isc_result_t
dns_tsec_create(isc_mem_t *mctx, dns_tsectype_t type, dst_key_t *key,
dns_tsec_t **tsecp)
{
isc_result_t result;
dns_tsec_t *tsec;
dns_tsigkey_t *tsigkey = NULL;
dns_name_t *algname;
REQUIRE(mctx != NULL);
REQUIRE(tsecp != NULL && *tsecp == NULL);
tsec = isc_mem_get(mctx, sizeof(*tsec));
if (tsec == NULL)
return (ISC_R_NOMEMORY);
tsec->type = type;
tsec->mctx = mctx;
switch (type) {
case dns_tsectype_tsig:
switch (dst_key_alg(key)) {
case DST_ALG_HMACMD5:
algname = dns_tsig_hmacmd5_name;
break;
case DST_ALG_HMACSHA1:
algname = dns_tsig_hmacsha1_name;
break;
case DST_ALG_HMACSHA224:
algname = dns_tsig_hmacsha224_name;
break;
case DST_ALG_HMACSHA256:
algname = dns_tsig_hmacsha256_name;
break;
case DST_ALG_HMACSHA384:
algname = dns_tsig_hmacsha384_name;
break;
case DST_ALG_HMACSHA512:
algname = dns_tsig_hmacsha512_name;
break;
default:
isc_mem_put(mctx, tsec, sizeof(*tsec));
return (DNS_R_BADALG);
}
result = dns_tsigkey_createfromkey(dst_key_name(key),
algname, key, ISC_FALSE,
NULL, 0, 0, mctx, NULL,
&tsigkey);
if (result != ISC_R_SUCCESS) {
isc_mem_put(mctx, tsec, sizeof(*tsec));
return (result);
}
tsec->ukey.tsigkey = tsigkey;
break;
case dns_tsectype_sig0:
tsec->ukey.key = key;
break;
default:
INSIST(0);
}
tsec->magic = DNS_TSEC_MAGIC;
*tsecp = tsec;
return (ISC_R_SUCCESS);
}
isc_result_t
dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
dns_tsig_keyring_t *ring1, dns_tsig_keyring_t *ring2)
{
dns_rdata_any_tsig_t tsig, querytsig;
isc_region_t r, source_r, header_r, sig_r;
isc_buffer_t databuf;
unsigned char data[32];
dns_name_t *keyname;
dns_rdata_t rdata = DNS_RDATA_INIT;
isc_stdtime_t now;
isc_result_t ret;
dns_tsigkey_t *tsigkey;
dst_key_t *key = NULL;
unsigned char header[DNS_MESSAGE_HEADERLEN];
dst_context_t *ctx = NULL;
isc_mem_t *mctx;
isc_uint16_t addcount, id;
unsigned int siglen;
unsigned int alg;
isc_boolean_t response;
REQUIRE(source != NULL);
REQUIRE(DNS_MESSAGE_VALID(msg));
tsigkey = dns_message_gettsigkey(msg);
response = is_response(msg);
REQUIRE(tsigkey == NULL || VALID_TSIG_KEY(tsigkey));
msg->verify_attempted = 1;
if (msg->tcp_continuation) {
if (tsigkey == NULL || msg->querytsig == NULL)
return (DNS_R_UNEXPECTEDTSIG);
return (tsig_verify_tcp(source, msg));
}
/*
* There should be a TSIG record...
*/
if (msg->tsig == NULL)
return (DNS_R_EXPECTEDTSIG);
/*
* If this is a response and there's no key or query TSIG, there
* shouldn't be one on the response.
*/
if (response && (tsigkey == NULL || msg->querytsig == NULL))
return (DNS_R_UNEXPECTEDTSIG);
mctx = msg->mctx;
/*
* If we're here, we know the message is well formed and contains a
* TSIG record.
*/
keyname = msg->tsigname;
ret = dns_rdataset_first(msg->tsig);
if (ret != ISC_R_SUCCESS)
return (ret);
dns_rdataset_current(msg->tsig, &rdata);
ret = dns_rdata_tostruct(&rdata, &tsig, NULL);
if (ret != ISC_R_SUCCESS)
return (ret);
dns_rdata_reset(&rdata);
if (response) {
ret = dns_rdataset_first(msg->querytsig);
if (ret != ISC_R_SUCCESS)
return (ret);
dns_rdataset_current(msg->querytsig, &rdata);
ret = dns_rdata_tostruct(&rdata, &querytsig, NULL);
if (ret != ISC_R_SUCCESS)
return (ret);
}
#if defined(__clang__) && \
( __clang_major__ < 3 || \
(__clang_major__ == 3 && __clang_minor__ < 2) || \
(__clang_major__ == 4 && __clang_minor__ < 2))
/* false positive: http://llvm.org/bugs/show_bug.cgi?id=14461 */
else memset(&querytsig, 0, sizeof(querytsig));
#endif
/*
* Do the key name and algorithm match that of the query?
*/
if (response &&
(!dns_name_equal(keyname, &tsigkey->name) ||
!dns_name_equal(&tsig.algorithm, &querytsig.algorithm))) {
msg->tsigstatus = dns_tsigerror_badkey;
tsig_log(msg->tsigkey, 2,
"key name and algorithm do not match");
return (DNS_R_TSIGVERIFYFAILURE);
}
/*
* Get the current time.
*/
isc_stdtime_get(&now);
/*
* Find dns_tsigkey_t based on keyname.
*/
if (tsigkey == NULL) {
ret = ISC_R_NOTFOUND;
if (ring1 != NULL)
ret = dns_tsigkey_find(&tsigkey, keyname,
&tsig.algorithm, ring1);
if (ret == ISC_R_NOTFOUND && ring2 != NULL)
ret = dns_tsigkey_find(&tsigkey, keyname,
&tsig.algorithm, ring2);
if (ret != ISC_R_SUCCESS) {
msg->tsigstatus = dns_tsigerror_badkey;
ret = dns_tsigkey_create(keyname, &tsig.algorithm,
NULL, 0, ISC_FALSE, NULL,
now, now,
mctx, NULL, &msg->tsigkey);
if (ret != ISC_R_SUCCESS)
return (ret);
tsig_log(msg->tsigkey, 2, "unknown key");
return (DNS_R_TSIGVERIFYFAILURE);
}
msg->tsigkey = tsigkey;
}
key = tsigkey->key;
/*
* Is the time ok?
*/
if (now + msg->timeadjust > tsig.timesigned + tsig.fudge) {
msg->tsigstatus = dns_tsigerror_badtime;
tsig_log(msg->tsigkey, 2, "signature has expired");
return (DNS_R_CLOCKSKEW);
} else if (now + msg->timeadjust < tsig.timesigned - tsig.fudge) {
msg->tsigstatus = dns_tsigerror_badtime;
tsig_log(msg->tsigkey, 2, "signature is in the future");
return (DNS_R_CLOCKSKEW);
}
/*
* Check digest length.
