mirror of
https://github.com/isc-projects/bind9.git
synced 2026-05-23 10:37:43 -04:00
2393be779c
The -C option, introduced in BIND 9.7, caused a backward-compatible key to be generated, using private key format version 1.2, omitting the creation date and other timing metadata. This made it possible to generate keys that could be loaded by older versions of BIND. Those older versions having reached end of life many years ago, the option can now be removed, along with the "dnssec-settime -f" option, which caused old-style keys to be upgraded.
659 lines
14 KiB
C
659 lines
14 KiB
C
/*
|
|
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
|
*
|
|
* SPDX-License-Identifier: MPL-2.0
|
|
*
|
|
* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
|
|
*
|
|
* See the COPYRIGHT file distributed with this work for additional
|
|
* information regarding copyright ownership.
|
|
*/
|
|
|
|
/*! \file */
|
|
|
|
/*%
|
|
* DNSSEC Support Routines.
|
|
*/
|
|
|
|
#include <inttypes.h>
|
|
#include <stdbool.h>
|
|
#include <stdlib.h>
|
|
#include <unistd.h>
|
|
|
|
#include <isc/base32.h>
|
|
#include <isc/buffer.h>
|
|
#include <isc/commandline.h>
|
|
#include <isc/dir.h>
|
|
#include <isc/heap.h>
|
|
#include <isc/list.h>
|
|
#include <isc/log.h>
|
|
#include <isc/mem.h>
|
|
#include <isc/result.h>
|
|
#include <isc/string.h>
|
|
#include <isc/time.h>
|
|
#include <isc/tls.h>
|
|
#include <isc/tm.h>
|
|
#include <isc/util.h>
|
|
|
|
#include <dns/db.h>
|
|
#include <dns/dbiterator.h>
|
|
#include <dns/dnssec.h>
|
|
#include <dns/fixedname.h>
|
|
#include <dns/journal.h>
|
|
#include <dns/keyvalues.h>
|
|
#include <dns/name.h>
|
|
#include <dns/nsec.h>
|
|
#include <dns/nsec3.h>
|
|
#include <dns/rdataclass.h>
|
|
#include <dns/rdataset.h>
|
|
#include <dns/rdatasetiter.h>
|
|
#include <dns/rdatastruct.h>
|
|
#include <dns/rdatatype.h>
|
|
#include <dns/secalg.h>
|
|
#include <dns/time.h>
|
|
|
|
#include "dnssectool.h"
|
|
|
|
#define KEYSTATES_NVALUES 4
|
|
static const char *keystates[KEYSTATES_NVALUES] = {
|
|
"hidden",
|
|
"rumoured",
|
|
"omnipresent",
|
|
"unretentive",
|
|
};
|
|
|
|
int verbose = 0;
|
|
bool quiet = false;
|
|
const char *journal = NULL;
|
|
dns_dsdigest_t dtype[8];
|
|
|
|
static fatalcallback_t *fatalcallback = NULL;
|
|
|
|
void
|
|
fatal(const char *format, ...) {
|
|
va_list args;
|
|
|
|
fprintf(stderr, "%s: fatal: ", isc_commandline_progname);
|
|
va_start(args, format);
|
|
vfprintf(stderr, format, args);
|
|
va_end(args);
|
|
fprintf(stderr, "\n");
|
|
if (fatalcallback != NULL) {
|
|
(*fatalcallback)();
|
|
}
|
|
_exit(EXIT_FAILURE);
|
|
}
|
|
|
|
void
|
|
setfatalcallback(fatalcallback_t *callback) {
|
|
fatalcallback = callback;
|
|
}
|
|
|
|
void
|
|
check_result(isc_result_t result, const char *message) {
|
|
if (result != ISC_R_SUCCESS) {
|
|
fatal("%s: %s", message, isc_result_totext(result));
|
|
}
|
|
}
|
|
|
|
void
|
|
vbprintf(int level, const char *fmt, ...) {
|
|
va_list ap;
|
|
if (level > verbose) {
|
|
return;
|
|
}
