1 /* 2 * options.c -- options functions. 3 * 4 * Copyright (c) 2001-2006, NLnet Labs. All rights reserved. 5 * 6 * See LICENSE for the license. 7 * 8 */ 9 #include "config.h" 10 #include <string.h> 11 #include <stdio.h> 12 #include <sys/stat.h> 13 #include <errno.h> 14 #ifdef HAVE_IFADDRS_H 15 #include <ifaddrs.h> 16 #endif 17 #ifdef HAVE_SSL 18 #include <openssl/ssl.h> 19 #include <openssl/x509v3.h> 20 #endif 21 #ifdef HAVE_STRINGS_H 22 #include <strings.h> 23 #endif 24 #include "options.h" 25 #include "query.h" 26 #include "tsig.h" 27 #include "ixfr.h" 28 #include "difffile.h" 29 #include "rrl.h" 30 #include "bitset.h" 31 #include "xfrd.h" 32 33 #include "configparser.h" 34 config_parser_state_type* cfg_parser = 0; 35 extern FILE* c_in, *c_out; 36 int c_parse(void); 37 int c_lex(void); 38 int c_wrap(void); 39 int c_lex_destroy(void); 40 extern char* c_text; 41 42 static int 43 rbtree_strcmp(const void* p1, const void* p2) 44 { 45 if(p1 == NULL && p2 == NULL) return 0; 46 if(p1 == NULL) return -1; 47 if(p2 == NULL) return 1; 48 return strcmp((const char*)p1, (const char*)p2); 49 } 50 51 struct nsd_options* 52 nsd_options_create(region_type* region) 53 { 54 struct nsd_options* opt; 55 opt = (struct nsd_options*)region_alloc(region, sizeof( 56 struct nsd_options)); 57 opt->region = region; 58 opt->zone_options = rbtree_create(region, 59 (int (*)(const void *, const void *)) dname_compare); 60 opt->configfile = NULL; 61 opt->zonestatnames = rbtree_create(opt->region, rbtree_strcmp); 62 opt->patterns = rbtree_create(region, rbtree_strcmp); 63 opt->keys = rbtree_create(region, rbtree_strcmp); 64 opt->tls_auths = rbtree_create(region, rbtree_strcmp); 65 opt->ip_addresses = NULL; 66 opt->ip_transparent = 0; 67 opt->ip_freebind = 0; 68 opt->send_buffer_size = 4*1024*1024; 69 opt->receive_buffer_size = 1*1024*1024; 70 opt->debug_mode = 0; 71 opt->verbosity = 0; 72 opt->hide_version = 0; 73 opt->hide_identity = 0; 74 opt->drop_updates = 0; 75 opt->do_ip4 = 1; 76 opt->do_ip6 = 1; 77 opt->identity = 0; 78 opt->version = 0; 79 opt->nsid = 0; 80 opt->logfile = 0; 81 opt->log_only_syslog = 0; 82 opt->log_time_ascii = 1; 83 opt->log_time_iso = 0; 84 opt->round_robin = 0; /* also packet.h::round_robin */ 85 opt->minimal_responses = 0; /* also packet.h::minimal_responses */ 86 opt->confine_to_zone = 0; 87 opt->refuse_any = 0; 88 opt->server_count = 1; 89 opt->cpu_affinity = NULL; 90 opt->service_cpu_affinity = NULL; 91 opt->tcp_count = 100; 92 opt->tcp_reject_overflow = 0; 93 opt->tcp_query_count = 0; 94 opt->tcp_timeout = TCP_TIMEOUT; 95 opt->tcp_mss = 0; 96 opt->outgoing_tcp_mss = 0; 97 opt->tcp_listen_queue = TCP_BACKLOG; 98 opt->ipv4_edns_size = EDNS_MAX_MESSAGE_LEN; 99 opt->ipv6_edns_size = EDNS_MAX_MESSAGE_LEN; 100 opt->pidfile = PIDFILE; 101 opt->port = UDP_PORT; 102 /* deprecated? opt->port = TCP_PORT; */ 103 opt->reuseport = 0; 104 opt->xfrd_tcp_max = 128; 105 opt->xfrd_tcp_pipeline = 128; 106 opt->statistics = 0; 107 opt->chroot = 0; 108 opt->username = USER; 109 opt->zonesdir = ZONESDIR; 110 opt->xfrdfile = XFRDFILE; 111 opt->xfrdir = XFRDIR; 112 opt->zonelistfile = ZONELISTFILE; 113 #ifdef RATELIMIT 114 opt->rrl_size = RRL_BUCKETS; 115 opt->rrl_slip = RRL_SLIP; 116 opt->rrl_ipv4_prefix_length = RRL_IPV4_PREFIX_LENGTH; 117 opt->rrl_ipv6_prefix_length = RRL_IPV6_PREFIX_LENGTH; 118 # ifdef RATELIMIT_DEFAULT_OFF 119 opt->rrl_ratelimit = 0; 120 opt->rrl_whitelist_ratelimit = 0; 121 # else 122 opt->rrl_ratelimit = RRL_LIMIT/2; 123 opt->rrl_whitelist_ratelimit = RRL_WLIST_LIMIT/2; 124 # endif 125 #endif 126 #ifdef USE_DNSTAP 127 opt->dnstap_enable = 0; 128 opt->dnstap_socket_path = DNSTAP_SOCKET_PATH; 129 opt->dnstap_ip = ""; 130 opt->dnstap_tls = 1; 131 opt->dnstap_tls_server_name = NULL; 132 opt->dnstap_tls_cert_bundle = NULL; 133 opt->dnstap_tls_client_key_file = NULL; 134 opt->dnstap_tls_client_cert_file = NULL; 135 opt->dnstap_send_identity = 0; 136 opt->dnstap_send_version = 0; 137 opt->dnstap_identity = NULL; 138 opt->dnstap_version = NULL; 139 opt->dnstap_log_auth_query_messages = 0; 140 opt->dnstap_log_auth_response_messages = 0; 141 #endif 142 opt->reload_config = 0; 143 opt->zonefiles_check = 1; 144 opt->zonefiles_write = ZONEFILES_WRITE_INTERVAL; 145 opt->xfrd_reload_timeout = 1; 146 opt->tls_service_key = NULL; 147 opt->tls_service_ocsp = NULL; 148 opt->tls_service_pem = NULL; 149 opt->tls_port = TLS_PORT; 150 opt->tls_auth_port = NULL; 151 opt->tls_cert_bundle = NULL; 152 opt->tls_auth_xfr_only = 0; 153 opt->proxy_protocol_port = NULL; 154 opt->answer_cookie = 0; 155 opt->cookie_secret = NULL; 156 opt->cookie_staging_secret = NULL; 157 opt->cookie_secret_file = NULL; 158 opt->cookie_secret_file_is_default = 1; 159 opt->control_enable = 0; 160 opt->control_interface = NULL; 161 opt->control_port = NSD_CONTROL_PORT; 162 opt->server_key_file = CONFIGDIR"/nsd_server.key"; 163 opt->server_cert_file = CONFIGDIR"/nsd_server.pem"; 164 opt->control_key_file = CONFIGDIR"/nsd_control.key"; 165 opt->control_cert_file = CONFIGDIR"/nsd_control.pem"; 166 #ifdef USE_XDP 167 opt->xdp_interface = NULL; 168 opt->xdp_program_path = SHAREDFILESDIR"/xdp-dns-redirect_kern.o"; 169 opt->xdp_program_load = 1; 170 opt->xdp_bpffs_path = "/sys/fs/bpf"; 171 opt->xdp_force_copy = 0; 172 #endif 173 #ifdef USE_METRICS 174 opt->metrics_enable = 0; 175 opt->metrics_interface = NULL; 176 opt->metrics_port = NSD_METRICS_PORT; 177 opt->metrics_path = "/metrics"; 178 #endif /* USE_METRICS */ 179 180 opt->verify_enable = 0; 181 opt->verify_ip_addresses = NULL; 182 opt->verify_port = VERIFY_PORT; 183 opt->verify_zones = 1; 184 opt->verifier = NULL; 185 opt->verifier_count = 1; 186 opt->verifier_feed_zone = 1; 187 opt->verifier_timeout = 0; 188 189 return opt; 190 } 191 192 int 193 nsd_options_insert_zone(struct nsd_options* opt, struct zone_options* zone) 194 { 195 /* create dname for lookup */ 196 const dname_type* dname = dname_parse(opt->region, zone->name); 197 if(!dname) 198 return 0; 199 zone->node.key = dname; 200 if(!rbtree_insert(opt->zone_options, (rbnode_type*)zone)) 201 return 0; 202 return 1; 203 } 204 205 int 206 nsd_options_insert_pattern(struct nsd_options* opt, 207 struct pattern_options* pat) 208 { 209 if(!pat->pname) 210 return 0; 211 pat->node.key = pat->pname; 212 if(!rbtree_insert(opt->patterns, (rbnode_type*)pat)) 213 return 0; 214 return 1; 215 } 216 217 void 218 warn_if_directory(const char* filetype, FILE* f, const char* fname) 219 { 220 if(fileno(f) != -1) { 221 struct stat st; 222 memset(&st, 0, sizeof(st)); 223 if(fstat(fileno(f), &st) != -1) { 224 if(S_ISDIR(st.st_mode)) { 225 log_msg(LOG_WARNING, "trying to read %s but it is a directory: %s", filetype, fname); 226 } 227 } 228 } 229 } 230 231 int 232 parse_options_file(struct nsd_options* opt, const char* file, 233 void (*err)(void*,const char*), void* err_arg, 234 struct nsd_options* old_opts) 235 { 236 FILE *in = 0; 237 struct pattern_options* pat; 238 struct acl_options* acl; 239 240 if(!cfg_parser) { 241 cfg_parser = (config_parser_state_type*)region_alloc( 242 opt->region, sizeof(config_parser_state_type)); 243 cfg_parser->chroot = 0; 244 } 245 cfg_parser->err = err; 246 cfg_parser->err_arg = err_arg; 247 cfg_parser->filename = (char*)file; 248 cfg_parser->line = 1; 249 cfg_parser->errors = 0; 250 cfg_parser->opt = opt; 251 cfg_parser->pattern = NULL; 252 cfg_parser->zone = NULL; 253 cfg_parser->key = NULL; 254 cfg_parser->tls_auth = NULL; 255 256 in = fopen(cfg_parser->filename, "r"); 257 if(!in) { 258 if(err) { 259 char m[MAXSYSLOGMSGLEN]; 260 snprintf(m, sizeof(m), "Could not open %s: %s\n", 261 file, strerror(errno)); 262 err(err_arg, m); 263 } else { 264 fprintf(stderr, "Could not open %s: %s\n", 265 file, strerror(errno)); 266 } 267 return 0; 268 } 269 warn_if_directory("configfile", in, file); 270 c_in = in; 271 c_parse(); 272 fclose(in); 273 274 opt->configfile = region_strdup(opt->region, file); 275 276 /* Set default cookie_secret_file value */ 277 if(opt->cookie_secret_file_is_default && !opt->cookie_secret_file) { 278 opt->cookie_secret_file = 279 region_strdup(opt->region, COOKIESECRETSFILE); 280 } 281 /* Semantic errors */ 282 if(opt->cookie_staging_secret && !opt->cookie_secret) { 283 c_error("a cookie-staging-secret cannot be configured without " 284 "also providing a cookie-secret"); 285 } 286 RBTREE_FOR(pat, struct pattern_options*, opt->patterns) 287 { 288 struct pattern_options* old_pat = 289 old_opts ? pattern_options_find(old_opts, pat->pname) 290 : NULL; 291 292 /* lookup keys for acls */ 293 for(acl=pat->allow_notify; acl; acl=acl->next) 294 { 295 if(acl->nokey || acl->blocked) 296 continue; 297 acl->key_options = key_options_find(opt, acl->key_name); 298 if(!acl->key_options) 299 c_error("key %s in pattern %s could not be found", 300 acl->key_name, pat->pname); 301 } 302 for(acl=pat->notify; acl; acl=acl->next) 303 { 304 if(acl->nokey || acl->blocked) 305 continue; 306 acl->key_options = key_options_find(opt, acl->key_name); 307 if(!acl->key_options) 308 c_error("key %s in pattern %s could not be found", 309 acl->key_name, pat->pname); 310 } 311 for(acl=pat->request_xfr; acl; acl=acl->next) 312 { 313 /* Find tls_auth */ 314 if (!acl->tls_auth_name) 315 ; /* pass */ 316 else if (!(acl->tls_auth_options = 317 tls_auth_options_find(opt, acl->tls_auth_name))) 318 c_error("tls_auth %s in pattern %s could not be found", 319 acl->tls_auth_name, pat->pname); 320 /* Find key */ 321 if(acl->nokey || acl->blocked) 322 continue; 323 acl->key_options = key_options_find(opt, acl->key_name); 324 if(!acl->key_options) 325 c_error("key %s in pattern %s could not be found", 326 acl->key_name, pat->pname); 327 } 328 for(acl=pat->provide_xfr; acl; acl=acl->next) 329 { 330 /* Find tls_auth */ 331 if (acl->tls_auth_name) { 332 if (!(acl->tls_auth_options = 333 tls_auth_options_find(opt, acl->tls_auth_name))) 334 c_error("tls_auth %s in pattern %s could not be found", 335 acl->tls_auth_name, pat->pname); 336 } 337 if(acl->nokey || acl->blocked) 338 continue; 339 acl->key_options = key_options_find(opt, acl->key_name); 340 if(!acl->key_options) 341 c_error("key %s in pattern %s could not be found", 342 acl->key_name, pat->pname); 343 } 344 for(acl=pat->allow_query; acl; acl=acl->next) 345 { 346 if(acl->nokey || acl->blocked) 347 continue; 348 acl->key_options = key_options_find(opt, acl->key_name); 349 if(!acl->key_options) 350 c_error("key %s in pattern %s could not be found", 351 acl->key_name, pat->pname); 352 } 353 /* lookup zones for catalog-producer-zone options */ 354 if(pat->catalog_producer_zone) { 355 struct zone_options* zopt; 356 const dname_type *dname = dname_parse(opt->region, 357 pat->catalog_producer_zone); 358 if(dname == NULL) { 359 ; /* pass; already erred during parsing */ 360 361 } else if (!