static isc_result_t
buildfilename(dns_name_t *name, dns_keytag_t id,
unsigned int alg, unsigned int type,
const char *directory, isc_buffer_t *out)
{
const char *suffix = "";
unsigned int len;
isc_result_t result;
REQUIRE(out != NULL);
if ((type & DST_TYPE_PRIVATE) != 0)
suffix = ".private";
else if (type == DST_TYPE_PUBLIC)
suffix = ".key";
if (directory != NULL) {
if (isc_buffer_availablelength(out) < strlen(directory))
return (ISC_R_NOSPACE);
isc_buffer_putstr(out, directory);
if (strlen(directory) > 0U &&
directory[strlen(directory) - 1] != '/')
isc_buffer_putstr(out, "/");
}
if (isc_buffer_availablelength(out) < 1)
return (ISC_R_NOSPACE);
isc_buffer_putstr(out, "K");
result = dns_name_tofilenametext(name, ISC_FALSE, out);
if (result != ISC_R_SUCCESS)
return (result);
len = 1 + 3 + 1 + 5 + strlen(suffix) + 1;
if (isc_buffer_availablelength(out) < len)
return (ISC_R_NOSPACE);
sprintf((char *) isc_buffer_used(out), "+%03d+%05d%s", alg, id,
suffix);
isc_buffer_add(out, len);
return (ISC_R_SUCCESS);
}
int
main(int argc, char *argv[]) {
isc_token_t token;
isc_result_t result;
int c;
unsigned int options = 0;
dns_rdatatype_t rdtype;
dns_rdataclass_t rdclass;
char text[256*1024];
char data[64*1024];
isc_buffer_t tbuf;
isc_buffer_t dbuf;
dns_rdata_t rdata = DNS_RDATA_INIT;
isc_boolean_t doexit = ISC_FALSE;
isc_boolean_t once = ISC_FALSE;
isc_boolean_t print = ISC_FALSE;
isc_boolean_t unknown = ISC_FALSE;
unsigned int t;
char *origin = NULL;
dns_fixedname_t fixed;
dns_name_t *name = NULL;
while ((c = isc_commandline_parse(argc, argv, "ho:puCPT")) != -1) {
switch (c) {
case 'o':
origin = isc_commandline_argument;
break;
case 'p':
print = ISC_TRUE;
break;
case 'u':
unknown = ISC_TRUE;
break;
case 'C':
for (t = 1; t <= 0xfeffu; t++) {
if (dns_rdataclass_ismeta(t))
continue;
dns_rdataclass_format(t, text, sizeof(text));
if (strncmp(text, "CLASS", 4) != 0)
fprintf(stdout, "%s\n", text);
}
exit(0);
case 'P':
for (t = 0xff00; t <= 0xfffeu; t++) {
if (dns_rdatatype_ismeta(t))
continue;
dns_rdatatype_format(t, text, sizeof(text));
if (strncmp(text, "TYPE", 4) != 0)
fprintf(stdout, "%s\n", text);
}
doexit = ISC_TRUE;
break;
case 'T':
for (t = 1; t <= 0xfeffu; t++) {
if (dns_rdatatype_ismeta(t))
continue;
dns_rdatatype_format(t, text, sizeof(text));
if (strncmp(text, "TYPE", 4) != 0)
fprintf(stdout, "%s\n", text);
}
doexit = ISC_TRUE;
break;
case '?':
case 'h':
/* Does not return. */
usage();
default:
fprintf(stderr, "%s: unhandled option -%c\n",
argv[0], isc_commandline_option);
exit(1);
}
}
if (doexit)
exit(0);
RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
RUNTIME_CHECK(isc_lex_create(mctx, 256, &lex) == ISC_R_SUCCESS);
/*
* Set up to lex DNS master file.