*/
alg = dst_key_alg(key);
ret = dst_key_sigsize(key, &siglen);
if (ret != ISC_R_SUCCESS)
return (ret);
if (alg == DST_ALG_HMACMD5 || alg == DST_ALG_HMACSHA1 ||
alg == DST_ALG_HMACSHA224 || alg == DST_ALG_HMACSHA256 ||
alg == DST_ALG_HMACSHA384 || alg == DST_ALG_HMACSHA512) {
isc_uint16_t digestbits = dst_key_getbits(key);
if (tsig.siglen > siglen) {
tsig_log(msg->tsigkey, 2, "signature length too big");
return (DNS_R_FORMERR);
}
if (tsig.siglen > 0 &&
(tsig.siglen < 10 || tsig.siglen < ((siglen + 1) / 2))) {
tsig_log(msg->tsigkey, 2,
"signature length below minimum");
return (DNS_R_FORMERR);
}
if (tsig.siglen > 0 && digestbits != 0 &&
tsig.siglen < ((digestbits + 1) / 8)) {
msg->tsigstatus = dns_tsigerror_badtrunc;
tsig_log(msg->tsigkey, 2,
"truncated signature length too small");
return (DNS_R_TSIGVERIFYFAILURE);
}
if (tsig.siglen > 0 && digestbits == 0 &&
tsig.siglen < siglen) {
msg->tsigstatus = dns_tsigerror_badtrunc;
tsig_log(msg->tsigkey, 2, "signature length too small");
return (DNS_R_TSIGVERIFYFAILURE);
}
}
if (tsig.siglen > 0) {
sig_r.base = tsig.signature;
sig_r.length = tsig.siglen;
ret = dst_context_create3(key, mctx,
DNS_LOGCATEGORY_DNSSEC,
ISC_FALSE, &ctx);
if (ret != ISC_R_SUCCESS)
return (ret);
if (response) {
isc_buffer_init(&databuf, data, sizeof(data));
isc_buffer_putuint16(&databuf, querytsig.siglen);
isc_buffer_usedregion(&databuf, &r);
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
if (querytsig.siglen > 0) {
r.length = querytsig.siglen;
r.base = querytsig.signature;
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
}
}
/*
* Extract the header.
*/
isc_buffer_usedregion(source, &r);
memmove(header, r.base, DNS_MESSAGE_HEADERLEN);
isc_region_consume(&r, DNS_MESSAGE_HEADERLEN);
/*
* Decrement the additional field counter.
*/
memmove(&addcount, &header[DNS_MESSAGE_HEADERLEN - 2], 2);
addcount = htons((isc_uint16_t)(ntohs(addcount) - 1));
memmove(&header[DNS_MESSAGE_HEADERLEN - 2], &addcount, 2);
/*
* Put in the original id.
*/
id = htons(tsig.originalid);
memmove(&header[0], &id, 2);
/*
* Digest the modified header.
*/
header_r.base = (unsigned char *) header;
header_r.length = DNS_MESSAGE_HEADERLEN;
ret = dst_context_adddata(ctx, &header_r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
/*
* Digest all non-TSIG records.
*/
isc_buffer_usedregion(source, &source_r);
r.base = source_r.base + DNS_MESSAGE_HEADERLEN;
r.length = msg->sigstart - DNS_MESSAGE_HEADERLEN;
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
/*
* Digest the key name.
*/
dns_name_toregion(&tsigkey->name, &r);
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
isc_buffer_init(&databuf, data, sizeof(data));
isc_buffer_putuint16(&databuf, tsig.common.rdclass);
isc_buffer_putuint32(&databuf, msg->tsig->ttl);
isc_buffer_usedregion(&databuf, &r);
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
/*
* Digest the key algorithm.
*/
dns_name_toregion(tsigkey->algorithm, &r);
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
isc_buffer_clear(&databuf);
isc_buffer_putuint48(&databuf, tsig.timesigned);
isc_buffer_putuint16(&databuf, tsig.fudge);
isc_buffer_putuint16(&databuf, tsig.error);
isc_buffer_putuint16(&databuf, tsig.otherlen);
isc_buffer_usedregion(&databuf, &r);
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
if (tsig.otherlen > 0) {
r.base = tsig.other;
r.length = tsig.otherlen;
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
}
ret = dst_context_verify(ctx, &sig_r);
if (ret == DST_R_VERIFYFAILURE) {
msg->tsigstatus = dns_tsigerror_badsig;
ret = DNS_R_TSIGVERIFYFAILURE;
tsig_log(msg->tsigkey, 2,
"signature failed to verify(1)");
goto cleanup_context;
} else if (ret != ISC_R_SUCCESS)
goto cleanup_context;
dst_context_destroy(&ctx);
} else if (tsig.error != dns_tsigerror_badsig &&
tsig.error != dns_tsigerror_badkey) {
msg->tsigstatus = dns_tsigerror_badsig;
tsig_log(msg->tsigkey, 2, "signature was empty");
return (DNS_R_TSIGVERIFYFAILURE);
}
msg->tsigstatus = dns_rcode_noerror;
if (tsig.error != dns_rcode_noerror) {
if (tsig.error == dns_tsigerror_badtime)
return (DNS_R_CLOCKSKEW);
else
return (DNS_R_TSIGERRORSET);
}
msg->verified_sig = 1;
return (ISC_R_SUCCESS);
cleanup_context:
if (ctx != NULL)
dst_context_destroy(&ctx);
return (ret);
}
int
main(int argc, char **argv) {
isc_result_t result;
#ifdef USE_PKCS11
const char *engine = "pkcs11";
#else
const char *engine = NULL;
#endif
char *filename = NULL, *directory = NULL;
char newname[1024];
char keystr[DST_KEY_FORMATSIZE];
char *endp, *p;
int ch;
isc_entropy_t *ectx = NULL;
const char *predecessor = NULL;
dst_key_t *prevkey = NULL;
dst_key_t *key = NULL;
isc_buffer_t buf;
dns_name_t *name = NULL;
dns_secalg_t alg = 0;
unsigned int size = 0;
isc_uint16_t flags = 0;
int prepub = -1;
dns_ttl_t ttl = 0;
isc_stdtime_t now;
isc_stdtime_t pub = 0, act = 0, rev = 0, inact = 0, del = 0;
isc_boolean_t setpub = ISC_FALSE, setact = ISC_FALSE;
isc_boolean_t setrev = ISC_FALSE, setinact = ISC_FALSE;
isc_boolean_t setdel = ISC_FALSE, setttl = ISC_FALSE;
isc_boolean_t unsetpub = ISC_FALSE, unsetact = ISC_FALSE;
isc_boolean_t unsetrev = ISC_FALSE, unsetinact = ISC_FALSE;
isc_boolean_t unsetdel = ISC_FALSE;
isc_boolean_t printcreate = ISC_FALSE, printpub = ISC_FALSE;
isc_boolean_t printact = ISC_FALSE, printrev = ISC_FALSE;
isc_boolean_t printinact = ISC_FALSE, printdel = ISC_FALSE;
isc_boolean_t force = ISC_FALSE;
isc_boolean_t epoch = ISC_FALSE;
isc_boolean_t changed = ISC_FALSE;
isc_log_t *log = NULL;
if (argc == 1)
usage();
result = isc_mem_create(0, 0, &mctx);
if (result != ISC_R_SUCCESS)
fatal("Out of memory");
setup_logging(verbose, mctx, &log);
dns_result_register();
isc_commandline_errprint = ISC_FALSE;
isc_stdtime_get(&now);
#define CMDLINE_FLAGS "A:D:E:fhI:i:K:L:P:p:R:S:uv:"
while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
switch (ch) {
case 'E':
engine = isc_commandline_argument;
break;
case 'f':
force = ISC_TRUE;
break;
case 'p':
p = isc_commandline_argument;
if (!strcasecmp(p, "all")) {
printcreate = ISC_TRUE;
printpub = ISC_TRUE;
printact = ISC_TRUE;
printrev = ISC_TRUE;
printinact = ISC_TRUE;
printdel = ISC_TRUE;
break;
}
do {
switch (*p++) {
case 'C':
printcreate = ISC_TRUE;
break;
case 'P':
printpub = ISC_TRUE;
break;
case 'A':
printact = ISC_TRUE;
break;
case 'R':
printrev = ISC_TRUE;
break;
case 'I':
