/contrib/bind9/bin/dnssec/dnssectool.c

https://bitbucket.org/freebsd/freebsd-head/ · C · 469 lines · 362 code · 66 blank · 41 comment · 100 complexity · 060848546d7bf68392216f7d3eddd1ca MD5 · raw file

  1. /*
  2. * Copyright (C) 2004, 2005, 2007, 2009-2011 Internet Systems Consortium, Inc. ("ISC")
  3. * Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
  4. *
  5. * Permission to use, copy, modify, and/or distribute this software for any
  6. * purpose with or without fee is hereby granted, provided that the above
  7. * copyright notice and this permission notice appear in all copies.
  8. *
  9. * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  10. * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  11. * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  12. * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  13. * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  14. * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  15. * PERFORMANCE OF THIS SOFTWARE.
  16. */
  17. /* $Id: dnssectool.c,v 1.60.162.3 2011/10/21 03:56:32 marka Exp $ */
  18. /*! \file */
  19. /*%
  20. * DNSSEC Support Routines.
  21. */
  22. #include <config.h>
  23. #include <stdlib.h>
  24. #include <isc/buffer.h>
  25. #include <isc/dir.h>
  26. #include <isc/entropy.h>
  27. #include <isc/list.h>
  28. #include <isc/mem.h>
  29. #include <isc/string.h>
  30. #include <isc/time.h>
  31. #include <isc/util.h>
  32. #include <isc/print.h>
  33. #include <dns/dnssec.h>
  34. #include <dns/keyvalues.h>
  35. #include <dns/log.h>
  36. #include <dns/name.h>
  37. #include <dns/rdatastruct.h>
  38. #include <dns/rdataclass.h>
  39. #include <dns/rdatatype.h>
  40. #include <dns/result.h>
  41. #include <dns/secalg.h>
  42. #include <dns/time.h>
  43. #include "dnssectool.h"
  44. extern int verbose;
  45. extern const char *program;
  46. typedef struct entropysource entropysource_t;
  47. struct entropysource {
  48. isc_entropysource_t *source;
  49. isc_mem_t *mctx;
  50. ISC_LINK(entropysource_t) link;
  51. };
  52. static ISC_LIST(entropysource_t) sources;
  53. static fatalcallback_t *fatalcallback = NULL;
  54. void
  55. fatal(const char *format, ...) {
  56. va_list args;
  57. fprintf(stderr, "%s: fatal: ", program);
  58. va_start(args, format);
  59. vfprintf(stderr, format, args);
  60. va_end(args);
  61. fprintf(stderr, "\n");
  62. if (fatalcallback != NULL)
  63. (*fatalcallback)();
  64. exit(1);
  65. }
  66. void
  67. setfatalcallback(fatalcallback_t *callback) {
  68. fatalcallback = callback;
  69. }
  70. void
  71. check_result(isc_result_t result, const char *message) {
  72. if (result != ISC_R_SUCCESS)
  73. fatal("%s: %s", message, isc_result_totext(result));
  74. }
  75. void
  76. vbprintf(int level, const char *fmt, ...) {
  77. va_list ap;
  78. if (level > verbose)
  79. return;
  80. va_start(ap, fmt);
  81. fprintf(stderr, "%s: ", program);
  82. vfprintf(stderr, fmt, ap);
  83. va_end(ap);
  84. }
  85. void
  86. type_format(const dns_rdatatype_t type, char *cp, unsigned int size) {
  87. isc_buffer_t b;
  88. isc_region_t r;
  89. isc_result_t result;
  90. isc_buffer_init(&b, cp, size - 1);
  91. result = dns_rdatatype_totext(type, &b);
  92. check_result(result, "dns_rdatatype_totext()");
  93. isc_buffer_usedregion(&b, &r);
  94. r.base[r.length] = 0;
  95. }
  96. void
  97. sig_format(dns_rdata_rrsig_t *sig, char *cp, unsigned int size) {
  98. char namestr[DNS_NAME_FORMATSIZE];
  99. char algstr[DNS_NAME_FORMATSIZE];
  100. dns_name_format(&sig->signer, namestr, sizeof(namestr));
  101. dns_secalg_format(sig->algorithm, algstr, sizeof(algstr));
  102. snprintf(cp, size, "%s/%s/%d", namestr, algstr, sig->keyid);
  103. }
  104. void
  105. setup_logging(int verbose, isc_mem_t *mctx, isc_log_t **logp) {
  106. isc_result_t result;
  107. isc_logdestination_t destination;
  108. isc_logconfig_t *logconfig = NULL;
  109. isc_log_t *log = NULL;
  110. int level;
  111. if (verbose < 0)
  112. verbose = 0;
  113. switch (verbose) {
  114. case 0:
  115. /*
  116. * We want to see warnings about things like out-of-zone
  117. * data in the master file even when not verbose.
