1 /* 2 * remote.c - remote control for the NSD daemon. 3 * 4 * Copyright (c) 2008, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * Redistributions of source code must retain the above copyright notice, 13 * this list of conditions and the following disclaimer. 14 * 15 * Redistributions in binary form must reproduce the above copyright notice, 16 * this list of conditions and the following disclaimer in the documentation 17 * and/or other materials provided with the distribution. 18 * 19 * Neither the name of the NLNET LABS nor the names of its contributors may 20 * be used to endorse or promote products derived from this software without 21 * specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36 /** 37 * \file 38 * 39 * This file contains the remote control functionality for the daemon. 40 * The remote control can be performed using either the commandline 41 * nsd-control tool, or a TLS capable web browser. 42 * The channel is secured using TLSv1, and certificates. 43 * Both the server and the client(control tool) have their own keys. 44 */ 45 #include "config.h" 46 #ifdef HAVE_SSL 47 48 #ifdef HAVE_OPENSSL_SSL_H 49 #include "openssl/ssl.h" 50 #endif 51 #ifdef HAVE_OPENSSL_ERR_H 52 #include <openssl/err.h> 53 #endif 54 #ifdef HAVE_OPENSSL_RAND_H 55 #include <openssl/rand.h> 56 #endif 57 #include <ctype.h> 58 #include <unistd.h> 59 #include <assert.h> 60 #include <fcntl.h> 61 #ifndef USE_MINI_EVENT 62 # ifdef HAVE_EVENT_H 63 # include <event.h> 64 # else 65 # include <event2/event.h> 66 # include "event2/event_struct.h" 67 # include "event2/event_compat.h" 68 # endif 69 #else 70 # include "mini_event.h" 71 #endif 72 #include "remote.h" 73 #include "util.h" 74 #include "xfrd.h" 75 #include "xfrd-notify.h" 76 #include "xfrd-tcp.h" 77 #include "nsd.h" 78 #include "options.h" 79 #include "difffile.h" 80 #include "ipc.h" 81 82 #ifdef HAVE_SYS_TYPES_H 83 # include <sys/types.h> 84 #endif 85 #ifdef HAVE_SYS_STAT_H 86 # include <sys/stat.h> 87 #endif 88 #ifdef HAVE_NETDB_H 89 # include <netdb.h> 90 #endif 91 #ifdef HAVE_SYS_UN_H 92 # include <sys/un.h> 93 #endif 94 95 /** number of seconds timeout on incoming remote control handshake */ 96 #define REMOTE_CONTROL_TCP_TIMEOUT 120 97 98 /** repattern to master or slave */ 99 #define REPAT_SLAVE 1 100 #define REPAT_MASTER 2 101 102 /** if you want zero to be inhibited in stats output. 103 * it omits zeroes for types that have no acronym and unused-rcodes */ 104 const int inhibit_zero = 1; 105 106 /** 107 * a busy control command connection, SSL state 108 * Defined here to keep the definition private, and keep SSL out of the .h 109 */ 110 struct rc_state { 111 /** the next item in list */ 112 struct rc_state* next, *prev; 113 /* if the event was added to the event_base */ 114 int event_added; 115 /** the commpoint */ 116 struct event c; 117 /** timeout for this state */ 118 struct timeval tval; 119 /** in the handshake part */ 120 enum { rc_none, rc_hs_read, rc_hs_write } shake_state; 121 /** the ssl state */ 122 SSL* ssl; 123 /** file descriptor */ 124 int fd; 125 /** the rc this is part of */ 126 struct daemon_remote* rc; 127 /** stats list next item */ 128 struct rc_state* stats_next; 129 /** stats list indicator (0 is not part of stats list, 1 is stats, 130 * 2 is stats_noreset. */ 131 int in_stats_list; 132 }; 133 134 /** 135 * list of events for accepting connections 136 */ 137 struct acceptlist { 138 struct acceptlist* next; 139 int event_added; 140 struct event c; 141 char* ident; 142 struct daemon_remote* rc; 143 }; 144 145 /** 146 * The remote control state. 147 */ 148 struct daemon_remote { 149 /** the master process for this remote control */ 150 struct xfrd_state* xfrd; 151 /** commpoints for accepting remote control connections */ 152 struct acceptlist* accept_list; 153 /* if certificates are used */ 154 int use_cert; 155 /** number of active commpoints that are handling remote control */ 156 int active; 157 /** max active commpoints */ 158 int max_active; 159 /** current commpoints busy; double linked, malloced */ 160 struct rc_state* busy_list; 161 /** commpoints waiting for stats to complete (also in busy_list) */ 162 struct rc_state* stats_list; 163 /** last time stats was reported */ 164 struct timeval stats_time, boot_time; 165 /** the SSL context for creating new SSL streams */ 166 SSL_CTX* ctx; 167 }; 168 169 /** 170 * Connection to print to, either SSL or plain over fd 171 */ 172 struct remote_stream { 173 /** SSL structure, nonNULL if using SSL */ 174 SSL* ssl; 175 /** file descriptor for plain transfer */ 176 int fd; 177 }; 178 typedef struct remote_stream RES; 179 180 /** 181 * Print fixed line of text over ssl connection in blocking mode 182 * @param res: print to 183 * @param text: the text. 184 * @return false on connection failure. 185 */ 186 static int ssl_print_text(RES* res, const char* text); 187 188 /** 189 * printf style printing to the ssl connection 190 * @param res: the RES connection to print to. Blocking. 191 * @param format: printf style format string. 192 * @return success or false on a network failure. 193 */ 194 static int ssl_printf(RES* res, const char* format, ...) 195 ATTR_FORMAT(printf, 2, 3); 196 197 /** 198 * Read until \n is encountered 199 * If stream signals EOF, the string up to then is returned (without \n). 200 * @param res: the RES connection to read from. blocking. 201 * @param buf: buffer to read to. 202 * @param max: size of buffer. 203 * @return false on connection failure. 204 */ 205 static int ssl_read_line(RES* res, char* buf, size_t max); 206 207 /** perform the accept of a new remote control connection */ 208 static void 209 remote_accept_callback(int fd, short event, void* arg); 210 211 /** perform remote control */ 212 static void 213 remote_control_callback(int fd, short event, void* arg); 214 215 216 /** ---- end of private defines ---- **/ 217 218 219 /** log ssl crypto err */ 220 static void 221 log_crypto_err(const char* str) 222 { 223 /* error:[error code]:[library name]:[function name]:[reason string] */ 224 char buf[128]; 225 unsigned long e; 226 ERR_error_string_n(ERR_get_error(), buf, sizeof(buf)); 227 log_msg(LOG_ERR, "%s crypto %s", str, buf); 228 while( (e=ERR_get_error()) ) { 229 ERR_error_string_n(e, buf, sizeof(buf)); 230 log_msg(LOG_ERR, "and additionally crypto %s", buf); 231 } 232 } 233 234 #ifdef BIND8_STATS 235 /** subtract timers and the values do not overflow or become negative */ 236 static void 237 timeval_subtract(struct timeval* d, const struct timeval* end, 238 const struct timeval* start) 239 { 240 #ifndef S_SPLINT_S 241 time_t end_usec = end->tv_usec; 242 d->tv_sec = end->tv_sec - start->tv_sec; 243 if(end_usec < start->tv_usec) { 244 end_usec += 1000000; 245 d->tv_sec--; 246 } 247 d->tv_usec = end_usec - start->tv_usec; 248 #endif 249 } 250 #endif /* BIND8_STATS */ 251 252 static int 253 remote_setup_ctx(struct daemon_remote* rc, struct nsd_options* cfg) 254 { 255 char* s_cert = cfg->server_cert_file; 256 char* s_key = cfg->server_key_file; 257 rc->ctx = server_tls_ctx_setup(s_key, s_cert, s_cert); 258 if(!rc->ctx) { 259 log_msg(LOG_ERR, "could not setup remote control TLS context"); 260 return 0; 261 } 262 return 1; 263 } 264 265 struct daemon_remote* 266 daemon_remote_create(struct nsd_options* cfg) 267 { 268 struct daemon_remote* rc = (struct daemon_remote*)xalloc_zero( 269 sizeof(*rc)); 270 rc->max_active = 10; 271 assert(cfg->control_enable); 272 273 if(options_remote_is_address(cfg)) { 274 if(!remote_setup_ctx(rc, cfg)) { 275 daemon_remote_delete(rc); 276 return NULL; 277 } 278 rc->use_cert = 1; 279 } else { 280 struct ip_address_option* o; 281 rc->ctx = NULL; 282 rc->use_cert = 0; 283 for(o = cfg->control_interface; o; o = o->next) { 284 if(o->address && o->address[0] != '/') 285 log_msg(LOG_WARNING, "control-interface %s is not using TLS, but plain transfer, because first control-interface in config file is a local socket (starts with a /).", o->address); 286 } 287 } 288 289 /* and try to open the ports */ 290 if(!daemon_remote_open_ports(rc, cfg)) { 291 log_msg(LOG_ERR, "could not open remote control port"); 292 daemon_remote_delete(rc); 293 return NULL; 294 } 295 296 if(gettimeofday(&rc->boot_time, NULL) == -1) 297 log_msg(LOG_ERR, "gettimeofday: %s", strerror(errno)); 298 rc->stats_time = rc->boot_time; 299 300 return rc; 301 } 302 303 void daemon_remote_close(struct daemon_remote* rc) 304 { 305 struct rc_state* p, *np; 306 struct acceptlist* h, *nh; 307 if(!rc) return; 308 309 /* close listen sockets */ 310 h = rc->accept_list; 311 while(h) { 312 nh = h->next; 313 if(h->event_added) 314 event_del(&h->c); 315 close(h->c.ev_fd); 316 free(h->ident); 317 free(h); 318 h = nh; 319 } 320 rc->accept_list = NULL; 321 322 /* close busy connection sockets */ 323 p = rc->busy_list; 324 while(p) { 325 np = p->next; 326 if(p->event_added) 327 event_del(&p->c); 328 if(p->ssl) 329 SSL_free(p->ssl); 330 close(p->c.ev_fd); 331 free(p); 332 p = np; 333 } 334 rc->busy_list = NULL; 335 rc->active = 0; 336 } 337 338 void daemon_remote_delete(struct daemon_remote* rc) 339 { 340 if(!rc) return; 341 daemon_remote_close(rc); 342 if(rc->ctx) { 343 SSL_CTX_free(rc->ctx); 344 } 345 free(rc); 346 } 347 348 static int 349 create_tcp_accept_sock(struct addrinfo* addr, int* noproto) 350 { 351 #if defined(SO_REUSEADDR) || (defined(INET6) && (defined(IPV6_V6ONLY) || defined(IPV6_USE_MIN_MTU) || defined(IPV6_MTU))) 352 int on = 1; 353 #endif 354 int s; 355 *noproto = 0; 356 if ((s = socket(addr->ai_family, addr->ai_socktype, 0)) == -1) { 357 #if defined(INET6) 358 if (addr->ai_family == AF_INET6 && 359 errno == EAFNOSUPPORT) { 360 *noproto = 1; 361 log_msg(LOG_WARNING, "fallback to TCP4, no IPv6: not supported"); 362 return -1; 363 } 364 #endif /* INET6 */ 365 log_msg(LOG_ERR, "can't create a socket: %s", strerror(errno)); 366 return -1; 367 } 368 #ifdef SO_REUSEADDR 369 if (setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) < 0) { 370 log_msg(LOG_ERR, "setsockopt(..., SO_REUSEADDR, ...) failed: %s", strerror(errno)); 371 } 372 #endif /* SO_REUSEADDR */ 373 #if defined(INET6) && defined(IPV6_V6ONLY) 374 if (addr->ai_family == AF_INET6 && 375 setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)) < 0) 376 { 377 log_msg(LOG_ERR, "setsockopt(..., IPV6_V6ONLY, ...) failed: %s", strerror(errno)); 378 close(s); 379 return -1; 380 } 381 #endif 382 /* set it nonblocking */ 383 /* (StevensUNP p463), if tcp listening socket is blocking, then 384 it may block in accept, even if select() says readable. */ 385 if (fcntl(s, F_SETFL, O_NONBLOCK) == -1) { 386 log_msg(LOG_ERR, "cannot fcntl tcp: %s", strerror(errno)); 387 } 388 /* Bind it... */ 389 if (bind(s, (struct sockaddr *)addr->ai_addr, addr->ai_addrlen) != 0) { 390 log_msg(LOG_ERR, "can't bind tcp socket: %s", strerror(errno)); 391 close(s); 392 return -1; 393 } 394 /* Listen to it... */ 395 if (listen(s, TCP_BACKLOG_REMOTE) == -1) { 396 log_msg(LOG_ERR, "can't listen: %s", strerror(errno)); 397 close(s); 398 return -1; 399 } 400 return s; 401 } 402 403 /** 404 * Add and open a new control port 405 * @param rc: rc with result list. 406 * @param ip: ip str 407 * @param nr: port nr 408 * @param noproto_is_err: if lack of protocol support is an error. 