printinact = ISC_TRUE;
break;
case 'D':
printdel = ISC_TRUE;
break;
case ' ':
break;
default:
usage();
break;
}
} while (*p != '\0');
break;
case 'u':
epoch = ISC_TRUE;
break;
case 'K':
/*
* We don't have to copy it here, but do it to
* simplify cleanup later
*/
directory = isc_mem_strdup(mctx,
isc_commandline_argument);
if (directory == NULL) {
fatal("Failed to allocate memory for "
"directory");
}
break;
case 'L':
if (strcmp(isc_commandline_argument, "none") == 0)
ttl = 0;
else
ttl = strtottl(isc_commandline_argument);
setttl = ISC_TRUE;
break;
case 'v':
verbose = strtol(isc_commandline_argument, &endp, 0);
if (*endp != '\0')
fatal("-v must be followed by a number");
break;
case 'P':
if (setpub || unsetpub)
fatal("-P specified more than once");
changed = ISC_TRUE;
if (!strcasecmp(isc_commandline_argument, "none")) {
unsetpub = ISC_TRUE;
} else {
setpub = ISC_TRUE;
pub = strtotime(isc_commandline_argument,
now, now);
}
break;
case 'A':
if (setact || unsetact)
fatal("-A specified more than once");
changed = ISC_TRUE;
if (!strcasecmp(isc_commandline_argument, "none")) {
unsetact = ISC_TRUE;
} else {
setact = ISC_TRUE;
act = strtotime(isc_commandline_argument,
now, now);
}
break;
case 'R':
if (setrev || unsetrev)
fatal("-R specified more than once");
changed = ISC_TRUE;
if (!strcasecmp(isc_commandline_argument, "none")) {
unsetrev = ISC_TRUE;
} else {
setrev = ISC_TRUE;
rev = strtotime(isc_commandline_argument,
now, now);
}
break;
case 'I':
if (setinact || unsetinact)
fatal("-I specified more than once");
changed = ISC_TRUE;
if (!strcasecmp(isc_commandline_argument, "none")) {
unsetinact = ISC_TRUE;
} else {
setinact = ISC_TRUE;
inact = strtotime(isc_commandline_argument,
now, now);
}
break;
case 'D':
if (setdel || unsetdel)
fatal("-D specified more than once");
changed = ISC_TRUE;
if (!strcasecmp(isc_commandline_argument, "none")) {
unsetdel = ISC_TRUE;
} else {
setdel = ISC_TRUE;
del = strtotime(isc_commandline_argument,
now, now);
}
break;
case 'S':
predecessor = isc_commandline_argument;
break;
case 'i':
prepub = strtottl(isc_commandline_argument);
break;
case '?':
if (isc_commandline_option != '?')
fprintf(stderr, "%s: invalid argument -%c\n",
program, isc_commandline_option);
/* Falls into */
case 'h':
usage();
default:
fprintf(stderr, "%s: unhandled option -%c\n",
program, isc_commandline_option);
exit(1);
}
}
if (argc < isc_commandline_index + 1 ||
argv[isc_commandline_index] == NULL)
fatal("The key file name was not specified");
if (argc > isc_commandline_index + 1)
fatal("Extraneous arguments");
if (ectx == NULL)
setup_entropy(mctx, NULL, &ectx);
result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
if (result != ISC_R_SUCCESS)
fatal("Could not initialize hash");
result = dst_lib_init2(mctx, ectx, engine,
ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
if (result != ISC_R_SUCCESS)
fatal("Could not initialize dst: %s",
isc_result_totext(result));
isc_entropy_stopcallbacksources(ectx);
if (predecessor != NULL) {
char keystr[DST_KEY_FORMATSIZE];
isc_stdtime_t when;
int major, minor;
if (prepub == -1)
prepub = (30 * 86400);
if (setpub || unsetpub)
fatal("-S and -P cannot be used together");
if (setact || unsetact)
fatal("-S and -A cannot be used together");
result = dst_key_fromnamedfile(predecessor, directory,
DST_TYPE_PUBLIC |
DST_TYPE_PRIVATE,
mctx, &prevkey);
if (result != ISC_R_SUCCESS)
fatal("Invalid keyfile %s: %s",
filename, isc_result_totext(result));
if (!dst_key_isprivate(prevkey))
fatal("%s is not a private key", filename);
name = dst_key_name(prevkey);
alg = dst_key_alg(prevkey);
size = dst_key_size(prevkey);
flags = dst_key_flags(prevkey);
dst_key_format(prevkey, keystr, sizeof(keystr));
dst_key_getprivateformat(prevkey, &major, &minor);
if (major != DST_MAJOR_VERSION || minor < DST_MINOR_VERSION)
fatal("Predecessor has incompatible format "
"version %d.%d\n\t", major, minor);
result = dst_key_gettime(prevkey, DST_TIME_ACTIVATE, &when);
if (result != ISC_R_SUCCESS)
fatal("Predecessor has no activation date. "
"You must set one before\n\t"
"generating a successor.");
result = dst_key_gettime(prevkey, DST_TIME_INACTIVE, &act);
if (result != ISC_R_SUCCESS)
fatal("Predecessor has no inactivation date. "
"You must set one before\n\t"
"generating a successor.");
pub = act - prepub;
if (pub < now && prepub != 0)
fatal("Predecessor will become inactive before the\n\t"
"prepublication period ends. Either change "
"its inactivation date,\n\t"
"or use the -i option to set a shorter "
"prepublication interval.");
result = dst_key_gettime(prevkey, DST_TIME_DELETE, &when);
if (result != ISC_R_SUCCESS)
fprintf(stderr, "%s: WARNING: Predecessor has no "
"removal date;\n\t"
"it will remain in the zone "
"indefinitely after rollover.\n",
program);
changed = setpub = setact = ISC_TRUE;
dst_key_free(&prevkey);
} else {
if (prepub < 0)
prepub = 0;
if (prepub > 0) {
if (setpub && setact && (act - prepub) < pub)
fatal("Activation and publication dates "
"are closer together than the\n\t"
"prepublication interval.");
if (setpub && !setact) {
setact = ISC_TRUE;
act = pub + prepub;
} else if (setact && !setpub) {
setpub = ISC_TRUE;
pub = act - prepub;
}
if ((act - prepub) < now)
fatal("Time until activation is shorter "
"than the\n\tprepublication interval.");
}
}
if (directory != NULL) {
filename = argv[isc_commandline_index];
} else {
result = isc_file_splitpath(mctx, argv[isc_commandline_index],
&directory, &filename);
if (result != ISC_R_SUCCESS)
fatal("cannot process filename %s: %s",
argv[isc_commandline_index],
isc_result_totext(result));
}
result = dst_key_fromnamedfile(filename, directory,
DST_TYPE_PUBLIC | DST_TYPE_PRIVATE,
mctx, &key);
if (result != ISC_R_SUCCESS)
fatal("Invalid keyfile %s: %s",
filename, isc_result_totext(result));
if (!dst_key_isprivate(key))
fatal("%s is not a private key", filename);
dst_key_format(key, keystr, sizeof(keystr));
if (predecessor != NULL) {
if (!dns_name_equal(name, dst_key_name(key)))
fatal("Key name mismatch");
if (alg != dst_key_alg(key))
fatal("Key algorithm mismatch");
if (size != dst_key_size(key))
fatal("Key size mismatch");
if (flags != dst_key_flags(key))
fatal("Key flags mismatch");
}
if (force)
set_keyversion(key);
else
check_keyversion(key, keystr);
if (verbose > 2)
fprintf(stderr, "%s: %s\n", program, keystr);
/*
* Set time values.
