823N/A

823N/A

823N/A

823N/A#include <config.h>

823N/A

823N/A#include <stdlib.h>

823N/A

823N/A#include <isc/buffer.h>

823N/A#include <isc/dir.h>

823N/A#include <isc/entropy.h>

823N/A#include <isc/fsaccess.h>

823N/A#include <isc/hmacsha.h>

823N/A#include <isc/lex.h>

823N/A#include <isc/mem.h>

823N/A#include <isc/once.h>

897N/A#include <isc/print.h>

823N/A#include <isc/random.h>

823N/A#include <isc/string.h>

823N/A#include <isc/time.h>

823N/A#include <isc/util.h>

823N/A

823N/A#include <dns/fixedname.h>

823N/A#include <dns/keyvalues.h>

823N/A#include <dns/name.h>

823N/A#include <dns/rdata.h>

823N/A#include <dns/rdataclass.h>

823N/A#include <dns/ttl.h>

823N/A#include <dns/types.h>

823N/A

823N/A#include <dst/result.h>

823N/A

823N/A#include "dst_internal.h"

823N/A

823N/A#define DST_AS_STR(t) ((t).value.as_textregion.base)

823N/A

823N/Astatic dst_func_t *dst_t_func[DST_MAX_ALGS];

823N/A#ifdef BIND9

823N/Astatic isc_entropy_t *dst_entropy_pool = NULL;

823N/A#endif

823N/Astatic unsigned int dst_entropy_flags = 0;

823N/Astatic isc_boolean_t dst_initialized = ISC_FALSE;

823N/A

823N/Avoid gss_log(int level, const char *fmt, ...) ISC_FORMAT_PRINTF(2, 3);

823N/A

823N/Aisc_mem_t *dst__memory_pool = NULL;

823N/A

823N/Astatic dst_key_t * get_key_struct(dns_name_t *name,

823N/A unsigned int alg,

823N/A unsigned int flags,

823N/A unsigned int protocol,

823N/A unsigned int bits,

823N/A dns_rdataclass_t rdclass,

823N/A isc_mem_t *mctx);

static isc_result_t write_public_key(const dst_key_t *key, int type,

const char *directory);

static isc_result_t buildfilename(dns_name_t *name,

dns_keytag_t id,

unsigned int alg,

unsigned int type,

const char *directory,

isc_buffer_t *out);

static isc_result_t computeid(dst_key_t *key);

static isc_result_t frombuffer(dns_name_t *name,

unsigned int alg,

unsigned int flags,

unsigned int protocol,

dns_rdataclass_t rdclass,

isc_buffer_t *source,

isc_mem_t *mctx,

dst_key_t **keyp);

static isc_result_t algorithm_status(unsigned int alg);

static isc_result_t addsuffix(char *filename, int len,

const char *dirname, const char *ofilename,

const char *suffix);

#define RETERR(x) \

do { \

result = (x); \

if (result != ISC_R_SUCCESS) \

goto out; \

} while (0)

#define CHECKALG(alg) \

do { \

isc_result_t _r; \

_r = algorithm_status(alg); \

if (_r != ISC_R_SUCCESS) \

return (_r); \

} while (0); \

#if defined(OPENSSL) && defined(BIND9)

static void *

default_memalloc(void *arg, size_t size) {

UNUSED(arg);

if (size == 0U)

size = 1;

return (malloc(size));

}

static void

default_memfree(void *arg, void *ptr) {

UNUSED(arg);

free(ptr);

}

#endif

dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags) {

return (dst_lib_init2(mctx, ectx, NULL, eflags));

}

dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,

const char *engine, unsigned int eflags) {

isc_result_t result;

REQUIRE(mctx != NULL);

#ifdef BIND9

REQUIRE(ectx != NULL);

#else

UNUSED(ectx);

#endif

REQUIRE(dst_initialized == ISC_FALSE);

dst__memory_pool = NULL;

#if defined(OPENSSL) && defined(BIND9)

UNUSED(mctx);

/*

result = isc_mem_createx2(0, 0, default_memalloc, default_memfree,

NULL, &dst__memory_pool, 0);

if (result != ISC_R_SUCCESS)

return (result);

isc_mem_setname(dst__memory_pool, "dst", NULL);

#ifndef OPENSSL_LEAKS

isc_mem_setdestroycheck(dst__memory_pool, ISC_FALSE);

#endif

#else

isc_mem_attach(mctx, &dst__memory_pool);

#endif

#ifdef BIND9

isc_entropy_attach(ectx, &dst_entropy_pool);

#endif

dst_entropy_flags = eflags;

dst_result_register();

memset(dst_t_func, 0, sizeof(dst_t_func));

RETERR(dst__hmacmd5_init(&dst_t_func[DST_ALG_HMACMD5]));

