static void
register_keys(const cfg_obj_t *control, const cfg_obj_t *keylist,
controlkeylist_t *keyids, isc_mem_t *mctx, const char *socktext)
{
controlkey_t *keyid, *next;
const cfg_obj_t *keydef;
char secret[1024];
isc_buffer_t b;
isc_result_t result;
/*
* Find the keys corresponding to the keyids used by this listener.
*/
for (keyid = ISC_LIST_HEAD(*keyids); keyid != NULL; keyid = next) {
next = ISC_LIST_NEXT(keyid, link);
result = cfgkeylist_find(keylist, keyid->keyname, &keydef);
if (result != ISC_R_SUCCESS) {
cfg_obj_log(control, ns_g_lctx, ISC_LOG_WARNING,
"couldn't find key '%s' for use with "
"command channel %s",
keyid->keyname, socktext);
ISC_LIST_UNLINK(*keyids, keyid, link);
free_controlkey(keyid, mctx);
} else {
const cfg_obj_t *algobj = NULL;
const cfg_obj_t *secretobj = NULL;
const char *algstr = NULL;
const char *secretstr = NULL;
unsigned int algtype;
(void)cfg_map_get(keydef, "algorithm", &algobj);
(void)cfg_map_get(keydef, "secret", &secretobj);
INSIST(algobj != NULL && secretobj != NULL);
algstr = cfg_obj_asstring(algobj);
secretstr = cfg_obj_asstring(secretobj);
if (ns_config_getkeyalgorithm2(algstr, NULL,
&algtype, NULL) != ISC_R_SUCCESS)
{
cfg_obj_log(control, ns_g_lctx,
ISC_LOG_WARNING,
"unsupported algorithm '%s' in "
"key '%s' for use with command "
"channel %s",
algstr, keyid->keyname, socktext);
ISC_LIST_UNLINK(*keyids, keyid, link);
free_controlkey(keyid, mctx);
continue;
}
keyid->algorithm = algtype;
isc_buffer_init(&b, secret, sizeof(secret));
result = isc_base64_decodestring(secretstr, &b);
if (result != ISC_R_SUCCESS) {
cfg_obj_log(keydef, ns_g_lctx, ISC_LOG_WARNING,
"secret for key '%s' on "
"command channel %s: %s",
keyid->keyname, socktext,
isc_result_totext(result));
ISC_LIST_UNLINK(*keyids, keyid, link);
free_controlkey(keyid, mctx);
continue;
}
keyid->secret.length = isc_buffer_usedlength(&b);
keyid->secret.base = isc_mem_get(mctx,
keyid->secret.length);
if (keyid->secret.base == NULL) {
cfg_obj_log(keydef, ns_g_lctx, ISC_LOG_WARNING,
"couldn't register key '%s': "
"out of memory", keyid->keyname);
ISC_LIST_UNLINK(*keyids, keyid, link);
free_controlkey(keyid, mctx);
break;
}
memmove(keyid->secret.base, isc_buffer_base(&b),
keyid->secret.length);
}
}
}
/*
* Poll each source, trying to get data from it to stuff into the entropy
* pool.
*/
static void fillpool (isc_entropy_t * ent, unsigned int desired, isc_boolean_t blocking)
{
unsigned int added;
unsigned int remaining;
unsigned int needed;
unsigned int nsource;
isc_entropysource_t *source;
REQUIRE (VALID_ENTROPY (ent));
needed = desired;
/*
* This logic is a little strange, so an explanation is in order.
*
* If needed is 0, it means we are being asked to "fill to whatever
* we think is best." This means that if we have at least a
* partially full pool (say, > 1/4th of the pool) we probably don't
* need to add anything.
*
* Also, we will check to see if the "pseudo" count is too high.
* If it is, try to mix in better data. Too high is currently
* defined as 1/4th of the pool.
*
* Next, if we are asked to add a specific bit of entropy, make
* certain that we will do so. Clamp how much we try to add to
* (DIGEST_SIZE * 8 < needed < POOLBITS - entropy).
*
* Note that if we are in a blocking mode, we will only try to
* get as much data as we need, not as much as we might want
* to build up.
*/
if (needed == 0)
{
REQUIRE (!blocking);
if ((ent->pool.entropy >= RND_POOLBITS / 4) && (ent->pool.pseudo <= RND_POOLBITS / 4))
return;
needed = THRESHOLD_BITS * 4;
}
else
{
needed = ISC_MAX (needed, THRESHOLD_BITS);
needed = ISC_MIN (needed, RND_POOLBITS);
}
/*
* In any case, clamp how much we need to how much we can add.
*/
needed = ISC_MIN (needed, RND_POOLBITS - ent->pool.entropy);
/*
* But wait! If we're not yet initialized, we need at least
* THRESHOLD_BITS
* of randomness.
*/
if (ent->initialized < THRESHOLD_BITS)
needed = ISC_MAX (needed, THRESHOLD_BITS - ent->initialized);
/*
* Poll each file source to see if we can read anything useful from
* it. XXXMLG When where are multiple sources, we should keep a
* record of which one we last used so we can start from it (or the
* next one) to avoid letting some sources build up entropy while
* others are always drained.
*/
added = 0;
remaining = needed;
if (ent->nextsource == NULL)
{
ent->nextsource = ISC_LIST_HEAD (ent->sources);
if (ent->nextsource == NULL)
return;
}
source = ent->nextsource;
again_file:
for (nsource = 0; nsource < ent->nsources; nsource++)
{
unsigned int got;
if (remaining == 0)
break;
got = 0;
switch (source->type)
{
case ENTROPY_SOURCETYPE_FILE:
got = get_from_filesource (source, remaining);
break;
case ENTROPY_SOURCETYPE_USOCKET:
got = get_from_usocketsource (source, remaining);
break;
}
added += got;
remaining -= ISC_MIN (remaining, got);
source = ISC_LIST_NEXT (source, link);
if (source == NULL)
source = ISC_LIST_HEAD (ent->sources);
}
ent->nextsource = source;
if (blocking && remaining != 0)
{
int fds;
fds = wait_for_sources (ent);
if (fds > 0)
goto again_file;
}
/*
* Here, if there are bits remaining to be had and we can block,
* check to see if we have a callback source. If so, call them.
*/
source = ISC_LIST_HEAD (ent->sources);
while ((remaining != 0) && (source != NULL))
{
unsigned int got;
got = 0;
if (source->type == ENTROPY_SOURCETYPE_CALLBACK)
got = get_from_callback (source, remaining, blocking);
added += got;
remaining -= ISC_MIN (remaining, got);
if (added >= needed)
break;
source = ISC_LIST_NEXT (source, link);
}
/*
* Mark as initialized if we've added enough data.
*/
if (ent->initialized < THRESHOLD_BITS)
ent->initialized += added;
}
void
isc_taskmgr_renderxml(isc_taskmgr_t *mgr0, xmlTextWriterPtr writer) {
isc__taskmgr_t *mgr = (isc__taskmgr_t *)mgr0;
isc__task_t *task;
LOCK(&mgr->lock);
/*
* Write out the thread-model, and some details about each depending
* on which type is enabled.
*/
xmlTextWriterStartElement(writer, ISC_XMLCHAR "thread-model");
#ifdef ISC_PLATFORM_USETHREADS
xmlTextWriterStartElement(writer, ISC_XMLCHAR "type");
xmlTextWriterWriteString(writer, ISC_XMLCHAR "threaded");
xmlTextWriterEndElement(writer); /* type */
xmlTextWriterStartElement(writer, ISC_XMLCHAR "worker-threads");
xmlTextWriterWriteFormatString(writer, "%d", mgr->workers);
xmlTextWriterEndElement(writer); /* worker-threads */
#else /* ISC_PLATFORM_USETHREADS */
xmlTextWriterStartElement(writer, ISC_XMLCHAR "type");
xmlTextWriterWriteString(writer, ISC_XMLCHAR "non-threaded");
xmlTextWriterEndElement(writer); /* type */
xmlTextWriterStartElement(writer, ISC_XMLCHAR "references");
xmlTextWriterWriteFormatString(writer, "%d", mgr->refs);
xmlTextWriterEndElement(writer); /* references */
#endif /* ISC_PLATFORM_USETHREADS */
xmlTextWriterStartElement(writer, ISC_XMLCHAR "default-quantum");
xmlTextWriterWriteFormatString(writer, "%d", mgr->default_quantum);
xmlTextWriterEndElement(writer); /* default-quantum */
xmlTextWriterStartElement(writer, ISC_XMLCHAR "tasks-running");
xmlTextWriterWriteFormatString(writer, "%d", mgr->tasks_running);
xmlTextWriterEndElement(writer); /* tasks-running */
xmlTextWriterEndElement(writer); /* thread-model */
xmlTextWriterStartElement(writer, ISC_XMLCHAR "tasks");
task = ISC_LIST_HEAD(mgr->tasks);
while (task != NULL) {
LOCK(&task->lock);
xmlTextWriterStartElement(writer, ISC_XMLCHAR "task");
if (task->name[0] != 0) {
xmlTextWriterStartElement(writer, ISC_XMLCHAR "name");
xmlTextWriterWriteFormatString(writer, "%s",
task->name);
xmlTextWriterEndElement(writer); /* name */
}
xmlTextWriterStartElement(writer, ISC_XMLCHAR "references");
xmlTextWriterWriteFormatString(writer, "%d", task->references);
xmlTextWriterEndElement(writer); /* references */
xmlTextWriterStartElement(writer, ISC_XMLCHAR "id");
xmlTextWriterWriteFormatString(writer, "%p", task);
xmlTextWriterEndElement(writer); /* id */
xmlTextWriterStartElement(writer, ISC_XMLCHAR "state");
xmlTextWriterWriteFormatString(writer, "%s",
statenames[task->state]);
xmlTextWriterEndElement(writer); /* state */
xmlTextWriterStartElement(writer, ISC_XMLCHAR "quantum");
xmlTextWriterWriteFormatString(writer, "%d", task->quantum);
xmlTextWriterEndElement(writer); /* quantum */
xmlTextWriterEndElement(writer);
UNLOCK(&task->lock);
task = ISC_LIST_NEXT(task, link);
}
xmlTextWriterEndElement(writer); /* tasks */
UNLOCK(&mgr->lock);
}
isc_result_t
dns_diff_print(dns_diff_t *diff, FILE *file) {
isc_result_t result;
dns_difftuple_t *t;
char *mem = NULL;
unsigned int size = 2048;
const char *op = NULL;
REQUIRE(DNS_DIFF_VALID(diff));
mem = isc_mem_get(diff->mctx, size);
if (mem == NULL)
return (ISC_R_NOMEMORY);
for (t = ISC_LIST_HEAD(diff->tuples); t != NULL;
t = ISC_LIST_NEXT(t, link))
{
isc_buffer_t buf;
isc_region_t r;
dns_rdatalist_t rdl;
dns_rdataset_t rds;
dns_rdata_t rd = DNS_RDATA_INIT;
result = diff_tuple_tordataset(t, &rd, &rdl, &rds);
if (result != ISC_R_SUCCESS) {
UNEXPECTED_ERROR(__FILE__, __LINE__,
"diff_tuple_tordataset failed: %s",
dns_result_totext(result));
result = ISC_R_UNEXPECTED;
goto cleanup;
}
again:
isc_buffer_init(&buf, mem, size);
result = dns_rdataset_totext(&rds, &t->name,
ISC_FALSE, ISC_FALSE, &buf);
if (result == ISC_R_NOSPACE) {
isc_mem_put(diff->mctx, mem, size);
size += 1024;
mem = isc_mem_get(diff->mctx, size);
if (mem == NULL) {
result = ISC_R_NOMEMORY;
goto cleanup;
}
goto again;
}
if (result != ISC_R_SUCCESS)
goto cleanup;
/*
* Get rid of final newline.
*/
INSIST(buf.used >= 1 &&
((char *) buf.base)[buf.used-1] == '\n');
buf.used--;
isc_buffer_usedregion(&buf, &r);
switch (t->op) {
case DNS_DIFFOP_EXISTS: op = "exists"; break;
case DNS_DIFFOP_ADD: op = "add"; break;
case DNS_DIFFOP_DEL: op = "del"; break;
case DNS_DIFFOP_ADDRESIGN: op = "add re-sign"; break;
case DNS_DIFFOP_DELRESIGN: op = "del re-sign"; break;
}
if (file != NULL)
fprintf(file, "%s %.*s\n", op, (int) r.length,
(char *) r.base);
else
isc_log_write(DIFF_COMMON_LOGARGS, ISC_LOG_DEBUG(7),
"%s %.*s", op, (int) r.length,
(char *) r.base);
}
result = ISC_R_SUCCESS;
cleanup:
if (mem != NULL)
isc_mem_put(diff->mctx, mem, size);
return (result);
}
ISC_APPFUNC_SCOPE isc_result_t
isc__app_ctxrun(isc_appctx_t *ctx0) {
isc__appctx_t *ctx = (isc__appctx_t *)ctx0;
int result;
isc_event_t *event, *next_event;
isc_task_t *task;
sigset_t sset;
char strbuf[ISC_STRERRORSIZE];
#ifdef HAVE_SIGWAIT
int sig;
#endif
REQUIRE(VALID_APPCTX(ctx));
#ifdef HAVE_LINUXTHREADS
REQUIRE(main_thread == pthread_self());
#endif
LOCK(&ctx->lock);
if (!ctx->running) {
ctx->running = ISC_TRUE;
/*
* Post any on-run events (in FIFO order).
*/
for (event = ISC_LIST_HEAD(ctx->on_run);
event != NULL;
event = next_event) {
next_event = ISC_LIST_NEXT(event, ev_link);
ISC_LIST_UNLINK(ctx->on_run, event, ev_link);
task = event->ev_sender;
event->ev_sender = NULL;
isc_task_sendanddetach(&task, &event);
}
}
UNLOCK(&ctx->lock);
#ifndef HAVE_SIGWAIT
/*
* Catch SIGHUP.
*
* We do this here to ensure that the signal handler is installed
* (i.e. that it wasn't a "one-shot" handler).
*/
if (ctx == &isc_g_appctx) {
result = handle_signal(SIGHUP, reload_action);
if (result != ISC_R_SUCCESS)
return (ISC_R_SUCCESS);
}
#endif
/*
* When we are using multiple contexts, we don't rely on signals.
*/
if (ctx == &isc_g_appctx) {
/*
* There is no danger if isc_app_shutdown() is called before we wait
* for signals. Signals are blocked, so any such signal will simply
* be made pending and we will get it when we call sigwait().
*/
while (!ctx->want_shutdown) {
#ifdef HAVE_SIGWAIT
/*
* Wait for SIGHUP, SIGINT, or SIGTERM.
*/
if (sigemptyset(&sset) != 0 ||
sigaddset(&sset, SIGHUP) != 0 ||
sigaddset(&sset, SIGINT) != 0 ||
sigaddset(&sset, SIGTERM) != 0) {
isc__strerror(errno, strbuf, sizeof(strbuf));
UNEXPECTED_ERROR(__FILE__, __LINE__,
"isc_app_run() sigsetops: %s", strbuf);
return (ISC_R_UNEXPECTED);
}
#ifndef HAVE_UNIXWARE_SIGWAIT
result = sigwait(&sset, &sig);
if (result == 0) {
if (sig == SIGINT || sig == SIGTERM)
ctx->want_shutdown = ISC_TRUE;
else if (sig == SIGHUP)
ctx->want_reload = ISC_TRUE;
}
#else /* Using UnixWare sigwait semantics. */
sig = sigwait(&sset);
if (sig >= 0) {
if (sig == SIGINT || sig == SIGTERM)
ctx->want_shutdown = ISC_TRUE;
else if (sig == SIGHUP)
ctx->want_reload = ISC_TRUE;
}
#endif /* HAVE_UNIXWARE_SIGWAIT */
#else /* Don't have sigwait(). */
/*
* Listen for all signals.
