/**
* Read the next RR from zone file.
*
*/
ldns_rr*
addns_read_rr(FILE* fd, char* line, ldns_rdf** orig, ldns_rdf** prev,
uint32_t* ttl, ldns_status* status, unsigned int* l)
{
ldns_rr* rr = NULL;
int len = 0;
uint32_t new_ttl = 0;
addns_read_line:
if (ttl) {
new_ttl = *ttl;
}
len = adutil_readline_frm_file(fd, line, l, 0);
adutil_rtrim_line(line, &len);
if (len >= 0) {
switch (line[0]) {
/* no directives */
/* comments, empty lines */
case ';':
case '\n':
goto addns_read_line; /* perhaps next line is rr */
break;
/* let's hope its a RR */
default:
if (adutil_whitespace_line(line, len)) {
goto addns_read_line; /* perhaps next line is rr */
break;
}
*status = ldns_rr_new_frm_str(&rr, line, new_ttl, *orig, prev);
if (*status == LDNS_STATUS_OK) {
return rr;
} else if (*status == LDNS_STATUS_SYNTAX_EMPTY) {
if (rr) {
ldns_rr_free(rr);
rr = NULL;
}
*status = LDNS_STATUS_OK;
goto addns_read_line; /* perhaps next line is rr */
break;
} else {
ods_log_error("[%s] error parsing RR at line %i (%s): %s",
adapter_str, l&&*l?*l:0,
ldns_get_errorstr_by_id(*status), line);
while (len >= 0) {
len = adutil_readline_frm_file(fd, line, l, 0);
}
if (rr) {
ldns_rr_free(rr);
rr = NULL;
}
return NULL;
}
break;
}
}
/* -1, EOF */
*status = LDNS_STATUS_OK;
return NULL;
}
/**
* Update serial.
*
*/
ods_status
zone_update_serial(zone_type* zone)
{
ods_status status = ODS_STATUS_OK;
rrset_type* rrset = NULL;
rr_type* soa = NULL;
ldns_rr* rr = NULL;
ldns_rdf* soa_rdata = NULL;
ods_log_assert(zone);
ods_log_assert(zone->apex);
ods_log_assert(zone->name);
ods_log_assert(zone->db);
ods_log_assert(zone->signconf);
if (zone->db->serial_updated) {
/* already done, unmark and return ok */
ods_log_debug("[%s] zone %s soa serial already up to date",
zone_str, zone->name);
zone->db->serial_updated = 0;
return ODS_STATUS_OK;
}
rrset = zone_lookup_rrset(zone, zone->apex, LDNS_RR_TYPE_SOA);
ods_log_assert(rrset);
ods_log_assert(rrset->rrs);
ods_log_assert(rrset->rrs[0].rr);
rr = ldns_rr_clone(rrset->rrs[0].rr);
if (!rr) {
ods_log_error("[%s] unable to update zone %s soa serial: failed to "
"clone soa rr", zone_str, zone->name);
return ODS_STATUS_ERR;
}
status = namedb_update_serial(zone->db, zone->signconf->soa_serial,
zone->db->inbserial);
if (status != ODS_STATUS_OK) {
ods_log_error("[%s] unable to update zone %s soa serial: %s",
zone_str, zone->name, ods_status2str(status));
ldns_rr_free(rr);
return status;
}
ods_log_verbose("[%s] zone %s set soa serial to %u", zone_str,
zone->name, zone->db->intserial);
soa_rdata = ldns_rr_set_rdf(rr,
ldns_native2rdf_int32(LDNS_RDF_TYPE_INT32,
zone->db->intserial), SE_SOA_RDATA_SERIAL);
if (soa_rdata) {
ldns_rdf_deep_free(soa_rdata);
soa_rdata = NULL;
} else {
ods_log_error("[%s] unable to update zone %s soa serial: failed to "
"replace soa serial rdata", zone_str, zone->name);
ldns_rr_free(rr);
return ODS_STATUS_ERR;
}
soa = rrset_add_rr(rrset, rr);
ods_log_assert(soa);
rrset_diff(rrset, 0, 0);
zone->db->serial_updated = 0;
return ODS_STATUS_OK;
}
/** convert to ldns rr */
static ldns_rr*
to_rr(struct ub_packed_rrset_key* k, struct packed_rrset_data* d,
uint32_t now, size_t i, uint16_t type)
{
ldns_rr* rr = ldns_rr_new();
ldns_rdf* rdf;
ldns_status status;
size_t pos;
log_assert(i < d->count + d->rrsig_count);
if(!rr) {
return NULL;
}
ldns_rr_set_type(rr, type);
ldns_rr_set_class(rr, ntohs(k->rk.rrset_class));
if(d->rr_ttl[i] < now)
ldns_rr_set_ttl(rr, 0);
else ldns_rr_set_ttl(rr, d->rr_ttl[i] - now);
pos = 0;
status = ldns_wire2dname(&rdf, k->rk.dname, k->rk.dname_len, &pos);
if(status != LDNS_STATUS_OK) {
/* we drop detailed error in status */
ldns_rr_free(rr);
return NULL;
}
ldns_rr_set_owner(rr, rdf);
pos = 0;
status = ldns_wire2rdf(rr, d->rr_data[i], d->rr_len[i], &pos);
if(status != LDNS_STATUS_OK) {
/* we drop detailed error in status */
ldns_rr_free(rr);
return NULL;
}
return rr;
}
/** convert and print rdata */
static void
print_rd(int t, char* data, size_t len)
{
size_t i, pos = 0;
uint8_t* rd = (uint8_t*)malloc(len+2);
ldns_rr* rr = ldns_rr_new();
ldns_status status;
if(!rd || !rr) {
fprintf(stderr, "out of memory");
exit(1);
}
ldns_rr_set_type(rr, t);
ldns_write_uint16(rd, len);
memmove(rd+2, data, len);
ldns_rr_set_owner(rr, NULL);
status = ldns_wire2rdf(rr, rd, len+2, &pos);
if(status != LDNS_STATUS_OK) {
free(rd);
ldns_rr_free(rr);
printf("error_printing_data");
return;
}
for(i=0; i<ldns_rr_rd_count(rr); i++) {
printf(" ");
ldns_rdf_print(stdout, ldns_rr_rdf(rr, i));
}
ldns_rr_free(rr);
free(rd);
}
void *
sign (void *arg)
{
hsm_ctx_t *ctx = NULL;
hsm_key_t *key = NULL;
size_t i;
unsigned int iterations = 0;
ldns_rr_list *rrset;
ldns_rr *rr, *sig, *dnskey_rr;
ldns_status status;
hsm_sign_params_t *sign_params;
sign_arg_t *sign_arg = arg;
ctx = sign_arg->ctx;
key = sign_arg->key;
iterations = sign_arg->iterations;
fprintf(stderr, "Signer thread #%d started...\n", sign_arg->id);
/* Prepare dummy RRset for signing */
rrset = ldns_rr_list_new();
status = ldns_rr_new_frm_str(&rr, "regress.opendnssec.se. IN A 123.123.123.123", 0, NULL, NULL);
if (status == LDNS_STATUS_OK) ldns_rr_list_push_rr(rrset, rr);
status = ldns_rr_new_frm_str(&rr, "regress.opendnssec.se. IN A 124.124.124.124", 0, NULL, NULL);
if (status == LDNS_STATUS_OK) ldns_rr_list_push_rr(rrset, rr);
sign_params = hsm_sign_params_new();
sign_params->algorithm = algorithm;
sign_params->owner = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME, "opendnssec.se.");
dnskey_rr = hsm_get_dnskey(ctx, key, sign_params);
sign_params->keytag = ldns_calc_keytag(dnskey_rr);
/* Do some signing */
for (i=0; i<iterations; i++) {
sig = hsm_sign_rrset(ctx, rrset, key, sign_params);
if (! sig) {
fprintf(stderr,
"hsm_sign_rrset() returned error: %s in %s\n",
ctx->error_message,
ctx->error_action
);
break;
}
ldns_rr_free(sig);
}
/* Clean up */
ldns_rr_list_deep_free(rrset);
hsm_sign_params_free(sign_params);
ldns_rr_free(dnskey_rr);
hsm_destroy_context(ctx);
fprintf(stderr, "Signer thread #%d done.\n", sign_arg->id);
pthread_exit(NULL);
}
/**
* Read the next RR from the backup file.