RETERR(dst__hmacsha1_init(&dst_t_func[DST_ALG_HMACSHA1]));

RETERR(dst__hmacsha224_init(&dst_t_func[DST_ALG_HMACSHA224]));

RETERR(dst__hmacsha256_init(&dst_t_func[DST_ALG_HMACSHA256]));

RETERR(dst__hmacsha384_init(&dst_t_func[DST_ALG_HMACSHA384]));

RETERR(dst__hmacsha512_init(&dst_t_func[DST_ALG_HMACSHA512]));

#ifdef OPENSSL

RETERR(dst__openssl_init(engine));

RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSAMD5]));

RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA1]));

RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1]));

#ifdef HAVE_OPENSSL_DSA

RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_DSA]));

RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_NSEC3DSA]));

#endif

RETERR(dst__openssldh_init(&dst_t_func[DST_ALG_DH]));

#endif /* OPENSSL */

#ifdef GSSAPI

RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI]));

#endif

dst_initialized = ISC_TRUE;

return (ISC_R_SUCCESS);

out:

/* avoid immediate crash! */

dst_initialized = ISC_TRUE;

dst_lib_destroy();

return (result);

}

dst_lib_destroy(void) {

int i;

RUNTIME_CHECK(dst_initialized == ISC_TRUE);

dst_initialized = ISC_FALSE;

for (i = 0; i < DST_MAX_ALGS; i++)

if (dst_t_func[i] != NULL && dst_t_func[i]->cleanup != NULL)

dst_t_func[i]->cleanup();

#ifdef OPENSSL

dst__openssl_destroy();

#endif

if (dst__memory_pool != NULL)

isc_mem_detach(&dst__memory_pool);

#ifdef BIND9

if (dst_entropy_pool != NULL)

isc_entropy_detach(&dst_entropy_pool);

#endif

}

dst_algorithm_supported(unsigned int alg) {

REQUIRE(dst_initialized == ISC_TRUE);

if (alg >= DST_MAX_ALGS || dst_t_func[alg] == NULL)

return (ISC_FALSE);

return (ISC_TRUE);

}

dst_context_create(dst_key_t *key, isc_mem_t *mctx, dst_context_t **dctxp) {

dst_context_t *dctx;

isc_result_t result;

REQUIRE(dst_initialized == ISC_TRUE);

REQUIRE(VALID_KEY(key));

REQUIRE(mctx != NULL);

REQUIRE(dctxp != NULL && *dctxp == NULL);

if (key->func->createctx == NULL)

return (DST_R_UNSUPPORTEDALG);

if (key->keydata.generic == NULL)

return (DST_R_NULLKEY);

dctx = isc_mem_get(mctx, sizeof(dst_context_t));

if (dctx == NULL)

return (ISC_R_NOMEMORY);

dctx->key = key;

dctx->mctx = mctx;

result = key->func->createctx(key, dctx);

if (result != ISC_R_SUCCESS) {

isc_mem_put(mctx, dctx, sizeof(dst_context_t));

return (result);

}

dctx->magic = CTX_MAGIC;

*dctxp = dctx;

return (ISC_R_SUCCESS);

}

dst_context_destroy(dst_context_t **dctxp) {

dst_context_t *dctx;

REQUIRE(dctxp != NULL && VALID_CTX(*dctxp));

dctx = *dctxp;

INSIST(dctx->key->func->destroyctx != NULL);

dctx->key->func->destroyctx(dctx);

dctx->magic = 0;

isc_mem_put(dctx->mctx, dctx, sizeof(dst_context_t));

*dctxp = NULL;

}

dst_context_adddata(dst_context_t *dctx, const isc_region_t *data) {

REQUIRE(VALID_CTX(dctx));

REQUIRE(data != NULL);

INSIST(dctx->key->func->adddata != NULL);

return (dctx->key->func->adddata(dctx, data));

}

dst_context_sign(dst_context_t *dctx, isc_buffer_t *sig) {

dst_key_t *key;

REQUIRE(VALID_CTX(dctx));

REQUIRE(sig != NULL);

key = dctx->key;

CHECKALG(key->key_alg);

if (key->keydata.generic == NULL)

return (DST_R_NULLKEY);

if (key->func->sign == NULL)

return (DST_R_NOTPRIVATEKEY);

if (key->func->isprivate == NULL ||

key->func->isprivate(key) == ISC_FALSE)

return (DST_R_NOTPRIVATEKEY);

return (key->func->sign(dctx, sig));

}

dst_context_verify(dst_context_t *dctx, isc_region_t *sig) {

REQUIRE(VALID_CTX(dctx));

REQUIRE(sig != NULL);

CHECKALG(dctx->key->key_alg);

if (dctx->key->keydata.generic == NULL)

return (DST_R_NULLKEY);

if (dctx->key->func->verify == NULL)

return (DST_R_NOTPUBLICKEY);

return (dctx->key->func->verify(dctx, sig));

