diff options
| author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-27 10:36:22 +0000 |
|---|---|---|
| committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-27 10:36:22 +0000 |
| commit | b88bb292821fd7742604ec4e280acebd9a049f62 (patch) | |
| tree | 625e4e19e6619f7481e5a8103f876520950769f6 /src/utils | |
| parent | Initial commit. (diff) | |
| download | knot-b88bb292821fd7742604ec4e280acebd9a049f62.tar.xz knot-b88bb292821fd7742604ec4e280acebd9a049f62.zip | |
Adding upstream version 3.0.5.upstream/3.0.5upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'src/utils')
65 files changed, 18573 insertions, 0 deletions
diff --git a/src/utils/Makefile.inc b/src/utils/Makefile.inc new file mode 100644 index 0000000..ab3d550 --- /dev/null +++ b/src/utils/Makefile.inc @@ -0,0 +1,170 @@ +bin_PROGRAMS = +sbin_PROGRAMS = + +if HAVE_LIBUTILS +noinst_LTLIBRARIES += libknotus.la + +libknotus_la_CPPFLAGS = $(AM_CPPFLAGS) $(CFLAG_VISIBILITY) $(libidn2_CFLAGS) \ + $(libidn_CFLAGS) $(libedit_CFLAGS) $(libnghttp2_CFLAGS) \ + $(gnutls_CFLAGS) +libknotus_la_LDFLAGS = $(AM_LDFLAGS) $(LDFLAG_EXCLUDE_LIBS) +libknotus_la_LIBADD = libcontrib.la libknot.la $(libidn2_LIBS) $(libidn_LIBS) \ + $(libedit_LIBS) $(libnghttp2_LIBS) $(gnutls_LIBS) + +libknotus_la_SOURCES = \ + utils/common/cert.c \ + utils/common/cert.h \ + utils/common/exec.c \ + utils/common/exec.h \ + utils/common/hex.c \ + utils/common/hex.h \ + utils/common/https.c \ + utils/common/https.h \ + utils/common/lookup.c \ + utils/common/lookup.h \ + utils/common/msg.c \ + utils/common/msg.h \ + utils/common/netio.c \ + utils/common/netio.h \ + utils/common/params.c \ + utils/common/params.h \ + utils/common/resolv.c \ + utils/common/resolv.h \ + utils/common/sign.c \ + utils/common/sign.h \ + utils/common/tls.c \ + utils/common/tls.h \ + utils/common/token.c \ + utils/common/token.h +endif HAVE_LIBUTILS + +if HAVE_UTILS +bin_PROGRAMS += kdig khost knsec3hash knsupdate + +kdig_SOURCES = \ + utils/kdig/kdig_exec.c \ + utils/kdig/kdig_exec.h \ + utils/kdig/kdig_main.c \ + utils/kdig/kdig_params.c \ + utils/kdig/kdig_params.h + +khost_SOURCES = \ + utils/kdig/kdig_exec.c \ + utils/kdig/kdig_exec.h \ + utils/kdig/kdig_params.c \ + utils/kdig/kdig_params.h \ + utils/khost/khost_main.c \ + utils/khost/khost_params.c \ + utils/khost/khost_params.h + +knsec3hash_SOURCES = \ + utils/knsec3hash/knsec3hash.c + +knsupdate_SOURCES = \ + utils/knsupdate/knsupdate_exec.c \ + utils/knsupdate/knsupdate_exec.h \ + utils/knsupdate/knsupdate_main.c \ + utils/knsupdate/knsupdate_params.c \ + utils/knsupdate/knsupdate_params.h + +kdig_CPPFLAGS = $(AM_CPPFLAGS) $(gnutls_CFLAGS) $(libnghttp2_CFLAGS) +kdig_LDADD = libknotus.la +khost_CPPFLAGS = $(AM_CPPFLAGS) $(gnutls_CFLAGS) $(libnghttp2_CFLAGS) +khost_LDADD = libknotus.la +knsec3hash_CPPFLAGS = $(AM_CPPFLAGS) +knsec3hash_LDADD = libcontrib.la libdnssec.la libknot.la +knsupdate_CPPFLAGS = $(AM_CPPFLAGS) $(gnutls_CFLAGS) $(libnghttp2_CFLAGS) +knsupdate_LDADD = libknotus.la libzscanner.la + +if HAVE_DNSTAP +kdig_CPPFLAGS += $(DNSTAP_CFLAGS) +kdig_LDADD += $(DNSTAP_LIBS) libdnstap.la +khost_CPPFLAGS += $(DNSTAP_CFLAGS) +khost_LDADD += $(DNSTAP_LIBS) libdnstap.la +endif HAVE_DNSTAP + +if ENABLE_XDP +sbin_PROGRAMS += kxdpgun +kxdpgun_SOURCES = \ + utils/kxdpgun/load_queries.c \ + utils/kxdpgun/load_queries.h \ + utils/kxdpgun/main.c \ + utils/kxdpgun/popenve.c \ + utils/kxdpgun/popenve.h + +kxdpgun_CPPFLAGS = $(AM_CPPFLAGS) +kxdpgun_LDADD = libcontrib.la libknot.la $(pthread_LIBS) $(cap_ng_LIBS) +endif ENABLE_XDP +endif HAVE_UTILS + +if HAVE_DAEMON +# Create storage and run-time directories +install-data-hook: + $(INSTALL) -d $(DESTDIR)/@config_dir@ + $(INSTALL) -d $(DESTDIR)/@run_dir@ + $(INSTALL) -d $(DESTDIR)/@storage_dir@ + +sbin_PROGRAMS += knotc knotd + +knotc_SOURCES = \ + utils/knotc/commands.c \ + utils/knotc/commands.h \ + utils/knotc/interactive.c \ + utils/knotc/interactive.h \ + utils/knotc/process.c \ + utils/knotc/process.h \ + utils/knotc/main.c + +knotd_SOURCES = \ + utils/knotd/main.c + +knotc_CPPFLAGS = $(AM_CPPFLAGS) $(CFLAG_VISIBILITY) $(libedit_CFLAGS) \ + $(lmdb_CFLAGS) +knotc_LDADD = libcontrib.la libknotd.la libknotus.la $(libedit_LIBS) +knotc_LDFLAGS = $(AM_LDFLAGS) -rdynamic +knotd_CPPFLAGS = $(AM_CPPFLAGS) $(CFLAG_VISIBILITY) $(liburcu_CFLAGS) \ + $(lmdb_CFLAGS) +knotd_LDADD = $(malloc_LIBS) libcontrib.la libknotd.la $(liburcu_LIBS) \ + $(cap_ng_LIBS) +knotd_LDFLAGS = $(AM_LDFLAGS) -rdynamic + +if HAVE_UTILS +bin_PROGRAMS += kzonecheck kzonesign +sbin_PROGRAMS += keymgr kjournalprint kcatalogprint + +kzonecheck_SOURCES = \ + utils/kzonecheck/main.c \ + utils/kzonecheck/zone_check.c \ + utils/kzonecheck/zone_check.h + +kzonesign_SOURCES = \ + utils/kzonesign/main.c + +keymgr_SOURCES = \ + utils/keymgr/bind_privkey.c \ + utils/keymgr/bind_privkey.h \ + utils/keymgr/functions.c \ + utils/keymgr/functions.h \ + utils/keymgr/offline_ksk.c \ + utils/keymgr/offline_ksk.h \ + utils/keymgr/main.c + +kjournalprint_SOURCES = \ + utils/kjournalprint/main.c + +kcatalogprint_SOURCES = \ + utils/kcatalogprint/main.c + +kzonecheck_CPPFLAGS = $(AM_CPPFLAGS) $(lmdb_CFLAGS) +kzonecheck_LDADD = libcontrib.la libknotd.la +kzonesign_CPPFLAGS = $(AM_CPPFLAGS) $(lmdb_CFLAGS) +kzonesign_LDADD = libcontrib.la libknotd.la +keymgr_CPPFLAGS = $(AM_CPPFLAGS) $(gnutls_CFLAGS) $(lmdb_CFLAGS) +keymgr_LDADD = libcontrib.la libknotd.la libknotus.la libdnssec.la \ + libzscanner.la +kjournalprint_CPPFLAGS = $(AM_CPPFLAGS) $(lmdb_CFLAGS) +kjournalprint_LDADD = libcontrib.la libknotd.la +kcatalogprint_CPPFLAGS = $(AM_CPPFLAGS) $(lmdb_CFLAGS) +kcatalogprint_LDADD = libcontrib.la libknotd.la +endif HAVE_UTILS +endif HAVE_DAEMON diff --git a/src/utils/common/cert.c b/src/utils/common/cert.c new file mode 100644 index 0000000..1b76b23 --- /dev/null +++ b/src/utils/common/cert.c @@ -0,0 +1,61 @@ +/* Copyright (C) 2016 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#include <gnutls/abstract.h> +#include <gnutls/crypto.h> + +#include "utils/common/cert.h" +#include "libknot/error.h" + +static int spki_hash(gnutls_x509_crt_t cert, gnutls_digest_algorithm_t alg, + uint8_t *hash, size_t size) +{ + if (!cert || !hash || gnutls_hash_get_len(alg) != size) { + return KNOT_EINVAL; + } + + gnutls_pubkey_t key = { 0 }; + if (gnutls_pubkey_init(&key) != GNUTLS_E_SUCCESS) { + return KNOT_ENOMEM; + } + + if (gnutls_pubkey_import_x509(key, cert, 0) != GNUTLS_E_SUCCESS) { + gnutls_pubkey_deinit(key); + return KNOT_ERROR; + } + + gnutls_datum_t der = { 0 }; + if (gnutls_pubkey_export2(key, GNUTLS_X509_FMT_DER, &der) != GNUTLS_E_SUCCESS) { + gnutls_pubkey_deinit(key); + return KNOT_ERROR; + } + + int ret = gnutls_hash_fast(alg, der.data, der.size, hash); + + gnutls_free(der.data); + gnutls_pubkey_deinit(key); + + if (ret != GNUTLS_E_SUCCESS) { + return KNOT_ERROR; + } + + return KNOT_EOK; +} + +int cert_get_pin(gnutls_x509_crt_t cert, uint8_t *pin, size_t size) +{ + return spki_hash(cert, GNUTLS_DIG_SHA256, pin, size); +} diff --git a/src/utils/common/cert.h b/src/utils/common/cert.h new file mode 100644 index 0000000..51e3d53 --- /dev/null +++ b/src/utils/common/cert.h @@ -0,0 +1,36 @@ +/* Copyright (C) 2016 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#pragma once + +#include <gnutls/x509.h> +#include <stdint.h> +#include <stdlib.h> + +#define CERT_PIN_LEN 32 + +/*! + * \brief Get certificate pin value. + * + * The pin is a SHA-256 hash of the X.509 SubjectPublicKeyInfo. + * + * \param[in] crt Certificate. + * \param[out] pin Pin. + * \param[in] size Length of the pin, must be CERT_PIN_LEN. + * + * \return Error code, KNOT_EOK if successful. + */ +int cert_get_pin(gnutls_x509_crt_t crt, uint8_t *pin, size_t size); diff --git a/src/utils/common/exec.c b/src/utils/common/exec.c new file mode 100644 index 0000000..0791614 --- /dev/null +++ b/src/utils/common/exec.c @@ -0,0 +1,736 @@ +/* Copyright (C) 2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#include <arpa/inet.h> +#include <stdlib.h> +#include <time.h> + +#include "libdnssec/random.h" +#include "utils/common/exec.h" +#include "utils/common/msg.h" +#include "utils/common/netio.h" +#include "utils/common/params.h" +#include "libknot/libknot.h" +#include "contrib/ctype.h" +#include "contrib/sockaddr.h" +#include "contrib/openbsd/strlcat.h" +#include "contrib/ucw/lists.h" +#include "contrib/wire_ctx.h" + +static knot_lookup_t rtypes[] = { + { KNOT_RRTYPE_A, "has IPv4 address" }, + { KNOT_RRTYPE_NS, "nameserver is" }, + { KNOT_RRTYPE_CNAME, "is an alias for" }, + { KNOT_RRTYPE_SOA, "start of authority is" }, + { KNOT_RRTYPE_PTR, "points to" }, + { KNOT_RRTYPE_MX, "mail is handled by" }, + { KNOT_RRTYPE_TXT, "description is" }, + { KNOT_RRTYPE_AAAA, "has IPv6 address" }, + { KNOT_RRTYPE_LOC, "location is" }, + { KNOT_RRTYPE_DS, "delegation signature is" }, + { KNOT_RRTYPE_SSHFP, "SSH fingerprint is" }, + { KNOT_RRTYPE_RRSIG, "RR set signature is" }, + { KNOT_RRTYPE_DNSKEY, "DNSSEC key is" }, + { KNOT_RRTYPE_TLSA, "has TLS certificate" }, + { 0, NULL } +}; + +static void print_header(const knot_pkt_t *packet, const style_t *style) +{ + char flags[64] = ""; + char unknown_rcode[64] = ""; + char unknown_opcode[64] = ""; + + const char *rcode_str = NULL; + const char *opcode_str = NULL; + + // Get extended RCODE. + const char *code_name = knot_pkt_ext_rcode_name(packet); + if (code_name[0] != '\0') { + rcode_str = code_name; + } else { + uint16_t code = knot_pkt_ext_rcode(packet); + (void)snprintf(unknown_rcode, sizeof(unknown_rcode), "RCODE %d", code); + rcode_str = unknown_rcode; + } + + // Get OPCODE. + uint8_t code = knot_wire_get_opcode(packet->wire); + const knot_lookup_t *opcode = knot_lookup_by_id(knot_opcode_names, code); + if (opcode != NULL) { + opcode_str = opcode->name; + } else { + (void)snprintf(unknown_opcode, sizeof(unknown_opcode), "OPCODE %d", code); + opcode_str = unknown_opcode; + } + + // Get flags. + size_t flags_rest = sizeof(flags); + const size_t flag_len = 4; + if (knot_wire_get_qr(packet->wire) != 0 && flags_rest > flag_len) { + flags_rest -= strlcat(flags, " qr", flags_rest); + } + if (knot_wire_get_aa(packet->wire) != 0 && flags_rest > flag_len) { + flags_rest -= strlcat(flags, " aa", flags_rest); + } + if (knot_wire_get_tc(packet->wire) != 0 && flags_rest > flag_len) { + flags_rest -= strlcat(flags, " tc", flags_rest); + } + if (knot_wire_get_rd(packet->wire) != 0 && flags_rest > flag_len) { + flags_rest -= strlcat(flags, " rd", flags_rest); + } + if (knot_wire_get_ra(packet->wire) != 0 && flags_rest > flag_len) { + flags_rest -= strlcat(flags, " ra", flags_rest); + } + if (knot_wire_get_z(packet->wire) != 0 && flags_rest > flag_len) { + flags_rest -= strlcat(flags, " z", flags_rest); + } + if (knot_wire_get_ad(packet->wire) != 0 && flags_rest > flag_len) { + flags_rest -= strlcat(flags, " ad", flags_rest); + } + if (knot_wire_get_cd(packet->wire) != 0 && flags_rest > flag_len) { + strlcat(flags, " cd", flags_rest); + } + + uint16_t id = knot_wire_get_id(packet->wire); + uint16_t qdcount = knot_wire_get_qdcount(packet->wire); + uint16_t ancount = knot_wire_get_ancount(packet->wire); + uint16_t nscount = knot_wire_get_nscount(packet->wire); + uint16_t arcount = knot_wire_get_arcount(packet->wire); + + if (knot_pkt_has_tsig(packet)) { + arcount++; + } + + // Print formatted info. + switch (style->format) { + case FORMAT_NSUPDATE: + printf(";; ->>HEADER<<- opcode: %s; status: %s; id: %u\n" + ";; Flags:%1s; " + "ZONE: %u; PREREQ: %u; UPDATE: %u; ADDITIONAL: %u\n", + opcode_str, rcode_str, id, flags, qdcount, ancount, + nscount, arcount); + break; + default: + printf(";; ->>HEADER<<- opcode: %s; status: %s; id: %u\n" + ";; Flags:%1s; " + "QUERY: %u; ANSWER: %u; AUTHORITY: %u; ADDITIONAL: %u\n", + opcode_str, rcode_str, id, flags, qdcount, ancount, + nscount, arcount); + break; + } +} + +static void print_footer(const size_t total_len, + const size_t msg_count, + const size_t rr_count, + const net_t *net, + const float elapsed, + time_t exec_time, + const bool incoming) +{ + struct tm tm; + char date[64]; + + // Get current timestamp. + if (exec_time == 0) { + exec_time = time(NULL); + } + + // Create formatted date-time string. + localtime_r(&exec_time, &tm); + strftime(date, sizeof(date), "%Y-%m-%d %H:%M:%S %Z", &tm); + + // Print messages statistics. + if (incoming) { + printf(";; Received %zu B", total_len); + } else { + printf(";; Sent %zu B", total_len); + } + + // If multimessage (XFR) print additional statistics. + if (msg_count > 0) { + printf(" (%zu messages, %zu records)\n", msg_count, rr_count); + } else { + printf("\n"); + } + // Print date. + printf(";; Time %s\n", date); + + // Print connection statistics. + if (net != NULL) { + if (incoming) { + printf(";; From %s", net->remote_str); + } else { + printf(";; To %s", net->remote_str); + } + + if (elapsed >= 0) { + printf(" in %.1f ms\n", elapsed); + } else { + printf("\n"); + } + } +} + +static void print_hex(const uint8_t *data, uint16_t len) +{ + for (int i = 0; i < len; i++) { + printf("%02X", data[i]); + } +} + +static void print_nsid(const uint8_t *data, uint16_t len) +{ + if (len == 0) { + return; + } + + print_hex(data, len); + + // Check if printable string. + for (int i = 0; i < len; i++) { + if (!is_print(data[i])) { + return; + } + } + printf(" \"%.*s\"", len, data); +} + +static bool print_text(const uint8_t *data, uint16_t len) +{ + if (len == 0) { + return false; + } + + // Check if printable string. + for (int i = 0; i < len; i++) { + if (!is_print(data[i])) { + return false; + } + } + printf("%.*s", len, data); + return true; +} + +static void print_edns_client_subnet(const uint8_t *data, uint16_t len) +{ + knot_edns_client_subnet_t ecs = { 0 }; + int ret = knot_edns_client_subnet_parse(&ecs, data, len); + if (ret != KNOT_EOK) { + return; + } + + struct sockaddr_storage addr = { 0 }; + ret = knot_edns_client_subnet_get_addr(&addr, &ecs); + assert(ret == KNOT_EOK); + + char addr_str[SOCKADDR_STRLEN] = { 0 }; + sockaddr_tostr(addr_str, sizeof(addr_str), &addr); + + printf("%s/%u/%u", addr_str, ecs.source_len, ecs.scope_len); +} + +static void print_ede(const uint8_t *data, uint16_t len) +{ + if (len < 2) { + printf("(malformed)"); + return; + } + uint16_t errcode = be16toh(*(uint16_t *)data); + const char *strerr = knot_edns_ede_strerr(errcode); + if (len > 2) { + printf("%hu (%s): '%.*s'", errcode, strerr, (int)(len - 2), data + 2); + } else { + printf("%hu (%s)", errcode, strerr); + } +} + +static void print_section_opt(const knot_pkt_t *packet, const style_t *style) +{ + char unknown_ercode[64] = ""; + const char *ercode_str = NULL; + + uint16_t ercode = knot_edns_get_ext_rcode(packet->opt_rr); + if (ercode > 0) { + ercode = knot_edns_whole_rcode(ercode, + knot_wire_get_rcode(packet->wire)); + } + + const knot_lookup_t *item = knot_lookup_by_id(knot_rcode_names, ercode); + if (item != NULL) { + ercode_str = item->name; + } else { + (void)snprintf(unknown_ercode, sizeof(unknown_ercode), "RCODE %d", ercode); + ercode_str = unknown_ercode; + } + + printf("Version: %u; flags: %s; UDP size: %u B; ext-rcode: %s\n", + knot_edns_get_version(packet->opt_rr), + (knot_edns_do(packet->opt_rr) != 0) ? "do" : "", + knot_edns_get_payload(packet->opt_rr), + ercode_str); + + assert(packet->opt_rr->rrs.count > 0); + knot_rdata_t *rdata = packet->opt_rr->rrs.rdata; + wire_ctx_t wire = wire_ctx_init_const(rdata->data, rdata->len); + + while (wire_ctx_available(&wire) >= KNOT_EDNS_OPTION_HDRLEN) { + uint16_t opt_code = wire_ctx_read_u16(&wire); + uint16_t opt_len = wire_ctx_read_u16(&wire); + uint8_t *opt_data = wire.position; + + if (wire.error != KNOT_EOK) { + WARN("invalid OPT record data\n"); + return; + } + + switch (opt_code) { + case KNOT_EDNS_OPTION_NSID: + printf(";; NSID: "); + print_nsid(opt_data, opt_len); + break; + case KNOT_EDNS_OPTION_CLIENT_SUBNET: + printf(";; CLIENT-SUBNET: "); + print_edns_client_subnet(opt_data, opt_len); + break; + case KNOT_EDNS_OPTION_PADDING: + printf(";; PADDING: %u B", opt_len); + break; + case KNOT_EDNS_OPTION_COOKIE: + printf(";; COOKIE: "); + print_hex(opt_data, opt_len); + break; + case KNOT_EDNS_OPTION_EDE: + printf(";; EDE: "); + print_ede(opt_data, opt_len); + break; + default: + printf(";; Option (%u): ", opt_code); + if (style->show_edns_opt_text) { + if (!print_text(opt_data, opt_len)) { + print_hex(opt_data, opt_len); + } + } else { + print_hex(opt_data, opt_len); + } + } + printf("\n"); + + wire_ctx_skip(&wire, opt_len); + } + + if (wire_ctx_available(&wire) > 0) { + WARN("invalid OPT record data\n"); + } +} + +static void print_section_question(const knot_dname_t *owner, + const uint16_t qclass, + const uint16_t qtype, + const style_t *style) +{ + size_t buflen = 8192; + char *buf = calloc(buflen, 1); + + // Don't print zero TTL. + knot_dump_style_t qstyle = style->style; + qstyle.empty_ttl = true; + + knot_rrset_t *question = knot_rrset_new(owner, qtype, qclass, 0, NULL); + + if (knot_rrset_txt_dump_header(question, 0, buf, buflen, &qstyle) < 0) { + WARN("can't print whole question section\n"); + } + + printf("%s\n", buf); + + knot_rrset_free(question, NULL); + free(buf); +} + +static void print_section_full(const knot_rrset_t *rrsets, + const uint16_t count, + const style_t *style, + const bool no_tsig) +{ + size_t buflen = 8192; + char *buf = calloc(buflen, 1); + + for (size_t i = 0; i < count; i++) { + // Ignore OPT records. + if (rrsets[i].type == KNOT_RRTYPE_OPT) { + continue; + } + + // Exclude TSIG record. + if (no_tsig && rrsets[i].type == KNOT_RRTYPE_TSIG) { + continue; + } + + if (knot_rrset_txt_dump(&rrsets[i], &buf, &buflen, + &(style->style)) < 0) { + WARN("can't print whole section\n"); + break; + } + printf("%s", buf); + } + + free(buf); +} + +static void print_section_dig(const knot_rrset_t *rrsets, + const uint16_t count, + const style_t *style) +{ + size_t buflen = 8192; + char *buf = calloc(buflen, 1); + + for (size_t i = 0; i < count; i++) { + const knot_rrset_t *rrset = &rrsets[i]; + uint16_t rrset_rdata_count = rrset->rrs.count; + for (uint16_t j = 0; j < rrset_rdata_count; j++) { + while (knot_rrset_txt_dump_data(rrset, j, buf, buflen, + &(style->style)) < 0) { + buflen += 4096; + // Oversize protection. + if (buflen > 100000) { + WARN("can't print whole section\n"); + break; + } + + char *newbuf = realloc(buf, buflen); + if (newbuf == NULL) { + WARN("can't print whole section\n"); + break; + } + buf = newbuf; + } + printf("%s\n", buf); + } + } + + free(buf); +} + +static void print_section_host(const knot_rrset_t *rrsets, + const uint16_t count, + const style_t *style) +{ + size_t buflen = 8192; + char *buf = calloc(buflen, 1); + + for (size_t i = 0; i < count; i++) { + const knot_rrset_t *rrset = &rrsets[i]; + const knot_lookup_t *descr; + char type[32] = "NULL"; + char *owner; + + owner = knot_dname_to_str_alloc(rrset->owner); + if (style->style.ascii_to_idn != NULL) { + style->style.ascii_to_idn(&owner); + } + descr = knot_lookup_by_id(rtypes, rrset->type); + + uint16_t rrset_rdata_count = rrset->rrs.count; + for (uint16_t j = 0; j < rrset_rdata_count; j++) { + if (rrset->type == KNOT_RRTYPE_CNAME && + style->hide_cname) { + continue; + } + + while (knot_rrset_txt_dump_data(rrset, j, buf, buflen, + &(style->style)) < 0) { + buflen += 4096; + // Oversize protection. + if (buflen > 100000) { + WARN("can't print whole section\n"); + break; + } + + char *newbuf = realloc(buf, buflen); + if (newbuf == NULL) { + WARN("can't print whole section\n"); + break; + } + buf = newbuf; + } + + if (descr != NULL) { + printf("%s %s %s\n", owner, descr->name, buf); + } else { + knot_rrtype_to_string(rrset->type, type, + sizeof(type)); + printf("%s has %s record %s\n", + owner, type, buf); + } + } + + free(owner); + } + + free(buf); +} + +static void print_error_host(const knot_pkt_t *packet, const style_t *style) +{ + char type[32] = "Unknown"; + const char *rcode_str = "Unknown"; + + knot_rrtype_to_string(knot_pkt_qtype(packet), type, sizeof(type)); + + // Get extended RCODE. + const char *code_name = knot_pkt_ext_rcode_name(packet); + if (code_name[0] != '\0') { + rcode_str = code_name; + } + + // Get record owner. + char *owner = knot_dname_to_str_alloc(knot_pkt_qname(packet)); + if (style->style.ascii_to_idn != NULL) { + style->style.ascii_to_idn(&owner); + } + + if (knot_pkt_ext_rcode(packet) == KNOT_RCODE_NOERROR) { + printf("Host %s has no %s record\n", owner, type); + } else { + printf("Host %s type %s error: %s\n", owner, type, rcode_str); + } + + free(owner); +} + +knot_pkt_t *create_empty_packet(const uint16_t max_size) +{ + // Create packet skeleton. + knot_pkt_t *packet = knot_pkt_new(NULL, max_size, NULL); + if (packet == NULL) { + DBG_NULL; + return NULL; + } + + // Set random sequence id. + knot_wire_set_id(packet->wire, dnssec_random_uint16_t()); + + return packet; +} + +void print_header_xfr(const knot_pkt_t *packet, const style_t *style) +{ + if (style == NULL) { + DBG_NULL; + return; + } + + char xfr[16] = "AXFR"; + + switch (knot_pkt_qtype(packet)) { + case KNOT_RRTYPE_AXFR: + break; + case KNOT_RRTYPE_IXFR: + xfr[0] = 'I'; + break; + default: + return; + } + + if (style->show_header) { + char *owner = knot_dname_to_str_alloc(knot_pkt_qname(packet)); + if (style->style.ascii_to_idn != NULL) { + style->style.ascii_to_idn(&owner); + } + if (owner != NULL) { + printf(";; %s for %s\n", xfr, owner); + free(owner); + } + } +} + +void print_data_xfr(const knot_pkt_t *packet, + const style_t *style) +{ + if (packet == NULL || style == NULL) { + DBG_NULL; + return; + } + + const knot_pktsection_t *answers = knot_pkt_section(packet, KNOT_ANSWER); + + switch (style->format) { + case FORMAT_DIG: + print_section_dig(knot_pkt_rr(answers, 0), answers->count, style); + break; + case FORMAT_HOST: + print_section_host(knot_pkt_rr(answers, 0), answers->count, style); + break; + case FORMAT_FULL: + print_section_full(knot_pkt_rr(answers, 0), answers->count, style, true); + + // Print TSIG record. + if (style->show_tsig && knot_pkt_has_tsig(packet)) { + print_section_full(packet->tsig_rr, 1, style, false); + } + break; + default: + break; + } +} + +void print_footer_xfr(const size_t total_len, + const size_t msg_count, + const size_t rr_count, + const net_t *net, + const float elapsed, + const time_t exec_time, + const style_t *style) +{ + if (style == NULL) { + DBG_NULL; + return; + } + + if (style->show_footer) { + print_footer(total_len, msg_count, rr_count, net, elapsed, + exec_time, true); + } +} + +void print_packet(const knot_pkt_t *packet, + const net_t *net, + const size_t size, + const float elapsed, + const time_t exec_time, + const bool incoming, + const style_t *style) +{ + if (packet == NULL || style == NULL) { + DBG_NULL; + return; + } + + const knot_pktsection_t *answers = knot_pkt_section(packet, + KNOT_ANSWER); + const knot_pktsection_t *authority = knot_pkt_section(packet, + KNOT_AUTHORITY); + const knot_pktsection_t *additional = knot_pkt_section(packet, + KNOT_ADDITIONAL); + + uint16_t qdcount = knot_wire_get_qdcount(packet->wire); + uint16_t ancount = knot_wire_get_ancount(packet->wire); + uint16_t nscount = knot_wire_get_nscount(packet->wire); + uint16_t arcount = knot_wire_get_arcount(packet->wire); + + // Disable additionals printing if there are no other records. + // OPT record may be placed anywhere within additionals! + if (knot_pkt_has_edns(packet) && arcount == 1) { + arcount = 0; + } + + // Print packet information header. + if (style->show_header) { + if (net != NULL) { + print_tls(&net->tls); +#ifdef LIBNGHTTP2 + print_https(&net->https); +#endif + } + print_header(packet, style); + } + + // Print EDNS section. + if (style->show_edns && knot_pkt_has_edns(packet)) { + printf("%s", style->show_section ? "\n;; EDNS PSEUDOSECTION:\n;; " : ";;"); + print_section_opt(packet, style); + } + + // Print DNS sections. + switch (style->format) { + case FORMAT_DIG: + if (ancount > 0) { + print_section_dig(knot_pkt_rr(answers, 0), ancount, style); + } + break; + case FORMAT_HOST: + if (ancount > 0) { + print_section_host(knot_pkt_rr(answers, 0), ancount, style); + } else { + print_error_host(packet, style); + } + break; + case FORMAT_NSUPDATE: + if (style->show_question && qdcount > 0) { + printf("%s", style->show_section ? "\n;; ZONE SECTION:\n;; " : ";;"); + print_section_question(knot_pkt_qname(packet), + knot_pkt_qclass(packet), + knot_pkt_qtype(packet), + style); + } + + if (style->show_answer && ancount > 0) { + printf("%s", style->show_section ? "\n;; PREREQUISITE SECTION:\n" : ""); + print_section_full(knot_pkt_rr(answers, 0), ancount, style, true); + } + + if (style->show_authority && nscount > 0) { + printf("%s", style->show_section ? "\n;; UPDATE SECTION:\n" : ""); + print_section_full(knot_pkt_rr(authority, 0), nscount, style, true); + } + + if (style->show_additional && arcount > 0) { + printf("%s", style->show_section ? "\n;; ADDITIONAL DATA:\n" : ""); + print_section_full(knot_pkt_rr(additional, 0), arcount, style, true); + } + break; + case FORMAT_FULL: + if (style->show_question && qdcount > 0) { + printf("%s", style->show_section ? "\n;; QUESTION SECTION:\n;; " : ";;"); + print_section_question(knot_pkt_qname(packet), + knot_pkt_qclass(packet), + knot_pkt_qtype(packet), + style); + } + + if (style->show_answer && ancount > 0) { + printf("%s", style->show_section ? "\n;; ANSWER SECTION:\n" : ""); + print_section_full(knot_pkt_rr(answers, 0), ancount, style, true); + } + + if (style->show_authority && nscount > 0) { + printf("%s", style->show_section ? "\n;; AUTHORITY SECTION:\n" : ""); + print_section_full(knot_pkt_rr(authority, 0), nscount, style, true); + } + + if (style->show_additional && arcount > 0) { + printf("%s", style->show_section ? "\n;; ADDITIONAL SECTION:\n" : ""); + print_section_full(knot_pkt_rr(additional, 0), arcount, style, true); + } + break; + default: + break; + } + + // Print TSIG section. + if (style->show_tsig && knot_pkt_has_tsig(packet)) { + printf("%s", style->show_section ? "\n;; TSIG PSEUDOSECTION:\n" : ""); + print_section_full(packet->tsig_rr, 1, style, false); + } + + // Print packet statistics. + if (style->show_footer) { + printf("\n"); + print_footer(size, 0, 0, net, elapsed, exec_time, incoming); + } +} diff --git a/src/utils/common/exec.h b/src/utils/common/exec.h new file mode 100644 index 0000000..2940be4 --- /dev/null +++ b/src/utils/common/exec.h @@ -0,0 +1,87 @@ +/* Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#pragma once + +#include <time.h> + +#include "utils/common/netio.h" +#include "utils/common/params.h" +#include "libknot/libknot.h" + +/*! + * \brief Allocates empty packet and sets packet size and random id. + * + * \param max_size Maximal packet size. + * + * \retval packet if success. + * \retval NULL if error. + */ +knot_pkt_t *create_empty_packet(const uint16_t max_size); + +/*! + * \brief Prints information header for transfer. + * + * \param packet Parsed packet. + * \param style Style of the output. + */ +void print_header_xfr(const knot_pkt_t *packet, const style_t *style); + +/*! + * \brief Prints answer section for 1 transfer message. + * + * \param packet Response packet. + * \param style Style of the output. + */ +void print_data_xfr(const knot_pkt_t *packet, const style_t *style); + +/*! + * \brief Prints trailing statistics for transfer. + * + * \param total_len Total reply size (all messages). + * \param msg_count Number of messages. + * \param rr_count Total number of answer records. + * \param net Connection information. + * \param elapsed Total elapsed time. + * \param exec_time Time of the packet creation. + * \param style Style of the otput. + */ +void print_footer_xfr(const size_t total_len, + const size_t msg_count, + const size_t rr_count, + const net_t *net, + const float elapsed, + const time_t exec_time, + const style_t *style); + +/*! + * \brief Prints one response packet. + * + * \param packet Response packet. + * \param net Connection information. + * \param size Original packet wire size. + * \param elapsed Total elapsed time. + * \param exec_time Time of the packet creation. + * \param incoming Indicates if the packet is input. + * \param style Style of the otput. + */ +void print_packet(const knot_pkt_t *packet, + const net_t *net, + const size_t size, + const float elapsed, + const time_t exec_time, + const bool incoming, + const style_t *style); diff --git a/src/utils/common/hex.c b/src/utils/common/hex.c new file mode 100644 index 0000000..9683446 --- /dev/null +++ b/src/utils/common/hex.c @@ -0,0 +1,82 @@ +/* Copyright (C) 2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#include <assert.h> +#include <stdint.h> +#include <stdlib.h> +#include <string.h> +#include "libknot/libknot.h" +#include "contrib/ctype.h" +#include "contrib/tolower.h" + +/*! + * \brief Convert HEX char to byte. + * \note Expects valid lowercase letters. + */ +static uint8_t hex_to_num(int c) +{ + if (c >= '0' && c <= '9') { + return c - '0'; + } else { + return c - 'a' + 10; + } +} + +/*! + * \brief Convert string encoded in hex to bytes. + */ +int hex_decode(const char *input, uint8_t **output, size_t *output_size) +{ + if (!input || input[0] == '\0' || !output || !output_size) { + return KNOT_EINVAL; + } + + // input validation (length and content) + + size_t input_size = strlen(input); + if (input_size % 2 != 0) { + return KNOT_EMALF; + } + + for (size_t i = 0; i < input_size; i++) { + if (!is_xdigit(input[i])) { + return KNOT_EMALF; + } + } + + // output allocation + + size_t result_size = input_size / 2; + assert(result_size > 0); + uint8_t *result = malloc(result_size); + if (!result) { + return KNOT_ENOMEM; + } + + // conversion + + for (size_t i = 0; i < result_size; i++) { + int high_nib = knot_tolower(input[2 * i]); + int low_nib = knot_tolower(input[2 * i + 1]); + + result[i] = hex_to_num(high_nib) << 4 | hex_to_num(low_nib); + } + + *output = result; + *output_size = result_size; + + return KNOT_EOK; +} diff --git a/src/utils/common/hex.h b/src/utils/common/hex.h new file mode 100644 index 0000000..efe81be --- /dev/null +++ b/src/utils/common/hex.h @@ -0,0 +1,31 @@ +/* Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#pragma once + +#include <stdint.h> +#include <stdlib.h> + +/*! + * \brief Convert string encoded in hex to bytes. + * + * \param input Hex encoded input string. + * \param output Decoded bytes. + * \param output_size Size of the output. + * + * \return Error code, KNOT_EOK if successful. + */ +int hex_decode(const char *input, uint8_t **output, size_t *output_size); diff --git a/src/utils/common/https.c b/src/utils/common/https.c new file mode 100644 index 0000000..f5d7bd0 --- /dev/null +++ b/src/utils/common/https.c @@ -0,0 +1,572 @@ +/* Copyright (C) 2021 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#include <assert.h> +#include <arpa/inet.h> +#include <poll.h> +#include <stdlib.h> +#include <string.h> + +#include "contrib/base64url.h" +#include "contrib/url-parser/url_parser.h" +#include "libknot/errcode.h" +#include "utils/common/https.h" +#include "utils/common/msg.h" + +int https_params_copy(https_params_t *dst, const https_params_t *src) +{ + if (dst == NULL || src == NULL) { + return KNOT_EINVAL; + } + + dst->enable = src->enable; + dst->method = src->method; + if (src->path != NULL) { + dst->path = strdup(src->path); + if (dst->path == NULL) { + return KNOT_ENOMEM; + } + } + + return KNOT_EOK; +} + +void https_params_clean(https_params_t *params) +{ + if (params == NULL) { + return; + } + + params->enable = false; + params->method = GET; + free(params->path); + params->path = NULL; +} + +#ifdef LIBNGHTTP2 + +#define HTTP_STATUS_SUCCESS 200 +#define HTTPS_MAX_STREAMS 16 +#define HTTPS_AUTHORITY_LEN (INET6_ADDRSTRLEN + 2) + +#define MAKE_NV(K, KS, V, VS) \ + { (uint8_t *)K, (uint8_t *)V, KS, VS, NGHTTP2_NV_FLAG_NONE } + +#define MAKE_STATIC_NV(K, V) \ + MAKE_NV(K, sizeof(K) - 1, V, sizeof(V) - 1) + +static const char default_path[] = "/dns-query"; +static const char default_query[] = "?dns="; + +static const gnutls_datum_t https_protocols[] = { + { (unsigned char *)"h2", 2 } +}; + +static const nghttp2_settings_entry settings[] = { + { NGHTTP2_SETTINGS_MAX_CONCURRENT_STREAMS, HTTPS_MAX_STREAMS } +}; + +static bool https_status_is_redirect(unsigned long status) +{ + switch (status) { + case 301UL: + case 302UL: + case 307UL: + case 308UL: + return true; + } + return false; +} + +static ssize_t https_send_callback(nghttp2_session *session, const uint8_t *data, + size_t length, int flags, void *user_data) +{ + assert(user_data); + + gnutls_session_t tls_session = ((https_ctx_t *)user_data)->tls->session; + ssize_t len = 0; + + gnutls_record_cork(tls_session); + if ((len = gnutls_record_send(tls_session, data, length)) <= 0) { + WARN("TLS, failed to send\n"); + return KNOT_NET_ESEND; + } + return len; +} + +static int https_on_frame_send_callback(nghttp2_session *session, const nghttp2_frame *frame, + void *user_data) +{ + assert(user_data); + + gnutls_session_t tls_session = ((https_ctx_t *)user_data)->tls->session; + while (gnutls_record_check_corked(tls_session) > 0) { + int ret = gnutls_record_uncork(tls_session, 0); + if (ret < 0 && gnutls_error_is_fatal(ret) != 0) { + WARN("TLS, failed to send (%s)\n", gnutls_strerror(ret)); + return KNOT_NET_ESEND; + } + } + return KNOT_EOK; +} + +static ssize_t https_recv_callback(nghttp2_session *session, uint8_t *data, size_t length, + int flags, void *user_data) +{ + assert(user_data); + + https_ctx_t *ctx = (https_ctx_t *)user_data; + struct pollfd pfd = { + .fd = ctx->tls->sockfd, + .events = POLLIN, + .revents = 0, + }; + + ssize_t ret = 0; + while ((ret = gnutls_record_recv(ctx->tls->session, data, length)) <= 0) { + if (!ctx->read) { //Unblock `nghttp2_session_recv(nghttp2_session)` + ctx->read = true; + return NGHTTP2_ERR_WOULDBLOCK; + } + if (ret == 0) { + WARN("TLS, peer has closed the connection\n"); + return KNOT_NET_ERECV; + } else if (gnutls_error_is_fatal(ret)) { + WARN("TLS, failed to receive reply (%s)\n", + gnutls_strerror(ret)); + return KNOT_NET_ERECV; + } else if (poll(&pfd, 1, 1000 * ctx->tls->wait) != 1) { + WARN("TLS, peer took too long to respond\n"); + return KNOT_ETIMEOUT; + } + } + + return ret; +} + +static int https_on_data_chunk_recv_callback(nghttp2_session *session, uint8_t flags, int32_t stream_id, + const uint8_t *data, size_t len, void *user_data) +{ + assert(user_data); + + https_ctx_t *ctx = (https_ctx_t *)user_data; + if (ctx->stream == stream_id) { + memcpy(ctx->recv_buf, data, len); + ctx->recv_buflen = len; + ctx->read = false; + ctx->stream = -1; + } + return KNOT_EOK; +} + +static int https_on_header_callback(nghttp2_session *session, const nghttp2_frame *frame, + const uint8_t *name, size_t namelen, + const uint8_t *value, size_t valuelen, + uint8_t flags, void *user_data) +{ + assert(user_data); + https_ctx_t *ctx = (https_ctx_t *)user_data; + + if (!strncasecmp(":status", (const char *)name, namelen)) { + char *end; + long status; + status = strtoul((const char *)value, &end, 10); + if (value != (const uint8_t *)end) { + ctx->status = status; + } + } + else if (!strncasecmp("location", (const char *)name, namelen) && + https_status_is_redirect(ctx->status)) { + struct http_parser_url