*
*/
static ldns_rr*
backup_read_rr(FILE* in, zone_type* zone, char* line, ldns_rdf** orig,
ldns_rdf** prev, ldns_status* status, unsigned int* l)
{
ldns_rr* rr = NULL;
int len = 0;
backup_read_line:
len = adutil_readline_frm_file(in, line, l, 1);
if (len >= 0) {
switch (line[0]) {
case ';':
/* done */
*status = LDNS_STATUS_OK;
return NULL;
break;
case '\n':
case '\0':
goto backup_read_line; /* perhaps next line is rr */
break;
/* let's hope its a RR */
default:
*status = ldns_rr_new_frm_str(&rr, line, zone->default_ttl,
*orig, prev);
if (*status == LDNS_STATUS_OK) {
return rr;
} else if (*status == LDNS_STATUS_SYNTAX_EMPTY) {
if (rr) {
ldns_rr_free(rr);
rr = NULL;
}
*status = LDNS_STATUS_OK;
goto backup_read_line; /* perhaps next line is rr */
break;
} else {
ods_log_error("[%s] error parsing RR #%i (%s): %s",
backup_str, l&&*l?*l:0,
ldns_get_errorstr_by_id(*status), line);
if (rr) {
ldns_rr_free(rr);
rr = NULL;
}
return NULL;
}
break;
}
}
/* -1, EOF */
*status = LDNS_STATUS_OK;
return NULL;
}
void
ldns_zone_deep_free(ldns_zone *zone)
{
ldns_rr_free(zone->_soa);
ldns_rr_list_deep_free(zone->_rrs);
LDNS_FREE(zone);
}
/**
* Lookup SOA RR.
*
*/
ldns_rr*
adutil_lookup_soa_rr(FILE* fd)
{
ldns_rr *cur_rr = NULL;
char line[SE_ADFILE_MAXLINE];
ldns_status status = LDNS_STATUS_OK;
int line_len = 0;
unsigned int l = 0;
while (line_len >= 0) {
line_len = adutil_readline_frm_file(fd, (char*) line, &l, 0);
adutil_rtrim_line(line, &line_len);
if (line_len > 0) {
if (line[0] != ';') {
status = ldns_rr_new_frm_str(&cur_rr, line, 0, NULL, NULL);
if (status == LDNS_STATUS_OK) {
if (ldns_rr_get_type(cur_rr) == LDNS_RR_TYPE_SOA) {
return cur_rr;
} else {
ldns_rr_free(cur_rr);
cur_rr = NULL;
}
}
}
}
}
return NULL;
}
INLINE void
ldns_dnssec_name_free_internal(ldns_dnssec_name *name,
int deep)
{
if (name) {
if (name->name_alloced) {
ldns_rdf_deep_free(name->name);
}
if (name->rrsets) {
ldns_dnssec_rrsets_free_internal(name->rrsets, deep);
}
if (name->nsec && deep) {
ldns_rr_free(name->nsec);
}
if (name->nsec_signatures) {
ldns_dnssec_rrs_free_internal(name->nsec_signatures, deep);
}
if (name->hashed_name) {
if (deep) {
ldns_rdf_deep_free(name->hashed_name);
}
}
LDNS_FREE(name);
}
}
/**
* Publish the NSEC3 parameters as indicated by the signer configuration.
*
*/
ods_status
zone_publish_nsec3param(zone_type* zone)
{
rrset_type* rrset = NULL;
rr_type* n3prr = NULL;
ldns_rr* rr = NULL;
ods_status status = ODS_STATUS_OK;
if (!zone || !zone->name || !zone->db || !zone->signconf) {
return ODS_STATUS_ASSERT_ERR;
}
if (!zone->signconf->nsec3params) {
/* NSEC */
ods_log_assert(zone->signconf->nsec_type == LDNS_RR_TYPE_NSEC);
return ODS_STATUS_OK;
}
if (!zone->signconf->nsec3params->rr) {
rr = ldns_rr_new_frm_type(LDNS_RR_TYPE_NSEC3PARAMS);
if (!rr) {
ods_log_error("[%s] unable to publish nsec3params for zone %s: "
"error creating rr (%s)", zone_str, zone->name,
ods_status2str(status));
return ODS_STATUS_MALLOC_ERR;
}
ldns_rr_set_class(rr, zone->klass);
ldns_rr_set_ttl(rr, 0);
ldns_rr_set_owner(rr, ldns_rdf_clone(zone->apex));
ldns_nsec3_add_param_rdfs(rr,
zone->signconf->nsec3params->algorithm, 0,
zone->signconf->nsec3params->iterations,
zone->signconf->nsec3params->salt_len,
zone->signconf->nsec3params->salt_data);
/**
* Always set bit 7 of the flags to zero,
* according to rfc5155 section 11
*/
ldns_set_bit(ldns_rdf_data(ldns_rr_rdf(rr, 1)), 7, 0);
zone->signconf->nsec3params->rr = rr;
}
ods_log_assert(zone->signconf->nsec3params->rr);
status = zone_add_rr(zone, zone->signconf->nsec3params->rr, 0);
if (status == ODS_STATUS_UNCHANGED) {
/* rr already exists, adjust pointer */
rrset = zone_lookup_rrset(zone, zone->apex, LDNS_RR_TYPE_NSEC3PARAMS);
ods_log_assert(rrset);
n3prr = rrset_lookup_rr(rrset, zone->signconf->nsec3params->rr);
ods_log_assert(n3prr);
if (n3prr->rr != zone->signconf->nsec3params->rr) {
ldns_rr_free(zone->signconf->nsec3params->rr);
}
zone->signconf->nsec3params->rr = n3prr->rr;
status = ODS_STATUS_OK;
} else if (status != ODS_STATUS_OK) {
ods_log_error("[%s] unable to publish nsec3params for zone %s: "
"error adding nsec3params (%s)", zone_str,
zone->name, ods_status2str(status));
}
return status;
}
static int
l_rr_free(lua_State *L)
{
ldns_rr *tofree = (ldns_rr*)lua_touserdata(L, 1); /* pop from the stack */
if (!tofree) {
return 0;
}
ldns_rr_free(tofree);
return 0;
}
/**
* Update current SOA.
