Commit 6a285c81 authored by Brian Wellington's avatar Brian Wellington
Browse files

better error reporting and miscellaneous cleanup

parent 844eaa56
......@@ -15,7 +15,7 @@
* WITH THE USE OR PERFORMANCE OF THE SOFTWARE.
*/
/* $Id: dnssec-keygen.c,v 1.18 2000/05/15 21:06:41 bwelling Exp $ */
/* $Id: dnssec-keygen.c,v 1.19 2000/05/16 18:40:57 bwelling Exp $ */
#include <config.h>
......@@ -33,13 +33,82 @@
#include <dst/dst.h>
#include <dst/result.h>
static isc_boolean_t dsa_size_ok(int size);
static void die(char *str);
static void usage(char *prog);
#define PROGRAM "keygen"
static int verbose;
#define MAX_RSA 2048 /* XXX ogud update this when rsa library is updated */
static int verbose;
static inline void
fatal(char *format, ...) {
va_list args;
fprintf(stderr, "%s: ", PROGRAM);
va_start(args, format);
vfprintf(stderr, format, args);
va_end(args);
fprintf(stderr, "\n");
exit(1);
}
static inline void
check_result(isc_result_t result, char *message) {
if (result != ISC_R_SUCCESS) {
fprintf(stderr, "%s: %s: %s\n", PROGRAM, message,
isc_result_totext(result));
exit(1);
}
}
/* Not thread-safe! */
static char *
algtostr(const dns_secalg_t alg) {
isc_buffer_t b;
isc_region_t r;
isc_result_t result;
static char data[10];
isc_buffer_init(&b, data, sizeof(data));
result = dns_secalg_totext(alg, &b);
check_result(result, "dns_secalg_totext()");
isc_buffer_usedregion(&b, &r);
r.base[r.length] = 0;
return (char *) r.base;
}
static isc_boolean_t
dsa_size_ok(int size) {
return (ISC_TF(size >= 512 && size <= 1024 && size % 64 == 0));
}
static void
usage(char *prog) {
printf("Usage:\n");
printf(" %s [options] name\n\n", prog);
printf("Required options:\n");
printf(" -a algorithm: RSA | RSAMD5 | DH | DSA | HMAC-MD5\n");
printf(" -b key size, in bits:\n");
printf(" RSA:\t\t[512..%d]\n", MAX_RSA);
printf(" DH:\t\t[128..4096]\n");
printf(" DSA:\t\t[512..1024] and dividable by 64\n");
printf(" HMAC-MD5:\t[1..512]\n");
printf(" -n nametype: ZONE | HOST | ENTITY | USER\n");
printf(" name: owner of the key\n");
printf("Other options:\n");
printf(" -e use large exponent (RSA only)\n");
printf(" -g use specified generator (DH only)\n");
printf(" -t type: AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF\n");
printf(" default: AUTHCONF\n");
printf(" -p protocol value\n");
printf(" default: 2 (email) for User keys, "
"3 (dnssec) for all others\n");
printf(" -s strength value this key signs DNS records with\n");
printf(" default: 0\n");
printf(" -v verbose level\n");
exit (-1);
}
int
main(int argc, char **argv) {
char *algname = NULL, *nametype = NULL, *type = NULL;
......@@ -64,7 +133,7 @@ main(int argc, char **argv) {
else
prog = isc_mem_strdup(mctx, ++prog);
if (prog == NULL)
die("strdup failure");
fatal("out of memory");
if (argc == 1)
usage(prog);
......@@ -77,12 +146,12 @@ main(int argc, char **argv) {
algname = isc_mem_strdup(mctx,
isc_commandline_argument);
if (algname == NULL)
die("strdup failure");
fatal("out of memory");
break;
case 'b':
size = strtol(isc_commandline_argument, &endp, 10);
if (*endp != '\0' || size < 0)
die("-b requires a non-negative number");
fatal("-b requires a non-negative number");
break;
case 'e':
rsa_exp = 1;
......@@ -90,36 +159,37 @@ main(int argc, char **argv) {
case 'g':
generator = strtol(isc_commandline_argument, &endp, 10);
if (*endp != '\0' || generator <= 0)
die("-g requires a positive number");
fatal("-g requires a positive number");
break;
case 'n':
nametype = isc_mem_strdup(mctx,
isc_commandline_argument);
if (nametype == NULL)
die("strdup failure");
fatal("out of memory");
break;
case 't':
type = isc_mem_strdup(mctx, isc_commandline_argument);
if (type == NULL)
die("strdup failure");
fatal("out of memory");
break;
case 'p':
protocol = strtol(isc_commandline_argument, &endp, 10);
if (*endp != '\0' || protocol < 0 || protocol > 255)
die("-p must be followed by "
"a number [0..255]");
fatal("-p must be followed by a number "
"[0..255]");
break;
case 's':
signatory = strtol(isc_commandline_argument,
