2 * Portions Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
3 * Portions Copyright (C) 1999-2003 Internet Software Consortium.
5 * Permission to use, copy, modify, and/or distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
10 * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
11 * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
12 * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
15 * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
19 * Permission to use, copy, modify, and/or distribute this software for any
20 * purpose with or without fee is hereby granted, provided that the above
21 * copyright notice and this permission notice appear in all copies.
23 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
24 * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
25 * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
26 * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
27 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
28 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
29 * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
33 * Principal Author: Brian Wellington
34 * $Id: dst_api.c,v 1.57.10.1 2011-03-21 19:53:34 each Exp $
44 #include <isc/buffer.h>
46 #include <isc/entropy.h>
47 #include <isc/fsaccess.h>
48 #include <isc/hmacsha.h>
52 #include <isc/platform.h>
53 #include <isc/print.h>
54 #include <isc/refcount.h>
55 #include <isc/random.h>
56 #include <isc/string.h>
60 #include <dns/fixedname.h>
61 #include <dns/keyvalues.h>
63 #include <dns/rdata.h>
64 #include <dns/rdataclass.h>
66 #include <dns/types.h>
68 #include <dst/result.h>
70 #include "dst_internal.h"
72 #define DST_AS_STR(t) ((t).value.as_textregion.base)
74 static dst_func_t *dst_t_func[DST_MAX_ALGS];
76 static isc_entropy_t *dst_entropy_pool = NULL;
78 static unsigned int dst_entropy_flags = 0;
79 static isc_boolean_t dst_initialized = ISC_FALSE;
81 void gss_log(int level, const char *fmt, ...) ISC_FORMAT_PRINTF(2, 3);
83 isc_mem_t *dst__memory_pool = NULL;
88 static dst_key_t * get_key_struct(dns_name_t *name,
91 unsigned int protocol,
93 dns_rdataclass_t rdclass,
95 static isc_result_t write_public_key(const dst_key_t *key, int type,
96 const char *directory);
97 static isc_result_t buildfilename(dns_name_t *name,
101 const char *directory,
103 static isc_result_t computeid(dst_key_t *key);
104 static isc_result_t frombuffer(dns_name_t *name,
107 unsigned int protocol,
108 dns_rdataclass_t rdclass,
109 isc_buffer_t *source,
113 static isc_result_t algorithm_status(unsigned int alg);
115 static isc_result_t addsuffix(char *filename, int len,
116 const char *dirname, const char *ofilename,
122 if (result != ISC_R_SUCCESS) \
126 #define CHECKALG(alg) \
129 _r = algorithm_status(alg); \
130 if (_r != ISC_R_SUCCESS) \
134 #if defined(OPENSSL) && defined(BIND9)
136 default_memalloc(void *arg, size_t size) {
140 return (malloc(size));
144 default_memfree(void *arg, void *ptr) {
151 dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags) {
152 return (dst_lib_init2(mctx, ectx, NULL, eflags));
156 dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
157 const char *engine, unsigned int eflags) {
160 REQUIRE(mctx != NULL);
162 REQUIRE(ectx != NULL);
166 REQUIRE(dst_initialized == ISC_FALSE);
172 dst__memory_pool = NULL;
174 #if defined(OPENSSL) && defined(BIND9)
177 * When using --with-openssl, there seems to be no good way of not
178 * leaking memory due to the openssl error handling mechanism.
179 * Avoid assertions by using a local memory context and not checking
180 * for leaks on exit. Note: as there are leaks we cannot use
181 * ISC_MEMFLAG_INTERNAL as it will free up memory still being used
184 result = isc_mem_createx2(0, 0, default_memalloc, default_memfree,
185 NULL, &dst__memory_pool, 0);
186 if (result != ISC_R_SUCCESS)
188 isc_mem_setname(dst__memory_pool, "dst", NULL);
189 #ifndef OPENSSL_LEAKS
190 isc_mem_setdestroycheck(dst__memory_pool, ISC_FALSE);
193 isc_mem_attach(mctx, &dst__memory_pool);
196 isc_entropy_attach(ectx, &dst_entropy_pool);
198 dst_entropy_flags = eflags;
200 dst_result_register();
202 memset(dst_t_func, 0, sizeof(dst_t_func));
203 RETERR(dst__hmacmd5_init(&dst_t_func[DST_ALG_HMACMD5]));
204 RETERR(dst__hmacsha1_init(&dst_t_func[DST_ALG_HMACSHA1]));
205 RETERR(dst__hmacsha224_init(&dst_t_func[DST_ALG_HMACSHA224]));
206 RETERR(dst__hmacsha256_init(&dst_t_func[DST_ALG_HMACSHA256]));
207 RETERR(dst__hmacsha384_init(&dst_t_func[DST_ALG_HMACSHA384]));
208 RETERR(dst__hmacsha512_init(&dst_t_func[DST_ALG_HMACSHA512]));
210 RETERR(dst__openssl_init(engine));
211 RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSAMD5],
213 RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA1],
215 RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1],
216 DST_ALG_NSEC3RSASHA1));
217 RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA256],
219 RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA512],
221 #ifdef HAVE_OPENSSL_DSA
222 RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_DSA]));
223 RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_NSEC3DSA]));
225 RETERR(dst__openssldh_init(&dst_t_func[DST_ALG_DH]));
226 #ifdef HAVE_OPENSSL_GOST
227 RETERR(dst__opensslgost_init(&dst_t_func[DST_ALG_ECCGOST]));
231 RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI]));
233 dst_initialized = ISC_TRUE;
234 return (ISC_R_SUCCESS);
237 /* avoid immediate crash! */
238 dst_initialized = ISC_TRUE;