}

dst_key_computesecret(const dst_key_t *pub, const dst_key_t *priv,

isc_buffer_t *secret)

{

REQUIRE(dst_initialized == ISC_TRUE);

REQUIRE(VALID_KEY(pub) && VALID_KEY(priv));

REQUIRE(secret != NULL);

CHECKALG(pub->key_alg);

CHECKALG(priv->key_alg);

if (pub->keydata.generic == NULL || priv->keydata.generic == NULL)

return (DST_R_NULLKEY);

if (pub->key_alg != priv->key_alg ||

pub->func->computesecret == NULL ||

priv->func->computesecret == NULL)

return (DST_R_KEYCANNOTCOMPUTESECRET);

if (dst_key_isprivate(priv) == ISC_FALSE)

return (DST_R_NOTPRIVATEKEY);

return (pub->func->computesecret(pub, priv, secret));

}

dst_key_tofile(const dst_key_t *key, int type, const char *directory) {

isc_result_t ret = ISC_R_SUCCESS;

REQUIRE(dst_initialized == ISC_TRUE);

REQUIRE(VALID_KEY(key));

REQUIRE((type & (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC)) != 0);

CHECKALG(key->key_alg);

if (key->func->tofile == NULL)

return (DST_R_UNSUPPORTEDALG);

if (type & DST_TYPE_PUBLIC) {

ret = write_public_key(key, type, directory);

if (ret != ISC_R_SUCCESS)

return (ret);

}

if ((type & DST_TYPE_PRIVATE) &&

(key->key_flags & DNS_KEYFLAG_TYPEMASK) != DNS_KEYTYPE_NOKEY)

return (key->func->tofile(key, directory));

else

return (ISC_R_SUCCESS);

}

dst_key_fromfile(dns_name_t *name, dns_keytag_t id,

unsigned int alg, int type, const char *directory,

isc_mem_t *mctx, dst_key_t **keyp)

{

char filename[ISC_DIR_NAMEMAX];

isc_buffer_t b;

dst_key_t *key;

isc_result_t result;

REQUIRE(dst_initialized == ISC_TRUE);

REQUIRE(dns_name_isabsolute(name));

REQUIRE((type & (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC)) != 0);

REQUIRE(mctx != NULL);

REQUIRE(keyp != NULL && *keyp == NULL);

CHECKALG(alg);

isc_buffer_init(&b, filename, sizeof(filename));

result = buildfilename(name, id, alg, type, directory, &b);

if (result != ISC_R_SUCCESS)

return (result);

key = NULL;

result = dst_key_fromnamedfile(filename, NULL, type, mctx, &key);

if (result != ISC_R_SUCCESS)

return (result);

result = computeid(key);

if (result != ISC_R_SUCCESS) {

dst_key_free(&key);

return (result);

}

if (!dns_name_equal(name, key->key_name) || id != key->key_id ||

alg != key->key_alg) {

dst_key_free(&key);

return (DST_R_INVALIDPRIVATEKEY);

}

key->key_id = id;

*keyp = key;

return (ISC_R_SUCCESS);

}

dst_key_fromnamedfile(const char *filename, const char *dirname,

int type, isc_mem_t *mctx, dst_key_t **keyp)

{

isc_result_t result;

dst_key_t *pubkey = NULL, *key = NULL;

char *newfilename = NULL;

int newfilenamelen = 0;

isc_lex_t *lex = NULL;

REQUIRE(dst_initialized == ISC_TRUE);

REQUIRE(filename != NULL);

REQUIRE((type & (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC)) != 0);

REQUIRE(mctx != NULL);

REQUIRE(keyp != NULL && *keyp == NULL);

/* If an absolute path is specified, don't use the key directory */

#ifndef WIN32

if (filename[0] == '/')

dirname = NULL;

#else /* WIN32 */

if (filename[0] == '/' || filename[0] == '\\')

dirname = NULL;

#endif

newfilenamelen = strlen(filename) + 5;

if (dirname != NULL)

newfilenamelen += strlen(dirname) + 1;

newfilename = isc_mem_get(mctx, newfilenamelen);

if (newfilename == NULL)

return (ISC_R_NOMEMORY);

result = addsuffix(newfilename, newfilenamelen,

dirname, filename, ".key");

INSIST(result == ISC_R_SUCCESS);

result = dst_key_read_public(newfilename, type, mctx, &pubkey);

isc_mem_put(mctx, newfilename, newfilenamelen);

newfilename = NULL;

if (result != ISC_R_SUCCESS)

return (result);

if ((type & (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC)) == DST_TYPE_PUBLIC ||

