1 /* 2 * remote.c - remote control for the NSD daemon. 3 * 4 * Copyright (c) 2008, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * Redistributions of source code must retain the above copyright notice, 13 * this list of conditions and the following disclaimer. 14 * 15 * Redistributions in binary form must reproduce the above copyright notice, 16 * this list of conditions and the following disclaimer in the documentation 17 * and/or other materials provided with the distribution. 18 * 19 * Neither the name of the NLNET LABS nor the names of its contributors may 20 * be used to endorse or promote products derived from this software without 21 * specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36 /** 37 * \file 38 * 39 * This file contains the remote control functionality for the daemon. 40 * The remote control can be performed using either the commandline 41 * nsd-control tool, or a TLS capable web browser. 42 * The channel is secured using TLSv1, and certificates. 43 * Both the server and the client(control tool) have their own keys. 44 */ 45 #include "config.h" 46 #ifdef HAVE_SSL 47 48 #ifdef HAVE_OPENSSL_SSL_H 49 #include "openssl/ssl.h" 50 #endif 51 #ifdef HAVE_OPENSSL_ERR_H 52 #include <openssl/err.h> 53 #endif 54 #ifdef HAVE_OPENSSL_RAND_H 55 #include <openssl/rand.h> 56 #endif 57 #include <ctype.h> 58 #include <unistd.h> 59 #include <assert.h> 60 #include <fcntl.h> 61 #ifndef USE_MINI_EVENT 62 # ifdef HAVE_EVENT_H 63 # include <event.h> 64 # else 65 # include <event2/event.h> 66 # include "event2/event_struct.h" 67 # include "event2/event_compat.h" 68 # endif 69 #else 70 # include "mini_event.h" 71 #endif 72 #include "remote.h" 73 #include "util.h" 74 #include "xfrd.h" 75 #include "xfrd-notify.h" 76 #include "xfrd-tcp.h" 77 #include "nsd.h" 78 #include "options.h" 79 #include "difffile.h" 80 #include "ipc.h" 81 82 #ifdef HAVE_SYS_TYPES_H 83 # include <sys/types.h> 84 #endif 85 #ifdef HAVE_SYS_STAT_H 86 # include <sys/stat.h> 87 #endif 88 #ifdef HAVE_NETDB_H 89 # include <netdb.h> 90 #endif 91 #ifdef HAVE_SYS_UN_H 92 # include <sys/un.h> 93 #endif 94 95 /** number of seconds timeout on incoming remote control handshake */ 96 #define REMOTE_CONTROL_TCP_TIMEOUT 120 97 98 /** repattern to master or slave */ 99 #define REPAT_SLAVE 1 100 #define REPAT_MASTER 2 101 102 /** if you want zero to be inhibited in stats output. 103 * it omits zeroes for types that have no acronym and unused-rcodes */ 104 const int inhibit_zero = 1; 105 106 /** 107 * a busy control command connection, SSL state 108 * Defined here to keep the definition private, and keep SSL out of the .h 109 */ 110 struct rc_state { 111 /** the next item in list */ 112 struct rc_state* next, *prev; 113 /* if the event was added to the event_base */ 114 int event_added; 115 /** the commpoint */ 116 struct event c; 117 /** timeout for this state */ 118 struct timeval tval; 119 /** in the handshake part */ 120 enum { rc_none, rc_hs_read, rc_hs_write } shake_state; 121 /** the ssl state */ 122 SSL* ssl; 123 /** file descriptor */ 124 int fd; 125 /** the rc this is part of */ 126 struct daemon_remote* rc; 127 /** stats list next item */ 128 struct rc_state* stats_next; 129 /** stats list indicator (0 is not part of stats list, 1 is stats, 130 * 2 is stats_noreset. */ 131 int in_stats_list; 132 }; 133 134 /** 135 * list of events for accepting connections 136 */ 137 struct acceptlist { 138 struct acceptlist* next; 139 int event_added; 140 struct event c; 141 char* ident; 142 struct daemon_remote* rc; 143 }; 144 145 /** 146 * The remote control state. 147 */ 148 struct daemon_remote { 149 /** the master process for this remote control */ 150 struct xfrd_state* xfrd; 151 /** commpoints for accepting remote control connections */ 152 struct acceptlist* accept_list; 153 /* if certificates are used */ 154 int use_cert; 155 /** number of active commpoints that are handling remote control */ 156 int active; 157 /** max active commpoints */ 158 int max_active; 159 /** current commpoints busy; double linked, malloced */ 160 struct rc_state* busy_list; 161 /** commpoints waiting for stats to complete (also in busy_list) */ 162 struct rc_state* stats_list; 163 /** last time stats was reported */ 164 struct timeval stats_time, boot_time; 165 /** the SSL context for creating new SSL streams */ 166 SSL_CTX* ctx; 167 }; 168 169 /** 170 * Connection to print to, either SSL or plain over fd 171 */ 172 struct remote_stream { 173 /** SSL structure, nonNULL if using SSL */ 174 SSL* ssl; 175 /** file descriptor for plain transfer */ 176 int fd; 177 }; 178 typedef struct remote_stream RES; 179 180 /** 181 * Print fixed line of text over ssl connection in blocking mode 182 * @param res: print to 183 * @param text: the text. 184 * @return false on connection failure. 185 */ 186 static int ssl_print_text(RES* res, const char* text); 187 188 /** 189 * printf style printing to the ssl connection 190 * @param res: the RES connection to print to. Blocking. 191 * @param format: printf style format string. 192 * @return success or false on a network failure. 193 */ 194 static int ssl_printf(RES* res, const char* format, ...) 195 ATTR_FORMAT(printf, 2, 3); 196 197 /** 198 * Read until \n is encountered 199 * If stream signals EOF, the string up to then is returned (without \n). 200 * @param res: the RES connection to read from. blocking. 201 * @param buf: buffer to read to. 202 * @param max: size of buffer. 203 * @return false on connection failure. 204 */ 205 static int ssl_read_line(RES* res, char* buf, size_t max); 206 207 /** perform the accept of a new remote control connection */ 208 static void 209 remote_accept_callback(int fd, short event, void* arg); 210 211 /** perform remote control */ 212 static void 213 remote_control_callback(int fd, short event, void* arg); 214 215 216 /** ---- end of private defines ---- **/ 217 218 219 /** log ssl crypto err */ 220 static void 221 log_crypto_err(const char* str) 222 { 223 /* error:[error code]:[library name]:[function name]:[reason string] */ 224 char buf[128]; 225 unsigned long e; 226 ERR_error_string_n(ERR_get_error(), buf, sizeof(buf)); 227 log_msg(LOG_ERR, "%s crypto %s", str, buf); 228 while( (e=ERR_get_error()) ) { 229 ERR_error_string_n(e, buf, sizeof(buf)); 230 log_msg(LOG_ERR, "and additionally crypto %s", buf); 231 } 232 } 233 234 #ifdef BIND8_STATS 235 /** subtract timers and the values do not overflow or become negative */ 236 static void 237 timeval_subtract(struct timeval* d, const struct timeval* end, 238 const struct timeval* start) 239 { 240 #ifndef S_SPLINT_S 241 time_t end_usec = end->tv_usec; 242 d->tv_sec = end->tv_sec - start->tv_sec; 243 if(end_usec < start->tv_usec) { 244 end_usec += 1000000; 245 d->tv_sec--; 246 } 247 d->tv_usec = end_usec - start->tv_usec; 248 #endif 249 } 250 #endif /* BIND8_STATS */ 251 252 static int 253 remote_setup_ctx(struct daemon_remote* rc, struct nsd_options* cfg) 254 { 255 char* s_cert = cfg->server_cert_file; 256 char* s_key = cfg->server_key_file; 257 rc->ctx = server_tls_ctx_setup(s_key, s_cert, s_cert); 258 if(!rc->ctx) { 259 log_msg(LOG_ERR, "could not setup remote control TLS context"); 260 return 0; 261 } 262 return 1; 263 } 264 265 struct daemon_remote* 266 daemon_remote_create(struct nsd_options* cfg) 267 { 268 struct daemon_remote* rc = (struct daemon_remote*)xalloc_zero( 269 sizeof(*rc)); 270 rc->max_active = 10; 271 assert(cfg->control_enable); 272 273 if(options_remote_is_address(cfg)) { 274 if(!remote_setup_ctx(rc, cfg)) { 275 daemon_remote_delete(rc); 276 return NULL; 277 } 278 rc->use_cert = 1; 279 } else { 280 struct ip_address_option* o; 281 rc->ctx = NULL; 282 rc->use_cert = 0; 283 for(o = cfg->control_interface; o; o = o->next) { 284 if(o->address && o->address[0] != '/') 285 log_msg(LOG_WARNING, "control-interface %s is not using TLS, but plain transfer, because first control-interface in config file is a local socket (starts with a /).", o->address); 286 } 287 } 288 289 /* and try to open the ports */ 290 if(!daemon_remote_open_ports(rc, cfg)) { 291 log_msg(LOG_ERR, "could not open remote control port"); 292 daemon_remote_delete(rc); 293 return NULL; 294 } 295 296 if(gettimeofday(&rc->boot_time, NULL) == -1) 297 log_msg(LOG_ERR, "gettimeofday: %s", strerror(errno)); 298 rc->stats_time = rc->boot_time; 299 300 return rc; 301 } 302 303 void daemon_remote_close(struct daemon_remote* rc) 304 { 305 struct rc_state* p, *np; 306 struct acceptlist* h, *nh; 307 if(!rc) return; 308 309 /* close listen sockets */ 310 h = rc->accept_list; 311 while(h) { 312 nh = h->next; 313 if(h->event_added) 314 event_del(&h->c); 315 close(h->c.ev_fd); 316 free(h->ident); 317 free(h); 318 h = nh; 319 } 320 rc->accept_list = NULL; 321 322 /* close busy connection sockets */ 323 p = rc->busy_list; 324 while(p) { 325 np = p->next; 326 if(p->event_added) 327 event_del(&p->c); 328 if(p->ssl) 329 SSL_free(p->ssl); 330 close(p->c.ev_fd); 331 free(p); 332 p = np; 333 } 334 rc->busy_list = NULL; 335 rc->active = 0; 336 } 337 338 void daemon_remote_delete(struct daemon_remote* rc) 339 { 340 if(!rc) return; 341 daemon_remote_close(rc); 342 if(rc->ctx) { 343 SSL_CTX_free(rc->ctx); 344 } 345 free(rc); 346 } 347 348 static int 349 create_tcp_accept_sock(struct addrinfo* addr, int* noproto) 350 { 351 #if defined(SO_REUSEADDR) || (defined(INET6) && (defined(IPV6_V6ONLY) || defined(IPV6_USE_MIN_MTU) || defined(IPV6_MTU))) 352 int on = 1; 353 #endif 354 int s; 355 *noproto = 0; 356 if ((s = socket(addr->ai_family, addr->ai_socktype, 0)) == -1) { 357 #if defined(INET6) 358 if (addr->ai_family == AF_INET6 && 359 errno == EAFNOSUPPORT) { 360 *noproto = 1; 361 log_msg(LOG_WARNING, "fallback to TCP4, no IPv6: not supported"); 362 return -1; 363 } 364 #endif /* INET6 */ 365 log_msg(LOG_ERR, "can't create a socket: %s", strerror(errno)); 366 return -1; 367 } 368 #ifdef SO_REUSEADDR 369 if (setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) < 0) { 370 log_msg(LOG_ERR, "setsockopt(..., SO_REUSEADDR, ...) failed: %s", strerror(errno)); 371 } 372 #endif /* SO_REUSEADDR */ 373 #if defined(INET6) && defined(IPV6_V6ONLY) 374 if (addr->ai_family == AF_INET6 && 375 setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)) < 0) 376 { 377 log_msg(LOG_ERR, "setsockopt(..., IPV6_V6ONLY, ...) failed: %s", strerror(errno)); 378 return -1; 379 } 380 #endif 381 /* set it nonblocking */ 382 /* (StevensUNP p463), if tcp listening socket is blocking, then 383 it may block in accept, even if select() says readable. */ 384 if (fcntl(s, F_SETFL, O_NONBLOCK) == -1) { 385 log_msg(LOG_ERR, "cannot fcntl tcp: %s", strerror(errno)); 386 } 387 /* Bind it... */ 388 if (bind(s, (struct sockaddr *)addr->ai_addr, addr->ai_addrlen) != 0) { 389 log_msg(LOG_ERR, "can't bind tcp socket: %s", strerror(errno)); 390 return -1; 391 } 392 /* Listen to it... */ 393 if (listen(s, TCP_BACKLOG_REMOTE) == -1) { 394 log_msg(LOG_ERR, "can't listen: %s", strerror(errno)); 395 return -1; 396 } 397 return s; 398 } 399 400 /** 401 * Add and open a new control port 402 * @param rc: rc with result list. 403 * @param ip: ip str 404 * @param nr: port nr 405 * @param noproto_is_err: if lack of protocol support is an error. 