*/
specials['('] = 1;
specials[')'] = 1;
specials['"'] = 1;
isc_lex_setspecials(lex, specials);
options = ISC_LEXOPT_EOL;
isc_lex_setcomments(lex, ISC_LEXCOMMENT_DNSMASTERFILE);
RUNTIME_CHECK(isc_lex_openstream(lex, stdin) == ISC_R_SUCCESS);
if (origin != NULL) {
dns_fixedname_init(&fixed);
name = dns_fixedname_name(&fixed);
result = dns_name_fromstring(name, origin, 0, NULL);
if (result != ISC_R_SUCCESS) {
fatal("dns_name_fromstring: %s",
dns_result_totext(result));
}
}
while ((result = isc_lex_gettoken(lex, options | ISC_LEXOPT_NUMBER,
&token)) == ISC_R_SUCCESS) {
if (token.type == isc_tokentype_eof)
break;
if (token.type == isc_tokentype_eol)
continue;
if (once) {
fatal("extra data");
}
/*
* Get class.
*/
if (token.type == isc_tokentype_number) {
rdclass = (dns_rdataclass_t) token.value.as_ulong;
if (token.value.as_ulong > 0xffffu) {
fatal("class value too big %lu",
token.value.as_ulong);
}
if (dns_rdataclass_ismeta(rdclass)) {
fatal("class %lu is a meta value",
token.value.as_ulong);
}
} else if (token.type == isc_tokentype_string) {
result = dns_rdataclass_fromtext(&rdclass,
&token.value.as_textregion);
if (result != ISC_R_SUCCESS) {
fatal("dns_rdataclass_fromtext: %s",
dns_result_totext(result));
}
if (dns_rdataclass_ismeta(rdclass)) {
fatal("class %.*s(%d) is a meta value",
(int)token.value.as_textregion.length,
token.value.as_textregion.base, rdclass);
}
} else {
fatal("unexpected token %u", token.type);
}
result = isc_lex_gettoken(lex, options | ISC_LEXOPT_NUMBER,
&token);
if (result != ISC_R_SUCCESS)
break;
if (token.type == isc_tokentype_eol)
continue;
if (token.type == isc_tokentype_eof)
break;
/*
* Get type.
*/
if (token.type == isc_tokentype_number) {
rdtype = (dns_rdatatype_t) token.value.as_ulong;
if (token.value.as_ulong > 0xffffu) {
fatal("type value too big %lu",
token.value.as_ulong);
}
if (dns_rdatatype_ismeta(rdtype)) {
fatal("type %lu is a meta value",
token.value.as_ulong);
}
} else if (token.type == isc_tokentype_string) {
result = dns_rdatatype_fromtext(&rdtype,
&token.value.as_textregion);
if (result != ISC_R_SUCCESS) {
fatal("dns_rdatatype_fromtext: %s",
dns_result_totext(result));
}
if (dns_rdatatype_ismeta(rdtype)) {
fatal("type %.*s(%d) is a meta value",
(int)token.value.as_textregion.length,
token.value.as_textregion.base, rdtype);
}
} else {
fatal("unexpected token %u", token.type);
}
isc_buffer_init(&dbuf, data, sizeof(data));
result = dns_rdata_fromtext(&rdata, rdclass, rdtype, lex,
name, 0, mctx, &dbuf, NULL);
if (result != ISC_R_SUCCESS) {
fatal("dns_rdata_fromtext: %s",
dns_result_totext(result));
}
once = ISC_TRUE;
}
if (result != ISC_R_EOF) {
fatal("eof not found");
}
if (!once) {
fatal("no records found");
}
if (print) {
isc_buffer_init(&tbuf, text, sizeof(text));
result = dns_rdataclass_totext(rdclass, &tbuf);
if (result != ISC_R_SUCCESS) {
fatal("dns_rdataclass_totext: %s",
dns_result_totext(result));
}
isc_buffer_putstr(&tbuf, "\t");
result = dns_rdatatype_totext(rdtype, &tbuf);
if (result != ISC_R_SUCCESS) {