*/
if (sigemptyset(&sset) != 0) {
isc__strerror(errno, strbuf, sizeof(strbuf));
UNEXPECTED_ERROR(__FILE__, __LINE__,
"isc_app_run() sigsetops: %s",
strbuf);
return (ISC_R_UNEXPECTED);
}
result = sigsuspend(&sset);
#endif /* HAVE_SIGWAIT */
if (ctx->want_reload) {
ctx->want_reload = ISC_FALSE;
return (ISC_R_RELOAD);
}
if (ctx->want_shutdown && ctx->blocked)
exit(1);
}
} else {
(void)isc__taskmgr_dispatch(ctx->taskmgr);
#ifndef ISC_PLATFORM_USETHREADS
result = evloop(ctx);
if (result != ISC_R_SUCCESS)
return (result);
#endif
}
return (ISC_R_SUCCESS);
}
isc_result_t
ns_stats_dump(ns_server_t *server, FILE *fp) {
isc_stdtime_t now;
isc_result_t result;
dns_view_t *view;
dns_zone_t *zone, *next;
stats_dumparg_t dumparg;
isc_uint64_t nsstat_values[dns_nsstatscounter_max];
isc_uint64_t resstat_values[dns_resstatscounter_max];
isc_uint64_t zonestat_values[dns_zonestatscounter_max];
isc_uint64_t sockstat_values[isc_sockstatscounter_max];
RUNTIME_CHECK(isc_once_do(&once, init_desc) == ISC_R_SUCCESS);
/* Set common fields */
dumparg.type = statsformat_file;
dumparg.arg = fp;
isc_stdtime_get(&now);
fprintf(fp, "+++ Statistics Dump +++ (%lu)\n", (unsigned long)now);
fprintf(fp, "++ Incoming Requests ++\n");
dns_opcodestats_dump(server->opcodestats, opcodestat_dump, &dumparg, 0);
fprintf(fp, "++ Incoming Queries ++\n");
dns_rdatatypestats_dump(server->rcvquerystats, rdtypestat_dump,
&dumparg, 0);
fprintf(fp, "++ Outgoing Queries ++\n");
for (view = ISC_LIST_HEAD(server->viewlist);
view != NULL;
view = ISC_LIST_NEXT(view, link)) {
if (view->resquerystats == NULL)
continue;
if (strcmp(view->name, "_default") == 0)
fprintf(fp, "[View: default]\n");
else
fprintf(fp, "[View: %s]\n", view->name);
dns_rdatatypestats_dump(view->resquerystats, rdtypestat_dump,
&dumparg, 0);
}
fprintf(fp, "++ Name Server Statistics ++\n");
(void) dump_counters(server->nsstats, statsformat_file, fp, NULL,
nsstats_desc, dns_nsstatscounter_max,
nsstats_index, nsstat_values, 0);
fprintf(fp, "++ Zone Maintenance Statistics ++\n");
(void) dump_counters(server->zonestats, statsformat_file, fp, NULL,
zonestats_desc, dns_zonestatscounter_max,
zonestats_index, zonestat_values, 0);
fprintf(fp, "++ Resolver Statistics ++\n");
fprintf(fp, "[Common]\n");
(void) dump_counters(server->resolverstats, statsformat_file, fp, NULL,
resstats_desc, dns_resstatscounter_max,
resstats_index, resstat_values, 0);
for (view = ISC_LIST_HEAD(server->viewlist);
view != NULL;
view = ISC_LIST_NEXT(view, link)) {
if (view->resstats == NULL)
continue;
if (strcmp(view->name, "_default") == 0)
fprintf(fp, "[View: default]\n");
else
fprintf(fp, "[View: %s]\n", view->name);
(void) dump_counters(view->resstats, statsformat_file, fp, NULL,
resstats_desc, dns_resstatscounter_max,
resstats_index, resstat_values, 0);
}
fprintf(fp, "++ Cache DB RRsets ++\n");
for (view = ISC_LIST_HEAD(server->viewlist);
view != NULL;
view = ISC_LIST_NEXT(view, link)) {
dns_stats_t *cachestats;
cachestats = dns_db_getrrsetstats(view->cachedb);
if (cachestats == NULL)
continue;
if (strcmp(view->name, "_default") == 0)
fprintf(fp, "[View: default]\n");
else
fprintf(fp, "[View: %s (Cache: %s)]\n", view->name,
dns_cache_getname(view->cache));
if (dns_view_iscacheshared(view)) {
/*
* Avoid dumping redundant statistics when the cache is
* shared.
*/
continue;
}
dns_rdatasetstats_dump(cachestats, rdatasetstats_dump, &dumparg,
0);
}
fprintf(fp, "++ Socket I/O Statistics ++\n");
(void) dump_counters(server->sockstats, statsformat_file, fp, NULL,
sockstats_desc, isc_sockstatscounter_max,
sockstats_index, sockstat_values, 0);
fprintf(fp, "++ Per Zone Query Statistics ++\n");
zone = NULL;
for (result = dns_zone_first(server->zonemgr, &zone);
result == ISC_R_SUCCESS;
next = NULL, result = dns_zone_next(zone, &next), zone = next)
{
isc_stats_t *zonestats = dns_zone_getrequeststats(zone);
if (zonestats != NULL) {
char zonename[DNS_NAME_FORMATSIZE];
dns_name_format(dns_zone_getorigin(zone),
zonename, sizeof(zonename));
view = dns_zone_getview(zone);
fprintf(fp, "[%s", zonename);
if (strcmp(view->name, "_default") != 0)
fprintf(fp, " (view: %s)", view->name);
fprintf(fp, "]\n");
(void) dump_counters(zonestats, statsformat_file, fp,
NULL, nsstats_desc,
dns_nsstatscounter_max,
nsstats_index, nsstat_values, 0);
}
}
fprintf(fp, "--- Statistics Dump --- (%lu)\n", (unsigned long)now);
return (ISC_R_SUCCESS); /* this function currently always succeeds */
}
static isc_result_t
diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver,
isc_boolean_t warn)
{
dns_difftuple_t *t;
dns_dbnode_t *node = NULL;
isc_result_t result;
char namebuf[DNS_NAME_FORMATSIZE];
char typebuf[DNS_RDATATYPE_FORMATSIZE];
char classbuf[DNS_RDATACLASS_FORMATSIZE];
REQUIRE(DNS_DIFF_VALID(diff));
REQUIRE(DNS_DB_VALID(db));
t = ISC_LIST_HEAD(diff->tuples);
while (t != NULL) {
dns_name_t *name;
INSIST(node == NULL);
name = &t->name;
/*
* Find the node.
* We create the node if it does not exist.
* This will cause an empty node to be created if the diff
* contains a deletion of an RR at a nonexistent name,
* but such diffs should never be created in the first
* place.
*/
while (t != NULL && dns_name_equal(&t->name, name)) {
dns_rdatatype_t type, covers;
dns_diffop_t op;
dns_rdatalist_t rdl;
dns_rdataset_t rds;
dns_rdataset_t ardataset;
dns_rdataset_t *modified = NULL;
op = t->op;
type = t->rdata.type;
covers = rdata_covers(&t->rdata);
/*
* Collect a contiguous set of updates with
* the same operation (add/delete) and RR type
* into a single rdatalist so that the
* database rrset merging/subtraction code
* can work more efficiently than if each
* RR were merged into / subtracted from
* the database separately.
*
* This is done by linking rdata structures from the
* diff into "rdatalist". This uses the rdata link
* field, not the diff link field, so the structure
* of the diff itself is not affected.
*/
rdl.type = type;
rdl.covers = covers;
rdl.rdclass = t->rdata.rdclass;
rdl.ttl = t->ttl;
ISC_LIST_INIT(rdl.rdata);
ISC_LINK_INIT(&rdl, link);
node = NULL;
if (type != dns_rdatatype_nsec3 &&
covers != dns_rdatatype_nsec3)
CHECK(dns_db_findnode(db, name, ISC_TRUE,
&node));
else
CHECK(dns_db_findnsec3node(db, name, ISC_TRUE,
&node));
while (t != NULL &&
dns_name_equal(&t->name, name) &&
t->op == op &&
t->rdata.type == type &&
rdata_covers(&t->rdata) == covers)
{
dns_name_format(name, namebuf, sizeof(namebuf));
dns_rdatatype_format(t->rdata.type, typebuf,
sizeof(typebuf));
dns_rdataclass_format(t->rdata.rdclass,
classbuf,
sizeof(classbuf));
if (t->ttl != rdl.ttl && warn)
isc_log_write(DIFF_COMMON_LOGARGS,
ISC_LOG_WARNING,
"'%s/%s/%s': TTL differs in "
"rdataset, adjusting "
"%lu -> %lu",
namebuf, typebuf, classbuf,
(unsigned long) t->ttl,
(unsigned long) rdl.ttl);
ISC_LIST_APPEND(rdl.rdata, &t->rdata, link);
t = ISC_LIST_NEXT(t, link);
}
/*
* Convert the rdatalist into a rdataset.
*/
dns_rdataset_init(&rds);
CHECK(dns_rdatalist_tordataset(&rdl, &rds));
if (rds.type == dns_rdatatype_rrsig)
switch (op) {
case DNS_DIFFOP_ADDRESIGN:
case DNS_DIFFOP_DELRESIGN:
modified = &ardataset;
dns_rdataset_init(modified);
break;
default:
break;
}
rds.trust = dns_trust_ultimate;
/*
* Merge the rdataset into the database.
*/
switch (op) {
case DNS_DIFFOP_ADD:
case DNS_DIFFOP_ADDRESIGN:
result = dns_db_addrdataset(db, node, ver,
0, &rds,
DNS_DBADD_MERGE|
DNS_DBADD_EXACT|
DNS_DBADD_EXACTTTL,
modified);
break;
case DNS_DIFFOP_DEL:
case DNS_DIFFOP_DELRESIGN:
result = dns_db_subtractrdataset(db, node, ver,
&rds,
DNS_DBSUB_EXACT,
modified);
break;
default:
INSIST(0);
}
if (result == ISC_R_SUCCESS) {
if (modified != NULL) {
isc_stdtime_t resign;
resign = setresign(modified,
diff->resign);
dns_db_setsigningtime(db, modified,
resign);
if (diff->resign == 0 &&
(op == DNS_DIFFOP_ADDRESIGN ||
op == DNS_DIFFOP_DELRESIGN))
isc_log_write(
DIFF_COMMON_LOGARGS,
ISC_LOG_WARNING,
"resign requested "
"with 0 resign "
"interval");
}
} else if (result == DNS_R_UNCHANGED) {
/*
* This will not happen when executing a
* dynamic update, because that code will
* generate strictly minimal diffs.
* It may happen when receiving an IXFR
* from a server that is not as careful.
* Issue a warning and continue.
*/
if (warn) {
char classbuf[DNS_RDATATYPE_FORMATSIZE];
char namebuf[DNS_NAME_FORMATSIZE];
dns_name_format(dns_db_origin(db),
namebuf,
sizeof(namebuf));
dns_rdataclass_format(dns_db_class(db),
classbuf,
sizeof(classbuf));
isc_log_write(DIFF_COMMON_LOGARGS,
ISC_LOG_WARNING,
"%s/%s: dns_diff_apply: "
"update with no effect",
namebuf, classbuf);
}
} else if (result == DNS_R_NXRRSET) {
/*
* OK.
*/
} else {
if (modified != NULL &&
dns_rdataset_isassociated(modified))
dns_rdataset_disassociate(modified);
CHECK(result);
}
dns_db_detachnode(db, &node);
if (modified != NULL &&
dns_rdataset_isassociated(modified))
dns_rdataset_disassociate(modified);
}
}
return (ISC_R_SUCCESS);
failure:
if (node != NULL)
dns_db_detachnode(db, &node);
return (result);
}
static void
resolve_ns(isc_task_t *task, isc_event_t *event) {
struct probe_trans *trans = event->ev_arg;
dns_clientresevent_t *rev = (dns_clientresevent_t *)event;
dns_name_t *name;
dns_rdataset_t *rdataset;
isc_result_t result = ISC_R_SUCCESS;
dns_rdata_t rdata = DNS_RDATA_INIT;
struct probe_ns *pns;
REQUIRE(task == probe_task);
REQUIRE(trans->inuse == ISC_TRUE);
INSIST(outstanding_probes > 0);
for (name = ISC_LIST_HEAD(rev->answerlist); name != NULL;
name = ISC_LIST_NEXT(name, link)) {
for (rdataset = ISC_LIST_HEAD(name->list);
rdataset != NULL;
rdataset = ISC_LIST_NEXT(rdataset, link)) {
(void)print_rdataset(rdataset, name);
if (rdataset->type != dns_rdatatype_ns)
continue;
for (result = dns_rdataset_first(rdataset);
result == ISC_R_SUCCESS;
result = dns_rdataset_next(rdataset)) {
dns_rdata_ns_t ns;
dns_rdataset_current(rdataset, &rdata);
/*
* Extract the name from the NS record.
*/
result = dns_rdata_tostruct(&rdata, &ns, NULL);
if (result != ISC_R_SUCCESS)
continue;
pns = isc_mem_get(mctx, sizeof(*pns));
if (pns == NULL) {
fprintf(stderr,
"resolve_ns: mem_get failed");
result = ISC_R_NOMEMORY;
POST(result);
/*
* XXX: should we continue with the
* available servers anyway?
*/
goto cleanup;
}
dns_fixedname_init(&pns->fixedname);
pns->name =
dns_fixedname_name(&pns->fixedname);
ISC_LINK_INIT(pns, link);
ISC_LIST_APPEND(trans->nslist, pns, link);
ISC_LIST_INIT(pns->servers);
dns_name_copy(&ns.name, pns->name, NULL);
dns_rdata_reset(&rdata);
dns_rdata_freestruct(&ns);
}
}
}
cleanup:
dns_client_freeresanswer(client, &rev->answerlist);
dns_client_destroyrestrans(&trans->resid);
isc_event_free(&event);
if (!ISC_LIST_EMPTY(trans->nslist)) {
/* Go get addresses of NSes */
trans->current_ns = ISC_LIST_HEAD(trans->nslist);
result = fetch_nsaddress(trans);
} else
result = ISC_R_FAILURE;
if (result == ISC_R_SUCCESS)
return;
reset_probe(trans);
}
static isc_result_t
do_scan(ns_interfacemgr_t *mgr, ns_listenlist_t *ext_listen,
isc_boolean_t verbose)
{
isc_interfaceiter_t *iter = NULL;
isc_boolean_t scan_ipv4 = ISC_FALSE;
isc_boolean_t scan_ipv6 = ISC_FALSE;
isc_boolean_t adjusting = ISC_FALSE;
isc_boolean_t ipv6only = ISC_TRUE;
isc_boolean_t ipv6pktinfo = ISC_TRUE;
isc_result_t result;
isc_netaddr_t zero_address, zero_address6;
ns_listenelt_t *le;
isc_sockaddr_t listen_addr;
ns_interface_t *ifp;
isc_boolean_t log_explicit = ISC_FALSE;
isc_boolean_t dolistenon;
if (ext_listen != NULL)
adjusting = ISC_TRUE;
if (isc_net_probeipv6() == ISC_R_SUCCESS)
scan_ipv6 = ISC_TRUE;
#ifdef WANT_IPV6
else
isc_log_write(IFMGR_COMMON_LOGARGS,
verbose ? ISC_LOG_INFO : ISC_LOG_DEBUG(1),
"no IPv6 interfaces found");
#endif
if (isc_net_probeipv4() == ISC_R_SUCCESS)
scan_ipv4 = ISC_TRUE;
else
isc_log_write(IFMGR_COMMON_LOGARGS,
verbose ? ISC_LOG_INFO : ISC_LOG_DEBUG(1),
"no IPv4 interfaces found");
/*
* A special, but typical case; listen-on-v6 { any; }.