406 * @return false on failure. 407 */ 408 static int 409 add_open(struct daemon_remote* rc, struct nsd_options* cfg, const char* ip, 410 int nr, int noproto_is_err) 411 { 412 struct addrinfo hints; 413 struct addrinfo* res; 414 struct acceptlist* hl; 415 int noproto = 0; 416 int fd, r; 417 char port[15]; 418 snprintf(port, sizeof(port), "%d", nr); 419 port[sizeof(port)-1]=0; 420 memset(&hints, 0, sizeof(hints)); 421 assert(ip); 422 423 if(ip[0] == '/') { 424 /* This looks like a local socket */ 425 fd = create_local_accept_sock(ip, &noproto); 426 /* 427 * Change socket ownership and permissions so users other 428 * than root can access it provided they are in the same 429 * group as the user we run as. 430 */ 431 if(fd != -1) { 432 #ifdef HAVE_CHOWN 433 if (cfg->username && cfg->username[0] && 434 nsd.uid != (uid_t)-1) { 435 if(chown(ip, nsd.uid, nsd.gid) == -1) 436 VERBOSITY(2, (LOG_INFO, "cannot chown %u.%u %s: %s", 437 (unsigned)nsd.uid, (unsigned)nsd.gid, 438 ip, strerror(errno))); 439 } 440 chmod(ip, (mode_t)(S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP)); 441 #else 442 (void)cfg; 443 #endif 444 } 445 } else { 446 hints.ai_socktype = SOCK_STREAM; 447 hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST; 448 if((r = getaddrinfo(ip, port, &hints, &res)) != 0 || !res) { 449 log_msg(LOG_ERR, "control interface %s:%s getaddrinfo: %s %s", 450 ip?ip:"default", port, gai_strerror(r), 451 #ifdef EAI_SYSTEM 452 r==EAI_SYSTEM?(char*)strerror(errno):"" 453 #else 454 "" 455 #endif 456 ); 457 return 0; 458 } 459 460 /* open fd */ 461 fd = create_tcp_accept_sock(res, &noproto); 462 freeaddrinfo(res); 463 } 464 465 if(fd == -1 && noproto) { 466 if(!noproto_is_err) 467 return 1; /* return success, but do nothing */ 468 log_msg(LOG_ERR, "cannot open control interface %s %d : " 469 "protocol not supported", ip, nr); 470 return 0; 471 } 472 if(fd == -1) { 473 log_msg(LOG_ERR, "cannot open control interface %s %d", ip, nr); 474 return 0; 475 } 476 477 /* alloc */ 478 hl = (struct acceptlist*)xalloc_zero(sizeof(*hl)); 479 hl->rc = rc; 480 hl->ident = strdup(ip); 481 if(!hl->ident) { 482 log_msg(LOG_ERR, "malloc failure"); 483 close(fd); 484 free(hl); 485 return 0; 486 } 487 hl->next = rc->accept_list; 488 rc->accept_list = hl; 489 490 hl->c.ev_fd = fd; 491 hl->event_added = 0; 492 return 1; 493 } 494 495 int 496 daemon_remote_open_ports(struct daemon_remote* rc, struct nsd_options* cfg) 497 { 498 assert(cfg->control_enable && cfg->control_port); 499 if(cfg->control_interface) { 500 ip_address_option_type* p; 501 for(p = cfg->control_interface; p; p = p->next) { 502 if(!add_open(rc, cfg, p->address, cfg->control_port, 1)) { 503 return 0; 504 } 505 } 506 } else { 507 /* defaults */ 508 if(cfg->do_ip6 && !add_open(rc, cfg, "::1", cfg->control_port, 0)) { 509 return 0; 510 } 511 if(cfg->do_ip4 && 512 !add_open(rc, cfg, "127.0.0.1", cfg->control_port, 1)) { 513 return 0; 514 } 515 } 516 return 1; 517 } 518 519 void 520 daemon_remote_attach(struct daemon_remote* rc, struct xfrd_state* xfrd) 521 { 522 int fd; 523 struct acceptlist* p; 524 if(!rc) return; 525 rc->xfrd = xfrd; 526 for(p = rc->accept_list; p; p = p->next) { 527 /* add event */ 528 fd = p->c.ev_fd; 529 memset(&p->c, 0, sizeof(p->c)); 530 event_set(&p->c, fd, EV_PERSIST|EV_READ, remote_accept_callback, 531 p); 532 if(event_base_set(xfrd->event_base, &p->c) != 0) 533 log_msg(LOG_ERR, "remote: cannot set event_base"); 534 if(event_add(&p->c, NULL) != 0) 535 log_msg(LOG_ERR, "remote: cannot add event"); 536 p->event_added = 1; 537 } 538 } 539 540 static void 541 remote_accept_callback(int fd, short event, void* arg) 542 { 543 struct acceptlist *hl = (struct acceptlist*)arg; 544 struct daemon_remote *rc = hl->rc; 545 #ifdef INET6 546 struct sockaddr_storage addr; 547 #else 548 struct sockaddr_in addr; 549 #endif 550 socklen_t addrlen; 551 int newfd; 552 struct rc_state* n; 553 554 if (!(event & EV_READ)) { 555 return; 556 } 557 558 /* perform the accept */ 559 addrlen = sizeof(addr); 560 #ifndef HAVE_ACCEPT4 561 newfd = accept(fd, (struct sockaddr*)&addr, &addrlen); 562 #else 563 newfd = accept4(fd, (struct sockaddr*)&addr, &addrlen, SOCK_NONBLOCK); 564 #endif 565 if(newfd == -1) { 566 if ( errno != EINTR 567 && errno != EWOULDBLOCK 568 #ifdef ECONNABORTED 569 && errno != ECONNABORTED 570 #endif /* ECONNABORTED */ 571 #ifdef EPROTO 572 && errno != EPROTO 573 #endif /* EPROTO */ 574 ) { 575 log_msg(LOG_ERR, "accept failed: %s", strerror(errno)); 576 } 577 return; 578 } 579 580 /* create new commpoint unless we are servicing already */ 581 if(rc->active >= rc->max_active) { 582 log_msg(LOG_WARNING, "drop incoming remote control: " 583 "too many connections"); 584 close_exit: 585 close(newfd); 586 return; 587 } 588 589 #ifndef HAVE_ACCEPT4 590 if (fcntl(newfd, F_SETFL, O_NONBLOCK) == -1) { 591 log_msg(LOG_ERR, "fcntl failed: %s", strerror(errno)); 592 goto close_exit; 593 } 594 #endif 595 596 /* setup state to service the remote control command */ 597 n = (struct rc_state*)calloc(1, sizeof(*n)); 598 if(!n) { 599 log_msg(LOG_ERR, "out of memory"); 600 goto close_exit; 601 } 602 603 n->tval.tv_sec = REMOTE_CONTROL_TCP_TIMEOUT; 604 n->tval.tv_usec = 0L; 605 n->fd = newfd; 606 607 memset(&n->c, 0, sizeof(n->c)); 608 event_set(&n->c, newfd, EV_PERSIST|EV_TIMEOUT|EV_READ, 609 remote_control_callback, n); 610 if(event_base_set(xfrd->event_base, &n->c) != 0) { 611 log_msg(LOG_ERR, "remote_accept: cannot set event_base"); 612 free(n); 613 goto close_exit; 614 } 615 if(event_add(&n->c, &n->tval) != 0) { 616 log_msg(LOG_ERR, "remote_accept: cannot add event"); 617 free(n); 618 goto close_exit; 619 } 620 n->event_added = 1; 621 622 if(2 <= verbosity) { 623 if(hl->ident && hl->ident[0] == '/') { 624 VERBOSITY(2, (LOG_INFO, "new control connection from %s", hl->ident)); 625 } else { 626 char s[128]; 627 addr2str(&addr, s, sizeof(s)); 628 VERBOSITY(2, (LOG_INFO, "new control connection from %s", s)); 629 } 630 } 631 632 if(rc->ctx) { 633 n->shake_state = rc_hs_read; 634 n->ssl = SSL_new(rc->ctx); 635 if(!n->ssl) { 636 log_crypto_err("could not SSL_new"); 637 event_del(&n->c); 638 free(n); 639 goto close_exit; 640 } 641 SSL_set_accept_state(n->ssl); 642 (void)SSL_set_mode(n->ssl, SSL_MODE_AUTO_RETRY); 643 if(!SSL_set_fd(n->ssl, newfd)) { 644 log_crypto_err("could not SSL_set_fd"); 645 event_del(&n->c); 646 SSL_free(n->ssl); 647 free(n); 648 goto close_exit; 649 } 650 } else { 651 n->ssl = NULL; 652 } 653 654 n->rc = rc; 655 n->stats_next = NULL; 656 n->in_stats_list = 0; 657 n->prev = NULL; 658 n->next = rc->busy_list; 659 if(n->next) n->next->prev = n; 660 rc->busy_list = n; 661 rc->active ++; 662 663 /* perform the first nonblocking read already, for windows, 664 * so it can return wouldblock. could be faster too. */ 665 remote_control_callback(newfd, EV_READ, n); 666 } 667 668 /** delete from list */ 669 static void 670 state_list_remove_elem(struct rc_state** list, struct rc_state* todel) 671 { 672 if(todel->prev) todel->prev->next = todel->next; 673 else *list = todel->next; 674 if(todel->next) todel->next->prev = todel->prev; 675 } 676 677 /** delete from stats list */ 678 static void 679 stats_list_remove_elem(struct rc_state** list, struct rc_state* todel) 680 { 681 struct rc_state* prev = NULL; 682 struct rc_state* n = *list; 683 while(n) { 684 /* delete this one? */ 685 if(n == todel) { 686 if(prev) prev->next = n->next; 687 else (*list) = n->next; 688 /* go on and delete further elements */ 689 /* prev = prev; */ 690 n = n->next; 691 continue; 692 } 693 694 /* go to the next element */ 695 prev = n; 696 n = n->next; 697 } 698 } 699 700 /** decrease active count and remove commpoint from busy list */ 701 static void 702 clean_point(struct daemon_remote* rc, struct rc_state* s) 703 { 704 if(s->in_stats_list) 705 stats_list_remove_elem(&rc->stats_list, s); 706 state_list_remove_elem(&rc->busy_list, s); 707 rc->active --; 708 if(s->event_added) 709 event_del(&s->c); 710 if(s->ssl) { 711 SSL_shutdown(s->ssl); 712 SSL_free(s->ssl); 713 } 714 close(s->c.ev_fd); 715 free(s); 716 } 717 718 static int 719 ssl_print_text(RES* res, const char* text) 720 { 721 int r; 722 if(!res) 723 return 0; 724 if(res->ssl) { 725 ERR_clear_error(); 726 if((r=SSL_write(res->ssl, text, (int)strlen(text))) <= 0) { 727 if(SSL_get_error(res->ssl, r) == SSL_ERROR_ZERO_RETURN) { 728 VERBOSITY(2, (LOG_WARNING, "in SSL_write, peer " 729 "closed connection")); 730 return 0; 731 } 732 log_crypto_err("could not SSL_write"); 733 return 0; 734 } 735 } else { 736 if(write_socket(res->fd, text, strlen(text)) <= 0) { 737 log_msg(LOG_ERR, "could not write: %s", 738 strerror(errno)); 739 return 0; 740 } 741 } 742 return 1; 743 } 744 745 /** print text over the ssl connection */ 746 static int 747 ssl_print_vmsg(RES* ssl, const char* format, va_list args) 748 { 749 char msg[1024]; 750 vsnprintf(msg, sizeof(msg), format, args); 751 return ssl_print_text(ssl, msg); 752 } 753 754 /** printf style printing to the ssl connection */ 755 static int 756 ssl_printf(RES* ssl, const char* format, ...) 