(zopt = zone_options_find(opt, dname))) { 362 c_error("catalog producer zone %s in pattern " 363 "%s could not be found", 364 pat->catalog_producer_zone, 365 pat->pname); 366 367 } else if (!zone_is_catalog_producer(zopt)) { 368 c_error("catalog-producer-zone %s in pattern " 369 "%s is not configered as a " 370 "catalog: producer", 371 pat->catalog_producer_zone, 372 pat->pname); 373 } 374 } 375 if( !old_opts /* Okay to add a cat producer member zone pat */ 376 || (!old_pat) /* But not to add, change or del an existing */ 377 || ( old_pat && !old_pat->catalog_producer_zone 378 && !pat->catalog_producer_zone) 379 || ( old_pat && old_pat->catalog_producer_zone 380 && pat->catalog_producer_zone 381 && strcmp( old_pat->catalog_producer_zone 382 , pat->catalog_producer_zone) == 0)){ 383 ; /* No existing catalog producer member zone added 384 * or changed. Everyting is fine: pass */ 385 } else { 386 c_error("catalog-producer-zone in pattern %s cannot " 387 "be removed or changed on a running NSD", 388 pat->pname); 389 } 390 } 391 392 if(cfg_parser->errors > 0) 393 { 394 if(err) { 395 char m[MAXSYSLOGMSGLEN]; 396 snprintf(m, sizeof(m), "read %s failed: %d errors in " 397 "configuration file\n", file, 398 cfg_parser->errors); 399 err(err_arg, m); 400 } else { 401 fprintf(stderr, "read %s failed: %d errors in " 402 "configuration file\n", file, 403 cfg_parser->errors); 404 } 405 return 0; 406 } 407 return 1; 408 } 409 410 void options_zonestatnames_create(struct nsd_options* opt) 411 { 412 struct zone_options* zopt; 413 /* allocate "" as zonestat 0, for zones without a zonestat */ 414 if(!rbtree_search(opt->zonestatnames, "")) { 415 struct zonestatname* n; 416 n = (struct zonestatname*)region_alloc_zero(opt->region, 417 sizeof(*n)); 418 n->node.key = region_strdup(opt->region, ""); 419 if(!n->node.key) { 420 log_msg(LOG_ERR, "malloc failed: %s", strerror(errno)); 421 exit(1); 422 } 423 n->id = (unsigned)(opt->zonestatnames->count); 424 rbtree_insert(opt->zonestatnames, (rbnode_type*)n); 425 } 426 RBTREE_FOR(zopt, struct zone_options*, opt->zone_options) { 427 /* insert into tree, so that when read in later id exists */ 428 (void)getzonestatid(opt, zopt); 429 } 430 } 431 432 #define ZONELIST_HEADER "# NSD zone list\n# name pattern\n" 433 static int 434 comp_zonebucket(const void* a, const void* b) 435 { 436 /* the line size is much smaller than max-int, and positive, 437 * so the subtraction works */ 438 return *(const int*)b - *(const int*)a; 439 } 440 441 /* insert free entry into zonelist free buckets */ 442 static void 443 zone_list_free_insert(struct nsd_options* opt, int linesize, off_t off) 444 { 445 struct zonelist_free* e; 446 struct zonelist_bucket* b = (struct zonelist_bucket*)rbtree_search( 447 opt->zonefree, &linesize); 448 if(!b) { 449 b = region_alloc_zero(opt->region, sizeof(*b)); 450 b->linesize = linesize; 451 b->node = *RBTREE_NULL; 452 b->node.key = &b->linesize; 453 rbtree_insert(opt->zonefree, &b->node); 454 } 455 e = (struct zonelist_free*)region_alloc_zero(opt->region, sizeof(*e)); 456 e->next = b->list; 457 b->list = e; 458 e->off = off; 459 opt->zonefree_number++; 460 } 461 462 static struct zone_options* 463 zone_list_member_zone_insert(struct nsd_options* opt, const char* nm, 464 const char* patnm, int linesize, off_t off, const char* mem_idnm, 465 new_member_id_type new_member_id) 466 { 467 struct pattern_options* pat = pattern_options_find(opt, patnm); 468 struct catalog_member_zone* cmz = NULL; 469 struct zone_options* zone; 470 char member_id_str[MAXDOMAINLEN * 5 + 3] = "ERROR!"; 471 DEBUG(DEBUG_XFRD, 2, (LOG_INFO, "zone_list_zone_insert(\"%s\", \"%s\"" 472 ", %d, \"%s\")", nm, patnm, linesize, 473 (mem_idnm ? mem_idnm : "<NULL>"))); 474 if(!pat) { 475 log_msg(LOG_ERR, "pattern does not exist for zone %s " 476 "pattern %s", nm, patnm); 477 return NULL; 478 } 479 zone = pat->catalog_producer_zone 480 ? &(cmz = catalog_member_zone_create(opt->region))->options 481 : zone_options_create(opt->region); 482 zone->part_of_config = 0; 483 zone->name = region_strdup(opt->region, nm); 484 zone->linesize = linesize; 485 zone->off = off; 486 zone->pattern = pat; 487 if(!nsd_options_insert_zone(opt, zone)) { 488 log_msg(LOG_ERR, "bad domain name or duplicate zone '%s' " 489 "pattern %s", nm, patnm); 490 region_recycle(opt->region, (void*)zone->name, strlen(nm)+1); 491 region_recycle(opt->region, zone, sizeof(*zone)); 492 return NULL; 493 } 494 if(!mem_idnm) { 495 if(cmz && new_member_id) 496 new_member_id(cmz); 497 if(cmz && cmz->member_id) { 498 /* Assume all bytes of member_id are printable. 499 * plus 1 for space 500 */ 501 zone->linesize += label_length(dname_name(cmz->member_id)) + 1; 502 DEBUG(DEBUG_XFRD, 2, (LOG_INFO, "new linesize: %d", 503 (int)zone->linesize)); 504 } 505 } else if(!cmz) 506 log_msg(LOG_ERR, "member ID '%s' given, but no catalog-producer-" 507 "zone value provided in zone '%s' or pattern '%s'", 508 mem_idnm, nm, patnm); 509 510 else if(snprintf(member_id_str, sizeof(member_id_str), 511 "%s.zones.%s", mem_idnm, pat->catalog_producer_zone) >= 512 (int)sizeof(member_id_str)) 513 log_msg(LOG_ERR, "syntax error in member ID '%s.zones.%s' for " 514 "zone '%s'", mem_idnm, pat->catalog_producer_zone, nm); 515 516 else if(!(cmz->member_id = dname_parse(opt->region, member_id_str))) 517 log_msg(LOG_ERR, "parse error in member ID '%s' for " 518 "zone '%s'", member_id_str, nm); 519 return zone; 520 } 521 522 struct zone_options* 523 zone_list_zone_insert(struct nsd_options* opt,const char* nm,const char* patnm) 524 { 525 return zone_list_member_zone_insert(opt, nm, patnm, 0, 0, NULL, NULL); 526 } 527 528 int 529 parse_zone_list_file(struct nsd_options* opt) 530 { 531 /* zonelist looks like this: 532 # name pattern 533 add example.com master 534 del example.net slave 535 add foo.bar.nl slave 536 add rutabaga.uk config 537 */ 538 char hdr[64]; 539 char buf[1024]; 540 541 /* create empty data structures */ 542 opt->zonefree = rbtree_create(opt->region, comp_zonebucket); 543 opt->zonelist = NULL; 544 opt->zonefree_number = 0; 545 opt->zonelist_off = 0; 546 547 /* try to open the zonelist file, an empty or nonexist file is OK */ 548 opt->zonelist = fopen(opt->zonelistfile, "r+"); 549 if(!opt->zonelist) { 550 if(errno == ENOENT) 551 return 1; /* file does not exist, it is created later */ 552 log_msg(LOG_ERR, "could not open zone list %s: %s", opt->zonelistfile, 553 strerror(errno)); 554 return 0; 555 } 556 /* read header */ 557 hdr[strlen(ZONELIST_HEADER)] = 0; 558 if(fread(hdr, 1, strlen(ZONELIST_HEADER), opt->zonelist) != 559 strlen(ZONELIST_HEADER) || strncmp(hdr, ZONELIST_HEADER, 560 strlen(ZONELIST_HEADER)) != 0) { 561 log_msg(LOG_ERR, "zone list %s contains bad header\n", opt->zonelistfile); 562 fclose(opt->zonelist); 563 opt->zonelist = NULL; 564 return 0; 565 } 566 buf[sizeof(buf)-1]=0; 567 568 /* read entries in file */ 569 while(fgets(buf, sizeof(buf), opt->zonelist)) { 570 /* skip comments and empty lines */ 571 if(buf[0] == 0 || buf[0] == '\n' || buf[0] == '#') 572 continue; 573 if(strncmp(buf, "add ", 4) == 0) { 574 int linesize = strlen(buf); 575 /* parse the 'add' line */ 576 /* pick last space on the line, so that the domain 577 * name can have a space in it (but not the pattern)*/ 578 char* space = strrchr(buf+4, ' '); 579 char* nm, *patnm; 580 if(!space) { 581 /* parse error */ 582 log_msg(LOG_ERR, "parse error in %s: '%s'", 583 opt->zonelistfile, buf); 584 continue; 585 } 586 nm = buf+4; 587 *space = 0; 588 patnm = space+1; 589 if(linesize && buf[linesize-1] == '\n') 590 buf[linesize-1] = 0; 591 592 /* store offset and line size for zone entry */ 593 /* and create zone entry in zonetree */ 594 (void)zone_list_member_zone_insert(opt, nm, patnm, 595 linesize, ftello(opt->zonelist)-linesize, 596 NULL, NULL); 597 598 } else if(strncmp(buf, "cat ", 4) == 0) { 599 int linesize = strlen(buf); 600 /* parse the 'add' line */ 601 /* pick last space on the line, so that the domain 602 * name can have a space in it (but not the pattern)*/ 603 char* nm = buf + 4; 604 char* mem_idnm = strrchr(nm, ' '), *patnm; 605 if(!mem_idnm) { 606 /* parse error */ 607 log_msg(LOG_ERR, "parse error in %s: '%s'", 608 opt->zonelistfile, buf); 609 continue; 610 } 611 *mem_idnm++ = 0; 612 patnm = strrchr(nm, ' '); 613 if(!patnm) { 614 *--mem_idnm = ' '; 615 /* parse error */ 616 log_msg(LOG_ERR, "parse error in %s: '%s'", 617 opt->zonelistfile, buf); 618 continue; 619 } 620 *patnm++ = 0; 621 if(linesize && buf[linesize-1] == '\n') 622 buf[linesize-1] = 0; 623 624 /* store offset and line size for zone entry */ 625 /* and create zone entry in zonetree */ 626 (void)zone_list_member_zone_insert(opt, nm, patnm, 627 linesize, ftello(opt->zonelist)-linesize, 628 mem_idnm, NULL); 629 630 } else if(strncmp(buf, "del ", 4) == 0) { 631 /* store offset and line size for deleted entry */ 632 int linesize = strlen(buf); 633 zone_list_free_insert(opt, linesize, 634 ftello(opt->zonelist)-linesize); 635 } else { 636 log_msg(LOG_WARNING, "bad data in %s, '%s'", opt->zonelistfile, 637 buf); 638 } 639 } 640 /* store EOF offset */ 641 opt->zonelist_off = ftello(opt->zonelist); 642 return 1; 643 } 644 645 void 646 zone_options_delete(struct nsd_options* opt, struct zone_options* zone) 647 { 648 struct catalog_member_zone* member_zone = as_catalog_member_zone(zone); 649 650 rbtree_delete(opt->zone_options, zone->node.key); 651 region_recycle(opt->region, (void*)zone->node.key, dname_total_size( 652 (dname_type*)zone->node.key)); 653 if(!member_zone) { 654 region_recycle(opt->region, zone, sizeof(*zone)); 655 return; 656 } 657 /* Because catalog member zones are in xfrd only deleted through 658 * catalog_del_consumer_member_zone() or through 659 * xfrd_del_catalog_producer_member(), which both clear the node, 660 * and because member zones in the main and serve processes are not 661 * indexed, *member_zone->node == *RBTREE_NULL. 662 * member_id is cleared too by those delete function, but there may be 663 * leftover member_id's from the initial zone.list processing, which 664 * made it to the main and serve processes. 665 */ 666 assert(!memcmp(&member_zone->node, RBTREE_NULL, sizeof(*RBTREE_NULL))); 667 if(member_zone->member_id) { 668 region_recycle(opt->region, (void*)member_zone->member_id, 669 dname_total_size(member_zone->member_id)); 670 } 671 region_recycle(opt->region, member_zone, sizeof(*member_zone)); 672 } 673 674 675 /* add a new zone to the zonelist */ 676 struct zone_options* 677 zone_list_add_or_cat(struct nsd_options* opt, const char* zname, 678 const char* pname, new_member_id_type new_member_id) 679 { 680 int r; 681 struct zonelist_free* e; 682 struct zonelist_bucket* b; 683 char zone_list_line[6 + 5 * MAXDOMAINLEN + 2024 + 65]; 684 struct catalog_member_zone* cmz; 685 686 /* create zone entry */ 687 struct zone_options* zone = zone_list_member_zone_insert( 688 opt, zname, pname, 6 + strlen(zname) + strlen(pname), 689 0, NULL, new_member_id); 690 if(!zone) 691 return NULL; 692 693 if(zone_is_catalog_producer_member(zone) 694 && (cmz = as_catalog_member_zone(zone)) 695 && cmz->member_id) { 696 snprintf(zone_list_line, sizeof(zone_list_line), 697 "cat %s %s %.*s\n", zname, pname, 698 (int)label_length(dname_name(cmz->member_id)), 699 (const char*)dname_name(cmz->member_id) + 1); 700 } else { 701 snprintf(zone_list_line, sizeof(zone_list_line), 702 "add %s %s\n", zname, pname); 703 } 704 /* use free entry or append to file or create new file */ 705 if(!opt->zonelist || opt->zonelist_off == 0) { 706 /* create new file */ 707 if(opt->zonelist) fclose(opt->zonelist); 708 opt->zonelist = fopen(opt->zonelistfile, "w+"); 709 if(!opt->zonelist) { 710 log_msg(LOG_ERR, "could not create zone list %s: %s", 711 opt->zonelistfile, strerror(errno)); 712 log_msg(LOG_ERR, "zone %s could not be added", zname); 713 zone_options_delete(opt, zone); 714 return NULL; 715 } 716 r = fprintf(opt->zonelist, ZONELIST_HEADER); 717 if(r != strlen(ZONELIST_HEADER)) { 718 if(r == -1) 719 log_msg(LOG_ERR, "could not write to %s: %s", 720 opt->zonelistfile, strerror(errno)); 721 else log_msg(LOG_ERR, "partial write to %s: disk full", 722 opt->zonelistfile); 723 log_msg(LOG_ERR, "zone %s could not be added", zname); 724 zone_options_delete(opt, zone); 725 return NULL; 726 } 727 zone->off = ftello(opt->zonelist); 728 if(zone->off == -1) 729 log_msg(LOG_ERR, "ftello(%s): %s", opt->zonelistfile, strerror(errno)); 730 r = fprintf(opt->zonelist, "%s", zone_list_line); 731 if(r != zone->linesize) { 732 if(r == -1) 733 log_msg(LOG_ERR, "could not write to %s: %s", 734 opt->zonelistfile, strerror(errno)); 735 else log_msg(LOG_ERR, "partial write to %s: disk full", 736 opt->zonelistfile); 737 log_msg(LOG_ERR, "zone %s could not be added", zname); 738 zone_options_delete(opt, zone); 739 return NULL; 740 } 741 opt->zonelist_off = ftello(opt->zonelist); 742 if(opt->zonelist_off == -1) 743 log_msg(LOG_ERR, "ftello(%s): %s", opt->zonelistfile, strerror(errno)); 744 if(fflush(opt->zonelist) != 0) { 745 log_msg(LOG_ERR, "fflush %s: %s", opt->zonelistfile, strerror(errno)); 746 } 747 return zone; 748 } 749 b = (struct zonelist_bucket*)rbtree_search(opt->zonefree, 750 &zone->linesize); 751 if(!b || b->list == NULL) { 752 /* no empty place, append to file */ 753 zone->off = opt->zonelist_off; 754 if(fseeko(opt->zonelist, zone->off, SEEK_SET) == -1) { 755 log_msg(LOG_ERR, "fseeko(%s): %s", opt->zonelistfile, strerror(errno)); 756 log_msg(LOG_ERR, "zone %s could not be added", zname); 757 zone_options_delete(opt, zone); 758 return NULL; 759 } 760 r = fprintf(opt->zonelist, "%s", zone_list_line); 761 if(r != zone->linesize) { 762 if(r == -1) 763 log_msg(LOG_ERR, "could not write to %s: %s", 764 opt->zonelistfile, strerror(errno)); 765 else log_msg(LOG_ERR, "partial write to %s: disk full", 766 opt->zonelistfile); 767 log_msg(LOG_ERR, "zone %s could not be added", zname); 768 zone_options_delete(opt, zone); 769 return NULL; 770 } 771 opt->zonelist_off += zone->linesize; 772 if(fflush(opt->zonelist) != 0) { 773 log_msg(LOG_ERR, "fflush %s: %s", opt->zonelistfile, strerror(errno)); 774 } 775 return zone; 776 } 777 /* reuse empty spot */ 778 e = b->list; 779 zone->off = e->off; 780 if(fseeko(opt->zonelist, zone->off, SEEK_SET) == -1) { 781 log_msg(LOG_ERR, "fseeko(%s): %s", opt->zonelistfile, strerror(errno)); 