* When we can make the socket IPv6-only, open a single wildcard
* socket for IPv6 communication. Otherwise, make separate socket
* for each IPv6 address in order to avoid accepting IPv4 packets
* as the form of mapped addresses unintentionally unless explicitly
* allowed.
*/
#ifndef ISC_ALLOW_MAPPED
if (scan_ipv6 == ISC_TRUE &&
isc_net_probe_ipv6only() != ISC_R_SUCCESS) {
ipv6only = ISC_FALSE;
log_explicit = ISC_TRUE;
}
#endif
if (scan_ipv6 == ISC_TRUE &&
isc_net_probe_ipv6pktinfo() != ISC_R_SUCCESS) {
ipv6pktinfo = ISC_FALSE;
log_explicit = ISC_TRUE;
}
if (scan_ipv6 == ISC_TRUE && ipv6only && ipv6pktinfo) {
for (le = ISC_LIST_HEAD(mgr->listenon6->elts);
le != NULL;
le = ISC_LIST_NEXT(le, link)) {
struct in6_addr in6a;
if (!listenon_is_ip6_any(le))
continue;
in6a = in6addr_any;
isc_sockaddr_fromin6(&listen_addr, &in6a, le->port);
ifp = find_matching_interface(mgr, &listen_addr);
if (ifp != NULL) {
ifp->generation = mgr->generation;
} else {
isc_log_write(IFMGR_COMMON_LOGARGS,
ISC_LOG_INFO,
"listening on IPv6 "
"interfaces, port %u",
le->port);
result = ns_interface_setup(mgr, &listen_addr,
"<any>", &ifp,
ISC_TRUE);
if (result == ISC_R_SUCCESS)
ifp->flags |= NS_INTERFACEFLAG_ANYADDR;
else
isc_log_write(IFMGR_COMMON_LOGARGS,
ISC_LOG_ERROR,
"listening on all IPv6 "
"interfaces failed");
/* Continue. */
}
}
}
isc_netaddr_any(&zero_address);
isc_netaddr_any6(&zero_address6);
result = isc_interfaceiter_create(mgr->mctx, &iter);
if (result != ISC_R_SUCCESS)
return (result);
if (adjusting == ISC_FALSE) {
result = clearacl(mgr->mctx, &mgr->aclenv.localhost);
if (result != ISC_R_SUCCESS)
goto cleanup_iter;
result = clearacl(mgr->mctx, &mgr->aclenv.localnets);
if (result != ISC_R_SUCCESS)
goto cleanup_iter;
clearlistenon(mgr);
}
for (result = isc_interfaceiter_first(iter);
result == ISC_R_SUCCESS;
result = isc_interfaceiter_next(iter))
{
isc_interface_t interface;
ns_listenlist_t *ll;
unsigned int family;
result = isc_interfaceiter_current(iter, &interface);
if (result != ISC_R_SUCCESS)
break;
family = interface.address.family;
if (family != AF_INET && family != AF_INET6)
continue;
if (scan_ipv4 == ISC_FALSE && family == AF_INET)
continue;
if (scan_ipv6 == ISC_FALSE && family == AF_INET6)
continue;
/*
* Test for the address being nonzero rather than testing
* INTERFACE_F_UP, because on some systems the latter
* follows the media state and we could end up ignoring
* the interface for an entire rescan interval due to
* a temporary media glitch at rescan time.
*/
if (family == AF_INET &&
isc_netaddr_equal(&interface.address, &zero_address)) {
continue;
}
if (family == AF_INET6 &&
isc_netaddr_equal(&interface.address, &zero_address6)) {
continue;
}
if (adjusting == ISC_FALSE) {
result = setup_locals(mgr, &interface);
if (result != ISC_R_SUCCESS)
goto ignore_interface;
}
ll = (family == AF_INET) ? mgr->listenon4 : mgr->listenon6;
dolistenon = ISC_TRUE;
for (le = ISC_LIST_HEAD(ll->elts);
le != NULL;
le = ISC_LIST_NEXT(le, link))
{
int match;
isc_boolean_t ipv6_wildcard = ISC_FALSE;
isc_netaddr_t listen_netaddr;
isc_sockaddr_t listen_sockaddr;
/*
* Construct a socket address for this IP/port
* combination.
*/
if (family == AF_INET) {
isc_netaddr_fromin(&listen_netaddr,
&interface.address.type.in);
} else {
isc_netaddr_fromin6(&listen_netaddr,
&interface.address.type.in6);
isc_netaddr_setzone(&listen_netaddr,
interface.address.zone);
}
isc_sockaddr_fromnetaddr(&listen_sockaddr,
&listen_netaddr,
le->port);
/*
* See if the address matches the listen-on statement;
* if not, ignore the interface.
*/
(void)dns_acl_match(&listen_netaddr, NULL, le->acl,
&mgr->aclenv, &match, NULL);
if (match <= 0)
continue;
if (adjusting == ISC_FALSE && dolistenon == ISC_TRUE) {
setup_listenon(mgr, &interface, le->port);
dolistenon = ISC_FALSE;
}
/*
* The case of "any" IPv6 address will require
* special considerations later, so remember it.
*/
if (family == AF_INET6 && ipv6only && ipv6pktinfo &&
listenon_is_ip6_any(le))
ipv6_wildcard = ISC_TRUE;
/*
* When adjusting interfaces with extra a listening
* list, see if the address matches the extra list.
* If it does, and is also covered by a wildcard
* interface, we need to listen on the address
* explicitly.
*/
if (adjusting == ISC_TRUE) {
ns_listenelt_t *ele;
match = 0;
for (ele = ISC_LIST_HEAD(ext_listen->elts);
ele != NULL;
ele = ISC_LIST_NEXT(ele, link)) {
(void)dns_acl_match(&listen_netaddr,
NULL, ele->acl,
NULL, &match, NULL);
if (match > 0 &&
(ele->port == le->port ||
ele->port == 0))
break;
else
match = 0;
}
if (ipv6_wildcard == ISC_TRUE && match == 0)
continue;
}
ifp = find_matching_interface(mgr, &listen_sockaddr);
if (ifp != NULL) {
ifp->generation = mgr->generation;
} else {
char sabuf[ISC_SOCKADDR_FORMATSIZE];
if (adjusting == ISC_FALSE &&
ipv6_wildcard == ISC_TRUE)
continue;
if (log_explicit && family == AF_INET6 &&
!adjusting && listenon_is_ip6_any(le)) {
isc_log_write(IFMGR_COMMON_LOGARGS,
verbose ? ISC_LOG_INFO :
ISC_LOG_DEBUG(1),
"IPv6 socket API is "
"incomplete; explicitly "
"binding to each IPv6 "
"address separately");
log_explicit = ISC_FALSE;
}
isc_sockaddr_format(&listen_sockaddr,
sabuf, sizeof(sabuf));
isc_log_write(IFMGR_COMMON_LOGARGS,
ISC_LOG_INFO,
"%s"
"listening on %s interface "
"%s, %s",
(adjusting == ISC_TRUE) ?
"additionally " : "",
(family == AF_INET) ?
"IPv4" : "IPv6",
interface.name, sabuf);
result = ns_interface_setup(mgr,
&listen_sockaddr,
interface.name,
&ifp,
(adjusting == ISC_TRUE) ?
ISC_FALSE :
ISC_TRUE);
if (result != ISC_R_SUCCESS) {
isc_log_write(IFMGR_COMMON_LOGARGS,
ISC_LOG_ERROR,
"creating %s interface "
"%s failed; interface "
"ignored",
(family == AF_INET) ?
"IPv4" : "IPv6",
interface.name);
}
/* Continue. */
}
}
continue;
ignore_interface:
isc_log_write(IFMGR_COMMON_LOGARGS,
ISC_LOG_ERROR,
"ignoring %s interface %s: %s",
(family == AF_INET) ? "IPv4" : "IPv6",
interface.name, isc_result_totext(result));
continue;
}
if (result != ISC_R_NOMORE)
UNEXPECTED_ERROR(__FILE__, __LINE__,
"interface iteration failed: %s",
isc_result_totext(result));
else
result = ISC_R_SUCCESS;
cleanup_iter:
isc_interfaceiter_destroy(&iter);
return (result);
}
static void
request_done(isc_task_t *task, isc_event_t *event) {
struct probe_trans *trans = event->ev_arg;
dns_clientreqevent_t *rev = (dns_clientreqevent_t *)event;
dns_message_t *rmessage;
struct probe_ns *pns;
struct server *server;
isc_result_t result;
query_result_t *resultp;
dns_name_t *name;
dns_rdataset_t *rdataset;
dns_rdatatype_t type;
REQUIRE(task == probe_task);
REQUIRE(trans != NULL && trans->inuse == ISC_TRUE);
rmessage = rev->rmessage;
REQUIRE(rmessage == trans->rmessage);
INSIST(outstanding_probes > 0);
server = trans->current_ns->current_server;
INSIST(server != NULL);
if (server->result_a == none) {
type = dns_rdatatype_a;
resultp = &server->result_a;
} else {
resultp = &server->result_aaaa;
type = dns_rdatatype_aaaa;
}
if (rev->result == ISC_R_SUCCESS) {
if ((rmessage->flags & DNS_MESSAGEFLAG_AA) == 0)
*resultp = lame;
else if (rmessage->rcode == dns_rcode_nxdomain)
*resultp = nxdomain;
else if (rmessage->rcode != dns_rcode_noerror)
*resultp = othererr;
else if (rmessage->counts[DNS_SECTION_ANSWER] == 0) {
/* no error but empty answer */
*resultp = notype;
} else {
result = dns_message_firstname(rmessage,
DNS_SECTION_ANSWER);
while (result == ISC_R_SUCCESS) {
name = NULL;
dns_message_currentname(rmessage,
DNS_SECTION_ANSWER,
&name);
for (rdataset = ISC_LIST_HEAD(name->list);
rdataset != NULL;
rdataset = ISC_LIST_NEXT(rdataset,
link)) {
(void)print_rdataset(rdataset, name);
if (rdataset->type ==
dns_rdatatype_cname ||
rdataset->type ==
dns_rdatatype_dname) {
/* Should chase the chain? */
*resultp = exist;
goto found;
} else if (rdataset->type == type) {
*resultp = exist;
goto found;
}
}
result = dns_message_nextname(rmessage,
DNS_SECTION_ANSWER);
}
/*
* Something unexpected happened: the response
* contained a non-empty authoritative answer, but we
* could not find an expected result.
*/
*resultp = unexpected;
}
} else if (rev->result == DNS_R_RECOVERABLE ||
rev->result == DNS_R_BADLABELTYPE) {
/* Broken response. Try identifying known cases. */
*resultp = brokenanswer;
if (rmessage->counts[DNS_SECTION_ANSWER] > 0) {
result = dns_message_firstname(rmessage,
DNS_SECTION_ANSWER);
while (result == ISC_R_SUCCESS) {
/*
* Check to see if the response has multiple
* CNAME RRs. Update the result code if so.
*/
name = NULL;
dns_message_currentname(rmessage,
DNS_SECTION_ANSWER,
&name);
for (rdataset = ISC_LIST_HEAD(name->list);
rdataset != NULL;
rdataset = ISC_LIST_NEXT(rdataset,
link)) {
if (rdataset->type ==
dns_rdatatype_cname &&
dns_rdataset_count(rdataset) > 1) {
*resultp = multiplecname;
goto found;
}
}
result = dns_message_nextname(rmessage,
DNS_SECTION_ANSWER);
}
}
if (rmessage->counts[DNS_SECTION_AUTHORITY] > 0) {
result = dns_message_firstname(rmessage,
DNS_SECTION_AUTHORITY);
while (result == ISC_R_SUCCESS) {
/*
* Check to see if the response has multiple
* SOA RRs. Update the result code if so.
*/
name = NULL;
dns_message_currentname(rmessage,
DNS_SECTION_AUTHORITY,
&name);
for (rdataset = ISC_LIST_HEAD(name->list);
rdataset != NULL;
rdataset = ISC_LIST_NEXT(rdataset,
link)) {
if (rdataset->type ==
dns_rdatatype_soa &&
dns_rdataset_count(rdataset) > 1) {
*resultp = multiplesoa;
goto found;
}
}
result = dns_message_nextname(rmessage,
DNS_SECTION_AUTHORITY);
}
}
} else if (rev->result == ISC_R_TIMEDOUT)
*resultp = timedout;
else {
fprintf(stderr, "unexpected result: %d (domain=%s, server=",
rev->result, trans->domain);
print_address(stderr, &server->address);
fputc('\n', stderr);
*resultp = unexpected;
}
found:
INSIST(*resultp != none);
if (type == dns_rdatatype_a && *resultp == exist)
trans->qname_found = ISC_TRUE;
dns_client_destroyreqtrans(&trans->reqid);
isc_event_free(&event);
dns_message_reset(trans->rmessage, DNS_MESSAGE_INTENTPARSE);
result = probe_name(trans, type);
if (result == ISC_R_NOMORE) {
/* We've tried all addresses of all servers. */
if (type == dns_rdatatype_a && trans->qname_found) {
/*
* If we've explored A RRs and found an existent
* record, we can move to AAAA.
*/
trans->current_ns = ISC_LIST_HEAD(trans->nslist);
probe_name(trans, dns_rdatatype_aaaa);
result = ISC_R_SUCCESS;
} else if (type == dns_rdatatype_a) {
/*
* No server provided an existent A RR of this name.
* Try next label.
*/
dns_fixedname_invalidate(&trans->fixedname);
trans->qname = NULL;
result = set_nextqname(trans);
if (result == ISC_R_SUCCESS) {
trans->current_ns =
ISC_LIST_HEAD(trans->nslist);
for (pns = trans->current_ns; pns != NULL;
pns = ISC_LIST_NEXT(pns, link)) {
for (server = ISC_LIST_HEAD(pns->servers);
server != NULL;
server = ISC_LIST_NEXT(server,
link)) {
INSIST(server->result_aaaa ==
none);
server->result_a = none;
}
}
result = probe_name(trans, dns_rdatatype_a);
}
}
if (result != ISC_R_SUCCESS) {
/*
* We've explored AAAA RRs or failed to find a valid
* query label. Wrap up the result and move to the
* next domain.