*
*/
static void
notify_update_soa(notify_type* notify, ldns_rr* soa)
{
if (!notify) {
return;
}
if (notify->soa) {
ldns_rr_free(notify->soa);
}
notify->soa = soa;
return;
}
struct trust_anchor*
anchor_store_str(struct val_anchors* anchors, ldns_buffer* buffer,
const char* str)
{
struct trust_anchor* ta;
ldns_rr* rr = NULL;
ldns_status status = ldns_rr_new_frm_str(&rr, str, 0, NULL, NULL);
if(status != LDNS_STATUS_OK) {
log_err("error parsing trust anchor: %s",
ldns_get_errorstr_by_id(status));
ldns_rr_free(rr);
return NULL;
}
if(!(ta=anchor_store_new_rr(anchors, buffer, rr))) {
log_err("out of memory");
ldns_rr_free(rr);
return NULL;
}
ldns_rr_free(rr);
return ta;
}
INLINE void
ldns_dnssec_rrs_free_internal(ldns_dnssec_rrs *rrs, int deep)
{
ldns_dnssec_rrs *next;
while (rrs) {
next = rrs->next;
if (deep) {
ldns_rr_free(rrs->rr);
}
LDNS_FREE(rrs);
rrs = next;
}
}
ldns_status
zonefile_read(struct zonefile *z, ldns_rr **out)
{
ldns_rr *rr;
ldns_status status = LDNS_STATUS_OK;
if (!z->valid)
return (LDNS_STATUS_ERR);
if (z->count == 1 && z->rr_soa != NULL) {
*out = z->rr_soa;
z->rr_soa = NULL;
return (LDNS_STATUS_OK);
}
for (;;) {
if (feof(z->fp)) {
*out = NULL;
if (z->is_pipe)
pclose(z->fp);
else
fclose(z->fp);
z->fp = NULL;
return (LDNS_STATUS_OK);
}
status = ldns_rr_new_frm_fp_l(&rr, z->fp, &z->ttl, &z->origin, &z->prev, NULL);
switch (status) {
case LDNS_STATUS_OK:
if (ldns_rr_get_type(rr) == LDNS_RR_TYPE_SOA) {
ldns_rr_free(rr);
rr = 0;
z->valid = false;
status = LDNS_STATUS_OK;
goto out;
}
z->count++;
goto out;
case LDNS_STATUS_SYNTAX_EMPTY:
case LDNS_STATUS_SYNTAX_TTL:
case LDNS_STATUS_SYNTAX_ORIGIN:
status = LDNS_STATUS_OK;
break;
default:
goto out;
}
}
out:
if (status != LDNS_STATUS_OK)
return (status);
*out = rr;
return (status);
}
static int
hsm_test_sign (hsm_ctx_t *ctx, hsm_key_t *key, ldns_algorithm alg)
{
int result;
ldns_rr_list *rrset;
ldns_rr *rr, *sig, *dnskey_rr;
ldns_status status;
hsm_sign_params_t *sign_params;
rrset = ldns_rr_list_new();
status = ldns_rr_new_frm_str(&rr, "example.com. IN A 192.168.0.1", 0, NULL, NULL);
if (status == LDNS_STATUS_OK) ldns_rr_list_push_rr(rrset, rr);
status = ldns_rr_new_frm_str(&rr, "example.com. IN A 192.168.0.2", 0, NULL, NULL);
if (status == LDNS_STATUS_OK) ldns_rr_list_push_rr(rrset, rr);
sign_params = hsm_sign_params_new();
sign_params->algorithm = alg;
sign_params->owner = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME, "example.com.");
dnskey_rr = hsm_get_dnskey(ctx, key, sign_params);
sign_params->keytag = ldns_calc_keytag(dnskey_rr);
sig = hsm_sign_rrset(ctx, rrset, key, sign_params);
if (sig) {
result = 0;
ldns_rr_free(sig);
} else {
result = 1;
}
ldns_rr_list_deep_free(rrset);
hsm_sign_params_free(sign_params);
ldns_rr_free(dnskey_rr);
return result;
}
/** read qinfo from next three words */
static char*
load_qinfo(char* str, struct query_info* qinfo, ldns_buffer* buf,
struct regional* region)
{
/* s is part of the buf */
char* s = str;
ldns_rr* rr;
ldns_status status;
/* skip three words */
s = strchr(str, ' ');
if(s) s = strchr(s+1, ' ');
if(s) s = strchr(s+1, ' ');
if(!s) {
log_warn("error line too short, %s", str);
return NULL;
}
s[0] = 0;
s++;
/* parse them */
status = ldns_rr_new_question_frm_str(&rr, str, NULL, NULL);
if(status != LDNS_STATUS_OK) {
log_warn("error cannot parse: %s %s",
ldns_get_errorstr_by_id(status), str);
return NULL;
}
qinfo->qtype = ldns_rr_get_type(rr);
qinfo->qclass = ldns_rr_get_class(rr);
ldns_buffer_clear(buf);
status = ldns_dname2buffer_wire(buf, ldns_rr_owner(rr));
ldns_rr_free(rr);
if(status != LDNS_STATUS_OK) {
log_warn("error cannot dname2wire: %s",
ldns_get_errorstr_by_id(status));
return NULL;
}
ldns_buffer_flip(buf);
qinfo->qname_len = ldns_buffer_limit(buf);
qinfo->qname = (uint8_t*)regional_alloc_init(region,
ldns_buffer_begin(buf), ldns_buffer_limit(buf));
if(!qinfo->qname) {
log_warn("error out of memory");
return NULL;
}
return s;
}
/* key_list must be initialized with ldns_rr_list_new() */
ldns_status
read_key_file(const char *filename, ldns_rr_list *key_list)
{
int line_len = 0;
int line_nr = 0;
int key_count = 0;
char line[LDNS_MAX_PACKETLEN];
ldns_status status;
FILE *input_file;
ldns_rr *rr;
input_file = fopen(filename, "r");
if (!input_file) {
fprintf(stderr, "Error opening %s: %s\n",
filename, strerror(errno));
return LDNS_STATUS_ERR;
}
while (line_len >= 0) {
line_len = read_line(input_file, line);
line_nr++;
if (line_len > 0 && line[0] != ';') {
status = ldns_rr_new_frm_str(&rr, line, 0, NULL, NULL);
if (status != LDNS_STATUS_OK) {
fprintf(stderr,
"Error parsing DNSKEY RR in line %d: %s\n",
line_nr,
ldns_get_errorstr_by_id(status));
} else if (ldns_rr_get_type(rr) == LDNS_RR_TYPE_DNSKEY ||
ldns_rr_get_type(rr) == LDNS_RR_TYPE_DS) {
ldns_rr_list_push_rr(key_list, rr);
key_count++;
} else {
ldns_rr_free(rr);
}
}
}
// printf(";; Number of trusted keys: %d\n", key_count);
if (key_count > 0) {
return LDNS_STATUS_OK;
} else {
/*fprintf(stderr, "No keys read\n");*/
return LDNS_STATUS_ERR;
}
}
/**
* Cleanup notify structure.