&endp, 10);
if (*endp != '\0' || signatory < 0 || signatory > 15)
die("-s must be followed by a number [0..15]");
fatal("-s must be followed by a number "
"[0..15]");
break;
case 'v':
endp = NULL;
verbose = strtol(isc_commandline_argument, &endp, 0);
if (*endp != '\0')
die("-v must be followed by a number");
fatal("-v must be followed by a number");
break;
case 'h':
......@@ -131,12 +201,12 @@ main(int argc, char **argv) {
}
if (argc < isc_commandline_index + 1)
die("Must specify a domain name");
fatal("the key name was not specified");
if (argc > isc_commandline_index + 1)
die("Extraneous arguments");
fatal("extraneous arguments");
if (algname == NULL)
die("No algorithm specified");
fatal("no algorithm was specified");
if (strcasecmp(algname, "RSA") == 0)
alg = DNS_KEYALG_RSA;
else if (strcasecmp(algname, "HMAC-MD5") == 0)
......@@ -146,10 +216,10 @@ main(int argc, char **argv) {
r.length = strlen(algname);
ret = dns_secalg_fromtext(&alg, &r);
if (ret != ISC_R_SUCCESS)
die("Unknown algorithm");
fatal("unknown algorithm %s", algname);
}
if (dst_supported_algorithm(alg) == ISC_FALSE)
die("Unsupported algorithm");
fatal("unsupported algorithm %s", algname);
if (type != NULL) {
if (strcasecmp(type, "NOAUTH") == 0)
......@@ -164,39 +234,39 @@ main(int argc, char **argv) {
else if (strcasecmp(type, "AUTHCONF") == 0)
/* nothing */;
else
die("Invalid type");
fatal("invalid type %s", type);
}
if (size < 0)
die("Must specify key size (-b option)");
fatal("key size not specified (-b option)");
switch (alg) {
case DNS_KEYALG_RSA:
if (size != 0 && (size < 512 || size > MAX_RSA))
die("RSA key size out of range");
fatal("RSA key size %d out of range", size);
break;
case DNS_KEYALG_DH:
if (size != 0 && (size < 128 || size > 4096))
die("DH key size out of range");
fatal("DH key size %d out of range", size);
break;
case DNS_KEYALG_DSA:
if (size != 0 && !dsa_size_ok(size))
die("Invalid DSS key size");
fatal("Invalid DSS key size: %d", size);
break;
case DST_ALG_HMACMD5:
if (size < 1 || size > 512)
die("Invalid HMAC-MD5 key size");
fatal("HMAC-MD5 key size %d out of range", size);
break;
}
if (alg != DNS_KEYALG_RSA && rsa_exp != 0)
die("Cannot specify RSA exponent without RSA");
fatal("specified RSA exponent without RSA");
if (alg != DNS_KEYALG_DH && generator != 0)
die("Cannot specify DH generator without DH");
fatal("specified DH generator without DH");
if (nametype == NULL)
die("No nametype specified");
fatal("no nametype specified");
if (strcasecmp(nametype, "zone") == 0)
flags |= DNS_KEYOWNER_ZONE;
else if (strcasecmp(nametype, "host") == 0 ||
......@@ -205,7 +275,7 @@ main(int argc, char **argv) {
else if (strcasecmp(nametype, "user") == 0)
flags |= DNS_KEYOWNER_USER;
else
die("Invalid nametype");
fatal("invalid nametype %s", nametype);
flags |= signatory;
......@@ -218,14 +288,14 @@ main(int argc, char **argv) {
if ((flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY) {
if (size > 0)
die("Specified null key with non-zero size");
fatal("Specified null key with non-zero size");
if ((flags & DNS_KEYFLAG_SIGNATORYMASK) != 0)
die("Specified null key with signing authority");
fatal("Specified null key with signing authority");
}
name = isc_mem_allocate(mctx, strlen(argv[isc_commandline_index]) + 2);
if (name == NULL)
die("strdup failure");
fatal("out of memory");
strcpy(name, argv[isc_commandline_index]);
if (name[strlen(name) - 1] != '.') {
strcat(name, ".");
......@@ -262,7 +332,7 @@ main(int argc, char **argv) {
mctx, &key);
if (ret != ISC_R_SUCCESS) {
fprintf(stderr, "keygen: failed to generate key: %s\n",
fatal("failed to generate key %s/%d: %s\n", name, alg,
dst_result_totext(ret));
exit(-1);
}
......@@ -288,15 +358,13 @@ main(int argc, char **argv) {
} while (conflict == ISC_TRUE);
if (conflict)
die("Attempting to generate a null key when a key with id 0 "
"already exists\n");
fatal("cannot generate a null key when a key with id 0 "
"already exists");
ret = dst_key_tofile(key, DST_TYPE_PUBLIC | DST_TYPE_PRIVATE);
if (ret != ISC_R_SUCCESS) {