  118. */
  119. level = ISC_LOG_WARNING;
  120. break;
  121. case 1:
  122. level = ISC_LOG_INFO;
  123. break;
  124. default:
  125. level = ISC_LOG_DEBUG(verbose - 2 + 1);
  126. break;
  127. }
  128. RUNTIME_CHECK(isc_log_create(mctx, &log, &logconfig) == ISC_R_SUCCESS);
  129. isc_log_setcontext(log);
  130. dns_log_init(log);
  131. dns_log_setcontext(log);
  132. RUNTIME_CHECK(isc_log_settag(logconfig, program) == ISC_R_SUCCESS);
  133. /*
  134. * Set up a channel similar to default_stderr except:
  135. * - the logging level is passed in
  136. * - the program name and logging level are printed
  137. * - no time stamp is printed
  138. */
  139. destination.file.stream = stderr;
  140. destination.file.name = NULL;
  141. destination.file.versions = ISC_LOG_ROLLNEVER;
  142. destination.file.maximum_size = 0;
  143. result = isc_log_createchannel(logconfig, "stderr",
  144. ISC_LOG_TOFILEDESC,
  145. level,
  146. &destination,
  147. ISC_LOG_PRINTTAG|ISC_LOG_PRINTLEVEL);
  148. check_result(result, "isc_log_createchannel()");
  149. RUNTIME_CHECK(isc_log_usechannel(logconfig, "stderr",
  150. NULL, NULL) == ISC_R_SUCCESS);
  151. *logp = log;
  152. }
  153. void
  154. cleanup_logging(isc_log_t **logp) {
  155. isc_log_t *log;
  156. REQUIRE(logp != NULL);
  157. log = *logp;
  158. if (log == NULL)
  159. return;
  160. isc_log_destroy(&log);
  161. isc_log_setcontext(NULL);
  162. dns_log_setcontext(NULL);
  163. logp = NULL;
  164. }
  165. void
  166. setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
  167. isc_result_t result;
  168. isc_entropysource_t *source = NULL;
  169. entropysource_t *elt;
  170. int usekeyboard = ISC_ENTROPY_KEYBOARDMAYBE;
  171. REQUIRE(ectx != NULL);
  172. if (*ectx == NULL) {
  173. result = isc_entropy_create(mctx, ectx);
  174. if (result != ISC_R_SUCCESS)
  175. fatal("could not create entropy object");
  176. ISC_LIST_INIT(sources);
  177. }
  178. if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
  179. usekeyboard = ISC_ENTROPY_KEYBOARDYES;
  180. randomfile = NULL;
  181. }
  182. result = isc_entropy_usebestsource(*ectx, &source, randomfile,
  183. usekeyboard);
  184. if (result != ISC_R_SUCCESS)
  185. fatal("could not initialize entropy source: %s",
  186. isc_result_totext(result));
  187. if (source != NULL) {
  188. elt = isc_mem_get(mctx, sizeof(*elt));
  189. if (elt == NULL)
  190. fatal("out of memory");
  191. elt->source = source;
  192. elt->mctx = mctx;
  193. ISC_LINK_INIT(elt, link);
  194. ISC_LIST_APPEND(sources, elt, link);
  195. }
  196. }
  197. void
  198. cleanup_entropy(isc_entropy_t **ectx) {
  199. entropysource_t *source;
  200. while (!ISC_LIST_EMPTY(sources)) {
  201. source = ISC_LIST_HEAD(sources);
  202. ISC_LIST_UNLINK(sources, source, link);
  203. isc_entropy_destroysource(&source->source);
  204. isc_mem_put(source->mctx, source, sizeof(*source));
  205. }
  206. isc_entropy_detach(ectx);
  207. }
  208. static isc_stdtime_t
  209. time_units(isc_stdtime_t offset, char *suffix, const char *str) {
  210. switch (suffix[0]) {
  211. case 'Y': case 'y':
  212. return (offset * (365 * 24 * 3600));
  213. case 'M': case 'm':
  214. switch (suffix[1]) {
