1 /* $NetBSD: dnssectool.c,v 1.8 2023/01/25 21:43:23 christos Exp $ */
2
3 /*
4 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
5 *
6 * SPDX-License-Identifier: MPL-2.0
7 *
8 * This Source Code Form is subject to the terms of the Mozilla Public
9 * License, v. 2.0. If a copy of the MPL was not distributed with this
10 * file, you can obtain one at https://mozilla.org/MPL/2.0/.
11 *
12 * See the COPYRIGHT file distributed with this work for additional
13 * information regarding copyright ownership.
14 */
15
16 /*! \file */
17
18 /*%
19 * DNSSEC Support Routines.
20 */
21
22 #include <inttypes.h>
23 #include <stdbool.h>
24 #include <stdlib.h>
25
26 #ifdef _WIN32
27 #include <Winsock2.h>
28 #endif /* ifdef _WIN32 */
29
30 #include <isc/base32.h>
31 #include <isc/buffer.h>
32 #include <isc/commandline.h>
33 #include <isc/dir.h>
34 #include <isc/file.h>
35 #include <isc/heap.h>
36 #include <isc/list.h>
37 #include <isc/mem.h>
38 #include <isc/platform.h>
39 #include <isc/print.h>
40 #include <isc/string.h>
41 #include <isc/time.h>
42 #include <isc/util.h>
43
44 #include <dns/db.h>
45 #include <dns/dbiterator.h>
46 #include <dns/dnssec.h>
47 #include <dns/fixedname.h>
48 #include <dns/keyvalues.h>
49 #include <dns/log.h>
50 #include <dns/name.h>
51 #include <dns/nsec.h>
52 #include <dns/nsec3.h>
53 #include <dns/rdataclass.h>
54 #include <dns/rdataset.h>
55 #include <dns/rdatasetiter.h>
56 #include <dns/rdatastruct.h>
57 #include <dns/rdatatype.h>
58 #include <dns/result.h>
59 #include <dns/secalg.h>
60 #include <dns/time.h>
61
62 #include "dnssectool.h"
63
64 #define KEYSTATES_NVALUES 4
65 static const char *keystates[KEYSTATES_NVALUES] = {
66 "hidden",
67 "rumoured",
68 "omnipresent",
69 "unretentive",
70 };
71
72 int verbose = 0;
73 bool quiet = false;
74 uint8_t dtype[8];
75
76 static fatalcallback_t *fatalcallback = NULL;
77
78 void
fatal(const char * format,...)79 fatal(const char *format, ...) {
80 va_list args;
81
82 fprintf(stderr, "%s: fatal: ", program);
83 va_start(args, format);
84 vfprintf(stderr, format, args);
85 va_end(args);
86 fprintf(stderr, "\n");
87 if (fatalcallback != NULL) {
88 (*fatalcallback)();
89 }
90 exit(1);
91 }
92
93 void
setfatalcallback(fatalcallback_t * callback)94 setfatalcallback(fatalcallback_t *callback) {
95 fatalcallback = callback;
96 }
97
98 void
check_result(isc_result_t result,const char * message)99 check_result(isc_result_t result, const char *message) {
100 if (result != ISC_R_SUCCESS) {
101 fatal("%s: %s", message, isc_result_totext(result));
102 }
103 }
104
105 void
vbprintf(int level,const char * fmt,...)106 vbprintf(int level, const char *fmt, ...) {
107 va_list ap;
108 if (level > verbose) {
109 return;
110 }
111 va_start(ap, fmt);
112 fprintf(stderr, "%s: ", program);
113 vfprintf(stderr, fmt, ap);
114 va_end(ap);
115 }
116
117 void
version(const char * name)118 version(const char *name) {
119 fprintf(stderr, "%s %s\n", name, VERSION);
120 exit(0);
121 }
122
123 void
sig_format(dns_rdata_rrsig_t * sig,char * cp,unsigned int size)124 sig_format(dns_rdata_rrsig_t *sig, char *cp, unsigned int size) {
125 char namestr[DNS_NAME_FORMATSIZE];
126 char algstr[DNS_NAME_FORMATSIZE];
127
128 dns_name_format(&sig->signer, namestr, sizeof(namestr));
129 dns_secalg_format(sig->algorithm, algstr, sizeof(algstr));
130 snprintf(cp, size, "%s/%s/%d", namestr, algstr, sig->keyid);
131 }
132
133 void
setup_logging(isc_mem_t * mctx,isc_log_t ** logp)134 setup_logging(isc_mem_t *mctx, isc_log_t **logp) {
135 isc_logdestination_t destination;
136 isc_logconfig_t *logconfig = NULL;
137 isc_log_t *log = NULL;
138 int level;
139
140 if (verbose < 0) {
141 verbose = 0;
142 }
143 switch (verbose) {
144 case 0:
145 /*
146 * We want to see warnings about things like out-of-zone
147 * data in the master file even when not verbose.