244 dst_lib_destroy(void) {
246 RUNTIME_CHECK(dst_initialized == ISC_TRUE);
247 dst_initialized = ISC_FALSE;
249 for (i = 0; i < DST_MAX_ALGS; i++)
250 if (dst_t_func[i] != NULL && dst_t_func[i]->cleanup != NULL)
251 dst_t_func[i]->cleanup();
253 dst__openssl_destroy();
255 if (dst__memory_pool != NULL)
256 isc_mem_detach(&dst__memory_pool);
258 if (dst_entropy_pool != NULL)
259 isc_entropy_detach(&dst_entropy_pool);
264 dst_algorithm_supported(unsigned int alg) {
265 REQUIRE(dst_initialized == ISC_TRUE);
267 if (alg >= DST_MAX_ALGS || dst_t_func[alg] == NULL)
273 dst_context_create(dst_key_t *key, isc_mem_t *mctx, dst_context_t **dctxp) {
277 REQUIRE(dst_initialized == ISC_TRUE);
278 REQUIRE(VALID_KEY(key));
279 REQUIRE(mctx != NULL);
280 REQUIRE(dctxp != NULL && *dctxp == NULL);
282 if (key->func->createctx == NULL)
283 return (DST_R_UNSUPPORTEDALG);
284 if (key->keydata.generic == NULL)
285 return (DST_R_NULLKEY);
287 dctx = isc_mem_get(mctx, sizeof(dst_context_t));
289 return (ISC_R_NOMEMORY);
292 result = key->func->createctx(key, dctx);
293 if (result != ISC_R_SUCCESS) {
294 isc_mem_put(mctx, dctx, sizeof(dst_context_t));
297 dctx->magic = CTX_MAGIC;
299 return (ISC_R_SUCCESS);
303 dst_context_destroy(dst_context_t **dctxp) {
306 REQUIRE(dctxp != NULL && VALID_CTX(*dctxp));
309 INSIST(dctx->key->func->destroyctx != NULL);
310 dctx->key->func->destroyctx(dctx);
312 isc_mem_put(dctx->mctx, dctx, sizeof(dst_context_t));
317 dst_context_adddata(dst_context_t *dctx, const isc_region_t *data) {
318 REQUIRE(VALID_CTX(dctx));
319 REQUIRE(data != NULL);
320 INSIST(dctx->key->func->adddata != NULL);
322 return (dctx->key->func->adddata(dctx, data));
326 dst_context_sign(dst_context_t *dctx, isc_buffer_t *sig) {
329 REQUIRE(VALID_CTX(dctx));
330 REQUIRE(sig != NULL);
333 CHECKALG(key->key_alg);
334 if (key->keydata.generic == NULL)
335 return (DST_R_NULLKEY);
337 if (key->func->sign == NULL)
338 return (DST_R_NOTPRIVATEKEY);
339 if (key->func->isprivate == NULL ||
340 key->func->isprivate(key) == ISC_FALSE)
341 return (DST_R_NOTPRIVATEKEY);
343 return (key->func->sign(dctx, sig));
347 dst_context_verify(dst_context_t *dctx, isc_region_t *sig) {
348 REQUIRE(VALID_CTX(dctx));
349 REQUIRE(sig != NULL);
351 CHECKALG(dctx->key->key_alg);
352 if (dctx->key->keydata.generic == NULL)
353 return (DST_R_NULLKEY);
354 if (dctx->key->func->verify == NULL)
355 return (DST_R_NOTPUBLICKEY);
357 return (dctx->key->func->verify(dctx, sig));
361 dst_key_computesecret(const dst_key_t *pub, const dst_key_t *priv,
362 isc_buffer_t *secret)
364 REQUIRE(dst_initialized == ISC_TRUE);
365 REQUIRE(VALID_KEY(pub) && VALID_KEY(priv));
366 REQUIRE(secret != NULL);
368 CHECKALG(pub->key_alg);
369 CHECKALG(priv->key_alg);
371 if (pub->keydata.generic == NULL || priv->keydata.generic == NULL)
372 return (DST_R_NULLKEY);
374 if (pub->key_alg != priv->key_alg ||
375 pub->func->computesecret == NULL ||
376 priv->func->computesecret == NULL)
377 return (DST_R_KEYCANNOTCOMPUTESECRET);
379 if (dst_key_isprivate(priv) == ISC_FALSE)
380 return (DST_R_NOTPRIVATEKEY);
382 return (pub->func->computesecret(pub, priv, secret));
386 dst_key_tofile(const dst_key_t *key, int type, const char *directory) {
387 isc_result_t ret = ISC_R_SUCCESS;
389 REQUIRE(dst_initialized == ISC_TRUE);
390 REQUIRE(VALID_KEY(key));
391 REQUIRE((type & (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC)) != 0);
393 CHECKALG(key->key_alg);
395 if (key->func->tofile == NULL)
396 return (DST_R_UNSUPPORTEDALG);
398 if (type & DST_TYPE_PUBLIC) {
399 ret = write_public_key(key, type, directory);
400 if (ret != ISC_R_SUCCESS)
404 if ((type & DST_TYPE_PRIVATE) &&
405 (key->key_flags & DNS_KEYFLAG_TYPEMASK) != DNS_KEYTYPE_NOKEY)
406 return (key->func->tofile(key, directory));
408 return (ISC_R_SUCCESS);
412 dst_key_fromfile(dns_name_t *name, dns_keytag_t id,
413 unsigned int alg, int type, const char *directory,
414 isc_mem_t *mctx, dst_key_t **keyp)
416 char filename[ISC_DIR_NAMEMAX];
421 REQUIRE(dst_initialized == ISC_TRUE);
422 REQUIRE(dns_name_isabsolute(name));
423 REQUIRE((type & (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC)) != 0);
424 REQUIRE(mctx != NULL);
425 REQUIRE(keyp != NULL && *keyp == NULL);
429 isc_buffer_init(&b, filename, sizeof(filename));
430 result = buildfilename(name, id, alg, type, directory, &b);
431 if (result != ISC_R_SUCCESS)
435 result = dst_key_fromnamedfile(filename, NULL, type, mctx, &key);
436 if (result != ISC_R_SUCCESS)
439 result = computeid(key);
440 if (result != ISC_R_SUCCESS) {
445 if (!dns_name_equal(name, key->key_name) || id != key->key_id ||
446 alg != key->key_alg) {
448 return (DST_R_INVALIDPRIVATEKEY);
453 return (ISC_R_SUCCESS);
457 dst_key_fromnamedfile(const char *filename, const char *dirname,
458 int type, isc_mem_t *mctx, dst_key_t **keyp)
461 dst_key_t *pubkey = NULL, *key = NULL;
462 char *newfilename = NULL;
463 int newfilenamelen = 0;
464 isc_lex_t *lex = NULL;
466 REQUIRE(dst_initialized == ISC_TRUE);
467 REQUIRE(filename != NULL);
468 REQUIRE((type & (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC)) != 0);
469 REQUIRE(mctx != NULL);
470 REQUIRE(keyp != NULL && *keyp == NULL);
472 /* If an absolute path is specified, don't use the key directory */
474 if (filename[0] == '/')
477 if (filename[0] == '/' || filename[0] == '\\')
481 newfilenamelen = strlen(filename) + 5;
483 newfilenamelen += strlen(dirname) + 1;