*/
reset_probe(trans);
}
} else if (result != ISC_R_SUCCESS)
reset_probe(trans); /* XXX */
}
static void
resolve_nsaddress(isc_task_t *task, isc_event_t *event) {
struct probe_trans *trans = event->ev_arg;
dns_clientresevent_t *rev = (dns_clientresevent_t *)event;
dns_name_t *name;
dns_rdataset_t *rdataset;
dns_rdata_t rdata = DNS_RDATA_INIT;
struct probe_ns *pns = trans->current_ns;
isc_result_t result;
REQUIRE(task == probe_task);
REQUIRE(trans->inuse == ISC_TRUE);
REQUIRE(pns != NULL);
INSIST(outstanding_probes > 0);
for (name = ISC_LIST_HEAD(rev->answerlist); name != NULL;
name = ISC_LIST_NEXT(name, link)) {
for (rdataset = ISC_LIST_HEAD(name->list);
rdataset != NULL;
rdataset = ISC_LIST_NEXT(rdataset, link)) {
(void)print_rdataset(rdataset, name);
if (rdataset->type != dns_rdatatype_a)
continue;
for (result = dns_rdataset_first(rdataset);
result == ISC_R_SUCCESS;
result = dns_rdataset_next(rdataset)) {
dns_rdata_in_a_t rdata_a;
struct server *server;
dns_rdataset_current(rdataset, &rdata);
result = dns_rdata_tostruct(&rdata, &rdata_a,
NULL);
if (result != ISC_R_SUCCESS)
continue;
server = isc_mem_get(mctx, sizeof(*server));
if (server == NULL) {
fprintf(stderr, "resolve_nsaddress: "
"mem_get failed");
result = ISC_R_NOMEMORY;
POST(result);
goto cleanup;
}
isc_sockaddr_fromin(&server->address,
&rdata_a.in_addr, 53);
ISC_LINK_INIT(server, link);
server->result_a = none;
server->result_aaaa = none;
ISC_LIST_APPEND(pns->servers, server, link);
}
}
}
cleanup:
dns_client_freeresanswer(client, &rev->answerlist);
dns_client_destroyrestrans(&trans->resid);
isc_event_free(&event);
next_ns:
trans->current_ns = ISC_LIST_NEXT(pns, link);
if (trans->current_ns == NULL) {
trans->current_ns = ISC_LIST_HEAD(trans->nslist);
dns_fixedname_invalidate(&trans->fixedname);
trans->qname = NULL;
result = set_nextqname(trans);
if (result == ISC_R_SUCCESS)
result = probe_name(trans, dns_rdatatype_a);
} else {
result = fetch_nsaddress(trans);
if (result != ISC_R_SUCCESS)
goto next_ns; /* XXX: this is unlikely to succeed */
}
if (result != ISC_R_SUCCESS)
reset_probe(trans);
}
isc_result_t
res_nupdate(res_state statp, ns_updrec *rrecp_in) {
ns_updrec *rrecp;
double answer[PACKETSZ / sizeof (double)];
double packet[2*PACKETSZ / sizeof (double)];
struct zonegrp *zptr, tgrp;
int nzones = 0, nscount = 0;
unsigned n;
unsigned rval;
struct sockaddr_in nsaddrs[MAXNS];
ns_tsig_key *key;
void *zcookie = 0;
void *zcookp = &zcookie;
isc_result_t rcode;
again:
/* Make sure all the updates are in the same zone, and find out
what zone they are in. */
zptr = NULL;
for (rrecp = rrecp_in; rrecp; rrecp = ISC_LIST_NEXT(rrecp, r_link)) {
/* Find the origin for it if there is one. */
tgrp.z_class = rrecp->r_class;
rcode = res_findzonecut(statp, rrecp->r_dname, tgrp.z_class,
RES_EXHAUSTIVE,
tgrp.z_origin,
sizeof tgrp.z_origin,
tgrp.z_nsaddrs, MAXNS, &tgrp.z_nscount,
zcookp);
if (rcode != ISC_R_SUCCESS)
goto done;
if (tgrp.z_nscount <= 0) {
rcode = ISC_R_NOTZONE;
goto done;
}
/* Make a group for it if there isn't one. */
if (zptr == NULL) {
zptr = malloc(sizeof *zptr);
if (zptr == NULL) {
rcode = ISC_R_NOMEMORY;
goto done;
}
*zptr = tgrp;
zptr->z_flags = 0;
ISC_LIST_INIT(zptr->z_rrlist);
} else if (ns_samename(tgrp.z_origin, zptr->z_origin) == 0 ||
tgrp.z_class != zptr->z_class) {
/* Some of the records are in different zones. */
rcode = ISC_R_CROSSZONE;
goto done;
}
/* Thread this rrecp onto the zone group. */
ISC_LIST_APPEND(zptr->z_rrlist, rrecp, r_glink);
}
/* Construct zone section and prepend it. */
rrecp = res_mkupdrec(ns_s_zn, zptr->z_origin,
zptr->z_class, ns_t_soa, 0);
if (rrecp == NULL) {
rcode = ISC_R_UNEXPECTED;
goto done;
}
ISC_LIST_PREPEND(zptr->z_rrlist, rrecp, r_glink);
zptr->z_flags |= ZG_F_ZONESECTADDED;
/* Marshall the update message. */
n = sizeof packet;
rcode = res_nmkupdate(statp,
ISC_LIST_HEAD(zptr->z_rrlist), packet, &n);
if (rcode != ISC_R_SUCCESS)
goto done;
/* Temporarily replace the resolver's nameserver set. */
nscount = nscopy(nsaddrs, statp->nsaddr_list, statp->nscount);
statp->nscount = nsprom(statp->nsaddr_list,
zptr->z_nsaddrs, zptr->z_nscount);
/* Send the update and remember the result. */
key = (ns_tsig_key *)0;
rcode = find_tsig_key (&key, zptr->z_origin, zcookie);
if (rcode == ISC_R_SUCCESS) {
rcode = res_nsendsigned(statp, packet, n, key,
answer, sizeof answer, &rval);
tkey_free (&key);
} else if (rcode == ISC_R_NOTFOUND || rcode == ISC_R_KEY_UNKNOWN) {
rcode = res_nsend(statp, packet, n,
answer, sizeof answer, &rval);
}
if (rcode != ISC_R_SUCCESS)
goto undone;
rcode = ns_rcode_to_isc (((HEADER *)answer)->rcode);
if (zcookie && rcode == ISC_R_BADSIG) {
repudiate_zone (&zcookie);
}
undone:
/* Restore resolver's nameserver set. */
statp->nscount = nscopy(statp->nsaddr_list, nsaddrs, nscount);
nscount = 0;
done:
if (zptr) {
if ((zptr->z_flags & ZG_F_ZONESECTADDED) != 0)
res_freeupdrec(ISC_LIST_HEAD(zptr->z_rrlist));
free(zptr);
}
/* If the update failed because we used a cached zone and it
didn't work, try it again without the cached zone. */
if (zcookp && (rcode == ISC_R_NOTZONE || rcode == ISC_R_BADSIG)) {
zcookp = 0;
goto again;
}
if (zcookie)
forget_zone (&zcookie);
return rcode;
}
isc_result_t
dns_ncache_addoptout(dns_message_t *message, dns_db_t *cache,
dns_dbnode_t *node, dns_rdatatype_t covers,
isc_stdtime_t now, dns_ttl_t maxttl,
isc_boolean_t optout, dns_rdataset_t *addedrdataset)
{
isc_result_t result;
isc_buffer_t buffer;
isc_region_t r;
dns_rdataset_t *rdataset;
dns_rdatatype_t type;
dns_name_t *name;
dns_ttl_t ttl;
dns_trust_t trust;
dns_rdata_t rdata[DNS_NCACHE_RDATA];
dns_rdataset_t ncrdataset;
dns_rdatalist_t ncrdatalist;
unsigned char data[4096];
unsigned int next = 0;
/*
* Convert the authority data from 'message' into a negative cache
* rdataset, and store it in 'cache' at 'node'.
*/
REQUIRE(message != NULL);
/*
* We assume that all data in the authority section has been
* validated by the caller.
*/
/*
* Initialize the list.
*/
ncrdatalist.rdclass = dns_db_class(cache);
ncrdatalist.type = 0;
ncrdatalist.covers = covers;
ncrdatalist.ttl = maxttl;
ISC_LIST_INIT(ncrdatalist.rdata);
ISC_LINK_INIT(&ncrdatalist, link);
/*
* Build an ncache rdatas into buffer.
*/
ttl = maxttl;
trust = 0xffff;
isc_buffer_init(&buffer, data, sizeof(data));
if (message->counts[DNS_SECTION_AUTHORITY])
result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
else
result = ISC_R_NOMORE;
while (result == ISC_R_SUCCESS) {
name = NULL;
dns_message_currentname(message, DNS_SECTION_AUTHORITY,
&name);
if ((name->attributes & DNS_NAMEATTR_NCACHE) != 0) {
for (rdataset = ISC_LIST_HEAD(name->list);
rdataset != NULL;
rdataset = ISC_LIST_NEXT(rdataset, link)) {
if ((rdataset->attributes &
DNS_RDATASETATTR_NCACHE) == 0)
continue;
type = rdataset->type;
if (type == dns_rdatatype_rrsig)
type = rdataset->covers;
if (type == dns_rdatatype_soa ||
type == dns_rdatatype_nsec ||
type == dns_rdatatype_nsec3) {
if (ttl > rdataset->ttl)
ttl = rdataset->ttl;
if (trust > rdataset->trust)
trust = rdataset->trust;
/*
* Copy the owner name to the buffer.
*/
dns_name_toregion(name, &r);
result = isc_buffer_copyregion(&buffer,
&r);
if (result != ISC_R_SUCCESS)
return (result);
/*
* Copy the type to the buffer.
*/
isc_buffer_availableregion(&buffer,
&r);
if (r.length < 3)
return (ISC_R_NOSPACE);
isc_buffer_putuint16(&buffer,
rdataset->type);
isc_buffer_putuint8(&buffer,
(unsigned char)rdataset->trust);
/*
* Copy the rdataset into the buffer.
*/
result = copy_rdataset(rdataset,
&buffer);
if (result != ISC_R_SUCCESS)
return (result);
if (next >= DNS_NCACHE_RDATA)
return (ISC_R_NOSPACE);
dns_rdata_init(&rdata[next]);
isc_buffer_remainingregion(&buffer, &r);
rdata[next].data = r.base;
rdata[next].length = r.length;
rdata[next].rdclass =
ncrdatalist.rdclass;
rdata[next].type = 0;
rdata[next].flags = 0;
ISC_LIST_APPEND(ncrdatalist.rdata,
&rdata[next], link);
isc_buffer_forward(&buffer, r.length);
next++;
}
}
}
result = dns_message_nextname(message, DNS_SECTION_AUTHORITY);
}
if (result != ISC_R_NOMORE)
return (result);
if (trust == 0xffff) {
if ((message->flags & DNS_MESSAGEFLAG_AA) != 0 &&
message->counts[DNS_SECTION_ANSWER] == 0) {
/*
* The response has aa set and we haven't followed
* any CNAME or DNAME chains.
*/
trust = dns_trust_authauthority;
} else
trust = dns_trust_additional;
ttl = 0;
}
INSIST(trust != 0xffff);
ncrdatalist.ttl = ttl;
dns_rdataset_init(&ncrdataset);
RUNTIME_CHECK(dns_rdatalist_tordataset(&ncrdatalist, &ncrdataset)
== ISC_R_SUCCESS);
ncrdataset.trust = trust;
ncrdataset.attributes |= DNS_RDATASETATTR_NEGATIVE;
if (message->rcode == dns_rcode_nxdomain)
ncrdataset.attributes |= DNS_RDATASETATTR_NXDOMAIN;
if (optout)
ncrdataset.attributes |= DNS_RDATASETATTR_OPTOUT;
return (dns_db_addrdataset(cache, node, NULL, now, &ncrdataset,
0, addedrdataset));
}
static void
update_listener(ns_controls_t *cp, controllistener_t **listenerp,
const cfg_obj_t *control, const cfg_obj_t *config,
isc_sockaddr_t *addr, cfg_aclconfctx_t *aclconfctx,
const char *socktext, isc_sockettype_t type)
{
controllistener_t *listener;
const cfg_obj_t *allow;
const cfg_obj_t *global_keylist = NULL;
const cfg_obj_t *control_keylist = NULL;
dns_acl_t *new_acl = NULL;
controlkeylist_t keys;
isc_result_t result = ISC_R_SUCCESS;
for (listener = ISC_LIST_HEAD(cp->listeners);
listener != NULL;
listener = ISC_LIST_NEXT(listener, link))
if (isc_sockaddr_equal(addr, &listener->address))
break;
if (listener == NULL) {
*listenerp = NULL;
return;
}
/*
* There is already a listener for this sockaddr.
* Update the access list and key information.
*
* First try to deal with the key situation. There are a few
* possibilities:
* (a) It had an explicit keylist and still has an explicit keylist.
* (b) It had an automagic key and now has an explicit keylist.
* (c) It had an explicit keylist and now needs an automagic key.
* (d) It has an automagic key and still needs the automagic key.
*
* (c) and (d) are the annoying ones. The caller needs to know
* that it should use the automagic configuration for key information
* in place of the named.conf configuration.
*
* XXXDCL There is one other hazard that has not been dealt with,
* the problem that if a key change is being caused by a control
* channel reload, then the response will be with the new key
* and not able to be decrypted by the client.
*/
if (control != NULL)
get_key_info(config, control, &global_keylist,
&control_keylist);
if (control_keylist != NULL) {
INSIST(global_keylist != NULL);
ISC_LIST_INIT(keys);
result = controlkeylist_fromcfg(control_keylist,
listener->mctx, &keys);
if (result == ISC_R_SUCCESS) {
free_controlkeylist(&listener->keys, listener->mctx);
listener->keys = keys;
register_keys(control, global_keylist, &listener->keys,
listener->mctx, socktext);
}
} else {
free_controlkeylist(&listener->keys, listener->mctx);
result = get_rndckey(listener->mctx, &listener->keys);
}
if (result != ISC_R_SUCCESS && global_keylist != NULL) {
/*
* This message might be a little misleading since the
* "new keys" might in fact be identical to the old ones,
* but tracking whether they are identical just for the
* sake of avoiding this message would be too much trouble.
*/
if (control != NULL)
cfg_obj_log(control, ns_g_lctx, ISC_LOG_WARNING,
"couldn't install new keys for "
"command channel %s: %s",
socktext, isc_result_totext(result));
else
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_CONTROL, ISC_LOG_WARNING,
"couldn't install new keys for "
"command channel %s: %s",
socktext, isc_result_totext(result));
}
/*
* Now, keep the old access list unless a new one can be made.
*/
if (control != NULL && type == isc_sockettype_tcp) {
allow = cfg_tuple_get(control, "allow");
result = cfg_acl_fromconfig(allow, config, ns_g_lctx,
aclconfctx, listener->mctx, 0,
&new_acl);
} else {
result = dns_acl_any(listener->mctx, &new_acl);
}
if (result == ISC_R_SUCCESS) {
dns_acl_detach(&listener->acl);
dns_acl_attach(new_acl, &listener->acl);
dns_acl_detach(&new_acl);
/* XXXDCL say the old acl is still used? */
} else if (control != NULL)
cfg_obj_log(control, ns_g_lctx, ISC_LOG_WARNING,
"couldn't install new acl for "
"command channel %s: %s",
socktext, isc_result_totext(result));
else
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_CONTROL, ISC_LOG_WARNING,
"couldn't install new acl for "
"command channel %s: %s",
socktext, isc_result_totext(result));
if (result == ISC_R_SUCCESS && type == isc_sockettype_unix) {
isc_uint32_t perm, owner, group;
perm = cfg_obj_asuint32(cfg_tuple_get(control, "perm"));
owner = cfg_obj_asuint32(cfg_tuple_get(control, "owner"));
group = cfg_obj_asuint32(cfg_tuple_get(control, "group"));
result = ISC_R_SUCCESS;
if (listener->perm != perm || listener->owner != owner ||
listener->group != group)
result = isc_socket_permunix(&listener->address, perm,
owner, group);
if (result == ISC_R_SUCCESS) {
listener->perm = perm;
listener->owner = owner;
listener->group = group;
} else if (control != NULL)
cfg_obj_log(control, ns_g_lctx, ISC_LOG_WARNING,
"couldn't update ownership/permission for "
"command channel %s", socktext);
}
*listenerp = listener;
}
void
ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
isc_result_t result;
dns_name_t *question_name;
dns_rdataset_t *question_rdataset;
dns_zone_t *zone = NULL;
dns_db_t *db = NULL;
dns_dbversion_t *ver = NULL;
dns_rdataclass_t question_class;
rrstream_t *soa_stream = NULL;
rrstream_t *data_stream = NULL;
rrstream_t *stream = NULL;
dns_difftuple_t *current_soa_tuple = NULL;
dns_name_t *soa_name;
dns_rdataset_t *soa_rdataset;
dns_rdata_t soa_rdata = DNS_RDATA_INIT;
isc_boolean_t have_soa = ISC_FALSE;
const char *mnemonic = NULL;
isc_mem_t *mctx = client->mctx;
dns_message_t *request = client->message;
xfrout_ctx_t *xfr = NULL;
isc_quota_t *quota = NULL;
dns_transfer_format_t format = client->view->transfer_format;
isc_netaddr_t na;
dns_peer_t *peer = NULL;
isc_buffer_t *tsigbuf = NULL;
char *journalfile;
char msg[NS_CLIENT_ACLMSGSIZE("zone transfer")];
char keyname[DNS_NAME_FORMATSIZE];
isc_boolean_t is_poll = ISC_FALSE;
#ifdef DLZ
isc_boolean_t is_dlz = ISC_FALSE;
#endif
switch (reqtype) {
case dns_rdatatype_axfr:
mnemonic = "AXFR";
break;
case dns_rdatatype_ixfr:
mnemonic = "IXFR";
break;
default:
INSIST(0);
break;
}
ns_client_log(client,
DNS_LOGCATEGORY_XFER_OUT, NS_LOGMODULE_XFER_OUT,
ISC_LOG_DEBUG(6), "%s request", mnemonic);
/*
* Apply quota.
