Source-Changes-HG archive
[src/netbsd-1-4]: src/dist/bind/bin/named Pull up revision 1.3 (via patch, re...
details: https://anonhg.NetBSD.org/src/rev/8de530456217
branches: netbsd-1-4
changeset: 471243:8de530456217
user: he <he%NetBSD.org@localhost>
date: Sun Jan 28 17:09:23 2001 +0000
description:
Pull up revision 1.3 (via patch, requested by itojun):
Upgrade to BIND version 8.2.3.
diffstat:
dist/bind/bin/named/ns_req.c | 253 ++++++++++++++++++++++++++++--------------
1 files changed, 165 insertions(+), 88 deletions(-)
diffs (truncated from 597 to 300 lines):
diff -r da1cbbe2cae8 -r 8de530456217 dist/bind/bin/named/ns_req.c
--- a/dist/bind/bin/named/ns_req.c Sun Jan 28 17:09:13 2001 +0000
+++ b/dist/bind/bin/named/ns_req.c Sun Jan 28 17:09:23 2001 +0000
@@ -1,8 +1,8 @@
-/* $NetBSD: ns_req.c,v 1.1.1.1.2.3 2000/12/13 23:57:43 he Exp $ */
+/* $NetBSD: ns_req.c,v 1.1.1.1.2.4 2001/01/28 17:09:23 he Exp $ */
#if !defined(lint) && !defined(SABER)
static const char sccsid[] = "@(#)ns_req.c 4.47 (Berkeley) 7/1/91";
-static const char rcsid[] = "Id: ns_req.c,v 8.104.2.2 2000/11/09 23:15:29 vixie Exp";
+static const char rcsid[] = "Id: ns_req.c,v 8.129 2001/01/08 23:46:41 marka Exp";
#endif /* not lint */
/*
@@ -84,7 +84,7 @@
*/
/*
- * Portions Copyright (c) 1996-1999 by Internet Software Consortium.
+ * Portions Copyright (c) 1996-2000 by Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -140,6 +140,7 @@
u_int16_t a_class; /* class for data */
};
+
#ifndef BIND_UPDATE
enum req_action { Finish, Refuse, Return };
#endif
@@ -175,22 +176,23 @@
HEADER *hp = (HEADER *) msg;
u_char *cp, *eom;
enum req_action action;
- int n, ra, has_tsig, msglen_orig, tsig_size, siglen, sig2len;
+ int n, ra, has_tsig, tsig_size, sig2len;
u_char *tsigstart;
u_char sig[TSIG_SIG_SIZE], sig2[TSIG_SIG_SIZE];
struct tsig_record *in_tsig = NULL;
int error = NOERROR;
+ int msglen_orig = msglen;
+ int buflen_orig = buflen;
+ int siglen = sizeof sig;
DST_KEY *key;
time_t tsig_time;
#ifdef DEBUG
if (debug > 3) {
ns_debug(ns_log_packet, 3, "ns_req(from %s)", sin_ntoa(from));
- res_pquery(&res, msg, msglen, log_get_stream(packet_channel));
+ fp_nquery(msg, msglen, log_get_stream(packet_channel));
}
#endif
- msglen_orig = msglen;
- siglen = sizeof(sig);
tsigstart = ns_find_tsig(msg, msg + msglen);
if (tsigstart == NULL)
@@ -199,10 +201,17 @@
char buf[MAXDNAME];
has_tsig = 1;
- ns_name_ntop(tsigstart, buf, sizeof(buf));
+ n = dn_expand(msg, msg + msglen, tsigstart, buf, sizeof buf);
+ if (n < 0) {
+ ns_debug(ns_log_default, 1,
+ "ns_req: bad TSIG key name",
+ buf);
+ key = NULL;
+ }
key = find_key(buf, NULL);
if (key == NULL) {
error = ns_r_badkey;
+ hp->rcode = ns_r_notauth;
ns_debug(ns_log_default, 1,
"ns_req: TSIG verify failed - unknown key %s",
buf);
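Review bot: When dn_expand() fails, the added branch sets `key = NULL` but execution falls straight through to `key = find_key(buf, NULL)`, so the lookup and the later "unknown key %s" message both read a `buf` that dn_expand() may not have filled or terminated. The failure branch should leave `buf` in a defined state and skip the lookup, e.g. `buf[0] = '\0';` inside the branch and `else key = find_key(buf, NULL);` after it. The new ns_debug() call also passes `buf` to a format string with no conversion, so that argument should be dropped. The enclosing function starts and ends outside this hunk.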
@@ -265,7 +274,11 @@
* safely assume these are always 0 when a query
* comes in.
*/
- hp->aa = hp->ra = 0;
+#ifdef BIND_NOTIFY
+ if (hp->opcode != ns_o_notify)
+#endif
+ hp->aa = 0;
+ hp->ra = 0;
ra = (NS_OPTION_P(OPTION_NORECURSE) == 0);
if (error == NOERROR)
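Review bot: The comment just above still says the flags can be assumed to be 0 when a query comes in, but with BIND_NOTIFY defined `hp->aa` is now deliberately left untouched for NOTIFY. The comment should say so, for example `/* aa is preserved for NOTIFY; req_notify() checks and clears it */`. The unbraced `if` wrapped in `#ifdef` guards only `hp->aa = 0;`, which is easy to misread next to `hp->ra = 0;`, so a short why-comment on the conditional would help as well.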
@@ -356,6 +369,7 @@
hp->ancount = htons(0);
hp->nscount = htons(0);
hp->arcount = htons(0);
+ cp = msg + HFIXEDSZ;
}
/*
@@ -363,24 +377,31 @@
* a TSIG error, build a new message with no data and a TSIG.
*/
if ((hp->tc || error != NOERROR) && has_tsig > 0) {
+ sign_again:
hp->ancount = htons(0);
hp->nscount = htons(0);
hp->arcount = htons(0);
cp = msg + HFIXEDSZ;
cp += ns_skiprr(cp, msg + msglen, ns_s_qd, ntohs(hp->qdcount));
- sig2len = sizeof(sig2);
- buflen += (msglen - (cp - msg));
+ sig2len = sizeof sig2;
msglen = cp - msg;
+ buflen = buflen_orig - msglen;
n = ns_sign(msg, &msglen, msglen + buflen, error, key,
sig, siglen, sig2, &sig2len, tsig_time);
- if (n != 0) {
- INSIST(0);
+ if (n == NS_TSIG_ERROR_NO_SPACE && ntohs(hp->qdcount) != 0) {
+ hp->qdcount = htons(0);
+ goto sign_again;
}
+ if (n != 0)
+ ns_info(ns_log_default,
+ "ns_req: unable to sign response");
cp = msg + msglen;
-
}
/* Either the message is not truncated or there was no TSIG */
else {
+ /*
+ * Reserve space for tsig if required.
+ */
if (has_tsig > 0)
buflen -= tsig_size;
n = doaddinfo(hp, cp, buflen);
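Review bot: After the `sign_again` retry, a non-zero return from ns_sign() is only logged and the code carries on to `cp = msg + msglen`, so a reply still goes out. Whether `msglen` is left in a usable state by a failed ns_sign() is not visible in this hunk and should be confirmed or documented. The log line names neither the peer nor the error code, which makes it hard to correlate; `ns_info(ns_log_default, "ns_req: unable to sign response to %s (%d)", sin_ntoa(from), n);` would carry both. It is also worth stating in a comment that `buflen = buflen_orig - msglen` assumes `msglen` never exceeds the original buffer length.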
@@ -388,7 +409,7 @@
buflen -= n;
if (has_tsig > 0) {
buflen += tsig_size;
- sig2len = sizeof(sig2);
+ sig2len = sizeof sig2;
msglen = cp - msg;
n = ns_sign(msg, &msglen, msglen + buflen, error, key,
sig, siglen, sig2, &sig2len, tsig_time);
@@ -406,12 +427,12 @@
ntohs(hp->id), cp - msg, hp->rcode);
if (debug >= 10)
res_pquery(&res, msg, cp - msg,
- log_get_stream(packet_channel));
+ log_get_stream(packet_channel));
#endif /*DEBUG*/
if (qsp == NULL) {
if (sendto(dfd, (char*)msg, cp - msg, 0,
(struct sockaddr *)&from,
- sizeof(from)) < 0) {
+ sizeof from) < 0) {
if (!haveComplained(ina_ulong(from.sin_addr),
(u_long)sendtoStr))
ns_info(ns_log_default,
@@ -449,10 +470,21 @@
req_notify(HEADER *hp, u_char **cpp, u_char *eom, u_char *msg,
struct sockaddr_in from)
{
- int n, type, class, zn;
+ int n, type, class;
char dnbuf[MAXDNAME];
struct zoneinfo *zp;
+ /* valid notify's are authoritative */
+ if (!hp->aa) {
+ ns_debug(ns_log_notify, 1,
+ "FORMERR Notify request without AA");
+#ifdef not_yet
+ hp->rcode = ns_r_formerr;
+ return (Finish);
+#endif
+ }
+ hp->aa = 0;
+
/* valid notify's have one question */
if (ntohs(hp->qdcount) != 1) {
ns_debug(ns_log_notify, 1,
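Review bot: The new check logs "FORMERR Notify request without AA", but unless `not_yet` is defined no FORMERR is returned and the request is processed normally, so the message misreports what the server did. The text should describe the observation and name the sender, e.g. `"Notify request without AA from %s (accepted)", sin_ntoa(from)`. A comment on the `#ifdef not_yet` block should say why enforcement is deferred. The rest of req_notify lies outside this hunk.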
@@ -517,7 +549,7 @@
goto refuse;
}
if (findZonePri(zp, from) == -1) {
- ns_info(ns_log_notify,
+ ns_debug(ns_log_notify, 1,
"NOTIFY(SOA) from non-master server (zone %s), from %s",
zp->z_origin, sin_ntoa(from));
goto refuse;
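Review bot: Switching this message from ns_info() to ns_debug() level 1 means a NOTIFY from an address that is not a configured master no longer appears in normal logs, so operators lose sight of an event they may want to watch. If the motive is log volume, an alternative is to keep it at info level but suppress repeats, as the sendto() error path in this file does with haveComplained(). At minimum, a comment stating the reason for the downgrade would help.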
@@ -551,6 +583,7 @@
}
noerror:
hp->rcode = ns_r_noerror;
+ hp->aa = 1;
return (Finish);
refuse:
hp->rcode = ns_r_refused;
@@ -558,6 +591,7 @@
}
#endif /*BIND_NOTIFY*/
+
static enum req_action
req_query(HEADER *hp, u_char **cpp, u_char *eom, struct qstream *qsp,
int *buflenp, int *msglenp, u_char *msg, int dfd, int *ra,
@@ -635,7 +669,7 @@
}
if (((ntohs(hp->nscount) != 0) && (type != ns_t_ixfr)) ||
- ((ntohs(hp->nscount) != 1) && (type == ns_t_ixfr)))
+ ((ntohs(hp->nscount) != 1) && (type == ns_t_ixfr)))
{
ns_debug(ns_log_default, 1, "FORMERR Query nscount wrong");
hp->rcode = ns_r_formerr;
@@ -649,6 +683,8 @@
* Process query.
*/
if (type == ns_t_ixfr) {
+ ns_info(ns_log_security, "Request %s from %s",
+ p_type(type), sin_ntoa(from));
hp->nscount = htons(0);
hp->rd = 0; /* Force IXFR queries to be non recursive. */
n = dn_expand(msg, eom, *cpp, dnbuf2, sizeof dnbuf2);
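Review bot: The added `ns_info(ns_log_security, "Request %s from %s", ...)` is written for every IXFR request before any access decision visible in this diff, and it does not name the zone. If the query name has already been expanded at this point (not visible in the hunk), including it would make the entry usable for auditing. It is also worth considering whether an unthrottled info-level line per request is acceptable for log volume, or whether it belongs after the ACL check with the outcome included.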
@@ -716,7 +752,7 @@
nameserIncr(from.sin_addr, nssRcvdAXFR);
hp->rd = 0; /* Recursion not possible. */
}
- *buflenp -= *msglenp;
+ *buflenp -= (*msglenp - HFIXEDSZ);
count = 0;
founddata = 0;
dname = dnbuf;
@@ -805,17 +841,21 @@
if (SEQ_GT(serial_ixfr, zp->z_serial))
ixfr_found = 0;
else {
- ixfr_error = ixfr_have_log(zp, serial_ixfr, zp->z_serial);
- if (ixfr_error < 0) {
- ns_debug(ns_log_default,
- 1, "ixfr_have_log(%d %d) failed %d",
- serial_ixfr, zp->z_serial, ixfr_error);
- ixfr_found = 0;
- /* Refuse IXFR and send AXFR */
- type = ns_t_axfr;
- } else
- ixfr_found = 1;
- }
+ ixfr_error = ixfr_have_log(zp, serial_ixfr,
+ zp->z_serial);
+ if (ixfr_error < 0) {
+ ns_info(ns_log_security, "No %s log from %d for \"%s\"",
+ p_type(type), serial_ixfr, *dname ? dname : ".");
+ ns_debug(ns_log_default,
+ 1, "ixfr_have_log(%d %d) failed %d",
+ serial_ixfr, zp->z_serial, ixfr_error);
+ ixfr_found = 0; /* Refuse IXFR and send AXFR */
+ } else if (ixfr_error == 1) {
+ ixfr_found = 1;
+ }
+ }
+ ns_debug(ns_log_default, 1, "IXFR log lowest serial: %d",
+ zp->z_serial_ixfr_start);
}
/*
* If recursion is turned on, we need to check recursion ACL
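Review bot: The inline comment `/* Refuse IXFR and send AXFR */` is stale, because the new code no longer sets `type = ns_t_axfr` and only clears `ixfr_found` on the `ixfr_error < 0` path. Separately, when ixfr_have_log() returns 0 neither branch assigns `ixfr_found`, so the outcome depends on an initial value set outside this hunk; an explicit `else ixfr_found = 0;` or a comment would make that intent clear. The serials are printed with `%d`; if they are unsigned 32-bit values (their declarations are not visible here), large serials will show as negative and `%u` would be the right conversion.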
@@ -891,8 +931,9 @@
}
}
ns_notice(ns_log_security,
- "unapproved query from %s for \"%s\"",
+ "denied query from %s for \"%s\"",
sin_ntoa(from), *dname ? dname : ".");
+ nameserIncr(from.sin_addr, nssRcvdUQ);
return (Refuse);
}
} else {
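Review bot: The security log text changes here from "unapproved query" to "denied query", and the same rename appears in the next hunk for "unapproved %s ... (acl)". Any log monitoring or alerting that matches the old strings will silently stop firing after this upgrade, so the change should be called out in the release notes or the commit description. The new `nameserIncr(from.sin_addr, nssRcvdUQ)` counter is a useful addition, and a one-line comment saying what it counts would help readers of this function.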
@@ -910,9 +951,14 @@
in_key))
{
ns_notice(ns_log_security,
- "unapproved %s from %s for \"%s\" (acl)",
+ "denied %s from %s for \"%s\" (acl)",
p_type(type), sin_ntoa(from),
*dname ? dname : ".");
+ nameserIncr(from.sin_addr, nssRcvdUXFR);
+ if (type == ns_t_ixfr) {
+ hp->rcode = ns_r_refused;
+ return (Finish);
+ }
return (Refuse);
}
@@ -920,9 +966,14 @@
if (zp->z_type != z_master && zp->z_type != z_slave) {
ns_notice(ns_log_security,
- "unapproved %s from %s for \"%s\" (not master/slave)",