409 * @return false on failure. 410 */ 411 static int 412 add_open(struct daemon_remote* rc, struct nsd_options* cfg, const char* ip, 413 int nr, int noproto_is_err) 414 { 415 struct addrinfo hints; 416 struct addrinfo* res; 417 struct acceptlist* hl; 418 int noproto = 0; 419 int fd, r; 420 char port[15]; 421 snprintf(port, sizeof(port), "%d", nr); 422 port[sizeof(port)-1]=0; 423 memset(&hints, 0, sizeof(hints)); 424 assert(ip); 425 426 if(ip[0] == '/') { 427 /* This looks like a local socket */ 428 fd = create_local_accept_sock(ip, &noproto); 429 /* 430 * Change socket ownership and permissions so users other 431 * than root can access it provided they are in the same 432 * group as the user we run as. 433 */ 434 if(fd != -1) { 435 #ifdef HAVE_CHOWN 436 if (cfg->username && cfg->username[0] && 437 nsd.uid != (uid_t)-1) { 438 if(chown(ip, nsd.uid, nsd.gid) == -1) 439 VERBOSITY(2, (LOG_INFO, "cannot chown %u.%u %s: %s", 440 (unsigned)nsd.uid, (unsigned)nsd.gid, 441 ip, strerror(errno))); 442 } 443 if(chmod(ip, (mode_t)(S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP)) == -1) { 444 VERBOSITY(3, (LOG_INFO, "cannot chmod control socket %s: %s", ip, strerror(errno))); 445 } 446 #else 447 (void)cfg; 448 #endif 449 } 450 } else { 451 hints.ai_socktype = SOCK_STREAM; 452 hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST; 453 /* if we had no interface ip name, "default" is what we 454 * would do getaddrinfo for. */ 455 if((r = getaddrinfo(ip, port, &hints, &res)) != 0 || !res) { 456 log_msg(LOG_ERR, "control interface %s:%s getaddrinfo: %s %s", 457 ip, port, gai_strerror(r), 458 #ifdef EAI_SYSTEM 459 r==EAI_SYSTEM?(char*)strerror(errno):"" 460 #else 461 "" 462 #endif 463 ); 464 return 0; 465 } 466 467 /* open fd */ 468 fd = create_tcp_accept_sock(res, &noproto); 469 freeaddrinfo(res); 470 } 471 472 if(fd == -1 && noproto) { 473 if(!noproto_is_err) 474 return 1; /* return success, but do nothing */ 475 log_msg(LOG_ERR, "cannot open control interface %s %d : " 476 "protocol not supported", ip, nr); 477 return 0; 478 } 479 if(fd == -1) { 480 log_msg(LOG_ERR, "cannot open control interface %s %d", ip, nr); 481 return 0; 482 } 483 484 /* alloc */ 485 hl = (struct acceptlist*)xalloc_zero(sizeof(*hl)); 486 hl->rc = rc; 487 hl->ident = strdup(ip); 488 if(!hl->ident) { 489 log_msg(LOG_ERR, "malloc failure"); 490 close(fd); 491 free(hl); 492 return 0; 493 } 494 hl->next = rc->accept_list; 495 rc->accept_list = hl; 496 497 hl->c.ev_fd = fd; 498 hl->event_added = 0; 499 return 1; 500 } 501 502 int 503 daemon_remote_open_ports(struct daemon_remote* rc, struct nsd_options* cfg) 504 { 505 assert(cfg->control_enable && cfg->control_port); 506 if(cfg->control_interface) { 507 ip_address_option_type* p; 508 for(p = cfg->control_interface; p; p = p->next) { 509 if(!add_open(rc, cfg, p->address, cfg->control_port, 1)) { 510 return 0; 511 } 512 } 513 } else { 514 /* defaults */ 515 if(cfg->do_ip6 && !add_open(rc, cfg, "::1", cfg->control_port, 0)) { 516 return 0; 517 } 518 if(cfg->do_ip4 && 519 !add_open(rc, cfg, "127.0.0.1", cfg->control_port, 1)) { 520 return 0; 521 } 522 } 523 return 1; 524 } 525 526 void 527 daemon_remote_attach(struct daemon_remote* rc, struct xfrd_state* xfrd) 528 { 529 int fd; 530 struct acceptlist* p; 531 if(!rc) return; 532 rc->xfrd = xfrd; 533 for(p = rc->accept_list; p; p = p->next) { 534 /* add event */ 535 fd = p->c.ev_fd; 536 memset(&p->c, 0, sizeof(p->c)); 537 event_set(&p->c, fd, EV_PERSIST|EV_READ, remote_accept_callback, 538 p); 539 if(event_base_set(xfrd->event_base, &p->c) != 0) 540 log_msg(LOG_ERR, "remote: cannot set event_base"); 541 if(event_add(&p->c, NULL) != 0) 542 log_msg(LOG_ERR, "remote: cannot add event"); 543 p->event_added = 1; 544 } 545 } 546 547 static void 548 remote_accept_callback(int fd, short event, void* arg) 549 { 550 struct acceptlist *hl = (struct acceptlist*)arg; 551 struct daemon_remote *rc = hl->rc; 552 #ifdef INET6 553 struct sockaddr_storage addr; 554 #else 555 struct sockaddr_in addr; 556 #endif 557 socklen_t addrlen; 558 int newfd; 559 struct rc_state* n; 560 561 if (!(event & EV_READ)) { 562 return; 563 } 564 565 /* perform the accept */ 566 addrlen = sizeof(addr); 567 #ifndef HAVE_ACCEPT4 568 newfd = accept(fd, (struct sockaddr*)&addr, &addrlen); 569 #else 570 newfd = accept4(fd, (struct sockaddr*)&addr, &addrlen, SOCK_NONBLOCK); 571 #endif 572 if(newfd == -1) { 573 if ( errno != EINTR 574 && errno != EWOULDBLOCK 575 #ifdef ECONNABORTED 576 && errno != ECONNABORTED 577 #endif /* ECONNABORTED */ 578 #ifdef EPROTO 579 && errno != EPROTO 580 #endif /* EPROTO */ 581 ) { 582 log_msg(LOG_ERR, "accept failed: %s", strerror(errno)); 583 } 584 return; 585 } 586 587 /* create new commpoint unless we are servicing already */ 588 if(rc->active >= rc->max_active) { 589 log_msg(LOG_WARNING, "drop incoming remote control: " 590 "too many connections"); 591 close_exit: 592 close(newfd); 593 return; 594 } 595 596 #ifndef HAVE_ACCEPT4 597 if (fcntl(newfd, F_SETFL, O_NONBLOCK) == -1) { 598 log_msg(LOG_ERR, "fcntl failed: %s", strerror(errno)); 599 goto close_exit; 600 } 601 #endif 602 603 /* setup state to service the remote control command */ 604 n = (struct rc_state*)calloc(1, sizeof(*n)); 605 if(!n) { 606 log_msg(LOG_ERR, "out of memory"); 607 goto close_exit; 608 } 609 610 n->tval.tv_sec = REMOTE_CONTROL_TCP_TIMEOUT; 611 n->tval.tv_usec = 0L; 612 n->fd = newfd; 613 614 memset(&n->c, 0, sizeof(n->c)); 615 event_set(&n->c, newfd, EV_PERSIST|EV_TIMEOUT|EV_READ, 616 remote_control_callback, n); 617 if(event_base_set(xfrd->event_base, &n->c) != 0) { 618 log_msg(LOG_ERR, "remote_accept: cannot set event_base"); 619 free(n); 620 goto close_exit; 621 } 622 if(event_add(&n->c, &n->tval) != 0) { 623 log_msg(LOG_ERR, "remote_accept: cannot add event"); 624 free(n); 625 goto close_exit; 626 } 627 n->event_added = 1; 628 629 if(2 <= verbosity) { 630 if(hl->ident && hl->ident[0] == '/') { 631 VERBOSITY(2, (LOG_INFO, "new control connection from %s", hl->ident)); 632 } else { 633 char s[128]; 634 addr2str(&addr, s, sizeof(s)); 635 VERBOSITY(2, (LOG_INFO, "new control connection from %s", s)); 636 } 637 } 638 639 if(rc->ctx) { 640 n->shake_state = rc_hs_read; 641 n->ssl = SSL_new(rc->ctx); 642 if(!n->ssl) { 643 log_crypto_err("could not SSL_new"); 644 event_del(&n->c); 645 free(n); 646 goto close_exit; 647 } 648 SSL_set_accept_state(n->ssl); 649 (void)SSL_set_mode(n->ssl, SSL_MODE_AUTO_RETRY); 650 if(!SSL_set_fd(n->ssl, newfd)) { 651 log_crypto_err("could not SSL_set_fd"); 652 event_del(&n->c); 653 SSL_free(n->ssl); 654 free(n); 655 goto close_exit; 656 } 657 } else { 658 n->ssl = NULL; 659 } 660 661 n->rc = rc; 662 n->stats_next = NULL; 663 n->in_stats_list = 0; 664 n->prev = NULL; 665 n->next = rc->busy_list; 666 if(n->next) n->next->prev = n; 667 rc->busy_list = n; 668 rc->active ++; 669 670 /* perform the first nonblocking read already, for windows, 671 * so it can return wouldblock. could be faster too. */ 672 remote_control_callback(newfd, EV_READ, n); 673 } 674 675 /** delete from list */ 676 static void 677 state_list_remove_elem(struct rc_state** list, struct rc_state* todel) 678 { 679 if(todel->prev) todel->prev->next = todel->next; 680 else *list = todel->next; 681 if(todel->next) todel->next->prev = todel->prev; 682 } 683 684 /** delete from stats list */ 685 static void 686 stats_list_remove_elem(struct rc_state** list, struct rc_state* todel) 687 { 688 struct rc_state* prev = NULL; 689 struct rc_state* n = *list; 690 while(n) { 691 /* delete this one? */ 692 if(n == todel) { 693 if(prev) prev->next = n->next; 694 else (*list) = n->next; 695 /* go on and delete further elements */ 696 /* prev = prev; */ 697 n = n->next; 698 continue; 699 } 700 701 /* go to the next element */ 702 prev = n; 703 n = n->next; 704 } 705 } 706 707 /** decrease active count and remove commpoint from busy list */ 708 static void 709 clean_point(struct daemon_remote* rc, struct rc_state* s) 710 { 711 if(s->in_stats_list) 712 stats_list_remove_elem(&rc->stats_list, s); 713 state_list_remove_elem(&rc->busy_list, s); 714 rc->active --; 715 if(s->event_added) 716 event_del(&s->c); 717 if(s->ssl) { 718 SSL_shutdown(s->ssl); 719 SSL_free(s->ssl); 720 } 721 close(s->c.ev_fd); 722 free(s); 723 } 724 725 static int 726 ssl_print_text(RES* res, const char* text) 727 { 728 int r; 729 if(!res) 730 return 0; 731 if(res->ssl) { 732 ERR_clear_error(); 733 if((r=SSL_write(res->ssl, text, (int)strlen(text))) <= 0) { 734 if(SSL_get_error(res->ssl, r) == SSL_ERROR_ZERO_RETURN) { 735 VERBOSITY(2, (LOG_WARNING, "in SSL_write, peer " 736 "closed connection")); 737 return 0; 738 } 739 log_crypto_err("could not SSL_write"); 740 return 0; 741 } 742 } else { 743 if(write_socket(res->fd, text, strlen(text)) <= 0) { 744 log_msg(LOG_ERR, "could not write: %s", 745 strerror(errno)); 746 return 0; 747 } 748 } 749 return 1; 750 } 751 752 /** print text over the ssl connection */ 753 static int 754 ssl_print_vmsg(RES* ssl, const char* format, va_list args) 755 { 756 char msg[1024]; 757 vsnprintf(msg, sizeof(msg), format, args); 758 return ssl_print_text(ssl, msg); 759 } 760 761 /** printf style printing to the ssl connection */ 762 static int 763 ssl_printf(RES* ssl, const char* format, ...) 