*/
result = isc_quota_attach(&ns_g_server->xfroutquota, "a);
if (result != ISC_R_SUCCESS) {
isc_log_write(XFROUT_COMMON_LOGARGS, ISC_LOG_WARNING,
"%s request denied: %s", mnemonic,
isc_result_totext(result));
goto failure;
}
/*
* Interpret the question section.
*/
result = dns_message_firstname(request, DNS_SECTION_QUESTION);
INSIST(result == ISC_R_SUCCESS);
/*
* The question section must contain exactly one question, and
* it must be for AXFR/IXFR as appropriate.
*/
question_name = NULL;
dns_message_currentname(request, DNS_SECTION_QUESTION, &question_name);
question_rdataset = ISC_LIST_HEAD(question_name->list);
question_class = question_rdataset->rdclass;
INSIST(question_rdataset->type == reqtype);
if (ISC_LIST_NEXT(question_rdataset, link) != NULL)
FAILC(DNS_R_FORMERR, "multiple questions");
result = dns_message_nextname(request, DNS_SECTION_QUESTION);
if (result != ISC_R_NOMORE)
FAILC(DNS_R_FORMERR, "multiple questions");
result = dns_zt_find(client->view->zonetable, question_name, 0, NULL,
&zone);
if (result != ISC_R_SUCCESS)
#ifdef DLZ
{
/*
* Normal zone table does not have a match. Try the DLZ database
*/
if (client->view->dlzdatabase != NULL) {
result = dns_dlzallowzonexfr(client->view,
question_name, &client->peeraddr,
&db);
if (result == ISC_R_NOPERM) {
char _buf1[DNS_NAME_FORMATSIZE];
char _buf2[DNS_RDATACLASS_FORMATSIZE];
result = DNS_R_REFUSED;
dns_name_format(question_name, _buf1,
sizeof(_buf1));
dns_rdataclass_format(question_class,
_buf2, sizeof(_buf2));
ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_XFER_OUT,
ISC_LOG_ERROR,
"zone transfer '%s/%s' denied",
_buf1, _buf2);
goto failure;
}
if (result != ISC_R_SUCCESS)
#endif
FAILQ(DNS_R_NOTAUTH, "non-authoritative zone",
question_name, question_class);
#ifdef DLZ
is_dlz = ISC_TRUE;
/*
* DLZ only support full zone transfer, not incremental
*/
if (reqtype != dns_rdatatype_axfr) {
mnemonic = "AXFR-style IXFR";
reqtype = dns_rdatatype_axfr;
}
} else {
/*
* not DLZ and not in normal zone table, we are
* not authoritative
*/
FAILQ(DNS_R_NOTAUTH, "non-authoritative zone",
question_name, question_class);
}
} else {
/* zone table has a match */
#endif
switch(dns_zone_gettype(zone)) {
case dns_zone_master:
case dns_zone_slave:
break; /* Master and slave zones are OK for transfer. */
default:
FAILQ(DNS_R_NOTAUTH, "non-authoritative zone", question_name, question_class);
}
CHECK(dns_zone_getdb(zone, &db));
dns_db_currentversion(db, &ver);
#ifdef DLZ
}
#endif
xfrout_log1(client, question_name, question_class, ISC_LOG_DEBUG(6),
"%s question section OK", mnemonic);
/*
* Check the authority section. Look for a SOA record with
* the same name and class as the question.
*/
for (result = dns_message_firstname(request, DNS_SECTION_AUTHORITY);
result == ISC_R_SUCCESS;
result = dns_message_nextname(request, DNS_SECTION_AUTHORITY))
{
soa_name = NULL;
dns_message_currentname(request, DNS_SECTION_AUTHORITY,
&soa_name);
/*
* Ignore data whose owner name is not the zone apex.
*/
if (! dns_name_equal(soa_name, question_name))
continue;
for (soa_rdataset = ISC_LIST_HEAD(soa_name->list);
soa_rdataset != NULL;
soa_rdataset = ISC_LIST_NEXT(soa_rdataset, link))
{
/*
* Ignore non-SOA data.
*/
if (soa_rdataset->type != dns_rdatatype_soa)
continue;
if (soa_rdataset->rdclass != question_class)
continue;
CHECK(dns_rdataset_first(soa_rdataset));
dns_rdataset_current(soa_rdataset, &soa_rdata);
result = dns_rdataset_next(soa_rdataset);
if (result == ISC_R_SUCCESS)
FAILC(DNS_R_FORMERR,
"IXFR authority section "
"has multiple SOAs");
have_soa = ISC_TRUE;
goto got_soa;
}
}
got_soa:
if (result != ISC_R_NOMORE)
CHECK(result);
xfrout_log1(client, question_name, question_class, ISC_LOG_DEBUG(6),
"%s authority section OK", mnemonic);
/*
* Decide whether to allow this transfer.
*/
#ifdef DLZ
/*
* if not a DLZ zone decide whether to allow this transfer.
*/
if (!is_dlz) {
#endif
ns_client_aclmsg("zone transfer", question_name, reqtype,
client->view->rdclass, msg, sizeof(msg));
CHECK(ns_client_checkacl(client, NULL, msg,
dns_zone_getxfracl(zone),
ISC_TRUE, ISC_LOG_ERROR));
#ifdef DLZ
}
#endif
/*
* AXFR over UDP is not possible.
*/
if (reqtype == dns_rdatatype_axfr &&
(client->attributes & NS_CLIENTATTR_TCP) == 0)
FAILC(DNS_R_FORMERR, "attempted AXFR over UDP");
/*
* Look up the requesting server in the peer table.
*/
isc_netaddr_fromsockaddr(&na, &client->peeraddr);
(void)dns_peerlist_peerbyaddr(client->view->peers, &na, &peer);
/*
* Decide on the transfer format (one-answer or many-answers).
*/
if (peer != NULL)
(void)dns_peer_gettransferformat(peer, &format);
/*
* Get a dynamically allocated copy of the current SOA.
*/
#ifdef DLZ
if (is_dlz)
dns_db_currentversion(db, &ver);
#endif
CHECK(dns_db_createsoatuple(db, ver, mctx, DNS_DIFFOP_EXISTS,
¤t_soa_tuple));
if (reqtype == dns_rdatatype_ixfr) {
isc_uint32_t begin_serial, current_serial;
isc_boolean_t provide_ixfr;
/*
* Outgoing IXFR may have been disabled for this peer
* or globally.
*/
provide_ixfr = client->view->provideixfr;
if (peer != NULL)
(void) dns_peer_getprovideixfr(peer, &provide_ixfr);
if (provide_ixfr == ISC_FALSE)
goto axfr_fallback;
if (! have_soa)
FAILC(DNS_R_FORMERR,
"IXFR request missing SOA");
begin_serial = dns_soa_getserial(&soa_rdata);
current_serial = dns_soa_getserial(¤t_soa_tuple->rdata);
/*
* RFC1995 says "If an IXFR query with the same or
* newer version number than that of the server
* is received, it is replied to with a single SOA
* record of the server's current version, just as
* in AXFR". The claim about AXFR is incorrect,
* but other than that, we do as the RFC says.
*
* Sending a single SOA record is also how we refuse
* IXFR over UDP (currently, we always do).
*/
if (DNS_SERIAL_GE(begin_serial, current_serial) ||
(client->attributes & NS_CLIENTATTR_TCP) == 0)
{
CHECK(soa_rrstream_create(mctx, db, ver, &stream));
is_poll = ISC_TRUE;
goto have_stream;
}
journalfile = dns_zone_getjournal(zone);
if (journalfile != NULL)
result = ixfr_rrstream_create(mctx,
journalfile,
begin_serial,
current_serial,
&data_stream);
else
result = ISC_R_NOTFOUND;
if (result == ISC_R_NOTFOUND ||
result == ISC_R_RANGE) {
xfrout_log1(client, question_name, question_class,
ISC_LOG_DEBUG(4),
"IXFR version not in journal, "
"falling back to AXFR");
mnemonic = "AXFR-style IXFR";
goto axfr_fallback;
}
CHECK(result);
} else {
axfr_fallback:
CHECK(axfr_rrstream_create(mctx, db, ver,
&data_stream));
}
/*
* Bracket the the data stream with SOAs.
*/
CHECK(soa_rrstream_create(mctx, db, ver, &soa_stream));
CHECK(compound_rrstream_create(mctx, &soa_stream, &data_stream,
&stream));
soa_stream = NULL;
data_stream = NULL;
have_stream:
CHECK(dns_message_getquerytsig(request, mctx, &tsigbuf));
/*
* Create the xfrout context object. This transfers the ownership
* of "stream", "db", "ver", and "quota" to the xfrout context object.
*/
#ifdef DLZ
if (is_dlz)
CHECK(xfrout_ctx_create(mctx, client, request->id, question_name,
reqtype, question_class, zone, db, ver,
quota, stream,
dns_message_gettsigkey(request),
tsigbuf,
3600,
3600,
(format == dns_many_answers) ?
ISC_TRUE : ISC_FALSE,
&xfr));
else
#endif
CHECK(xfrout_ctx_create(mctx, client, request->id, question_name,
reqtype, question_class, zone, db, ver,
quota, stream,
dns_message_gettsigkey(request),
tsigbuf,
dns_zone_getmaxxfrout(zone),
dns_zone_getidleout(zone),
(format == dns_many_answers) ?
ISC_TRUE : ISC_FALSE,
&xfr));
xfr->mnemonic = mnemonic;
stream = NULL;
quota = NULL;
CHECK(xfr->stream->methods->first(xfr->stream));
if (xfr->tsigkey != NULL) {
dns_name_format(&xfr->tsigkey->name, keyname, sizeof(keyname));
} else
keyname[0] = '\0';
if (is_poll)
xfrout_log1(client, question_name, question_class,
ISC_LOG_DEBUG(1), "IXFR poll up to date%s%s",
(xfr->tsigkey != NULL) ? ": TSIG " : "", keyname);
else
xfrout_log1(client, question_name, question_class,
ISC_LOG_INFO, "%s started%s%s", mnemonic,
(xfr->tsigkey != NULL) ? ": TSIG " : "", keyname);
/*
* Hand the context over to sendstream(). Set xfr to NULL;
* sendstream() is responsible for either passing the
* context on to a later event handler or destroying it.
*/
sendstream(xfr);
xfr = NULL;
result = ISC_R_SUCCESS;
failure:
if (result == DNS_R_REFUSED)
inc_stats(zone, dns_nsstatscounter_xfrrej);
if (quota != NULL)
isc_quota_detach("a);
if (current_soa_tuple != NULL)
dns_difftuple_free(¤t_soa_tuple);
if (stream != NULL)
stream->methods->destroy(&stream);
if (soa_stream != NULL)
soa_stream->methods->destroy(&soa_stream);
if (data_stream != NULL)
data_stream->methods->destroy(&data_stream);
if (ver != NULL)
dns_db_closeversion(db, &ver, ISC_FALSE);
if (db != NULL)
dns_db_detach(&db);
if (zone != NULL)
dns_zone_detach(&zone);
/* XXX kludge */
if (xfr != NULL) {
xfrout_fail(xfr, result, "setting up zone transfer");
} else if (result != ISC_R_SUCCESS) {
ns_client_log(client, DNS_LOGCATEGORY_XFER_OUT,
NS_LOGMODULE_XFER_OUT,
ISC_LOG_DEBUG(3), "zone transfer setup failed");
ns_client_error(client, result);
}
}
isc_result_t
irs_context_create(irs_context_t **contextp) {
isc_result_t result;
irs_context_t *context;
isc_appctx_t *actx = NULL;
isc_mem_t *mctx = NULL;
isc_taskmgr_t *taskmgr = NULL;
isc_socketmgr_t *socketmgr = NULL;
isc_timermgr_t *timermgr = NULL;
dns_client_t *client = NULL;
isc_sockaddrlist_t *nameservers;
irs_dnsconf_dnskeylist_t *trustedkeys;
irs_dnsconf_dnskey_t *trustedkey;
isc_lib_register();
result = dns_lib_init();
if (result != ISC_R_SUCCESS)
return (result);
result = ctxs_init(&mctx, &actx, &taskmgr, &socketmgr, &timermgr);
if (result != ISC_R_SUCCESS)
return (result);
result = isc_app_ctxstart(actx);
if (result != ISC_R_SUCCESS) {
ctxs_destroy(&mctx, &actx, &taskmgr, &socketmgr, &timermgr);
return (result);
}
context = isc_mem_get(mctx, sizeof(*context));
if (context == NULL) {
ctxs_destroy(&mctx, &actx, &taskmgr, &socketmgr, &timermgr);
return (ISC_R_NOMEMORY);
}
context->mctx = mctx;
context->actx = actx;
context->taskmgr = taskmgr;
context->socketmgr = socketmgr;
context->timermgr = timermgr;
context->resconf = NULL;
context->dnsconf = NULL;
context->task = NULL;
result = isc_task_create(taskmgr, 0, &context->task);
if (result != ISC_R_SUCCESS)
goto fail;
/* Create a DNS client object */
result = dns_client_createx(mctx, actx, taskmgr, socketmgr, timermgr,
0, &client);
if (result != ISC_R_SUCCESS)
goto fail;
context->dnsclient = client;
/* Read resolver configuration file */
result = irs_resconf_load(mctx, RESOLV_CONF, &context->resconf);
if (result != ISC_R_SUCCESS)
goto fail;
/* Set nameservers */
nameservers = irs_resconf_getnameservers(context->resconf);
result = dns_client_setservers(client, dns_rdataclass_in, NULL,
nameservers);
if (result != ISC_R_SUCCESS)
goto fail;
/* Read advanced DNS configuration (if any) */
result = irs_dnsconf_load(mctx, DNS_CONF, &context->dnsconf);
if (result != ISC_R_SUCCESS)
goto fail;
trustedkeys = irs_dnsconf_gettrustedkeys(context->dnsconf);
for (trustedkey = ISC_LIST_HEAD(*trustedkeys);
trustedkey != NULL;
trustedkey = ISC_LIST_NEXT(trustedkey, link)) {
result = dns_client_addtrustedkey(client, dns_rdataclass_in,
trustedkey->keyname,
trustedkey->keydatabuf);
if (result != ISC_R_SUCCESS)
goto fail;
}
context->magic = IRS_CONTEXT_MAGIC;
*contextp = context;
return (ISC_R_SUCCESS);
fail:
if (context->task != NULL)
isc_task_detach(&context->task);
if (context->resconf != NULL)
irs_resconf_destroy(&context->resconf);
if (context->dnsconf != NULL)
irs_dnsconf_destroy(&context->dnsconf);
if (client != NULL)
dns_client_destroy(&client);
ctxs_destroy(NULL, &actx, &taskmgr, &socketmgr, &timermgr);
isc_mem_putanddetach(&mctx, context, sizeof(*context));
return (result);
}
isc_result_t
ns_statschannels_configure(ns_server_t *server, const cfg_obj_t *config,
cfg_aclconfctx_t *aclconfctx)
{
ns_statschannel_t *listener, *listener_next;
ns_statschannellist_t new_listeners;
const cfg_obj_t *statschannellist = NULL;
const cfg_listelt_t *element, *element2;
char socktext[ISC_SOCKADDR_FORMATSIZE];
RUNTIME_CHECK(isc_once_do(&once, init_desc) == ISC_R_SUCCESS);
ISC_LIST_INIT(new_listeners);
/*
* Get the list of named.conf 'statistics-channels' statements.