redirect_url; + http_parser_parse_url((const char *)value, valuelen, 0, &redirect_url); + + bool r_auth = redirect_url.field_set & (1 << UF_HOST); + bool r_path = redirect_url.field_set & (1 << UF_PATH); + char *old_auth = ctx->authority, *old_path = ctx->path; + + if (r_auth) { + ctx->authority = strndup((const char *)(value + redirect_url.field_data[UF_HOST].off), + redirect_url.field_data[UF_HOST].len); + } + if (r_path) { + ctx->path = strndup((const char *)(value + redirect_url.field_data[UF_PATH].off), + redirect_url.field_data[UF_PATH].len); + } + WARN("HTTP redirect (%s%s)->(%s%s)\n", old_auth, old_path, ctx->authority, ctx->path); + if (r_auth) { + free(old_auth); + } + if (r_path) { + free(old_path); + } + return https_send_dns_query(ctx, ctx->send_buf, ctx->send_buflen); + } + return KNOT_EOK; +} + +int https_ctx_init(https_ctx_t *ctx, tls_ctx_t *tls_ctx, const https_params_t *params) +{ + if (ctx == NULL || tls_ctx == NULL || params == NULL) { + return KNOT_EINVAL; + } + if (ctx->session != NULL) { // Already initialized before + return KNOT_EINVAL; + } + if (!params->enable) { + return KNOT_EINVAL; + } + + nghttp2_session_callbacks *callbacks; + nghttp2_session_callbacks_new(&callbacks); + nghttp2_session_callbacks_set_send_callback(callbacks, https_send_callback); + nghttp2_session_callbacks_set_on_frame_send_callback(callbacks, https_on_frame_send_callback); + nghttp2_session_callbacks_set_recv_callback(callbacks, https_recv_callback); + nghttp2_session_callbacks_set_on_data_chunk_recv_callback(callbacks, https_on_data_chunk_recv_callback); + nghttp2_session_callbacks_set_on_header_callback(callbacks, https_on_header_callback); + + int ret = nghttp2_session_client_new(&(ctx->session), callbacks, ctx); + if (ret != 0) { + return KNOT_EINVAL; + } + + nghttp2_session_callbacks_del(callbacks); + + if (pthread_mutex_init(&ctx->recv_mx, NULL) != 0) { + return KNOT_EINVAL; + } + + ctx->tls = tls_ctx; + ctx->params = *params; + ctx->authority = (tls_ctx->params->hostname) ? strdup(tls_ctx->params->hostname) : NULL; + ctx->path = strdup((ctx->params.path) ? ctx->params.path : (char *)default_path); + ctx->read = true; + + return KNOT_EOK; +} + +static int sockaddr_to_authority(char *buf, const size_t buf_len, const struct sockaddr_storage *ss) +{ + if (buf == NULL || ss == NULL) { + return KNOT_EINVAL; + } + + const char *out = NULL; + + /* Convert IPv6 network address string. */ + if (ss->ss_family == AF_INET6) { + if (buf_len < HTTPS_AUTHORITY_LEN) { + return KNOT_EINVAL; + } + + const struct sockaddr_in6 *s = (const struct sockaddr_in6 *)ss; + buf[0] = '['; + + out = inet_ntop(ss->ss_family, &s->sin6_addr, buf + 1, buf_len - 1); + if (out == NULL) { + return KNOT_EINVAL; + } + + buf += strlen(buf); + buf[0] = ']'; + buf[1] = '\0'; + /* Convert IPv4 network address string. */ + } else if (ss->ss_family == AF_INET) { + if (buf_len < INET_ADDRSTRLEN) { + return KNOT_EINVAL; + } + + const struct sockaddr_in *s = (const struct sockaddr_in *)ss; + + out = inet_ntop(ss->ss_family, &s->sin_addr, buf, buf_len); + if (out == NULL) { + return KNOT_EINVAL; + } + /* Unknown network address family. */ + } else { + return KNOT_EINVAL; + } + + return KNOT_EOK; +} + +int https_ctx_connect(https_ctx_t *ctx, const int sockfd, struct sockaddr_storage *address, + const char *remote) +{ + if (ctx == NULL || address == NULL) { + return KNOT_EINVAL; + } + + // Create TLS connection + int ret = gnutls_init(&ctx->tls->session, GNUTLS_CLIENT | GNUTLS_NONBLOCK); + if (ret != GNUTLS_E_SUCCESS) { + return KNOT_NET_ECONNECT; + } + + ret = gnutls_set_default_priority(ctx->tls->session); + if (ret != GNUTLS_E_SUCCESS) { + gnutls_deinit(ctx->tls->session); + return KNOT_NET_ECONNECT; + } + + ret = gnutls_credentials_set(ctx->tls->session, GNUTLS_CRD_CERTIFICATE, + ctx->tls->credentials); + if (ret != GNUTLS_E_SUCCESS) { + gnutls_deinit(ctx->tls->session); + return KNOT_NET_ECONNECT; + } + + if (remote != NULL) { + ret = gnutls_server_name_set(ctx->tls->session, GNUTLS_NAME_DNS, remote, + strlen(remote)); + if (ret != GNUTLS_E_SUCCESS) { + gnutls_deinit(ctx->tls->session); + return KNOT_NET_ECONNECT; + } + } + + gnutls_session_set_ptr(ctx->tls->session, ctx->tls); + gnutls_transport_set_int(ctx->tls->session, sockfd); + gnutls_handshake_set_timeout(ctx->tls->session, 1000 * ctx->tls->wait); + + ret = gnutls_alpn_set_protocols(ctx->tls->session, https_protocols, + sizeof(https_protocols) / sizeof(*https_protocols), 0); + if (ret != GNUTLS_E_SUCCESS) { + gnutls_deinit(ctx->tls->session); + return KNOT_NET_ECONNECT; + } + + // Initialize poll descriptor structure. + struct pollfd pfd = { + .fd = sockfd, + .events = POLLIN, + .revents = 0, + }; + + // Perform the TLS handshake + do { + ret = gnutls_handshake(ctx->tls->session); + if (ret != GNUTLS_E_SUCCESS && gnutls_error_is_fatal(ret) == 0) { + if (poll(&pfd, 1, 1000 * ctx->tls->wait) != 1) { + WARN("TLS, peer took too long to respond\n"); + gnutls_deinit(ctx->tls->session); + return KNOT_NET_ETIMEOUT; + } + } + } while (ret != GNUTLS_E_SUCCESS && gnutls_error_is_fatal(ret) == 0); + if (ret != GNUTLS_E_SUCCESS) { + WARN("TLS, handshake failed (%s)\n", gnutls_strerror(ret)); + tls_ctx_close(ctx->tls); + return KNOT_NET_ESOCKET; + } + + // Save the socket descriptor. + ctx->tls->sockfd = sockfd; + + // Perform HTTP handshake + ret = nghttp2_submit_settings(ctx->session, NGHTTP2_FLAG_NONE, settings, + sizeof(settings) / sizeof(*settings)); + if (ret != 0) { + return KNOT_NET_ESOCKET; + } + ret = nghttp2_session_send(ctx->session); + if (ret != 0) { + return KNOT_NET_ESOCKET; + } + + // Save authority server + if (ctx->authority == NULL) { + if (remote != NULL) { + ctx->authority = strdup(remote); + } else { + ctx->authority = (char*)calloc(HTTPS_AUTHORITY_LEN, sizeof(char)); + ret = sockaddr_to_authority(ctx->authority, HTTPS_AUTHORITY_LEN, address); + if (ret != KNOT_EOK) { + free(ctx->authority); + ctx->authority = NULL; + return KNOT_EINVAL; + } + } + } + + return KNOT_EOK; +} + +static int https_send_dns_query_get(https_ctx_t *ctx) +{ + const size_t dns_query_len = strlen(ctx->path) + + sizeof(default_query) + + (ctx->send_buflen * 4) / 3 + 3; + char dns_query[dns_query_len]; + strncpy(dns_query, ctx->path, dns_query_len); + strncat(dns_query, default_query, dns_query_len); + + size_t tmp_strlen = strlen(dns_query); + int32_t ret = knot_base64url_encode(ctx->send_buf, ctx->send_buflen, + (uint8_t *)(dns_query + tmp_strlen), dns_query_len - tmp_strlen - 1); + if (ret < 0) { + return KNOT_EINVAL; + } + + nghttp2_nv hdrs[] = { + MAKE_STATIC_NV(":method", "GET"), + MAKE_STATIC_NV(":scheme", "https"), + MAKE_NV(":authority", 10, ctx->authority, strlen(ctx->authority)), + MAKE_NV(":path", 5, dns_query, tmp_strlen + ret), + MAKE_STATIC_NV("accept", "application/dns-message"), + }; + + ctx->stream = nghttp2_submit_request(ctx->session, NULL, hdrs, + sizeof(hdrs) / sizeof(*hdrs), + NULL, NULL); + if (ctx->stream < 0) { + return KNOT_NET_ESEND; + } + ret = nghttp2_session_send(ctx->session); + if (ret != 0) { + return KNOT_NET_ESEND; + } + + return KNOT_EOK; +} + +static ssize_t https_send_data_callback(nghttp2_session *session, int32_t stream_id, + uint8_t *buf, size_t length, uint32_t *data_flags, + nghttp2_data_source *source, void *user_data) +{ + https_data_provider_t *buffer = source->ptr; + ssize_t sent = (length < buffer->buf_len) ? length : buffer->buf_len; + + memcpy(buf, buffer->buf, sent); + buffer->buf += sent; + buffer->buf_len -= sent; + if (!buffer->buf_len) { + *data_flags |= NGHTTP2_DATA_FLAG_EOF; + } + + return sent; +} + +static int https_send_dns_query_post(https_ctx_t *ctx) +{ + // size of number in text form (base 10) + char content_length[sizeof(size_t) * 3 + 1]; // limit for x->inf: log10(2^(8*sizeof(x))-1)/sizeof(x) = 2,408239965 -> 3 + int content_length_len = sprintf(content_length, "%zu", ctx->send_buflen); + + nghttp2_nv hdrs[] = { + MAKE_STATIC_NV(":method", "POST"), + MAKE_STATIC_NV(":scheme", "https"), + MAKE_NV(":authority", 10, ctx->authority, strlen(ctx->authority)), + MAKE_NV(":path", 5, ctx->path, strlen(ctx->path)), + MAKE_STATIC_NV("accept", "application/dns-message"), + MAKE_STATIC_NV("content-type", "application/dns-message"), + MAKE_NV("content-length", 14, content_length, content_length_len) + }; + + https_data_provider_t data = { + .buf = ctx->send_buf, + .buf_len = ctx->send_buflen + }; + + nghttp2_data_provider data_provider = { + .source.ptr = &data, + .read_callback = https_send_data_callback + }; + + ctx->stream = nghttp2_submit_request(ctx->session, NULL, hdrs, + sizeof(hdrs) / sizeof(nghttp2_nv), + &data_provider, NULL); + if (ctx->stream < 0) { + return KNOT_NET_ESEND; + } + int ret = nghttp2_session_send(ctx->session); + if (ret != 0) { + return KNOT_NET_ESEND; + } + + return KNOT_EOK; +} + +int https_send_dns_query(https_ctx_t *ctx, const uint8_t *buf, const size_t buf_len) +{ + if (ctx == NULL || buf == NULL || buf_len == 0) { + return KNOT_EINVAL; + } + + ctx->send_buf = buf; + ctx->send_buflen = buf_len; + + assert(ctx->params.method == POST || ctx->params.method == GET); + + if (ctx->params.method == POST) { + return https_send_dns_query_post(ctx); + } else { + return https_send_dns_query_get(ctx); + } +} + +int https_recv_dns_response(https_ctx_t *ctx, uint8_t *buf, const size_t buf_len) +{ + if (ctx == NULL || buf == NULL || buf_len == 0) { + return KNOT_EINVAL; + } + + pthread_mutex_lock(&ctx->recv_mx); + ctx->recv_buf = buf; + ctx->recv_buflen = buf_len; + + int ret = nghttp2_session_recv(ctx->session); + if (ret != 0) { + pthread_mutex_unlock(&ctx->recv_mx); + return KNOT_NET_ERECV; + } + + ctx->recv_buf = NULL; + + pthread_mutex_unlock(&ctx->recv_mx); + + if (ctx->status != HTTP_STATUS_SUCCESS) { + print_https(ctx); + return KNOT_NET_ERECV; + } + + return ctx->recv_buflen; +} + +void https_ctx_deinit(https_ctx_t *ctx) +{ + if (ctx == NULL) { + return; + } + + nghttp2_session_del(ctx->session); + pthread_mutex_destroy(&ctx->recv_mx); + free(ctx->path); + ctx->path = NULL; + free(ctx->authority); + ctx->authority = NULL; +} + +void print_https(const https_ctx_t *ctx) +{ + if (!ctx || !ctx->authority || !ctx->path) { + return; + } + printf(";; HTTP session (HTTP/2-%s)-(%s%s)-(status: %lu)\n", + ctx->params.method == POST ? "POST" : "GET", ctx->authority, + ctx->path, ctx->status); +} + +#endif //LIBNGHTTP2 diff --git a/src/utils/common/https.h b/src/utils/common/https.h new file mode 100644 index 0000000..d39b527 --- /dev/null +++ b/src/utils/common/https.h @@ -0,0 +1,149 @@ +/* Copyright (C) 2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#pragma once + +#include <stdbool.h> + +/*! \brief HTTP method to transfer query. */ +typedef enum { + POST, + GET +} https_method_t; + +/*! \brief HTTPS parameters. */ +typedef struct { + /*! Use HTTPS indicator. */ + bool enable; + /*! HTTP method to transfer query. */ + https_method_t method; + /*! Path */ + char *path; +} https_params_t; + +int https_params_copy(https_params_t *dst, const https_params_t *src); +void https_params_clean(https_params_t *params); + +#ifdef LIBNGHTTP2 + +#include <netinet/in.h> +#include <pthread.h> +#include <sys/socket.h> +#include <nghttp2/nghttp2.h> + +#include "utils/common/tls.h" + +/*! \brief Structure that stores data source for DATA frames. */ +typedef struct { + const uint8_t *buf; + size_t buf_len; +} https_data_provider_t; + +/*! \brief HTTPS context. */ +typedef struct { + // Parameters + https_params_t params; + + // Contexts + nghttp2_session *session; + tls_ctx_t *tls; + char *authority; + char *path; + + // Send destination + const uint8_t *send_buf; + size_t send_buflen; + + // Recv destination + uint8_t *recv_buf; + size_t recv_buflen; + unsigned long status; + + // Recv locks + pthread_mutex_t recv_mx; + bool read; + int32_t stream; +} https_ctx_t; + +/*! + * \brief Initialize HTTPS context. + * + * \param ctx HTTPS context. + * \param tls_ctx TLS context. + * \param params Parameter table. + * + * \retval KNOT_EOK When initialized. + * \retval KNOT_EINVAL When parameters are invalid. + */ +int https_ctx_init(https_ctx_t *ctx, tls_ctx_t *tls_ctx, const https_params_t *params); + +/*! + * \brief Create TLS connection and perform HTTPS handshake. + * + * \param ctx HTTPS context. + * \param sockfd TLS context. + * \param address Socket address storage with address to server side. + * \param remote [optional] Remote name. + * + * \retval KNOT_EOK When successfully connected. + * \retval KNOT_EINVAL When parameters are invalid. + * \retval KNOT_NET_ESOCKET When socket is no accessible. + * \retval KNOT_NET_ETIMEOUT When server respond takes too long. + * \retval KNOT_NET_ECONNECT When unnable to connect to the server. + */ +int https_ctx_connect(https_ctx_t *ctx, const int sockfd, struct sockaddr_storage *address, + const char *remote); + +/*! + * \brief Send buffer as DNS message over HTTPS. + * + * \param ctx HTTPS context. + * \param buf Buffer with DNS message in wire format. + * \param buf_len Length of buffer. + * + * \retval KNOT_EOK When successfully sent. + * \retval KNOT_EINVAL When parameters are invalid. + * \retval KNOT_NET_ESEND When error occurs while sending a data. + */ +int https_send_dns_query(https_ctx_t *ctx, const uint8_t *buf, const size_t buf_len); + +/*! + * \brief Receive DATA frame as HTTPS packet, and store it into buffer. + * + * \param ctx HTTPS context. + * \param buf Buffer where will be DNS response stored. + * \param buf_len Length of buffer. + * + * \retval >=0 Number of bytes received in DATA frame. + * \retval KNOT_NET_ERECV When error while receive. + */ +int https_recv_dns_response(https_ctx_t *ctx, uint8_t *buf, const size_t buf_len); + +/*! + * \brief Deinitialize HTTPS context. + * + * \param ctx HTTPS context. + */ +void https_ctx_deinit(https_ctx_t *ctx); + +/*! + * \brief Prints information about HTTPS context. + * + * \param ctx HTTPS context. + */ +void print_https(const https_ctx_t *ctx); + +#endif //LIBNGHTTP2 diff --git a/src/utils/common/lookup.c b/src/utils/common/lookup.c new file mode 100644 index 0000000..bb64252 --- /dev/null +++ b/src/utils/common/lookup.c @@ -0,0 +1,279 @@ +/* Copyright (C) 2019 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#include <string.h> + +#include "utils/common/lookup.h" +#include "contrib/mempattern.h" +#include "contrib/ucw/mempool.h" +#include "libknot/error.h" + +int lookup_init(lookup_t *lookup) +{ + if (lookup == NULL) { + return KNOT_EINVAL; + } + memset(lookup, 0, sizeof(*lookup)); + + mm_ctx_mempool(&lookup->mm, MM_DEFAULT_BLKSIZE); + lookup->trie = trie_create(&lookup->mm); + if (lookup->trie == NULL) { + mp_delete(lookup->mm.ctx); + return KNOT_ENOMEM; + } + + return KNOT_EOK; +} + +static void reset_output(lookup_t *lookup) +{ + if (lookup == NULL) { + return; + } + + mm_free(&lookup->mm, lookup->found.key); + lookup->found.key = NULL; + lookup->found.data = NULL; + + lookup->iter.count = 0; + + mm_free(&lookup->mm, lookup->iter.first_key); + lookup->iter.first_key = NULL; + + trie_it_free(lookup->iter.it); + lookup->iter.it = NULL; +} + +void lookup_deinit(lookup_t *lookup) +{ + if (lookup == NULL) { + return; + } + + reset_output(lookup); + + trie_free(lookup->trie); + mp_delete(lookup->mm.ctx); +} + +int lookup_insert(lookup_t *lookup, const char *str, void *data) +{ + if (lookup == NULL || str == NULL) { + return KNOT_EINVAL; + } + + size_t str_len = strlen(str); + if (str_len == 0) { + return KNOT_EINVAL; + } + + trie_val_t *val = trie_get_ins(lookup->trie, (const trie_key_t *)str, str_len); + if (val == NULL) { + return KNOT_ENOMEM; + } + *val = data; + + return KNOT_EOK; +} + +static int set_key(lookup_t *lookup, char **dst, const char *key, size_t key_len) +{ + if (*dst != NULL) { + mm_free(&lookup->mm, *dst); + } + *dst = mm_alloc(&lookup->mm, key_len + 1); + if (*dst == NULL) { + return KNOT_ENOMEM; + } + memcpy(*dst, key, key_len); + (*dst)[key_len] = '\0'; + + return KNOT_EOK; +} + +int lookup_search(lookup_t *lookup, const char *str, size_t str_len) +{ + if (lookup == NULL) { + return KNOT_EINVAL; + } + + // Change NULL string to the empty one. + if (str == NULL) { + str = ""; + } + + reset_output(lookup); + + size_t new_len = 0; + trie_it_t *it = trie_it_begin(lookup->trie); + for (; !trie_it_finished(it); trie_it_next(it)) { + size_t len; + const char *key = (const char *)trie_it_key(it, &len); + + // Compare with a shorter key. + if (len < str_len) { + int ret = memcmp(str, key, len); + if (ret >= 0) { + continue; + } else { + break; + } + } + + // Compare with an equal length or longer key. + int ret = memcmp(str, key, str_len); + if (ret == 0) { + lookup->iter.count++; + + // First candidate. + if (lookup->iter.count == 1) { + ret = set_key(lookup, &lookup->found.key, key, len); + if (ret != KNOT_EOK) { + break; + } + lookup->found.data = *trie_it_val(it); + new_len = len; + // Another candidate. + } else if (new_len > str_len) { + if (new_len > len) { + new_len = len; + } + while (memcmp(lookup->found.key, key, new_len) != 0) { + new_len--; + } + } + // Stop if greater than the key, and also than all the following keys. + } else if (ret < 0) { + break; + } + } + trie_it_free(it); + + switch (lookup->iter.count) { + case 0: + return KNOT_ENOENT; + case 1: + return KNOT_EOK; + default: + // Store full name of the first candidate. + if (set_key(lookup, &lookup->iter.first_key, lookup->found.key, + strlen(lookup->found.key)) != KNOT_EOK) { + return KNOT_ENOMEM; + } + lookup->found.key[new_len] = '\0'; + lookup->found.data = NULL; + + return KNOT_EFEWDATA; + } +} + +void lookup_list(lookup_t *lookup) +{ + if (lookup == NULL || lookup->iter.first_key == NULL) { + return; + } + + if (lookup->iter.it != NULL) { + if (trie_it_finished(lookup->iter.it)) { + trie_it_free(lookup->iter.it); + lookup->iter.it = NULL; + return; + } + + trie_it_next(lookup->iter.it); + + size_t len; + const char *key = (const char *)trie_it_key(lookup->iter.it, &len); + + int ret = set_key(lookup, &lookup->found.key, key, len); + if (ret == KNOT_EOK) { + lookup->found.data = *trie_it_val(lookup->iter.it); + } + return; + } + + lookup->iter.it = trie_it_begin(lookup->trie); + while (!trie_it_finished(lookup->iter.it)) { + size_t len; + const char *key = (const char *)trie_it_key(lookup->iter.it, &len); + + if (strncmp(key, lookup->iter.first_key, len) == 0) { + int ret = set_key(lookup, &lookup->found.key, key, len); + if (ret == KNOT_EOK) { + lookup->found.data = *trie_it_val(lookup->iter.it); + } + break; + } + trie_it_next(lookup->iter.it); + } +} + +static void print_options(lookup_t *lookup, EditLine *el) +{ + // Get terminal lines. + unsigned lines = 0; + if (el_get(el, EL_GETTC, "li", &lines) != 0 || lines < 3) { + return; + } + + for (size_t i = 1; i <= lookup->iter.count; i++) { + lookup_list(lookup); + printf("\n%s", lookup->found.key); + + if (i > 1 && i % (lines - 1) == 0 && i < lookup->iter.count) { + printf("\n Display next from %zu possibilities? (y or n)", + lookup->iter.count); + char next; + el_getc(el, &next); + if (next != 'y') { + break; + } + } + } + + printf("\n"); + fflush(stdout); +} + +void lookup_complete(lookup_t *lookup, const char *str, size_t str_len, + EditLine *el, bool add_space) +{ + if (lookup == NULL || el == NULL) { + return; + } + + // Try to complete the command name. + int ret = lookup_search(lookup, str, str_len); + switch (ret) { + case KNOT_EOK: + el_deletestr(el, str_len); + el_insertstr(el, lookup->found.key); + if (add_space) { + el_insertstr(el, " "); + } + break; + case KNOT_EFEWDATA: + if (strlen(lookup->found.key) > str_len) { + el_deletestr(el, str_len); + el_insertstr(el, lookup->found.key); + } else { + print_options(lookup, el); + } + break; + default: + break; + } +} diff --git a/src/utils/common/lookup.h b/src/utils/common/lookup.h new file mode 100644 index 0000000..3f43ab6 --- /dev/null +++ b/src/utils/common/lookup.h @@ -0,0 +1,112 @@ +/* Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#pragma once + +#include <histedit.h> + +#include "libknot/mm_ctx.h" +#include "contrib/qp-trie/trie.h" + +/*! Lookup context. */ +typedef struct { + /*! Memory pool context. */ + knot_mm_t mm; + /*! Main trie storage. */ + trie_t *trie; + + /*! Current (iteration) data context. */ + struct { + /*! Stored key. */ + char *key; + /*! Corresponding key data. */ + void *data; + } found; + + /*! Iteration context. */ + struct { + /*! Total number of possibilies. */ + size_t count; + /*! The first possibility. */ + char *first_key; + /*! Hat-trie iterator. */ + trie_it_t *it; + } iter; +} lookup_t; + +/*! + * Initializes the lookup context. + * + * \param[in] lookup Lookup context. + * + * \return Error code, KNOT_EOK if successful. + */ +int lookup_init(lookup_t *lookup); + +/*! + * Deinitializes the lookup context. + * + * \param[in] lookup Lookup context. + */ +void lookup_deinit(lookup_t *lookup); + +/*! + * Inserts given key and data into the lookup. + * + * \param[in] lookup Lookup context. + * \param[in] str Textual key. + * \param[in] data Key textual data. + * + * \return Error code, KNOT_EOK if successful. + */ +int lookup_insert(lookup_t *lookup, const char *str, void *data); + +/*! + * Searches the lookup container for the given key. + * + * \note If one candidate, lookup.found contains the key/data, + * if more candidates, lookup.found contains the common key prefix and + * lookup.iter.first_key is the first candidate key. + * + * \param[in] lookup Lookup context. + * \param[in] str Textual key. + * \param[in] str_len Textual key length. + * + * \return Error code, KNOT_EOK if 1 candidate, KNOT_ENOENT if no candidate, + * and KNOT_EFEWDATA if more candidates are possible. + */ +int lookup_search(lookup_t *lookup, const char *str, size_t str_len); + +/*! + * Moves the lookup iterator to the next key candidate. + * + * \note lookup.found is updated. + * + * \param[in] lookup Lookup context. + */ +void lookup_list(lookup_t *lookup); + +/*! + * Completes the string based on the lookup content or prints all candidates. + * + * \param[in] lookup Lookup context. + * \param[in] str Textual key. + * \param[in] str_len Textual key length. + * \param[in] el Editline context. + * \param[in] add_space Add one space after completed string flag. + */ +void lookup_complete(lookup_t *lookup, const char *str, size_t str_len, + EditLine *el, bool add_space); diff --git a/src/utils/common/msg.c b/src/utils/common/msg.c new file mode 100644 index 0000000..c125297 --- /dev/null +++ b/src/utils/common/msg.c @@ -0,0 +1,40 @@ +/* Copyright (C) 2011 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#include <stdarg.h> +#include <stdio.h> +#include <stdlib.h> + +#include "utils/common/msg.h" + +static volatile int MSG_DBG_STATE = 0; /* True if debugging is enabled. */ + +int msg_enable_debug(int val) +{ + return MSG_DBG_STATE = val; +} + +int msg_debug(const char *fmt, ...) +{ + int n = 0; + if (MSG_DBG_STATE) { + va_list ap; + va_start(ap, fmt); + n = vprintf(fmt, ap); + va_end(ap); + } + return n; +} diff --git a/src/utils/common/msg.h b/src/utils/common/msg.h new file mode 100644 index 0000000..02eedcc --- /dev/null +++ b/src/utils/common/msg.h @@ -0,0 +1,38 @@ +/* Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#pragma once + +#include <stdio.h> + +#define ERROR_ ";; ERROR: " +#define INFO_ ";; INFO: " +#define WARNING_ ";; WARNING: " +#define DEBUG_ ";; DEBUG: " + +#define ERR(msg, ...) { fprintf(stderr, ERROR_ msg, ##__VA_ARGS__); fflush(stderr); } +#define INFO(msg, ...) { fprintf(stdout, INFO_ msg, ##__VA_ARGS__); fflush(stdout); } +#define WARN(msg, ...) { fprintf(stderr, WARNING_ msg, ##__VA_ARGS__); fflush(stderr); } +#define DBG(msg, ...) msg_debug(DEBUG_ msg, ##__VA_ARGS__) + +/*! \brief Enable/disable debugging. */ +int msg_enable_debug(int val); + +/*! \brief Print debug message. */ +int msg_debug(const char *fmt, ...); + +/*! \brief Debug message for null input. */ +#define DBG_NULL DBG("%s: null parameter\n", __func__) diff --git a/src/utils/common/netio.c b/src/utils/common/netio.c new file mode 100644 index 0000000..3c75ccb --- /dev/null +++ b/src/utils/common/netio.c @@ -0,0 +1,673 @@ +/* Copyright (C) 2021 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#include <arpa/inet.h> +#include <fcntl.h> +#include <netdb.h> +#include <poll.h> +#include <stdlib.h> +#include <netinet/in.h> +#include <sys/types.h> // OpenBSD +#include <netinet/tcp.h> // TCP_FASTOPEN +#include <sys/socket.h> + +#ifdef HAVE_SYS_UIO_H +#include <sys/uio.h> +#endif + +#include "utils/common/netio.h" +#include "utils/common/msg.h" +#include "utils/common/tls.h" +#include "libknot/libknot.h" +#include "contrib/sockaddr.h" + +srv_info_t *srv_info_create(const char *name, const char *service) +{ + if (name == NULL || service == NULL) { + DBG_NULL; + return NULL; + } + + // Create output structure. + srv_info_t *server = calloc(1, sizeof(srv_info_t)); + + // Check output. + if (server == NULL) { + return NULL; + } + + // Fill output. + server->name = strdup(name); + server->service = strdup(service); + + if (server->name == NULL || server->service == NULL) { + srv_info_free(server); + return NULL; + } + + // Return result. + return server; +} + +void srv_info_free(srv_info_t *server) +{ + if (server == NULL) { + DBG_NULL; + return; + } + + free(server->name); + free(server->service); + free(server); +} + +int get_iptype(const ip_t ip) +{ + switch (ip) { + case IP_4: + return AF_INET; + case IP_6: + return AF_INET6; + default: + return AF_UNSPEC; + } +} + +int get_socktype(const protocol_t proto, const uint16_t type) +{ + switch (proto) { + case PROTO_TCP: + return SOCK_STREAM; + case PROTO_UDP: + return SOCK_DGRAM; + default: + if (type == KNOT_RRTYPE_AXFR || type == KNOT_RRTYPE_IXFR) { + return SOCK_STREAM; + } else { + return SOCK_DGRAM; + } + } +} + +const char *get_sockname(const int socktype) +{ + switch (socktype) { + case SOCK_STREAM: + return "TCP"; + case SOCK_DGRAM: + return "UDP"; + default: + return "UNKNOWN"; + } +} + +static int get_addr(const srv_info_t *server, + const int iptype, + const int socktype, + struct addrinfo **info) +{ + struct addrinfo hints; + + // Set connection hints. + memset(&hints, 0, sizeof(hints)); + hints.ai_family = iptype; + hints.ai_socktype = socktype; + + // Get connection parameters. + int ret = getaddrinfo(server->name, server->service, &hints, info); + switch (ret) { + case 0: + return 0; +#ifdef EAI_ADDRFAMILY /* EAI_ADDRFAMILY isn't implemented in FreeBSD/macOS anymore. */ + case EAI_ADDRFAMILY: + break; +#else /* FreeBSD, macOS, and likely others return EAI_NONAME instead. */ + case EAI_NONAME: + if (iptype != AF_UNSPEC) { + break; + } + /* FALLTHROUGH */ +#endif /* EAI_ADDRFAMILY */ + default: + ERR("%s for %s@%s\n", gai_strerror(ret), server->name, server->service); + } + return -1; +} + +void get_addr_str(const struct sockaddr_storage *ss, + const int socktype, + char **dst) +{ + char addr_str[SOCKADDR_STRLEN] = {0}; + + // Get network address string and port number. + sockaddr_tostr(addr_str, sizeof(addr_str), ss); + + // Calculate needed buffer size + const char *sock_name = get_sockname(socktype); + size_t buflen = strlen(addr_str) + strlen(sock_name) + 3 /* () */; + + // Free previous string if any and write result + free(*dst); + *dst = malloc(buflen); + if (*dst != NULL) { + int ret = snprintf(*dst, buflen, "%s(%s)", addr_str, sock_name); + if (ret <= 0 || ret >= buflen) { + **dst = '\0'; + } + } +} + +int net_init(const srv_info_t *local, + const srv_info_t *remote, + const int iptype, + const int socktype, + const int wait, + const net_flags_t flags, + const tls_params_t *tls_params, + const https_params_t *https_params, + net_t *net) +{ + if (remote == NULL || net == NULL) { + DBG_NULL; + return KNOT_EINVAL; + } + + // Clean network structure. + memset(net, 0, sizeof(*net)); + + // Get remote address list. + if (get_addr(remote, iptype, socktype, &net->remote_info) != 0) { + net_clean(net); + return KNOT_NET_EADDR; + } + + // Set current remote address. + net->srv = net->remote_info; + + // Get local address if specified. + if (local != NULL) { + if (get_addr(local, iptype, socktype, &net->local_info) != 0) { + net_clean(net); + return KNOT_NET_EADDR; + } + } + + // Store network parameters. + net->iptype = iptype; + net->socktype = socktype; + net->wait = wait; + net->local = local; + net->remote = remote; + net->flags = flags; + + // Prepare for TLS. + if (tls_params != NULL && tls_params->enable) { + int ret = tls_ctx_init(&net->tls, tls_params, net->wait); + if (ret != KNOT_EOK) { + net_clean(net); + return ret; + } + +#ifdef LIBNGHTTP2 + // Prepare for HTTPS. + if (https_params != NULL && https_params->enable) { + ret = https_ctx_init(&net->https, &net->tls, https_params); + if (ret != KNOT_EOK) { + net_clean(net); + return ret; + } + } +#endif //LIBNGHTTP2 + } + + return KNOT_EOK; +} + +/*! + * Connect with TCP Fast Open. + */ +static int fastopen_connect(int sockfd, const struct addrinfo *srv) +{ +#if defined( __FreeBSD__) + const int enable = 1; + return setsockopt(sockfd, IPPROTO_TCP, TCP_FASTOPEN, &enable, sizeof(enable)); +#elif defined(__APPLE__) + // connection is performed lazily when first data are sent + struct sa_endpoints ep = {0}; + ep.sae_dstaddr = srv->ai_addr; + ep.sae_dstaddrlen = srv->ai_addrlen; + int flags = CONNECT_DATA_IDEMPOTENT|CONNECT_RESUME_ON_READ_WRITE; + + return connectx(sockfd, &ep, SAE_ASSOCID_ANY, flags, NULL, 0, NULL, NULL); +#elif defined(__linux__) + // connect() will be called implicitly with sendto(), sendmsg() + return 0; +#else + errno = ENOTSUP; + return -1; +#endif +} + +/*! + * Sends data with TCP Fast Open. + */ +static int fastopen_send(int sockfd, const struct msghdr *msg, int timeout) +{ +#if defined(__FreeBSD__) || defined(__APPLE__) + return sendmsg(sockfd, msg, 0); +#elif defined(__linux__) + int ret = sendmsg(sockfd, msg, MSG_FASTOPEN); + if (ret == -1 && errno == EINPROGRESS) { + struct pollfd pfd = { + .fd = sockfd, + .events = POLLOUT, + .revents = 0, + }; + if (poll(&pfd, 1, 1000 * timeout) != 1) { + errno = ETIMEDOUT; + return -1; + } + ret = sendmsg(sockfd, msg, 0); + } + return ret; +#else + errno = ENOTSUP; + return -1; +#endif +} + +int net_connect(net_t *net) +{ + if (net == NULL || net->srv == NULL) { + DBG_NULL; + return KNOT_EINVAL; + } + + // Set remote information string. + get_addr_str((struct sockaddr_storage *)net->srv->ai_addr, + net->socktype, &net->remote_str); + + // Create socket. + int sockfd = socket(net->srv->ai_family, net->socktype, 0); + if (sockfd == -1) { + WARN("can't create socket for %s\n", net->remote_str); + return KNOT_NET_ESOCKET; + } + + // Initialize poll descriptor structure. + struct pollfd pfd = { + .fd = sockfd, + .events = POLLOUT, + .revents = 0, + }; + + // Set non-blocking socket. + if (fcntl(sockfd, F_SETFL, O_NONBLOCK) == -1) { + WARN("can't set non-blocking socket for %s\n", net->remote_str); + return KNOT_NET_ESOCKET; + } + + // Bind address to socket if specified. + if (net->local_info != NULL) { + if (bind(sockfd, net->local_info->ai_addr, + net->local_info->ai_addrlen) == -1) { + WARN("can't assign address %s\n", net->local->name); + return KNOT_NET_ESOCKET; + } + } else { + // Ensure source port is always randomized (even for TCP). + struct sockaddr_storage local = { .ss_family = net->srv->ai_family }; + (void)bind(sockfd, (struct sockaddr *)&local, sockaddr_len(&local)); + } + + if (net->socktype == SOCK_STREAM) { + int cs, err, ret = 0; + socklen_t err_len = sizeof(err); + bool fastopen = net->flags & NET_FLAGS_FASTOPEN; + + // Connect using socket. + if (fastopen) { + ret = fastopen_connect(sockfd, net->srv); + } else { + ret = connect(sockfd, net->srv->ai_addr, net->srv->ai_addrlen); + } + if (ret != 0 && errno != EINPROGRESS) { + WARN("can't connect to %s\n", net->remote_str); + close(sockfd); + return KNOT_NET_ECONNECT; + } + + // Check for connection timeout. + if (!fastopen && poll(&pfd, 1, 1000 * net->wait) != 1) { + WARN("connection timeout for %s\n", net->remote_str); + close(sockfd); + return KNOT_NET_ECONNECT; + } + + // Check if NB socket is writeable. + cs = getsockopt(sockfd, SOL_SOCKET, SO_ERROR, &err, &err_len); + if (cs < 0 || err != 0) { + WARN("can't connect to %s\n", net->remote_str); + close(sockfd); + return KNOT_NET_ECONNECT; + } + + if (net->tls.params != NULL) { +#ifdef LIBNGHTTP2 + if (net->https.params.enable) { + // Establish HTTPS connection. + char *remote = NULL; + if (net->tls.params->sni != NULL) { + remote = net->tls.params->sni; + } else if (net->tls.params->hostname != NULL) { + remote = net->tls.params->hostname; + } else if (strchr(net->remote_str, ':') == NULL) { + char *at = strchr(net->remote_str, '@'); + if (at != NULL && strncmp(net->remote->name, net->remote_str, at - net->remote_str)) { + remote = net->remote->name; + } + } + ret = https_ctx_connect(&net->https, sockfd, (struct sockaddr_storage *)net->srv->ai_addr, remote); + } else { + // Establish TLS connection. + ret = tls_ctx_connect(&net->tls, sockfd, net->tls.params->sni); + } +#else + ret = tls_ctx_connect(&net->tls, sockfd, net->tls.params->sni); +#endif //LIBNGHTTP2 + if (ret != KNOT_EOK) { + close(sockfd); + return ret; + } + } + } + + // Store socket descriptor. + net->sockfd = sockfd; + + return KNOT_EOK; +} + +int net_set_local_info(net_t *net) +{ + if (net == NULL) { + DBG_NULL; + return KNOT_EINVAL; + } + + socklen_t local_addr_len = sizeof(struct sockaddr_storage); + + struct addrinfo *new_info = calloc(1, sizeof(*new_info) + local_addr_len); + if (new_info == NULL) { + return KNOT_ENOMEM; + } + + new_info->ai_addr = (struct sockaddr *)(new_info + 1); + new_info->ai_family = net->srv->ai_family; + new_info->ai_socktype = net->srv->ai_socktype; + new_info->ai_protocol = net->srv->ai_protocol; + new_info->ai_addrlen = local_addr_len; + + if (getsockname(net->sockfd, new_info->ai_addr, &local_addr_len) == -1) { + WARN("can't get local address\n"); + free(new_info); + return KNOT_NET_ESOCKET; + } + + if (net->local_info != NULL) { + if (net->local == NULL) { + free(net->local_info); + } else { + freeaddrinfo(net->local_info); + } + } + + net->local_info = new_info; + + get_addr_str((struct sockaddr_storage *)net->local_info->ai_addr, + net->socktype, &net->local_str); + + return KNOT_EOK; +} + +int net_send(const net_t *net, const uint8_t *buf, const size_t buf_len) +{ + if (net == NULL || buf == NULL) { + DBG_NULL; + return KNOT_EINVAL; + } + + // Send data over UDP. + if (net->socktype == SOCK_DGRAM) { + if (sendto(net->sockfd, buf, buf_len, 0, net->srv->ai_addr, + net->srv->ai_addrlen) != (ssize_t)buf_len) { + WARN("can't send query to %s\n", net->remote_str); + return KNOT_NET_ESEND; + } +#ifdef LIBNGHTTP2 + // Send data over HTTPS + } else if (net->https.params.enable) { + int ret = https_send_dns_query((https_ctx_t *)&net->https, buf, buf_len); + if (ret != KNOT_EOK) { + WARN("can't send query to %s\n", net->remote_str); + return KNOT_NET_ESEND; + } +#endif //LIBNGHTTP2 + // Send data over TLS. + } else if (net->tls.params != NULL) { + int ret = tls_ctx_send((tls_ctx_t *)&net->tls, buf, buf_len); + if (ret != KNOT_EOK) { + WARN("can't send query to %s\n", net->remote_str); + return KNOT_NET_ESEND; + } + // Send data