0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews * Copyright (C) 2001-2008, 2011-2016 Internet Systems Consortium, Inc. ("ISC")
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews * This Source Code Form is subject to the terms of the Mozilla Public
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews * License, v. 2.0. If a copy of the MPL was not distributed with this
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews * file, You can obtain one at http://mozilla.org/MPL/2.0/.
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington * Note: Listeners and connections are not locked. All event handlers are
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington * executed by the server task, and all callers of exported routines must
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington * be running under the server task.
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellingtontypedef ISC_LIST(controlkey_t) controlkeylist_t;
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellingtontypedef struct controlconnection controlconnection_t;
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellingtontypedef ISC_LIST(controlconnection_t) controlconnectionlist_t;
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellingtontypedef struct controllistener controllistener_t;
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellingtontypedef ISC_LIST(controllistener_t) controllistenerlist_t;
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellingtonstatic void control_newconn(isc_task_t *task, isc_event_t *event);
091329e690b20755aa80b86cc7389d25c5d32c9bBrian Wellingtonstatic void control_recvmessage(isc_task_t *task, isc_event_t *event);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellingtonfree_controlkey(controlkey_t *key, isc_mem_t *mctx) {
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington isc_mem_put(mctx, key->secret.base, key->secret.length);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellingtonfree_controlkeylist(controlkeylist_t *keylist, isc_mem_t *mctx) {
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington controlkey_t *key = ISC_LIST_HEAD(*keylist);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellingtonfree_listener(controllistener_t *listener) {
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington INSIST(ISC_LIST_EMPTY(listener->connections));
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington free_controlkeylist(&listener->keys, listener->mctx);
3a0da183bb40bd120698102b20b61ef12665c09bMark Andrews isc_mem_putanddetach(&listener->mctx, listener, sizeof(*listener));
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellingtonmaybe_free_listener(controllistener_t *listener) {
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellingtonmaybe_free_connection(controlconnection_t *conn) {
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington controllistener_t *listener = conn->listener;
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington isc_socket_cancel(conn->sock, listener->task,
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington ISC_LIST_UNLINK(listener->connections, conn, link);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington isc_mem_put(listener->mctx, conn, sizeof(*conn));
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellingtonshutdown_listener(controllistener_t *listener) {
32d248107a5bc92b4bf9fc77deaa55b3da969ba2Andreas Gustafsson ISC_LIST_UNLINK(listener->controls->listeners, listener, link);
ed3418751ebdf7de397df76753dae97851d2bdf9Brian Wellington isc_sockaddr_format(&listener->address, socktext,
ed3418751ebdf7de397df76753dae97851d2bdf9Brian Wellington isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
ed3418751ebdf7de397df76753dae97851d2bdf9Brian Wellington "stopping command channel on %s", socktext);
4423c99613db1399dbb5c51e86ef0d351a1418c2Mark Andrews isc_socket_cleanunix(&listener->address, ISC_TRUE);
32d248107a5bc92b4bf9fc77deaa55b3da969ba2Andreas Gustafsson for (conn = ISC_LIST_HEAD(listener->connections);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington isc_socket_cancel(listener->sock, listener->task,
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellingtonaddress_ok(isc_sockaddr_t *sockaddr, dns_acl_t *acl) {
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington isc_netaddr_fromsockaddr(&netaddr, sockaddr);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington result = dns_acl_match(&netaddr, NULL, acl,
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellingtoncontrol_accept(controllistener_t *listener) {