*/
(void)cfg_map_get(config, "statistics-channels", &statschannellist);
/*
* Run through the new address/port list, noting sockets that are
* already being listened on and moving them to the new list.
*
* Identifying duplicate addr/port combinations is left to either
* the underlying config code, or to the bind attempt getting an
* address-in-use error.
*/
if (statschannellist != NULL) {
#ifndef HAVE_LIBXML2
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
"statistics-channels specified but not effective "
"due to missing XML library");
#endif
for (element = cfg_list_first(statschannellist);
element != NULL;
element = cfg_list_next(element)) {
const cfg_obj_t *statschannel;
const cfg_obj_t *listenercfg = NULL;
statschannel = cfg_listelt_value(element);
(void)cfg_map_get(statschannel, "inet",
&listenercfg);
if (listenercfg == NULL)
continue;
for (element2 = cfg_list_first(listenercfg);
element2 != NULL;
element2 = cfg_list_next(element2)) {
const cfg_obj_t *listen_params;
const cfg_obj_t *obj;
isc_sockaddr_t addr;
listen_params = cfg_listelt_value(element2);
obj = cfg_tuple_get(listen_params, "address");
addr = *cfg_obj_assockaddr(obj);
if (isc_sockaddr_getport(&addr) == 0)
isc_sockaddr_setport(&addr, NS_STATSCHANNEL_HTTPPORT);
isc_sockaddr_format(&addr, socktext,
sizeof(socktext));
isc_log_write(ns_g_lctx,
NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_SERVER,
ISC_LOG_DEBUG(9),
"processing statistics "
"channel %s",
socktext);
update_listener(server, &listener,
listen_params, config, &addr,
aclconfctx, socktext);
if (listener != NULL) {
/*
* Remove the listener from the old
* list, so it won't be shut down.
*/
ISC_LIST_UNLINK(server->statschannels,
listener, link);
} else {
/*
* This is a new listener.
*/
isc_result_t r;
r = add_listener(server, &listener,
listen_params, config,
&addr, aclconfctx,
socktext);
if (r != ISC_R_SUCCESS) {
cfg_obj_log(listen_params,
ns_g_lctx,
ISC_LOG_WARNING,
"couldn't allocate "
"statistics channel"
" %s: %s",
socktext,
isc_result_totext(r));
}
}
if (listener != NULL)
ISC_LIST_APPEND(new_listeners, listener,
link);
}
}
}
for (listener = ISC_LIST_HEAD(server->statschannels);
listener != NULL;
listener = listener_next) {
listener_next = ISC_LIST_NEXT(listener, link);
ISC_LIST_UNLINK(server->statschannels, listener, link);
shutdown_listener(listener);
}
ISC_LIST_APPENDLIST(server->statschannels, new_listeners, link);
return (ISC_R_SUCCESS);
}
static void
isc_httpd_recvdone(isc_task_t *task, isc_event_t *ev)
{
isc_region_t r;
isc_result_t result;
isc_httpd_t *httpd = ev->ev_arg;
isc_socketevent_t *sev = (isc_socketevent_t *)ev;
isc_httpdurl_t *url;
isc_time_t now;
char datebuf[32]; /* Only need 30, but safety first */
ENTER("recv");
INSIST(ISC_HTTPD_ISRECV(httpd));
if (sev->result != ISC_R_SUCCESS) {
NOTICE("recv destroying client");
destroy_client(&httpd);
goto out;
}
result = process_request(httpd, sev->n);
if (result == ISC_R_NOTFOUND) {
if (httpd->recvlen >= HTTP_RECVLEN - 1) {
destroy_client(&httpd);
goto out;
}
r.base = (unsigned char *)httpd->recvbuf + httpd->recvlen;
r.length = HTTP_RECVLEN - httpd->recvlen - 1;
/* check return code? */
(void)isc_socket_recv(httpd->sock, &r, 1, task,
isc_httpd_recvdone, httpd);
goto out;
} else if (result != ISC_R_SUCCESS) {
destroy_client(&httpd);
goto out;
}
ISC_HTTPD_SETSEND(httpd);
/*
* XXXMLG Call function here. Provide an add-header function
* which will append the common headers to a response we generate.
*/
isc_buffer_initnull(&httpd->bodybuffer);
isc_time_now(&now);
isc_time_formathttptimestamp(&now, datebuf, sizeof(datebuf));
url = ISC_LIST_HEAD(httpd->mgr->urls);
while (url != NULL) {
if (strcmp(httpd->url, url->url) == 0)
break;
url = ISC_LIST_NEXT(url, link);
}
if (url == NULL)
result = httpd->mgr->render_404(httpd->url, httpd->querystring,
NULL,
&httpd->retcode,
&httpd->retmsg,
&httpd->mimetype,
&httpd->bodybuffer,
&httpd->freecb,
&httpd->freecb_arg);
else
result = url->action(httpd->url, httpd->querystring,
url->action_arg,
&httpd->retcode, &httpd->retmsg,
&httpd->mimetype, &httpd->bodybuffer,
&httpd->freecb, &httpd->freecb_arg);
if (result != ISC_R_SUCCESS) {
result = httpd->mgr->render_500(httpd->url, httpd->querystring,
NULL, &httpd->retcode,
&httpd->retmsg,
&httpd->mimetype,
&httpd->bodybuffer,
&httpd->freecb,
&httpd->freecb_arg);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
}
isc_httpd_response(httpd);
isc_httpd_addheader(httpd, "Content-Type", httpd->mimetype);
isc_httpd_addheader(httpd, "Date", datebuf);
isc_httpd_addheader(httpd, "Expires", datebuf);
isc_httpd_addheader(httpd, "Last-Modified", datebuf);
isc_httpd_addheader(httpd, "Pragma: no-cache", NULL);
isc_httpd_addheader(httpd, "Cache-Control: no-cache", NULL);
isc_httpd_addheader(httpd, "Server: libisc", NULL);
isc_httpd_addheaderuint(httpd, "Content-Length",
isc_buffer_usedlength(&httpd->bodybuffer));
isc_httpd_endheaders(httpd); /* done */
ISC_LIST_APPEND(httpd->bufflist, &httpd->headerbuffer, link);
/*
* Link the data buffer into our send queue, should we have any data
* rendered into it. If no data is present, we won't do anything
* with the buffer.
*/
if (isc_buffer_length(&httpd->bodybuffer) > 0)
ISC_LIST_APPEND(httpd->bufflist, &httpd->bodybuffer, link);
/* check return code? */
(void)isc_socket_sendv(httpd->sock, &httpd->bufflist, task,
isc_httpd_senddone, httpd);
out:
isc_event_free(&ev);
EXIT("recv");
}
static isc_result_t
generatexml(ns_server_t *server, int *buflen, xmlChar **buf) {
char boottime[sizeof "yyyy-mm-ddThh:mm:ssZ"];
char nowstr[sizeof "yyyy-mm-ddThh:mm:ssZ"];
isc_time_t now;
xmlTextWriterPtr writer = NULL;
xmlDocPtr doc = NULL;
int xmlrc;
dns_view_t *view;
stats_dumparg_t dumparg;
dns_stats_t *cachestats;
isc_uint64_t nsstat_values[dns_nsstatscounter_max];
isc_uint64_t resstat_values[dns_resstatscounter_max];
isc_uint64_t zonestat_values[dns_zonestatscounter_max];
isc_uint64_t sockstat_values[isc_sockstatscounter_max];
isc_result_t result;
isc_time_now(&now);
isc_time_formatISO8601(&ns_g_boottime, boottime, sizeof boottime);
isc_time_formatISO8601(&now, nowstr, sizeof nowstr);
writer = xmlNewTextWriterDoc(&doc, 0);
if (writer == NULL)
goto error;
TRY0(xmlTextWriterStartDocument(writer, NULL, "UTF-8", NULL));
TRY0(xmlTextWriterWritePI(writer, ISC_XMLCHAR "xml-stylesheet",
ISC_XMLCHAR "type=\"text/xsl\" href=\"/bind9.xsl\""));
TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "isc"));
TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "version",
ISC_XMLCHAR "1.0"));
TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "bind"));
TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "statistics"));
TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "version",
ISC_XMLCHAR "2.2"));
/* Set common fields for statistics dump */
dumparg.type = statsformat_xml;
dumparg.arg = writer;
/*
* Start by rendering the views we know of here. For each view we
* know of, call its rendering function.
*/
view = ISC_LIST_HEAD(server->viewlist);
TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "views"));
while (view != NULL) {
TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "view"));
TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "name"));
TRY0(xmlTextWriterWriteString(writer, ISC_XMLCHAR view->name));
TRY0(xmlTextWriterEndElement(writer));
TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "zones"));
result = dns_zt_apply(view->zonetable, ISC_TRUE, zone_xmlrender,
writer);
if (result != ISC_R_SUCCESS)
goto error;
TRY0(xmlTextWriterEndElement(writer));
if (view->resquerystats != NULL) {
dumparg.result = ISC_R_SUCCESS;
dns_rdatatypestats_dump(view->resquerystats,
rdtypestat_dump, &dumparg, 0);
if (dumparg.result != ISC_R_SUCCESS)
goto error;
}
if (view->resstats != NULL) {
result = dump_counters(view->resstats, statsformat_xml,
writer, "resstat",
resstats_xmldesc,
dns_resstatscounter_max,
resstats_index, resstat_values,
ISC_STATSDUMP_VERBOSE);
if (result != ISC_R_SUCCESS)
goto error;
}
cachestats = dns_db_getrrsetstats(view->cachedb);
if (cachestats != NULL) {
TRY0(xmlTextWriterStartElement(writer,
ISC_XMLCHAR "cache"));
TRY0(xmlTextWriterWriteAttribute(writer,
ISC_XMLCHAR "name",
ISC_XMLCHAR
dns_cache_getname(view->cache)));
dumparg.result = ISC_R_SUCCESS;
dns_rdatasetstats_dump(cachestats, rdatasetstats_dump,
&dumparg, 0);
if (dumparg.result != ISC_R_SUCCESS)
goto error;
TRY0(xmlTextWriterEndElement(writer)); /* cache */
}
TRY0(xmlTextWriterEndElement(writer)); /* view */
view = ISC_LIST_NEXT(view, link);
}
TRY0(xmlTextWriterEndElement(writer)); /* views */
TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "socketmgr"));
isc_socketmgr_renderxml(ns_g_socketmgr, writer);
TRY0(xmlTextWriterEndElement(writer)); /* socketmgr */
TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "taskmgr"));
isc_taskmgr_renderxml(ns_g_taskmgr, writer);
TRY0(xmlTextWriterEndElement(writer)); /* taskmgr */
TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "server"));
TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "boot-time"));
TRY0(xmlTextWriterWriteString(writer, ISC_XMLCHAR boottime));
TRY0(xmlTextWriterEndElement(writer));
TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "current-time"));
TRY0(xmlTextWriterWriteString(writer, ISC_XMLCHAR nowstr));
TRY0(xmlTextWriterEndElement(writer));
TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "requests"));
dumparg.result = ISC_R_SUCCESS;
dns_opcodestats_dump(server->opcodestats, opcodestat_dump, &dumparg,
0);
if (dumparg.result != ISC_R_SUCCESS)
goto error;
TRY0(xmlTextWriterEndElement(writer)); /* requests */
TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "queries-in"));
dumparg.result = ISC_R_SUCCESS;
dns_rdatatypestats_dump(server->rcvquerystats, rdtypestat_dump,
&dumparg, 0);
if (dumparg.result != ISC_R_SUCCESS)
goto error;
TRY0(xmlTextWriterEndElement(writer)); /* queries-in */
result = dump_counters(server->nsstats, statsformat_xml, writer,
"nsstat", nsstats_xmldesc,
dns_nsstatscounter_max,
nsstats_index, nsstat_values,
ISC_STATSDUMP_VERBOSE);
if (result != ISC_R_SUCCESS)
goto error;
result = dump_counters(server->zonestats, statsformat_xml, writer,
"zonestat", zonestats_xmldesc,
dns_zonestatscounter_max, zonestats_index,
zonestat_values, ISC_STATSDUMP_VERBOSE);
if (result != ISC_R_SUCCESS)
goto error;
/*
* Most of the common resolver statistics entries are 0, so we don't
* use the verbose dump here.