over TCP. + } else { + bool fastopen = net->flags & NET_FLAGS_FASTOPEN; + + // Leading packet length bytes. + uint16_t pktsize = htons(buf_len); + + struct iovec iov[2]; + iov[0].iov_base = &pktsize; + iov[0].iov_len = sizeof(pktsize); + iov[1].iov_base = (uint8_t *)buf; + iov[1].iov_len = buf_len; + + // Compute packet total length. + ssize_t total = iov[0].iov_len + iov[1].iov_len; + + struct msghdr msg = {0}; + msg.msg_iov = iov; + msg.msg_iovlen = sizeof(iov) / sizeof(*iov); + msg.msg_name = net->srv->ai_addr; + msg.msg_namelen = net->srv->ai_addrlen; + + int ret = 0; + if (fastopen) { + ret = fastopen_send(net->sockfd, &msg, net->wait); + } else { + ret = sendmsg(net->sockfd, &msg, 0); + } + if (ret != total) { + WARN("can't send query to %s\n", net->remote_str); + return KNOT_NET_ESEND; + } + } + + return KNOT_EOK; +} + +int net_receive(const net_t *net, uint8_t *buf, const size_t buf_len) +{ + if (net == NULL || buf == NULL) { + DBG_NULL; + return KNOT_EINVAL; + } + + // Initialize poll descriptor structure. + struct pollfd pfd = { + .fd = net->sockfd, + .events = POLLIN, + .revents = 0, + }; + + // Receive data over UDP. + if (net->socktype == SOCK_DGRAM) { + struct sockaddr_storage from; + memset(&from, '\0', sizeof(from)); + + // Receive replies unless correct reply or timeout. + while (true) { + socklen_t from_len = sizeof(from); + + // Wait for datagram data. + if (poll(&pfd, 1, 1000 * net->wait) != 1) { + WARN("response timeout for %s\n", + net->remote_str); + return KNOT_NET_ETIMEOUT; + } + + // Receive whole UDP datagram. + ssize_t ret = recvfrom(net->sockfd, buf, buf_len, 0, + (struct sockaddr *)&from, &from_len); + if (ret <= 0) { + WARN("can't receive reply from %s\n", + net->remote_str); + return KNOT_NET_ERECV; + } + + // Compare reply address with the remote one. + if (from_len > sizeof(from) || + memcmp(&from, net->srv->ai_addr, from_len) != 0) { + char *src = NULL; + get_addr_str(&from, net->socktype, &src); + WARN("unexpected reply source %s\n", src); + free(src); + continue; + } + + return ret; + } +#ifdef LIBNGHTTP2 + // Receive data over HTTPS. + } else if (net->https.params.enable) { + return https_recv_dns_response((https_ctx_t *)&net->https, buf, buf_len); +#endif //LIBNGHTTP2 + // Receive data over TLS. + } else if (net->tls.params != NULL) { + int ret = tls_ctx_receive((tls_ctx_t *)&net->tls, buf, buf_len); + if (ret < 0) { + WARN("can't receive reply from %s\n", net->remote_str); + return KNOT_NET_ERECV; + } + + return ret; + // Receive data over TCP. + } else { + uint32_t total = 0; + + uint16_t msg_len = 0; + // Receive TCP message header. + while (total < sizeof(msg_len)) { + if (poll(&pfd, 1, 1000 * net->wait) != 1) { + WARN("response timeout for %s\n", + net->remote_str); + return KNOT_NET_ETIMEOUT; + } + + // Receive piece of message. + ssize_t ret = recv(net->sockfd, (uint8_t *)&msg_len + total, + sizeof(msg_len) - total, 0); + if (ret <= 0) { + WARN("can't receive reply from %s\n", + net->remote_str); + return KNOT_NET_ERECV; + } + total += ret; + } + + // Convert number to host format. + msg_len = ntohs(msg_len); + if (msg_len > buf_len) { + return KNOT_ESPACE; + } + + total = 0; + + // Receive whole answer message by parts. + while (total < msg_len) { + if (poll(&pfd, 1, 1000 * net->wait) != 1) { + WARN("response timeout for %s\n", + net->remote_str); + return KNOT_NET_ETIMEOUT; + } + + // Receive piece of message. + ssize_t ret = recv(net->sockfd, buf + total, msg_len - total, 0); + if (ret <= 0) { + WARN("can't receive reply from %s\n", + net->remote_str); + return KNOT_NET_ERECV; + } + total += ret; + } + + return total; + } + + return KNOT_NET_ERECV; +} + +void net_close(net_t *net) +{ + if (net == NULL) { + DBG_NULL; + return; + } + + tls_ctx_close(&net->tls); + close(net->sockfd); + net->sockfd = -1; +} + +void net_clean(net_t *net) +{ + if (net == NULL) { + DBG_NULL; + return; + } + + free(net->local_str); + free(net->remote_str); + + if (net->local_info != NULL) { + if (net->local == NULL) { + free(net->local_info); + } else { + freeaddrinfo(net->local_info); + } + } + + if (net->remote_info != NULL) { + freeaddrinfo(net->remote_info); + } + +#ifdef LIBNGHTTP2 + https_ctx_deinit(&net->https); +#endif + tls_ctx_deinit(&net->tls); +} diff --git a/src/utils/common/netio.h b/src/utils/common/netio.h new file mode 100644 index 0000000..adea1f2 --- /dev/null +++ b/src/utils/common/netio.h @@ -0,0 +1,226 @@ +/* Copyright (C) 2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#pragma once + +#include <netdb.h> +#include <stdint.h> +#include <sys/socket.h> + +#include "utils/common/https.h" +#include "utils/common/params.h" +#include "utils/common/tls.h" + +/*! \brief Structure containing server information. */ +typedef struct { + /*! List node (for list container). */ + node_t n; + /*! Name or address of the server. */ + char *name; + /*! Name or number of the service. */ + char *service; +} srv_info_t; + +typedef enum { + NET_FLAGS_NONE = 0, + NET_FLAGS_FASTOPEN = 1 << 0, +} net_flags_t; + +typedef struct { + /*! Socket descriptor. */ + int sockfd; + + /*! IP protocol type. */ + int iptype; + /*! Socket type. */ + int socktype; + /*! Timeout for all network operations. */ + int wait; + /*! Connection flags. */ + net_flags_t flags; + + /*! Local interface parameters. */ + const srv_info_t *local; + /*! Remote server parameters. */ + const srv_info_t *remote; + + /*! Local description string (used for logging). */ + char *local_str; + /*! Remote description string (used for logging). */ + char *remote_str; + + /*! Output from getaddrinfo for remote server. If the server is + * specified using domain name, this structure may contain more + * results. + */ + struct addrinfo *remote_info; + /*! Currently used result from remote_info. */ + struct addrinfo *srv; + /*! Output from getaddrinfo for local address. Only first result is + * used. + */ + struct addrinfo *local_info; + + /*! TLS context. */ + tls_ctx_t tls; +#ifdef LIBNGHTTP2 + /*! HTTPS context. */ + https_ctx_t https; +#endif +} net_t; + +/*! + * \brief Creates and fills server structure. + * + * \param name Address or host name. + * \param service Port number or service name. + * + * \retval server if success. + * \retval NULL if error. + */ +srv_info_t *srv_info_create(const char *name, const char *service); + +/*! + * \brief Destroys server structure. + * + * \param server Server structure to destroy. + */ +void srv_info_free(srv_info_t *server); + +/*! + * \brief Translates enum IP version type to int version. + * + * \param ip IP version to convert. + * + * \retval AF_INET, AF_INET6 or AF_UNSPEC. + */ +int get_iptype(const ip_t ip); + +/*! + * \brief Translates enum IP protocol type to int version in context to the + * current DNS query type. + * + * \param proto IP protocol type to convert. + * \param type DNS query type number. + * + * \retval SOCK_STREAM or SOCK_DGRAM. + */ +int get_socktype(const protocol_t proto, const uint16_t type); + +/*! + * \brief Translates int socket type to the common string one. + * + * \param socktype Socket type (SOCK_STREAM or SOCK_DGRAM). + * + * \retval "TCP" or "UDP". + */ +const char *get_sockname(const int socktype); + +/*! + * \brief Translates int socket type to the common string one. + * + * \param ss Socket address storage. + * \param socktype Socket type (SOCK_STREAM or SOCK_DGRAM). + * \param dst Output string. + */ +void get_addr_str(const struct sockaddr_storage *ss, + const int socktype, + char **dst); + +/*! + * \brief Initializes network structure and resolves local and remote addresses. + * + * \param local Local address and service description. + * \param remote Remote address and service description. + * \param iptype IP version. + * \param socktype Socket type. + * \param wait Network timeout interval. + * \param tls_params TLS parameters. + * \param https_params HTTPS parameters. + * \param flags Connection flags. + * \param net Network structure to initialize. + * + * \retval KNOT_EOK if success. + * \retval errcode if error. + */ +int net_init(const srv_info_t *local, + const srv_info_t *remote, + const int iptype, + const int socktype, + const int wait, + const net_flags_t flags, + const tls_params_t *tls_params, + const https_params_t *https_params, + net_t *net); + +/*! + * \brief Creates socket and connects (if TCP) to remote address specified + * by net->srv. + * + * \param net Connection parameters. + * + * \retval KNOT_EOK if success. + * \retval errcode if error. + */ +int net_connect(net_t *net); + +/*! + * \brief Fills in local address information. + * + * \param net Connection parameters. + * + * \retval KNOT_EOK if success. + * \retval errcode if error. + */ +int net_set_local_info(net_t *net); + +/*! + * \brief Sends data to connected remote server. + * + * \param net Connection parameters. + * \param buf Data to send. + * \param buf_len Length of the data to send. + * + * \retval KNOT_EOK if success. + * \retval errcode if error. + */ +int net_send(const net_t *net, const uint8_t *buf, const size_t buf_len); + +/*! + * \brief Receives data from connected remote server. + * + * \param net Connection parameters. + * \param buf Buffer for incoming data. + * \param buf_len Length of the buffer. + * + * \retval >=0 length of successfully received data. + * \retval errcode if error. + */ +int net_receive(const net_t *net, uint8_t *buf, const size_t buf_len); + +/*! + * \brief Closes current network connection. + * + * \param net Connection parameters. + */ +void net_close(net_t *net); + +/*! + * \brief Cleans up network structure. + * + * \param net Connection parameters. + */ +void net_clean(net_t *net); diff --git a/src/utils/common/params.c b/src/utils/common/params.c new file mode 100644 index 0000000..684a7d1 --- /dev/null +++ b/src/utils/common/params.c @@ -0,0 +1,347 @@ +/* Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#include <arpa/inet.h> +#include <stdio.h> +#include <stdlib.h> +#include <netinet/in.h> +#include <sys/socket.h> + +#ifdef LIBIDN +#include LIBIDN_HEADER +#endif + +#include "utils/common/params.h" +#include "utils/common/msg.h" +#include "utils/common/resolv.h" +#include "utils/common/token.h" +#include "libknot/libknot.h" +#include "contrib/macros.h" +#include "contrib/mempattern.h" +#include "contrib/openbsd/strlcpy.h" +#include "contrib/strtonum.h" + +#define IPV4_REVERSE_DOMAIN "in-addr.arpa." +#define IPV6_REVERSE_DOMAIN "ip6.arpa." + +char *name_from_idn(const char *idn_name) { +#ifdef LIBIDN + char *name = NULL; + + int rc = idna_to_ascii_lz(idn_name, &name, 0); + if (rc != IDNA_SUCCESS) { + ERR("IDNA (%s)\n", idna_strerror(rc)); + return NULL; + } + + return name; +#endif + return strdup(idn_name); +} + +void name_to_idn(char **name) { +#ifdef LIBIDN + char *idn_name = NULL; + + int rc = idna_to_unicode_8zlz(*name, &idn_name, 0); + if (rc != IDNA_SUCCESS) { + return; + } + + free(*name); + *name = idn_name; +#endif + return; +} + +/*! + * \brief Checks if string is a prefix of reference string. + * + * \param pref Prefix string. + * \param pref_len Prefix length. + * \param str Reference string (must have trailing zero). + * + * \retval -1 \a pref is not a prefix of \a str. + * \retval 0<= number of chars after prefix \a pref in \a str. + */ +static int cmp_prefix(const char *pref, const size_t pref_len, + const char *str) +{ + size_t i = 0; + while (1) { + // Different characters => NOT prefix. + if (pref[i] != str[i]) { + return -1; + } + + i++; + + // Pref IS a prefix of pref. + if (i == pref_len) { + size_t rest = 0; + while (str[i + rest] != '\0') { + rest++; + } + return rest; + // Pref is longer then ref => NOT prefix. + } else if (str[i] == '\0') { + return -1; + } + } +} + +int best_param(const char *str, const size_t str_len, const param_t *tbl, + bool *unique) +{ + if (str == NULL || str_len == 0 || tbl == NULL) { + DBG_NULL; + return KNOT_EINVAL; + } + + int best_pos = -1; + int best_match = INT_MAX; + size_t matches = 0; + for (int i = 0; tbl[i].name != NULL; i++) { + int ret = cmp_prefix(str, str_len, tbl[i].name); + switch (ret) { + case -1: + continue; + case 0: + *unique = true; + return i; + default: + if (ret < best_match) { + best_pos = i; + best_match = ret; + } + matches++; + } + } + + switch (matches) { + case 0: + return KNOT_ENOTSUP; + case 1: + *unique = true; + return best_pos; + default: + *unique = false; + return best_pos; + } +} + +char *get_reverse_name(const char *name) +{ + struct in_addr addr4; + struct in6_addr addr6; + int ret; + char buf[128] = "\0"; + + if (name == NULL) { + DBG_NULL; + return NULL; + } + + // Check name for IPv4 address, IPv6 address or other. + if (inet_pton(AF_INET, name, &addr4) == 1) { + uint32_t num = ntohl(addr4.s_addr); + + // Create IPv4 reverse FQD name. + ret = snprintf(buf, sizeof(buf), "%u.%u.%u.%u.%s", + (num >> 0) & 0xFF, (num >> 8) & 0xFF, + (num >> 16) & 0xFF, (num >> 24) & 0xFF, + IPV4_REVERSE_DOMAIN); + if (ret < 0 || (size_t)ret >= sizeof(buf)) { + return NULL; + } + + return strdup(buf); + } else if (inet_pton(AF_INET6, name, &addr6) == 1) { + char *pos = buf; + size_t len = sizeof(buf); + uint8_t left, right; + + // Create IPv6 reverse name. + for (int i = 15; i >= 0; i--) { + left = ((addr6.s6_addr)[i] & 0xF0) >> 4; + right = (addr6.s6_addr)[i] & 0x0F; + + ret = snprintf(pos, len, "%x.%x.", right, left); + if (ret < 0 || (size_t)ret >= len) { + return NULL; + } + + pos += ret; + len -= ret; + } + + // Add IPv6 reverse domain. + ret = snprintf(pos, len, "%s", IPV6_REVERSE_DOMAIN); + if (ret < 0 || (size_t)ret >= len) { + return NULL; + } + + return strdup(buf); + } else { + return NULL; + } +} + +char *get_fqd_name(const char *name) +{ + char *fqd_name = NULL; + + if (name == NULL) { + DBG_NULL; + return NULL; + } + + size_t name_len = strlen(name); + + // If the name is FQDN, make a copy. + if (name[name_len - 1] == '.') { + fqd_name = strdup(name); + // Else make a copy and append a trailing dot. + } else { + size_t fqd_name_size = name_len + 2; + fqd_name = malloc(fqd_name_size); + if (fqd_name != NULL) { + strlcpy(fqd_name, name, fqd_name_size); + fqd_name[name_len] = '.'; + fqd_name[name_len + 1] = 0; + } + } + + return fqd_name; +} + +int params_parse_class(const char *value, uint16_t *rclass) +{ + if (value == NULL || rclass == NULL) { + DBG_NULL; + return KNOT_EINVAL; + } + + if (knot_rrclass_from_string(value, rclass) == 0) { + return KNOT_EOK; + } else { + return KNOT_EINVAL; + } +} + +int params_parse_type(const char *value, uint16_t *rtype, int64_t *serial, + bool *notify) +{ + if (value == NULL || rtype == NULL || serial == NULL) { + DBG_NULL; + return KNOT_EINVAL; + } + + // Find and parse type name. + size_t param_pos = strcspn(value, "="); + char *type_char = strndup(value, param_pos); + + if (knot_rrtype_from_string(type_char, rtype) != 0) { + size_t cmp_len = MAX(strlen("NOTIFY"), param_pos); + if (strncasecmp(type_char, "NOTIFY", cmp_len) == 0) { + *rtype = KNOT_RRTYPE_SOA; + *notify = true; + } else { + free(type_char); + return KNOT_EINVAL; + } + } else { + *notify = false; + } + + free(type_char); + + // Parse additional parameter. + if (param_pos == strlen(value)) { + // IXFR requires serial parameter. + if (*rtype == KNOT_RRTYPE_IXFR) { + DBG("SOA serial is required for IXFR query\n"); + return KNOT_EINVAL; + } else { + *serial = -1; + } + } else { + // Additional parameter is accepted for IXFR or NOTIFY. + if (*rtype == KNOT_RRTYPE_IXFR || *notify) { + const char *param_str = value + 1 + param_pos; + char *end; + + // Convert string to serial. + unsigned long long num = strtoull(param_str, &end, 10); + + // Check for bad serial string. + if (end == param_str || *end != '\0' || num > UINT32_MAX) { + DBG("bad SOA serial '%s'\n", param_str); + return KNOT_EINVAL; + } + + *serial = num; + } else { + DBG("unsupported parameter '%s'\n", value); + return KNOT_EINVAL; + } + } + + return KNOT_EOK; +} + +int params_parse_server(const char *value, list_t *servers, const char *def_port) +{ + if (value == NULL || servers == NULL) { + DBG_NULL; + return KNOT_EINVAL; + } + + // Add specified nameserver. + srv_info_t *server = parse_nameserver(value, def_port); + if (server == NULL) { + return KNOT_EINVAL; + } + add_tail(servers, (node_t *)server); + + return KNOT_EOK; +} + +int params_parse_wait(const char *value, int32_t *dst) +{ + if (value == NULL || dst == NULL) { + DBG_NULL; + return KNOT_EINVAL; + } + + uint32_t num = 0; + int ret = str_to_u32(value, &num); + if (ret != KNOT_EOK) { + return ret; + } + + // Check for minimal value. + if (num < 1) { + num = 1; + // Reduce maximal value. Poll takes signed int in milliseconds. + } else if (num > INT32_MAX / 1000) { + num = INT32_MAX / 1000; + } + + *dst = num; + + return KNOT_EOK; +} diff --git a/src/utils/common/params.h b/src/utils/common/params.h new file mode 100644 index 0000000..6c3cc31 --- /dev/null +++ b/src/utils/common/params.h @@ -0,0 +1,165 @@ +/* Copyright (C) 2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#pragma once + +#include <limits.h> +#include <stdint.h> +#include <stdbool.h> +#include <stdio.h> + +#include "libknot/libknot.h" +#include "contrib/ucw/lists.h" + +#define DEFAULT_IPV4_NAME "127.0.0.1" +#define DEFAULT_IPV6_NAME "::1" +#define DEFAULT_DNS_PORT "53" +#define DEFAULT_DNS_HTTPS_PORT "443" +#define DEFAULT_DNS_TLS_PORT "853" +#define DEFAULT_UDP_SIZE 512 +#define DEFAULT_EDNS_SIZE 4096 +#define MAX_PACKET_SIZE 65535 + +#define SEP_CHARS "\n\t " + +/*! \brief Variants of IP protocol. */ +typedef enum { + IP_ALL, + IP_4, + IP_6 +} ip_t; + +/*! \brief Variants of transport protocol. */ +typedef enum { + PROTO_ALL, + PROTO_TCP, + PROTO_UDP +} protocol_t; + +/*! \brief Variants of output type. */ +typedef enum { + /*!< Verbose output (same for host and dig). */ + FORMAT_FULL, + /*!< Short dig output. */ + FORMAT_DIG, + /*!< Brief host output. */ + FORMAT_HOST, + /*!< Brief nsupdate output. */ + FORMAT_NSUPDATE +} format_t; + +/*! \brief Text output settings. */ +typedef struct { + /*!< Output format. */ + format_t format; + + /*!< Style of rrset dump. */ + knot_dump_style_t style; + + /*!< Show query packet. */ + bool show_query; + /*!< Show header info. */ + bool show_header; + /*!< Show section name. */ + bool show_section; + /*!< Show EDNS pseudosection. */ + bool show_edns; + /*!< Show unknown EDNS options in printable format. */ + bool show_edns_opt_text; + /*!< Show QUERY/ZONE section. */ + bool show_question; + /*!< Show ANSWER/PREREQ section. */ + bool show_answer; + /*!< Show UPDATE/AUTHORITY section. */ + bool show_authority; + /*!< Show ADDITIONAL section. */ + bool show_additional; + /*!< Show TSIG pseudosection. */ + bool show_tsig; + /*!< Show footer info. */ + bool show_footer; + + /*!< KHOST - Hide CNAME record in answer (duplicity reduction). */ + bool hide_cname; +} style_t; + +/*! \brief Parameter handler. */ +typedef int (*param_handle_f)(const char *arg, void *params); + +/*! \brief Parameter argument type. */ +typedef enum { + ARG_NONE, + ARG_REQUIRED, + ARG_OPTIONAL +} arg_t; + +/*! \brief Parameter specification. */ +typedef struct { + const char *name; + arg_t arg; + param_handle_f handler; +} param_t; + +inline static void print_version(const char *program_name) +{ + printf("%s (Knot DNS), version %s\n", program_name, PACKAGE_VERSION); +} + +/*! + * \brief Transforms localized IDN string to ASCII punycode. + * + * \param idn_name IDN name to transform. + * + * \retval NULL if transformation fails. + * \retval string if ok. + */ +char *name_from_idn(const char *idn_name); + +/*! + * \brief Transforms ASCII punycode to localized IDN string. + * + * If an error occurs or IDN support is missing, this function does nothing. + * + * \param name ASCII name to transform and replace with IDN name. + */ +void name_to_idn(char **name); + +/*! + * \brief Find the best parameter match in table based on prefix equality. + * + * \param str Parameter name to look up. + * \param str_len Parameter name length. + * \param tbl Parameter table. + * \param unique Indication if output is unique result. + * + * \retval >=0 looked up parameter position in \a tbl. + * \retval err if error. + */ +int best_param(const char *str, const size_t str_len, const param_t *tbl, + bool *unique); + +char *get_reverse_name(const char *name); + +char *get_fqd_name(const char *name); + +int params_parse_class(const char *value, uint16_t *rclass); + +int params_parse_type(const char *value, uint16_t *rtype, int64_t *serial, + bool *notify); + +int params_parse_server(const char *value, list_t *servers, const char *def_port); + +int params_parse_wait(const char *value, int32_t *dst); diff --git a/src/utils/common/resolv.c b/src/utils/common/resolv.c new file mode 100644 index 0000000..a5aad14 --- /dev/null +++ b/src/utils/common/resolv.c @@ -0,0 +1,208 @@ +/* Copyright (C) 2016 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#include <stdio.h> +#include <string.h> +#include <stdlib.h> + +#include "utils/common/resolv.h" +#include "utils/common/msg.h" +#include "utils/common/params.h" +#include "libknot/libknot.h" +#include "contrib/ucw/lists.h" + +#define RESOLV_FILE "/etc/resolv.conf" + +srv_info_t* parse_nameserver(const char *str, const char *def_port) +{ + char *host = NULL, *port = NULL; + const char *addr = NULL, *sep = NULL; + size_t addr_len = 0; + char separator = ':'; + + if (str == NULL || def_port == NULL) { + DBG_NULL; + return NULL; + } + + const size_t str_len = strlen(str); + const char *str_end = str + str_len; + + // [address]:port notation. + if (*str == '[') { + addr = str + 1; + const char *addr_end = strchr(addr, ']'); + // Missing closing bracket -> stop processing. + if (addr_end == NULL) { + return NULL; + } + addr_len = addr_end - addr; + str += 1 + addr_len + 1; + // Address@port notation. + } else if ((sep = strchr(str, '@')) != NULL) { + addr = str; + addr_len = sep - addr; + str += addr_len; + separator = '@'; + // Address#port notation. + } else if ((sep = strchr(str, '#')) != NULL) { + addr = str; + addr_len = sep - addr; + str += addr_len; + separator = '#'; + // IPv4:port notation. + } else if ((sep = strchr(str, ':')) != NULL) { + addr = str; + // Not IPv4 address -> no port. + if (strchr(sep + 1, ':') != NULL) { + addr_len = str_len; + str = str_end; + } else { + addr_len = sep - addr; + str += addr_len; + } + // No port specified. + } else { + addr = str; + addr_len = str_len; + str = str_end; + } + + // Process port. + if (str < str_end) { + // Check port separator. + if (*str != separator) { + return NULL; + } + str++; + + // Check for missing port. + if (str >= str_end) { + return NULL; + } + + port = strdup(str); + } else { + port = strdup(def_port); + } + + host = strndup(addr, addr_len); + + // Create server structure. + srv_info_t *server = srv_info_create(host, port); + + free(host); + free(port); + + return server; +} + +static size_t get_resolv_nameservers(list_t *servers, const char *def_port) +{ + char line[512]; + + // Open config file. + FILE *f = fopen(RESOLV_FILE, "r"); + if (f == NULL) { + return 0; + } + + // Read lines from config file. + while (fgets(line, sizeof(line), f) != NULL) { + size_t len; + char *pos = line; + char *option, *value; + + // Find leading white characters. + len = strspn(pos, SEP_CHARS); + pos += len; + + // Start of the first token. + option = pos; + + // Find length of the token. + len = strcspn(pos, SEP_CHARS); + pos += len; + + // Check if the token is not empty. + if (len == 0) { + continue; + } + + // Find separating white characters. + len = strspn(pos, SEP_CHARS); + pos += len; + + // Check if there is a separation between tokens. + if (len == 0) { + continue; + } + + // Copy of the second token. + value = strndup(pos, strcspn(pos, SEP_CHARS)); + + // Process value with respect to option name. + if (strncmp(option, "nameserver", strlen("nameserver")) == 0) { + srv_info_t *server; + + server = parse_nameserver(value, def_port); + + // If value is correct, add nameserver to the list. + if (server != NULL) { + add_tail(servers, (node_t *)server); + } + } + + // Drop value string. + free(value); + } + + // Close config file. + fclose(f); + + // Return number of servers. + return list_size(servers); +} + +void get_nameservers(list_t *servers, const char *def_port) +{ + if (servers == NULL || def_port == NULL) { + DBG_NULL; + return; + } + + // Initialize list of servers. + init_list(servers); + + // Read nameservers from resolv file or use the default ones. + if (get_resolv_nameservers(servers, def_port) == 0) { + srv_info_t *server; + + // Add default ipv6 nameservers. + server = srv_info_create(DEFAULT_IPV6_NAME, def_port); + + if (server != NULL) { + add_tail(servers, (node_t *)server); + } + + // Add default ipv4 nameservers. + server = srv_info_create(DEFAULT_IPV4_NAME, def_port); + + if (server != NULL) { + add_tail(servers, (node_t *)server); + } + } +} diff --git a/src/utils/common/resolv.h b/src/utils/common/resolv.h new file mode 100644 index 0000000..fb751d1 --- /dev/null +++ b/src/utils/common/resolv.h @@ -0,0 +1,24 @@ +/* Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#pragma once + +#include "utils/common/netio.h" +#include "contrib/ucw/lists.h" + +srv_info_t* parse_nameserver(const char *str, const char *def_port); + +void get_nameservers(list_t *servers, const char *def_port); diff --git a/src/utils/common/sign.c b/src/utils/common/sign.c new file mode 100644 index 0000000..84284d3 --- /dev/null +++ b/src/utils/common/sign.c @@ -0,0 +1,109 @@ +/* Copyright (C) 2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#include <string.h> + +#include "utils/common/sign.h" +#include "libknot/errcode.h" +#include "libknot/tsig-op.h" + +int sign_context_init_tsig(sign_context_t *ctx, const knot_tsig_key_t *key) +{ + if (!ctx || !key) { + return KNOT_EINVAL; + } + + size_t digest_size = dnssec_tsig_algorithm_size(key->algorithm); + if (digest_size == 0) { + return KNOT_EINVAL; + } + + uint8_t *digest = calloc(1, digest_size); + if (!digest) { + return KNOT_ENOMEM; + } + + ctx->digest_size = digest_size; + ctx->digest = digest; + ctx->tsig_key = key; + + return KNOT_EOK; +} + +void sign_context_deinit(sign_context_t *ctx) +{ + if (!ctx) { + return; + } + + free(ctx->digest); + + memset(ctx, 0, sizeof(*ctx)); +} + +int sign_packet(knot_pkt_t *pkt, sign_context_t *sign_ctx) +{ + if (pkt == NULL || sign_ctx == NULL || sign_ctx->digest == NULL) { + return KNOT_EINVAL; + } + + uint8_t *wire = pkt->wire; + size_t *wire_size = &pkt->size; + size_t max_size = pkt->max_size; + + int ret = knot_pkt_reserve(pkt, knot_tsig_wire_size(sign_ctx->tsig_key)); + if (ret != KNOT_EOK) { + return ret; + } + + return knot_tsig_sign(wire, wire_size, max_size, NULL, 0, + sign_ctx->digest, &sign_ctx->digest_size, + sign_ctx->tsig_key, 0, 0); +} + +int verify_packet(const knot_pkt_t *pkt, const sign_context_t *sign_ctx) +{ + if (pkt == NULL || sign_ctx == NULL || sign_ctx->digest == NULL) { + return KNOT_EINVAL; + } + + const uint8_t *wire = pkt->wire; + const size_t *wire_size = &pkt->size; + + if (pkt->tsig_rr == NULL) { + return KNOT_ENOTSIG; + } + + int ret = knot_tsig_client_check(pkt->tsig_rr, wire, *wire_size, + sign_ctx->digest, sign_ctx->digest_size, + sign_ctx->tsig_key, 0); + if (ret != KNOT_EOK) { + return ret; + } + + switch (knot_tsig_rdata_error(pkt->tsig_rr)) { + case KNOT_RCODE_BADSIG: + return KNOT_TSIG_EBADSIG; + case KNOT_RCODE_BADKEY: + return KNOT_TSIG_EBADKEY; + case KNOT_RCODE_BADTIME: + return KNOT_TSIG_EBADTIME; + case KNOT_RCODE_BADTRUNC: + return KNOT_TSIG_EBADTRUNC; + default: + return KNOT_EOK; + } +} diff --git a/src/utils/common/sign.h b/src/utils/common/sign.h new file mode 100644 index 0000000..52f41ef --- /dev/null +++ b/src/utils/common/sign.h @@ -0,0 +1,63 @@ +/* Copyright (C) 2015 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#pragma once + +#include "libknot/packet/pkt.h" +#include "libknot/tsig.h" + +/*! + * \brief Holds data required between signing and signature verification. + */ +struct sign_context { + size_t digest_size; + uint8_t *digest; + const knot_tsig_key_t *tsig_key; +}; + +typedef struct sign_context sign_context_t; + +/*! + * \brief Initialize signing context for TSIG. + */ +int sign_context_init_tsig(sign_context_t *ctx, const knot_tsig_key_t *key); + +/*! + * \brief Clean up signing context. + * + * \param ctx Sign context. + */ +void sign_context_deinit(sign_context_t *ctx); + +/*! + * \brief Signs outgoing DNS packet. + * + * \param pkt Packet to sign. + * \param sign_ctx Signing context. + * + * \return Error code, KNOT_EOK if successful. + */ +int sign_packet(knot_pkt_t *pkt, sign_context_t *sign_ctx); + +/*! + * \brief Verifies signature for incoming DNS packet. + * + * \param pkt Packet verify sign. + * \param sign_ctx Signing context. + * + * \return Error code, KNOT_EOK if successful. + */ +int verify_packet(const knot_pkt_t *pkt, const sign_context_t *sign_ctx); diff --git a/src/utils/common/tls.c b/src/utils/common/tls.c new file mode 100644 index 0000000..57dfc9f --- /dev/null +++ b/src/utils/common/tls.c @@ -0,0 +1,681 @@ +/* Copyright (C) 2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#include <assert.h> +#include <arpa/inet.h> +#include <stdbool.h> +#include <string.h> +#include <gnutls/gnutls.h> +#include <gnutls/ocsp.h> +#include <gnutls/x509.h> +#include <poll.h> + +#include "utils/common/tls.h" +#include "utils/common/cert.h" +#include "utils/common/msg.h" +#include "contrib/base64.h" +#include "libknot/errcode.h" + +void tls_params_init(tls_params_t *params) +{ + if (params == NULL) { + return; + } + + memset(params, 0, sizeof(*params)); + + init_list(¶ms->ca_files); + init_list(¶ms->pins); +} + +int tls_params_copy(tls_params_t *dst, const tls_params_t *src) +{ + if (dst == NULL || src == NULL) { + return KNOT_EINVAL; + } + + tls_params_init(dst); + + dst->enable = src->enable; + dst->system_ca = src->system_ca; + if (src->hostname != NULL) { + dst->hostname = strdup(src->hostname); + if (dst->hostname == NULL) { + tls_params_clean(dst); + return KNOT_ENOMEM; + } + } + + if (src->sni != NULL) { + dst->sni = strdup(src->sni); + if (dst->sni == NULL) { + tls_params_clean(dst); + return KNOT_ENOMEM; + } + } + + if (src->keyfile != NULL) { + dst->keyfile = strdup(src->keyfile); + if (dst->keyfile == NULL) { + tls_params_clean(dst); + return KNOT_ENOMEM; + } + } + + if (src->certfile != NULL) { + dst->certfile = strdup(src->certfile); + if (dst->certfile == NULL) { + tls_params_clean(dst); + return KNOT_ENOMEM; + } + } + + dst->ocsp_stapling = src->ocsp_stapling; + + ptrnode_t *n; + WALK_LIST(n, src->ca_files) { + char *src_file = (char *)n->d; + char *file = strdup(src_file); + if (file == NULL || ptrlist_add(&dst->ca_files, file, NULL) == NULL) { + tls_params_clean(dst); + return KNOT_ENOMEM; + } + } + WALK_LIST(n, src->pins) { + uint8_t *src_pin = (uint8_t *)n->d; + uint8_t *pin = malloc(1 + src_pin[0]); + if (pin == NULL || ptrlist_add(&dst->pins, pin, NULL) == NULL) { + tls_params_clean(dst); + return KNOT_ENOMEM; + } + memcpy(pin, src_pin, 1 + src_pin[0]); + } + + return KNOT_EOK; +} + +void tls_params_clean(tls_params_t *params) +{ + if (params == NULL) { + return; + } + + ptrnode_t *node, *nxt; + WALK_LIST_DELSAFE(node, nxt, params->ca_files) { + free(node->d); + } + ptrlist_free(¶ms->ca_files, NULL); + + WALK_LIST_DELSAFE(node, nxt, params->pins) { + free(node->d); + } + ptrlist_free(¶ms->pins, NULL); + + free(params->hostname); + free(params->sni); + free(params->keyfile); + free(params->certfile); + + memset(params, 0, sizeof(*params)); +} + +static bool check_pin(const uint8_t *cert_pin, size_t cert_pin_len, const list_t *pins) +{ + if (EMPTY_LIST(*pins)) { + return false; + } + + ptrnode_t *n; + WALK_LIST(n, *pins) { + uint8_t *pin = (uint8_t *)n->d; + if (pin[0] == cert_pin_len && + memcmp(cert_pin, &pin[1], cert_pin_len) == 0) { + return true; + } + } + + return false; +} + +static bool verify_ocsp(gnutls_session_t *session) +{ + bool ret = false; + + gnutls_ocsp_resp_t ocsp_resp; + bool deinit_ocsp_resp = false; + + gnutls_x509_crt_t server_cert; + bool deinit_server_cert = false; + + gnutls_certificate_credentials_t xcred; + bool deinit_xcreds = false; + + gnutls_x509_crt_t issuer_cert; + bool deinit_issuer_cert = false; + + gnutls_datum_t ocsp_resp_raw; + if (gnutls_ocsp_status_request_get(*session, &ocsp_resp_raw) != GNUTLS_E_SUCCESS) { + WARN("TLS, unable to retrieve stapled OCSP data\n"); + goto cleanup; + } + if (gnutls_ocsp_resp_init(&ocsp_resp) != GNUTLS_E_SUCCESS) { + WARN("TLS, unable to init OCSP data\n"); + goto cleanup; + } + deinit_ocsp_resp = true; + if (gnutls_ocsp_resp_import(ocsp_resp, &ocsp_resp_raw) != GNUTLS_E_SUCCESS) { + WARN("TLS, unable to import OCSP response\n"); + goto cleanup; + } + + unsigned int cert_list_size = 0; + const gnutls_datum_t *cert_list = gnutls_certificate_get_peers(*session, &cert_list_size); + if (cert_list_size == 0) { + WARN("TLS, unable to retrieve peer certs when verifying OCSP\n"); + goto cleanup; + } + if (gnutls_x509_crt_init(&server_cert) != GNUTLS_E_SUCCESS) { + WARN("TLS, unable to init server cert when verifying OCSP\n"); + goto cleanup; + } + deinit_server_cert = true; + if (gnutls_x509_crt_import(server_cert, &cert_list[0], GNUTLS_X509_FMT_DER) != GNUTLS_E_SUCCESS) { + WARN("TLS, unable to import server cert when verifying OCSP\n"); + goto cleanup; + } + + if (gnutls_certificate_allocate_credentials(&xcred) != GNUTLS_E_SUCCESS) { + WARN("TLS, unable to allocate credentials when verifying OCSP\n"); + goto cleanup; + } + deinit_xcreds = true; + + if (gnutls_certificate_get_issuer(xcred, server_cert, &issuer_cert, 0) != GNUTLS_E_SUCCESS) { + if (cert_list_size < 2) { + WARN("TLS, unable to get issuer (CA) cert when verifying OCSP\n"); + goto cleanup; + } + if (gnutls_x509_crt_init(&issuer_cert) != GNUTLS_E_SUCCESS) { + WARN("TLS, unable to init issuer cert when verifying OCSP\n"); + goto cleanup; + } + deinit_issuer_cert = true; + if (gnutls_x509_crt_import(issuer_cert, &cert_list[1], GNUTLS_X509_FMT_DER) != GNUTLS_E_SUCCESS) { + WARN("TLS, unable to import issuer cert when verifying OCSP\n"); + goto cleanup; + } + } + + unsigned int status; + time_t this_upd, next_upd, now = time(0); + if (gnutls_ocsp_resp_check_crt(ocsp_resp, 0, server_cert) != GNUTLS_E_SUCCESS) { + WARN("TLS, OCSP response either empty or not for provided server cert\n"); + goto cleanup; + } + if (gnutls_ocsp_resp_verify_direct(ocsp_resp, issuer_cert, &status, 0) != GNUTLS_E_SUCCESS) { + WARN("TLS, unable to verify OCSP response against issuer cert\n"); + goto cleanup; + } + if (status != 0) { + WARN("TLS, got a non-zero status when verifying OCSP response against issuer cert\n"); + goto cleanup; + } + if (gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL, &status, + &this_upd, &next_upd, NULL, NULL) != GNUTLS_E_SUCCESS) { + WARN("TLS, error reading OCSP response\n"); + goto cleanup; + } + if (status == GNUTLS_OCSP_CERT_REVOKED) { + WARN("TLS, OCSP data shows that cert was revoked\n"); + goto cleanup; + } + if (next_upd == -1) { + tls_ctx_t *ctx = gnutls_session_get_ptr(*session); + assert(now >= this_upd); + assert(ctx->params->ocsp_stapling > 0); + if (now - this_upd > ctx->params->ocsp_stapling) { + WARN("TLS, OCSP response is out of date.