(pubkey->key_flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY) {

result = computeid(pubkey);

if (result != ISC_R_SUCCESS) {

dst_key_free(&pubkey);

return (result);

}

*keyp = pubkey;

return (ISC_R_SUCCESS);

}

result = algorithm_status(pubkey->key_alg);

if (result != ISC_R_SUCCESS) {

dst_key_free(&pubkey);

return (result);

}

key = get_key_struct(pubkey->key_name, pubkey->key_alg,

pubkey->key_flags, pubkey->key_proto, 0,

pubkey->key_class, mctx);

if (key == NULL) {

dst_key_free(&pubkey);

return (ISC_R_NOMEMORY);

}

if (key->func->parse == NULL)

RETERR(DST_R_UNSUPPORTEDALG);

newfilenamelen = strlen(filename) + 9;

if (dirname != NULL)

newfilenamelen += strlen(dirname) + 1;

newfilename = isc_mem_get(mctx, newfilenamelen);

if (newfilename == NULL)

RETERR(ISC_R_NOMEMORY);

result = addsuffix(newfilename, newfilenamelen,

dirname, filename, ".private");

INSIST(result == ISC_R_SUCCESS);

RETERR(isc_lex_create(mctx, 1500, &lex));

RETERR(isc_lex_openfile(lex, newfilename));

isc_mem_put(mctx, newfilename, newfilenamelen);

RETERR(key->func->parse(key, lex, pubkey));

isc_lex_destroy(&lex);

RETERR(computeid(key));

if (pubkey->key_id != key->key_id)

RETERR(DST_R_INVALIDPRIVATEKEY);

dst_key_free(&pubkey);

*keyp = key;

return (ISC_R_SUCCESS);

out:

if (pubkey != NULL)

dst_key_free(&pubkey);

if (newfilename != NULL)

isc_mem_put(mctx, newfilename, newfilenamelen);

if (lex != NULL)

isc_lex_destroy(&lex);

dst_key_free(&key);

return (result);

}

dst_key_todns(const dst_key_t *key, isc_buffer_t *target) {

REQUIRE(dst_initialized == ISC_TRUE);

REQUIRE(VALID_KEY(key));

REQUIRE(target != NULL);

CHECKALG(key->key_alg);

if (key->func->todns == NULL)

return (DST_R_UNSUPPORTEDALG);

if (isc_buffer_availablelength(target) < 4)

return (ISC_R_NOSPACE);

isc_buffer_putuint16(target, (isc_uint16_t)(key->key_flags & 0xffff));

isc_buffer_putuint8(target, (isc_uint8_t)key->key_proto);

isc_buffer_putuint8(target, (isc_uint8_t)key->key_alg);

if (key->key_flags & DNS_KEYFLAG_EXTENDED) {

if (isc_buffer_availablelength(target) < 2)

return (ISC_R_NOSPACE);

isc_buffer_putuint16(target,

(isc_uint16_t)((key->key_flags >> 16)

& 0xffff));

}

if (key->keydata.generic == NULL) /*%< NULL KEY */

return (ISC_R_SUCCESS);

return (key->func->todns(key, target));

}

dst_key_fromdns(dns_name_t *name, dns_rdataclass_t rdclass,

isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp)

{

isc_uint8_t alg, proto;

isc_uint32_t flags, extflags;

dst_key_t *key = NULL;

dns_keytag_t id;

isc_region_t r;

isc_result_t result;

REQUIRE(dst_initialized);

isc_buffer_remainingregion(source, &r);

if (isc_buffer_remaininglength(source) < 4)

return (DST_R_INVALIDPUBLICKEY);

flags = isc_buffer_getuint16(source);

proto = isc_buffer_getuint8(source);

alg = isc_buffer_getuint8(source);

id = dst_region_computeid(&r, alg);

if (flags & DNS_KEYFLAG_EXTENDED) {

if (isc_buffer_remaininglength(source) < 2)

return (DST_R_INVALIDPUBLICKEY);

extflags = isc_buffer_getuint16(source);

flags |= (extflags << 16);

}

result = frombuffer(name, alg, flags, proto, rdclass, source,

mctx, &key);

if (result != ISC_R_SUCCESS)

return (result);

key->key_id = id;

*keyp = key;

return (ISC_R_SUCCESS);

}

dst_key_frombuffer(dns_name_t *name, unsigned int alg,

unsigned int flags, unsigned int protocol,

dns_rdataclass_t rdclass,

isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp)

{

dst_key_t *key = NULL;

isc_result_t result;

REQUIRE(dst_initialized);

result = frombuffer(name, alg, flags, protocol, rdclass, source,

mctx, &key);

if (result != ISC_R_SUCCESS)

return (result);

result = computeid(key);

if (result != ISC_R_SUCCESS) {

dst_key_free(&key);

return (result);

