2 * Portions Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
3 * Portions Copyright (C) 1999-2003 Internet Software Consortium.
4 * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
6 * Permission to use, copy, modify, and distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
10 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
11 * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
12 * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
13 * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
16 * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20 * Principal Author: Brian Wellington
21 * $Id: dst_api.c,v 1.1.6.7 2006/01/27 23:57:44 marka Exp $
30 #include <isc/buffer.h>
32 #include <isc/entropy.h>
33 #include <isc/fsaccess.h>
34 #include <isc/hmacsha.h>
38 #include <isc/print.h>
39 #include <isc/random.h>
40 #include <isc/string.h>
44 #include <dns/fixedname.h>
45 #include <dns/keyvalues.h>
47 #include <dns/rdata.h>
48 #include <dns/rdataclass.h>
50 #include <dns/types.h>
52 #include <dst/result.h>
54 #include "dst_internal.h"
56 #define DST_AS_STR(t) ((t).value.as_textregion.base)
58 static dst_func_t *dst_t_func[DST_MAX_ALGS];
59 static isc_entropy_t *dst_entropy_pool = NULL;
60 static unsigned int dst_entropy_flags = 0;
61 static isc_boolean_t dst_initialized = ISC_FALSE;
63 isc_mem_t *dst__memory_pool = NULL;
68 static dst_key_t * get_key_struct(dns_name_t *name,
71 unsigned int protocol,
73 dns_rdataclass_t rdclass,
75 static isc_result_t write_public_key(const dst_key_t *key, int type,
76 const char *directory);
77 static isc_result_t buildfilename(dns_name_t *name,
81 const char *directory,
83 static isc_result_t computeid(dst_key_t *key);
84 static isc_result_t frombuffer(dns_name_t *name,
87 unsigned int protocol,
88 dns_rdataclass_t rdclass,
93 static isc_result_t algorithm_status(unsigned int alg);
95 static isc_result_t addsuffix(char *filename, unsigned int len,
96 const char *ofilename, const char *suffix);
101 if (result != ISC_R_SUCCESS) \
105 #define CHECKALG(alg) \
108 _r = algorithm_status(alg); \
109 if (_r != ISC_R_SUCCESS) \
114 default_memalloc(void *arg, size_t size) {
118 return (malloc(size));
122 default_memfree(void *arg, void *ptr) {
128 dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags) {
131 REQUIRE(mctx != NULL && ectx != NULL);
132 REQUIRE(dst_initialized == ISC_FALSE);
134 dst__memory_pool = NULL;
139 * When using --with-openssl, there seems to be no good way of not
140 * leaking memory due to the openssl error handling mechanism.
141 * Avoid assertions by using a local memory context and not checking
142 * for leaks on exit. Note: as there are leaks we cannot use
143 * ISC_MEMFLAG_INTERNAL as it will free up memory still being used
146 result = isc_mem_createx2(0, 0, default_memalloc, default_memfree,
147 NULL, &dst__memory_pool, 0);
148 if (result != ISC_R_SUCCESS)
150 isc_mem_setdestroycheck(dst__memory_pool, ISC_FALSE);
152 isc_mem_attach(mctx, &dst__memory_pool);
154 isc_entropy_attach(ectx, &dst_entropy_pool);
155 dst_entropy_flags = eflags;
157 dst_result_register();
159 memset(dst_t_func, 0, sizeof(dst_t_func));
160 RETERR(dst__hmacmd5_init(&dst_t_func[DST_ALG_HMACMD5]));
161 RETERR(dst__hmacsha1_init(&dst_t_func[DST_ALG_HMACSHA1]));
162 RETERR(dst__hmacsha224_init(&dst_t_func[DST_ALG_HMACSHA224]));
163 RETERR(dst__hmacsha256_init(&dst_t_func[DST_ALG_HMACSHA256]));
164 RETERR(dst__hmacsha384_init(&dst_t_func[DST_ALG_HMACSHA384]));
165 RETERR(dst__hmacsha512_init(&dst_t_func[DST_ALG_HMACSHA512]));