484 newfilename = isc_mem_get(mctx, newfilenamelen);
485 if (newfilename == NULL)
486 return (ISC_R_NOMEMORY);
487 result = addsuffix(newfilename, newfilenamelen,
488 dirname, filename, ".key");
489 INSIST(result == ISC_R_SUCCESS);
491 result = dst_key_read_public(newfilename, type, mctx, &pubkey);
492 isc_mem_put(mctx, newfilename, newfilenamelen);
494 if (result != ISC_R_SUCCESS)
497 if ((type & (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC)) == DST_TYPE_PUBLIC ||
498 (pubkey->key_flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY) {
499 result = computeid(pubkey);
500 if (result != ISC_R_SUCCESS) {
501 dst_key_free(&pubkey);
506 return (ISC_R_SUCCESS);
509 result = algorithm_status(pubkey->key_alg);
510 if (result != ISC_R_SUCCESS) {
511 dst_key_free(&pubkey);
515 key = get_key_struct(pubkey->key_name, pubkey->key_alg,
516 pubkey->key_flags, pubkey->key_proto, 0,
517 pubkey->key_class, mctx);
519 dst_key_free(&pubkey);
520 return (ISC_R_NOMEMORY);
523 if (key->func->parse == NULL)
524 RETERR(DST_R_UNSUPPORTEDALG);
526 newfilenamelen = strlen(filename) + 9;
528 newfilenamelen += strlen(dirname) + 1;
529 newfilename = isc_mem_get(mctx, newfilenamelen);
530 if (newfilename == NULL)
531 RETERR(ISC_R_NOMEMORY);
532 result = addsuffix(newfilename, newfilenamelen,
533 dirname, filename, ".private");
534 INSIST(result == ISC_R_SUCCESS);
536 RETERR(isc_lex_create(mctx, 1500, &lex));
537 RETERR(isc_lex_openfile(lex, newfilename));
538 isc_mem_put(mctx, newfilename, newfilenamelen);
540 RETERR(key->func->parse(key, lex, pubkey));
541 isc_lex_destroy(&lex);
543 RETERR(computeid(key));
545 if (pubkey->key_id != key->key_id)
546 RETERR(DST_R_INVALIDPRIVATEKEY);
547 dst_key_free(&pubkey);
550 return (ISC_R_SUCCESS);
554 dst_key_free(&pubkey);
555 if (newfilename != NULL)
556 isc_mem_put(mctx, newfilename, newfilenamelen);
558 isc_lex_destroy(&lex);
564 dst_key_todns(const dst_key_t *key, isc_buffer_t *target) {
565 REQUIRE(dst_initialized == ISC_TRUE);
566 REQUIRE(VALID_KEY(key));
567 REQUIRE(target != NULL);
569 CHECKALG(key->key_alg);
571 if (key->func->todns == NULL)
572 return (DST_R_UNSUPPORTEDALG);
574 if (isc_buffer_availablelength(target) < 4)
575 return (ISC_R_NOSPACE);
576 isc_buffer_putuint16(target, (isc_uint16_t)(key->key_flags & 0xffff));
577 isc_buffer_putuint8(target, (isc_uint8_t)key->key_proto);
578 isc_buffer_putuint8(target, (isc_uint8_t)key->key_alg);
580 if (key->key_flags & DNS_KEYFLAG_EXTENDED) {
581 if (isc_buffer_availablelength(target) < 2)
582 return (ISC_R_NOSPACE);
583 isc_buffer_putuint16(target,
584 (isc_uint16_t)((key->key_flags >> 16)
588 if (key->keydata.generic == NULL) /*%< NULL KEY */
589 return (ISC_R_SUCCESS);
591 return (key->func->todns(key, target));
595 dst_key_fromdns(dns_name_t *name, dns_rdataclass_t rdclass,
596 isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp)
598 isc_uint8_t alg, proto;
599 isc_uint32_t flags, extflags;
600 dst_key_t *key = NULL;
605 REQUIRE(dst_initialized);
607 isc_buffer_remainingregion(source, &r);
609 if (isc_buffer_remaininglength(source) < 4)
610 return (DST_R_INVALIDPUBLICKEY);
611 flags = isc_buffer_getuint16(source);
612 proto = isc_buffer_getuint8(source);
613 alg = isc_buffer_getuint8(source);
615 id = dst_region_computeid(&r, alg);
617 if (flags & DNS_KEYFLAG_EXTENDED) {
618 if (isc_buffer_remaininglength(source) < 2)
619 return (DST_R_INVALIDPUBLICKEY);
620 extflags = isc_buffer_getuint16(source);
621 flags |= (extflags << 16);
624 result = frombuffer(name, alg, flags, proto, rdclass, source,
626 if (result != ISC_R_SUCCESS)
631 return (ISC_R_SUCCESS);
635 dst_key_frombuffer(dns_name_t *name, unsigned int alg,
636 unsigned int flags, unsigned int protocol,
637 dns_rdataclass_t rdclass,
638 isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp)
640 dst_key_t *key = NULL;
643 REQUIRE(dst_initialized);
645 result = frombuffer(name, alg, flags, protocol, rdclass, source,
647 if (result != ISC_R_SUCCESS)
650 result = computeid(key);
651 if (result != ISC_R_SUCCESS) {
657 return (ISC_R_SUCCESS);
661 dst_key_tobuffer(const dst_key_t *key, isc_buffer_t *target) {
662 REQUIRE(dst_initialized == ISC_TRUE);
663 REQUIRE(VALID_KEY(key));
664 REQUIRE(target != NULL);
666 CHECKALG(key->key_alg);
668 if (key->func->todns == NULL)
669 return (DST_R_UNSUPPORTEDALG);
671 return (key->func->todns(key, target));
675 dst_key_privatefrombuffer(dst_key_t *key, isc_buffer_t *buffer) {
676 isc_lex_t *lex = NULL;
677 isc_result_t result = ISC_R_SUCCESS;
679 REQUIRE(dst_initialized == ISC_TRUE);
680 REQUIRE(VALID_KEY(key));
681 REQUIRE(!dst_key_isprivate(key));
682 REQUIRE(buffer != NULL);
684 if (key->func->parse == NULL)
685 RETERR(DST_R_UNSUPPORTEDALG);
687 RETERR(isc_lex_create(key->mctx, 1500, &lex));
688 RETERR(isc_lex_openbuffer(lex, buffer));
689 RETERR(key->func->parse(key, lex, NULL));
692 isc_lex_destroy(&lex);
697 dst_key_getgssctx(const dst_key_t *key)
699 REQUIRE(key != NULL);
701 return (key->keydata.gssctx);
705 dst_key_fromgssapi(dns_name_t *name, gss_ctx_id_t gssctx, isc_mem_t *mctx,
706 dst_key_t **keyp, isc_region_t *intoken)
711 REQUIRE(gssctx != NULL);
712 REQUIRE(keyp != NULL && *keyp == NULL);
714 key = get_key_struct(name, DST_ALG_GSSAPI, 0, DNS_KEYPROTO_DNSSEC,
715 0, dns_rdataclass_in, mctx);
717 return (ISC_R_NOMEMORY);
719 if (intoken != NULL) {
721 * Keep the token for use by external ssu rules. They may need
722 * to examine the PAC in the kerberos ticket.