}

*keyp = key;

return (ISC_R_SUCCESS);

}

dst_key_tobuffer(const dst_key_t *key, isc_buffer_t *target) {

REQUIRE(dst_initialized == ISC_TRUE);

REQUIRE(VALID_KEY(key));

REQUIRE(target != NULL);

CHECKALG(key->key_alg);

if (key->func->todns == NULL)

return (DST_R_UNSUPPORTEDALG);

return (key->func->todns(key, target));

}

dst_key_privatefrombuffer(dst_key_t *key, isc_buffer_t *buffer) {

isc_lex_t *lex = NULL;

isc_result_t result = ISC_R_SUCCESS;

REQUIRE(dst_initialized == ISC_TRUE);

REQUIRE(VALID_KEY(key));

REQUIRE(!dst_key_isprivate(key));

REQUIRE(buffer != NULL);

if (key->func->parse == NULL)

RETERR(DST_R_UNSUPPORTEDALG);

RETERR(isc_lex_create(key->mctx, 1500, &lex));

RETERR(isc_lex_openbuffer(lex, buffer));

RETERR(key->func->parse(key, lex, NULL));

out:

if (lex != NULL)

isc_lex_destroy(&lex);

return (result);

}

dst_key_getgssctx(const dst_key_t *key)

{

REQUIRE(key != NULL);

return (key->keydata.gssctx);

}

dst_key_fromgssapi(dns_name_t *name, gss_ctx_id_t gssctx, isc_mem_t *mctx,

dst_key_t **keyp)

{

dst_key_t *key;

REQUIRE(gssctx != NULL);

REQUIRE(keyp != NULL && *keyp == NULL);

key = get_key_struct(name, DST_ALG_GSSAPI, 0, DNS_KEYPROTO_DNSSEC,

0, dns_rdataclass_in, mctx);

if (key == NULL)

return (ISC_R_NOMEMORY);

key->keydata.gssctx = gssctx;

*keyp = key;

return (ISC_R_SUCCESS);

}

dst_key_fromlabel(dns_name_t *name, int alg, unsigned int flags,

unsigned int protocol, dns_rdataclass_t rdclass,

const char *engine, const char *label, const char *pin,

isc_mem_t *mctx, dst_key_t **keyp)

{

dst_key_t *key;

isc_result_t result;

REQUIRE(dst_initialized == ISC_TRUE);

REQUIRE(dns_name_isabsolute(name));

REQUIRE(mctx != NULL);

REQUIRE(keyp != NULL && *keyp == NULL);

REQUIRE(label != NULL);

CHECKALG(alg);

key = get_key_struct(name, alg, flags, protocol, 0, rdclass, mctx);

if (key == NULL)

return (ISC_R_NOMEMORY);

if (key->func->fromlabel == NULL) {

dst_key_free(&key);

return (DST_R_UNSUPPORTEDALG);

}

result = key->func->fromlabel(key, engine, label, pin);

if (result != ISC_R_SUCCESS) {

dst_key_free(&key);

return (result);

}

result = computeid(key);

if (result != ISC_R_SUCCESS) {

dst_key_free(&key);

return (result);

}

*keyp = key;

return (ISC_R_SUCCESS);

}

dst_key_generate(dns_name_t *name, unsigned int alg,

unsigned int bits, unsigned int param,

unsigned int flags, unsigned int protocol,

dns_rdataclass_t rdclass,

isc_mem_t *mctx, dst_key_t **keyp)

{

dst_key_t *key;

isc_result_t ret;

REQUIRE(dst_initialized == ISC_TRUE);

REQUIRE(dns_name_isabsolute(name));

REQUIRE(mctx != NULL);

REQUIRE(keyp != NULL && *keyp == NULL);

CHECKALG(alg);

key = get_key_struct(name, alg, flags, protocol, bits, rdclass, mctx);

if (key == NULL)

return (ISC_R_NOMEMORY);

if (bits == 0) { /*%< NULL KEY */

key->key_flags |= DNS_KEYTYPE_NOKEY;

*keyp = key;

return (ISC_R_SUCCESS);

}

if (key->func->generate == NULL) {

dst_key_free(&key);

return (DST_R_UNSUPPORTEDALG);

}

ret = key->func->generate(key, param);

if (ret != ISC_R_SUCCESS) {

dst_key_free(&key);

return (ret);

}

ret = computeid(key);

if (ret != ISC_R_SUCCESS) {

dst_key_free(&key);

return (ret);

}

*keyp = key;

return (ISC_R_SUCCESS);

}

dst_key_getnum(const dst_key_t *key, int type, isc_uint32_t *valuep)

{

REQUIRE(VALID_KEY(key));

REQUIRE(valuep != NULL);

REQUIRE(type <= DST_MAX_NUMERIC);

if (!key->numset[type])

return (ISC_R_NOTFOUND);