764 { 765 va_list args; 766 int ret; 767 va_start(args, format); 768 ret = ssl_print_vmsg(ssl, format, args); 769 va_end(args); 770 return ret; 771 } 772 773 static int 774 ssl_read_line(RES* res, char* buf, size_t max) 775 { 776 int r; 777 size_t len = 0; 778 if(!res) 779 return 0; 780 while(len < max) { 781 buf[len] = 0; /* terminate for safety and please checkers */ 782 /* this byte is written if we read a byte from the input */ 783 if(res->ssl) { 784 ERR_clear_error(); 785 if((r=SSL_read(res->ssl, buf+len, 1)) <= 0) { 786 if(SSL_get_error(res->ssl, r) == SSL_ERROR_ZERO_RETURN) { 787 buf[len] = 0; 788 return 1; 789 } 790 log_crypto_err("could not SSL_read"); 791 return 0; 792 } 793 } else { 794 while(1) { 795 ssize_t rr = read(res->fd, buf+len, 1); 796 if(rr <= 0) { 797 if(rr == 0) { 798 buf[len] = 0; 799 return 1; 800 } 801 if(errno == EINTR || errno == EAGAIN) 802 continue; 803 log_msg(LOG_ERR, "could not read: %s", 804 strerror(errno)); 805 return 0; 806 } 807 break; 808 } 809 } 810 if(buf[len] == '\n') { 811 /* return string without \n */ 812 buf[len] = 0; 813 return 1; 814 } 815 len++; 816 } 817 buf[max-1] = 0; 818 log_msg(LOG_ERR, "control line too long (%d): %s", (int)max, buf); 819 return 0; 820 } 821 822 /** skip whitespace, return new pointer into string */ 823 static char* 824 skipwhite(char* str) 825 { 826 /* EOS \0 is not a space */ 827 while( isspace((unsigned char)*str) ) 828 str++; 829 return str; 830 } 831 832 /** send the OK to the control client */ 833 static void 834 send_ok(RES* ssl) 835 { 836 (void)ssl_printf(ssl, "ok\n"); 837 } 838 839 /** get zone argument (if any) or NULL, false on error */ 840 static int 841 get_zone_arg(RES* ssl, xfrd_state_type* xfrd, char* arg, 842 struct zone_options** zo) 843 { 844 const dname_type* dname; 845 if(!arg[0]) { 846 /* no argument present, return NULL */ 847 *zo = NULL; 848 return 1; 849 } 850 dname = dname_parse(xfrd->region, arg); 851 if(!dname) { 852 (void)ssl_printf(ssl, "error cannot parse zone name '%s'\n", arg); 853 *zo = NULL; 854 return 0; 855 } 856 *zo = zone_options_find(xfrd->nsd->options, dname); 857 region_recycle(xfrd->region, (void*)dname, dname_total_size(dname)); 858 if(!*zo) { 859 (void)ssl_printf(ssl, "error zone %s not configured\n", arg); 860 return 0; 861 } 862 return 1; 863 } 864 865 /** do the stop command */ 866 static void 867 do_stop(RES* ssl, xfrd_state_type* xfrd) 868 { 869 xfrd->need_to_send_shutdown = 1; 870 871 if(!(xfrd->ipc_handler_flags&EV_WRITE)) { 872 ipc_xfrd_set_listening(xfrd, EV_PERSIST|EV_READ|EV_WRITE); 873 } 874 875 send_ok(ssl); 876 } 877 878 /** do the log_reopen command, it only needs reload_now */ 879 static void 880 do_log_reopen(RES* ssl, xfrd_state_type* xfrd) 881 { 882 xfrd_set_reload_now(xfrd); 883 send_ok(ssl); 884 } 885 886 /** do the reload command */ 887 static void 888 do_reload(RES* ssl, xfrd_state_type* xfrd, char* arg) 889 { 890 struct zone_options* zo; 891 if(!get_zone_arg(ssl, xfrd, arg, &zo)) 892 return; 893 task_new_check_zonefiles(xfrd->nsd->task[xfrd->nsd->mytask], 894 xfrd->last_task, zo?(const dname_type*)zo->node.key:NULL); 895 xfrd_set_reload_now(xfrd); 896 send_ok(ssl); 897 } 898 899 /** do the write command */ 900 static void 901 do_write(RES* ssl, xfrd_state_type* xfrd, char* arg) 902 { 903 struct zone_options* zo; 904 if(!get_zone_arg(ssl, xfrd, arg, &zo)) 905 return; 906 task_new_write_zonefiles(xfrd->nsd->task[xfrd->nsd->mytask], 907 xfrd->last_task, zo?(const dname_type*)zo->node.key:NULL); 908 xfrd_set_reload_now(xfrd); 909 send_ok(ssl); 910 } 911 912 /** do the notify command */ 913 static void 914 do_notify(RES* ssl, xfrd_state_type* xfrd, char* arg) 915 { 916 struct zone_options* zo; 917 if(!get_zone_arg(ssl, xfrd, arg, &zo)) 918 return; 919 if(zo) { 920 struct notify_zone* n = (struct notify_zone*)rbtree_search( 921 xfrd->notify_zones, (const dname_type*)zo->node.key); 922 if(n) { 923 xfrd_notify_start(n, xfrd); 924 send_ok(ssl); 925 } else { 926 (void)ssl_printf(ssl, "error zone does not have notify\n"); 927 } 928 } else { 929 struct notify_zone* n; 930 RBTREE_FOR(n, struct notify_zone*, xfrd->notify_zones) { 931 xfrd_notify_start(n, xfrd); 932 } 933 send_ok(ssl); 934 } 935 } 936 937 /** do the transfer command */ 938 static void 939 do_transfer(RES* ssl, xfrd_state_type* xfrd, char* arg) 940 { 941 struct zone_options* zo; 942 xfrd_zone_type* zone; 943 if(!get_zone_arg(ssl, xfrd, arg, &zo)) 944 return; 945 if(zo) { 946 zone = (xfrd_zone_type*)rbtree_search(xfrd->zones, (const 947 dname_type*)zo->node.key); 948 if(zone) { 949 xfrd_handle_notify_and_start_xfr(zone, NULL); 950 send_ok(ssl); 951 } else { 952 (void)ssl_printf(ssl, "error zone not slave\n"); 953 } 954 } else { 955 RBTREE_FOR(zone, xfrd_zone_type*, xfrd->zones) { 956 xfrd_handle_notify_and_start_xfr(zone, NULL); 957 } 958 (void)ssl_printf(ssl, "ok, %lu zones\n", (unsigned long)xfrd->zones->count); 959 } 960 } 961 962 /** force transfer a zone */ 963 static void 964 force_transfer_zone(xfrd_zone_type* zone) 965 { 966 /* if in TCP transaction, stop it immediately. */ 967 if(zone->tcp_conn != -1) 968 xfrd_tcp_release(xfrd->tcp_set, zone); 969 else if(zone->zone_handler.ev_fd != -1) 970 xfrd_udp_release(zone); 971 /* pretend we not longer have it and force any 972 * zone to be downloaded (even same serial, w AXFR) */ 973 zone->soa_disk_acquired = 0; 974 zone->soa_nsd_acquired = 0; 975 xfrd_handle_notify_and_start_xfr(zone, NULL); 976 } 977 978 /** do the force transfer command */ 979 static void 980 do_force_transfer(RES* ssl, xfrd_state_type* xfrd, char* arg) 981 { 982 struct zone_options* zo; 983 xfrd_zone_type* zone; 984 if(!get_zone_arg(ssl, xfrd, arg, &zo)) 985 return; 986 if(zo) { 987 zone = (xfrd_zone_type*)rbtree_search(xfrd->zones, (const 988 dname_type*)zo->node.key); 989 if(zone) { 990 force_transfer_zone(zone); 991 send_ok(ssl); 992 } else { 993 (void)ssl_printf(ssl, "error zone not slave\n"); 994 } 995 } else { 996 RBTREE_FOR(zone, xfrd_zone_type*, xfrd->zones) { 997 force_transfer_zone(zone); 998 } 999 (void)ssl_printf(ssl, "ok, %lu zones\n", (unsigned long)xfrd->zones->count); 1000 } 1001 } 1002 1003 static int 1004 print_soa_status(RES* ssl, const char* str, xfrd_soa_type* soa, time_t acq) 1005 { 1006 if(acq) { 1007 if(!ssl_printf(ssl, " %s: \"%u since %s\"\n", str, 1008 (unsigned)ntohl(soa->serial), xfrd_pretty_time(acq))) 1009 return 0; 1010 } else { 1011 if(!ssl_printf(ssl, " %s: none\n", str)) 1012 return 0; 1013 } 1014 return 1; 1015 } 1016 1017 /** print zonestatus for one domain */ 1018 static int 1019 print_zonestatus(RES* ssl, xfrd_state_type* xfrd, struct zone_options* zo) 1020 { 1021 xfrd_zone_type* xz = (xfrd_zone_type*)rbtree_search(xfrd->zones, 1022 (const dname_type*)zo->node.key); 1023 struct notify_zone* nz = (struct notify_zone*)rbtree_search( 1024 xfrd->notify_zones, (const dname_type*)zo->node.key); 1025 if(!ssl_printf(ssl, "zone: %s\n", zo->name)) 1026 return 0; 1027 if(!zo->part_of_config) { 1028 if(!ssl_printf(ssl, " pattern: %s\n", zo->pattern->pname)) 1029 return 0; 1030 } 1031 if(nz) { 1032 if(nz->is_waiting) { 1033 if(!ssl_printf(ssl, " notify: \"waiting-for-fd\"\n")) 1034 return 0; 1035 } else if(nz->notify_send_enable || nz->notify_send6_enable) { 1036 int i; 1037 if(!ssl_printf(ssl, " notify: \"send")) 1038 return 0; 1039 for(i=0; i<NOTIFY_CONCURRENT_MAX; i++) { 1040 if(!nz->pkts[i].dest) continue; 1041 if(!ssl_printf(ssl, " %s", 1042 nz->pkts[i].dest->ip_address_spec)) 1043 return 0; 1044 } 1045 if(!ssl_printf(ssl, " with serial %u\"\n", 1046 (unsigned)ntohl(nz->current_soa->serial))) 1047 return 0; 1048 } 1049 } 1050 if(!xz) { 1051 if(!ssl_printf(ssl, " state: master\n")) 1052 return 0; 1053 return 1; 1054 } 1055 if(!ssl_printf(ssl, " state: %s\n", 1056 (xz->state == xfrd_zone_ok)?"ok":( 1057 (xz->state == xfrd_zone_expired)?"expired":"refreshing"))) 1058 return 0; 1059 if(!print_soa_status(ssl, "served-serial", &xz->soa_nsd, 1060 xz->soa_nsd_acquired)) 1061 return 0; 1062 if(!print_soa_status(ssl, "commit-serial", &xz->soa_disk, 1063 xz->soa_disk_acquired)) 1064 return 0; 1065 if(xz->round_num != -1) { 1066 if(!print_soa_status(ssl, "notified-serial", &xz->soa_notified, 1067 xz->soa_notified_acquired)) 1068 return 0; 1069 } else if(xz->event_added) { 1070 if(!ssl_printf(ssl, "\twait: \"%lu sec between attempts\"\n", 1071 (unsigned long)xz->timeout.tv_sec)) 1072 return 0; 1073 } 1074 1075 /* UDP */ 1076 if(xz->udp_waiting) { 1077 if(!ssl_printf(ssl, " transfer: \"waiting-for-UDP-fd\"\n")) 1078 return 0; 1079 } else if(xz->zone_handler.ev_fd != -1 && xz->tcp_conn == -1) { 1080 if(!ssl_printf(ssl, " transfer: \"sent UDP to %s\"\n", 1081 xz->master->ip_address_spec)) 1082 return 0; 1083 } 1084 1085 /* TCP */ 1086 if(xz->tcp_waiting) { 1087 if(!ssl_printf(ssl, " transfer: \"waiting-for-TCP-fd\"\n")) 1088 return 0; 1089 } else if(xz->tcp_conn != -1) { 1090 if(!ssl_printf(ssl, " transfer: \"TCP connected to %s\"\n", 1091 xz->master->ip_address_spec)) 1092 return 0; 1093 } 1094 1095 return 1; 1096 } 1097 1098 /** do the zonestatus command */ 1099 static void 1100 do_zonestatus(RES* ssl, xfrd_state_type* xfrd, char* arg) 1101 { 1102 struct zone_options* zo; 1103 if(!get_zone_arg(ssl, xfrd, arg, &zo)) 1104 return; 1105 if(zo) (void)print_zonestatus(ssl, xfrd, zo); 1106 else { 1107 RBTREE_FOR(zo, struct zone_options*, 1108 xfrd->nsd->options->zone_options) { 1109 if(!print_zonestatus(ssl, xfrd, zo)) 1110 return; 1111 } 1112 } 1113 } 1114 1115 /** do the verbosity command */ 1116 static void 1117 do_verbosity(RES* ssl, char* str) 1118 { 1119 int val = atoi(str); 1120 if(strcmp(str, "") == 0) { 1121 (void)ssl_printf(ssl, "verbosity %d\n", verbosity); 1122 return; 1123 } 1124 if(val == 0 && strcmp(str, "0") != 0) { 1125 (void)ssl_printf(ssl, "error in verbosity number syntax: %s\n", str); 1126 return; 1127 } 1128 verbosity = val; 1129 task_new_set_verbosity(xfrd->nsd->task[xfrd->nsd->mytask], 1130 xfrd->last_task, val); 1131 xfrd_set_reload_now(xfrd); 1132 send_ok(ssl); 1133 } 1134 1135 /** find second argument, modifies string */ 1136 static int 1137 find_arg2(RES* ssl, char* arg, char** arg2) 1138 { 1139 char* as = strrchr(arg, ' '); 1140 if(as) { 1141 as[0]=0; 1142 *arg2 = as+1; 1143 while(isspace((unsigned char)*as) && as > arg) 1144 as--; 1145 as[0]=0; 1146 return 1; 1147 } 1148 *arg2 = NULL; 1149 (void)ssl_printf(ssl, "error could not find next argument " 1150 "after %s\n", arg); 1151 return 0; 1152 } 1153 1154 /** find second and third