724 RETERR(isc_buffer_allocate(key->mctx, &key->key_tkeytoken,
726 RETERR(isc_buffer_copyregion(key->key_tkeytoken, intoken));
729 key->keydata.gssctx = gssctx;
731 result = ISC_R_SUCCESS;
737 dst_key_fromlabel(dns_name_t *name, int alg, unsigned int flags,
738 unsigned int protocol, dns_rdataclass_t rdclass,
739 const char *engine, const char *label, const char *pin,
740 isc_mem_t *mctx, dst_key_t **keyp)
745 REQUIRE(dst_initialized == ISC_TRUE);
746 REQUIRE(dns_name_isabsolute(name));
747 REQUIRE(mctx != NULL);
748 REQUIRE(keyp != NULL && *keyp == NULL);
749 REQUIRE(label != NULL);
753 key = get_key_struct(name, alg, flags, protocol, 0, rdclass, mctx);
755 return (ISC_R_NOMEMORY);
757 if (key->func->fromlabel == NULL) {
759 return (DST_R_UNSUPPORTEDALG);
762 result = key->func->fromlabel(key, engine, label, pin);
763 if (result != ISC_R_SUCCESS) {
768 result = computeid(key);
769 if (result != ISC_R_SUCCESS) {
775 return (ISC_R_SUCCESS);
779 dst_key_generate(dns_name_t *name, unsigned int alg,
780 unsigned int bits, unsigned int param,
781 unsigned int flags, unsigned int protocol,
782 dns_rdataclass_t rdclass,
783 isc_mem_t *mctx, dst_key_t **keyp)
785 return (dst_key_generate2(name, alg, bits, param, flags, protocol,
786 rdclass, mctx, keyp, NULL));
790 dst_key_generate2(dns_name_t *name, unsigned int alg,
791 unsigned int bits, unsigned int param,
792 unsigned int flags, unsigned int protocol,
793 dns_rdataclass_t rdclass,
794 isc_mem_t *mctx, dst_key_t **keyp,
795 void (*callback)(int))
800 REQUIRE(dst_initialized == ISC_TRUE);
801 REQUIRE(dns_name_isabsolute(name));
802 REQUIRE(mctx != NULL);
803 REQUIRE(keyp != NULL && *keyp == NULL);
807 key = get_key_struct(name, alg, flags, protocol, bits, rdclass, mctx);
809 return (ISC_R_NOMEMORY);
811 if (bits == 0) { /*%< NULL KEY */
812 key->key_flags |= DNS_KEYTYPE_NOKEY;
814 return (ISC_R_SUCCESS);
817 if (key->func->generate == NULL) {
819 return (DST_R_UNSUPPORTEDALG);
822 ret = key->func->generate(key, param, callback);
823 if (ret != ISC_R_SUCCESS) {
828 ret = computeid(key);
829 if (ret != ISC_R_SUCCESS) {
835 return (ISC_R_SUCCESS);
839 dst_key_getnum(const dst_key_t *key, int type, isc_uint32_t *valuep)
841 REQUIRE(VALID_KEY(key));
842 REQUIRE(valuep != NULL);
843 REQUIRE(type <= DST_MAX_NUMERIC);
844 if (!key->numset[type])
845 return (ISC_R_NOTFOUND);
846 *valuep = key->nums[type];
847 return (ISC_R_SUCCESS);
851 dst_key_setnum(dst_key_t *key, int type, isc_uint32_t value)
853 REQUIRE(VALID_KEY(key));
854 REQUIRE(type <= DST_MAX_NUMERIC);
855 key->nums[type] = value;
856 key->numset[type] = ISC_TRUE;
860 dst_key_unsetnum(dst_key_t *key, int type)
862 REQUIRE(VALID_KEY(key));
863 REQUIRE(type <= DST_MAX_NUMERIC);
864 key->numset[type] = ISC_FALSE;
868 dst_key_gettime(const dst_key_t *key, int type, isc_stdtime_t *timep) {
869 REQUIRE(VALID_KEY(key));
870 REQUIRE(timep != NULL);
871 REQUIRE(type <= DST_MAX_TIMES);
872 if (!key->timeset[type])
873 return (ISC_R_NOTFOUND);
874 *timep = key->times[type];
875 return (ISC_R_SUCCESS);
879 dst_key_settime(dst_key_t *key, int type, isc_stdtime_t when) {
880 REQUIRE(VALID_KEY(key));
881 REQUIRE(type <= DST_MAX_TIMES);
882 key->times[type] = when;
883 key->timeset[type] = ISC_TRUE;
887 dst_key_unsettime(dst_key_t *key, int type) {
888 REQUIRE(VALID_KEY(key));
889 REQUIRE(type <= DST_MAX_TIMES);
890 key->timeset[type] = ISC_FALSE;
894 dst_key_getprivateformat(const dst_key_t *key, int *majorp, int *minorp) {
895 REQUIRE(VALID_KEY(key));
896 REQUIRE(majorp != NULL);
897 REQUIRE(minorp != NULL);
898 *majorp = key->fmt_major;
899 *minorp = key->fmt_minor;
900 return (ISC_R_SUCCESS);
904 dst_key_setprivateformat(dst_key_t *key, int major, int minor) {
905 REQUIRE(VALID_KEY(key));
906 key->fmt_major = major;
907 key->fmt_minor = minor;
911 comparekeys(const dst_key_t *key1, const dst_key_t *key2,
912 isc_boolean_t match_revoked_key,
913 isc_boolean_t (*compare)(const dst_key_t *key1,
914 const dst_key_t *key2))
916 REQUIRE(dst_initialized == ISC_TRUE);
917 REQUIRE(VALID_KEY(key1));
918 REQUIRE(VALID_KEY(key2));
923 if (key1 == NULL || key2 == NULL)
926 if (key1->key_alg != key2->key_alg)
930 * For all algorithms except RSAMD5, revoking the key
931 * changes the key ID, increasing it by 128. If we want to
932 * be able to find matching keys even if one of them is the
933 * revoked version of the other one, then we need to check
934 * for that possibility.