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington "isc_socket_accept() failed: %s",
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellingtoncontrol_listen(controllistener_t *listener) {
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington result = isc_socket_listen(listener->sock, 0);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington "isc_socket_listen() failed: %s",
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellingtoncontrol_senddone(isc_task_t *task, isc_event_t *event) {
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington isc_socketevent_t *sevent = (isc_socketevent_t *) event;
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington controllistener_t *listener = conn->listener;
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington isc_socket_t *sock = (isc_socket_t *)sevent->ev_sender;
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington (void)isc_socket_getpeername(sock, &peeraddr);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington isc_sockaddr_format(&peeraddr, socktext, sizeof(socktext));
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington "error sending command response to %s: %s",
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington socktext, isc_result_totext(sevent->result));
091329e690b20755aa80b86cc7389d25c5d32c9bBrian Wellington result = isccc_ccmsg_readmessage(&conn->ccmsg, listener->task,
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellingtonstatic inline void
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellingtonlog_invalid(isccc_ccmsg_t *ccmsg, isc_result_t result) {
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington (void)isc_socket_getpeername(ccmsg->sock, &peeraddr);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington isc_sockaddr_format(&peeraddr, socktext, sizeof(socktext));
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington "invalid command from %s: %s",
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellingtoncontrol_recvmessage(isc_task_t *task, isc_event_t *event) {
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington REQUIRE(event->ev_type == ISCCC_EVENT_CCMSG);
2f012d936b5ccdf6520c96a4de23721dc58a2221Automatic Updater /* Is the server shutting down? */
091329e690b20755aa80b86cc7389d25c5d32c9bBrian Wellington if (conn->ccmsg.result != ISC_R_CANCELED &&
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington log_invalid(&conn->ccmsg, conn->ccmsg.result);
c2da4f9d8a153ffeb2b659541130abef2d586789Brian Wellington ccregion.rstart = isc_buffer_base(&conn->ccmsg.buffer);
c2da4f9d8a153ffeb2b659541130abef2d586789Brian Wellington ccregion.rend = isc_buffer_used(&conn->ccmsg.buffer);
c2da4f9d8a153ffeb2b659541130abef2d586789Brian Wellington secret.rstart = isc_mem_get(listener->mctx, key->secret.length);
e851ea826066ac5a5b01c2c23218faa0273a12e8Evan Hunt memmove(secret.rstart, key->secret.base, key->secret.length);
c2da4f9d8a153ffeb2b659541130abef2d586789Brian Wellington secret.rend = secret.rstart + key->secret.length;
546c2bf791782df1077217bdaf1865235fa95a93Mark Andrews isc_mem_put(listener->mctx, secret.rstart, REGION_SIZE(secret));
c2da4f9d8a153ffeb2b659541130abef2d586789Brian Wellington log_invalid(&conn->ccmsg, ISCCC_R_BADAUTH);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington /* We shouldn't be getting a reply. */
72ddc4cef9c6a6de53aae530dea1ddbb90631131Mark Andrews * Limit exposure to replay attacks.
72ddc4cef9c6a6de53aae530dea1ddbb90631131Mark Andrews if (isccc_cc_lookupuint32(_ctrl, "_tim", &sent) == ISC_R_SUCCESS) {
72ddc4cef9c6a6de53aae530dea1ddbb90631131Mark Andrews if ((sent + CLOCKSKEW) < now || (sent - CLOCKSKEW) > now) {
72ddc4cef9c6a6de53aae530dea1ddbb90631131Mark Andrews * Expire messages that are too old.
72ddc4cef9c6a6de53aae530dea1ddbb90631131Mark Andrews if (isccc_cc_lookupuint32(_ctrl, "_exp", &exp) == ISC_R_SUCCESS &&
72ddc4cef9c6a6de53aae530dea1ddbb90631131Mark Andrews * Duplicate suppression (required for UDP).
72ddc4cef9c6a6de53aae530dea1ddbb90631131Mark Andrews isccc_cc_cleansymtab(listener->controls->symtab, now);
72ddc4cef9c6a6de53aae530dea1ddbb90631131Mark Andrews result = isccc_cc_checkdup(listener->controls->symtab, request, now);
72ddc4cef9c6a6de53aae530dea1ddbb90631131Mark Andrews (isccc_cc_lookupuint32(_ctrl, "_nonce", &nonce) != ISC_R_SUCCESS ||
e32d354f754a5d7847a0862bcd6302827ea225bfEvan Hunt result = isc_buffer_allocate(listener->mctx, &text, 2 * 2048);
72ddc4cef9c6a6de53aae530dea1ddbb90631131Mark Andrews * Establish nonce.