*/
if (setpub)
dst_key_settime(key, DST_TIME_PUBLISH, pub);
else if (unsetpub)
dst_key_unsettime(key, DST_TIME_PUBLISH);
if (setact)
dst_key_settime(key, DST_TIME_ACTIVATE, act);
else if (unsetact)
dst_key_unsettime(key, DST_TIME_ACTIVATE);
if (setrev) {
if ((dst_key_flags(key) & DNS_KEYFLAG_REVOKE) != 0)
fprintf(stderr, "%s: warning: Key %s is already "
"revoked; changing the revocation date "
"will not affect this.\n",
program, keystr);
if ((dst_key_flags(key) & DNS_KEYFLAG_KSK) == 0)
fprintf(stderr, "%s: warning: Key %s is not flagged as "
"a KSK, but -R was used. Revoking a "
"ZSK is legal, but undefined.\n",
program, keystr);
dst_key_settime(key, DST_TIME_REVOKE, rev);
} else if (unsetrev) {
if ((dst_key_flags(key) & DNS_KEYFLAG_REVOKE) != 0)
fprintf(stderr, "%s: warning: Key %s is already "
"revoked; removing the revocation date "
"will not affect this.\n",
program, keystr);
dst_key_unsettime(key, DST_TIME_REVOKE);
}
if (setinact)
dst_key_settime(key, DST_TIME_INACTIVE, inact);
else if (unsetinact)
dst_key_unsettime(key, DST_TIME_INACTIVE);
if (setdel)
dst_key_settime(key, DST_TIME_DELETE, del);
else if (unsetdel)
dst_key_unsettime(key, DST_TIME_DELETE);
if (setttl)
dst_key_setttl(key, ttl);
/*
* No metadata changes were made but we're forcing an upgrade
* to the new format anyway: use "-P now -A now" as the default
*/
if (force && !changed) {
dst_key_settime(key, DST_TIME_PUBLISH, now);
dst_key_settime(key, DST_TIME_ACTIVATE, now);
changed = ISC_TRUE;
}
if (!changed && setttl)
changed = ISC_TRUE;
/*
* Print out time values, if -p was used.
*/
if (printcreate)
printtime(key, DST_TIME_CREATED, "Created", epoch, stdout);
if (printpub)
printtime(key, DST_TIME_PUBLISH, "Publish", epoch, stdout);
if (printact)
printtime(key, DST_TIME_ACTIVATE, "Activate", epoch, stdout);
if (printrev)
printtime(key, DST_TIME_REVOKE, "Revoke", epoch, stdout);
if (printinact)
printtime(key, DST_TIME_INACTIVE, "Inactive", epoch, stdout);
if (printdel)
printtime(key, DST_TIME_DELETE, "Delete", epoch, stdout);
if (changed) {
isc_buffer_init(&buf, newname, sizeof(newname));
result = dst_key_buildfilename(key, DST_TYPE_PUBLIC, directory,
&buf);
if (result != ISC_R_SUCCESS) {
fatal("Failed to build public key filename: %s",
isc_result_totext(result));
}
result = dst_key_tofile(key, DST_TYPE_PUBLIC|DST_TYPE_PRIVATE,
directory);
if (result != ISC_R_SUCCESS) {
dst_key_format(key, keystr, sizeof(keystr));
fatal("Failed to write key %s: %s", keystr,
isc_result_totext(result));
}
printf("%s\n", newname);
isc_buffer_clear(&buf);
result = dst_key_buildfilename(key, DST_TYPE_PRIVATE, directory,
&buf);
if (result != ISC_R_SUCCESS) {
fatal("Failed to build private key filename: %s",
isc_result_totext(result));
}
printf("%s\n", newname);
}
dst_key_free(&key);
dst_lib_destroy();
isc_hash_destroy();
cleanup_entropy(&ectx);
if (verbose > 10)
isc_mem_stats(mctx, stdout);
cleanup_logging(&log);
isc_mem_free(mctx, directory);
isc_mem_destroy(&mctx);
return (0);
}
static isc_result_t
process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
dns_rdata_tkey_t *tkeyin, dns_tkeyctx_t *tctx,
dns_rdata_tkey_t *tkeyout,
dns_tsig_keyring_t *ring, dns_namelist_t *namelist)
{
isc_result_t result = ISC_R_SUCCESS;
dns_name_t *keyname, ourname;
dns_rdataset_t *keyset = NULL;
dns_rdata_t keyrdata = DNS_RDATA_INIT, ourkeyrdata = DNS_RDATA_INIT;
isc_boolean_t found_key = ISC_FALSE, found_incompatible = ISC_FALSE;
dst_key_t *pubkey = NULL;
isc_buffer_t ourkeybuf, *shared = NULL;
isc_region_t r, r2, ourkeyr;
unsigned char keydata[DST_KEY_MAXSIZE];
unsigned int sharedsize;
isc_buffer_t secret;
unsigned char *randomdata = NULL, secretdata[256];
dns_ttl_t ttl = 0;
if (tctx->dhkey == NULL) {
tkey_log("process_dhtkey: tkey-dhkey not defined");
tkeyout->error = dns_tsigerror_badalg;
return (DNS_R_REFUSED);
}
if (!dns_name_equal(&tkeyin->algorithm, DNS_TSIG_HMACMD5_NAME)) {
tkey_log("process_dhtkey: algorithms other than "
"hmac-md5 are not supported");
tkeyout->error = dns_tsigerror_badalg;
return (ISC_R_SUCCESS);
}
/*
* Look for a DH KEY record that will work with ours.
