Update repub branch u/fanf2/patch to rebasing branch u/fanf2/rebasing revision v9_13_...
[ipreg/bind9.git] / bin / dnssec / dnssectool.c
1 /*
2 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
3 *
4 * This Source Code Form is subject to the terms of the Mozilla Public
5 * License, v. 2.0. If a copy of the MPL was not distributed with this
6 * file, You can obtain one at http://mozilla.org/MPL/2.0/.
7 *
8 * See the COPYRIGHT file distributed with this work for additional
9 * information regarding copyright ownership.
10 */
11
12 /*! \file */
13
14 /*%
15 * DNSSEC Support Routines.
16 */
17
18 #include <inttypes.h>
19 #include <stdbool.h>
20 #include <stdlib.h>
21
22 #ifdef _WIN32
23 #include <Winsock2.h>
24 #endif
25
26 #include <isc/base32.h>
27 #include <isc/buffer.h>
28 #include <isc/commandline.h>
29 #include <isc/dir.h>
30 #include <isc/file.h>
31 #include <isc/heap.h>
32 #include <isc/list.h>
33 #include <isc/mem.h>
34 #include <isc/platform.h>
35 #include <isc/print.h>
36 #include <isc/string.h>
37 #include <isc/time.h>
38 #include <isc/util.h>
39
40 #include <dns/db.h>
41 #include <dns/dbiterator.h>
42 #include <dns/dnssec.h>
43 #include <dns/fixedname.h>
44 #include <dns/keyvalues.h>
45 #include <dns/log.h>
46 #include <dns/name.h>
47 #include <dns/nsec.h>
48 #include <dns/nsec3.h>
49 #include <dns/rdatastruct.h>
50 #include <dns/rdataclass.h>
51 #include <dns/rdataset.h>
52 #include <dns/rdatasetiter.h>
53 #include <dns/rdatatype.h>
54 #include <dns/result.h>
55 #include <dns/secalg.h>
56 #include <dns/time.h>
57
58 #include "dnssectool.h"
59
60 extern int verbose;
61 extern const char *program;
62
63 static fatalcallback_t *fatalcallback = NULL;
64
65 void
66 fatal(const char *format, ...) {
67 va_list args;
68
69 fprintf(stderr, "%s: fatal: ", program);
70 va_start(args, format);
71 vfprintf(stderr, format, args);
72 va_end(args);
73 fprintf(stderr, "\n");
74 if (fatalcallback != NULL)
75 (*fatalcallback)();
76 exit(1);
77 }
78
79 void
80 setfatalcallback(fatalcallback_t *callback) {
81 fatalcallback = callback;
82 }
83
84 void
85 check_result(isc_result_t result, const char *message) {
86 if (result != ISC_R_SUCCESS)
87 fatal("%s: %s", message, isc_result_totext(result));
88 }
89
90 void
91 vbprintf(int level, const char *fmt, ...) {
92 va_list ap;
93 if (level > verbose)
94 return;
95 va_start(ap, fmt);
96 fprintf(stderr, "%s: ", program);
97 vfprintf(stderr, fmt, ap);
98 va_end(ap);
99 }
100
101 void
102 version(const char *name) {
103 fprintf(stderr, "%s %s\n", name, VERSION);
104 exit(0);
105 }
106
107 void
108 sig_format(dns_rdata_rrsig_t *sig, char *cp, unsigned int size) {
109 char namestr[DNS_NAME_FORMATSIZE];
110 char algstr[DNS_NAME_FORMATSIZE];
111
112 dns_name_format(&sig->signer, namestr, sizeof(namestr));
113 dns_secalg_format(sig->algorithm, algstr, sizeof(algstr));
114 snprintf(cp, size, "%s/%s/%d", namestr, algstr, sig->keyid);
115 }
116
117 void
118 setup_logging(isc_mem_t *mctx, isc_log_t **logp) {
119 isc_result_t result;
120 isc_logdestination_t destination;
121 isc_logconfig_t *logconfig = NULL;
122 isc_log_t *log = NULL;
123 int level;
124
125 if (verbose < 0)
126 verbose = 0;
127 switch (verbose) {
128 case 0:
129 /*
130 * We want to see warnings about things like out-of-zone
131 * data in the master file even when not verbose.
