* Copyright (c) 2020 Peter J. Philipp
* All rights reserved.
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. The name of the author may not be used to endorse or promote products
* derived from this software without specific prior written permission
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#include <sys/param.h> /* for MIN() */
#include <sys/time.h>
#include <sys/stat.h>
#include <sys/uio.h>
#include <sys/socket.h>

#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <stdarg.h>
#include <string.h>
#include <unistd.h>
#include <syslog.h>
#include <fcntl.h>
#include <ctype.h>
#include <errno.h>	/* errno/ENOENT are used below; was only reached transitively */
#include <limits.h>	/* INT_MAX etc. for strict option range checks */
#include <time.h>	/* time()/localtime()/strftime() in signmain() */

#ifdef __linux__
#include <grp.h>
#define __USE_BSD 1
#include <endian.h>
#include <bsd/stdlib.h>
#include <bsd/string.h>
#include <bsd/unistd.h>
#include <bsd/sys/queue.h>
#define __unused
#include <bsd/sys/tree.h>
#include <bsd/sys/endian.h>
#include "imsg.h"
#else /* not linux */
#include <sys/queue.h>
#include <sys/tree.h>
#ifdef __FreeBSD__
#include "imsg.h"
#else
#include <imsg.h>
#endif /* __FreeBSD__ */
#endif /* __linux__ */

#ifndef NTOHS
#include "endian.h"
#endif

#include <openssl/bn.h>
#include <openssl/obj_mac.h>
#include <openssl/rsa.h>
#include <openssl/err.h>
#include <openssl/sha.h>
#include <openssl/ec.h>
#include <openssl/ecdsa.h>

#include <openssl/evp.h>
#include <openssl/hmac.h>

#include "ddd-dns.h"
#include "ddd-db.h"
#include "ddd-config.h"
/* Every key named on the command line or generated in this run, newest first. */
SLIST_HEAD(, keysentry) keyshead;

/*
 * One KSK or ZSK known to the signer.  signmain() allocates these; the
 * DNSKEY fields are copied from what key2zone() reads out of the key file,
 * the private key is loaded by store_private_key() and released by
 * free_private_key() after the RRSIGs have been computed.
 */
static struct keysentry {
	char *keyname;		/* key file name (strdup'd from -k/-z, or from create_key()) */
	uint32_t pid;		/* key identifier; -S <pid> selects the signing key in a 3-key rollover */
	int sign;		/* 1 if this key signs in this run, 0 otherwise */
	int type;		/* KEYTYPE_KSK or KEYTYPE_ZSK */

	/* key material in this struct */
	char *key;		/* public key text as read from the key file (strdup'd) */
	char *zone;		/* owner name of the DNSKEY (strdup'd) */
	uint32_t ttl;
	uint16_t flags;		/* DNSKEY flags; keys are generated with 257 (KSK) / 256 (ZSK) */
	uint8_t protocol;
	uint8_t algorithm;	/* DNSKEY algorithm number, see ALGORITHM_* below */
	int keyid;

	/*
	 * private key RSA -- named after the PKCS#1 parameters n, e, d, p, q,
	 * dP, dQ, qInv.  Sensitive: stays in process memory until
	 * free_private_key().  NOTE(review): confirm that free uses
	 * BN_clear_free() so the factors are wiped and not just released.
	 */
	BIGNUM *rsan;
	BIGNUM *rsae;
	BIGNUM *rsad;
	BIGNUM *rsap;
	BIGNUM *rsaq;
	BIGNUM *rsadmp1;
	BIGNUM *rsadmq1;
	BIGNUM *rsaiqmp;

	/* private key Elliptic Curve */

	BIGNUM *ecprivate;	/* EC private scalar; same wiping caveat as the RSA fields */

	SLIST_ENTRY(keysentry) keys_entry;
} *kn, *knp;			/* kn: entry being built; knp: list iterator */
/*
 * RRSIG inception/expiration for the current signing run.  Not assigned in
 * the part of the file reviewed here; presumably derived from the -e expiry
 * and the current time inside calculate_rrsigs() -- TODO confirm.
 */
u_int64_t expiredon, signedon;

/* prototypes */

/* signing passes, run by signmain() in this order */
int add_dnskey(ddDB *);
/*
 * NOTE(review): key2zone()/parse_keyfile() receive the key output buffer
 * without a length (signmain() hands them a 4096-byte array), while get_key()
 * takes one.  The key file is input the tool does not control, so the bound
 * has to be enforced inside those two -- verify.
 */
char * parse_keyfile(int, uint32_t *, uint16_t *, uint8_t *, uint8_t *, char *, int *);
char * key2zone(char *, uint32_t *, uint16_t *, uint8_t *, uint8_t *, char *, int *);
char * get_key(struct keysentry *,uint32_t *, uint16_t *, uint8_t *, uint8_t *, char *, int, int *);

/* key generation (-K/-Z); the uint32_t out-parameter receives the new pid */
char * create_key(char *, int, int, int, int, uint32_t *);
char * create_key_rsa(char *, int, int, int, int, uint32_t *);
char * create_key_ec(char *, int, int, int, int, uint32_t *);
int create_key_ec_getpid(EC_KEY *, EC_GROUP *, EC_POINT *, int, int);

char * alg_to_name(int);
int alg_to_rsa(int);

int construct_nsec3(ddDB *, char *, int, char *);
int calculate_rrsigs(ddDB *, char *, int, int);

/* per-RRtype RRSIG generators used by calculate_rrsigs() */
static int sign_hinfo(ddDB *, char *, int, struct rbtree *, int);
static int sign_rp(ddDB *, char *, int, struct rbtree *, int);
static int sign_caa(ddDB *, char *, int, struct rbtree *, int);
static int sign_dnskey(ddDB *, char *, int, struct rbtree *, int);
static int sign_a(ddDB *, char *, int, struct rbtree *, int);
static int sign_mx(ddDB *, char *, int, struct rbtree *, int);
static int sign_ns(ddDB *, char *, int, struct rbtree *, int);
static int sign_srv(ddDB *, char *, int, struct rbtree *, int);
static int sign_cname(ddDB *, char *, int, struct rbtree *, int);
static int sign_soa(ddDB *, char *, int, struct rbtree *, int);
static int sign_txt(ddDB *, char *, int, struct rbtree *, int);
static int sign_aaaa(ddDB *, char *, int, struct rbtree *, int);
static int sign_ptr(ddDB *, char *, int, struct rbtree *, int);
static int sign_nsec3(ddDB *, char *, int, struct rbtree *, int);
static int sign_nsec3param(ddDB *, char *, int, struct rbtree *, int);
static int sign_naptr(ddDB *, char *, int, struct rbtree *, int);
static int sign_sshfp(ddDB *, char *, int, struct rbtree *, int);
static int sign_tlsa(ddDB *, char *, int, struct rbtree *, int);
static int sign_ds(ddDB *, char *, int, struct rbtree *, int);

int sign(int, char *, int, struct keysentry *, char *, int *);
int create_ds(ddDB *, char *, struct keysentry *);
u_int keytag(u_char *key, u_int keysize);
u_int dnskey_keytag(struct dnskey *dnskey);
void free_private_key(struct keysentry *);
RSA * get_private_key_rsa(struct keysentry *);
EC_KEY * get_private_key_ec(struct keysentry *);
int store_private_key(struct keysentry *, char *, int, int);
int print_rbt(FILE *, struct rbtree *);
int print_rbt_bind(FILE *, struct rbtree *);
int signmain(int argc, char *argv[]);
void init_keys(void);
uint32_t getkeypid(char *);
void update_soa_serial(ddDB *, char *, time_t);
void debug_bindump(const char *, int);
int dump_db(ddDB *, FILE *, char *);
int notglue(ddDB *, struct rbtree *, char *);

char * canonical_sort(char **, int, int *);
int cs_cmp(const void *, const void *);

/* daemon-wide configuration state shared with the rest of dddctl */
extern int debug;
extern int verbose;
extern int bytes_received;
extern int notify;
extern int passlist;
extern int bcount;
extern char *bind_list[255];
extern char *interface_list[255];
extern int bflag;
extern int ratelimit_packets_per_second;
extern int ratelimit;
extern int nflag;
extern int iflag;
extern int lflag;
extern int icount;
extern int vslen;
extern char *versionstring;

/* externs */

extern void dolog(int pri, char *fmt, ...);
extern uint32_t unpack32(char *);
extern uint16_t unpack16(char *);
extern void unpack(char *, char *, int);

extern void pack(char *, char *, int);
extern void pack32(char *, u_int32_t);
extern void pack16(char *, u_int16_t);
extern void pack8(char *, u_int8_t);
extern int fill_dnskey(ddDB *,char *, char *, u_int32_t, u_int16_t, u_int8_t, u_int8_t, char *);
extern int fill_rrsig(ddDB *,char *, char *, u_int32_t, char *, u_int8_t, u_int8_t, u_int32_t, u_int64_t, u_int64_t, u_int16_t, char *, char *);
extern int fill_nsec3param(ddDB *, char *, char *, u_int32_t, u_int8_t, u_int8_t, u_int16_t, char *);
extern int fill_nsec3(ddDB *, char *, char *, u_int32_t, u_int8_t, u_int8_t, u_int16_t, char *, char *, char *);
extern char * convert_name(char *name, int namelen);

extern int mybase64_encode(u_char const *, size_t, char *, size_t);
extern int mybase64_decode(char const *, u_char *, size_t);
extern struct rbtree * Lookup_zone(ddDB *, char *, int, int, int);
extern struct question *build_fake_question(char *, int, u_int16_t, char *, int);
extern char * dns_label(char *, int *);
extern int label_count(char *);
extern char *get_dns_type(int, int);
extern char * hash_name(char *, int, struct nsec3param *);
extern char * base32hex_encode(u_char *input, int len);
extern int init_entlist(ddDB *);
extern int check_ent(char *, int);
extern struct question *build_question(char *, int, int, char *);
struct rrtab *rrlookup(char *);

extern struct rbtree * find_rrset(ddDB *db, char *name, int len);
extern struct rrset * find_rr(struct rbtree *rbt, u_int16_t rrtype);
extern int add_rr(struct rbtree *rbt, char *name, int len, u_int16_t rrtype, void *rdata);
extern char * bin2hex(char *, int);
extern u_int64_t timethuman(time_t);
extern char * bitmap2human(char *, int);
extern int memcasecmp(u_char *, u_char *, int);

extern int insert_axfr(char *, char *);
extern int insert_filter(char *, char *);
extern int insert_passlist(char *, char *);
extern int insert_notifyddd(char *, char *);

extern int dnssec;
extern int tsig;

/* Aliases */

/* rollover methods selectable with -R (RFC 7583 section 2.1) */
#define ROLLOVER_METHOD_PRE_PUBLICATION 0
#define ROLLOVER_METHOD_DOUBLE_SIGNATURE 1

/* struct keysentry.type */
#define KEYTYPE_NONE 0
#define KEYTYPE_KSK 1
#define KEYTYPE_ZSK 2

/* not referenced in the part of the file reviewed here */
#define SCHEME_OFF 0
#define SCHEME_YYYY 1
#define SCHEME_TSTAMP 2

/*
 * DNSKEY algorithm numbers.  RFC 8624 lists algorithm 7 (SHA-1 based) as
 * NOT RECOMMENDED for signing new zones; 8, 10 and 13 remain acceptable,
 * and 13 is the default signmain() picks.
 */
#define ALGORITHM_RSASHA1_NSEC3_SHA1 7 /* rfc 5155 */
#define ALGORITHM_RSASHA256 8 /* rfc 5702 */
#define ALGORITHM_RSASHA512 10 /* rfc 5702 */
#define ALGORITHM_ECDSAP256SHA256 13 /* rfc 6605 */

/*
 * 2^32 + 1, the Fermat number F5.  NOTE(review): unlike F4 (65537, the
 * conventional RSA public exponent) F5 is composite (641 * 6700417).  That is
 * still usable as e when gcd(e, phi(n)) == 1, but if create_key_rsa() uses
 * this as the exponent, confirm that choice is deliberate.
 */
#define RSA_F5 0x100000001

/*
 * Fixed signing window placeholders (YYYYMMDDHHMMSS).  PROVIDED_SIGNTIME is 0,
 * so presumably these are not used for real runs -- they would yield
 * signatures that expired in 2017.  TODO confirm in calculate_rrsigs().
 */
#define PROVIDED_SIGNTIME 0
#define SIGNEDON 20161230073133
#define EXPIREDON 20170228073133

/* seconds: presumably inception back-dating and default -e expiry (60 days) */
#define SIGNEDON_DRIFT (14 * 86400)
#define DEFAULT_EXPIRYTIME (60 * 86400)

#define DEFAULT_TTL 3600
#define DEFAULT_BITS 3072

/* define masks */

/*
 * Bits of the -m mask selecting which signing passes signmain() runs.
 * MASK_PARSE_BINDFILE and MASK_DUMP_BIND are not consulted by signmain()
 * as reviewed here.
 */
#define MASK_PARSE_BINDFILE 0x1
#define MASK_PARSE_FILE 0x2
#define MASK_ADD_DNSKEY 0x4
#define MASK_CONSTRUCT_NSEC3 0x8
#define MASK_CALCULATE_RRSIGS 0x10
#define MASK_CREATE_DS 0x20
#define MASK_DUMP_DB 0x40
#define MASK_DUMP_BIND 0x80

#define MAX_RECORDS_IN_RRSET 100
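/*
 * SIGNMAIN - the heart of dddctl sign ...
 *
 * Entry point of "dddctl sign".  Parses the command line, loads (-k/-z) or
 * generates (-K/-Z) the KSK and ZSK entries, decides which of them sign in
 * this run (rollover handling), then drives the passes over the zone
 * database: DNSKEY insertion, NSEC3 chain, RRSIGs, DS records, zone dump.
 *
 * Every numeric option is parsed strictly and range checked: a value that
 * is not a number, or that does not fit the field it ends up in (8-bit
 * algorithm, 16-bit NSEC3 iterations, 32-bit serial/TTL/pid/mask), is
 * rejected with a message instead of being silently truncated by atoi().
 */

/*
 * parse_num - strict strtoll() wrapper.
 * Stores the value in *out and returns 0 when s is a complete decimal number
 * within [lo, hi]; returns -1 otherwise.
 */
static int
parse_num(const char *s, long long lo, long long hi, long long *out)
{
	char *end;
	long long v;

	if (s == NULL || *s == '\0')
		return -1;

	errno = 0;
	v = strtoll(s, &end, 10);
	if (end == s || *end != '\0' || errno == ERANGE)
		return -1;
	if (v < lo || v > hi)
		return -1;

	*out = v;
	return 0;
}

/*
 * getnum - parse_num() for option values; prints which option was bad and
 * exits, so the switch below stays readable.
 */
static long long
getnum(const char *what, const char *s, long long lo, long long hi)
{
	long long v;

	if (parse_num(s, lo, hi, &v) < 0) {
		fprintf(stderr, "invalid %s \"%s\" (expected %lld..%lld)\n",
		    what, s, lo, hi);
		exit(1);
	}

	return v;
}

/*
 * alloc_keyentry - allocate a zeroed keysentry of the given KEYTYPE_*.
 * calloc() so the BIGNUM pointers start out NULL; exits on failure like the
 * inline malloc() calls it replaces.
 */
static struct keysentry *
alloc_keyentry(int type)
{
	struct keysentry *ke;

	if ((ke = calloc(1, sizeof(*ke))) == NULL) {
		perror("calloc");
		exit(1);
	}
	ke->type = type;
	ke->sign = 0;

	return ke;
}

/*
 * load_keyentry - fill the DNSKEY fields and the private key of ke from its
 * key files and link it into keyshead.  ke->keyname, ke->type and ke->pid
 * must already be set.  Exits on any failure, as the four call sites that
 * previously carried this code inline did.
 */
static void
load_keyentry(struct keysentry *ke)
{
	char key_key[4096];
	char *key_zone;
	uint32_t key_ttl;
	uint16_t key_flags;
	uint8_t key_protocol;
	uint8_t key_algorithm;
	int key_keyid;

	/*
	 * NOTE(review): key2zone() is not told that key_key holds 4096 bytes
	 * (get_key() does take a size).  The key file is external input, so
	 * the bound has to be enforced inside key2zone()/parse_keyfile().
	 */
	if ((key_zone = key2zone(ke->keyname, &key_ttl, &key_flags, &key_protocol, &key_algorithm, (char *)&key_key, &key_keyid)) == NULL) {
		perror("key2zone");
		exit(1);
	}

	ke->zone = strdup(key_zone);
	if (ke->zone == NULL) {
		perror("strdup");
		exit(1);
	}
	ke->ttl = key_ttl;
	ke->flags = key_flags;
	ke->protocol = key_protocol;
	ke->algorithm = key_algorithm;
	ke->key = strdup(key_key);
	if (ke->key == NULL) {
		perror("strdup kn->key");
		exit(1);
	}
	ke->keyid = key_keyid;

	if (store_private_key(ke, ke->zone, ke->keyid, ke->algorithm) < 0) {
		perror("store_private_key");
		exit(1);
	}

	SLIST_INSERT_HEAD(&keyshead, ke, keys_entry);
}

int
signmain(int argc, char *argv[])
{
	FILE *of = stdout;
	struct stat sb;

	int ch;
	int fd;
	int bits = DEFAULT_BITS;
	int ttl = DEFAULT_TTL;
	int create_zsk = 0;
	int create_ksk = 0;
	int rollmethod = ROLLOVER_METHOD_PRE_PUBLICATION;
	int algorithm = ALGORITHM_ECDSAP256SHA256;
	int expiry = DEFAULT_EXPIRYTIME;
	int iterations = 10;
	u_int32_t mask = (MASK_PARSE_FILE | MASK_ADD_DNSKEY | MASK_CONSTRUCT_NSEC3 | MASK_CALCULATE_RRSIGS | MASK_CREATE_DS | MASK_DUMP_DB);
	unsigned long long m;

	char *salt = "-";
	char *zonefile = NULL;
	char *zonename = NULL;
	char *ep;

	int ksk_key = 0, zsk_key = 0;
	int numkeys = 0, search = 0;

	/* UINT32_MAX means "no -S pid given" (the old code spelled it -1) */
	uint32_t pid = UINT32_MAX, newpid;

	char buf[512];

	ddDB *db;

	time_t now, serial = 0;
	struct tm *tm;
	uint32_t parseflags = PARSEFILE_FLAG_NOSOCKET;

#if __OpenBSD__
	/* cpath is needed because -o may create the output file */
	if (pledge("stdio rpath wpath cpath", NULL) < 0) {
		perror("pledge");
		exit(1);
	}
#endif

	while ((ch = getopt(argc, argv, "a:B:e:hI:i:Kk:m:n:o:R:S:s:t:vXx:Zz:")) != -1) {
		switch (ch) {
		case 'a':
			/* algorithm: the DNSKEY algorithm field is 8 bits wide */
			algorithm = (int)getnum("algorithm", optarg, 1, 255);
			break;

		case 'B':
			/* bits (RSA modulus size; ignored by the EC algorithm) */
			bits = (int)getnum("key size", optarg, 1, INT_MAX);
			break;

		case 'e':
			/* expiry: seconds of RRSIG validity */
			expiry = (int)getnum("expiry", optarg, 1, INT_MAX);
			break;

		case 'I':
			/*
			 * NSEC3 iterations: a 16-bit field (RFC 5155).  RFC 9276
			 * recommends 0; large values only make the zone more
			 * expensive for validators, not harder to walk.
			 */
			iterations = (int)getnum("NSEC3 iterations", optarg, 0, 65535);
			break;

		case 'i':
			/* inputfile */
			zonefile = optarg;
			break;

		case 'K':
			/* create KSK key */
			create_ksk = 1;
			break;

		case 'k':
			/* use KSK key */
			kn = alloc_keyentry(KEYTYPE_KSK);
			if ((kn->keyname = strdup(optarg)) == NULL) {
				perror("strdup");
				exit(1);
			}
			kn->pid = getkeypid(kn->keyname);
#if DEBUG
			printf("opened %s with pid %u\n", kn->keyname, kn->pid);
#endif
			load_keyentry(kn);
			ksk_key = 1;
			numkeys++;
			break;

		case 'm':
			/*
			 * mask: hex bitmap of the MASK_* passes to run.  Must be
			 * a complete hex number that fits the u_int32_t it is
			 * stored in; the old strtoull() never looked at ep and
			 * silently truncated.
			 */
			errno = 0;
			m = strtoull(optarg, &ep, 16);
			if (!isxdigit((unsigned char)optarg[0]) || *ep != '\0' ||
			    errno == ERANGE || m > UINT32_MAX) {
				fprintf(stderr, "invalid mask \"%s\"\n", optarg);
				exit(1);
			}
			mask = (u_int32_t)m;
			break;

		case 'n':
			/* zone name */
			zonename = optarg;
			break;

		case 'o':
			/* output file; "-" keeps writing to stdout */
			if (optarg[0] == '-')
				break;

			/*
			 * Refuse an existing path that is not a plain file
			 * (symlink, FIFO, device).  lstat() alone can be raced
			 * between the check and the open, so the open itself
			 * uses O_NOFOLLOW and the descriptor is checked again
			 * with fstat() before being handed to stdio.
			 */
			if (lstat(optarg, &sb) == 0) {
				if (!S_ISREG(sb.st_mode)) {
					fprintf(stderr, "%s is not a file!\n", optarg);
					exit(1);
				}
			} else if (errno != ENOENT) {
				perror("lstat");
				exit(1);
			}
			/* 0666 & ~umask, the same mode fopen("w") would use */
			fd = open(optarg, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0666);
			if (fd < 0) {
				perror("open");
				exit(1);
			}
			if (fstat(fd, &sb) < 0 || !S_ISREG(sb.st_mode)) {
				fprintf(stderr, "%s is not a file!\n", optarg);
				exit(1);
			}
			if ((of = fdopen(fd, "w")) == NULL) {
				perror("fdopen");
				exit(1);
			}
			break;

		case 'R':
			/* rollover method see RFC 7583 section 2.1 */
			if (strcmp(optarg, "prep") == 0) {
				rollmethod = ROLLOVER_METHOD_PRE_PUBLICATION;
			} else if (strcmp(optarg, "double") == 0) {
				rollmethod = ROLLOVER_METHOD_DOUBLE_SIGNATURE;
			} else {
				/* a misspelled method used to silently keep the default */
				fprintf(stderr, "unknown rollover method \"%s\" (use prep or double)\n", optarg);
				exit(1);
			}
			break;

		case 'S':
			/* pid of the key that signs in a 3-key pre-publication roll */
			pid = (uint32_t)getnum("pid", optarg, 0, (long long)UINT32_MAX - 1);
			break;

		case 's':
			/* salt ("-" is the empty salt); validated by construct_nsec3() */
			salt = optarg;
			break;

		case 't':
			/* ttl of the zone; RFC 2181 caps TTLs at 2^31 - 1 */
			ttl = (int)getnum("ttl", optarg, 0, INT32_MAX);
			break;

		case 'v':
			/* version */
			printf("%s\n", DD_CONVERT_VERSION);
			exit(0);

		case 'X':
			/* update serial to YYYYMMDD01 of the local date */
			now = time(NULL);
			if ((tm = localtime(&now)) == NULL ||
			    strftime(buf, sizeof(buf), "%Y%m%d01", tm) == 0) {
				fprintf(stderr, "cannot derive a serial from the current date\n");
				exit(1);
			}
			serial = (time_t)getnum("serial", buf, 0, UINT32_MAX);
			break;

		case 'x':
			/* explicit SOA serial; a 32-bit field (RFC 1035) */
			serial = (time_t)getnum("serial", optarg, 0, UINT32_MAX);
			break;

		case 'Z':
			/* create ZSK */
			create_zsk = 1;
			break;

		case 'z':
			/* use ZSK */
			kn = alloc_keyentry(KEYTYPE_ZSK);
			if ((kn->keyname = strdup(optarg)) == NULL) {
				perror("strdup");
				exit(1);
			}
			kn->pid = getkeypid(kn->keyname);
#if DEBUG
			printf("opened %s with pid %u\n", kn->keyname, kn->pid);
#endif
			load_keyentry(kn);
			zsk_key = 1;
			numkeys++;
			break;

		default:
			/*
			 * -h and anything getopt(3) already complained about.
			 * Fail closed rather than sign with a half-parsed
			 * command line.
			 */
			exit(1);
		}
	}

	if (zonename == NULL) {
		fprintf(stderr, "must provide a zonename with the -n flag\n");
		exit(1);
	}

	/*
	 * Key generation policy.  Only warnings: the operator may have a
	 * reason, but weak keys should not be produced quietly.
	 */
	if (create_ksk || create_zsk) {
		if (algorithm == ALGORITHM_RSASHA1_NSEC3_SHA1)
			fprintf(stderr, "warning: algorithm 7 (RSASHA1-NSEC3-SHA1) is NOT RECOMMENDED for signing (RFC 8624)\n");
		if ((algorithm == ALGORITHM_RSASHA1_NSEC3_SHA1 ||
		    algorithm == ALGORITHM_RSASHA256 ||
		    algorithm == ALGORITHM_RSASHA512) && bits < 2048)
			fprintf(stderr, "warning: %d-bit RSA keys are below the commonly recommended 2048-bit minimum\n", bits);
	}

	if (create_ksk) {
		kn = alloc_keyentry(KEYTYPE_KSK);

		dolog(LOG_INFO, "creating new KSK (257) algorithm: %s with %d bits, pid ", alg_to_name(algorithm), bits);
		kn->keyname = create_key(zonename, ttl, 257, algorithm, bits, &newpid);
		if (kn->keyname == NULL) {
			dolog(LOG_ERR, "failed.\n");
			exit(1);
		}

		kn->pid = newpid;
		ksk_key = 1;

		dolog(LOG_INFO, "%u.\n", newpid);

		load_keyentry(kn);
		numkeys++;
	}

	if (create_zsk) {
		kn = alloc_keyentry(KEYTYPE_ZSK);

		dolog(LOG_INFO, "creating new ZSK (256) algorithm: %s with %d bits, pid ", alg_to_name(algorithm), bits);
		kn->keyname = create_key(zonename, ttl, 256, algorithm, bits, &newpid);
		if (kn->keyname == NULL) {
			dolog(LOG_ERR, "failed.\n");
			exit(1);
		}

		kn->pid = newpid;
		zsk_key = 1;

		dolog(LOG_INFO, "%u.\n", newpid);

		load_keyentry(kn);
		numkeys++;
	}

	/* zonename is known to be set here; the message is kept for users */
	if (zonefile == NULL) {
		if (create_zsk || create_ksk) {
			fprintf(stderr, "key(s) created\n");
			exit(0);
		}

		fprintf(stderr, "must provide a zonefile and a zonename!\n");
		exit(1);
	}

	if (ksk_key == 0 || zsk_key == 0) {
		dolog(LOG_INFO, "must specify both a ksk and a zsk key! or -z -k\n");
		exit(1);
	}

	/* check what keys we sign or not */
	if ((rollmethod == ROLLOVER_METHOD_PRE_PUBLICATION && numkeys > 3) ||
	    (rollmethod == ROLLOVER_METHOD_DOUBLE_SIGNATURE && numkeys > 4)) {
		switch (rollmethod) {
		case ROLLOVER_METHOD_PRE_PUBLICATION:
			dolog(LOG_INFO, "rollover pre-publication method: can't roll-over more than 1 key at a time! numkeys > 3\n");
			break;
		case ROLLOVER_METHOD_DOUBLE_SIGNATURE:
			dolog(LOG_INFO, "rollover double-signature method: can't roll-over more than 2 keys at a time! numkeys > 4\n");
			break;
		default:
			break;
		}
		exit(1);
	} else if ((numkeys > 2 && rollmethod == ROLLOVER_METHOD_DOUBLE_SIGNATURE) || numkeys == 2) {
		/*
		 * NOTE(review): this branch has no visible body, and because
		 * it already matches numkeys == 2 the "sign them all" branch
		 * below can never be reached.  Kept as found rather than
		 * guessed at: whether calculate_rrsigs() treats sign == 0 on
		 * every key as "all keys sign" has to be checked there.
		 */
	} else if (numkeys == 2) {
		/* sign them all */
		SLIST_FOREACH(knp, &keyshead, keys_entry) {
			knp->sign = 1;
		}
	} else {
		/* we can only be pre-publication method and have 3 keys now */
		if (pid == UINT32_MAX) {
			fprintf(stderr, "pre-publication rollover: you specified three keys, please select one for signing (with -S pid)!\n");
			exit(1);
		}

		search = KEYTYPE_NONE;
		SLIST_FOREACH(knp, &keyshead, keys_entry) {
			if (knp->pid == pid) {
				knp->sign = 1;
				search = (knp->type == KEYTYPE_KSK) ? KEYTYPE_ZSK : KEYTYPE_KSK;
			}
		}

		/*
		 * A -S pid that matches none of the loaded keys used to fall
		 * through with no key selected, i.e. a zone signed by nothing.
		 */
		if (search == KEYTYPE_NONE) {
			fprintf(stderr, "-S %u does not match any of the loaded keys\n", pid);
			exit(1);
		}

		/* the selected key's counterpart(s) of the other type sign too */
		SLIST_FOREACH(knp, &keyshead, keys_entry) {
			if (search == knp->type && knp->sign == 0)
				knp->sign = 1;
		} /* SLIST_FOREACH */
	} /* numkeys == 3 */

#if DEBUG
	SLIST_FOREACH(knp, &keyshead, keys_entry) {
		printf("%s pid: %u %s\n", knp->keyname, knp->pid, knp->sign ? "<--" : "" );
	}
	printf("zonefile is %s\n", zonefile);
#endif

	/* open the database(s) */
	db = dddbopen();
	if (db == NULL) {
		dolog(LOG_INFO, "dddbopen() failed\n");
		exit(1);
	}

	/* now we start reading our configfile */
	if ((mask & MASK_PARSE_FILE) && parse_file(db, zonefile, parseflags) < 0) {
		dolog(LOG_INFO, "parsing config file failed\n");
		exit(1);
	}

	/* create ENT list */
	if (init_entlist(db) < 0) {
		dolog(LOG_INFO, "creating entlist failed\n");
		exit(1);
	}

	/* update any serial updates here */
	if (serial)
		update_soa_serial(db, zonename, serial);

	/* three passes to "sign" our zones */
	/* first pass, add dnskey records, on apex */
	if ((mask & MASK_ADD_DNSKEY) && add_dnskey(db) < 0) {
		dolog(LOG_INFO, "add_dnskey failed\n");
		exit(1);
	}

	/* second pass construct NSEC3 records, including ENT's */
	if ((mask & MASK_CONSTRUCT_NSEC3) && construct_nsec3(db, zonename, iterations, salt) < 0) {
		dolog(LOG_INFO, "construct nsec3 failed\n");
		exit(1);
	}

	/* third pass calculate RRSIG's for every RR set */
	if ((mask & MASK_CALCULATE_RRSIGS) && calculate_rrsigs(db, zonename, expiry, rollmethod) < 0) {
		dolog(LOG_INFO, "calculate rrsigs failed\n");
		exit(1);
	}

	/* calculate ds */
	if (mask & MASK_CREATE_DS) {
		SLIST_FOREACH(knp, &keyshead, keys_entry) {
			if (create_ds(db, zonename, knp) < 0) {
				dolog(LOG_INFO, "create_ds failed\n");
				exit(1);
			}
		}
	}

	/* free private keys */
	SLIST_FOREACH(knp, &keyshead, keys_entry) {
		free_private_key(knp);
	}

	/* write new zone file */
	if ((mask & MASK_DUMP_DB) && dump_db(db, of, zonename) < 0)
		exit(1);

	/*
	 * dump_db() goes through stdio, so a short write (disk full, EIO)
	 * only surfaces at flush/close time.  Exiting 0 while leaving a
	 * truncated signed zone behind is worse than failing, so check it.
	 */
	if (fflush(of) != 0 || ferror(of)) {
		perror("writing signed zone");
		exit(1);
	}
	if (of != stdout && fclose(of) != 0) {
		perror("fclose");
		exit(1);
	}

	exit(0);
}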
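/*
 * add_dnskey_type - add the DNSKEY RR of every loaded key of the given type
 * (KEYTYPE_ZSK or KEYTYPE_KSK) to the apex through fill_dnskey().
 * Returns 0 on success, -1 on the first failure; both get_key() and
 * fill_dnskey() failures are logged with the key name (the fill_dnskey()
 * failure used to be silent).
 */
static int
add_dnskey_type(ddDB *db, int type)
{
	struct keysentry *ke;
	char key[4096];
	char *zone;
	uint32_t ttl;
	uint16_t flags;
	uint8_t protocol;
	uint8_t algorithm;
	int keyid;

	SLIST_FOREACH(ke, &keyshead, keys_entry) {
		if (ke->type != type)
			continue;

		/* get_key() is given the buffer size; keyid is returned but not needed here */
		if ((zone = get_key(ke, &ttl, &flags, &protocol, &algorithm, (char *)&key, sizeof(key), &keyid)) == NULL) {
			dolog(LOG_INFO, "get_key: %s\n", ke->keyname);
			return -1;
		}

		if (fill_dnskey(db, zone, "dnskey", ttl, flags, protocol, algorithm, key) < 0) {
			dolog(LOG_INFO, "fill_dnskey: %s\n", ke->keyname);
			return -1;
		}
	}

	return 0;
}

/*
 * add_dnskey - first signing pass: publish the DNSKEY records of all loaded
 * keys at the apex, ZSKs first and then KSKs (the order the original two
 * loops used).
 * Returns 0 on success, -1 on failure.
 */
int
add_dnskey(ddDB *db)
{
	/* first the zsk */
	if (add_dnskey_type(db, KEYTYPE_ZSK) < 0)
		return -1;

	/* now the ksk */
	return add_dnskey_type(db, KEYTYPE_KSK);
}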
parse_keyfile(int fd, uint32_t *ttl, uint16_t *flags, uint8_t *protocol, uint8_t *algorithm, char *key, int *keyid)
static char retbuf[256];
0866
2020-04-10
pjp
char buf[8192];
0867
2020-04-10
pjp
char *p, *q;
0868
2020-04-10
pjp
FILE *f;
0870
2020-04-10
pjp
if ((f = fdopen(fd, "r")) == NULL)
0871
2020-04-10
pjp
return NULL;
0873
2020-04-10
pjp
while (fgets(buf, sizeof(buf), f) != NULL) {
0874
2020-04-10
pjp
if (buf[0] == ';') {
0875
2020-04-10
pjp
if ((p = strstr(buf, "keyid ")) != NULL) {
0876
2020-04-10
pjp
p += 6;
0877
2020-04-10
pjp
q = strchr(p, ' ');
0878
2020-04-10
pjp
if (q == NULL)
0879
2020-04-10
pjp
return NULL;
0880
2020-04-10
pjp
*q = '\0';
0881
2020-04-10
pjp
pack32((char *)keyid, atoi(p));
0884
2020-04-10
pjp
continue;
0888
2020-04-10
pjp
/* name */
0889
2020-04-10
pjp
p = &buf[0];
0890
2020-04-10
pjp
q = strchr(p, ' ');
0891
2020-04-10
pjp
if (q == NULL) {
0892
2020-04-10
pjp
return NULL;
0895
2020-04-10
pjp
*q++ = '\0';
0897
2020-04-10
pjp
strlcpy(retbuf, p, sizeof(retbuf));
0898
2020-04-10
pjp
/* ttl */
0901
2020-04-10
pjp
q = strchr(p, ' ');
0902
2020-04-10
pjp
if (q == NULL)
0903
2020-04-10
pjp
return NULL;
0905
2020-04-10
pjp
*q++ = '\0';
0906
2020-04-10
pjp
*ttl = atoi(p);
0907
2020-04-10
pjp
/* IN/DNSKEY/ flags */
0909
2020-04-10
pjp
q = strchr(p, ' ');
0910
2020-04-10
pjp
if (q == NULL)
0911
2020-04-10
pjp
return NULL;
0914
2020-04-10
pjp
q = strchr(p, ' ');
0915
2020-04-10
pjp
if (q == NULL)
0916
2020-04-10
pjp
return NULL;
0919
2020-04-10
pjp
q = strchr(p, ' ');
0920
2020-04-10
pjp
if (q == NULL)
0921
2020-04-10
pjp
return NULL;
0922
2020-04-10
pjp
*q++ = '\0';
0923
2020-04-10
pjp
*flags = atoi(p);
0924
2020-04-10
pjp
/* protocol */
0926
2020-04-10
pjp
q = strchr(p, ' ');
0927
2020-04-10
pjp
if (q == NULL)
0928
2020-04-10
pjp
return NULL;
0929
2020-04-10
pjp
*q++ = '\0';
0930
2020-04-10
pjp
*protocol = atoi(p);
0931
2020-04-10
pjp
/* algorithm */
0933
2020-04-10
pjp
q = strchr(p, ' ');
0934
2020-04-10
pjp
if (q == NULL)
0935
2020-04-10
pjp
return NULL;
0936
2020-04-10
pjp
*q++ = '\0';
0937
2020-04-10
pjp
*algorithm = atoi(p);
0938
2020-04-10
pjp
/* key */
0941
2020-04-10
pjp
q = key;
0942
2020-04-10
pjp
while (*p) {
0943
2020-04-10
pjp
if (*p == ' ' || *p == '\n' || *p == '\r') {
0945
2020-04-10
pjp
continue;
0948
2020-04-10
pjp
*q++ = *p++;
0950
2020-04-10
pjp
*q = '\0';
0952
2020-04-10
pjp
return (&retbuf[0]);
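/*
 * Write the whole database to `of` as a zone file: a generated-file
 * banner, the "zone" header, the apex (SOA owner) first, then every
 * other name in tree order, then the closing brace.
 *
 * Returns 0 on success and -1 if the apex cannot be found or a record
 * cannot be printed.  Exits the process on allocation failure, like the
 * rest of the dump/sign path.
 */
int
dump_db(ddDB *db, FILE *of, char *zonename)
{
	struct node *n, *nx;
	struct rbtree *rbt0, *rbt;
	char *dnsname;
	int labellen;
	int records = 0;

	fprintf(of, "; this file is automatically generated, do NOT edit\n");
	fprintf(of, "; it was generated by dddctl.c\n");

	fprintf(of, "zone \"%s\" {\n", zonename);

	dnsname = dns_label(zonename, &labellen);
	if (dnsname == NULL)
		return -1;

	/* the apex is printed first and skipped again during the walk below */
	if ((rbt0 = Lookup_zone(db, dnsname, labellen, DNS_TYPE_SOA, 0)) == NULL)
		return -1;

	if (print_rbt(of, rbt0) < 0) {
		fprintf(stderr, "print_rbt error\n");
		return -1;
	}

	RB_FOREACH_SAFE(n, domaintree, &db->head, nx) {
		/*
		 * print from a private copy of the node data, as the original
		 * did (presumably so print_rbt never touches the tree itself);
		 * the copy was previously never freed, leaking one per name.
		 */
		if ((rbt = calloc(1, n->datalen)) == NULL) {
			dolog(LOG_INFO, "calloc: %s\n", strerror(errno));
			exit(1);
		}
		memcpy(rbt, n->data, n->datalen);

		if (rbt->zonelen == rbt0->zonelen &&
		    memcasecmp(rbt->zone, rbt0->zone, rbt->zonelen) == 0) {
			free(rbt);
			continue;
		}

		if (print_rbt(of, rbt) < 0) {
			fprintf(stderr, "print_rbt error\n");
			free(rbt);
			return -1;
		}
		free(rbt);
		records++;
	}

	fprintf(of, "}\n");

#if DEBUG
	printf("%d records\n", records);
#endif

	return (0);
}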
/*
 * Generate a key pair for zonename with the given DNSSEC algorithm,
 * dispatching to the RSA or EC generator.  bits is forwarded as-is
 * (create_key_ec() does not use it: the curve fixes the key size).
 *
 * Returns the K<zone>+<alg>+<tag> base name from the generator, or NULL
 * after logging when the algorithm is not one we can generate.
 */
char *
create_key(char *zonename, int ttl, int flags, int algorithm, int bits, uint32_t *pid)
{
	if (algorithm == ALGORITHM_RSASHA1_NSEC3_SHA1 ||
	    algorithm == ALGORITHM_RSASHA256 ||
	    algorithm == ALGORITHM_RSASHA512)
		return (create_key_rsa(zonename, ttl, flags, algorithm, bits, pid));

	if (algorithm == ALGORITHM_ECDSAP256SHA256)
		return (create_key_ec(zonename, ttl, flags, algorithm, bits, pid));

	dolog(LOG_INFO, "invalid algorithm in key\n");
	return NULL;
}
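/*
 * Generate an ECDSAP256SHA256 key pair for zonename and store it as
 * BIND-style K<zone>+<alg>+<keytag>.private and .key files in the
 * current directory.  The key tag is returned through *pid; a tag that
 * collides with a key already on keyshead is thrown away and a fresh
 * pair is generated.
 *
 * Returns the malloc()'d "K<zone>+<alg>+<keytag>" base name, owned by
 * the caller, or NULL on failure.  On failure the .private file is
 * removed if it was created, the process umask is restored and the
 * stack copies of the private scalar are scrubbed.  bits is accepted
 * only so the signature matches create_key_rsa(); the curve fixes the
 * key size.
 *
 * NOTE(review): OpenSSL failures are reported via strerror(errno), which
 * is usually stale for library errors; ERR_get_error() is the right
 * source.  Left as is to avoid a new header dependency.
 */
char *
create_key_ec(char *zonename, int ttl, int flags, int algorithm, int bits, uint32_t *pid)
{
	FILE *f = NULL;
	EC_KEY *eckey = NULL;
	EC_GROUP *ecgroup = NULL;
	const BIGNUM *ecprivatekey;
	const EC_POINT *ecpublickey;
	struct stat sb;
	char bin[4096];
	char b64[4096];
	char tmp[4096];
	char buf[512];
	char datebuf[32];
	const char *dot;
	char *retval = NULL;
	int binlen, tag;
	int private_written = 0, mask_changed = 0;
	mode_t savemask = 0;
	time_t now;
	struct tm *tm;

	(void)bits;

	if (algorithm != ALGORITHM_ECDSAP256SHA256)
		return NULL;
	if (zonename == NULL || *zonename == '\0')
		return NULL;
	/* file names and the owner name are always written fully qualified */
	dot = (zonename[strlen(zonename) - 1] == '.') ? "" : ".";

	if ((eckey = EC_KEY_new()) == NULL) {
		dolog(LOG_ERR, "EC_KEY_new(): %s\n", strerror(errno));
		return NULL;
	}

	if ((ecgroup = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1)) == NULL) {
		dolog(LOG_ERR, "EC_GROUP_new_by_curve_name(): %s\n", strerror(errno));
		goto out;
	}

	if (EC_KEY_set_group(eckey, ecgroup) != 1) {
		dolog(LOG_ERR, "EC_KEY_set_group(): %s\n", strerror(errno));
		goto out;
	}

	if (EC_KEY_generate_key(eckey) == 0) {
		dolog(LOG_ERR, "EC_KEY_generate_key(): %s\n", strerror(errno));
		goto out;
	}

	if ((ecprivatekey = EC_KEY_get0_private_key(eckey)) == NULL) {
		dolog(LOG_INFO, "EC_KEY_get0_private_key(): %s\n", strerror(errno));
		goto out;
	}

	if ((ecpublickey = EC_KEY_get0_public_key(eckey)) == NULL) {
		dolog(LOG_ERR, "EC_KEY_get0_public_key(): %s\n", strerror(errno));
		goto out;
	}

	tag = create_key_ec_getpid(eckey, ecgroup, (EC_POINT *)ecpublickey, algorithm, flags);
	if (tag < 0) {
		dolog(LOG_ERR, "create_key_ec_getpid(): %s\n", strerror(errno));
		goto out;
	}
	*pid = (uint32_t)tag;

	/* check for collisions, XXX should be rare */
	SLIST_FOREACH(knp, &keyshead, keys_entry) {
		if (knp->pid == *pid)
			break;
	}

	if (knp != NULL) {
		dolog(LOG_INFO, "create_key: collision with existing pid %u\n", *pid);
		EC_GROUP_free(ecgroup);
		EC_KEY_free(eckey);
		return (create_key_ec(zonename, ttl, flags, algorithm, bits, pid));
	}

	snprintf(buf, sizeof(buf), "K%s%s+%03d+%u", zonename, dot, algorithm, *pid);

	if ((retval = strdup(buf)) == NULL) {
		dolog(LOG_INFO, "strdup: %s\n", strerror(errno));
		goto out;
	}

	now = time(NULL);
	if ((tm = gmtime(&now)) == NULL) {
		dolog(LOG_INFO, "gmtime: %s\n", strerror(errno));
		goto out;
	}
	strftime(datebuf, sizeof(datebuf), "%Y%m%d%H%M%S", tm);

	/* the .private file: created 0600 through the umask, never a symlink */
	snprintf(buf, sizeof(buf), "%s.private", retval);

	savemask = umask(077);
	mask_changed = 1;

	/*
	 * lstat() rather than stat() so a symlink planted at the target name
	 * is refused instead of followed.  A window remains between this
	 * check and fopen(); an open() with O_NOFOLLOW would close it.
	 */
	if (lstat(buf, &sb) == 0) {
		if (!S_ISREG(sb.st_mode)) {
			dolog(LOG_INFO, "%s is not a file!\n", buf);
			goto out;
		}
	} else if (errno != ENOENT) {
		perror("lstat");
		goto out;
	}

	if ((f = fopen(buf, "w")) == NULL) {
		dolog(LOG_INFO, "fopen: %s\n", strerror(errno));
		goto out;
	}
	private_written = 1;

	fprintf(f, "Private-key-format: v1.3\n");
	fprintf(f, "Algorithm: %d (%s)\n", algorithm, alg_to_name(algorithm));
	/* PrivateKey */
	binlen = BN_bn2bin(ecprivatekey, (unsigned char *)bin);
	mybase64_encode(bin, binlen, b64, sizeof(b64));
	fprintf(f, "PrivateKey: %s\n", b64);
	/* the secret scalar is on disk now; leave no copies on the stack */
	explicit_bzero(bin, sizeof(bin));
	explicit_bzero(b64, sizeof(b64));

	fprintf(f, "Created: %s\n", datebuf);
	fprintf(f, "Publish: %s\n", datebuf);
	fprintf(f, "Activate: %s\n", datebuf);

	/* a failed flush here means a truncated private key, so it is fatal */
	if (fclose(f) != 0) {
		dolog(LOG_INFO, "fclose: %s\n", strerror(errno));
		f = NULL;
		goto out;
	}
	f = NULL;

	/* now for the EC public .key, created with the caller's umask */
	snprintf(buf, sizeof(buf), "%s.key", retval);
	umask(savemask);
	mask_changed = 0;

	if (lstat(buf, &sb) == 0) {
		if (!S_ISREG(sb.st_mode)) {
			dolog(LOG_INFO, "%s is not a file!\n", buf);
			goto out;
		}
	} else if (errno != ENOENT) {
		perror("lstat");
		goto out;
	}

	if ((f = fopen(buf, "w")) == NULL) {
		dolog(LOG_INFO, "fopen: %s\n", strerror(errno));
		goto out;
	}

	fprintf(f, "; This is a %s key, keyid %u, for %s%s\n", (flags == 257) ? "key-signing" : "zone-signing", *pid, zonename, dot);

	strftime(bin, sizeof(bin), "%c", tm);
	fprintf(f, "; Created: %s (%s)\n", datebuf, bin);
	fprintf(f, "; Publish: %s (%s)\n", datebuf, bin);
	fprintf(f, "; Activate: %s (%s)\n", datebuf, bin);

	binlen = (int)EC_POINT_point2oct(ecgroup, ecpublickey, POINT_CONVERSION_UNCOMPRESSED, (unsigned char *)tmp, sizeof(tmp), NULL);
	if (binlen == 0) {
		dolog(LOG_ERR, "EC_POINT_point2oct(): %s\n", strerror(errno));
		goto out;
	}

	/*
	 * taken from PowerDNS's opensslsigners.cc: the DNSKEY RDATA carries
	 * the bare X||Y coordinates, so the leading point-format octet that
	 * EC_POINT_point2oct() emits is dropped.
	 */
	mybase64_encode(tmp + 1, binlen - 1, b64, sizeof(b64));
	fprintf(f, "%s%s %d IN DNSKEY %d 3 %d %s\n", zonename, dot, ttl, flags, algorithm, b64);

	if (fclose(f) != 0) {
		dolog(LOG_INFO, "fclose: %s\n", strerror(errno));
		f = NULL;
		goto out;
	}
	f = NULL;

	EC_GROUP_free(ecgroup);
	EC_KEY_free(eckey);

	return (retval);

out:
	if (f != NULL)
		fclose(f);
	if (private_written) {
		/* never leave a private key behind for a pair we did not finish */
		snprintf(buf, sizeof(buf), "%s.private", retval);
		unlink(buf);
	}
	if (mask_changed)
		umask(savemask);
	explicit_bzero(bin, sizeof(bin));
	explicit_bzero(b64, sizeof(b64));
	free(retval);
	EC_GROUP_free(ecgroup);
	EC_KEY_free(eckey);

	return NULL;
}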
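/*
 * Compute the DNSKEY key tag for an EC public key: the RDATA (flags,
 * protocol 3, algorithm, then the point's X||Y coordinates without the
 * leading point-format octet) is assembled and passed to keytag().
 *
 * eckey is unused; the group and the public point carry everything
 * needed.  Returns the tag, or -1 after logging on failure.  The
 * encoded-point buffer is released on every path (the original leaked
 * it when the second EC_POINT_point2oct() failed).
 */
int
create_key_ec_getpid(EC_KEY *eckey, EC_GROUP *ecgroup, EC_POINT *ecpublickey, int algorithm, int flags)
{
	char bin[4096];
	char *p = bin;
	unsigned char *point = NULL;
	size_t pointlen;
	int ret = -1;

	(void)eckey;

	/* DNSKEY RDATA header */
	pack16(p, htons(flags));
	p += 2;
	pack8(p, 3);		/* protocol always 3 */
	p++;
	pack8(p, algorithm);
	p++;

	pointlen = EC_POINT_point2oct(ecgroup, ecpublickey, POINT_CONVERSION_UNCOMPRESSED, NULL, 0, NULL);
	if (pointlen == 0) {
		dolog(LOG_ERR, "EC_POINT_point2oct(): %s\n", strerror(errno));
		return -1;
	}

	/* the point minus its format octet must fit behind the 4-byte header */
	if (pointlen - 1 > sizeof(bin) - (size_t)(p - bin)) {
		dolog(LOG_ERR, "EC_POINT_point2oct(): encoded point too large\n");
		return -1;
	}

	if ((point = malloc(pointlen)) == NULL) {
		dolog(LOG_ERR, "malloc: %s\n", strerror(errno));
		return -1;
	}

	if (EC_POINT_point2oct(ecgroup, ecpublickey, POINT_CONVERSION_UNCOMPRESSED, point, pointlen, NULL) == 0) {
		dolog(LOG_ERR, "EC_POINT_point2oct(): %s\n", strerror(errno));
		goto out;
	}

	/* skip the leading point-format octet; the RDATA carries bare X||Y */
	pack(p, (char *)point + 1, (int)(pointlen - 1));
	p += pointlen - 1;

	ret = keytag(bin, (int)(p - bin));

out:
	free(point);
	return (ret);
}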
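/*
 * Serialise an RSA public key as DNSKEY RDATA (RFC 3110 section 2):
 * flags, protocol 3, algorithm, the exponent length (one octet, or a
 * zero octet followed by a two-octet length), then the exponent and
 * modulus as big-endian integers.
 *
 * Returns the RDATA length, or -1 if it would not fit in out.
 */
static int
rsa_dnskey_rdata(const BIGNUM *rsae, const BIGNUM *rsan, int flags, int algorithm, char *out, size_t outsz)
{
	char tmp[4096];
	char *p = out;
	int explen, modlen;

	if (BN_num_bytes(rsae) > (int)sizeof(tmp) ||
	    BN_num_bytes(rsan) > (int)sizeof(tmp))
		return -1;
	explen = BN_bn2bin(rsae, (unsigned char *)tmp);
	/* 4-byte header, up to 3 bytes of exponent length, exponent, modulus */
	if (outsz < 4 + 3 + (size_t)explen + (size_t)BN_num_bytes(rsan))
		return -1;

	pack16(p, htons(flags));
	p += 2;
	pack8(p, 3);		/* protocol always 3 */
	p++;
	pack8(p, algorithm);
	p++;

	/* RFC 3110 */
	if (explen < 256) {
		*p++ = explen;
	} else {
		*p++ = 0;
		pack16(p, htons(explen));
		p += 2;
	}
	pack(p, tmp, explen);
	p += explen;

	modlen = BN_bn2bin(rsan, (unsigned char *)tmp);
	pack(p, tmp, modlen);
	p += modlen;

	return (int)(p - out);
}

/*
 * Write one "<label>: <base64>" line of the private key file and scrub
 * the stack copies afterwards (d, p, q and the CRT values are secret).
 *
 * Returns -1 if the component is missing or too large for the buffers.
 */
static int
rsa_write_field(FILE *f, const char *label, const BIGNUM *bn)
{
	char bin[4096];
	char b64[4096];
	int binlen;

	if (bn == NULL || BN_num_bytes(bn) > (int)sizeof(bin))
		return -1;
	binlen = BN_bn2bin(bn, (unsigned char *)bin);
	mybase64_encode(bin, binlen, b64, sizeof(b64));
	fprintf(f, "%s: %s\n", label, b64);
	explicit_bzero(bin, sizeof(bin));
	explicit_bzero(b64, sizeof(b64));
	return 0;
}

/*
 * Generate an RSA key pair of `bits` bits for zonename with one of the
 * RSA DNSSEC algorithms and store it as BIND-style
 * K<zone>+<alg>+<keytag>.private and .key files in the current
 * directory.  The key tag is returned through *pid; a tag that collides
 * with a key already on keyshead is thrown away and a fresh pair
 * generated.
 *
 * Returns the malloc()'d "K<zone>+<alg>+<keytag>" base name, owned by
 * the caller, or NULL on failure.  On failure every OpenSSL object is
 * released, the .private file is removed if it was created and the
 * umask is restored.  (The original leaked the eight BN_new()'d
 * placeholders that RSA_get0_*() overwrote, leaked e/cb/rsa on several
 * error paths, double-freed e when the .key target was not a regular
 * file, and exit()ed on an lstat() error instead of returning.)
 */
char *
create_key_rsa(char *zonename, int ttl, int flags, int algorithm, int bits, uint32_t *pid)
{
	FILE *f = NULL;
	RSA *rsa = NULL;
	BIGNUM *e = NULL;
	BN_GENCB *cb = NULL;
	const BIGNUM *rsan, *rsae, *rsad, *rsap, *rsaq;
	const BIGNUM *rsadmp1, *rsadmq1, *rsaiqmp;
	struct stat sb;
	char bin[4096];
	char b64[4096];
	char buf[512];
	char datebuf[32];
	char humanbuf[128];
	const char *dot;
	char *retval = NULL;
	int rlen;
	int private_written = 0, mask_changed = 0;
	mode_t savemask = 0;
	time_t now;
	struct tm *tm;

	switch (algorithm) {
	case ALGORITHM_RSASHA1_NSEC3_SHA1:
	case ALGORITHM_RSASHA256:
	case ALGORITHM_RSASHA512:
		break;
	default:
		dolog(LOG_INFO, "invalid algorithm in key\n");
		return NULL;
	}

	/*
	 * RFC 3110 and RFC 5702 bound RSA DNSKEYs to 512..4096 bits, and a
	 * larger modulus would not fit the RDATA buffers below.  Sizes under
	 * 2048 bits are still accepted for compatibility but are weak.
	 */
	if (bits < 512 || bits > 4096) {
		dolog(LOG_INFO, "invalid RSA key size %d\n", bits);
		return NULL;
	}

	if (zonename == NULL || *zonename == '\0')
		return NULL;
	/* file names and the owner name are always written fully qualified */
	dot = (zonename[strlen(zonename) - 1] == '.') ? "" : ".";

	if ((rsa = RSA_new()) == NULL) {
		dolog(LOG_INFO, "RSA_new: %s\n", strerror(errno));
		return NULL;
	}

	if ((e = BN_new()) == NULL) {
		dolog(LOG_INFO, "BN_new: %s\n", strerror(errno));
		goto out;
	}

	/* public exponent F4 (65537); same value the old bit loop built */
	if (BN_set_word(e, RSA_F4) != 1) {
		dolog(LOG_INFO, "BN_set_word: %s\n", strerror(errno));
		goto out;
	}

	if ((cb = BN_GENCB_new()) == NULL) {
		dolog(LOG_INFO, "BN_GENCB_new: %s\n", strerror(errno));
		goto out;
	}
	BN_GENCB_set_old(cb, NULL, NULL);

	if (RSA_generate_key_ex(rsa, bits, e, cb) == 0) {
		dolog(LOG_INFO, "RSA_generate_key_ex: %s\n", strerror(errno));
		goto out;
	}

	/* cb is not used again */
	BN_GENCB_free(cb);
	cb = NULL;

	/* borrowed references into the opaque RSA struct; not ours to free */
	RSA_get0_key(rsa, &rsan, &rsae, &rsad);
	RSA_get0_factors(rsa, &rsap, &rsaq);
	RSA_get0_crt_params(rsa, &rsadmp1, &rsadmq1, &rsaiqmp);

	/* the key tag is computed over the DNSKEY RDATA */
	rlen = rsa_dnskey_rdata(rsae, rsan, flags, algorithm, bin, sizeof(bin));
	if (rlen < 0) {
		dolog(LOG_INFO, "RSA public key does not fit the DNSKEY buffer\n");
		goto out;
	}
	*pid = keytag(bin, rlen);

	/* check for collisions, XXX should be rare */
	SLIST_FOREACH(knp, &keyshead, keys_entry) {
		if (knp->pid == *pid)
			break;
	}

	if (knp != NULL) {
		dolog(LOG_INFO, "create_key: collision with existing pid %u\n", *pid);
		RSA_free(rsa);
		BN_free(e);
		return (create_key_rsa(zonename, ttl, flags, algorithm, bits, pid));
	}

	snprintf(buf, sizeof(buf), "K%s%s+%03d+%u", zonename, dot, algorithm, *pid);

	if ((retval = strdup(buf)) == NULL) {
		dolog(LOG_INFO, "strdup: %s\n", strerror(errno));
		goto out;
	}

	now = time(NULL);
	if ((tm = gmtime(&now)) == NULL) {
		dolog(LOG_INFO, "gmtime: %s\n", strerror(errno));
		goto out;
	}
	strftime(datebuf, sizeof(datebuf), "%Y%m%d%H%M%S", tm);

	/* the .private file: created 0600 through the umask, never a symlink */
	snprintf(buf, sizeof(buf), "%s.private", retval);

	savemask = umask(077);
	mask_changed = 1;

	/*
	 * lstat() rather than stat() so a symlink planted at the target name
	 * is refused instead of followed.  A window remains between this
	 * check and fopen(); an open() with O_NOFOLLOW would close it.
	 */
	if (lstat(buf, &sb) == 0) {
		if (!S_ISREG(sb.st_mode)) {
			dolog(LOG_INFO, "%s is not a file!\n", buf);
			goto out;
		}
	} else if (errno != ENOENT) {
		perror("lstat");
		goto out;
	}

	if ((f = fopen(buf, "w")) == NULL) {
		dolog(LOG_INFO, "fopen: %s\n", strerror(errno));
		goto out;
	}
	private_written = 1;

	fprintf(f, "Private-key-format: v1.3\n");
	fprintf(f, "Algorithm: %d (%s)\n", algorithm, alg_to_name(algorithm));
	if (rsa_write_field(f, "Modulus", rsan) < 0 ||
	    rsa_write_field(f, "PublicExponent", rsae) < 0 ||
	    rsa_write_field(f, "PrivateExponent", rsad) < 0 ||
	    rsa_write_field(f, "Prime1", rsap) < 0 ||
	    rsa_write_field(f, "Prime2", rsaq) < 0 ||
	    rsa_write_field(f, "Exponent1", rsadmp1) < 0 ||
	    rsa_write_field(f, "Exponent2", rsadmq1) < 0 ||
	    rsa_write_field(f, "Coefficient", rsaiqmp) < 0) {
		dolog(LOG_INFO, "RSA key component missing or too large\n");
		goto out;
	}

	fprintf(f, "Created: %s\n", datebuf);
	fprintf(f, "Publish: %s\n", datebuf);
	fprintf(f, "Activate: %s\n", datebuf);

	/* a failed flush here means a truncated private key, so it is fatal */
	if (fclose(f) != 0) {
		dolog(LOG_INFO, "fclose: %s\n", strerror(errno));
		f = NULL;
		goto out;
	}
	f = NULL;

	/* now for the .key, created with the caller's umask */
	snprintf(buf, sizeof(buf), "%s.key", retval);
	umask(savemask);
	mask_changed = 0;

	if (lstat(buf, &sb) == 0) {
		if (!S_ISREG(sb.st_mode)) {
			dolog(LOG_INFO, "%s is not a file!\n", buf);
			goto out;
		}
	} else if (errno != ENOENT) {
		perror("lstat");
		goto out;
	}

	if ((f = fopen(buf, "w")) == NULL) {
		dolog(LOG_INFO, "fopen: %s\n", strerror(errno));
		goto out;
	}

	fprintf(f, "; This is a %s key, keyid %u, for %s%s\n", (flags == 257) ? "key-signing" : "zone-signing", *pid, zonename, dot);

	strftime(humanbuf, sizeof(humanbuf), "%c", tm);
	fprintf(f, "; Created: %s (%s)\n", datebuf, humanbuf);
	fprintf(f, "; Publish: %s (%s)\n", datebuf, humanbuf);
	fprintf(f, "; Activate: %s (%s)\n", datebuf, humanbuf);

	/* bin still holds the RFC 3110 RDATA built for the key tag above */
	mybase64_encode(bin, rlen, b64, sizeof(b64));
	fprintf(f, "%s%s %d IN DNSKEY %d 3 %d %s\n", zonename, dot, ttl, flags, algorithm, b64);

	if (fclose(f) != 0) {
		dolog(LOG_INFO, "fclose: %s\n", strerror(errno));
		f = NULL;
		goto out;
	}
	f = NULL;

	BN_free(e);
	RSA_free(rsa);

	return (retval);

out:
	if (f != NULL)
		fclose(f);
	if (private_written) {
		/* never leave a private key behind for a pair we did not finish */
		snprintf(buf, sizeof(buf), "%s.private", retval);
		unlink(buf);
	}
	if (mask_changed)
		umask(savemask);
	free(retval);
	if (cb != NULL)
		BN_GENCB_free(cb);
	BN_free(e);
	RSA_free(rsa);

	return NULL;
}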
/*
 * Map a DNSSEC algorithm number to the mnemonic written into the
 * "Algorithm:" line of the private key file.
 *
 * Returns a static string, or NULL for an algorithm this tool does not
 * generate.  Callers print the result with %s, so they must validate
 * the algorithm first (the key generators do).
 */
char *
alg_to_name(int algorithm)
{
	static const struct {
		int alg;
		char *name;
	} names[] = {
		{ ALGORITHM_RSASHA1_NSEC3_SHA1,	"RSASHA1_NSEC3_SHA1" },
		{ ALGORITHM_RSASHA256,		"RSASHA256" },
		{ ALGORITHM_RSASHA512,		"RSASHA512" },
		{ ALGORITHM_ECDSAP256SHA256,	"ECDSAP256SHA256" },
	};
	size_t i;

	for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
		if (names[i].alg == algorithm)
			return (names[i].name);
	}

	return (NULL);
}
/*
 * Map a DNSSEC RSA algorithm number to the OpenSSL NID of its digest.
 *
 * Returns the NID, or -1 for anything that is not an RSA algorithm.
 *
 * NOTE(review): RSASHA1-NSEC3-SHA1 is kept so existing keys still load;
 * RFC 8624 lists the SHA-1 based algorithms as NOT RECOMMENDED for
 * producing new signatures, so new zones should use RSASHA256 or
 * ECDSAP256SHA256.
 */
int
alg_to_rsa(int algorithm)
{
	if (algorithm == ALGORITHM_RSASHA1_NSEC3_SHA1)
		return (NID_sha1);
	if (algorithm == ALGORITHM_RSASHA256)
		return (NID_sha256);
	if (algorithm == ALGORITHM_RSASHA512)
		return (NID_sha512);

	return (-1);
}
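/*
 * Sign every name in the database: set the global signature inception
 * and expiration, then for each name call the per-type sign_* helper for
 * every RR type present.  A and AAAA records are only signed when
 * notglue() says they are not glue below a delegation.
 *
 * expiry is the signature lifetime in seconds from now; rollmethod is
 * passed through to the helpers.  Returns 0 on success, -1 on the first
 * signing failure (after printing which helper failed).  Exits the
 * process on allocation failure, like dump_db().
 */
int
calculate_rrsigs(ddDB *db, char *zonename, int expiry, int rollmethod)
{
	/* the RR types that receive an RRSIG, in the order they are signed */
	struct signer {
		int type;
		const char *name;
		int (*sign)(ddDB *, char *, int, struct rbtree *, int);
		int skip_glue;	/* only sign when notglue() agrees */
	};
	const struct signer signers[] = {
		{ DNS_TYPE_DNSKEY,	"sign_dnskey",		sign_dnskey,		0 },
		{ DNS_TYPE_A,		"sign_a",		sign_a,			1 },
		{ DNS_TYPE_MX,		"sign_mx",		sign_mx,		0 },
		{ DNS_TYPE_NS,		"sign_ns",		sign_ns,		0 },
		{ DNS_TYPE_SOA,		"sign_soa",		sign_soa,		0 },
		{ DNS_TYPE_TXT,		"sign_txt",		sign_txt,		0 },
		{ DNS_TYPE_AAAA,	"sign_aaaa",		sign_aaaa,		1 },
		{ DNS_TYPE_NSEC3,	"sign_nsec3",		sign_nsec3,		0 },
		{ DNS_TYPE_NSEC3PARAM,	"sign_nsec3param",	sign_nsec3param,	0 },
		{ DNS_TYPE_CNAME,	"sign_cname",		sign_cname,		0 },
		{ DNS_TYPE_PTR,		"sign_ptr",		sign_ptr,		0 },
		{ DNS_TYPE_NAPTR,	"sign_naptr",		sign_naptr,		0 },
		{ DNS_TYPE_SRV,		"sign_srv",		sign_srv,		0 },
		{ DNS_TYPE_SSHFP,	"sign_sshfp",		sign_sshfp,		0 },
		{ DNS_TYPE_TLSA,	"sign_tlsa",		sign_tlsa,		0 },
		{ DNS_TYPE_DS,		"sign_ds",		sign_ds,		0 },
		{ DNS_TYPE_CAA,		"sign_caa",		sign_caa,		0 },
		{ DNS_TYPE_RP,		"sign_rp",		sign_rp,		0 },
		{ DNS_TYPE_HINFO,	"sign_hinfo",		sign_hinfo,		0 },
	};
	const size_t nsigners = sizeof(signers) / sizeof(signers[0]);
	struct node *n, *nx;
	struct rbtree *rbt;
	size_t i;
	time_t now, inception;
	char timebuf[32];
	struct tm *tm;

	/*
	 * set expiredon and signedon (file globals, as YYYYMMDDHHMMSS
	 * numbers).  The inception is backdated by SIGNEDON_DRIFT,
	 * presumably so validators whose clocks lag ours still accept
	 * freshly made signatures; expiry is `expiry` seconds from now.
	 */
	now = time(NULL);
	inception = now - SIGNEDON_DRIFT;
	if ((tm = gmtime(&inception)) == NULL)
		return -1;
	strftime(timebuf, sizeof(timebuf), "%Y%m%d%H%M%S", tm);
	signedon = atoll(timebuf);
	now += expiry;
	if ((tm = gmtime(&now)) == NULL)
		return -1;
	strftime(timebuf, sizeof(timebuf), "%Y%m%d%H%M%S", tm);
	expiredon = atoll(timebuf);

#if PROVIDED_SIGNTIME
	signedon = SIGNEDON;
	expiredon = EXPIREDON;
#endif

	RB_FOREACH_SAFE(n, domaintree, &db->head, nx) {
		/* work on a copy of the node data; it used to leak per name */
		if ((rbt = calloc(1, n->datalen)) == NULL) {
			dolog(LOG_INFO, "calloc: %s\n", strerror(errno));
			exit(1);
		}
		memcpy(rbt, n->data, n->datalen);

		for (i = 0; i < nsigners; i++) {
			if (find_rr(rbt, signers[i].type) == NULL)
				continue;
			/* find out if we're glue, if not sign */
			if (signers[i].skip_glue && !notglue(db, rbt, zonename))
				continue;
			if (signers[i].sign(db, zonename, expiry, rbt, rollmethod) < 0) {
				fprintf(stderr, "%s error\n", signers[i].name);
				free(rbt);
				return -1;
			}
		}

		free(rbt);
	}

	return 0;
}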
1764
2020-04-10
pjp
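/*
 * create a RRSIG for an SOA record
 *
 * Signs the SOA RRset of rbt with every selected ZSK and stores the
 * resulting RRSIG(s) through fill_rrsig().  A ZSK is selected when it is
 * marked for signing (knp->sign == 1) or, under
 * ROLLOVER_METHOD_DOUBLE_SIGNATURE, unconditionally.
 *
 * db         zone database passed through to fill_rrsig()
 * zonename   apex name, becomes the RRSIG signer's name
 * expiry     unused; kept so all sign_*() share one signature
 *            (inception/expiration come from the globals signedon/expiredon)
 * rbt        node that carries the SOA RRset
 * rollmethod key rollover method in effect
 *
 * Returns 0 on success, -1 after logging on any failure.  Every heap
 * allocation made here is released on all return paths.
 */
static int
sign_soa(ddDB *db, char *zonename, int expiry, struct rbtree *rbt, int rollmethod)
{
	/* signing buffer size and the number of ZSK slots the key array holds */
	enum { KEYBUF_LEN = 10 * 4096, MAX_ZSK = 2 };

	struct rrset *rrset = NULL;
	struct rr *rrp = NULL;
	struct soa *soa;
	struct keysentry **zsk_key = NULL;
	struct keysentry *zsk;

	char tmp[4096];
	char signature[4096];
	char timebuf[32];
	struct tm tm;

	char *dnsname;
	char *p;
	char *key = NULL;
	char *zone;

	uint32_t ttl;
	uint16_t flags;
	uint8_t protocol;
	uint8_t algorithm;
	uint32_t expiredon2, signedon2;

	int labellen, labels;
	int keyid, keylen, siglen, len;
	int nzk = 0, i;
	size_t rdlen;
	int rc = -1;

	(void)expiry;	/* see header comment */

	key = malloc(KEYBUF_LEN);
	if (key == NULL) {
		dolog(LOG_INFO, "out of memory\n");
		goto out;
	}

	/* MAX_ZSK pointers plus the terminating NULL the loop below relies on */
	zsk_key = calloc(MAX_ZSK + 1, sizeof(struct keysentry *));
	if (zsk_key == NULL) {
		dolog(LOG_INFO, "out of memory\n");
		goto out;
	}

	/* collect the signing ZSKs: all of them under double-signature rollover */
	SLIST_FOREACH(knp, &keyshead, keys_entry) {
		if (knp->type != KEYTYPE_ZSK)
			continue;
		if (rollmethod != ROLLOVER_METHOD_DOUBLE_SIGNATURE && knp->sign != 1)
			continue;
		/* the array is fixed size; a third selected key must not overrun it */
		if (nzk >= MAX_ZSK) {
			dolog(LOG_INFO, "more than %d ZSKs selected for signing\n", MAX_ZSK);
			goto out;
		}
		zsk_key[nzk++] = knp;
	}
	zsk_key[nzk] = NULL;
	if (nzk == 0) {
		dolog(LOG_INFO, "no ZSK selected for signing\n");
		goto out;
	}

	/* everything up to the per-key loop is independent of the signing key */
	labels = label_count(rbt->zone);
	if (labels < 0) {
		dolog(LOG_INFO, "label_count");
		goto out;
	}

	/* NOTE(review): dns_label()'s result is not freed here, as before;
	 * its ownership is not visible in this file -- TODO confirm */
	dnsname = dns_label(zonename, &labellen);
	if (dnsname == NULL)
		goto out;

	if ((rrset = find_rr(rbt, DNS_TYPE_SOA)) == NULL) {
		dolog(LOG_INFO, "no SOA records\n");
		goto out;
	}
	rrp = TAILQ_FIRST(&rrset->rr_head);
	if (rrp == NULL) {
		dolog(LOG_INFO, "no SOA records but have rrset entry!\n");
		goto out;
	}
	soa = (struct soa *)rrp->rdata;
	/* SOA rdlength: two names plus serial/refresh/retry/expire/minimum */
	rdlen = (size_t)soa->nsserver_len + soa->rp_len + 4 + 4 + 4 + 4 + 4;

	/* RRSIG expiration/inception: the YYYYmmddHHMMSS globals as epoch seconds;
	 * tm is zeroed first so fields strptime() leaves alone are defined */
	memset(&tm, 0, sizeof(tm));
	snprintf(timebuf, sizeof(timebuf), "%lld", expiredon);
	if (strptime(timebuf, "%Y%m%d%H%M%S", &tm) == NULL) {
		dolog(LOG_INFO, "strptime expiredon\n");
		goto out;
	}
	expiredon2 = timegm(&tm);
	memset(&tm, 0, sizeof(tm));
	snprintf(timebuf, sizeof(timebuf), "%lld", signedon);
	if (strptime(timebuf, "%Y%m%d%H%M%S", &tm) == NULL) {
		dolog(LOG_INFO, "strptime signedon\n");
		goto out;
	}
	signedon2 = timegm(&tm);

	for (i = 0; (zsk = zsk_key[i]) != NULL; i++) {
		/* get the ZSK */
		zone = get_key(zsk, &ttl, &flags, &protocol, &algorithm,
		    (char *)&tmp, sizeof(tmp), &keyid);
		if (zone == NULL) {
			dolog(LOG_INFO, "get_key %s\n", zsk->keyname);
			goto out;
		}

		/* check the keytag supplied: rebuild the DNSKEY rdata and hash it */
		p = key;
		pack16(p, htons(flags));
		p += 2;
		pack8(p, protocol);
		p++;
		pack8(p, algorithm);
		p++;
		keylen = mybase64_decode(tmp, (char *)&signature, sizeof(signature));
		if (keylen < 0) {
			dolog(LOG_INFO, "mybase64_decode of DNSKEY %s failed\n", zsk->keyname);
			goto out;
		}
		pack(p, signature, keylen);
		p += keylen;
		keylen = (p - key);
		if (keyid != keytag(key, keylen)) {
			dolog(LOG_ERR, "keytag does not match %d vs. %d\n", keyid, keytag(key, keylen));
			goto out;
		}

		/* RRSIG rdata without the signature field (RFC 4034, 3.1.8.1) */
		p = key;
		pack16(p, htons(DNS_TYPE_SOA));
		p += 2;
		pack8(p, algorithm);
		p++;
		pack8(p, labels);
		p++;
		pack32(p, htonl(rrset->ttl));
		p += 4;
		pack32(p, htonl(expiredon2));
		p += 4;
		pack32(p, htonl(signedon2));
		p += 4;
		pack16(p, htons(keyid));
		p += 2;
		pack(p, dnsname, labellen);
		p += labellen;

		/* no signature here */
		/* XXX this should probably be done on a canonical sorted records */
		/* then the SOA RR in wire form: owner, type, class, ttl, rdlength, rdata */
		if ((size_t)(p - key) + rbt->zonelen + 10 + rdlen > KEYBUF_LEN) {
			dolog(LOG_INFO, "SOA record too large for signing buffer\n");
			goto out;
		}
		pack(p, rbt->zone, rbt->zonelen);
		p += rbt->zonelen;
		pack16(p, htons(DNS_TYPE_SOA));
		p += 2;
		pack16(p, htons(DNS_CLASS_IN));
		p += 2;
		pack32(p, htonl(rrset->ttl));
		p += 4;
		pack16(p, htons(rdlen));
		p += 2;
		pack(p, soa->nsserver, soa->nsserver_len);
		p += soa->nsserver_len;
		pack(p, soa->responsible_person, soa->rp_len);
		p += soa->rp_len;
		pack32(p, htonl(soa->serial));
		p += 4;
		pack32(p, htonl(soa->refresh));
		p += 4;
		pack32(p, htonl(soa->retry));
		p += 4;
		pack32(p, htonl(soa->expire));
		p += 4;
		pack32(p, htonl(soa->minttl));
		p += 4;

		keylen = (p - key);
		debug_bindump(key, keylen);

		/* sign() takes &siglen; it was set only once before, so a second key
		 * saw the first signature's length as its buffer size.  Reset it per
		 * key (presumably in/out: capacity in, length out -- confirm). */
		siglen = sizeof(signature);
		if (sign(algorithm, key, keylen, zsk, (char *)&signature, &siglen) < 0) {
			dolog(LOG_INFO, "signing failed\n");
			goto out;
		}

		len = mybase64_encode(signature, siglen, tmp, sizeof(tmp));
		/* the terminator below needs one spare byte */
		if (len < 0 || (size_t)len >= sizeof(tmp)) {
			dolog(LOG_INFO, "mybase64_encode of signature failed\n");
			goto out;
		}
		tmp[len] = '\0';

		if (fill_rrsig(db, rbt->humanname, "RRSIG", rrset->ttl, "SOA", algorithm, labels, rrset->ttl, expiredon, signedon, keyid, zonename, tmp) < 0) {
			dolog(LOG_INFO, "fill_rrsig\n");
			goto out;
		}
	}

	rc = 0;
out:
	free(zsk_key);
	free(key);
	return rc;
}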
1950
2020-04-10
pjp
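/*
 * create a RRSIG for a TXT record
 *
 * Signs the TXT RRset of rbt with every selected ZSK and stores the
 * resulting RRSIG(s) through fill_rrsig().  The RRs are put into
 * canonical order by canonical_sort() before signing.  ZSK selection:
 * keys marked for signing (knp->sign == 1), or every ZSK under
 * ROLLOVER_METHOD_DOUBLE_SIGNATURE.
 *
 * db         zone database passed through to fill_rrsig()
 * zonename   apex name, becomes the RRSIG signer's name
 * expiry     unused; kept so all sign_*() share one signature
 *            (inception/expiration come from the globals signedon/expiredon)
 * rbt        node that carries the TXT RRset
 * rollmethod key rollover method in effect
 *
 * Returns 0 on success, -1 after logging on any failure.  Every heap
 * allocation made here is released on all return paths.
 */
static int
sign_txt(ddDB *db, char *zonename, int expiry, struct rbtree *rbt, int rollmethod)
{
	/* KEYBUF_LEN: signing/scratch buffer size; MAX_ZSK: ZSK slots;
	 * CANON_ENTRY_LEN: per-RR entry handed to canonical_sort() (size kept
	 * from the original; >= 2 + clen given the tmpkey bound below) */
	enum { KEYBUF_LEN = 10 * 4096, MAX_ZSK = 2, CANON_ENTRY_LEN = 68000 };

	struct rrset *rrset = NULL;
	struct rr *rrp = NULL, *rrp2 = NULL;
	struct txt *txt;
	struct keysentry **zsk_key = NULL;
	struct keysentry *zsk;

	char tmp[4096];
	char signature[4096];
	char timebuf[32];
	struct tm tm;

	char *dnsname;
	char *p, *q, *r;
	char **canonsort = NULL;
	char *sorted = NULL;
	char *key = NULL, *tmpkey = NULL;
	char *zone;

	uint32_t ttl;
	uint16_t flags;
	uint8_t protocol;
	uint8_t algorithm;
	uint32_t expiredon2, signedon2;

	int labellen, labels;
	int keyid, keylen, siglen, len;
	int rlen, clen;
	int nzk = 0, csort = 0, i;
	int rc = -1;

	(void)expiry;	/* see header comment */

	key = malloc(KEYBUF_LEN);
	if (key == NULL) {
		dolog(LOG_INFO, "out of memory\n");
		goto out;
	}

	tmpkey = malloc(KEYBUF_LEN);
	if (tmpkey == NULL) {
		dolog(LOG_INFO, "tmpkey out of memory\n");
		goto out;
	}

	/* MAX_ZSK pointers plus the terminating NULL the loop below relies on */
	zsk_key = calloc(MAX_ZSK + 1, sizeof(struct keysentry *));
	if (zsk_key == NULL) {
		dolog(LOG_INFO, "out of memory\n");
		goto out;
	}

	/* collect the signing ZSKs: all of them under double-signature rollover */
	SLIST_FOREACH(knp, &keyshead, keys_entry) {
		if (knp->type != KEYTYPE_ZSK)
			continue;
		if (rollmethod != ROLLOVER_METHOD_DOUBLE_SIGNATURE && knp->sign != 1)
			continue;
		/* the array is fixed size; a third selected key must not overrun it */
		if (nzk >= MAX_ZSK) {
			dolog(LOG_INFO, "more than %d ZSKs selected for signing\n", MAX_ZSK);
			goto out;
		}
		zsk_key[nzk++] = knp;
	}
	zsk_key[nzk] = NULL;
	if (nzk == 0) {
		dolog(LOG_INFO, "no ZSK selected for signing\n");
		goto out;
	}

	/* everything up to the per-key loop is independent of the signing key */
	labels = label_count(rbt->zone);
	if (labels < 0) {
		dolog(LOG_INFO, "label_count");
		goto out;
	}

	/* NOTE(review): dns_label()'s result is not freed here, as before;
	 * its ownership is not visible in this file -- TODO confirm */
	dnsname = dns_label(zonename, &labellen);
	if (dnsname == NULL)
		goto out;

	if ((rrset = find_rr(rbt, DNS_TYPE_TXT)) == NULL) {
		dolog(LOG_INFO, "no TXT records\n");
		goto out;
	}
	rrp = TAILQ_FIRST(&rrset->rr_head);
	if (rrp == NULL) {
		dolog(LOG_INFO, "no TXT records but have rrset entry!\n");
		goto out;
	}

	/* RRSIG expiration/inception: the YYYYmmddHHMMSS globals as epoch seconds;
	 * tm is zeroed first so fields strptime() leaves alone are defined */
	memset(&tm, 0, sizeof(tm));
	snprintf(timebuf, sizeof(timebuf), "%lld", expiredon);
	if (strptime(timebuf, "%Y%m%d%H%M%S", &tm) == NULL) {
		dolog(LOG_INFO, "strptime expiredon\n");
		goto out;
	}
	expiredon2 = timegm(&tm);
	memset(&tm, 0, sizeof(tm));
	snprintf(timebuf, sizeof(timebuf), "%lld", signedon);
	if (strptime(timebuf, "%Y%m%d%H%M%S", &tm) == NULL) {
		dolog(LOG_INFO, "strptime signedon\n");
		goto out;
	}
	signedon2 = timegm(&tm);

	/* canonical wire form of every TXT RR, one length-prefixed entry each,
	 * then sorted once; the result does not depend on the signing key */
	canonsort = calloc(MAX_RECORDS_IN_RRSET, sizeof(char *));
	if (canonsort == NULL) {
		dolog(LOG_INFO, "canonsort out of memory\n");
		goto out;
	}
	csort = 0;
	TAILQ_FOREACH(rrp2, &rrset->rr_head, entries) {
		txt = (struct txt *)rrp2->rdata;

		/* canonsort has MAX_RECORDS_IN_RRSET slots; never write past them */
		if (csort >= MAX_RECORDS_IN_RRSET) {
			dolog(LOG_INFO, "too many TXT records in RRset\n");
			goto out;
		}
		/* owner + type(2) + class(2) + ttl(4) + rdlength(2) + rdata must fit tmpkey */
		if ((size_t)rbt->zonelen + 10 + txt->txtlen > KEYBUF_LEN) {
			dolog(LOG_INFO, "TXT record too large for signing buffer\n");
			goto out;
		}

		q = tmpkey;
		pack(q, rbt->zone, rbt->zonelen);
		q += rbt->zonelen;
		pack16(q, htons(DNS_TYPE_TXT));
		q += 2;
		pack16(q, htons(DNS_CLASS_IN));
		q += 2;
		/* the RRset TTL, not a per-record one, so the RRSIG cannot differ */
		pack32(q, htonl(rrset->ttl));
		q += 4;
		pack16(q, htons(txt->txtlen));
		q += 2;
		pack(q, (char *)txt->txt, txt->txtlen);
		q += txt->txtlen;

		r = canonsort[csort] = malloc(CANON_ENTRY_LEN);
		if (r == NULL) {
			dolog(LOG_INFO, "c1 out of memory\n");
			goto out;
		}
		clen = (q - tmpkey);
		/* host-order length prefix: canonical_sort()'s private framing, as before */
		pack16(r, clen);
		r += 2;
		pack(r, tmpkey, clen);
		csort++;
	}

	sorted = canonical_sort(canonsort, csort, &rlen);
	if (sorted == NULL) {
		dolog(LOG_INFO, "canonical_sort failed\n");
		goto out;
	}
	if (rlen < 0) {
		dolog(LOG_INFO, "canonical_sort returned a negative length\n");
		goto out;
	}

	for (i = 0; (zsk = zsk_key[i]) != NULL; i++) {
		/* get the ZSK */
		zone = get_key(zsk, &ttl, &flags, &protocol, &algorithm,
		    (char *)&tmp, sizeof(tmp), &keyid);
		if (zone == NULL) {
			dolog(LOG_INFO, "get_key %s\n", zsk->keyname);
			goto out;
		}

		/* check the keytag supplied: rebuild the DNSKEY rdata and hash it */
		p = key;
		pack16(p, htons(flags));
		p += 2;
		pack8(p, protocol);
		p++;
		pack8(p, algorithm);
		p++;
		keylen = mybase64_decode(tmp, (char *)&signature, sizeof(signature));
		if (keylen < 0) {
			dolog(LOG_INFO, "mybase64_decode of DNSKEY %s failed\n", zsk->keyname);
			goto out;
		}
		pack(p, signature, keylen);
		p += keylen;
		keylen = (p - key);
		if (keyid != keytag(key, keylen)) {
			dolog(LOG_ERR, "keytag does not match %d vs. %d\n", keyid, keytag(key, keylen));
			goto out;
		}

		/* RRSIG rdata without the signature field (RFC 4034, 3.1.8.1) */
		p = key;
		pack16(p, htons(DNS_TYPE_TXT));
		p += 2;
		pack8(p, algorithm);
		p++;
		pack8(p, labels);
		p++;
		pack32(p, htonl(rrset->ttl));
		p += 4;
		pack32(p, htonl(expiredon2));
		p += 4;
		pack32(p, htonl(signedon2));
		p += 4;
		pack16(p, htons(keyid));
		p += 2;
		pack(p, dnsname, labellen);
		p += labellen;

		/* then the canonically sorted RRs; they must fit behind the rdata */
		if ((size_t)(p - key) + (size_t)rlen > KEYBUF_LEN) {
			dolog(LOG_INFO, "canonical TXT RRset too large for signing buffer\n");
			goto out;
		}
		pack(p, sorted, rlen);
		p += rlen;

		keylen = (p - key);

		/* sign() takes &siglen; it was set only once before, so a second key
		 * saw the first signature's length as its buffer size.  Reset it per
		 * key (presumably in/out: capacity in, length out -- confirm). */
		siglen = sizeof(signature);
		if (sign(algorithm, key, keylen, zsk, (char *)&signature, &siglen) < 0) {
			dolog(LOG_INFO, "signing failed\n");
			goto out;
		}

		len = mybase64_encode(signature, siglen, tmp, sizeof(tmp));
		/* the terminator below needs one spare byte */
		if (len < 0 || (size_t)len >= sizeof(tmp)) {
			dolog(LOG_INFO, "mybase64_encode of signature failed\n");
			goto out;
		}
		tmp[len] = '\0';

		if (fill_rrsig(db, rbt->humanname, "RRSIG", rrset->ttl, "TXT", algorithm, labels, rrset->ttl, expiredon, signedon, keyid, zonename, tmp) < 0) {
			dolog(LOG_INFO, "fill_rrsig\n");
			goto out;
		}
	}

	rc = 0;
out:
	free(sorted);
	if (canonsort != NULL) {
		/* entries 0..csort-1 were allocated; a failed slot is NULL */
		for (i = 0; i < csort; i++)
			free(canonsort[i]);
		free(canonsort);
	}
	free(zsk_key);
	free(tmpkey);
	free(key);
	return rc;
}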
2166
2020-04-10
pjp
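/*
 * create a RRSIG for an AAAA record
 *
 * Signs the AAAA RRset of rbt with every selected ZSK and stores the
 * resulting RRSIG(s) through fill_rrsig().  The RRs are put into
 * canonical order by canonical_sort() before signing.  ZSK selection:
 * keys marked for signing (knp->sign == 1), or every ZSK under
 * ROLLOVER_METHOD_DOUBLE_SIGNATURE.
 *
 * db         zone database passed through to fill_rrsig()
 * zonename   apex name, becomes the RRSIG signer's name
 * expiry     unused; kept so all sign_*() share one signature
 *            (inception/expiration come from the globals signedon/expiredon)
 * rbt        node that carries the AAAA RRset
 * rollmethod key rollover method in effect
 *
 * Returns 0 on success, -1 after logging on any failure.  Every heap
 * allocation made here is released on all return paths.
 */
static int
sign_aaaa(ddDB *db, char *zonename, int expiry, struct rbtree *rbt, int rollmethod)
{
	/* KEYBUF_LEN: signing/scratch buffer size; MAX_ZSK: ZSK slots;
	 * CANON_ENTRY_LEN: per-RR entry handed to canonical_sort() (size kept
	 * from the original; >= 2 + clen given the tmpkey bound below) */
	enum { KEYBUF_LEN = 10 * 4096, MAX_ZSK = 2, CANON_ENTRY_LEN = 68000 };

	struct rrset *rrset = NULL;
	struct rr *rrp = NULL, *rrp2 = NULL;
	struct aaaa *aaaa;
	struct keysentry **zsk_key = NULL;
	struct keysentry *zsk;

	char tmp[4096];
	char signature[4096];
	char timebuf[32];
	struct tm tm;

	char *dnsname;
	char *p, *q, *r;
	char **canonsort = NULL;
	char *sorted = NULL;
	char *key = NULL, *tmpkey = NULL;
	char *zone;

	uint32_t ttl;
	uint16_t flags;
	uint8_t protocol;
	uint8_t algorithm;
	uint32_t expiredon2, signedon2;

	int labellen, labels;
	int keyid, keylen, siglen, len;
	int rlen, clen;
	int nzk = 0, csort = 0, i;
	int rc = -1;

	(void)expiry;	/* see header comment */

	key = malloc(KEYBUF_LEN);
	if (key == NULL) {
		dolog(LOG_INFO, "key out of memory\n");
		goto out;
	}

	tmpkey = malloc(KEYBUF_LEN);
	if (tmpkey == NULL) {
		dolog(LOG_INFO, "tmpkey out of memory\n");
		goto out;
	}

	/* MAX_ZSK pointers plus the terminating NULL the loop below relies on */
	zsk_key = calloc(MAX_ZSK + 1, sizeof(struct keysentry *));
	if (zsk_key == NULL) {
		dolog(LOG_INFO, "out of memory\n");
		goto out;
	}

	/* collect the signing ZSKs: all of them under double-signature rollover */
	SLIST_FOREACH(knp, &keyshead, keys_entry) {
		if (knp->type != KEYTYPE_ZSK)
			continue;
		if (rollmethod != ROLLOVER_METHOD_DOUBLE_SIGNATURE && knp->sign != 1)
			continue;
		/* the array is fixed size; a third selected key must not overrun it */
		if (nzk >= MAX_ZSK) {
			dolog(LOG_INFO, "more than %d ZSKs selected for signing\n", MAX_ZSK);
			goto out;
		}
		zsk_key[nzk++] = knp;
	}
	zsk_key[nzk] = NULL;
	if (nzk == 0) {
		dolog(LOG_INFO, "no ZSK selected for signing\n");
		goto out;
	}

	/* everything up to the per-key loop is independent of the signing key */
	labels = label_count(rbt->zone);
	if (labels < 0) {
		dolog(LOG_INFO, "label_count");
		goto out;
	}

	/* NOTE(review): dns_label()'s result is not freed here, as before;
	 * its ownership is not visible in this file -- TODO confirm */
	dnsname = dns_label(zonename, &labellen);
	if (dnsname == NULL)
		goto out;

	if ((rrset = find_rr(rbt, DNS_TYPE_AAAA)) == NULL) {
		dolog(LOG_INFO, "no AAAA records\n");
		goto out;
	}
	rrp = TAILQ_FIRST(&rrset->rr_head);
	if (rrp == NULL) {
		dolog(LOG_INFO, "no AAAA records but have flags!\n");
		goto out;
	}

	/* RRSIG expiration/inception: the YYYYmmddHHMMSS globals as epoch seconds;
	 * tm is zeroed first so fields strptime() leaves alone are defined */
	memset(&tm, 0, sizeof(tm));
	snprintf(timebuf, sizeof(timebuf), "%lld", expiredon);
	if (strptime(timebuf, "%Y%m%d%H%M%S", &tm) == NULL) {
		dolog(LOG_INFO, "strptime expiredon\n");
		goto out;
	}
	expiredon2 = timegm(&tm);
	memset(&tm, 0, sizeof(tm));
	snprintf(timebuf, sizeof(timebuf), "%lld", signedon);
	if (strptime(timebuf, "%Y%m%d%H%M%S", &tm) == NULL) {
		dolog(LOG_INFO, "strptime signedon\n");
		goto out;
	}
	signedon2 = timegm(&tm);

	/* canonical wire form of every AAAA RR, one length-prefixed entry each,
	 * then sorted once; the result does not depend on the signing key */
	canonsort = calloc(MAX_RECORDS_IN_RRSET, sizeof(char *));
	if (canonsort == NULL) {
		dolog(LOG_INFO, "canonsort out of memory\n");
		goto out;
	}
	csort = 0;
	TAILQ_FOREACH(rrp2, &rrset->rr_head, entries) {
		aaaa = (struct aaaa *)rrp2->rdata;

		/* canonsort has MAX_RECORDS_IN_RRSET slots; never write past them */
		if (csort >= MAX_RECORDS_IN_RRSET) {
			dolog(LOG_INFO, "too many AAAA records in RRset\n");
			goto out;
		}
		/* owner + type(2) + class(2) + ttl(4) + rdlength(2) + address must fit tmpkey */
		if ((size_t)rbt->zonelen + 10 + sizeof(struct in6_addr) > KEYBUF_LEN) {
			dolog(LOG_INFO, "AAAA record too large for signing buffer\n");
			goto out;
		}

		q = tmpkey;
		pack(q, rbt->zone, rbt->zonelen);
		q += rbt->zonelen;
		pack16(q, htons(DNS_TYPE_AAAA));
		q += 2;
		pack16(q, htons(DNS_CLASS_IN));
		q += 2;
		/* the RRset TTL, not a per-record one, so the RRSIG cannot differ */
		pack32(q, htonl(rrset->ttl));
		q += 4;
		pack16(q, htons(sizeof(struct in6_addr)));
		q += 2;
		pack(q, (char *)&aaaa->aaaa, sizeof(struct in6_addr));
		q += sizeof(struct in6_addr);

		r = canonsort[csort] = malloc(CANON_ENTRY_LEN);
		if (r == NULL) {
			dolog(LOG_INFO, "c1 out of memory\n");
			goto out;
		}
		clen = (q - tmpkey);
		/* host-order length prefix: canonical_sort()'s private framing, as before */
		pack16(r, clen);
		r += 2;
		pack(r, tmpkey, clen);
		csort++;
	}

	sorted = canonical_sort(canonsort, csort, &rlen);
	if (sorted == NULL) {
		dolog(LOG_INFO, "canonical_sort failed\n");
		goto out;
	}
	if (rlen < 0) {
		dolog(LOG_INFO, "canonical_sort returned a negative length\n");
		goto out;
	}

	for (i = 0; (zsk = zsk_key[i]) != NULL; i++) {
		/* get the ZSK */
		zone = get_key(zsk, &ttl, &flags, &protocol, &algorithm,
		    (char *)&tmp, sizeof(tmp), &keyid);
		if (zone == NULL) {
			dolog(LOG_INFO, "get_key %s\n", zsk->keyname);
			goto out;
		}

		/* check the keytag supplied: rebuild the DNSKEY rdata and hash it */
		p = key;
		pack16(p, htons(flags));
		p += 2;
		pack8(p, protocol);
		p++;
		pack8(p, algorithm);
		p++;
		keylen = mybase64_decode(tmp, (char *)&signature, sizeof(signature));
		if (keylen < 0) {
			dolog(LOG_INFO, "mybase64_decode of DNSKEY %s failed\n", zsk->keyname);
			goto out;
		}
		pack(p, signature, keylen);
		p += keylen;
		keylen = (p - key);
		if (keyid != keytag(key, keylen)) {
			dolog(LOG_ERR, "keytag does not match %d vs. %d\n", keyid, keytag(key, keylen));
			goto out;
		}

		/* RRSIG rdata without the signature field (RFC 4034, 3.1.8.1) */
		p = key;
		pack16(p, htons(DNS_TYPE_AAAA));
		p += 2;
		pack8(p, algorithm);
		p++;
		pack8(p, labels);
		p++;
		pack32(p, htonl(rrset->ttl));
		p += 4;
		pack32(p, htonl(expiredon2));
		p += 4;
		pack32(p, htonl(signedon2));
		p += 4;
		pack16(p, htons(keyid));
		p += 2;
		pack(p, dnsname, labellen);
		p += labellen;

		/* no signature here */
		/* then the canonically sorted RRs; they must fit behind the rdata */
		if ((size_t)(p - key) + (size_t)rlen > KEYBUF_LEN) {
			dolog(LOG_INFO, "canonical AAAA RRset too large for signing buffer\n");
			goto out;
		}
		pack(p, sorted, rlen);
		p += rlen;

		keylen = (p - key);
		debug_bindump(key, keylen);

		/* sign() takes &siglen; it was set only once before, so a second key
		 * saw the first signature's length as its buffer size.  Reset it per
		 * key (presumably in/out: capacity in, length out -- confirm). */
		siglen = sizeof(signature);
		if (sign(algorithm, key, keylen, zsk, (char *)&signature, &siglen) < 0) {
			dolog(LOG_INFO, "signing failed\n");
			goto out;
		}

		len = mybase64_encode(signature, siglen, tmp, sizeof(tmp));
		/* the terminator below needs one spare byte */
		if (len < 0 || (size_t)len >= sizeof(tmp)) {
			dolog(LOG_INFO, "mybase64_encode of signature failed\n");
			goto out;
		}
		tmp[len] = '\0';

		if (fill_rrsig(db, rbt->humanname, "RRSIG", rrset->ttl, "AAAA", algorithm, labels, rrset->ttl, expiredon, signedon, keyid, zonename, tmp) < 0) {
			dolog(LOG_INFO, "fill_rrsig\n");
			goto out;
		}
	}

	rc = 0;
out:
	free(sorted);
	if (canonsort != NULL) {
		/* entries 0..csort-1 were allocated; a failed slot is NULL */
		for (i = 0; i < csort; i++)
			free(canonsort[i]);
		free(canonsort);
	}
	free(zsk_key);
	free(tmpkey);
	free(key);
	return rc;
}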
2387
2020-04-10
pjp
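/*
 * create a RRSIG for an NSEC3 record
 *
 * Signs the NSEC3 RRset of rbt (its first RR) with every selected ZSK and
 * stores the resulting RRSIG(s) through fill_rrsig().  ZSK selection:
 * keys marked for signing (knp->sign == 1), or every ZSK under
 * ROLLOVER_METHOD_DOUBLE_SIGNATURE.
 *
 * db         zone database passed through to fill_rrsig()
 * zonename   apex name, becomes the RRSIG signer's name
 * expiry     unused; kept so all sign_*() share one signature
 *            (inception/expiration come from the globals signedon/expiredon)
 * rbt        node that carries the NSEC3 RRset
 * rollmethod key rollover method in effect
 *
 * Returns 0 on success, -1 after logging on any failure.  Every heap
 * allocation made here is released on all return paths.
 */
static int
sign_nsec3(ddDB *db, char *zonename, int expiry, struct rbtree *rbt, int rollmethod)
{
	/* signing buffer size and the number of ZSK slots the key array holds */
	enum { KEYBUF_LEN = 10 * 4096, MAX_ZSK = 2 };

	struct rrset *rrset = NULL;
	struct rr *rrp = NULL;
	struct nsec3 *n3;
	struct keysentry **zsk_key = NULL;
	struct keysentry *zsk;

	char tmp[4096];
	char signature[4096];
	char timebuf[32];
	struct tm tm;

	char *dnsname;
	char *p;
	char *key = NULL;
	char *zone;

	uint32_t ttl;
	uint16_t flags;
	uint8_t protocol;
	uint8_t algorithm;
	uint32_t expiredon2, signedon2;

	int labellen, labels;
	int keyid, keylen, siglen, len;
	int nzk = 0, i;
	size_t rdlen;
	int rc = -1;

	(void)expiry;	/* see header comment */

	key = malloc(KEYBUF_LEN);
	if (key == NULL) {
		dolog(LOG_INFO, "out of memory\n");
		goto out;
	}

	/* MAX_ZSK pointers plus the terminating NULL the loop below relies on */
	zsk_key = calloc(MAX_ZSK + 1, sizeof(struct keysentry *));
	if (zsk_key == NULL) {
		dolog(LOG_INFO, "out of memory\n");
		goto out;
	}

	/* collect the signing ZSKs: all of them under double-signature rollover */
	SLIST_FOREACH(knp, &keyshead, keys_entry) {
		if (knp->type != KEYTYPE_ZSK)
			continue;
		if (rollmethod != ROLLOVER_METHOD_DOUBLE_SIGNATURE && knp->sign != 1)
			continue;
		/* the array is fixed size; a third selected key must not overrun it */
		if (nzk >= MAX_ZSK) {
			dolog(LOG_INFO, "more than %d ZSKs selected for signing\n", MAX_ZSK);
			goto out;
		}
		zsk_key[nzk++] = knp;
	}
	zsk_key[nzk] = NULL;
	if (nzk == 0) {
		dolog(LOG_INFO, "no ZSK selected for signing\n");
		goto out;
	}

	/* everything up to the per-key loop is independent of the signing key */
	labels = label_count(rbt->zone);
	if (labels < 0) {
		dolog(LOG_INFO, "label_count");
		goto out;
	}

	/* NOTE(review): dns_label()'s result is not freed here, as before;
	 * its ownership is not visible in this file -- TODO confirm */
	dnsname = dns_label(zonename, &labellen);
	if (dnsname == NULL)
		goto out;

	if ((rrset = find_rr(rbt, DNS_TYPE_NSEC3)) == NULL) {
		dolog(LOG_INFO, "no NSEC3 records\n");
		goto out;
	}
	rrp = TAILQ_FIRST(&rrset->rr_head);
	if (rrp == NULL) {
		dolog(LOG_INFO, "no NSEC3 records but have flags!\n");
		goto out;
	}
	n3 = (struct nsec3 *)rrp->rdata;
	/* NSEC3 rdlength: alg(1) flags(1) iterations(2) saltlen(1) salt
	 * nextlen(1) next bitmap */
	rdlen = 1 + 1 + 2 + 1 + (size_t)n3->saltlen + 1 + n3->nextlen + n3->bitmap_len;

	/* RRSIG expiration/inception: the YYYYmmddHHMMSS globals as epoch seconds;
	 * tm is zeroed first so fields strptime() leaves alone are defined */
	memset(&tm, 0, sizeof(tm));
	snprintf(timebuf, sizeof(timebuf), "%lld", expiredon);
	if (strptime(timebuf, "%Y%m%d%H%M%S", &tm) == NULL) {
		dolog(LOG_INFO, "strptime expiredon\n");
		goto out;
	}
	expiredon2 = timegm(&tm);
	memset(&tm, 0, sizeof(tm));
	snprintf(timebuf, sizeof(timebuf), "%lld", signedon);
	if (strptime(timebuf, "%Y%m%d%H%M%S", &tm) == NULL) {
		dolog(LOG_INFO, "strptime signedon\n");
		goto out;
	}
	signedon2 = timegm(&tm);

	for (i = 0; (zsk = zsk_key[i]) != NULL; i++) {
		/* get the ZSK */
		zone = get_key(zsk, &ttl, &flags, &protocol, &algorithm,
		    (char *)&tmp, sizeof(tmp), &keyid);
		if (zone == NULL) {
			dolog(LOG_INFO, "get_key %s\n", zsk->keyname);
			goto out;
		}

		/* check the keytag supplied: rebuild the DNSKEY rdata and hash it */
		p = key;
		pack16(p, htons(flags));
		p += 2;
		pack8(p, protocol);
		p++;
		pack8(p, algorithm);
		p++;
		keylen = mybase64_decode(tmp, (char *)&signature, sizeof(signature));
		if (keylen < 0) {
			dolog(LOG_INFO, "mybase64_decode of DNSKEY %s failed\n", zsk->keyname);
			goto out;
		}
		pack(p, signature, keylen);
		p += keylen;
		keylen = (p - key);
		if (keyid != keytag(key, keylen)) {
			dolog(LOG_ERR, "keytag does not match %d vs. %d\n", keyid, keytag(key, keylen));
			goto out;
		}

		/* RRSIG rdata without the signature field (RFC 4034, 3.1.8.1) */
		p = key;
		pack16(p, htons(DNS_TYPE_NSEC3));
		p += 2;
		pack8(p, algorithm);
		p++;
		pack8(p, labels);
		p++;
		pack32(p, htonl(rrset->ttl));
		p += 4;
		pack32(p, htonl(expiredon2));
		p += 4;
		pack32(p, htonl(signedon2));
		p += 4;
		pack16(p, htons(keyid));
		p += 2;
		pack(p, dnsname, labellen);
		p += labellen;

		/* no signature here */
		/* XXX this should probably be done on a canonical sorted records */
		/* then the NSEC3 RR in wire form: owner, type, class, ttl, rdlength, rdata */
		if ((size_t)(p - key) + rbt->zonelen + 10 + rdlen > KEYBUF_LEN) {
			dolog(LOG_INFO, "NSEC3 record too large for signing buffer\n");
			goto out;
		}
		pack(p, rbt->zone, rbt->zonelen);
		p += rbt->zonelen;
		pack16(p, htons(DNS_TYPE_NSEC3));
		p += 2;
		pack16(p, htons(DNS_CLASS_IN));
		p += 2;
		pack32(p, htonl(rrset->ttl));
		p += 4;
		pack16(p, htons(rdlen));
		p += 2;
		pack8(p, n3->algorithm);
		p++;
		pack8(p, n3->flags);
		p++;
		pack16(p, htons(n3->iterations));
		p += 2;
		pack8(p, n3->saltlen);
		p++;
		if (n3->saltlen) {
			pack(p, n3->salt, n3->saltlen);
			p += n3->saltlen;
		}
		pack8(p, n3->nextlen);
		p++;
		pack(p, n3->next, n3->nextlen);
		p += n3->nextlen;
		if (n3->bitmap_len) {
			pack(p, n3->bitmap, n3->bitmap_len);
			p += n3->bitmap_len;
		}

		keylen = (p - key);

		/* sign() takes &siglen; it was set only once before, so a second key
		 * saw the first signature's length as its buffer size.  Reset it per
		 * key (presumably in/out: capacity in, length out -- confirm). */
		siglen = sizeof(signature);
		if (sign(algorithm, key, keylen, zsk, (char *)&signature, &siglen) < 0) {
			dolog(LOG_INFO, "signing failed\n");
			goto out;
		}

		len = mybase64_encode(signature, siglen, tmp, sizeof(tmp));
		/* the terminator below needs one spare byte */
		if (len < 0 || (size_t)len >= sizeof(tmp)) {
			dolog(LOG_INFO, "mybase64_encode of signature failed\n");
			goto out;
		}
		tmp[len] = '\0';

		if (fill_rrsig(db, rbt->humanname, "RRSIG", rrset->ttl, "NSEC3", algorithm, labels, rrset->ttl, expiredon, signedon, keyid, zonename, tmp) < 0) {
			dolog(LOG_INFO, "fill_rrsig\n");
			goto out;
		}
	}

	rc = 0;
out:
	free(zsk_key);
	free(key);
	return rc;
}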
2579
2020-04-10
pjp
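/*
 * create a RRSIG for an NSEC3PARAM record
 *
 * Signs the NSEC3PARAM RRset of rbt (its first RR) with every selected
 * ZSK and stores the resulting RRSIG(s) through fill_rrsig().  ZSK
 * selection: keys marked for signing (knp->sign == 1), or every ZSK
 * under ROLLOVER_METHOD_DOUBLE_SIGNATURE.
 *
 * NOTE(review): the signed data carries rrset->ttl as the original TTL
 * while fill_rrsig() is handed 0 for both TTL arguments; a validator
 * needs the two to agree, so this presumably relies on NSEC3PARAM being
 * stored with TTL 0 -- confirm.
 *
 * db         zone database passed through to fill_rrsig()
 * zonename   apex name, becomes the RRSIG signer's name
 * expiry     unused; kept so all sign_*() share one signature
 *            (inception/expiration come from the globals signedon/expiredon)
 * rbt        node that carries the NSEC3PARAM RRset
 * rollmethod key rollover method in effect
 *
 * Returns 0 on success, -1 after logging on any failure.  Every heap
 * allocation made here is released on all return paths.
 */
static int
sign_nsec3param(ddDB *db, char *zonename, int expiry, struct rbtree *rbt, int rollmethod)
{
	/* signing buffer size and the number of ZSK slots the key array holds */
	enum { KEYBUF_LEN = 10 * 4096, MAX_ZSK = 2 };

	struct rrset *rrset = NULL;
	struct rr *rrp = NULL;
	struct nsec3param *n3p;
	struct keysentry **zsk_key = NULL;
	struct keysentry *zsk;

	char tmp[4096];
	char signature[4096];
	char timebuf[32];
	struct tm tm;

	char *dnsname;
	char *p;
	char *key = NULL;
	char *zone;

	uint32_t ttl;
	uint16_t flags;
	uint8_t protocol;
	uint8_t algorithm;
	uint32_t expiredon2, signedon2;

	int labellen, labels;
	int keyid, keylen, siglen, len;
	int nzk = 0, i;
	size_t rdlen;
	int rc = -1;

	(void)expiry;	/* see header comment */

	key = malloc(KEYBUF_LEN);
	if (key == NULL) {
		dolog(LOG_INFO, "out of memory\n");
		goto out;
	}

	/* MAX_ZSK pointers plus the terminating NULL the loop below relies on */
	zsk_key = calloc(MAX_ZSK + 1, sizeof(struct keysentry *));
	if (zsk_key == NULL) {
		dolog(LOG_INFO, "out of memory\n");
		goto out;
	}

	/* collect the signing ZSKs: all of them under double-signature rollover */
	SLIST_FOREACH(knp, &keyshead, keys_entry) {
		if (knp->type != KEYTYPE_ZSK)
			continue;
		if (rollmethod != ROLLOVER_METHOD_DOUBLE_SIGNATURE && knp->sign != 1)
			continue;
		/* the array is fixed size; a third selected key must not overrun it */
		if (nzk >= MAX_ZSK) {
			dolog(LOG_INFO, "more than %d ZSKs selected for signing\n", MAX_ZSK);
			goto out;
		}
		zsk_key[nzk++] = knp;
	}
	zsk_key[nzk] = NULL;
	if (nzk == 0) {
		dolog(LOG_INFO, "no ZSK selected for signing\n");
		goto out;
	}

	/* everything up to the per-key loop is independent of the signing key */
	labels = label_count(rbt->zone);
	if (labels < 0) {
		dolog(LOG_INFO, "label_count");
		goto out;
	}

	/* NOTE(review): dns_label()'s result is not freed here, as before;
	 * its ownership is not visible in this file -- TODO confirm */
	dnsname = dns_label(zonename, &labellen);
	if (dnsname == NULL)
		goto out;

	if ((rrset = find_rr(rbt, DNS_TYPE_NSEC3PARAM)) == NULL) {
		dolog(LOG_INFO, "no NSEC3PARAM records\n");
		goto out;
	}
	rrp = TAILQ_FIRST(&rrset->rr_head);
	if (rrp == NULL) {
		dolog(LOG_INFO, "no NSEC3PARAM records but have flags!\n");
		goto out;
	}
	n3p = (struct nsec3param *)rrp->rdata;
	/* NSEC3PARAM rdlength: alg(1) flags(1) iterations(2) saltlen(1) salt */
	rdlen = 1 + 1 + 2 + 1 + (size_t)n3p->saltlen;

	/* RRSIG expiration/inception: the YYYYmmddHHMMSS globals as epoch seconds;
	 * tm is zeroed first so fields strptime() leaves alone are defined */
	memset(&tm, 0, sizeof(tm));
	snprintf(timebuf, sizeof(timebuf), "%lld", expiredon);
	if (strptime(timebuf, "%Y%m%d%H%M%S", &tm) == NULL) {
		dolog(LOG_INFO, "strptime expiredon\n");
		goto out;
	}
	expiredon2 = timegm(&tm);
	memset(&tm, 0, sizeof(tm));
	snprintf(timebuf, sizeof(timebuf), "%lld", signedon);
	if (strptime(timebuf, "%Y%m%d%H%M%S", &tm) == NULL) {
		dolog(LOG_INFO, "strptime signedon\n");
		goto out;
	}
	signedon2 = timegm(&tm);

	for (i = 0; (zsk = zsk_key[i]) != NULL; i++) {
		/* get the ZSK */
		zone = get_key(zsk, &ttl, &flags, &protocol, &algorithm,
		    (char *)&tmp, sizeof(tmp), &keyid);
		if (zone == NULL) {
			dolog(LOG_INFO, "get_key %s\n", zsk->keyname);
			goto out;
		}

		/* check the keytag supplied: rebuild the DNSKEY rdata and hash it */
		p = key;
		pack16(p, htons(flags));
		p += 2;
		pack8(p, protocol);
		p++;
		pack8(p, algorithm);
		p++;
		keylen = mybase64_decode(tmp, (char *)&signature, sizeof(signature));
		if (keylen < 0) {
			dolog(LOG_INFO, "mybase64_decode of DNSKEY %s failed\n", zsk->keyname);
			goto out;
		}
		pack(p, signature, keylen);
		p += keylen;
		keylen = (p - key);
		if (keyid != keytag(key, keylen)) {
			dolog(LOG_ERR, "keytag does not match %d vs. %d\n", keyid, keytag(key, keylen));
			goto out;
		}

		/* RRSIG rdata without the signature field (RFC 4034, 3.1.8.1) */
		p = key;
		pack16(p, htons(DNS_TYPE_NSEC3PARAM));
		p += 2;
		pack8(p, algorithm);
		p++;
		pack8(p, labels);
		p++;
		pack32(p, htonl(rrset->ttl));
		p += 4;
		pack32(p, htonl(expiredon2));
		p += 4;
		pack32(p, htonl(signedon2));
		p += 4;
		pack16(p, htons(keyid));
		p += 2;
		pack(p, dnsname, labellen);
		p += labellen;

		/* no signature here */
		/* XXX this should probably be done on a canonical sorted records */
		/* then the NSEC3PARAM RR in wire form: owner, type, class, ttl, rdlength, rdata */
		if ((size_t)(p - key) + rbt->zonelen + 10 + rdlen > KEYBUF_LEN) {
			dolog(LOG_INFO, "NSEC3PARAM record too large for signing buffer\n");
			goto out;
		}
		pack(p, rbt->zone, rbt->zonelen);
		p += rbt->zonelen;
		pack16(p, htons(DNS_TYPE_NSEC3PARAM));
		p += 2;
		pack16(p, htons(DNS_CLASS_IN));
		p += 2;
		pack32(p, htonl(rrset->ttl));
		p += 4;
		pack16(p, htons(rdlen));
		p += 2;
		pack8(p, n3p->algorithm);
		p++;
		pack8(p, n3p->flags);
		p++;
		pack16(p, htons(n3p->iterations));
		p += 2;
		pack8(p, n3p->saltlen);
		p++;
		if (n3p->saltlen) {
			pack(p, n3p->salt, n3p->saltlen);
			p += n3p->saltlen;
		}

		keylen = (p - key);

		/* sign() takes &siglen; it was set only once before, so a second key
		 * saw the first signature's length as its buffer size.  Reset it per
		 * key (presumably in/out: capacity in, length out -- confirm). */
		siglen = sizeof(signature);
		if (sign(algorithm, key, keylen, zsk, (char *)&signature, &siglen) < 0) {
			dolog(LOG_INFO, "signing failed\n");
			goto out;
		}

		len = mybase64_encode(signature, siglen, tmp, sizeof(tmp));
		/* the terminator below needs one spare byte */
		if (len < 0 || (size_t)len >= sizeof(tmp)) {
			dolog(LOG_INFO, "mybase64_encode of signature failed\n");
			goto out;
		}
		tmp[len] = '\0';

		if (fill_rrsig(db, rbt->humanname, "RRSIG", 0, "NSEC3PARAM", algorithm, labels, 0, expiredon, signedon, keyid, zonename, tmp) < 0) {
			dolog(LOG_INFO, "fill_rrsig\n");
			goto out;
		}
	}

	rc = 0;
out:
	free(zsk_key);
	free(key);
	return rc;
}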
2759
2020-04-10
pjp
* create a RRSIG for a CNAME record
2762
2020-04-10
pjp
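static int
sign_cname(ddDB *db, char *zonename, int expiry, struct rbtree *rbt, int rollmethod)
{
	/*
	 * Produce one RRSIG(CNAME) per selected ZSK for the name held in rbt
	 * and hand each to fill_rrsig().  Returns 0 on success, -1 on any
	 * failure (logged via dolog()).  Every heap allocation made here is
	 * released on all return paths; the previous version leaked key and
	 * zsk_key on every call.
	 *
	 * expiredon/signedon are file-scope YYYYMMDDHHMMSS values; rollmethod
	 * decides whether all ZSKs sign (double-signature rollover) or only
	 * the ones flagged with sign == 1.  expiry is accepted for signature
	 * compatibility with the other sign_*() routines but not used.
	 */
	struct rrset *rrset = NULL;
	struct rr *rrp = NULL;
	struct cname *cn = NULL;
	struct keysentry **zsk_key = NULL;
	struct keysentry *zk = NULL;

	char tmp[4096];
	char signature[4096];

	char *dnsname = NULL;
	char *p;
	char *key = NULL;
	char *zone;

	uint32_t ttl;
	uint16_t flags;
	uint8_t protocol;
	uint8_t algorithm;

	int labellen = 0;
	int keyid;
	int len;
	int keylen, siglen;
	int labels;
	int nzk = 0;
	int i;
	int rc = -1;

	char timebuf[32];
	struct tm tm;
	u_int32_t expiredon2, signedon2;

	(void)expiry;

	key = malloc(10 * 4096);
	if (key == NULL) {
		dolog(LOG_INFO, "out of memory\n");
		goto out;
	}

	/*
	 * Select the signing ZSKs: every ZSK under the double-signature
	 * rollover method, otherwise only those flagged for signing.  Count
	 * first so the table is sized to fit; the old fixed calloc(3) was
	 * overrun as soon as three or more ZSKs matched.
	 */
	SLIST_FOREACH(knp, &keyshead, keys_entry) {
		if (knp->type == KEYTYPE_ZSK &&
		    (rollmethod == ROLLOVER_METHOD_DOUBLE_SIGNATURE || knp->sign == 1))
			nzk++;
	}
	if (nzk == 0) {
		/* the old code dereferenced a NULL key entry here */
		dolog(LOG_INFO, "no ZSK selected to sign with\n");
		goto out;
	}
	zsk_key = calloc(nzk + 1, sizeof(struct keysentry *));
	if (zsk_key == NULL) {
		dolog(LOG_INFO, "out of memory\n");
		goto out;
	}
	nzk = 0;
	SLIST_FOREACH(knp, &keyshead, keys_entry) {
		if (knp->type == KEYTYPE_ZSK &&
		    (rollmethod == ROLLOVER_METHOD_DOUBLE_SIGNATURE || knp->sign == 1))
			zsk_key[nzk++] = knp;
	}
	zsk_key[nzk] = NULL;

	/* Inputs that do not depend on the key: computed once, not per ZSK. */
	labels = label_count(rbt->zone);
	if (labels < 0) {
		dolog(LOG_INFO, "label_count\n");
		goto out;
	}

	dnsname = dns_label(zonename, &labellen);
	if (dnsname == NULL)
		goto out;

	rrset = find_rr(rbt, DNS_TYPE_CNAME);
	if (rrset == NULL) {
		dolog(LOG_INFO, "no CNAME records\n");
		goto out;
	}
	rrp = TAILQ_FIRST(&rrset->rr_head);
	if (rrp == NULL) {
		dolog(LOG_INFO, "no CNAME records but have flags!\n");
		goto out;
	}
	/*
	 * A name owns at most one CNAME (RFC 2181 s10.1).  An RRSIG that
	 * covers only the first of several would never validate, so refuse
	 * the malformed set rather than emit a bogus signature.
	 */
	if (TAILQ_NEXT(rrp, entries) != NULL) {
		dolog(LOG_INFO, "more than one CNAME record at %s\n", rbt->humanname);
		goto out;
	}
	cn = (struct cname *)rrp->rdata;

	/*
	 * Convert the YYYYMMDDHHMMSS timestamps to the 32-bit UTC seconds the
	 * RRSIG wire format carries.  An unchecked strptime() failure would
	 * otherwise sign with whatever happened to be in tm.
	 */
	memset(&tm, 0, sizeof(tm));
	snprintf(timebuf, sizeof(timebuf), "%lld", expiredon);
	if (strptime(timebuf, "%Y%m%d%H%M%S", &tm) == NULL) {
		dolog(LOG_INFO, "bad expiration time %s\n", timebuf);
		goto out;
	}
	expiredon2 = timegm(&tm);

	memset(&tm, 0, sizeof(tm));
	snprintf(timebuf, sizeof(timebuf), "%lld", signedon);
	if (strptime(timebuf, "%Y%m%d%H%M%S", &tm) == NULL) {
		dolog(LOG_INFO, "bad inception time %s\n", timebuf);
		goto out;
	}
	signedon2 = timegm(&tm);

	for (i = 0; i < nzk; i++) {
		zk = zsk_key[i];

		if ((zone = get_key(zk, &ttl, &flags, &protocol, &algorithm, (char *)&tmp, sizeof(tmp), &keyid)) == NULL) {
			dolog(LOG_INFO, "get_key %s\n", zk->keyname);
			goto out;
		}

		/*
		 * Rebuild the DNSKEY RDATA (flags, protocol, algorithm, public
		 * key) and check that the keytag on file really belongs to it.
		 */
		p = key;
		pack16(p, htons(flags));
		p += 2;
		pack8(p, protocol);
		p++;
		pack8(p, algorithm);
		p++;
		len = mybase64_decode(tmp, (char *)&signature, sizeof(signature));
		if (len < 0) {
			dolog(LOG_INFO, "base64 decode of key %s failed\n", zk->keyname);
			goto out;
		}
		pack(p, signature, len);
		p += len;
		keylen = (p - key);
		if (keyid != keytag(key, keylen)) {
			dolog(LOG_ERR, "keytag does not match %d vs. %d\n", keyid, keytag(key, keylen));
			goto out;
		}

		/* Signed data: RRSIG RDATA without the signature field ... */
		p = key;
		pack16(p, htons(DNS_TYPE_CNAME));
		p += 2;
		pack8(p, algorithm);
		p++;
		pack8(p, labels);
		p++;
		pack32(p, htonl(rrset->ttl));
		p += 4;
		pack32(p, htonl(expiredon2));
		p += 4;
		pack32(p, htonl(signedon2));
		p += 4;
		pack16(p, htons(keyid));
		p += 2;
		pack(p, dnsname, labellen);
		p += labellen;

		/* ... followed by the single CNAME RR in wire format. */
		pack(p, rbt->zone, rbt->zonelen);
		p += rbt->zonelen;
		pack16(p, htons(DNS_TYPE_CNAME));
		p += 2;
		pack16(p, htons(DNS_CLASS_IN));
		p += 2;
		pack32(p, htonl(rrset->ttl));
		p += 4;
		pack16(p, htons(cn->cnamelen));
		p += 2;
		pack(p, cn->cname, cn->cnamelen);
		p += cn->cnamelen;
		keylen = (p - key);

		/*
		 * sign() returns the produced length through siglen, so it must
		 * be reset to the buffer size for every key -- the old code
		 * carried the previous key's signature length into the next
		 * iteration under double-signature rollover.
		 */
		siglen = sizeof(signature);
		if (sign(algorithm, key, keylen, zk, (char *)&signature, &siglen) < 0) {
			dolog(LOG_INFO, "signing failed\n");
			goto out;
		}

		len = mybase64_encode(signature, siglen, tmp, sizeof(tmp));
		if (len < 0 || len >= (int)sizeof(tmp)) {
			dolog(LOG_INFO, "base64 encode of signature failed\n");
			goto out;
		}
		tmp[len] = '\0';

		if (fill_rrsig(db, rbt->humanname, "RRSIG", rrset->ttl, "CNAME", algorithm, labels, rrset->ttl, expiredon, signedon, keyid, zonename, tmp) < 0) {
			dolog(LOG_INFO, "fill_rrsig\n");
			goto out;
		}
	}

	rc = 0;

out:
	/*
	 * NOTE(review): dns_label() is not visible from here.  If it returns
	 * a malloc()ed buffer, dnsname is leaked as well and should be freed
	 * at this point -- confirm before adding the free().
	 */
	free(zsk_key);
	free(key);
	return rc;
}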
* create a RRSIG for a PTR record
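static int
sign_ptr(ddDB *db, char *zonename, int expiry, struct rbtree *rbt, int rollmethod)
{
	/*
	 * Produce one RRSIG(PTR) per selected ZSK for the name held in rbt
	 * and hand each to fill_rrsig().  Returns 0 on success, -1 on any
	 * failure (logged via dolog()).  All heap memory is released on every
	 * return path; the previous version leaked key and zsk_key.
	 *
	 * The signature covers the whole PTR RRset in canonical order
	 * (RFC 4034 s3.1.8.1 and s6.3).  Signing only the first PTR, as the
	 * old code did, yielded an RRSIG that validators reject for any name
	 * owning two or more PTRs.
	 *
	 * expiredon/signedon are file-scope YYYYMMDDHHMMSS values; rollmethod
	 * decides whether all ZSKs sign (double-signature rollover) or only
	 * the ones flagged with sign == 1.  expiry is accepted for signature
	 * compatibility with the other sign_*() routines but not used.
	 */
	struct ptrwire {
		char *wire;		/* owner | type | class | ttl | rdlength | rdata */
		int wirelen;
		char *rdata;		/* into wire, just past the 2-byte rdlength */
		int rdlen;
	};

	struct rrset *rrset = NULL;
	struct rr *rrp = NULL;
	struct ptr *pr = NULL;
	struct ptrwire *rrs = NULL;
	struct ptrwire swp;
	struct keysentry **zsk_key = NULL;
	struct keysentry *zk = NULL;

	char tmp[4096];
	char signature[4096];

	char *dnsname = NULL;
	char *p, *q;
	char *key = NULL;
	char *zone;

	uint32_t ttl;
	uint16_t flags;
	uint8_t protocol;
	uint8_t algorithm;

	const int keysize = 10 * 4096;
	int labellen = 0;
	int keyid;
	int len;
	int keylen, siglen;
	int labels;
	int nzk = 0;
	int nrr = 0;
	int i, j, n, c;
	int rc = -1;

	char timebuf[32];
	struct tm tm;
	u_int32_t expiredon2, signedon2;

	(void)expiry;

	key = malloc(keysize);
	if (key == NULL) {
		dolog(LOG_INFO, "out of memory\n");
		goto out;
	}

	/*
	 * Select the signing ZSKs: every ZSK under the double-signature
	 * rollover method, otherwise only those flagged for signing.  Count
	 * first so the table is sized to fit; the old fixed calloc(3) was
	 * overrun as soon as three or more ZSKs matched.
	 */
	SLIST_FOREACH(knp, &keyshead, keys_entry) {
		if (knp->type == KEYTYPE_ZSK &&
		    (rollmethod == ROLLOVER_METHOD_DOUBLE_SIGNATURE || knp->sign == 1))
			nzk++;
	}
	if (nzk == 0) {
		/* the old code dereferenced a NULL key entry here */
		dolog(LOG_INFO, "no ZSK selected to sign with\n");
		goto out;
	}
	zsk_key = calloc(nzk + 1, sizeof(struct keysentry *));
	if (zsk_key == NULL) {
		dolog(LOG_INFO, "out of memory\n");
		goto out;
	}
	nzk = 0;
	SLIST_FOREACH(knp, &keyshead, keys_entry) {
		if (knp->type == KEYTYPE_ZSK &&
		    (rollmethod == ROLLOVER_METHOD_DOUBLE_SIGNATURE || knp->sign == 1))
			zsk_key[nzk++] = knp;
	}
	zsk_key[nzk] = NULL;

	/* Inputs that do not depend on the key: computed once, not per ZSK. */
	labels = label_count(rbt->zone);
	if (labels < 0) {
		dolog(LOG_INFO, "label_count\n");
		goto out;
	}

	dnsname = dns_label(zonename, &labellen);
	if (dnsname == NULL)
		goto out;

	rrset = find_rr(rbt, DNS_TYPE_PTR);
	if (rrset == NULL) {
		dolog(LOG_INFO, "no PTR records\n");
		goto out;
	}
	TAILQ_FOREACH(rrp, &rrset->rr_head, entries)
		nrr++;
	if (nrr == 0) {
		dolog(LOG_INFO, "no PTR records but have flags!\n");
		goto out;
	}

	/* Serialize every PTR RR of the set once, in wire format. */
	rrs = calloc(nrr, sizeof(*rrs));
	if (rrs == NULL) {
		dolog(LOG_INFO, "out of memory\n");
		goto out;
	}
	i = 0;
	TAILQ_FOREACH(rrp, &rrset->rr_head, entries) {
		pr = (struct ptr *)rrp->rdata;
		rrs[i].wirelen = rbt->zonelen + 2 + 2 + 4 + 2 + pr->ptrlen;
		rrs[i].wire = malloc(rrs[i].wirelen);
		if (rrs[i].wire == NULL) {
			dolog(LOG_INFO, "out of memory\n");
			goto out;
		}
		q = rrs[i].wire;
		pack(q, rbt->zone, rbt->zonelen);
		q += rbt->zonelen;
		pack16(q, htons(DNS_TYPE_PTR));
		q += 2;
		pack16(q, htons(DNS_CLASS_IN));
		q += 2;
		pack32(q, htonl(rrset->ttl));
		q += 4;
		pack16(q, htons(pr->ptrlen));
		q += 2;
		rrs[i].rdata = q;
		rrs[i].rdlen = pr->ptrlen;
		pack(q, pr->ptr, pr->ptrlen);
		i++;
	}

	/*
	 * Canonical RR ordering (RFC 4034 s6.3): RDATA compared as
	 * left-justified unsigned octet strings, a proper prefix sorting
	 * first.  RRsets are small, so an insertion sort is plenty.
	 * NOTE(review): canonical form also requires the PTR target to be
	 * lowercase; this relies on names already being stored that way in
	 * wire form, exactly as the old code did -- confirm at the parser.
	 */
	for (i = 1; i < nrr; i++) {
		for (j = i; j > 0; j--) {
			n = MIN(rrs[j - 1].rdlen, rrs[j].rdlen);
			c = memcmp(rrs[j - 1].rdata, rrs[j].rdata, n);
			if (c < 0 || (c == 0 && rrs[j - 1].rdlen <= rrs[j].rdlen))
				break;
			swp = rrs[j - 1];
			rrs[j - 1] = rrs[j];
			rrs[j] = swp;
		}
	}

	/*
	 * Convert the YYYYMMDDHHMMSS timestamps to the 32-bit UTC seconds the
	 * RRSIG wire format carries.  An unchecked strptime() failure would
	 * otherwise sign with whatever happened to be in tm.
	 */
	memset(&tm, 0, sizeof(tm));
	snprintf(timebuf, sizeof(timebuf), "%lld", expiredon);
	if (strptime(timebuf, "%Y%m%d%H%M%S", &tm) == NULL) {
		dolog(LOG_INFO, "bad expiration time %s\n", timebuf);
		goto out;
	}
	expiredon2 = timegm(&tm);

	memset(&tm, 0, sizeof(tm));
	snprintf(timebuf, sizeof(timebuf), "%lld", signedon);
	if (strptime(timebuf, "%Y%m%d%H%M%S", &tm) == NULL) {
		dolog(LOG_INFO, "bad inception time %s\n", timebuf);
		goto out;
	}
	signedon2 = timegm(&tm);

	for (i = 0; i < nzk; i++) {
		zk = zsk_key[i];

		if ((zone = get_key(zk, &ttl, &flags, &protocol, &algorithm, (char *)&tmp, sizeof(tmp), &keyid)) == NULL) {
			dolog(LOG_INFO, "get_key %s\n", zk->keyname);
			goto out;
		}

		/*
		 * Rebuild the DNSKEY RDATA (flags, protocol, algorithm, public
		 * key) and check that the keytag on file really belongs to it.
		 */
		p = key;
		pack16(p, htons(flags));
		p += 2;
		pack8(p, protocol);
		p++;
		pack8(p, algorithm);
		p++;
		len = mybase64_decode(tmp, (char *)&signature, sizeof(signature));
		if (len < 0) {
			dolog(LOG_INFO, "base64 decode of key %s failed\n", zk->keyname);
			goto out;
		}
		pack(p, signature, len);
		p += len;
		keylen = (p - key);
		if (keyid != keytag(key, keylen)) {
			dolog(LOG_ERR, "keytag does not match %d vs. %d\n", keyid, keytag(key, keylen));
			goto out;
		}

		/* Signed data: RRSIG RDATA without the signature field ... */
		p = key;
		pack16(p, htons(DNS_TYPE_PTR));
		p += 2;
		pack8(p, algorithm);
		p++;
		pack8(p, labels);
		p++;
		pack32(p, htonl(rrset->ttl));
		p += 4;
		pack32(p, htonl(expiredon2));
		p += 4;
		pack32(p, htonl(signedon2));
		p += 4;
		pack16(p, htons(keyid));
		p += 2;
		pack(p, dnsname, labellen);
		p += labellen;

		/* ... followed by every PTR RR of the set, in canonical order. */
		for (j = 0; j < nrr; j++) {
			if ((p - key) + rrs[j].wirelen > keysize) {
				dolog(LOG_INFO, "PTR RRset at %s too large to sign\n", rbt->humanname);
				goto out;
			}
			pack(p, rrs[j].wire, rrs[j].wirelen);
			p += rrs[j].wirelen;
		}
		keylen = (p - key);

		/*
		 * sign() returns the produced length through siglen, so it must
		 * be reset to the buffer size for every key -- the old code
		 * carried the previous key's signature length into the next
		 * iteration under double-signature rollover.
		 */
		siglen = sizeof(signature);
		if (sign(algorithm, key, keylen, zk, (char *)&signature, &siglen) < 0) {
			dolog(LOG_INFO, "signing failed\n");
			goto out;
		}

		len = mybase64_encode(signature, siglen, tmp, sizeof(tmp));
		if (len < 0 || len >= (int)sizeof(tmp)) {
			dolog(LOG_INFO, "base64 encode of signature failed\n");
			goto out;
		}
		tmp[len] = '\0';

		if (fill_rrsig(db, rbt->humanname, "RRSIG", rrset->ttl, "PTR", algorithm, labels, rrset->ttl, expiredon, signedon, keyid, zonename, tmp) < 0) {
			dolog(LOG_INFO, "fill_rrsig\n");
			goto out;
		}
	}

	rc = 0;

out:
	/*
	 * NOTE(review): dns_label() is not visible from here.  If it returns
	 * a malloc()ed buffer, dnsname is leaked as well and should be freed
	 * at this point -- confirm before adding the free().
	 */
	if (rrs != NULL) {
		/* calloc() zeroed the table, so unfilled slots free(NULL) */
		for (i = 0; i < nrr; i++)
			free(rrs[i].wire);
		free(rrs);
	}
	free(zsk_key);
	free(key);
	return rc;
}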
* create a RRSIG for a NAPTR record
static int
sign_naptr(ddDB *db, char *zonename, int expiry, struct rbtree *rbt, int rollmethod)
struct rrset *rrset = NULL;
struct rr *rrp = NULL;
struct rr *rrp2 = NULL;
struct keysentry **zsk_key;
char tmp[4096];
char signature[4096];
char shabuf[64];
char *dnsname;
char *p, *q, *r;
char **canonsort;
char *key, *tmpkey;
char *zone;
uint32_t ttl;
uint16_t flags;
uint8_t protocol;
uint8_t algorithm;
int labellen;
int keyid;
int len, rlen, clen, i;
int keylen, siglen = sizeof(signature);
int labels;
int nzk = 0;
int csort = 0;
char timebuf[32];
struct tm tm;
u_int32_t expiredon2, signedon2;
memset(&shabuf, 0, sizeof(shabuf));
key = malloc(10 * 4096);
if (key == NULL) {
dolog(LOG_INFO, "key out of memory\n");
return -1;
tmpkey = malloc(10 * 4096);
if (tmpkey == NULL) {
dolog(LOG_INFO, "tmpkey out of memory\n");