bool ConcurrentTableSharedStore::store(const String& key, const Variant& value,
int64_t ttl,
bool overwrite /* = true */,
bool limit_ttl /* = true */) {
StoreValue *sval;
APCHandle* svar = construct(value);
ConditionalReadLock l(m_lock, !apcExtension::ConcurrentTableLockFree ||
m_lockingFlag);
const char *kcp = strdup(key.data());
bool present;
time_t expiry = 0;
bool overwritePrime = false;
{
Map::accessor acc;
present = !m_vars.insert(acc, kcp);
sval = &acc->second;
if (present) {
free((void *)kcp);
if (overwrite || sval->expired()) {
// if ApcTTLLimit is set, then only primed keys can have expiry == 0
overwritePrime = (sval->expiry == 0);
if (sval->inMem()) {
sval->var->unreferenceRoot();
} else {
// mark the inFile copy invalid since we are updating the key
sval->sAddr = nullptr;
sval->sSize = 0;
}
} else {
svar->unreferenceRoot();
return false;
}
}
int64_t adjustedTtl = adjust_ttl(ttl, overwritePrime || !limit_ttl);
if (check_noTTL(key.data(), key.size())) {
adjustedTtl = 0;
}
sval->set(svar, adjustedTtl);
expiry = sval->expiry;
}
if (expiry) {
addToExpirationQueue(key.data(), expiry);
}
if (apcExtension::ExpireOnSets) {
purgeExpired();
}
return true;
}
bool ConcurrentTableSharedStore::storeImpl(const String& key,
const Variant& value,
int64_t ttl,
bool overwrite,
bool limit_ttl) {
StoreValue *sval;
auto svar = APCHandle::Create(value, false, APCHandleLevel::Outer, false);
auto keyLen = key.size();
ReadLock l(m_lock);
char* const kcp = strdup(key.data());
bool present;
time_t expiry = 0;
bool overwritePrime = false;
{
Map::accessor acc;
APCHandle* current = nullptr;
present = !m_vars.insert(acc, kcp);
sval = &acc->second;
if (present) {
free(kcp);
if (!overwrite && !sval->expired()) {
svar.handle->unreferenceRoot(svar.size);
return false;
}
sval->data.match(
[&] (APCHandle* handle) {
current = handle;
// If ApcTTLLimit is set, then only primed keys can have
// expire == 0.
overwritePrime = sval->expire == 0;
},
[&] (char*) {
// Was inFile, but won't be anymore.
sval->data = nullptr;
sval->dataSize = 0;
overwritePrime = true;
}
);
} else {
APCStats::getAPCStats().addKey(keyLen);
}
int64_t adjustedTtl = adjust_ttl(ttl, overwritePrime || !limit_ttl);
if (check_noTTL(key.data(), key.size())) {
adjustedTtl = 0;
}
if (current) {
if (sval->expire == 0 && adjustedTtl != 0) {
APCStats::getAPCStats().removeAPCValue(
sval->dataSize, current, true, sval->expired());
APCStats::getAPCStats().addAPCValue(svar.handle, svar.size, false);
} else {
APCStats::getAPCStats().updateAPCValue(
svar.handle, svar.size, current, sval->dataSize,
sval->expire == 0, sval->expired());
}
current->unreferenceRoot(sval->dataSize);
} else {
APCStats::getAPCStats().addAPCValue(svar.handle, svar.size, present);
}
sval->set(svar.handle, adjustedTtl);
sval->dataSize = svar.size;
expiry = sval->expire;
if (expiry) {
auto ikey = intptr_t(acc->first);
if (m_expMap.insert({ ikey, 0 })) {
m_expQueue.push({ ikey, expiry });
}
}
}
if (apcExtension::ExpireOnSets) {
purgeExpired();
}
return true;
}
bool ConcurrentTableSharedStore::store(CStrRef key, CVarRef value, int64 ttl,
bool overwrite /* = true */) {
StoreValue *sval;
SharedVariant* svar = construct(value);
ConditionalReadLock l(m_lock, !RuntimeOption::ApcConcurrentTableLockFree ||
m_lockingFlag);
const char *kcp = strdup(key.data());
bool present;
time_t expiry = 0;
bool overwritePrime = false;
{
Map::accessor acc;
present = !m_vars.insert(acc, kcp);
sval = &acc->second;
bool update = false;
if (present) {
free((void *)kcp);
if (overwrite || sval->expired()) {
// if ApcTTLLimit is set, then only primed keys can have expiry == 0
overwritePrime = (sval->expiry == 0);
if (sval->inMem()) {
stats_on_update(key.get(), sval, svar,
adjust_ttl(ttl, overwritePrime));
sval->var->decRef();
update = true;
} else {
// mark the inFile copy invalid since we are updating the key
sval->sAddr = NULL;
sval->sSize = 0;
}
} else {
svar->decRef();
return false;
}
}
int64 adjustedTtl = adjust_ttl(ttl, overwritePrime);
if (check_noTTL(key.data())) {
adjustedTtl = 0;
}
sval->set(svar, adjustedTtl);
expiry = sval->expiry;
if (!update) {
stats_on_add(key.get(), sval, adjustedTtl, false, false);
}
}
if (expiry) {
addToExpirationQueue(key.data(), expiry);
}
if (RuntimeOption::ApcExpireOnSets) {
purgeExpired();
}
if (present) {
log_apc(std_apc_update);
} else {
log_apc(std_apc_new);
if (RuntimeOption::EnableStats && RuntimeOption::EnableAPCKeyStats) {