167 RETERR(dst__openssl_init());
168 RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSAMD5]));
169 RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA1]));
170 #ifdef HAVE_OPENSSL_DSA
171 RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_DSA]));
173 RETERR(dst__openssldh_init(&dst_t_func[DST_ALG_DH]));
176 RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI]));
178 dst_initialized = ISC_TRUE;
179 return (ISC_R_SUCCESS);
187 dst_lib_destroy(void) {
189 RUNTIME_CHECK(dst_initialized == ISC_TRUE);
190 dst_initialized = ISC_FALSE;
192 for (i = 0; i < DST_MAX_ALGS; i++)
193 if (dst_t_func[i] != NULL && dst_t_func[i]->cleanup != NULL)
194 dst_t_func[i]->cleanup();
196 dst__openssl_destroy();
198 if (dst__memory_pool != NULL)
199 isc_mem_detach(&dst__memory_pool);
200 if (dst_entropy_pool != NULL)
201 isc_entropy_detach(&dst_entropy_pool);
206 dst_algorithm_supported(unsigned int alg) {
207 REQUIRE(dst_initialized == ISC_TRUE);
209 if (alg >= DST_MAX_ALGS || dst_t_func[alg] == NULL)
215 dst_context_create(dst_key_t *key, isc_mem_t *mctx, dst_context_t **dctxp) {
219 REQUIRE(dst_initialized == ISC_TRUE);
220 REQUIRE(VALID_KEY(key));
221 REQUIRE(mctx != NULL);
222 REQUIRE(dctxp != NULL && *dctxp == NULL);
224 if (key->func->createctx == NULL)
225 return (DST_R_UNSUPPORTEDALG);
226 if (key->opaque == NULL)
227 return (DST_R_NULLKEY);
229 dctx = isc_mem_get(mctx, sizeof(dst_context_t));
231 return (ISC_R_NOMEMORY);
234 result = key->func->createctx(key, dctx);
235 if (result != ISC_R_SUCCESS) {
236 isc_mem_put(mctx, dctx, sizeof(dst_context_t));
239 dctx->magic = CTX_MAGIC;
241 return (ISC_R_SUCCESS);
245 dst_context_destroy(dst_context_t **dctxp) {
248 REQUIRE(dctxp != NULL && VALID_CTX(*dctxp));
251 INSIST(dctx->key->func->destroyctx != NULL);
252 dctx->key->func->destroyctx(dctx);
254 isc_mem_put(dctx->mctx, dctx, sizeof(dst_context_t));
259 dst_context_adddata(dst_context_t *dctx, const isc_region_t *data) {
260 REQUIRE(VALID_CTX(dctx));
261 REQUIRE(data != NULL);
262 INSIST(dctx->key->func->adddata != NULL);
264 return (dctx->key->func->adddata(dctx, data));
268 dst_context_sign(dst_context_t *dctx, isc_buffer_t *sig) {
271 REQUIRE(VALID_CTX(dctx));
272 REQUIRE(sig != NULL);
275 CHECKALG(key->key_alg);
276 if (key->opaque == NULL)
277 return (DST_R_NULLKEY);
278 if (key->func->sign == NULL)
279 return (DST_R_NOTPRIVATEKEY);
280 if (key->func->isprivate == NULL ||
281 key->func->isprivate(key) == ISC_FALSE)
282 return (DST_R_NOTPRIVATEKEY);
284 return (key->func->sign(dctx, sig));
288 dst_context_verify(dst_context_t *dctx, isc_region_t *sig) {
289 REQUIRE(VALID_CTX(dctx));
290 REQUIRE(sig != NULL);
292 CHECKALG(dctx->key->key_alg);
293 if (dctx->key->opaque == NULL)
294 return (DST_R_NULLKEY);
295 if (dctx->key->func->verify == NULL)
296 return (DST_R_NOTPUBLICKEY);
298 return (dctx->key->func->verify(dctx, sig));
302 dst_key_computesecret(const dst_key_t *pub, const dst_key_t *priv,
303 isc_buffer_t *secret)
305 REQUIRE(dst_initialized == ISC_TRUE);
306 REQUIRE(VALID_KEY(pub) && VALID_KEY(priv));
307 REQUIRE(secret != NULL);
309 CHECKALG(pub->key_alg);
310 CHECKALG(priv->key_alg);
312 if (pub->opaque == NULL || priv->opaque == NULL)
313 return (DST_R_NULLKEY);
315 if (pub->key_alg != priv->key_alg ||
316 pub->func->computesecret == NULL ||
317 priv->func->computesecret == NULL)
318 return (DST_R_KEYCANNOTCOMPUTESECRET);
320 if (dst_key_isprivate(priv) == ISC_FALSE)
321 return (DST_R_NOTPRIVATEKEY);