arguments, modifies string, 1155 * does not print error for missing arg3 so that if it does not find an 1156 * arg3, the caller can use two arguments. */ 1157 static int 1158 find_arg3(RES* ssl, char* arg, char** arg2, char** arg3) 1159 { 1160 if(find_arg2(ssl, arg, arg2)) { 1161 char* as; 1162 *arg3 = *arg2; 1163 as = strrchr(arg, ' '); 1164 if(as) { 1165 as[0]=0; 1166 *arg2 = as+1; 1167 while(isspace((unsigned char)*as) && as > arg) 1168 as--; 1169 as[0]=0; 1170 return 1; 1171 } 1172 } 1173 *arg3 = NULL; 1174 return 0; 1175 } 1176 1177 /** do the status command */ 1178 static void 1179 do_status(RES* ssl, xfrd_state_type* xfrd) 1180 { 1181 if(!ssl_printf(ssl, "version: %s\n", PACKAGE_VERSION)) 1182 return; 1183 if(!ssl_printf(ssl, "verbosity: %d\n", verbosity)) 1184 return; 1185 #ifdef RATELIMIT 1186 if(!ssl_printf(ssl, "ratelimit: %d\n", 1187 (int)xfrd->nsd->options->rrl_ratelimit)) 1188 return; 1189 #else 1190 (void)xfrd; 1191 #endif 1192 } 1193 1194 /** do the stats command */ 1195 static void 1196 do_stats(struct daemon_remote* rc, int peek, struct rc_state* rs) 1197 { 1198 #ifdef BIND8_STATS 1199 /* queue up to get stats after a reload is done (to gather statistics 1200 * from the servers) */ 1201 assert(!rs->in_stats_list); 1202 if(peek) rs->in_stats_list = 2; 1203 else rs->in_stats_list = 1; 1204 rs->stats_next = rc->stats_list; 1205 rc->stats_list = rs; 1206 /* block the tcp waiting for the reload */ 1207 event_del(&rs->c); 1208 rs->event_added = 0; 1209 /* force a reload */ 1210 xfrd_set_reload_now(xfrd); 1211 #else 1212 (void)rc; (void)peek; 1213 (void)ssl_printf(rs->ssl, "error no stats enabled at compile time\n"); 1214 #endif /* BIND8_STATS */ 1215 } 1216 1217 /** see if we have more zonestatistics entries and it has to be incremented */ 1218 static void 1219 zonestat_inc_ifneeded(xfrd_state_type* xfrd) 1220 { 1221 #ifdef USE_ZONE_STATS 1222 if(xfrd->nsd->options->zonestatnames->count != xfrd->zonestat_safe) 1223 task_new_zonestat_inc(xfrd->nsd->task[xfrd->nsd->mytask], 1224 xfrd->last_task, 1225 xfrd->nsd->options->zonestatnames->count); 1226 #else 1227 (void)xfrd; 1228 #endif /* USE_ZONE_STATS */ 1229 } 1230 1231 /** perform the changezone command for one zone */ 1232 static int 1233 perform_changezone(RES* ssl, xfrd_state_type* xfrd, char* arg) 1234 { 1235 const dname_type* dname; 1236 struct zone_options* zopt; 1237 char* arg2 = NULL; 1238 if(!find_arg2(ssl, arg, &arg2)) 1239 return 0; 1240 1241 /* if we add it to the xfrd now, then xfrd could download AXFR and 1242 * store it and the NSD-reload would see it in the difffile before 1243 * it sees the add-config task. 1244 */ 1245 /* thus: AXFRs and IXFRs must store the pattern name in the 1246 * difffile, so that it can be added when the AXFR or IXFR is seen. 1247 */ 1248 1249 /* check that the pattern exists */ 1250 if(!rbtree_search(xfrd->nsd->options->patterns, arg2)) { 1251 (void)ssl_printf(ssl, "error pattern %s does not exist\n", 1252 arg2); 1253 return 0; 1254 } 1255 1256 dname = dname_parse(xfrd->region, arg); 1257 if(!dname) { 1258 (void)ssl_printf(ssl, "error cannot parse zone name\n"); 1259 return 0; 1260 } 1261 1262 /* see if zone is a duplicate */ 1263 if( (zopt=zone_options_find(xfrd->nsd->options, dname)) ) { 1264 if(zopt->part_of_config) { 1265 (void)ssl_printf(ssl, "error zone defined in nsd.conf, " 1266 "cannot delete it in this manner: remove it from " 1267 "nsd.conf yourself and repattern\n"); 1268 region_recycle(xfrd->region, (void*)dname, dname_total_size(dname)); 1269 dname = NULL; 1270 return 0; 1271 } 1272 /* found the zone, now delete it */ 1273 /* create deletion task */ 1274 /* this deletion task is processed before the addition task, 1275 * that is created below, in the same reload process, causing 1276 * a seamless change from one to the other, with no downtime 1277 * for the zone. */ 1278 task_new_del_zone(xfrd->nsd->task[xfrd->nsd->mytask], 1279 xfrd->last_task, dname); 1280 xfrd_set_reload_now(xfrd); 1281 /* delete it in xfrd */ 1282 if(zone_is_slave(zopt)) { 1283 xfrd_del_slave_zone(xfrd, dname); 1284 } 1285 xfrd_del_notify(xfrd, dname); 1286 /* delete from config */ 1287 zone_list_del(xfrd->nsd->options, zopt); 1288 } else { 1289 (void)ssl_printf(ssl, "zone %s did not exist, creating", arg); 1290 } 1291 region_recycle(xfrd->region, (void*)dname, dname_total_size(dname)); 1292 dname = NULL; 1293 1294 /* add to zonelist and adds to config in memory */ 1295 zopt = zone_list_add(xfrd->nsd->options, arg, arg2); 1296 if(!zopt) { 1297 /* also dname parse error here */ 1298 (void)ssl_printf(ssl, "error could not add zonelist entry\n"); 1299 return 0; 1300 } 1301 /* make addzone task and schedule reload */ 1302 task_new_add_zone(xfrd->nsd->task[xfrd->nsd->mytask], 1303 xfrd->last_task, arg, arg2, 1304 getzonestatid(xfrd->nsd->options, zopt)); 1305 zonestat_inc_ifneeded(xfrd); 1306 xfrd_set_reload_now(xfrd); 1307 /* add to xfrd - notify (for master and slaves) */ 1308 init_notify_send(xfrd->notify_zones, xfrd->region, zopt); 1309 /* add to xfrd - slave */ 1310 if(zone_is_slave(zopt)) { 1311 xfrd_init_slave_zone(xfrd, zopt); 1312 } 1313 return 1; 1314 } 1315 1316 /** perform the addzone command for one zone */ 1317 static int 1318 perform_addzone(RES* ssl, xfrd_state_type* xfrd, char* arg) 1319 { 1320 const dname_type* dname; 1321 struct zone_options* zopt; 1322 char* arg2 = NULL; 1323 if(!find_arg2(ssl, arg, &arg2)) 1324 return 0; 1325 1326 /* if we add it to the xfrd now, then xfrd could download AXFR and 1327 * store it and the NSD-reload would see it in the difffile before 1328 * it sees the add-config task. 1329 */ 1330 /* thus: AXFRs and IXFRs must store the pattern name in the 1331 * difffile, so that it can be added when the AXFR or IXFR is seen. 1332 */ 1333 1334 /* check that the pattern exists */ 1335 if(!rbtree_search(xfrd->nsd->options->patterns, arg2)) { 1336 (void)ssl_printf(ssl, "error pattern %s does not exist\n", 1337 arg2); 1338 return 0; 1339 } 1340 1341 dname = dname_parse(xfrd->region, arg); 1342 if(!dname) { 1343 (void)ssl_printf(ssl, "error cannot parse zone name\n"); 1344 return 0; 1345 } 1346 1347 /* see if zone is a duplicate */ 1348 if( zone_options_find(xfrd->nsd->options, dname) ) { 1349 region_recycle(xfrd->region, (void*)dname, 1350 dname_total_size(dname)); 1351 (void)ssl_printf(ssl, "zone %s already exists\n", arg); 1352 return 1; 1353 } 1354 region_recycle(xfrd->region, (void*)dname, dname_total_size(dname)); 1355 dname = NULL; 1356 1357 /* add to zonelist and adds to config in memory */ 1358 zopt = zone_list_add(xfrd->nsd->options, arg, arg2); 1359 if(!zopt) { 1360 /* also dname parse error here */ 1361 (void)ssl_printf(ssl, "error could not add zonelist entry\n"); 1362 return 0; 1363 } 1364 /* make addzone task and schedule reload */ 1365 task_new_add_zone(xfrd->nsd->task[xfrd->nsd->mytask], 1366 xfrd->last_task, arg, arg2, 1367 getzonestatid(xfrd->nsd->options, zopt)); 1368 zonestat_inc_ifneeded(xfrd); 1369 xfrd_set_reload_now(xfrd); 1370 /* add to xfrd - notify (for master and slaves) */ 1371 init_notify_send(xfrd->notify_zones, xfrd->region, zopt); 1372 /* add to xfrd - slave */ 1373 if(zone_is_slave(zopt)) { 1374 xfrd_init_slave_zone(xfrd, zopt); 1375 } 1376 return 1; 1377 } 1378 1379 /** perform the delzone command for one zone */ 1380 static int 1381 perform_delzone(RES* ssl, xfrd_state_type* xfrd, char* arg) 1382 { 1383 const dname_type* dname; 1384 struct zone_options* zopt; 1385 1386 dname = dname_parse(xfrd->region, arg); 1387 if(!dname) { 1388 (void)ssl_printf(ssl, "error cannot parse zone name\n"); 1389 return 0; 1390 } 1391 1392 /* see if we have the zone in question */ 1393 zopt = zone_options_find(xfrd->nsd->options, dname); 1394 if(!zopt) { 1395 region_recycle(xfrd->region, (void*)dname, 1396 dname_total_size(dname)); 1397 /* nothing to do */ 1398 (void)ssl_printf(ssl, "warning zone %s not present\n", arg); 1399 return 0; 1400 } 1401 1402 /* see if it can be deleted */ 1403 if(zopt->part_of_config) { 1404 region_recycle(xfrd->region, (void*)dname, 1405 dname_total_size(dname)); 1406 (void)ssl_printf(ssl, "error zone defined in nsd.conf, " 1407 "cannot delete it in this manner: remove it from " 1408 "nsd.conf yourself and repattern\n"); 1409 return 0; 1410 } 1411 1412 /* create deletion task */ 1413 task_new_del_zone(xfrd->nsd->task[xfrd->nsd->mytask], 1414 xfrd->last_task, dname); 1415 xfrd_set_reload_now(xfrd); 1416 /* delete it in xfrd */ 1417 if(zone_is_slave(zopt)) { 1418 xfrd_del_slave_zone(xfrd, dname); 1419 } 1420 xfrd_del_notify(xfrd, dname); 1421 /* delete from config */ 1422 zone_list_del(xfrd->nsd->options, zopt); 1423 1424 region_recycle(xfrd->region, (void*)dname, dname_total_size(dname)); 1425 return 1; 1426 } 1427 1428 /** do the addzone command */ 1429 static void 1430 do_addzone(RES* ssl, xfrd_state_type* xfrd, char* arg) 1431 { 1432 if(!perform_addzone(ssl, xfrd, arg)) 1433 return; 1434 send_ok(ssl); 1435 } 1436 1437 /** do the delzone command */ 1438 static void 1439 do_delzone(RES* ssl, xfrd_state_type* xfrd, char* arg) 1440 { 1441 if(!perform_delzone(ssl, xfrd, arg)) 1442 return; 1443 send_ok(ssl); 1444 } 1445 1446 /** do the changezone command */ 1447 static void 1448 do_changezone(RES* ssl, xfrd_state_type* xfrd, char* arg) 1449 { 1450 if(!perform_changezone(ssl, xfrd, arg)) 1451 return; 1452 send_ok(ssl); 1453 } 1454 1455 /** do the addzones command */ 1456 static void 1457 do_addzones(RES* ssl, xfrd_state_type* xfrd) 1458 { 1459 char buf[2048]; 1460 int num = 0; 1461 while(ssl_read_line(ssl, buf, sizeof(buf))) { 1462 if(buf[0] == 0x04 && buf[1] == 0) 1463 break; /* end of transmission */ 1464 if(!perform_addzone(ssl, xfrd, buf)) { 1465 if(!ssl_printf(ssl, "error for input line '%s'\n", 1466 buf)) 1467 return; 1468 } else { 1469 if(!ssl_printf(ssl, "added: %s\n", buf)) 1470 return; 1471 num++; 1472 } 1473 } 1474 (void)ssl_printf(ssl, "added %d zones\n", num); 1475 } 1476 1477 /** do the delzones command */ 1478 static void 1479 do_delzones(RES* ssl, xfrd_state_type* xfrd) 1480 { 1481 char buf[2048]; 1482 int num = 0; 1483 while(ssl_read_line(ssl, buf, sizeof(buf))) { 1484 if(buf[0] == 0x04 && buf[1] == 0) 1485 break; /* end of transmission */ 1486 if(!perform_delzone(ssl, xfrd, buf)) { 1487 if(!ssl_printf(ssl, "error for input line '%s'\n", 1488 buf)) 1489 return; 