*
*/
void
notify_cleanup(notify_type* notify)
{
allocator_type* allocator = NULL;
if (!notify) {
return;
}
allocator = notify->allocator;
if (notify->handler.fd != -1) {
close(notify->handler.fd);
notify->handler.fd = -1;
}
if (notify->soa) {
ldns_rr_free(notify->soa);
}
tsig_rr_cleanup(notify->tsig_rr);
allocator_deallocate(allocator, (void*) notify);
allocator_cleanup(allocator);
return;
}
/** dump one rrset zonefile line */
static int
dump_rrset_line(SSL* ssl, struct ub_packed_rrset_key* k,
struct packed_rrset_data* d, uint32_t now, size_t i, uint16_t type)
{
char* s;
ldns_rr* rr = to_rr(k, d, now, i, type);
if(!rr) {
return ssl_printf(ssl, "BADRR\n");
}
s = ldns_rr2str(rr);
ldns_rr_free(rr);
if(!s) {
return ssl_printf(ssl, "BADRR\n");
}
if(!ssl_printf(ssl, "%s", s)) {
free(s);
return 0;
}
free(s);
return 1;
}
void
zonefile_destroy(struct zonefile **z)
{
if (*z) {
if ((*z)->fp) {
if ((*z)->is_pipe)
pclose((*z)->fp);
else
fclose((*z)->fp);
}
if ((*z)->origin)
ldns_rdf_deep_free((*z)->origin);
if ((*z)->prev)
ldns_rdf_deep_free((*z)->prev);
if ((*z)->domain)
ldns_rdf_deep_free((*z)->domain);
if ((*z)->rr_soa)
ldns_rr_free((*z)->rr_soa);
free(*z);
*z = NULL;
}
}
static ldns_status
read_soa(struct zonefile *z)
{
ldns_rr *rr;
ldns_status status;
for (;;) {
status = ldns_rr_new_frm_fp_l(&rr, z->fp, &z->ttl, &z->origin, &z->prev, NULL);
switch (status) {
case LDNS_STATUS_OK:
goto out;
case LDNS_STATUS_SYNTAX_EMPTY:
case LDNS_STATUS_SYNTAX_TTL:
case LDNS_STATUS_SYNTAX_ORIGIN:
status = LDNS_STATUS_OK;
break;
default:
goto out;
}
}
out:
if (status != LDNS_STATUS_OK) {
z->valid = false;
return (LDNS_STATUS_ERR);
}
if (ldns_rr_get_type(rr) != LDNS_RR_TYPE_SOA) {
ldns_rr_free(rr);
z->valid = false;
return (LDNS_STATUS_ERR);
}
z->count = 1;
z->domain = ldns_rdf_clone(ldns_rr_owner(rr));
z->origin = ldns_rdf_clone(ldns_rr_owner(rr));
z->rr_soa = rr;
return (LDNS_STATUS_OK);
}
int
main(int argc, char **argv)
{
char *filename;
FILE *fp;
ldns_zone *z;
int line_nr = 0;
int c;
bool canonicalize = false;
bool sort = false;
bool strip = false;
bool only_dnssec = false;
bool print_soa = true;
ldns_status s;
size_t i;
ldns_rr_list *stripped_list;
ldns_rr *cur_rr;
ldns_rr_type cur_rr_type;
while ((c = getopt(argc, argv, "cdhnsvz")) != -1) {
switch(c) {
case 'c':
canonicalize = true;
break;
case 'd':
only_dnssec = true;
if (strip) {
fprintf(stderr, "Warning: stripping both DNSSEC and non-DNSSEC records. Output will be sparse.\n");
}
break;
case 'h':
printf("Usage: %s [-c] [-v] [-z] <zonefile>\n", argv[0]);
printf("\tReads the zonefile and prints it.\n");
printf("\tThe RR count of the zone is printed to stderr.\n");
printf("\t-c canonicalize all rrs in the zone.\n");
printf("\t-d only show DNSSEC data from the zone\n");
printf("\t-h show this text\n");
printf("\t-n do not print the SOA record\n");
printf("\t-s strip DNSSEC data from the zone\n");
printf("\t-v shows the version and exits\n");
printf("\t-z sort the zone (implies -c).\n");
printf("\nif no file is given standard input is read\n");
exit(EXIT_SUCCESS);
break;
case 'n':
print_soa = false;
break;
case 's':
strip = true;
if (only_dnssec) {
fprintf(stderr, "Warning: stripping both DNSSEC and non-DNSSEC records. Output will be sparse.\n");
}
break;
case 'v':
printf("read zone version %s (ldns version %s)\n", LDNS_VERSION, ldns_version());
exit(EXIT_SUCCESS);
break;
case 'z':
canonicalize = true;
sort = true;
break;
}
}
argc -= optind;
argv += optind;
if (argc == 0) {
fp = stdin;
} else {
filename = argv[0];
fp = fopen(filename, "r");
if (!fp) {
fprintf(stderr, "Unable to open %s: %s\n", filename, strerror(errno));
exit(EXIT_FAILURE);
}
}
s = ldns_zone_new_frm_fp_l(&z, fp, NULL, 0, LDNS_RR_CLASS_IN, &line_nr);
if (strip) {
stripped_list = ldns_rr_list_new();
while ((cur_rr = ldns_rr_list_pop_rr(ldns_zone_rrs(z)))) {
cur_rr_type = ldns_rr_get_type(cur_rr);
if (cur_rr_type == LDNS_RR_TYPE_RRSIG ||
cur_rr_type == LDNS_RR_TYPE_NSEC ||
cur_rr_type == LDNS_RR_TYPE_NSEC3 ||
cur_rr_type == LDNS_RR_TYPE_NSEC3PARAMS
) {
ldns_rr_free(cur_rr);
} else {
ldns_rr_list_push_rr(stripped_list, cur_rr);
}
}
ldns_rr_list_free(ldns_zone_rrs(z));
ldns_zone_set_rrs(z, stripped_list);
}
if (only_dnssec) {
stripped_list = ldns_rr_list_new();
while ((cur_rr = ldns_rr_list_pop_rr(ldns_zone_rrs(z)))) {
cur_rr_type = ldns_rr_get_type(cur_rr);
if (cur_rr_type == LDNS_RR_TYPE_RRSIG ||
cur_rr_type == LDNS_RR_TYPE_NSEC ||
cur_rr_type == LDNS_RR_TYPE_NSEC3 ||
cur_rr_type == LDNS_RR_TYPE_NSEC3PARAMS
) {
ldns_rr_list_push_rr(stripped_list, cur_rr);
} else {
ldns_rr_free(cur_rr);
}
}
ldns_rr_list_free(ldns_zone_rrs(z));
ldns_zone_set_rrs(z, stripped_list);
}
if (s == LDNS_STATUS_OK) {
if (canonicalize) {
ldns_rr2canonical(ldns_zone_soa(z));
for (i = 0; i < ldns_rr_list_rr_count(ldns_zone_rrs(z)); i++) {
ldns_rr2canonical(ldns_rr_list_rr(ldns_zone_rrs(z), i));
}
}
if (sort) {
ldns_zone_sort(z);
}
if (print_soa && ldns_zone_soa(z)) {
ldns_rr_print(stdout, ldns_zone_soa(z));
}
ldns_rr_list_print(stdout, ldns_zone_rrs(z));
ldns_zone_deep_free(z);
} else {
fprintf(stderr, "%s at %d\n",
ldns_get_errorstr_by_id(s),
line_nr);
exit(EXIT_FAILURE);
}
fclose(fp);
exit(EXIT_SUCCESS);
}
/**
* Read a file with trust anchors
* @param anchors: anchor storage.
* @param buffer: parsing buffer.
* @param fname: string.
* @param onlyone: only one trust anchor allowed in file.
* @return NULL on error. Else last trust-anchor point.