132 */
133 level = ISC_LOG_WARNING;
134 break;
135 case 1:
136 level = ISC_LOG_INFO;
137 break;
138 default:
139 level = ISC_LOG_DEBUG(verbose - 2 + 1);
140 break;
141 }
142
143 RUNTIME_CHECK(isc_log_create(mctx, &log, &logconfig) == ISC_R_SUCCESS);
144 isc_log_setcontext(log);
145 dns_log_init(log);
146 dns_log_setcontext(log);
147
148 RUNTIME_CHECK(isc_log_settag(logconfig, program) == ISC_R_SUCCESS);
149
150 /*
151 * Set up a channel similar to default_stderr except:
152 * - the logging level is passed in
153 * - the program name and logging level are printed
154 * - no time stamp is printed
155 */
156 destination.file.stream = stderr;
157 destination.file.name = NULL;
158 destination.file.versions = ISC_LOG_ROLLNEVER;
159 destination.file.maximum_size = 0;
160 result = isc_log_createchannel(logconfig, "stderr",
161 ISC_LOG_TOFILEDESC,
162 level,
163 &destination,
164 ISC_LOG_PRINTTAG|ISC_LOG_PRINTLEVEL);
165 check_result(result, "isc_log_createchannel()");
166
167 RUNTIME_CHECK(isc_log_usechannel(logconfig, "stderr",
168 NULL, NULL) == ISC_R_SUCCESS);
169
170 *logp = log;
171 }
172
173 void
174 cleanup_logging(isc_log_t **logp) {
175 isc_log_t *log;
176
177 REQUIRE(logp != NULL);
178
179 log = *logp;
180 *logp = NULL;
181
182 if (log == NULL)
183 return;
184
185 isc_log_destroy(&log);
186 isc_log_setcontext(NULL);
187 dns_log_setcontext(NULL);
188 }
189
190 static isc_stdtime_t
191 time_units(isc_stdtime_t offset, char *suffix, const char *str) {
192 switch (suffix[0]) {
193 case 'Y': case 'y':
194 return (offset * (365 * 24 * 3600));
195 case 'M': case 'm':
196 switch (suffix[1]) {
197 case 'O': case 'o':
198 return (offset * (30 * 24 * 3600));
199 case 'I': case 'i':
200 return (offset * 60);
201 case '\0':
202 fatal("'%s' ambiguous: use 'mi' for minutes "
203 "or 'mo' for months", str);
204 default:
205 fatal("time value %s is invalid", str);
206 }
207 /* NOTREACHED */
208 break;
209 case 'W': case 'w':
210 return (offset * (7 * 24 * 3600));
211 case 'D': case 'd':
212 return (offset * (24 * 3600));
213 case 'H': case 'h':
214 return (offset * 3600);
215 case 'S': case 's': case '\0':
216 return (offset);
217 default:
218 fatal("time value %s is invalid", str);
219 }
220 /* NOTREACHED */
221 return(0); /* silence compiler warning */
222 }
223
224 static inline bool
225 isnone(const char *str) {
226 return ((strcasecmp(str, "none") == 0) ||
227 (strcasecmp(str, "never") == 0));
228 }
229
230 dns_ttl_t
231 strtottl(const char *str) {
232 const char *orig = str;
233 dns_ttl_t ttl;
234 char *endp;
235
236 if (isnone(str))
237 return ((dns_ttl_t) 0);
238
239 ttl = strtol(str, &endp, 0);
240 if (ttl == 0 && endp == str)
241 fatal("TTL must be numeric");
242 ttl = time_units(ttl, endp, orig);
243 return (ttl);
244 }
245
246 isc_stdtime_t
247 strtotime(const char *str, int64_t now, int64_t base,