\n"); + goto cleanup; + } + } else { + if (next_upd < now) { + WARN("TLS, a newer OCSP response is available but was not sent\n"); + goto cleanup; + } + } + + // Only if we get here is the ocsp result completely valid. + ret = true; + +cleanup: + if (deinit_issuer_cert) { + gnutls_x509_crt_deinit(issuer_cert); + } + if (deinit_xcreds) { + gnutls_certificate_free_credentials(xcred); + } + if (deinit_server_cert) { + gnutls_x509_crt_deinit(server_cert); + } + if (deinit_ocsp_resp) { + gnutls_ocsp_resp_deinit(ocsp_resp); + } + + return ret; +} + +static int check_certificates(gnutls_session_t session, const list_t *pins) +{ + if (gnutls_certificate_type_get(session) != GNUTLS_CRT_X509) { + DBG("TLS, invalid certificate type\n"); + return GNUTLS_E_CERTIFICATE_ERROR; + } + + unsigned cert_list_size; + const gnutls_datum_t *cert_list = + gnutls_certificate_get_peers(session, &cert_list_size); + if (cert_list == NULL || cert_list_size == 0) { + DBG("TLS, empty certificate list\n"); + return GNUTLS_E_CERTIFICATE_ERROR; + } + + size_t matches = 0; + + DBG("TLS, received certificate hierarchy:\n"); + for (int i = 0; i < cert_list_size; i++) { + gnutls_x509_crt_t cert; + int ret = gnutls_x509_crt_init(&cert); + if (ret != GNUTLS_E_SUCCESS) { + return ret; + } + + ret = gnutls_x509_crt_import(cert, &cert_list[i], GNUTLS_X509_FMT_DER); + if (ret != GNUTLS_E_SUCCESS) { + gnutls_x509_crt_deinit(cert); + return ret; + } + + gnutls_datum_t cert_name = { 0 }; + ret = gnutls_x509_crt_get_dn2(cert, &cert_name); + if (ret != GNUTLS_E_SUCCESS) { + gnutls_x509_crt_deinit(cert); + return ret; + } + DBG(" #%i, %s\n", i + 1, cert_name.data); + gnutls_free(cert_name.data); + + uint8_t cert_pin[CERT_PIN_LEN] = { 0 }; + ret = cert_get_pin(cert, cert_pin, sizeof(cert_pin)); + if (ret != KNOT_EOK) { + gnutls_x509_crt_deinit(cert); + return GNUTLS_E_CERTIFICATE_ERROR; + } + + // Check if correspond to a specified PIN. + bool match = check_pin(cert_pin, sizeof(cert_pin), pins); + if (match) { + matches++; + } + + uint8_t *txt_pin; + ret = knot_base64_encode_alloc(cert_pin, sizeof(cert_pin), &txt_pin); + if (ret < 0) { + gnutls_x509_crt_deinit(cert); + return ret; + } + DBG(" SHA-256 PIN: %.*s%s\n", ret, txt_pin, match ? ", MATCH" : ""); + free(txt_pin); + + gnutls_x509_crt_deinit(cert); + } + + if (matches > 0) { + return GNUTLS_E_SUCCESS; + } else if (EMPTY_LIST(*pins)) { + DBG("TLS, skipping certificate PIN check\n"); + return GNUTLS_E_SUCCESS; + } else { + DBG("TLS, no certificate PIN match\n"); + return GNUTLS_E_CERTIFICATE_ERROR; + } +} + +static bool do_verification(const tls_params_t *params) +{ + return params->hostname != NULL || params->system_ca || + !EMPTY_LIST(params->ca_files) || params->ocsp_stapling > 0; +} + +static int verify_certificate(gnutls_session_t session) +{ + tls_ctx_t *ctx = gnutls_session_get_ptr(session); + + // Check for pinned certificates and print certificate hierarchy. + int ret = check_certificates(session, &ctx->params->pins); + if (ret != GNUTLS_E_SUCCESS) { + return ret; + } + + if (!do_verification(ctx->params)) { + DBG("TLS, skipping certificate verification\n"); + return GNUTLS_E_SUCCESS; + } + + if (ctx->params->ocsp_stapling > 0 && !verify_ocsp(&session)) { + WARN("TLS, failed to validate required OCSP data\n"); + return GNUTLS_E_CERTIFICATE_ERROR; + } + + // Set server certificate check. + gnutls_typed_vdata_st data[2] = { + { .type = GNUTLS_DT_KEY_PURPOSE_OID, + .data = (void *)GNUTLS_KP_TLS_WWW_SERVER }, + { .type = GNUTLS_DT_DNS_HOSTNAME, + .data = (void *)ctx->params->hostname } + }; + size_t data_count = (ctx->params->hostname != NULL) ? 2 : 1; + if (data_count == 1) { + WARN("TLS, no hostname provided, will not verify certificate owner\n") + } + + unsigned int status; + ret = gnutls_certificate_verify_peers(session, data, data_count, &status); + if (ret != GNUTLS_E_SUCCESS) { + WARN("TLS, failed to verify peer certificate\n"); + return GNUTLS_E_CERTIFICATE_ERROR; + } + + gnutls_datum_t msg; + ret = gnutls_certificate_verification_status_print( + status, gnutls_certificate_type_get(session), &msg, 0); + if (ret == GNUTLS_E_SUCCESS) { + DBG("TLS, %s\n", msg.data); + } + gnutls_free(msg.data); + + if (status != 0) { + return GNUTLS_E_CERTIFICATE_ERROR; + } + + return GNUTLS_E_SUCCESS; +} + +int tls_ctx_init(tls_ctx_t *ctx, const tls_params_t *params, int wait) +{ + if (ctx == NULL || params == NULL || !params->enable) { + return KNOT_EINVAL; + } + + memset(ctx, 0, sizeof(*ctx)); + ctx->params = params; + ctx->wait = wait; + ctx->sockfd = -1; + + int ret = gnutls_certificate_allocate_credentials(&ctx->credentials); + if (ret != GNUTLS_E_SUCCESS) { + return KNOT_ENOMEM; + } + + // Import system certificates. + if (ctx->params->system_ca || + (ctx->params->hostname != NULL && EMPTY_LIST(ctx->params->ca_files))) { + ret = gnutls_certificate_set_x509_system_trust(ctx->credentials); + if (ret < 0) { + WARN("TLS, failed to import system certificates (%s)\n", + gnutls_strerror_name(ret)); + return KNOT_ERROR; + } else { + DBG("TLS, imported %i system certificates\n", ret); + } + } + + // Import provided certificate files. + ptrnode_t *n; + WALK_LIST(n, ctx->params->ca_files) { + const char *file = (char *)n->d; + ret = gnutls_certificate_set_x509_trust_file(ctx->credentials, file, + GNUTLS_X509_FMT_PEM); + if (ret < 0) { + WARN("TLS, failed to import certificate file '%s' (%s)\n", + file, gnutls_strerror_name(ret)); + return KNOT_ERROR; + } else { + DBG("TLS, imported %i certificates from '%s'\n", ret, file); + } + } + + gnutls_certificate_set_verify_function(ctx->credentials, verify_certificate); + + // Setup client keypair if specified. Both key and cert files must be provided. + if (params->keyfile != NULL && params->certfile != NULL) { + // First, try PEM. + ret = gnutls_certificate_set_x509_key_file(ctx->credentials, + params->certfile, params->keyfile, GNUTLS_X509_FMT_PEM); + if (ret != GNUTLS_E_SUCCESS) { + // If PEM didn't work, try DER. + ret = gnutls_certificate_set_x509_key_file(ctx->credentials, + params->certfile, params->keyfile, GNUTLS_X509_FMT_DER); + } + + if (ret != GNUTLS_E_SUCCESS) { + WARN("TLS, failed to add client certfile '%s' and keyfile '%s'\n", + params->certfile, params->keyfile); + return KNOT_ERROR; + } else { + DBG("TLS, added client certfile '%s' and keyfile '%s'\n", + params->certfile, params->keyfile); + } + } else if (params->keyfile != NULL) { + WARN("TLS, cannot use client keyfile without a certfile\n"); + return KNOT_ERROR; + } else if (params->certfile != NULL) { + WARN("TLS, cannot use client certfile without a keyfile\n"); + return KNOT_ERROR; + } + + return KNOT_EOK; +} + +int tls_ctx_connect(tls_ctx_t *ctx, int sockfd, const char *remote) +{ + if (ctx == NULL) { + return KNOT_EINVAL; + } + + int ret = gnutls_init(&ctx->session, GNUTLS_CLIENT | GNUTLS_NONBLOCK); + if (ret != GNUTLS_E_SUCCESS) { + return KNOT_NET_ECONNECT; + } + + ret = gnutls_set_default_priority(ctx->session); + if (ret != GNUTLS_E_SUCCESS) { + return KNOT_NET_ECONNECT; + } + + ret = gnutls_credentials_set(ctx->session, GNUTLS_CRD_CERTIFICATE, + ctx->credentials); + if (ret != GNUTLS_E_SUCCESS) { + return KNOT_NET_ECONNECT; + } + + if (remote != NULL) { + ret = gnutls_server_name_set(ctx->session, GNUTLS_NAME_DNS, remote, + strlen(remote)); + if (ret != GNUTLS_E_SUCCESS) { + return KNOT_NET_ECONNECT; + } + } + + gnutls_session_set_ptr(ctx->session, ctx); + gnutls_transport_set_int(ctx->session, sockfd); + gnutls_handshake_set_timeout(ctx->session, 1000 * ctx->wait); + + // Initialize poll descriptor structure. + struct pollfd pfd = { + .fd = sockfd, + .events = POLLIN, + .revents = 0, + }; + + // Perform the TLS handshake + do { + ret = gnutls_handshake(ctx->session); + if (ret != GNUTLS_E_SUCCESS && gnutls_error_is_fatal(ret) == 0) { + if (poll(&pfd, 1, 1000 * ctx->wait) != 1) { + WARN("TLS, peer took too long to respond\n"); + return KNOT_NET_ETIMEOUT; + } + } + } while (ret != GNUTLS_E_SUCCESS && gnutls_error_is_fatal(ret) == 0); + if (ret != GNUTLS_E_SUCCESS) { + WARN("TLS, handshake failed (%s)\n", gnutls_strerror(ret)); + tls_ctx_close(ctx); + return KNOT_NET_ESOCKET; + } + + // Save the socket descriptor. + ctx->sockfd = sockfd; + + return KNOT_EOK; +} + +int tls_ctx_send(tls_ctx_t *ctx, const uint8_t *buf, const size_t buf_len) +{ + if (ctx == NULL || buf == NULL) { + return KNOT_EINVAL; + } + + uint16_t msg_len = htons(buf_len); + + gnutls_record_cork(ctx->session); + + if (gnutls_record_send(ctx->session, &msg_len, sizeof(msg_len)) <= 0) { + WARN("TLS, failed to send\n"); + return KNOT_NET_ESEND; + } + if (gnutls_record_send(ctx->session, buf, buf_len) <= 0) { + WARN("TLS, failed to send\n"); + return KNOT_NET_ESEND; + } + + while (gnutls_record_check_corked(ctx->session) > 0) { + int ret = gnutls_record_uncork(ctx->session, 0); + if (ret < 0 && gnutls_error_is_fatal(ret) != 0) { + WARN("TLS, failed to send (%s)\n", gnutls_strerror(ret)); + return KNOT_NET_ESEND; + } + } + + return KNOT_EOK; +} + +int tls_ctx_receive(tls_ctx_t *ctx, uint8_t *buf, const size_t buf_len) +{ + if (ctx == NULL || buf == NULL) { + return KNOT_EINVAL; + } + + // Initialize poll descriptor structure. + struct pollfd pfd = { + .fd = ctx->sockfd, + .events = POLLIN, + .revents = 0, + }; + + uint32_t total = 0; + uint16_t msg_len = 0; + + // Receive message header. + while (total < sizeof(msg_len)) { + ssize_t ret = gnutls_record_recv(ctx->session, + (uint8_t *)&msg_len + total, + sizeof(msg_len) - total); + if (ret > 0) { + total += ret; + } else if (ret == 0) { + WARN("TLS, peer has closed the connection\n"); + return KNOT_NET_ERECV; + } else if (gnutls_error_is_fatal(ret) != 0) { + WARN("TLS, failed to receive reply (%s)\n", + gnutls_strerror(ret)); + return KNOT_NET_ERECV; + } else if (poll(&pfd, 1, 1000 * ctx->wait) != 1) { + WARN("TLS, peer took too long to respond\n"); + return KNOT_NET_ETIMEOUT; + } + } + + // Convert number to host format. + msg_len = ntohs(msg_len); + if (msg_len > buf_len) { + return KNOT_ESPACE; + } + + total = 0; + + // Receive data over TLS + while (total < msg_len) { + ssize_t ret = gnutls_record_recv(ctx->session, buf + total, + msg_len - total); + if (ret > 0) { + total += ret; + } else if (ret == 0) { + WARN("TLS, peer has closed the connection\n"); + return KNOT_NET_ERECV; + } else if (gnutls_error_is_fatal(ret) != 0) { + WARN("TLS, failed to receive reply (%s)\n", + gnutls_strerror(ret)); + return KNOT_NET_ERECV; + } else if (poll(&pfd, 1, 1000 * ctx->wait) != 1) { + WARN("TLS, peer took too long to respond\n"); + return KNOT_NET_ETIMEOUT; + } + } + + return total; +} + +void tls_ctx_close(tls_ctx_t *ctx) +{ + if (ctx == NULL || ctx->session == NULL) { + return; + } + + gnutls_bye(ctx->session, GNUTLS_SHUT_RDWR); + gnutls_deinit(ctx->session); +} + +void tls_ctx_deinit(tls_ctx_t *ctx) +{ + if (ctx == NULL) { + return; + } + + if (ctx->credentials != NULL) { + gnutls_certificate_free_credentials(ctx->credentials); + } +} + +void print_tls(const tls_ctx_t *ctx) +{ + if (ctx == NULL || ctx->session == NULL) { + return; + } + + char *msg = gnutls_session_get_desc(ctx->session); + printf(";; TLS session %s\n", msg); + gnutls_free(msg); +} diff --git a/src/utils/common/tls.h b/src/utils/common/tls.h new file mode 100644 index 0000000..2e7ecba --- /dev/null +++ b/src/utils/common/tls.h @@ -0,0 +1,70 @@ +/* Copyright (C) 2019 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#pragma once + +#include <stdint.h> +#include <gnutls/gnutls.h> + +#include "contrib/ucw/lists.h" + +/*! \brief TLS parameters. */ +typedef struct { + /*! Use TLS indicator. */ + bool enable; + /*! Import system certificates indicator. */ + bool system_ca; + /*! Certificate files to import. */ + list_t ca_files; + /*! Pinned certificates. */ + list_t pins; + /*! Required server hostname. */ + char *hostname; + /*! Optional server name indicator. */ + char *sni; + /*! Optional client keyfile name. */ + char *keyfile; + /*! Optional client certfile name. */ + char *certfile; + /*! Optional validity of stapled OCSP response for the server cert. */ + uint32_t ocsp_stapling; +} tls_params_t; + +/*! \brief TLS context. */ +typedef struct { + /*! TLS handshake timeout. */ + int wait; + /*! Socket descriptor. */ + int sockfd; + /*! TLS parameters. */ + const tls_params_t *params; + /*! GnuTLS session handle. */ + gnutls_session_t session; + /*! GnuTLS credentials handle. */ + gnutls_certificate_credentials_t credentials; +} tls_ctx_t; + +void tls_params_init(tls_params_t *params); +int tls_params_copy(tls_params_t *dst, const tls_params_t *src); +void tls_params_clean(tls_params_t *params); + +int tls_ctx_init(tls_ctx_t *ctx, const tls_params_t *params, int wait); +int tls_ctx_connect(tls_ctx_t *ctx, int sockfd, const char *remote); +int tls_ctx_send(tls_ctx_t *ctx, const uint8_t *buf, const size_t buf_len); +int tls_ctx_receive(tls_ctx_t *ctx, uint8_t *buf, const size_t buf_len); +void tls_ctx_close(tls_ctx_t *ctx); +void tls_ctx_deinit(tls_ctx_t *ctx); +void print_tls(const tls_ctx_t *ctx); diff --git a/src/utils/common/token.c b/src/utils/common/token.c new file mode 100644 index 0000000..aca994f --- /dev/null +++ b/src/utils/common/token.c @@ -0,0 +1,115 @@ +/* Copyright (C) 2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#include <stdio.h> +#include <stdlib.h> +#include <string.h> + +#include "utils/common/token.h" +#include "utils/common/msg.h" +#include "libknot/libknot.h" +#include "contrib/ctype.h" + +int tok_scan(const char* lp, const char **tbl, int *lpm) +{ + if (lp == NULL || tbl == NULL || *tbl == NULL || lpm == NULL) { + DBG_NULL; + return -1; + } + + const char *prefix = lp; /* Ptr to line start. */ + int i = 0, pl = 1; /* Match index, prefix length. */ + unsigned char len = 0; /* Read length. */ + for(;;) { + const char *tok = tbl[i]; + if (*lp == '\0' || is_space(*lp)) { + if (tok && TOK_L(tok) == len) { /* Consumed whole w? */ + return i; /* Identifier */ + } else { /* Word is shorter than cmd? */ + break; + } + } + + /* Find next prefix match. */ + ++len; + while (tok) { + if (TOK_L(tok) >= len) { /* Is prefix of current token */ + if (*lp < tok[pl]) { /* Terminate early. */ + tok = NULL; + break; /* No match could be found. */ + } + if (*lp == tok[pl]) { /* Match */ + if(lpm) *lpm = i; + ++pl; + break; + } + } + + /* No early cut, no match - seek next. */ + while ((tok = tbl[++i]) != NULL) { + if (TOK_L(tok) >= len && + memcmp(TOK_S(tok), prefix, len) == 0) { + break; + } + } + } + + if (tok == NULL) { + break; /* All tokens exhausted. */ + } else { + ++lp; /* Next char */ + } + } + + return -1; +} + +int tok_find(const char *lp, const char **tbl) +{ + if (lp == NULL || tbl == NULL || *tbl == NULL) { + DBG_NULL; + return KNOT_EINVAL; + } + + int lpm = -1; + int bp = 0; + if ((bp = tok_scan(lp, tbl, &lpm)) < 0) { + if (lpm > -1) { + ERR("unexpected literal: '%s', did you mean '%s' ?\n", + lp, TOK_S(tbl[lpm])); + } else { + ERR("unexpected literal: '%s'\n", lp); + } + + return KNOT_EPARSEFAIL; + } + + return bp; +} + +const char *tok_skipspace(const char *lp) +{ + if (lp == NULL) { + DBG_NULL; + return NULL; + } + + while (is_space(*lp)) { + lp += 1; + } + + return lp; +} diff --git a/src/utils/common/token.h b/src/utils/common/token.h new file mode 100644 index 0000000..fab4ea1 --- /dev/null +++ b/src/utils/common/token.h @@ -0,0 +1,65 @@ +/* Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#pragma once + +#include <stdio.h> + +/*! + * \brief Example of token table: + * + * \warning Table _must_ be lexicographically ordered. + * + * const char *tok_tbl[] = { + * // LEN STRING + * "\x4" "abcd", + * "\x5" "class", + * NULL // END + * } + */ +/*! \brief String part of the token. */ +#define TOK_S(x) ((x)+1) +/*! \brief Len of the token. */ +#define TOK_L(x) ((unsigned char)(x)[0]) + +/*! + * \brief Scan for matching token described by a match table. + * + * Table consists of strings, prefixed with 1B length. + * + * \param lp Pointer to current line. + * \param tbl Match description table. + * \param lpm Pointer to longest prefix match. + * \retval index to matching record. + * \retval -1 if no match is found, lpm may be set to longest prefix match. + */ +int tok_scan(const char* lp, const char **tbl, int *lpm); + +/*! + * \brief Find token from table in a line buffer. + * \param lp Pointer to current line. + * \param tbl Match description table. + * \retval index to matching record. + * \retval error code if no match is found + */ +int tok_find(const char *lp, const char **tbl); + +/*! + * \brief Return pointer to next non-blank character. + * \param lp Pointer to current line. + * \return ptr to next non-blank character. + */ +const char *tok_skipspace(const char *lp); diff --git a/src/utils/kcatalogprint/main.c b/src/utils/kcatalogprint/main.c new file mode 100644 index 0000000..76f4d61 --- /dev/null +++ b/src/utils/kcatalogprint/main.c @@ -0,0 +1,73 @@ +/* Copyright (C) 2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#include <getopt.h> +#include <stdlib.h> +#include <string.h> + +#include "knot/zone/catalog.h" +#include "utils/common/params.h" + +#define PROGRAM_NAME "kcatalogprint" + +static void print_help(void) +{ + printf("Usage: %s [parameters] <catalog_dir>\n" + "\n" + "Parameters:\n" + " -h, --help Print the program help.\n" + " -V, --version Print the program version.\n", + PROGRAM_NAME); +} + +int main(int argc, char *argv[]) +{ + struct option options[] = { + { "help", no_argument, NULL, 'h' }, + { "version", no_argument, NULL, 'V' }, + { NULL } + }; + + int opt = 0; + while ((opt = getopt_long(argc, argv, "hV", options, NULL)) != -1) { + switch (opt) { + case 'h': + print_help(); + return EXIT_SUCCESS; + case 'V': + print_version(PROGRAM_NAME); + return EXIT_SUCCESS; + default: + print_help(); + return EXIT_FAILURE; + } + } + + if (argc != 2) { + print_help(); + return EXIT_FAILURE; + } + + catalog_t c = { { 0 } }; + + catalog_init(&c, argv[1], 0); // mapsize grows automatically + catalog_print(&c); + if (catalog_deinit(&c) != KNOT_EOK) { + return EXIT_FAILURE; + } + + return EXIT_SUCCESS; +} diff --git a/src/utils/kdig/kdig_exec.c b/src/utils/kdig/kdig_exec.c new file mode 100644 index 0000000..7d788df --- /dev/null +++ b/src/utils/kdig/kdig_exec.c @@ -0,0 +1,1206 @@ +/* Copyright (C) 2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#include <stdlib.h> +#include <netinet/in.h> +#include <sys/socket.h> +#include <sys/time.h> + +#include "utils/kdig/kdig_exec.h" +#include "utils/common/exec.h" +#include "utils/common/msg.h" +#include "utils/common/netio.h" +#include "utils/common/sign.h" +#include "libknot/libknot.h" +#include "contrib/sockaddr.h" +#include "contrib/time.h" +#include "contrib/ucw/lists.h" + +#if USE_DNSTAP +# include "contrib/dnstap/convert.h" +# include "contrib/dnstap/message.h" +# include "contrib/dnstap/writer.h" + +static int write_dnstap(dt_writer_t *writer, + const bool is_query, + const uint8_t *wire, + const size_t wire_len, + net_t *net, + const struct timespec *mtime) +{ + Dnstap__Message msg; + Dnstap__Message__Type msg_type; + int ret; + int protocol = 0; + + if (writer == NULL) { + return KNOT_EOK; + } + + if (net->local == NULL) { + net_set_local_info(net); + } + + msg_type = is_query ? DNSTAP__MESSAGE__TYPE__TOOL_QUERY : + DNSTAP__MESSAGE__TYPE__TOOL_RESPONSE; + + if (net->socktype == SOCK_DGRAM) { + protocol = IPPROTO_UDP; + } else if (net->socktype == SOCK_STREAM) { + protocol = IPPROTO_TCP; + } + + ret = dt_message_fill(&msg, msg_type, net->local_info->ai_addr, + net->srv->ai_addr, protocol, + wire, wire_len, mtime); + if (ret != KNOT_EOK) { + return ret; + } + + return dt_writer_write(writer, (const ProtobufCMessage *)&msg); +} + +static float get_query_time(const Dnstap__Dnstap *frame) +{ + if (!frame->message->has_query_time_sec || + !frame->message->has_query_time_nsec || + !frame->message->has_response_time_sec || + !frame->message->has_response_time_sec) { + return 0; + } + + struct timespec from = { + .tv_sec = frame->message->query_time_sec, + .tv_nsec = frame->message->query_time_nsec + }; + + struct timespec to = { + .tv_sec = frame->message->response_time_sec, + .tv_nsec = frame->message->response_time_nsec + }; + + return time_diff_ms(&from, &to); +} + +static void fill_remote_addr(net_t *net, Dnstap__Message *message, bool is_initiator) +{ + if (!message->has_socket_family || !message->has_socket_protocol) { + return; + } + + if ((message->response_address.data == NULL && is_initiator) || + message->query_address.data == NULL) { + return; + } + + struct sockaddr_storage ss = { 0 }; + int family = dt_family_decode(message->socket_family); + int proto = dt_protocol_decode(message->socket_protocol); + int sock_type = 0; + + switch (proto) { + case IPPROTO_TCP: + sock_type = SOCK_STREAM; + break; + case IPPROTO_UDP: + sock_type = SOCK_DGRAM; + break; + default: + break; + } + + ProtobufCBinaryData *addr = NULL; + uint32_t port = 0; + if (is_initiator) { + addr = &message->response_address; + port = message->response_port; + } else { + addr = &message->query_address; + port = message->query_port; + } + + sockaddr_set_raw(&ss, family, addr->data, addr->len); + sockaddr_port_set(&ss, port); + + get_addr_str(&ss, sock_type, &net->remote_str); +} + +static int process_dnstap(const query_t *query) +{ + dt_reader_t *reader = query->dt_reader; + + if (query->dt_reader == NULL) { + return -1; + } + + bool first_message = true; + + for (;;) { + Dnstap__Dnstap *frame = NULL; + Dnstap__Message *message = NULL; + ProtobufCBinaryData *wire = NULL; + bool is_query; + bool is_initiator; + + // Read next message. + int ret = dt_reader_read(reader, &frame); + if (ret == KNOT_EOF) { + break; + } else if (ret != KNOT_EOK) { + ERR("can't read dnstap message\n"); + break; + } + + // Check for dnstap message. + if (frame->type == DNSTAP__DNSTAP__TYPE__MESSAGE) { + message = frame->message; + } else { + WARN("ignoring non-dnstap message\n"); + dt_reader_free_frame(reader, &frame); + continue; + } + + // Check for the type of dnstap message. + if (message->has_response_message) { + wire = &message->response_message; + is_query = false; + } else if (message->has_query_message) { + wire = &message->query_message; + is_query = true; + } else { + WARN("dnstap frame contains no message\n"); + dt_reader_free_frame(reader, &frame); + continue; + } + + // Ignore query message if requested. + if (is_query && !query->style.show_query) { + dt_reader_free_frame(reader, &frame); + continue; + } + + // Get the message role. + is_initiator = dt_message_role_is_initiator(message->type); + + // Create dns packet based on dnstap wire data. + knot_pkt_t *pkt = knot_pkt_new(wire->data, wire->len, NULL); + if (pkt == NULL) { + ERR("can't allocate packet\n"); + dt_reader_free_frame(reader, &frame); + break; + } + + // Parse packet and reconstruct required data. + if (knot_pkt_parse(pkt, 0) == KNOT_EOK) { + time_t timestamp = 0; + float query_time = 0.0; + net_t net_ctx = { 0 }; + + if (is_query) { + if (message->has_query_time_sec) { + timestamp = message->query_time_sec; + } + } else { + if (message->has_response_time_sec) { + timestamp = message->response_time_sec; + } + query_time = get_query_time(frame); + } + + // Prepare connection information string. + fill_remote_addr(&net_ctx, message, is_initiator); + + if (first_message) { + first_message = false; + } else { + printf("\n"); + } + + print_packet(pkt, &net_ctx, pkt->size, query_time, timestamp, + is_query ^ is_initiator, &query->style); + + net_clean(&net_ctx); + } else { + ERR("can't print dnstap message\n"); + } + + knot_pkt_free(pkt); + dt_reader_free_frame(reader, &frame); + } + + return 0; +} +#endif // USE_DNSTAP + +static int add_query_edns(knot_pkt_t *packet, const query_t *query, uint16_t max_size) +{ + /* Initialize OPT RR. */ + knot_rrset_t opt_rr; + int ret = knot_edns_init(&opt_rr, max_size, 0, + query->edns > -1 ? query->edns : 0, &packet->mm); + if (ret != KNOT_EOK) { + return ret; + } + + if (query->flags.do_flag) { + knot_edns_set_do(&opt_rr); + } + + /* Append NSID. */ + if (query->nsid) { + ret = knot_edns_add_option(&opt_rr, KNOT_EDNS_OPTION_NSID, + 0, NULL, &packet->mm); + if (ret != KNOT_EOK) { + knot_rrset_clear(&opt_rr, &packet->mm); + return ret; + } + } + + /* Append EDNS-client-subnet. */ + if (query->subnet.family != AF_UNSPEC) { + uint16_t size = knot_edns_client_subnet_size(&query->subnet); + uint8_t data[size]; + + ret = knot_edns_client_subnet_write(data, size, &query->subnet); + if (ret != KNOT_EOK) { + knot_rrset_clear(&opt_rr, &packet->mm); + return ret; + } + + ret = knot_edns_add_option(&opt_rr, KNOT_EDNS_OPTION_CLIENT_SUBNET, + size, data, &packet->mm); + if (ret != KNOT_EOK) { + knot_rrset_clear(&opt_rr, &packet->mm); + return ret; + } + } + + /* Append a cookie option if present. */ + if (query->cc.len > 0) { + uint16_t size = knot_edns_cookie_size(&query->cc, &query->sc); + uint8_t data[size]; + + ret = knot_edns_cookie_write(data, size, &query->cc, &query->sc); + if (ret != KNOT_EOK) { + knot_rrset_clear(&opt_rr, &packet->mm); + return ret; + } + + ret = knot_edns_add_option(&opt_rr, KNOT_EDNS_OPTION_COOKIE, + size, data, &packet->mm); + if (ret != KNOT_EOK) { + knot_rrset_clear(&opt_rr, &packet->mm); + return ret; + } + } + + /* Append EDNS Padding. */ + int padding = query->padding; + if (padding != -3 && query->alignment > 0) { + padding = knot_edns_alignment_size(packet->size, + knot_rrset_size(&opt_rr), + query->alignment); + } else if (query->padding == -2 || (query->padding == -1 && query->tls.enable)) { + padding = knot_pkt_default_padding_size(packet, &opt_rr); + } + if (padding > -1) { + uint8_t zeros[padding]; + memset(zeros, 0, sizeof(zeros)); + + ret = knot_edns_add_option(&opt_rr, KNOT_EDNS_OPTION_PADDING, + padding, zeros, &packet->mm); + if (ret != KNOT_EOK) { + knot_rrset_clear(&opt_rr, &packet->mm); + return ret; + } + } + + /* Append custom EDNS options. */ + node_t *node; + WALK_LIST(node, query->edns_opts) { + ednsopt_t *opt = (ednsopt_t *)node; + ret = knot_edns_add_option(&opt_rr, opt->code, opt->length, + opt->data, &packet->mm); + if (ret != KNOT_EOK) { + knot_rrset_clear(&opt_rr, &packet->mm); + return ret; + } + } + + /* Add prepared OPT to packet. */ + ret = knot_pkt_put(packet, KNOT_COMPR_HINT_NONE, &opt_rr, KNOT_PF_FREE); + if (ret != KNOT_EOK) { + knot_rrset_clear(&opt_rr, &packet->mm); + } + + return ret; +} + +static bool do_padding(const query_t *query) +{ + return (query->padding != -3) && // Disabled padding. + (query->padding > -1 || query->alignment > 0 || // Explicit padding. + query->padding == -2 || // Default padding. + (query->padding == -1 && query->tls.enable)); // TLS automatic. +} + +static bool use_edns(const query_t *query) +{ + return query->edns > -1 || query->udp_size > -1 || query->nsid || + query->flags.do_flag || query->subnet.family != AF_UNSPEC || + query->cc.len > 0 || do_padding(query) || + !ednsopt_list_empty(&query->edns_opts); +} + +static knot_pkt_t *create_query_packet(const query_t *query) +{ + // Set packet buffer size. + uint16_t max_size; + if (query->udp_size < 0) { + if (use_edns(query)) { + max_size = DEFAULT_EDNS_SIZE; + } else { + max_size = DEFAULT_UDP_SIZE; + } + } else { + max_size = query->udp_size; + } + + // Create packet skeleton. + knot_pkt_t *packet = create_empty_packet(max_size); + if (packet == NULL) { + return NULL; + } + + // Set ID = 0 for packet send over HTTPS + // Due HTTP cache it is convenient to set the query ID to 0 - GET messages has same header then +#ifdef LIBNGHTTP2 + if (query->https.enable) { + knot_wire_set_id(packet->wire, 0); + } +#endif + + // Set flags to wireformat. + if (query->flags.aa_flag) { + knot_wire_set_aa(packet->wire); + } + if (query->flags.tc_flag) { + knot_wire_set_tc(packet->wire); + } + if (query->flags.rd_flag) { + knot_wire_set_rd(packet->wire); + } + if (query->flags.ra_flag) { + knot_wire_set_ra(packet->wire); + } + if (query->flags.z_flag) { + knot_wire_set_z(packet->wire); + } + if (query->flags.ad_flag) { + knot_wire_set_ad(packet->wire); + } + if (query->flags.cd_flag) { + knot_wire_set_cd(packet->wire); + } + + // Set NOTIFY opcode. + if (query->notify) { + knot_wire_set_opcode(packet->wire, KNOT_OPCODE_NOTIFY); + } + + // Set packet question if available. + knot_dname_t *qname = NULL; + if (query->owner != NULL) { + qname = knot_dname_from_str_alloc(query->owner); + if (qname == NULL) { + ERR("'%s' is not a valid domain name\n", query->owner); + knot_pkt_free(packet); + return NULL; + } + + int ret = knot_pkt_put_question(packet, qname, query->class_num, + query->type_num); + if (ret != KNOT_EOK) { + knot_dname_free(qname, NULL); + knot_pkt_free(packet); + return NULL; + } + } + + // For IXFR query or NOTIFY query with SOA serial, add a proper section. + if (query->serial >= 0) { + if (query->notify) { + knot_pkt_begin(packet, KNOT_ANSWER); + } else { + knot_pkt_begin(packet, KNOT_AUTHORITY); + } + + // SOA rdata in wireformat. + uint8_t wire[22] = { 0x0 }; + + // Create rrset with SOA record. + knot_rrset_t *soa = knot_rrset_new(qname, + KNOT_RRTYPE_SOA, + query->class_num, + 0, + &packet->mm); + knot_dname_free(qname, NULL); + if (soa == NULL) { + knot_pkt_free(packet); + return NULL; + } + + // Fill in blank SOA rdata to rrset. + int ret = knot_rrset_add_rdata(soa, wire, sizeof(wire), &packet->mm); + if (ret != KNOT_EOK) { + knot_rrset_free(soa, &packet->mm); + knot_pkt_free(packet); + return NULL; + } + + // Set SOA serial. + knot_soa_serial_set(soa->rrs.rdata, query->serial); + + ret = knot_pkt_put(packet, KNOT_COMPR_HINT_NONE, soa, KNOT_PF_FREE); + if (ret != KNOT_EOK) { + knot_rrset_free(soa, &packet->mm); + knot_pkt_free(packet); + return NULL; + } + + free(soa); + } else { + knot_dname_free(qname, NULL); + } + + // Begin additional section + knot_pkt_begin(packet, KNOT_ADDITIONAL); + + // Create EDNS section if required. + if (use_edns(query)) { + int ret = add_query_edns(packet, query, max_size); + if (ret != KNOT_EOK) { + ERR("can't set up EDNS section\n"); + knot_pkt_free(packet); + return NULL; + } + } + + return packet; +} + +static bool check_reply_id(const knot_pkt_t *reply, + const knot_pkt_t *query) +{ + uint16_t query_id = knot_wire_get_id(query->wire); + uint16_t reply_id = knot_wire_get_id(reply->wire); + + if (reply_id != query_id) { + WARN("reply ID (%u) is different from query ID (%u)\n", + reply_id, query_id); + return false; + } + + return true; +} + +static void check_reply_qr(const knot_pkt_t *reply) +{ + if (!knot_wire_get_qr(reply->wire)) { + WARN("response QR bit not set\n"); + } +} + +static void check_reply_question(const knot_pkt_t *reply, + const knot_pkt_t *query) +{ + if (knot_wire_get_qdcount(reply->wire) < 1) { + WARN("response doesn't have question section\n"); + return; + } + + if (!knot_dname_is_equal(knot_pkt_qname(reply), knot_pkt_qname(query)) || + knot_pkt_qclass(reply) != knot_pkt_qclass(query) || + knot_pkt_qtype(reply) != knot_pkt_qtype(query)) { + WARN("query/response question sections are different\n"); + return; + } +} + +static int64_t first_serial_check(const knot_pkt_t *reply) +{ + const knot_pktsection_t *answer = knot_pkt_section(reply, KNOT_ANSWER); + + if (answer->count <= 0) { + return -1; + } + + const knot_rrset_t *first = knot_pkt_rr(answer, 0); + + if (first->type != KNOT_RRTYPE_SOA) { + return -1; + } else { + return knot_soa_serial(first->rrs.rdata); + } +} + +static bool finished_xfr(const uint32_t serial, const knot_pkt_t *reply, + const size_t msg_count, bool is_ixfr) +{ + const knot_pktsection_t *answer = knot_pkt_section(reply, KNOT_ANSWER); + + if (answer->count <= 0) { + return false; + } + + const knot_rrset_t *last = knot_pkt_rr(answer, answer->count - 1); + + if (last->type != KNOT_RRTYPE_SOA) { + return false; + } else if (answer->count == 1 && msg_count == 1) { + return is_ixfr; + } else { + return knot_soa_serial(last->rrs.rdata) == serial; + } +} + +static int sign_query(knot_pkt_t *pkt, const query_t *query, sign_context_t *ctx) +{ + if (query->tsig_key.name == NULL) { + return KNOT_EOK; + } + + int ret = sign_context_init_tsig(ctx, &query->tsig_key); + if (ret != KNOT_EOK) { + return ret; + } + + ret = sign_packet(pkt, ctx); + if (ret != KNOT_EOK) { + sign_context_deinit(ctx); + return ret; + } + + return KNOT_EOK; +} + +static int process_query_packet(const knot_pkt_t *query, + net_t *net, + const query_t *query_ctx, + const bool ignore_tc, + const sign_context_t *sign_ctx, + const style_t *style) +{ + struct timespec t_start, t_query, t_query_full, t_end, t_end_full; + time_t timestamp; + knot_pkt_t *reply; + uint8_t in[MAX_PACKET_SIZE]; + int in_len; + int ret; + + // Get start query time. + timestamp = time(NULL); + t_start = time_now(); + + // Connect to the server. + ret = net_connect(net); + if (ret != KNOT_EOK) { + return -1; + } + + // Send query packet. + ret = net_send(net, query->wire, query->size); + if (ret != KNOT_EOK) { + net_close(net); + return -1; + } + + // Get stop query time and start reply time. + t_query = time_now(); + t_query_full = time_diff(&t_start, &t_query); + t_query_full.tv_sec += timestamp; + +#if USE_DNSTAP + // Make the dnstap copy of the query. + write_dnstap(query_ctx->dt_writer, true, query->wire, query->size, + net, &t_query_full); +#endif // USE_DNSTAP + + // Print query packet if required. + if (style->show_query) { + // Create copy of query packet for parsing. + knot_pkt_t *q = knot_pkt_new(query->wire, query->size, NULL); + if (q != NULL) { + if (knot_pkt_parse(q, 0) == KNOT_EOK) { + print_packet(q, net, query->size, + time_diff_ms(&t_start, &t_query), + timestamp, false, style); + } else { + ERR("can't print query packet\n"); + } + knot_pkt_free(q); + } else { + ERR("can't print query packet\n"); + } + + printf("\n"); + } + + // Loop over incoming messages, unless reply id is correct or timeout. + while (true) { + // Receive a reply message. + in_len = net_receive(net, in, sizeof(in)); + if (in_len <= 0) { + net_close(net); + return -1; + } + + // Get stop reply time. + t_end = time_now(); + t_end_full = time_diff(&t_start, &t_end); + t_end_full.tv_sec += timestamp; + +#if USE_DNSTAP + // Make the dnstap copy of the response. + write_dnstap(query_ctx->dt_writer, false, in, in_len, net, + &t_end_full); +#endif // USE_DNSTAP + + // Create reply packet structure to fill up. + reply = knot_pkt_new(in, in_len, NULL); + if (reply == NULL) { + ERR("internal error (%s)\n", knot_strerror(KNOT_ENOMEM)); + net_close(net); + return -1; + } + + // Parse reply to the packet structure. + if (knot_pkt_parse(reply, KNOT_PF_NOCANON) != KNOT_EOK) { + ERR("malformed reply packet from %s\n", net->remote_str); + knot_pkt_free(reply); + net_close(net); + return -1; + } + + // Compare reply header id. + if (check_reply_id(reply, query)) { + break; + // Check for timeout. + } else if (time_diff_ms(&t_query, &t_end) > 1000 * net->wait) { + knot_pkt_free(reply); + net_close(net); + return -1; + } + + knot_pkt_free(reply); + } + + // Check for TC bit and repeat query with TCP if required. + if (knot_wire_get_tc(reply->wire) != 0 && + ignore_tc == false && net->socktype == SOCK_DGRAM) { + printf("\n"); + WARN("truncated reply from %s, retrying over