757 { 758 va_list args; 759 int ret; 760 va_start(args, format); 761 ret = ssl_print_vmsg(ssl, format, args); 762 va_end(args); 763 return ret; 764 } 765 766 static int 767 ssl_read_line(RES* res, char* buf, size_t max) 768 { 769 int r; 770 size_t len = 0; 771 if(!res) 772 return 0; 773 while(len < max) { 774 if(res->ssl) { 775 ERR_clear_error(); 776 if((r=SSL_read(res->ssl, buf+len, 1)) <= 0) { 777 if(SSL_get_error(res->ssl, r) == SSL_ERROR_ZERO_RETURN) { 778 buf[len] = 0; 779 return 1; 780 } 781 log_crypto_err("could not SSL_read"); 782 return 0; 783 } 784 } else { 785 while(1) { 786 ssize_t rr = read(res->fd, buf+len, 1); 787 if(rr <= 0) { 788 if(rr == 0) { 789 buf[len] = 0; 790 return 1; 791 } 792 if(errno == EINTR || errno == EAGAIN) 793 continue; 794 log_msg(LOG_ERR, "could not read: %s", 795 strerror(errno)); 796 return 0; 797 } 798 break; 799 } 800 } 801 if(buf[len] == '\n') { 802 /* return string without \n */ 803 buf[len] = 0; 804 return 1; 805 } 806 len++; 807 } 808 buf[max-1] = 0; 809 log_msg(LOG_ERR, "control line too long (%d): %s", (int)max, buf); 810 return 0; 811 } 812 813 /** skip whitespace, return new pointer into string */ 814 static char* 815 skipwhite(char* str) 816 { 817 /* EOS \0 is not a space */ 818 while( isspace((unsigned char)*str) ) 819 str++; 820 return str; 821 } 822 823 /** send the OK to the control client */ 824 static void 825 send_ok(RES* ssl) 826 { 827 (void)ssl_printf(ssl, "ok\n"); 828 } 829 830 /** get zone argument (if any) or NULL, false on error */ 831 static int 832 get_zone_arg(RES* ssl, xfrd_state_type* xfrd, char* arg, 833 struct zone_options** zo) 834 { 835 const dname_type* dname; 836 if(!arg[0]) { 837 /* no argument present, return NULL */ 838 *zo = NULL; 839 return 1; 840 } 841 dname = dname_parse(xfrd->region, arg); 842 if(!dname) { 843 ssl_printf(ssl, "error cannot parse zone name '%s'\n", arg); 844 *zo = NULL; 845 return 0; 846 } 847 *zo = zone_options_find(xfrd->nsd->options, dname); 848 region_recycle(xfrd->region, (void*)dname, dname_total_size(dname)); 849 if(!*zo) { 850 ssl_printf(ssl, "error zone %s not configured\n", arg); 851 return 0; 852 } 853 return 1; 854 } 855 856 /** do the stop command */ 857 static void 858 do_stop(RES* ssl, xfrd_state_type* xfrd) 859 { 860 xfrd->need_to_send_shutdown = 1; 861 862 if(!(xfrd->ipc_handler_flags&EV_WRITE)) { 863 ipc_xfrd_set_listening(xfrd, EV_PERSIST|EV_READ|EV_WRITE); 864 } 865 866 send_ok(ssl); 867 } 868 869 /** do the log_reopen command, it only needs reload_now */ 870 static void 871 do_log_reopen(RES* ssl, xfrd_state_type* xfrd) 872 { 873 xfrd_set_reload_now(xfrd); 874 send_ok(ssl); 875 } 876 877 /** do the reload command */ 878 static void 879 do_reload(RES* ssl, xfrd_state_type* xfrd, char* arg) 880 { 881 struct zone_options* zo; 882 if(!get_zone_arg(ssl, xfrd, arg, &zo)) 883 return; 884 task_new_check_zonefiles(xfrd->nsd->task[xfrd->nsd->mytask], 885 xfrd->last_task, zo?(const dname_type*)zo->node.key:NULL); 886 xfrd_set_reload_now(xfrd); 887 send_ok(ssl); 888 } 889 890 /** do the write command */ 891 static void 892 do_write(RES* ssl, xfrd_state_type* xfrd, char* arg) 893 { 894 struct zone_options* zo; 895 if(!get_zone_arg(ssl, xfrd, arg, &zo)) 896 return; 897 task_new_write_zonefiles(xfrd->nsd->task[xfrd->nsd->mytask], 898 xfrd->last_task, zo?(const dname_type*)zo->node.key:NULL); 899 xfrd_set_reload_now(xfrd); 900 send_ok(ssl); 901 } 902 903 /** do the notify command */ 904 static void 905 do_notify(RES* ssl, xfrd_state_type* xfrd, char* arg) 906 { 907 struct zone_options* zo; 908 if(!get_zone_arg(ssl, xfrd, arg, &zo)) 909 return; 910 if(zo) { 911 struct notify_zone* n = (struct notify_zone*)rbtree_search( 912 xfrd->notify_zones, (const dname_type*)zo->node.key); 913 if(n) { 914 xfrd_notify_start(n, xfrd); 915 send_ok(ssl); 916 } else { 917 ssl_printf(ssl, "error zone does not have notify\n"); 918 } 919 } else { 920 struct notify_zone* n; 921 RBTREE_FOR(n, struct notify_zone*, xfrd->notify_zones) { 922 xfrd_notify_start(n, xfrd); 923 } 924 send_ok(ssl); 925 } 926 } 927 928 /** do the transfer command */ 929 static void 930 do_transfer(RES* ssl, xfrd_state_type* xfrd, char* arg) 931 { 932 struct zone_options* zo; 933 xfrd_zone_type* zone; 934 if(!get_zone_arg(ssl, xfrd, arg, &zo)) 935 return; 936 if(zo) { 937 zone = (xfrd_zone_type*)rbtree_search(xfrd->zones, (const 938 dname_type*)zo->node.key); 939 if(zone) { 940 xfrd_handle_notify_and_start_xfr(zone, NULL); 941 send_ok(ssl); 942 } else { 943 ssl_printf(ssl, "error zone not slave\n"); 944 } 945 } else { 946 RBTREE_FOR(zone, xfrd_zone_type*, xfrd->zones) { 947 xfrd_handle_notify_and_start_xfr(zone, NULL); 948 } 949 ssl_printf(ssl, "ok, %lu zones\n", (unsigned long)xfrd->zones->count); 950 } 951 } 952 953 /** force transfer a zone */ 954 static void 955 force_transfer_zone(xfrd_zone_type* zone) 956 { 957 /* if in TCP transaction, stop it immediately. */ 958 if(zone->tcp_conn != -1) 959 xfrd_tcp_release(xfrd->tcp_set, zone); 960 else if(zone->zone_handler.ev_fd != -1) 961 xfrd_udp_release(zone); 962 /* pretend we not longer have it and force any 963 * zone to be downloaded (even same serial, w AXFR) */ 964 zone->soa_disk_acquired = 0; 965 zone->soa_nsd_acquired = 0; 966 xfrd_handle_notify_and_start_xfr(zone, NULL); 967 } 968 969 /** do the force transfer command */ 970 static void 971 do_force_transfer(RES* ssl, xfrd_state_type* xfrd, char* arg) 972 { 973 struct zone_options* zo; 974 xfrd_zone_type* zone; 975 if(!get_zone_arg(ssl, xfrd, arg, &zo)) 976 return; 977 if(zo) { 978 zone = (xfrd_zone_type*)rbtree_search(xfrd->zones, (const 979 dname_type*)zo->node.key); 980 if(zone) { 981 force_transfer_zone(zone); 982 send_ok(ssl); 983 } else { 984 ssl_printf(ssl, "error zone not slave\n"); 985 } 986 } else { 987 RBTREE_FOR(zone, xfrd_zone_type*, xfrd->zones) { 988 force_transfer_zone(zone); 989 } 990 ssl_printf(ssl, "ok, %lu zones\n", (unsigned long)xfrd->zones->count); 991 } 992 } 993 994 static int 995 print_soa_status(RES* ssl, const char* str, xfrd_soa_type* soa, time_t acq) 996 { 997 if(acq) { 998 if(!ssl_printf(ssl, " %s: \"%u since %s\"\n", str, 999 (unsigned)ntohl(soa->serial), xfrd_pretty_time(acq))) 1000 return 0; 1001 } else { 1002 if(!ssl_printf(ssl, " %s: none\n", str)) 1003 return 0; 1004 } 1005 return 1; 1006 } 1007 1008 /** print zonestatus for one domain */ 1009 static int 1010 print_zonestatus(RES* ssl, xfrd_state_type* xfrd, struct zone_options* zo) 1011 { 1012 xfrd_zone_type* xz = (xfrd_zone_type*)rbtree_search(xfrd->zones, 1013 (const dname_type*)zo->node.key); 1014 struct notify_zone* nz = (struct notify_zone*)rbtree_search( 1015 xfrd->notify_zones, (const dname_type*)zo->node.key); 1016 if(!ssl_printf(ssl, "zone: %s\n", zo->name)) 1017 return 0; 1018 if(!zo->part_of_config) { 1019 if(!ssl_printf(ssl, " pattern: %s\n", zo->pattern->pname)) 1020 return 0; 1021 } 1022 if(nz) { 1023 if(nz->is_waiting) { 1024 if(!ssl_printf(ssl, " notify: \"waiting-for-fd\"\n")) 1025 return 0; 1026 } else if(nz->notify_send_enable || nz->notify_send6_enable) { 1027 int i; 1028 if(!ssl_printf(ssl, " notify: \"send")) 1029 return 0; 1030 for(i=0; i<NOTIFY_CONCURRENT_MAX; i++) { 1031 if(!nz->pkts[i].dest) continue; 1032 if(!ssl_printf(ssl, " %s", 1033 nz->pkts[i].dest->ip_address_spec)) 1034 return 0; 1035 } 1036 if(!ssl_printf(ssl, " with serial %u\"\n", 1037 (unsigned)ntohl(nz->current_soa->serial))) 1038 return 0; 1039 } 1040 } 1041 if(!xz) { 1042 if(!ssl_printf(ssl, " state: master\n")) 1043 return 0; 1044 return 1; 1045 } 1046 if(!ssl_printf(ssl, " state: %s\n", 1047 (xz->state == xfrd_zone_ok)?"ok":( 1048 (xz->state == xfrd_zone_expired)?"expired":"refreshing"))) 1049 return 0; 1050 if(!print_soa_status(ssl, "served-serial", &xz->soa_nsd, 1051 xz->soa_nsd_acquired)) 1052 return 0; 1053 if(!print_soa_status(ssl, "commit-serial", &xz->soa_disk, 1054 xz->soa_disk_acquired)) 1055 return 0; 1056 if(xz->round_num != -1) { 1057 if(!print_soa_status(ssl, "notified-serial", &xz->soa_notified, 1058 xz->soa_notified_acquired)) 1059 return 0; 1060 } else if(xz->event_added) { 1061 if(!ssl_printf(ssl, "\twait: \"%lu sec between attempts\"\n", 1062 (unsigned long)xz->timeout.tv_sec)) 1063 return 0; 1064 } 1065 1066 /* UDP */ 1067 if(xz->udp_waiting) { 1068 if(!ssl_printf(ssl, " transfer: \"waiting-for-UDP-fd\"\n")) 1069 return 0; 1070 } else if(xz->zone_handler.ev_fd != -1 && xz->tcp_conn == -1) { 1071 if(!ssl_printf(ssl, " transfer: \"sent UDP to %s\"\n", 1072 xz->master->ip_address_spec)) 1073 return 0; 1074 } 1075 1076 /* TCP */ 1077 if(xz->tcp_waiting) { 1078 if(!ssl_printf(ssl, " transfer: \"waiting-for-TCP-fd\"\n")) 1079 return 0; 1080 } else if(xz->tcp_conn != -1) { 1081 if(!ssl_printf(ssl, " transfer: \"TCP connected to %s\"\n", 1082 xz->master->ip_address_spec)) 1083 return 0; 1084 } 1085 1086 return 1; 1087 } 1088 1089 /** do the zonestatus command */ 1090 static void 1091 do_zonestatus(RES* ssl, xfrd_state_type* xfrd, char* arg) 1092 { 1093 struct zone_options* zo; 1094 if(!get_zone_arg(ssl, xfrd, arg, &zo)) 1095 return; 1096 if(zo) (void)print_zonestatus(ssl, xfrd, zo); 1097 else { 1098 RBTREE_FOR(zo, struct zone_options*, 1099 xfrd->nsd->options->zone_options) { 1100 if(!print_zonestatus(ssl, xfrd, zo)) 1101 return; 1102 } 1103 } 1104 } 1105 1106 /** do the verbosity command */ 1107 static void 1108 do_verbosity(RES* ssl, char* str) 1109 { 1110 int val = atoi(str); 1111 if(strcmp(str, "") == 0) { 1112 ssl_printf(ssl, "verbosity %d\n", verbosity); 1113 return; 1114 } 1115 if(val == 0 && strcmp(str, "0") != 0) { 1116 ssl_printf(ssl, "error in verbosity number syntax: %s\n", str); 1117 return; 1118 } 1119 verbosity = val; 1120 task_new_set_verbosity(xfrd->nsd->task[xfrd->nsd->mytask], 1121 xfrd->last_task, val); 1122 xfrd_set_reload_now(xfrd); 1123 send_ok(ssl); 1124 } 1125 1126 /** find second argument, modifies string */ 1127 static int 1128 find_arg2(RES* ssl, char* arg, char** arg2) 1129 { 1130 char* as = strrchr(arg, ' '); 1131 if(as) { 1132 as[0]=0; 1133 *arg2 = as+1; 1134 while(isspace((unsigned char)*as) && as > arg) 1135 as--; 1136 as[0]=0; 1137 return 1; 1138 } 1139 *arg2 = NULL; 1140 ssl_printf(ssl, "error could not find next argument " 1141 "after %s\n", arg); 1142 return 0; 1143 } 1144 1145 /** find second and third arguments, modifies string, 1146 * does not print error for missing arg3 so that if it does not find an 1147 * arg3, the caller can use two arguments. */ 1148 static int 1149 find_arg3(RES* ssl, char* arg, char** arg2, char** arg3) 1150 { 1151 if(find_arg2(ssl, arg, arg2)) { 1152 char* as; 1153 *arg3 = *arg2; 1154 as = strrchr(arg, ' '); 1155 if(as) { 