*valuep = key->nums[type];

return (ISC_R_SUCCESS);

}

dst_key_setnum(dst_key_t *key, int type, isc_uint32_t value)

{

REQUIRE(VALID_KEY(key));

REQUIRE(type <= DST_MAX_NUMERIC);

key->nums[type] = value;

key->numset[type] = ISC_TRUE;

}

dst_key_unsetnum(dst_key_t *key, int type)

{

REQUIRE(VALID_KEY(key));

REQUIRE(type <= DST_MAX_NUMERIC);

key->numset[type] = ISC_FALSE;

}

dst_key_gettime(const dst_key_t *key, int type, isc_stdtime_t *timep) {

REQUIRE(VALID_KEY(key));

REQUIRE(timep != NULL);

REQUIRE(type <= DST_MAX_TIMES);

if (!key->timeset[type])

return (ISC_R_NOTFOUND);

*timep = key->times[type];

return (ISC_R_SUCCESS);

}

dst_key_settime(dst_key_t *key, int type, isc_stdtime_t when) {

REQUIRE(VALID_KEY(key));

REQUIRE(type <= DST_MAX_TIMES);

key->times[type] = when;

key->timeset[type] = ISC_TRUE;

}

dst_key_unsettime(dst_key_t *key, int type) {

REQUIRE(VALID_KEY(key));

REQUIRE(type <= DST_MAX_TIMES);

key->timeset[type] = ISC_FALSE;

}

dst_key_getprivateformat(const dst_key_t *key, int *majorp, int *minorp) {

REQUIRE(VALID_KEY(key));

REQUIRE(majorp != NULL);

REQUIRE(minorp != NULL);

*majorp = key->fmt_major;

*minorp = key->fmt_minor;

return (ISC_R_SUCCESS);

}

dst_key_setprivateformat(dst_key_t *key, int major, int minor) {

REQUIRE(VALID_KEY(key));

key->fmt_major = major;

key->fmt_minor = minor;

}

static isc_boolean_t

comparekeys(const dst_key_t *key1, const dst_key_t *key2,

isc_boolean_t match_revoked_key,

isc_boolean_t (*compare)(const dst_key_t *key1,

const dst_key_t *key2))

{

REQUIRE(dst_initialized == ISC_TRUE);

REQUIRE(VALID_KEY(key1));

REQUIRE(VALID_KEY(key2));

if (key1 == key2)

return (ISC_TRUE);

if (key1 == NULL || key2 == NULL)

return (ISC_FALSE);

if (key1->key_alg != key2->key_alg)

return (ISC_FALSE);

/*

if (key1->key_id != key2->key_id) {

if (!match_revoked_key)

return (ISC_FALSE);

if (key1->key_alg == DST_ALG_RSAMD5)

return (ISC_FALSE);

if ((key1->key_flags & DNS_KEYFLAG_REVOKE) ==

(key2->key_flags & DNS_KEYFLAG_REVOKE))

return (ISC_FALSE);

if ((key1->key_flags & DNS_KEYFLAG_REVOKE) != 0 &&

key1->key_id != ((key2->key_id + 128) & 0xffff))

return (ISC_FALSE);

if ((key2->key_flags & DNS_KEYFLAG_REVOKE) != 0 &&

key2->key_id != ((key1->key_id + 128) & 0xffff))

return (ISC_FALSE);

}

if (compare != NULL)

return (compare(key1, key2));

else

return (ISC_FALSE);

}

static isc_boolean_t

pub_compare(const dst_key_t *key1, const dst_key_t *key2) {

isc_result_t result;

unsigned char buf1[DST_KEY_MAXSIZE], buf2[DST_KEY_MAXSIZE];

isc_buffer_t b1, b2;

isc_region_t r1, r2;

isc_buffer_init(&b1, buf1, sizeof(buf1));

result = dst_key_todns(key1, &b1);

if (result != ISC_R_SUCCESS)

return (ISC_FALSE);

/* Zero out flags. */

buf1[0] = buf1[1] = 0;

isc_buffer_init(&b2, buf2, sizeof(buf2));

result = dst_key_todns(key2, &b2);

if (result != ISC_R_SUCCESS)

return (ISC_FALSE);

/* Zero out flags. */

buf2[0] = buf2[1] = 0;

isc_buffer_usedregion(&b1, &r1);

isc_buffer_usedregion(&b2, &r2);

return (ISC_TF(isc_region_compare(&r1, &r2) == 0));

}

dst_key_compare(const dst_key_t *key1, const dst_key_t *key2) {

return (comparekeys(key1, key2, ISC_FALSE, key1->func->compare));

}

dst_key_pubcompare(const dst_key_t *key1, const dst_key_t *key2,

isc_boolean_t match_revoked_key)