|
|
va_start(ap, fmt);
|
|
fprintf(stderr, "%s: ", isc_commandline_progname);
|
|
vfprintf(stderr, fmt, ap);
|
|
va_end(ap);
|
|
}
|
|
|
|
void
|
|
version(const char *name) {
|
|
printf("%s %s\n", name, PACKAGE_VERSION);
|
|
exit(EXIT_SUCCESS);
|
|
}
|
|
|
|
void
|
|
sig_format(dns_rdata_rrsig_t *sig, char *cp, unsigned int size) {
|
|
char namestr[DNS_NAME_FORMATSIZE];
|
|
char algstr[DNS_NAME_FORMATSIZE];
|
|
dst_algorithm_t algorithm = dst_algorithm_fromdata(
|
|
sig->algorithm, sig->signature, sig->siglen);
|
|
|
|
dns_name_format(&sig->signer, namestr, sizeof(namestr));
|
|
dst_algorithm_format(algorithm, algstr, sizeof(algstr));
|
|
snprintf(cp, size, "%s/%s/%d", namestr, algstr, sig->keyid);
|
|
}
|
|
|
|
void
|
|
setup_logging(void) {
|
|
isc_logconfig_t *logconfig = NULL;
|
|
int level;
|
|
|
|
if (verbose < 0) {
|
|
verbose = 0;
|
|
}
|
|
switch (verbose) {
|
|
case 0:
|
|
/*
|
|
* We want to see warnings about things like out-of-zone
|
|
* data in the master file even when not verbose.
|
|
*/
|
|
level = ISC_LOG_WARNING;
|
|
break;
|
|
case 1:
|
|
level = ISC_LOG_INFO;
|
|
break;
|
|
default:
|
|
level = ISC_LOG_DEBUG(verbose - 2 + 1);
|
|
break;
|
|
}
|
|
|
|
logconfig = isc_logconfig_get();
|
|
|
|
isc_log_settag(logconfig, isc_commandline_progname);
|
|
|
|
/*
|
|
* Set up a channel similar to default_stderr except:
|
|
* - the logging level is passed in
|
|
* - the program name and logging level are printed
|
|
* - no time stamp is printed
|
|
*/
|
|
isc_log_createandusechannel(
|
|
logconfig, "default_stderr", ISC_LOG_TOFILEDESC, level,
|
|
ISC_LOGDESTINATION_STDERR,
|
|
ISC_LOG_PRINTTAG | ISC_LOG_PRINTLEVEL, ISC_LOGCATEGORY_DEFAULT,
|
|
ISC_LOGMODULE_DEFAULT);
|
|
}
|
|
|
|
static isc_stdtime_t
|
|
time_units(isc_stdtime_t offset, char *suffix, const char *str) {
|
|
switch (suffix[0]) {
|
|
case 'Y':
|
|
case 'y':
|
|
return offset * (365 * 24 * 3600);
|
|
case 'M':
|
|
case 'm':
|
|
switch (suffix[1]) {
|
|
case 'O':
|
|
case 'o':
|
|
return offset * (30 * 24 * 3600);
|
|
case 'I':
|
|
case 'i':
|
|
return offset * 60;
|
|
case '\0':
|
|
fatal("'%s' ambiguous: use 'mi' for minutes "
|
|
"or 'mo' for months",
|
|
str);
|
|
default:
|
|
fatal("time value %s is invalid", str);
|
|
}
|
|
UNREACHABLE();
|
|
break;
|
|
case 'W':
|
|
case 'w':
|
|
return offset * (7 * 24 * 3600);
|
|
case 'D':
|
|
case 'd':
|
|
return offset * (24 * 3600);
|
|
case 'H':
|
|
case 'h':
|
|
return offset * 3600;
|
|
case 'S':
|
|
case 's':
|
|
case '\0':
|
|
return offset;
|
|
default:
|
|
fatal("time value %s is invalid", str);
|
|
}
|
|
UNREACHABLE();
|
|
return 0; /* silence compiler warning */
|
|
}
|
|
|
|
static bool
|
|
isnone(const char *str) {
|
|
return (strcasecmp(str, "none") == 0) ||
|
|
(strcasecmp(str, "never") == 0) ||
|
|
(strcasecmp(str, "unset") == 0);
|
|
}
|
|
|
|
dns_ttl_t
|
|
strtottl(const char *str) {
|
|
const char *orig = str;
|
|
dns_ttl_t ttl;
|
|
char *endp;
|
|
|
|
if (isnone(str)) {
|
|
return (dns_ttl_t)0;
|
|
}
|
|
|
|