*/
static struct trust_anchor*
anchor_read_file(struct val_anchors* anchors, ldns_buffer* buffer,
const char* fname, int onlyone)
{
struct trust_anchor* ta = NULL, *tanew;
uint32_t default_ttl = 3600;
ldns_rdf* origin = NULL, *prev = NULL;
int line_nr = 1;
ldns_status status;
ldns_rr* rr;
int ok = 1;
FILE* in = fopen(fname, "r");
if(!in) {
log_err("error opening file %s: %s", fname, strerror(errno));
return 0;
}
while(!feof(in)) {
rr = NULL;
status = ldns_rr_new_frm_fp_l(&rr, in, &default_ttl, &origin,
&prev, &line_nr);
if(status == LDNS_STATUS_SYNTAX_EMPTY /* empty line */
|| status == LDNS_STATUS_SYNTAX_TTL /* $TTL */
|| status == LDNS_STATUS_SYNTAX_ORIGIN /* $ORIGIN */)
continue;
if(status != LDNS_STATUS_OK) {
log_err("parse error in %s:%d : %s", fname, line_nr,
ldns_get_errorstr_by_id(status));
ldns_rr_free(rr);
ok = 0;
break;
}
if(ldns_rr_get_type(rr) != LDNS_RR_TYPE_DS &&
ldns_rr_get_type(rr) != LDNS_RR_TYPE_DNSKEY) {
ldns_rr_free(rr);
continue;
}
if(!(tanew=anchor_store_new_rr(anchors, buffer, rr))) {
log_err("error at %s line %d", fname, line_nr);
ldns_rr_free(rr);
ok = 0;
break;
}
if(onlyone && ta && ta != tanew) {
log_err("error at %s line %d: no multiple anchor "
"domains allowed (you can have multiple "
"keys, but they must have the same name).",
fname, line_nr);
ldns_rr_free(rr);
ok = 0;
break;
}
ta = tanew;
ldns_rr_free(rr);
}
ldns_rdf_deep_free(origin);
ldns_rdf_deep_free(prev);
fclose(in);
if(!ok) return NULL;
/* empty file is OK when multiple anchors are allowed */
if(!onlyone && !ta) return (struct trust_anchor*)1;
return ta;
}
int
main(int argc, char **argv)
{
char *filename;
FILE *fp;
ldns_zone *z;
int line_nr = 0;
int c;
bool canonicalize = false;
bool sort = false;
bool strip = false;
bool only_dnssec = false;
bool print_soa = true;
ldns_status s;
size_t i;
ldns_rr_list *stripped_list;
ldns_rr *cur_rr;
ldns_rr_type cur_rr_type;
ldns_output_format_storage fmt_storage;
ldns_output_format* fmt = ldns_output_format_init(&fmt_storage);
ldns_soa_serial_increment_func_t soa_serial_increment_func = NULL;
int soa_serial_increment_func_data = 0;
while ((c = getopt(argc, argv, "0bcdhnpsu:U:vzS:")) != -1) {
switch(c) {
case 'b':
fmt->flags |=
( LDNS_COMMENT_BUBBLEBABBLE |
LDNS_COMMENT_FLAGS );
break;
case '0':
fmt->flags |= LDNS_FMT_ZEROIZE_RRSIGS;
break;
case 'c':
canonicalize = true;
break;
case 'd':
only_dnssec = true;
if (strip) {
fprintf(stderr, "Warning: stripping both DNSSEC and non-DNSSEC records. Output will be sparse.\n");
}
break;
case 'h':
print_usage("ldns-read-zone");
break;
case 'n':
print_soa = false;
break;
case 'p':
fmt->flags |= LDNS_FMT_PAD_SOA_SERIAL;
break;
case 's':
strip = true;
if (only_dnssec) {
fprintf(stderr, "Warning: stripping both DNSSEC and non-DNSSEC records. Output will be sparse.\n");
}
break;
case 'u':
s = ldns_output_format_set_type(fmt,
ldns_get_rr_type_by_name(optarg));
if (s != LDNS_STATUS_OK) {
fprintf( stderr
, "Cannot set rr type %s "
"in output format to "
"print as unknown type: %s\n"
, ldns_rr_descript(
ldns_get_rr_type_by_name(optarg)
)->_name
, ldns_get_errorstr_by_id(s)
);
exit(EXIT_FAILURE);
}
break;
case 'U':
s = ldns_output_format_clear_type(fmt,
ldns_get_rr_type_by_name(optarg));
if (s != LDNS_STATUS_OK) {
fprintf( stderr
, "Cannot set rr type %s "
"in output format to not "
"print as unknown type: %s\n"
, ldns_rr_descript(
ldns_get_rr_type_by_name(optarg)
)->_name
, ldns_get_errorstr_by_id(s)
);
exit(EXIT_FAILURE);
}
break;
case 'v':
printf("read zone version %s (ldns version %s)\n", LDNS_VERSION, ldns_version());
exit(EXIT_SUCCESS);
break;
case 'z':
canonicalize = true;
sort = true;
break;
case 'S':
strip = true;
if (*optarg == '+' || *optarg == '-') {
soa_serial_increment_func_data =
atoi(optarg);
soa_serial_increment_func =
ldns_soa_serial_increment_by;
} else if (! strtok(optarg, "0123456789")) {
soa_serial_increment_func_data =
atoi(optarg);
soa_serial_increment_func =
ldns_soa_serial_identity;
} else if (!strcasecmp(optarg, "YYYYMMDDxx")){
soa_serial_increment_func =
ldns_soa_serial_datecounter;
} else if (!strcasecmp(optarg, "unixtime")){
soa_serial_increment_func =
ldns_soa_serial_unixtime;
} else {
fprintf(stderr, "-S expects a number "
"optionally preceded by a "
"+ or - sign to indicate an "
"offset, or the text YYYYMM"
"DDxx or unixtime\n");
exit(EXIT_FAILURE);
}
break;
}
}
argc -= optind;
argv += optind;
if (argc == 0) {
fp = stdin;
} else {
filename = argv[0];
fp = fopen(filename, "r");
if (!fp) {
fprintf(stderr, "Unable to open %s: %s\n", filename, strerror(errno));
exit(EXIT_FAILURE);
}
}
s = ldns_zone_new_frm_fp_l(&z, fp, NULL, 0, LDNS_RR_CLASS_IN, &line_nr);
fclose(fp);
if (s != LDNS_STATUS_OK) {
fprintf(stderr, "%s at %d\n",
ldns_get_errorstr_by_id(s),
line_nr);
exit(EXIT_FAILURE);
}
if (strip) {
stripped_list = ldns_rr_list_new();
while ((cur_rr = ldns_rr_list_pop_rr(ldns_zone_rrs(z)))) {
cur_rr_type = ldns_rr_get_type(cur_rr);
if (cur_rr_type == LDNS_RR_TYPE_RRSIG ||
cur_rr_type == LDNS_RR_TYPE_NSEC ||
cur_rr_type == LDNS_RR_TYPE_NSEC3 ||
cur_rr_type == LDNS_RR_TYPE_NSEC3PARAM
) {
ldns_rr_free(cur_rr);
} else {
ldns_rr_list_push_rr(stripped_list, cur_rr);
}
}
ldns_rr_list_free(ldns_zone_rrs(z));
ldns_zone_set_rrs(z, stripped_list);
}
if (only_dnssec) {
stripped_list = ldns_rr_list_new();
while ((cur_rr = ldns_rr_list_pop_rr(ldns_zone_rrs(z)))) {
cur_rr_type = ldns_rr_get_type(cur_rr);
if (cur_rr_type == LDNS_RR_TYPE_RRSIG ||
cur_rr_type == LDNS_RR_TYPE_NSEC ||
cur_rr_type == LDNS_RR_TYPE_NSEC3 ||
cur_rr_type == LDNS_RR_TYPE_NSEC3PARAM
) {
ldns_rr_list_push_rr(stripped_list, cur_rr);
} else {
ldns_rr_free(cur_rr);
}
}
ldns_rr_list_free(ldns_zone_rrs(z));
ldns_zone_set_rrs(z, stripped_list);
}
if (canonicalize) {
ldns_rr2canonical(ldns_zone_soa(z));
for (i = 0; i < ldns_rr_list_rr_count(ldns_zone_rrs(z)); i++) {
ldns_rr2canonical(ldns_rr_list_rr(ldns_zone_rrs(z), i));
}
}
if (sort) {
ldns_zone_sort(z);
}
if (print_soa && ldns_zone_soa(z)) {
if (soa_serial_increment_func) {
ldns_rr_soa_increment_func_int(
ldns_zone_soa(z)
, soa_serial_increment_func
, soa_serial_increment_func_data
);
}
ldns_rr_print_fmt(stdout, fmt, ldns_zone_soa(z));
}
ldns_rr_list_print_fmt(stdout, fmt, ldns_zone_rrs(z));
ldns_zone_deep_free(z);
exit(EXIT_SUCCESS);
}
/**
* Read namedb from backup file.