1156 as[0]=0; 1157 *arg2 = as+1; 1158 while(isspace((unsigned char)*as) && as > arg) 1159 as--; 1160 as[0]=0; 1161 return 1; 1162 } 1163 } 1164 *arg3 = NULL; 1165 return 0; 1166 } 1167 1168 /** do the status command */ 1169 static void 1170 do_status(RES* ssl, xfrd_state_type* xfrd) 1171 { 1172 if(!ssl_printf(ssl, "version: %s\n", PACKAGE_VERSION)) 1173 return; 1174 if(!ssl_printf(ssl, "verbosity: %d\n", verbosity)) 1175 return; 1176 #ifdef RATELIMIT 1177 if(!ssl_printf(ssl, "ratelimit: %d\n", 1178 (int)xfrd->nsd->options->rrl_ratelimit)) 1179 return; 1180 #else 1181 (void)xfrd; 1182 #endif 1183 } 1184 1185 /** do the stats command */ 1186 static void 1187 do_stats(struct daemon_remote* rc, int peek, struct rc_state* rs) 1188 { 1189 #ifdef BIND8_STATS 1190 /* queue up to get stats after a reload is done (to gather statistics 1191 * from the servers) */ 1192 assert(!rs->in_stats_list); 1193 if(peek) rs->in_stats_list = 2; 1194 else rs->in_stats_list = 1; 1195 rs->stats_next = rc->stats_list; 1196 rc->stats_list = rs; 1197 /* block the tcp waiting for the reload */ 1198 event_del(&rs->c); 1199 rs->event_added = 0; 1200 /* force a reload */ 1201 xfrd_set_reload_now(xfrd); 1202 #else 1203 (void)rc; (void)peek; 1204 (void)ssl_printf(rs->ssl, "error no stats enabled at compile time\n"); 1205 #endif /* BIND8_STATS */ 1206 } 1207 1208 /** see if we have more zonestatistics entries and it has to be incremented */ 1209 static void 1210 zonestat_inc_ifneeded(xfrd_state_type* xfrd) 1211 { 1212 #ifdef USE_ZONE_STATS 1213 if(xfrd->nsd->options->zonestatnames->count != xfrd->zonestat_safe) 1214 task_new_zonestat_inc(xfrd->nsd->task[xfrd->nsd->mytask], 1215 xfrd->last_task, 1216 xfrd->nsd->options->zonestatnames->count); 1217 #else 1218 (void)xfrd; 1219 #endif /* USE_ZONE_STATS */ 1220 } 1221 1222 /** perform the changezone command for one zone */ 1223 static int 1224 perform_changezone(RES* ssl, xfrd_state_type* xfrd, char* arg) 1225 { 1226 const dname_type* dname; 1227 struct zone_options* zopt; 1228 char* arg2 = NULL; 1229 if(!find_arg2(ssl, arg, &arg2)) 1230 return 0; 1231 1232 /* if we add it to the xfrd now, then xfrd could download AXFR and 1233 * store it and the NSD-reload would see it in the difffile before 1234 * it sees the add-config task. 1235 */ 1236 /* thus: AXFRs and IXFRs must store the pattern name in the 1237 * difffile, so that it can be added when the AXFR or IXFR is seen. 1238 */ 1239 1240 /* check that the pattern exists */ 1241 if(!rbtree_search(xfrd->nsd->options->patterns, arg2)) { 1242 (void)ssl_printf(ssl, "error pattern %s does not exist\n", 1243 arg2); 1244 return 0; 1245 } 1246 1247 dname = dname_parse(xfrd->region, arg); 1248 if(!dname) { 1249 (void)ssl_printf(ssl, "error cannot parse zone name\n"); 1250 return 0; 1251 } 1252 1253 /* see if zone is a duplicate */ 1254 if( (zopt=zone_options_find(xfrd->nsd->options, dname)) ) { 1255 if(zopt->part_of_config) { 1256 (void)ssl_printf(ssl, "error zone defined in nsd.conf, " 1257 "cannot delete it in this manner: remove it from " 1258 "nsd.conf yourself and repattern\n"); 1259 region_recycle(xfrd->region, (void*)dname, dname_total_size(dname)); 1260 dname = NULL; 1261 return 0; 1262 } 1263 /* found the zone, now delete it */ 1264 /* create deletion task */ 1265 /* this deletion task is processed before the addition task, 1266 * that is created below, in the same reload process, causing 1267 * a seamless change from one to the other, with no downtime 1268 * for the zone. */ 1269 task_new_del_zone(xfrd->nsd->task[xfrd->nsd->mytask], 1270 xfrd->last_task, dname); 1271 xfrd_set_reload_now(xfrd); 1272 /* delete it in xfrd */ 1273 if(zone_is_slave(zopt)) { 1274 xfrd_del_slave_zone(xfrd, dname); 1275 } 1276 xfrd_del_notify(xfrd, dname); 1277 /* delete from config */ 1278 zone_list_del(xfrd->nsd->options, zopt); 1279 } else { 1280 (void)ssl_printf(ssl, "zone %s did not exist, creating", arg); 1281 } 1282 region_recycle(xfrd->region, (void*)dname, dname_total_size(dname)); 1283 dname = NULL; 1284 1285 /* add to zonelist and adds to config in memory */ 1286 zopt = zone_list_add(xfrd->nsd->options, arg, arg2); 1287 if(!zopt) { 1288 /* also dname parse error here */ 1289 (void)ssl_printf(ssl, "error could not add zonelist entry\n"); 1290 return 0; 1291 } 1292 /* make addzone task and schedule reload */ 1293 task_new_add_zone(xfrd->nsd->task[xfrd->nsd->mytask], 1294 xfrd->last_task, arg, arg2, 1295 getzonestatid(xfrd->nsd->options, zopt)); 1296 zonestat_inc_ifneeded(xfrd); 1297 xfrd_set_reload_now(xfrd); 1298 /* add to xfrd - notify (for master and slaves) */ 1299 init_notify_send(xfrd->notify_zones, xfrd->region, zopt); 1300 /* add to xfrd - slave */ 1301 if(zone_is_slave(zopt)) { 1302 xfrd_init_slave_zone(xfrd, zopt); 1303 } 1304 return 1; 1305 } 1306 1307 /** perform the addzone command for one zone */ 1308 static int 1309 perform_addzone(RES* ssl, xfrd_state_type* xfrd, char* arg) 1310 { 1311 const dname_type* dname; 1312 struct zone_options* zopt; 1313 char* arg2 = NULL; 1314 if(!find_arg2(ssl, arg, &arg2)) 1315 return 0; 1316 1317 /* if we add it to the xfrd now, then xfrd could download AXFR and 1318 * store it and the NSD-reload would see it in the difffile before 1319 * it sees the add-config task. 1320 */ 1321 /* thus: AXFRs and IXFRs must store the pattern name in the 1322 * difffile, so that it can be added when the AXFR or IXFR is seen. 1323 */ 1324 1325 /* check that the pattern exists */ 1326 if(!rbtree_search(xfrd->nsd->options->patterns, arg2)) { 1327 (void)ssl_printf(ssl, "error pattern %s does not exist\n", 1328 arg2); 1329 return 0; 1330 } 1331 1332 dname = dname_parse(xfrd->region, arg); 1333 if(!dname) { 1334 (void)ssl_printf(ssl, "error cannot parse zone name\n"); 1335 return 0; 1336 } 1337 1338 /* see if zone is a duplicate */ 1339 if( (zopt=zone_options_find(xfrd->nsd->options, dname)) ) { 1340 region_recycle(xfrd->region, (void*)dname, 1341 dname_total_size(dname)); 1342 (void)ssl_printf(ssl, "zone %s already exists\n", arg); 1343 return 1; 1344 } 1345 region_recycle(xfrd->region, (void*)dname, dname_total_size(dname)); 1346 dname = NULL; 1347 1348 /* add to zonelist and adds to config in memory */ 1349 zopt = zone_list_add(xfrd->nsd->options, arg, arg2); 1350 if(!zopt) { 1351 /* also dname parse error here */ 1352 (void)ssl_printf(ssl, "error could not add zonelist entry\n"); 1353 return 0; 1354 } 1355 /* make addzone task and schedule reload */ 1356 task_new_add_zone(xfrd->nsd->task[xfrd->nsd->mytask], 1357 xfrd->last_task, arg, arg2, 1358 getzonestatid(xfrd->nsd->options, zopt)); 1359 zonestat_inc_ifneeded(xfrd); 1360 xfrd_set_reload_now(xfrd); 1361 /* add to xfrd - notify (for master and slaves) */ 1362 init_notify_send(xfrd->notify_zones, xfrd->region, zopt); 1363 /* add to xfrd - slave */ 1364 if(zone_is_slave(zopt)) { 1365 xfrd_init_slave_zone(xfrd, zopt); 1366 } 1367 return 1; 1368 } 1369 1370 /** perform the delzone command for one zone */ 1371 static int 1372 perform_delzone(RES* ssl, xfrd_state_type* xfrd, char* arg) 1373 { 1374 const dname_type* dname; 1375 struct zone_options* zopt; 1376 1377 dname = dname_parse(xfrd->region, arg); 1378 if(!dname) { 1379 (void)ssl_printf(ssl, "error cannot parse zone name\n"); 1380 return 0; 1381 } 1382 1383 /* see if we have the zone in question */ 1384 zopt = zone_options_find(xfrd->nsd->options, dname); 1385 if(!zopt) { 1386 region_recycle(xfrd->region, (void*)dname, 1387 dname_total_size(dname)); 1388 /* nothing to do */ 1389 if(!ssl_printf(ssl, "warning zone %s not present\n", arg)) 1390 return 0; 1391 return 0; 1392 } 1393 1394 /* see if it can be deleted */ 1395 if(zopt->part_of_config) { 1396 region_recycle(xfrd->region, (void*)dname, 1397 dname_total_size(dname)); 1398 (void)ssl_printf(ssl, "error zone defined in nsd.conf, " 1399 "cannot delete it in this manner: remove it from " 1400 "nsd.conf yourself and repattern\n"); 1401 return 0; 1402 } 1403 1404 /* create deletion task */ 1405 task_new_del_zone(xfrd->nsd->task[xfrd->nsd->mytask], 1406 xfrd->last_task, dname); 1407 xfrd_set_reload_now(xfrd); 1408 /* delete it in xfrd */ 1409 if(zone_is_slave(zopt)) { 1410 xfrd_del_slave_zone(xfrd, dname); 1411 } 1412 xfrd_del_notify(xfrd, dname); 1413 /* delete from config */ 1414 zone_list_del(xfrd->nsd->options, zopt); 1415 1416 region_recycle(xfrd->region, (void*)dname, dname_total_size(dname)); 1417 return 1; 1418 } 1419 1420 /** do the addzone command */ 1421 static void 1422 do_addzone(RES* ssl, xfrd_state_type* xfrd, char* arg) 1423 { 1424 if(!perform_addzone(ssl, xfrd, arg)) 1425 return; 1426 send_ok(ssl); 1427 } 1428 1429 /** do the delzone command */ 1430 static void 1431 do_delzone(RES* ssl, xfrd_state_type* xfrd, char* arg) 1432 { 1433 if(!perform_delzone(ssl, xfrd, arg)) 1434 return; 1435 send_ok(ssl); 1436 } 1437 1438 /** do the changezone command */ 1439 static void 1440 do_changezone(RES* ssl, xfrd_state_type* xfrd, char* arg) 1441 { 1442 if(!perform_changezone(ssl, xfrd, arg)) 1443 return; 1444 send_ok(ssl); 1445 } 1446 1447 /** do the addzones command */ 1448 static void 1449 do_addzones(RES* ssl, xfrd_state_type* xfrd) 1450 { 1451 char buf[2048]; 1452 int num = 0; 1453 while(ssl_read_line(ssl, buf, sizeof(buf))) { 1454 if(buf[0] == 0x04 && buf[1] == 0) 1455 break; /* end of transmission */ 1456 if(!perform_addzone(ssl, xfrd, buf)) { 1457 if(!ssl_printf(ssl, "error for input line '%s'\n", 1458 buf)) 1459 return; 1460 } else { 1461 if(!ssl_printf(ssl, "added: %s\n", buf)) 1462 return; 1463 num++; 1464 } 1465 } 1466 (void)ssl_printf(ssl, "added %d zones\n", num); 1467 } 1468 1469 /** do the delzones command */ 1470 static void 1471 do_delzones(RES* ssl, xfrd_state_type* xfrd) 1472 { 1473 char buf[2048]; 1474 int num = 0; 1475 while(ssl_read_line(ssl, buf, sizeof(buf))) { 1476 if(buf[0] == 0x04 && buf[1] == 0) 1477 break; /* end of transmission */ 1478 if(!perform_delzone(ssl, xfrd, buf)) { 1479 if(!ssl_printf(ssl, "error for input line '%s'\n", 1480 buf)) 1481 return; 1482 } else { 1483 if(!ssl_printf(ssl, "removed: %s\n", buf)) 1484 return; 1485 num++; 1486 } 1487 } 1488 (void)ssl_printf(ssl, "deleted %d zones\n", num); 1489 } 1490 1491 1492 /** remove TSIG key from config and add task so that reload does too */ 1493 static void remove_key(xfrd_state_type* xfrd, const