936 if (key1->key_id != key2->key_id) {
937 if (!match_revoked_key)
939 if (key1->key_alg == DST_ALG_RSAMD5)
941 if ((key1->key_flags & DNS_KEYFLAG_REVOKE) ==
942 (key2->key_flags & DNS_KEYFLAG_REVOKE))
944 if ((key1->key_flags & DNS_KEYFLAG_REVOKE) != 0 &&
945 key1->key_id != ((key2->key_id + 128) & 0xffff))
947 if ((key2->key_flags & DNS_KEYFLAG_REVOKE) != 0 &&
948 key2->key_id != ((key1->key_id + 128) & 0xffff))
953 return (compare(key1, key2));
960 * Compares only the public portion of two keys, by converting them
961 * both to wire format and comparing the results.
964 pub_compare(const dst_key_t *key1, const dst_key_t *key2) {
966 unsigned char buf1[DST_KEY_MAXSIZE], buf2[DST_KEY_MAXSIZE];
970 isc_buffer_init(&b1, buf1, sizeof(buf1));
971 result = dst_key_todns(key1, &b1);
972 if (result != ISC_R_SUCCESS)
974 /* Zero out flags. */
975 buf1[0] = buf1[1] = 0;
976 if ((key1->key_flags & DNS_KEYFLAG_EXTENDED) != 0)
977 isc_buffer_subtract(&b1, 2);
979 isc_buffer_init(&b2, buf2, sizeof(buf2));
980 result = dst_key_todns(key2, &b2);
981 if (result != ISC_R_SUCCESS)
983 /* Zero out flags. */
984 buf2[0] = buf2[1] = 0;
985 if ((key2->key_flags & DNS_KEYFLAG_EXTENDED) != 0)
986 isc_buffer_subtract(&b2, 2);
988 isc_buffer_usedregion(&b1, &r1);
989 /* Remove extended flags. */
990 if ((key1->key_flags & DNS_KEYFLAG_EXTENDED) != 0) {
991 memmove(&buf1[4], &buf1[6], r1.length - 6);
995 isc_buffer_usedregion(&b2, &r2);
996 /* Remove extended flags. */
997 if ((key2->key_flags & DNS_KEYFLAG_EXTENDED) != 0) {
998 memmove(&buf2[4], &buf2[6], r2.length - 6);
1001 return (ISC_TF(isc_region_compare(&r1, &r2) == 0));
1005 dst_key_compare(const dst_key_t *key1, const dst_key_t *key2) {
1006 return (comparekeys(key1, key2, ISC_FALSE, key1->func->compare));
1010 dst_key_pubcompare(const dst_key_t *key1, const dst_key_t *key2,
1011 isc_boolean_t match_revoked_key)
1013 return (comparekeys(key1, key2, match_revoked_key, pub_compare));
1018 dst_key_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
1019 REQUIRE(dst_initialized == ISC_TRUE);
1020 REQUIRE(VALID_KEY(key1));
1021 REQUIRE(VALID_KEY(key2));
1025 if (key1 == NULL || key2 == NULL)
1027 if (key1->key_alg == key2->key_alg &&
1028 key1->func->paramcompare != NULL &&
1029 key1->func->paramcompare(key1, key2) == ISC_TRUE)
1036 dst_key_attach(dst_key_t *source, dst_key_t **target) {
1038 REQUIRE(dst_initialized == ISC_TRUE);
1039 REQUIRE(target != NULL && *target == NULL);
1040 REQUIRE(VALID_KEY(source));
1042 isc_refcount_increment(&source->refs, NULL);
1047 dst_key_free(dst_key_t **keyp) {
1052 REQUIRE(dst_initialized == ISC_TRUE);
1053 REQUIRE(keyp != NULL && VALID_KEY(*keyp));
1058 isc_refcount_decrement(&key->refs, &refs);
1062 isc_refcount_destroy(&key->refs);
1063 if (key->keydata.generic != NULL) {
1064 INSIST(key->func->destroy != NULL);
1065 key->func->destroy(key);
1067 if (key->engine != NULL)
1068 isc_mem_free(mctx, key->engine);
1069 if (key->label != NULL)
1070 isc_mem_free(mctx, key->label);
1071 dns_name_free(key->key_name, mctx);
1072 isc_mem_put(mctx, key->key_name, sizeof(dns_name_t));
1073 if (key->key_tkeytoken) {
1074 isc_buffer_free(&key->key_tkeytoken);
1076 memset(key, 0, sizeof(dst_key_t));
1077 isc_mem_put(mctx, key, sizeof(dst_key_t));
1082 dst_key_isprivate(const dst_key_t *key) {
1083 REQUIRE(VALID_KEY(key));
1084 INSIST(key->func->isprivate != NULL);
1085 return (key->func->isprivate(key));
1089 dst_key_buildfilename(const dst_key_t *key, int type,
1090 const char *directory, isc_buffer_t *out) {
1092 REQUIRE(VALID_KEY(key));
1093 REQUIRE(type == DST_TYPE_PRIVATE || type == DST_TYPE_PUBLIC ||
1096 return (buildfilename(key->key_name, key->key_id, key->key_alg,
1097 type, directory, out));
1101 dst_key_sigsize(const dst_key_t *key, unsigned int *n) {
1102 REQUIRE(dst_initialized == ISC_TRUE);
1103 REQUIRE(VALID_KEY(key));
1106 /* XXXVIX this switch statement is too sparse to gen a jump table. */
1107 switch (key->key_alg) {
1108 case DST_ALG_RSAMD5:
1109 case DST_ALG_RSASHA1:
1110 case DST_ALG_NSEC3RSASHA1:
1111 case DST_ALG_RSASHA256:
1112 case DST_ALG_RSASHA512:
1113 *n = (key->key_size + 7) / 8;
1116 case DST_ALG_NSEC3DSA:
1117 *n = DNS_SIG_DSASIGSIZE;
1119 case DST_ALG_ECCGOST:
1120 *n = DNS_SIG_GOSTSIGSIZE;
1122 case DST_ALG_HMACMD5:
1125 case DST_ALG_HMACSHA1:
1126 *n = ISC_SHA1_DIGESTLENGTH;
1128 case DST_ALG_HMACSHA224:
1129 *n = ISC_SHA224_DIGESTLENGTH;
1131 case DST_ALG_HMACSHA256:
1132 *n = ISC_SHA256_DIGESTLENGTH;
1134 case DST_ALG_HMACSHA384:
1135 *n = ISC_SHA384_DIGESTLENGTH;