string prefix = "apc.new." + GetSkeleton(key);
ServerStats::Log(prefix, 1);
}
}
return true;
}
enum sec_status
dnskey_verify_rrset_sig(struct regional* region, sldns_buffer* buf,
struct val_env* ve, time_t now,
struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey,
size_t dnskey_idx, size_t sig_idx,
struct rbtree_t** sortree, int* buf_canon, char** reason)
{
enum sec_status sec;
uint8_t* sig; /* RRSIG rdata */
size_t siglen;
size_t rrnum = rrset_get_count(rrset);
uint8_t* signer; /* rrsig signer name */
size_t signer_len;
unsigned char* sigblock; /* signature rdata field */
unsigned int sigblock_len;
uint16_t ktag; /* DNSKEY key tag */
unsigned char* key; /* public key rdata field */
unsigned int keylen;
rrset_get_rdata(rrset, rrnum + sig_idx, &sig, &siglen);
/* min length of rdatalen, fixed rrsig, root signer, 1 byte sig */
if(siglen < 2+20) {
verbose(VERB_QUERY, "verify: signature too short");
*reason = "signature too short";
return sec_status_bogus;
}
if(!(dnskey_get_flags(dnskey, dnskey_idx) & DNSKEY_BIT_ZSK)) {
verbose(VERB_QUERY, "verify: dnskey without ZSK flag");
*reason = "dnskey without ZSK flag";
return sec_status_bogus;
}
if(dnskey_get_protocol(dnskey, dnskey_idx) != LDNS_DNSSEC_KEYPROTO) {
/* RFC 4034 says DNSKEY PROTOCOL MUST be 3 */
verbose(VERB_QUERY, "verify: dnskey has wrong key protocol");
*reason = "dnskey has wrong protocolnumber";
return sec_status_bogus;
}
/* verify as many fields in rrsig as possible */
signer = sig+2+18;
signer_len = dname_valid(signer, siglen-2-18);
if(!signer_len) {
verbose(VERB_QUERY, "verify: malformed signer name");
*reason = "signer name malformed";
return sec_status_bogus; /* signer name invalid */
}
if(!dname_subdomain_c(rrset->rk.dname, signer)) {
verbose(VERB_QUERY, "verify: signer name is off-tree");
*reason = "signer name off-tree";
return sec_status_bogus; /* signer name offtree */
}
sigblock = (unsigned char*)signer+signer_len;
if(siglen < 2+18+signer_len+1) {
verbose(VERB_QUERY, "verify: too short, no signature data");
*reason = "signature too short, no signature data";
return sec_status_bogus; /* sig rdf is < 1 byte */
}
sigblock_len = (unsigned int)(siglen - 2 - 18 - signer_len);
/* verify key dname == sig signer name */
if(query_dname_compare(signer, dnskey->rk.dname) != 0) {
verbose(VERB_QUERY, "verify: wrong key for rrsig");
log_nametypeclass(VERB_QUERY, "RRSIG signername is",
signer, 0, 0);
log_nametypeclass(VERB_QUERY, "the key name is",
dnskey->rk.dname, 0, 0);
*reason = "signer name mismatches key name";
return sec_status_bogus;
}
/* verify covered type */
/* memcmp works because type is in network format for rrset */
if(memcmp(sig+2, &rrset->rk.type, 2) != 0) {
verbose(VERB_QUERY, "verify: wrong type covered");
*reason = "signature covers wrong type";
return sec_status_bogus;
}
/* verify keytag and sig algo (possibly again) */
if((int)sig[2+2] != dnskey_get_algo(dnskey, dnskey_idx)) {
verbose(VERB_QUERY, "verify: wrong algorithm");
*reason = "signature has wrong algorithm";
return sec_status_bogus;
}
ktag = htons(dnskey_calc_keytag(dnskey, dnskey_idx));
if(memcmp(sig+2+16, &ktag, 2) != 0) {
verbose(VERB_QUERY, "verify: wrong keytag");
*reason = "signature has wrong keytag";
return sec_status_bogus;
}
/* verify labels is in a valid range */
if((int)sig[2+3] > dname_signame_label_count(rrset->rk.dname)) {
verbose(VERB_QUERY, "verify: labelcount out of range");
*reason = "signature labelcount out of range";
return sec_status_bogus;
}
/* original ttl, always ok */
if(!*buf_canon) {
/* create rrset canonical format in buffer, ready for
* signature */
if(!rrset_canonical(region, buf, rrset, sig+2,
18 + signer_len, sortree)) {
log_err("verify: failed due to alloc error");
return sec_status_unchecked;
}
*buf_canon = 1;
}
/* check that dnskey is available */
dnskey_get_pubkey(dnskey, dnskey_idx, &key, &keylen);
if(!key) {
verbose(VERB_QUERY, "verify: short DNSKEY RR");
return sec_status_unchecked;
}
/* verify */
sec = verify_canonrrset(buf, (int)sig[2+2],
sigblock, sigblock_len, key, keylen, reason);
if(sec == sec_status_secure) {
/* check if TTL is too high - reduce if so */
adjust_ttl(ve, now, rrset, sig+2+4, sig+2+8, sig+2+12);
/* verify inception, expiration dates
* Do this last so that if you ignore expired-sigs the
* rest is sure to be OK. */
if(!check_dates(ve, now, sig+2+8, sig+2+12, reason)) {
return sec_status_bogus;
}
}
return sec;
}