148 */
149 level = ISC_LOG_WARNING;
150 break;
151 case 1:
152 level = ISC_LOG_INFO;
153 break;
154 default:
155 level = ISC_LOG_DEBUG(verbose - 2 + 1);
156 break;
157 }
158
159 isc_log_create(mctx, &log, &logconfig);
160 isc_log_setcontext(log);
161 dns_log_init(log);
162 dns_log_setcontext(log);
163 isc_log_settag(logconfig, program);
164
165 /*
166 * Set up a channel similar to default_stderr except:
167 * - the logging level is passed in
168 * - the program name and logging level are printed
169 * - no time stamp is printed
170 */
171 destination.file.stream = stderr;
172 destination.file.name = NULL;
173 destination.file.versions = ISC_LOG_ROLLNEVER;
174 destination.file.maximum_size = 0;
175 isc_log_createchannel(logconfig, "stderr", ISC_LOG_TOFILEDESC, level,
176 &destination,
177 ISC_LOG_PRINTTAG | ISC_LOG_PRINTLEVEL);
178
179 RUNTIME_CHECK(isc_log_usechannel(logconfig, "stderr", NULL, NULL) ==
180 ISC_R_SUCCESS);
181
182 *logp = log;
183 }
184
185 void
cleanup_logging(isc_log_t ** logp)186 cleanup_logging(isc_log_t **logp) {
187 isc_log_t *log;
188
189 REQUIRE(logp != NULL);
190
191 log = *logp;
192 *logp = NULL;
193
194 if (log == NULL) {
195 return;
196 }
197
198 isc_log_destroy(&log);
199 isc_log_setcontext(NULL);
200 dns_log_setcontext(NULL);
201 }
202
203 static isc_stdtime_t
time_units(isc_stdtime_t offset,char * suffix,const char * str)204 time_units(isc_stdtime_t offset, char *suffix, const char *str) {
205 switch (suffix[0]) {
206 case 'Y':
207 case 'y':
208 return (offset * (365 * 24 * 3600));
209 case 'M':
210 case 'm':
211 switch (suffix[1]) {
212 case 'O':
213 case 'o':
214 return (offset * (30 * 24 * 3600));
215 case 'I':
216 case 'i':
217 return (offset * 60);
218 case '\0':
219 fatal("'%s' ambiguous: use 'mi' for minutes "
220 "or 'mo' for months",
221 str);
222 default:
223 fatal("time value %s is invalid", str);
224 }
225 UNREACHABLE();
226 break;
227 case 'W':
228 case 'w':
229 return (offset * (7 * 24 * 3600));
230 case 'D':
231 case 'd':
232 return (offset * (24 * 3600));
233 case 'H':
234 case 'h':
235 return (offset * 3600);
236 case 'S':
237 case 's':
238 case '\0':
239 return (offset);
240 default:
241 fatal("time value %s is invalid", str);
242 }
243 UNREACHABLE();
244 return (0); /* silence compiler warning */
245 }
246
247 static bool
isnone(const char * str)248 isnone(const char *str) {
249 return ((strcasecmp(str, "none") == 0) ||
250 (strcasecmp(str, "never") == 0));
251 }
252
253 dns_ttl_t
strtottl(const char * str)254 strtottl(const char *str) {
255 const char *orig = str;
256 dns_ttl_t ttl;
257 char *endp;
258
259 if (isnone(str)) {
260 return ((dns_ttl_t)0);
261 }
262
263 ttl = strtol(str, &endp, 0);
264 if (ttl == 0 && endp == str) {
265 fatal("TTL must be numeric");
266 }
267 ttl = time_units(ttl, endp, orig);
268 return (ttl);
269 }
270
271 dst_key_state_t
strtokeystate(const char * str)272 strtokeystate(const char *str) {
273 if (isnone(str)) {