58f7af60e79a5aaf58f6a8861c306d4c617fb1d1Mukund Sivaraman eresult = ns_control_docommand(request, listener->readonly, &text);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington result = isccc_cc_createresponse(request, now, now + 60, &response);
9e804040a29b9c3066c8471b43835f30707039b7Evan Hunt if (isccc_cc_defineuint32(data, "result", eresult) == NULL)
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington const char *estr = isc_result_totext(eresult);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington if (isccc_cc_definestring(data, "err", estr) == NULL)
e4cd5a1e5d0358abeee7618b02b4592c055d957fBrian Wellington if (isccc_cc_definestring(data, "text", str) == NULL)
72ddc4cef9c6a6de53aae530dea1ddbb90631131Mark Andrews isccc_cc_defineuint32(_ctrl, "_nonce", conn->nonce) == NULL)
e32d354f754a5d7847a0862bcd6302827ea225bfEvan Hunt /* Skip the length field (4 bytes) */
e32d354f754a5d7847a0862bcd6302827ea225bfEvan Hunt result = isccc_cc_towire(response, &conn->buffer, algorithm, &secret);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington result = isc_socket_send(conn->sock, &r, task, control_senddone, conn);
546c2bf791782df1077217bdaf1865235fa95a93Mark Andrews isc_mem_put(listener->mctx, secret.rstart, REGION_SIZE(secret));
546c2bf791782df1077217bdaf1865235fa95a93Mark Andrews isc_mem_put(listener->mctx, secret.rstart, REGION_SIZE(secret));
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellingtoncontrol_timeout(isc_task_t *task, isc_event_t *event) {
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellingtonnewconnection(controllistener_t *listener, isc_socket_t *sock) {
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington conn = isc_mem_get(listener->mctx, sizeof(*conn));
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington isccc_ccmsg_init(listener->mctx, sock, &conn->ccmsg);
9b17fd447c684a84b2f5fbfb04ad6e890ae2078cMukund Sivaraman /* Set a 32 KiB upper limit on incoming message. */
9b17fd447c684a84b2f5fbfb04ad6e890ae2078cMukund Sivaraman isccc_ccmsg_setmaxsize(&conn->ccmsg, 32768);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington result = isc_timer_create(ns_g_timermgr, isc_timertype_once,
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington result = isccc_ccmsg_readmessage(&conn->ccmsg, listener->task,
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington ISC_LIST_APPEND(listener->connections, conn, link);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington isc_mem_put(listener->mctx, conn, sizeof(*conn));
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellingtoncontrol_newconn(isc_task_t *task, isc_event_t *event) {
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington isc_socket_newconnev_t *nevent = (isc_socket_newconnev_t *)event;
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington controllistener_t *listener = event->ev_arg;
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington (void)isc_socket_getpeername(sock, &peeraddr);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington isc_sockaddr_format(&peeraddr, socktext, sizeof(socktext));
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington "rejected command channel message from %s",
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington isc_sockaddr_format(&peeraddr, socktext, sizeof(socktext));
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington "dropped command channel from %s: %s",
9cc98b104e1a1d479a4cf9a47e2acccba927dbcdBrian Wellingtoncontrols_shutdown(ns_controls_t *controls) {
532989b206894bdaf6de6cb883d2e31169c4bfacAndreas Gustafsson for (listener = ISC_LIST_HEAD(controls->listeners);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington * This is asynchronous. As listeners shut down, they will
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington * call their callbacks.