*/
for (result = dns_message_firstname(msg, DNS_SECTION_ADDITIONAL);
result == ISC_R_SUCCESS && !found_key;
result = dns_message_nextname(msg, DNS_SECTION_ADDITIONAL))
{
keyname = NULL;
dns_message_currentname(msg, DNS_SECTION_ADDITIONAL, &keyname);
keyset = NULL;
result = dns_message_findtype(keyname, dns_rdatatype_key, 0,
&keyset);
if (result != ISC_R_SUCCESS)
continue;
for (result = dns_rdataset_first(keyset);
result == ISC_R_SUCCESS && !found_key;
result = dns_rdataset_next(keyset))
{
dns_rdataset_current(keyset, &keyrdata);
pubkey = NULL;
result = dns_dnssec_keyfromrdata(keyname, &keyrdata,
msg->mctx, &pubkey);
if (result != ISC_R_SUCCESS) {
dns_rdata_reset(&keyrdata);
continue;
}
if (dst_key_alg(pubkey) == DNS_KEYALG_DH) {
if (dst_key_paramcompare(pubkey, tctx->dhkey))
{
found_key = ISC_TRUE;
ttl = keyset->ttl;
break;
} else
found_incompatible = ISC_TRUE;
}
dst_key_free(&pubkey);
dns_rdata_reset(&keyrdata);
}
}
if (!found_key) {
if (found_incompatible) {
tkey_log("process_dhtkey: found an incompatible key");
tkeyout->error = dns_tsigerror_badkey;
return (ISC_R_SUCCESS);
} else {
tkey_log("process_dhtkey: failed to find a key");
return (DNS_R_FORMERR);
}
}
RETERR(add_rdata_to_list(msg, keyname, &keyrdata, ttl, namelist));
isc_buffer_init(&ourkeybuf, keydata, sizeof(keydata));
RETERR(dst_key_todns(tctx->dhkey, &ourkeybuf));
isc_buffer_usedregion(&ourkeybuf, &ourkeyr);
dns_rdata_fromregion(&ourkeyrdata, dns_rdataclass_any,
dns_rdatatype_key, &ourkeyr);
dns_name_init(&ourname, NULL);
dns_name_clone(dst_key_name(tctx->dhkey), &ourname);
/*
* XXXBEW The TTL should be obtained from the database, if it exists.
*/
RETERR(add_rdata_to_list(msg, &ourname, &ourkeyrdata, 0, namelist));
RETERR(dst_key_secretsize(tctx->dhkey, &sharedsize));
RETERR(isc_buffer_allocate(msg->mctx, &shared, sharedsize));
result = dst_key_computesecret(pubkey, tctx->dhkey, shared);
if (result != ISC_R_SUCCESS) {
tkey_log("process_dhtkey: failed to compute shared secret: %s",
isc_result_totext(result));
goto failure;
}
dst_key_free(&pubkey);
isc_buffer_init(&secret, secretdata, sizeof(secretdata));
randomdata = isc_mem_get(tkeyout->mctx, TKEY_RANDOM_AMOUNT);
if (randomdata == NULL)
goto failure;
result = isc_entropy_getdata(tctx->ectx, randomdata,
TKEY_RANDOM_AMOUNT, NULL, 0);
if (result != ISC_R_SUCCESS) {
tkey_log("process_dhtkey: failed to obtain entropy: %s",
isc_result_totext(result));
goto failure;
}
r.base = randomdata;
r.length = TKEY_RANDOM_AMOUNT;
r2.base = tkeyin->key;
r2.length = tkeyin->keylen;
RETERR(compute_secret(shared, &r2, &r, &secret));
isc_buffer_free(&shared);
RETERR(dns_tsigkey_create(name, &tkeyin->algorithm,
isc_buffer_base(&secret),
isc_buffer_usedlength(&secret),
ISC_TRUE, signer, tkeyin->inception,
tkeyin->expire, msg->mctx, ring, NULL));
/* This key is good for a long time */
tkeyout->inception = tkeyin->inception;
tkeyout->expire = tkeyin->expire;
tkeyout->key = randomdata;
tkeyout->keylen = TKEY_RANDOM_AMOUNT;
return (ISC_R_SUCCESS);
failure:
if (!ISC_LIST_EMPTY(*namelist))
free_namelist(msg, namelist);
if (shared != NULL)
isc_buffer_free(&shared);
if (pubkey != NULL)
dst_key_free(&pubkey);
if (randomdata != NULL)
isc_mem_put(tkeyout->mctx, randomdata, TKEY_RANDOM_AMOUNT);
return (result);
}
int
main(int argc, char **argv) {
isc_result_t result;
#ifdef USE_PKCS11
const char *engine = "pkcs11";
#else
const char *engine = NULL;
#endif
char *filename = NULL, *dir = NULL;
char newname[1024], oldname[1024];
char keystr[DST_KEY_FORMATSIZE];
char *endp;
int ch;
isc_entropy_t *ectx = NULL;
dst_key_t *key = NULL;
isc_uint32_t flags;
isc_buffer_t buf;
isc_boolean_t force = ISC_FALSE;
isc_boolean_t remove = ISC_FALSE;
if (argc == 1)
usage();
result = isc_mem_create(0, 0, &mctx);
if (result != ISC_R_SUCCESS)
fatal("Out of memory");
dns_result_register();
isc_commandline_errprint = ISC_FALSE;
while ((ch = isc_commandline_parse(argc, argv, "E:fK:rhv:")) != -1) {
switch (ch) {
case 'E':
engine = isc_commandline_argument;
break;
case 'f':
force = ISC_TRUE;
break;
case 'K':
/*
* We don't have to copy it here, but do it to
* simplify cleanup later
*/
dir = isc_mem_strdup(mctx, isc_commandline_argument);
if (dir == NULL) {
fatal("Failed to allocate memory for "
"directory");
}
break;
case 'r':
remove = ISC_TRUE;
break;
case 'v':
verbose = strtol(isc_commandline_argument, &endp, 0);
if (*endp != '\0')
fatal("-v must be followed by a number");
break;
case '?':
if (isc_commandline_option != '?')