274 return (DST_KEY_STATE_NA);
275 }
276
277 for (int i = 0; i < KEYSTATES_NVALUES; i++) {
278 if (keystates[i] != NULL && strcasecmp(str, keystates[i]) == 0)
279 {
280 return ((dst_key_state_t)i);
281 }
282 }
283 fatal("unknown key state %s", str);
284 }
285
286 isc_stdtime_t
strtotime(const char * str,int64_t now,int64_t base,bool * setp)287 strtotime(const char *str, int64_t now, int64_t base, bool *setp) {
288 int64_t val, offset;
289 isc_result_t result;
290 const char *orig = str;
291 char *endp;
292 size_t n;
293
294 if (isnone(str)) {
295 if (setp != NULL) {
296 *setp = false;
297 }
298 return ((isc_stdtime_t)0);
299 }
300
301 if (setp != NULL) {
302 *setp = true;
303 }
304
305 if ((str[0] == '0' || str[0] == '-') && str[1] == '\0') {
306 return ((isc_stdtime_t)0);
307 }
308
309 /*
310 * We accept times in the following formats:
311 * now([+-]offset)
312 * YYYYMMDD([+-]offset)
313 * YYYYMMDDhhmmss([+-]offset)
314 * [+-]offset
315 */
316 n = strspn(str, "0123456789");
317 if ((n == 8u || n == 14u) &&
318 (str[n] == '\0' || str[n] == '-' || str[n] == '+'))
319 {
320 char timestr[15];
321
322 strlcpy(timestr, str, sizeof(timestr));
323 timestr[n] = 0;
324 if (n == 8u) {
325 strlcat(timestr, "000000", sizeof(timestr));
326 }
327 result = dns_time64_fromtext(timestr, &val);
328 if (result != ISC_R_SUCCESS) {
329 fatal("time value %s is invalid: %s", orig,
330 isc_result_totext(result));
331 }
332 base = val;
333 str += n;
334 } else if (strncmp(str, "now", 3) == 0) {
335 base = now;
336 str += 3;
337 }
338
339 if (str[0] == '\0') {
340 return ((isc_stdtime_t)base);
341 } else if (str[0] == '+') {
342 offset = strtol(str + 1, &endp, 0);
343 offset = time_units((isc_stdtime_t)offset, endp, orig);
344 val = base + offset;
345 } else if (str[0] == '-') {
346 offset = strtol(str + 1, &endp, 0);
347 offset = time_units((isc_stdtime_t)offset, endp, orig);
348 val = base - offset;
349 } else {
350 fatal("time value %s is invalid", orig);
351 }
352
353 return ((isc_stdtime_t)val);
354 }
355
356 dns_rdataclass_t
strtoclass(const char * str)357 strtoclass(const char *str) {
358 isc_textregion_t r;
359 dns_rdataclass_t rdclass;
360 isc_result_t result;
361
362 if (str == NULL) {
363 return (dns_rdataclass_in);
364 }
365 DE_CONST(str, r.base);
366 r.length = strlen(str);
367 result = dns_rdataclass_fromtext(&rdclass, &r);
368 if (result != ISC_R_SUCCESS) {
369 fatal("unknown class %s", str);
370 }
371 return (rdclass);
372 }
373
374 unsigned int
strtodsdigest(const char * str)375 strtodsdigest(const char *str) {
376 isc_textregion_t r;
377 dns_dsdigest_t alg;
378 isc_result_t result;
379
380 DE_CONST(str, r.base);
381 r.length = strlen(str);
382 result = dns_dsdigest_fromtext(&alg, &r);
383 if (result != ISC_R_SUCCESS) {
384 fatal("unknown DS algorithm %s", str);
385 }
386 return (alg);
387 }
388
389 static int
cmp_dtype(const void * ap,const void * bp)390 cmp_dtype(const void *ap, const void *bp) {
391 int a = *(const uint8_t *)ap;