9cc98b104e1a1d479a4cf9a47e2acccba927dbcdBrian Wellingtonns_controls_shutdown(ns_controls_t *controls) {
45e1bd63587102c3bb361eaca42ee7b714fb3542Mark Andrewscfgkeylist_find(const cfg_obj_t *keylist, const char *keyname,
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington str = cfg_obj_asstring(cfg_map_getname(obj));
45e1bd63587102c3bb361eaca42ee7b714fb3542Mark Andrewscontrolkeylist_fromcfg(const cfg_obj_t *keylist, isc_mem_t *mctx,
45e1bd63587102c3bb361eaca42ee7b714fb3542Mark Andrewsregister_keys(const cfg_obj_t *control, const cfg_obj_t *keylist,
326bcfa0e2a6b924cb829a0bcc3bf9590ce21ad6Mark Andrews controlkeylist_t *keyids, isc_mem_t *mctx, const char *socktext)
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington * Find the keys corresponding to the keyids used by this listener.
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington for (keyid = ISC_LIST_HEAD(*keyids); keyid != NULL; keyid = next) {
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington result = cfgkeylist_find(keylist, keyid->keyname, &keydef);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington cfg_obj_log(control, ns_g_lctx, ISC_LOG_WARNING,
6e0e723b2554ba1c4af8b79733f54bf2692cdecfAndreas Gustafsson "couldn't find key '%s' for use with "
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington "command channel %s",
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington (void)cfg_map_get(keydef, "algorithm", &algobj);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington (void)cfg_map_get(keydef, "secret", &secretobj);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington INSIST(algobj != NULL && secretobj != NULL);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington "unsupported algorithm '%s' in "
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington "key '%s' for use with command "
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington "channel %s",
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington isc_buffer_init(&b, secret, sizeof(secret));
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington result = isc_base64_decodestring(secretstr, &b);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington cfg_obj_log(keydef, ns_g_lctx, ISC_LOG_WARNING,
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington "secret for key '%s' on "
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington "command channel %s: %s",
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington keyid->secret.length = isc_buffer_usedlength(&b);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington cfg_obj_log(keydef, ns_g_lctx, ISC_LOG_WARNING,
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington "couldn't register key '%s': "
326bcfa0e2a6b924cb829a0bcc3bf9590ce21ad6Mark Andrewsget_rndckey(isc_mem_t *mctx, controlkeylist_t *keyids) {
368aedf188d7c7782cae8a5ce2a978be47b5a764Evan Hunt "configuring command channel from '%s'",
326bcfa0e2a6b924cb829a0bcc3bf9590ce21ad6Mark Andrews CHECK(cfg_parser_create(mctx, ns_g_lctx, &pctx));
326bcfa0e2a6b924cb829a0bcc3bf9590ce21ad6Mark Andrews CHECK(cfg_parse_file(pctx, ns_g_keyfile, &cfg_type_rndckey, &config));
326bcfa0e2a6b924cb829a0bcc3bf9590ce21ad6Mark Andrews "unsupported algorithm '%s' in "
326bcfa0e2a6b924cb829a0bcc3bf9590ce21ad6Mark Andrews "key '%s' for use with command "
326bcfa0e2a6b924cb829a0bcc3bf9590ce21ad6Mark Andrews result = isc_base64_decodestring(secretstr, &b);
326bcfa0e2a6b924cb829a0bcc3bf9590ce21ad6Mark Andrews "secret for key '%s' on command channel: %s",
326bcfa0e2a6b924cb829a0bcc3bf9590ce21ad6Mark Andrews keyid->secret.length = isc_buffer_usedlength(&b);
326bcfa0e2a6b924cb829a0bcc3bf9590ce21ad6Mark Andrews "couldn't register key '%s': "
9bac746a3cdabdbb7b306875f101c03e637dc639Mark Andrews * Ensures that both '*global_keylistp' and '*control_keylistp' are
9bac746a3cdabdbb7b306875f101c03e637dc639Mark Andrews * valid or both are NULL.