TCP\n\n", + net->remote_str); + knot_pkt_free(reply); + net_close(net); + + net->socktype = SOCK_STREAM; + + return process_query_packet(query, net, query_ctx, true, + sign_ctx, style); + } + + // Check for question sections equality. + check_reply_question(reply, query); + + // Check QR bit + check_reply_qr(reply); + + // Print reply packet. + print_packet(reply, net, in_len, time_diff_ms(&t_query, &t_end), timestamp, + true, style); + + // Verify signature if a key was specified. + if (sign_ctx->digest != NULL) { + ret = verify_packet(reply, sign_ctx); + if (ret != KNOT_EOK) { + WARN("reply verification for %s (%s)\n", + net->remote_str, knot_strerror(ret)); + } + } + + // Check for BADCOOKIE RCODE and repeat query with the new cookie if required. + if (knot_pkt_ext_rcode(reply) == KNOT_RCODE_BADCOOKIE && query_ctx->badcookie > 0) { + printf("\n"); + WARN("bad cookie from %s, retrying with the received one\n", + net->remote_str); + net_close(net); + + // Prepare new query context. + query_t new_ctx = *query_ctx; + + uint8_t *opt = knot_pkt_edns_option(reply, KNOT_EDNS_OPTION_COOKIE); + if (opt == NULL) { + ERR("bad cookie, missing EDNS section\n"); + knot_pkt_free(reply); + return -1; + } + + const uint8_t *data = knot_edns_opt_get_data(opt); + uint16_t data_len = knot_edns_opt_get_length(opt); + ret = knot_edns_cookie_parse(&new_ctx.cc, &new_ctx.sc, data, data_len); + if (ret != KNOT_EOK) { + knot_pkt_free(reply); + ERR("bad cookie, missing EDNS cookie option\n"); + return -1; + } + knot_pkt_free(reply); + + // Restore the original client cookie. + new_ctx.cc = query_ctx->cc; + + new_ctx.badcookie--; + + knot_pkt_t *new_query = create_query_packet(&new_ctx); + ret = process_query_packet(new_query, net, &new_ctx, ignore_tc, + sign_ctx, style); + knot_pkt_free(new_query); + + return ret; + } + + knot_pkt_free(reply); + net_close(net); + + return 0; +} + +static int process_query(const query_t *query) +{ + node_t *server; + knot_pkt_t *out_packet; + net_t net; + int ret; + + // Create query packet. + out_packet = create_query_packet(query); + if (out_packet == NULL) { + ERR("can't create query packet\n"); + return -1; + } + + // Sign the query. + sign_context_t sign_ctx = { 0 }; + ret = sign_query(out_packet, query, &sign_ctx); + if (ret != KNOT_EOK) { + ERR("can't sign the packet (%s)\n", knot_strerror(ret)); + return -1; + } + + // Get connection parameters. + int iptype = get_iptype(query->ip); + int socktype = get_socktype(query->protocol, query->type_num); + int flags = query->fastopen ? NET_FLAGS_FASTOPEN : NET_FLAGS_NONE; + + // Loop over server list to process query. + WALK_LIST(server, query->servers) { + srv_info_t *remote = (srv_info_t *)server; + + DBG("Querying for owner(%s), class(%u), type(%u), server(%s), " + "port(%s), protocol(%s)\n", query->owner, query->class_num, + query->type_num, remote->name, remote->service, + get_sockname(socktype)); + + // Loop over the number of retries. + for (size_t i = 0; i <= query->retries; i++) { + // Initialize network structure for current server. + ret = net_init(query->local, remote, iptype, socktype, + query->wait, flags, &query->tls, &query->https, &net); + if (ret != KNOT_EOK) { + if (ret == KNOT_NET_EADDR) { + // Requested address family not available. + goto next_server; + } + continue; + } + + // Loop over all resolved addresses for remote. + while (net.srv != NULL) { + ret = process_query_packet(out_packet, &net, + query, + query->ignore_tc, + &sign_ctx, + &query->style); + // If error try next resolved address. + if (ret != 0) { + net.srv = (net.srv)->ai_next; + if (net.srv != NULL && query->style.show_query) { + printf("\n"); + } + + continue; + } + + break; + } + + // Success. + if (ret == 0) { + net_clean(&net); + sign_context_deinit(&sign_ctx); + knot_pkt_free(out_packet); + return 0; + } + + if (i < query->retries) { + DBG("retrying server %s@%s(%s)\n", + remote->name, remote->service, + get_sockname(socktype)); + + if (query->style.show_query) { + printf("\n"); + } + } + + net_clean(&net); + } + + ERR("failed to query server %s@%s(%s)\n", + remote->name, remote->service, get_sockname(socktype)); + + // If not last server, print separation. + if (server->next->next && query->style.show_query) { + printf("\n"); + } +next_server: + continue; + } + + if (ret == KNOT_NET_EADDR) { + WARN("no servers to query\n"); + } + sign_context_deinit(&sign_ctx); + knot_pkt_free(out_packet); + + return -1; +} + +static int process_xfr_packet(const knot_pkt_t *query, + net_t *net, + const query_t *query_ctx, + const sign_context_t *sign_ctx, + const style_t *style) +{ + struct timespec t_start, t_query, t_query_full, t_end, t_end_full; + time_t timestamp; + knot_pkt_t *reply; + uint8_t in[MAX_PACKET_SIZE]; + int in_len; + int ret; + int64_t serial = 0; + size_t total_len = 0; + size_t msg_count = 0; + size_t rr_count = 0; + + // Get start query time. + timestamp = time(NULL); + t_start = time_now(); + + // Connect to the server. + ret = net_connect(net); + if (ret != KNOT_EOK) { + return -1; + } + + // Send query packet. + ret = net_send(net, query->wire, query->size); + if (ret != KNOT_EOK) { + net_close(net); + return -1; + } + + // Get stop query time and start reply time. + t_query = time_now(); + t_query_full = time_diff(&t_start, &t_query); + t_query_full.tv_sec += timestamp; + +#if USE_DNSTAP + // Make the dnstap copy of the query. + write_dnstap(query_ctx->dt_writer, true, query->wire, query->size, + net, &t_query_full); +#endif // USE_DNSTAP + + // Print query packet if required. + if (style->show_query) { + // Create copy of query packet for parsing. + knot_pkt_t *q = knot_pkt_new(query->wire, query->size, NULL); + if (q != NULL) { + if (knot_pkt_parse(q, 0) == KNOT_EOK) { + print_packet(q, net, query->size, + time_diff_ms(&t_start, &t_query), + timestamp, false, style); + } else { + ERR("can't print query packet\n"); + } + knot_pkt_free(q); + } else { + ERR("can't print query packet\n"); + } + + printf("\n"); + } + + // Loop over reply messages unless first and last SOA serials differ. + while (true) { + // Receive a reply message. + in_len = net_receive(net, in, sizeof(in)); + if (in_len <= 0) { + net_close(net); + return -1; + } + + // Get stop message time. + t_end = time_now(); + t_end_full = time_diff(&t_start, &t_end); + t_end_full.tv_sec += timestamp; + +#if USE_DNSTAP + // Make the dnstap copy of the response. + write_dnstap(query_ctx->dt_writer, false, in, in_len, net, + &t_end_full); +#endif // USE_DNSTAP + + // Create reply packet structure to fill up. + reply = knot_pkt_new(in, in_len, NULL); + if (reply == NULL) { + ERR("internal error (%s)\n", knot_strerror(KNOT_ENOMEM)); + net_close(net); + return -1; + } + + // Parse reply to the packet structure. + if (knot_pkt_parse(reply, 0) != KNOT_EOK) { + ERR("malformed reply packet from %s\n", net->remote_str); + knot_pkt_free(reply); + net_close(net); + return -1; + } + + // Compare reply header id. + if (check_reply_id(reply, query) == false) { + ERR("reply ID mismatch from %s\n", net->remote_str); + knot_pkt_free(reply); + net_close(net); + return -1; + } + + // Print leading transfer information. + if (msg_count == 0) { + print_header_xfr(query, style); + } + + // Check for error reply. + if (knot_pkt_ext_rcode(reply) != KNOT_RCODE_NOERROR) { + ERR("server replied with error '%s'\n", + knot_pkt_ext_rcode_name(reply)); + knot_pkt_free(reply); + net_close(net); + return -1; + } + + // The first message has a special treatment. + if (msg_count == 0) { + // Verify 1. signature if a key was specified. + if (sign_ctx->digest != NULL) { + ret = verify_packet(reply, sign_ctx); + if (ret != KNOT_EOK) { + style_t tsig_style = { + .format = style->format, + .style = style->style, + .show_tsig = true + }; + print_data_xfr(reply, &tsig_style); + + ERR("reply verification for %s (%s)\n", + net->remote_str, knot_strerror(ret)); + knot_pkt_free(reply); + net_close(net); + return -1; + } + } + + // Read first SOA serial. + serial = first_serial_check(reply); + + if (serial < 0) { + ERR("first answer record from %s isn't SOA\n", + net->remote_str); + knot_pkt_free(reply); + net_close(net); + return -1; + } + + // Check for question sections equality. + check_reply_question(reply, query); + + // Check QR bit + check_reply_qr(reply); + } + + msg_count++; + rr_count += knot_wire_get_ancount(reply->wire); + total_len += in_len; + + // Print reply packet. + print_data_xfr(reply, style); + + // Check for finished transfer. + if (finished_xfr(serial, reply, msg_count, query_ctx->serial != -1)) { + knot_pkt_free(reply); + break; + } + + knot_pkt_free(reply); + } + + // Get stop reply time. + t_end = time_now(); + + // Print trailing transfer information. + print_footer_xfr(total_len, msg_count, rr_count, net, + time_diff_ms(&t_query, &t_end), timestamp, style); + + net_close(net); + + return 0; +} + +static int process_xfr(const query_t *query) +{ + knot_pkt_t *out_packet; + net_t net; + int ret; + + // Create query packet. + out_packet = create_query_packet(query); + if (out_packet == NULL) { + ERR("can't create query packet\n"); + return -1; + } + + // Sign the query. + sign_context_t sign_ctx = { 0 }; + ret = sign_query(out_packet, query, &sign_ctx); + if (ret != KNOT_EOK) { + ERR("can't sign the packet (%s)\n", knot_strerror(ret)); + return -1; + } + + // Get connection parameters. + int iptype = get_iptype(query->ip); + int socktype = get_socktype(query->protocol, query->type_num); + int flags = query->fastopen ? NET_FLAGS_FASTOPEN : NET_FLAGS_NONE; + + // Use the first nameserver from the list. + srv_info_t *remote = HEAD(query->servers); + + DBG("Querying for owner(%s), class(%u), type(%u), server(%s), " + "port(%s), protocol(%s)\n", query->owner, query->class_num, + query->type_num, remote->name, remote->service, + get_sockname(socktype)); + + // Initialize network structure. + ret = net_init(query->local, remote, iptype, socktype, query->wait, + flags, &query->tls, &query->https, &net); + if (ret != KNOT_EOK) { + sign_context_deinit(&sign_ctx); + knot_pkt_free(out_packet); + return -1; + } + + // Loop over all resolved addresses for remote. + while (net.srv != NULL) { + ret = process_xfr_packet(out_packet, &net, + query, + &sign_ctx, + &query->style); + // If error try next resolved address. + if (ret != 0) { + net.srv = (net.srv)->ai_next; + continue; + } + + break; + } + + if (ret != 0) { + ERR("failed to query server %s@%s(%s)\n", + remote->name, remote->service, get_sockname(socktype)); + } + + net_clean(&net); + sign_context_deinit(&sign_ctx); + knot_pkt_free(out_packet); + + return ret; +} + +int kdig_exec(const kdig_params_t *params) +{ + node_t *n; + + if (params == NULL) { + DBG_NULL; + return KNOT_EINVAL; + } + + bool success = true; + + // Loop over query list. + WALK_LIST(n, params->queries) { + query_t *query = (query_t *)n; + + int ret = -1; + switch (query->operation) { + case OPERATION_QUERY: + ret = process_query(query); + break; + case OPERATION_XFR: + ret = process_xfr(query); + break; +#if USE_DNSTAP + case OPERATION_LIST_DNSTAP: + ret = process_dnstap(query); + break; +#endif // USE_DNSTAP + default: + ERR("unsupported operation\n"); + break; + } + + // All operations must succeed. + if (ret != 0) { + success = false; + } + + // If not last query, print separation. + if (n->next->next && params->config->style.format == FORMAT_FULL) { + printf("\n"); + } + } + + return success ? KNOT_EOK : KNOT_ERROR; +} diff --git a/src/utils/kdig/kdig_exec.h b/src/utils/kdig/kdig_exec.h new file mode 100644 index 0000000..99167ce --- /dev/null +++ b/src/utils/kdig/kdig_exec.h @@ -0,0 +1,21 @@ +/* Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#pragma once + +#include "utils/kdig/kdig_params.h" + +int kdig_exec(const kdig_params_t *params); diff --git a/src/utils/kdig/kdig_main.c b/src/utils/kdig/kdig_main.c new file mode 100644 index 0000000..534d50e --- /dev/null +++ b/src/utils/kdig/kdig_main.c @@ -0,0 +1,45 @@ +/* Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#include <stdlib.h> + +#include "libdnssec/crypto.h" +#include "utils/kdig/kdig_params.h" +#include "utils/kdig/kdig_exec.h" +#include "libknot/libknot.h" + +int main(int argc, char *argv[]) +{ + int ret = EXIT_SUCCESS; + + tzset(); + + kdig_params_t params; + if (kdig_parse(¶ms, argc, argv) == KNOT_EOK) { + if (!params.stop) { + dnssec_crypto_init(); + if (kdig_exec(¶ms) != KNOT_EOK) { + ret = EXIT_FAILURE; + } + dnssec_crypto_cleanup(); + } + } else { + ret = EXIT_FAILURE; + } + + kdig_clean(¶ms); + return ret; +} diff --git a/src/utils/kdig/kdig_params.c b/src/utils/kdig/kdig_params.c new file mode 100644 index 0000000..e1ea109 --- /dev/null +++ b/src/utils/kdig/kdig_params.c @@ -0,0 +1,2507 @@ +/* Copyright (C) 2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#include <arpa/inet.h> +#include <locale.h> +#include <stdio.h> +#include <string.h> +#include <stdlib.h> + +#include "utils/kdig/kdig_params.h" +#include "utils/common/cert.h" +#include "utils/common/hex.h" +#include "utils/common/msg.h" +#include "utils/common/params.h" +#include "utils/common/resolv.h" +#include "libknot/descriptor.h" +#include "libknot/libknot.h" +#include "contrib/base64.h" +#include "contrib/sockaddr.h" +#include "contrib/string.h" +#include "contrib/strtonum.h" +#include "contrib/ucw/lists.h" +#include "libdnssec/error.h" +#include "libdnssec/random.h" + +#define PROGRAM_NAME "kdig" + +#define DEFAULT_RETRIES_DIG 2 +#define DEFAULT_TIMEOUT_DIG 5 +#define DEFAULT_ALIGNMENT_SIZE 128 +#define DEFAULT_TLS_OCSP_STAPLING (7 * 24 * 3600) + +#define BADCOOKIE_RETRY_MAX 10 + +static const flags_t DEFAULT_FLAGS_DIG = { + .aa_flag = false, + .tc_flag = false, + .rd_flag = true, + .ra_flag = false, + .z_flag = false, + .ad_flag = false, + .cd_flag = false, + .do_flag = false +}; + +static const style_t DEFAULT_STYLE_DIG = { + .format = FORMAT_FULL, + .style = { + .wrap = false, + .show_class = true, + .show_ttl = true, + .verbose = false, + .original_ttl = false, + .empty_ttl = false, + .human_ttl = false, + .human_tmstamp = true, + .generic = false, + .ascii_to_idn = name_to_idn + }, + .show_query = false, + .show_header = true, + .show_section = true, + .show_edns = true, + .show_question = true, + .show_answer = true, + .show_authority = true, + .show_additional = true, + .show_tsig = true, + .show_footer = true +}; + +static int opt_multiline(const char *arg, void *query) +{ + query_t *q = query; + + q->style.style.wrap = true; + q->style.format = FORMAT_FULL; + q->style.show_header = true; + q->style.show_edns = true; + q->style.show_footer = true; + q->style.style.verbose = true; + + return KNOT_EOK; +} + +static int opt_nomultiline(const char *arg, void *query) +{ + query_t *q = query; + + q->style.style.wrap = false; + + return KNOT_EOK; +} + +static int opt_short(const char *arg, void *query) +{ + query_t *q = query; + + q->style.format = FORMAT_DIG; + q->style.show_header = false; + q->style.show_edns = false; + q->style.show_footer = false; + + return KNOT_EOK; +} + +static int opt_noshort(const char *arg, void *query) +{ + query_t *q = query; + + q->style.format = FORMAT_FULL; + + return KNOT_EOK; +} + +static int opt_generic(const char *arg, void *query) +{ + query_t *q = query; + + q->style.style.generic = true; + + return KNOT_EOK; +} + +static int opt_nogeneric(const char *arg, void *query) +{ + query_t *q = query; + + q->style.style.generic = false; + + return KNOT_EOK; +} + +static int opt_aaflag(const char *arg, void *query) +{ + query_t *q = query; + + q->flags.aa_flag = true; + + return KNOT_EOK; +} + +static int opt_noaaflag(const char *arg, void *query) +{ + query_t *q = query; + + q->flags.aa_flag = false; + + return KNOT_EOK; +} + +static int opt_tcflag(const char *arg, void *query) +{ + query_t *q = query; + + q->flags.tc_flag = true; + + return KNOT_EOK; +} + +static int opt_notcflag(const char *arg, void *query) +{ + query_t *q = query; + + q->flags.tc_flag = false; + + return KNOT_EOK; +} + +static int opt_rdflag(const char *arg, void *query) +{ + query_t *q = query; + + q->flags.rd_flag = true; + + return KNOT_EOK; +} + +static int opt_nordflag(const char *arg, void *query) +{ + query_t *q = query; + + q->flags.rd_flag = false; + + return KNOT_EOK; +} + +static int opt_raflag(const char *arg, void *query) +{ + query_t *q = query; + + q->flags.ra_flag = true; + + return KNOT_EOK; +} + +static int opt_noraflag(const char *arg, void *query) +{ + query_t *q = query; + + q->flags.ra_flag = false; + + return KNOT_EOK; +} + +static int opt_zflag(const char *arg, void *query) +{ + query_t *q = query; + + q->flags.z_flag = true; + + return KNOT_EOK; +} + +static int opt_nozflag(const char *arg, void *query) +{ + query_t *q = query; + + q->flags.z_flag = false; + + return KNOT_EOK; +} + +static int opt_adflag(const char *arg, void *query) +{ + query_t *q = query; + + q->flags.ad_flag = true; + + return KNOT_EOK; +} + +static int opt_noadflag(const char *arg, void *query) +{ + query_t *q = query; + + q->flags.ad_flag = false; + + return KNOT_EOK; +} + +static int opt_cdflag(const char *arg, void *query) +{ + query_t *q = query; + + q->flags.cd_flag = true; + + return KNOT_EOK; +} + +static int opt_nocdflag(const char *arg, void *query) +{ + query_t *q = query; + + q->flags.cd_flag = false; + + return KNOT_EOK; +} + +static int opt_doflag(const char *arg, void *query) +{ + query_t *q = query; + + q->flags.do_flag = true; + + return KNOT_EOK; +} + +static int opt_nodoflag(const char *arg, void *query) +{ + query_t *q = query; + + q->flags.do_flag = false; + + return KNOT_EOK; +} + +static int opt_all(const char *arg, void *query) +{ + query_t *q = query; + + q->style.show_header = true; + q->style.show_edns = true; + q->style.show_question = true; + q->style.show_answer = true; + q->style.show_authority = true; + q->style.show_additional = true; + q->style.show_tsig = true; + q->style.show_footer = true; + + return KNOT_EOK; +} + +static int opt_noall(const char *arg, void *query) +{ + query_t *q = query; + + q->style.show_header = false; + q->style.show_edns = false; + q->style.show_query = false; + q->style.show_question = false; + q->style.show_answer = false; + q->style.show_authority = false; + q->style.show_additional = false; + q->style.show_tsig = false; + q->style.show_footer = false; + + return KNOT_EOK; +} + +static int opt_qr(const char *arg, void *query) +{ + query_t *q = query; + + q->style.show_query = true; + + return KNOT_EOK; +} + +static int opt_noqr(const char *arg, void *query) +{ + query_t *q = query; + + q->style.show_query = false; + + return KNOT_EOK; +} + +static int opt_header(const char *arg, void *query) +{ + query_t *q = query; + + q->style.show_header = true; + + return KNOT_EOK; +} + +static int opt_noheader(const char *arg, void *query) +{ + query_t *q = query; + + q->style.show_header = false; + + return KNOT_EOK; +} + +static int opt_comments(const char *arg, void *query) +{ + query_t *q = query; + + q->style.show_section = true; + + return KNOT_EOK; +} + +static int opt_nocomments(const char *arg, void *query) +{ + query_t *q = query; + + q->style.show_section = false; + + return KNOT_EOK; +} + +static int opt_opt(const char *arg, void *query) +{ + query_t *q = query; + + q->style.show_edns = true; + + return KNOT_EOK; +} + +static int opt_noopt(const char *arg, void *query) +{ + query_t *q = query; + + q->style.show_edns = false; + + return KNOT_EOK; +} + +static int opt_opttext(const char *arg, void *query) +{ + query_t *q = query; + + q->style.show_edns_opt_text = true; + + return KNOT_EOK; +} + +static int opt_noopttext(const char *arg, void *query) +{ + query_t *q = query; + + q->style.show_edns_opt_text = false; + + return KNOT_EOK; +} + +static int opt_question(const char *arg, void *query) +{ + query_t *q = query; + + q->style.show_question = true; + + return KNOT_EOK; +} + +static int opt_noquestion(const char *arg, void *query) +{ + query_t *q = query; + + q->style.show_question = false; + + return KNOT_EOK; +} + +static int opt_answer(const char *arg, void *query) +{ + query_t *q = query; + + q->style.show_answer = true; + + return KNOT_EOK; +} + +static int opt_noanswer(const char *arg, void *query) +{ + query_t *q = query; + + q->style.show_answer = false; + + return KNOT_EOK; +} + +static int opt_authority(const char *arg, void *query) +{ + query_t *q = query; + + q->style.show_authority = true; + + return KNOT_EOK; +} + +static int opt_noauthority(const char *arg, void *query) +{ + query_t *q = query; + + q->style.show_authority = false; + + return KNOT_EOK; +} + +static int opt_additional(const char *arg, void *query) +{ + query_t *q = query; + + q->style.show_additional = true; + + return KNOT_EOK; +} + +static int opt_noadditional(const char *arg, void *query) +{ + query_t *q = query; + + q->style.show_additional = false; + q->style.show_edns = false; + q->style.show_tsig = false; + + return KNOT_EOK; +} + +static int opt_tsig(const char *arg, void *query) +{ + query_t *q = query; + + q->style.show_tsig = true; + + return KNOT_EOK; +} + +static int opt_notsig(const char *arg, void *query) +{ + query_t *q = query; + + q->style.show_tsig = false; + + return KNOT_EOK; +} + +static int opt_stats(const char *arg, void *query) +{ + query_t *q = query; + + q->style.show_footer = true; + + return KNOT_EOK; +} + +static int opt_nostats(const char *arg, void *query) +{ + query_t *q = query; + + q->style.show_footer = false; + + return KNOT_EOK; +} + +static int opt_class(const char *arg, void *query) +{ + query_t *q = query; + + q->style.style.show_class = true; + + return KNOT_EOK; +} + +static int opt_noclass(const char *arg, void *query) +{ + query_t *q = query; + + q->style.style.show_class = false; + + return KNOT_EOK; +} + +static int opt_ttl(const char *arg, void *query) +{ + query_t *q = query; + + q->style.style.show_ttl = true; + + return KNOT_EOK; +} + +static int opt_nottl(const char *arg, void *query) +{ + query_t *q = query; + + q->style.style.show_ttl = false; + + return KNOT_EOK; +} + +static int opt_ignore(const char *arg, void *query) +{ + query_t *q = query; + + q->ignore_tc = true; + + return KNOT_EOK; +} + +static int opt_noignore(const char *arg, void *query) +{ + query_t *q = query; + + q->ignore_tc = false; + + return KNOT_EOK; +} + +static int opt_crypto(const char *arg, void *query) +{ + query_t *q = query; + + q->style.style.hide_crypto = false; + + return KNOT_EOK; +} + +static int opt_nocrypto(const char *arg, void *query) +{ + query_t *q = query; + + q->style.style.hide_crypto = true; + + return KNOT_EOK; +} + +static int opt_tcp(const char *arg, void *query) +{ + query_t *q = query; + + q->protocol = PROTO_TCP; + + return KNOT_EOK; +} + +static int opt_notcp(const char *arg, void *query) +{ + query_t *q = query; + + q->protocol = PROTO_UDP; + return opt_ignore(arg, query); +} + +static int opt_fastopen(const char *arg, void *query) +{ + query_t *q = query; + + q->fastopen = true; + + return opt_tcp(arg, query); +} + +static int opt_nofastopen(const char *arg, void *query) +{ + query_t *q = query; + + q->fastopen = false; + + return KNOT_EOK; +} + +static int opt_tls(const char *arg, void *query) +{ + query_t *q = query; + + q->tls.enable = true; + return opt_tcp(arg, query); +} + +static int opt_notls(const char *arg, void *query) +{ + query_t *q = query; + + tls_params_clean(&q->tls); + tls_params_init(&q->tls); + + return KNOT_EOK; +} + +static int opt_tls_ca(const char *arg, void *query) +{ + query_t *q = query; + + if (arg == NULL) { + q->tls.system_ca = true; + return opt_tls(arg, query); + } else { + if (ptrlist_add(&q->tls.ca_files, strdup(arg), NULL) == NULL) { + return KNOT_ENOMEM; + } + return opt_tls(arg, query); + } +} + +static int opt_notls_ca(const char *arg, void *query) +{ + query_t *q = query; + + q->tls.system_ca = false; + + ptrnode_t *node, *nxt; + WALK_LIST_DELSAFE(node, nxt, q->tls.ca_files) { + free(node->d); + } + ptrlist_free(&q->tls.ca_files, NULL); + + return KNOT_EOK; +} + +static int opt_tls_pin(const char *arg, void *query) +{ + query_t *q = query; + + uint8_t pin[64] = { 0 }; + + int ret = knot_base64_decode((const uint8_t *)arg, strlen(arg), pin, sizeof(pin)); + if (ret < 0) { + ERR("invalid +tls-pin=%s\n", arg); + return ret; + } else if (ret != CERT_PIN_LEN) { // Check for 256-bit value. + ERR("invalid sha256 hash length +tls-pin=%s\n", arg); + return KNOT_EINVAL; + } + + uint8_t *item = malloc(1 + ret); // 1 ~ leading data length. + if (item == NULL) { + return KNOT_ENOMEM; + } + item[0] = ret; + memcpy(&item[1], pin, ret); + + if (ptrlist_add(&q->tls.pins, item, NULL) == NULL) { + return KNOT_ENOMEM; + } + + return opt_tls(arg, query); +} + +static int opt_notls_pin(const char *arg, void *query) +{ + query_t *q = query; + + ptrnode_t *node, *nxt; + WALK_LIST_DELSAFE(node, nxt, q->tls.pins) { + free(node->d); + } + ptrlist_free(&q->tls.pins, NULL); + + return KNOT_EOK; +} + +static int opt_tls_hostname(const char *arg, void *query) +{ + query_t *q = query; + + free(q->tls.hostname); + q->tls.hostname = strdup(arg); + + return opt_tls(arg, query); +} + +static int opt_notls_hostname(const char *arg, void *query) +{ + query_t *q = query; + + free(q->tls.hostname); + q->tls.hostname = NULL; + + return KNOT_EOK; +} + +static int opt_tls_sni(const char *arg, void *query) +{ + query_t *q = query; + + free(q->tls.sni); + q->tls.sni = strdup(arg); + + return opt_tls(arg, query); +} + +static int opt_notls_sni(const char *arg, void *query) +{ + query_t *q = query; + + free(q->tls.sni); + q->tls.sni = NULL; + + return KNOT_EOK; +} + +static int opt_tls_keyfile(const char *arg, void *query) +{ + query_t *q = query; + + free(q->tls.keyfile); + q->tls.keyfile = strdup(arg); + + return opt_tls(arg, query); +} + +static int opt_notls_keyfile(const char *arg, void *query) +{ + query_t *q = query; + + free(q->tls.keyfile); + q->tls.keyfile = NULL; + + return KNOT_EOK; +} + +static int opt_tls_certfile(const char *arg, void *query) +{ + query_t *q = query; + + free(q->tls.certfile); + q->tls.certfile = strdup(arg); + + return opt_tls(arg, query); +} + +static int opt_notls_certfile(const char *arg, void *query) +{ + query_t *q = query; + + free(q->tls.certfile); + q->tls.certfile = NULL; + + return KNOT_EOK; +} + +static int opt_tls_ocsp_stapling(const char *arg, void *query) +{ + query_t *q = query; + + if (arg == NULL) { + q->tls.ocsp_stapling = DEFAULT_TLS_OCSP_STAPLING; + return opt_tls(arg, query); + } else { + uint32_t num = 0; + if (str_to_u32(arg, &num) != KNOT_EOK || num == 0) { + ERR("invalid +tls-ocsp-stapling=%s\n", arg); + return KNOT_EINVAL; + } + + q->tls.ocsp_stapling = 3600 * num; + return opt_tls(arg, query); + } +} + +static int opt_notls_ocsp_stapling(const char *arg, void *query) +{ + query_t *q = query; + + q->tls.ocsp_stapling = 0; + + return KNOT_EOK; +} + +static int opt_https(const char *arg, void *query) +{ +#ifdef LIBNGHTTP2 + query_t *q = query; + + q->https.enable = true; + + if (arg != NULL) { + char *tmp_path = strchr(arg, '/'); + if (tmp_path) { + free(q->https.path); + q->https.path = strdup(tmp_path); + + if (tmp_path != arg) { + free(q->tls.hostname); + q->tls.hostname = strndup(arg, (size_t)(tmp_path - arg)); + } + return opt_tls(NULL, query); + } else { + return opt_tls_hostname(arg, q); + } + + } + + return opt_tls(NULL, query); + +#else + return KNOT_ENOTSUP; +#endif //LIBNGHTTP2 +} + +static int opt_nohttps(const char *arg, void *query) +{ +#ifdef LIBNGHTTP2 + query_t *q = query; + + https_params_clean(&q->https); + + return opt_notls(arg, query); +#else + return KNOT_ENOTSUP; +#endif //LIBNGHTTP2 +} + +static int opt_https_get(const char *arg, void *query) +{ +#ifdef LIBNGHTTP2 + query_t *q = query; + + q->https.method = GET; + + return opt_https(arg, q); +#else + return KNOT_ENOTSUP; +#endif //LIBNGHTTP2 +} + +static int opt_nohttps_get(const char *arg, void *query) +{ +#ifdef LIBNGHTTP2 + query_t *q = query; + + q->https.method = POST; + + return KNOT_EOK; +#else + return KNOT_ENOTSUP; +#endif +} + +static int opt_nsid(const char *arg, void *query) +{ + query_t *q = query; + + q->nsid = true; + + return KNOT_EOK; +} + +static int opt_nonsid(const char *arg, void *query) +{ + query_t *q = query; + + q->nsid = false; + + return KNOT_EOK; +} + +static int opt_bufsize(const char *arg, void *query) +{ + query_t *q = query; + + uint16_t num = 0; + if (str_to_u16(arg, &num) != KNOT_EOK) { + ERR("invalid +bufsize=%s\n", arg); + return KNOT_EINVAL; + } + + // Disable EDNS if zero bufsize. + if (num == 0) { + q->udp_size = -1; + } else if (num < KNOT_WIRE_HEADER_SIZE) { + q->udp_size = KNOT_WIRE_HEADER_SIZE; + } else { + q->udp_size = num; + } + + return KNOT_EOK; +} + +static int opt_nobufsize(const char *arg, void *query) +{ + query_t *q = query; + + q->udp_size = -1; + + return KNOT_EOK; +} + +static int opt_cookie(const char *arg, void *query) +{ + query_t *q = query; + + if (arg != NULL) { + uint8_t *input = NULL; + size_t input_len; + + int ret = hex_decode(arg, &input, &input_len); + if (ret != KNOT_EOK) { + ERR("invalid +cookie=%s\n", arg); + return KNOT_EINVAL; + } + + if (input_len < KNOT_EDNS_COOKIE_CLNT_SIZE) { + ERR("too short client +cookie=%s\n", arg); + free(input); + return KNOT_EINVAL; + } + q->cc.len = KNOT_EDNS_COOKIE_CLNT_SIZE; + memcpy(q->cc.data, input, q->cc.len); + + input_len -= q->cc.len; + if (input_len > 0) { + if (input_len < KNOT_EDNS_COOKIE_SRVR_MIN_SIZE) { + ERR("too short server +cookie=%s\n", arg); + free(input); + return KNOT_EINVAL; + } + if (input_len > KNOT_EDNS_COOKIE_SRVR_MAX_SIZE) { + ERR("too long server +cookie=%s\n", arg); + free(input); + return KNOT_EINVAL; + } + q->sc.len = input_len; + memcpy(q->sc.data, input + q->cc.len, q->sc.len); + } + + free(input); + } else { + q->cc.len = KNOT_EDNS_COOKIE_CLNT_SIZE; + + int ret = dnssec_random_buffer(q->cc.data, q->cc.len); + if (ret != DNSSEC_EOK) { + return knot_error_from_libdnssec(ret); + } + } + + return KNOT_EOK; +} + +static int opt_nocookie(const char *arg, void *query) +{ + query_t *q = query; + q->cc.len = 0; + q->sc.len = 0; + return KNOT_EOK; +} + +static int opt_badcookie(const char *arg, void *query) +{ + query_t *q = query; + q->badcookie = BADCOOKIE_RETRY_MAX; + return KNOT_EOK; +} + +static int opt_nobadcookie(const char *arg, void *query) +{ + query_t *q = query; + q->badcookie = 0; + return KNOT_EOK; +} + +static int opt_padding(const char *arg, void *query) +{ + query_t *q = query; + + if (arg == NULL) { + q->padding = -2; + return KNOT_EOK; + } else { + uint16_t num = 0; + if (str_to_u16(arg, &num) != KNOT_EOK) { + ERR("invalid +padding=%s\n", arg); + return KNOT_EINVAL; + } + + q->padding = num; + return KNOT_EOK; + } +} + +static int opt_nopadding(const char *arg, void *query) +{ + query_t *q = query; + + q->padding = -3; + + return KNOT_EOK; +} + +static int opt_alignment(const char *arg, void *query) +{ + query_t *q = query; + + if (arg == NULL) { + q->alignment = DEFAULT_ALIGNMENT_SIZE; + return KNOT_EOK; + } else { + uint16_t num = 0; + if (str_to_u16(arg, &num) != KNOT_EOK || num < 2) { + ERR("invalid +alignment=%s\n", arg); + return KNOT_EINVAL; + } + + q->alignment = num; + return KNOT_EOK; + } +} + +static int opt_noalignment(const char *arg, void *query) +{ + query_t *q = query; + + q->alignment = 0; + + return KNOT_EOK; +} + +static int opt_subnet(const char *arg, void *query) +{ + query_t *q = query; + + char *sep = NULL; + const size_t arg_len = strlen(arg); + const char *arg_end = arg + arg_len; + size_t addr_len = 0; + + // Separate address and network mask. + if ((sep = strchr(arg, '/')) != NULL) { + addr_len = sep - arg; + } else { + addr_len = arg_len; + } + + // Check IP address. + + struct sockaddr_storage ss = { 0 }; + struct addrinfo hints = { .ai_flags = AI_NUMERICHOST }; + struct addrinfo *ai = NULL; + + char *addr_str = strndup(arg, addr_len); + if (getaddrinfo(addr_str, NULL, &hints, &ai) != 0) { + free(addr_str); + ERR("invalid address +subnet=%s\n", arg); + return KNOT_EINVAL; + } + + memcpy(&ss, ai->ai_addr, ai->ai_addrlen); + freeaddrinfo(ai); + free(addr_str); + + if (knot_edns_client_subnet_set_addr(&q->subnet, &ss) != KNOT_EOK) { + ERR("invalid address +subnet=%s\n", arg); + return KNOT_EINVAL; + } + + // Parse network mask. + const char *mask = arg; + if (mask + addr_len < arg_end) { + mask += addr_len + 1; + uint8_t num = 0; + if (str_to_u8(mask, &num) != KNOT_EOK || num > q->subnet.source_len) { + ERR("invalid network mask +subnet=%s\n", arg); + return KNOT_EINVAL; + } + q->subnet.source_len = num; + } + + return KNOT_EOK; +} + +static int opt_nosubnet(const char *arg, void *query) +{ + query_t *q = query; + + q->subnet.family = AF_UNSPEC; + + return KNOT_EOK; +} + +static int opt_edns(const char *arg, void *query) +{ + query_t *q = query; + + if (arg == NULL) { + q->edns = 0; + return KNOT_EOK; + } else { + uint8_t num = 0; + if (str_to_u8(arg, &num) != KNOT_EOK) { + ERR("invalid +edns=%s\n", arg); + return KNOT_EINVAL; + } + + q->edns = num; + return KNOT_EOK; + } +} + +static int opt_noedns(const char *arg, void *query) +{ + query_t *q = query; + + q->edns = -1; + opt_nodoflag(arg, query); + opt_nonsid(arg, query); + opt_nobufsize(arg, query); + opt_nocookie(arg, query); + opt_nopadding(arg, query); + opt_noalignment(arg, query); + opt_nosubnet(arg, query); + + return KNOT_EOK; +} + +static int opt_timeout(const char *arg, void *query) +{ + query_t *q = query; + + if (params_parse_wait(arg, &q->wait) != KNOT_EOK) { + ERR("invalid +timeout=%s\n", arg); + return KNOT_EINVAL; + } + + return KNOT_EOK; +} + +static int opt_notimeout(const char *arg, void *query) +{ + query_t *q = query; + + q->wait = DEFAULT_TIMEOUT_DIG; + + return KNOT_EOK; +} + +static int opt_retry(const char *arg, void *query) +{ + query_t *q = query; + + if (str_to_u32(arg, &q->retries) != KNOT_EOK) { + ERR("invalid +retry=%s\n", arg); + return KNOT_EINVAL; + } + + return KNOT_EOK; +} + +static int opt_noretry(const char *arg, void *query) +{ + query_t *q = query; + + q->retries = DEFAULT_RETRIES_DIG; + + return KNOT_EOK; +} + +static int parse_ednsopt(const char *arg, ednsopt_t **opt_ptr) +{ + errno = 0; + char *end = NULL; + unsigned long code = strtoul(arg, &end, 10); + if (errno != 0 || arg == end || code > UINT16_MAX) { + return KNOT_EINVAL; + } + + size_t length = 0; + uint8_t *data = NULL; + if (end[0] == ':') { + if (end[1] != '\0') { + int ret = hex_decode(end + 1, &data, &length); + if (ret != KNOT_EOK) { + return ret; + } + if (length > UINT16_MAX) { + free(data); + return KNOT_ERANGE; + } + } + } else if (end[0] != '\0') { + return KNOT_EINVAL; + } + + ednsopt_t *opt = ednsopt_create(code, length, data); + if (opt == NULL) { + free(data); + return KNOT_ENOMEM; + } + + *opt_ptr = opt; + return KNOT_EOK; +} + +static int opt_ednsopt(const char *arg, void *query) +{ + query_t *q = query; + + ednsopt_t *opt = NULL; + int ret = parse_ednsopt(arg, &opt); + if (ret != KNOT_EOK) { + ERR("invalid +ednsopt=%s\n", arg); + return KNOT_EINVAL; + } + + add_tail(&q->edns_opts, &opt->n); + + return KNOT_EOK; +} + +static int opt_noednsopt(const char *arg, void *query) +{ + query_t *q = query; + + ednsopt_list_deinit(&q->edns_opts); + + return KNOT_EOK; +} + +static int opt_noidn(const