ttl = strtol(str, &endp, 0);
|
|
if (ttl == 0 && endp == str) {
|
|
fatal("TTL must be numeric");
|
|
}
|
|
ttl = time_units(ttl, endp, orig);
|
|
return ttl;
|
|
}
|
|
|
|
dst_key_state_t
|
|
strtokeystate(const char *str) {
|
|
if (isnone(str)) {
|
|
return DST_KEY_STATE_NA;
|
|
}
|
|
|
|
for (int i = 0; i < KEYSTATES_NVALUES; i++) {
|
|
if (keystates[i] != NULL && strcasecmp(str, keystates[i]) == 0)
|
|
{
|
|
return (dst_key_state_t)i;
|
|
}
|
|
}
|
|
fatal("unknown key state %s", str);
|
|
}
|
|
|
|
isc_stdtime_t
|
|
strtotime(const char *str, int64_t now, int64_t base, bool *setp) {
|
|
int64_t val, offset;
|
|
isc_result_t result;
|
|
const char *orig = str;
|
|
char *endp;
|
|
size_t n;
|
|
struct tm tm;
|
|
|
|
if (isnone(str)) {
|
|
SET_IF_NOT_NULL(setp, false);
|
|
return (isc_stdtime_t)0;
|
|
}
|
|
|
|
SET_IF_NOT_NULL(setp, true);
|
|
|
|
if ((str[0] == '0' || str[0] == '-') && str[1] == '\0') {
|
|
return (isc_stdtime_t)0;
|
|
}
|
|
|
|
/*
|
|
* We accept times in the following formats:
|
|
* now([+-]offset)
|
|
* YYYYMMDD([+-]offset)
|
|
* YYYYMMDDhhmmss([+-]offset)
|
|
* Day Mon DD HH:MM:SS YYYY([+-]offset)
|
|
* 1234567890([+-]offset)
|
|
* [+-]offset
|
|
*/
|
|
n = strspn(str, "0123456789");
|
|
if ((n == 8u || n == 14u) &&
|
|
(str[n] == '\0' || str[n] == '-' || str[n] == '+'))
|
|
{
|
|
char timestr[15];
|
|
|
|
strlcpy(timestr, str, sizeof(timestr));
|
|
timestr[n] = 0;
|
|
if (n == 8u) {
|
|
strlcat(timestr, "000000", sizeof(timestr));
|
|
}
|
|
result = dns_time64_fromtext(timestr, &val);
|
|
if (result != ISC_R_SUCCESS) {
|
|
fatal("time value %s is invalid: %s", orig,
|
|
isc_result_totext(result));
|
|
}
|
|
base = val;
|
|
str += n;
|
|
} else if (n == 10u &&
|
|
(str[n] == '\0' || str[n] == '-' || str[n] == '+'))
|
|
{
|
|
base = strtoll(str, &endp, 0);
|
|
str += 10;
|
|
} else if (strncmp(str, "now", 3) == 0) {
|
|
base = now;
|
|
str += 3;
|
|
} else if (str[0] >= 'A' && str[0] <= 'Z') {
|
|
/* parse ctime() format as written by `dnssec-settime -p` */
|
|
endp = isc_tm_strptime(str, "%a %b %d %H:%M:%S %Y", &tm);
|
|
if (endp != str + 24) {
|
|
fatal("time value %s is invalid", orig);
|
|
}
|
|
base = mktime(&tm);
|
|
str += 24;
|
|
}
|
|
|
|
if (str[0] == '\0') {
|
|
return (isc_stdtime_t)base;
|
|
} else if (str[0] == '+') {
|
|
offset = strtol(str + 1, &endp, 0);
|
|
offset = time_units((isc_stdtime_t)offset, endp, orig);
|
|
val = base + offset;
|
|
} else if (str[0] == '-') {
|
|
offset = strtol(str + 1, &endp, 0);
|
|
offset = time_units((isc_stdtime_t)offset, endp, orig);
|
|
val = base - offset;
|
|
} else {
|
|
fatal("time value %s is invalid", orig);
|
|
}
|
|
|
|
return (isc_stdtime_t)val;
|
|
}
|
|
|
|
dns_rdataclass_t
|
|
strtoclass(const char *str) {
|
|
isc_textregion_t r;
|
|
dns_rdataclass_t rdclass;
|
|
isc_result_t result;
|
|
|
|
if (str == NULL) {
|
|
return dns_rdataclass_in;
|
|
}
|
|
r.base = UNCONST(str);
|
|
r.length = strlen(str);
|
|
result = dns_rdataclass_fromtext(&rdclass, &r);
|
|
if (result != ISC_R_SUCCESS) {