782 log_msg(LOG_ERR, "zone %s could not be added", zname); 783 zone_options_delete(opt, zone); 784 return NULL; 785 } 786 r = fprintf(opt->zonelist, "%s", zone_list_line); 787 if(r != zone->linesize) { 788 if(r == -1) 789 log_msg(LOG_ERR, "could not write to %s: %s", 790 opt->zonelistfile, strerror(errno)); 791 else log_msg(LOG_ERR, "partial write to %s: disk full", 792 opt->zonelistfile); 793 log_msg(LOG_ERR, "zone %s could not be added", zname); 794 zone_options_delete(opt, zone); 795 return NULL; 796 } 797 if(fflush(opt->zonelist) != 0) { 798 log_msg(LOG_ERR, "fflush %s: %s", opt->zonelistfile, strerror(errno)); 799 } 800 801 /* snip off and recycle element */ 802 b->list = e->next; 803 region_recycle(opt->region, e, sizeof(*e)); 804 if(b->list == NULL) { 805 rbtree_delete(opt->zonefree, &b->linesize); 806 region_recycle(opt->region, b, sizeof(*b)); 807 } 808 opt->zonefree_number--; 809 return zone; 810 } 811 812 /* remove a zone on the zonelist */ 813 void 814 zone_list_del(struct nsd_options* opt, struct zone_options* zone) 815 { 816 if (zone_is_catalog_consumer_member(zone)) { 817 /* catalog consumer member zones are not in the zones.list file */ 818 zone_options_delete(opt, zone); 819 return; 820 } 821 /* put its space onto the free entry */ 822 if(fseeko(opt->zonelist, zone->off, SEEK_SET) == -1) { 823 log_msg(LOG_ERR, "fseeko(%s): %s", opt->zonelistfile, strerror(errno)); 824 return; 825 } 826 fprintf(opt->zonelist, "del"); 827 zone_list_free_insert(opt, zone->linesize, zone->off); 828 829 /* remove zone_options */ 830 zone_options_delete(opt, zone); 831 832 /* see if we need to compact: it is going to halve the zonelist */ 833 if(opt->zonefree_number > opt->zone_options->count) { 834 zone_list_compact(opt); 835 } else { 836 if(fflush(opt->zonelist) != 0) { 837 log_msg(LOG_ERR, "fflush %s: %s", opt->zonelistfile, strerror(errno)); 838 } 839 } 840 } 841 /* postorder delete of zonelist free space tree */ 842 static void 843 delbucket(region_type* region, struct zonelist_bucket* b) 844 { 845 struct zonelist_free* e, *f; 846 if(!b || (rbnode_type*)b==RBTREE_NULL) 847 return; 848 delbucket(region, (struct zonelist_bucket*)b->node.left); 849 delbucket(region, (struct zonelist_bucket*)b->node.right); 850 e = b->list; 851 while(e) { 852 f = e->next; 853 region_recycle(region, e, sizeof(*e)); 854 e = f; 855 } 856 region_recycle(region, b, sizeof(*b)); 857 } 858 859 /* compact zonelist file */ 860 void 861 zone_list_compact(struct nsd_options* opt) 862 { 863 char outname[1024]; 864 FILE* out; 865 struct zone_options* zone; 866 off_t off; 867 int r; 868 snprintf(outname, sizeof(outname), "%s~", opt->zonelistfile); 869 /* useful, when : count-of-free > count-of-used */ 870 /* write zonelist to zonelist~ */ 871 out = fopen(outname, "w+"); 872 if(!out) { 873 log_msg(LOG_ERR, "could not open %s: %s", outname, strerror(errno)); 874 return; 875 } 876 r = fprintf(out, ZONELIST_HEADER); 877 if(r == -1) { 878 log_msg(LOG_ERR, "write %s failed: %s", outname, 879 strerror(errno)); 880 fclose(out); 881 return; 882 } else if(r != strlen(ZONELIST_HEADER)) { 883 log_msg(LOG_ERR, "write %s was partial: disk full", 884 outname); 885 fclose(out); 886 return; 887 } 888 off = ftello(out); 889 if(off == -1) { 890 log_msg(LOG_ERR, "ftello(%s): %s", outname, strerror(errno)); 891 fclose(out); 892 return; 893 } 894 RBTREE_FOR(zone, struct zone_options*, opt->zone_options) { 895 struct catalog_member_zone* cmz; 896 897 if(zone->part_of_config) 898 continue; 899 if(zone_is_catalog_producer_member(zone) 900 && (cmz = as_catalog_member_zone(zone)) 901 && cmz->member_id) { 902 r = fprintf(out, "cat %s %s %.*s\n", zone->name, 903 zone->pattern->pname, 904 (int)label_length(dname_name(cmz->member_id)), 905 (const char*)dname_name(cmz->member_id) + 1); 906 } else { 907 r = fprintf(out, "add %s %s\n", zone->name, 908 zone->pattern->pname); 909 } 910 if(r < 0) { 911 log_msg(LOG_ERR, "write %s failed: %s", outname, 912 strerror(errno)); 913 fclose(out); 914 return; 915 } else if(r != zone->linesize) { 916 log_msg(LOG_ERR, "write %s was partial: disk full", 917 outname); 918 fclose(out); 919 return; 920 } 921 } 922 if(fflush(out) != 0) { 923 log_msg(LOG_ERR, "fflush %s: %s", outname, strerror(errno)); 924 } 925 926 /* rename zonelist~ onto zonelist */ 927 if(rename(outname, opt->zonelistfile) == -1) { 928 log_msg(LOG_ERR, "rename(%s to %s) failed: %s", 929 outname, opt->zonelistfile, strerror(errno)); 930 fclose(out); 931 return; 932 } 933 fclose(opt->zonelist); 934 /* set offsets */ 935 RBTREE_FOR(zone, struct zone_options*, opt->zone_options) { 936 if(zone->part_of_config) 937 continue; 938 zone->off = off; 939 off += zone->linesize; 940 } 941 /* empty the free tree */ 942 delbucket(opt->region, (struct zonelist_bucket*)opt->zonefree->root); 943 opt->zonefree->root = RBTREE_NULL; 944 opt->zonefree->count = 0; 945 opt->zonefree_number = 0; 946 /* finish */ 947 opt->zonelist = out; 948 opt->zonelist_off = off; 949 } 950 951 /* close zonelist file */ 952 void 953 zone_list_close(struct nsd_options* opt) 954 { 955 if(opt->zonelist) { 956 fclose(opt->zonelist); 957 opt->zonelist = NULL; 958 } 959 } 960 961 static void 962 c_error_va_list_pos(int showpos, const char* fmt, va_list args) 963 { 964 char* at = NULL; 965 cfg_parser->errors++; 966 if(showpos && c_text && c_text[0]!=0) { 967 at = c_text; 968 } 969 if(cfg_parser->err) { 970 char m[MAXSYSLOGMSGLEN]; 971 snprintf(m, sizeof(m), "%s:%d: ", cfg_parser->filename, 972 cfg_parser->line); 973 (*cfg_parser->err)(cfg_parser->err_arg, m); 974 if(at) { 975 snprintf(m, sizeof(m), "at '%s': ", at); 976 (*cfg_parser->err)(cfg_parser->err_arg, m); 977 } 978 (*cfg_parser->err)(cfg_parser->err_arg, "error: "); 979 vsnprintf(m, sizeof(m), fmt, args); 980 (*cfg_parser->err)(cfg_parser->err_arg, m); 981 (*cfg_parser->err)(cfg_parser->err_arg, "\n"); 982 return; 983 } 984 fprintf(stderr, "%s:%d: ", cfg_parser->filename, cfg_parser->line); 985 if(at) fprintf(stderr, "at '%s': ", at); 986 fprintf(stderr, "error: "); 987 vfprintf(stderr, fmt, args); 988 fprintf(stderr, "\n"); 989 } 990 991 void 992 c_error(const char *fmt, ...) 993 { 994 va_list ap; 995 int showpos = 0; 996 997 if (strcmp(fmt, "syntax error") == 0 || strcmp(fmt, "parse error") == 0) { 998 showpos = 1; 999 } 1000 1001 va_start(ap, fmt); 1002 c_error_va_list_pos(showpos, fmt, ap); 1003 va_end(ap); 1004 } 1005 1006 int 1007 c_wrap(void) 1008 { 1009 return 1; 1010 } 1011 1012 struct zone_options* 1013 zone_options_create(region_type* region) 1014 { 1015 struct zone_options* zone; 1016 zone = (struct zone_options*)region_alloc(region, sizeof( 1017 struct zone_options)); 1018 zone->node = *RBTREE_NULL; 1019 zone->name = 0; 1020 zone->pattern = 0; 1021 zone->part_of_config = 0; 1022 zone->is_catalog_member_zone = 0; 1023 return zone; 1024 } 1025 1026 struct catalog_member_zone* 1027 catalog_member_zone_create(region_type* region) 1028 { 1029 struct catalog_member_zone* member_zone; 1030 member_zone = (struct catalog_member_zone*)region_alloc(region, 1031 sizeof(struct catalog_member_zone)); 1032 member_zone->options.node = *RBTREE_NULL; 1033 member_zone->options.name = 0; 1034 member_zone->options.pattern = 0; 1035 member_zone->options.part_of_config = 0; 1036 member_zone->options.is_catalog_member_zone = 1; 1037 member_zone->member_id = NULL; 1038 member_zone->node = *RBTREE_NULL; 1039 return member_zone; 1040 } 1041 1042 /* true is booleans are the same truth value */ 1043 #define booleq(x,y) ( ((x) && (y)) || (!(x) && !(y)) ) 1044 1045 /* true is min_expire_time_expr has either an equal known value 1046 * or none of these known values but booleanally equal 1047 */ 1048 #define expire_expr_eq(x,y) ( ( (x) == REFRESHPLUSRETRYPLUS1 \ 1049 && (y) == REFRESHPLUSRETRYPLUS1 ) \ 1050 || ( (x) != REFRESHPLUSRETRYPLUS1 \ 1051 && (y) != REFRESHPLUSRETRYPLUS1 \ 1052 && booleq((x), (y)))) 1053 1054 1055 int 1056 acl_equal(struct acl_options* p, struct acl_options* q) 1057 { 1058 if(!booleq(p->use_axfr_only, q->use_axfr_only)) return 0; 1059 if(!booleq(p->allow_udp, q->allow_udp)) return 0; 1060 if(strcmp(p->ip_address_spec, q->ip_address_spec)!=0) return 0; 1061 /* the ip6, port, addr, mask, type: are derived from the ip_address_spec */ 1062 if(!booleq(p->nokey, q->nokey)) return 0; 1063 if(!booleq(p->blocked, q->blocked)) return 0; 1064 if(p->key_name && q->key_name) { 1065 if(strcmp(p->key_name, q->key_name)!=0) return 0; 1066 } else if(p->key_name && !q->key_name) return 0; 1067 else if(!p->key_name && q->key_name) return 0; 1068 /* key_options is derived from key_name */ 1069 if(p->tls_auth_name && q->tls_auth_name) { 1070 if(strcmp(p->tls_auth_name, q->tls_auth_name)!=0) return 0; 1071 } else if(p->tls_auth_name && !q->tls_auth_name) return 0; 1072 else if(!p->tls_auth_name && q->tls_auth_name) return 0; 1073 /* tls_auth_options is derived from tls_auth_name */ 1074 return 1; 1075 } 1076 1077 int 1078 acl_list_equal(struct acl_options* p, struct acl_options* q) 1079 { 1080 /* must be same and in same order */ 1081 while(p && q) { 1082 if(!acl_equal(p, q)) 1083 return 0; 1084 p = p->next; 1085 q = q->next; 1086 } 1087 if(!p && !q) return 1; 1088 /* different lengths */ 1089 return 0; 1090 } 1091 1092 struct pattern_options* 1093 pattern_options_create(region_type* region) 1094 { 1095 struct pattern_options* p; 1096 p = (struct pattern_options*)region_alloc(region, sizeof( 1097 struct pattern_options)); 1098 p->node = *RBTREE_NULL; 1099 p->pname = 0; 1100 p->zonefile = 0; 1101 p->zonestats = 0; 1102 p->allow_notify = 0; 1103 p->request_xfr = 0; 1104 p->size_limit_xfr = 0; 1105 p->notify = 0; 1106 p->provide_xfr = 0; 1107 p->allow_query = 0; 1108 p->outgoing_interface = 0; 1109 p->notify_retry = 5; 1110 p->notify_retry_is_default = 1; 1111 p->allow_axfr_fallback = 1; 1112 p->allow_axfr_fallback_is_default = 1; 1113 p->implicit = 0; 1114 p->xfrd_flags = 0; 1115 p->max_refresh_time = 2419200; /* 4 weeks */ 1116 p->max_refresh_time_is_default = 1; 1117 p->min_refresh_time = 0; 1118 p->min_refresh_time_is_default = 1; 1119 p->max_retry_time = 1209600; /* 2 weeks */ 1120 p->max_retry_time_is_default = 1; 1121 p->min_retry_time = 0; 1122 p->min_retry_time_is_default = 1; 1123 p->min_expire_time = 0; 1124 p->min_expire_time_expr = EXPIRE_TIME_IS_DEFAULT; 1125 #ifdef RATELIMIT 1126 p->rrl_whitelist = 0; 1127 #endif 1128 p->multi_primary_check = 0; 1129 p->store_ixfr = 0; 1130 p->store_ixfr_is_default = 1; 1131 p->ixfr_size = IXFR_SIZE_DEFAULT; 1132 p->ixfr_size_is_default = 1; 1133 p->ixfr_number = IXFR_NUMBER_DEFAULT; 1134 p->ixfr_number_is_default = 1; 1135 p->create_ixfr = 0; 1136 p->create_ixfr_is_default = 1; 1137 p->verify_zone = VERIFY_ZONE_INHERIT; 1138 p->verify_zone_is_default = 1; 1139 p->verifier = NULL; 1140 p->verifier_feed_zone = VERIFIER_FEED_ZONE_INHERIT; 1141 p->verifier_feed_zone_is_default = 1; 1142 p->verifier_timeout = VERIFIER_TIMEOUT_INHERIT; 1143 p->verifier_timeout_is_default = 1; 1144 p->catalog_role = CATALOG_ROLE_INHERIT; 1145 p->catalog_role_is_default = 1; 1146 p->catalog_member_pattern = NULL; 1147 p->catalog_producer_zone = NULL; 1148 return p; 1149 } 1150 1151 static void 1152 acl_delete(region_type* region, struct acl_options* acl) 1153 { 1154 if(acl->ip_address_spec) 1155 region_recycle(region, (void*)acl->ip_address_spec, 1156 strlen(acl->ip_address_spec)+1); 1157 if(acl->key_name) 1158 region_recycle(region, (void*)acl->key_name, 1159 strlen(acl->key_name)+1); 1160 if(acl->tls_auth_name) 1161 region_recycle(region, (void*)acl->tls_auth_name, 1162 strlen(acl->tls_auth_name)+1); 1163 /* key_options is a convenience pointer, not owned by the acl */ 1164 region_recycle(region, acl, sizeof(*acl)); 1165 } 1166 1167 static void 1168 acl_list_delete(region_type* region, struct acl_options* list) 1169 { 1170 struct acl_options* n; 1171 while(list) { 1172 n = list->next; 1173 acl_delete(region, list); 1174 list = n; 1175 } 1176 } 1177 1178 static void 1179 verifier_delete(region_type* region, char **v) 1180 { 1181 if(v != NULL) { 1182 size_t vc = 0; 1183 for(vc = 0; v[vc] != NULL; vc++) 1184 region_recycle(region, v[vc], strlen(v[vc]) + 1); 1185 region_recycle(region, v, (vc + 1) * sizeof(char *)); 1186 } 1187 } 1188 1189 void 1190 pattern_options_remove(struct nsd_options* opt, const char* name) 1191 { 1192 struct pattern_options* p = (struct pattern_options*)rbtree_delete( 1193 opt->patterns, name); 1194 /* delete p and its contents */ 1195 if (!p) 1196 return; 1197 if(p->pname) 1198 region_recycle(opt->region, (void*)p->pname, 