fprintf(stderr, "keygen: failed to write key %s(%d)\n", name,
dst_key_id(key));
exit(-1);
}
if (ret != ISC_R_SUCCESS)
fatal("failed to write key %s/%s/%d: %s\n", name,
dst_key_id(key), algtostr(alg), isc_result_totext(ret));
isc_buffer_clear(&buf);
ret = dst_key_buildfilename(key, 0, &buf);
......@@ -313,42 +381,3 @@ main(int argc, char **argv) {
return (0);
}
static isc_boolean_t
dsa_size_ok(int size) {
return (ISC_TF(size >= 512 && size <= 1024 && size % 64 == 0));
}
static void
die(char *str) {
fprintf(stderr, "keygen: %s\n", str);
exit(-1);
}
static void
usage(char *prog) {
printf("Usage:\n");
printf(" %s [options] name\n\n", prog);
printf("Required options:\n");
printf(" -a algorithm: RSA | RSAMD5 | DH | DSA | HMAC-MD5\n");
printf(" -b key size, in bits:\n");
printf(" RSA:\t\t[512..%d]\n", MAX_RSA);
printf(" DH:\t\t[128..4096]\n");
printf(" DSA:\t\t[512..1024] and dividable by 64\n");
printf(" HMAC-MD5:\t[1..512]\n");
printf(" -n nametype: ZONE | HOST | ENTITY | USER\n");
printf(" name: owner of the key\n");
printf("Other options:\n");
printf(" -e use large exponent (RSA only)\n");
printf(" -g use specified generator (DH only)\n");
printf(" -t type: AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF\n");
printf(" default: AUTHCONF\n");
printf(" -p protocol value\n");
printf(" default: 2 (email) for User keys, "
"3 (dnssec) for all others\n");
printf(" -s strength value this key signs DNS records with\n");
printf(" default: 0\n");
printf(" -v verbose level\n");
exit (-1);
}
......@@ -32,6 +32,7 @@
#include <dns/rdatalist.h>
#include <dns/rdataset.h>
#include <dns/result.h>
#include <dns/secalg.h>
#include <dns/time.h>
#define PROGRAM "keysettool"
......@@ -78,10 +79,28 @@ static char *
nametostr(dns_name_t *name) {
isc_buffer_t b;
isc_region_t r;
isc_result_t result;
static char data[1025];
isc_buffer_init(&b, data, sizeof(data));
dns_name_totext(name, ISC_FALSE, &b);
result = dns_name_totext(name, ISC_FALSE, &b);
check_result(result, "dns_name_totext()");
isc_buffer_usedregion(&b, &r);
r.base[r.length] = 0;
return (char *) r.base;
}
/* Not thread-safe! */
static char *
algtostr(const dns_secalg_t alg) {
isc_buffer_t b;
isc_region_t r;
isc_result_t result;
static char data[10];
isc_buffer_init(&b, data, sizeof(data));
result = dns_secalg_totext(alg, &b);
check_result(result, "dns_secalg_totext()");
isc_buffer_usedregion(&b, &r);
r.base[r.length] = 0;
return (char *) r.base;
......@@ -104,7 +123,8 @@ strtotime(char *str, isc_int64_t now, isc_int64_t base) {
}
else {
result = dns_time64_fromtext(str, &val);
fatal("time %s must be numeric", str);
if (result != ISC_R_SUCCESS)
fatal("time %s must be numeric", str);
}
if (*endp != '\0')
fatal("time value %s is invalid", str);
......@@ -304,8 +324,8 @@ main(int argc, char *argv[]) {
&zonekey);
if (result != ISC_R_SUCCESS)
fatal("failed to read key %s/%d/%d: %s",
namestr, id, alg,
fatal("failed to read key %s/%s/%d: %s",
namestr, id, algtostr(alg),
isc_result_totext(result));
keynode = isc_mem_get(mctx, sizeof (keynode_t));
if (keynode == NULL)
......@@ -323,8 +343,9 @@ main(int argc, char *argv[]) {
isc_buffer_init(&b, data, BUFSIZE);
result = dst_key_todns(key, &b);
if (result != ISC_R_SUCCESS)
fatal("failed to convert key %s/%d/%d to a DNS KEY: %s",
namestr, id, alg, isc_result_totext(result));
fatal("failed to convert key %s/%s/%d to a DNS KEY: %s",
namestr, id, algtostr(alg),
isc_result_totext(result));
isc_buffer_usedregion(&b, &r);
dns_rdata_fromregion(rdata, dns_rdataclass_in,
dns_rdatatype_key, &r);
......@@ -364,10 +385,10 @@ main(int argc, char *argv[]) {
&starttime, &endtime, mctx, &b,
rdata);
if (result != ISC_R_SUCCESS)
fatal("failed to sign keyset with key %s/%d/%d: %s",
fatal("failed to sign keyset with key %s/%s/%d: %s",
dst_key_name(keynode->key),
algtostr(dst_key_alg(keynode->key)),
dst_key_id(keynode->key),
dst_key_alg(keynode->key),
isc_result_totext(result));
ISC_LIST_APPEND(sigrdatalist.rdata, rdata, link);
dns_rdataset_init(&sigrdataset);
......