|
|
fatal("unknown class %s", str);
|
|
}
|
|
return rdclass;
|
|
}
|
|
|
|
unsigned int
|
|
strtodsdigest(const char *str) {
|
|
isc_textregion_t r;
|
|
dns_dsdigest_t alg;
|
|
isc_result_t result;
|
|
|
|
r.base = UNCONST(str);
|
|
r.length = strlen(str);
|
|
result = dns_dsdigest_fromtext(&alg, &r);
|
|
if (result != ISC_R_SUCCESS) {
|
|
fatal("unknown DS digest %s", str);
|
|
}
|
|
if (!dst_ds_digest_supported(alg)) {
|
|
fatal("unsupported DS digest %s", str);
|
|
}
|
|
return alg;
|
|
}
|
|
|
|
static int
|
|
cmp_dtype(const void *ap, const void *bp) {
|
|
int a = *(const uint8_t *)ap;
|
|
int b = *(const uint8_t *)bp;
|
|
return a - b;
|
|
}
|
|
|
|
void
|
|
add_dtype(unsigned int dt) {
|
|
unsigned int i, n;
|
|
|
|
/* ensure there is space for a zero terminator */
|
|
n = sizeof(dtype) / sizeof(dtype[0]) - 1;
|
|
for (i = 0; i < n; i++) {
|
|
if (dtype[i] == dt) {
|
|
return;
|
|
}
|
|
if (dtype[i] == 0) {
|
|
dtype[i] = dt;
|
|
qsort(dtype, i + 1, 1, cmp_dtype);
|
|
return;
|
|
}
|
|
}
|
|
fatal("too many -a digest type arguments");
|
|
}
|
|
|
|
isc_result_t
|
|
try_dir(const char *dirname) {
|
|
isc_result_t result;
|
|
isc_dir_t d;
|
|
|
|
isc_dir_init(&d);
|
|
result = isc_dir_open(&d, dirname);
|
|
if (result == ISC_R_SUCCESS) {
|
|
isc_dir_close(&d);
|
|
}
|
|
return result;
|
|
}
|
|
|
|
/*
|
|
* Check private key version compatibility.
|
|
*/
|
|
void
|
|
check_keyversion(dst_key_t *key, char *keystr) {
|
|
int major, minor;
|
|
dst_key_getprivateformat(key, &major, &minor);
|
|
INSIST(major <= DST_MAJOR_VERSION); /* invalid private key */
|
|
|
|
if (major < DST_MAJOR_VERSION || minor < DST_MINOR_VERSION) {
|
|
fatal("Key %s has incompatible format version %d.%d, "
|
|
"use -f to force upgrade to new version.",
|
|
keystr, major, minor);
|
|
}
|
|
if (minor > DST_MINOR_VERSION) {
|
|
fatal("Key %s has incompatible format version %d.%d, "
|
|
"use -f to force downgrade to current version.",
|
|
keystr, major, minor);
|
|
}
|
|
}
|
|
|
|
bool
|
|
key_collision(dst_key_t *dstkey, dns_name_t *name, const char *dir,
|
|
isc_mem_t *mctx, uint16_t min, uint16_t max, bool *exact) {
|
|
isc_result_t result;
|
|
bool conflict = false;
|
|
dns_dnsseckeylist_t matchkeys;
|
|
dns_dnsseckey_t *key = NULL;
|
|
uint16_t id, oldid;
|
|
uint32_t rid, roldid;
|
|
dns_secalg_t alg;
|
|
isc_stdtime_t now = isc_stdtime_now();
|
|
|
|
SET_IF_NOT_NULL(exact, false);
|
|
|
|
id = dst_key_id(dstkey);
|
|
rid = dst_key_rid(dstkey);
|
|
alg = dst_key_alg(dstkey);
|
|
|
|
if (min != max) {
|
|
if (id < min || id > max) {
|
|
fprintf(stderr, "Key ID %d outside of [%u..%u]\n", id,
|
|
min, max);
|
|
return true;
|
|
}
|
|
if (rid < min || rid > max) {
|
|
fprintf(stderr,
|
|
"Revoked Key ID %d (for tag %d) outside of "
|
|
"[%u..%u]\n",
|
|
rid, id, min, max);
|
|
return true;
|
|
}
|
|
}
|
|
|
|
ISC_LIST_INIT(matchkeys);
|
|
bool keykey = false;
|
|
|
|
/*
|
|
* DNSKEY and KEY both use the same file names patterns so
|
|
* we have to look for both sets of keys.