1137 case DST_ALG_HMACSHA512:
1138 *n = ISC_SHA512_DIGESTLENGTH;
1140 case DST_ALG_GSSAPI:
1141 *n = 128; /*%< XXX */
1145 return (DST_R_UNSUPPORTEDALG);
1147 return (ISC_R_SUCCESS);
1151 dst_key_secretsize(const dst_key_t *key, unsigned int *n) {
1152 REQUIRE(dst_initialized == ISC_TRUE);
1153 REQUIRE(VALID_KEY(key));
1156 if (key->key_alg == DST_ALG_DH)
1157 *n = (key->key_size + 7) / 8;
1159 return (DST_R_UNSUPPORTEDALG);
1160 return (ISC_R_SUCCESS);
1164 * Set the flags on a key, then recompute the key ID
1167 dst_key_setflags(dst_key_t *key, isc_uint32_t flags) {
1168 REQUIRE(VALID_KEY(key));
1169 key->key_flags = flags;
1170 return (computeid(key));
1174 dst_key_format(const dst_key_t *key, char *cp, unsigned int size) {
1175 char namestr[DNS_NAME_FORMATSIZE];
1176 char algstr[DNS_NAME_FORMATSIZE];
1178 dns_name_format(dst_key_name(key), namestr, sizeof(namestr));
1179 dns_secalg_format((dns_secalg_t) dst_key_alg(key), algstr,
1181 snprintf(cp, size, "%s/%s/%d", namestr, algstr, dst_key_id(key));
1185 dst_key_dump(dst_key_t *key, isc_mem_t *mctx, char **buffer, int *length) {
1187 REQUIRE(buffer != NULL && *buffer == NULL);
1188 REQUIRE(length != NULL && *length == 0);
1189 REQUIRE(VALID_KEY(key));
1191 if (key->func->isprivate == NULL)
1192 return (ISC_R_NOTIMPLEMENTED);
1193 return (key->func->dump(key, mctx, buffer, length));
1197 dst_key_restore(dns_name_t *name, unsigned int alg, unsigned int flags,
1198 unsigned int protocol, dns_rdataclass_t rdclass,
1199 isc_mem_t *mctx, const char *keystr, dst_key_t **keyp)
1201 isc_result_t result;
1204 REQUIRE(dst_initialized == ISC_TRUE);
1205 REQUIRE(keyp != NULL && *keyp == NULL);
1207 if (alg >= DST_MAX_ALGS || dst_t_func[alg] == NULL)
1208 return (DST_R_UNSUPPORTEDALG);
1210 if (dst_t_func[alg]->restore == NULL)
1211 return (ISC_R_NOTIMPLEMENTED);
1213 key = get_key_struct(name, alg, flags, protocol, 0, rdclass, mctx);
1215 return (ISC_R_NOMEMORY);
1217 result = (dst_t_func[alg]->restore)(key, keystr);
1218 if (result == ISC_R_SUCCESS)
1231 * Allocates a key structure and fills in some of the fields.
1234 get_key_struct(dns_name_t *name, unsigned int alg,
1235 unsigned int flags, unsigned int protocol,
1236 unsigned int bits, dns_rdataclass_t rdclass,
1240 isc_result_t result;
1243 key = (dst_key_t *) isc_mem_get(mctx, sizeof(dst_key_t));
1247 memset(key, 0, sizeof(dst_key_t));
1248 key->magic = KEY_MAGIC;
1250 result = isc_refcount_init(&key->refs, 1);
1251 if (result != ISC_R_SUCCESS) {
1252 isc_mem_put(mctx, key, sizeof(dst_key_t));
1256 key->key_name = isc_mem_get(mctx, sizeof(dns_name_t));
1257 if (key->key_name == NULL) {
1258 isc_refcount_destroy(&key->refs);
1259 isc_mem_put(mctx, key, sizeof(dst_key_t));
1262 dns_name_init(key->key_name, NULL);
1263 result = dns_name_dup(name, mctx, key->key_name);
1264 if (result != ISC_R_SUCCESS) {
1265 isc_refcount_destroy(&key->refs);
1266 isc_mem_put(mctx, key->key_name, sizeof(dns_name_t));
1267 isc_mem_put(mctx, key, sizeof(dst_key_t));
1271 key->key_flags = flags;
1272 key->key_proto = protocol;
1274 key->keydata.generic = NULL;
1275 key->key_size = bits;
1276 key->key_class = rdclass;
1277 key->func = dst_t_func[alg];
1280 for (i = 0; i < (DST_MAX_TIMES + 1); i++) {
1282 key->timeset[i] = ISC_FALSE;
1288 * Reads a public key from disk
1291 dst_key_read_public(const char *filename, int type,
1292 isc_mem_t *mctx, dst_key_t **keyp)
1294 u_char rdatabuf[DST_KEY_MAXSIZE];
1296 dns_fixedname_t name;
1297 isc_lex_t *lex = NULL;
1300 dns_rdata_t rdata = DNS_RDATA_INIT;
1301 unsigned int opt = ISC_LEXOPT_DNSMULTILINE;
1302 dns_rdataclass_t rdclass = dns_rdataclass_in;
1303 isc_lexspecials_t specials;
1305 isc_result_t result;
1306 dns_rdatatype_t keytype;
1309 * Open the file and read its formatted contents
1311 * domain.name [ttl] [class] [KEY|DNSKEY] <flags> <protocol> <algorithm> <key>
1314 /* 1500 should be large enough for any key */
1315 ret = isc_lex_create(mctx, 1500, &lex);
1316 if (ret != ISC_R_SUCCESS)
1319 memset(specials, 0, sizeof(specials));
1323 isc_lex_setspecials(lex, specials);
1324 isc_lex_setcomments(lex, ISC_LEXCOMMENT_DNSMASTERFILE);
1326 ret = isc_lex_openfile(lex, filename);
1327 if (ret != ISC_R_SUCCESS)
1330 #define NEXTTOKEN(lex, opt, token) { \
1331 ret = isc_lex_gettoken(lex, opt, token); \
1332 if (ret != ISC_R_SUCCESS) \
1336 #define BADTOKEN() { \
1337 ret = ISC_R_UNEXPECTEDTOKEN; \
1341 /* Read the domain name */
1342 NEXTTOKEN(lex, opt, &token);
1343 if (token.type != isc_tokentype_string)
1347 * We don't support "@" in .key files.