......@@ -32,6 +32,7 @@
#include <dns/rdataset.h>
#include <dns/rdatastruct.h>
#include <dns/result.h>
#include <dns/secalg.h>
#define PROGRAM "keysigner"
......@@ -52,8 +53,14 @@ static isc_mem_t *mctx = NULL;
static keylist_t keylist;
static inline void
fatal(char *message) {
fprintf(stderr, "%s: %s\n", PROGRAM, message);
fatal(char *format, ...) {
va_list args;
fprintf(stderr, "%s: ", PROGRAM);
va_start(args, format);
vfprintf(stderr, format, args);
va_end(args);
fprintf(stderr, "\n");
exit(1);
}
......@@ -66,6 +73,39 @@ check_result(isc_result_t result, char *message) {
}
}
/* Not thread-safe! */
static char *
nametostr(dns_name_t *name) {
isc_buffer_t b;
isc_region_t r;
isc_result_t result;
static char data[1025];
isc_buffer_init(&b, data, sizeof(data));
result = dns_name_totext(name, ISC_FALSE, &b);
check_result(result, "dns_name_totext()");
isc_buffer_usedregion(&b, &r);
r.base[r.length] = 0;
return (char *) r.base;
}
/* Not thread-safe! */
static char *
algtostr(const dns_secalg_t alg) {
isc_buffer_t b;
isc_region_t r;
isc_result_t result;
static char data[10];
isc_buffer_init(&b, data, sizeof(data));
result = dns_secalg_totext(alg, &b);
check_result(result, "dns_secalg_totext()");
isc_buffer_usedregion(&b, &r);
r.base[r.length] = 0;
return (char *) r.base;
}
static void
usage() {
fprintf(stderr, "Usage:\n");
......@@ -106,15 +146,14 @@ loadkeys(dns_name_t *name, dns_rdataset_t *rdataset) {
continue;
keynode = isc_mem_get(mctx, sizeof (keynode_t));
if (keynode == NULL)
check_result(ISC_R_NOMEMORY, "isc_mem_get()");
fatal("out of memory");
keynode->key = key;
keynode->verified = ISC_FALSE;
ISC_LINK_INIT(keynode, link);
ISC_LIST_APPEND(keylist, keynode, link);
}
if (result == ISC_R_NOMORE)
result = ISC_R_SUCCESS;
check_result(result, "loadkeys()");
if (result != ISC_R_NOMORE)
fatal("failure traversing key list");
}
static dst_key_t *
......@@ -170,7 +209,7 @@ main(int argc, char *argv[]) {
endp = NULL;
verbose = strtol(isc_commandline_argument, &endp, 0);
if (*endp != '\0')
check_result(ISC_R_FAILURE, "strtol()");
fatal("verbose level must be numeric");
break;
default:
......@@ -206,7 +245,8 @@ main(int argc, char *argv[]) {
isc_buffer_init(&b, argv[0], strlen(argv[0]) - 7);
isc_buffer_add(&b, strlen(argv[0]) - 7);
result = dns_name_fromtext(domain, &b, dns_rootname, ISC_FALSE, NULL);
check_result(result, "dns_name_fromtext()");
if (result != ISC_R_SUCCESS)
fatal("'%s' does not contain a valid domain name", argv[0]);
isc_buffer_init(&b, tdomain, sizeof(tdomain) - 1);
result = dns_name_totext(domain, ISC_FALSE, &b);
check_result(result, "dns_name_totext()");
......@@ -216,7 +256,7 @@ main(int argc, char *argv[]) {
output = isc_mem_allocate(mctx,
strlen(tdomain) + strlen("signedkey") + 1);
if (output == NULL)
check_result(ISC_R_FAILURE, "isc_mem_allocate()");
fatal("out of memory");
strcpy(output, tdomain);
strcat(output, "signedkey");
......@@ -226,33 +266,45 @@ main(int argc, char *argv[]) {
check_result(result, "dns_db_create()");