{

return (comparekeys(key1, key2, match_revoked_key, pub_compare));

}

dst_key_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {

REQUIRE(dst_initialized == ISC_TRUE);

REQUIRE(VALID_KEY(key1));

REQUIRE(VALID_KEY(key2));

if (key1 == key2)

return (ISC_TRUE);

if (key1 == NULL || key2 == NULL)

return (ISC_FALSE);

if (key1->key_alg == key2->key_alg &&

key1->func->paramcompare != NULL &&

key1->func->paramcompare(key1, key2) == ISC_TRUE)

return (ISC_TRUE);

else

return (ISC_FALSE);

}

dst_key_free(dst_key_t **keyp) {

isc_mem_t *mctx;

dst_key_t *key;

REQUIRE(dst_initialized == ISC_TRUE);

REQUIRE(keyp != NULL && VALID_KEY(*keyp));

key = *keyp;

mctx = key->mctx;

if (key->keydata.generic != NULL) {

INSIST(key->func->destroy != NULL);

key->func->destroy(key);

}

if (key->engine != NULL)

isc_mem_free(mctx, key->engine);

if (key->label != NULL)

isc_mem_free(mctx, key->label);

dns_name_free(key->key_name, mctx);

isc_mem_put(mctx, key->key_name, sizeof(dns_name_t));

memset(key, 0, sizeof(dst_key_t));

isc_mem_put(mctx, key, sizeof(dst_key_t));

*keyp = NULL;

}

dst_key_isprivate(const dst_key_t *key) {

REQUIRE(VALID_KEY(key));

INSIST(key->func->isprivate != NULL);

return (key->func->isprivate(key));

}

dst_key_buildfilename(const dst_key_t *key, int type,

const char *directory, isc_buffer_t *out) {

REQUIRE(VALID_KEY(key));

REQUIRE(type == DST_TYPE_PRIVATE || type == DST_TYPE_PUBLIC ||

type == 0);

return (buildfilename(key->key_name, key->key_id, key->key_alg,

type, directory, out));

}

dst_key_sigsize(const dst_key_t *key, unsigned int *n) {

REQUIRE(dst_initialized == ISC_TRUE);

REQUIRE(VALID_KEY(key));

REQUIRE(n != NULL);

/* XXXVIX this switch statement is too sparse to gen a jump table. */

switch (key->key_alg) {

case DST_ALG_RSAMD5:

case DST_ALG_RSASHA1:

case DST_ALG_NSEC3RSASHA1:

*n = (key->key_size + 7) / 8;

break;

case DST_ALG_DSA:

case DST_ALG_NSEC3DSA:

*n = DNS_SIG_DSASIGSIZE;

break;

case DST_ALG_HMACMD5:

*n = 16;

break;

case DST_ALG_HMACSHA1:

*n = ISC_SHA1_DIGESTLENGTH;

break;

case DST_ALG_HMACSHA224:

*n = ISC_SHA224_DIGESTLENGTH;

break;

case DST_ALG_HMACSHA256:

*n = ISC_SHA256_DIGESTLENGTH;

break;

case DST_ALG_HMACSHA384:

*n = ISC_SHA384_DIGESTLENGTH;

break;

case DST_ALG_HMACSHA512:

*n = ISC_SHA512_DIGESTLENGTH;

break;

case DST_ALG_GSSAPI:

*n = 128; /*%< XXX */

break;

case DST_ALG_DH:

default:

return (DST_R_UNSUPPORTEDALG);

}

return (ISC_R_SUCCESS);

}

dst_key_secretsize(const dst_key_t *key, unsigned int *n) {

REQUIRE(dst_initialized == ISC_TRUE);

REQUIRE(VALID_KEY(key));

REQUIRE(n != NULL);

if (key->key_alg == DST_ALG_DH)

*n = (key->key_size + 7) / 8;

else

return (DST_R_UNSUPPORTEDALG);

return (ISC_R_SUCCESS);

}

static dst_key_t *

get_key_struct(dns_name_t *name, unsigned int alg,

unsigned int flags, unsigned int protocol,

unsigned int bits, dns_rdataclass_t rdclass,

isc_mem_t *mctx)

{

dst_key_t *key;

isc_result_t result;

int i;

key = (dst_key_t *) isc_mem_get(mctx, sizeof(dst_key_t));

if (key == NULL)

return (NULL);

memset(key, 0, sizeof(dst_key_t));

key->magic = KEY_MAGIC;

key->key_name = isc_mem_get(mctx, sizeof(dns_name_t));

if (key->key_name == NULL) {

isc_mem_put(mctx, key, sizeof(dst_key_t));

return (NULL);