*/
result = dump_counters(server->resolverstats, statsformat_xml, writer,
"resstat", resstats_xmldesc,
dns_resstatscounter_max, resstats_index,
resstat_values, 0);
if (result != ISC_R_SUCCESS)
goto error;
result = dump_counters(server->sockstats, statsformat_xml, writer,
"sockstat", sockstats_xmldesc,
isc_sockstatscounter_max, sockstats_index,
sockstat_values, ISC_STATSDUMP_VERBOSE);
if (result != ISC_R_SUCCESS)
goto error;
TRY0(xmlTextWriterEndElement(writer)); /* server */
TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "memory"));
isc_mem_renderxml(writer);
TRY0(xmlTextWriterEndElement(writer)); /* memory */
TRY0(xmlTextWriterEndElement(writer)); /* statistics */
TRY0(xmlTextWriterEndElement(writer)); /* bind */
TRY0(xmlTextWriterEndElement(writer)); /* isc */
TRY0(xmlTextWriterEndDocument(writer));
xmlFreeTextWriter(writer);
xmlDocDumpFormatMemoryEnc(doc, buf, buflen, "UTF-8", 1);
xmlFreeDoc(doc);
return (ISC_R_SUCCESS);
error:
if (writer != NULL)
xmlFreeTextWriter(writer);
if (doc != NULL)
xmlFreeDoc(doc);
return (ISC_R_FAILURE);
}
isc_result_t
pk11_parse_uri(pk11_object_t *obj, const char *label,
isc_mem_t *mctx, pk11_optype_t optype)
{
CK_ATTRIBUTE *attr;
pk11_token_t *token = NULL;
char *uri, *p, *a, *na, *v;
size_t len, l;
FILE *stream = NULL;
char pin[PINLEN];
isc_boolean_t gotpin = ISC_FALSE;
isc_result_t ret;
/* get values to work on */
len = strlen(label) + 1;
uri = isc_mem_get(mctx, len);
if (uri == NULL)
return (ISC_R_NOMEMORY);
memmove(uri, label, len);
/* get the URI scheme */
p = strchr(uri, ':');
if (p == NULL)
DST_RET(DST_R_NOENGINE);
*p++ = '\0';
if (strcmp(uri, "pkcs11") != 0)
DST_RET(DST_R_NOENGINE);
/* get attributes */
for (na = p; na != NULL;) {
a = na;
p = strchr(a, ';');
if (p == NULL) {
/* last attribute */
na = NULL;
} else {
*p++ = '\0';
na = p;
}
p = strchr(a, '=');
if (p != NULL) {
*p++ = '\0';
v = p;
} else
v = a;
l = 0;
v = percent_decode(v, &l);
if (v == NULL)
DST_RET(DST_R_NOENGINE);
if ((a == v) || (strcmp(a, "object") == 0)) {
/* object: CKA_LABEL */
attr = pk11_attribute_bytype(obj, CKA_LABEL);
if (attr != NULL)
DST_RET(DST_R_NOENGINE);
attr = push_attribute(obj, mctx, l);
if (attr == NULL)
DST_RET(ISC_R_NOMEMORY);
attr->type = CKA_LABEL;
memmove(attr->pValue, v, l);
} else if (strcmp(a, "token") == 0) {
/* token: CK_TOKEN_INFO label */
if (token == NULL)
for (token = ISC_LIST_HEAD(tokens);
token != NULL;
token = ISC_LIST_NEXT(token, link))
if (pk11strcmp(v, l, token->name, 32))
break;
} else if (strcmp(a, "manufacturer") == 0) {
/* manufacturer: CK_TOKEN_INFO manufacturerID */
if (token == NULL)
for (token = ISC_LIST_HEAD(tokens);
token != NULL;
token = ISC_LIST_NEXT(token, link))
if (pk11strcmp(v, l, token->manuf, 32))
break;
} else if (strcmp(a, "serial") == 0) {
/* serial: CK_TOKEN_INFO serialNumber */
if (token == NULL)
for (token = ISC_LIST_HEAD(tokens);
token != NULL;
token = ISC_LIST_NEXT(token, link))
if (pk11strcmp(v, l, token->serial, 16))
break;
} else if (strcmp(a, "model") == 0) {
/* model: CK_TOKEN_INFO model */
if (token == NULL)
for (token = ISC_LIST_HEAD(tokens);
token != NULL;
token = ISC_LIST_NEXT(token, link))
if (pk11strcmp(v, l, token->model, 16))
break;
} else if (strcmp(a, "library-manufacturer") == 0) {
/* ignored */
} else if (strcmp(a, "library-description") == 0) {
/* ignored */
} else if (strcmp(a, "library-version") == 0) {
/* ignored */
} else if (strcmp(a, "object-type") == 0) {
/* object-type: CKA_CLASS */
/* only private makes sense */
if (strcmp(v, "private") != 0)
DST_RET(DST_R_NOENGINE);
} else if (strcmp(a, "id") == 0) {
/* id: CKA_ID */
attr = pk11_attribute_bytype(obj, CKA_ID);
if (attr != NULL)
DST_RET(DST_R_NOENGINE);
attr = push_attribute(obj, mctx, l);
if (attr == NULL)
DST_RET(ISC_R_NOMEMORY);
attr->type = CKA_ID;
memmove(attr->pValue, v, l);
} else if (strcmp(a, "pin-source") == 0) {
/* pin-source: PIN */
ret = isc_stdio_open(v, "r", &stream);
if (ret != ISC_R_SUCCESS)
goto err;
memset(pin, 0, PINLEN);
ret = isc_stdio_read(pin, 1, PINLEN - 1, stream, NULL);
if ((ret != ISC_R_SUCCESS) && (ret != ISC_R_EOF))
goto err;
ret = isc_stdio_close(stream);
stream = NULL;
if (ret != ISC_R_SUCCESS)
goto err;
gotpin = ISC_TRUE;
} else
DST_RET(DST_R_NOENGINE);
}
if ((pk11_attribute_bytype(obj, CKA_LABEL) == NULL) &&
(pk11_attribute_bytype(obj, CKA_ID) == NULL))
DST_RET(ISC_R_NOTFOUND);
if (token == NULL) {
if (optype == OP_RSA)
token = best_rsa_token;
else if (optype == OP_DSA)
token = best_dsa_token;
else if (optype == OP_DH)
token = best_dh_token;
else if (optype == OP_EC)
token = best_ec_token;
}
if (token == NULL)
DST_RET(ISC_R_NOTFOUND);
obj->slot = token->slotid;
if (gotpin) {
memmove(token->pin, pin, PINLEN);
obj->reqlogon = ISC_TRUE;
}
ret = ISC_R_SUCCESS;
err:
if (stream != NULL)
(void) isc_stdio_close(stream);
isc_mem_put(mctx, uri, len);
return (ret);
}
isc_result_t
dns_diff_load(dns_diff_t *diff, dns_addrdatasetfunc_t addfunc,
void *add_private)
{
dns_difftuple_t *t;
isc_result_t result;
REQUIRE(DNS_DIFF_VALID(diff));
t = ISC_LIST_HEAD(diff->tuples);
while (t != NULL) {
dns_name_t *name;
name = &t->name;
while (t != NULL && dns_name_equal(&t->name, name)) {
dns_rdatatype_t type, covers;
dns_diffop_t op;
dns_rdatalist_t rdl;
dns_rdataset_t rds;
op = t->op;
type = t->rdata.type;
covers = rdata_covers(&t->rdata);
rdl.type = type;
rdl.covers = covers;
rdl.rdclass = t->rdata.rdclass;
rdl.ttl = t->ttl;
ISC_LIST_INIT(rdl.rdata);
ISC_LINK_INIT(&rdl, link);
while (t != NULL && dns_name_equal(&t->name, name) &&
t->op == op && t->rdata.type == type &&
rdata_covers(&t->rdata) == covers)
{
ISC_LIST_APPEND(rdl.rdata, &t->rdata, link);
t = ISC_LIST_NEXT(t, link);
}
/*
* Convert the rdatalist into a rdataset.
*/
dns_rdataset_init(&rds);
CHECK(dns_rdatalist_tordataset(&rdl, &rds));
rds.trust = dns_trust_ultimate;
INSIST(op == DNS_DIFFOP_ADD);
result = (*addfunc)(add_private, name, &rds);
if (result == DNS_R_UNCHANGED) {
isc_log_write(DIFF_COMMON_LOGARGS,
ISC_LOG_WARNING,
"dns_diff_load: "
"update with no effect");
} else if (result == ISC_R_SUCCESS ||
result == DNS_R_NXRRSET) {
/*
* OK.
*/
} else {
CHECK(result);
}
}
}
result = ISC_R_SUCCESS;
failure:
return (result);
}
void
pk11_dump_tokens(void)
{
pk11_token_t *token;
isc_boolean_t first;
printf("DEFAULTS\n");
printf("\trand_token=%p\n", rand_token);
printf("\tbest_rsa_token=%p\n", best_rsa_token);
printf("\tbest_dsa_token=%p\n", best_dsa_token);
printf("\tbest_dh_token=%p\n", best_dh_token);
printf("\tdigest_token=%p\n", digest_token);
printf("\tbest_ec_token=%p\n", best_ec_token);
for (token = ISC_LIST_HEAD(tokens);
token != NULL;
token = ISC_LIST_NEXT(token, link)) {
printf("\nTOKEN\n");
printf("\taddress=%p\n", token);
printf("\tslotID=%lu\n", token->slotid);
printf("\tlabel=%.32s\n", token->name);
printf("\tmanufacturerID=%.32s\n", token->manuf);
printf("\tmodel=%.16s\n", token->model);
printf("\tserialNumber=%.16s\n", token->serial);
printf("\tsupported operations=0x%x (", token->operations);
first = ISC_TRUE;
if (token->operations & (1 << OP_RAND)) {
if (!first)
printf(",");
first = ISC_FALSE;
printf("RAND");
}
if (token->operations & (1 << OP_RSA)) {
if (!first)
printf(",");
first = ISC_FALSE;
printf("RSA");
}
if (token->operations & (1 << OP_DSA)) {
if (!first)
printf(",");
first = ISC_FALSE;
printf("DSA");
}
if (token->operations & (1 << OP_DH)) {
if (!first)
printf(",");
first = ISC_FALSE;
printf("DH");
}
if (token->operations & (1 << OP_DIGEST)) {
if (!first)
printf(",");
first = ISC_FALSE;
printf("DIGEST");
}
if (token->operations & (1 << OP_EC)) {
if (!first)
printf(",");
first = ISC_FALSE;
printf("EC");
}
printf(")\n");
}
}
isc_result_t
isc__app_run(void) {
isc_event_t *event, *next_event;
isc_task_t *task;
HANDLE *pHandles = NULL;
REQUIRE(main_thread == GetCurrentThread());
LOCK(&lock);
if (!running) {
running = ISC_TRUE;
/*
* Post any on-run events (in FIFO order).
*/
for (event = ISC_LIST_HEAD(on_run);
event != NULL;
event = next_event) {
next_event = ISC_LIST_NEXT(event, ev_link);
ISC_LIST_UNLINK(on_run, event, ev_link);
task = event->ev_sender;
event->ev_sender = NULL;
isc_task_sendanddetach(&task, &event);
}
}
UNLOCK(&lock);
/*
* There is no danger if isc_app_shutdown() is called before we wait
* for events.
*/
while (!want_shutdown) {
dwWaitResult = WaitForMultipleObjects(NUM_EVENTS, hEvents,
FALSE, INFINITE);
/* See why we returned */
if (WaitSucceeded(dwWaitResult, NUM_EVENTS)) {
/*
* The return was due to one of the events
* being signaled
*/
switch (WaitSucceededIndex(dwWaitResult)) {
case RELOAD_EVENT:
want_reload = ISC_TRUE;
break;
case SHUTDOWN_EVENT:
want_shutdown = ISC_TRUE;
break;
}
}
if (want_reload) {
want_reload = ISC_FALSE;
return (ISC_R_RELOAD);
}
if (want_shutdown && blocked)
exit(-1);
}
return (ISC_R_SUCCESS);
}
isc_result_t
pk11_get_session(pk11_context_t *ctx, pk11_optype_t optype,
isc_boolean_t rw, isc_boolean_t logon,
const char *pin, CK_SLOT_ID slot)
{
pk11_token_t *token = NULL;
pk11_sessionlist_t *freelist;
pk11_session_t *sp;
isc_result_t ret = ISC_R_SUCCESS;
dst__pkcs11_init(NULL, NULL);
LOCK(&sessionlock);
/* wait for initialization to finish */
UNLOCK(&sessionlock);
memset(ctx, 0, sizeof(pk11_context_t));
ctx->handle = NULL;
ctx->session = CK_INVALID_HANDLE;
switch(optype) {
#ifdef PKCS11CRYPTO
case OP_RAND:
token = rand_token;
break;
case OP_DIGEST:
token = digest_token;
break;
case OP_ANY:
for (token = ISC_LIST_HEAD(tokens);
token != NULL;
token = ISC_LIST_NEXT(token, link))
if (token->slotid == slot)
break;
break;
#endif
default:
for (token = ISC_LIST_HEAD(tokens);
token != NULL;
token = ISC_LIST_NEXT(token, link))
if (token->slotid == slot)
break;
#ifdef PKCS11CRYPTO
if ((token == NULL) ||
((token->operations & (1 << optype)) == 0))
return (ISC_R_NOTFOUND);
#endif
break;
}
if (token == NULL)
return (ISC_R_NOTFOUND);
/* Override the token's PIN */
if (logon && pin != NULL && *pin != '\0') {
memset(token->pin, 0, PINLEN);
strncpy(token->pin, pin, PINLEN);
}
freelist = &token->sessions;
LOCK(&sessionlock);
sp = ISC_LIST_HEAD(*freelist);
if (sp != NULL) {
ISC_LIST_UNLINK(*freelist, sp, link);
ISC_LIST_APPEND(actives, sp, link);
UNLOCK(&sessionlock);
if (logon)
ret = token_login(sp);
ctx->handle = sp;
ctx->session = sp->session;
return (ret);
}
UNLOCK(&sessionlock);
sp = pk11_mem_get(sizeof(*sp));
if (sp == NULL)
return (ISC_R_NOMEMORY);
sp->magic = SES_MAGIC;
sp->token = token;
sp->session = CK_INVALID_HANDLE;
ISC_LINK_INIT(sp, link);
ret = setup_session(sp, token, rw);
if ((ret == ISC_R_SUCCESS) && logon)
ret = token_login(sp);
LOCK(&sessionlock);
ISC_LIST_APPEND(actives, sp, link);
UNLOCK(&sessionlock);
ctx->handle = sp;
ctx->session = sp->session;
return (ret);
}
static void
destroy_odbc_instance(odbc_instance_t *odbc_inst) {
#ifdef ISC_PLATFORM_USETHREADS
dbinstance_t *ndbi = NULL;
dbinstance_t *dbi = NULL;
/* get the first DBI in the list */
ndbi = ISC_LIST_HEAD(*odbc_inst->db);
/* loop through the list */
while (ndbi != NULL) {
dbi = ndbi;
/* get the next DBI in the list */
ndbi = ISC_LIST_NEXT(dbi, link);
/* if we have a connection / statement object in memory */
if (dbi->dbconn != NULL) {
/* free statement handle */
if (((odbc_db_t *) (dbi->dbconn))->stmnt != NULL) {
SQLFreeHandle(SQL_HANDLE_STMT,
((odbc_db_t *)
(dbi->dbconn))->stmnt);
((odbc_db_t *) (dbi->dbconn))->stmnt = NULL;
}
/* disconnect from database & free connection handle */
if (((odbc_db_t *) (dbi->dbconn))->dbc != NULL) {
SQLDisconnect(((odbc_db_t *)
dbi->dbconn)->dbc);
SQLFreeHandle(SQL_HANDLE_DBC,
((odbc_db_t *)
(dbi->dbconn))->dbc);
((odbc_db_t *) (dbi->dbconn))->dbc = NULL;
}
/* free memory that held connection & statement. */
isc_mem_free(ns_g_mctx, dbi->dbconn);
}
/* release all memory that comprised a DBI */
destroy_sqldbinstance(dbi);
}
/* release memory for the list structure */
isc_mem_put(ns_g_mctx, odbc_inst->db, sizeof(db_list_t));
#else /* ISC_PLATFORM_USETHREADS */
/* free statement handle */
if (((odbc_db_t *) (odbc_inst->db->dbconn))->stmnt != NULL) {
SQLFreeHandle(SQL_HANDLE_STMT,
((odbc_db_t *) (odbc_inst->db->dbconn))->stmnt);
((odbc_db_t *) (odbc_inst->db->dbconn))->stmnt = NULL;
}
/* disconnect from database, free connection handle */
if (((odbc_db_t *) (odbc_inst->db->dbconn))->dbc != NULL) {
SQLDisconnect(((odbc_db_t *) (odbc_inst->db->dbconn))->dbc);
SQLFreeHandle(SQL_HANDLE_DBC,
((odbc_db_t *) (odbc_inst->db->dbconn))->dbc);
((odbc_db_t *) (odbc_inst->db->dbconn))->dbc = NULL;
}
/* free mem for the odbc_db_t structure held in db */
if (((odbc_db_t *) odbc_inst->db->dbconn) != NULL) {
isc_mem_free(ns_g_mctx, odbc_inst->db->dbconn);
odbc_inst->db->dbconn = NULL;
}
if (odbc_inst->db != NULL)
destroy_sqldbinstance(odbc_inst->db);
#endif /* ISC_PLATFORM_USETHREADS */
/* free sql environment */
if (odbc_inst->sql_env != NULL)
SQLFreeHandle(SQL_HANDLE_ENV, odbc_inst->sql_env);
/* free ODBC instance strings */
if (odbc_inst->dsn != NULL)
isc_mem_free(ns_g_mctx, odbc_inst->dsn);
if (odbc_inst->pass != NULL)
isc_mem_free(ns_g_mctx, odbc_inst->pass);
if (odbc_inst->user != NULL)
isc_mem_free(ns_g_mctx, odbc_inst->user);
/* free memory for odbc_inst */
if (odbc_inst != NULL)
isc_mem_put(ns_g_mctx, odbc_inst, sizeof(odbc_instance_t));
}
static isc_result_t
printsection (dig_query_t * query, dns_message_t * msg, isc_boolean_t headers, dns_section_t section)
{
isc_result_t result, loopresult;
dns_name_t *name;