char* kname) 1494 { 1495 /* add task before deletion because the name string could be deleted */ 1496 task_new_del_key(xfrd->nsd->task[xfrd->nsd->mytask], xfrd->last_task, 1497 kname); 1498 key_options_remove(xfrd->nsd->options, kname); 1499 xfrd_set_reload_now(xfrd); /* this is executed when the current control 1500 command ends, thus the entire config changes are bunched up */ 1501 } 1502 1503 /** add TSIG key to config and add task so that reload does too */ 1504 static void add_key(xfrd_state_type* xfrd, struct key_options* k) 1505 { 1506 key_options_add_modify(xfrd->nsd->options, k); 1507 task_new_add_key(xfrd->nsd->task[xfrd->nsd->mytask], xfrd->last_task, 1508 k); 1509 xfrd_set_reload_now(xfrd); 1510 } 1511 1512 /** check if keys have changed */ 1513 static void repat_keys(xfrd_state_type* xfrd, struct nsd_options* newopt) 1514 { 1515 struct nsd_options* oldopt = xfrd->nsd->options; 1516 struct key_options* k; 1517 /* find deleted keys */ 1518 k = (struct key_options*)rbtree_first(oldopt->keys); 1519 while((rbnode_type*)k != RBTREE_NULL) { 1520 struct key_options* next = (struct key_options*)rbtree_next( 1521 (rbnode_type*)k); 1522 if(!key_options_find(newopt, k->name)) 1523 remove_key(xfrd, k->name); 1524 k = next; 1525 } 1526 /* find added or changed keys */ 1527 RBTREE_FOR(k, struct key_options*, newopt->keys) { 1528 struct key_options* origk = key_options_find(oldopt, k->name); 1529 if(!origk) 1530 add_key(xfrd, k); 1531 else if(!key_options_equal(k, origk)) 1532 add_key(xfrd, k); 1533 } 1534 } 1535 1536 /** find zone given the implicit pattern */ 1537 static const dname_type* 1538 parse_implicit_name(xfrd_state_type* xfrd,const char* pname) 1539 { 1540 if(strncmp(pname, PATTERN_IMPLICIT_MARKER, 1541 strlen(PATTERN_IMPLICIT_MARKER)) != 0) 1542 return NULL; 1543 return dname_parse(xfrd->region, pname + 1544 strlen(PATTERN_IMPLICIT_MARKER)); 1545 } 1546 1547 /** remove cfgzone and add task so that reload does too */ 1548 static void 1549 remove_cfgzone(xfrd_state_type* xfrd, const char* pname) 1550 { 1551 /* dname and find the zone for the implicit pattern */ 1552 struct zone_options* zopt = NULL; 1553 const dname_type* dname = parse_implicit_name(xfrd, pname); 1554 if(!dname) { 1555 /* should have a parseable name, but it did not */ 1556 return; 1557 } 1558 1559 /* find the zone entry for the implicit pattern */ 1560 zopt = zone_options_find(xfrd->nsd->options, dname); 1561 if(!zopt) { 1562 /* this should not happen; implicit pattern has zone entry */ 1563 region_recycle(xfrd->region, (void*)dname, 1564 dname_total_size(dname)); 1565 return; 1566 } 1567 1568 /* create deletion task */ 1569 task_new_del_zone(xfrd->nsd->task[xfrd->nsd->mytask], 1570 xfrd->last_task, dname); 1571 xfrd_set_reload_now(xfrd); 1572 /* delete it in xfrd */ 1573 if(zone_is_slave(zopt)) { 1574 xfrd_del_slave_zone(xfrd, dname); 1575 } 1576 xfrd_del_notify(xfrd, dname); 1577 1578 /* delete from zoneoptions */ 1579 zone_options_delete(xfrd->nsd->options, zopt); 1580 1581 /* recycle parsed dname */ 1582 region_recycle(xfrd->region, (void*)dname, dname_total_size(dname)); 1583 } 1584 1585 /** add cfgzone and add task so that reload does too */ 1586 static void 1587 add_cfgzone(xfrd_state_type* xfrd, const char* pname) 1588 { 1589 /* add to our zonelist */ 1590 struct zone_options* zopt = zone_options_create( 1591 xfrd->nsd->options->region); 1592 if(!zopt) 1593 return; 1594 zopt->part_of_config = 1; 1595 zopt->name = region_strdup(xfrd->nsd->options->region, 1596 pname + strlen(PATTERN_IMPLICIT_MARKER)); 1597 zopt->pattern = pattern_options_find(xfrd->nsd->options, pname); 1598 if(!zopt->name || !zopt->pattern) 1599 return; 1600 if(!nsd_options_insert_zone(xfrd->nsd->options, zopt)) { 1601 log_msg(LOG_ERR, "bad domain name or duplicate zone '%s' " 1602 "pattern %s", zopt->name, pname); 1603 } 1604 1605 /* make addzone task and schedule reload */ 1606 task_new_add_zone(xfrd->nsd->task[xfrd->nsd->mytask], 1607 xfrd->last_task, zopt->name, pname, 1608 getzonestatid(xfrd->nsd->options, zopt)); 1609 /* zonestat_inc is done after the entire config file has been done */ 1610 xfrd_set_reload_now(xfrd); 1611 /* add to xfrd - notify (for master and slaves) */ 1612 init_notify_send(xfrd->notify_zones, xfrd->region, zopt); 1613 /* add to xfrd - slave */ 1614 if(zone_is_slave(zopt)) { 1615 xfrd_init_slave_zone(xfrd, zopt); 1616 } 1617 } 1618 1619 /** remove pattern and add task so that reload does too */ 1620 static void 1621 remove_pat(xfrd_state_type* xfrd, const char* name) 1622 { 1623 /* add task before deletion, because name-string could be deleted */ 1624 task_new_del_pattern(xfrd->nsd->task[xfrd->nsd->mytask], 1625 xfrd->last_task, name); 1626 pattern_options_remove(xfrd->nsd->options, name); 1627 xfrd_set_reload_now(xfrd); 1628 } 1629 1630 /** add pattern and add task so that reload does too */ 1631 static void 1632 add_pat(xfrd_state_type* xfrd, struct pattern_options* p) 1633 { 1634 pattern_options_add_modify(xfrd->nsd->options, p); 1635 task_new_add_pattern(xfrd->nsd->task[xfrd->nsd->mytask], 1636 xfrd->last_task, p); 1637 xfrd_set_reload_now(xfrd); 1638 } 1639 1640 /** interrupt zones that are using changed or removed patterns */ 1641 static void 1642 repat_interrupt_zones(xfrd_state_type* xfrd, struct nsd_options* newopt) 1643 { 1644 /* if masterlist changed: 1645 * interrupt slave zone (UDP or TCP) transfers. 1646 * slave zones reset master to start of list. 1647 */ 1648 xfrd_zone_type* xz; 1649 struct notify_zone* nz; 1650 RBTREE_FOR(xz, xfrd_zone_type*, xfrd->zones) { 1651 struct pattern_options* oldp = xz->zone_options->pattern; 1652 struct pattern_options* newp = pattern_options_find(newopt, 1653 oldp->pname); 1654 if(!newp || !acl_list_equal(oldp->request_xfr, 1655 newp->request_xfr)) { 1656 /* interrupt transfer */ 1657 if(xz->tcp_conn != -1) { 1658 xfrd_tcp_release(xfrd->tcp_set, xz); 1659 xfrd_set_refresh_now(xz); 1660 } else if(xz->zone_handler.ev_fd != -1) { 1661 xfrd_udp_release(xz); 1662 xfrd_set_refresh_now(xz); 1663 } 1664 xz->master = 0; 1665 xz->master_num = 0; 1666 xz->next_master = -1; 1667 xz->round_num = -1; /* fresh set of retries */ 1668 } 1669 } 1670 /* if notify list changed: 1671 * interrupt notify that is busy. 1672 * reset notify to start of list. (clear all other reset_notify) 1673 */ 1674 RBTREE_FOR(nz, struct notify_zone*, xfrd->notify_zones) { 1675 struct pattern_options* oldp = nz->options->pattern; 1676 struct pattern_options* newp = pattern_options_find(newopt, 1677 oldp->pname); 1678 if(!newp || !acl_list_equal(oldp->notify, newp->notify)) { 1679 /* interrupt notify */ 1680 if(nz->notify_send_enable) { 1681 notify_disable(nz); 1682 /* set to restart the notify after the 1683 * pattern has been changed. */ 1684 nz->notify_restart = 2; 1685 } else { 1686 nz->notify_restart = 1; 1687 } 1688 } else { 1689 nz->notify_restart = 0; 1690 } 1691 } 1692 } 1693 1694 /** for notify, after the pattern changes, restart the affected notifies */ 1695 static void 1696 repat_interrupt_notify_start(xfrd_state_type* xfrd) 1697 { 1698 struct notify_zone* nz; 1699 RBTREE_FOR(nz, struct notify_zone*, xfrd->notify_zones) { 1700 if(nz->notify_restart) { 1701 if(nz->notify_current) 1702 nz->notify_current = nz->options->pattern->notify; 1703 if(nz->notify_restart == 2) { 1704 if(nz->notify_restart) 1705 xfrd_notify_start(nz, xfrd); 1706 } 1707 } 1708 } 1709 } 1710 1711 /** check if patterns have changed */ 1712 static void 1713 repat_patterns(xfrd_state_type* xfrd, struct nsd_options* newopt) 1714 { 1715 /* zones that use changed patterns must have: 1716 * - their AXFR/IXFR interrupted: try again, acl may have changed. 1717 * if the old master/key still exists, OK, fix master-numptrs and 1718 * keep going. Otherwise, stop xfer and reset TSIG. 1719 * - send NOTIFY reset to start of NOTIFY list (and TSIG reset). 1720 */ 1721 struct nsd_options* oldopt = xfrd->nsd->options; 1722 struct pattern_options* p; 1723 int search_zones = 0; 1724 1725 repat_interrupt_zones(xfrd, newopt); 1726 /* find deleted patterns */ 1727 p = (struct pattern_options*)rbtree_first(oldopt->patterns); 1728 while((rbnode_type*)p != RBTREE_NULL) { 1729 struct pattern_options* next = (struct pattern_options*) 1730 rbtree_next((rbnode_type*)p); 1731 if(!pattern_options_find(newopt, p->pname)) { 1732 if(p->implicit) { 1733 /* first remove its zone */ 1734 VERBOSITY(1, (LOG_INFO, "zone removed from config: %s", p->pname + strlen(PATTERN_IMPLICIT_MARKER))); 1735 remove_cfgzone(xfrd, p->pname); 1736 } 1737 remove_pat(xfrd, p->pname); 1738 } 1739 p = next; 1740 } 1741 /* find added or changed patterns */ 1742 RBTREE_FOR(p, struct pattern_options*, newopt->patterns) { 1743 struct pattern_options* origp = pattern_options_find(oldopt, 1744 p->pname); 1745 if(!origp) { 1746 /* no zones can use it, no zone_interrupt needed */ 1747 add_pat(xfrd, p); 1748 if(p->implicit) { 1749 VERBOSITY(1, (LOG_INFO, "zone added to config: %s", p->pname + strlen(PATTERN_IMPLICIT_MARKER))); 1750 add_cfgzone(xfrd, p->pname); 1751 } 1752 } else if(!pattern_options_equal(p, origp)) { 1753 uint8_t newstate = 0; 1754 if (p->request_xfr && !origp->request_xfr) { 1755 newstate = REPAT_SLAVE; 1756 } else if (!p->request_xfr && origp->request_xfr) { 1757 newstate = REPAT_MASTER; 1758 } 1759 add_pat(xfrd, p); 1760 if (p->implicit && newstate) { 1761 const dname_type* dname = 1762 parse_implicit_name(xfrd, p->pname); 1763 if (dname) { 1764 if (newstate == REPAT_SLAVE) { 1765 struct zone_options* zopt = 1766 zone_options_find( 1767 oldopt, dname); 1768 if (zopt) { 1769 xfrd_init_slave_zone( 1770 xfrd, zopt); 1771 } 1772 } else if (newstate == REPAT_MASTER) { 1773 xfrd_del_slave_zone(xfrd, 1774 dname); 1775 } 1776 region_recycle(xfrd->region, 1777 (void*)dname, 1778 dname_total_size(dname)); 1779 } 1780 } else if(!p->implicit && newstate) { 1781 /* search all zones with this pattern */ 1782 search_zones = 1; 1783 origp->xfrd_flags = newstate; 1784 } 1785 } 1786 } 1787 if (search_zones) { 1788 struct zone_options* zone_opt; 1789 /* search in oldopt because 1) it contains zonelist zones, 1790 * and 2) you need oldopt(existing) to call xfrd_init */ 1791 RBTREE_FOR(zone_opt, struct zone_options*, oldopt->zone_options) { 1792 struct pattern_options* oldp = zone_opt->pattern; 1793 if (!oldp->implicit) { 1794 if (oldp->xfrd_flags == REPAT_SLAVE) { 1795 /* xfrd needs stable reference so get 1796 * it from the oldopt(modified) tree */ 1797 xfrd_init_slave_zone(xfrd, zone_opt); 1798 } else if (oldp->xfrd_flags == REPAT_MASTER) { 1799 xfrd_del_slave_zone(xfrd, 1800 (const dname_type*) 1801 zone_opt->node.key); 1802 } 1803 oldp->xfrd_flags = 0; 1804 } 1805 } 1806 } 1807 repat_interrupt_notify_start(xfrd); 1808 } 1809 1810 /** true if options are different that can be set via repat. */ 1811 static int 1812 repat_options_changed(xfrd_state_type* xfrd, struct nsd_options* newopt) 1813 { 1814 #ifdef RATELIMIT 1815 if(xfrd->nsd->options->rrl_ratelimit != newopt->rrl_ratelimit) 1816 return 1; 1817 if(xfrd->nsd->options->rrl_whitelist_ratelimit != newopt->rrl_whitelist_ratelimit) 1818 return 1; 1819 if(xfrd->nsd->options->rrl_slip != newopt->rrl_slip) 1820 return 1; 1821 #else 1822 (void)xfrd; (void)newopt; 1823 #endif 1824 return 0; 1825 } 1826 1827 /** check if global options have changed */ 1828 static void 1829 repat_options(xfrd_state_type* xfrd, struct nsd_options* newopt) 1830 { 1831 if(repat_options_changed(xfrd, newopt)) { 1832 /* update our options */ 1833 #ifdef RATELIMIT 1834 xfrd->nsd->options->rrl_ratelimit = newopt->rrl_ratelimit; 1835 xfrd->nsd->options->rrl_whitelist_ratelimit = newopt->rrl_whitelist_ratelimit; 1836 xfrd->nsd->options->rrl_slip = newopt->rrl_slip; 1837 #endif 1838 task_new_opt_change(xfrd->nsd->task[xfrd->nsd->mytask], 1839 xfrd->last_task, newopt); 1840 xfrd_set_reload_now(xfrd); 1841 } 1842 } 1843 1844 /** print errors over ssl, gets pointer-to-pointer to ssl, so it can set 1845 * the pointer to NULL on failure and stop printing */ 1846 static void 1847 print_ssl_cfg_err(void* arg, const char* str) 1848 { 1849 RES** ssl = (RES**)arg; 1850 if(!*ssl) return; 1851 if(!ssl_printf(*ssl, "%s", str)) 1852 *ssl = NULL; /* failed, stop printing */ 1853 } 1854 1855 /** do the repattern command: reread config file and apply keys, patterns */ 1856 static void 1857 do_repattern(RES* ssl, xfrd_state_type* xfrd) 1858 { 1859 region_type* region = region_create(xalloc, free); 1860 struct nsd_options* opt; 1861 const char* cfgfile = xfrd->nsd->options->configfile; 1862 1863 /* check chroot and configfile, if possible to reread */ 1864 if(xfrd->nsd->chrootdir) { 1865 size_t l = strlen(xfrd->nsd->chrootdir); 1866 while(l>0 && xfrd->nsd->chrootdir[l-1] == '/') 1867 --l; 1868 if(strncmp(xfrd->nsd->chrootdir, cfgfile, l) != 0) { 1869 ssl_printf(ssl, "error %s is not relative to %s: " 1870 "chroot prevents reread of config\n", 1871 cfgfile, xfrd->nsd->chrootdir); 1872 region_destroy(region); 1873 return; 1874 } 1875 cfgfile += l; 1876 } 1877 1878 ssl_printf(ssl, "reconfig start, read %s\n", cfgfile); 1879 opt = nsd_options_create(region); 1880 if(!parse_options_file(opt, cfgfile, &print_ssl_cfg_err, &ssl)) { 1881 /* error already printed */ 1882 region_destroy(region); 1883 return; 1884 } 1885 /* check for differences in TSIG keys and patterns, and apply, 1886 * first the keys, so that pattern->keyptr can be set right. */ 1887 repat_keys(xfrd, opt); 1888 repat_patterns(xfrd, opt); 1889 repat_options(xfrd, opt); 1890 zonestat_inc_ifneeded(xfrd); 1891 send_ok(ssl); 1892 region_destroy(region); 1893 } 1894 1895 /** do the serverpid command: printout pid of server process */ 1896 static void 1897 do_serverpid(RES* ssl, xfrd_state_type* xfrd) 1898 { 1899 (void)ssl_printf(ssl, "%u\n", (unsigned)xfrd->reload_pid); 1900 } 1901 1902 /** do the print_tsig command: printout tsig info */ 1903 static void 1904 do_print_tsig(RES* ssl, xfrd_state_type* xfrd, char* arg) 1905 { 1906 if(*arg == '\0') { 1907 struct key_options* key; 1908 RBTREE_FOR(key, struct key_options*, xfrd->nsd->options->keys) { 1909 if(!ssl_printf(ssl, "key: name: \"%s\" secret: \"%s\" algorithm: %s\n", key->name, key->secret, key->algorithm)) 1910 return; 1911 } 1912 return; 1913 } else { 1914 struct key_options* key_opts = key_options_find(xfrd->nsd->options, arg); 1915 if(!key_opts) { 1916 if(!ssl_printf(ssl, "error: no such key with name: %s\n", arg)) 1917 return; 1918 return; 1919 } else { 1920 if(!ssl_printf(ssl, "key: name: \"%s\" secret: \"%s\" algorithm: %s\n", arg, key_opts->secret, key_opts->algorithm)) 1921 return; 1922 } 1923 } 1924 } 1925 1926 /** do the update_tsig command: change existing tsig to new secret */ 1927 static void 1928 do_update_tsig(RES* ssl, xfrd_state_type* xfrd, char* arg) 1929 { 1930 struct region* region = xfrd->nsd->options->region; 1931 char* arg2 = NULL; 1932 uint8_t data[65536]; /* 64K */ 1933 struct key_options* key_opt; 1934 1935 if(*arg == '\0') { 1936 if(!ssl_printf(ssl, "error: missing argument (keyname)\n")) 1937 return; 1938 return; 1939 } 1940 if(!find_arg2(ssl, arg, &arg2)) { 1941 if(!ssl_printf(ssl, "error: missing argument (secret)\n")) 1942 return; 1943 return; 1944 } 1945 key_opt = key_options_find(xfrd->nsd->options, arg); 1946 if(!key_opt) { 1947 if(!ssl_printf(ssl, "error: no such key with name: %s\n", arg)) 1948 return; 1949 memset(arg2, 0xdd, strlen(arg2)); 1950 return; 1951 } 1952 if(__b64_pton(arg2, data, sizeof(data)) == -1) { 1953 if(!ssl_printf(ssl, "error: the secret: %s is not in b64 format\n", arg2)) 1954 return; 1955 memset(data, 0xdd, sizeof(data)); /* wipe secret */ 1956 memset(arg2, 0xdd, strlen(arg2)); 1957 return; 1958 } 1959 log_msg(LOG_INFO, "changing secret provided with the key: %s with old secret %s and algo: %s\n", arg, key_opt->secret, key_opt->algorithm); 1960 if(key_opt->secret) { 1961 /* wipe old secret */ 1962 memset(key_opt->secret, 0xdd, strlen(key_opt->secret)); 1963 region_recycle(region, key_opt->secret, 1964 strlen(key_opt->secret)+1); 1965 } 1966 key_opt->secret = region_strdup(region, arg2); 1967 log_msg(LOG_INFO, "the key: %s has new secret %s and algorithm: %s\n", arg, key_opt->secret, key_opt->algorithm); 1968 /* wipe secret from temp parse buffer */ 1969 memset(arg2, 0xdd, strlen(arg2)); 1970 memset(data, 0xdd, sizeof(data)); 1971 1972 key_options_desetup(region, key_opt); 1973 key_options_setup(region, key_opt); 1974 task_new_add_key(xfrd->nsd->task[xfrd->nsd->mytask], xfrd->last_task, 1975 key_opt); 1976 xfrd_set_reload_now(xfrd); 1977 1978 send_ok(ssl); 1979 } 1980 1981 /** do the add tsig command, add new key with name, secret and algo given */ 1982 static void 1983 do_add_tsig(RES* ssl, xfrd_state_type* xfrd, char* arg) 1984 { 1985 char* arg2 = NULL; 1986 char* arg3 = NULL; 1987 uint8_t data[65536]; /* 64KB */ 1988 uint8_t dname[MAXDOMAINLEN+1]; 1989 char algo[256]; 1990 region_type* region = xfrd->nsd->options->region; 1991 struct key_options* new_key_opt; 1992 1993 if(*arg == '\0') { 1994 if(!ssl_printf(ssl, "error: missing argument (keyname)\n")) 1995 return; 1996 return; 1997 } 1998 if(!find_arg3(ssl, arg, &arg2, &arg3)) { 1999 strlcpy(algo, "hmac-sha256", sizeof(algo)); 2000 } else { 2001 strlcpy(algo, arg3, sizeof(algo)); 2002 } 2003 if(!arg2) { 2004 if(!ssl_printf(ssl, "error: missing argument (secret)\n")) 2005 return; 2006 return; 2007 } 2008 if(key_options_find(xfrd->nsd->options, arg)) { 2009 if(!ssl_printf(ssl, "error: key %s already exists\n", arg)) 2010 return; 2011 memset(arg2, 0xdd, strlen(arg2)); 2012 return; 2013 } 2014 if(__b64_pton(arg2, data, sizeof(data)) == -1) { 2015 if(!ssl_printf(ssl, "error: the secret: %s is not in b64 format\n", arg2)) 2016 return; 2017 memset(data, 0xdd, sizeof(data)); /* wipe secret */ 2018 memset(arg2, 0xdd, strlen(arg2)); 2019 return; 2020 } 2021 memset(data, 0xdd, sizeof(data)); /* wipe secret from temp buffer */ 2022 if(!dname_parse_wire(dname, arg)) { 2023 if(!ssl_printf(ssl, "error: could not parse key name: %s\n", arg)) 2024 return; 2025 memset(arg2, 0xdd, strlen(arg2)); 2026 return; 2027 } 2028 if(tsig_get_algorithm_by_name(algo) == NULL) { 2029 if(!ssl_printf(ssl, "error: unknown algorithm: %s\n", algo)) 2030 return; 2031 memset(arg2, 0xdd, strlen(arg2)); 2032 return; 2033 } 2034 log_msg(LOG_INFO, "adding key with name: %s and secret: %s with algo: %s\n", arg, arg2, algo); 2035 new_key_opt = key_options_create(region); 2036 new_key_opt->name = region_strdup(region, arg); 2037 new_key_opt->secret = region_strdup(region, arg2); 2038 new_key_opt->algorithm = region_strdup(region, algo); 2039 add_key(xfrd, new_key_opt); 2040 2041 /* wipe secret from temp buffer */ 2042 memset(arg2, 0xdd, strlen(arg2)); 2043 send_ok(ssl); 2044 } 2045 2046 /** set acl entries to use the given TSIG key */ 2047 static void 2048 zopt_set_acl_to_tsig(struct acl_options* acl, struct region* region, 2049 const char* key_name, struct key_options* key_opt) 2050 { 2051 while(acl) { 2052 if(acl->blocked) { 2053 acl = acl->next; 2054 continue; 2055 } 2056 acl->nokey = 0; 2057 if(acl->key_name) 2058 region_recycle(region, (void*)acl->key_name, 2059 strlen(acl->key_name)+1); 2060 acl->key_name = region_strdup(region, key_name); 2061 acl->key_options = key_opt; 2062 acl = acl->next; 2063 } 2064 } 2065 2066 /** do the assoc_tsig command: associate the zone to use the tsig name */ 2067 static void 2068 do_assoc_tsig(RES* ssl, xfrd_state_type* xfrd, char* arg) 2069 { 2070 region_type* region = xfrd->nsd->options->region; 2071 char* arg2 = NULL; 2072 struct zone_options* zone; 2073 struct key_options* key_opt; 2074 2075 if(*arg == '\0') { 2076 if(!ssl_printf(ssl, "error: missing argument (zonename)\n")) 2077 return; 2078 return; 2079 } 2080 if(!find_arg2(ssl, arg, &arg2)) { 2081 if(!ssl_printf(ssl, "error: missing argument (keyname)\n")) 2082 return; 2083 return; 2084 } 2085 2086 if(!get_zone_arg(ssl, xfrd, arg, &zone)) 2087 return; 2088 if(!zone) { 2089 if(!ssl_printf(ssl, "error: missing argument (zone)\n")) 2090 return; 2091 return; 2092 } 2093 key_opt = key_options_find(xfrd->nsd->options, arg2); 2094 if(!key_opt) { 2095 if(!ssl_printf(ssl, "error: key: %s does not exist\n", arg2)) 2096 return; 2097 return; 2098 } 2099 2100 zopt_set_acl_to_tsig(zone->pattern->allow_notify, region, arg2, 2101 key_opt); 2102 zopt_set_acl_to_tsig(zone->pattern->notify, region, arg2, key_opt); 2103 zopt_set_acl_to_tsig(zone->pattern->request_xfr, region, arg2, 2104 key_opt); 2105 zopt_set_acl_to_tsig(zone->pattern->provide_xfr, region, arg2, 2106 key_opt); 2107 2108 task_new_add_pattern(xfrd->nsd->task[xfrd->nsd->mytask], 2109 