45e1bd63587102c3bb361eaca42ee7b714fb3542Mark Andrewsget_key_info(const cfg_obj_t *config, const cfg_obj_t *control,
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence REQUIRE(global_keylistp != NULL && *global_keylistp == NULL);
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence REQUIRE(control_keylistp != NULL && *control_keylistp == NULL);
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence control_keylist = cfg_tuple_get(control, "keys");
9bac746a3cdabdbb7b306875f101c03e637dc639Mark Andrews result = cfg_map_get(config, "key", &global_keylist);
45e1bd63587102c3bb361eaca42ee7b714fb3542Mark Andrewsupdate_listener(ns_controls_t *cp, controllistener_t **listenerp,
45e1bd63587102c3bb361eaca42ee7b714fb3542Mark Andrews const cfg_obj_t *control, const cfg_obj_t *config,
45e1bd63587102c3bb361eaca42ee7b714fb3542Mark Andrews isc_sockaddr_t *addr, cfg_aclconfctx_t *aclconfctx,
2f012d936b5ccdf6520c96a4de23721dc58a2221Automatic Updater const char *socktext, isc_sockettype_t type)
532989b206894bdaf6de6cb883d2e31169c4bfacAndreas Gustafsson for (listener = ISC_LIST_HEAD(cp->listeners);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington if (isc_sockaddr_equal(addr, &listener->address))
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington * There is already a listener for this sockaddr.
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington * Update the access list and key information.
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence * First try to deal with the key situation. There are a few
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence * possibilities:
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence * (a) It had an explicit keylist and still has an explicit keylist.
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence * (b) It had an automagic key and now has an explicit keylist.
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence * (c) It had an explicit keylist and now needs an automagic key.
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence * (d) It has an automagic key and still needs the automagic key.
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence * (c) and (d) are the annoying ones. The caller needs to know
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence * that it should use the automagic configuration for key information
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence * in place of the named.conf configuration.
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence * XXXDCL There is one other hazard that has not been dealt with,
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence * the problem that if a key change is being caused by a control
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence * channel reload, then the response will be with the new key
f8c304e5a5ed6c9a195ce03877381e5a77d439eeAndreas Gustafsson * and not able to be decrypted by the client.
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence result = controlkeylist_fromcfg(control_keylist,
326bcfa0e2a6b924cb829a0bcc3bf9590ce21ad6Mark Andrews free_controlkeylist(&listener->keys, listener->mctx);
326bcfa0e2a6b924cb829a0bcc3bf9590ce21ad6Mark Andrews register_keys(control, global_keylist, &listener->keys,
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence free_controlkeylist(&listener->keys, listener->mctx);
326bcfa0e2a6b924cb829a0bcc3bf9590ce21ad6Mark Andrews result = get_rndckey(listener->mctx, &listener->keys);
ade83e60fa640d495de7d46bed87114d6f9a740cMark Andrews if (result != ISC_R_SUCCESS && global_keylist != NULL) {
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence * This message might be a little misleading since the
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence * "new keys" might in fact be identical to the old ones,
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence * but tracking whether they are identical just for the
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence * sake of avoiding this message would be too much trouble.
2674e1a455d4f71de09b2b60e7a8304b9a305588Mark Andrews cfg_obj_log(control, ns_g_lctx, ISC_LOG_WARNING,
2674e1a455d4f71de09b2b60e7a8304b9a305588Mark Andrews "couldn't install new keys for "
2674e1a455d4f71de09b2b60e7a8304b9a305588Mark Andrews "command channel %s: %s",
2674e1a455d4f71de09b2b60e7a8304b9a305588Mark Andrews isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
2674e1a455d4f71de09b2b60e7a8304b9a305588Mark Andrews "couldn't install new keys for "
2674e1a455d4f71de09b2b60e7a8304b9a305588Mark Andrews "command channel %s: %s",
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence * Now, keep the old access list unless a new one can be made.