  215. case 'O': case 'o':
  216. return (offset * (30 * 24 * 3600));
  217. case 'I': case 'i':
  218. return (offset * 60);
  219. case '\0':
  220. fatal("'%s' ambiguous: use 'mi' for minutes "
  221. "or 'mo' for months", str);
  222. default:
  223. fatal("time value %s is invalid", str);
  224. }
  225. /* NOTREACHED */
  226. break;
  227. case 'W': case 'w':
  228. return (offset * (7 * 24 * 3600));
  229. case 'D': case 'd':
  230. return (offset * (24 * 3600));
  231. case 'H': case 'h':
  232. return (offset * 3600);
  233. case 'S': case 's': case '\0':
  234. return (offset);
  235. default:
  236. fatal("time value %s is invalid", str);
  237. }
  238. /* NOTREACHED */
  239. return(0); /* silence compiler warning */
  240. }
  241. dns_ttl_t
  242. strtottl(const char *str) {
  243. const char *orig = str;
  244. dns_ttl_t ttl;
  245. char *endp;
  246. ttl = strtol(str, &endp, 0);
  247. if (ttl == 0 && endp == str)
  248. fatal("TTL must be numeric");
  249. ttl = time_units(ttl, endp, orig);
  250. return (ttl);
  251. }
  252. isc_stdtime_t
  253. strtotime(const char *str, isc_int64_t now, isc_int64_t base) {
  254. isc_int64_t val, offset;
  255. isc_result_t result;
  256. const char *orig = str;
  257. char *endp;
  258. if ((str[0] == '0' || str[0] == '-') && str[1] == '\0')
  259. return ((isc_stdtime_t) 0);
  260. if (strncmp(str, "now", 3) == 0) {
  261. base = now;
  262. str += 3;
  263. }
  264. if (str[0] == '\0')
  265. return ((isc_stdtime_t) base);
  266. else if (str[0] == '+') {
  267. offset = strtol(str + 1, &endp, 0);
  268. offset = time_units((isc_stdtime_t) offset, endp, orig);
  269. val = base + offset;
  270. } else if (str[0] == '-') {
  271. offset = strtol(str + 1, &endp, 0);
  272. offset = time_units((isc_stdtime_t) offset, endp, orig);
  273. val = base - offset;
  274. } else if (strlen(str) == 8U) {
  275. char timestr[15];
  276. sprintf(timestr, "%s000000", str);
  277. result = dns_time64_fromtext(timestr, &val);
  278. if (result != ISC_R_SUCCESS)
  279. fatal("time value %s is invalid: %s", orig,
  280. isc_result_totext(result));
  281. } else if (strlen(str) > 14U) {
  282. fatal("time value %s is invalid", orig);
  283. } else {
  284. result = dns_time64_fromtext(str, &val);
  285. if (result != ISC_R_SUCCESS)
  286. fatal("time value %s is invalid: %s", orig,
  287. isc_result_totext(result));
  288. }
  289. return ((isc_stdtime_t) val);
  290. }
  291. dns_rdataclass_t
  292. strtoclass(const char *str) {
  293. isc_textregion_t r;
  294. dns_rdataclass_t rdclass;
  295. isc_result_t ret;
  296. if (str == NULL)
  297. return dns_rdataclass_in;
  298. DE_CONST(str, r.base);
  299. r.length = strlen(str);
  300. ret = dns_rdataclass_fromtext(&rdclass, &r);
  301. if (ret != ISC_R_SUCCESS)
  302. fatal("unknown class %s", str);
  303. return (rdclass);
  304. }
  305. isc_result_t
  306. try_dir(const char *dirname) {
  307. isc_result_t result;
  308. isc_dir_t d;
  309. isc_dir_init(&d);
  310. result = isc_dir_open(&d, dirname);
  311. if (result == ISC_R_SUCCESS) {
  312. isc_dir_close(&d);
  313. }
  314. return (result);
  315. }
  316. /*
  317. * Check private key version compatibility.