|
|
*/
|
|
again:
|
|
result = dns_dnssec_findmatchingkeys(name, NULL, dir, NULL, now, keykey,
|
|
mctx, &matchkeys);
|
|
if (result == ISC_R_NOTFOUND) {
|
|
goto try_key;
|
|
}
|
|
|
|
while (!ISC_LIST_EMPTY(matchkeys) && !conflict) {
|
|
key = ISC_LIST_HEAD(matchkeys);
|
|
if (dst_key_alg(key->key) != alg) {
|
|
goto next;
|
|
}
|
|
|
|
oldid = dst_key_id(key->key);
|
|
roldid = dst_key_rid(key->key);
|
|
|
|
if (oldid == rid || roldid == id || id == oldid) {
|
|
conflict = true;
|
|
if (id != oldid) {
|
|
if (verbose > 1) {
|
|
fprintf(stderr,
|
|
"Key ID %d could "
|
|
"collide with %d\n",
|
|
id, oldid);
|
|
}
|
|
} else {
|
|
SET_IF_NOT_NULL(exact, true);
|
|
if (verbose > 1) {
|
|
fprintf(stderr, "Key ID %d exists\n",
|
|
id);
|
|
}
|
|
}
|
|
}
|
|
|
|
next:
|
|
ISC_LIST_UNLINK(matchkeys, key, link);
|
|
dns_dnsseckey_destroy(mctx, &key);
|
|
}
|
|
|
|
/* Finish freeing the list */
|
|
while (!ISC_LIST_EMPTY(matchkeys)) {
|
|
key = ISC_LIST_HEAD(matchkeys);
|
|
ISC_LIST_UNLINK(matchkeys, key, link);
|
|
dns_dnsseckey_destroy(mctx, &key);
|
|
}
|
|
|
|
try_key:
|
|
if (!conflict && !keykey) {
|
|
keykey = true;
|
|
goto again;
|
|
}
|
|
return conflict;
|
|
}
|
|
|
|
bool
|
|
isoptarg(const char *arg, char **argv, void (*usage)(int ret)) {
|
|
if (!strcasecmp(isc_commandline_argument, arg)) {
|
|
if (argv[isc_commandline_index] == NULL) {
|
|
fprintf(stderr, "%s: missing argument -%c %s\n",
|
|
isc_commandline_progname,
|
|
isc_commandline_option,
|
|
isc_commandline_argument);
|
|
usage(EXIT_FAILURE);
|
|
}
|
|
isc_commandline_argument = argv[isc_commandline_index];
|
|
/* skip to next argument */
|
|
isc_commandline_index++;
|
|
return true;
|
|
}
|
|
return false;
|
|
}
|
|
|
|
void
|
|
loadjournal(isc_mem_t *mctx, dns_db_t *db, const char *file) {
|
|
dns_journal_t *jnl = NULL;
|
|
isc_result_t result;
|
|
|
|
result = dns_journal_open(mctx, file, DNS_JOURNAL_READ, &jnl);
|
|
if (result == ISC_R_NOTFOUND) {
|
|
fprintf(stderr, "%s: journal file %s not found\n",
|
|
isc_commandline_progname, file);
|
|
goto cleanup;
|
|
} else if (result != ISC_R_SUCCESS) {
|
|
fatal("unable to open journal %s: %s\n", file,
|
|
isc_result_totext(result));
|
|
}
|
|
|
|
if (dns_journal_empty(jnl)) {
|
|
dns_journal_destroy(&jnl);
|
|
return;
|
|
}
|
|
|
|
result = dns_journal_rollforward(jnl, db, 0);
|
|
switch (result) {
|
|
case ISC_R_SUCCESS:
|
|
case DNS_R_UPTODATE:
|
|
break;
|
|
|
|
case ISC_R_NOTFOUND:
|
|