1349 if (!strcmp(DST_AS_STR(token), "@"))
1352 dns_fixedname_init(&name);
1353 isc_buffer_init(&b, DST_AS_STR(token), strlen(DST_AS_STR(token)));
1354 isc_buffer_add(&b, strlen(DST_AS_STR(token)));
1355 ret = dns_name_fromtext(dns_fixedname_name(&name), &b, dns_rootname,
1357 if (ret != ISC_R_SUCCESS)
1360 /* Read the next word: either TTL, class, or 'KEY' */
1361 NEXTTOKEN(lex, opt, &token);
1363 if (token.type != isc_tokentype_string)
1366 /* If it's a TTL, read the next one */
1367 result = dns_ttl_fromtext(&token.value.as_textregion, &ttl);
1368 if (result == ISC_R_SUCCESS)
1369 NEXTTOKEN(lex, opt, &token);
1371 if (token.type != isc_tokentype_string)
1374 ret = dns_rdataclass_fromtext(&rdclass, &token.value.as_textregion);
1375 if (ret == ISC_R_SUCCESS)
1376 NEXTTOKEN(lex, opt, &token);
1378 if (token.type != isc_tokentype_string)
1381 if (strcasecmp(DST_AS_STR(token), "DNSKEY") == 0)
1382 keytype = dns_rdatatype_dnskey;
1383 else if (strcasecmp(DST_AS_STR(token), "KEY") == 0)
1384 keytype = dns_rdatatype_key; /*%< SIG(0), TKEY */
1388 if (((type & DST_TYPE_KEY) != 0 && keytype != dns_rdatatype_key) ||
1389 ((type & DST_TYPE_KEY) == 0 && keytype != dns_rdatatype_dnskey)) {
1390 ret = DST_R_BADKEYTYPE;
1394 isc_buffer_init(&b, rdatabuf, sizeof(rdatabuf));
1395 ret = dns_rdata_fromtext(&rdata, rdclass, keytype, lex, NULL,
1396 ISC_FALSE, mctx, &b, NULL);
1397 if (ret != ISC_R_SUCCESS)
1400 ret = dst_key_fromdns(dns_fixedname_name(&name), rdclass, &b, mctx,
1402 if (ret != ISC_R_SUCCESS)
1407 isc_lex_destroy(&lex);
1411 static isc_boolean_t
1412 issymmetric(const dst_key_t *key) {
1413 REQUIRE(dst_initialized == ISC_TRUE);
1414 REQUIRE(VALID_KEY(key));
1416 /* XXXVIX this switch statement is too sparse to gen a jump table. */
1417 switch (key->key_alg) {
1418 case DST_ALG_RSAMD5:
1419 case DST_ALG_RSASHA1:
1420 case DST_ALG_NSEC3RSASHA1:
1421 case DST_ALG_RSASHA256:
1422 case DST_ALG_RSASHA512:
1424 case DST_ALG_NSEC3DSA:
1426 case DST_ALG_ECCGOST:
1428 case DST_ALG_HMACMD5:
1429 case DST_ALG_GSSAPI:
1437 * Write key timing metadata to a file pointer, preceded by 'tag'
1440 printtime(const dst_key_t *key, int type, const char *tag, FILE *stream) {
1441 isc_result_t result;
1442 #ifdef ISC_PLATFORM_USETHREADS
1443 char output[26]; /* Minimum buffer as per ctime_r() specification. */
1449 char utc[sizeof("YYYYMMDDHHSSMM")];
1453 result = dst_key_gettime(key, type, &when);
1454 if (result == ISC_R_NOTFOUND)
1457 /* time_t and isc_stdtime_t might be different sizes */
1459 #ifdef ISC_PLATFORM_USETHREADS
1461 if (ctime_s(output, sizeof(output), &t) != 0)
1464 if (ctime_r(&t, output) == NULL)
1471 isc_buffer_init(&b, utc, sizeof(utc));
1472 result = dns_time32_totext(when, &b);
1473 if (result != ISC_R_SUCCESS)
1476 isc_buffer_usedregion(&b, &r);
1477 fprintf(stream, "%s: %.*s (%.*s)\n", tag, (int)r.length, r.base,
1478 (int)strlen(output) - 1, output);
1482 fprintf(stream, "%s: (set, unable to display)\n", tag);
1486 * Writes a public key to disk in DNS format.
1489 write_public_key(const dst_key_t *key, int type, const char *directory) {
1491 isc_buffer_t keyb, textb, fileb, classb;
1493 char filename[ISC_DIR_NAMEMAX];
1494 unsigned char key_array[DST_KEY_MAXSIZE];
1495 char text_array[DST_KEY_MAXTEXTSIZE];
1496 char class_array[10];
1498 dns_rdata_t rdata = DNS_RDATA_INIT;
1499 isc_fsaccess_t access;
1501 REQUIRE(VALID_KEY(key));
1503 isc_buffer_init(&keyb, key_array, sizeof(key_array));
1504 isc_buffer_init(&textb, text_array, sizeof(text_array));
1505 isc_buffer_init(&classb, class_array, sizeof(class_array));
1507 ret = dst_key_todns(key, &keyb);
1508 if (ret != ISC_R_SUCCESS)
1511 isc_buffer_usedregion(&keyb, &r);
1512 dns_rdata_fromregion(&rdata, key->key_class, dns_rdatatype_dnskey, &r);
1514 ret = dns_rdata_totext(&rdata, (dns_name_t *) NULL, &textb);
1515 if (ret != ISC_R_SUCCESS)
1516 return (DST_R_INVALIDPUBLICKEY);
1518 ret = dns_rdataclass_totext(key->key_class, &classb);
1519 if (ret != ISC_R_SUCCESS)
1520 return (DST_R_INVALIDPUBLICKEY);
1523 * Make the filename.
1525 isc_buffer_init(&fileb, filename, sizeof(filename));
1526 ret = dst_key_buildfilename(key, DST_TYPE_PUBLIC, directory, &fileb);
1527 if (ret != ISC_R_SUCCESS)
1531 * Create public key file.
1533 if ((fp = fopen(filename, "w")) == NULL)
1534 return (DST_R_WRITEERROR);
1536 if (issymmetric(key)) {
1538 isc_fsaccess_add(ISC_FSACCESS_OWNER,
1539 ISC_FSACCESS_READ | ISC_FSACCESS_WRITE,
1541 (void)isc_fsaccess_set(filename, access);
1544 /* Write key information in comments */
1545 if ((type & DST_TYPE_KEY) == 0) {
1546 fprintf(fp, "; This is a %s%s-signing key, keyid %d, for ",
1547 (key->key_flags & DNS_KEYFLAG_REVOKE) != 0 ?
1550 (key->key_flags & DNS_KEYFLAG_KSK) != 0 ?