*
*/
ods_status
backup_read_namedb(FILE* in, void* zone)
{
zone_type* z = (zone_type*) zone;
denial_type* denial = NULL;
rrset_type* rrset = NULL;
ods_status result = ODS_STATUS_OK;
ldns_rr_type type_covered;
ldns_rr* rr = NULL;
ldns_rdf* prev = NULL;
ldns_rdf* orig = NULL;
ldns_rdf* dname = NULL;
ldns_status status = LDNS_STATUS_OK;
char line[SE_ADFILE_MAXLINE];
char* str = NULL;
char* locator = NULL;
uint32_t flags = 0;
unsigned int l = 0;
ods_log_assert(in);
ods_log_assert(z);
/* $ORIGIN <zone name> */
dname = adapi_get_origin(z);
if (!dname) {
ods_log_error("[%s] error getting default value for $ORIGIN",
backup_str);
return ODS_STATUS_ERR;
}
orig = ldns_rdf_clone(dname);
if (!orig) {
ods_log_error("[%s] error setting default value for $ORIGIN",
backup_str);
return ODS_STATUS_ERR;
}
/* read RRs */
ods_log_debug("[%s] read RRs %s", backup_str, z->name);
while ((rr = backup_read_rr(in, z, line, &orig, &prev, &status, &l))
!= NULL) {
/* check status */
if (status != LDNS_STATUS_OK) {
ods_log_error("[%s] error reading RR #%i (%s): %s",
backup_str, l, ldns_get_errorstr_by_id(status), line);
result = ODS_STATUS_ERR;
goto backup_namedb_done;
}
/* add to the database */
result = adapi_add_rr(z, rr, 1);
if (result == ODS_STATUS_UNCHANGED) {
ods_log_debug("[%s] skipping RR #%i (duplicate): %s",
backup_str, l, line);
ldns_rr_free(rr);
rr = NULL;
result = ODS_STATUS_OK;
continue;
} else if (result != ODS_STATUS_OK) {
ods_log_error("[%s] error adding RR #%i: %s",
backup_str, l, line);
ldns_rr_free(rr);
rr = NULL;
goto backup_namedb_done;
}
}
if (result == ODS_STATUS_OK && status != LDNS_STATUS_OK) {
ods_log_error("[%s] error reading RR #%i (%s): %s",
backup_str, l, ldns_get_errorstr_by_id(status), line);
result = ODS_STATUS_ERR;
goto backup_namedb_done;
}
namedb_diff(z->db, 0, 0);
/* read NSEC(3)s */
ods_log_debug("[%s] read NSEC(3)s %s", backup_str, z->name);
l = 0;
while ((rr = backup_read_rr(in, z, line, &orig, &prev, &status, &l))
!= NULL) {
/* check status */
if (status != LDNS_STATUS_OK) {
ods_log_error("[%s] error reading NSEC(3) #%i (%s): %s",
backup_str, l, ldns_get_errorstr_by_id(status), line);
result = ODS_STATUS_ERR;
goto backup_namedb_done;
}
if (ldns_rr_get_type(rr) != LDNS_RR_TYPE_NSEC &&
ldns_rr_get_type(rr) != LDNS_RR_TYPE_NSEC3) {
ods_log_error("[%s] error NSEC(3) #%i is not NSEC(3): %s",
backup_str, l, line);
ldns_rr_free(rr);
rr = NULL;
result = ODS_STATUS_ERR;
goto backup_namedb_done;
}
/* add to the denial chain */
denial = namedb_lookup_denial(z->db, ldns_rr_owner(rr));
if (!denial) {
ods_log_error("[%s] error adding NSEC(3) #%i: %s",
backup_str, l, line);
ldns_rr_free(rr);
rr = NULL;
result = ODS_STATUS_ERR;
goto backup_namedb_done;
}
denial_add_rr(denial, rr);
}
if (result == ODS_STATUS_OK && status != LDNS_STATUS_OK) {
ods_log_error("[%s] error reading NSEC(3) #%i (%s): %s",
backup_str, l, ldns_get_errorstr_by_id(status), line);
result = ODS_STATUS_ERR;
goto backup_namedb_done;
}
/* read RRSIGs */
ods_log_debug("[%s] read RRSIGs %s", backup_str, z->name);
l = 0;
while ((rr = backup_read_rr(in, z, line, &orig, &prev, &status, &l))
!= NULL) {
/* check status */
if (status != LDNS_STATUS_OK) {
ods_log_error("[%s] error reading RRSIG #%i (%s): %s",
backup_str, l, ldns_get_errorstr_by_id(status), line);
result = ODS_STATUS_ERR;
goto backup_namedb_done;
}
if (ldns_rr_get_type(rr) != LDNS_RR_TYPE_RRSIG) {
ods_log_error("[%s] error RRSIG #%i is not RRSIG: %s",
backup_str, l, line);
ldns_rr_free(rr);
rr = NULL;
result = ODS_STATUS_ERR;
goto backup_namedb_done;
}
/* read locator and flags */
str = strstr(line, "flags");
if (str) {
flags = (uint32_t) atoi(str+6);
}
str = strstr(line, "locator");
if (str) {
locator = replace_space_with_nul(str+8);
}
/* add signatures */
type_covered = ldns_rdf2rr_type(ldns_rr_rrsig_typecovered(rr));
if (type_covered == LDNS_RR_TYPE_NSEC ||
type_covered == LDNS_RR_TYPE_NSEC3) {
denial = namedb_lookup_denial(z->db, ldns_rr_owner(rr));
if (!denial) {
ods_log_error("[%s] error restoring RRSIG #%i (%s): %s",
backup_str, l, ldns_get_errorstr_by_id(status), line);
ldns_rr_free(rr);
rr = NULL;
result = ODS_STATUS_ERR;
goto backup_namedb_done;
}
rrset = denial->rrset;
} else {
rrset = zone_lookup_rrset(z, ldns_rr_owner(rr), type_covered);
}
if (!rrset || !rrset_add_rrsig(rrset, rr, locator, flags)) {
ods_log_error("[%s] error restoring RRSIG #%i (%s): %s",
backup_str, l, ldns_get_errorstr_by_id(status), line);
ldns_rr_free(rr);
rr = NULL;
result = ODS_STATUS_ERR;
goto backup_namedb_done;
} else {
rrset->needs_signing = 0;
}
}
if (result == ODS_STATUS_OK && status != LDNS_STATUS_OK) {
ods_log_error("[%s] error reading RRSIG #%i (%s): %s",
backup_str, l, ldns_get_errorstr_by_id(status), line);
result = ODS_STATUS_ERR;
}
backup_namedb_done:
if (orig) {
ldns_rdf_deep_free(orig);
orig = NULL;
}
if (prev) {
ldns_rdf_deep_free(prev);
prev = NULL;
}
return result;
}
/*
* Makes an exact copy of the wire, but with the tsig rr removed
*/
static uint8_t *
ldns_tsig_prepare_pkt_wire(uint8_t *wire, size_t wire_len, size_t *result_len)
{
uint8_t *wire2 = NULL;
uint16_t qd_count;
uint16_t an_count;