4423c99613db1399dbb5c51e86ef0d351a1418c2Mark Andrews if (control != NULL && type == isc_sockettype_tcp) {
ad5bc22a819190839bdcc4d102d023782dc23660Mark Andrews result = cfg_acl_fromconfig(allow, config, ns_g_lctx,
1bcdcce64b5b0f66a23fb784b442d38a134581c8Andreas Gustafsson result = dns_acl_any(listener->mctx, &new_acl);
58f7af60e79a5aaf58f6a8861c306d4c617fb1d1Mukund Sivaraman readonly = cfg_tuple_get(control, "read-only");
58f7af60e79a5aaf58f6a8861c306d4c617fb1d1Mukund Sivaraman listener->readonly = cfg_obj_asboolean(readonly);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington /* XXXDCL say the old acl is still used? */
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington cfg_obj_log(control, ns_g_lctx, ISC_LOG_WARNING,
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington "couldn't install new acl for "
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington "command channel %s: %s",
2674e1a455d4f71de09b2b60e7a8304b9a305588Mark Andrews isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
2674e1a455d4f71de09b2b60e7a8304b9a305588Mark Andrews "couldn't install new acl for "
2674e1a455d4f71de09b2b60e7a8304b9a305588Mark Andrews "command channel %s: %s",
4423c99613db1399dbb5c51e86ef0d351a1418c2Mark Andrews if (result == ISC_R_SUCCESS && type == isc_sockettype_unix) {
4423c99613db1399dbb5c51e86ef0d351a1418c2Mark Andrews perm = cfg_obj_asuint32(cfg_tuple_get(control, "perm"));
4423c99613db1399dbb5c51e86ef0d351a1418c2Mark Andrews owner = cfg_obj_asuint32(cfg_tuple_get(control, "owner"));
4423c99613db1399dbb5c51e86ef0d351a1418c2Mark Andrews group = cfg_obj_asuint32(cfg_tuple_get(control, "group"));
4423c99613db1399dbb5c51e86ef0d351a1418c2Mark Andrews if (listener->perm != perm || listener->owner != owner ||
4423c99613db1399dbb5c51e86ef0d351a1418c2Mark Andrews result = isc_socket_permunix(&listener->address, perm,
4423c99613db1399dbb5c51e86ef0d351a1418c2Mark Andrews cfg_obj_log(control, ns_g_lctx, ISC_LOG_WARNING,
4423c99613db1399dbb5c51e86ef0d351a1418c2Mark Andrews "couldn't update ownership/permission for "
532989b206894bdaf6de6cb883d2e31169c4bfacAndreas Gustafssonadd_listener(ns_controls_t *cp, controllistener_t **listenerp,
45e1bd63587102c3bb361eaca42ee7b714fb3542Mark Andrews const cfg_obj_t *control, const cfg_obj_t *config,
45e1bd63587102c3bb361eaca42ee7b714fb3542Mark Andrews isc_sockaddr_t *addr, cfg_aclconfctx_t *aclconfctx,
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington listener = isc_mem_get(mctx, sizeof(*listener));
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington * Make the acl.
4423c99613db1399dbb5c51e86ef0d351a1418c2Mark Andrews if (control != NULL && type == isc_sockettype_tcp) {
ad5bc22a819190839bdcc4d102d023782dc23660Mark Andrews result = cfg_acl_fromconfig(allow, config, ns_g_lctx,
58f7af60e79a5aaf58f6a8861c306d4c617fb1d1Mukund Sivaraman if ((result == ISC_R_SUCCESS) && (control != NULL)) {
58f7af60e79a5aaf58f6a8861c306d4c617fb1d1Mukund Sivaraman readonly = cfg_tuple_get(control, "read-only");
58f7af60e79a5aaf58f6a8861c306d4c617fb1d1Mukund Sivaraman listener->readonly = cfg_obj_asboolean(readonly);
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence result = controlkeylist_fromcfg(control_keylist,
326bcfa0e2a6b924cb829a0bcc3bf9590ce21ad6Mark Andrews if (result != ISC_R_SUCCESS && control != NULL)
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington cfg_obj_log(control, ns_g_lctx, ISC_LOG_WARNING,
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence "couldn't install keys for "
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington "command channel %s: %s",
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington int pf = isc_sockaddr_pf(&listener->address);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington if ((pf == AF_INET && isc_net_probeipv4() != ISC_R_SUCCESS) ||
4423c99613db1399dbb5c51e86ef0d351a1418c2Mark Andrews (pf == AF_UNIX && isc_net_probeunix() != ISC_R_SUCCESS) ||
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington (pf == AF_INET6 && isc_net_probeipv6() != ISC_R_SUCCESS))