1554 ret = dns_name_print(key->key_name, fp);
1555 if (ret != ISC_R_SUCCESS) {
1561 printtime(key, DST_TIME_CREATED, "; Created", fp);
1562 printtime(key, DST_TIME_PUBLISH, "; Publish", fp);
1563 printtime(key, DST_TIME_ACTIVATE, "; Activate", fp);
1564 printtime(key, DST_TIME_REVOKE, "; Revoke", fp);
1565 printtime(key, DST_TIME_INACTIVE, "; Inactive", fp);
1566 printtime(key, DST_TIME_DELETE, "; Delete", fp);
1569 /* Now print the actual key */
1570 ret = dns_name_print(key->key_name, fp);
1574 isc_buffer_usedregion(&classb, &r);
1575 isc_util_fwrite(r.base, 1, r.length, fp);
1577 if ((type & DST_TYPE_KEY) != 0)
1578 fprintf(fp, " KEY ");
1580 fprintf(fp, " DNSKEY ");
1582 isc_buffer_usedregion(&textb, &r);
1583 isc_util_fwrite(r.base, 1, r.length, fp);
1588 ret = DST_R_WRITEERROR;
1595 buildfilename(dns_name_t *name, dns_keytag_t id,
1596 unsigned int alg, unsigned int type,
1597 const char *directory, isc_buffer_t *out)
1599 const char *suffix = "";
1601 isc_result_t result;
1603 REQUIRE(out != NULL);
1604 if ((type & DST_TYPE_PRIVATE) != 0)
1605 suffix = ".private";
1606 else if (type == DST_TYPE_PUBLIC)
1608 if (directory != NULL) {
1609 if (isc_buffer_availablelength(out) < strlen(directory))
1610 return (ISC_R_NOSPACE);
1611 isc_buffer_putstr(out, directory);
1612 if (strlen(directory) > 0U &&
1613 directory[strlen(directory) - 1] != '/')
1614 isc_buffer_putstr(out, "/");
1616 if (isc_buffer_availablelength(out) < 1)
1617 return (ISC_R_NOSPACE);
1618 isc_buffer_putstr(out, "K");
1619 result = dns_name_tofilenametext(name, ISC_FALSE, out);
1620 if (result != ISC_R_SUCCESS)
1622 len = 1 + 3 + 1 + 5 + strlen(suffix) + 1;
1623 if (isc_buffer_availablelength(out) < len)
1624 return (ISC_R_NOSPACE);
1625 sprintf((char *) isc_buffer_used(out), "+%03d+%05d%s", alg, id,
1627 isc_buffer_add(out, len);
1629 return (ISC_R_SUCCESS);
1633 computeid(dst_key_t *key) {
1634 isc_buffer_t dnsbuf;
1635 unsigned char dns_array[DST_KEY_MAXSIZE];
1639 isc_buffer_init(&dnsbuf, dns_array, sizeof(dns_array));
1640 ret = dst_key_todns(key, &dnsbuf);
1641 if (ret != ISC_R_SUCCESS)
1644 isc_buffer_usedregion(&dnsbuf, &r);
1645 key->key_id = dst_region_computeid(&r, key->key_alg);
1646 return (ISC_R_SUCCESS);
1650 frombuffer(dns_name_t *name, unsigned int alg, unsigned int flags,
1651 unsigned int protocol, dns_rdataclass_t rdclass,
1652 isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp)
1657 REQUIRE(dns_name_isabsolute(name));
1658 REQUIRE(source != NULL);
1659 REQUIRE(mctx != NULL);
1660 REQUIRE(keyp != NULL && *keyp == NULL);
1662 key = get_key_struct(name, alg, flags, protocol, 0, rdclass, mctx);
1664 return (ISC_R_NOMEMORY);
1666 if (isc_buffer_remaininglength(source) > 0) {
1667 ret = algorithm_status(alg);
1668 if (ret != ISC_R_SUCCESS) {
1672 if (key->func->fromdns == NULL) {
1674 return (DST_R_UNSUPPORTEDALG);
1677 ret = key->func->fromdns(key, source);
1678 if (ret != ISC_R_SUCCESS) {
1685 return (ISC_R_SUCCESS);
1689 algorithm_status(unsigned int alg) {
1690 REQUIRE(dst_initialized == ISC_TRUE);
1692 if (dst_algorithm_supported(alg))
1693 return (ISC_R_SUCCESS);
1695 if (alg == DST_ALG_RSAMD5 || alg == DST_ALG_RSASHA1 ||
1696 alg == DST_ALG_DSA || alg == DST_ALG_DH ||
1697 alg == DST_ALG_HMACMD5 || alg == DST_ALG_NSEC3DSA ||
1698 alg == DST_ALG_NSEC3RSASHA1 ||
1699 alg == DST_ALG_RSASHA256 || alg == DST_ALG_RSASHA512 ||
1700 alg == DST_ALG_ECCGOST)
1701 return (DST_R_NOCRYPTO);
1703 return (DST_R_UNSUPPORTEDALG);
1707 addsuffix(char *filename, int len, const char *odirname,
1708 const char *ofilename, const char *suffix)
1710 int olen = strlen(ofilename);
1713 if (olen > 1 && ofilename[olen - 1] == '.')
1715 else if (olen > 8 && strcmp(ofilename + olen - 8, ".private") == 0)
1717 else if (olen > 4 && strcmp(ofilename + olen - 4, ".key") == 0)
1720 if (odirname == NULL)
1721 n = snprintf(filename, len, "%.*s%s", olen, ofilename, suffix);
1723 n = snprintf(filename, len, "%s/%.*s%s",
1724 odirname, olen, ofilename, suffix);
1726 return (ISC_R_FAILURE);
1728 return (ISC_R_NOSPACE);
1729 return (ISC_R_SUCCESS);
1733 dst__entropy_getdata(void *buf, unsigned int len, isc_boolean_t pseudo) {
1735 unsigned int flags = dst_entropy_flags;
1738 return (ISC_R_SUCCESS);
1740 flags &= ~ISC_ENTROPY_GOODONLY;
1742 flags |= ISC_ENTROPY_BLOCKING;
1743 return (isc_entropy_getdata(dst_entropy_pool, buf, len, NULL, flags));
1749 return (ISC_R_NOTIMPLEMENTED);
1754 dst__entropy_status(void) {
1757 unsigned int flags = dst_entropy_flags;
1759 unsigned char buf[32];
1760 static isc_boolean_t first = ISC_TRUE;
1763 /* Someone believes RAND_status() initializes the PRNG */
1764 flags &= ~ISC_ENTROPY_GOODONLY;
1765 ret = isc_entropy_getdata(dst_entropy_pool, buf,
1766 sizeof(buf), NULL, flags);
1767 INSIST(ret == ISC_R_SUCCESS);
1768 isc_entropy_putdata(dst_entropy_pool, buf,
1769 sizeof(buf), 2 * sizeof(buf));
1773 return (isc_entropy_status(dst_entropy_pool));
1780 dst_key_tkeytoken(const dst_key_t *key) {
1781 REQUIRE(VALID_KEY(key));
1782 return (key->key_tkeytoken);
projects / FreeBSD / releng / 9.0.git / blob