1199 strlen(p->pname)+1); 1200 if(p->zonefile) 1201 region_recycle(opt->region, (void*)p->zonefile, 1202 strlen(p->zonefile)+1); 1203 if(p->zonestats) 1204 region_recycle(opt->region, (void*)p->zonestats, 1205 strlen(p->zonestats)+1); 1206 acl_list_delete(opt->region, p->allow_notify); 1207 acl_list_delete(opt->region, p->request_xfr); 1208 acl_list_delete(opt->region, p->notify); 1209 acl_list_delete(opt->region, p->provide_xfr); 1210 acl_list_delete(opt->region, p->allow_query); 1211 acl_list_delete(opt->region, p->outgoing_interface); 1212 verifier_delete(opt->region, p->verifier); 1213 1214 region_recycle(opt->region, p, sizeof(struct pattern_options)); 1215 } 1216 1217 static struct acl_options* 1218 copy_acl(region_type* region, struct acl_options* a) 1219 { 1220 struct acl_options* b; 1221 if(!a) return NULL; 1222 b = (struct acl_options*)region_alloc(region, sizeof(*b)); 1223 /* copy the whole lot */ 1224 *b = *a; 1225 /* fix the pointers */ 1226 if(a->ip_address_spec) 1227 b->ip_address_spec = region_strdup(region, a->ip_address_spec); 1228 if(a->key_name) 1229 b->key_name = region_strdup(region, a->key_name); 1230 if(a->tls_auth_name) 1231 b->tls_auth_name = region_strdup(region, a->tls_auth_name); 1232 b->next = NULL; 1233 b->key_options = NULL; 1234 b->tls_auth_options = NULL; 1235 return b; 1236 } 1237 1238 static struct acl_options* 1239 copy_acl_list(struct nsd_options* opt, struct acl_options* a) 1240 { 1241 struct acl_options* b, *blast = NULL, *blist = NULL; 1242 while(a) { 1243 b = copy_acl(opt->region, a); 1244 /* fixup key_options */ 1245 if(b->key_name) 1246 b->key_options = key_options_find(opt, b->key_name); 1247 else b->key_options = NULL; 1248 /* fixup tls_auth_options */ 1249 if(b->tls_auth_name) 1250 b->tls_auth_options = tls_auth_options_find(opt, b->tls_auth_name); 1251 else b->tls_auth_options = NULL; 1252 1253 /* link as last into list */ 1254 b->next = NULL; 1255 if(!blist) blist = b; 1256 else blast->next = b; 1257 blast = b; 1258 1259 a = a->next; 1260 } 1261 return blist; 1262 } 1263 1264 static void 1265 copy_changed_acl(struct nsd_options* opt, struct acl_options** orig, 1266 struct acl_options* anew) 1267 { 1268 if(!acl_list_equal(*orig, anew)) { 1269 acl_list_delete(opt->region, *orig); 1270 *orig = copy_acl_list(opt, anew); 1271 } 1272 } 1273 1274 static void 1275 copy_changed_verifier(struct nsd_options* opt, char ***ov, char **nv) 1276 { 1277 size_t ovc, nvc; 1278 assert(ov != NULL); 1279 ovc = nvc = 0; 1280 if(nv != NULL) { 1281 for(; nv[nvc] != NULL; nvc++) ; 1282 } else { 1283 verifier_delete(opt->region, *ov); 1284 *ov = NULL; 1285 return; 1286 } 1287 if(*ov != NULL) { 1288 for(; (*ov)[ovc] != NULL; ovc++) { 1289 if(ovc < nvc && strcmp((*ov)[ovc], nv[ovc]) != 0) 1290 break; 1291 } 1292 if(ovc == nvc) 1293 return; 1294 verifier_delete(opt->region, *ov); 1295 *ov = NULL; 1296 } 1297 *ov = region_alloc(opt->region, (nvc + 1) * sizeof(*nv)); 1298 for(ovc = 0; nv[ovc] != NULL; ovc++) { 1299 (*ov)[ovc] = region_strdup(opt->region, nv[ovc]); 1300 } 1301 (*ov)[ovc] = NULL; 1302 assert(ovc == nvc); 1303 } 1304 1305 static void 1306 copy_pat_fixed(region_type* region, struct pattern_options* orig, 1307 struct pattern_options* p) 1308 { 1309 orig->allow_axfr_fallback = p->allow_axfr_fallback; 1310 orig->allow_axfr_fallback_is_default = 1311 p->allow_axfr_fallback_is_default; 1312 orig->notify_retry = p->notify_retry; 1313 orig->notify_retry_is_default = p->notify_retry_is_default; 1314 orig->implicit = p->implicit; 1315 if(p->zonefile) 1316 orig->zonefile = region_strdup(region, p->zonefile); 1317 else orig->zonefile = NULL; 1318 if(p->zonestats) 1319 orig->zonestats = region_strdup(region, p->zonestats); 1320 else orig->zonestats = NULL; 1321 orig->max_refresh_time = p->max_refresh_time; 1322 orig->max_refresh_time_is_default = p->max_refresh_time_is_default; 1323 orig->min_refresh_time = p->min_refresh_time; 1324 orig->min_refresh_time_is_default = p->min_refresh_time_is_default; 1325 orig->max_retry_time = p->max_retry_time; 1326 orig->max_retry_time_is_default = p->max_retry_time_is_default; 1327 orig->min_retry_time = p->min_retry_time; 1328 orig->min_retry_time_is_default = p->min_retry_time_is_default; 1329 orig->min_expire_time = p->min_expire_time; 1330 orig->min_expire_time_expr = p->min_expire_time_expr; 1331 #ifdef RATELIMIT 1332 orig->rrl_whitelist = p->rrl_whitelist; 1333 #endif 1334 orig->multi_primary_check = p->multi_primary_check; 1335 orig->store_ixfr = p->store_ixfr; 1336 orig->store_ixfr_is_default = p->store_ixfr_is_default; 1337 orig->ixfr_size = p->ixfr_size; 1338 orig->ixfr_size_is_default = p->ixfr_size_is_default; 1339 orig->ixfr_number = p->ixfr_number; 1340 orig->ixfr_number_is_default = p->ixfr_number_is_default; 1341 orig->create_ixfr = p->create_ixfr; 1342 orig->create_ixfr_is_default = p->create_ixfr_is_default; 1343 orig->verify_zone = p->verify_zone; 1344 orig->verify_zone_is_default = p->verify_zone_is_default; 1345 orig->verifier_timeout = p->verifier_timeout; 1346 orig->verifier_timeout_is_default = p->verifier_timeout_is_default; 1347 orig->verifier_feed_zone = p->verifier_feed_zone; 1348 orig->verifier_feed_zone_is_default = p->verifier_feed_zone_is_default; 1349 orig->catalog_role = p->catalog_role; 1350 orig->catalog_role_is_default = p->catalog_role_is_default; 1351 if(p->catalog_member_pattern) 1352 orig->catalog_member_pattern = 1353 region_strdup(region, p->catalog_member_pattern); 1354 else orig->catalog_member_pattern = NULL; 1355 if(p->catalog_producer_zone) 1356 orig->catalog_producer_zone = 1357 region_strdup(region, p->catalog_producer_zone); 1358 else orig->catalog_producer_zone = NULL; 1359 } 1360 1361 void 1362 pattern_options_add_modify(struct nsd_options* opt, struct pattern_options* p) 1363 { 1364 struct pattern_options* orig = pattern_options_find(opt, p->pname); 1365 if(!orig) { 1366 /* needs to be copied to opt region */ 1367 orig = pattern_options_create(opt->region); 1368 orig->pname = region_strdup(opt->region, p->pname); 1369 copy_pat_fixed(opt->region, orig, p); 1370 orig->allow_notify = copy_acl_list(opt, p->allow_notify); 1371 orig->request_xfr = copy_acl_list(opt, p->request_xfr); 1372 orig->notify = copy_acl_list(opt, p->notify); 1373 orig->provide_xfr = copy_acl_list(opt, p->provide_xfr); 1374 orig->allow_query = copy_acl_list(opt, p->allow_query); 1375 orig->outgoing_interface = copy_acl_list(opt, 1376 p->outgoing_interface); 1377 copy_changed_verifier(opt, &orig->verifier, p->verifier); 1378 nsd_options_insert_pattern(opt, orig); 1379 } else { 1380 /* modify in place so pointers stay valid (and copy 1381 into region). Do not touch unchanged acls. */ 1382 if(orig->zonefile) 1383 region_recycle(opt->region, (char*)orig->zonefile, 1384 strlen(orig->zonefile)+1); 1385 if(orig->zonestats) 1386 region_recycle(opt->region, (char*)orig->zonestats, 1387 strlen(orig->zonestats)+1); 1388 copy_pat_fixed(opt->region, orig, p); 1389 copy_changed_acl(opt, &orig->allow_notify, p->allow_notify); 1390 copy_changed_acl(opt, &orig->request_xfr, p->request_xfr); 1391 copy_changed_acl(opt, &orig->notify, p->notify); 1392 copy_changed_acl(opt, &orig->provide_xfr, p->provide_xfr); 1393 copy_changed_acl(opt, &orig->allow_query, p->allow_query); 1394 copy_changed_acl(opt, &orig->outgoing_interface, 1395 p->outgoing_interface); 1396 copy_changed_verifier(opt, &orig->verifier, p->verifier); 1397 } 1398 } 1399 1400 struct pattern_options* 1401 pattern_options_find(struct nsd_options* opt, const char* name) 1402 { 1403 return (struct pattern_options*)rbtree_search(opt->patterns, name); 1404 } 1405 1406 static int 1407 pattern_verifiers_equal(const char **vp, const char **vq) 1408 { 1409 size_t vpc, vqc; 1410 if(vp == NULL) 1411 return vq == NULL; 1412 if(vq == NULL) 1413 return 0; 1414 for(vpc = 0; vp[vpc] != NULL; vpc++) ; 1415 for(vqc = 0; vq[vqc] != NULL; vqc++) ; 1416 if(vpc != vqc) 1417 return 0; 1418 for(vpc = 0; vp[vpc] != NULL; vpc++) { 1419 assert(vq[vpc] != NULL); 1420 if (strcmp(vp[vpc], vq[vpc]) != 0) 1421 return 0; 1422 } 1423 return 1; 1424 } 1425 1426 int 1427 pattern_options_equal(struct pattern_options* p, struct pattern_options* q) 1428 { 1429 if(strcmp(p->pname, q->pname) != 0) return 0; 1430 if(!p->zonefile && q->zonefile) return 0; 1431 else if(p->zonefile && !q->zonefile) return 0; 1432 else if(p->zonefile && q->zonefile) { 1433 if(strcmp(p->zonefile, q->zonefile) != 0) return 0; 1434 } 1435 if(!p->zonestats && q->zonestats) return 0; 1436 else if(p->zonestats && !q->zonestats) return 0; 1437 else if(p->zonestats && q->zonestats) { 1438 if(strcmp(p->zonestats, q->zonestats) != 0) return 0; 1439 } 1440 if(!booleq(p->allow_axfr_fallback, q->allow_axfr_fallback)) return 0; 1441 if(!booleq(p->allow_axfr_fallback_is_default, 1442 q->allow_axfr_fallback_is_default)) return 0; 1443 if(p->notify_retry != q->notify_retry) return 0; 1444 if(!booleq(p->notify_retry_is_default, 1445 q->notify_retry_is_default)) return 0; 1446 if(!booleq(p->implicit, q->implicit)) return 0; 1447 if(!acl_list_equal(p->allow_notify, q->allow_notify)) return 0; 1448 if(!acl_list_equal(p->request_xfr, q->request_xfr)) return 0; 1449 if(!acl_list_equal(p->notify, q->notify)) return 0; 1450 if(!acl_list_equal(p->provide_xfr, q->provide_xfr)) return 0; 1451 if(!acl_list_equal(p->allow_query, q->allow_query)) return 0; 1452 if(!acl_list_equal(p->outgoing_interface, q->outgoing_interface)) 1453 return 0; 1454 if(p->max_refresh_time != q->max_refresh_time) return 0; 1455 if(!booleq(p->max_refresh_time_is_default, 1456 q->max_refresh_time_is_default)) return 0; 1457 if(p->min_refresh_time != q->min_refresh_time) return 0; 1458 if(!booleq(p->min_refresh_time_is_default, 1459 q->min_refresh_time_is_default)) return 0; 1460 if(p->max_retry_time != q->max_retry_time) return 0; 1461 if(!booleq(p->max_retry_time_is_default, 1462 q->max_retry_time_is_default)) return 0; 1463 if(p->min_retry_time != q->min_retry_time) return 0; 1464 if(!booleq(p->min_retry_time_is_default, 1465 q->min_retry_time_is_default)) return 0; 1466 if(p->min_expire_time != q->min_expire_time) return 0; 1467 if(!expire_expr_eq(p->min_expire_time_expr, 1468 q->min_expire_time_expr)) return 0; 1469 #ifdef RATELIMIT 1470 if(p->rrl_whitelist != q->rrl_whitelist) return 0; 1471 #endif 1472 if(!booleq(p->multi_primary_check,q->multi_primary_check)) return 0; 1473 if(p->size_limit_xfr != q->size_limit_xfr) return 0; 1474 if(!booleq(p->store_ixfr,q->store_ixfr)) return 0; 1475 if(!booleq(p->store_ixfr_is_default,q->store_ixfr_is_default)) return 0; 1476 if(p->ixfr_size != q->ixfr_size) return 0; 1477 if(!booleq(p->ixfr_size_is_default,q->ixfr_size_is_default)) return 0; 1478 if(p->ixfr_number != q->ixfr_number) return 0; 1479 if(!booleq(p->ixfr_number_is_default,q->ixfr_number_is_default)) return 0; 1480 if(!booleq(p->create_ixfr,q->create_ixfr)) return 0; 1481 if(!booleq(p->create_ixfr_is_default,q->create_ixfr_is_default)) return 0; 1482 if(p->verify_zone != q->verify_zone) return 0; 1483 if(!booleq(p->verify_zone_is_default, 1484 q->verify_zone_is_default)) return 0; 1485 if(!pattern_verifiers_equal((const char **)p->verifier, 1486 (const char **)q->verifier)) return 0; 1487 if(p->verifier_feed_zone != q->verifier_feed_zone) return 0; 1488 if(!booleq(p->verifier_feed_zone_is_default, 1489 q->verifier_feed_zone_is_default)) return 0; 1490 if(p->verifier_timeout != q->verifier_timeout) return 0; 1491 if(!booleq(p->verifier_timeout_is_default, 1492 q->verifier_timeout_is_default)) return 0; 1493 if(p->catalog_role != q->catalog_role) return 0; 1494 if(!booleq(p->catalog_role_is_default, 1495 q->catalog_role_is_default)) return 0; 1496 if(!p->catalog_member_pattern && q->catalog_member_pattern) return 0; 1497 else if(p->catalog_member_pattern && !q->catalog_member_pattern) return 0; 1498 else if(p->catalog_member_pattern && q->catalog_member_pattern) { 1499 if(strcmp(p->catalog_member_pattern, q->catalog_member_pattern) != 0) return 0; 1500 } 1501 if(!p->catalog_producer_zone && q->catalog_producer_zone) return 0; 1502 else if(p->catalog_producer_zone && !q->catalog_producer_zone) return 0; 1503 else if(p->catalog_producer_zone && q->catalog_producer_zone) { 1504 if(strcmp(p->catalog_producer_zone, q->catalog_producer_zone) != 0) return 0; 1505 } 1506 return 1; 1507 } 1508 1509 static void 1510 marshal_u8(struct buffer* b, uint8_t v) 1511 { 1512 buffer_reserve(b, 1); 1513 buffer_write_u8(b, v); 1514 } 1515 1516 static uint8_t 1517 unmarshal_u8(struct buffer* b) 