char *arg, void *query) +{ + query_t *q = query; + + q->idn = false; + q->style.style.ascii_to_idn = NULL; + + return KNOT_EOK; +} + +static const param_t kdig_opts2[] = { + { "multiline", ARG_NONE, opt_multiline }, + { "nomultiline", ARG_NONE, opt_nomultiline }, + + { "short", ARG_NONE, opt_short }, + { "noshort", ARG_NONE, opt_noshort }, + + { "generic", ARG_NONE, opt_generic }, + { "nogeneric", ARG_NONE, opt_nogeneric }, + + { "aaflag", ARG_NONE, opt_aaflag }, + { "noaaflag", ARG_NONE, opt_noaaflag }, + + { "tcflag", ARG_NONE, opt_tcflag }, + { "notcflag", ARG_NONE, opt_notcflag }, + + { "rdflag", ARG_NONE, opt_rdflag }, + { "nordflag", ARG_NONE, opt_nordflag }, + + { "recurse", ARG_NONE, opt_rdflag }, + { "norecurse", ARG_NONE, opt_nordflag }, + + { "raflag", ARG_NONE, opt_raflag }, + { "noraflag", ARG_NONE, opt_noraflag }, + + { "zflag", ARG_NONE, opt_zflag }, + { "nozflag", ARG_NONE, opt_nozflag }, + + { "adflag", ARG_NONE, opt_adflag }, + { "noadflag", ARG_NONE, opt_noadflag }, + + { "cdflag", ARG_NONE, opt_cdflag }, + { "nocdflag", ARG_NONE, opt_nocdflag }, + + { "dnssec", ARG_NONE, opt_doflag }, + { "nodnssec", ARG_NONE, opt_nodoflag }, + + { "all", ARG_NONE, opt_all }, + { "noall", ARG_NONE, opt_noall }, + + { "qr", ARG_NONE, opt_qr }, + { "noqr", ARG_NONE, opt_noqr }, + + { "header", ARG_NONE, opt_header }, + { "noheader", ARG_NONE, opt_noheader }, + + { "comments", ARG_NONE, opt_comments }, + { "nocomments", ARG_NONE, opt_nocomments }, + + { "opt", ARG_NONE, opt_opt }, + { "noopt", ARG_NONE, opt_noopt }, + + { "opttext", ARG_NONE, opt_opttext }, + { "noopttext", ARG_NONE, opt_noopttext }, + + { "question", ARG_NONE, opt_question }, + { "noquestion", ARG_NONE, opt_noquestion }, + + { "answer", ARG_NONE, opt_answer }, + { "noanswer", ARG_NONE, opt_noanswer }, + + { "authority", ARG_NONE, opt_authority }, + { "noauthority", ARG_NONE, opt_noauthority }, + + { "additional", ARG_NONE, opt_additional }, + { "noadditional", ARG_NONE, opt_noadditional }, + + { "tsig", ARG_NONE, opt_tsig }, + { "notsig", ARG_NONE, opt_notsig }, + + { "stats", ARG_NONE, opt_stats }, + { "nostats", ARG_NONE, opt_nostats }, + + { "class", ARG_NONE, opt_class }, + { "noclass", ARG_NONE, opt_noclass }, + + { "ttl", ARG_NONE, opt_ttl }, + { "nottl", ARG_NONE, opt_nottl }, + + { "crypto", ARG_NONE, opt_crypto }, + { "nocrypto", ARG_NONE, opt_nocrypto }, + + { "tcp", ARG_NONE, opt_tcp }, + { "notcp", ARG_NONE, opt_notcp }, + + { "fastopen", ARG_NONE, opt_fastopen }, + { "nofastopen", ARG_NONE, opt_nofastopen }, + + { "ignore", ARG_NONE, opt_ignore }, + { "noignore", ARG_NONE, opt_noignore }, + + { "tls", ARG_NONE, opt_tls }, + { "notls", ARG_NONE, opt_notls }, + + { "tls-ca", ARG_OPTIONAL, opt_tls_ca }, + { "notls-ca", ARG_NONE, opt_notls_ca }, + + { "tls-pin", ARG_REQUIRED, opt_tls_pin }, + { "notls-pin", ARG_NONE, opt_notls_pin }, + + { "tls-hostname", ARG_REQUIRED, opt_tls_hostname }, + { "notls-hostname", ARG_NONE, opt_notls_hostname }, + + { "tls-sni", ARG_REQUIRED, opt_tls_sni }, + { "notls-sni", ARG_NONE, opt_notls_sni }, + + { "tls-keyfile", ARG_REQUIRED, opt_tls_keyfile }, + { "notls-keyfile", ARG_NONE, opt_notls_keyfile }, + + { "tls-certfile", ARG_REQUIRED, opt_tls_certfile }, + { "notls-certfile", ARG_NONE, opt_notls_certfile }, + + { "tls-ocsp-stapling", ARG_OPTIONAL, opt_tls_ocsp_stapling }, + { "notls-ocsp-stapling", ARG_NONE, opt_notls_ocsp_stapling }, + + { "https", ARG_OPTIONAL, opt_https }, + { "nohttps", ARG_NONE, opt_nohttps }, + + { "https-get", ARG_NONE, opt_https_get }, + { "nohttps-get", ARG_NONE, opt_nohttps_get }, + + { "nsid", ARG_NONE, opt_nsid }, + { "nonsid", ARG_NONE, opt_nonsid }, + + { "bufsize", ARG_REQUIRED, opt_bufsize }, + { "nobufsize", ARG_NONE, opt_nobufsize }, + + { "padding", ARG_OPTIONAL, opt_padding }, + { "nopadding", ARG_NONE, opt_nopadding }, + + { "alignment", ARG_OPTIONAL, opt_alignment }, + { "noalignment", ARG_NONE, opt_noalignment }, + + { "subnet", ARG_REQUIRED, opt_subnet }, + { "nosubnet", ARG_NONE, opt_nosubnet }, + + // Obsolete aliases. + { "client", ARG_REQUIRED, opt_subnet }, + { "noclient", ARG_NONE, opt_nosubnet }, + + { "edns", ARG_OPTIONAL, opt_edns }, + { "noedns", ARG_NONE, opt_noedns }, + + { "timeout", ARG_REQUIRED, opt_timeout }, + { "notimeout", ARG_NONE, opt_notimeout }, + + { "retry", ARG_REQUIRED, opt_retry }, + { "noretry", ARG_NONE, opt_noretry }, + + { "cookie", ARG_OPTIONAL, opt_cookie }, + { "nocookie", ARG_NONE, opt_nocookie }, + + { "badcookie", ARG_NONE, opt_badcookie }, + { "nobadcookie", ARG_NONE, opt_nobadcookie }, + + { "ednsopt", ARG_REQUIRED, opt_ednsopt }, + { "noednsopt", ARG_NONE, opt_noednsopt }, + + /* "idn" doesn't work since it must be called before query creation. */ + { "noidn", ARG_NONE, opt_noidn }, + + { NULL } +}; + +query_t *query_create(const char *owner, const query_t *conf) +{ + // Create output structure. + query_t *query = calloc(1, sizeof(query_t)); + + if (query == NULL) { + DBG_NULL; + return NULL; + } + + // Initialization with defaults or with reference query. + if (conf == NULL) { + query->conf = NULL; + query->local = NULL; + query->operation = OPERATION_QUERY; + query->ip = IP_ALL; + query->protocol = PROTO_ALL; + query->fastopen = false; + query->port = strdup(""); + query->udp_size = -1; + query->retries = DEFAULT_RETRIES_DIG; + query->wait = DEFAULT_TIMEOUT_DIG; + query->ignore_tc = false; + query->class_num = -1; + query->type_num = -1; + query->serial = -1; + query->notify = false; + query->flags = DEFAULT_FLAGS_DIG; + query->style = DEFAULT_STYLE_DIG; + query->idn = true; + query->nsid = false; + query->edns = -1; + query->cc.len = 0; + query->sc.len = 0; + query->badcookie = BADCOOKIE_RETRY_MAX; + query->padding = -1; + query->alignment = 0; + tls_params_init(&query->tls); + //query->tsig_key + query->subnet.family = AF_UNSPEC; + ednsopt_list_init(&query->edns_opts); +#if USE_DNSTAP + query->dt_reader = NULL; + query->dt_writer = NULL; +#endif // USE_DNSTAP + } else { + *query = *conf; + query->conf = conf; + if (conf->local != NULL) { + query->local = srv_info_create(conf->local->name, + conf->local->service); + if (query->local == NULL) { + query_free(query); + return NULL; + } + } else { + query->local = NULL; + } + query->port = strdup(conf->port); + tls_params_copy(&query->tls, &conf->tls); + https_params_copy(&query->https, &conf->https); + if (conf->tsig_key.name != NULL) { + int ret = knot_tsig_key_copy(&query->tsig_key, + &conf->tsig_key); + if (ret != KNOT_EOK) { + query_free(query); + return NULL; + } + } + + int ret = ednsopt_list_dup(&query->edns_opts, &conf->edns_opts); + if (ret != KNOT_EOK) { + query_free(query); + return NULL; + } + +#if USE_DNSTAP + query->dt_reader = conf->dt_reader; + query->dt_writer = conf->dt_writer; +#endif // USE_DNSTAP + } + + // Initialize list of servers. + init_list(&query->servers); + + // Set the query owner if any. + if (owner != NULL) { + if ((query->owner = strdup(owner)) == NULL) { + query_free(query); + return NULL; + } + } + + // Check dynamic allocation. + if (query->port == NULL) { + query_free(query); + return NULL; + } + + return query; +} + +void query_free(query_t *query) +{ + node_t *n, *nxt; + + if (query == NULL) { + DBG_NULL; + return; + } + + // Cleanup servers. + WALK_LIST_DELSAFE(n, nxt, query->servers) { + srv_info_free((srv_info_t *)n); + } + + // Cleanup local address. + if (query->local != NULL) { + srv_info_free(query->local); + } + + tls_params_clean(&query->tls); + https_params_clean(&query->https); + + // Cleanup signing key. + knot_tsig_key_deinit(&query->tsig_key); + + // Cleanup EDNS options. + ednsopt_list_deinit(&query->edns_opts); + +#if USE_DNSTAP + if (query->dt_reader != NULL) { + dt_reader_free(query->dt_reader); + } + if (query->dt_writer != NULL) { + // Global writer can be shared! + if (query->conf == NULL || + query->conf->dt_writer != query->dt_writer) { + dt_writer_free(query->dt_writer); + } + } +#endif // USE_DNSTAP + + free(query->owner); + free(query->port); + free(query); +} + +ednsopt_t *ednsopt_create(uint16_t code, uint16_t length, uint8_t *data) +{ + ednsopt_t *opt = calloc(1, sizeof(*opt)); + if (opt == NULL) { + return NULL; + } + + opt->code = code; + opt->length = length; + opt->data = data; + + return opt; +} + +ednsopt_t *ednsopt_dup(const ednsopt_t *opt) +{ + ednsopt_t *dup = calloc(1, sizeof(*opt)); + if (dup == NULL) { + return NULL; + } + + dup->code = opt->code; + dup->length = opt->length; + dup->data = memdup(opt->data, opt->length); + if (dup->data == NULL) { + free(dup); + return NULL; + } + + return dup; +} + +void ednsopt_free(ednsopt_t *opt) +{ + if (opt == NULL) { + return; + } + + free(opt->data); + free(opt); +} + +void ednsopt_list_init(list_t *list) +{ + init_list(list); +} + +void ednsopt_list_deinit(list_t *list) +{ + node_t *n, *next; + WALK_LIST_DELSAFE(n, next, *list) { + ednsopt_t *opt = (ednsopt_t *)n; + ednsopt_free(opt); + } + + init_list(list); +} + +int ednsopt_list_dup(list_t *dest, const list_t *src) +{ + list_t backup = *dest; + init_list(dest); + + node_t *n; + WALK_LIST(n, *src) { + ednsopt_t *opt = (ednsopt_t *)n; + ednsopt_t *dup = ednsopt_dup(opt); + if (dup == NULL) { + ednsopt_list_deinit(dest); + *dest = backup; + return KNOT_ENOMEM; + } + + add_tail(dest, &dup->n); + } + + return KNOT_EOK; +} + +bool ednsopt_list_empty(const list_t *list) +{ + return EMPTY_LIST(*list); +} + +int kdig_init(kdig_params_t *params) +{ + if (params == NULL) { + DBG_NULL; + return KNOT_EINVAL; + } + + memset(params, 0, sizeof(*params)); + + params->stop = false; + + // Initialize list of queries. + init_list(¶ms->queries); + + // Create config query. + if ((params->config = query_create(NULL, NULL)) == NULL) { + return KNOT_ENOMEM; + } + + return KNOT_EOK; +} + +void kdig_clean(kdig_params_t *params) +{ + node_t *n, *nxt; + + if (params == NULL) { + DBG_NULL; + return; + } + + // Clean up queries. + WALK_LIST_DELSAFE(n, nxt, params->queries) { + query_free((query_t *)n); + } + + // Clean up config. + query_free(params->config); + + // Clean up the structure. + memset(params, 0, sizeof(*params)); +} + +static int parse_class(const char *value, query_t *query) +{ + uint16_t rclass; + + if (params_parse_class(value, &rclass) != KNOT_EOK) { + return KNOT_EINVAL; + } + + query->class_num = rclass; + + return KNOT_EOK; +} + +static int parse_keyfile(const char *value, query_t *query) +{ + knot_tsig_key_deinit(&query->tsig_key); + + if (knot_tsig_key_init_file(&query->tsig_key, value) != KNOT_EOK) { + return KNOT_EINVAL; + } + + return KNOT_EOK; +} + +static int parse_local(const char *value, query_t *query) +{ + srv_info_t *local = parse_nameserver(value, "0"); + if (local == NULL) { + return KNOT_EINVAL; + } + + if (query->local != NULL) { + srv_info_free(query->local); + } + + query->local = local; + + return KNOT_EOK; +} + +static int parse_name(const char *value, list_t *queries, const query_t *conf) +{ + query_t *query = NULL; + char *ascii_name = (char *)value; + char *fqd_name = NULL; + + if (value != NULL) { + if (conf->idn) { + ascii_name = name_from_idn(value); + if (ascii_name == NULL) { + return KNOT_EINVAL; + } + } + + // If name is not FQDN, append trailing dot. + fqd_name = get_fqd_name(ascii_name); + + if (conf->idn) { + free(ascii_name); + } + } + + // Create new query. + query = query_create(fqd_name, conf); + + free(fqd_name); + + if (query == NULL) { + return KNOT_ENOMEM; + } + + // Add new query to the queries. + add_tail(queries, (node_t *)query); + + return KNOT_EOK; +} + +static int parse_port(const char *value, query_t *query) +{ + char **port; + + // Set current server port (last or query default). + if (list_size(&query->servers) > 0) { + srv_info_t *server = TAIL(query->servers); + port = &(server->service); + } else { + port = &(query->port); + } + + char *new_port = strdup(value); + + if (new_port == NULL) { + return KNOT_ENOMEM; + } + + // Deallocate old string. + free(*port); + + *port = new_port; + + return KNOT_EOK; +} + +static int parse_reverse(const char *value, list_t *queries, const query_t *conf) +{ + query_t *query = NULL; + + // Create reverse name. + char *reverse = get_reverse_name(value); + + if (reverse == NULL) { + return KNOT_EINVAL; + } + + // Create reverse query for given address. + query = query_create(reverse, conf); + + free(reverse); + + if (query == NULL) { + return KNOT_ENOMEM; + } + + // Set type for reverse query. + query->type_num = KNOT_RRTYPE_PTR; + + // Add new query to the queries. + add_tail(queries, (node_t *)query); + + return KNOT_EOK; +} + +static int parse_server(const char *value, kdig_params_t *params) +{ + query_t *query; + + // Set current query (last or config). + if (list_size(¶ms->queries) > 0) { + query = TAIL(params->queries); + } else { + query = params->config; + } + + if (params_parse_server(value, &query->servers, query->port) != KNOT_EOK) { + ERR("invalid server @%s\n", value); + return KNOT_EINVAL; + } + + return KNOT_EOK; +} + +static int parse_tsig(const char *value, query_t *query) +{ + knot_tsig_key_deinit(&query->tsig_key); + + if (knot_tsig_key_init_str(&query->tsig_key, value) != KNOT_EOK) { + return KNOT_EINVAL; + } + + return KNOT_EOK; +} + +static int parse_type(const char *value, query_t *query) +{ + uint16_t rtype; + int64_t serial; + bool notify; + + if (params_parse_type(value, &rtype, &serial, ¬ify) != KNOT_EOK) { + return KNOT_EINVAL; + } + + query->type_num = rtype; + query->serial = serial; + query->notify = notify; + + // If NOTIFY, reset default RD flag. + if (query->notify) { + query->flags.rd_flag = false; + } + + return KNOT_EOK; +} + +#if USE_DNSTAP +static int parse_dnstap_output(const char *value, query_t *query) +{ + if (query->dt_writer != NULL) { + if (query->conf == NULL || + query->conf->dt_writer != query->dt_writer) { + dt_writer_free(query->dt_writer); + } + } + + query->dt_writer = dt_writer_create(value, "kdig " PACKAGE_VERSION); + if (query->dt_writer == NULL) { + return KNOT_EINVAL; + } + + return KNOT_EOK; +} + +static int parse_dnstap_input(const char *value, query_t *query) +{ + // Just in case, shouldn't happen. + if (query->dt_reader != NULL) { + dt_reader_free(query->dt_reader); + } + + query->dt_reader = dt_reader_create(value); + if (query->dt_reader == NULL) { + return KNOT_EINVAL; + } + + return KNOT_EOK; +} +#endif // USE_DNSTAP + +static void complete_servers(query_t *query, const query_t *conf) +{ + node_t *n; + char *def_port; + + // Decide which default port use. + if (strlen(query->port) > 0) { + def_port = query->port; + } else if (strlen(conf->port) > 0) { + def_port = conf->port; + } else if (query->https.enable) { + def_port = DEFAULT_DNS_HTTPS_PORT; + } else if (query->tls.enable) { + def_port = DEFAULT_DNS_TLS_PORT; + } else { + def_port = DEFAULT_DNS_PORT; + } + + // Complete specified nameservers if any. + if (list_size(&query->servers) > 0) { + WALK_LIST(n, query->servers) { + srv_info_t *s = (srv_info_t *)n; + + // If the port isn't specified yet use the default one. + if (strlen(s->service) == 0) { + free(s->service); + s->service = strdup(def_port); + if (s->service == NULL) { + WARN("can't set port %s\n", def_port); + return; + } + } + + // Use server name as hostname for TLS if necessary. + if (query->tls.enable && query->tls.hostname == NULL && + (query->tls.system_ca || !EMPTY_LIST(query->tls.ca_files))) { + query->tls.hostname = strdup(s->name); + } + } + // Use servers from config if any. + } else if (list_size(&conf->servers) > 0) { + WALK_LIST(n, conf->servers) { + srv_info_t *s = (srv_info_t *)n; + char *port = def_port; + + // If the port is already specified, use it. + if (strlen(s->service) > 0) { + port = s->service; + } + + srv_info_t *server = srv_info_create(s->name, port); + if (server == NULL) { + WARN("can't set nameserver %s port %s\n", + s->name, s->service); + return; + } + add_tail(&query->servers, (node_t *)server); + + // Use server name as hostname for TLS if necessary. + if (query->tls.enable && query->tls.hostname == NULL && + (query->tls.system_ca || !EMPTY_LIST(query->tls.ca_files))) { + query->tls.hostname = strdup(s->name); + } + } + // Use system specific. + } else { + get_nameservers(&query->servers, def_port); + } +} + +void complete_queries(list_t *queries, const query_t *conf) +{ + node_t *n; + + if (queries == NULL || conf == NULL) { + DBG_NULL; + return; + } + + // If there is no query, add default query: NS to ".". + if (list_size(queries) == 0) { + query_t *q = query_create(".", conf); + if (q == NULL) { + WARN("can't create query . NS IN\n"); + return; + } + q->class_num = KNOT_CLASS_IN; + q->type_num = KNOT_RRTYPE_NS; + add_tail(queries, (node_t *)q); + } + + WALK_LIST(n, *queries) { + query_t *q = (query_t *)n; + + // Fill class number if missing. + if (q->class_num < 0) { + if (conf->class_num >= 0) { + q->class_num = conf->class_num; + } else { + q->class_num = KNOT_CLASS_IN; + } + } + + // Fill type number if missing. + if (q->type_num < 0) { + if (conf->type_num >= 0) { + q->type_num = conf->type_num; + q->serial = conf->serial; + } else { + q->type_num = KNOT_RRTYPE_A; + } + } + + // Set zone transfer if any. + if (q->type_num == KNOT_RRTYPE_AXFR || + q->type_num == KNOT_RRTYPE_IXFR) { + q->operation = OPERATION_XFR; + } + + // No retries for TCP. + if (q->protocol == PROTO_TCP) { + q->retries = 0; + } + + // Complete nameservers list. + complete_servers(q, conf); + } +} + +static void print_help(void) +{ + printf("Usage: %s [-4] [-6] [-d] [-b address] [-c class] [-p port]\n" + " [-q name] [-t type] [-x address] [-k keyfile]\n" + " [-y [algo:]keyname:key] [-E tapfile] [-G tapfile]\n" + " name [type] [class] [@server]\n" + "\n" + " +[no]multiline Wrap long records to more lines.\n" + " +[no]short Show record data only.\n" + " +[no]generic Use generic representation format.\n" + " +[no]aaflag Set AA flag.\n" + " +[no]tcflag Set TC flag.\n" + " +[no]rdflag Set RD flag.\n" + " +[no]recurse Same as +[no]rdflag\n" + " +[no]raflag Set RA flag.\n" + " +[no]zflag Set zero flag bit.\n" + " +[no]adflag Set AD flag.\n" + " +[no]cdflag Set CD flag.\n" + " +[no]dnssec Set DO flag.\n" + " +[no]all Show all packet sections.\n" + " +[no]qr Show query packet.\n" + " +[no]header Show packet header.\n" + " +[no]comments Show commented section names.\n" + " +[no]opt Show EDNS pseudosection.\n" + " +[no]opttext Try to show unknown EDNS options as text.\n" + " +[no]question Show question section.\n" + " +[no]answer Show answer section.\n" + " +[no]authority Show authority section.\n" + " +[no]additional Show additional section.\n" + " +[no]tsig Show TSIG pseudosection.\n" + " +[no]stats Show trailing packet statistics.\n" + " +[no]class Show DNS class.\n" + " +[no]ttl Show TTL value.\n" + " +[no]crypto Show binary parts of RRSIGs and DNSKEYs.\n" + " +[no]tcp Use TCP protocol.\n" + " +[no]fastopen Use TCP Fast Open.\n" + " +[no]ignore Don't use TCP automatically if truncated.\n" + " +[no]tls Use TLS with Opportunistic privacy profile.\n" + " +[no]tls-ca[=FILE] Use TLS with Out-Of-Band privacy profile.\n" + " +[no]tls-pin=BASE64 Use TLS with pinned certificate.\n" + " +[no]tls-hostname=STR Use TLS with remote server hostname.\n" + " +[no]tls-sni=STR Use TLS with Server Name Indication.\n" + " +[no]tls-keyfile=FILE Use TLS with a client keyfile.\n" + " +[no]tls-certfile=FILE Use TLS with a client certfile.\n" + " +[no]tls-ocsp-stapling[=H] Use TLS with a valid stapled OCSP response for the\n" + " server certificate (%u or specify hours).\n" +#ifdef LIBNGHTTP2 + " +[no]https[=URL] Use HTTPS protocol. It's also possible to specify\n" + " URL where query will be sent.\n" + " +[no]https-get Use HTTPS protocol with GET method instead of POST.\n" +#endif + " +[no]nsid Request NSID.\n" + " +[no]bufsize=B Set EDNS buffer size.\n" + " +[no]padding[=N] Pad with EDNS(0) (default or specify size).\n" + " +[no]alignment[=N] Pad with EDNS(0) to blocksize (%u or specify size).\n" + " +[no]subnet=SUBN Set EDNS(0) client subnet addr/prefix.\n" + " +[no]edns[=N] Use EDNS(=version).\n" + " +[no]timeout=T Set wait for reply interval in seconds.\n" + " +[no]retry=N Set number of retries.\n" + " +[no]cookie=HEX Attach EDNS(0) cookie to the query.\n" + " +[no]badcookie Repeat a query with the correct cookie.\n" + " +[no]ednsopt=CODE[:HEX] Set custom EDNS option.\n" + " +noidn Disable IDN transformation.\n" + "\n" + " -h, --help Print the program help.\n" + " -V, --version Print the program version.\n", + PROGRAM_NAME, DEFAULT_TLS_OCSP_STAPLING / 3600, DEFAULT_ALIGNMENT_SIZE); +} + +static int parse_opt1(const char *opt, const char *value, kdig_params_t *params, + int *index) +{ + const char *val = value; + size_t len = strlen(opt); + int add = 1; + query_t *query; + + // Set current query (last or config). + if (list_size(¶ms->queries) > 0) { + query = TAIL(params->queries); + } else { + query = params->config; + } + + // If there is no space between option and argument. + if (len > 1) { + val = opt + 1; + add = 0; + } + + switch (opt[0]) { + case '4': + if (len > 1) { + ERR("invalid option -%s\n", opt); + return KNOT_ENOTSUP; + } + + query->ip = IP_4; + break; + case '6': + if (len > 1) { + ERR("invalid option -%s\n", opt); + return KNOT_ENOTSUP; + } + + query->ip = IP_6; + break; + case 'b': + if (val == NULL) { + ERR("missing address\n"); + return KNOT_EINVAL; + } + + if (parse_local(val, query) != KNOT_EOK) { + ERR("bad address %s\n", val); + return KNOT_EINVAL; + } + *index += add; + break; + case 'd': + msg_enable_debug(1); + break; + case 'h': + if (len > 1) { + ERR("invalid option -%s\n", opt); + return KNOT_ENOTSUP; + } + + print_help(); + params->stop = true; + break; + case 'c': + if (val == NULL) { + ERR("missing class\n"); + return KNOT_EINVAL; + } + + if (parse_class(val, query) != KNOT_EOK) { + ERR("bad class %s\n", val); + return KNOT_EINVAL; + } + *index += add; + break; + case 'k': + if (val == NULL) { + ERR("missing filename\n"); + return KNOT_EINVAL; + } + + if (parse_keyfile(val, query) != KNOT_EOK) { + ERR("bad keyfile %s\n", value); + return KNOT_EINVAL; + } + *index += add; + break; + case 'p': + if (val == NULL) { + ERR("missing port\n"); + return KNOT_EINVAL; + } + + if (parse_port(val, query) != KNOT_EOK) { + ERR("bad port %s\n", value); + return KNOT_EINVAL; + } + *index += add; + break; + case 'q': + // Allow empty QNAME. + if (parse_name(val, ¶ms->queries, params->config) + != KNOT_EOK) { + ERR("bad query name %s\n", val); + return KNOT_EINVAL; + } + *index += add; + break; + case 't': + if (val == NULL) { + ERR("missing type\n"); + return KNOT_EINVAL; + } + + if (parse_type(val, query) != KNOT_EOK) { + ERR("bad type %s\n", val); + return KNOT_EINVAL; + } + *index += add; + break; + case 'V': + if (len > 1) { + ERR("invalid option -%s\n", opt); + return KNOT_ENOTSUP; + } + + print_version(PROGRAM_NAME); + params->stop = true; + break; + case 'x': + if (val == NULL) { + ERR("missing address\n"); + return KNOT_EINVAL; + } + + if (parse_reverse(val, ¶ms->queries, params->config) + != KNOT_EOK) { + ERR("bad reverse name %s\n", val); + return KNOT_EINVAL; + } + *index += add; + break; + case 'y': + if (val == NULL) { + ERR("missing key\n"); + return KNOT_EINVAL; + } + + if (parse_tsig(val, query) != KNOT_EOK) { + ERR("bad key %s\n", value); + return KNOT_EINVAL; + } + *index += add; + break; + case 'E': +#if USE_DNSTAP + if (val == NULL) { + ERR("missing filename\n"); + return KNOT_EINVAL; + } + + if (parse_dnstap_output(val, query) != KNOT_EOK) { + ERR("unable to open dnstap output file %s\n", val); + return KNOT_EINVAL; + } + *index += add; +#else + ERR("no dnstap support but -E specified\n"); + return KNOT_EINVAL; +#endif // USE_DNSTAP + break; + case 'G': +#if USE_DNSTAP + if (val == NULL) { + ERR("missing filename\n"); + return KNOT_EINVAL; + } + + query = query_create(NULL, params->config); + if (query == NULL) { + return KNOT_ENOMEM; + } + + if (parse_dnstap_input(val, query) != KNOT_EOK) { + ERR("unable to open dnstap input file %s\n", val); + query_free(query); + return KNOT_EINVAL; + } + + query->operation = OPERATION_LIST_DNSTAP; + add_tail(¶ms->queries, (node_t *)query); + + *index += add; +#else + ERR("no dnstap support but -G specified\n"); + return KNOT_EINVAL; +#endif // USE_DNSTAP + break; + case '-': + if (strcmp(opt, "-help") == 0) { + print_help(); + params->stop = true; + } else if (strcmp(opt, "-version") == 0) { + print_version(PROGRAM_NAME); + params->stop = true; + } else { + ERR("invalid option: -%s\n", opt); + return KNOT_ENOTSUP; + } + break; + default: + ERR("invalid option: -%s\n", opt); + return KNOT_ENOTSUP; + } + + return KNOT_EOK; +} + +static int parse_opt2(const char *value, kdig_params_t *params) +{ + query_t *query; + + // Set current query (last or config). + if (list_size(¶ms->queries) > 0) { + query = TAIL(params->queries); + } else { + query = params->config; + } + + // Get option name. + const char *arg_sep = "="; + size_t opt_len = strcspn(value, arg_sep); + if (opt_len < 1) { + ERR("invalid option: +%s\n", value); + return KNOT_ENOTSUP; + } + + // Get option argument if any. + const char *arg = NULL; + const char *rest = value + opt_len; + if (strlen(rest) > 0) { + arg = rest + strspn(rest, arg_sep); + } + + // Check if the given option is supported. + bool unique; + int ret = best_param(value, opt_len, kdig_opts2, &unique); + if (ret < 0) { + ERR("invalid option: +%s\n", value); + return KNOT_ENOTSUP; + } else if (!unique) { + ERR("ambiguous option: +%s\n", value); + return KNOT_ENOTSUP; + } + + // Check argument presence. + switch (kdig_opts2[ret].arg) { + case ARG_NONE: + if (arg != NULL && *arg != '\0') { + WARN("superfluous option argument: +%s\n", value); + } + break; + case ARG_REQUIRED: + if (arg == NULL) { + ERR("missing argument: +%s\n", value); + return KNOT_EFEWDATA; + } + // FALLTHROUGH + case ARG_OPTIONAL: + if (arg != NULL && *arg == '\0') { + ERR("empty argument: +%s\n", value); + return KNOT_EFEWDATA; + } + break; + } + + // Call option handler. + return kdig_opts2[ret].handler(arg, query); +} + +static int parse_token(const char *value, kdig_params_t *params) +{ + query_t *query; + + // Set current query (last or config). + if (list_size(¶ms->queries) > 0) { + query = TAIL(params->queries); + } else { + query = params->config; + } + + // Try to guess the meaning of the token. + if (strlen(value) == 0) { + ERR("invalid empty parameter\n"); + } else if (parse_type(value, query) == KNOT_EOK) { + return KNOT_EOK; + } else if (parse_class(value, query) == KNOT_EOK) { + return KNOT_EOK; + } else if (parse_name(value, ¶ms->queries, params->config) == KNOT_EOK) { + return KNOT_EOK; + } else { + ERR("invalid parameter: %s\n", value); + } + + return KNOT_EINVAL; +} + +int kdig_parse(kdig_params_t *params, int argc, char *argv[]) +{ + if (params == NULL || argv == NULL) { + DBG_NULL; + return KNOT_EINVAL; + } + + // Initialize parameters. + if (kdig_init(params) != KNOT_EOK) { + return KNOT_ERROR; + } + +#ifdef LIBIDN + // Set up localization. + if (setlocale(LC_CTYPE, "") == NULL) { + WARN("can't setlocale, disabling IDN\n"); + params->config->idn = false; + params->config->style.style.ascii_to_idn = NULL; + } +#endif + + // Command line parameters processing. + for (int i = 1; i < argc; i++) { + int ret = KNOT_ERROR; + + // Process parameter. + switch (argv[i][0]) { + case '@': + ret = parse_server(argv[i] + 1, params); + break; + case '-': + ret = parse_opt1(argv[i] + 1, argv[i + 1], params, &i); + break; + case '+': + ret = parse_opt2(argv[i] + 1, params); + break; + default: + ret = parse_token(argv[i], params); + break; + } + + // Check return. + switch (ret) { + case KNOT_EOK: + if (params->stop) { + return KNOT_EOK; + } + break; + case KNOT_ENOTSUP: + print_help(); + default: // Fall through. + return ret; + } + } + + // Complete missing data in queries based on defaults. + complete_queries(¶ms->queries, params->config); + + return KNOT_EOK; +} diff --git a/src/utils/kdig/kdig_params.h b/src/utils/kdig/kdig_params.h new file mode 100644 index 0000000..9a35986 --- /dev/null +++ b/src/utils/kdig/kdig_params.h @@ -0,0 +1,177 @@ +/* Copyright (C) 2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#pragma once + +#include <stdbool.h> + +#include "utils/common/params.h" +#include "utils/common/exec.h" +#include "utils/common/https.h" +#include "utils/common/sign.h" +#include "libknot/libknot.h" +#include "contrib/sockaddr.h" + +#if USE_DNSTAP +# include "contrib/dnstap/reader.h" +# include "contrib/dnstap/writer.h" +#endif // USE_DNSTAP + +/*! \brief Operation mode of kdig. */ +typedef enum { + /*!< Standard 1-message query/reply. */ + OPERATION_QUERY, + /*!< Zone transfer (AXFR or IXFR). */ + OPERATION_XFR, + /*!< Dump dnstap file. */ + OPERATION_LIST_DNSTAP, +} operation_t; + +/*! \brief DNS header and EDNS flags. */ +typedef struct { + /*!< Authoritative answer flag. */ + bool aa_flag; + /*!< Truncated flag. */ + bool tc_flag; + /*!< Recursion desired flag. */ + bool rd_flag; + /*!< Recursion available flag. */ + bool ra_flag; + /*!< Z flag. */ + bool z_flag; + /*!< Authenticated data flag. */ + bool ad_flag; + /*!< Checking disabled flag. */ + bool cd_flag; + /*!< DNSSEC OK flag. */ + bool do_flag; +} flags_t; + +/*! \brief Basic parameters for DNS query. */ +typedef struct query query_t; // Forward declaration due to configuration. +struct query { + /*!< List node (for list container). */ + node_t n; + /*!< Reference to global config. */ + const query_t *conf; + /*!< Name to query on. */ + char *owner; + /*!< List of nameservers to query to. */ + list_t servers; + /*!< Local interface (optional). */ + srv_info_t *local; + /*!< Operation mode. */ + operation_t operation; + /*!< Version of ip protocol to use. */ + ip_t ip; + /*!< Protocol type (TCP, UDP) to use. */ + protocol_t protocol; + /*!< Use TCP Fast Open. */ + bool fastopen; + /*!< Port/service to connect to. */ + char *port; + /*!< UDP buffer size (16unsigned + -1 uninitialized). */ + int32_t udp_size; + /*!< Number of UDP retries. */ + uint32_t retries; + /*!< Wait for network response in seconds (-1 means forever). */ + int32_t wait; + /*!< Ignore truncated response. */ + bool ignore_tc; + /*!< Class number (16unsigned + -1 uninitialized). */ + int32_t class_num; + /*!< Type number (16unsigned + -1 uninitialized). */ + int32_t type_num; + /*!< SOA serial for IXFR and NOTIFY (32unsigned + -1 uninitialized). */ + int64_t serial; + /*!< NOTIFY query. */ + bool notify; + /*!< Header flags. */ + flags_t flags; + /*!< Output settings. */ + style_t style; + /*!< IDN conversion. */ + bool idn; + /*!< Query for NSID. */ + bool nsid; + /*!< EDNS version (8unsigned + -1 uninitialized). */ + int16_t edns; + /*!< EDNS client cookie. */ + knot_edns_cookie_t cc; + /*!< EDNS server cookie. */ + knot_edns_cookie_t sc; + /*!< Repeat query after BADCOOKIE. */ + int badcookie; + /*!< EDNS0 padding (16unsigned + -1 ~ uninitialized, -2 ~ default, -3 ~ none). */ + int32_t padding; + /*!< Query alignment with EDNS0 padding (0 ~ uninitialized). */ + uint16_t alignment; + /*!< TLS parameters. */ + tls_params_t tls; + /*!< HTTPS parameters. */ + https_params_t https; + /*!< Transaction signature. */ + knot_tsig_key_t tsig_key; + /*!< EDNS client subnet. */ + knot_edns_client_subnet_t subnet; + /*!< Lits of custom EDNS options. */ + list_t edns_opts; +#if USE_DNSTAP + /*!< Context for dnstap reader input. */ + dt_reader_t *dt_reader; + /*!< Context for dnstap writer output. */ + dt_writer_t *dt_writer; +#endif // USE_DNSTAP +}; + +/*! \brief EDNS option data. */ +typedef struct { + /*! List node (for list container). */ + node_t n; + /*!< OPTION-CODE field. */ + uint16_t code; + /*!< OPTION-LENGTH field. */ + uint16_t length; + /*!< OPTION-DATA field. */ + uint8_t *data; +} ednsopt_t; + +/*! \brief Settings for kdig. */ +typedef struct { + /*!< Stop processing - just print help, version,... */ + bool stop; + /*!< List of DNS queries to process. */ + list_t queries; + /*!