1490 } else { 1491 if(!ssl_printf(ssl, "removed: %s\n", buf)) 1492 return; 1493 num++; 1494 } 1495 } 1496 (void)ssl_printf(ssl, "deleted %d zones\n", num); 1497 } 1498 1499 1500 /** remove TSIG key from config and add task so that reload does too */ 1501 static void remove_key(xfrd_state_type* xfrd, const char* kname) 1502 { 1503 /* add task before deletion because the name string could be deleted */ 1504 task_new_del_key(xfrd->nsd->task[xfrd->nsd->mytask], xfrd->last_task, 1505 kname); 1506 key_options_remove(xfrd->nsd->options, kname); 1507 xfrd_set_reload_now(xfrd); /* this is executed when the current control 1508 command ends, thus the entire config changes are bunched up */ 1509 } 1510 1511 /** add TSIG key to config and add task so that reload does too */ 1512 static void add_key(xfrd_state_type* xfrd, struct key_options* k) 1513 { 1514 key_options_add_modify(xfrd->nsd->options, k); 1515 task_new_add_key(xfrd->nsd->task[xfrd->nsd->mytask], xfrd->last_task, 1516 k); 1517 xfrd_set_reload_now(xfrd); 1518 } 1519 1520 /** check if keys have changed */ 1521 static void repat_keys(xfrd_state_type* xfrd, struct nsd_options* newopt) 1522 { 1523 struct nsd_options* oldopt = xfrd->nsd->options; 1524 struct key_options* k; 1525 /* find deleted keys */ 1526 k = (struct key_options*)rbtree_first(oldopt->keys); 1527 while((rbnode_type*)k != RBTREE_NULL) { 1528 struct key_options* next = (struct key_options*)rbtree_next( 1529 (rbnode_type*)k); 1530 if(!key_options_find(newopt, k->name)) 1531 remove_key(xfrd, k->name); 1532 k = next; 1533 } 1534 /* find added or changed keys */ 1535 RBTREE_FOR(k, struct key_options*, newopt->keys) { 1536 struct key_options* origk = key_options_find(oldopt, k->name); 1537 if(!origk) 1538 add_key(xfrd, k); 1539 else if(!key_options_equal(k, origk)) 1540 add_key(xfrd, k); 1541 } 1542 } 1543 1544 /** find zone given the implicit pattern */ 1545 static const dname_type* 1546 parse_implicit_name(xfrd_state_type* xfrd,const char* pname) 1547 { 1548 if(strncmp(pname, PATTERN_IMPLICIT_MARKER, 1549 strlen(PATTERN_IMPLICIT_MARKER)) != 0) 1550 return NULL; 1551 return dname_parse(xfrd->region, pname + 1552 strlen(PATTERN_IMPLICIT_MARKER)); 1553 } 1554 1555 /** remove cfgzone and add task so that reload does too */ 1556 static void 1557 remove_cfgzone(xfrd_state_type* xfrd, const char* pname) 1558 { 1559 /* dname and find the zone for the implicit pattern */ 1560 struct zone_options* zopt = NULL; 1561 const dname_type* dname = parse_implicit_name(xfrd, pname); 1562 if(!dname) { 1563 /* should have a parseable name, but it did not */ 1564 return; 1565 } 1566 1567 /* find the zone entry for the implicit pattern */ 1568 zopt = zone_options_find(xfrd->nsd->options, dname); 1569 if(!zopt) { 1570 /* this should not happen; implicit pattern has zone entry */ 1571 region_recycle(xfrd->region, (void*)dname, 1572 dname_total_size(dname)); 1573 return; 1574 } 1575 1576 /* create deletion task */ 1577 task_new_del_zone(xfrd->nsd->task[xfrd->nsd->mytask], 1578 xfrd->last_task, dname); 1579 xfrd_set_reload_now(xfrd); 1580 /* delete it in xfrd */ 1581 if(zone_is_slave(zopt)) { 1582 xfrd_del_slave_zone(xfrd, dname); 1583 } 1584 xfrd_del_notify(xfrd, dname); 1585 1586 /* delete from zoneoptions */ 1587 zone_options_delete(xfrd->nsd->options, zopt); 1588 1589 /* recycle parsed dname */ 1590 region_recycle(xfrd->region, (void*)dname, dname_total_size(dname)); 1591 } 1592 1593 /** add cfgzone and add task so that reload does too */ 1594 static void 1595 add_cfgzone(xfrd_state_type* xfrd, const char* pname) 1596 { 1597 /* add to our zonelist */ 1598 struct zone_options* zopt = zone_options_create( 1599 xfrd->nsd->options->region); 1600 if(!zopt) 1601 return; 1602 zopt->part_of_config = 1; 1603 zopt->name = region_strdup(xfrd->nsd->options->region, 1604 pname + strlen(PATTERN_IMPLICIT_MARKER)); 1605 zopt->pattern = pattern_options_find(xfrd->nsd->options, pname); 1606 if(!zopt->name || !zopt->pattern) 1607 return; 1608 if(!nsd_options_insert_zone(xfrd->nsd->options, zopt)) { 1609 log_msg(LOG_ERR, "bad domain name or duplicate zone '%s' " 1610 "pattern %s", zopt->name, pname); 1611 } 1612 1613 /* make addzone task and schedule reload */ 1614 task_new_add_zone(xfrd->nsd->task[xfrd->nsd->mytask], 1615 xfrd->last_task, zopt->name, pname, 1616 getzonestatid(xfrd->nsd->options, zopt)); 1617 /* zonestat_inc is done after the entire config file has been done */ 1618 xfrd_set_reload_now(xfrd); 1619 /* add to xfrd - notify (for master and slaves) */ 1620 init_notify_send(xfrd->notify_zones, xfrd->region, zopt); 1621 /* add to xfrd - slave */ 1622 if(zone_is_slave(zopt)) { 1623 xfrd_init_slave_zone(xfrd, zopt); 1624 } 1625 } 1626 1627 /** remove pattern and add task so that reload does too */ 1628 static void 1629 remove_pat(xfrd_state_type* xfrd, const char* name) 1630 { 1631 /* add task before deletion, because name-string could be deleted */ 1632 task_new_del_pattern(xfrd->nsd->task[xfrd->nsd->mytask], 1633 xfrd->last_task, name); 1634 pattern_options_remove(xfrd->nsd->options, name); 1635 xfrd_set_reload_now(xfrd); 1636 } 1637 1638 /** add pattern and add task so that reload does too */ 1639 static void 1640 add_pat(xfrd_state_type* xfrd, struct pattern_options* p) 1641 { 1642 pattern_options_add_modify(xfrd->nsd->options, p); 1643 task_new_add_pattern(xfrd->nsd->task[xfrd->nsd->mytask], 1644 xfrd->last_task, p); 1645 xfrd_set_reload_now(xfrd); 1646 } 1647 1648 /** interrupt zones that are using changed or removed patterns */ 1649 static void 1650 repat_interrupt_zones(xfrd_state_type* xfrd, struct nsd_options* newopt) 1651 { 1652 /* if masterlist changed: 1653 * interrupt slave zone (UDP or TCP) transfers. 1654 * slave zones reset master to start of list. 1655 */ 1656 xfrd_zone_type* xz; 1657 struct notify_zone* nz; 1658 RBTREE_FOR(xz, xfrd_zone_type*, xfrd->zones) { 1659 struct pattern_options* oldp = xz->zone_options->pattern; 1660 struct pattern_options* newp = pattern_options_find(newopt, 1661 oldp->pname); 1662 if(!newp || !acl_list_equal(oldp->request_xfr, 1663 newp->request_xfr)) { 1664 /* interrupt transfer */ 1665 if(xz->tcp_conn != -1) { 1666 xfrd_tcp_release(xfrd->tcp_set, xz); 1667 xfrd_set_refresh_now(xz); 1668 } else if(xz->zone_handler.ev_fd != -1) { 1669 xfrd_udp_release(xz); 1670 xfrd_set_refresh_now(xz); 1671 } 1672 xz->master = 0; 1673 xz->master_num = 0; 1674 xz->next_master = -1; 1675 xz->round_num = -1; /* fresh set of retries */ 1676 } 1677 } 1678 /* if notify list changed: 1679 * interrupt notify that is busy. 1680 * reset notify to start of list. (clear all other reset_notify) 1681 */ 1682 RBTREE_FOR(nz, struct notify_zone*, xfrd->notify_zones) { 1683 struct pattern_options* oldp = nz->options->pattern; 1684 struct pattern_options* newp = pattern_options_find(newopt, 1685 oldp->pname); 1686 if(!newp || !acl_list_equal(oldp->notify, newp->notify)) { 1687 /* interrupt notify */ 1688 if(nz->notify_send_enable) { 1689 notify_disable(nz); 1690 /* set to restart the notify after the 1691 * pattern has been changed. */ 1692 nz->notify_restart = 2; 1693 } else { 1694 nz->notify_restart = 1; 1695 } 1696 } else { 1697 nz->notify_restart = 0; 1698 } 1699 } 1700 } 1701 1702 /** for notify, after the pattern changes, restart the affected notifies */ 1703 static void 1704 repat_interrupt_notify_start(xfrd_state_type* xfrd) 1705 { 1706 struct notify_zone* nz; 1707 RBTREE_FOR(nz, struct notify_zone*, xfrd->notify_zones) { 1708 if(nz->notify_restart) { 1709 if(nz->notify_current) 1710 nz->notify_current = nz->options->pattern->notify; 1711 if(nz->notify_restart == 2) { 1712 if(nz->notify_restart) 1713 xfrd_notify_start(nz, xfrd); 1714 } 1715 } 1716 } 1717 } 1718 1719 /** check if patterns have changed */ 1720 static void 1721 repat_patterns(xfrd_state_type* xfrd, struct nsd_options* newopt) 1722 { 1723 /* zones that use changed patterns must have: 1724 * - their AXFR/IXFR interrupted: try again, acl may have changed. 1725 * if the old master/key still exists, OK, fix master-numptrs and 1726 * keep going. Otherwise, stop xfer and reset TSIG. 1727 * - send NOTIFY reset to start of NOTIFY list (and TSIG reset). 1728 */ 1729 struct nsd_options* oldopt = xfrd->nsd->options; 1730 struct pattern_options* p; 1731 int search_zones = 0; 1732 1733 repat_interrupt_zones(xfrd, newopt); 1734 /* find deleted patterns */ 1735 p = (struct pattern_options*)rbtree_first(oldopt->patterns); 1736 while((rbnode_type*)p != RBTREE_NULL) { 1737 struct pattern_options* next = (struct pattern_options*) 1738 rbtree_next((rbnode_type*)p); 1739 if(!pattern_options_find(newopt, p->pname)) { 1740 if(p->implicit) { 1741 /* first remove its zone */ 1742 VERBOSITY(1, (LOG_INFO, "zone removed from config: %s", p->pname + strlen(PATTERN_IMPLICIT_MARKER))); 1743 remove_cfgzone(xfrd, p->pname); 1744 } 1745 remove_pat(xfrd, p->pname); 1746 } 1747 p = next; 1748 } 1749 /* find added or changed patterns */ 1750 RBTREE_FOR(p, struct pattern_options*, newopt->patterns) { 1751 struct pattern_options* origp = pattern_options_find(oldopt, 1752 p->pname); 1753 if(!origp) { 1754 /* no zones can use it, no zone_interrupt needed */ 1755 add_pat(xfrd, p); 1756 if(p->implicit) { 1757 VERBOSITY(1, (LOG_INFO, "zone added to config: %s", p->pname + strlen(PATTERN_IMPLICIT_MARKER))); 1758 add_cfgzone(xfrd, p->pname); 1759 } 1760 } else if(!pattern_options_equal(p, origp)) { 1761 uint8_t newstate = 0; 1762 if (p->request_xfr && !origp->request_xfr) { 1763 newstate = REPAT_SLAVE; 1764 } else if (!p->request_xfr && origp->request_xfr) { 1765 newstate = REPAT_MASTER; 1766 } 1767 add_pat(xfrd, p); 1768 if (p->implicit && newstate) { 1769 const dname_type* dname = 1770 parse_implicit_name(xfrd, p->pname); 1771 if (dname) { 1772 if (newstate == REPAT_SLAVE) { 1773 struct zone_options* zopt = 1774 zone_options_find( 1775 oldopt, dname); 1776 if (zopt) { 1777 xfrd_init_slave_zone( 1778 xfrd, zopt); 1779 } 1780 } else if (newstate == REPAT_MASTER) { 1781 xfrd_del_slave_zone(xfrd, 1782 dname); 1783 } 1784 region_recycle(xfrd->region, 1785 (void*)dname, 1786 dname_total_size(dname)); 1787 } 1788 } else if(!p->implicit && newstate) { 1789 /* search all zones with this pattern */ 1790 search_zones = 1; 1791 origp->xfrd_flags = newstate; 1792 } 1793 } 1794 } 1795 if (search_zones) { 1796 struct zone_options* zone_opt; 