4423c99613db1399dbb5c51e86ef0d351a1418c2Mark Andrews if (result == ISC_R_SUCCESS && type == isc_sockettype_unix)
4423c99613db1399dbb5c51e86ef0d351a1418c2Mark Andrews isc_socket_cleanunix(&listener->address, ISC_FALSE);
96ea71632887c58a9d00f47eb318bf76b35903c3Mark Andrews isc_socket_setname(listener->sock, "control", NULL);
240e53b13217af266abb3dae8ba103614daf2bf7Mark Andrews result = isc_socket_bind(listener->sock, &listener->address,
4423c99613db1399dbb5c51e86ef0d351a1418c2Mark Andrews if (result == ISC_R_SUCCESS && type == isc_sockettype_unix) {
4423c99613db1399dbb5c51e86ef0d351a1418c2Mark Andrews listener->perm = cfg_obj_asuint32(cfg_tuple_get(control,
4423c99613db1399dbb5c51e86ef0d351a1418c2Mark Andrews listener->owner = cfg_obj_asuint32(cfg_tuple_get(control,
4423c99613db1399dbb5c51e86ef0d351a1418c2Mark Andrews listener->group = cfg_obj_asuint32(cfg_tuple_get(control,
4423c99613db1399dbb5c51e86ef0d351a1418c2Mark Andrews result = isc_socket_permunix(&listener->address, listener->perm,
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington "command channel listening on %s", socktext);
326bcfa0e2a6b924cb829a0bcc3bf9590ce21ad6Mark Andrews cfg_obj_log(control, ns_g_lctx, ISC_LOG_WARNING,
326bcfa0e2a6b924cb829a0bcc3bf9590ce21ad6Mark Andrews "couldn't add command channel %s: %s",
326bcfa0e2a6b924cb829a0bcc3bf9590ce21ad6Mark Andrews isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
326bcfa0e2a6b924cb829a0bcc3bf9590ce21ad6Mark Andrews "couldn't add command channel %s: %s",
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington /* XXXDCL return error results? fail hard? */
45e1bd63587102c3bb361eaca42ee7b714fb3542Mark Andrewsns_controls_configure(ns_controls_t *cp, const cfg_obj_t *config,
6e0e723b2554ba1c4af8b79733f54bf2692cdecfAndreas Gustafsson * Get the list of named.conf 'controls' statements.
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington (void)cfg_map_get(config, "controls", &controlslist);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington * Run through the new control channel list, noting sockets that
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington * are already being listened on and moving them to the new list.
6e0e723b2554ba1c4af8b79733f54bf2692cdecfAndreas Gustafsson * Identifying duplicate addr/port combinations is left to either
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington * the underlying config code, or to the bind attempt getting an
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington * address-in-use error.
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington for (element = cfg_list_first(controlslist);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington (void)cfg_map_get(controls, "inet", &inetcontrols);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington for (element2 = cfg_list_first(inetcontrols);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington * The parser handles BIND 8 configuration file
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington * syntax, so it allows unix phrases as well as
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington * inet phrases with no keys{} clause.
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington "processing control channel %s",
532989b206894bdaf6de6cb883d2e31169c4bfacAndreas Gustafsson update_listener(cp, &listener, control, config,
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington * Remove the listener from the old
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington * list, so it won't be shut down.
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington * This is a new listener.
4423c99613db1399dbb5c51e86ef0d351a1418c2Mark Andrews (void)cfg_map_get(controls, "unix", &unixcontrols);
4423c99613db1399dbb5c51e86ef0d351a1418c2Mark Andrews * The parser handles BIND 8 configuration file
4423c99613db1399dbb5c51e86ef0d351a1418c2Mark Andrews * syntax, so it allows unix phrases as well as
4423c99613db1399dbb5c51e86ef0d351a1418c2Mark Andrews * inet phrases with no keys{} clause.