xfrd->last_task, zone->pattern); 2110 xfrd_set_reload_now(xfrd); 2111 2112 send_ok(ssl); 2113 } 2114 2115 /** see if TSIG key is used in the acl */ 2116 static int 2117 acl_contains_tsig_key(struct acl_options* acl, const char* name) 2118 { 2119 while(acl) { 2120 if(acl->key_name && strcmp(acl->key_name, name) == 0) 2121 return 1; 2122 acl = acl->next; 2123 } 2124 return 0; 2125 } 2126 2127 /** do the del_tsig command, remove an (unused) tsig */ 2128 static void 2129 do_del_tsig(RES* ssl, xfrd_state_type* xfrd, char* arg) { 2130 int used_key = 0; 2131 struct zone_options* zone; 2132 struct key_options* key_opt; 2133 2134 if(*arg == '\0') { 2135 if(!ssl_printf(ssl, "error: missing argument (keyname)\n")) 2136 return; 2137 return; 2138 } 2139 key_opt = key_options_find(xfrd->nsd->options, arg); 2140 if(!key_opt) { 2141 if(!ssl_printf(ssl, "key %s does not exist, nothing to be deleted\n", arg)) 2142 return; 2143 return; 2144 } 2145 RBTREE_FOR(zone, struct zone_options*, xfrd->nsd->options->zone_options) 2146 { 2147 if(acl_contains_tsig_key(zone->pattern->allow_notify, arg) || 2148 acl_contains_tsig_key(zone->pattern->notify, arg) || 2149 acl_contains_tsig_key(zone->pattern->request_xfr, arg) || 2150 acl_contains_tsig_key(zone->pattern->provide_xfr, arg)) { 2151 if(!ssl_printf(ssl, "zone %s uses key %s\n", 2152 zone->name, arg)) 2153 return; 2154 used_key = 1; 2155 break; 2156 } 2157 } 2158 2159 if(used_key) { 2160 if(!ssl_printf(ssl, "error: key: %s is in use and cannot be deleted\n", arg)) 2161 return; 2162 return; 2163 } else { 2164 remove_key(xfrd, arg); 2165 log_msg(LOG_INFO, "key: %s is successfully deleted\n", arg); 2166 } 2167 2168 send_ok(ssl); 2169 } 2170 2171 /** check for name with end-of-string, space or tab after it */ 2172 static int 2173 cmdcmp(char* p, const char* cmd, size_t len) 2174 { 2175 return strncmp(p,cmd,len)==0 && (p[len]==0||p[len]==' '||p[len]=='\t'); 2176 } 2177 2178 /** execute a remote control command */ 2179 static void 2180 execute_cmd(struct daemon_remote* rc, RES* ssl, char* cmd, struct rc_state* rs) 2181 { 2182 char* p = skipwhite(cmd); 2183 /* compare command */ 2184 if(cmdcmp(p, "stop", 4)) { 2185 do_stop(ssl, rc->xfrd); 2186 } else if(cmdcmp(p, "reload", 6)) { 2187 do_reload(ssl, rc->xfrd, skipwhite(p+6)); 2188 } else if(cmdcmp(p, "write", 5)) { 2189 do_write(ssl, rc->xfrd, skipwhite(p+5)); 2190 } else if(cmdcmp(p, "status", 6)) { 2191 do_status(ssl, rc->xfrd); 2192 } else if(cmdcmp(p, "stats_noreset", 13)) { 2193 do_stats(rc, 1, rs); 2194 } else if(cmdcmp(p, "stats", 5)) { 2195 do_stats(rc, 0, rs); 2196 } else if(cmdcmp(p, "log_reopen", 10)) { 2197 do_log_reopen(ssl, rc->xfrd); 2198 } else if(cmdcmp(p, "addzone", 7)) { 2199 do_addzone(ssl, rc->xfrd, skipwhite(p+7)); 2200 } else if(cmdcmp(p, "delzone", 7)) { 2201 do_delzone(ssl, rc->xfrd, skipwhite(p+7)); 2202 } else if(cmdcmp(p, "changezone", 10)) { 2203 do_changezone(ssl, rc->xfrd, skipwhite(p+10)); 2204 } else if(cmdcmp(p, "addzones", 8)) { 2205 do_addzones(ssl, rc->xfrd); 2206 } else if(cmdcmp(p, "delzones", 8)) { 2207 do_delzones(ssl, rc->xfrd); 2208 } else if(cmdcmp(p, "notify", 6)) { 2209 do_notify(ssl, rc->xfrd, skipwhite(p+6)); 2210 } else if(cmdcmp(p, "transfer", 8)) { 2211 do_transfer(ssl, rc->xfrd, skipwhite(p+8)); 2212 } else if(cmdcmp(p, "force_transfer", 14)) { 2213 do_force_transfer(ssl, rc->xfrd, skipwhite(p+14)); 2214 } else if(cmdcmp(p, "zonestatus", 10)) { 2215 do_zonestatus(ssl, rc->xfrd, skipwhite(p+10)); 2216 } else if(cmdcmp(p, "verbosity", 9)) { 2217 do_verbosity(ssl, skipwhite(p+9)); 2218 } else if(cmdcmp(p, "repattern", 9)) { 2219 do_repattern(ssl, rc->xfrd); 2220 } else if(cmdcmp(p, "reconfig", 8)) { 2221 do_repattern(ssl, rc->xfrd); 2222 } else if(cmdcmp(p, "serverpid", 9)) { 2223 do_serverpid(ssl, rc->xfrd); 2224 } else if(cmdcmp(p, "print_tsig", 10)) { 2225 do_print_tsig(ssl, rc->xfrd, skipwhite(p+10)); 2226 } else if(cmdcmp(p, "update_tsig", 11)) { 2227 do_update_tsig(ssl, rc->xfrd, skipwhite(p+11)); 2228 } else if(cmdcmp(p, "add_tsig", 8)) { 2229 do_add_tsig(ssl, rc->xfrd, skipwhite(p+8)); 2230 } else if(cmdcmp(p, "assoc_tsig", 10)) { 2231 do_assoc_tsig(ssl, rc->xfrd, skipwhite(p+10)); 2232 } else if(cmdcmp(p, "del_tsig", 8)) { 2233 do_del_tsig(ssl, rc->xfrd, skipwhite(p+8)); 2234 } else { 2235 (void)ssl_printf(ssl, "error unknown command '%s'\n", p); 2236 } 2237 } 2238 2239 /** handle remote control request */ 2240 static void 2241 handle_req(struct daemon_remote* rc, struct rc_state* s, RES* res) 2242 { 2243 int r; 2244 char pre[10]; 2245 char magic[8]; 2246 char buf[1024]; 2247 if (fcntl(s->c.ev_fd, F_SETFL, 0) == -1) { /* set blocking */ 2248 log_msg(LOG_ERR, "cannot fcntl rc: %s", strerror(errno)); 2249 } 2250 2251 /* try to read magic UBCT[version]_space_ string */ 2252 if(res->ssl) { 2253 ERR_clear_error(); 2254 if((r=SSL_read(res->ssl, magic, (int)sizeof(magic)-1)) <= 0) { 2255 if(SSL_get_error(res->ssl, r) == SSL_ERROR_ZERO_RETURN) 2256 return; 2257 log_crypto_err("could not SSL_read"); 2258 return; 2259 } 2260 } else { 2261 while(1) { 2262 ssize_t rr = read(res->fd, magic, sizeof(magic)-1); 2263 if(rr <= 0) { 2264 if(rr == 0) return; 2265 if(errno == EINTR || errno == EAGAIN) 2266 continue; 2267 log_msg(LOG_ERR, "could not read: %s", strerror(errno)); 2268 return; 2269 } 2270 r = (int)rr; 2271 break; 2272 } 2273 } 2274 magic[7] = 0; 2275 if( r != 7 || strncmp(magic, "NSDCT", 5) != 0) { 2276 VERBOSITY(2, (LOG_INFO, "control connection has bad header")); 2277 /* probably wrong tool connected, ignore it completely */ 2278 return; 2279 } 2280 2281 /* read the command line */ 2282 if(!ssl_read_line(res, buf, sizeof(buf))) { 2283 return; 2284 } 2285 snprintf(pre, sizeof(pre), "NSDCT%d ", NSD_CONTROL_VERSION); 2286 if(strcmp(magic, pre) != 0) { 2287 VERBOSITY(2, (LOG_INFO, "control connection had bad " 2288 "version %s, cmd: %s", magic, buf)); 2289 ssl_printf(res, "error version mismatch\n"); 2290 return; 2291 } 2292 VERBOSITY(2, (LOG_INFO, "control cmd: %s", buf)); 2293 2294 /* figure out what to do */ 2295 execute_cmd(rc, res, buf, s); 2296 } 2297 2298 /** handle SSL_do_handshake changes to the file descriptor to wait for later */ 2299 static void 2300 remote_handshake_later(struct daemon_remote* rc, struct rc_state* s, int fd, 2301 int r, int r2) 2302 { 2303 if(r2 == SSL_ERROR_WANT_READ) { 2304 if(s->shake_state == rc_hs_read) { 2305 /* try again later */ 2306 return; 2307 } 2308 s->shake_state = rc_hs_read; 2309 event_del(&s->c); 2310 memset(&s->c, 0, sizeof(s->c)); 2311 event_set(&s->c, fd, EV_PERSIST|EV_TIMEOUT|EV_READ, 2312 remote_control_callback, s); 2313 if(event_base_set(xfrd->event_base, &s->c) != 0) 2314 log_msg(LOG_ERR, "remote_accept: cannot set event_base"); 2315 if(event_add(&s->c, &s->tval) != 0) 2316 log_msg(LOG_ERR, "remote_accept: cannot add event"); 2317 return; 2318 } else if(r2 == SSL_ERROR_WANT_WRITE) { 2319 if(s->shake_state == rc_hs_write) { 2320 /* try again later */ 2321 return; 2322 } 2323 s->shake_state = rc_hs_write; 2324 event_del(&s->c); 2325 memset(&s->c, 0, sizeof(s->c)); 2326 event_set(&s->c, fd, EV_PERSIST|EV_TIMEOUT|EV_WRITE, 2327 remote_control_callback, s); 2328 if(event_base_set(xfrd->event_base, &s->c) != 0) 2329 log_msg(LOG_ERR, "remote_accept: cannot set event_base"); 2330 if(event_add(&s->c, &s->tval) != 0) 2331 log_msg(LOG_ERR, "remote_accept: cannot add event"); 2332 return; 2333 } else { 2334 if(r == 0) 2335 log_msg(LOG_ERR, "remote control connection closed prematurely"); 2336 log_crypto_err("remote control failed ssl"); 2337 clean_point(rc, s); 2338 } 2339 } 2340 2341 static void 2342 remote_control_callback(int fd, short event, void* arg) 2343 { 2344 RES res; 2345 struct rc_state* s = (struct rc_state*)arg; 2346 struct daemon_remote* rc = s->rc; 2347 int r; 2348 if( (event&EV_TIMEOUT) ) { 2349 log_msg(LOG_ERR, "remote control timed out"); 2350 clean_point(rc, s); 2351 return; 2352 } 2353 if(s->ssl) { 2354 /* (continue to) setup the SSL connection */ 2355 ERR_clear_error(); 2356 r = SSL_do_handshake(s->ssl); 2357 if(r != 1) { 2358 int r2 = SSL_get_error(s->ssl, r); 2359 remote_handshake_later(rc, s, fd, r, r2); 2360 return; 2361 } 2362 s->shake_state = rc_none; 2363 } 2364 2365 /* once handshake has completed, check authentication */ 2366 if (!rc->use_cert) { 2367 VERBOSITY(3, (LOG_INFO, "unauthenticated remote control connection")); 2368 } else if(SSL_get_verify_result(s->ssl) == X509_V_OK) { 2369 X509* x = SSL_get_peer_certificate(s->ssl); 2370 if(!x) { 2371 VERBOSITY(2, (LOG_INFO, "remote control connection " 2372 "provided no client certificate")); 2373 clean_point(rc, s); 2374 return; 2375 } 2376 VERBOSITY(3, (LOG_INFO, "remote control connection authenticated")); 2377 X509_free(x); 2378 } else { 2379 VERBOSITY(2, (LOG_INFO, "remote control connection failed to " 2380 "authenticate with client certificate")); 2381 clean_point(rc, s); 2382 return; 2383 } 2384 2385 /* if OK start to actually handle the request */ 2386 res.ssl = s->ssl; 2387 res.fd = fd; 2388 handle_req(rc, s, &res); 2389 2390 if(!s->in_stats_list) { 2391 VERBOSITY(3, (LOG_INFO, "remote control operation completed")); 2392 clean_point(rc, s); 2393 } 2394 } 2395 2396 #ifdef BIND8_STATS 2397 static const char* 2398 opcode2str(int o) 2399 { 2400 switch(o) { 2401 case OPCODE_QUERY: return "QUERY"; 2402 case OPCODE_IQUERY: return "IQUERY"; 2403 case OPCODE_STATUS: return "STATUS"; 2404 case OPCODE_NOTIFY: return "NOTIFY"; 2405 case OPCODE_UPDATE: return "UPDATE"; 2406 default: return "OTHER"; 2407 } 2408 } 2409 2410 /** print long number */ 2411 static int 2412 print_longnum(RES* ssl, char* desc, uint64_t x) 2413 { 2414 if(x > (uint64_t)1024*1024*1024) { 2415 /* more than a Gb */ 2416 size_t front = (size_t)(x / (uint64_t)1000000); 2417 size_t back = (size_t)(x % (uint64_t)1000000); 2418 return ssl_printf(ssl, "%s%lu%6.6lu\n", desc, 2419 (unsigned long)front, (unsigned long)back); 2420 } else { 2421 return ssl_printf(ssl, "%s%lu\n", desc, (unsigned long)x); 2422 } 2423 } 2424 2425 /* print one block of statistics. n is name and d is delimiter */ 2426 static void 2427 print_stat_block(RES* ssl, char* n, char* d, struct nsdst* st) 2428 { 2429 const char* rcstr[] = {"NOERROR", "FORMERR", "SERVFAIL", "NXDOMAIN", 2430 "NOTIMP", "REFUSED", "YXDOMAIN", "YXRRSET", "NXRRSET", "NOTAUTH", 2431 "NOTZONE", "RCODE11", "RCODE12", "RCODE13", "RCODE14", "RCODE15", 2432 "BADVERS" 2433 }; 2434 size_t i; 2435 for(i=0; i<= 255; i++) { 2436 if(inhibit_zero && st->qtype[i] == 0 && 2437 strncmp(rrtype_to_string(i), "TYPE", 4) == 0) 2438 continue; 2439 if(!ssl_printf(ssl, "%s%snum.type.