fatal("dns_rdatatype_totext: %s",
dns_result_totext(result));
}
isc_buffer_putstr(&tbuf, "\t");
result = dns_rdata_totext(&rdata, NULL, &tbuf);
if (result != ISC_R_SUCCESS) {
fatal("dns_rdata_totext: %s",
dns_result_totext(result));
}
printf("%.*s\n", (int)tbuf.used, (char*)tbuf.base);
fflush(stdout);
}
if (unknown) {
isc_buffer_init(&tbuf, text, sizeof(text));
result = dns_rdataclass_tounknowntext(rdclass, &tbuf);
if (result != ISC_R_SUCCESS) {
fatal("dns_rdataclass_tounknowntext: %s",
dns_result_totext(result));
}
isc_buffer_putstr(&tbuf, "\t");
result = dns_rdatatype_tounknowntext(rdtype, &tbuf);
if (result != ISC_R_SUCCESS) {
fatal("dns_rdatatype_tounknowntext: %s",
dns_result_totext(result));
}
isc_buffer_putstr(&tbuf, "\t");
result = dns_rdata_tofmttext(&rdata, NULL,
DNS_STYLEFLAG_UNKNOWNFORMAT,
0, 0, "", &tbuf);
if (result != ISC_R_SUCCESS) {
fatal("dns_rdata_tofmttext: %sn",
dns_result_totext(result));
}
printf("%.*s\n", (int)tbuf.used, (char*)tbuf.base);
fflush(stdout);
}
isc_lex_close(lex);
isc_lex_destroy(&lex);
isc_mem_destroy(&mctx);
return (0);
}
static void
emit(unsigned int dtype, isc_boolean_t showall, char *lookaside,
dns_rdata_t *rdata)
{
isc_result_t result;
unsigned char buf[DNS_DS_BUFFERSIZE];
char text_buf[DST_KEY_MAXTEXTSIZE];
char name_buf[DNS_NAME_MAXWIRE];
char class_buf[10];
isc_buffer_t textb, nameb, classb;
isc_region_t r;
dns_rdata_t ds;
dns_rdata_dnskey_t dnskey;
isc_buffer_init(&textb, text_buf, sizeof(text_buf));
isc_buffer_init(&nameb, name_buf, sizeof(name_buf));
isc_buffer_init(&classb, class_buf, sizeof(class_buf));
dns_rdata_init(&ds);
result = dns_rdata_tostruct(rdata, &dnskey, NULL);
if (result != ISC_R_SUCCESS)
fatal("can't convert DNSKEY");
if ((dnskey.flags & DNS_KEYFLAG_KSK) == 0 && !showall)
return;
result = dns_ds_buildrdata(name, rdata, dtype, buf, &ds);
if (result != ISC_R_SUCCESS)
fatal("can't build record");
result = dns_name_totext(name, ISC_FALSE, &nameb);
if (result != ISC_R_SUCCESS)
fatal("can't print name");
/* Add lookaside origin, if set */
if (lookaside != NULL) {
if (isc_buffer_availablelength(&nameb) < strlen(lookaside))
fatal("DLV origin '%s' is too long", lookaside);
isc_buffer_putstr(&nameb, lookaside);
if (lookaside[strlen(lookaside) - 1] != '.') {
if (isc_buffer_availablelength(&nameb) < 1)
fatal("DLV origin '%s' is too long", lookaside);
isc_buffer_putstr(&nameb, ".");
}
}
result = dns_rdata_totext(&ds, (dns_name_t *) NULL, &textb);
if (result != ISC_R_SUCCESS)
fatal("can't print rdata");
result = dns_rdataclass_totext(rdclass, &classb);
if (result != ISC_R_SUCCESS)
fatal("can't print class");
isc_buffer_usedregion(&nameb, &r);
printf("%.*s ", (int)r.length, r.base);
isc_buffer_usedregion(&classb, &r);
printf("%.*s", (int)r.length, r.base);
if (lookaside == NULL)
printf(" DS ");
else
printf(" DLV ");
isc_buffer_usedregion(&textb, &r);
printf("%.*s\n", (int)r.length, r.base);
}
/*
* Perform an update-policy rule check against an external application
* over a socket.