1797 /* search in oldopt because 1) it contains zonelist zones, 1798 * and 2) you need oldopt(existing) to call xfrd_init */ 1799 RBTREE_FOR(zone_opt, struct zone_options*, oldopt->zone_options) { 1800 struct pattern_options* oldp = zone_opt->pattern; 1801 if (!oldp->implicit) { 1802 if (oldp->xfrd_flags == REPAT_SLAVE) { 1803 /* xfrd needs stable reference so get 1804 * it from the oldopt(modified) tree */ 1805 xfrd_init_slave_zone(xfrd, zone_opt); 1806 } else if (oldp->xfrd_flags == REPAT_MASTER) { 1807 xfrd_del_slave_zone(xfrd, 1808 (const dname_type*) 1809 zone_opt->node.key); 1810 } 1811 oldp->xfrd_flags = 0; 1812 } 1813 } 1814 } 1815 repat_interrupt_notify_start(xfrd); 1816 } 1817 1818 /** true if options are different that can be set via repat. */ 1819 static int 1820 repat_options_changed(xfrd_state_type* xfrd, struct nsd_options* newopt) 1821 { 1822 #ifdef RATELIMIT 1823 if(xfrd->nsd->options->rrl_ratelimit != newopt->rrl_ratelimit) 1824 return 1; 1825 if(xfrd->nsd->options->rrl_whitelist_ratelimit != newopt->rrl_whitelist_ratelimit) 1826 return 1; 1827 if(xfrd->nsd->options->rrl_slip != newopt->rrl_slip) 1828 return 1; 1829 #else 1830 (void)xfrd; (void)newopt; 1831 #endif 1832 return 0; 1833 } 1834 1835 /** check if global options have changed */ 1836 static void 1837 repat_options(xfrd_state_type* xfrd, struct nsd_options* newopt) 1838 { 1839 if(repat_options_changed(xfrd, newopt)) { 1840 /* update our options */ 1841 #ifdef RATELIMIT 1842 xfrd->nsd->options->rrl_ratelimit = newopt->rrl_ratelimit; 1843 xfrd->nsd->options->rrl_whitelist_ratelimit = newopt->rrl_whitelist_ratelimit; 1844 xfrd->nsd->options->rrl_slip = newopt->rrl_slip; 1845 #endif 1846 task_new_opt_change(xfrd->nsd->task[xfrd->nsd->mytask], 1847 xfrd->last_task, newopt); 1848 xfrd_set_reload_now(xfrd); 1849 } 1850 } 1851 1852 /** print errors over ssl, gets pointer-to-pointer to ssl, so it can set 1853 * the pointer to NULL on failure and stop printing */ 1854 static void 1855 print_ssl_cfg_err(void* arg, const char* str) 1856 { 1857 RES** ssl = (RES**)arg; 1858 if(!*ssl) return; 1859 if(!ssl_printf(*ssl, "%s", str)) 1860 *ssl = NULL; /* failed, stop printing */ 1861 } 1862 1863 /** do the repattern command: reread config file and apply keys, patterns */ 1864 static void 1865 do_repattern(RES* ssl, xfrd_state_type* xfrd) 1866 { 1867 region_type* region = region_create(xalloc, free); 1868 struct nsd_options* opt; 1869 const char* cfgfile = xfrd->nsd->options->configfile; 1870 1871 /* check chroot and configfile, if possible to reread */ 1872 if(xfrd->nsd->chrootdir) { 1873 size_t l = strlen(xfrd->nsd->chrootdir); 1874 while(l>0 && xfrd->nsd->chrootdir[l-1] == '/') 1875 --l; 1876 if(strncmp(xfrd->nsd->chrootdir, cfgfile, l) != 0) { 1877 (void)ssl_printf(ssl, "error %s is not relative to %s: " 1878 "chroot prevents reread of config\n", 1879 cfgfile, xfrd->nsd->chrootdir); 1880 region_destroy(region); 1881 return; 1882 } 1883 cfgfile += l; 1884 } 1885 1886 (void)ssl_printf(ssl, "reconfig start, read %s\n", cfgfile); 1887 opt = nsd_options_create(region); 1888 if(!parse_options_file(opt, cfgfile, &print_ssl_cfg_err, &ssl)) { 1889 /* error already printed */ 1890 region_destroy(region); 1891 return; 1892 } 1893 /* check for differences in TSIG keys and patterns, and apply, 1894 * first the keys, so that pattern->keyptr can be set right. */ 1895 repat_keys(xfrd, opt); 1896 repat_patterns(xfrd, opt); 1897 repat_options(xfrd, opt); 1898 zonestat_inc_ifneeded(xfrd); 1899 send_ok(ssl); 1900 region_destroy(region); 1901 } 1902 1903 /** do the serverpid command: printout pid of server process */ 1904 static void 1905 do_serverpid(RES* ssl, xfrd_state_type* xfrd) 1906 { 1907 (void)ssl_printf(ssl, "%u\n", (unsigned)xfrd->reload_pid); 1908 } 1909 1910 /** do the print_tsig command: printout tsig info */ 1911 static void 1912 do_print_tsig(RES* ssl, xfrd_state_type* xfrd, char* arg) 1913 { 1914 if(*arg == '\0') { 1915 struct key_options* key; 1916 RBTREE_FOR(key, struct key_options*, xfrd->nsd->options->keys) { 1917 if(!ssl_printf(ssl, "key: name: \"%s\" secret: \"%s\" algorithm: %s\n", key->name, key->secret, key->algorithm)) 1918 return; 1919 } 1920 return; 1921 } else { 1922 struct key_options* key_opts = key_options_find(xfrd->nsd->options, arg); 1923 if(!key_opts) { 1924 (void)ssl_printf(ssl, "error: no such key with name: %s\n", arg); 1925 return; 1926 } else { 1927 (void)ssl_printf(ssl, "key: name: \"%s\" secret: \"%s\" algorithm: %s\n", arg, key_opts->secret, key_opts->algorithm); 1928 } 1929 } 1930 } 1931 1932 /** do the update_tsig command: change existing tsig to new secret */ 1933 static void 1934 do_update_tsig(RES* ssl, xfrd_state_type* xfrd, char* arg) 1935 { 1936 struct region* region = xfrd->nsd->options->region; 1937 char* arg2 = NULL; 1938 uint8_t data[65536]; /* 64K */ 1939 struct key_options* key_opt; 1940 1941 if(*arg == '\0') { 1942 (void)ssl_printf(ssl, "error: missing argument (keyname)\n"); 1943 return; 1944 } 1945 if(!find_arg2(ssl, arg, &arg2)) { 1946 (void)ssl_printf(ssl, "error: missing argument (secret)\n"); 1947 return; 1948 } 1949 key_opt = key_options_find(xfrd->nsd->options, arg); 1950 if(!key_opt) { 1951 (void)ssl_printf(ssl, "error: no such key with name: %s\n", arg); 1952 memset(arg2, 0xdd, strlen(arg2)); 1953 return; 1954 } 1955 if(__b64_pton(arg2, data, sizeof(data)) == -1) { 1956 (void)ssl_printf(ssl, "error: the secret: %s is not in b64 format\n", arg2); 1957 memset(data, 0xdd, sizeof(data)); /* wipe secret */ 1958 memset(arg2, 0xdd, strlen(arg2)); 1959 return; 1960 } 1961 log_msg(LOG_INFO, "changing secret provided with the key: %s with old secret %s and algo: %s\n", arg, key_opt->secret, key_opt->algorithm); 1962 if(key_opt->secret) { 1963 /* wipe old secret */ 1964 memset(key_opt->secret, 0xdd, strlen(key_opt->secret)); 1965 region_recycle(region, key_opt->secret, 1966 strlen(key_opt->secret)+1); 1967 } 1968 key_opt->secret = region_strdup(region, arg2); 1969 log_msg(LOG_INFO, "the key: %s has new secret %s and algorithm: %s\n", arg, key_opt->secret, key_opt->algorithm); 1970 /* wipe secret from temp parse buffer */ 1971 memset(arg2, 0xdd, strlen(arg2)); 1972 memset(data, 0xdd, sizeof(data)); 1973 1974 key_options_desetup(region, key_opt); 1975 key_options_setup(region, key_opt); 1976 task_new_add_key(xfrd->nsd->task[xfrd->nsd->mytask], xfrd->last_task, 1977 key_opt); 1978 xfrd_set_reload_now(xfrd); 1979 1980 send_ok(ssl); 1981 } 1982 1983 /** do the add tsig command, add new key with name, secret and algo given */ 1984 static void 1985 do_add_tsig(RES* ssl, xfrd_state_type* xfrd, char* arg) 1986 { 1987 char* arg2 = NULL; 1988 char* arg3 = NULL; 1989 uint8_t data[65536]; /* 64KB */ 1990 uint8_t dname[MAXDOMAINLEN+1]; 1991 char algo[256]; 1992 region_type* region = xfrd->nsd->options->region; 1993 struct key_options* new_key_opt; 1994 1995 if(*arg == '\0') { 1996 (void)ssl_printf(ssl, "error: missing argument (keyname)\n"); 1997 return; 1998 } 1999 if(!find_arg3(ssl, arg, &arg2, &arg3)) { 2000 strlcpy(algo, "hmac-sha256", sizeof(algo)); 2001 } else { 2002 strlcpy(algo, arg3, sizeof(algo)); 2003 } 2004 if(!arg2) { 2005 (void)ssl_printf(ssl, "error: missing argument (secret)\n"); 2006 return; 2007 } 2008 if(key_options_find(xfrd->nsd->options, arg)) { 2009 (void)ssl_printf(ssl, "error: key %s already exists\n", arg); 2010 memset(arg2, 0xdd, strlen(arg2)); 2011 return; 2012 } 2013 if(__b64_pton(arg2, data, sizeof(data)) == -1) { 2014 (void)ssl_printf(ssl, "error: the secret: %s is not in b64 format\n", arg2); 2015 memset(data, 0xdd, sizeof(data)); /* wipe secret */ 2016 memset(arg2, 0xdd, strlen(arg2)); 2017 return; 2018 } 2019 memset(data, 0xdd, sizeof(data)); /* wipe secret from temp buffer */ 2020 if(!dname_parse_wire(dname, arg)) { 2021 (void)ssl_printf(ssl, "error: could not parse key name: %s\n", arg); 2022 memset(arg2, 0xdd, strlen(arg2)); 2023 return; 2024 } 2025 if(tsig_get_algorithm_by_name(algo) == NULL) { 2026 (void)ssl_printf(ssl, "error: unknown algorithm: %s\n", algo); 2027 memset(arg2, 0xdd, strlen(arg2)); 2028 return; 2029 } 2030 log_msg(LOG_INFO, "adding key with name: %s and secret: %s with algo: %s\n", arg, arg2, algo); 2031 new_key_opt = key_options_create(region); 2032 new_key_opt->name = region_strdup(region, arg); 2033 new_key_opt->secret = region_strdup(region, arg2); 2034 new_key_opt->algorithm = region_strdup(region, algo); 2035 add_key(xfrd, new_key_opt); 2036 2037 /* wipe secret from temp buffer */ 2038 memset(arg2, 0xdd, strlen(arg2)); 2039 send_ok(ssl); 2040 } 2041 2042 /** set acl entries to use the given TSIG key */ 2043 static void 2044 zopt_set_acl_to_tsig(struct acl_options* acl, struct region* region, 2045 const char* key_name, struct key_options* key_opt) 2046 { 2047 while(acl) { 2048 if(acl->blocked) { 2049 acl = acl->next; 2050 continue; 2051 } 2052 acl->nokey = 0; 2053 if(acl->key_name) 2054 region_recycle(region, (void*)acl->key_name, 2055 strlen(acl->key_name)+1); 2056 acl->key_name = region_strdup(region, key_name); 2057 acl->key_options = key_opt; 2058 acl = acl->next; 2059 } 2060 } 2061 2062 /** do the assoc_tsig command: associate the zone to use the tsig name */ 2063 static void 2064 do_assoc_tsig(RES* ssl, xfrd_state_type* xfrd, char* arg) 2065 { 2066 region_type* region = xfrd->nsd->options->region; 2067 char* arg2 = NULL; 2068 struct zone_options* zone; 2069 struct key_options* key_opt; 2070 2071 if(*arg == '\0') { 2072 (void)ssl_printf(ssl, "error: missing argument (zonename)\n"); 2073 return; 2074 } 2075 if(!find_arg2(ssl, arg, &arg2)) { 2076 (void)ssl_printf(ssl, "error: missing argument (keyname)\n"); 2077 return; 2078 } 2079 2080 if(!get_zone_arg(ssl, xfrd, arg, &zone)) 2081 return; 2082 if(!zone) { 2083 (void)ssl_printf(ssl, "error: missing argument (zone)\n"); 2084 return; 2085 } 2086 key_opt = key_options_find(xfrd->nsd->options, arg2); 2087 if(!key_opt) { 2088 (void)ssl_printf(ssl, "error: key: %s does not exist\n", arg2); 2089 return; 2090 } 2091 2092 zopt_set_acl_to_tsig(zone->pattern->allow_notify, region, arg2, 2093 key_opt); 2094 zopt_set_acl_to_tsig(zone->pattern->notify, region, arg2, key_opt); 2095 zopt_set_acl_to_tsig(zone->pattern->request_xfr, region, arg2, 2096 key_opt); 2097 zopt_set_acl_to_tsig(zone->pattern->provide_xfr, region, arg2, 2098 