signer.c revision 2d478b7049ae12dcd610e497424d85fc46de4a02
/*
* Copyright (C) 1999, 2000 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
* ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
* CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
* DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
* PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
* ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
* SOFTWARE.
*/
#include <config.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <isc/assertions.h>
#include <isc/commandline.h>
#include <dns/fixedname.h>
#include <dns/dbiterator.h>
#include <dns/rdatalist.h>
#include <dns/rdataset.h>
#include <dns/rdatasetiter.h>
#include <dns/rdatastruct.h>
#include <dns/rdatatype.h>
#include <dns/keyvalues.h>
#define BUFSIZE 2048
typedef struct signer_key_struct signer_key_t;
typedef struct signer_array_struct signer_array_t;
struct signer_key_struct {
};
struct signer_array_struct {
};
int cycle = -1;
int verbose;
static inline void
exit(1);
}
static inline void
if (result != ISC_R_SUCCESS) {
exit(1);
}
}
static void
return;
}
/* Not thread-safe! */
static char *
isc_buffer_t b;
isc_region_t r;
static char data[1025];
isc_buffer_used(&b, &r);
return (char *) r.base;
}
/* Not thread-safe! */
static char *
isc_buffer_t b;
isc_region_t r;
static char data[10];
dns_rdatatype_totext(type, &b);
isc_buffer_used(&b, &r);
return (char *) r.base;
}
/* Not thread-safe! */
static char *
isc_buffer_t b;
isc_region_t r;
static char data[10];
dns_secalg_totext(alg, &b);
isc_buffer_used(&b, &r);
return (char *) r.base;
}
static inline void
if (bit)
else
}
static void
{
#if 0
/* Verify the data. This won't work if the start time is reset */
#endif
}
static inline isc_boolean_t
}
static inline isc_boolean_t
char origin[1024];
isc_buffer_t b;
}
/*
* Finds the key that generated a SIG, if possible. First look at the keys
* that we've loaded already, and then see if there's a key on disk.
*/
static signer_key_t *
char *keyname;
return key;
}
if (result != ISC_R_SUCCESS)
return (NULL);
if (result == ISC_R_SUCCESS) {
}
else
return key;
}
/*
* Check to see if we expect to find a key at this name. If we see a SIG
* and can't find the signing key that we expect to find, we drop the sig.
* I'm not sure if this is completely correct, but it seems to work.
*/
static isc_boolean_t
unsigned int options = DNS_DBFIND_NOWILD;
switch (result) {
case DNS_R_SUCCESS:
case DNS_R_NXDOMAIN:
case DNS_R_NXRDATASET:
return ISC_TRUE;
case DNS_R_DELEGATION:
case DNS_R_CNAME:
case DNS_R_DNAME:
return ISC_FALSE;
default:
return ISC_FALSE; /* removes a warning */
}
}
static inline isc_boolean_t
{
}
#define allocbufferandrdata \
isc_buffer_t b; \
/*
* Signs a set. Goes through contortions to decide if each SIG should
* be dropped or retained, and then determines if any new SIGs need to
* be generated.
*/
static void
{
int i;
for (i = 0; i < 256; i++)
if (result == ISC_R_NOTFOUND) {
}
if (!nosigs) {
while (result == ISC_R_SUCCESS) {
/* sig is dropped and not replaced */
"invalid validity period\n",
}
{
/* sig is dropped and not replaced */
"private key not found\n",
}
"key not found\n",
if (!expired)
}
else if (issigningkey(key)) {
if (!expired &&
{
vbprintf(2,
"\tsig by %s/%s/%d retained\n",
}
else {
vbprintf(2,
"\tsig by %s/%s/%d dropped - "
"%s\n",
expired ? "expired" :
"failed to verify");
}
}
if (!expired &&
{
vbprintf(2,
"\tsig by %s/%s/%d retained\n",
}
else {
vbprintf(2,
"\tsig by %s/%s/%d dropped - ",
"%s\n",
expired ? "expired" :
"failed to verify");
}
}
else if (!expired) {
}
else {
}
if (keep) {
&sig, &b);
}
else if (resign) {
}
}
if (result == DNS_R_NOMORE)
}
for (i = 0; i < 256; i++)
if (wassignedby[i] != 0) {
break;
}
{
}
}
else
0, NULL);
if (result == DNS_R_UNCHANGED)
}
else if (!nosigs) {
#if 0
/*
* If this is compiled in, running a signed set through the
* signer with no private keys causes DNS_R_BADDB to occur
* later. This is bad.