*
* This currently only supports local: for unix domain datagram sockets.
*
* Note that by using a datagram socket and creating a new socket each
* time we avoid the need for locking and allow for parallel access to
* the authorization server.
*/
isc_boolean_t
dns_ssu_external_match(dns_name_t *identity,
dns_name_t *signer, dns_name_t *name,
isc_netaddr_t *tcpaddr, dns_rdatatype_t type,
const dst_key_t *key, isc_mem_t *mctx)
{
char b_identity[DNS_NAME_FORMATSIZE];
char b_signer[DNS_NAME_FORMATSIZE];
char b_name[DNS_NAME_FORMATSIZE];
char b_addr[ISC_NETADDR_FORMATSIZE];
char b_type[DNS_RDATATYPE_FORMATSIZE];
char b_key[DST_KEY_FORMATSIZE];
isc_buffer_t *tkey_token = NULL;
int fd;
const char *sock_path;
unsigned int req_len;
isc_region_t token_region;
unsigned char *data;
isc_buffer_t buf;
isc_uint32_t token_len = 0;
isc_uint32_t reply;
ssize_t ret;
/* The identity contains local:/path/to/socket */
dns_name_format(identity, b_identity, sizeof(b_identity));
/* For now only local: is supported */
if (strncmp(b_identity, "local:", 6) != 0) {
ssu_e_log(3, "ssu_external: invalid socket path '%s'",
b_identity);
return (ISC_FALSE);
}
sock_path = &b_identity[6];
fd = ux_socket_connect(sock_path);
if (fd == -1)
return (ISC_FALSE);
if (key != NULL) {
dst_key_format(key, b_key, sizeof(b_key));
tkey_token = dst_key_tkeytoken(key);
} else
b_key[0] = 0;
if (tkey_token != NULL) {
isc_buffer_region(tkey_token, &token_region);
token_len = token_region.length;
}
/* Format the request elements */
if (signer != NULL)
dns_name_format(signer, b_signer, sizeof(b_signer));
else
b_signer[0] = 0;
dns_name_format(name, b_name, sizeof(b_name));
if (tcpaddr != NULL)
isc_netaddr_format(tcpaddr, b_addr, sizeof(b_addr));
else
b_addr[0] = 0;
dns_rdatatype_format(type, b_type, sizeof(b_type));
/* Work out how big the request will be */
req_len = sizeof(isc_uint32_t) + /* Format version */
sizeof(isc_uint32_t) + /* Length */
strlen(b_signer) + 1 + /* Signer */
strlen(b_name) + 1 + /* Name */
strlen(b_addr) + 1 + /* Address */
strlen(b_type) + 1 + /* Type */
strlen(b_key) + 1 + /* Key */
sizeof(isc_uint32_t) + /* tkey_token length */
token_len; /* tkey_token */
/* format the buffer */
data = isc_mem_allocate(mctx, req_len);
if (data == NULL) {
close(fd);
return (ISC_FALSE);
}
isc_buffer_init(&buf, data, req_len);
isc_buffer_putuint32(&buf, SSU_EXTERNAL_VERSION);
isc_buffer_putuint32(&buf, req_len);
/* Strings must be null-terminated */
isc_buffer_putstr(&buf, b_signer);
isc_buffer_putuint8(&buf, 0);
isc_buffer_putstr(&buf, b_name);
isc_buffer_putuint8(&buf, 0);
isc_buffer_putstr(&buf, b_addr);
isc_buffer_putuint8(&buf, 0);
isc_buffer_putstr(&buf, b_type);
isc_buffer_putuint8(&buf, 0);
isc_buffer_putstr(&buf, b_key);
isc_buffer_putuint8(&buf, 0);
isc_buffer_putuint32(&buf, token_len);
if (tkey_token && token_len != 0)
isc_buffer_putmem(&buf, token_region.base, token_len);
