controlconf.c revision c2da4f9d8a153ffeb2b659541130abef2d586789
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington * Copyright (C) 2001 Internet Software Consortium.
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington * Permission to use, copy, modify, and distribute this software for any
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington * purpose with or without fee is hereby granted, provided that the above
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington * copyright notice and this permission notice appear in all copies.
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
c2da4f9d8a153ffeb2b659541130abef2d586789Brian Wellington/* $Id: controlconf.c,v 1.14 2001/07/04 03:54:55 bwelling Exp $ */
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington * Note: Listeners and connections are not locked. All event handlers are
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington * executed by the server task, and all callers of exported routines must
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington * be running under the server task.
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellingtontypedef ISC_LIST(controlkey_t) controlkeylist_t;
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellingtontypedef struct controlconnection controlconnection_t;
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellingtontypedef ISC_LIST(controlconnection_t) controlconnectionlist_t;
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellingtontypedef struct controllistener controllistener_t;
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellingtontypedef ISC_LIST(controllistener_t) controllistenerlist_t;
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrencestatic struct {
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence isc_sockaddr_t address; /* Last channel that needed automagic. */
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellingtonstatic void control_newconn(isc_task_t *task, isc_event_t *event);
091329e690b20755aa80b86cc7389d25c5d32c9bBrian Wellingtonstatic void control_recvmessage(isc_task_t *task, isc_event_t *event);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellingtonfree_controlkey(controlkey_t *key, isc_mem_t *mctx) {
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington isc_mem_put(mctx, key->secret.base, key->secret.length);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellingtonfree_controlkeylist(controlkeylist_t *keylist, isc_mem_t *mctx) {
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington controlkey_t *key = ISC_LIST_HEAD(*keylist);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellingtonfree_listener(controllistener_t *listener) {
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington INSIST(ISC_LIST_EMPTY(listener->connections));
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington free_controlkeylist(&listener->keys, listener->mctx);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington isc_mem_put(listener->mctx, listener, sizeof(*listener));
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellingtonmaybe_free_listener(controllistener_t *listener) {
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellingtonmaybe_free_connection(controlconnection_t *conn) {
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington controllistener_t *listener = conn->listener;
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington isc_socket_cancel(conn->sock, listener->task,
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington ISC_LIST_UNLINK(listener->connections, conn, link);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington isc_mem_put(listener->mctx, conn, sizeof(*conn));
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellingtonshutdown_listener(controllistener_t *listener) {
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington if (!ISC_LIST_EMPTY(listener->connections)) {
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington for (conn = ISC_LIST_HEAD(listener->connections);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington isc_socket_cancel(listener->sock, listener->task,
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence isc_sockaddr_format(&listener->address, socktext, sizeof(socktext));
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellingtonaddress_ok(isc_sockaddr_t *sockaddr, dns_acl_t *acl) {
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington isc_netaddr_fromsockaddr(&netaddr, sockaddr);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington result = dns_acl_match(&netaddr, NULL, acl,
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellingtoncontrol_accept(controllistener_t *listener) {
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington "isc_socket_accept() failed: %s",
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellingtoncontrol_listen(controllistener_t *listener) {
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington result = isc_socket_listen(listener->sock, 0);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington "isc_socket_listen() failed: %s",
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellingtoncontrol_senddone(isc_task_t *task, isc_event_t *event) {
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington isc_socketevent_t *sevent = (isc_socketevent_t *) event;
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington controllistener_t *listener = conn->listener;
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington isc_socket_t *sock = (isc_socket_t *)sevent->ev_sender;
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington (void)isc_socket_getpeername(sock, &peeraddr);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington isc_sockaddr_format(&peeraddr, socktext, sizeof(socktext));
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington "error sending command response to %s: %s",
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington socktext, isc_result_totext(sevent->result));