323 return (pub->func->computesecret(pub, priv, secret));
327 dst_key_tofile(const dst_key_t *key, int type, const char *directory) {
328 isc_result_t ret = ISC_R_SUCCESS;
330 REQUIRE(dst_initialized == ISC_TRUE);
331 REQUIRE(VALID_KEY(key));
332 REQUIRE((type & (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC)) != 0);
334 CHECKALG(key->key_alg);
336 if (key->func->tofile == NULL)
337 return (DST_R_UNSUPPORTEDALG);
339 if (type & DST_TYPE_PUBLIC) {
340 ret = write_public_key(key, type, directory);
341 if (ret != ISC_R_SUCCESS)
345 if ((type & DST_TYPE_PRIVATE) &&
346 (key->key_flags & DNS_KEYFLAG_TYPEMASK) != DNS_KEYTYPE_NOKEY)
347 return (key->func->tofile(key, directory));
349 return (ISC_R_SUCCESS);
353 dst_key_fromfile(dns_name_t *name, dns_keytag_t id,
354 unsigned int alg, int type, const char *directory,
355 isc_mem_t *mctx, dst_key_t **keyp)
357 char filename[ISC_DIR_NAMEMAX];
362 REQUIRE(dst_initialized == ISC_TRUE);
363 REQUIRE(dns_name_isabsolute(name));
364 REQUIRE((type & (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC)) != 0);
365 REQUIRE(mctx != NULL);
366 REQUIRE(keyp != NULL && *keyp == NULL);
370 isc_buffer_init(&b, filename, sizeof(filename));
371 result = buildfilename(name, id, alg, type, directory, &b);
372 if (result != ISC_R_SUCCESS)
376 result = dst_key_fromnamedfile(filename, type, mctx, &key);
377 if (result != ISC_R_SUCCESS)
380 result = computeid(key);
381 if (result != ISC_R_SUCCESS) {
386 if (!dns_name_equal(name, key->key_name) ||
391 return (DST_R_INVALIDPRIVATEKEY);
396 return (ISC_R_SUCCESS);
400 dst_key_fromnamedfile(const char *filename, int type, isc_mem_t *mctx,
404 dst_key_t *pubkey = NULL, *key = NULL;
406 char *newfilename = NULL;
407 int newfilenamelen = 0;
408 isc_lex_t *lex = NULL;
410 REQUIRE(dst_initialized == ISC_TRUE);
411 REQUIRE(filename != NULL);
412 REQUIRE((type & (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC)) != 0);
413 REQUIRE(mctx != NULL);
414 REQUIRE(keyp != NULL && *keyp == NULL);
416 newfilenamelen = strlen(filename) + 5;
417 newfilename = isc_mem_get(mctx, newfilenamelen);
418 if (newfilename == NULL)
419 return (ISC_R_NOMEMORY);
420 result = addsuffix(newfilename, newfilenamelen, filename, ".key");
421 INSIST(result == ISC_R_SUCCESS);
423 result = dst_key_read_public(newfilename, type, mctx, &pubkey);
424 isc_mem_put(mctx, newfilename, newfilenamelen);
426 if (result != ISC_R_SUCCESS)
429 if ((type & (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC)) == DST_TYPE_PUBLIC ||
430 (pubkey->key_flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY)
432 result = computeid(pubkey);
433 if (result != ISC_R_SUCCESS) {
434 dst_key_free(&pubkey);
439 return (ISC_R_SUCCESS);
442 result = algorithm_status(pubkey->key_alg);
443 if (result != ISC_R_SUCCESS) {
444 dst_key_free(&pubkey);
448 key = get_key_struct(pubkey->key_name, pubkey->key_alg,
449 pubkey->key_flags, pubkey->key_proto, 0,
450 pubkey->key_class, mctx);
452 dst_key_free(&pubkey);
455 return (ISC_R_NOMEMORY);
457 if (key->func->parse == NULL)
458 RETERR(DST_R_UNSUPPORTEDALG);
460 newfilenamelen = strlen(filename) + 9;
461 newfilename = isc_mem_get(mctx, newfilenamelen);
462 if (newfilename == NULL)
463 RETERR(ISC_R_NOMEMORY);
464 result = addsuffix(newfilename, newfilenamelen, filename, ".private");
465 INSIST(result == ISC_R_SUCCESS);
467 RETERR(isc_lex_create(mctx, 1500, &lex));
468 RETERR(isc_lex_openfile(lex, newfilename));
469 isc_mem_put(mctx, newfilename, newfilenamelen);
471 RETERR(key->func->parse(key, lex));
