2 * Copyright (C) 2004, 2005, 2007, 2009-2011, 2013 Internet Systems Consortium, Inc. ("ISC")
3 * Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
5 * Permission to use, copy, modify, and/or distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 * PERFORMANCE OF THIS SOFTWARE.
18 /* $Id: dnssectool.c,v 1.60.162.3 2011/10/21 03:56:32 marka Exp $ */
23 * DNSSEC Support Routines.
30 #include <isc/buffer.h>
32 #include <isc/entropy.h>
35 #include <isc/string.h>
38 #include <isc/print.h>
40 #include <dns/dnssec.h>
41 #include <dns/keyvalues.h>
44 #include <dns/rdatastruct.h>
45 #include <dns/rdataclass.h>
46 #include <dns/rdatatype.h>
47 #include <dns/result.h>
48 #include <dns/secalg.h>
51 #include "dnssectool.h"
54 extern const char *program;
56 typedef struct entropysource entropysource_t;
58 struct entropysource {
59 isc_entropysource_t *source;
61 ISC_LINK(entropysource_t) link;
64 static ISC_LIST(entropysource_t) sources;
65 static fatalcallback_t *fatalcallback = NULL;
68 fatal(const char *format, ...) {
71 fprintf(stderr, "%s: fatal: ", program);
72 va_start(args, format);
73 vfprintf(stderr, format, args);
75 fprintf(stderr, "\n");
76 if (fatalcallback != NULL)
82 setfatalcallback(fatalcallback_t *callback) {
83 fatalcallback = callback;
87 check_result(isc_result_t result, const char *message) {
88 if (result != ISC_R_SUCCESS)
89 fatal("%s: %s", message, isc_result_totext(result));
93 vbprintf(int level, const char *fmt, ...) {
98 fprintf(stderr, "%s: ", program);
99 vfprintf(stderr, fmt, ap);
104 type_format(const dns_rdatatype_t type, char *cp, unsigned int size) {
109 isc_buffer_init(&b, cp, size - 1);
110 result = dns_rdatatype_totext(type, &b);
111 check_result(result, "dns_rdatatype_totext()");
112 isc_buffer_usedregion(&b, &r);
113 r.base[r.length] = 0;
117 sig_format(dns_rdata_rrsig_t *sig, char *cp, unsigned int size) {
118 char namestr[DNS_NAME_FORMATSIZE];
119 char algstr[DNS_NAME_FORMATSIZE];
121 dns_name_format(&sig->signer, namestr, sizeof(namestr));
122 dns_secalg_format(sig->algorithm, algstr, sizeof(algstr));
123 snprintf(cp, size, "%s/%s/%d", namestr, algstr, sig->keyid);
127 setup_logging(int verbose, isc_mem_t *mctx, isc_log_t **logp) {
129 isc_logdestination_t destination;
130 isc_logconfig_t *logconfig = NULL;
131 isc_log_t *log = NULL;
139 * We want to see warnings about things like out-of-zone
140 * data in the master file even when not verbose.
142 level = ISC_LOG_WARNING;
145 level = ISC_LOG_INFO;
148 level = ISC_LOG_DEBUG(verbose - 2 + 1);
152 RUNTIME_CHECK(isc_log_create(mctx, &log, &logconfig) == ISC_R_SUCCESS);
153 isc_log_setcontext(log);
155 dns_log_setcontext(log);
157 RUNTIME_CHECK(isc_log_settag(logconfig, program) == ISC_R_SUCCESS);
160 * Set up a channel similar to default_stderr except:
161 * - the logging level is passed in
162 * - the program name and logging level are printed
163 * - no time stamp is printed
165 destination.file.stream = stderr;
166 destination.file.name = NULL;
167 destination.file.versions = ISC_LOG_ROLLNEVER;
168 destination.file.maximum_size = 0;
169 result = isc_log_createchannel(logconfig, "stderr",
173 ISC_LOG_PRINTTAG|ISC_LOG_PRINTLEVEL);
174 check_result(result, "isc_log_createchannel()");
176 RUNTIME_CHECK(isc_log_usechannel(logconfig, "stderr",
177 NULL, NULL) == ISC_R_SUCCESS);
183 cleanup_logging(isc_log_t **logp) {
186 REQUIRE(logp != NULL);
191 isc_log_destroy(&log);
192 isc_log_setcontext(NULL);
193 dns_log_setcontext(NULL);
198 setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
200 isc_entropysource_t *source = NULL;
201 entropysource_t *elt;
202 int usekeyboard = ISC_ENTROPY_KEYBOARDMAYBE;
204 REQUIRE(ectx != NULL);
207 result = isc_entropy_create(mctx, ectx);
208 if (result != ISC_R_SUCCESS)
209 fatal("could not create entropy object");
210 ISC_LIST_INIT(sources);
213 if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
214 usekeyboard = ISC_ENTROPY_KEYBOARDYES;
218 result = isc_entropy_usebestsource(*ectx, &source, randomfile,
221 if (result != ISC_R_SUCCESS)
222 fatal("could not initialize entropy source: %s",
223 isc_result_totext(result));
225 if (source != NULL) {
226 elt = isc_mem_get(mctx, sizeof(*elt));
228 fatal("out of memory");
229 elt->source = source;
231 ISC_LINK_INIT(elt, link);
232 ISC_LIST_APPEND(sources, elt, link);
237 cleanup_entropy(isc_entropy_t **ectx) {
238 entropysource_t *source;
239 while (!ISC_LIST_EMPTY(sources)) {
240 source = ISC_LIST_HEAD(sources);
241 ISC_LIST_UNLINK(sources, source, link);