248 bool *setp)
249 {
250 int64_t val, offset;
251 isc_result_t result;
252 const char *orig = str;
253 char *endp;
254 size_t n;
255
256 if (isnone(str)) {
257 if (setp != NULL)
258 *setp = false;
259 return ((isc_stdtime_t) 0);
260 }
261
262 if (setp != NULL)
263 *setp = true;
264
265 if ((str[0] == '0' || str[0] == '-') && str[1] == '\0')
266 return ((isc_stdtime_t) 0);
267
268 /*
269 * We accept times in the following formats:
270 * now([+-]offset)
271 * YYYYMMDD([+-]offset)
272 * YYYYMMDDhhmmss([+-]offset)
273 * [+-]offset
274 */
275 n = strspn(str, "0123456789");
276 if ((n == 8u || n == 14u) &&
277 (str[n] == '\0' || str[n] == '-' || str[n] == '+'))
278 {
279 char timestr[15];
280
281 strlcpy(timestr, str, sizeof(timestr));
282 timestr[n] = 0;
283 if (n == 8u)
284 strlcat(timestr, "000000", sizeof(timestr));
285 result = dns_time64_fromtext(timestr, &val);
286 if (result != ISC_R_SUCCESS)
287 fatal("time value %s is invalid: %s", orig,
288 isc_result_totext(result));
289 base = val;
290 str += n;
291 } else if (strncmp(str, "now", 3) == 0) {
292 base = now;
293 str += 3;
294 }
295
296 if (str[0] == '\0')
297 return ((isc_stdtime_t) base);
298 else if (str[0] == '+') {
299 offset = strtol(str + 1, &endp, 0);
300 offset = time_units((isc_stdtime_t) offset, endp, orig);
301 val = base + offset;
302 } else if (str[0] == '-') {
303 offset = strtol(str + 1, &endp, 0);
304 offset = time_units((isc_stdtime_t) offset, endp, orig);
305 val = base - offset;
306 } else
307 fatal("time value %s is invalid", orig);
308
309 return ((isc_stdtime_t) val);
310 }
311
312 dns_rdataclass_t
313 strtoclass(const char *str) {
314 isc_textregion_t r;
315 dns_rdataclass_t rdclass;
316 isc_result_t ret;
317
318 if (str == NULL)
319 return dns_rdataclass_in;
320 DE_CONST(str, r.base);
321 r.length = strlen(str);
322 ret = dns_rdataclass_fromtext(&rdclass, &r);
323 if (ret != ISC_R_SUCCESS)
324 fatal("unknown class %s", str);
325 return (rdclass);
326 }
327
328 unsigned int
329 strtodsdigest(const char *algname) {
330 if (strcasecmp(algname, "SHA1") == 0 ||
331 strcasecmp(algname, "SHA-1") == 0)
332 {
333 return (DNS_DSDIGEST_SHA1);
334 } else if (strcasecmp(algname, "SHA256") == 0 ||
335 strcasecmp(algname, "SHA-256") == 0)
336 {
337 return (DNS_DSDIGEST_SHA256);
338 } else if (strcasecmp(algname, "SHA384") == 0 ||
339 strcasecmp(algname, "SHA-384") == 0)
340 {
341 return (DNS_DSDIGEST_SHA384);
342 } else {
343 fatal("unknown algorithm %s", algname);
344 }
345 }
346
347 isc_result_t
348 try_dir(const char *dirname) {
349 isc_result_t result;
350 isc_dir_t d;
351
352 isc_dir_init(&d);
353 result = isc_dir_open(&d, dirname);
354 if (result == ISC_R_SUCCESS) {
355 isc_dir_close(&d);
356 }
357 return (result);
358 }
359
360 /*
361 * Check private key version compatibility.