  318. */
  319. void
  320. check_keyversion(dst_key_t *key, char *keystr) {
  321. int major, minor;
  322. dst_key_getprivateformat(key, &major, &minor);
  323. INSIST(major <= DST_MAJOR_VERSION); /* invalid private key */
  324. if (major < DST_MAJOR_VERSION || minor < DST_MINOR_VERSION)
  325. fatal("Key %s has incompatible format version %d.%d, "
  326. "use -f to force upgrade to new version.",
  327. keystr, major, minor);
  328. if (minor > DST_MINOR_VERSION)
  329. fatal("Key %s has incompatible format version %d.%d, "
  330. "use -f to force downgrade to current version.",
  331. keystr, major, minor);
  332. }
  333. void
  334. set_keyversion(dst_key_t *key) {
  335. int major, minor;
  336. dst_key_getprivateformat(key, &major, &minor);
  337. INSIST(major <= DST_MAJOR_VERSION);
  338. if (major != DST_MAJOR_VERSION || minor != DST_MINOR_VERSION)
  339. dst_key_setprivateformat(key, DST_MAJOR_VERSION,
  340. DST_MINOR_VERSION);
  341. /*
  342. * If the key is from a version older than 1.3, set
  343. * set the creation date
  344. */
  345. if (major < 1 || (major == 1 && minor <= 2)) {
  346. isc_stdtime_t now;
  347. isc_stdtime_get(&now);
  348. dst_key_settime(key, DST_TIME_CREATED, now);
  349. }
  350. }
  351. isc_boolean_t
  352. key_collision(dst_key_t *dstkey, dns_name_t *name, const char *dir,
  353. isc_mem_t *mctx, isc_boolean_t *exact)
  354. {
  355. isc_result_t result;
  356. isc_boolean_t conflict = ISC_FALSE;
  357. dns_dnsseckeylist_t matchkeys;
  358. dns_dnsseckey_t *key = NULL;
  359. isc_uint16_t id, oldid;
  360. isc_uint32_t rid, roldid;
  361. dns_secalg_t alg;
  362. if (exact != NULL)
  363. *exact = ISC_FALSE;
  364. id = dst_key_id(dstkey);
  365. rid = dst_key_rid(dstkey);
  366. alg = dst_key_alg(dstkey);
  367. ISC_LIST_INIT(matchkeys);
  368. result = dns_dnssec_findmatchingkeys(name, dir, mctx, &matchkeys);
  369. if (result == ISC_R_NOTFOUND)
  370. return (ISC_FALSE);
  371. while (!ISC_LIST_EMPTY(matchkeys) && !conflict) {
  372. key = ISC_LIST_HEAD(matchkeys);
  373. if (dst_key_alg(key->key) != alg)
  374. goto next;
  375. oldid = dst_key_id(key->key);
  376. roldid = dst_key_rid(key->key);
  377. if (oldid == rid || roldid == id || id == oldid) {
  378. conflict = ISC_TRUE;
  379. if (id != oldid) {
  380. if (verbose > 1)
  381. fprintf(stderr, "Key ID %d could "
  382. "collide with %d\n",
  383. id, oldid);
  384. } else {
  385. if (exact != NULL)
  386. *exact = ISC_TRUE;
  387. if (verbose > 1)
  388. fprintf(stderr, "Key ID %d exists\n",
  389. id);
  390. }
  391. }
  392. next:
  393. ISC_LIST_UNLINK(matchkeys, key, link);
  394. dns_dnsseckey_destroy(mctx, &key);
  395. }
  396. /* Finish freeing the list */
  397. while (!ISC_LIST_EMPTY(matchkeys)) {
  398. key = ISC_LIST_HEAD(matchkeys);
  399. ISC_LIST_UNLINK(matchkeys, key, link);
  400. dns_dnsseckey_destroy(mctx, &key);
  401. }
  402. return (conflict);
  403. }