case ISC_R_RANGE:
|
|
fatal("journal %s out of sync with zone", file);
|
|
|
|
default:
|
|
fatal("journal %s: %s\n", file, isc_result_totext(result));
|
|
}
|
|
|
|
cleanup:
|
|
dns_journal_destroy(&jnl);
|
|
}
|
|
|
|
void
|
|
kasp_from_conf(cfg_obj_t *config, isc_mem_t *mctx, const char *name,
|
|
const char *keydir, dns_kasp_t **kaspp) {
|
|
isc_result_t result = ISC_R_NOTFOUND;
|
|
const cfg_obj_t *kasps = NULL;
|
|
dns_kasplist_t kasplist;
|
|
const cfg_obj_t *keystores = NULL;
|
|
dns_keystore_t *keystore = NULL;
|
|
dns_keystorelist_t kslist;
|
|
unsigned int options = (ISCCFG_KASPCONF_CHECK_ALGORITHMS |
|
|
ISCCFG_KASPCONF_CHECK_KEYLIST |
|
|
ISCCFG_KASPCONF_LOG_ERRORS);
|
|
|
|
ISC_LIST_INIT(kasplist);
|
|
ISC_LIST_INIT(kslist);
|
|
|
|
(void)cfg_map_get(config, "key-store", &keystores);
|
|
CFG_LIST_FOREACH(keystores, element) {
|
|
cfg_obj_t *kconfig = cfg_listelt_value(element);
|
|
result = cfg_keystore_fromconfig(kconfig, mctx, &kslist, NULL);
|
|
if (result != ISC_R_SUCCESS) {
|
|
fatal("failed to configure key-store '%s': %s",
|
|
cfg_obj_asstring(cfg_tuple_get(kconfig, "name")),
|
|
isc_result_totext(result));
|
|
}
|
|
}
|
|
/* Default key-directory key store. */
|
|
(void)cfg_keystore_fromconfig(NULL, mctx, &kslist, &keystore);
|
|
INSIST(keystore != NULL);
|
|
if (keydir != NULL) {
|
|
/* '-K keydir' takes priority */
|
|
dns_keystore_setdirectory(keystore, keydir);
|
|
}
|
|
dns_keystore_detach(&keystore);
|
|
|
|
(void)cfg_map_get(config, "dnssec-policy", &kasps);
|
|
CFG_LIST_FOREACH(kasps, element) {
|
|
dns_kasp_t *kasp = NULL;
|
|
|
|
cfg_obj_t *kconfig = cfg_listelt_value(element);
|
|
if (strcmp(cfg_obj_asstring(cfg_tuple_get(kconfig, "name")),
|
|
name) != 0)
|
|
{
|
|
continue;
|
|
}
|
|
|
|
result = cfg_kasp_fromconfig(kconfig, NULL, options, mctx,
|
|
&kslist, &kasplist, &kasp);
|
|
if (result != ISC_R_SUCCESS) {
|
|
fatal("failed to configure dnssec-policy '%s': %s",
|
|
cfg_obj_asstring(cfg_tuple_get(kconfig, "name")),
|
|
isc_result_totext(result));
|
|
}
|
|
INSIST(kasp != NULL);
|
|
dns_kasp_freeze(kasp);
|
|
|
|
*kaspp = kasp;
|
|
break;
|
|
}
|
|
|
|
/*
|
|
* Cleanup kasp list.
|
|
*/
|
|
ISC_LIST_FOREACH(kasplist, kasp, link) {
|
|
ISC_LIST_UNLINK(kasplist, kasp, link);
|
|
dns_kasp_detach(&kasp);
|
|
}
|
|
|
|
/*
|
|
* Cleanup keystore list.
|
|
*/
|
|
ISC_LIST_FOREACH(kslist, ks, link) {
|
|
ISC_LIST_UNLINK(kslist, ks, link);
|
|
dns_keystore_detach(&ks);
|
|
}
|
|
}
|