author | Internet Software Consortium, Inc <@isc.org> | 2007-09-07 14:08:24 -0600 |
committer | LaMont Jones <lamont@debian.org> | 2007-09-07 14:08:24 -0600 |
commit | c5b102d4b4b76c54d5cf2576dae9b38d003f39a0 (patch) | |
tree | 007a0a3408afda5fd9ec2de4dd66bf32546c940f /bin/dnssec | |
parent | fc0b5c902db294dff1930e558f8dce9cf060fd42 (diff) | |
download | bind9-c5b102d4b4b76c54d5cf2576dae9b38d003f39a0.tar.gz |
9.0.0b5
Diffstat (limited to 'bin/dnssec')
-rw-r--r-- | bin/dnssec/Makefile.in | 34 | ||||
-rw-r--r-- | bin/dnssec/dnssec-keygen.c | 5 | ||||
-rw-r--r-- | bin/dnssec/dnssec-makekeyset.c | 3 | ||||
-rw-r--r-- | bin/dnssec/dnssec-signkey.c | 6 | ||||
-rw-r--r-- | bin/dnssec/dnssec-signzone.c | 201 | ||||
-rw-r--r-- | bin/dnssec/dnssectool.c | 110 | ||||
-rw-r--r-- | bin/dnssec/dnssectool.h | 6 |
7 files changed, 223 insertions, 142 deletions
diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in index 3a56ff88..c32e059f 100644 --- a/bin/dnssec/Makefile.in +++ b/bin/dnssec/Makefile.in @@ -13,6 +13,8 @@ # ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS # SOFTWARE. +# $Id: Makefile.in,v 1.7 2000/06/22 21:49:01 tale Exp $ + srcdir = @srcdir@ VPATH = @srcdir@ top_srcdir = @top_srcdir@ @@ -30,9 +32,9 @@ ISCLIBS = ../../lib/isc/libisc.@A@ DNSDEPLIBS = ../../lib/dns/libdns.@A@ ISCDEPLIBS = ../../lib/isc/libisc.@A@ -LIBS = @LIBS@ +DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS} -SUBDIRS = +LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@ # Alphabetically TARGETS = dnssec-keygen \ 
@@ -40,29 +42,25 @@ TARGETS = dnssec-keygen \ dnssec-signkey \ dnssec-signzone -SRCS = dnssec-keygen.c \ - dnssec-makekeyset.c \ - dnssec-signkey.c \ - dnssec-signzone.c \ +OBJS = dnssectool.@O@ + +SRCS = dnssec-keygen.c dnssec-makekeyset.c \ + dnssec-signkey.c dnssec-signzone.c \ dnssectool.c @BIND9_MAKE_RULES@ -dnssec-keygen: dnssec-keygen.@O@ dnssectool.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} - ${LIBTOOL} ${CC} ${CFLAGS} -o $@ dnssec-keygen.@O@ dnssectool.@O@ \ - ${DNSLIBS} ${ISCLIBS} ${LIBS} +dnssec-keygen: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS} + ${LIBTOOL} ${CC} ${CFLAGS} -o $@ dnssec-keygen.@O@ ${OBJS} ${LIBS} -dnssec-makekeyset: dnssec-makekeyset.@O@ dnssectool.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} - ${LIBTOOL} ${CC} ${CFLAGS} -o $@ dnssec-makekeyset.@O@ dnssectool.@O@ \ - ${DNSLIBS} ${ISCLIBS} ${LIBS} +dnssec-makekeyset: dnssec-makekeyset.@O@ ${OBJS} ${DEPLIBS} + ${LIBTOOL} ${CC} ${CFLAGS} -o $@ dnssec-makekeyset.@O@ ${OBJS} ${LIBS} -dnssec-signkey: dnssec-signkey.@O@ dnssectool.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} - ${LIBTOOL} ${CC} ${CFLAGS} -o $@ dnssec-signkey.@O@ dnssectool.@O@ \ - ${DNSLIBS} ${ISCLIBS} ${LIBS} +dnssec-signkey: dnssec-signkey.@O@ ${OBJS} ${DEPLIBS} + ${LIBTOOL} ${CC} ${CFLAGS} -o $@ dnssec-signkey.@O@ ${OBJS} ${LIBS} -dnssec-signzone: dnssec-signzone.@O@ dnssectool.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} - ${LIBTOOL} ${CC} ${CFLAGS} -o $@ dnssec-signzone.@O@ dnssectool.@O@ \ - ${DNSLIBS} ${ISCLIBS} ${LIBS} +dnssec-signzone: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS} + ${LIBTOOL} ${CC} ${CFLAGS} -o $@ dnssec-signzone.@O@ ${OBJS} ${LIBS} clean distclean:: rm -f ${TARGETS} diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c index c5579d84..09898622 100644 --- a/bin/dnssec/dnssec-keygen.c +++ b/bin/dnssec/dnssec-keygen.c @@ -17,7 +17,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-keygen.c,v 1.34 2000/06/10 01:28:06 bwelling Exp $ */ +/* $Id: dnssec-keygen.c,v 1.36 2000/06/22 02:48:12 bwelling Exp $ */ #include <config.h> 
@@ -326,6 +326,7 @@ main(int argc, char **argv) { /* generate the key */ ret = dst_key_generate(name, alg, size, param, flags, protocol, mctx, &key); + isc_entropy_stopcallbacksources(ectx); if (ret != ISC_R_SUCCESS) { fatal("failed to generate key %s/%s: %s\n", @@ -370,7 +371,7 @@ main(int argc, char **argv) { ret = dst_key_tofile(key, DST_TYPE_PUBLIC | DST_TYPE_PRIVATE, NULL); if (ret != ISC_R_SUCCESS) fatal("failed to write key %s/%s/%d: %s\n", nametostr(name), - dst_key_id(key), algtostr(alg), isc_result_totext(ret)); + algtostr(alg), dst_key_id(key), isc_result_totext(ret)); isc_buffer_clear(&buf); ret = dst_key_buildfilename(key, 0, NULL, &buf); diff --git a/bin/dnssec/dnssec-makekeyset.c b/bin/dnssec/dnssec-makekeyset.c index 9152e61a..a4497fa8 100644 --- a/bin/dnssec/dnssec-makekeyset.c +++ b/bin/dnssec/dnssec-makekeyset.c @@ -17,6 +17,8 @@ * PERFORMANCE OF THIS SOFTWARE. */ +/* $Id: dnssec-makekeyset.c,v 1.28 2000/06/22 21:49:02 tale Exp $ */ + #include <config.h> #include <stdlib.h> @@ -343,6 +345,7 @@ main(int argc, char *argv[]) { result = dns_dnssec_sign(domain, &rdataset, keynode->key, &starttime, &endtime, mctx, &b, rdata); + isc_entropy_stopcallbacksources(ectx); if (result != ISC_R_SUCCESS) fatal("failed to sign keyset with key %s/%s/%d: %s", nametostr(dst_key_name(keynode->key)), diff --git a/bin/dnssec/dnssec-signkey.c b/bin/dnssec/dnssec-signkey.c index 29fd2529..5bb56eae 100644 --- a/bin/dnssec/dnssec-signkey.c +++ b/bin/dnssec/dnssec-signkey.c @@ -17,6 +17,8 @@ * PERFORMANCE OF THIS SOFTWARE. */ +/* $Id: dnssec-signkey.c,v 1.28 2000/06/22 21:49:03 tale Exp $ */ + #include <config.h> #include <stdlib.h> 
@@ -325,9 +327,11 @@ main(int argc, char *argv[]) { result = dns_dnssec_sign(domain, &rdataset, key, &sig.timesigned, &sig.timeexpire, mctx, &b, rdata); + isc_entropy_stopcallbacksources(ectx); if (result != ISC_R_SUCCESS) fatal("key '%s/%s/%d' failed to sign data: %s", - dst_key_name(key), algtostr(dst_key_alg(key)), + nametostr(dst_key_name(key)), + algtostr(dst_key_alg(key)), dst_key_id(key), isc_result_totext(result)); ISC_LIST_APPEND(sigrdatalist.rdata, rdata, link); dst_key_free(&key); diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c index e1dbb2d5..cf056783 100644 --- a/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c @@ -17,6 +17,8 @@ * PERFORMANCE OF THIS SOFTWARE. */ +/* $Id: dnssec-signzone.c,v 1.81 2000/06/22 21:49:04 tale Exp $ */ + #include <config.h> #include <stdlib.h> @@ -75,6 +77,7 @@ static int cycle = -1; static isc_boolean_t tryverify = ISC_FALSE; static isc_mem_t *mctx = NULL; static isc_entropy_t *ectx = NULL; +static dns_ttl_t zonettl; static inline void set_bit(unsigned char *array, unsigned int index, unsigned int bit) { @@ -98,6 +101,7 @@ signwithkey(dns_name_t *name, dns_rdataset_t *rdataset, dns_rdata_t *rdata, dns_rdata_init(rdata); result = dns_dnssec_sign(name, rdataset, key, &starttime, &endtime, mctx, b, rdata); + isc_entropy_stopcallbacksources(ectx); if (result != ISC_R_SUCCESS) fatal("key '%s/%s/%d' failed to sign data: %s", nametostr(dst_key_name(key)), algtostr(dst_key_alg(key)), @@ -122,8 +126,7 @@ static inline isc_boolean_t iszonekey(signer_key_t *key, dns_db_t *db) { return (ISC_TF(dns_name_equal(dst_key_name(key->key), dns_db_origin(db)) && - (dst_key_flags(key->key) & DNS_KEYFLAG_OWNERMASK) == - DNS_KEYOWNER_ZONE)); + dst_key_iszonekey(key->key))); } /* 
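Review bot: The new file-scope `static dns_ttl_t zonettl;` in the @@ -75 hunk of dnssec-signzone.c carries no comment on who sets it or when it is valid; the only visible writer is `zonettl = minimumttl(db, version);` at the top of signzone() and the only visible reader is the dns_buildnxt() call in the same function, so promoting it from a signzone() local to a global suggests it is read from other functions outside these hunks. A one-line comment would pin that ordering dependency: `/* Zone minimum TTL taken from the SOA; set by signzone() before it iterates the zone. */`. The surrounding declaration block is outside the hunk.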
@@ -595,6 +598,9 @@ haschildkey(dns_db_t *db, dns_name_t *name) { dns_rdata_sig_t sig; signer_key_t *key; + dns_rdataset_init(&set); + dns_rdataset_init(&sigset); + isc_buffer_init(&b, filename, sizeof(filename) - 10); result = dns_name_totext(name, ISC_FALSE, &b); check_result(result, "dns_name_totext()"); @@ -609,8 +615,6 @@ haschildkey(dns_db_t *db, dns_name_t *name) { result = dns_db_findnode(newdb, name, ISC_FALSE, &newnode); if (result != ISC_R_SUCCESS) goto failure; - dns_rdataset_init(&set); - dns_rdataset_init(&sigset); result = dns_db_findrdataset(newdb, newnode, NULL, dns_rdatatype_key, 0, 0, &set, &sigset); if (result != ISC_R_SUCCESS) @@ -618,7 +622,7 @@ haschildkey(dns_db_t *db, dns_name_t *name) { if (!dns_rdataset_isassociated(&set) || !dns_rdataset_isassociated(&sigset)) - goto disfail; + goto failure; result = dns_rdataset_first(&sigset); check_result(result, "dns_rdataset_first()"); @@ -627,11 +631,11 @@ haschildkey(dns_db_t *db, dns_name_t *name) { dns_rdataset_current(&sigset, &sigrdata); result = dns_rdata_tostruct(&sigrdata, &sig, mctx); if (result != ISC_R_SUCCESS) - goto disfail; + goto failure; key = keythatsigned(&sig); dns_rdata_freestruct(&sig); if (key == NULL) - goto disfail; + goto failure; result = dns_dnssec_verify(name, &set, key->key, ISC_FALSE, mctx, &sigrdata); if (result == ISC_R_SUCCESS) { @@ -640,13 +644,11 @@ haschildkey(dns_db_t *db, dns_name_t *name) { } } - disfail: + failure: if (dns_rdataset_isassociated(&set)) dns_rdataset_disassociate(&set); if (dns_rdataset_isassociated(&sigset)) dns_rdataset_disassociate(&sigset); - - failure: if (newnode != NULL) dns_db_detachnode(newdb, &newnode); if (newdb != NULL) @@ -662,7 +664,7 @@ haschildkey(dns_db_t *db, dns_name_t *name) { */ static void signname(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node, - dns_name_t *name, isc_boolean_t atorigin) + dns_name_t *name) { isc_result_t result; dns_rdata_t rdata; 
@@ -671,6 +673,7 @@ signname(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node, isc_boolean_t isdelegation = ISC_FALSE; isc_boolean_t childkey = ISC_FALSE; static int warnwild = 0; + isc_boolean_t atorigin; if (dns_name_iswildcard(name)) { if (warnwild++ == 0) { @@ -685,6 +688,7 @@ signname(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node, fprintf(stderr, "%s: warning: wildcard name seen: %s\n", program, nametostr(name)); } + atorigin = dns_name_equal(name, dns_db_origin(db)); if (!atorigin) { dns_rdataset_t nsset; @@ -771,7 +775,6 @@ signname(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node, "setting KEY bit in NXT\n", nametostr(name)); } - #else if (isdelegation && !childkey) { dns_rdataset_t keyset; @@ -825,9 +828,8 @@ signname(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node, keyrdatalist.type = dns_rdatatype_key; keyrdatalist.covers = 0; keyrdatalist.ttl = rdataset.ttl; - result = - dns_rdatalist_tordataset(&keyrdatalist, - &keyset); + result = dns_rdatalist_tordataset(&keyrdatalist, + &keyset); check_result(result, "dns_rdatalist_tordataset"); dns_db_addrdataset(db, node, version, 0, @@ -835,11 +837,8 @@ signname(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node, NULL); set_bit(nxt_bits, dns_rdatatype_key, 1); signset(db, version, node, name, &keyset); - - dns_rdataset_disassociate(&keyset); - alreadyhavenullkey: - ; + dns_rdataset_disassociate(&keyset); } #endif } 
@@ -941,31 +940,23 @@ next_nonglue(dns_db_t *db, dns_dbversion_t *version, dns_dbiterator_t *dbiter, } /* - * Generates NXTs and SIGs for each non-glue name in the zone. + * Extracts the zone minimum TTL from the SOA. */ -static void -signzone(dns_db_t *db, dns_dbversion_t *version) { - isc_result_t result, nxtresult; - dns_dbnode_t *node, *nextnode, *curnode; - dns_fixedname_t fname, fnextname, fcurname; - dns_name_t *name, *nextname, *target, *curname, *lastcut; - dns_dbiterator_t *dbiter; - isc_boolean_t atorigin = ISC_TRUE; - dns_name_t *origin; +static dns_ttl_t +minimumttl(dns_db_t *db, dns_dbversion_t *version) { dns_rdataset_t soaset; + dns_name_t *origin; + dns_fixedname_t fname; + dns_name_t *name; dns_rdata_t soarr; dns_rdata_soa_t soa; - dns_ttl_t zonettl; - - dns_fixedname_init(&fname); - name = dns_fixedname_name(&fname); - dns_fixedname_init(&fnextname); - nextname = dns_fixedname_name(&fnextname); - dns_fixedname_init(&fcurname); - curname = dns_fixedname_name(&fcurname); + isc_result_t result; + dns_ttl_t ttl; origin = dns_db_origin(db); + dns_fixedname_init(&fname); + name = dns_fixedname_name(&fname); dns_rdataset_init(&soaset); result = dns_db_find(db, origin, version, dns_rdatatype_soa, 0, 0, NULL, name, &soaset, NULL); 
@@ -977,10 +968,36 @@ signzone(dns_db_t *db, dns_dbversion_t *version) { dns_rdataset_current(&soaset, &soarr); result = dns_rdata_tostruct(&soarr, &soa, mctx); check_result(result, "dns_rdataset_tostruct()"); - zonettl = soa.minimum; + ttl = soa.minimum; dns_rdata_freestruct(&soa); dns_rdataset_disassociate(&soaset); + return (ttl); +} + +/* + * Generates NXTs and SIGs for each non-glue name in the zone. + */ +static void +signzone(dns_db_t *db, dns_dbversion_t *version) { + isc_result_t result, nxtresult; + dns_dbnode_t *node, *nextnode, *curnode; + dns_fixedname_t fname, fnextname, fcurname; + dns_name_t *name, *nextname, *target, *curname, *lastcut; + dns_dbiterator_t *dbiter; + dns_name_t *origin; + + zonettl = minimumttl(db, version); + + dns_fixedname_init(&fname); + name = dns_fixedname_name(&fname); + dns_fixedname_init(&fnextname); + nextname = dns_fixedname_name(&fnextname); + dns_fixedname_init(&fcurname); + curname = dns_fixedname_name(&fcurname); + + origin = dns_db_origin(db); + lastcut = NULL; dbiter = NULL; result = dns_db_createiterator(db, ISC_FALSE, &dbiter); @@ -994,7 +1011,7 @@ signzone(dns_db_t *db, dns_dbversion_t *version) { nextnode = NULL; curnode = NULL; dns_dbiterator_current(dbiter, &curnode, curname); - if (!atorigin) { + if (!dns_name_equal(name, dns_db_origin(db))) { dns_rdatasetiter_t *rdsiter = NULL; dns_rdataset_t set; @@ -1045,8 +1062,7 @@ signzone(dns_db_t *db, dns_dbversion_t *version) { } nxtresult = dns_buildnxt(db, version, node, target, zonettl); check_result(nxtresult, "dns_buildnxt()"); - signname(db, version, node, curname, atorigin); - atorigin = ISC_FALSE; + signname(db, version, node, curname); dns_db_detachnode(db, &node); dns_db_detachnode(db, &curnode); node = nextnode; @@ -1061,6 +1077,9 @@ signzone(dns_db_t *db, dns_dbversion_t *version) { dns_dbiterator_destroy(&dbiter); } +/* + * Load the zone file from disk + */ static void loadzone(char *file, char *origin, dns_db_t **db) { isc_buffer_t b, b2; 
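Review bot: In the rebuilt signzone() the local `origin` is assigned with `origin = dns_db_origin(db);` but the per-node check in the @@ -994 hunk calls `dns_db_origin(db)` again, `if (!dns_name_equal(name, dns_db_origin(db)))`; within the visible hunks `origin` is never read, so either use it there (`if (!dns_name_equal(name, origin))`) or, if the rest of the body does not use it either, drop the variable to avoid an unused-variable warning. That same condition compares `name`, whereas the line just above fetched the current node's name into `curname` via dns_dbiterator_current(); please confirm `name` holds the current node's name at that point, since the SOA lookup that previously filled it has moved into minimumttl(). signzone()'s body continues outside the hunk.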
@@ -1091,27 +1110,22 @@ loadzone(char *file, char *origin, dns_db_t **db) { file, isc_result_totext(result)); } -static void -getversion(dns_db_t *db, dns_dbversion_t **version) { - isc_result_t result; - - result = dns_db_newversion(db, version); - check_result(result, "dns_db_newversion()"); -} - /* * Finds all public zone keys in the zone, and attempts to load the * private keys from disk. */ static void -loadzonekeys(dns_db_t *db, dns_dbversion_t *version) { +loadzonekeys(dns_db_t *db) { dns_name_t *origin; dns_dbnode_t *node; + dns_dbversion_t *currentversion; isc_result_t result; dst_key_t *keys[20]; unsigned int nkeys, i; origin = dns_db_origin(db); + currentversion = NULL; + dns_db_currentversion(db, ¤tversion); node = NULL; result = dns_db_findnode(db, origin, ISC_FALSE, &node); @@ -1119,7 +1133,7 @@ loadzonekeys(dns_db_t *db, dns_dbversion_t *version) { fatal("failed to find the zone's origin: %s", isc_result_totext(result)); - result = dns_dnssec_findzonekeys(db, version, node, origin, mctx, + result = dns_dnssec_findzonekeys(db, currentversion, node, origin, mctx, 20, keys, &nkeys); if (result == ISC_R_NOTFOUND) result = ISC_R_SUCCESS; @@ -1139,6 +1153,7 @@ loadzonekeys(dns_db_t *db, dns_dbversion_t *version) { ISC_LIST_APPEND(keylist, key, link); } dns_db_detachnode(db, &node); + dns_db_closeversion(db, ¤tversion, ISC_FALSE); } static isc_stdtime_t @@ -1218,6 +1233,7 @@ main(int argc, char *argv[]) { isc_log_t *log = NULL; isc_boolean_t pseudorandom = ISC_FALSE; unsigned int eflags; + isc_boolean_t free_output = ISC_FALSE; result = isc_mem_create(0, 0, &mctx); if (result != ISC_R_SUCCESS) 
@@ -1229,24 +1245,19 @@ main(int argc, char *argv[]) { != -1) { switch (ch) { case 's': - startstr = isc_mem_strdup(mctx, - isc_commandline_argument); - if (startstr == NULL) - fatal("out of memory"); + startstr = isc_commandline_argument; break; case 'e': - endstr = isc_mem_strdup(mctx, - isc_commandline_argument); - if (endstr == NULL) - fatal("out of memory"); + endstr = isc_commandline_argument; break; case 'c': endp = NULL; cycle = strtol(isc_commandline_argument, &endp, 0); - if (*endp != '\0') - fatal("cycle period must be numeric"); + if (*endp != '\0' || cycle < 0) + fatal("cycle period must be numeric and " + "positive"); break; case 'p': @@ -1254,10 +1265,7 @@ main(int argc, char *argv[]) { break; case 'r': - randomfile = isc_mem_strdup(mctx, - isc_commandline_argument); - if (randomfile == NULL) - fatal("out of memory"); + randomfile = isc_commandline_argument; break; case 'v': @@ -1268,17 +1276,11 @@ main(int argc, char *argv[]) { break; case 'o': - origin = isc_mem_strdup(mctx, - isc_commandline_argument); - if (origin == NULL) - fatal("out of memory"); + origin = isc_commandline_argument; break; case 'f': - output = isc_mem_strdup(mctx, - isc_commandline_argument); - if (output == NULL) - fatal("out of memory"); + output = isc_commandline_argument; break; case 'a': @@ -1293,8 +1295,6 @@ main(int argc, char *argv[]) { } setup_entropy(mctx, randomfile, &ectx); - if (randomfile != NULL) - isc_mem_free(mctx, randomfile); eflags = ISC_ENTROPY_BLOCKING; if (!pseudorandom) eflags |= ISC_ENTROPY_GOODONLY; 
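Review bot: The tightened `-c` check still accepts an empty argument and an out-of-range value: with `cycle = strtol(isc_commandline_argument, &endp, 0)`, an empty string leaves `*endp == '\0'` and cycle 0, and ERANGE is never inspected, so a bogus value passes as a valid period. Set `errno = 0` before the call (errno.h if not already included) and check `if (endp == isc_commandline_argument || *endp != '\0' || errno == ERANGE || cycle < 0)`. The message `"cycle period must be numeric and positive"` is also slightly off because 0 is accepted; "non-negative" matches the check. The option switch continues outside the hunk.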
@@ -1304,23 +1304,18 @@ main(int argc, char *argv[]) { isc_stdtime_get(&now); - if (startstr != NULL) { + if (startstr != NULL) starttime = strtotime(startstr, now, now); - isc_mem_free(mctx, startstr); - } else starttime = now; - if (endstr != NULL) { + if (endstr != NULL) endtime = strtotime(endstr, now, starttime); - isc_mem_free(mctx, endstr); - } else endtime = starttime + (30 * 24 * 60 * 60); - if (cycle == -1) { + if (cycle == -1) cycle = (endtime - starttime) / 4; - } setup_logging(verbose, mctx, &log); @@ -1330,38 +1325,28 @@ main(int argc, char *argv[]) { if (argc < 1) usage(); - file = isc_mem_strdup(mctx, argv[0]); - if (file == NULL) - fatal("out of memory"); + file = argv[0]; argc -= 1; argv += 1; if (output == NULL) { + free_output = ISC_TRUE; output = isc_mem_allocate(mctx, - strlen(file) + strlen(".signed") + 1); + strlen(file) + strlen(".signed") + 1); if (output == NULL) fatal("out of memory"); sprintf(output, "%s.signed", file); } - if (origin == NULL) { - origin = isc_mem_allocate(mctx, strlen(file) + 2); - if (origin == NULL) - fatal("out of memory"); - strcpy(origin, file); - if (file[strlen(file) - 1] != '.') - strcat(origin, "."); - } + if (origin == NULL) + origin = file; db = NULL; loadzone(file, origin, &db); - version = NULL; - getversion(db, &version); - ISC_LIST_INIT(keylist); - loadzonekeys(db, version); + loadzonekeys(db); if (argc == 0) { signer_key_t *key; @@ -1412,6 +1397,10 @@ main(int argc, char *argv[]) { } } + version = NULL; + result = dns_db_newversion(db, &version); + check_result(result, "dns_db_newversion()"); + signzone(db, version); /* 
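Review bot: `origin = file;` replaces the previous default that copied the file name and appended a trailing `.` when one was missing, so a zone file named `example.com` now yields the origin text `example.com` with no terminating dot; whether that is still parsed as an absolute name depends on the origin argument loadzone() hands to the name parser, which is outside these hunks — please confirm, or keep the old normalization. If dropping it is intended, usage() should say the default origin is the file name exactly as given. main()'s body continues outside the hunk.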
@@ -1426,22 +1415,20 @@ main(int argc, char *argv[]) { dns_db_detach(&db); - key = ISC_LIST_HEAD(keylist); - while (key != NULL) { - signer_key_t *next = ISC_LIST_NEXT(key, link); + while (!ISC_LIST_EMPTY(keylist)) { + key = ISC_LIST_HEAD(keylist); + ISC_LIST_UNLINK(keylist, key, link); dst_key_free(&key->key); isc_mem_put(mctx, key, sizeof(signer_key_t)); - key = next; } - isc_mem_free(mctx, origin); - isc_mem_free(mctx, file); - isc_mem_free(mctx, output); + if (free_output) + isc_mem_free(mctx, output); if (log != NULL) isc_log_destroy(&log); - cleanup_entropy(&ectx); dst_lib_destroy(); + cleanup_entropy(&ectx); if (verbose > 10) isc_mem_stats(mctx, stdout); isc_mem_destroy(&mctx); diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c index ee08b08c..fd051995 100644 --- a/bin/dnssec/dnssectool.c +++ b/bin/dnssec/dnssectool.c @@ -15,13 +15,17 @@ * SOFTWARE. */ +/* $Id: dnssectool.c,v 1.12 2000/06/22 21:49:05 tale Exp $ */ + #include <config.h> #include <stdlib.h> #include <isc/buffer.h> #include <isc/entropy.h> +#include <isc/keyboard.h> #include <isc/string.h> +#include <isc/time.h> #include <isc/util.h> #include <dns/log.h> @@ -35,7 +39,9 @@ extern int verbose; extern const char *program; -static isc_entropysource_t *filesource = NULL; +static isc_entropysource_t *source = NULL; +static isc_keyboard_t kbd; +static isc_boolean_t wantkeyboard = ISC_FALSE; void fatal(const char *format, ...) { 
@@ -168,28 +174,106 @@ setup_logging(int verbose, isc_mem_t *mctx, isc_log_t **logp) { *logp = log; } +static isc_result_t +kbdstart(isc_entropysource_t *source, void *arg, isc_boolean_t blocking) { + isc_keyboard_t *kbd = (isc_keyboard_t *)arg; + static isc_boolean_t first = ISC_TRUE; + + UNUSED(source); + + if (!blocking) + return (ISC_R_NOENTROPY); + if (first) { + if (!wantkeyboard) { + fprintf(stderr, "You must use the keyboard to create " + "entropy, since your system is lacking\n"); + fprintf(stderr, "/dev/random\n\n"); + } + first = ISC_FALSE; + } + fprintf(stderr, "start typing:\n"); + return (isc_keyboard_open(kbd)); +} + +static void +kbdstop(isc_entropysource_t *source, void *arg) { + isc_keyboard_t *kbd = (isc_keyboard_t *)arg; + + UNUSED(source); + + fprintf(stderr, "stop typing.\r\n"); + (void)isc_keyboard_close(kbd, 3); +} + +static isc_result_t +kbdget(isc_entropysource_t *source, void *arg, isc_boolean_t blocking) { + isc_keyboard_t *kbd = (isc_keyboard_t *)arg; + isc_result_t result; + isc_time_t t; + isc_uint32_t sample; + isc_uint32_t extra; + unsigned char c; + + if (!blocking) + return (ISC_R_NOENTROPY); + + result = isc_keyboard_getchar(kbd, &c); + if (result != ISC_R_SUCCESS) + return (result); + + result = isc_time_now(&t); + if (result != ISC_R_SUCCESS) + return (result); + + sample = isc_time_nanoseconds(&t); + extra = c; + + result = isc_entropy_addcallbacksample(source, sample, extra); + if (result != ISC_R_SUCCESS) { + fprintf(stderr, "\r\n"); + return (result); + } + + fprintf(stderr, "."); + fflush(stderr); + + return (result); +} + void setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { isc_result_t result; + result = isc_entropy_create(mctx, ectx); if (result != ISC_R_SUCCESS) fatal("could not create entropy object"); - if (randomfile != NULL) { - result = isc_entropy_createfilesource(*ectx, randomfile, 0, - &filesource); - if (result == ISC_R_SUCCESS) - return; + if (randomfile != NULL && 
strcasecmp(randomfile, "keyboard") != 0) { + result = isc_entropy_createfilesource(*ectx, randomfile); + if (result != ISC_R_SUCCESS) + fatal("could not open randomdev %s: %s", randomfile, + isc_result_totext(result)); + } + else { + if (randomfile == NULL) { + result = isc_entropy_createfilesource(*ectx, + "/dev/random"); + if (result == ISC_R_SUCCESS) + return; + } + else + wantkeyboard = ISC_TRUE; + result = isc_entropy_createcallbacksource(*ectx, kbdstart, + kbdget, kbdstop, + &kbd, &source); + if (result != ISC_R_SUCCESS) + fatal("failed to open keyboard: %s\n", + isc_result_totext(result)); } - result = isc_entropy_createfilesource(*ectx, "/dev/random", 0, - &filesource); - if (result != ISC_R_SUCCESS) - fatal("No randomfile specified, and /dev/random not present."); - return; } void cleanup_entropy(isc_entropy_t **ectx) { - if (filesource != NULL) - isc_entropy_destroysource(&filesource); + if (source != NULL) + isc_entropy_destroysource(&source); isc_entropy_detach(ectx); } diff --git a/bin/dnssec/dnssectool.h b/bin/dnssec/dnssectool.h index 342f8f68..2ab08e91 100644 --- a/bin/dnssec/dnssectool.h +++ b/bin/dnssec/dnssectool.h @@ -15,11 +15,15 @@ * SOFTWARE. */ +/* $Id: dnssectool.h,v 1.6 2000/06/22 21:49:07 tale Exp $ */ + #ifndef DNSSECTOOL_H #define DNSSECTOOL_H 1 +#include <isc/log.h> + void -fatal(const char *format, ...); +fatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2); void check_result(isc_result_t result, const char *message); |
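Review bot: In the new kbdstart()/kbdstop()/kbdget() callbacks the parameters `source` and `kbd` shadow the file-scope statics `source` and `kbd` declared in the @@ -35 hunk of dnssectool.c, so `-Wshadow` fires and a reader of `isc_entropy_addcallbacksample(source, sample, extra)` has to work out which `source` is meant; renaming the parameters (e.g. `src`, `kb`) removes the ambiguity. kbdget() would also benefit from a comment stating what feeds the pool, since it is not obvious from the calls: `/* sample = keystroke arrival time in ns, extra = the key pressed */`. In setup_entropy() a `-r <file>` that cannot be opened is now fatal instead of silently falling through to /dev/random as before; that is the more conservative behavior, but it is a user-visible change worth documenting.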