1518 { 1519 return buffer_read_u8(b); 1520 } 1521 1522 static void 1523 marshal_u64(struct buffer* b, uint64_t v) 1524 { 1525 buffer_reserve(b, 8); 1526 buffer_write_u64(b, v); 1527 } 1528 1529 static uint64_t 1530 unmarshal_u64(struct buffer* b) 1531 { 1532 return buffer_read_u64(b); 1533 } 1534 1535 #ifdef RATELIMIT 1536 static void 1537 marshal_u16(struct buffer* b, uint16_t v) 1538 { 1539 buffer_reserve(b, 2); 1540 buffer_write_u16(b, v); 1541 } 1542 #endif 1543 1544 #ifdef RATELIMIT 1545 static uint16_t 1546 unmarshal_u16(struct buffer* b) 1547 { 1548 return buffer_read_u16(b); 1549 } 1550 #endif 1551 1552 static void 1553 marshal_u32(struct buffer* b, uint32_t v) 1554 { 1555 buffer_reserve(b, 4); 1556 buffer_write_u32(b, v); 1557 } 1558 1559 static uint32_t 1560 unmarshal_u32(struct buffer* b) 1561 { 1562 return buffer_read_u32(b); 1563 } 1564 1565 static void 1566 marshal_str(struct buffer* b, const char* s) 1567 { 1568 if(!s) marshal_u8(b, 0); 1569 else { 1570 size_t len = strlen(s); 1571 marshal_u8(b, 1); 1572 buffer_reserve(b, len+1); 1573 buffer_write(b, s, len+1); 1574 } 1575 } 1576 1577 static char* 1578 unmarshal_str(region_type* r, struct buffer* b) 1579 { 1580 uint8_t nonnull = unmarshal_u8(b); 1581 if(nonnull) { 1582 char* result = region_strdup(r, (char*)buffer_current(b)); 1583 size_t len = strlen((char*)buffer_current(b)); 1584 buffer_skip(b, len+1); 1585 return result; 1586 } else return NULL; 1587 } 1588 1589 static void 1590 marshal_acl(struct buffer* b, struct acl_options* acl) 1591 { 1592 buffer_reserve(b, sizeof(*acl)); 1593 buffer_write(b, acl, sizeof(*acl)); 1594 marshal_str(b, acl->ip_address_spec); 1595 marshal_str(b, acl->key_name); 1596 marshal_str(b, acl->tls_auth_name); 1597 } 1598 1599 static struct acl_options* 1600 unmarshal_acl(region_type* r, struct buffer* b) 1601 { 1602 struct acl_options* acl = (struct acl_options*)region_alloc(r, 1603 sizeof(*acl)); 1604 buffer_read(b, acl, sizeof(*acl)); 1605 acl->next = NULL; 1606 acl->key_options = NULL; 1607 acl->tls_auth_options = NULL; 1608 acl->ip_address_spec = unmarshal_str(r, b); 1609 acl->key_name = unmarshal_str(r, b); 1610 acl->tls_auth_name = unmarshal_str(r, b); 1611 return acl; 1612 } 1613 1614 static void 1615 marshal_acl_list(struct buffer* b, struct acl_options* list) 1616 { 1617 while(list) { 1618 marshal_u8(b, 1); /* is there a next one marker */ 1619 marshal_acl(b, list); 1620 list = list->next; 1621 } 1622 marshal_u8(b, 0); /* end of list marker */ 1623 } 1624 1625 static struct acl_options* 1626 unmarshal_acl_list(region_type* r, struct buffer* b) 1627 { 1628 struct acl_options* a, *last=NULL, *list=NULL; 1629 while(unmarshal_u8(b)) { 1630 a = unmarshal_acl(r, b); 1631 /* link in */ 1632 a->next = NULL; 1633 if(!list) list = a; 1634 else last->next = a; 1635 last = a; 1636 } 1637 return list; 1638 } 1639 1640 static void 1641 marshal_strv(struct buffer* b, char **strv) 1642 { 1643 uint32_t i, n; 1644 1645 assert(b != NULL); 1646 1647 if (strv == NULL) { 1648 marshal_u32(b, 0); 1649 return; 1650 } 1651 for(n = 0; strv[n]; n++) { 1652 /* do nothing */ 1653 } 1654 marshal_u32(b, n); 1655 for(i = 0; strv[i] != NULL; i++) { 1656 marshal_str(b, strv[i]); 1657 } 1658 marshal_u8(b, 0); 1659 } 1660 1661 static char ** 1662 unmarshal_strv(region_type* r, struct buffer* b) 1663 { 1664 uint32_t i, n; 1665 char **strv; 1666 1667 assert(r != NULL); 1668 assert(b != NULL); 1669 1670 if ((n = unmarshal_u32(b)) == 0) { 1671 return NULL; 1672 } 1673 strv = region_alloc_zero(r, (n + 1) * sizeof(char *)); 1674 for(i = 0; i <= n; i++) { 1675 strv[i] = unmarshal_str(r, b); 1676 } 1677 assert(i == (n + 1)); 1678 assert(strv[i - 1] == NULL); 1679 1680 return strv; 1681 } 1682 1683 void 1684 pattern_options_marshal(struct buffer* b, struct pattern_options* p) 1685 { 1686 marshal_str(b, p->pname); 1687 marshal_str(b, p->zonefile); 1688 marshal_str(b, p->zonestats); 1689 #ifdef RATELIMIT 1690 marshal_u16(b, p->rrl_whitelist); 1691 #endif 1692 marshal_u8(b, p->allow_axfr_fallback); 1693 marshal_u8(b, p->allow_axfr_fallback_is_default); 1694 marshal_u8(b, p->notify_retry); 1695 marshal_u8(b, p->notify_retry_is_default); 1696 marshal_u8(b, p->implicit); 1697 marshal_u64(b, p->size_limit_xfr); 1698 marshal_acl_list(b, p->allow_notify); 1699 marshal_acl_list(b, p->request_xfr); 1700 marshal_acl_list(b, p->notify); 1701 marshal_acl_list(b, p->provide_xfr); 1702 marshal_acl_list(b, p->allow_query); 1703 marshal_acl_list(b, p->outgoing_interface); 1704 marshal_u32(b, p->max_refresh_time); 1705 marshal_u8(b, p->max_refresh_time_is_default); 1706 marshal_u32(b, p->min_refresh_time); 1707 marshal_u8(b, p->min_refresh_time_is_default); 1708 marshal_u32(b, p->max_retry_time); 1709 marshal_u8(b, p->max_retry_time_is_default); 1710 marshal_u32(b, p->min_retry_time); 1711 marshal_u8(b, p->min_retry_time_is_default); 1712 marshal_u32(b, p->min_expire_time); 1713 marshal_u8(b, p->min_expire_time_expr); 1714 marshal_u8(b, p->multi_primary_check); 1715 marshal_u8(b, p->store_ixfr); 1716 marshal_u8(b, p->store_ixfr_is_default); 1717 marshal_u64(b, p->ixfr_size); 1718 marshal_u8(b, p->ixfr_size_is_default); 1719 marshal_u32(b, p->ixfr_number); 1720 marshal_u8(b, p->ixfr_number_is_default); 1721 marshal_u8(b, p->create_ixfr); 1722 marshal_u8(b, p->create_ixfr_is_default); 1723 marshal_u8(b, p->verify_zone); 1724 marshal_u8(b, p->verify_zone_is_default); 1725 marshal_strv(b, p->verifier); 1726 marshal_u8(b, p->verifier_feed_zone); 1727 marshal_u8(b, p->verifier_feed_zone_is_default); 1728 marshal_u32(b, p->verifier_timeout); 1729 marshal_u8(b, p->verifier_timeout_is_default); 1730 marshal_u8(b, p->catalog_role); 1731 marshal_u8(b, p->catalog_role_is_default); 1732 marshal_str(b, p->catalog_member_pattern); 1733 marshal_str(b, p->catalog_producer_zone); 1734 } 1735 1736 struct pattern_options* 1737 pattern_options_unmarshal(region_type* r, struct buffer* b) 1738 { 1739 struct pattern_options* p = pattern_options_create(r); 1740 p->pname = unmarshal_str(r, b); 1741 p->zonefile = unmarshal_str(r, b); 1742 p->zonestats = unmarshal_str(r, b); 1743 #ifdef RATELIMIT 1744 p->rrl_whitelist = unmarshal_u16(b); 1745 #endif 1746 p->allow_axfr_fallback = unmarshal_u8(b); 1747 p->allow_axfr_fallback_is_default = unmarshal_u8(b); 1748 p->notify_retry = unmarshal_u8(b); 1749 p->notify_retry_is_default = unmarshal_u8(b); 1750 p->implicit = unmarshal_u8(b); 1751 p->size_limit_xfr = unmarshal_u64(b); 1752 p->allow_notify = unmarshal_acl_list(r, b); 1753 p->request_xfr = unmarshal_acl_list(r, b); 1754 p->notify = unmarshal_acl_list(r, b); 1755 p->provide_xfr = unmarshal_acl_list(r, b); 1756 p->allow_query = unmarshal_acl_list(r, b); 1757 p->outgoing_interface = unmarshal_acl_list(r, b); 1758 p->max_refresh_time = unmarshal_u32(b); 1759 p->max_refresh_time_is_default = unmarshal_u8(b); 1760 p->min_refresh_time = unmarshal_u32(b); 1761 p->min_refresh_time_is_default = unmarshal_u8(b); 1762 p->max_retry_time = unmarshal_u32(b); 1763 p->max_retry_time_is_default = unmarshal_u8(b); 1764 p->min_retry_time = unmarshal_u32(b); 1765 p->min_retry_time_is_default = unmarshal_u8(b); 1766 p->min_expire_time = unmarshal_u32(b); 1767 p->min_expire_time_expr = unmarshal_u8(b); 1768 p->multi_primary_check = unmarshal_u8(b); 1769 p->store_ixfr = unmarshal_u8(b); 1770 p->store_ixfr_is_default = unmarshal_u8(b); 1771 p->ixfr_size = unmarshal_u64(b); 1772 p->ixfr_size_is_default = unmarshal_u8(b); 1773 p->ixfr_number = unmarshal_u32(b); 1774 p->ixfr_number_is_default = unmarshal_u8(b); 1775 p->create_ixfr = unmarshal_u8(b); 1776 p->create_ixfr_is_default = unmarshal_u8(b); 1777 p->verify_zone = unmarshal_u8(b); 1778 p->verify_zone_is_default = unmarshal_u8(b); 1779 p->verifier = unmarshal_strv(r, b); 1780 p->verifier_feed_zone = unmarshal_u8(b); 1781 p->verifier_feed_zone_is_default = unmarshal_u8(b); 1782 p->verifier_timeout = unmarshal_u32(b); 1783 p->verifier_timeout_is_default = unmarshal_u8(b); 1784 p->catalog_role = unmarshal_u8(b); 1785 p->catalog_role_is_default = unmarshal_u8(b); 1786 p->catalog_member_pattern = unmarshal_str(r, b); 1787 p->catalog_producer_zone = unmarshal_str(r, b); 1788 return p; 1789 } 1790 1791 struct key_options* 1792 key_options_create(region_type* region) 1793 { 1794 struct key_options* key; 1795 key = (struct key_options*)region_alloc_zero(region, 1796 sizeof(struct key_options)); 1797 return key; 1798 } 1799 1800 struct tls_auth_options* 1801 tls_auth_options_create(region_type* region) 1802 { 1803 struct tls_auth_options* tls_auth_options; 1804 tls_auth_options = (struct tls_auth_options*)region_alloc_zero(region, sizeof(struct tls_auth_options)); 1805 return tls_auth_options; 1806 } 1807 1808 void 1809 key_options_insert(struct nsd_options* opt, struct key_options* key) 1810 { 1811 if(!key->name) return; 1812 key->node.key = key->name; 1813 (void)rbtree_insert(opt->keys, &key->node); 1814 } 1815 1816 struct key_options* 1817 key_options_find(struct nsd_options* opt, const char* name) 1818 { 1819 return (struct key_options*)rbtree_search(opt->keys, name); 1820 } 1821 1822 void 1823 tls_auth_options_insert(struct nsd_options* opt, struct tls_auth_options* auth) 1824 { 1825 if(!auth->name) return; 1826 auth->node.key = auth->name; 1827 (void)rbtree_insert(opt->tls_auths, &auth->node); 1828 } 1829 1830 struct tls_auth_options* 1831 tls_auth_options_find(struct nsd_options* opt, const char* name) 1832 { 1833 return (struct tls_auth_options*)rbtree_search(opt->tls_auths, name); 1834 } 1835 1836 /** remove tsig_key contents */ 1837 void 1838 key_options_desetup(region_type* region, struct key_options* key) 1839 { 1840 /* keep tsig_key pointer so that existing references keep valid */ 1841 if(!key->tsig_key) 1842 return; 1843 /* name stays the same */ 1844 if(key->tsig_key->data) { 1845 /* wipe secret! */ 1846 memset(key->tsig_key->data, 0xdd, key->tsig_key->size); 1847 region_recycle(region, key->tsig_key->data, 1848 key->tsig_key->size); 1849 key->tsig_key->data = NULL; 1850 key->tsig_key->size = 0; 1851 } 1852 } 1853 1854 /** add tsig_key contents */ 1855 void 1856 key_options_setup(region_type* region, struct key_options* key) 1857 { 1858 uint8_t data[16384]; /* 16KB */ 1859 int size; 1860 if(!key->tsig_key) { 1861 /* create it */ 1862 key->tsig_key = (tsig_key_type *) region_alloc(region, 1863 sizeof(tsig_key_type)); 1864 /* create name */ 1865 key->tsig_key->name = dname_parse(region, key->name); 1866 if(!key->tsig_key->name) { 1867 log_msg(LOG_ERR, "Failed to parse tsig key name %s", 1868 key->name); 1869 /* key and base64 were checked during syntax parse */ 1870 exit(1); 1871 } 1872 key->tsig_key->size = 0; 1873 key->tsig_key->data = NULL; 1874 } 1875 size = b64_pton(key->secret, data, sizeof(data)); 1876 if(size == -1) { 1877 log_msg(LOG_ERR, "Failed to parse tsig key data %s", 1878 key->name); 1879 /* key and base64 were checked during syntax parse */ 1880 exit(1); 1881 } 1882 key->tsig_key->size = size; 1883 key->tsig_key->data = (uint8_t *)region_alloc_init(region, data, size); 1884 } 1885 1886 void 1887 key_options_remove(struct nsd_options* opt, const char* name) 1888 { 1889 struct key_options* k = key_options_find(opt, name); 1890 if(!k) return; 1891 (void)rbtree_delete(opt->keys, name); 1892 if(k->name) 1893 region_recycle(opt->region, k->name, strlen(k->name)+1); 1894 if(k->algorithm) 1895 region_recycle(opt->region, k->algorithm, strlen(k->algorithm)+1); 1896 if(k->secret) { 1897 memset(k->secret, 0xdd, strlen(k->secret)); /* wipe secret! */ 1898 region_recycle(opt->region, k->secret, strlen(k->secret)+1); 1899 } 1900 if(k->tsig_key) { 1901 tsig_del_key(k->tsig_key); 1902 if(k->tsig_key->name) 1903 region_recycle(opt->region, (void*)k->tsig_key->name, 1904 dname_total_size(k->tsig_key->name)); 1905 key_options_desetup(opt->region, k); 1906 region_recycle(opt->region, k->tsig_key, sizeof(tsig_key_type)); 1907 } 1908 region_recycle(opt->region, k, sizeof(struct key_options)); 1909 } 1910 1911 int 1912 key_options_equal(struct key_options* p, struct key_options* q) 1913 { 1914 return strcmp(p->name, q->name)==0 && strcmp(p->algorithm, 1915 q->algorithm)==0 && strcmp(p->secret, q->secret)==0; 1916 } 1917 1918 void 1919 key_options_add_modify(struct nsd_options* opt, struct key_options* key) 1920 { 1921 struct key_options* orig = key_options_find(opt, key->name); 1922 if(!orig) { 1923 /* needs to be copied to opt region */ 1924 orig = key_options_create(opt->region); 1925 orig->name = region_strdup(opt->region, key->name); 1926 orig->algorithm = region_strdup(opt->region, key->algorithm); 1927 orig->secret = region_strdup(opt->region, key->secret); 1928 key_options_setup(opt->region, orig); 1929 tsig_add_key(orig->tsig_key); 1930 key_options_insert(opt, orig); 1931 } else { 1932 /* modify entries in existing key, and copy to opt region */ 1933 key_options_desetup(opt->region, orig); 1934 region_recycle(opt->region, orig->algorithm, 1935 strlen(orig->algorithm)+1); 1936 orig->algorithm = region_strdup(opt->region, key->algorithm); 1937 region_recycle(opt->region, orig->secret, 1938 strlen(orig->secret)+1); 1939 orig->secret = region_strdup(opt->region, key->secret); 1940 key_options_setup(opt->region, orig); 1941 } 1942 } 1943 1944 int 1945 acl_check_incoming_block_proxy(struct acl_options* acl, struct query* q, 1946 struct acl_options** reason) 1947 { 1948 /* check each acl element. 