fprintf(stderr, "%s: invalid argument -%c\n",
program, isc_commandline_option);
/* Falls into */
case 'h':
usage();
default:
fprintf(stderr, "%s: unhandled option -%c\n",
program, isc_commandline_option);
exit(1);
}
}
if (argc < isc_commandline_index + 1 ||
argv[isc_commandline_index] == NULL)
fatal("The key file name was not specified");
if (argc > isc_commandline_index + 1)
fatal("Extraneous arguments");
if (dir != NULL) {
filename = argv[isc_commandline_index];
} else {
result = isc_file_splitpath(mctx, argv[isc_commandline_index],
&dir, &filename);
if (result != ISC_R_SUCCESS)
fatal("cannot process filename %s: %s",
argv[isc_commandline_index],
isc_result_totext(result));
if (strcmp(dir, ".") == 0) {
isc_mem_free(mctx, dir);
dir = NULL;
}
}
if (ectx == NULL)
setup_entropy(mctx, NULL, &ectx);
result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
if (result != ISC_R_SUCCESS)
fatal("Could not initialize hash");
result = dst_lib_init2(mctx, ectx, engine,
ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
if (result != ISC_R_SUCCESS)
fatal("Could not initialize dst: %s",
isc_result_totext(result));
isc_entropy_stopcallbacksources(ectx);
result = dst_key_fromnamedfile(filename, dir,
DST_TYPE_PUBLIC|DST_TYPE_PRIVATE,
mctx, &key);
if (result != ISC_R_SUCCESS)
fatal("Invalid keyfile name %s: %s",
filename, isc_result_totext(result));
dst_key_format(key, keystr, sizeof(keystr));
if (verbose > 2)
fprintf(stderr, "%s: %s\n", program, keystr);
if (force)
set_keyversion(key);
else
check_keyversion(key, keystr);
flags = dst_key_flags(key);
if ((flags & DNS_KEYFLAG_REVOKE) == 0) {
isc_stdtime_t now;
if ((flags & DNS_KEYFLAG_KSK) == 0)
fprintf(stderr, "%s: warning: Key is not flagged "
"as a KSK. Revoking a ZSK is "
"legal, but undefined.\n",
program);
isc_stdtime_get(&now);
dst_key_settime(key, DST_TIME_REVOKE, now);
dst_key_setflags(key, flags | DNS_KEYFLAG_REVOKE);
isc_buffer_init(&buf, newname, sizeof(newname));
dst_key_buildfilename(key, DST_TYPE_PUBLIC, dir, &buf);
if (access(newname, F_OK) == 0 && !force) {
fatal("Key file %s already exists; "
"use -f to force overwrite", newname);
}
result = dst_key_tofile(key, DST_TYPE_PUBLIC|DST_TYPE_PRIVATE,
dir);
if (result != ISC_R_SUCCESS) {
dst_key_format(key, keystr, sizeof(keystr));
fatal("Failed to write key %s: %s", keystr,
isc_result_totext(result));
}
isc_buffer_clear(&buf);
dst_key_buildfilename(key, 0, dir, &buf);
printf("%s\n", newname);
/*
* Remove old key file, if told to (and if
* it isn't the same as the new file)
*/
if (remove && dst_key_alg(key) != DST_ALG_RSAMD5) {
isc_buffer_init(&buf, oldname, sizeof(oldname));
dst_key_setflags(key, flags & ~DNS_KEYFLAG_REVOKE);
dst_key_buildfilename(key, DST_TYPE_PRIVATE, dir, &buf);
if (strcmp(oldname, newname) == 0)
goto cleanup;
if (access(oldname, F_OK) == 0)
unlink(oldname);
isc_buffer_clear(&buf);
dst_key_buildfilename(key, DST_TYPE_PUBLIC, dir, &buf);
if (access(oldname, F_OK) == 0)
unlink(oldname);
}
} else {
dst_key_format(key, keystr, sizeof(keystr));
fatal("Key %s is already revoked", keystr);
}
cleanup:
dst_key_free(&key);
dst_lib_destroy();
isc_hash_destroy();
cleanup_entropy(&ectx);
if (verbose > 10)
isc_mem_stats(mctx, stdout);
if (dir != NULL)
isc_mem_free(mctx, dir);
isc_mem_destroy(&mctx);
return (0);
}
isc_result_t
dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
const char *directory)
{
FILE *fp;
isc_result_t result;
char filename[ISC_DIR_NAMEMAX];
char buffer[MAXFIELDSIZE * 2];
isc_fsaccess_t access;
isc_stdtime_t when;
isc_uint32_t value;
isc_buffer_t b;
isc_region_t r;
int major, minor;
mode_t mode;
int i, ret;
REQUIRE(priv != NULL);
ret = check_data(priv, dst_key_alg(key), ISC_FALSE, key->external);
if (ret < 0)
return (DST_R_INVALIDPRIVATEKEY);
else if (ret != ISC_R_SUCCESS)
return (ret);
isc_buffer_init(&b, filename, sizeof(filename));
result = dst_key_buildfilename(key, DST_TYPE_PRIVATE, directory, &b);
if (result != ISC_R_SUCCESS)
return (result);
result = isc_file_mode(filename, &mode);
if (result == ISC_R_SUCCESS && mode != 0600) {
/* File exists; warn that we are changing its permissions */
isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
DNS_LOGMODULE_DNSSEC, ISC_LOG_WARNING,
"Permissions on the file %s "
"have changed from 0%o to 0600 as "
"a result of this operation.",
filename, (unsigned int)mode);
}
if ((fp = fopen(filename, "w")) == NULL)
return (DST_R_WRITEERROR);
access = 0;
isc_fsaccess_add(ISC_FSACCESS_OWNER,
ISC_FSACCESS_READ | ISC_FSACCESS_WRITE,
&access);
(void)isc_fsaccess_set(filename, access);
dst_key_getprivateformat(key, &major, &minor);
if (major == 0 && minor == 0) {
major = DST_MAJOR_VERSION;
minor = DST_MINOR_VERSION;
}
/* XXXDCL return value should be checked for full filesystem */
fprintf(fp, "%s v%d.%d\n", PRIVATE_KEY_STR, major, minor);
fprintf(fp, "%s %d ", ALGORITHM_STR, dst_key_alg(key));
/* XXXVIX this switch statement is too sparse to gen a jump table. */
switch (dst_key_alg(key)) {
case DST_ALG_RSAMD5:
fprintf(fp, "(RSA)\n");
break;
case DST_ALG_DH:
fprintf(fp, "(DH)\n");
break;
case DST_ALG_DSA:
fprintf(fp, "(DSA)\n");
break;
case DST_ALG_RSASHA1:
fprintf(fp, "(RSASHA1)\n");
break;
case DST_ALG_NSEC3RSASHA1:
fprintf(fp, "(NSEC3RSASHA1)\n");
break;
case DST_ALG_NSEC3DSA:
fprintf(fp, "(NSEC3DSA)\n");
break;
case DST_ALG_RSASHA256:
fprintf(fp, "(RSASHA256)\n");
break;
case DST_ALG_RSASHA512:
fprintf(fp, "(RSASHA512)\n");
break;
case DST_ALG_ECCGOST:
fprintf(fp, "(ECC-GOST)\n");
break;
case DST_ALG_ECDSA256:
fprintf(fp, "(ECDSAP256SHA256)\n");
break;
case DST_ALG_ECDSA384:
fprintf(fp, "(ECDSAP384SHA384)\n");
break;
case DST_ALG_HMACMD5:
fprintf(fp, "(HMAC_MD5)\n");
break;
case DST_ALG_HMACSHA1:
fprintf(fp, "(HMAC_SHA1)\n");
break;
case DST_ALG_HMACSHA224:
fprintf(fp, "(HMAC_SHA224)\n");
break;
case DST_ALG_HMACSHA256:
fprintf(fp, "(HMAC_SHA256)\n");
break;
case DST_ALG_HMACSHA384:
fprintf(fp, "(HMAC_SHA384)\n");
break;
case DST_ALG_HMACSHA512:
fprintf(fp, "(HMAC_SHA512)\n");
break;
default:
fprintf(fp, "(?)\n");
break;
}
for (i = 0; i < priv->nelements; i++) {
const char *s;
s = find_tag(priv->elements[i].tag);
r.base = priv->elements[i].data;
r.length = priv->elements[i].length;
isc_buffer_init(&b, buffer, sizeof(buffer));
result = isc_base64_totext(&r, sizeof(buffer), "", &b);
if (result != ISC_R_SUCCESS) {
fclose(fp);
return (DST_R_INVALIDPRIVATEKEY);
}
isc_buffer_usedregion(&b, &r);
fprintf(fp, "%s %.*s\n", s, (int)r.length, r.base);
}
if (key->external)
fprintf(fp, "External:\n");
/* Add the metadata tags */
if (major > 1 || (major == 1 && minor >= 3)) {
for (i = 0; i < NUMERIC_NTAGS; i++) {
result = dst_key_getnum(key, i, &value);
if (result != ISC_R_SUCCESS)
continue;
fprintf(fp, "%s %u\n", numerictags[i], value);
}
for (i = 0; i < TIMING_NTAGS; i++) {
result = dst_key_gettime(key, i, &when);
if (result != ISC_R_SUCCESS)
continue;
isc_buffer_init(&b, buffer, sizeof(buffer));
result = dns_time32_totext(when, &b);
if (result != ISC_R_SUCCESS) {
fclose(fp);
return (DST_R_INVALIDPRIVATEKEY);
}
isc_buffer_usedregion(&b, &r);
fprintf(fp, "%s %.*s\n", timetags[i], (int)r.length,
r.base);
}
}
fflush(fp);
result = ferror(fp) ? DST_R_WRITEERROR : ISC_R_SUCCESS;
fclose(fp);
return (result);
}
isc_result_t
dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex,
isc_mem_t *mctx, dst_private_t *priv)
{
int n = 0, major, minor, check;
isc_buffer_t b;
isc_token_t token;
unsigned char *data = NULL;
unsigned int opt = ISC_LEXOPT_EOL;
isc_stdtime_t when;
isc_result_t ret;
isc_boolean_t external = ISC_FALSE;
REQUIRE(priv != NULL);
priv->nelements = 0;
memset(priv->elements, 0, sizeof(priv->elements));
#define NEXTTOKEN(lex, opt, token) \
do { \
ret = isc_lex_gettoken(lex, opt, token); \
if (ret != ISC_R_SUCCESS) \
goto fail; \
} while (/*CONSTCOND*/0)
#define READLINE(lex, opt, token) \
do { \
ret = isc_lex_gettoken(lex, opt, token); \
if (ret == ISC_R_EOF) \
break; \
else if (ret != ISC_R_SUCCESS) \
goto fail; \
} while ((*token).type != isc_tokentype_eol)
/*
* Read the description line.