ENSURE(isc_buffer_availablelength(&buf) == 0);
/* Send the request */
ret = write(fd, data, req_len);
isc_mem_free(mctx, data);
if (ret != (ssize_t) req_len) {
char strbuf[ISC_STRERRORSIZE];
isc__strerror(errno, strbuf, sizeof(strbuf));
ssu_e_log(3, "ssu_external: unable to send request - %s",
strbuf);
close(fd);
return (ISC_FALSE);
}
/* Receive the reply */
ret = read(fd, &reply, sizeof(isc_uint32_t));
if (ret != (ssize_t) sizeof(isc_uint32_t)) {
char strbuf[ISC_STRERRORSIZE];
isc__strerror(errno, strbuf, sizeof(strbuf));
ssu_e_log(3, "ssu_external: unable to receive reply - %s",
strbuf);
close(fd);
return (ISC_FALSE);
}
close(fd);
reply = ntohl(reply);
if (reply == 0) {
ssu_e_log(3, "ssu_external: denied external auth for '%s'",
b_name);
return (ISC_FALSE);
} else if (reply == 1) {
ssu_e_log(3, "ssu_external: allowed external auth for '%s'",
b_name);
return (ISC_TRUE);
}
ssu_e_log(3, "ssu_external: invalid reply 0x%08x", reply);
return (ISC_FALSE);
}
static isc_result_t
printdata(dns_rdataset_t *rdataset, dns_name_t *owner,
dns_master_style_t *style)
{
isc_result_t result = ISC_R_SUCCESS;
static dns_trust_t trust;
static isc_boolean_t first = ISC_TRUE;
isc_buffer_t target;
isc_region_t r;
char *t = NULL;
int len = 2048;
if (!dns_rdataset_isassociated(rdataset)) {
char namebuf[DNS_NAME_FORMATSIZE];
dns_name_format(owner, namebuf, sizeof(namebuf));
delv_log(ISC_LOG_DEBUG(4),
"WARN: empty rdataset %s", namebuf);
return (ISC_R_SUCCESS);
}
if (!showdnssec && rdataset->type == dns_rdatatype_rrsig)
return (ISC_R_SUCCESS);
if (first || rdataset->trust != trust) {
if (!first && showtrust && !short_form)
putchar('\n');
print_status(rdataset);
trust = rdataset->trust;
first = ISC_FALSE;
}
do {
t = isc_mem_get(mctx, len);
if (t == NULL)
return (ISC_R_NOMEMORY);
isc_buffer_init(&target, t, len);
if (short_form) {
dns_rdata_t rdata = DNS_RDATA_INIT;
for (result = dns_rdataset_first(rdataset);
result == ISC_R_SUCCESS;
result = dns_rdataset_next(rdataset))
{
if ((rdataset->attributes &
DNS_RDATASETATTR_NEGATIVE) != 0)
continue;
dns_rdataset_current(rdataset, &rdata);
result = dns_rdata_tofmttext(&rdata,
dns_rootname,
styleflags, 0,
splitwidth, " ",
&target);
if (result != ISC_R_SUCCESS)
break;
if (isc_buffer_availablelength(&target) < 1) {
result = ISC_R_NOSPACE;
break;
}
isc_buffer_putstr(&target, "\n");
dns_rdata_reset(&rdata);
}
} else {
if ((rdataset->attributes &
DNS_RDATASETATTR_NEGATIVE) != 0)
isc_buffer_putstr(&target, "; ");
result = dns_master_rdatasettotext(owner, rdataset,
style, &target);
}
if (result == ISC_R_NOSPACE) {
isc_mem_put(mctx, t, len);
len += 1024;
} else if (result == ISC_R_NOMORE)
result = ISC_R_SUCCESS;
else
CHECK(result);
} while (result == ISC_R_NOSPACE);
isc_buffer_usedregion(&target, &r);
printf("%.*s", (int)r.length, (char *)r.base);
cleanup:
if (t != NULL)
isc_mem_put(mctx, t, len);
return (ISC_R_SUCCESS);
}