242 isc_entropy_destroysource(&source->source);
243 isc_mem_put(source->mctx, source, sizeof(*source));
245 isc_entropy_detach(ectx);
249 time_units(isc_stdtime_t offset, char *suffix, const char *str) {
252 return (offset * (365 * 24 * 3600));
256 return (offset * (30 * 24 * 3600));
258 return (offset * 60);
260 fatal("'%s' ambiguous: use 'mi' for minutes "
261 "or 'mo' for months", str);
263 fatal("time value %s is invalid", str);
268 return (offset * (7 * 24 * 3600));
270 return (offset * (24 * 3600));
272 return (offset * 3600);
273 case 'S': case 's': case '\0':
276 fatal("time value %s is invalid", str);
279 return(0); /* silence compiler warning */
283 strtottl(const char *str) {
284 const char *orig = str;
288 ttl = strtol(str, &endp, 0);
289 if (ttl == 0 && endp == str)
290 fatal("TTL must be numeric");
291 ttl = time_units(ttl, endp, orig);
296 strtotime(const char *str, isc_int64_t now, isc_int64_t base) {
297 isc_int64_t val, offset;
299 const char *orig = str;
303 if ((str[0] == '0' || str[0] == '-') && str[1] == '\0')
304 return ((isc_stdtime_t) 0);
307 * We accept times in the following formats:
309 * YYYYMMDD([+-]offset)
310 * YYYYMMDDhhmmss([+-]offset)
313 n = strspn(str, "0123456789");
314 if ((n == 8 || n == 14) &&
315 (str[n] == '\0' || str[n] == '-' || str[n] == '+'))
319 strlcpy(timestr, str, sizeof(timestr));
322 strlcat(timestr, "000000", sizeof(timestr));
323 result = dns_time64_fromtext(timestr, &val);
324 if (result != ISC_R_SUCCESS)
325 fatal("time value %s is invalid: %s", orig,
326 isc_result_totext(result));
329 } else if (strncmp(str, "now", 3) == 0) {
335 return ((isc_stdtime_t) base);
336 else if (str[0] == '+') {
337 offset = strtol(str + 1, &endp, 0);
338 offset = time_units((isc_stdtime_t) offset, endp, orig);
340 } else if (str[0] == '-') {
341 offset = strtol(str + 1, &endp, 0);
342 offset = time_units((isc_stdtime_t) offset, endp, orig);
345 fatal("time value %s is invalid", orig);
347 return ((isc_stdtime_t) val);
351 strtoclass(const char *str) {
353 dns_rdataclass_t rdclass;
357 return dns_rdataclass_in;
358 DE_CONST(str, r.base);
359 r.length = strlen(str);
360 ret = dns_rdataclass_fromtext(&rdclass, &r);
361 if (ret != ISC_R_SUCCESS)
362 fatal("unknown class %s", str);
367 try_dir(const char *dirname) {
372 result = isc_dir_open(&d, dirname);
373 if (result == ISC_R_SUCCESS) {
380 * Check private key version compatibility.
383 check_keyversion(dst_key_t *key, char *keystr) {
385 dst_key_getprivateformat(key, &major, &minor);
386 INSIST(major <= DST_MAJOR_VERSION); /* invalid private key */
388 if (major < DST_MAJOR_VERSION || minor < DST_MINOR_VERSION)
389 fatal("Key %s has incompatible format version %d.%d, "
390 "use -f to force upgrade to new version.",
391 keystr, major, minor);
392 if (minor > DST_MINOR_VERSION)
393 fatal("Key %s has incompatible format version %d.%d, "
394 "use -f to force downgrade to current version.",
395 keystr, major, minor);
399 set_keyversion(dst_key_t *key) {
401 dst_key_getprivateformat(key, &major, &minor);
402 INSIST(major <= DST_MAJOR_VERSION);
404 if (major != DST_MAJOR_VERSION || minor != DST_MINOR_VERSION)
405 dst_key_setprivateformat(key, DST_MAJOR_VERSION,
409 * If the key is from a version older than 1.3, set
410 * set the creation date
412 if (major < 1 || (major == 1 && minor <= 2)) {
414 isc_stdtime_get(&now);
415 dst_key_settime(key, DST_TIME_CREATED, now);
420 key_collision(dst_key_t *dstkey, dns_name_t *name, const char *dir,
421 isc_mem_t *mctx, isc_boolean_t *exact)
424 isc_boolean_t conflict = ISC_FALSE;
425 dns_dnsseckeylist_t matchkeys;
426 dns_dnsseckey_t *key = NULL;
427 isc_uint16_t id, oldid;
428 isc_uint32_t rid, roldid;
434 id = dst_key_id(dstkey);
435 rid = dst_key_rid(dstkey);
436 alg = dst_key_alg(dstkey);
438 ISC_LIST_INIT(matchkeys);
439 result = dns_dnssec_findmatchingkeys(name, dir, mctx, &matchkeys);
440 if (result == ISC_R_NOTFOUND)
443 while (!ISC_LIST_EMPTY(matchkeys) && !conflict) {
444 key = ISC_LIST_HEAD(matchkeys);
445 if (dst_key_alg(key->key) != alg)
448 oldid = dst_key_id(key->key);
449 roldid = dst_key_rid(key->key);
451 if (oldid == rid || roldid == id || id == oldid) {
455 fprintf(stderr, "Key ID %d could "
462 fprintf(stderr, "Key ID %d exists\n",
468 ISC_LIST_UNLINK(matchkeys, key, link);
469 dns_dnsseckey_destroy(mctx, &key);
472 /* Finish freeing the list */
473 while (!ISC_LIST_EMPTY(matchkeys)) {
474 key = ISC_LIST_HEAD(matchkeys);
475 ISC_LIST_UNLINK(matchkeys, key, link);
476 dns_dnsseckey_destroy(mctx, &key);