472 isc_lex_destroy(&lex);
474 RETERR(computeid(key));
476 if (id != key->key_id)
477 RETERR(DST_R_INVALIDPRIVATEKEY);
480 return (ISC_R_SUCCESS);
482 if (newfilename != NULL)
483 isc_mem_put(mctx, newfilename, newfilenamelen);
485 isc_lex_destroy(&lex);
491 dst_key_todns(const dst_key_t *key, isc_buffer_t *target) {
492 REQUIRE(dst_initialized == ISC_TRUE);
493 REQUIRE(VALID_KEY(key));
494 REQUIRE(target != NULL);
496 CHECKALG(key->key_alg);
498 if (key->func->todns == NULL)
499 return (DST_R_UNSUPPORTEDALG);
501 if (isc_buffer_availablelength(target) < 4)
502 return (ISC_R_NOSPACE);
503 isc_buffer_putuint16(target, (isc_uint16_t)(key->key_flags & 0xffff));
504 isc_buffer_putuint8(target, (isc_uint8_t)key->key_proto);
505 isc_buffer_putuint8(target, (isc_uint8_t)key->key_alg);
507 if (key->key_flags & DNS_KEYFLAG_EXTENDED) {
508 if (isc_buffer_availablelength(target) < 2)
509 return (ISC_R_NOSPACE);
510 isc_buffer_putuint16(target,
511 (isc_uint16_t)((key->key_flags >> 16)
515 if (key->opaque == NULL) /*%< NULL KEY */
516 return (ISC_R_SUCCESS);
518 return (key->func->todns(key, target));
522 dst_key_fromdns(dns_name_t *name, dns_rdataclass_t rdclass,
523 isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp)
525 isc_uint8_t alg, proto;
526 isc_uint32_t flags, extflags;
527 dst_key_t *key = NULL;
532 REQUIRE(dst_initialized);
534 isc_buffer_remainingregion(source, &r);
536 if (isc_buffer_remaininglength(source) < 4)
537 return (DST_R_INVALIDPUBLICKEY);
538 flags = isc_buffer_getuint16(source);
539 proto = isc_buffer_getuint8(source);
540 alg = isc_buffer_getuint8(source);
542 id = dst_region_computeid(&r, alg);
544 if (flags & DNS_KEYFLAG_EXTENDED) {
545 if (isc_buffer_remaininglength(source) < 2)
546 return (DST_R_INVALIDPUBLICKEY);
547 extflags = isc_buffer_getuint16(source);
548 flags |= (extflags << 16);
551 result = frombuffer(name, alg, flags, proto, rdclass, source,
553 if (result != ISC_R_SUCCESS)
558 return (ISC_R_SUCCESS);
562 dst_key_frombuffer(dns_name_t *name, unsigned int alg,
563 unsigned int flags, unsigned int protocol,
564 dns_rdataclass_t rdclass,
565 isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp)
567 dst_key_t *key = NULL;
570 REQUIRE(dst_initialized);
572 result = frombuffer(name, alg, flags, protocol, rdclass, source,
574 if (result != ISC_R_SUCCESS)
577 result = computeid(key);
578 if (result != ISC_R_SUCCESS) {
584 return (ISC_R_SUCCESS);
588 dst_key_tobuffer(const dst_key_t *key, isc_buffer_t *target) {
589 REQUIRE(dst_initialized == ISC_TRUE);
590 REQUIRE(VALID_KEY(key));
591 REQUIRE(target != NULL);
593 CHECKALG(key->key_alg);
595 if (key->func->todns == NULL)
596 return (DST_R_UNSUPPORTEDALG);
598 return (key->func->todns(key, target));
602 dst_key_privatefrombuffer(dst_key_t *key, isc_buffer_t *buffer) {
603 isc_lex_t *lex = NULL;
604 isc_result_t result = ISC_R_SUCCESS;
606 REQUIRE(dst_initialized == ISC_TRUE);
607 REQUIRE(VALID_KEY(key));
608 REQUIRE(!dst_key_isprivate(key));
609 REQUIRE(buffer != NULL);
611 if (key->func->parse == NULL)
612 RETERR(DST_R_UNSUPPORTEDALG);
614 RETERR(isc_lex_create(key->mctx, 1500, &lex));
615 RETERR(isc_lex_openbuffer(lex, buffer));
616 RETERR(key->func->parse(key, lex));
619 isc_lex_destroy(&lex);
624 dst_key_fromgssapi(dns_name_t *name, void *opaque, isc_mem_t *mctx,
629 REQUIRE(opaque != NULL);
630 REQUIRE(keyp != NULL && *keyp == NULL);
632 key = get_key_struct(name, DST_ALG_GSSAPI, 0, DNS_KEYPROTO_DNSSEC,
633 0, dns_rdataclass_in, mctx);
635 return (ISC_R_NOMEMORY);