091329e690b20755aa80b86cc7389d25c5d32c9bBrian Wellington result = isccc_ccmsg_readmessage(&conn->ccmsg, listener->task,
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellingtonstatic inline void
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellingtonlog_invalid(isccc_ccmsg_t *ccmsg, isc_result_t result) {
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington (void)isc_socket_getpeername(ccmsg->sock, &peeraddr);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington isc_sockaddr_format(&peeraddr, socktext, sizeof(socktext));
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington "invalid command from %s: %s",
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellingtoncontrol_recvmessage(isc_task_t *task, isc_event_t *event) {
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington REQUIRE(event->ev_type == ISCCC_EVENT_CCMSG);
091329e690b20755aa80b86cc7389d25c5d32c9bBrian Wellington if (conn->ccmsg.result != ISC_R_CANCELED &&
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington log_invalid(&conn->ccmsg, conn->ccmsg.result);
c2da4f9d8a153ffeb2b659541130abef2d586789Brian Wellington ccregion.rstart = isc_buffer_base(&conn->ccmsg.buffer);
c2da4f9d8a153ffeb2b659541130abef2d586789Brian Wellington ccregion.rend = isc_buffer_used(&conn->ccmsg.buffer);
c2da4f9d8a153ffeb2b659541130abef2d586789Brian Wellington secret.rstart = isc_mem_get(listener->mctx, key->secret.length);
c2da4f9d8a153ffeb2b659541130abef2d586789Brian Wellington memcpy(secret.rstart, key->secret.base, key->secret.length);
c2da4f9d8a153ffeb2b659541130abef2d586789Brian Wellington secret.rend = secret.rstart + key->secret.length;
c2da4f9d8a153ffeb2b659541130abef2d586789Brian Wellington result = isccc_cc_fromwire(&ccregion, &request, &secret);
c2da4f9d8a153ffeb2b659541130abef2d586789Brian Wellington * For some reason, request is non-NULL when
c2da4f9d8a153ffeb2b659541130abef2d586789Brian Wellington * isccc_cc_fromwire returns ISCCC_R_BADAUTH.
c2da4f9d8a153ffeb2b659541130abef2d586789Brian Wellington log_invalid(&conn->ccmsg, ISCCC_R_BADAUTH);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington /* We shouldn't be getting a reply. */
e4cd5a1e5d0358abeee7618b02b4592c055d957fBrian Wellington isc_buffer_init(&text, textarray, sizeof(textarray));
e4cd5a1e5d0358abeee7618b02b4592c055d957fBrian Wellington eresult = ns_control_docommand(request, &text);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington result = isccc_cc_createresponse(request, now, now + 60, &response);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington data = isccc_alist_lookup(response, "_data");
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington const char *estr = isc_result_totext(eresult);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington if (isccc_cc_definestring(data, "err", estr) == NULL)
e4cd5a1e5d0358abeee7618b02b4592c055d957fBrian Wellington data = isccc_alist_lookup(response, "_data");
e4cd5a1e5d0358abeee7618b02b4592c055d957fBrian Wellington char *str = (char *)isc_buffer_base(&text);
e4cd5a1e5d0358abeee7618b02b4592c055d957fBrian Wellington if (isccc_cc_definestring(data, "text", str) == NULL)
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington ccregion.rend = conn->buffer + sizeof(conn->buffer);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington result = isccc_cc_towire(response, &ccregion, &secret);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington len = sizeof(conn->buffer) - REGION_SIZE(ccregion);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington result = isc_socket_send(conn->sock, &r, task, control_senddone, conn);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellingtoncontrol_timeout(isc_task_t *task, isc_event_t *event) {
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellingtonnewconnection(controllistener_t *listener, isc_socket_t *sock) {
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington conn = isc_mem_get(listener->mctx, sizeof(*conn));
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington isccc_ccmsg_init(listener->mctx, sock, &conn->ccmsg);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington result = isc_timer_create(ns_g_timermgr, isc_timertype_once,
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington result = isccc_ccmsg_readmessage(&conn->ccmsg, listener->task,
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington isccc_ccmsg_setmaxsize(&conn->ccmsg, 2048);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington ISC_LIST_APPEND(listener->connections, conn, link);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington isc_mem_put(listener->mctx, conn, sizeof(*conn));
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellingtoncontrol_newconn(isc_task_t *task, isc_event_t *event) {
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington isc_socket_newconnev_t *nevent = (isc_socket_newconnev_t *)event;
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington controllistener_t *listener = event->ev_arg;
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington (void)isc_socket_getpeername(sock, &peeraddr);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington if (!address_ok(&peeraddr, listener->acl)) {
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington isc_sockaddr_format(&peeraddr, socktext, sizeof(socktext));
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington "rejected command channel message from %s",
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington isc_sockaddr_format(&peeraddr, socktext, sizeof(socktext));
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington "dropped command channel from %s: %s",
532989b206894bdaf6de6cb883d2e31169c4bfacAndreas Gustafssonns_controls_shutdown(ns_controls_t *controls) {
532989b206894bdaf6de6cb883d2e31169c4bfacAndreas Gustafsson for (listener = ISC_LIST_HEAD(controls->listeners);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington * This is asynchronous. As listeners shut down, they will
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington * call their callbacks.