result = dns_db_load(db, argv[0]);
check_result(result, "dns_db_load()");
if (result != ISC_R_SUCCESS)
fatal("failed to load database from '%s': %s", argv[0],
isc_result_totext(result));
version = NULL;
dns_db_newversion(db, &version);
node = NULL;
result = dns_db_findnode(db, domain, ISC_FALSE, &node);
check_result(result, "dns_db_findnode()");
if (result != ISC_R_SUCCESS)
fatal("failed to find database node '%s': %s",
nametostr(domain), isc_result_totext(result));
dns_rdataset_init(&rdataset);
dns_rdataset_init(&sigrdataset);
result = dns_db_findrdataset(db, node, version, dns_rdatatype_key, 0,
0, &rdataset, &sigrdataset);
check_result(result, "dns_db_findrdataset()");
if (result != ISC_R_SUCCESS)
fatal("failed to find rdataset '%s KEY': %s",
nametostr(domain), isc_result_totext(result));
loadkeys(domain, &rdataset);
if (!dns_rdataset_isassociated(&sigrdataset))
fatal("no SIG KEY set present");
result = dns_rdataset_first(&sigrdataset);
check_result(result, "dns_rdataset_first()");
do {
dns_rdataset_current(&sigrdataset, &sigrdata);
result = dns_rdata_tostruct(&sigrdata, &sig, mctx);
check_result(result, "dns_rdata_tostruct");
check_result(result, "dns_rdata_tostruct()");
key = findkey(&sig);
result = dns_dnssec_verify(domain, &rdataset, key,
ISC_TRUE, mctx, &sigrdata);
check_result(result, "dns_dnssec_verify");
if (result != ISC_R_SUCCESS)
fatal("signature by key '%s/%s/%d' did not verify: %s",
dst_key_name(key), algtostr(dst_key_alg(key)),
dst_key_id(key), isc_result_totext(result));
dns_rdata_freestruct(&sig);
result = dns_rdataset_next(&sigrdataset);
} while (result == ISC_R_SUCCESS);
......@@ -295,20 +347,26 @@ main(int argc, char *argv[]) {
key = NULL;
result = dst_key_fromfile(namestr, id, alg, DST_TYPE_PRIVATE,
mctx, &key);
check_result (result, "dst_key_fromfile()");
if (result != ISC_R_SUCCESS)
fatal("failed to read key %s/%s/%d from disk: %s",
dst_key_name(key), algtostr(dst_key_alg(key)),
dst_key_id(key), isc_result_totext(result));
isc_mem_put(mctx, namestr, strlen(namestr) + 1);
rdata = isc_mem_get(mctx, sizeof(dns_rdata_t));
if (rdata == NULL)
check_result(ISC_R_NOMEMORY, "isc_mem_get()");
fatal("out of memory");
data = isc_mem_get(mctx, BUFSIZE);
if (data == NULL)
check_result(ISC_R_NOMEMORY, "isc_mem_get()");
fatal("out of memory");
isc_buffer_init(&b, data, BUFSIZE);
result = dns_dnssec_sign(domain, &rdataset, key,
&sig.timesigned, &sig.timeexpire,
mctx, &b, rdata);
check_result (result, "dns_dnssec_sign()");
if (result != ISC_R_SUCCESS)
fatal("key '%s/%s/%d' failed to sign data: %s",
dst_key_name(key), algtostr(dst_key_alg(key)),
dst_key_id(key), isc_result_totext(result));
ISC_LIST_APPEND(sigrdatalist.rdata, rdata, link);
dst_key_free(key);
}
......@@ -323,7 +381,9 @@ main(int argc, char *argv[]) {
dns_db_detachnode(db, &node);
dns_db_closeversion(db, &version, ISC_TRUE);
result = dns_db_dump(db, version, output);
check_result(result, "dns_db_dump()");
if (result != ISC_R_SUCCESS)