392 int b = *(const uint8_t *)bp;
393 return (a - b);
394 }
395
396 void
add_dtype(unsigned int dt)397 add_dtype(unsigned int dt) {
398 unsigned i, n;
399
400 /* ensure there is space for a zero terminator */
401 n = sizeof(dtype) / sizeof(dtype[0]) - 1;
402 for (i = 0; i < n; i++) {
403 if (dtype[i] == dt) {
404 return;
405 }
406 if (dtype[i] == 0) {
407 dtype[i] = dt;
408 qsort(dtype, i + 1, 1, cmp_dtype);
409 return;
410 }
411 }
412 fatal("too many -a digest type arguments");
413 }
414
415 isc_result_t
try_dir(const char * dirname)416 try_dir(const char *dirname) {
417 isc_result_t result;
418 isc_dir_t d;
419
420 isc_dir_init(&d);
421 result = isc_dir_open(&d, dirname);
422 if (result == ISC_R_SUCCESS) {
423 isc_dir_close(&d);
424 }
425 return (result);
426 }
427
428 /*
429 * Check private key version compatibility.
430 */
431 void
check_keyversion(dst_key_t * key,char * keystr)432 check_keyversion(dst_key_t *key, char *keystr) {
433 int major, minor;
434 dst_key_getprivateformat(key, &major, &minor);
435 INSIST(major <= DST_MAJOR_VERSION); /* invalid private key */
436
437 if (major < DST_MAJOR_VERSION || minor < DST_MINOR_VERSION) {
438 fatal("Key %s has incompatible format version %d.%d, "
439 "use -f to force upgrade to new version.",
440 keystr, major, minor);
441 }
442 if (minor > DST_MINOR_VERSION) {
443 fatal("Key %s has incompatible format version %d.%d, "
444 "use -f to force downgrade to current version.",
445 keystr, major, minor);
446 }
447 }
448
449 void
set_keyversion(dst_key_t * key)450 set_keyversion(dst_key_t *key) {
451 int major, minor;
452 dst_key_getprivateformat(key, &major, &minor);
453 INSIST(major <= DST_MAJOR_VERSION);
454
455 if (major != DST_MAJOR_VERSION || minor != DST_MINOR_VERSION) {
456 dst_key_setprivateformat(key, DST_MAJOR_VERSION,
457 DST_MINOR_VERSION);
458 }
459
460 /*
461 * If the key is from a version older than 1.3, set
462 * set the creation date
463 */
464 if (major < 1 || (major == 1 && minor <= 2)) {
465 isc_stdtime_t now;
466 isc_stdtime_get(&now);
467 dst_key_settime(key, DST_TIME_CREATED, now);
468 }
469 }
470
471 bool
key_collision(dst_key_t * dstkey,dns_name_t * name,const char * dir,isc_mem_t * mctx,bool * exact)472 key_collision(dst_key_t *dstkey, dns_name_t *name, const char *dir,
473 isc_mem_t *mctx, bool *exact) {
474 isc_result_t result;
475 bool conflict = false;
476 dns_dnsseckeylist_t matchkeys;
477 dns_dnsseckey_t *key = NULL;
478 uint16_t id, oldid;
479 uint32_t rid, roldid;
480 dns_secalg_t alg;
481 char filename[NAME_MAX];
482 isc_buffer_t fileb;
483 isc_stdtime_t now;
484
485 if (exact != NULL) {
486 *exact = false;
487 }
488
489 id = dst_key_id(dstkey);
490 rid = dst_key_rid(dstkey);
491 alg = dst_key_alg(dstkey);
492
493 /*
494 * For Diffie Hellman just check if there is a direct collision as
495 * they can't be revoked. Additionally dns_dnssec_findmatchingkeys
496 * only handles DNSKEY which is not used for HMAC.