532989b206894bdaf6de6cb883d2e31169c4bfacAndreas Gustafsson ISC_LIST_UNLINK(controls->listeners, listener, link);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellingtoncfgkeylist_find(cfg_obj_t *keylist, const char *keyname, cfg_obj_t **objp) {
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington str = cfg_obj_asstring(cfg_map_getname(obj));
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellingtoncontrolkeylist_fromcfg(cfg_obj_t *keylist, isc_mem_t *mctx,
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellingtonregister_keys(cfg_obj_t *control, cfg_obj_t *keylist,
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington controlkeylist_t *keyids, isc_mem_t *mctx, char *socktext)
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington * Find the keys corresponding to the keyids used by this listener.
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington for (keyid = ISC_LIST_HEAD(*keyids); keyid != NULL; keyid = next) {
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington result = cfgkeylist_find(keylist, keyid->keyname, &keydef);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington cfg_obj_log(control, ns_g_lctx, ISC_LOG_WARNING,
6e0e723b2554ba1c4af8b79733f54bf2692cdecfAndreas Gustafsson "couldn't find key '%s' for use with "
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington "command channel %s",
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington (void)cfg_map_get(keydef, "algorithm", &algobj);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington (void)cfg_map_get(keydef, "secret", &secretobj);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington INSIST(algobj != NULL && secretobj != NULL);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington "unsupported algorithm '%s' in "
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington "key '%s' for use with command "
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington "channel %s",
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington isc_buffer_init(&b, secret, sizeof(secret));
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington result = isc_base64_decodestring(secretstr, &b);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington cfg_obj_log(keydef, ns_g_lctx, ISC_LOG_WARNING,
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington "secret for key '%s' on "
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington "command channel %s: %s",
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington keyid->secret.length = isc_buffer_usedlength(&b);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington cfg_obj_log(keydef, ns_g_lctx, ISC_LOG_WARNING,
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington "couldn't register key '%s': "
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington memcpy(keyid->secret.base, isc_buffer_base(&b),
11c4f6b687564cdda8a0a38745e30a12e874084aDavid Lawrence * First generate a secret. The fourth parameter non-zero means
11c4f6b687564cdda8a0a38745e30a12e874084aDavid Lawrence * that pseudorandom data is ok; good entropy is not required.
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence result = dst_key_generate(dns_rootname, DST_ALG_HMACMD5,
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence isc_buffer_init(&key_rawbuffer, &key_rawsecret,
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence result = dst_key_tobuffer(key, &key_rawbuffer);
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence isc_buffer_init(&key_txtbuffer, &key_txtsecret,
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence isc_buffer_usedregion(&key_rawbuffer, &key_rawregion);
0eace215bd758e347767c63c13504520e855b94aAndreas Gustafsson result = isc_base64_totext(&key_rawregion, -1, "",
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence unsigned int len = isc_buffer_usedlength(&key_txtbuffer);
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence memcpy(automagic_key.secret, isc_buffer_base(&key_txtbuffer),
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence * Make a random name for the key and generate the config
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence * file statement for it.
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence len = snprintf(automagic_key.name, sizeof(automagic_key.name),
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence "could not generate control channel key: %s",
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence unsigned int len;
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence len = snprintf(isc_buffer_base(conf), isc_buffer_length(conf),
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence "key \"%s\" {\n"
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence "\talgorithm hmac-md5;\n"
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence "\tsecret \"%s\";\n"
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence unsigned int len;
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence * Fake up a configuration with a dummy inet control
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence * to grab the keylist tuple.
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence isc_buffer_init(&cfg_buffer, cfg_data, sizeof(cfg_data));
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence "controls { inet 127.0.0.1 allow { localhost; }"
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence " keys { %s; }; };",
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence INSIST(len < isc_buffer_availablelength(&cfg_buffer));
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence result = cfg_parser_create(mctx, ns_g_lctx, &parser);
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence result = cfg_parse_buffer(parser, &cfg_buffer,
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence "could not parse autogenerated "
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence "control channel key: %s",
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence * An automagic key was parsed, so some channel needed it.