< Default settings for queries. */ + query_t *config; +} kdig_params_t; + +query_t *query_create(const char *owner, const query_t *config); +void query_free(query_t *query); +void complete_queries(list_t *queries, const query_t *conf); + +ednsopt_t *ednsopt_create(uint16_t code, uint16_t length, uint8_t *data); +ednsopt_t *ednsopt_dup(const ednsopt_t *opt); +void ednsopt_free(ednsopt_t *opt); + +void ednsopt_list_init(list_t *list); +void ednsopt_list_deinit(list_t *list); +int ednsopt_list_dup(list_t *dst, const list_t *src); +bool ednsopt_list_empty(const list_t *list); + +int kdig_init(kdig_params_t *params); +int kdig_parse(kdig_params_t *params, int argc, char *argv[]); +void kdig_clean(kdig_params_t *params); diff --git a/src/utils/keymgr/bind_privkey.c b/src/utils/keymgr/bind_privkey.c new file mode 100644 index 0000000..9879f6b --- /dev/null +++ b/src/utils/keymgr/bind_privkey.c @@ -0,0 +1,411 @@ +/* Copyright (C) 2019 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#include <string.h> + +#include "contrib/ctype.h" +#include "contrib/strtonum.h" +#include "libdnssec/binary.h" +#include "libdnssec/error.h" +#include "libdnssec/pem.h" +#include "libdnssec/shared/shared.h" +#include "utils/keymgr/bind_privkey.h" + +/* -- private key params conversion ---------------------------------------- */ + +/*! + * Private key attribute conversion. + */ +typedef struct param_t { + char *name; + size_t offset; + int (*parse_cb)(char *string, void *data); + void (*free_cb)(void *data); +} param_t; + +static int parse_algorithm(char *string, void *_algorithm); +static int parse_binary(char *string, void *_binary); +static int parse_time(char *string, void *_time); + +static void binary_free(void *_binary) +{ + dnssec_binary_t *binary = _binary; + dnssec_binary_free(binary); +} + +/*! + * Know attributes in private key file. + */ +const param_t PRIVKEY_CONVERSION_TABLE[] = { + #define o(field) offsetof(bind_privkey_t, field) + { "Algorithm", o(algorithm), parse_algorithm, NULL }, + { "Modulus", o(modulus), parse_binary, binary_free }, + { "PublicExponent", o(public_exponent), parse_binary, binary_free }, + { "PrivateExponent", o(private_exponent), parse_binary, binary_free }, + { "Prime1", o(prime_one), parse_binary, binary_free }, + { "Prime2", o(prime_two), parse_binary, binary_free }, + { "Exponent1", o(exponent_one), parse_binary, binary_free }, + { "Exponent2", o(exponent_two), parse_binary, binary_free }, + { "Coefficient", o(coefficient), parse_binary, binary_free }, + { "PrivateKey", o(private_key), parse_binary, binary_free }, + { "Created", o(time_created), parse_time, NULL }, + { "Publish", o(time_publish), parse_time, NULL }, + { "Activate", o(time_activate), parse_time, NULL }, + { "Revoke", o(time_revoke), parse_time, NULL }, + { "Inactive", o(time_inactive), parse_time, NULL }, + { "Delete", o(time_delete), parse_time, NULL }, + { NULL } + #undef o +}; + +/* -- attribute parsing ---------------------------------------------------- */ + +/*! + * Parse key algorithm field. + * + * Example: 7 (NSEC3RSASHA1) + * + * Only the numeric value is decoded, the rest of the value is ignored. + */ +static int parse_algorithm(char *string, void *_algorithm) +{ + char *end = string; + while (*end != '\0' && !is_space(*end)) { + end += 1; + } + *end = '\0'; + + uint8_t *algorithm = _algorithm; + int r = str_to_u8(string, algorithm); + + return (r == KNOT_EOK ? DNSSEC_EOK : DNSSEC_INVALID_KEY_ALGORITHM); +} + +/*! + * Parse binary data encoded in Base64. + * + * Example: AQAB + */ +static int parse_binary(char *string, void *_binary) +{ + dnssec_binary_t base64 = { + .data = (uint8_t *)string, + .size = strlen(string) + }; + + dnssec_binary_t *binary = _binary; + return dnssec_binary_from_base64(&base64, binary); +} + +#define LEGACY_DATE_FORMAT "%Y%m%d%H%M%S" + +/*! + * Parse timestamp in a format in \ref LEGACY_DATE_FORMAT. + * + * Example: 20140415151855 + */ +static int parse_time(char *string, void *_time) +{ + struct tm tm = { 0 }; + + char *end = strptime(string, LEGACY_DATE_FORMAT, &tm); + if (end == NULL || *end != '\0') { + return DNSSEC_MALFORMED_DATA; + } + + time_t *time = _time; + *time = timegm(&tm); + + return DNSSEC_EOK; +} + +/* -- key parsing ---------------------------------------------------------- */ + +/*! + * Strip string value of left and right whitespaces. + * + * \param[in,out] value Start of the string. + * \param[in,out] length Length of the string. + * + */ +static void strip(char **value, size_t *length) +{ + // strip from left + while (*length > 0 && is_space(**value)) { + *value += 1; + *length -= 1; + } + // strip from right + while (*length > 0 && is_space((*value)[*length - 1])) { + *length -= 1; + } +} + +/*! + * Parse one line of the private key file. + */ +static int parse_line(bind_privkey_t *params, char *line, size_t length) +{ + assert(params); + assert(line); + + strip(&line, &length); + if (length == 0) { + return KNOT_EOK; // blank line + } + + char *separator = memchr(line, ':', length); + if (!separator) { + return DNSSEC_MALFORMED_DATA; + } + + char *key = line; + size_t key_length = separator - key; + strip(&key, &key_length); + + char *value = separator + 1; + size_t value_length = (line + length) - value; + strip(&value, &value_length); + + if (key_length == 0 || value_length == 0) { + return DNSSEC_MALFORMED_DATA; + } + + key[key_length] = '\0'; + value[value_length] = '\0'; + + for (const param_t *p = PRIVKEY_CONVERSION_TABLE; p->name != NULL; p++) { + size_t name_length = strlen(p->name); + if (name_length != key_length) { + continue; + } + + if (strcasecmp(p->name, key) != 0) { + continue; + } + + return p->parse_cb(value, (void *)params + p->offset); + } + + // ignore unknown attributes + + return DNSSEC_EOK; +} + +int bind_privkey_parse(const char *filename, bind_privkey_t *params_ptr) +{ + _cleanup_fclose_ FILE *file = fopen(filename, "r"); + if (!file) { + return DNSSEC_NOT_FOUND; + } + + bind_privkey_t params = { 0 }; + + _cleanup_free_ char *line = NULL; + size_t size = 0; + ssize_t read = 0; + while ((read = getline(&line, &size, file)) != -1) { + int r = parse_line(¶ms, line, read); + if (r != DNSSEC_EOK) { + bind_privkey_free(¶ms); + return r; + } + } + + *params_ptr = params; + + return DNSSEC_EOK; +} + +/* -- freeing -------------------------------------------------------------- */ + +/*! + * Free private key parameters. + */ +void bind_privkey_free(bind_privkey_t *params) +{ + if (!params) { + return; + } + + for (const param_t *p = PRIVKEY_CONVERSION_TABLE; p->name != NULL; p++) { + if (p->free_cb) { + p->free_cb((void *)params + p->offset); + } + } + + clear_struct(params); +} + +/* -- export to PEM -------------------------------------------------------- */ + +static int rsa_params_to_pem(const bind_privkey_t *params, dnssec_binary_t *pem) +{ + _cleanup_x509_privkey_ gnutls_x509_privkey_t key = NULL; + int result = gnutls_x509_privkey_init(&key); + if (result != GNUTLS_E_SUCCESS) { + return DNSSEC_ENOMEM; + } + + gnutls_datum_t m = binary_to_datum(¶ms->modulus); + gnutls_datum_t e = binary_to_datum(¶ms->public_exponent); + gnutls_datum_t d = binary_to_datum(¶ms->private_exponent); + gnutls_datum_t p = binary_to_datum(¶ms->prime_one); + gnutls_datum_t q = binary_to_datum(¶ms->prime_two); + gnutls_datum_t u = binary_to_datum(¶ms->coefficient); + + result = gnutls_x509_privkey_import_rsa_raw(key, &m, &e, &d, &p, &q, &u); + if (result != GNUTLS_E_SUCCESS) { + return DNSSEC_KEY_IMPORT_ERROR; + } + + return dnssec_pem_from_x509(key, pem); +} + +/*! + * \see lib/key/convert.h + */ +static gnutls_ecc_curve_t choose_ecdsa_curve(size_t pubkey_size) +{ + switch (pubkey_size) { +#ifdef HAVE_ED25519 + case 32: return GNUTLS_ECC_CURVE_ED25519; +#endif +#ifdef HAVE_ED448 + case 57: return GNUTLS_ECC_CURVE_ED448; +#endif + case 64: return GNUTLS_ECC_CURVE_SECP256R1; + case 96: return GNUTLS_ECC_CURVE_SECP384R1; + default: return GNUTLS_ECC_CURVE_INVALID; + } +} + +static void ecdsa_extract_public_params(dnssec_key_t *key, gnutls_ecc_curve_t *curve, + gnutls_datum_t *x, gnutls_datum_t *y) +{ + dnssec_binary_t pubkey = { 0 }; + dnssec_key_get_pubkey(key, &pubkey); + + *curve = choose_ecdsa_curve(pubkey.size); + + size_t param_size = pubkey.size / 2; + x->data = pubkey.data; + x->size = param_size; + y->data = pubkey.data + param_size; + y->size = param_size; +} + +static int ecdsa_params_to_pem(dnssec_key_t *dnskey, const bind_privkey_t *params, + dnssec_binary_t *pem) +{ + _cleanup_x509_privkey_ gnutls_x509_privkey_t key = NULL; + int result = gnutls_x509_privkey_init(&key); + if (result != GNUTLS_E_SUCCESS) { + return DNSSEC_ENOMEM; + } + + gnutls_ecc_curve_t curve = 0; + gnutls_datum_t x = { 0 }; + gnutls_datum_t y = { 0 }; + ecdsa_extract_public_params(dnskey, &curve, &x, &y); + + gnutls_datum_t k = binary_to_datum(¶ms->private_key); + + result = gnutls_x509_privkey_import_ecc_raw(key, curve, &x, &y, &k); + if (result != DNSSEC_EOK) { + return DNSSEC_KEY_IMPORT_ERROR; + } + + gnutls_x509_privkey_fix(key); + + return dnssec_pem_from_x509(key, pem); +} + +#if defined(HAVE_ED25519) || defined(HAVE_ED448) +static void eddsa_extract_public_params(dnssec_key_t *key, gnutls_ecc_curve_t *curve, + gnutls_datum_t *x) +{ + dnssec_binary_t pubkey = { 0 }; + dnssec_key_get_pubkey(key, &pubkey); + + *curve = choose_ecdsa_curve(pubkey.size); + + x->data = pubkey.data; + x->size = pubkey.size; +} + +static int eddsa_params_to_pem(dnssec_key_t *dnskey, const bind_privkey_t *params, + dnssec_binary_t *pem) +{ + _cleanup_x509_privkey_ gnutls_x509_privkey_t key = NULL; + int result = gnutls_x509_privkey_init(&key); + if (result != GNUTLS_E_SUCCESS) { + return DNSSEC_ENOMEM; + } + + gnutls_ecc_curve_t curve = 0; + gnutls_datum_t x = { 0 }; + eddsa_extract_public_params(dnskey, &curve, &x); + + gnutls_datum_t k = binary_to_datum(¶ms->private_key); + + result = gnutls_x509_privkey_import_ecc_raw(key, curve, &x, NULL, &k); + if (result != DNSSEC_EOK) { + return DNSSEC_KEY_IMPORT_ERROR; + } + + gnutls_x509_privkey_fix(key); + + return dnssec_pem_from_x509(key, pem); +} +#endif + +int bind_privkey_to_pem(dnssec_key_t *key, bind_privkey_t *params, dnssec_binary_t *pem) +{ + dnssec_key_algorithm_t algorithm = dnssec_key_get_algorithm(key); + switch (algorithm) { + case DNSSEC_KEY_ALGORITHM_RSA_SHA1: + case DNSSEC_KEY_ALGORITHM_RSA_SHA1_NSEC3: + case DNSSEC_KEY_ALGORITHM_RSA_SHA256: + case DNSSEC_KEY_ALGORITHM_RSA_SHA512: + return rsa_params_to_pem(params, pem); + case DNSSEC_KEY_ALGORITHM_ECDSA_P256_SHA256: + case DNSSEC_KEY_ALGORITHM_ECDSA_P384_SHA384: + return ecdsa_params_to_pem(key, params, pem); +#ifdef HAVE_ED25519 + case DNSSEC_KEY_ALGORITHM_ED25519: +#endif +#ifdef HAVE_ED448 + case DNSSEC_KEY_ALGORITHM_ED448: +#endif +#if defined(HAVE_ED25519) || defined(HAVE_ED448) + return eddsa_params_to_pem(key, params, pem); +#endif + default: + return DNSSEC_INVALID_KEY_ALGORITHM; + } +} + +void bind_privkey_to_timing(bind_privkey_t *params, knot_kasp_key_timing_t *timing) +{ + // timing->created remains "now" + timing->publish = (knot_time_t)params->time_publish; + timing->ready = 0; + timing->active = (knot_time_t)params->time_activate; + timing->retire = (knot_time_t)params->time_inactive; + timing->revoke = (knot_time_t)params->time_revoke; + timing->remove = (knot_time_t)params->time_delete; +} diff --git a/src/utils/keymgr/bind_privkey.h b/src/utils/keymgr/bind_privkey.h new file mode 100644 index 0000000..cdb4924 --- /dev/null +++ b/src/utils/keymgr/bind_privkey.h @@ -0,0 +1,72 @@ +/* Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#pragma once + +#include <stdint.h> +#include <time.h> + +#include "libdnssec/binary.h" +#include "knot/dnssec/kasp/policy.h" + +/*! + * Legacy private key parameters. + */ +typedef struct { + // key information + uint8_t algorithm; + + // RSA + dnssec_binary_t modulus; + dnssec_binary_t public_exponent; + dnssec_binary_t private_exponent; + dnssec_binary_t prime_one; + dnssec_binary_t prime_two; + dnssec_binary_t exponent_one; + dnssec_binary_t exponent_two; + dnssec_binary_t coefficient; + + // ECDSA + dnssec_binary_t private_key; + + // key lifetime + time_t time_created; + time_t time_publish; + time_t time_activate; + time_t time_revoke; + time_t time_inactive; + time_t time_delete; +} bind_privkey_t; + +/*! + * Extract parameters from legacy private key file. + */ +int bind_privkey_parse(const char *filename, bind_privkey_t *params); + +/*! + * Free private key parameters. + */ +void bind_privkey_free(bind_privkey_t *params); + +/*! + * Generate PEM from pub&priv key. + */ +int bind_privkey_to_pem(dnssec_key_t *key, bind_privkey_t *params, dnssec_binary_t *pem); + +/*! + * Extract timing info. + */ +void bind_privkey_to_timing(bind_privkey_t *params, knot_kasp_key_timing_t *timing); diff --git a/src/utils/keymgr/functions.c b/src/utils/keymgr/functions.c new file mode 100644 index 0000000..0a5bbb4 --- /dev/null +++ b/src/utils/keymgr/functions.c @@ -0,0 +1,951 @@ +/* Copyright (C) 2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#include <limits.h> +#include <string.h> +#include <strings.h> +#include <time.h> +#include <fcntl.h> + +#include "utils/keymgr/functions.h" +#include "utils/keymgr/bind_privkey.h" +#include "contrib/base64.h" +#include "contrib/ctype.h" +#include "contrib/string.h" +#include "contrib/strtonum.h" +#include "contrib/tolower.h" +#include "contrib/wire_ctx.h" +#include "libdnssec/error.h" +#include "libdnssec/keyid.h" +#include "libdnssec/shared/shared.h" +#include "knot/dnssec/kasp/policy.h" +#include "knot/dnssec/key-events.h" +#include "knot/dnssec/rrset-sign.h" +#include "knot/dnssec/zone-events.h" +#include "knot/dnssec/zone-keys.h" +#include "knot/dnssec/zone-sign.h" +#include "libzscanner/scanner.h" + +int parse_timestamp(char *arg, knot_time_t *stamp) +{ + int ret = knot_time_parse("YMDhms|'now'+-#u|'t'+-#u|+-#u|'t'+-#|+-#|#", + arg, stamp); + if (ret < 0) { + ERROR("invalid timestamp: %s\n", arg); + return KNOT_EINVAL; + } + return KNOT_EOK; +} + +static bool init_timestamps(char *arg, knot_kasp_key_timing_t *timing) +{ + knot_time_t *dst = NULL; + + if (strncasecmp(arg, "created=", 8) == 0) { + dst = &timing->created; + } else if (strncasecmp(arg, "publish=", 8) == 0) { + dst = &timing->publish; + } else if (strncasecmp(arg, "ready=", 6) == 0) { + dst = &timing->ready; + } else if (strncasecmp(arg, "active=", 7) == 0) { + dst = &timing->active; + } else if (strncasecmp(arg, "retire=", 7) == 0) { + dst = &timing->retire; + } else if (strncasecmp(arg, "remove=", 7) == 0) { + dst = &timing->remove; + } else if (strncasecmp(arg, "pre_active=", 11) == 0) { + dst = &timing->pre_active; + } else if (strncasecmp(arg, "post_active=", 12) == 0) { + dst = &timing->post_active; + } else if (strncasecmp(arg, "retire_active=", 14) == 0) { + dst = &timing->retire_active; + } else if (strncasecmp(arg, "revoke=", 7) == 0) { + dst = &timing->revoke; + } else { + return false; + } + + knot_time_t stamp; + int ret = parse_timestamp(strchr(arg, '=') + 1, &stamp); + if (ret != KNOT_EOK) { + return true; + } + + *dst = stamp; + + return true; +} + +static bool str2bool(const char *s) +{ + switch (knot_tolower(s[0])) { + case '1': + case 'y': + case 't': + return true; + default: + return false; + } +} + +static void bitmap_set(kdnssec_generate_flags_t *bitmap, int flag, bool onoff) +{ + if (onoff) { + *bitmap |= flag; + } else { + *bitmap &= ~flag; + } +} + +static bool genkeyargs(int argc, char *argv[], bool just_timing, + kdnssec_generate_flags_t *flags, dnssec_key_algorithm_t *algorithm, + uint16_t *keysize, knot_kasp_key_timing_t *timing, + const char **addtopolicy) +{ + // generate algorithms field + char *algnames[256] = { 0 }; + algnames[DNSSEC_KEY_ALGORITHM_RSA_SHA1] = "rsasha1"; + algnames[DNSSEC_KEY_ALGORITHM_RSA_SHA1_NSEC3] = "rsasha1nsec3sha1"; + algnames[DNSSEC_KEY_ALGORITHM_RSA_SHA256] = "rsasha256"; + algnames[DNSSEC_KEY_ALGORITHM_RSA_SHA512] = "rsasha512"; + algnames[DNSSEC_KEY_ALGORITHM_ECDSA_P256_SHA256] = "ecdsap256sha256"; + algnames[DNSSEC_KEY_ALGORITHM_ECDSA_P384_SHA384] = "ecdsap384sha384"; + algnames[DNSSEC_KEY_ALGORITHM_ED25519] = "ed25519"; + + // parse args + for (int i = 0; i < argc; i++) { + if (!just_timing && strncasecmp(argv[i], "algorithm=", 10) == 0) { + int alg = 256; // invalid value + (void)str_to_int(argv[i] + 10, &alg, 0, 255); + for (int al = 0; al < 256 && alg > 255; al++) { + if (algnames[al] != NULL && + strcasecmp(argv[i] + 10, algnames[al]) == 0) { + alg = al; + } + } + if (alg > 255) { + ERROR("unknown algorithm: %s\n", argv[i] + 10); + return false; + } + *algorithm = alg; + } else if (strncasecmp(argv[i], "ksk=", 4) == 0) { + bitmap_set(flags, DNSKEY_GENERATE_KSK, str2bool(argv[i] + 4)); + } else if (strncasecmp(argv[i], "zsk=", 4) == 0) { + bitmap_set(flags, DNSKEY_GENERATE_ZSK, str2bool(argv[i] + 4)); + } else if (strncasecmp(argv[i], "sep=", 4) == 0) { + bitmap_set(flags, DNSKEY_GENERATE_SEP_SPEC, true); + bitmap_set(flags, DNSKEY_GENERATE_SEP_ON, str2bool(argv[i] + 4)); + } else if (!just_timing && strncasecmp(argv[i], "size=", 5) == 0) { + if (str_to_u16(argv[i] + 5, keysize) != KNOT_EOK) { + ERROR("invalid size: '%s'\n", argv[i] + 5); + return false; + } + } else if (!just_timing && strncasecmp(argv[i], "addtopolicy=", 12) == 0) { + *addtopolicy = argv[i] + 12; + } else if (!init_timestamps(argv[i], timing)) { + ERROR("invalid parameter: %s\n", argv[i]); + return false; + } + } + + return true; +} + +static bool _check_lower(knot_time_t a, knot_time_t b, + const char *a_name, const char *b_name) +{ + if (knot_time_cmp(a, b) > 0) { + ERROR("semantic error: expected '%s' before '%s'\n", a_name, b_name); + return false; + } + return true; +} + +#define check_lower(t, a, b) if (!_check_lower(t->a, t->b, #a, #b)) return KNOT_ESEMCHECK + +static int check_timers(const knot_kasp_key_timing_t *t) +{ + if (t->pre_active != 0) { + check_lower(t, pre_active, publish); + } + check_lower(t, publish, active); + check_lower(t, active, retire_active); + check_lower(t, active, retire); + check_lower(t, active, post_active); + if (t->post_active == 0) { + check_lower(t, retire, remove); + } + return KNOT_EOK; +} + +#undef check_lower + +// modifies ctx->policy options, so don't do anything afterwards ! +int keymgr_generate_key(kdnssec_ctx_t *ctx, int argc, char *argv[]) +{ + knot_time_t now = knot_time(), infty = 0; + knot_kasp_key_timing_t gen_timing = { now, infty, now, infty, now, infty, infty, infty, infty }; + kdnssec_generate_flags_t flags = 0; + uint16_t keysize = 0; + const char *addtopolicy = NULL; + if (!genkeyargs(argc, argv, false, &flags, &ctx->policy->algorithm, + &keysize, &gen_timing, &addtopolicy)) { + return KNOT_EINVAL; + } + + int ret = check_timers(&gen_timing); + if (ret != KNOT_EOK) { + return ret; + } + + if ((flags & DNSKEY_GENERATE_KSK) && gen_timing.ready == infty) { + gen_timing.ready = gen_timing.active; + } + + if (keysize > 0) { + if ((flags & DNSKEY_GENERATE_KSK)) { + ctx->policy->ksk_size = keysize; + } else { + ctx->policy->zsk_size = keysize; + } + } + + for (size_t i = 0; i < ctx->zone->num_keys; i++) { + knot_kasp_key_t *kasp_key = &ctx->zone->keys[i]; + if ((kasp_key->is_ksk && (flags & DNSKEY_GENERATE_KSK)) && + dnssec_key_get_algorithm(kasp_key->key) != ctx->policy->algorithm) { + printf("warning: creating key with different algorithm than " + "configured in the policy\n"); + break; + } + } + + knot_kasp_key_t *key = NULL; + ret = kdnssec_generate_key(ctx, flags, &key); + if (ret != KNOT_EOK) { + return ret; + } + + key->timing = gen_timing; + + if (addtopolicy != NULL) { + char *last_policy_last = NULL; + + knot_dname_t *unused = NULL; + ret = kasp_db_get_policy_last(ctx->kasp_db, addtopolicy, &unused, + &last_policy_last); + knot_dname_free(unused, NULL); + if (ret != KNOT_EOK && ret != KNOT_ENOENT) { + return ret; + } + + ret = kasp_db_set_policy_last(ctx->kasp_db, addtopolicy, last_policy_last, + ctx->zone->dname, key->id); + free(last_policy_last); + if (ret != KNOT_EOK) { + return ret; + } + } + + ret = kdnssec_ctx_commit(ctx); + + if (ret == KNOT_EOK) { + printf("%s\n", key->id); + } + + return ret; +} + +static void parse_record(zs_scanner_t *scanner) +{ + dnssec_key_t *key = scanner->process.data; + + if (dnssec_key_get_dname(key) != NULL || + scanner->r_type != KNOT_RRTYPE_DNSKEY) { + scanner->state = ZS_STATE_STOP; + return; + } + + dnssec_binary_t rdata = { + .data = scanner->r_data, + .size = scanner->r_data_length + }; + dnssec_key_set_dname(key, scanner->dname); + dnssec_key_set_rdata(key, &rdata); +} + +int bind_pubkey_parse(const char *filename, dnssec_key_t **key_ptr) +{ + dnssec_key_t *key = NULL; + int result = dnssec_key_new(&key); + if (result != DNSSEC_EOK) { + return KNOT_ENOMEM; + } + + uint16_t cls = KNOT_CLASS_IN; + uint32_t ttl = 0; + zs_scanner_t *scanner = malloc(sizeof(zs_scanner_t)); + if (scanner == NULL) { + dnssec_key_free(key); + return KNOT_ENOMEM; + } + + if (zs_init(scanner, ".", cls, ttl) != 0 || + zs_set_input_file(scanner, filename) != 0 || + zs_set_processing(scanner, parse_record, NULL, key) != 0 || + zs_parse_all(scanner) != 0) { + int ret; + switch (scanner->error.code) { + case ZS_FILE_OPEN: + case ZS_FILE_INVALID: + ret = KNOT_EFILE; + break; + default: + ret = KNOT_EPARSEFAIL; + } + zs_deinit(scanner); + free(scanner); + dnssec_key_free(key); + return ret; + } + zs_deinit(scanner); + free(scanner); + + if (dnssec_key_get_dname(key) == NULL) { + dnssec_key_free(key); + return KNOT_INVALID_PUBLIC_KEY; + } + + *key_ptr = key; + return KNOT_EOK; +} + +static char *gen_keyfilename(const char *orig, const char *wantsuff, const char *altsuff) +{ + assert(orig && wantsuff && altsuff); + + const char *dot = strrchr(orig, '.'); + + if (dot != NULL && strcmp(dot, wantsuff) == 0) { // Full match. + return strdup(orig); + } else if (dot != NULL && strcmp(dot, altsuff) == 0) { // Replace suffix. + return sprintf_alloc("%.*s%s", (int)(dot - orig), orig, wantsuff); + } else { // Add wanted suffix. + return sprintf_alloc("%s%s", orig, wantsuff); + } +} + +int keymgr_import_bind(kdnssec_ctx_t *ctx, const char *import_file, bool pub_only) +{ + if (ctx == NULL || import_file == NULL) { + return KNOT_EINVAL; + } + + knot_kasp_key_timing_t timing = { ctx->now, 0 }; + dnssec_key_t *key = NULL; + char *keyid = NULL; + + char *pubname = gen_keyfilename(import_file, ".key", ".private"); + if (pubname == NULL) { + return KNOT_EINVAL; + } + + int ret = bind_pubkey_parse(pubname, &key); + free(pubname); + if (ret != KNOT_EOK) { + goto fail; + } + + if (!pub_only) { + bind_privkey_t bpriv = { 0 }; + + char *privname = gen_keyfilename(import_file, ".private", ".key"); + if (privname == NULL) { + goto fail; + } + + ret = bind_privkey_parse(privname, &bpriv); + free(privname); + if (ret != DNSSEC_EOK) { + goto fail; + } + + dnssec_binary_t pem = { 0 }; + ret = bind_privkey_to_pem(key, &bpriv, &pem); + if (ret != DNSSEC_EOK) { + bind_privkey_free(&bpriv); + goto fail; + } + + bind_privkey_to_timing(&bpriv, &timing); + + bind_privkey_free(&bpriv); + + ret = dnssec_keystore_import(ctx->keystore, &pem, &keyid); + dnssec_binary_free(&pem); + if (ret != DNSSEC_EOK) { + goto fail; + } + } else { + timing.publish = ctx->now; + + ret = dnssec_key_get_keyid(key, &keyid); + if (ret != DNSSEC_EOK) { + goto fail; + } + } + + // allocate kasp key + knot_kasp_key_t *kkey = calloc(1, sizeof(*kkey)); + if (!kkey) { + ret = KNOT_ENOMEM; + goto fail; + } + + kkey->id = keyid; + kkey->key = key; + kkey->timing = timing; + kkey->is_pub_only = pub_only; + kkey->is_ksk = (dnssec_key_get_flags(kkey->key) == DNSKEY_FLAGS_KSK); + kkey->is_zsk = !kkey->is_ksk; + + // append to zone + ret = kasp_zone_append(ctx->zone, kkey); + free(kkey); + if (ret != KNOT_EOK) { + goto fail; + } + ret = kdnssec_ctx_commit(ctx); + if (ret == KNOT_EOK) { + printf("%s\n", keyid); + return KNOT_EOK; + } +fail: + dnssec_key_free(key); + free(keyid); + return knot_error_from_libdnssec(ret); +} + +static int import_key(kdnssec_ctx_t *ctx, unsigned backend, const char *param, + int argc, char *argv[]) +{ + if (ctx == NULL || param == NULL) { + return KNOT_EINVAL; + } + + // parse params + knot_time_t now = knot_time(); + knot_kasp_key_timing_t timing = { .publish = now, .active = now }; + kdnssec_generate_flags_t flags = 0; + uint16_t keysize = 0; + if (!genkeyargs(argc, argv, false, &flags, &ctx->policy->algorithm, + &keysize, &timing, NULL)) { + return KNOT_EINVAL; + } + + int ret = check_timers(&timing); + if (ret != KNOT_EOK) { + return ret; + } + + normalize_generate_flags(&flags); + + dnssec_key_t *key = NULL; + char *keyid = NULL; + + if (backend == KEYSTORE_BACKEND_PEM) { + // open file + int fd = open(param, O_RDONLY, 0); + if (fd == -1) { + return knot_map_errno(); + } + + // determine size + off_t fsize = lseek(fd, 0, SEEK_END); + if (fsize == -1) { + close(fd); + return knot_map_errno(); + } + if (lseek(fd, 0, SEEK_SET) == -1) { + close(fd); + return knot_map_errno(); + } + + // alloc memory + dnssec_binary_t pem = { 0 }; + ret = dnssec_binary_alloc(&pem, fsize); + if (ret != DNSSEC_EOK) { + close(fd); + goto fail; + } + + // read pem + ssize_t read_count = read(fd, pem.data, pem.size); + close(fd); + if (read_count == -1) { + dnssec_binary_free(&pem); + ret = knot_map_errno(); + goto fail; + } + + // put pem to kesytore + ret = dnssec_keystore_import(ctx->keystore, &pem, &keyid); + dnssec_binary_free(&pem); + if (ret != DNSSEC_EOK) { + goto fail; + } + } else { + assert(backend == KEYSTORE_BACKEND_PKCS11); + keyid = strdup(param); + } + + // create dnssec key + ret = dnssec_key_new(&key); + if (ret != DNSSEC_EOK) { + goto fail; + } + ret = dnssec_key_set_dname(key, ctx->zone->dname); + if (ret != DNSSEC_EOK) { + goto fail; + } + dnssec_key_set_flags(key, dnskey_flags(flags & DNSKEY_GENERATE_SEP_ON)); + dnssec_key_set_algorithm(key, ctx->policy->algorithm); + + // fill key structure from keystore (incl. pubkey from privkey computation) + ret = dnssec_keystore_get_private(ctx->keystore, keyid, key); + if (ret != DNSSEC_EOK) { + goto fail; + } + + // allocate kasp key + knot_kasp_key_t *kkey = calloc(1, sizeof(*kkey)); + if (kkey == NULL) { + ret = KNOT_ENOMEM; + goto fail; + } + kkey->id = keyid; + kkey->key = key; + kkey->timing = timing; + kkey->is_ksk = (flags & DNSKEY_GENERATE_KSK); + kkey->is_zsk = (flags & DNSKEY_GENERATE_ZSK); + + // append to zone + ret = kasp_zone_append(ctx->zone, kkey); + free(kkey); + if (ret != KNOT_EOK) { + goto fail; + } + ret = kdnssec_ctx_commit(ctx); + if (ret == KNOT_EOK) { + printf("%s\n", keyid); + return KNOT_EOK; + } +fail: + dnssec_key_free(key); + free(keyid); + return knot_error_from_libdnssec(ret); +} + +int keymgr_import_pem(kdnssec_ctx_t *ctx, const char *import_file, int argc, char *argv[]) +{ + return import_key(ctx, KEYSTORE_BACKEND_PEM, import_file, argc, argv); +} + +int keymgr_import_pkcs11(kdnssec_ctx_t *ctx, char *key_id, int argc, char *argv[]) +{ + if (!dnssec_keyid_is_valid(key_id)) { + return DNSSEC_INVALID_KEY_ID; + } + dnssec_keyid_normalize(key_id); + return import_key(ctx, KEYSTORE_BACKEND_PKCS11, key_id, argc, argv); +} + +int keymgr_nsec3_salt_print(kdnssec_ctx_t *ctx) +{ + dnssec_binary_t salt_bin; + knot_time_t created; + int ret = kasp_db_load_nsec3salt(ctx->kasp_db, ctx->zone->dname, + &salt_bin, &created); + switch (ret) { + case KNOT_EOK: + printf("Current salt: "); + if (salt_bin.size == 0) { + printf("-"); + } + for (size_t i = 0; i < salt_bin.size; i++) { + printf("%02X", (unsigned)salt_bin.data[i]); + } + printf("\n"); + free(salt_bin.data); + break; + case KNOT_ENOENT: + printf("-- no salt --\n"); + ret = KNOT_EOK; + break; + } + return ret; +} + +int keymgr_nsec3_salt_set(kdnssec_ctx_t *ctx, const char *new_salt) +{ + assert(new_salt); + + dnssec_binary_t salt_bin = { 0 }; + if (strcmp(new_salt, "-") != 0) { + salt_bin.data = hex_to_bin(new_salt, &salt_bin.size); + if (salt_bin.data == NULL) { + return KNOT_EMALF; + } + } + if (salt_bin.size != ctx->policy->nsec3_salt_length) { + printf("Warning: specified salt doesn't match configured " + "salt length (%d).\n", + (int)ctx->policy->nsec3_salt_length); + } + int ret = kasp_db_store_nsec3salt(ctx->kasp_db, ctx->zone->dname, + &salt_bin, knot_time()); + if (salt_bin.size > 0) { + free(salt_bin.data); + } + return ret; +} + +int keymgr_serial_print(kdnssec_ctx_t *ctx) +{ + uint32_t serial = 0; + int ret = kasp_db_load_serial(ctx->kasp_db, ctx->zone->dname, + KASPDB_SERIAL_LASTSIGNED, &serial); + switch (ret) { + case KNOT_EOK: + printf("Current serial: %u\n", serial); + break; + case KNOT_ENOENT: + printf("-- no serial --\n"); + ret = KNOT_EOK; + break; + } + return ret; +} + +int keymgr_serial_set(kdnssec_ctx_t *ctx, uint32_t new_serial) +{ + return kasp_db_store_serial(ctx->kasp_db, ctx->zone->dname, + KASPDB_SERIAL_LASTSIGNED, new_serial); +} + +static void print_tsig(dnssec_tsig_algorithm_t mac, const char *name, + const dnssec_binary_t *secret) +{ + assert(name); + assert(secret); + + const char *mac_name = dnssec_tsig_algorithm_to_name(mac); + assert(mac_name); + + // client format (as a comment) + printf("# %s:%s:%.*s\n", mac_name, name, (int)secret->size, secret->data); + + // server format + printf("key:\n"); + printf(" - id: %s\n", name); + printf(" algorithm: %s\n", mac_name); + printf(" secret: %.*s\n", (int)secret->size, secret->data); +} + +int keymgr_generate_tsig(const char *tsig_name, const char *alg_name, int bits) +{ + dnssec_tsig_algorithm_t alg = dnssec_tsig_algorithm_from_name(alg_name); + if (alg == DNSSEC_TSIG_UNKNOWN) { + return KNOT_INVALID_KEY_ALGORITHM; + } + + int optimal_bits = dnssec_tsig_optimal_key_size(alg); + if (bits == 0) { + bits = optimal_bits; // TODO review + } + + // round up bits to bytes + bits = (bits + CHAR_BIT - 1) / CHAR_BIT * CHAR_BIT; + + if (bits != optimal_bits) { + printf("Notice: Optimal key size for %s is %d bits.", + dnssec_tsig_algorithm_to_name(alg), optimal_bits); + } + assert(bits % CHAR_BIT == 0); + + _cleanup_binary_ dnssec_binary_t key = { 0 }; + int r = dnssec_binary_alloc(&key, bits / CHAR_BIT); + if (r != DNSSEC_EOK) { + ERROR("failed to allocate memory\n"); + return knot_error_from_libdnssec(r); + } + + r = gnutls_rnd(GNUTLS_RND_KEY, key.data, key.size); + if (r != 0) { + ERROR("failed to generate secret the key\n"); + return knot_error_from_libdnssec(r); + } + + _cleanup_binary_ dnssec_binary_t key_b64 = { 0 }; + r = dnssec_binary_to_base64(&key, &key_b64); + if (r != DNSSEC_EOK) { + ERROR("failed to convert the key to Base64\n"); + return knot_error_from_libdnssec(r); + } + + print_tsig(alg, tsig_name, &key_b64); + + return KNOT_EOK; +} + +static bool is_hex(const char *string) +{ + for (const char *p = string; *p != '\0'; p++) { + if (!is_xdigit(*p)) { + return false; + } + } + return (*string != '\0'); +} + +int keymgr_get_key(kdnssec_ctx_t *ctx, const char *key_spec, knot_kasp_key_t **key) +{ + // Check if type of key spec is prescribed. + bool is_keytag = false, is_id = false; + if (strncasecmp(key_spec, "keytag=", 7) == 0) { + key_spec += 7; + is_keytag = true; + } else if (strncasecmp(key_spec, "id=", 3) == 0) { + key_spec += 3; + is_id = true; + } + + uint16_t keytag = 0; + bool can_be_keytag = (str_to_u16(key_spec, &keytag) == KNOT_EOK); + long spec_len = strlen(key_spec); + + // Check if input is a valid key spec. + if ((is_keytag && !can_be_keytag) || + (is_id && !is_hex(key_spec)) || + (!can_be_keytag && !is_hex(key_spec))) { + ERROR("invalid key specification\n"); + return KNOT_EINVAL; + } + + *key = NULL; + for (size_t i = 0; i < ctx->zone->num_keys; i++) { + knot_kasp_key_t *candidate = &ctx->zone->keys[i]; + + bool keyid_match = strncmp(candidate->id, key_spec, spec_len) == 0; // May be just a prefix. + bool keytag_match = can_be_keytag && + dnssec_key_get_keytag(candidate->key) == keytag; + + // Terminate if found exact key ID match. + if (keyid_match && !is_keytag && strlen(candidate->id) == spec_len) { + *key = candidate; + break; + } + // Check for key ID prefix or tag match. + if ((is_keytag && keytag_match) || // Tag is prescribed. + (is_id && keyid_match) || // Key ID is prescribed. + ((!is_keytag && !is_id) && (keyid_match || keytag_match))) { // Nothing is prescribed. + if (*key == NULL) { + *key = candidate; + } else { + ERROR("key is not specified uniquely. Please use id=Full_Key_ID\n"); + return KNOT_EINVAL; + } + } + } + if (*key == NULL) { + ERROR("key not found\n"); + return KNOT_ENOENT; + } + return KNOT_EOK; +} + +int keymgr_foreign_key_id(char *argv[], knot_lmdb_db_t *kaspdb, knot_dname_t **key_zone, char **key_id) +{ + *key_zone = knot_dname_from_str_alloc(argv[3]); + if (*key_zone == NULL) { + return KNOT_ENOMEM; + } + knot_dname_to_lower(*key_zone); + + kdnssec_ctx_t kctx = { 0 }; + int ret = kdnssec_ctx_init(conf(), &kctx, *key_zone, kaspdb, NULL); + if (ret != KNOT_EOK) { + ERROR("failed to initialize zone %s (%s)\n", argv[0], knot_strerror(ret)); + free(*key_zone); + *key_zone = NULL; + return KNOT_ENOZONE; + } + knot_kasp_key_t *key; + ret = keymgr_get_key(&kctx, argv[2], &key); + if (ret == KNOT_EOK) { + *key_id = strdup(key->id); + if (*key_id == NULL) { + ret = KNOT_ENOMEM; + } + } + kdnssec_ctx_deinit(&kctx); + return ret; +} + +int keymgr_set_timing(knot_kasp_key_t *key, int argc, char *argv[]) +{ + knot_kasp_key_timing_t temp = key->timing; + kdnssec_generate_flags_t flags = ((key->is_ksk ? DNSKEY_GENERATE_KSK : 0) | (key->is_zsk ? DNSKEY_GENERATE_ZSK : 0)); + + if (genkeyargs(argc, argv, true, &flags, NULL, NULL, &temp, NULL)) { + int ret = check_timers(&temp); + if (ret != KNOT_EOK) { + return ret; + } + key->timing = temp; + if (key->is_ksk != (bool)(flags & DNSKEY_GENERATE_KSK) || + key->is_zsk != (bool)(flags & DNSKEY_GENERATE_ZSK) || + flags & DNSKEY_GENERATE_SEP_SPEC) { + normalize_generate_flags(&flags); + key->is_ksk = (flags & DNSKEY_GENERATE_KSK); + key->is_zsk = (flags & DNSKEY_GENERATE_ZSK); + return dnssec_key_set_flags(key->key, dnskey_flags(flags & DNSKEY_GENERATE_SEP_ON)); + } + return KNOT_EOK; + } + return KNOT_EINVAL; +} + +static void print_timer(const char *name, knot_time_t t, knot_time_print_t format, + char separator) +{ + static char buff[100]; + if (knot_time_print(format, t, buff, sizeof(buff)) < 0) { + printf("%s=(error)%c", name, separator); // shall not happen + } else { + printf("%s=%s%c", name, buff, separator); + } +} + +int keymgr_list_keys(kdnssec_ctx_t *ctx, knot_time_print_t format) +{ + for (size_t i = 0; i < ctx->zone->num_keys; i++) { + knot_kasp_key_t *key = &ctx->zone->keys[i]; + printf("%s ksk=%s zsk=%s tag=%05d algorithm=%-2d size=%-4u public-only=%s ", key->id, + (key->is_ksk ? "yes" : "no "), (key->is_zsk ? "yes" : "no "), + dnssec_key_get_keytag(key->key), (int)dnssec_key_get_algorithm(key->key), + dnssec_key_get_size(key->key), (key->is_pub_only ? "yes" : "no ")); + print_timer("pre-active", key->timing.pre_active, format, ' '); + print_timer("publish", key->timing.publish, format, ' '); + print_timer("ready", key->timing.ready, format, ' '); + print_timer("active", key->timing.active, format, ' '); + print_timer("retire-active", key->timing.retire_active, format, ' '); + print_timer("retire", key->timing.retire, format, ' '); + print_timer("post-active", key->timing.post_active, format, ' '); + print_timer("revoke", key->timing.revoke, format, ' '); + print_timer("remove", key->timing.remove, format, '\n'); + } + return KNOT_EOK; +} + +static int print_ds(const knot_dname_t *dname, const dnssec_binary_t *rdata) +{ + wire_ctx_t ctx = wire_ctx_init(rdata->data, rdata->size); + if (wire_ctx_available(&ctx) < 4) { + return KNOT_EMALF; + } + + char *name = knot_dname_to_str_alloc(dname); + if (!name) { + return KNOT_ENOMEM; + } + + uint16_t keytag = wire_ctx_read_u16(&ctx); + uint8_t algorithm = wire_ctx_read_u8(&ctx); + uint8_t digest_type = wire_ctx_read_u8(&ctx); + + size_t digest_size = wire_ctx_available(&ctx); + + printf("%s DS %d %d %d ", name, keytag, algorithm, digest_type); + for (size_t i = 0; i < digest_size; i++) { + printf("%02x", ctx.position[i]); + } + printf("\n"); + + free(name); + return KNOT_EOK; +} + +static int create_and_print_ds(const knot_dname_t *zone_name, + const dnssec_key_t *key, dnssec_key_digest_t digest) +{ + _cleanup_binary_ dnssec_binary_t rdata = { 0 }; + int r = dnssec_key_create_ds(key, digest, &rdata); + if (r != DNSSEC_EOK) { + return knot_error_from_libdnssec(r); + } + + return print_ds(zone_name, &rdata); +} + +int keymgr_generate_ds(const knot_dname_t *dname, const knot_kasp_key_t *key) +{ + static const dnssec_key_digest_t digests[] = { + DNSSEC_KEY_DIGEST_SHA256, + DNSSEC_KEY_DIGEST_SHA384, + 0 + }; + + int ret = KNOT_EOK; + for (int i = 0; digests[i] != 0 && ret == KNOT_EOK; i++) { + ret = create_and_print_ds(dname, key->key, digests[i]); + } + + return ret; +} + +int keymgr_generate_dnskey(const knot_dname_t *dname, const knot_kasp_key_t *key) +{ + const dnssec_key_t *dnskey = key->key; + + char *name = knot_dname_to_str_alloc(dname); + if (!name) { + return KNOT_ENOMEM; + } + + uint16_t flags = dnssec_key_get_flags(dnskey); + uint8_t algorithm = dnssec_key_get_algorithm(dnskey); + + dnssec_binary_t pubkey = { 0 }; + int ret = dnssec_key_get_pubkey(dnskey, &pubkey); + if (ret != DNSSEC_EOK) { + free(name); + return knot_error_from_libdnssec(ret); + } + + uint8_t *base64_output = NULL; + int len = knot_base64_encode_alloc(pubkey.data, pubkey.size, &base64_output); + if (len < 0) { + free(name); + return len; + } + + printf("%s DNSKEY %u 3 %u %.