636 key->opaque = opaque;
638 return (ISC_R_SUCCESS);
642 dst_key_generate(dns_name_t *name, unsigned int alg,
643 unsigned int bits, unsigned int param,
644 unsigned int flags, unsigned int protocol,
645 dns_rdataclass_t rdclass,
646 isc_mem_t *mctx, dst_key_t **keyp)
651 REQUIRE(dst_initialized == ISC_TRUE);
652 REQUIRE(dns_name_isabsolute(name));
653 REQUIRE(mctx != NULL);
654 REQUIRE(keyp != NULL && *keyp == NULL);
658 key = get_key_struct(name, alg, flags, protocol, bits, rdclass, mctx);
660 return (ISC_R_NOMEMORY);
662 if (bits == 0) { /*%< NULL KEY */
663 key->key_flags |= DNS_KEYTYPE_NOKEY;
665 return (ISC_R_SUCCESS);
668 if (key->func->generate == NULL) {
670 return (DST_R_UNSUPPORTEDALG);
673 ret = key->func->generate(key, param);
674 if (ret != ISC_R_SUCCESS) {
679 ret = computeid(key);
680 if (ret != ISC_R_SUCCESS) {
686 return (ISC_R_SUCCESS);
690 dst_key_compare(const dst_key_t *key1, const dst_key_t *key2) {
691 REQUIRE(dst_initialized == ISC_TRUE);
692 REQUIRE(VALID_KEY(key1));
693 REQUIRE(VALID_KEY(key2));
697 if (key1 == NULL || key2 == NULL)
699 if (key1->key_alg == key2->key_alg &&
700 key1->key_id == key2->key_id &&
701 key1->func->compare != NULL &&
702 key1->func->compare(key1, key2) == ISC_TRUE)
709 dst_key_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
710 REQUIRE(dst_initialized == ISC_TRUE);
711 REQUIRE(VALID_KEY(key1));
712 REQUIRE(VALID_KEY(key2));
716 if (key1 == NULL || key2 == NULL)
718 if (key1->key_alg == key2->key_alg &&
719 key1->func->paramcompare != NULL &&
720 key1->func->paramcompare(key1, key2) == ISC_TRUE)
727 dst_key_free(dst_key_t **keyp) {
731 REQUIRE(dst_initialized == ISC_TRUE);
732 REQUIRE(keyp != NULL && VALID_KEY(*keyp));
737 if (key->opaque != NULL) {
738 INSIST(key->func->destroy != NULL);
739 key->func->destroy(key);
742 dns_name_free(key->key_name, mctx);
743 isc_mem_put(mctx, key->key_name, sizeof(dns_name_t));
744 memset(key, 0, sizeof(dst_key_t));
745 isc_mem_put(mctx, key, sizeof(dst_key_t));
750 dst_key_isprivate(const dst_key_t *key) {
751 REQUIRE(VALID_KEY(key));
752 INSIST(key->func->isprivate != NULL);
753 return (key->func->isprivate(key));
757 dst_key_buildfilename(const dst_key_t *key, int type,
758 const char *directory, isc_buffer_t *out) {
760 REQUIRE(VALID_KEY(key));
761 REQUIRE(type == DST_TYPE_PRIVATE || type == DST_TYPE_PUBLIC ||
764 return (buildfilename(key->key_name, key->key_id, key->key_alg,
765 type, directory, out));
769 dst_key_sigsize(const dst_key_t *key, unsigned int *n) {
770 REQUIRE(dst_initialized == ISC_TRUE);
771 REQUIRE(VALID_KEY(key));
774 /* XXXVIX this switch statement is too sparse to gen a jump table. */
775 switch (key->key_alg) {
777 case DST_ALG_RSASHA1:
778 *n = (key->key_size + 7) / 8;
781 *n = DNS_SIG_DSASIGSIZE;
783 case DST_ALG_HMACMD5:
786 case DST_ALG_HMACSHA1:
787 *n = ISC_SHA1_DIGESTLENGTH;
789 case DST_ALG_HMACSHA224:
790 *n = ISC_SHA224_DIGESTLENGTH;
792 case DST_ALG_HMACSHA256:
793 *n = ISC_SHA256_DIGESTLENGTH;
795 case DST_ALG_HMACSHA384:
796 *n = ISC_SHA384_DIGESTLENGTH;
798 case DST_ALG_HMACSHA512:
799 *n = ISC_SHA512_DIGESTLENGTH;
802 *n = 128; /*%< XXX */
806 return (DST_R_UNSUPPORTEDALG);
808 return (ISC_R_SUCCESS);
812 dst_key_secretsize(const dst_key_t *key, unsigned int *n) {
813 REQUIRE(dst_initialized == ISC_TRUE);
814 REQUIRE(VALID_KEY(key));
817 if (key->key_alg == DST_ALG_DH)
818 *n = (key->key_size + 7) / 8;
820 return (DST_R_UNSUPPORTEDALG);
821 return (ISC_R_SUCCESS);
829 * Allocates a key structure and fills in some of the fields.