362 */
363 void
364 check_keyversion(dst_key_t *key, char *keystr) {
365 int major, minor;
366 dst_key_getprivateformat(key, &major, &minor);
367 INSIST(major <= DST_MAJOR_VERSION); /* invalid private key */
368
369 if (major < DST_MAJOR_VERSION || minor < DST_MINOR_VERSION)
370 fatal("Key %s has incompatible format version %d.%d, "
371 "use -f to force upgrade to new version.",
372 keystr, major, minor);
373 if (minor > DST_MINOR_VERSION)
374 fatal("Key %s has incompatible format version %d.%d, "
375 "use -f to force downgrade to current version.",
376 keystr, major, minor);
377 }
378
379 void
380 set_keyversion(dst_key_t *key) {
381 int major, minor;
382 dst_key_getprivateformat(key, &major, &minor);
383 INSIST(major <= DST_MAJOR_VERSION);
384
385 if (major != DST_MAJOR_VERSION || minor != DST_MINOR_VERSION)
386 dst_key_setprivateformat(key, DST_MAJOR_VERSION,
387 DST_MINOR_VERSION);
388
389 /*
390 * If the key is from a version older than 1.3, set
391 * set the creation date
392 */
393 if (major < 1 || (major == 1 && minor <= 2)) {
394 isc_stdtime_t now;
395 isc_stdtime_get(&now);
396 dst_key_settime(key, DST_TIME_CREATED, now);
397 }
398 }
399
400 bool
401 key_collision(dst_key_t *dstkey, dns_name_t *name, const char *dir,
402 isc_mem_t *mctx, bool *exact)
403 {
404 isc_result_t result;
405 bool conflict = false;
406 dns_dnsseckeylist_t matchkeys;
407 dns_dnsseckey_t *key = NULL;
408 uint16_t id, oldid;
409 uint32_t rid, roldid;
410 dns_secalg_t alg;
411 char filename[NAME_MAX];
412 isc_buffer_t fileb;
413 isc_stdtime_t now;
414
415 if (exact != NULL)
416 *exact = false;
417
418 id = dst_key_id(dstkey);
419 rid = dst_key_rid(dstkey);
420 alg = dst_key_alg(dstkey);
421
422 /*
423 * For Diffie Hellman just check if there is a direct collision as
424 * they can't be revoked. Additionally dns_dnssec_findmatchingkeys
425 * only handles DNSKEY which is not used for HMAC.
426 */
427 if (alg == DST_ALG_DH) {
428 isc_buffer_init(&fileb, filename, sizeof(filename));
429 result = dst_key_buildfilename(dstkey, DST_TYPE_PRIVATE,
430 dir, &fileb);
431 if (result != ISC_R_SUCCESS)
432 return (true);
433 return (isc_file_exists(filename));
434 }
435
436 ISC_LIST_INIT(matchkeys);
437 isc_stdtime_get(&now);
438 result = dns_dnssec_findmatchingkeys(name, dir, now, mctx, &matchkeys);
439 if (result == ISC_R_NOTFOUND)
440 return (false);
441
442 while (!ISC_LIST_EMPTY(matchkeys) && !conflict) {
443 key = ISC_LIST_HEAD(matchkeys);
444 if (dst_key_alg(key->key) != alg)
445 goto next;
446
447 oldid = dst_key_id(key->key);
448 roldid = dst_key_rid(key->key);
449
450 if (oldid == rid || roldid == id || id == oldid) {
451 conflict = true;
452 if (id != oldid) {
453 if (verbose > 1)
454 fprintf(stderr, "Key ID %d could "
455 "collide with %d\n",
456 id, oldid);
457 } else {
458 if (exact != NULL)
459 *exact = true;
460 if (verbose > 1)
461 fprintf(stderr, "Key ID %d exists\n",
462 id);
463 }
464 }
465
466 next:
467 ISC_LIST_UNLINK(matchkeys, key, link);
468 dns_dnsseckey_destroy(mctx, &key);
469 }
470
471 /* Finish freeing the list */
472 while (!ISC_LIST_EMPTY(matchkeys)) {
473 key = ISC_LIST_HEAD(matchkeys);
474 ISC_LIST_UNLINK(matchkeys, key, link);
475 dns_dnsseckey_destroy(mctx, &key);
476 }
477
478 return (conflict);
479 }
480
481 bool
482 isoptarg(const char *arg, char **argv, void(*usage)(void)) {
483 if (!strcasecmp(isc_commandline_argument, arg)) {
484 if (argv[isc_commandline_index] == NULL) {
485 fprintf(stderr, "%s: missing argument -%c %s\n",
486 program, isc_commandline_option,
487 isc_commandline_argument);
488 usage();
489 }
490 isc_commandline_argument = argv[isc_commandline_index];
491 /* skip to next arguement */
492 isc_commandline_index++;
493 return (true);
494 }
495 return (false);
496 }
497
498 #ifdef _WIN32
499 void
500 InitSockets(void) {
501 WORD wVersionRequested;
502 WSADATA wsaData;
503 int err;
504
505 wVersionRequested = MAKEWORD(2, 0);
506
507 err = WSAStartup( wVersionRequested, &wsaData );
508 if (err != 0) {
509 fprintf(stderr, "WSAStartup() failed: %d\n", err);
510 exit(1);
511 }
512 }
513
514 void
515 DestroySockets(void) {
516 WSACleanup();
517 }
518 #endif