*/
if (result == ISC_R_NOTFOUND)
#endif
}
}
}
}
/* Determine if a KEY set contains a null key */
static isc_boolean_t
while (result == ISC_R_SUCCESS) {
return (ISC_TRUE);
}
if (result != DNS_R_NOMORE)
return (ISC_FALSE);
}
/*
* Signs all records at a name. This mostly just signs each set individually,
* but also handles exceptional cases and adds the SIG bit to any NXTs
* generated earlier.
*/
static void
{
if (!atorigin) {
dns_rdatatype_ns, 0, 0, &nsset,
NULL);
/* Is this a delegation point? */
if (result == ISC_R_SUCCESS) {
}
}
while (result == ISC_R_SUCCESS) {
/* If this is a SIG set, skip it. */
goto skip;
/* If this is a KEY set at the apex, skip it. */
goto skip;
/*
* If this name is a delegation point, skip all records
* except a KEY set containing a NULL key or an NXT set.
*/
if (isdelegation) {
case dns_rdatatype_nxt:
break;
case dns_rdatatype_key:
if (hasnullkey(rdataset))
break;
goto skip;
default:
goto skip;
}
}
/*
* There probably should be a dns_nxtsetbit, but it can get
* complicated if we need to extend the length of the
* bit set. In this case, since the NXT bit is set and
* SIG < NXT, the easy way works.
*/
unsigned char *nxt_bits;
isc_region_t r, r2;
dns_rdata_toregion(&rdata, &r);
dns_name_fromregion(&nxtname, &r);
}
skip:
}
if (result != DNS_R_NOMORE)
fatal("rdataset iteration failed");
}
static inline isc_boolean_t
while (result == ISC_R_SUCCESS) {
if (!active)
else
}
if (result != DNS_R_NOMORE)
fatal("rdataset iteration failed");
if (!active) {
/*
* Make sure there is no NXT record for this node.
*/
dns_rdatatype_nxt, 0);
if (result == DNS_R_UNCHANGED)
}
return (active);
}
static inline isc_result_t
{
do {
if (result == ISC_R_SUCCESS) {
if (!active) {
}
}
return (result);
}
static inline isc_result_t
{
do {
if (result == ISC_R_SUCCESS) {
return (ISC_R_SUCCESS);
}
} while (result == ISC_R_SUCCESS);
return (result);
}
/*
* Generates NXTs and SIGs for each non-glue name in the zone.
*/
static void
lastcut);
while (result == ISC_R_SUCCESS) {
if (!atorigin) {
0, &rdsiter);
while (result == ISC_R_SUCCESS) {
break;
}
}
fatal("rdataset iteration failed");
if (result == ISC_R_SUCCESS) {
else {
sizeof(dns_name_t));
fatal("allocation failure");
}
}
}
if (result == ISC_R_SUCCESS)
if (result == ISC_R_SUCCESS)
else if (result == DNS_R_NOMORE)
else {
fatal("db iteration failed");
}
}
if (result != DNS_R_NOMORE)
fatal("db iteration failed");
}
}
static void
isc_buffer_t b, b2;
unsigned char namedata[1024];
int len;
isc_buffer_add(&b, len);
}
static void
}
/*
* Finds all public zone keys in the zone, and attempts to load the
* private keys from disk.
*/
static void
unsigned int nkeys, i;
if (result == ISC_R_NOTFOUND)
for (i = 0; i < nkeys; i++) {
}
}
static void
exit(-1);
}
}
static isc_stdtime_t
char *endp = "";
if (str[0] == '+') {
}
}
else {
}
if (*endp != '\0')
return ((isc_stdtime_t) val);
}
static void
usage() {
"(zonefile + .signed)\n");
exit(0);
}
int
int i, ch;
char *endp;
{
switch (ch) {
case 's':
break;
case 'e':
break;
case 'c':
if (*endp != '\0')
break;
case 'v':
if (*endp != '\0')
break;
case 'o':
break;
case 'f':
break;
case 'h':
default:
usage();
}
}
}
else
}
else
if (cycle == -1) {
}
if (verbose > 0) {
}
if (argc < 1)
usage();
argc -= 1;
argv += 1;
}
}
if (argc == 0) {
}
}
else {
for (i = 0; i < argc; i++) {
*algstr++ = 0;
if (s != NULL) {
*s++ = 0;
algstr = s;
}
}
if (*endp != '\0')
if (*endp != '\0')
}
else
alg = 0;
{
if (!dst_key_isprivate(dkey))
"key specify");
if (alg == 0)
break;
}
}
"isc_mem_get");
}
else
printf("Ignoring key with algorithm 0\n");
}
}
/* should we update the SOA serial? */
dns_db_detach(&db);
}
/* isc_mem_stats(mctx, stdout);*/
return (0);
}