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence * Try to write the rndc.conf file.
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence result = isc_stdio_open(ns_g_autorndckeyfile, "w", &fp);
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence isc_fsaccess_add(ISC_FSACCESS_OWNER, ISC_FSACCESS_READ,
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence result = isc_fsaccess_set(ns_g_autorndckeyfile,
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence "could not set owner-only "
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence "access on %s: %s: "
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence "server control key might be "
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence "exposed to local users",
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence isc_netaddr_format(&netaddr, nettext, sizeof(nettext));
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence "\tdefault-server %s;\n"
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence "\tdefault-port %hu;\n"
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence "\tdefault-key \"%s\";\n"
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence "could not write %s",
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence "error closing %s: %s",
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence cfg_obj_destroy(automagic_key.parser, &automagic_key.config);
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrenceget_key_info(isc_mem_t *mctx, cfg_obj_t *config, cfg_obj_t *control,
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence cfg_obj_t **global_keylistp, cfg_obj_t **control_keylistp,
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence REQUIRE(global_keylistp != NULL && *global_keylistp == NULL);
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence REQUIRE(control_keylistp != NULL && *control_keylistp == NULL);
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence control_keylist = cfg_tuple_get(control, "keys");
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence * All of these should succeed.
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence (void)cfg_map_get(config, "key", &global_keylist);
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence (void)cfg_map_get(config, "controls", &controls);
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence result = cfg_map_get(config, "key", &global_keylist);
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence *explicit_key = config != automagic_key.config
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence cfg_obj_log(control, ns_g_lctx, ISC_LOG_WARNING,
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence "no key statements for use by control channel");
532989b206894bdaf6de6cb883d2e31169c4bfacAndreas Gustafsson controllistener_t **listenerp, cfg_obj_t *control,
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington ns_aclconfctx_t *aclconfctx, char *socktext)
532989b206894bdaf6de6cb883d2e31169c4bfacAndreas Gustafsson for (listener = ISC_LIST_HEAD(cp->listeners);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington if (isc_sockaddr_equal(addr, &listener->address))
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington * There is already a listener for this sockaddr.
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington * Update the access list and key information.
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence * First try to deal with the key situation. There are a few
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence * possibilities:
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence * (a) It had an explicit keylist and still has an explicit keylist.
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence * (b) It had an automagic key and now has an explicit keylist.
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence * (c) It had an explicit keylist and now needs an automagic key.
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence * (d) It has an automagic key and still needs the automagic key.
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence * (c) and (d) are the annoying ones. The caller needs to know
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence * that it should use the automagic configuration for key information
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence * in place of the named.conf configuration.
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence * XXXDCL There is one other hazard that has not been dealt with,
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence * the problem that if a key change is being caused by a control
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence * channel reload, then the response will be with the new key
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence * and not able to be decrypted by the client. For this reason,
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence * the automagic key is not regenerated on each reload.
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence get_key_info(listener->mctx, config, control,
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence &global_keylist, &control_keylist, &explicit_key);
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence result = controlkeylist_fromcfg(control_keylist,
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence free_controlkeylist(&listener->keys, listener->mctx);
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence register_keys(control, global_keylist, &listener->keys,
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence * This message might be a little misleading since the
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence * "new keys" might in fact be identical to the old ones,
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence * but tracking whether they are identical just for the
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence * sake of avoiding this message would be too much trouble.
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence cfg_obj_log(control, ns_g_lctx, ISC_LOG_WARNING,
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence "couldn't install new keys for "
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence "command channel %s: %s",
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence * Now, keep the old access list unless a new one can be made.
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington result = ns_acl_fromconfig(allow, config, aclconfctx,
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington /* XXXDCL say the old acl is still used? */
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington cfg_obj_log(control, ns_g_lctx, ISC_LOG_WARNING,
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington "couldn't install new acl for "
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington "command channel %s: %s",
532989b206894bdaf6de6cb883d2e31169c4bfacAndreas Gustafssonadd_listener(ns_controls_t *cp, controllistener_t **listenerp,
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington cfg_obj_t *control, cfg_obj_t *config, isc_sockaddr_t *addr,
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington ns_aclconfctx_t *aclconfctx, char *socktext)
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington listener = isc_mem_get(mctx, sizeof(*listener));
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington * Make the acl.