key_opt); 2099 2100 task_new_add_pattern(xfrd->nsd->task[xfrd->nsd->mytask], 2101 xfrd->last_task, zone->pattern); 2102 xfrd_set_reload_now(xfrd); 2103 2104 send_ok(ssl); 2105 } 2106 2107 /** see if TSIG key is used in the acl */ 2108 static int 2109 acl_contains_tsig_key(struct acl_options* acl, const char* name) 2110 { 2111 while(acl) { 2112 if(acl->key_name && strcmp(acl->key_name, name) == 0) 2113 return 1; 2114 acl = acl->next; 2115 } 2116 return 0; 2117 } 2118 2119 /** do the del_tsig command, remove an (unused) tsig */ 2120 static void 2121 do_del_tsig(RES* ssl, xfrd_state_type* xfrd, char* arg) { 2122 int used_key = 0; 2123 struct zone_options* zone; 2124 struct key_options* key_opt; 2125 2126 if(*arg == '\0') { 2127 (void)ssl_printf(ssl, "error: missing argument (keyname)\n"); 2128 return; 2129 } 2130 key_opt = key_options_find(xfrd->nsd->options, arg); 2131 if(!key_opt) { 2132 (void)ssl_printf(ssl, "key %s does not exist, nothing to be deleted\n", arg); 2133 return; 2134 } 2135 RBTREE_FOR(zone, struct zone_options*, xfrd->nsd->options->zone_options) 2136 { 2137 if(acl_contains_tsig_key(zone->pattern->allow_notify, arg) || 2138 acl_contains_tsig_key(zone->pattern->notify, arg) || 2139 acl_contains_tsig_key(zone->pattern->request_xfr, arg) || 2140 acl_contains_tsig_key(zone->pattern->provide_xfr, arg)) { 2141 if(!ssl_printf(ssl, "zone %s uses key %s\n", 2142 zone->name, arg)) 2143 return; 2144 used_key = 1; 2145 break; 2146 } 2147 } 2148 2149 if(used_key) { 2150 (void)ssl_printf(ssl, "error: key: %s is in use and cannot be deleted\n", arg); 2151 return; 2152 } else { 2153 remove_key(xfrd, arg); 2154 log_msg(LOG_INFO, "key: %s is successfully deleted\n", arg); 2155 } 2156 2157 send_ok(ssl); 2158 } 2159 2160 /** check for name with end-of-string, space or tab after it */ 2161 static int 2162 cmdcmp(char* p, const char* cmd, size_t len) 2163 { 2164 return strncmp(p,cmd,len)==0 && (p[len]==0||p[len]==' '||p[len]=='\t'); 2165 } 2166 2167 /** execute a remote control command */ 2168 static void 2169 execute_cmd(struct daemon_remote* rc, RES* ssl, char* cmd, struct rc_state* rs) 2170 { 2171 char* p = skipwhite(cmd); 2172 /* compare command */ 2173 if(cmdcmp(p, "stop", 4)) { 2174 do_stop(ssl, rc->xfrd); 2175 } else if(cmdcmp(p, "reload", 6)) { 2176 do_reload(ssl, rc->xfrd, skipwhite(p+6)); 2177 } else if(cmdcmp(p, "write", 5)) { 2178 do_write(ssl, rc->xfrd, skipwhite(p+5)); 2179 } else if(cmdcmp(p, "status", 6)) { 2180 do_status(ssl, rc->xfrd); 2181 } else if(cmdcmp(p, "stats_noreset", 13)) { 2182 do_stats(rc, 1, rs); 2183 } else if(cmdcmp(p, "stats", 5)) { 2184 do_stats(rc, 0, rs); 2185 } else if(cmdcmp(p, "log_reopen", 10)) { 2186 do_log_reopen(ssl, rc->xfrd); 2187 } else if(cmdcmp(p, "addzone", 7)) { 2188 do_addzone(ssl, rc->xfrd, skipwhite(p+7)); 2189 } else if(cmdcmp(p, "delzone", 7)) { 2190 do_delzone(ssl, rc->xfrd, skipwhite(p+7)); 2191 } else if(cmdcmp(p, "changezone", 10)) { 2192 do_changezone(ssl, rc->xfrd, skipwhite(p+10)); 2193 } else if(cmdcmp(p, "addzones", 8)) { 2194 do_addzones(ssl, rc->xfrd); 2195 } else if(cmdcmp(p, "delzones", 8)) { 2196 do_delzones(ssl, rc->xfrd); 2197 } else if(cmdcmp(p, "notify", 6)) { 2198 do_notify(ssl, rc->xfrd, skipwhite(p+6)); 2199 } else if(cmdcmp(p, "transfer", 8)) { 2200 do_transfer(ssl, rc->xfrd, skipwhite(p+8)); 2201 } else if(cmdcmp(p, "force_transfer", 14)) { 2202 do_force_transfer(ssl, rc->xfrd, skipwhite(p+14)); 2203 } else if(cmdcmp(p, "zonestatus", 10)) { 2204 do_zonestatus(ssl, rc->xfrd, skipwhite(p+10)); 2205 } else if(cmdcmp(p, "verbosity", 9)) { 2206 do_verbosity(ssl, skipwhite(p+9)); 2207 } else if(cmdcmp(p, "repattern", 9)) { 2208 do_repattern(ssl, rc->xfrd); 2209 } else if(cmdcmp(p, "reconfig", 8)) { 2210 do_repattern(ssl, rc->xfrd); 2211 } else if(cmdcmp(p, "serverpid", 9)) { 2212 do_serverpid(ssl, rc->xfrd); 2213 } else if(cmdcmp(p, "print_tsig", 10)) { 2214 do_print_tsig(ssl, rc->xfrd, skipwhite(p+10)); 2215 } else if(cmdcmp(p, "update_tsig", 11)) { 2216 do_update_tsig(ssl, rc->xfrd, skipwhite(p+11)); 2217 } else if(cmdcmp(p, "add_tsig", 8)) { 2218 do_add_tsig(ssl, rc->xfrd, skipwhite(p+8)); 2219 } else if(cmdcmp(p, "assoc_tsig", 10)) { 2220 do_assoc_tsig(ssl, rc->xfrd, skipwhite(p+10)); 2221 } else if(cmdcmp(p, "del_tsig", 8)) { 2222 do_del_tsig(ssl, rc->xfrd, skipwhite(p+8)); 2223 } else { 2224 (void)ssl_printf(ssl, "error unknown command '%s'\n", p); 2225 } 2226 } 2227 2228 /** handle remote control request */ 2229 static void 2230 handle_req(struct daemon_remote* rc, struct rc_state* s, RES* res) 2231 { 2232 int r; 2233 char pre[10]; 2234 char magic[8]; 2235 char buf[1024]; 2236 if (fcntl(s->c.ev_fd, F_SETFL, 0) == -1) { /* set blocking */ 2237 log_msg(LOG_ERR, "cannot fcntl rc: %s", strerror(errno)); 2238 } 2239 2240 /* try to read magic UBCT[version]_space_ string */ 2241 if(res->ssl) { 2242 ERR_clear_error(); 2243 if((r=SSL_read(res->ssl, magic, (int)sizeof(magic)-1)) <= 0) { 2244 if(SSL_get_error(res->ssl, r) == SSL_ERROR_ZERO_RETURN) 2245 return; 2246 log_crypto_err("could not SSL_read"); 2247 return; 2248 } 2249 } else { 2250 while(1) { 2251 ssize_t rr = read(res->fd, magic, sizeof(magic)-1); 2252 if(rr <= 0) { 2253 if(rr == 0) return; 2254 if(errno == EINTR || errno == EAGAIN) 2255 continue; 2256 log_msg(LOG_ERR, "could not read: %s", strerror(errno)); 2257 return; 2258 } 2259 r = (int)rr; 2260 break; 2261 } 2262 } 2263 magic[7] = 0; 2264 if( r != 7 || strncmp(magic, "NSDCT", 5) != 0) { 2265 VERBOSITY(2, (LOG_INFO, "control connection has bad header")); 2266 /* probably wrong tool connected, ignore it completely */ 2267 return; 2268 } 2269 2270 /* read the command line */ 2271 if(!ssl_read_line(res, buf, sizeof(buf))) { 2272 return; 2273 } 2274 snprintf(pre, sizeof(pre), "NSDCT%d ", NSD_CONTROL_VERSION); 2275 if(strcmp(magic, pre) != 0) { 2276 VERBOSITY(2, (LOG_INFO, "control connection had bad " 2277 "version %s, cmd: %s", magic, buf)); 2278 (void)ssl_printf(res, "error version mismatch\n"); 2279 return; 2280 } 2281 VERBOSITY(2, (LOG_INFO, "control cmd: %s", buf)); 2282 2283 /* figure out what to do */ 2284 execute_cmd(rc, res, buf, s); 2285 } 2286 2287 /** handle SSL_do_handshake changes to the file descriptor to wait for later */ 2288 static void 2289 remote_handshake_later(struct daemon_remote* rc, struct rc_state* s, int fd, 2290 int r, int r2) 2291 { 2292 if(r2 == SSL_ERROR_WANT_READ) { 2293 if(s->shake_state == rc_hs_read) { 2294 /* try again later */ 2295 return; 2296 } 2297 s->shake_state = rc_hs_read; 2298 event_del(&s->c); 2299 memset(&s->c, 0, sizeof(s->c)); 2300 event_set(&s->c, fd, EV_PERSIST|EV_TIMEOUT|EV_READ, 2301 remote_control_callback, s); 2302 if(event_base_set(xfrd->event_base, &s->c) != 0) 2303 log_msg(LOG_ERR, "remote_accept: cannot set event_base"); 2304 if(event_add(&s->c, &s->tval) != 0) 2305 log_msg(LOG_ERR, "remote_accept: cannot add event"); 2306 return; 2307 } else if(r2 == SSL_ERROR_WANT_WRITE) { 2308 if(s->shake_state == rc_hs_write) { 2309 /* try again later */ 2310 return; 2311 } 2312 s->shake_state = rc_hs_write; 2313 event_del(&s->c); 2314 memset(&s->c, 0, sizeof(s->c)); 2315 event_set(&s->c, fd, EV_PERSIST|EV_TIMEOUT|EV_WRITE, 2316 remote_control_callback, s); 2317 if(event_base_set(xfrd->event_base, &s->c) != 0) 2318 log_msg(LOG_ERR, "remote_accept: cannot set event_base"); 2319 if(event_add(&s->c, &s->tval) != 0) 2320 log_msg(LOG_ERR, "remote_accept: cannot add event"); 2321 return; 2322 } else { 2323 if(r == 0) 2324 log_msg(LOG_ERR, "remote control connection closed prematurely"); 2325 log_crypto_err("remote control failed ssl"); 2326 clean_point(rc, s); 2327 } 2328 } 2329 2330 static void 2331 remote_control_callback(int fd, short event, void* arg) 2332 { 2333 RES res; 2334 struct rc_state* s = (struct rc_state*)arg; 2335 struct daemon_remote* rc = s->rc; 2336 int r; 2337 if( (event&EV_TIMEOUT) ) { 2338 log_msg(LOG_ERR, "remote control timed out"); 2339 clean_point(rc, s); 2340 return; 2341 } 2342 if(s->ssl) { 2343 /* (continue to) setup the SSL connection */ 2344 ERR_clear_error(); 2345 r = SSL_do_handshake(s->ssl); 2346 if(r != 1) { 2347 int r2 = SSL_get_error(s->ssl, r); 2348 remote_handshake_later(rc, s, fd, r, r2); 2349 return; 2350 } 2351 s->shake_state = rc_none; 2352 } 2353 2354 /* once handshake has completed, check authentication */ 2355 if (!rc->use_cert) { 2356 VERBOSITY(3, (LOG_INFO, "unauthenticated remote control connection")); 2357 } else if(SSL_get_verify_result(s->ssl) == X509_V_OK) { 2358 X509* x = SSL_get_peer_certificate(s->ssl); 2359 if(!x) { 2360 VERBOSITY(2, (LOG_INFO, "remote control connection " 2361 "provided no client certificate")); 2362 clean_point(rc, s); 2363 return; 2364 } 2365 VERBOSITY(3, (LOG_INFO, "remote control connection authenticated")); 2366 X509_free(x); 2367 } else { 2368 VERBOSITY(2, (LOG_INFO, "remote control connection failed to " 2369 "authenticate with client certificate")); 2370 clean_point(rc, s); 2371 return; 2372 } 2373 2374 /* if OK start to actually handle the request */ 2375 res.ssl = s->ssl; 2376 res.fd = fd; 2377 handle_req(rc, s, &res); 2378 2379 if(!s->in_stats_list) { 2380 VERBOSITY(3, (LOG_INFO, "remote control operation completed")); 2381 clean_point(rc, s); 2382 } 2383 } 2384 2385 #ifdef BIND8_STATS 2386 static const char* 2387 opcode2str(int o) 2388 { 2389 switch(o) { 2390 case OPCODE_QUERY: return "QUERY"; 2391 case OPCODE_IQUERY: return "IQUERY"; 2392 case OPCODE_STATUS: return "STATUS"; 2393 case OPCODE_NOTIFY: return "NOTIFY"; 2394 case OPCODE_UPDATE: return "UPDATE"; 2395 default: return "OTHER"; 2396 } 2397 } 2398 2399 /** print long number */ 2400 static int 2401 print_longnum(RES* ssl, char* desc, uint64_t x) 2402 { 2403 if(x > (uint64_t)1024*1024*1024) { 2404 /* more than a Gb */ 2405 size_t front = (size_t)(x / (uint64_t)1000000); 2406 size_t back = (size_t)(x % (uint64_t)1000000); 2407 return ssl_printf(ssl, "%s%lu%6.6lu\n", desc, 2408 (unsigned long)front, (unsigned long)back); 2409 } else { 2410 return ssl_printf(ssl, "%s%lu\n", desc, (unsigned long)x); 2411 } 2412 } 2413 2414 /* print one block of statistics. n is name and d is delimiter */ 2415 static void 2416 print_stat_block(RES* ssl, char* n, char* d, struct nsdst* st) 2417 { 2418 const char* rcstr[] = {"NOERROR", "FORMERR", "SERVFAIL", "NXDOMAIN", 2419 "NOTIMP", "REFUSED", "YXDOMAIN", "YXRRSET", "NXRRSET", "NOTAUTH", 2420 "NOTZONE", "RCODE11", "RCODE12", "RCODE13", "RCODE14", "RCODE15", 2421 "BADVERS" 2422 }; 2423 size_t i; 2424 for(i=0; i<= 255; i++) { 2425 if(inhibit_zero && st->qtype[i] == 0 && 2426 strncmp(rrtype_to_string(i), "TYPE", 4) == 0) 2427 continue; 2428 if(!ssl_printf(ssl, "%s%snum.type.