832 get_key_struct(dns_name_t *name, unsigned int alg,
833 unsigned int flags, unsigned int protocol,
834 unsigned int bits, dns_rdataclass_t rdclass,
840 key = (dst_key_t *) isc_mem_get(mctx, sizeof(dst_key_t));
844 memset(key, 0, sizeof(dst_key_t));
845 key->magic = KEY_MAGIC;
847 key->key_name = isc_mem_get(mctx, sizeof(dns_name_t));
848 if (key->key_name == NULL) {
849 isc_mem_put(mctx, key, sizeof(dst_key_t));
852 dns_name_init(key->key_name, NULL);
853 result = dns_name_dup(name, mctx, key->key_name);
854 if (result != ISC_R_SUCCESS) {
855 isc_mem_put(mctx, key->key_name, sizeof(dns_name_t));
856 isc_mem_put(mctx, key, sizeof(dst_key_t));
860 key->key_flags = flags;
861 key->key_proto = protocol;
864 key->key_size = bits;
865 key->key_class = rdclass;
866 key->func = dst_t_func[alg];
871 * Reads a public key from disk
874 dst_key_read_public(const char *filename, int type,
875 isc_mem_t *mctx, dst_key_t **keyp)
877 u_char rdatabuf[DST_KEY_MAXSIZE];
879 dns_fixedname_t name;
880 isc_lex_t *lex = NULL;
883 dns_rdata_t rdata = DNS_RDATA_INIT;
884 unsigned int opt = ISC_LEXOPT_DNSMULTILINE;
885 dns_rdataclass_t rdclass = dns_rdataclass_in;
886 isc_lexspecials_t specials;
889 dns_rdatatype_t keytype;
892 * Open the file and read its formatted contents
894 * domain.name [ttl] [class] [KEY|DNSKEY] <flags> <protocol> <algorithm> <key>
897 /* 1500 should be large enough for any key */
898 ret = isc_lex_create(mctx, 1500, &lex);
899 if (ret != ISC_R_SUCCESS)
902 memset(specials, 0, sizeof(specials));
906 isc_lex_setspecials(lex, specials);
907 isc_lex_setcomments(lex, ISC_LEXCOMMENT_DNSMASTERFILE);
909 ret = isc_lex_openfile(lex, filename);
910 if (ret != ISC_R_SUCCESS)
913 #define NEXTTOKEN(lex, opt, token) { \
914 ret = isc_lex_gettoken(lex, opt, token); \
915 if (ret != ISC_R_SUCCESS) \
919 #define BADTOKEN() { \
920 ret = ISC_R_UNEXPECTEDTOKEN; \
924 /* Read the domain name */
925 NEXTTOKEN(lex, opt, &token);
926 if (token.type != isc_tokentype_string)
928 dns_fixedname_init(&name);
929 isc_buffer_init(&b, DST_AS_STR(token), strlen(DST_AS_STR(token)));
930 isc_buffer_add(&b, strlen(DST_AS_STR(token)));
931 ret = dns_name_fromtext(dns_fixedname_name(&name), &b, dns_rootname,
933 if (ret != ISC_R_SUCCESS)
936 /* Read the next word: either TTL, class, or 'KEY' */
937 NEXTTOKEN(lex, opt, &token);
939 /* If it's a TTL, read the next one */
940 result = dns_ttl_fromtext(&token.value.as_textregion, &ttl);
941 if (result == ISC_R_SUCCESS)