1949 * if it is blocked, return -1. 1950 * return false if no matches for blocked elements. */ 1951 if(reason) 1952 *reason = NULL; 1953 1954 while(acl) 1955 { 1956 DEBUG(DEBUG_XFRD,2, (LOG_INFO, "proxy testing acl %s %s", 1957 acl->ip_address_spec, acl->nokey?"NOKEY": 1958 (acl->blocked?"BLOCKED":acl->key_name))); 1959 if(acl_addr_matches_proxy(acl, q) && acl->blocked) { 1960 if(reason) 1961 *reason = acl; 1962 return -1; 1963 } 1964 acl = acl->next; 1965 } 1966 1967 return 0; 1968 } 1969 1970 int 1971 acl_check_incoming(struct acl_options* acl, struct query* q, 1972 struct acl_options** reason) 1973 { 1974 /* check each acl element. 1975 if 1 blocked element matches - return -1. 1976 if any element matches - return number. 1977 else return -1. */ 1978 int found_match = -1; 1979 int number = 0; 1980 struct acl_options* match = 0; 1981 1982 if(reason) 1983 *reason = NULL; 1984 1985 while(acl) 1986 { 1987 #ifdef HAVE_SSL 1988 DEBUG(DEBUG_XFRD,2, (LOG_INFO, "testing acl %s %s %s", 1989 acl->ip_address_spec, acl->nokey?"NOKEY": 1990 (acl->blocked?"BLOCKED":acl->key_name), 1991 (acl->tls_auth_name && q->tls_auth)?acl->tls_auth_name:"")); 1992 #else 1993 DEBUG(DEBUG_XFRD,2, (LOG_INFO, "testing acl %s %s", 1994 acl->ip_address_spec, acl->nokey?"NOKEY": 1995 (acl->blocked?"BLOCKED":acl->key_name))); 1996 #endif 1997 if(acl_addr_matches(acl, q) && acl_key_matches(acl, q)) { 1998 if(!match) 1999 { 2000 match = acl; /* remember first match */ 2001 found_match=number; 2002 } 2003 if(acl->blocked) { 2004 if(reason) 2005 *reason = acl; 2006 return -1; 2007 } 2008 } 2009 #ifdef HAVE_SSL 2010 /* we are in a acl with tls_auth */ 2011 if (acl->tls_auth_name && q->tls_auth) { 2012 /* we have auth_domain_name in tls_auth */ 2013 if (acl->tls_auth_options && acl->tls_auth_options->auth_domain_name) { 2014 if (!acl_tls_hostname_matches(q->tls_auth, acl->tls_auth_options->auth_domain_name)) { 2015 VERBOSITY(3, (LOG_WARNING, 2016 "client cert does not match %s %s", 2017 acl->tls_auth_name, acl->tls_auth_options->auth_domain_name)); 2018 q->cert_cn = NULL; 2019 return -1; 2020 } 2021 VERBOSITY(5, (LOG_INFO, "%s %s verified", 2022 acl->tls_auth_name, acl->tls_auth_options->auth_domain_name)); 2023 q->cert_cn = acl->tls_auth_options->auth_domain_name; 2024 } else { 2025 /* nsd gives error on start for this, but check just in case */ 2026 log_msg(LOG_ERR, "auth-domain-name not defined in %s", acl->tls_auth_name); 2027 } 2028 } 2029 #endif 2030 number++; 2031 acl = acl->next; 2032 } 2033 2034 if(reason) 2035 *reason = match; 2036 return found_match; 2037 } 2038 2039 #ifdef INET6 2040 int 2041 acl_addr_matches_ipv6host(struct acl_options* acl, struct sockaddr_storage* addr_storage, unsigned int port) 2042 { 2043 struct sockaddr_in6* addr = (struct sockaddr_in6*)addr_storage; 2044 if(acl->port != 0 && acl->port != port) 2045 return 0; 2046 switch(acl->rangetype) { 2047 case acl_range_mask: 2048 case acl_range_subnet: 2049 if(!acl_addr_match_mask((uint32_t*)&acl->addr.addr6, (uint32_t*)&addr->sin6_addr, 2050 (uint32_t*)&acl->range_mask.addr6, sizeof(struct in6_addr))) 2051 return 0; 2052 break; 2053 case acl_range_minmax: 2054 if(!acl_addr_match_range_v6((uint32_t*)&acl->addr.addr6, (uint32_t*)&addr->sin6_addr, 2055 (uint32_t*)&acl->range_mask.addr6, sizeof(struct in6_addr))) 2056 return 0; 2057 break; 2058 case acl_range_single: 2059 default: 2060 if(memcmp(&addr->sin6_addr, &acl->addr.addr6, 2061 sizeof(struct in6_addr)) != 0) 2062 return 0; 2063 break; 2064 } 2065 return 1; 2066 } 2067 #endif 2068 2069 int 2070 acl_addr_matches_ipv4host(struct acl_options* acl, struct sockaddr_in* addr, unsigned int port) 2071 { 2072 if(acl->port != 0 && acl->port != port) 2073 return 0; 2074 switch(acl->rangetype) { 2075 case acl_range_mask: 2076 case acl_range_subnet: 2077 if(!acl_addr_match_mask((uint32_t*)&acl->addr.addr, (uint32_t*)&addr->sin_addr, 2078 (uint32_t*)&acl->range_mask.addr, sizeof(struct in_addr))) 2079 return 0; 2080 break; 2081 case acl_range_minmax: 2082 if(!acl_addr_match_range_v4((uint32_t*)&acl->addr.addr, (uint32_t*)&addr->sin_addr, 2083 (uint32_t*)&acl->range_mask.addr, sizeof(struct in_addr))) 2084 return 0; 2085 break; 2086 case acl_range_single: 2087 default: 2088 if(memcmp(&addr->sin_addr, &acl->addr.addr, 2089 sizeof(struct in_addr)) != 0) 2090 return 0; 2091 break; 2092 } 2093 return 1; 2094 } 2095 2096 int 2097 acl_addr_matches_host(struct acl_options* acl, struct acl_options* host) 2098 { 2099 if(acl->is_ipv6) 2100 { 2101 #ifdef INET6 2102 struct sockaddr_storage* addr = (struct sockaddr_storage*)&host->addr; 2103 if(!host->is_ipv6) return 0; 2104 return acl_addr_matches_ipv6host(acl, addr, host->port); 2105 #else 2106 return 0; /* no inet6, no match */ 2107 #endif 2108 } 2109 else 2110 { 2111 struct sockaddr_in* addr = (struct sockaddr_in*)&host->addr; 2112 if(host->is_ipv6) return 0; 2113 return acl_addr_matches_ipv4host(acl, addr, host->port); 2114 } 2115 /* ENOTREACH */ 2116 return 0; 2117 } 2118 2119 int 2120 acl_addr_matches(struct acl_options* acl, struct query* q) 2121 { 2122 if(acl->is_ipv6) 2123 { 2124 #ifdef INET6 2125 struct sockaddr_storage* addr = (struct sockaddr_storage*)&q->client_addr; 2126 if(addr->ss_family != AF_INET6) 2127 return 0; 2128 return acl_addr_matches_ipv6host(acl, addr, ntohs(((struct sockaddr_in6*)addr)->sin6_port)); 2129 #else 2130 return 0; /* no inet6, no match */ 2131 #endif 2132 } 2133 else 2134 { 2135 struct sockaddr_in* addr = (struct sockaddr_in*)&q->client_addr; 2136 if(addr->sin_family != AF_INET) 2137 return 0; 2138 return acl_addr_matches_ipv4host(acl, addr, ntohs(addr->sin_port)); 2139 } 2140 /* ENOTREACH */ 2141 return 0; 2142 } 2143 2144 int 2145 acl_addr_matches_proxy(struct acl_options* acl, struct query* q) 2146 { 2147 if(acl->is_ipv6) 2148 { 2149 #ifdef INET6 2150 struct sockaddr_storage* addr = (struct sockaddr_storage*)&q->remote_addr; 2151 if(addr->ss_family != AF_INET6) 2152 return 0; 2153 return acl_addr_matches_ipv6host(acl, addr, ntohs(((struct sockaddr_in6*)addr)->sin6_port)); 2154 #else 2155 return 0; /* no inet6, no match */ 2156 #endif 2157 } 2158 else 2159 { 2160 struct sockaddr_in* addr = (struct sockaddr_in*)&q->remote_addr; 2161 if(addr->sin_family != AF_INET) 2162 return 0; 2163 return acl_addr_matches_ipv4host(acl, addr, ntohs(addr->sin_port)); 2164 } 2165 /* ENOTREACH */ 2166 return 0; 2167 } 2168 2169 int 2170 acl_addr_match_mask(uint32_t* a, uint32_t* b, uint32_t* mask, size_t sz) 2171 { 2172 size_t i; 2173 #ifndef NDEBUG 2174 assert(sz % 4 == 0); 2175 #endif 2176 sz /= 4; 2177 for(i=0; i<sz; ++i) 2178 { 2179 if(((*a++)&*mask) != ((*b++)&*mask)) 2180 return 0; 2181 ++mask; 2182 } 2183 return 1; 2184 } 2185 2186 int 2187 acl_addr_match_range_v4(uint32_t* minval, uint32_t* x, uint32_t* maxval, size_t sz) 2188 { 2189 assert(sz == 4); (void)sz; 2190 /* check treats x as one huge number */ 2191 2192 /* if outside bounds, we are done */ 2193 if(*minval > *x) 2194 return 0; 2195 if(*maxval < *x) 2196 return 0; 2197 2198 return 1; 2199 } 2200 2201 #ifdef INET6 2202 int 2203 acl_addr_match_range_v6(uint32_t* minval, uint32_t* x, uint32_t* maxval, size_t sz) 2204 { 2205 size_t i; 2206 uint8_t checkmin = 1, checkmax = 1; 2207 #ifndef NDEBUG 2208 assert(sz % 4 == 0); 2209 #endif 2210 /* check treats x as one huge number */ 2211 sz /= 4; 2212 for(i=0; i<sz; ++i) 2213 { 2214 /* if outside bounds, we are done */ 2215 if(checkmin) 2216 if(minval[i] > x[i]) 2217 return 0; 2218 if(checkmax) 2219 if(maxval[i] < x[i]) 2220 return 0; 2221 /* if x is equal to a bound, that bound needs further checks */ 2222 if(checkmin && minval[i]!=x[i]) 2223 checkmin = 0; 2224 if(checkmax && maxval[i]!=x[i]) 2225 checkmax = 0; 2226 if(!checkmin && !checkmax) 2227 return 1; /* will always match */ 2228 } 2229 return 1; 2230 } 2231 #endif /* INET6 */ 2232 2233 #ifdef HAVE_SSL 2234 /* Code in for matches_subject_alternative_name and matches_common_name 2235 * functions is from https://wiki.openssl.org/index.php/Hostname_validation 2236 * with modifications. 2237 * 2238 * Obtained from: https://github.com/iSECPartners/ssl-conservatory 2239 * Copyright (C) 2012, iSEC Partners. 2240 * License: MIT License 2241 * Author: Alban Diquet 2242 */ 2243 static int matches_subject_alternative_name( 2244 const char *acl_cert_cn, size_t acl_cert_cn_len, const X509 *cert) 2245 { 2246 int result = 0; 2247 int san_names_nb = -1; 2248 STACK_OF(GENERAL_NAME) *san_names = NULL; 2249 2250 /* Try to extract the names within the SAN extension from the certificate */ 2251 san_names = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL); 2252 if (san_names == NULL) 2253 return 0; 2254 2255 san_names_nb = sk_GENERAL_NAME_num(san_names); 2256 2257 /* Check each name within the extension */ 2258 for (int i = 0; i < san_names_nb && !result; i++) { 2259 int len; 2260 const char *str; 2261 const GENERAL_NAME *current_name = sk_GENERAL_NAME_value(san_names, i); 2262 /* Skip non-DNS SAN entries. */ 2263 if (current_name->type != GEN_DNS) 2264 continue; 2265 #if HAVE_ASN1_STRING_GET0_DATA 2266 str = (const char *)ASN1_STRING_get0_data(current_name->d.dNSName); 2267 #else 2268 str = (const char *)ASN1_STRING_data(current_name->d.dNSName); 2269 #endif 2270 if (str == NULL) 2271 continue; 2272 len = ASN1_STRING_length(current_name->d.dNSName); 2273 if (acl_cert_cn_len == (size_t)len && 2274 strncasecmp(str, acl_cert_cn, len) == 0) 2275 { 2276 result = 1; 2277 } else { 2278 /* Make sure there isn't an embedded NUL character in the DNS name */ 2279 /* From the man page: In general it cannot be assumed that the data 2280 * returned by ASN1_STRING_data() is null terminated or does not 2281 * contain embedded nulls. */ 2282 int pos = 0; 2283 while (pos < len && str[pos] != 0) 2284 pos++; 2285 if (pos == len) { 2286 DEBUG(DEBUG_XFRD, 2, (LOG_INFO, 2287 "SAN %*s does not match acl for %s", len, str, acl_cert_cn)); 2288 } else { 2289 DEBUG(DEBUG_XFRD, 2, (LOG_INFO, "Malformed SAN in certificate")); 2290 break; 2291 } 2292 } 2293 } 2294 sk_GENERAL_NAME_pop_free(san_names, GENERAL_NAME_free); 2295 2296 return result; 2297 } 2298 2299 static int matches_common_name( 2300 const char *acl_cert_cn, size_t acl_cert_cn_len, const X509 *cert) 2301 { 2302 int len; 2303 int common_name_loc = -1; 2304 const char *common_name_str = NULL; 2305 X509_NAME *subject_name = NULL; 2306 X509_NAME_ENTRY *common_name_entry = NULL; 2307 ASN1_STRING *common_name_asn1 = NULL; 2308 2309 if ((subject_name = X509_get_subject_name(cert)) == NULL) 2310 return 0; 2311 2312 /* Find the position of the CN field in the Subject field of the certificate */ 2313 common_name_loc = X509_NAME_get_index_by_NID(subject_name, NID_commonName, -1); 2314 if (common_name_loc < 0) 2315 return 0; 2316 2317 /* Extract the CN field */ 2318 common_name_entry = X509_NAME_get_entry(subject_name, common_name_loc); 2319 if (common_name_entry == NULL) 2320 return 0; 2321 2322 /* Convert the CN field to a C string */ 2323 common_name_asn1 = X509_NAME_ENTRY_get_data(common_name_entry); 2324 if (common_name_asn1 == NULL) 2325 return 0; 2326 2327 #if HAVE_ASN1_STRING_GET0_DATA 2328 common_name_str = (const char *)ASN1_STRING_get0_data(common_name_asn1); 2329 #else 2330 common_name_str = (const char *)ASN1_STRING_data(common_name_asn1); 2331 #endif 2332 2333 len = ASN1_STRING_length(common_name_asn1); 2334 if (acl_cert_cn_len == (size_t)len && 2335 strncasecmp(acl_cert_cn, common_name_str, len) == 0) 2336 { 2337 return 1; 2338 } else { 2339 /* Make sure there isn't an embedded NUL character in the CN */ 2340 int pos = 0; 2341 while (pos < len && common_name_str[pos] != 0) 2342 pos++; 2343 if (pos == len) { 2344 DEBUG(DEBUG_XFRD, 2, (LOG_INFO, 2345 "CN %*s does not match acl for %s", len, common_name_str, acl_cert_cn)); 2346 } else { 2347 DEBUG(DEBUG_XFRD, 2, (LOG_INFO, "Malformed CN in certificate")); 2348 } 2349 } 2350 2351 return 0; 2352 } 2353 2354 int 2355 acl_tls_hostname_matches(SSL* tls_auth, const char *acl_cert_cn) 2356 { 2357 int result = 0; 2358 size_t acl_cert_cn_len; 2359 X509 *client_cert; 2360 2361 assert(acl_cert_cn != NULL); 2362 2363 #ifdef HAVE_SSL_GET1_PEER_CERTIFICATE 2364 client_cert = SSL_get1_peer_certificate(tls_auth); 2365 #else 2366 client_cert = SSL_get_peer_certificate(tls_auth); 2367 #endif 2368 2369 if (client_cert == NULL) 2370 return 0; 2371 2372 /* OpenSSL provides functions for hostname checking from certificate 2373 * Following code should work but it doesn't. 2374 * Keep it for future test in order to not use custom code 2375 * 2376 * X509_VERIFY_PARAM *vpm = SSL_get0_param(tls_auth); 2377 * Hostname check is done here: 2378 * X509_VERIFY_PARAM_set1_host(vpm, acl_cert_cn, 0); // recommended 2379 * X509_check_host() // can also be used instead. Not recommended DANE-EE 2380 * SSL_get_verify_result(tls_auth) != X509_V_OK) // NOT ok 2381 * const char *peername = X509_VERIFY_PARAM_get0_peername(vpm); // NOT ok 2382 */ 2383 2384 acl_cert_cn_len = strlen(acl_cert_cn); 2385 /* semi follow RFC6125#section-6.4.4 check SAN DNS first */ 2386 if (!