*/
NEXTTOKEN(lex, opt, &token);
if (token.type != isc_tokentype_string ||
strcmp(DST_AS_STR(token), PRIVATE_KEY_STR) != 0)
{
ret = DST_R_INVALIDPRIVATEKEY;
goto fail;
}
NEXTTOKEN(lex, opt, &token);
if (token.type != isc_tokentype_string ||
(DST_AS_STR(token))[0] != 'v')
{
ret = DST_R_INVALIDPRIVATEKEY;
goto fail;
}
if (sscanf(DST_AS_STR(token), "v%d.%d", &major, &minor) != 2)
{
ret = DST_R_INVALIDPRIVATEKEY;
goto fail;
}
if (major > DST_MAJOR_VERSION) {
ret = DST_R_INVALIDPRIVATEKEY;
goto fail;
}
/*
* Store the private key format version number
*/
dst_key_setprivateformat(key, major, minor);
READLINE(lex, opt, &token);
/*
* Read the algorithm line.
*/
NEXTTOKEN(lex, opt, &token);
if (token.type != isc_tokentype_string ||
strcmp(DST_AS_STR(token), ALGORITHM_STR) != 0)
{
ret = DST_R_INVALIDPRIVATEKEY;
goto fail;
}
NEXTTOKEN(lex, opt | ISC_LEXOPT_NUMBER, &token);
if (token.type != isc_tokentype_number ||
token.value.as_ulong != (unsigned long) dst_key_alg(key))
{
ret = DST_R_INVALIDPRIVATEKEY;
goto fail;
}
READLINE(lex, opt, &token);
/*
* Read the key data.
*/
for (n = 0; n < MAXFIELDS; n++) {
int tag;
isc_region_t r;
do {
ret = isc_lex_gettoken(lex, opt, &token);
if (ret == ISC_R_EOF)
goto done;
if (ret != ISC_R_SUCCESS)
goto fail;
} while (token.type == isc_tokentype_eol);
if (token.type != isc_tokentype_string) {
ret = DST_R_INVALIDPRIVATEKEY;
goto fail;
}
if (strcmp(DST_AS_STR(token), "External:") == 0) {
external = ISC_TRUE;
goto next;
}
/* Numeric metadata */
tag = find_numericdata(DST_AS_STR(token));
if (tag >= 0) {
INSIST(tag < NUMERIC_NTAGS);
NEXTTOKEN(lex, opt | ISC_LEXOPT_NUMBER, &token);
if (token.type != isc_tokentype_number) {
ret = DST_R_INVALIDPRIVATEKEY;
goto fail;
}
dst_key_setnum(key, tag, token.value.as_ulong);
goto next;
}
/* Timing metadata */
tag = find_timedata(DST_AS_STR(token));
if (tag >= 0) {
INSIST(tag < TIMING_NTAGS);
NEXTTOKEN(lex, opt, &token);
if (token.type != isc_tokentype_string) {
ret = DST_R_INVALIDPRIVATEKEY;
goto fail;
}
ret = dns_time32_fromtext(DST_AS_STR(token), &when);
if (ret != ISC_R_SUCCESS)
goto fail;
dst_key_settime(key, tag, when);
goto next;
}
/* Key data */
tag = find_value(DST_AS_STR(token), alg);
if (tag < 0 && minor > DST_MINOR_VERSION)
goto next;
else if (tag < 0) {
ret = DST_R_INVALIDPRIVATEKEY;
goto fail;
}
priv->elements[n].tag = tag;
data = (unsigned char *) isc_mem_get(mctx, MAXFIELDSIZE);
if (data == NULL)
goto fail;
isc_buffer_init(&b, data, MAXFIELDSIZE);
ret = isc_base64_tobuffer(lex, &b, -1);
if (ret != ISC_R_SUCCESS)
goto fail;
isc_buffer_usedregion(&b, &r);
priv->elements[n].length = r.length;
priv->elements[n].data = r.base;
priv->nelements++;
next:
READLINE(lex, opt, &token);
data = NULL;
}
done:
if (external && priv->nelements != 0) {
ret = DST_R_INVALIDPRIVATEKEY;
goto fail;
}
check = check_data(priv, alg, ISC_TRUE, external);
if (check < 0) {
ret = DST_R_INVALIDPRIVATEKEY;
goto fail;
} else if (check != ISC_R_SUCCESS) {
ret = check;
goto fail;
}
key->external = external;
return (ISC_R_SUCCESS);
fail:
dst__privstruct_free(priv, mctx);
if (data != NULL)
isc_mem_put(mctx, data, MAXFIELDSIZE);
return (ret);
}
int
dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
const char *directory)
{
FILE *fp;
int ret, i;
isc_result_t iret;
char filename[ISC_DIR_NAMEMAX];
char buffer[MAXFIELDSIZE * 2];
isc_buffer_t b;
isc_fsaccess_t access;
REQUIRE(priv != NULL);
if (check_data(priv, dst_key_alg(key), ISC_FALSE) < 0)
return (DST_R_INVALIDPRIVATEKEY);
isc_buffer_init(&b, filename, sizeof(filename));
ret = dst_key_buildfilename(key, DST_TYPE_PRIVATE, directory, &b);
if (ret != ISC_R_SUCCESS)
return (ret);
if ((fp = fopen(filename, "w")) == NULL)
return (DST_R_WRITEERROR);
access = 0;
isc_fsaccess_add(ISC_FSACCESS_OWNER,
ISC_FSACCESS_READ | ISC_FSACCESS_WRITE,
&access);
(void)isc_fsaccess_set(filename, access);
/* XXXDCL return value should be checked for full filesystem */
fprintf(fp, "%s v%d.%d\n", PRIVATE_KEY_STR, MAJOR_VERSION,
MINOR_VERSION);
fprintf(fp, "%s %d ", ALGORITHM_STR, dst_key_alg(key));
/* XXXVIX this switch statement is too sparse to gen a jump table. */
switch (dst_key_alg(key)) {
case DST_ALG_RSAMD5:
fprintf(fp, "(RSA)\n");
break;