dns_rdataset_t *rdataset = NULL;
dns_rdata_t rdata = DNS_RDATA_INIT;
char namebuf[DNS_NAME_FORMATSIZE];
UNUSED (query);
UNUSED (headers);
debug ("printsection()");
result = dns_message_firstname (msg, section);
if (result == ISC_R_NOMORE)
return (ISC_R_SUCCESS);
else if (result != ISC_R_SUCCESS)
return (result);
for (;;)
{
name = NULL;
dns_message_currentname (msg, section, &name);
for (rdataset = ISC_LIST_HEAD (name->list); rdataset != NULL; rdataset = ISC_LIST_NEXT (rdataset, link))
{
loopresult = dns_rdataset_first (rdataset);
while (loopresult == ISC_R_SUCCESS)
{
dns_rdataset_current (rdataset, &rdata);
switch (rdata.type)
{
case dns_rdatatype_a:
if (section != DNS_SECTION_ANSWER)
goto def_short_section;
dns_name_format (name, namebuf, sizeof (namebuf));
printf ("Name:\t%s\n", namebuf);
printa (&rdata);
break;
case dns_rdatatype_soa:
dns_name_format (name, namebuf, sizeof (namebuf));
printf ("%s\n", namebuf);
printsoa (&rdata);
break;
default:
def_short_section:
dns_name_format (name, namebuf, sizeof (namebuf));
printf ("%s\t", namebuf);
printrdata (&rdata);
break;
}
dns_rdata_reset (&rdata);
loopresult = dns_rdataset_next (rdataset);
}
}
result = dns_message_nextname (msg, section);
if (result == ISC_R_NOMORE)
break;
else if (result != ISC_R_SUCCESS)
{
return (result);
}
}
return (ISC_R_SUCCESS);
}
static int wait_for_sources (isc_entropy_t * ent)
{
isc_entropysource_t *source;
int maxfd, fd;
int cc;
fd_set reads;
fd_set writes;
maxfd = -1;
FD_ZERO (&reads);
FD_ZERO (&writes);
source = ISC_LIST_HEAD (ent->sources);
while (source != NULL)
{
if (source->type == ENTROPY_SOURCETYPE_FILE)
{
fd = source->sources.file.handle;
if (fd >= 0)
{
maxfd = ISC_MAX (maxfd, fd);
FD_SET (fd, &reads);
}
}
if (source->type == ENTROPY_SOURCETYPE_USOCKET)
{
fd = source->sources.usocket.handle;
if (fd >= 0)
{
switch (source->sources.usocket.status)
{
case isc_usocketsource_disconnected:
break;
case isc_usocketsource_connecting:
case isc_usocketsource_connected:
case isc_usocketsource_ndesired:
maxfd = ISC_MAX (maxfd, fd);
FD_SET (fd, &writes);
break;
case isc_usocketsource_wrote:
case isc_usocketsource_reading:
maxfd = ISC_MAX (maxfd, fd);
FD_SET (fd, &reads);
break;
}
}
}
source = ISC_LIST_NEXT (source, link);
}
if (maxfd < 0)
return (-1);
cc = select (maxfd + 1, &reads, &writes, NULL, NULL);
if (cc < 0)
return (-1);
return (cc);
}
static isc_result_t
detailsection (dig_query_t * query, dns_message_t * msg, isc_boolean_t headers, dns_section_t section)
{
isc_result_t result, loopresult;
dns_name_t *name;
dns_rdataset_t *rdataset = NULL;
dns_rdata_t rdata = DNS_RDATA_INIT;
char namebuf[DNS_NAME_FORMATSIZE];
UNUSED (query);
debug ("detailsection()");
if (headers)
{
switch (section)
{
case DNS_SECTION_QUESTION:
puts (" QUESTIONS:");
break;
case DNS_SECTION_ANSWER:
puts (" ANSWERS:");
break;
case DNS_SECTION_AUTHORITY:
puts (" AUTHORITY RECORDS:");
break;
case DNS_SECTION_ADDITIONAL:
puts (" ADDITIONAL RECORDS:");
break;
}
}
result = dns_message_firstname (msg, section);
if (result == ISC_R_NOMORE)
return (ISC_R_SUCCESS);
else if (result != ISC_R_SUCCESS)
return (result);
for (;;)
{
name = NULL;
dns_message_currentname (msg, section, &name);
for (rdataset = ISC_LIST_HEAD (name->list); rdataset != NULL; rdataset = ISC_LIST_NEXT (rdataset, link))
{
if (section == DNS_SECTION_QUESTION)
{
dns_name_format (name, namebuf, sizeof (namebuf));
printf ("\t%s, ", namebuf);
dns_rdatatype_format (rdataset->type, namebuf, sizeof (namebuf));
printf ("type = %s, ", namebuf);
dns_rdataclass_format (rdataset->rdclass, namebuf, sizeof (namebuf));
printf ("class = %s\n", namebuf);
}
loopresult = dns_rdataset_first (rdataset);
while (loopresult == ISC_R_SUCCESS)
{
dns_rdataset_current (rdataset, &rdata);
dns_name_format (name, namebuf, sizeof (namebuf));
printf (" -> %s\n", namebuf);
switch (rdata.type)
{
case dns_rdatatype_soa:
printsoa (&rdata);
break;
default:
printf ("\t");
printrdata (&rdata);
}
dns_rdata_reset (&rdata);
printf ("\tttl = %u\n", rdataset->ttl);
loopresult = dns_rdataset_next (rdataset);
}
}
result = dns_message_nextname (msg, section);
if (result == ISC_R_NOMORE)
break;
else if (result != ISC_R_SUCCESS)
{
return (result);
}
}
return (ISC_R_SUCCESS);
}
static void
update_stat(struct probe_trans *trans) {
struct probe_ns *pns;
struct server *server;
struct lcl_stat local_stat;
unsigned int err_count = 0;
const char *stattype;
increment_entry(&number_of_domains);
memset(&local_stat, 0, sizeof(local_stat));
/* Update per sever statistics */
for (pns = ISC_LIST_HEAD(trans->nslist); pns != NULL;
pns = ISC_LIST_NEXT(pns, link)) {
for (server = ISC_LIST_HEAD(pns->servers); server != NULL;
server = ISC_LIST_NEXT(server, link)) {
increment_entry(&number_of_servers);
if (server->result_aaaa == exist ||
server->result_aaaa == notype) {
/*
* Don't care about the result of A query if
* the answer to AAAA query was expected.
*/
stattype = "valid";
increment_entry(&server_stat.valid);
increment_entry(&local_stat.valid);
} else if (server->result_a == exist) {
switch (server->result_aaaa) {
case exist:
case notype:
stattype = "valid";
increment_entry(&server_stat.valid);
increment_entry(&local_stat.valid);
break;
case timedout:
stattype = "ignore";
increment_entry(&server_stat.ignore);
increment_entry(&local_stat.ignore);
break;
case nxdomain:
stattype = "nxdomain";
increment_entry(&server_stat.nxdomain);
increment_entry(&local_stat.nxdomain);
break;
case othererr:
stattype = "othererr";
increment_entry(&server_stat.othererr);
increment_entry(&local_stat.othererr);
break;
case multiplesoa:
stattype = "multiplesoa";
increment_entry(&server_stat.multiplesoa);
increment_entry(&local_stat.multiplesoa);
break;
case multiplecname:
stattype = "multiplecname";
increment_entry(&server_stat.multiplecname);
increment_entry(&local_stat.multiplecname);
break;
case brokenanswer:
stattype = "brokenanswer";
increment_entry(&server_stat.brokenanswer);
increment_entry(&local_stat.brokenanswer);
break;
case lame:
stattype = "lame";
increment_entry(&server_stat.lame);
increment_entry(&local_stat.lame);
break;
default:
stattype = "unknown";
increment_entry(&server_stat.unknown);
increment_entry(&local_stat.unknown);
break;
}
} else {
stattype = "unknown";
increment_entry(&server_stat.unknown);
increment_entry(&local_stat.unknown);
}
if (verbose_level > 1 ||
(verbose_level == 1 &&
strcmp(stattype, "valid") != 0 &&
strcmp(stattype, "unknown") != 0)) {
print_name(pns->name);
putchar('(');
print_address(stdout, &server->address);
printf(") for %s:%s\n", trans->domain,
stattype);
}
}
}
/* Update per domain statistics */
if (local_stat.ignore > 0U) {
if (verbose_level > 0)
printf("%s:ignore\n", trans->domain);
increment_entry(&domain_stat.ignore);
err_count++;
}
if (local_stat.nxdomain > 0U) {
if (verbose_level > 0)
printf("%s:nxdomain\n", trans->domain);
increment_entry(&domain_stat.nxdomain);
err_count++;
}
if (local_stat.othererr > 0U) {
if (verbose_level > 0)
printf("%s:othererr\n", trans->domain);
increment_entry(&domain_stat.othererr);
err_count++;
}
if (local_stat.multiplesoa > 0U) {
if (verbose_level > 0)
printf("%s:multiplesoa\n", trans->domain);
increment_entry(&domain_stat.multiplesoa);
err_count++;
}
if (local_stat.multiplecname > 0U) {
if (verbose_level > 0)
printf("%s:multiplecname\n", trans->domain);
increment_entry(&domain_stat.multiplecname);
err_count++;
}
if (local_stat.brokenanswer > 0U) {
if (verbose_level > 0)
printf("%s:brokenanswer\n", trans->domain);
increment_entry(&domain_stat.brokenanswer);
err_count++;
}
if (local_stat.lame > 0U) {
if (verbose_level > 0)
printf("%s:lame\n", trans->domain);
increment_entry(&domain_stat.lame);
err_count++;
}
if (err_count > 1U)
increment_entry(&multiple_error_domains);
/*
* We regard the domain as valid if and only if no authoritative server
* has a problem and at least one server is known to be valid.
*/
if (local_stat.valid > 0U && err_count == 0U) {
if (verbose_level > 1)
printf("%s:valid\n", trans->domain);
increment_entry(&domain_stat.valid);
}
/*
* If the domain has no available server or all servers have the
* 'unknown' result, the domain's result is also regarded as unknown.
*/
if (local_stat.valid == 0U && err_count == 0U) {
if (verbose_level > 1)
printf("%s:unknown\n", trans->domain);
increment_entry(&domain_stat.unknown);
}
}
static void
control_recvmessage(isc_task_t *task, isc_event_t *event) {
controlconnection_t *conn;
controllistener_t *listener;
controlkey_t *key;
isccc_sexpr_t *request = NULL;
isccc_sexpr_t *response = NULL;
isccc_region_t ccregion;
isc_uint32_t algorithm;
isccc_region_t secret;
isc_stdtime_t now;
isc_buffer_t b;
isc_region_t r;
isc_uint32_t len;
isc_buffer_t text;
char textarray[2*1024];
isc_result_t result;
isc_result_t eresult;
isccc_sexpr_t *_ctrl;
isccc_time_t sent;
isccc_time_t exp;
isc_uint32_t nonce;
REQUIRE(event->ev_type == ISCCC_EVENT_CCMSG);
conn = event->ev_arg;
listener = conn->listener;
algorithm = DST_ALG_UNKNOWN;
secret.rstart = NULL;
/* Is the server shutting down? */
if (listener->controls->shuttingdown)
goto cleanup;
if (conn->ccmsg.result != ISC_R_SUCCESS) {
if (conn->ccmsg.result != ISC_R_CANCELED &&
conn->ccmsg.result != ISC_R_EOF)
log_invalid(&conn->ccmsg, conn->ccmsg.result);
goto cleanup;
}
request = NULL;
for (key = ISC_LIST_HEAD(listener->keys);
key != NULL;
key = ISC_LIST_NEXT(key, link))
{
ccregion.rstart = isc_buffer_base(&conn->ccmsg.buffer);
ccregion.rend = isc_buffer_used(&conn->ccmsg.buffer);
secret.rstart = isc_mem_get(listener->mctx, key->secret.length);
if (secret.rstart == NULL)
goto cleanup;
memmove(secret.rstart, key->secret.base, key->secret.length);
secret.rend = secret.rstart + key->secret.length;
algorithm = key->algorithm;
result = isccc_cc_fromwire(&ccregion, &request,
algorithm, &secret);
if (result == ISC_R_SUCCESS)
break;
isc_mem_put(listener->mctx, secret.rstart, REGION_SIZE(secret));
if (result != ISCCC_R_BADAUTH) {
log_invalid(&conn->ccmsg, result);
goto cleanup;
}
}
if (key == NULL) {
log_invalid(&conn->ccmsg, ISCCC_R_BADAUTH);
goto cleanup;
}
/* We shouldn't be getting a reply. */
if (isccc_cc_isreply(request)) {
log_invalid(&conn->ccmsg, ISC_R_FAILURE);
goto cleanup_request;
}
isc_stdtime_get(&now);
/*
* Limit exposure to replay attacks.
*/
_ctrl = isccc_alist_lookup(request, "_ctrl");
if (_ctrl == NULL) {
log_invalid(&conn->ccmsg, ISC_R_FAILURE);
goto cleanup_request;
}
if (isccc_cc_lookupuint32(_ctrl, "_tim", &sent) == ISC_R_SUCCESS) {
if ((sent + CLOCKSKEW) < now || (sent - CLOCKSKEW) > now) {
log_invalid(&conn->ccmsg, ISCCC_R_CLOCKSKEW);
goto cleanup_request;
}
} else {
log_invalid(&conn->ccmsg, ISC_R_FAILURE);
goto cleanup_request;
}
/*
* Expire messages that are too old.
*/
if (isccc_cc_lookupuint32(_ctrl, "_exp", &exp) == ISC_R_SUCCESS &&
now > exp) {
log_invalid(&conn->ccmsg, ISCCC_R_EXPIRED);
goto cleanup_request;
}
/*
* Duplicate suppression (required for UDP).
*/
isccc_cc_cleansymtab(listener->controls->symtab, now);
result = isccc_cc_checkdup(listener->controls->symtab, request, now);
if (result != ISC_R_SUCCESS) {
if (result == ISC_R_EXISTS)
result = ISCCC_R_DUPLICATE;
log_invalid(&conn->ccmsg, result);
goto cleanup_request;
}
if (conn->nonce != 0 &&
(isccc_cc_lookupuint32(_ctrl, "_nonce", &nonce) != ISC_R_SUCCESS ||
conn->nonce != nonce)) {
log_invalid(&conn->ccmsg, ISCCC_R_BADAUTH);
goto cleanup_request;
}
isc_buffer_init(&text, textarray, sizeof(textarray));
/*
* Establish nonce.
*/
if (conn->nonce == 0) {
while (conn->nonce == 0)
isc_random_get(&conn->nonce);
eresult = ISC_R_SUCCESS;
} else
eresult = ns_control_docommand(request, &text);
result = isccc_cc_createresponse(request, now, now + 60, &response);
if (result != ISC_R_SUCCESS)
goto cleanup_request;
if (eresult != ISC_R_SUCCESS) {
isccc_sexpr_t *data;
data = isccc_alist_lookup(response, "_data");
if (data != NULL) {
const char *estr = isc_result_totext(eresult);
if (isccc_cc_definestring(data, "err", estr) == NULL)
goto cleanup_response;
}
}
if (isc_buffer_usedlength(&text) > 0) {
isccc_sexpr_t *data;
data = isccc_alist_lookup(response, "_data");
if (data != NULL) {
char *str = (char *)isc_buffer_base(&text);
if (isccc_cc_definestring(data, "text", str) == NULL)
goto cleanup_response;
}
}
_ctrl = isccc_alist_lookup(response, "_ctrl");
if (_ctrl == NULL ||
isccc_cc_defineuint32(_ctrl, "_nonce", conn->nonce) == NULL)
goto cleanup_response;
ccregion.rstart = conn->buffer + 4;
ccregion.rend = conn->buffer + sizeof(conn->buffer);
result = isccc_cc_towire(response, &ccregion, algorithm, &secret);
if (result != ISC_R_SUCCESS)
goto cleanup_response;
isc_buffer_init(&b, conn->buffer, 4);
len = sizeof(conn->buffer) - REGION_SIZE(ccregion);
isc_buffer_putuint32(&b, len - 4);
r.base = conn->buffer;
r.length = len;
result = isc_socket_send(conn->sock, &r, task, control_senddone, conn);
if (result != ISC_R_SUCCESS)
goto cleanup_response;
conn->sending = ISC_TRUE;
isc_mem_put(listener->mctx, secret.rstart, REGION_SIZE(secret));
isccc_sexpr_free(&request);
isccc_sexpr_free(&response);
return;
cleanup_response:
isccc_sexpr_free(&response);
cleanup_request:
isccc_sexpr_free(&request);
isc_mem_put(listener->mctx, secret.rstart, REGION_SIZE(secret));
cleanup:
isc_socket_detach(&conn->sock);
isccc_ccmsg_invalidate(&conn->ccmsg);
conn->ccmsg_valid = ISC_FALSE;
maybe_free_connection(conn);
maybe_free_listener(listener);
}