}

dns_name_init(key->key_name, NULL);

result = dns_name_dup(name, mctx, key->key_name);

if (result != ISC_R_SUCCESS) {

isc_mem_put(mctx, key->key_name, sizeof(dns_name_t));

isc_mem_put(mctx, key, sizeof(dst_key_t));

return (NULL);

}

key->key_alg = alg;

key->key_flags = flags;

key->key_proto = protocol;

key->mctx = mctx;

key->keydata.generic = NULL;

key->key_size = bits;

key->key_class = rdclass;

key->func = dst_t_func[alg];

key->fmt_major = 0;

key->fmt_minor = 0;

for (i = 0; i < (DST_MAX_TIMES + 1); i++) {

key->times[i] = 0;

key->timeset[i] = ISC_FALSE;

}

return (key);

}

dst_key_read_public(const char *filename, int type,

isc_mem_t *mctx, dst_key_t **keyp)

{

u_char rdatabuf[DST_KEY_MAXSIZE];

isc_buffer_t b;

dns_fixedname_t name;

isc_lex_t *lex = NULL;

isc_token_t token;

isc_result_t ret;

dns_rdata_t rdata = DNS_RDATA_INIT;

unsigned int opt = ISC_LEXOPT_DNSMULTILINE;

dns_rdataclass_t rdclass = dns_rdataclass_in;

isc_lexspecials_t specials;

isc_uint32_t ttl;

isc_result_t result;

dns_rdatatype_t keytype;

/*

/* 1500 should be large enough for any key */

ret = isc_lex_create(mctx, 1500, &lex);

if (ret != ISC_R_SUCCESS)

goto cleanup;

memset(specials, 0, sizeof(specials));

specials['('] = 1;

specials[')'] = 1;

specials['"'] = 1;

isc_lex_setspecials(lex, specials);

isc_lex_setcomments(lex, ISC_LEXCOMMENT_DNSMASTERFILE);

ret = isc_lex_openfile(lex, filename);

if (ret != ISC_R_SUCCESS)

goto cleanup;

#define NEXTTOKEN(lex, opt, token) { \

ret = isc_lex_gettoken(lex, opt, token); \

if (ret != ISC_R_SUCCESS) \

goto cleanup; \

}

#define BADTOKEN() { \

ret = ISC_R_UNEXPECTEDTOKEN; \

goto cleanup; \

}

/* Read the domain name */

NEXTTOKEN(lex, opt, &token);

if (token.type != isc_tokentype_string)

BADTOKEN();

/*

if (!strcmp(DST_AS_STR(token), "@"))

BADTOKEN();

dns_fixedname_init(&name);

isc_buffer_init(&b, DST_AS_STR(token), strlen(DST_AS_STR(token)));

isc_buffer_add(&b, strlen(DST_AS_STR(token)));

ret = dns_name_fromtext(dns_fixedname_name(&name), &b, dns_rootname,

0, NULL);

if (ret != ISC_R_SUCCESS)

goto cleanup;

/* Read the next word: either TTL, class, or 'KEY' */

NEXTTOKEN(lex, opt, &token);

if (token.type != isc_tokentype_string)

BADTOKEN();

/* If it's a TTL, read the next one */

result = dns_ttl_fromtext(&token.value.as_textregion, &ttl);

if (result == ISC_R_SUCCESS)

NEXTTOKEN(lex, opt, &token);

if (token.type != isc_tokentype_string)

BADTOKEN();

ret = dns_rdataclass_fromtext(&rdclass, &token.value.as_textregion);

if (ret == ISC_R_SUCCESS)

NEXTTOKEN(lex, opt, &token);

if (token.type != isc_tokentype_string)

BADTOKEN();

if (strcasecmp(DST_AS_STR(token), "DNSKEY") == 0)

keytype = dns_rdatatype_dnskey;

else if (strcasecmp(DST_AS_STR(token), "KEY") == 0)

keytype = dns_rdatatype_key; /*%< SIG(0), TKEY */

else

BADTOKEN();

if (((type & DST_TYPE_KEY) != 0 && keytype != dns_rdatatype_key) ||

((type & DST_TYPE_KEY) == 0 && keytype != dns_rdatatype_dnskey)) {

ret = DST_R_BADKEYTYPE;

goto cleanup;

}

isc_buffer_init(&b, rdatabuf, sizeof(rdatabuf));

ret = dns_rdata_fromtext(&rdata, rdclass, keytype, lex, NULL,

ISC_FALSE, mctx, &b, NULL);

if (ret != ISC_R_SUCCESS)

goto cleanup;

ret = dst_key_fromdns(dns_fixedname_name(&name), rdclass, &b, mctx,

keyp);

if (ret != ISC_R_SUCCESS)

goto cleanup;

cleanup:

if (lex != NULL)

isc_lex_destroy(&lex);

return (ret);

}

dst_key_setflags(dst_key_t *key, isc_uint32_t flags) {