case DST_ALG_DH:
fprintf(fp, "(DH)\n");
break;
case DST_ALG_DSA:
fprintf(fp, "(DSA)\n");
break;
case DST_ALG_RSASHA1:
fprintf(fp, "(RSASHA1)\n");
break;
case DST_ALG_NSEC3DSA:
fprintf(fp, "(NSEC3DSA)\n");
break;
case DST_ALG_NSEC3RSASHA1:
fprintf(fp, "(NSEC3RSASHA1)\n");
break;
case DST_ALG_RSASHA256:
fprintf(fp, "(RSASHA256)\n");
break;
case DST_ALG_RSASHA512:
fprintf(fp, "(RSASHA512)\n");
break;
case DST_ALG_HMACMD5:
fprintf(fp, "(HMAC_MD5)\n");
break;
case DST_ALG_HMACSHA1:
fprintf(fp, "(HMAC_SHA1)\n");
break;
case DST_ALG_HMACSHA224:
fprintf(fp, "(HMAC_SHA224)\n");
break;
case DST_ALG_HMACSHA256:
fprintf(fp, "(HMAC_SHA256)\n");
break;
case DST_ALG_HMACSHA384:
fprintf(fp, "(HMAC_SHA384)\n");
break;
case DST_ALG_HMACSHA512:
fprintf(fp, "(HMAC_SHA512)\n");
break;
default:
fprintf(fp, "(?)\n");
break;
}
for (i = 0; i < priv->nelements; i++) {
isc_buffer_t b;
isc_region_t r;
const char *s;
s = find_tag(priv->elements[i].tag);
r.base = priv->elements[i].data;
r.length = priv->elements[i].length;
isc_buffer_init(&b, buffer, sizeof(buffer));
iret = isc_base64_totext(&r, sizeof(buffer), "", &b);
if (iret != ISC_R_SUCCESS) {
fclose(fp);
return (DST_R_INVALIDPRIVATEKEY);
}
isc_buffer_usedregion(&b, &r);
fprintf(fp, "%s ", s);
isc_util_fwrite(r.base, 1, r.length, fp);
fprintf(fp, "\n");
}
fflush(fp);
iret = ferror(fp) ? DST_R_WRITEERROR : ISC_R_SUCCESS;
fclose(fp);
return (iret);
}
int
dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex,
isc_mem_t *mctx, dst_private_t *priv)
{
int n = 0, major, minor;
isc_buffer_t b;
isc_token_t token;
unsigned char *data = NULL;
unsigned int opt = ISC_LEXOPT_EOL;
isc_result_t ret;
REQUIRE(priv != NULL);
priv->nelements = 0;
memset(priv->elements, 0, sizeof(priv->elements));
#define NEXTTOKEN(lex, opt, token) \
do { \
ret = isc_lex_gettoken(lex, opt, token); \
if (ret != ISC_R_SUCCESS) \
goto fail; \
} while (0)
#define READLINE(lex, opt, token) \
do { \
ret = isc_lex_gettoken(lex, opt, token); \
if (ret == ISC_R_EOF) \
break; \
else if (ret != ISC_R_SUCCESS) \
goto fail; \
} while ((*token).type != isc_tokentype_eol)
/*
* Read the description line.
*/
NEXTTOKEN(lex, opt, &token);
if (token.type != isc_tokentype_string ||
strcmp(DST_AS_STR(token), PRIVATE_KEY_STR) != 0)
{
ret = DST_R_INVALIDPRIVATEKEY;
goto fail;
}
NEXTTOKEN(lex, opt, &token);
if (token.type != isc_tokentype_string ||
(DST_AS_STR(token))[0] != 'v')
{
ret = DST_R_INVALIDPRIVATEKEY;
goto fail;
}
if (sscanf(DST_AS_STR(token), "v%d.%d", &major, &minor) != 2)
{
ret = DST_R_INVALIDPRIVATEKEY;
goto fail;
}
if (major > MAJOR_VERSION ||
(major == MAJOR_VERSION && minor > MINOR_VERSION))
{
ret = DST_R_INVALIDPRIVATEKEY;
goto fail;
}
READLINE(lex, opt, &token);
/*
* Read the algorithm line.
*/
NEXTTOKEN(lex, opt, &token);
if (token.type != isc_tokentype_string ||
strcmp(DST_AS_STR(token), ALGORITHM_STR) != 0)
{
ret = DST_R_INVALIDPRIVATEKEY;
goto fail;
}
NEXTTOKEN(lex, opt | ISC_LEXOPT_NUMBER, &token);
if (token.type != isc_tokentype_number ||
token.value.as_ulong != (unsigned long) dst_key_alg(key))
{
ret = DST_R_INVALIDPRIVATEKEY;
goto fail;
}
READLINE(lex, opt, &token);
/*
* Read the key data.
*/
for (n = 0; n < MAXFIELDS; n++) {
int tag;
isc_region_t r;
do {
ret = isc_lex_gettoken(lex, opt, &token);
if (ret == ISC_R_EOF)
goto done;
if (ret != ISC_R_SUCCESS)
goto fail;
} while (token.type == isc_tokentype_eol);
if (token.type != isc_tokentype_string) {
ret = DST_R_INVALIDPRIVATEKEY;
goto fail;
}
tag = find_value(DST_AS_STR(token), alg);
if (tag < 0 || TAG_ALG(tag) != alg) {
ret = DST_R_INVALIDPRIVATEKEY;
goto fail;
}
priv->elements[n].tag = tag;
data = (unsigned char *) isc_mem_get(mctx, MAXFIELDSIZE);
if (data == NULL)
goto fail;
isc_buffer_init(&b, data, MAXFIELDSIZE);
ret = isc_base64_tobuffer(lex, &b, -1);
if (ret != ISC_R_SUCCESS)
goto fail;
isc_buffer_usedregion(&b, &r);
priv->elements[n].length = r.length;
priv->elements[n].data = r.base;
READLINE(lex, opt, &token);
data = NULL;
}
done:
priv->nelements = n;
if (check_data(priv, alg, ISC_TRUE) < 0)
goto fail;
return (ISC_R_SUCCESS);
fail:
priv->nelements = n;
dst__privstruct_free(priv, mctx);
if (data != NULL)
isc_mem_put(mctx, data, MAXFIELDSIZE);
return (ret);
}