uint16_t ns_count;
uint16_t ar_count;
ldns_rr *rr;
size_t pos;
uint16_t i;
ldns_status status;
if(wire_len < LDNS_HEADER_SIZE) {
return NULL;
}
/* fake parse the wire */
qd_count = LDNS_QDCOUNT(wire);
an_count = LDNS_ANCOUNT(wire);
ns_count = LDNS_NSCOUNT(wire);
ar_count = LDNS_ARCOUNT(wire);
if (ar_count > 0) {
ar_count--;
} else {
return NULL;
}
pos = LDNS_HEADER_SIZE;
for (i = 0; i < qd_count; i++) {
status = ldns_wire2rr(&rr, wire, wire_len, &pos, LDNS_SECTION_QUESTION);
if (status != LDNS_STATUS_OK) {
return NULL;
}
ldns_rr_free(rr);
}
for (i = 0; i < an_count; i++) {
status = ldns_wire2rr(&rr, wire, wire_len, &pos, LDNS_SECTION_ANSWER);
if (status != LDNS_STATUS_OK) {
return NULL;
}
ldns_rr_free(rr);
}
for (i = 0; i < ns_count; i++) {
status = ldns_wire2rr(&rr, wire, wire_len, &pos, LDNS_SECTION_AUTHORITY);
if (status != LDNS_STATUS_OK) {
return NULL;
}
ldns_rr_free(rr);
}
for (i = 0; i < ar_count; i++) {
status = ldns_wire2rr(&rr, wire, wire_len, &pos,
LDNS_SECTION_ADDITIONAL);
if (status != LDNS_STATUS_OK) {
return NULL;
}
ldns_rr_free(rr);
}
*result_len = pos;
wire2 = LDNS_XMALLOC(uint8_t, *result_len);
if(!wire2) {
return NULL;
}
memcpy(wire2, wire, *result_len);
ldns_write_uint16(wire2 + LDNS_ARCOUNT_OFF, ar_count);
return wire2;
}
static uint16_t
dnskey_from_id(std::string &dnskey,
const char *id,
::ods::keystate::keyrole role,
const char *zone,
int algorithm,
int bDS,
uint32_t ttl)
{
hsm_key_t *key;
hsm_sign_params_t *sign_params;
ldns_rr *dnskey_rr;
ldns_algorithm algo = (ldns_algorithm)algorithm;
/* Code to output the DNSKEY record (stolen from hsmutil) */
hsm_ctx_t *hsm_ctx = hsm_create_context();
if (!hsm_ctx) {
ods_log_error("[%s] Could not connect to HSM", module_str);
return false;
}
key = hsm_find_key_by_id(hsm_ctx, id);
if (!key) {
// printf("Key %s in DB but not repository\n", id);
hsm_destroy_context(hsm_ctx);
return 0;
}
/*
* Sign params only need to be kept around
* for the hsm_get_dnskey() call.
*/
sign_params = hsm_sign_params_new();
sign_params->owner = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME, zone);
sign_params->algorithm = algo;
sign_params->flags = LDNS_KEY_ZONE_KEY;
if (role == ::ods::keystate::KSK)
sign_params->flags += LDNS_KEY_SEP_KEY; /*KSK=>SEP*/
/* Get the DNSKEY record */
dnskey_rr = hsm_get_dnskey(hsm_ctx, key, sign_params);
hsm_sign_params_free(sign_params);
/* Calculate the keytag for this key, we return it. */
uint16_t keytag = ldns_calc_keytag(dnskey_rr);
/* Override the TTL in the dnskey rr */
if (ttl)
ldns_rr_set_ttl(dnskey_rr, ttl);
char *rrstr;
if (!bDS) {
#if 0
ldns_rr_print(stdout, dnskey_rr);
#endif
rrstr = ldns_rr2str(dnskey_rr);
dnskey = rrstr;
LDNS_FREE(rrstr);
} else {
switch (algo) {
case LDNS_RSASHA1: // 5
{
/* DS record (SHA1) */
ldns_rr *ds_sha1_rr = ldns_key_rr2ds(dnskey_rr, LDNS_SHA1);
#if 0
ldns_rr_print(stdout, ds_sha1_rr);
#endif
rrstr = ldns_rr2str(ds_sha1_rr);
dnskey = rrstr;
LDNS_FREE(rrstr);
ldns_rr_free(ds_sha1_rr);
break;
}
case LDNS_RSASHA256: // 8 - RFC 5702
{
/* DS record (SHA256) */
ldns_rr *ds_sha256_rr = ldns_key_rr2ds(dnskey_rr, LDNS_SHA256);
#if 0
ldns_rr_print(stdout, ds_sha256_rr);
#endif
rrstr = ldns_rr2str(ds_sha256_rr);
dnskey = rrstr;
LDNS_FREE(rrstr);
ldns_rr_free(ds_sha256_rr);
break;
}
default:
keytag = 0;
}
}
ldns_rr_free(dnskey_rr);
hsm_key_free(key);
hsm_destroy_context(hsm_ctx);
return keytag;
}
int
main (int argc, char *argv[])
{
int result;
hsm_ctx_t *ctx;
hsm_key_t **keys;
hsm_key_t *key = NULL;
char *id;
size_t key_count = 0;
size_t i;
ldns_rr_list *rrset;
ldns_rr *rr, *sig, *dnskey_rr;
ldns_status status;
hsm_sign_params_t *sign_params;
int do_generate = 0;
int do_sign = 0;
int do_delete = 0;
int do_random = 0;
int res;
uint32_t r32;
uint64_t r64;
char *config = NULL;
const char *repository = "default";
int ch;
progname = argv[0];
while ((ch = getopt(argc, argv, "hgsdrc:")) != -1) {
switch (ch) {
case 'c':
config = strdup(optarg);
break;
case 'g':
do_generate = 1;
break;
case 'h':
usage();
exit(0);
break;
case 's':
do_sign = 1;
break;
case 'd':
do_delete = 1;
break;
case 'r':
do_random = 1;
break;
default:
usage();
exit(1);
}
}
if (!config) {
usage();
exit(1);
}
/*
* Open HSM library
*/
fprintf(stdout, "Starting HSM lib test\n");
result = hsm_open(config, hsm_prompt_pin);
fprintf(stdout, "hsm_open result: %d\n", result);
/*
* Create HSM context
*/
ctx = hsm_create_context();
printf("global: ");
hsm_print_ctx(NULL);
printf("my: ");
hsm_print_ctx(ctx);
/*
* Generate a new key OR find any key with an ID
*/
if (do_generate) {
key = hsm_generate_rsa_key(ctx, repository, 1024);
if (key) {
printf("\nCreated key!\n");
hsm_print_key(key);
printf("\n");
} else {
printf("Error creating key, bad token name?\n");
hsm_print_error(ctx);
exit(1);
}
} else if (do_sign || do_delete) {
keys = hsm_list_keys(ctx, &key_count);
printf("I have found %u keys\n", (unsigned int) key_count);
/* let's just use the very first key we find and throw away the rest */
for (i = 0; i < key_count && !key; i++) {
printf("\nFound key!\n");
hsm_print_key(keys[i]);
id = hsm_get_key_id(ctx, keys[i]);
if (id) {
printf("Using key ID: %s\n", id);