%s=%lu\n", n, d, 2440 rrtype_to_string(i), (unsigned long)st->qtype[i])) 2441 return; 2442 } 2443 2444 /* opcode */ 2445 for(i=0; i<6; i++) { 2446 if(inhibit_zero && st->opcode[i] == 0 && i != OPCODE_QUERY) 2447 continue; 2448 if(!ssl_printf(ssl, "%s%snum.opcode.%s=%lu\n", n, d, 2449 opcode2str(i), (unsigned long)st->opcode[i])) 2450 return; 2451 } 2452 2453 /* qclass */ 2454 for(i=0; i<4; i++) { 2455 if(inhibit_zero && st->qclass[i] == 0 && i != CLASS_IN) 2456 continue; 2457 if(!ssl_printf(ssl, "%s%snum.class.%s=%lu\n", n, d, 2458 rrclass_to_string(i), (unsigned long)st->qclass[i])) 2459 return; 2460 } 2461 2462 /* rcode */ 2463 for(i=0; i<17; i++) { 2464 if(inhibit_zero && st->rcode[i] == 0 && 2465 i > RCODE_YXDOMAIN) /* NSD does not use larger */ 2466 continue; 2467 if(!ssl_printf(ssl, "%s%snum.rcode.%s=%lu\n", n, d, rcstr[i], 2468 (unsigned long)st->rcode[i])) 2469 return; 2470 } 2471 2472 /* edns */ 2473 if(!ssl_printf(ssl, "%s%snum.edns=%lu\n", n, d, (unsigned long)st->edns)) 2474 return; 2475 2476 /* ednserr */ 2477 if(!ssl_printf(ssl, "%s%snum.ednserr=%lu\n", n, d, 2478 (unsigned long)st->ednserr)) 2479 return; 2480 2481 /* qudp */ 2482 if(!ssl_printf(ssl, "%s%snum.udp=%lu\n", n, d, (unsigned long)st->qudp)) 2483 return; 2484 /* qudp6 */ 2485 if(!ssl_printf(ssl, "%s%snum.udp6=%lu\n", n, d, (unsigned long)st->qudp6)) 2486 return; 2487 /* ctcp */ 2488 if(!ssl_printf(ssl, "%s%snum.tcp=%lu\n", n, d, (unsigned long)st->ctcp)) 2489 return; 2490 /* ctcp6 */ 2491 if(!ssl_printf(ssl, "%s%snum.tcp6=%lu\n", n, d, (unsigned long)st->ctcp6)) 2492 return; 2493 /* ctls */ 2494 if(!ssl_printf(ssl, "%s%snum.tls=%lu\n", n, d, (unsigned long)st->ctls)) 2495 return; 2496 /* ctls6 */ 2497 if(!ssl_printf(ssl, "%s%snum.tls6=%lu\n", n, d, (unsigned long)st->ctls6)) 2498 return; 2499 2500 /* nona */ 2501 if(!ssl_printf(ssl, "%s%snum.answer_wo_aa=%lu\n", n, d, 2502 (unsigned long)st->nona)) 2503 return; 2504 2505 /* rxerr */ 2506 if(!ssl_printf(ssl, "%s%snum.rxerr=%lu\n", n, d, (unsigned long)st->rxerr)) 2507 return; 2508 2509 /* txerr */ 2510 if(!ssl_printf(ssl, "%s%snum.txerr=%lu\n", n, d, (unsigned long)st->txerr)) 2511 return; 2512 2513 /* number of requested-axfr, number of times axfr served to clients */ 2514 if(!ssl_printf(ssl, "%s%snum.raxfr=%lu\n", n, d, (unsigned long)st->raxfr)) 2515 return; 2516 2517 /* truncated */ 2518 if(!ssl_printf(ssl, "%s%snum.truncated=%lu\n", n, d, 2519 (unsigned long)st->truncated)) 2520 return; 2521 2522 /* dropped */ 2523 if(!ssl_printf(ssl, "%s%snum.dropped=%lu\n", n, d, 2524 (unsigned long)st->dropped)) 2525 return; 2526 } 2527 2528 #ifdef USE_ZONE_STATS 2529 static void 2530 resize_zonestat(xfrd_state_type* xfrd, size_t num) 2531 { 2532 struct nsdst** a = xalloc_array_zero(num, sizeof(struct nsdst*)); 2533 if(xfrd->zonestat_clear_num != 0) 2534 memcpy(a, xfrd->zonestat_clear, xfrd->zonestat_clear_num 2535 * sizeof(struct nsdst*)); 2536 free(xfrd->zonestat_clear); 2537 xfrd->zonestat_clear = a; 2538 xfrd->zonestat_clear_num = num; 2539 } 2540 2541 static void 2542 zonestat_print(RES* ssl, xfrd_state_type* xfrd, int clear) 2543 { 2544 struct zonestatname* n; 2545 struct nsdst stat0, stat1; 2546 RBTREE_FOR(n, struct zonestatname*, xfrd->nsd->options->zonestatnames){ 2547 char* name = (char*)n->node.key; 2548 if(n->id >= xfrd->zonestat_safe) 2549 continue; /* newly allocated and reload has not yet 2550 done and replied with new size */ 2551 if(name == NULL || name[0]==0) 2552 continue; /* empty name, do not output */ 2553 /* the statistics are stored in two blocks, during reload 2554 * the newly forked processes get the other block to use, 2555 * these blocks are mmapped and are currently in use to 2556 * add statistics to */ 2557 memcpy(&stat0, &xfrd->nsd->zonestat[0][n->id], sizeof(stat0)); 2558 memcpy(&stat1, &xfrd->nsd->zonestat[1][n->id], sizeof(stat1)); 2559 stats_add(&stat0, &stat1); 2560 2561 /* save a copy of current (cumulative) stats in stat1 */ 2562 memcpy(&stat1, &stat0, sizeof(stat1)); 2563 /* subtract last total of stats that was 'cleared' */ 2564 if(n->id < xfrd->zonestat_clear_num && 2565 xfrd->zonestat_clear[n->id]) 2566 stats_subtract(&stat0, xfrd->zonestat_clear[n->id]); 2567 if(clear) { 2568 /* extend storage array if needed */ 2569 if(n->id >= xfrd->zonestat_clear_num) { 2570 if(n->id+1 < xfrd->nsd->options->zonestatnames->count) 2571 resize_zonestat(xfrd, xfrd->nsd->options->zonestatnames->count); 2572 else 2573 resize_zonestat(xfrd, n->id+1); 2574 } 2575 if(!xfrd->zonestat_clear[n->id]) 2576 xfrd->zonestat_clear[n->id] = xalloc( 2577 sizeof(struct nsdst)); 2578 /* store last total of stats */ 2579 memcpy(xfrd->zonestat_clear[n->id], &stat1, 2580 sizeof(struct nsdst)); 2581 } 2582 2583 /* stat0 contains the details that we want to print */ 2584 if(!ssl_printf(ssl, "%s%snum.queries=%lu\n", name, ".", 2585 (unsigned long)(stat0.qudp + stat0.qudp6 + stat0.ctcp + 2586 stat0.ctcp6 + stat0.ctls + stat0.ctls6))) 2587 return; 2588 print_stat_block(ssl, name, ".", &stat0); 2589 } 2590 } 2591 #endif /* USE_ZONE_STATS */ 2592 2593 static void 2594 print_stats(RES* ssl, xfrd_state_type* xfrd, struct timeval* now, int clear) 2595 { 2596 size_t i; 2597 stc_type total = 0; 2598 struct timeval elapsed, uptime; 2599 2600 /* per CPU and total */ 2601 for(i=0; i<xfrd->nsd->child_count; i++) { 2602 if(!ssl_printf(ssl, "server%d.queries=%lu\n", (int)i, 2603 (unsigned long)xfrd->nsd->children[i].query_count)) 2604 return; 2605 total += xfrd->nsd->children[i].query_count; 2606 } 2607 if(!ssl_printf(ssl, "num.queries=%lu\n", (unsigned long)total)) 2608 return; 2609 2610 /* time elapsed and uptime (in seconds) */ 2611 timeval_subtract(&uptime, now, &xfrd->nsd->rc->boot_time); 2612 timeval_subtract(&elapsed, now, &xfrd->nsd->rc->stats_time); 2613 if(!ssl_printf(ssl, "time.boot=%lu.%6.6lu\n", 2614 (unsigned long)uptime.tv_sec, (unsigned long)uptime.tv_usec)) 2615 return; 2616 if(!ssl_printf(ssl, "time.elapsed=%lu.%6.6lu\n", 2617 (unsigned long)elapsed.tv_sec, (unsigned long)elapsed.tv_usec)) 2618 return; 2619 2620 /* mem info, database on disksize */ 2621 if(!print_longnum(ssl, "size.db.disk=", xfrd->nsd->st.db_disk)) 2622 return; 2623 if(!print_longnum(ssl, "size.db.mem=", xfrd->nsd->st.db_mem)) 2624 return; 2625 if(!print_longnum(ssl, "size.xfrd.mem=", region_get_mem(xfrd->region))) 2626 return; 2627 if(!print_longnum(ssl, "size.config.disk=", 2628 xfrd->nsd->options->zonelist_off)) 2629 return; 2630 if(!print_longnum(ssl, "size.config.mem=", region_get_mem( 2631 xfrd->nsd->options->region))) 2632 return; 2633 print_stat_block(ssl, "", "", &xfrd->nsd->st); 2634 2635 /* zone statistics */ 2636 if(!ssl_printf(ssl, "zone.master=%lu\n", 2637 (unsigned long)(xfrd->notify_zones->count - xfrd->zones->count))) 2638 return; 2639 if(!ssl_printf(ssl, "zone.slave=%lu\n", (unsigned long)xfrd->zones->count)) 2640 return; 2641 #ifdef USE_ZONE_STATS 2642 zonestat_print(ssl, xfrd, clear); /* per-zone statistics */ 2643 #else 2644 (void)clear; 2645 #endif 2646 } 2647 2648 static void 2649 clear_stats(xfrd_state_type* xfrd) 2650 { 2651 size_t i; 2652 uint64_t dbd = xfrd->nsd->st.db_disk; 2653 uint64_t dbm = xfrd->nsd->st.db_mem; 2654 for(i=0; i<xfrd->nsd->child_count; i++) { 2655 xfrd->nsd->children[i].query_count = 0; 2656 } 2657 memset(&xfrd->nsd->st, 0, sizeof(struct nsdst)); 2658 /* zonestats are cleared by storing the cumulative value that 2659 * was last printed in the zonestat_clear array, and subtracting 2660 * that before the next stats printout */ 2661 xfrd->nsd->st.db_disk = dbd; 2662 xfrd->nsd->st.db_mem = dbm; 2663 } 2664 2665 void 2666 daemon_remote_process_stats(struct daemon_remote* rc) 2667 { 2668 RES res; 2669 struct rc_state* s; 2670 struct timeval now; 2671 if(!rc) return; 2672 if(gettimeofday(&now, NULL) == -1) 2673 log_msg(LOG_ERR, "gettimeofday: %s", strerror(errno)); 2674 /* pop one and give it stats */ 2675 while((s = rc->stats_list)) { 2676 assert(s->in_stats_list); 2677 res.ssl = s->ssl; 2678 res.fd = s->fd; 2679 print_stats(&res, rc->xfrd, &now, (s->in_stats_list == 1)); 2680 if(s->in_stats_list == 1) { 2681 clear_stats(rc->xfrd); 2682 rc->stats_time = now; 2683 } 2684 VERBOSITY(3, (LOG_INFO, "remote control stats printed")); 2685 rc->stats_list = s->next; 2686 s->in_stats_list = 0; 2687 clean_point(rc, s); 2688 } 2689 } 2690 #endif /* BIND8_STATS */ 2691 2692 int 2693 create_local_accept_sock(const char *path, int* noproto) 2694 { 2695 #ifdef HAVE_SYS_UN_H 2696 int s; 2697 struct sockaddr_un usock; 2698 2699 VERBOSITY(3, (LOG_INFO, "creating unix socket %s", path)); 2700 #ifdef HAVE_STRUCT_SOCKADDR_UN_SUN_LEN 2701 /* this member exists on BSDs, not Linux */ 2702 usock.sun_len = (unsigned)sizeof(usock); 2703 #endif 2704 usock.sun_family = AF_LOCAL; 2705 /* length is 92-108, 104 on FreeBSD */ 2706 (void)strlcpy(usock.sun_path, path, sizeof(usock.sun_path)); 2707 2708 if ((s = socket(AF_LOCAL, SOCK_STREAM, 0)) == -1) { 2709 log_msg(LOG_ERR, "Cannot create local socket %s (%s)", 2710 path, strerror(errno)); 2711 return -1; 2712 } 2713 2714 if (unlink(path) && errno != ENOENT) { 2715 /* The socket already exists and cannot be removed */ 2716 log_msg(LOG_ERR, "Cannot remove old local socket %s (%s)", 2717 path, strerror(errno)); 2718 goto err; 2719 } 2720 2721 if (bind(s, (struct sockaddr *)&usock, 2722 (socklen_t)sizeof(struct sockaddr_un)) == -1) { 2723 log_msg(LOG_ERR, "Cannot bind local socket %s (%s)", 2724 path, strerror(errno)); 2725 goto err; 2726 } 2727 2728 if (fcntl(s, F_SETFL, O_NONBLOCK) == -1) { 2729 log_msg(LOG_ERR, "Cannot set non-blocking mode"); 2730 goto err; 2731 } 2732 2733 if (listen(s, TCP_BACKLOG) == -1) { 2734 log_msg(LOG_ERR, "can't listen: %s", strerror(errno)); 2735 goto err; 2736 } 2737 2738 (void)noproto; /*unused*/ 2739 return s; 2740 2741 err: 2742 close(s); 2743 return -1; 2744 2745 #else 2746 (void)path; 2747 log_msg(LOG_ERR, "Local sockets are not supported"); 2748 *noproto = 1; 2749 return -1; 2750 #endif 2751 } 2752 2753 #endif /* HAVE_SSL */ 2754