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington result = ns_acl_fromconfig(allow, config, aclconfctx, mctx,
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence get_key_info(listener->mctx, config, control,
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence &global_keylist, &control_keylist, &explicit_key);
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence result = controlkeylist_fromcfg(control_keylist,
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence register_keys(control, global_keylist, &listener->keys,
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington cfg_obj_log(control, ns_g_lctx, ISC_LOG_WARNING,
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence "couldn't install keys for "
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington "command channel %s: %s",
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington int pf = isc_sockaddr_pf(&listener->address);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington if ((pf == AF_INET && isc_net_probeipv4() != ISC_R_SUCCESS) ||
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington (pf == AF_INET6 && isc_net_probeipv6() != ISC_R_SUCCESS))
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington "command channel listening on %s", socktext);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington cfg_obj_log(control, ns_g_lctx, ISC_LOG_WARNING,
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington "couldn't add command channel %s: %s",
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington /* XXXDCL return error results? fail hard? */
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrencens_controls_configure(ns_controls_t *cp, cfg_obj_t *config,
6e0e723b2554ba1c4af8b79733f54bf2692cdecfAndreas Gustafsson * Get the list of named.conf 'controls' statements.
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington (void)cfg_map_get(config, "controls", &controlslist);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington * Run through the new control channel list, noting sockets that
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington * are already being listened on and moving them to the new list.
6e0e723b2554ba1c4af8b79733f54bf2692cdecfAndreas Gustafsson * Identifying duplicate addr/port combinations is left to either
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington * the underlying config code, or to the bind attempt getting an
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington * address-in-use error.
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington for (element = cfg_list_first(controlslist);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington (void)cfg_map_get(controls, "inet", &inetcontrols);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington for (element2 = cfg_list_first(inetcontrols);
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington * The parser handles BIND 8 configuration file
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington * syntax, so it allows unix phrases as well
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington * inet phrases with no keys{} clause.
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington * "unix" phrases have been reported as
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington * unsupported by the parser.
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington "processing control channel %s",
532989b206894bdaf6de6cb883d2e31169c4bfacAndreas Gustafsson update_listener(cp, &listener, control, config,
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington * Remove the listener from the old
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington * list, so it won't be shut down.
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington * This is a new listener.
1f7342e0989d9f9063b0e757cf7091668addfdb5David Lawrence * ns_control_shutdown() will stop whatever is on the global
1f7342e0989d9f9063b0e757cf7091668addfdb5David Lawrence * listeners list, which currently only has whatever sockaddrs
1f7342e0989d9f9063b0e757cf7091668addfdb5David Lawrence * were in the previous configuration (if any) that do not
1f7342e0989d9f9063b0e757cf7091668addfdb5David Lawrence * remain in the current configuration.
1f7342e0989d9f9063b0e757cf7091668addfdb5David Lawrence * Put all of the valid listeners on the listeners list.
1f7342e0989d9f9063b0e757cf7091668addfdb5David Lawrence * Anything already on listeners in the process of shutting
1f7342e0989d9f9063b0e757cf7091668addfdb5David Lawrence * down will be taken care of by listen_done().
1f7342e0989d9f9063b0e757cf7091668addfdb5David Lawrence ISC_LIST_APPENDLIST(cp->listeners, new_listeners, link);
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence result = parse_automagic_key(cp->server->mctx);
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence ns_controls_configure(cp, automagic_key.config,
532989b206894bdaf6de6cb883d2e31169c4bfacAndreas Gustafssonns_controls_create(ns_server_t *server, ns_controls_t **ctrlsp) {
532989b206894bdaf6de6cb883d2e31169c4bfacAndreas Gustafsson ns_controls_t *controls = isc_mem_get(mctx, sizeof(*controls));
532989b206894bdaf6de6cb883d2e31169c4bfacAndreas Gustafssonns_controls_destroy(ns_controls_t **ctrlsp) {
532989b206894bdaf6de6cb883d2e31169c4bfacAndreas Gustafsson REQUIRE(ISC_LIST_EMPTY(controls->listeners));