if (key) hsm_key_free(key);
key = hsm_find_key_by_id(ctx, id);
printf("ptr: 0x%p\n", (void *) key);
free(id);
} else {
printf("Got no key ID (broken key?), skipped...\n");
}
hsm_key_free(keys[i]);
}
free(keys);
if (!key) {
printf("Failed to find useful key\n");
exit(1);
}
}
/*
* Do some signing
*/
if (do_sign) {
printf("\nSigning with:\n");
hsm_print_key(key);
printf("\n");
rrset = ldns_rr_list_new();
status = ldns_rr_new_frm_str(&rr, "regress.opendnssec.se. IN A 123.123.123.123", 0, NULL, NULL);
if (status == LDNS_STATUS_OK) ldns_rr_list_push_rr(rrset, rr);
status = ldns_rr_new_frm_str(&rr, "regress.opendnssec.se. IN A 124.124.124.124", 0, NULL, NULL);
if (status == LDNS_STATUS_OK) ldns_rr_list_push_rr(rrset, rr);
sign_params = hsm_sign_params_new();
sign_params->algorithm = LDNS_RSASHA1;
sign_params->owner = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME, "opendnssec.se.");
dnskey_rr = hsm_get_dnskey(ctx, key, sign_params);
sign_params->keytag = ldns_calc_keytag(dnskey_rr);
sig = hsm_sign_rrset(ctx, rrset, key, sign_params);
if (sig) {
ldns_rr_list_print(stdout, rrset);
ldns_rr_print(stdout, sig);
ldns_rr_print(stdout, dnskey_rr);
ldns_rr_free(sig);
} else {
hsm_print_error(ctx);
exit(-1);
}
/* cleanup */
ldns_rr_list_deep_free(rrset);
hsm_sign_params_free(sign_params);
ldns_rr_free(dnskey_rr);
}
/*
* Delete key
*/
if (do_delete) {
printf("\nDelete key:\n");
hsm_print_key(key);
/* res = hsm_remove_key(ctx, key); */
res = hsm_remove_key(ctx, key);
printf("Deleted key. Result: %d\n", res);
printf("\n");
}
if (key) hsm_key_free(key);
/*
* Test random{32,64} functions
*/
if (do_random) {
r32 = hsm_random32(ctx);
printf("random 32: %u\n", r32);
r64 = hsm_random64(ctx);
printf("random 64: %llu\n", (long long unsigned int)r64);
}
/*
* Destroy HSM context
*/
if (ctx) {
hsm_destroy_context(ctx);
}
/*
* Close HSM library
*/
result = hsm_close();
fprintf(stdout, "all done! hsm_close result: %d\n", result);
if (config) free(config);
return 0;
}
/**
* Read ixfr journal from file.
*
*
*/
ods_status
backup_read_ixfr(FILE* in, void* zone)
{
zone_type* z = (zone_type*) zone;
ods_status result = ODS_STATUS_OK;
ldns_rr* rr = NULL;
ldns_rdf* prev = NULL;
ldns_rdf* orig = NULL;
ldns_rdf* dname = NULL;
ldns_status status = LDNS_STATUS_OK;
char line[SE_ADFILE_MAXLINE];
uint32_t serial = 0;
unsigned l = 0;
unsigned first_soa = 1; /* expect soa first */
unsigned del_mode = 0;
ods_log_assert(in);
ods_log_assert(z);
/* $ORIGIN <zone name> */
dname = adapi_get_origin(z);
if (!dname) {
ods_log_error("[%s] error getting default value for $ORIGIN",
backup_str);
return ODS_STATUS_ERR;
}
orig = ldns_rdf_clone(dname);
if (!orig) {
ods_log_error("[%s] error setting default value for $ORIGIN",
backup_str);
return ODS_STATUS_ERR;
}
/* read RRs */
while ((rr = backup_read_rr(in, z, line, &orig, &prev, &status, &l))
!= NULL) {
/* check status */
if (status != LDNS_STATUS_OK) {
ods_log_error("[%s] error reading RR #%i (%s): %s",
backup_str, l, ldns_get_errorstr_by_id(status), line);
result = ODS_STATUS_ERR;
goto backup_ixfr_done;
}
if (first_soa == 2) {
ods_log_error("[%s] bad ixfr journal: trailing RRs after final "
"SOA", backup_str);
ldns_rr_free(rr);
rr = NULL;
result = ODS_STATUS_ERR;
goto backup_ixfr_done;
}
if (ldns_rr_get_type(rr) == LDNS_RR_TYPE_SOA) {
serial = ldns_rdf2native_int32(
ldns_rr_rdf(rr, SE_SOA_RDATA_SERIAL));
if (first_soa) {
ods_log_debug("[%s] ixfr first SOA: %s", backup_str,
ldns_rr2str(rr));
/* first SOA */
ldns_rr_free(rr);
rr = NULL;
if (z->db->outserial != serial) {
ods_log_error("[%s] bad ixfr journal: first SOA wrong "
"serial (was %u, expected %u)", backup_str,
serial, z->db->outserial);
result = ODS_STATUS_ERR;
goto backup_ixfr_done;
}
first_soa = 0;
continue;
}
ods_log_assert(!first_soa);
if (!del_mode) {
if (z->db->outserial == serial) {
/* final SOA */
ods_log_debug("[%s] ixfr final SOA: %s", backup_str,
ldns_rr2str(rr));
ldns_rr_free(rr);
rr = NULL;
result = ODS_STATUS_OK;
first_soa = 2;
continue;
} else {
ods_log_debug("[%s] new part SOA: %s", backup_str,
ldns_rr2str(rr));
lock_basic_lock(&z->ixfr->ixfr_lock);
ixfr_purge(z->ixfr);
lock_basic_unlock(&z->ixfr->ixfr_lock);
}
} else {
ods_log_debug("[%s] second part SOA: %s", backup_str,
ldns_rr2str(rr));
}
del_mode = !del_mode;
}
/* ixfr add or del rr */
if (first_soa) {
ods_log_error("[%s] bad ixfr journal: first RR not SOA",
backup_str);
ldns_rr_free(rr);
rr = NULL;
result = ODS_STATUS_ERR;
goto backup_ixfr_done;
}
ods_log_assert(!first_soa);
lock_basic_lock(&z->ixfr->ixfr_lock);
if (del_mode) {
ods_log_debug("[%s] -IXFR: %s", backup_str, ldns_rr2str(rr));
ixfr_del_rr(z->ixfr, rr);
} else {
ods_log_debug("[%s] +IXFR: %s", backup_str, ldns_rr2str(rr));
ixfr_add_rr(z->ixfr, rr);
}
lock_basic_unlock(&z->ixfr->ixfr_lock);
}
if (result == ODS_STATUS_OK && status != LDNS_STATUS_OK) {
ods_log_error("[%s] error reading RR #%i (%s): %s",
backup_str, l, ldns_get_errorstr_by_id(status), line);
result = ODS_STATUS_ERR;
}
backup_ixfr_done:
if (orig) {
ldns_rdf_deep_free(orig);
orig = NULL;
}
if (prev) {
ldns_rdf_deep_free(prev);
prev = NULL;
}
return result;
}
