* xfrd, struct nsdst* stats,
3019 int peek)
3020 {
3021 struct nsdst st;
3022 size_t i;
3023 if(peek) {
3024 /* Subtract the earlier resetted values from the numbers,
3025 * but do not reset the values that are retrieved now. */
3026 if(!xfrd->stat_clear)
3027 return; /* nothing to subtract */
3028 for(i=0; i<xfrd->nsd->child_count; i++) {
3029 /* subtract cumulative count that has been reset */
3030 stats_subtract(&stats[i], &xfrd->stat_clear[i]);
3031 }
3032 return;
3033 }
3034 if(!xfrd->stat_clear)
3035 xfrd->stat_clear = region_alloc_zero(xfrd->region,
3036 sizeof(struct nsdst)*xfrd->nsd->child_count);
3037 for(i=0; i<xfrd->nsd->child_count; i++) {
3038 /* store cumulative count copy */
3039 memcpy(&st, &stats[i], sizeof(st));
3040 /* subtract cumulative count that has been reset */
3041 stats_subtract(&stats[i], &xfrd->stat_clear[i]);
3042 /* store cumulative count in the cleared value array */
3043 memcpy(&xfrd->stat_clear[i], &st, sizeof(st));
3044 }
3045 }
3046
3047 /* add up the statistics to get the total over the server children. */
3048 static void
process_stats_add_total(xfrd_state_type * xfrd,struct nsdst * total,struct nsdst * stats)3049 process_stats_add_total(xfrd_state_type* xfrd, struct nsdst* total,
3050 struct nsdst* stats)
3051 {
3052 size_t i;
3053 /* copy over the first one, with also the nonadded values. */
3054 memcpy(total, &stats[0], sizeof(*total));
3055 xfrd->nsd->children[0].query_count = stats[0].qudp + stats[0].qudp6
3056 + stats[0].ctcp + stats[0].ctcp6 + stats[0].ctls
3057 + stats[0].ctls6;
3058 for(i=1; i<xfrd->nsd->child_count; i++) {
3059 stats_add(total, &stats[i]);
3060 xfrd->nsd->children[i].query_count = stats[i].qudp
3061 + stats[i].qudp6 + stats[i].ctcp + stats[i].ctcp6
3062 + stats[i].ctls + stats[i].ctls6;
3063 }
3064 }
3065
3066 /* process the statistics and output them */
3067 static void
process_stats(RES * ssl,xfrd_state_type * xfrd,int peek)3068 process_stats(RES* ssl, xfrd_state_type* xfrd, int peek)
3069 {
3070 struct timeval stattime;
3071 struct nsdst* stats, *zonestats[2], total;
3072
3073 process_stats_alloc(xfrd, &stats, zonestats);
3074 process_stats_grab(xfrd, &stattime, stats, zonestats);
3075 process_stats_add_old_new(xfrd, stats);
3076 process_stats_manage_clear(xfrd, stats, peek);
3077 process_stats_add_total(xfrd, &total, stats);
3078 print_stats(ssl, xfrd, &stattime, !peek, &total, zonestats);
3079 if(!peek) {
3080 xfrd->nsd->rc->stats_time = stattime;
3081 }
3082
3083 free(stats);
3084 #ifdef USE_ZONE_STATS
3085 free(zonestats[0]);
3086 free(zonestats[1]);
3087 #endif
3088
3089 VERBOSITY(3, (LOG_INFO, "remote control stats printed"));
3090 }
3091 #endif /* BIND8_STATS */
3092
3093 int
create_local_accept_sock(const char * path,int * noproto)3094 create_local_accept_sock(const char *path, int* noproto)
3095 {
3096 #ifdef HAVE_SYS_UN_H
3097 int s;
3098 struct sockaddr_un usock;
3099
3100 VERBOSITY(3, (LOG_INFO, "creating unix socket %s", path));
3101 #ifdef HAVE_STRUCT_SOCKADDR_UN_SUN_LEN
3102 /* this member exists on BSDs, not Linux */
3103 usock.sun_len = (unsigned)sizeof(usock);
3104 #endif
3105 usock.sun_family = AF_LOCAL;
3106 /* length is 92-108, 104 on FreeBSD */
3107 (void)strlcpy(usock.sun_path, path, sizeof(usock.sun_path));
3108
3109 if ((s = socket(AF_LOCAL, SOCK_STREAM, 0)) == -1) {
3110 log_msg(LOG_ERR, "Cannot create local socket %s (%s)",
3111 path, strerror(errno));
3112 return -1;
3113 }
3114
3115 if (unlink(path) && errno != ENOENT) {
3116 /* The socket already exists and cannot be removed */
3117 log_msg(LOG_ERR, "Cannot remove old local socket %s (%s)",
3118 path, strerror(errno));
3119 goto err;
3120 }
3121
3122 if (bind(s, (struct sockaddr *)&usock,
3123 (socklen_t)sizeof(struct sockaddr_un)) == -1) {
3124 log_msg(LOG_ERR, "Cannot bind local socket %s (%s)",
3125 path, strerror(errno));
3126 goto err;
3127 }
3128
3129 if (fcntl(s, F_SETFL, O_NONBLOCK) == -1) {
3130 log_msg(LOG_ERR, "Cannot set non-blocking mode");
3131 goto err;
3132 }
3133
3134 if (listen(s, TCP_BACKLOG) == -1) {
3135 log_msg(LOG_ERR, "can't listen: %s", strerror(errno));
3136 goto err;
3137 }
3138
3139 (void)noproto; /*unused*/
3140 return s;
3141
3142 err:
3143 close(s);
3144 return -1;
3145
3146 #else
3147 (void)path;
3148 log_msg(LOG_ERR, "Local sockets are not supported");
3149 *noproto = 1;
3150 return -1;
3151 #endif
3152 }
3153