(result = matches_subject_alternative_name(acl_cert_cn, acl_cert_cn_len, client_cert))) 2387 result = matches_common_name(acl_cert_cn, acl_cert_cn_len, client_cert); 2388 2389 X509_free(client_cert); 2390 2391 return result; 2392 } 2393 #endif 2394 2395 int 2396 acl_key_matches(struct acl_options* acl, struct query* q) 2397 { 2398 if(acl->blocked) 2399 return 1; 2400 if(acl->nokey) { 2401 if(q->tsig.status == TSIG_NOT_PRESENT) 2402 return 1; 2403 return 0; 2404 } 2405 /* check name of tsig key */ 2406 if(q->tsig.status != TSIG_OK) { 2407 DEBUG(DEBUG_XFRD,2, (LOG_INFO, "keymatch fail query has no TSIG")); 2408 return 0; /* query has no TSIG */ 2409 } 2410 if(q->tsig.error_code != TSIG_ERROR_NOERROR) { 2411 DEBUG(DEBUG_XFRD,2, (LOG_INFO, "keymatch fail, tsig has error")); 2412 return 0; /* some tsig error */ 2413 } 2414 if(!acl->key_options->tsig_key) { 2415 DEBUG(DEBUG_XFRD,2, (LOG_INFO, "keymatch fail no config")); 2416 return 0; /* key not properly configured */ 2417 } 2418 if(dname_compare(q->tsig.key_name, 2419 acl->key_options->tsig_key->name) != 0) { 2420 DEBUG(DEBUG_XFRD,2, (LOG_INFO, "keymatch fail wrong key name")); 2421 return 0; /* wrong key name */ 2422 } 2423 if(tsig_strlowercmp(q->tsig.algorithm->short_name, 2424 acl->key_options->algorithm) != 0 && ( 2425 strncmp("hmac-", q->tsig.algorithm->short_name, 5) != 0 || 2426 tsig_strlowercmp(q->tsig.algorithm->short_name+5, 2427 acl->key_options->algorithm) != 0) ) { 2428 DEBUG(DEBUG_XFRD,2, (LOG_ERR, "query tsig wrong algorithm")); 2429 return 0; /* no such algo */ 2430 } 2431 return 1; 2432 } 2433 2434 int 2435 acl_same_host(struct acl_options* a, struct acl_options* b) 2436 { 2437 if(a->is_ipv6 && !b->is_ipv6) 2438 return 0; 2439 if(!a->is_ipv6 && b->is_ipv6) 2440 return 0; 2441 if(a->port != b->port) 2442 return 0; 2443 if(a->rangetype != b->rangetype) 2444 return 0; 2445 if(!a->is_ipv6) { 2446 if(memcmp(&a->addr.addr, &b->addr.addr, 2447 sizeof(struct in_addr)) != 0) 2448 return 0; 2449 if(a->rangetype != acl_range_single && 2450 memcmp(&a->range_mask.addr, &b->range_mask.addr, 2451 sizeof(struct in_addr)) != 0) 2452 return 0; 2453 } else { 2454 #ifdef INET6 2455 if(memcmp(&a->addr.addr6, &b->addr.addr6, 2456 sizeof(struct in6_addr)) != 0) 2457 return 0; 2458 if(a->rangetype != acl_range_single && 2459 memcmp(&a->range_mask.addr6, &b->range_mask.addr6, 2460 sizeof(struct in6_addr)) != 0) 2461 return 0; 2462 #else 2463 return 0; 2464 #endif 2465 } 2466 return 1; 2467 } 2468 2469 #if defined(HAVE_SSL) 2470 void 2471 key_options_tsig_add(struct nsd_options* opt) 2472 { 2473 struct key_options* optkey; 2474 RBTREE_FOR(optkey, struct key_options*, opt->keys) { 2475 key_options_setup(opt->region, optkey); 2476 tsig_add_key(optkey->tsig_key); 2477 } 2478 } 2479 #endif 2480 2481 int 2482 zone_is_slave(struct zone_options* opt) 2483 { 2484 return opt && opt->pattern && opt->pattern->request_xfr != 0; 2485 } 2486 2487 /* get a character in string (or replacement char if not long enough) */ 2488 static const char* 2489 get_char(const char* str, size_t i) 2490 { 2491 static char res[2]; 2492 if(i >= strlen(str)) 2493 return "."; 2494 res[0] = str[i]; 2495 res[1] = 0; 2496 return res; 2497 } 2498 /* get end label of the zone name (or .) */ 2499 static const char* 2500 get_end_label(struct zone_options* zone, int i) 2501 { 2502 const dname_type* d = (const dname_type*)zone->node.key; 2503 if(i >= d->label_count) { 2504 return "."; 2505 } 2506 return wirelabel2str(dname_label(d, i)); 2507 } 2508 /* replace occurrences of one with two */ 2509 void 2510 replace_str(char* str, size_t len, const char* one, const char* two) 2511 { 2512 char* pos; 2513 char* at = str; 2514 while( (pos=strstr(at, one)) ) { 2515 if(strlen(str)+strlen(two)-strlen(one) >= len) 2516 return; /* no more space to replace */ 2517 /* stuff before pos is fine */ 2518 /* move the stuff after pos to make space for two, add 2519 * one to length of remainder to also copy the 0 byte end */ 2520 memmove(pos+strlen(two), pos+strlen(one), 2521 strlen(pos+strlen(one))+1); 2522 /* copy in two */ 2523 memmove(pos, two, strlen(two)); 2524 /* at is end of the newly inserted two (avoids recursion if 2525 * two contains one) */ 2526 at = pos+strlen(two); 2527 } 2528 } 2529 2530 const char* 2531 config_cook_string(struct zone_options* zone, const char* input) 2532 { 2533 static char f[1024]; 2534 /* if not a template, return as-is */ 2535 if(!strchr(input, '%')) { 2536 return input; 2537 } 2538 strlcpy(f, input, sizeof(f)); 2539 if(strstr(f, "%1")) 2540 replace_str(f, sizeof(f), "%1", get_char(zone->name, 0)); 2541 if(strstr(f, "%2")) 2542 replace_str(f, sizeof(f), "%2", get_char(zone->name, 1)); 2543 if(strstr(f, "%3")) 2544 replace_str(f, sizeof(f), "%3", get_char(zone->name, 2)); 2545 if(strstr(f, "%z")) 2546 replace_str(f, sizeof(f), "%z", get_end_label(zone, 1)); 2547 if(strstr(f, "%y")) 2548 replace_str(f, sizeof(f), "%y", get_end_label(zone, 2)); 2549 if(strstr(f, "%x")) 2550 replace_str(f, sizeof(f), "%x", get_end_label(zone, 3)); 2551 if(strstr(f, "%s")) 2552 replace_str(f, sizeof(f), "%s", zone->name); 2553 return f; 2554 } 2555 2556 const char* 2557 config_make_zonefile(struct zone_options* zone, struct nsd* nsd) 2558 { 2559 static char f[1024]; 2560 /* if not a template, return as-is */ 2561 if(!strchr(zone->pattern->zonefile, '%')) { 2562 if (nsd->chrootdir && nsd->chrootdir[0] && 2563 zone->pattern->zonefile && 2564 zone->pattern->zonefile[0] == '/' && 2565 strncmp(zone->pattern->zonefile, nsd->chrootdir, 2566 strlen(nsd->chrootdir)) == 0) 2567 /* -1 because chrootdir ends in trailing slash */ 2568 return zone->pattern->zonefile + strlen(nsd->chrootdir) - 1; 2569 return zone->pattern->zonefile; 2570 } 2571 strlcpy(f, zone->pattern->zonefile, sizeof(f)); 2572 if(strstr(f, "%1")) 2573 replace_str(f, sizeof(f), "%1", get_char(zone->name, 0)); 2574 if(strstr(f, "%2")) 2575 replace_str(f, sizeof(f), "%2", get_char(zone->name, 1)); 2576 if(strstr(f, "%3")) 2577 replace_str(f, sizeof(f), "%3", get_char(zone->name, 2)); 2578 if(strstr(f, "%z")) 2579 replace_str(f, sizeof(f), "%z", get_end_label(zone, 1)); 2580 if(strstr(f, "%y")) 2581 replace_str(f, sizeof(f), "%y", get_end_label(zone, 2)); 2582 if(strstr(f, "%x")) 2583 replace_str(f, sizeof(f), "%x", get_end_label(zone, 3)); 2584 if(strstr(f, "%s")) 2585 replace_str(f, sizeof(f), "%s", zone->name); 2586 if (nsd->chrootdir && nsd->chrootdir[0] && f[0] == '/' && 2587 strncmp(f, nsd->chrootdir, strlen(nsd->chrootdir)) == 0) 2588 /* -1 because chrootdir ends in trailing slash */ 2589 return f + strlen(nsd->chrootdir) - 1; 2590 return f; 2591 } 2592 2593 struct zone_options* 2594 zone_options_find(struct nsd_options* opt, const struct dname* apex) 2595 { 2596 return (struct zone_options*) rbtree_search(opt->zone_options, apex); 2597 } 2598 2599 struct acl_options* 2600 acl_find_num(struct acl_options* acl, int num) 2601 { 2602 int count = num; 2603 if(num < 0) 2604 return 0; 2605 while(acl && count > 0) { 2606 acl = acl->next; 2607 count--; 2608 } 2609 if(count == 0) 2610 return acl; 2611 return 0; 2612 } 2613 2614 /* true if ipv6 address, false if ipv4 */ 2615 int 2616 parse_acl_is_ipv6(const char* p) 2617 { 2618 /* see if addr is ipv6 or ipv4 -- by : and . */ 2619 while(*p) { 2620 if(*p == '.') return 0; 2621 if(*p == ':') return 1; 2622 ++p; 2623 } 2624 return 0; 2625 } 2626 2627 /* returns range type. mask is the 2nd part of the range */ 2628 int 2629 parse_acl_range_type(char* ip, char** mask) 2630 { 2631 char *p; 2632 if((p=strchr(ip, '&'))!=0) { 2633 *p = 0; 2634 *mask = p+1; 2635 return acl_range_mask; 2636 } 2637 if((p=strchr(ip, '/'))!=0) { 2638 *p = 0; 2639 *mask = p+1; 2640 return acl_range_subnet; 2641 } 2642 if((p=strchr(ip, '-'))!=0) { 2643 *p = 0; 2644 *mask = p+1; 2645 return acl_range_minmax; 2646 } 2647 *mask = 0; 2648 return acl_range_single; 2649 } 2650 2651 /* parses subnet mask, fills 0 mask as well */ 2652 void 2653 parse_acl_range_subnet(char* p, void* addr, int maxbits) 2654 { 2655 int subnet_bits = atoi(p); 2656 uint8_t* addr_bytes = (uint8_t*)addr; 2657 if(subnet_bits == 0 && strcmp(p, "0")!=0) { 2658 c_error("bad subnet range '%s'", p); 2659 return; 2660 } 2661 if(subnet_bits < 0 || subnet_bits > maxbits) { 2662 c_error("subnet of %d bits out of range [0..%d]", subnet_bits, maxbits); 2663 return; 2664 } 2665 /* fill addr with n bits of 1s (struct has been zeroed) */ 2666 while(subnet_bits >= 8) { 2667 *addr_bytes++ = 0xff; 2668 subnet_bits -= 8; 2669 } 2670 if(subnet_bits > 0) { 2671 uint8_t shifts[] = {0x0, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe, 0xff}; 2672 *addr_bytes = shifts[subnet_bits]; 2673 } 2674 } 2675 2676 struct acl_options* 2677 parse_acl_info(region_type* region, char* ip, const char* key) 2678 { 2679 char* p; 2680 struct acl_options* acl = (struct acl_options*)region_alloc(region, 2681 sizeof(struct acl_options)); 2682 acl->next = 0; 2683 /* ip */ 2684 acl->ip_address_spec = region_strdup(region, ip); 2685 acl->use_axfr_only = 0; 2686 acl->allow_udp = 0; 2687 acl->ixfr_disabled = 0; 2688 acl->bad_xfr_count = 0; 2689 acl->key_options = 0; 2690 acl->tls_auth_options = 0; 2691 acl->tls_auth_name = 0; 2692 acl->is_ipv6 = 0; 2693 acl->port = 0; 2694 memset(&acl->addr, 0, sizeof(union acl_addr_storage)); 2695 memset(&acl->range_mask, 0, sizeof(union acl_addr_storage)); 2696 if((p=strrchr(ip, '@'))!