%s=%lu\n", n, d, 2429 rrtype_to_string(i), (unsigned long)st->qtype[i])) 2430 return; 2431 } 2432 2433 /* opcode */ 2434 for(i=0; i<6; i++) { 2435 if(inhibit_zero && st->opcode[i] == 0 && i != OPCODE_QUERY) 2436 continue; 2437 if(!ssl_printf(ssl, "%s%snum.opcode.%s=%lu\n", n, d, 2438 opcode2str(i), (unsigned long)st->opcode[i])) 2439 return; 2440 } 2441 2442 /* qclass */ 2443 for(i=0; i<4; i++) { 2444 if(inhibit_zero && st->qclass[i] == 0 && i != CLASS_IN) 2445 continue; 2446 if(!ssl_printf(ssl, "%s%snum.class.%s=%lu\n", n, d, 2447 rrclass_to_string(i), (unsigned long)st->qclass[i])) 2448 return; 2449 } 2450 2451 /* rcode */ 2452 for(i=0; i<17; i++) { 2453 if(inhibit_zero && st->rcode[i] == 0 && 2454 i > RCODE_YXDOMAIN) /* NSD does not use larger */ 2455 continue; 2456 if(!ssl_printf(ssl, "%s%snum.rcode.%s=%lu\n", n, d, rcstr[i], 2457 (unsigned long)st->rcode[i])) 2458 return; 2459 } 2460 2461 /* edns */ 2462 if(!ssl_printf(ssl, "%s%snum.edns=%lu\n", n, d, (unsigned long)st->edns)) 2463 return; 2464 2465 /* ednserr */ 2466 if(!ssl_printf(ssl, "%s%snum.ednserr=%lu\n", n, d, 2467 (unsigned long)st->ednserr)) 2468 return; 2469 2470 /* qudp */ 2471 if(!ssl_printf(ssl, "%s%snum.udp=%lu\n", n, d, (unsigned long)st->qudp)) 2472 return; 2473 /* qudp6 */ 2474 if(!ssl_printf(ssl, "%s%snum.udp6=%lu\n", n, d, (unsigned long)st->qudp6)) 2475 return; 2476 /* ctcp */ 2477 if(!ssl_printf(ssl, "%s%snum.tcp=%lu\n", n, d, (unsigned long)st->ctcp)) 2478 return; 2479 /* ctcp6 */ 2480 if(!ssl_printf(ssl, "%s%snum.tcp6=%lu\n", n, d, (unsigned long)st->ctcp6)) 2481 return; 2482 /* ctls */ 2483 if(!ssl_printf(ssl, "%s%snum.tls=%lu\n", n, d, (unsigned long)st->ctls)) 2484 return; 2485 /* ctls6 */ 2486 if(!ssl_printf(ssl, "%s%snum.tls6=%lu\n", n, d, (unsigned long)st->ctls6)) 2487 return; 2488 2489 /* nona */ 2490 if(!ssl_printf(ssl, "%s%snum.answer_wo_aa=%lu\n", n, d, 2491 (unsigned long)st->nona)) 2492 return; 2493 2494 /* rxerr */ 2495 if(!ssl_printf(ssl, "%s%snum.rxerr=%lu\n", n, d, (unsigned long)st->rxerr)) 2496 return; 2497 2498 /* txerr */ 2499 if(!ssl_printf(ssl, "%s%snum.txerr=%lu\n", n, d, (unsigned long)st->txerr)) 2500 return; 2501 2502 /* number of requested-axfr, number of times axfr served to clients */ 2503 if(!ssl_printf(ssl, "%s%snum.raxfr=%lu\n", n, d, (unsigned long)st->raxfr)) 2504 return; 2505 2506 /* truncated */ 2507 if(!ssl_printf(ssl, "%s%snum.truncated=%lu\n", n, d, 2508 (unsigned long)st->truncated)) 2509 return; 2510 2511 /* dropped */ 2512 if(!ssl_printf(ssl, "%s%snum.dropped=%lu\n", n, d, 2513 (unsigned long)st->dropped)) 2514 return; 2515 } 2516 2517 #ifdef USE_ZONE_STATS 2518 static void 2519 resize_zonestat(xfrd_state_type* xfrd, size_t num) 2520 { 2521 struct nsdst** a = xalloc_array_zero(num, sizeof(struct nsdst*)); 2522 if(xfrd->zonestat_clear_num != 0) 2523 memcpy(a, xfrd->zonestat_clear, xfrd->zonestat_clear_num 2524 * sizeof(struct nsdst*)); 2525 free(xfrd->zonestat_clear); 2526 xfrd->zonestat_clear = a; 2527 xfrd->zonestat_clear_num = num; 2528 } 2529 2530 static void 2531 zonestat_print(RES* ssl, xfrd_state_type* xfrd, int clear) 2532 { 2533 struct zonestatname* n; 2534 struct nsdst stat0, stat1; 2535 RBTREE_FOR(n, struct zonestatname*, xfrd->nsd->options->zonestatnames){ 2536 char* name = (char*)n->node.key; 2537 if(n->id >= xfrd->zonestat_safe) 2538 continue; /* newly allocated and reload has not yet 2539 done and replied with new size */ 2540 if(name == NULL || name[0]==0) 2541 continue; /* empty name, do not output */ 2542 /* the statistics are stored in two blocks, during reload 2543 * the newly forked processes get the other block to use, 2544 * these blocks are mmapped and are currently in use to 2545 * add statistics to */ 2546 memcpy(&stat0, &xfrd->nsd->zonestat[0][n->id], sizeof(stat0)); 2547 memcpy(&stat1, &xfrd->nsd->zonestat[1][n->id], sizeof(stat1)); 2548 stats_add(&stat0, &stat1); 2549 2550 /* save a copy of current (cumulative) stats in stat1 */ 2551 memcpy(&stat1, &stat0, sizeof(stat1)); 2552 /* subtract last total of stats that was 'cleared' */ 2553 if(n->id < xfrd->zonestat_clear_num && 2554 xfrd->zonestat_clear[n->id]) 2555 stats_subtract(&stat0, xfrd->zonestat_clear[n->id]); 2556 if(clear) { 2557 /* extend storage array if needed */ 2558 if(n->id >= xfrd->zonestat_clear_num) { 2559 if(n->id+1 < xfrd->nsd->options->zonestatnames->count) 2560 resize_zonestat(xfrd, xfrd->nsd->options->zonestatnames->count); 2561 else 2562 resize_zonestat(xfrd, n->id+1); 2563 } 2564 if(!xfrd->zonestat_clear[n->id]) 2565 xfrd->zonestat_clear[n->id] = xalloc( 2566 sizeof(struct nsdst)); 2567 /* store last total of stats */ 2568 memcpy(xfrd->zonestat_clear[n->id], &stat1, 2569 sizeof(struct nsdst)); 2570 } 2571 2572 /* stat0 contains the details that we want to print */ 2573 if(!ssl_printf(ssl, "%s%snum.queries=%lu\n", name, ".", 2574 (unsigned long)(stat0.qudp + stat0.qudp6 + stat0.ctcp + 2575 stat0.ctcp6 + stat0.ctls + stat0.ctls6))) 2576 return; 2577 print_stat_block(ssl, name, ".", &stat0); 2578 } 2579 } 2580 #endif /* USE_ZONE_STATS */ 2581 2582 static void 2583 print_stats(RES* ssl, xfrd_state_type* xfrd, struct timeval* now, int clear) 2584 { 2585 size_t i; 2586 stc_type total = 0; 2587 struct timeval elapsed, uptime; 2588 2589 /* per CPU and total */ 2590 for(i=0; i<xfrd->nsd->child_count; i++) { 2591 if(!ssl_printf(ssl, "server%d.queries=%lu\n", (int)i, 2592 (unsigned long)xfrd->nsd->children[i].query_count)) 2593 return; 2594 total += xfrd->nsd->children[i].query_count; 2595 } 2596 if(!ssl_printf(ssl, "num.queries=%lu\n", (unsigned long)total)) 2597 return; 2598 2599 /* time elapsed and uptime (in seconds) */ 2600 timeval_subtract(&uptime, now, &xfrd->nsd->rc->boot_time); 2601 timeval_subtract(&elapsed, now, &xfrd->nsd->rc->stats_time); 2602 if(!ssl_printf(ssl, "time.boot=%lu.%6.6lu\n", 2603 (unsigned long)uptime.tv_sec, (unsigned long)uptime.tv_usec)) 2604 return; 2605 if(!ssl_printf(ssl, "time.elapsed=%lu.%6.6lu\n", 2606 (unsigned long)elapsed.tv_sec, (unsigned long)elapsed.tv_usec)) 2607 return; 2608 2609 /* mem info, database on disksize */ 2610 if(!print_longnum(ssl, "size.db.disk=", xfrd->nsd->st.db_disk)) 2611 return; 2612 if(!print_longnum(ssl, "size.db.mem=", xfrd->nsd->st.db_mem)) 2613 return; 2614 if(!print_longnum(ssl, "size.xfrd.mem=", region_get_mem(xfrd->region))) 2615 return; 2616 if(!print_longnum(ssl, "size.config.disk=", 2617 xfrd->nsd->options->zonelist_off)) 2618 return; 2619 if(!print_longnum(ssl, "size.config.mem=", region_get_mem( 2620 xfrd->nsd->options->region))) 2621 return; 2622 print_stat_block(ssl, "", "", &xfrd->nsd->st); 2623 2624 /* zone statistics */ 2625 if(!ssl_printf(ssl, "zone.master=%lu\n", 2626 (unsigned long)(xfrd->notify_zones->count - xfrd->zones->count))) 2627 return; 2628 if(!ssl_printf(ssl, "zone.slave=%lu\n", (unsigned long)xfrd->zones->count)) 2629 return; 2630 #ifdef USE_ZONE_STATS 2631 zonestat_print(ssl, xfrd, clear); /* per-zone statistics */ 2632 #else 2633 (void)clear; 2634 #endif 2635 } 2636 2637 static void 2638 clear_stats(xfrd_state_type* xfrd) 2639 { 2640 size_t i; 2641 uint64_t dbd = xfrd->nsd->st.db_disk; 2642 uint64_t dbm = xfrd->nsd->st.db_mem; 2643 for(i=0; i<xfrd->nsd->child_count; i++) { 2644 xfrd->nsd->children[i].query_count = 0; 2645 } 2646 memset(&xfrd->nsd->st, 0, sizeof(struct nsdst)); 2647 /* zonestats are cleared by storing the cumulative value that 2648 * was last printed in the zonestat_clear array, and subtracting 2649 * that before the next stats printout */ 2650 xfrd->nsd->st.db_disk = dbd; 2651 xfrd->nsd->st.db_mem = dbm; 2652 } 2653 2654 void 2655 daemon_remote_process_stats(struct daemon_remote* rc) 2656 { 2657 RES res; 2658 struct rc_state* s; 2659 struct timeval now; 2660 if(!rc) return; 2661 if(gettimeofday(&now, NULL) == -1) 2662 log_msg(LOG_ERR, "gettimeofday: %s", strerror(errno)); 2663 /* pop one and give it stats */ 2664 while((s = rc->stats_list)) { 2665 assert(s->in_stats_list); 2666 res.ssl = s->ssl; 2667 res.fd = s->fd; 2668 print_stats(&res, rc->xfrd, &now, (s->in_stats_list == 1)); 2669 if(s->in_stats_list == 1) { 2670 clear_stats(rc->xfrd); 2671 rc->stats_time = now; 2672 } 2673 VERBOSITY(3, (LOG_INFO, "remote control stats printed")); 2674 rc->stats_list = s->next; 2675 s->in_stats_list = 0; 2676 clean_point(rc, s); 2677 } 2678 } 2679 #endif /* BIND8_STATS */ 2680 2681 int 2682 create_local_accept_sock(const char *path, int* noproto) 2683 { 2684 #ifdef HAVE_SYS_UN_H 2685 int s; 2686 struct sockaddr_un usock; 2687 2688 VERBOSITY(3, (LOG_INFO, "creating unix socket %s", path)); 2689 #ifdef HAVE_STRUCT_SOCKADDR_UN_SUN_LEN 2690 /* this member exists on BSDs, not Linux */ 2691 usock.sun_len = (unsigned)sizeof(usock); 2692 #endif 2693 usock.sun_family = AF_LOCAL; 2694 /* length is 92-108, 104 on FreeBSD */ 2695 (void)strlcpy(usock.sun_path, path, sizeof(usock.sun_path)); 2696 2697 if ((s = socket(AF_LOCAL, SOCK_STREAM, 0)) == -1) { 2698 log_msg(LOG_ERR, "Cannot create local socket %s (%s)", 2699 path, strerror(errno)); 2700 return -1; 2701 } 2702 2703 if (unlink(path) && errno != ENOENT) { 2704 /* The socket already exists and cannot be removed */ 2705 log_msg(LOG_ERR, "Cannot remove old local socket %s (%s)", 2706 path, strerror(errno)); 2707 goto err; 2708 } 2709 2710 if (bind(s, (struct sockaddr *)&usock, 2711 (socklen_t)sizeof(struct sockaddr_un)) == -1) { 2712 log_msg(LOG_ERR, "Cannot bind local socket %s (%s)", 2713 path, strerror(errno)); 2714 goto err; 2715 } 2716 2717 if (fcntl(s, F_SETFL, O_NONBLOCK) == -1) { 2718 log_msg(LOG_ERR, "Cannot set non-blocking mode"); 2719 goto err; 2720 } 2721 2722 if (listen(s, TCP_BACKLOG) == -1) { 2723 log_msg(LOG_ERR, "can't listen: %s", strerror(errno)); 2724 goto err; 2725 } 2726 2727 (void)noproto; /*unused*/ 2728 return s; 2729 2730 err: 2731 close(s); 2732 return -1; 2733 2734 #else 2735 (void)path; 2736 log_msg(LOG_ERR, "Local sockets are not supported"); 2737 *noproto = 1; 2738 return -1; 2739 #endif 2740 } 2741 2742 #endif /* HAVE_SSL */ 2743