942 NEXTTOKEN(lex, opt, &token);
944 if (token.type != isc_tokentype_string)
947 ret = dns_rdataclass_fromtext(&rdclass, &token.value.as_textregion);
948 if (ret == ISC_R_SUCCESS)
949 NEXTTOKEN(lex, opt, &token);
951 if (token.type != isc_tokentype_string)
954 if (strcasecmp(DST_AS_STR(token), "DNSKEY") == 0)
955 keytype = dns_rdatatype_dnskey;
956 else if (strcasecmp(DST_AS_STR(token), "KEY") == 0)
957 keytype = dns_rdatatype_key; /*%< SIG(0), TKEY */
961 if (((type & DST_TYPE_KEY) != 0 && keytype != dns_rdatatype_key) ||
962 ((type & DST_TYPE_KEY) == 0 && keytype != dns_rdatatype_dnskey)) {
963 ret = DST_R_BADKEYTYPE;
967 isc_buffer_init(&b, rdatabuf, sizeof(rdatabuf));
968 ret = dns_rdata_fromtext(&rdata, rdclass, keytype, lex, NULL,
969 ISC_FALSE, mctx, &b, NULL);
970 if (ret != ISC_R_SUCCESS)
973 ret = dst_key_fromdns(dns_fixedname_name(&name), rdclass, &b, mctx,
975 if (ret != ISC_R_SUCCESS)
980 isc_lex_destroy(&lex);
985 issymmetric(const dst_key_t *key) {
986 REQUIRE(dst_initialized == ISC_TRUE);
987 REQUIRE(VALID_KEY(key));
989 /* XXXVIX this switch statement is too sparse to gen a jump table. */
990 switch (key->key_alg) {
992 case DST_ALG_RSASHA1:
996 case DST_ALG_HMACMD5:
1005 * Writes a public key to disk in DNS format.
1008 write_public_key(const dst_key_t *key, int type, const char *directory) {
1010 isc_buffer_t keyb, textb, fileb, classb;
1012 char filename[ISC_DIR_NAMEMAX];
1013 unsigned char key_array[DST_KEY_MAXSIZE];
1014 char text_array[DST_KEY_MAXTEXTSIZE];
1015 char class_array[10];
1017 dns_rdata_t rdata = DNS_RDATA_INIT;
1018 isc_fsaccess_t access;
1020 REQUIRE(VALID_KEY(key));
1022 isc_buffer_init(&keyb, key_array, sizeof(key_array));
1023 isc_buffer_init(&textb, text_array, sizeof(text_array));
1024 isc_buffer_init(&classb, class_array, sizeof(class_array));
1026 ret = dst_key_todns(key, &keyb);
1027 if (ret != ISC_R_SUCCESS)
1030 isc_buffer_usedregion(&keyb, &r);
1031 dns_rdata_fromregion(&rdata, key->key_class, dns_rdatatype_dnskey, &r);
1033 ret = dns_rdata_totext(&rdata, (dns_name_t *) NULL, &textb);
1034 if (ret != ISC_R_SUCCESS)
1035 return (DST_R_INVALIDPUBLICKEY);
1037 ret = dns_rdataclass_totext(key->key_class, &classb);
1038 if (ret != ISC_R_SUCCESS)
1039 return (DST_R_INVALIDPUBLICKEY);
1042 * Make the filename.
1044 isc_buffer_init(&fileb, filename, sizeof(filename));
1045 ret = dst_key_buildfilename(key, DST_TYPE_PUBLIC, directory, &fileb);
1046 if (ret != ISC_R_SUCCESS)
1050 * Create public key file.