4423c99613db1399dbb5c51e86ef0d351a1418c2Mark Andrews "control channel '%s': %s",
4423c99613db1399dbb5c51e86ef0d351a1418c2Mark Andrews "processing control channel '%s'",
4423c99613db1399dbb5c51e86ef0d351a1418c2Mark Andrews update_listener(cp, &listener, control, config,
4423c99613db1399dbb5c51e86ef0d351a1418c2Mark Andrews * Remove the listener from the old
4423c99613db1399dbb5c51e86ef0d351a1418c2Mark Andrews * list, so it won't be shut down.
4423c99613db1399dbb5c51e86ef0d351a1418c2Mark Andrews * This is a new listener.
b199e25ab71bf7e212581e1c68b179b757418d1bAndreas Gustafsson for (i = 0; i < 2; i++) {
8173a963d2f8c413e698bf48b8eebdd01f3bb877Mark Andrews if (i == 0) {
5cd7e9d4db393c314dd1a761c52d2cb3a4da9b72Andreas Gustafsson localhost.s_addr = htonl(INADDR_LOOPBACK);
5cd7e9d4db393c314dd1a761c52d2cb3a4da9b72Andreas Gustafsson isc_sockaddr_fromin(&addr, &localhost, 0);
326bcfa0e2a6b924cb829a0bcc3bf9590ce21ad6Mark Andrews isc_sockaddr_format(&addr, socktext, sizeof(socktext));
326bcfa0e2a6b924cb829a0bcc3bf9590ce21ad6Mark Andrews * Remove the listener from the old
326bcfa0e2a6b924cb829a0bcc3bf9590ce21ad6Mark Andrews * list, so it won't be shut down.
326bcfa0e2a6b924cb829a0bcc3bf9590ce21ad6Mark Andrews * This is a new listener.
326bcfa0e2a6b924cb829a0bcc3bf9590ce21ad6Mark Andrews * ns_control_shutdown() will stop whatever is on the global
326bcfa0e2a6b924cb829a0bcc3bf9590ce21ad6Mark Andrews * listeners list, which currently only has whatever sockaddrs
326bcfa0e2a6b924cb829a0bcc3bf9590ce21ad6Mark Andrews * were in the previous configuration (if any) that do not
326bcfa0e2a6b924cb829a0bcc3bf9590ce21ad6Mark Andrews * remain in the current configuration.
326bcfa0e2a6b924cb829a0bcc3bf9590ce21ad6Mark Andrews * Put all of the valid listeners on the listeners list.
326bcfa0e2a6b924cb829a0bcc3bf9590ce21ad6Mark Andrews * Anything already on listeners in the process of shutting
326bcfa0e2a6b924cb829a0bcc3bf9590ce21ad6Mark Andrews * down will be taken care of by listen_done().
326bcfa0e2a6b924cb829a0bcc3bf9590ce21ad6Mark Andrews ISC_LIST_APPENDLIST(cp->listeners, new_listeners, link);
532989b206894bdaf6de6cb883d2e31169c4bfacAndreas Gustafssonns_controls_create(ns_server_t *server, ns_controls_t **ctrlsp) {
532989b206894bdaf6de6cb883d2e31169c4bfacAndreas Gustafsson ns_controls_t *controls = isc_mem_get(mctx, sizeof(*controls));
72ddc4cef9c6a6de53aae530dea1ddbb90631131Mark Andrews result = isccc_cc_createsymtab(&controls->symtab);
72ddc4cef9c6a6de53aae530dea1ddbb90631131Mark Andrews isc_mem_put(server->mctx, controls, sizeof(*controls));
532989b206894bdaf6de6cb883d2e31169c4bfacAndreas Gustafssonns_controls_destroy(ns_controls_t **ctrlsp) {
532989b206894bdaf6de6cb883d2e31169c4bfacAndreas Gustafsson REQUIRE(ISC_LIST_EMPTY(controls->listeners));