497 */
498 if (alg == DST_ALG_DH) {
499 isc_buffer_init(&fileb, filename, sizeof(filename));
500 result = dst_key_buildfilename(dstkey, DST_TYPE_PRIVATE, dir,
501 &fileb);
502 if (result != ISC_R_SUCCESS) {
503 return (true);
504 }
505 return (isc_file_exists(filename));
506 }
507
508 ISC_LIST_INIT(matchkeys);
509 isc_stdtime_get(&now);
510 result = dns_dnssec_findmatchingkeys(name, dir, now, mctx, &matchkeys);
511 if (result == ISC_R_NOTFOUND) {
512 return (false);
513 }
514
515 while (!ISC_LIST_EMPTY(matchkeys) && !conflict) {
516 key = ISC_LIST_HEAD(matchkeys);
517 if (dst_key_alg(key->key) != alg) {
518 goto next;
519 }
520
521 oldid = dst_key_id(key->key);
522 roldid = dst_key_rid(key->key);
523
524 if (oldid == rid || roldid == id || id == oldid) {
525 conflict = true;
526 if (id != oldid) {
527 if (verbose > 1) {
528 fprintf(stderr,
529 "Key ID %d could "
530 "collide with %d\n",
531 id, oldid);
532 }
533 } else {
534 if (exact != NULL) {
535 *exact = true;
536 }
537 if (verbose > 1) {
538 fprintf(stderr, "Key ID %d exists\n",
539 id);
540 }
541 }
542 }
543
544 next:
545 ISC_LIST_UNLINK(matchkeys, key, link);
546 dns_dnsseckey_destroy(mctx, &key);
547 }
548
549 /* Finish freeing the list */
550 while (!ISC_LIST_EMPTY(matchkeys)) {
551 key = ISC_LIST_HEAD(matchkeys);
552 ISC_LIST_UNLINK(matchkeys, key, link);
553 dns_dnsseckey_destroy(mctx, &key);
554 }
555
556 return (conflict);
557 }
558
559 bool
isoptarg(const char * arg,char ** argv,void (* usage)(void))560 isoptarg(const char *arg, char **argv, void (*usage)(void)) {
561 if (!strcasecmp(isc_commandline_argument, arg)) {
562 if (argv[isc_commandline_index] == NULL) {
563 fprintf(stderr, "%s: missing argument -%c %s\n",
564 program, isc_commandline_option,
565 isc_commandline_argument);
566 usage();
567 }
568 isc_commandline_argument = argv[isc_commandline_index];
569 /* skip to next argument */
570 isc_commandline_index++;
571 return (true);
572 }
573 return (false);
574 }
575
576 #ifdef _WIN32
577 void
InitSockets(void)578 InitSockets(void) {
579 WORD wVersionRequested;
580 WSADATA wsaData;
581 int err;
582
583 wVersionRequested = MAKEWORD(2, 0);
584
585 err = WSAStartup(wVersionRequested, &wsaData);
586 if (err != 0) {
587 fprintf(stderr, "WSAStartup() failed: %d\n", err);
588 exit(1);
589 }
590 }
591
592 void
DestroySockets(void)593 DestroySockets(void) {
594 WSACleanup();
595 }
596 #endif /* ifdef _WIN32 */
597