1052 if ((fp = fopen(filename, "w")) == NULL)
1053 return (DST_R_WRITEERROR);
1055 if (issymmetric(key)) {
1057 isc_fsaccess_add(ISC_FSACCESS_OWNER,
1058 ISC_FSACCESS_READ | ISC_FSACCESS_WRITE,
1060 (void)isc_fsaccess_set(filename, access);
1063 ret = dns_name_print(key->key_name, fp);
1064 if (ret != ISC_R_SUCCESS) {
1071 isc_buffer_usedregion(&classb, &r);
1072 fwrite(r.base, 1, r.length, fp);
1074 if ((type & DST_TYPE_KEY) != 0)
1075 fprintf(fp, " KEY ");
1077 fprintf(fp, " DNSKEY ");
1079 isc_buffer_usedregion(&textb, &r);
1080 fwrite(r.base, 1, r.length, fp);
1085 return (ISC_R_SUCCESS);
1089 buildfilename(dns_name_t *name, dns_keytag_t id,
1090 unsigned int alg, unsigned int type,
1091 const char *directory, isc_buffer_t *out)
1093 const char *suffix = "";
1095 isc_result_t result;
1097 REQUIRE(out != NULL);
1098 if ((type & DST_TYPE_PRIVATE) != 0)
1099 suffix = ".private";
1100 else if (type == DST_TYPE_PUBLIC)
1102 if (directory != NULL) {
1103 if (isc_buffer_availablelength(out) < strlen(directory))
1104 return (ISC_R_NOSPACE);
1105 isc_buffer_putstr(out, directory);
1106 if (strlen(directory) > 0U &&
1107 directory[strlen(directory) - 1] != '/')
1108 isc_buffer_putstr(out, "/");
1110 if (isc_buffer_availablelength(out) < 1)
1111 return (ISC_R_NOSPACE);
1112 isc_buffer_putstr(out, "K");
1113 result = dns_name_tofilenametext(name, ISC_FALSE, out);
1114 if (result != ISC_R_SUCCESS)
1116 len = 1 + 3 + 1 + 5 + strlen(suffix) + 1;
1117 if (isc_buffer_availablelength(out) < len)
1118 return (ISC_R_NOSPACE);
1119 sprintf((char *) isc_buffer_used(out), "+%03d+%05d%s", alg, id, suffix);
1120 isc_buffer_add(out, len);
1121 return (ISC_R_SUCCESS);
1125 computeid(dst_key_t *key) {
1126 isc_buffer_t dnsbuf;
1127 unsigned char dns_array[DST_KEY_MAXSIZE];
1131 isc_buffer_init(&dnsbuf, dns_array, sizeof(dns_array));
1132 ret = dst_key_todns(key, &dnsbuf);
1133 if (ret != ISC_R_SUCCESS)
1136 isc_buffer_usedregion(&dnsbuf, &r);
1137 key->key_id = dst_region_computeid(&r, key->key_alg);
1138 return (ISC_R_SUCCESS);
1142 frombuffer(dns_name_t *name, unsigned int alg, unsigned int flags,
1143 unsigned int protocol, dns_rdataclass_t rdclass,
1144 isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp)
1149 REQUIRE(dns_name_isabsolute(name));
1150 REQUIRE(source != NULL);
1151 REQUIRE(mctx != NULL);
1152 REQUIRE(keyp != NULL && *keyp == NULL);
1154 key = get_key_struct(name, alg, flags, protocol, 0, rdclass, mctx);
1156 return (ISC_R_NOMEMORY);
1158 if (isc_buffer_remaininglength(source) > 0) {
1159 ret = algorithm_status(alg);
1160 if (ret != ISC_R_SUCCESS) {
1164 if (key->func->fromdns == NULL) {
1166 return (DST_R_UNSUPPORTEDALG);
1169 ret = key->func->fromdns(key, source);
1170 if (ret != ISC_R_SUCCESS) {
1177 return (ISC_R_SUCCESS);
1181 algorithm_status(unsigned int alg) {
1182 REQUIRE(dst_initialized == ISC_TRUE);
1184 if (dst_algorithm_supported(alg))
1185 return (ISC_R_SUCCESS);
1187 if (alg == DST_ALG_RSAMD5 || alg == DST_ALG_RSASHA1 ||
1188 alg == DST_ALG_DSA || alg == DST_ALG_DH ||
1189 alg == DST_ALG_HMACMD5)
1190 return (DST_R_NOCRYPTO);
1192 return (DST_R_UNSUPPORTEDALG);
1196 addsuffix(char *filename, unsigned int len, const char *ofilename,
1199 int olen = strlen(ofilename);
1202 if (olen > 1 && ofilename[olen - 1] == '.')
1204 else if (olen > 8 && strcmp(ofilename + olen - 8, ".private") == 0)
1206 else if (olen > 4 && strcmp(ofilename + olen - 4, ".key") == 0)
1209 n = snprintf(filename, len, "%.*s%s", olen, ofilename, suffix);
1211 return (ISC_R_NOSPACE);
1212 return (ISC_R_SUCCESS);
1216 dst__entropy_getdata(void *buf, unsigned int len, isc_boolean_t pseudo) {
1217 unsigned int flags = dst_entropy_flags;
1219 flags &= ~ISC_ENTROPY_GOODONLY;
1220 return (isc_entropy_getdata(dst_entropy_pool, buf, len, NULL, flags));
projects / FreeBSD / releng / 7.2.git / blob