=0) { 2697 if(atoi(p+1) == 0) c_error("expected port number after '@'"); 2698 else acl->port = atoi(p+1); 2699 *p=0; 2700 } 2701 acl->rangetype = parse_acl_range_type(ip, &p); 2702 if(parse_acl_is_ipv6(ip)) { 2703 acl->is_ipv6 = 1; 2704 #ifdef INET6 2705 if(inet_pton(AF_INET6, ip, &acl->addr.addr6) != 1) 2706 c_error("Bad ip6 address '%s'", ip); 2707 if(acl->rangetype==acl_range_mask || acl->rangetype==acl_range_minmax) { 2708 assert(p); 2709 if(inet_pton(AF_INET6, p, &acl->range_mask.addr6) != 1) 2710 c_error("Bad ip6 address mask '%s'", p); 2711 } 2712 if(acl->rangetype==acl_range_subnet) { 2713 assert(p); 2714 parse_acl_range_subnet(p, &acl->range_mask.addr6, 128); 2715 } 2716 #else 2717 c_error("encountered IPv6 address '%s'.", ip); 2718 #endif /* INET6 */ 2719 } else { 2720 acl->is_ipv6 = 0; 2721 if(inet_pton(AF_INET, ip, &acl->addr.addr) != 1) 2722 c_error("Bad ip4 address '%s'", ip); 2723 if(acl->rangetype==acl_range_mask || acl->rangetype==acl_range_minmax) { 2724 assert(p); 2725 if(inet_pton(AF_INET, p, &acl->range_mask.addr) != 1) 2726 c_error("Bad ip4 address mask '%s'", p); 2727 } 2728 if(acl->rangetype==acl_range_subnet) { 2729 assert(p); 2730 parse_acl_range_subnet(p, &acl->range_mask.addr, 32); 2731 } 2732 } 2733 2734 /* key */ 2735 if(strcmp(key, "NOKEY")==0) { 2736 acl->nokey = 1; 2737 acl->blocked = 0; 2738 acl->key_name = 0; 2739 } else if(strcmp(key, "BLOCKED")==0) { 2740 acl->nokey = 0; 2741 acl->blocked = 1; 2742 acl->key_name = 0; 2743 } else { 2744 acl->nokey = 0; 2745 acl->blocked = 0; 2746 acl->key_name = region_strdup(region, key); 2747 } 2748 return acl; 2749 } 2750 2751 /* copy acl list at end of parser start, update current */ 2752 static 2753 void copy_and_append_acls(struct acl_options** start, struct acl_options* list) 2754 { 2755 struct acl_options *tail = NULL; 2756 2757 assert(start != NULL); 2758 2759 tail = *start; 2760 if(tail) { 2761 while(tail->next) { 2762 tail = tail->next; 2763 } 2764 } 2765 2766 while(list) { 2767 struct acl_options* acl = copy_acl(cfg_parser->opt->region, 2768 list); 2769 acl->next = NULL; 2770 if(tail) { 2771 tail->next = acl; 2772 } else { 2773 *start = acl; 2774 } 2775 tail = acl; 2776 list = list->next; 2777 } 2778 } 2779 2780 void 2781 config_apply_pattern(struct pattern_options *dest, const char* name) 2782 { 2783 /* find the pattern */ 2784 struct pattern_options* pat = pattern_options_find(cfg_parser->opt, 2785 name); 2786 if(!pat) { 2787 c_error("could not find pattern %s", name); 2788 return; 2789 } 2790 if( (!dest->pname || strncmp(dest->pname, PATTERN_IMPLICIT_MARKER, 2791 strlen(PATTERN_IMPLICIT_MARKER)) == 0) 2792 && pat->catalog_producer_zone) { 2793 c_error("patterns with an catalog-producer-zone option are to " 2794 "be used with \"nsd-control addzone\" only and cannot " 2795 "be included from zone clauses in the config file"); 2796 return; 2797 } 2798 if((dest->catalog_role == CATALOG_ROLE_PRODUCER && pat->request_xfr) 2799 || ( pat->catalog_role == CATALOG_ROLE_PRODUCER && dest->request_xfr)){ 2800 c_error("catalog producer zones cannot be secondary zones"); 2801 } 2802 2803 /* apply settings */ 2804 if(pat->zonefile) 2805 dest->zonefile = region_strdup(cfg_parser->opt->region, 2806 pat->zonefile); 2807 if(pat->zonestats) 2808 dest->zonestats = region_strdup(cfg_parser->opt->region, 2809 pat->zonestats); 2810 if(!pat->allow_axfr_fallback_is_default) { 2811 dest->allow_axfr_fallback = pat->allow_axfr_fallback; 2812 dest->allow_axfr_fallback_is_default = 0; 2813 } 2814 if(!pat->notify_retry_is_default) { 2815 dest->notify_retry = pat->notify_retry; 2816 dest->notify_retry_is_default = 0; 2817 } 2818 if(!pat->max_refresh_time_is_default) { 2819 dest->max_refresh_time = pat->max_refresh_time; 2820 dest->max_refresh_time_is_default = 0; 2821 } 2822 if(!pat->min_refresh_time_is_default) { 2823 dest->min_refresh_time = pat->min_refresh_time; 2824 dest->min_refresh_time_is_default = 0; 2825 } 2826 if(!pat->max_retry_time_is_default) { 2827 dest->max_retry_time = pat->max_retry_time; 2828 dest->max_retry_time_is_default = 0; 2829 } 2830 if(!pat->min_retry_time_is_default) { 2831 dest->min_retry_time = pat->min_retry_time; 2832 dest->min_retry_time_is_default = 0; 2833 } 2834 if(!expire_time_is_default(pat->min_expire_time_expr)) { 2835 dest->min_expire_time = pat->min_expire_time; 2836 dest->min_expire_time_expr = pat->min_expire_time_expr; 2837 } 2838 if(!pat->store_ixfr_is_default) { 2839 dest->store_ixfr = pat->store_ixfr; 2840 dest->store_ixfr_is_default = 0; 2841 } 2842 if(!pat->ixfr_size_is_default) { 2843 dest->ixfr_size = pat->ixfr_size; 2844 dest->ixfr_size_is_default = 0; 2845 } 2846 if(!pat->ixfr_number_is_default) { 2847 dest->ixfr_number = pat->ixfr_number; 2848 dest->ixfr_number_is_default = 0; 2849 } 2850 if(!pat->create_ixfr_is_default) { 2851 dest->create_ixfr = pat->create_ixfr; 2852 dest->create_ixfr_is_default = 0; 2853 } 2854 dest->size_limit_xfr = pat->size_limit_xfr; 2855 #ifdef RATELIMIT 2856 dest->rrl_whitelist |= pat->rrl_whitelist; 2857 #endif 2858 /* append acl items */ 2859 copy_and_append_acls(&dest->allow_notify, pat->allow_notify); 2860 copy_and_append_acls(&dest->request_xfr, pat->request_xfr); 2861 copy_and_append_acls(&dest->notify, pat->notify); 2862 copy_and_append_acls(&dest->provide_xfr, pat->provide_xfr); 2863 copy_and_append_acls(&dest->allow_query, pat->allow_query); 2864 copy_and_append_acls(&dest->outgoing_interface, pat->outgoing_interface); 2865 if(pat->multi_primary_check) 2866 dest->multi_primary_check = pat->multi_primary_check; 2867 2868 if(!pat->verify_zone_is_default) { 2869 dest->verify_zone = pat->verify_zone; 2870 dest->verify_zone_is_default = 0; 2871 } 2872 if(!pat->verifier_timeout_is_default) { 2873 dest->verifier_timeout = pat->verifier_timeout; 2874 dest->verifier_timeout_is_default = 0; 2875 } 2876 if(!pat->verifier_feed_zone_is_default) { 2877 dest->verifier_feed_zone = pat->verifier_feed_zone; 2878 dest->verifier_feed_zone_is_default = 0; 2879 } 2880 if(pat->verifier != NULL) { 2881 size_t cnt; 2882 char **vec; 2883 region_type *region = cfg_parser->opt->region; 2884 2885 for(cnt = 0; pat->verifier[cnt] != NULL; cnt++) ; 2886 vec = region_alloc(region, (cnt + 1) * sizeof(char *)); 2887 for(cnt = 0; pat->verifier[cnt] != NULL; cnt++) { 2888 vec[cnt] = region_strdup(region, pat->verifier[cnt]); 2889 } 2890 vec[cnt] = NULL; 2891 if(dest->verifier != NULL) { 2892 size_t size; 2893 for(cnt = 0; dest->verifier[cnt] != NULL; cnt++) { 2894 size = strlen(dest->verifier[cnt]) + 1; 2895 region_recycle( 2896 region, dest->verifier[cnt], size); 2897 } 2898 size = (cnt + 1) * sizeof(char *); 2899 region_recycle(region, dest->verifier, size); 2900 } 2901 dest->verifier = vec; 2902 } 2903 if(!pat->catalog_role_is_default) { 2904 dest->catalog_role = pat->catalog_role; 2905 dest->catalog_role_is_default = 0; 2906 } 2907 if(pat->catalog_member_pattern) 2908 dest->catalog_member_pattern = region_strdup( 2909 cfg_parser->opt->region, pat->catalog_member_pattern); 2910 if(pat->catalog_producer_zone) 2911 dest->catalog_producer_zone = region_strdup( 2912 cfg_parser->opt->region, pat->catalog_producer_zone); 2913 } 2914 2915 void 2916 nsd_options_destroy(struct nsd_options* opt) 2917 { 2918 region_destroy(opt->region); 2919 #ifdef MEMCLEAN /* OS collects memory pages */ 2920 c_lex_destroy(); 2921 #endif 2922 } 2923 2924 unsigned getzonestatid(struct nsd_options* opt, struct zone_options* zopt) 2925 { 2926 #ifdef USE_ZONE_STATS 2927 const char* statname; 2928 struct zonestatname* n; 2929 rbnode_type* res; 2930 /* try to find the instantiated zonestat name */ 2931 if(!zopt->pattern->zonestats || zopt->pattern->zonestats[0]==0) 2932 return 0; /* no zone stats */ 2933 statname = config_cook_string(zopt, zopt->pattern->zonestats); 2934 res = rbtree_search(opt->zonestatnames, statname); 2935 if(res) 2936 return ((struct zonestatname*)res)->id; 2937 /* create it */ 2938 n = (struct zonestatname*)region_alloc_zero(opt->region, sizeof(*n)); 2939 n->node.key = region_strdup(opt->region, statname); 2940 if(!n->node.key) { 2941 log_msg(LOG_ERR, "malloc failed: %s", strerror(errno)); 2942 exit(1); 2943 } 2944 n->id = (unsigned)(opt->zonestatnames->count); 2945 rbtree_insert(opt->zonestatnames, (rbnode_type*)n); 2946 return n->id; 2947 #else /* USE_ZONE_STATS */ 2948 (void)opt; (void)zopt; 2949 return 0; 2950 #endif /* USE_ZONE_STATS */ 2951 } 2952 2953 /** check if config turns on IP-address interface with certificates or a 2954 * named pipe without certificates. */ 2955 int 2956 options_remote_is_address(struct nsd_options* cfg) 2957 { 2958 if(!cfg->control_enable) return 0; 2959 if(!cfg->control_interface) return 1; 2960 if(!cfg->control_interface->address) return 1; 2961 if(cfg->control_interface->address[0] == 0) return 1; 2962 return (cfg->control_interface->address[0] != '/'); 2963 } 2964 2965 #ifdef HAVE_GETIFADDRS 2966 static void 2967 resolve_ifa_name(struct ifaddrs *ifas, const char *search_ifa, char ***ip_addresses, size_t *ip_addresses_size) 2968 { 2969 struct ifaddrs *ifa; 2970 size_t last_ip_addresses_size = *ip_addresses_size; 2971 2972 for(ifa = ifas; ifa != NULL; ifa = ifa->ifa_next) { 2973 sa_family_t family; 2974 const char* atsign; 2975 #ifdef INET6 /* | address ip | % | ifa name | @ | port | nul */ 2976 char addr_buf[INET6_ADDRSTRLEN + 1 + IF_NAMESIZE + 1 + 16 + 1]; 2977 #else 2978 char addr_buf[INET_ADDRSTRLEN + 1 + 16 + 1]; 2979 #endif 2980 2981 if((atsign=strrchr(search_ifa, '@')) != NULL) { 2982 if(strlen(ifa->ifa_name) != (size_t)(atsign-search_ifa) 2983 || strncmp(ifa->ifa_name, search_ifa, 2984 atsign-search_ifa) != 0) 2985 continue; 2986 } else { 2987 if(strcmp(ifa->ifa_name, search_ifa) != 0) 2988 continue; 2989 atsign = ""; 2990 } 2991 2992 if(ifa->ifa_addr == NULL) 2993 continue; 2994 2995 family = ifa->ifa_addr->sa_family; 2996 if(family == AF_INET) { 2997 char a4[INET_ADDRSTRLEN + 1]; 2998 struct sockaddr_in *in4 = (struct sockaddr_in *) 2999 ifa->ifa_addr; 3000 if(!inet_ntop(family, &in4->sin_addr, a4, sizeof(a4))) 3001 error("inet_ntop"); 3002 snprintf(addr_buf, sizeof(addr_buf), "%s%s", 3003 a4, atsign); 3004 } 3005 #ifdef INET6 3006 else if(family == AF_INET6) { 3007 struct sockaddr_in6 *in6 = (struct sockaddr_in6 *) 3008 ifa->ifa_addr; 3009 char a6[INET6_ADDRSTRLEN + 1]; 3010 char if_index_name[IF_NAMESIZE + 1]; 3011 if_index_name[0] = 0; 3012 if(!inet_ntop(family, &in6->sin6_addr, a6, sizeof(a6))) 3013 error("inet_ntop"); 3014 if_indextoname(in6->sin6_scope_id, 3015 (char *)if_index_name); 3016 if (strlen(if_index_name) != 0) { 3017 snprintf(addr_buf, sizeof(addr_buf), 3018 "%s%%%s%s", a6, if_index_name, atsign); 3019 } else { 3020 snprintf(addr_buf, sizeof(addr_buf), "%s%s", 3021 a6, atsign); 3022 } 3023 } 3024 #endif 3025 else { 3026 continue; 3027 } 3028 VERBOSITY(4, (LOG_INFO, "interface %s has address %s", 3029 search_ifa, addr_buf)); 3030 3031 *ip_addresses = xrealloc(*ip_addresses, sizeof(char *) * (*ip_addresses_size + 1)); 3032 (*ip_addresses)[*ip_addresses_size] = xstrdup(addr_buf); 3033 (*ip_addresses_size)++; 3034 } 3035 3036 if (*ip_addresses_size == last_ip_addresses_size) { 3037 *ip_addresses = xrealloc(*ip_addresses, sizeof(char *) * (*ip_addresses_size + 1)); 3038 (*ip_addresses)[*ip_addresses_size] = xstrdup(search_ifa); 3039 (*ip_addresses_size)++; 3040 } 3041 } 3042 3043 static void 3044 resolve_interface_names_for_ref(struct ip_address_option** ip_addresses_ref, 3045 struct ifaddrs *addrs, region_type* region) 3046 { 3047 struct ip_address_option *ip_addr; 3048 struct ip_address_option *last = NULL; 3049 struct ip_address_option *first = NULL; 3050 3051 /* replace the list of ip_adresses with a new list where the 3052 * interface names are replaced with their ip-address strings 3053 * from getifaddrs. An interface can have several addresses. */ 3054 for(ip_addr = *ip_addresses_ref; ip_addr; ip_addr = ip_addr->next) { 3055 char **ip_addresses = NULL; 3056 size_t ip_addresses_size = 0, i; 3057 resolve_ifa_name(addrs, ip_addr->address, &ip_addresses, 3058 &ip_addresses_size); 3059 3060 for (i = 0; i < ip_addresses_size; i++) { 3061 struct ip_address_option *current; 3062 /* this copies the range_option, dev, and fib from 3063 * the original ip_address option to the new ones 3064 * with the addresses spelled out by resolve_ifa_name*/ 3065 current = region_alloc_init(region, ip_addr, 3066 sizeof(*ip_addr)); 3067 current->address = region_strdup(region, 3068 ip_addresses[i]); 3069 current->next = NULL; 3070 free(ip_addresses[i]); 3071 3072 if(first == NULL) { 3073 first = current; 3074 } else { 3075 last->next = current; 3076 } 3077 last = current; 3078 } 3079 free(ip_addresses); 3080 } 3081 *ip_addresses_ref = first; 3082 3083 } 3084 #endif /* HAVE_GETIFADDRS */ 3085 3086 void 3087 resolve_interface_names(struct nsd_options* options) 3088 { 3089 #ifdef HAVE_GETIFADDRS 3090 struct ifaddrs *addrs; 3091 3092 if(getifaddrs(&addrs) == -1) 3093 error("failed to list interfaces"); 3094 3095 resolve_interface_names_for_ref(&options->ip_addresses, 3096 addrs, options->region); 3097 resolve_interface_names_for_ref(&options->control_interface, 3098 addrs, options->region); 3099 #ifdef USE_METRICS 3100 resolve_interface_names_for_ref(&options->metrics_interface, 3101 addrs, options->region); 3102 #endif /* USE_METRICS */ 3103 3104 freeifaddrs(addrs); 3105 #else 3106 (void)options; 3107 #endif /* HAVE_GETIFADDRS */ 3108 } 3109 3110 int 3111 sockaddr_uses_proxy_protocol_port(struct nsd_options* options, 3112 struct sockaddr* addr) 3113 { 3114 struct proxy_protocol_port_list* p; 3115 int port; 3116 #ifdef INET6 3117 struct sockaddr_storage* ss = (struct sockaddr_storage*)addr; 3118 if(ss->ss_family == AF_INET6) { 3119 struct sockaddr_in6* a6 = (struct sockaddr_in6*)addr; 3120 port = ntohs(a6->sin6_port); 3121 } else if(ss->ss_family == AF_INET) { 3122 #endif 3123 struct sockaddr_in* a = (struct sockaddr_in*)addr; 3124 #ifndef INET6 3125 if(a->sin_family != AF_INET) 3126 return 0; /* unknown family */ 3127 #endif 3128 port = ntohs(a->sin_port); 3129 #ifdef INET6 3130 } else { 3131 return 0; /* unknown family */ 3132 } 3133 #endif 3134 p = options->proxy_protocol_port; 3135 while(p) { 3136 if(p->port == port) 3137 return 1; 3138 p = p->next; 3139 } 3140 return 0; 3141 } 3142
Indexes created Tue Feb 24 08:35:24 UTC 2026