*s\n", name, flags, algorithm, len, base64_output); + + free(base64_output); + free(name); + return KNOT_EOK; +} diff --git a/src/utils/keymgr/functions.h b/src/utils/keymgr/functions.h new file mode 100644 index 0000000..9a46140 --- /dev/null +++ b/src/utils/keymgr/functions.h @@ -0,0 +1,55 @@ +/* Copyright (C) 2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#pragma once + +#include <stdio.h> + +#include "knot/dnssec/context.h" + +#define ERROR(msg, ...) { fprintf(stderr, "Error: " msg, ##__VA_ARGS__); fflush(stderr); } + +int parse_timestamp(char *arg, knot_time_t *stamp); + +int keymgr_generate_key(kdnssec_ctx_t *ctx, int argc, char *argv[]); + +int keymgr_import_bind(kdnssec_ctx_t *ctx, const char *import_file, bool pub_only); + +int keymgr_import_pem(kdnssec_ctx_t *ctx, const char *import_file, int argc, char *argv[]); + +int keymgr_import_pkcs11(kdnssec_ctx_t *ctx, char *key_id, int argc, char *argv[]); + +int keymgr_nsec3_salt_print(kdnssec_ctx_t *ctx); + +int keymgr_nsec3_salt_set(kdnssec_ctx_t *ctx, const char *new_salt); + +int keymgr_serial_print(kdnssec_ctx_t *ctx); + +int keymgr_serial_set(kdnssec_ctx_t *ctx, uint32_t new_serial); + +int keymgr_generate_tsig(const char *tsig_name, const char *alg_name, int bits); + +int keymgr_get_key(kdnssec_ctx_t *ctx, const char *key_spec, knot_kasp_key_t **key); + +int keymgr_foreign_key_id(char *argv[], knot_lmdb_db_t *kaspdb, knot_dname_t **key_zone, char **key_id); + +int keymgr_set_timing(knot_kasp_key_t *key, int argc, char *argv[]); + +int keymgr_list_keys(kdnssec_ctx_t *ctx, knot_time_print_t format); + +int keymgr_generate_ds(const knot_dname_t *dname, const knot_kasp_key_t *key); + +int keymgr_generate_dnskey(const knot_dname_t *dname, const knot_kasp_key_t *key); diff --git a/src/utils/keymgr/main.c b/src/utils/keymgr/main.c new file mode 100644 index 0000000..133ebb7 --- /dev/null +++ b/src/utils/keymgr/main.c @@ -0,0 +1,439 @@ +/* Copyright (C) 2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#include <getopt.h> +#include <stdlib.h> +#include <unistd.h> +#include <sys/stat.h> +#include <sys/types.h> +#include <unistd.h> + +#include "contrib/string.h" +#include "contrib/strtonum.h" +#include "knot/conf/conf.h" +#include "knot/dnssec/zone-keys.h" +#include "libknot/libknot.h" +#include "utils/common/params.h" +#include "utils/keymgr/functions.h" +#include "utils/keymgr/offline_ksk.h" + +#define PROGRAM_NAME "keymgr" + +static void print_help(void) +{ + printf("Usage:\n" + " %s -h | -V\n" + " %s -t <tsig_name> [<algorithm>] [<bits>]\n" + " %s [-c | -C | -d <path>] <zone> <command> [<argument>...]\n" + "\n" + "Parameters:\n" + " -c, --config <file> Use a textual configuration file.\n" + " (default %s)\n" + " -C, --confdb <dir> Use a binary configuration database directory.\n" + " (default %s)\n" + " -d, --dir <path> Use specified KASP database path and default configuration.\n" + " -t, --tsig <name> [alg] Generate a TSIG key.\n" + " -h, --help Print the program help.\n" + " -V, --version Print the program version.\n" + "\n" + "Commands:\n" + " list List all zone's DNSSEC keys.\n" + " generate Generate new DNSSEC key.\n" + " (syntax: generate <attribute_name>=<value>...)\n" + " import-bind Import BIND-style key file pair (.key + .private).\n" + " (syntax: import-bind <key_file_name>)\n" + " import-pub Import public-only key to be published in the zone (in BIND .key format).\n" + " (syntax: import-pub <key_file_name>)\n" + " import-pem Import key in PEM format. Specify its parameters manually.\n" + " (syntax: import-pem <pem_file_path> <attribute_name>=<value>...)\n" + " import-pkcs11 Import key stored in PKCS11 storage. Specify its parameters manually.\n" + " (syntax: import-pkcs11 <key_id> <attribute_name>=<value>...)\n" + " nsec3-salt Print current NSEC3 salt. If a parameter is specified, set new salt.\n" + " (syntax: nsec3salt [<new_salt>])\n" + " local-serial Print SOA serial stored in KASP database when using on-slave signing.\n" + " If a parameter is specified, set new serial.\n" + " (syntax: serial <new_serial>)\n" + " ds Generate DS record(s) for specified key.\n" + " (syntax: ds <key_spec>)\n" + " dnskey Generate DNSKEY record for specified key.\n" + " (syntax: dnskey <key_spec>)\n" + " share Share an existing key of another zone with the specified zone.\n" + " (syntax: share <full_key_ID> <zone2share_from>\n" + " delete Remove the specified key from zone.\n" + " (syntax: delete <key_spec>)\n" + " set Set existing key's timing attribute.\n" + " (syntax: set <key_spec> <attribute_name>=<value>...)\n" + "\n" + "Commands related to Offline KSK feature:\n" + " pregenerate Pre-generate ZSKs for later rollovers with offline KSK.\n" + " (syntax: pregenerate <timestamp>)\n" + " show-offline Print pre-generated offline key-related records for specified time interval (possibly to infinity).\n" + " (syntax: show-offline <from> [<to>])\n" + " del-offline Delete pre-generated offline key-related records in specified time interval.\n" + " (syntax: del-offline <from> <to>)\n" + " del-all-old Delete old keys that are in state 'removed'.\n" + " generate-ksr Print to stdout KeySigningRequest based on pre-generated ZSKS.\n" + " (syntax: generate-ksr <from> <to>)\n" + " sign-ksr Read KeySigningRequest from a file, sign it and print SignedKeyResponse to stdout.\n" + " (syntax: sign-ksr <ksr_file>)\n" + " validate-skr Validate RRSIGs in a SignedKeyResponse (if not corrupt).\n" + " (syntax: validate-skr <skr_file>)\n" + " import-skr Import DNSKEY record signatures from a SignedKeyResponse.\n" + " (syntax: import-skr <skr_file>)\n" + "\n" + "Key specification:\n" + " either the key tag (number) or [a prefix of] key ID, with an optional\n" + " [id=|keytag=] prefix.\n" + "\n" + "Key attributes:\n" + " algorithm The key cryptographic algorithm: either name (e.g. RSASHA256) or\n" + " number.\n" + " size The key size in bits.\n" + " ksk Whether the generated/imported key shall be Key Signing Key.\n" + " created/publish/ready/active/retire/remove The timestamp of the key\n" + " lifetime event (e.g. published=+1d active=1499770874)\n", + PROGRAM_NAME, PROGRAM_NAME, PROGRAM_NAME, CONF_DEFAULT_FILE, CONF_DEFAULT_DBDIR); +} + +static int key_command(int argc, char *argv[], int opt_ind) +{ + if (argc < opt_ind + 2) { + ERROR("zone name and/or command not specified\n"); + print_help(); + return KNOT_EINVAL; + } + argc -= opt_ind; + argv += opt_ind; + + knot_dname_t *zone_name = knot_dname_from_str_alloc(argv[0]); + if (zone_name == NULL) { + return KNOT_ENOMEM; + } + knot_dname_to_lower(zone_name); + + knot_lmdb_db_t kaspdb = { 0 }; + kdnssec_ctx_t kctx = { 0 }; + + conf_val_t mapsize = conf_db_param(conf(), C_KASP_DB_MAX_SIZE, C_MAX_KASP_DB_SIZE); + char *kasp_dir = conf_db(conf(), C_KASP_DB); + knot_lmdb_init(&kaspdb, kasp_dir, conf_int(&mapsize), 0, "keys_db"); + free(kasp_dir); + + int ret = kdnssec_ctx_init(conf(), &kctx, zone_name, &kaspdb, NULL); + if (ret != KNOT_EOK) { + ERROR("failed to initialize KASP (%s)\n", knot_strerror(ret)); + goto main_end; + } + +#define CHECK_MISSING_ARG(msg) \ + if (argc < 3) { \ + ERROR("%s\n", (msg)); \ + ret = KNOT_EINVAL; \ + goto main_end; \ + } + +#define CHECK_MISSING_ARG2(msg) \ + if (argc < 4) { \ + ERROR("%s\n", (msg)); \ + ret = KNOT_EINVAL; \ + goto main_end; \ + } + + bool print_ok_on_succes = true; + if (strcmp(argv[1], "generate") == 0) { + ret = keymgr_generate_key(&kctx, argc - 2, argv + 2); + print_ok_on_succes = false; + } else if (strcmp(argv[1], "import-bind") == 0) { + CHECK_MISSING_ARG("BIND-style key to import not specified"); + ret = keymgr_import_bind(&kctx, argv[2], false); + } else if (strcmp(argv[1], "import-pub") == 0) { + CHECK_MISSING_ARG("BIND-style key to import not specified"); + ret = keymgr_import_bind(&kctx, argv[2], true); + } else if (strcmp(argv[1], "import-pem") == 0) { + CHECK_MISSING_ARG("PEM file to import not specified"); + ret = keymgr_import_pem(&kctx, argv[2], argc - 3, argv + 3); + } else if (strcmp(argv[1], "import-pkcs11") == 0) { + CHECK_MISSING_ARG("Key ID to import not specified"); + ret = keymgr_import_pkcs11(&kctx, argv[2], argc - 3, argv + 3); + } else if (strcmp(argv[1], "nsec3-salt") == 0) { + if (argc > 2) { + ret = keymgr_nsec3_salt_set(&kctx, argv[2]); + } else { + ret = keymgr_nsec3_salt_print(&kctx); + print_ok_on_succes = false; + } + } else if (strcmp(argv[1], "local-serial") == 0) { + if (argc > 2) { + uint32_t new_serial = 0; + if ((ret = str_to_u32(argv[2], &new_serial)) == KNOT_EOK) { + ret = keymgr_serial_set(&kctx, new_serial); + } + } else { + ret = keymgr_serial_print(&kctx); + print_ok_on_succes = false; + } + } else if (strcmp(argv[1], "set") == 0) { + CHECK_MISSING_ARG("Key is not specified"); + knot_kasp_key_t *key2set; + ret = keymgr_get_key(&kctx, argv[2], &key2set); + if (ret == KNOT_EOK) { + ret = keymgr_set_timing(key2set, argc - 3, argv + 3); + if (ret == KNOT_EOK) { + ret = kdnssec_ctx_commit(&kctx); + } + } + } else if (strcmp(argv[1], "list") == 0) { + knot_time_print_t format = TIME_PRINT_UNIX; + if (argc > 2 && strcmp(argv[2], "human") == 0) { + format = TIME_PRINT_HUMAN_MIXED; + } else if (argc > 2 && strcmp(argv[2], "iso") == 0) { + format = TIME_PRINT_ISO8601; + } + ret = keymgr_list_keys(&kctx, format); + print_ok_on_succes = false; + } else if (strcmp(argv[1], "ds") == 0 || strcmp(argv[1], "dnskey") == 0) { + int (*generate_rr)(const knot_dname_t *, const knot_kasp_key_t *) = keymgr_generate_dnskey; + if (strcmp(argv[1], "ds") == 0) { + generate_rr = keymgr_generate_ds; + } + if (argc < 3) { + for (int i = 0; i < kctx.zone->num_keys && ret == KNOT_EOK; i++) { + if (kctx.zone->keys[i].is_ksk) { + ret = generate_rr(zone_name, &kctx.zone->keys[i]); + } + } + } else { + knot_kasp_key_t *key2rr; + ret = keymgr_get_key(&kctx, argv[2], &key2rr); + if (ret == KNOT_EOK) { + ret = generate_rr(zone_name, key2rr); + } + } + print_ok_on_succes = false; + } else if (strcmp(argv[1], "share") == 0) { + CHECK_MISSING_ARG("Key to be shared is not specified"); + CHECK_MISSING_ARG2("Zone to be shared from not specified"); + knot_dname_t *other_zone = NULL; + char *key_to_share = NULL; + ret = keymgr_foreign_key_id(argv, &kaspdb, &other_zone, &key_to_share); + if (ret == KNOT_EOK) { + ret = kasp_db_share_key(kctx.kasp_db, other_zone, kctx.zone->dname, key_to_share); + } + free(other_zone); + free(key_to_share); + } else if (strcmp(argv[1], "delete") == 0) { + CHECK_MISSING_ARG("Key is not specified"); + knot_kasp_key_t *key2del; + ret = keymgr_get_key(&kctx, argv[2], &key2del); + if (ret == KNOT_EOK) { + ret = kdnssec_delete_key(&kctx, key2del); + } + } else if (strcmp(argv[1], "pregenerate") == 0) { + CHECK_MISSING_ARG("Period not specified"); + ret = keymgr_pregenerate_zsks(&kctx, argv[2]); + } else if (strcmp(argv[1], "show-offline") == 0) { + CHECK_MISSING_ARG("Timestamp not specified"); + ret = keymgr_print_offline_records(&kctx, argv[2], argc > 3 ? argv[3] : NULL); + } else if (strcmp(argv[1], "del-offline") == 0) { + CHECK_MISSING_ARG2("Timestamps from-to not specified"); + ret = keymgr_delete_offline_records(&kctx, argv[2], argv[3]); + } else if (strcmp(argv[1], "del-all-old") == 0) { + ret = keymgr_del_all_old(&kctx); + } else if (strcmp(argv[1], "generate-ksr") == 0) { + CHECK_MISSING_ARG2("Timestamps from-to not specified"); + ret = keymgr_print_ksr(&kctx, argv[2], argv[3]); + print_ok_on_succes = false; + } else if (strcmp(argv[1], "sign-ksr") == 0) { + CHECK_MISSING_ARG("Input file not specified"); + ret = keymgr_sign_ksr(&kctx, argv[2]); + print_ok_on_succes = false; + } else if (strcmp(argv[1], "validate-skr") == 0) { + CHECK_MISSING_ARG("Input file not specified"); + ret = keymgr_validate_skr(&kctx, argv[2]); + } else if (strcmp(argv[1], "import-skr") == 0) { + CHECK_MISSING_ARG("Input file not specified"); + ret = keymgr_import_skr(&kctx, argv[2]); + } else { + ERROR("wrong zone-key command: %s\n", argv[1]); + goto main_end; + } + +#undef CHECK_MISSING_ARG + + if (ret == KNOT_EOK) { + printf("%s", print_ok_on_succes ? "OK\n" : ""); + } else { + ERROR("%s\n", knot_strerror(ret)); + } + +main_end: + kdnssec_ctx_deinit(&kctx); + knot_lmdb_deinit(&kaspdb); + free(zone_name); + + return ret; +} + +static bool init_conf(const char *confdb) +{ + size_t max_conf_size = (size_t)CONF_MAPSIZE * 1024 * 1024; + + conf_flag_t flags = CONF_FNOHOSTNAME | CONF_FOPTMODULES; + if (confdb != NULL) { + flags |= CONF_FREADONLY; + } + + conf_t *new_conf = NULL; + int ret = conf_new(&new_conf, conf_schema, confdb, max_conf_size, flags); + if (ret != KNOT_EOK) { + ERROR("failed opening configuration database %s (%s)\n", + (confdb == NULL ? "" : confdb), knot_strerror(ret)); + return false; + } + conf_update(new_conf, CONF_UPD_FNONE); + return true; +} + +static bool init_confile(const char *confile) +{ + int ret = conf_import(conf(), confile, true, false); + if (ret != KNOT_EOK) { + ERROR("failed opening configuration file %s (%s)\n", + confile, knot_strerror(ret)); + return false; + } + return true; +} + +static bool init_conf_blank(const char *kasp_dir) +{ + char *confstr = sprintf_alloc("database:\n" + " storage: .\n" + " kasp-db: \"%s\"\n", kasp_dir); + int ret = conf_import(conf(), confstr, false, false); + free(confstr); + if (ret != KNOT_EOK) { + ERROR("failed creating fake configuration (%s)\n", + knot_strerror(ret)); + return false; + } + return true; +} + +static void update_privileges(void) +{ + int uid, gid; + if (conf_user(conf(), &uid, &gid) != KNOT_EOK) { + return; + } + + // Just try to alter process privileges if different from configured. + int unused __attribute__((unused)); + if ((gid_t)gid != getgid()) { + unused = setregid(gid, gid); + } + if ((uid_t)uid != getuid()) { + unused = setreuid(uid, uid); + } +} + +static bool conf_initialized = false; // This is a singleton as well as conf() is. + +#define CHECK_CONF_UNINIT \ + if ((conf_initialized = !conf_initialized) == false) { \ + ERROR("multiple arguments attempting configuration initializatioin\n"); \ + return EXIT_FAILURE; \ + } + +int main(int argc, char *argv[]) +{ + int ret; + + struct option opts[] = { + { "config", required_argument, NULL, 'c' }, + { "confdb", required_argument, NULL, 'C' }, + { "dir", required_argument, NULL, 'd' }, + { "tsig", required_argument, NULL, 't' }, + { "help", no_argument, NULL, 'h' }, + { "version", no_argument, NULL, 'V' }, + { NULL } + }; + + tzset(); + + int opt = 0, parm = 0; + while ((opt = getopt_long(argc, argv, "hVd:c:C:t:", opts, NULL)) != -1) { + switch (opt) { + case 'h': + print_help(); + return EXIT_SUCCESS; + case 'V': + print_version(PROGRAM_NAME); + return EXIT_SUCCESS; + case 'd': + CHECK_CONF_UNINIT + if (!init_conf(NULL) || !init_conf_blank(optarg)) { + return EXIT_FAILURE; + } + break; + case 'c': + CHECK_CONF_UNINIT + if (!init_conf(NULL) || !init_confile(optarg)) { + return EXIT_FAILURE; + } + break; + case 'C': + CHECK_CONF_UNINIT + if (!init_conf(argv[2])) { + return EXIT_FAILURE; + } + break; + case 't': + if (argc > optind + 1) { + (void)str_to_int(argv[optind + 1], &parm, 0, 65536); + } + ret = keymgr_generate_tsig(optarg, (argc > optind ? argv[optind] : "hmac-sha256"), parm); + if (ret != KNOT_EOK) { + ERROR("failed to generate TSIG (%s)\n", knot_strerror(ret)); + } + return (ret == KNOT_EOK ? EXIT_SUCCESS : EXIT_FAILURE); + default: + print_help(); + return EXIT_FAILURE; + } + } + + if (!conf_initialized) { + struct stat st; + if (conf_db_exists(CONF_DEFAULT_DBDIR) && init_conf(CONF_DEFAULT_DBDIR)) { + // initialized conf from default DB location + } else if (stat(CONF_DEFAULT_FILE, &st) == 0 && + init_conf(NULL) && init_confile(CONF_DEFAULT_FILE)) { + // initialized conf from default confile + } else { + ERROR("couldn't initialize configuration, please provide -c, -C, or -d option\n"); + return EXIT_FAILURE; + } + } + + update_privileges(); + + ret = key_command(argc, argv, optind); + + conf_free(conf()); + + return (ret == KNOT_EOK ? EXIT_SUCCESS : EXIT_FAILURE); +} diff --git a/src/utils/keymgr/offline_ksk.c b/src/utils/keymgr/offline_ksk.c new file mode 100644 index 0000000..f4fc1dd --- /dev/null +++ b/src/utils/keymgr/offline_ksk.c @@ -0,0 +1,502 @@ +/* Copyright (C) 2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#include <string.h> +#include <stdio.h> +#include <time.h> + +#include "utils/keymgr/offline_ksk.h" +#include "knot/dnssec/kasp/policy.h" +#include "knot/dnssec/key-events.h" +#include "knot/dnssec/key_records.h" +#include "knot/dnssec/rrset-sign.h" +#include "knot/dnssec/zone-events.h" +#include "knot/dnssec/zone-keys.h" +#include "knot/dnssec/zone-sign.h" +#include "libzscanner/scanner.h" +#include "utils/keymgr/functions.h" + +#define KSR_SKR_VER "1.0" + +static int pregenerate_once(kdnssec_ctx_t *ctx, knot_time_t *next) +{ + zone_sign_reschedule_t resch = { 0 }; + + // generate ZSKs + int ret = knot_dnssec_key_rollover(ctx, KEY_ROLL_ALLOW_ZSK_ROLL, &resch); + if (ret != KNOT_EOK) { + ERROR("key rollover failed\n"); + return ret; + } + // we don't need to do anything explicitly with the generated ZSKs + // they're simply stored in KASP db + + *next = resch.next_rollover; + return KNOT_EOK; +} + +// please free *_dnskey and keyset even if returned error +static int load_dnskey_rrset(kdnssec_ctx_t *ctx, knot_rrset_t **_dnskey, zone_keyset_t *keyset) +{ + // prepare the DNSKEY rrset to be signed + knot_rrset_t *dnskey = knot_rrset_new(ctx->zone->dname, KNOT_RRTYPE_DNSKEY, + KNOT_CLASS_IN, ctx->policy->dnskey_ttl, NULL); + if (dnskey == NULL) { + return KNOT_ENOMEM; + } + *_dnskey = dnskey; + + int ret = load_zone_keys(ctx, keyset, false); + if (ret != KNOT_EOK) { + ERROR("failed to load keys\n"); + return ret; + } + + for (int i = 0; i < keyset->count; i++) { + zone_key_t *key = &keyset->keys[i]; + if (key->is_public) { + ret = rrset_add_zone_key(dnskey, key); + if (ret != KNOT_EOK) { + ERROR("failed to add zone key\n"); + return ret; + } + } + } + + return KNOT_EOK; +} + +int keymgr_pregenerate_zsks(kdnssec_ctx_t *ctx, char *arg) +{ + knot_time_t upto; + int ret = parse_timestamp(arg, &upto); + if (ret != KNOT_EOK) { + return ret; + } + + knot_time_t next = ctx->now; + ret = KNOT_EOK; + + ctx->keep_deleted_keys = true; + ctx->policy->manual = false; + + if (ctx->policy->dnskey_ttl == UINT32_MAX || + ctx->policy->zone_maximal_ttl == UINT32_MAX) { + ERROR("dnskey-ttl or zone-max-ttl not configured\n"); + return KNOT_ESEMCHECK; + } + + while (ret == KNOT_EOK && knot_time_cmp(next, upto) <= 0) { + ctx->now = next; + ret = pregenerate_once(ctx, &next); + } + + return ret; +} + +static int dump_rrset_to_buf(const knot_rrset_t *rrset, char **buf, size_t *buf_size) +{ + if (*buf == NULL) { + *buf = malloc(*buf_size); + if (*buf == NULL) { + return KNOT_ENOMEM; + } + } + + knot_dump_style_t style = { + .wrap = true, + .show_ttl = true, + .verbose = true, + .original_ttl = true, + .human_tmstamp = true + }; + return knot_rrset_txt_dump(rrset, buf, buf_size, &style); +} + +static void print_header(const char *of_what, knot_time_t timestamp, const char *contents) +{ + char date[64] = { 0 }; + (void)knot_time_print(TIME_PRINT_ISO8601, timestamp, date, sizeof(date)); + printf(";; %s %"PRIu64" (%s) =========\n%s", of_what, + timestamp, date, contents); +} + +int keymgr_print_offline_records(kdnssec_ctx_t *ctx, char *arg_from, char *arg_to) +{ + knot_time_t from = 0, to = 0, next = 0; + int ret = parse_timestamp(arg_from, &from); + if (ret != KNOT_EOK) { + return ret; + } + if (arg_to != NULL) { + ret = parse_timestamp(arg_to, &to); + if (ret != KNOT_EOK) { + return ret; + } + } + char *buf = NULL; + size_t buf_size = 512; + for (knot_time_t i = from; ret == KNOT_EOK && i != 0 && (arg_to == NULL || knot_time_cmp(i, to) < 0); i = next) { + key_records_t r = { { 0 } }; + ret = kasp_db_load_offline_records(ctx->kasp_db, ctx->zone->dname, i, &next, &r); + if (ret == KNOT_EOK) { + ret = key_records_dump(&buf, &buf_size, &r, true); + } + if (ret == KNOT_EOK) { + print_header("Offline records for", i, buf); + } + key_records_clear(&r); + } + free(buf); + + return ret; +} + +int keymgr_delete_offline_records(kdnssec_ctx_t *ctx, char *arg_from, char *arg_to) +{ + knot_time_t from, to; + int ret = parse_timestamp(arg_from, &from); + if (ret != KNOT_EOK) { + return ret; + } + ret = parse_timestamp(arg_to, &to); + if (ret != KNOT_EOK) { + return ret; + } + return kasp_db_delete_offline_records(ctx->kasp_db, ctx->zone->dname, from, to); +} + +int keymgr_del_all_old(kdnssec_ctx_t *ctx) +{ + for (size_t i = 0; i < ctx->zone->num_keys; i++) { + knot_kasp_key_t *key = &ctx->zone->keys[i]; + if (knot_time_cmp(key->timing.remove, ctx->now) < 0) { + int ret = kdnssec_delete_key(ctx, key); + printf("- %s\n", knot_strerror(ret)); + } + } + return kdnssec_ctx_commit(ctx); +} + +static void print_generated_message(void) +{ + char buf[64] = { 0 }; + knot_time_print(TIME_PRINT_ISO8601, knot_time(), buf, sizeof(buf)); + printf("generated at %s by Knot DNS %s\n", buf, VERSION); +} + +static int ksr_once(kdnssec_ctx_t *ctx, char **buf, size_t *buf_size, knot_time_t *next_ksr) +{ + knot_rrset_t *dnskey = NULL; + zone_keyset_t keyset = { 0 }; + int ret = load_dnskey_rrset(ctx, &dnskey, &keyset); + if (ret != KNOT_EOK) { + goto done; + } + ret = dump_rrset_to_buf(dnskey, buf, buf_size); + if (ret >= 0) { + print_header("KeySigningRequest "KSR_SKR_VER, ctx->now, *buf); + ret = KNOT_EOK; + } + +done: + if (ret == KNOT_EOK && next_ksr != NULL) { + *next_ksr = knot_get_next_zone_key_event(&keyset); + } + knot_rrset_free(dnskey, NULL); + free_zone_keys(&keyset); + return ret; +} + +#define OFFLINE_KSK_CONF_CHECK \ + if (!ctx->policy->offline_ksk || !ctx->policy->manual) { \ + ERROR("offline-ksk and manual must be enabled in configuration\n"); \ + return KNOT_ESEMCHECK; \ + } + +int keymgr_print_ksr(kdnssec_ctx_t *ctx, char *arg_from, char *arg_to) +{ + OFFLINE_KSK_CONF_CHECK + + knot_time_t from, to; + int ret = parse_timestamp(arg_from, &from); + if (ret != KNOT_EOK) { + return ret; + } + ret = parse_timestamp(arg_to, &to); + if (ret != KNOT_EOK) { + return ret; + } + + char *buf = NULL; + size_t buf_size = 4096; + while (ret == KNOT_EOK && knot_time_cmp(from, to) < 0) { + ctx->now = from; + ret = ksr_once(ctx, &buf, &buf_size, &from); + } + if (ret != KNOT_EOK) { + free(buf); + return ret; + } + ctx->now = to; + // force end of period as a KSR timestamp + ret = ksr_once(ctx, &buf, &buf_size, NULL); + + printf(";; KeySigningRequest %s ", KSR_SKR_VER); + print_generated_message(); + + free(buf); + return ret; +} + +typedef struct { + int ret; + key_records_t r; + knot_time_t timestamp; + kdnssec_ctx_t *kctx; +} ksr_sign_ctx_t; + +static int ksr_sign_dnskey(kdnssec_ctx_t *ctx, knot_rrset_t *zsk, knot_time_t now, + knot_time_t *next_sign) +{ + zone_keyset_t keyset = { 0 }; + char *buf = NULL; + size_t buf_size = 4096; + knot_time_t rrsigs_expire = 0; + + ctx->now = now; + + int ret = load_zone_keys(ctx, &keyset, false); + if (ret != KNOT_EOK) { + return ret; + } + + key_records_t r; + key_records_init(ctx, &r); + + ret = knot_zone_sign_add_dnskeys(&keyset, ctx, &r); + if (ret != KNOT_EOK) { + goto done; + } + + ret = knot_rdataset_merge(&r.dnskey.rrs, &zsk->rrs, NULL); + if (ret != KNOT_EOK) { + goto done; + } + + // no check if the KSK used for signing (in keyset) is contained in DNSKEY record being signed (in KSR) ! + for (int i = 0; i < keyset.count; i++) { + ret = key_records_sign(&keyset.keys[i], &r, ctx, &rrsigs_expire); + if (ret != KNOT_EOK) { + goto done; + } + } + ret = key_records_dump(&buf, &buf_size, &r, true); + if (ret == KNOT_EOK) { + print_header("SignedKeyResponse "KSR_SKR_VER, ctx->now, buf); + *next_sign = knot_time_min( + knot_get_next_zone_key_event(&keyset), + knot_time_add(rrsigs_expire, -(knot_timediff_t)ctx->policy->rrsig_refresh_before) + ); + } + +done: + free(buf); + key_records_clear(&r); + free_zone_keys(&keyset); + return ret; +} + +static int process_skr_between_ksrs(ksr_sign_ctx_t *ctx, knot_time_t from, knot_time_t to) +{ + for (knot_time_t t = from; t < to /* if (t == infinity) stop */; ) { + int ret = ksr_sign_dnskey(ctx->kctx, &ctx->r.dnskey, t, &t); + if (ret != KNOT_EOK) { + return ret; + } + } + return KNOT_EOK; +} + +static void ksr_sign_header(zs_scanner_t *sc) +{ + ksr_sign_ctx_t *ctx = sc->process.data; + + // parse header + float header_ver; + knot_time_t next_timestamp = 0; + if (sc->error.code != 0 || ctx->ret != KNOT_EOK || + sscanf((const char *)sc->buffer, "; KeySigningRequest %f %"PRIu64, + &header_ver, &next_timestamp) < 1) { + return; + } + (void)header_ver; + + // sign previous KSR and inbetween KSK changes + if (ctx->timestamp > 0) { + knot_time_t inbetween_from; + ctx->ret = ksr_sign_dnskey(ctx->kctx, &ctx->r.dnskey, ctx->timestamp, + &inbetween_from); + if (next_timestamp > 0 && ctx->ret == KNOT_EOK) { + ctx->ret = process_skr_between_ksrs(ctx, inbetween_from, + next_timestamp); + } + key_records_clear_rdatasets(&ctx->r); + } + + // start new KSR + ctx->timestamp = next_timestamp; +} + +static void ksr_sign_once(zs_scanner_t *sc) +{ + ksr_sign_ctx_t *ctx = sc->process.data; + if (sc->error.code == 0 && ctx->ret == KNOT_EOK) { + ctx->ret = knot_rrset_add_rdata(&ctx->r.dnskey, sc->r_data, sc->r_data_length, NULL); + ctx->r.dnskey.ttl = sc->r_ttl; + } +} + +static void skr_import_header(zs_scanner_t *sc) +{ + ksr_sign_ctx_t *ctx = sc->process.data; + + // parse header + float header_ver; + knot_time_t next_timestamp; + if (sc->error.code != 0 || ctx->ret != KNOT_EOK || + sscanf((const char *)sc->buffer, "; SignedKeyResponse %f %"PRIu64, + &header_ver, &next_timestamp) < 1) { + return; + } + (void)header_ver; + + // delete possibly existing conflicting offline records + ctx->ret = kasp_db_delete_offline_records( + ctx->kctx->kasp_db, ctx->kctx->zone->dname, next_timestamp, 0 + ); + + // store previous SKR + if (ctx->timestamp > 0 && ctx->ret == KNOT_EOK) { + ctx->ret = key_records_verify(&ctx->r, ctx->kctx, ctx->timestamp); + if (ctx->ret != KNOT_EOK) { + return; + } + + ctx->ret = kasp_db_store_offline_records(ctx->kctx->kasp_db, + ctx->timestamp, &ctx->r); + key_records_clear_rdatasets(&ctx->r); + } + + // start new SKR + ctx->timestamp = next_timestamp; +} + +static void skr_validate_header(zs_scanner_t *sc) +{ + ksr_sign_ctx_t *ctx = sc->process.data; + + float header_ver; + knot_time_t next_timestamp; + if (sc->error.code != 0 || ctx->ret != KNOT_EOK || + sscanf((const char *)sc->buffer, "; SignedKeyResponse %f %"PRIu64, + &header_ver, &next_timestamp) < 1) { + return; + } + (void)header_ver; + + if (ctx->timestamp > 0 && ctx->ret == KNOT_EOK) { + int ret = key_records_verify(&ctx->r, ctx->kctx, ctx->timestamp); + if (ret != KNOT_EOK) { // ctx->ret untouched + ERROR("invalid SignedKeyResponse for %"KNOT_TIME_PRINTF" (%s)\n", + ctx->timestamp, knot_strerror(ret)); + } + key_records_clear_rdatasets(&ctx->r); + } + + ctx->timestamp = next_timestamp; +} + +static void skr_import_once(zs_scanner_t *sc) +{ + ksr_sign_ctx_t *ctx = sc->process.data; + if (sc->error.code == 0 && ctx->ret == KNOT_EOK) { + ctx->ret = key_records_add_rdata(&ctx->r, sc->r_type, sc->r_data, + sc->r_data_length, sc->r_ttl); + } +} + +static int read_ksr_skr(kdnssec_ctx_t *ctx, const char *infile, + void (*cb_header)(zs_scanner_t *), void (*cb_record)(zs_scanner_t *)) +{ + zs_scanner_t sc = { 0 }; + int ret = zs_init(&sc, "", KNOT_CLASS_IN, 0); + if (ret < 0) { + return KNOT_ERROR; + } + + ret = zs_set_input_file(&sc, infile); + if (ret < 0) { + zs_deinit(&sc); + return KNOT_EFILE; + } + + ksr_sign_ctx_t pctx = { 0 }; + key_records_init(ctx, &pctx.r); + pctx.kctx = ctx; + ret = zs_set_processing(&sc, cb_record, NULL, &pctx); + if (ret < 0) { + zs_deinit(&sc); + return KNOT_EBUSY; + } + sc.process.comment = cb_header; + + ret = zs_parse_all(&sc); + + if (sc.error.code != 0) { + ret = KNOT_EMALF; + } else if (pctx.ret != KNOT_EOK) { + ret = pctx.ret; + } else if (ret < 0 || pctx.r.dnskey.rrs.count > 0 || pctx.r.cdnskey.rrs.count > 0 || + pctx.r.cds.rrs.count > 0 || pctx.r.rrsig.rrs.count > 0) { + ret = KNOT_EMALF; + } + key_records_clear(&pctx.r); + zs_deinit(&sc); + return ret; +} + +int keymgr_sign_ksr(kdnssec_ctx_t *ctx, const char *ksr_file) +{ + OFFLINE_KSK_CONF_CHECK + + int ret = read_ksr_skr(ctx, ksr_file, ksr_sign_header, ksr_sign_once); + printf(";; SignedKeyResponse %s ", KSR_SKR_VER); + print_generated_message(); + return ret; +} + +int keymgr_import_skr(kdnssec_ctx_t *ctx, const char *skr_file) +{ + OFFLINE_KSK_CONF_CHECK + + return read_ksr_skr(ctx, skr_file, skr_import_header, skr_import_once); +} + +int keymgr_validate_skr(kdnssec_ctx_t *ctx, const char *skr_file) +{ + return read_ksr_skr(ctx, skr_file, skr_validate_header, skr_import_once); +} diff --git a/src/utils/keymgr/offline_ksk.h b/src/utils/keymgr/offline_ksk.h new file mode 100644 index 0000000..21b0eb8 --- /dev/null +++ b/src/utils/keymgr/offline_ksk.h @@ -0,0 +1,35 @@ +/* Copyright (C) 2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#pragma once + +#include "knot/dnssec/context.h" + +int keymgr_pregenerate_zsks(kdnssec_ctx_t *ctx, char *arg); + +int keymgr_print_offline_records(kdnssec_ctx_t *ctx, char *arg_from, char *arg_to); + +int keymgr_delete_offline_records(kdnssec_ctx_t *ctx, char *arg_from, char *arg_to); + +int keymgr_del_all_old(kdnssec_ctx_t *ctx); + +int keymgr_print_ksr(kdnssec_ctx_t *ctx, char *arg_from, char *arg_to); + +int keymgr_sign_ksr(kdnssec_ctx_t *ctx, const char *ksr_file); + +int keymgr_import_skr(kdnssec_ctx_t *ctx, const char *skr_file); + +int keymgr_validate_skr(kdnssec_ctx_t *ctx, const char *skr_file); diff --git a/src/utils/khost/khost_main.c b/src/utils/khost/khost_main.c new file mode 100644 index 0000000..75b0db7 --- /dev/null +++ b/src/utils/khost/khost_main.c @@ -0,0 +1,45 @@ +/* Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#include <stdlib.h> + +#include "libdnssec/crypto.h" +#include "utils/khost/khost_params.h" +#include "utils/kdig/kdig_exec.h" +#include "libknot/libknot.h" + +int main(int argc, char *argv[]) +{ + int ret = EXIT_SUCCESS; + + tzset(); + + kdig_params_t params; + if (khost_parse(¶ms, argc, argv) == KNOT_EOK) { + if (!params.stop) { + dnssec_crypto_init(); + if (kdig_exec(¶ms) != KNOT_EOK) { + ret = EXIT_FAILURE; + } + dnssec_crypto_cleanup(); + } + } else { + ret = EXIT_FAILURE; + } + + khost_clean(¶ms); + return ret; +} diff --git a/src/utils/khost/khost_params.c b/src/utils/khost/khost_params.c new file mode 100644 index 0000000..d2e6795 --- /dev/null +++ b/src/utils/khost/khost_params.c @@ -0,0 +1,365 @@ +/* Copyright (C) 2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#include <getopt.h> +#include <locale.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> + +#include "utils/khost/khost_params.h" +#include "utils/kdig/kdig_params.h" +#include "utils/common/msg.h" +#include "utils/common/params.h" +#include "utils/common/resolv.h" +#include "libknot/libknot.h" +#include "contrib/strtonum.h" +#include "contrib/ucw/lists.h" + +#define PROGRAM_NAME "khost" + +#define DEFAULT_RETRIES_HOST 1 +#define DEFAULT_TIMEOUT_HOST 2 + +static const style_t DEFAULT_STYLE_HOST = { + .format = FORMAT_HOST, + .style = { + .wrap = false, + .show_class = true, + .show_ttl = true, + .verbose = false, + .original_ttl = false, + .empty_ttl = false, + .human_ttl = false, + .human_tmstamp = true, + .generic = false, + .ascii_to_idn = name_to_idn + }, + .show_query = false, + .show_header = false, + .show_edns = false, + .show_question = true, + .show_answer = true, + .show_authority = true, + .show_additional = true, + .show_tsig = false, + .show_footer = false +}; + +static int khost_init(kdig_params_t *params) +{ + // Initialize params with kdig defaults. + int ret = kdig_init(params); + + if (ret != KNOT_EOK) { + return ret; + } + + // Set khost specific defaults. + free(params->config->port); + params->config->port = strdup(DEFAULT_DNS_PORT); + params->config->retries = DEFAULT_RETRIES_HOST; + params->config->wait = DEFAULT_TIMEOUT_HOST; + params->config->class_num = KNOT_CLASS_IN; + params->config->style = DEFAULT_STYLE_HOST; + params->config->idn = true; + + // Check port. + if (params->config->port == NULL) { + query_free(params->config); + return KNOT_ENOMEM; + } + + return KNOT_EOK; +} + +void khost_clean(kdig_params_t *params) +{ + if (params == NULL) { + DBG_NULL; + return; + } + + kdig_clean(params); +} + +static int parse_server(const char *value, list_t *servers, const char *def_port) +{ + if (params_parse_server(value, servers, def_port) != KNOT_EOK) { + ERR("invalid server %s\n", value); + return KNOT_EINVAL; + } + + return KNOT_EOK; +} + +static int parse_name(const char *value, list_t *queries, const query_t *conf) +{ + char *reverse = get_reverse_name(value); + char *ascii_name = (char *)value; + query_t *query; + + if (conf->idn) { + ascii_name = name_from_idn(value); + if (ascii_name == NULL) { + free(reverse); + return KNOT_EINVAL; + } + } + + // If name is not FQDN, append trailing dot. + char *fqd_name = get_fqd_name(ascii_name); + + if (conf->idn) { + free(ascii_name); + } + + // RR type is known. + if (conf->type_num >= 0) { + if (conf->type_num == KNOT_RRTYPE_PTR) { + free(fqd_name); + + // Check for correct address. + if (reverse == NULL) { + ERR("invalid IPv4/IPv6 address %s\n", value); + return KNOT_EINVAL; + } + + // Add reverse query for address. + query = query_create(reverse, conf); + free(reverse); + if (query == NULL) { + return KNOT_ENOMEM; + } + add_tail(queries, (node_t *)query); + } else { + free(reverse); + + // Add query for name and specified type. + query = query_create(fqd_name, conf); + free(fqd_name); + if (query == NULL) { + return KNOT_ENOMEM; + } + add_tail(queries, (node_t *)query); + } + // RR type is unknown, use defaults. + } else { + if (reverse == NULL) { + // Add query for name and type A. + query = query_create(fqd_name, conf); + if (query == NULL) { + free(fqd_name); + return KNOT_ENOMEM; + } + query->type_num = KNOT_RRTYPE_A; + add_tail(queries, (node_t *)query); + + // Add query for name and type AAAA. + query = query_create(fqd_name, conf); + if (query == NULL) { + free(fqd_name); + return KNOT_ENOMEM; + } + query->type_num = KNOT_RRTYPE_AAAA; + query->style.hide_cname = true; + add_tail(queries, (node_t *)query); + + // Add query for name and type MX. + query = query_create(fqd_name, conf); + if (query == NULL) { + free(fqd_name); + return KNOT_ENOMEM; + } + free(fqd_name); + query->type_num = KNOT_RRTYPE_MX; + query->style.hide_cname = true; + add_tail(queries, (node_t *)query); + } else { + free(fqd_name); + + // Add reverse query for address. + query = query_create(reverse, conf); + free(reverse); + if (query == NULL) { + return KNOT_ENOMEM; + } + query->type_num = KNOT_RRTYPE_PTR; + add_tail(queries, (node_t *)query); + } + } + + return KNOT_EOK; +} + +static void print_help(void) +{ + printf("Usage: %s [-4] [-6] [-adhrsTvVw] [-c class] [-t type]\n" + " [-R retries] [-W time] name [server]\n\n" + " -4 Use IPv4 protocol only.\n" + " -6 Use IPv6 protocol only.\n" + " -a Same as -t ANY -v.\n" + " -d Allow debug messages.\n" + " -h, --help Print the program help.\n" + " -r Disable recursion.\n" + " -T Use TCP protocol.\n" + " -v Verbose output.\n" + " -V, --version Print the program version.\n" + " -w Wait forever.\n" + " -c Set query class.\n" + " -t Set query type.\n" + " -R Set number of UDP retries.\n" + " -W Set wait interval.\n", + PROGRAM_NAME); +} + +int khost_parse(kdig_params_t *params, int argc, char *argv[]) +{ + if (params == NULL || argv == NULL) { + DBG_NULL; + return KNOT_EINVAL; + } + + if (khost_init(params) != KNOT_EOK) { + return KNOT_ERROR; + } + +#ifdef LIBIDN + // Set up localization. + if (setlocale(LC_CTYPE, "") == NULL) { + params->config->idn = false; + } +#endif + + query_t *conf = params->config; + uint16_t rclass, rtype; + int64_t serial; + bool notify; + + // Long options. + struct option opts[] = { + { "help", no_argument, NULL, 'h' }, + { "version", no_argument, NULL, 'V' }, + { NULL } + }; + + // Command line options processing. + int opt = 0; + while ((opt = getopt_long(argc, argv, "46adhrsTvVwc:t:R:W:", opts, NULL)) + != -1) { + switch (opt) { + case '4': + conf->ip = IP_4; + break; + case '6': + conf->ip = IP_6; + break; + case 'a': + conf->type_num = KNOT_RRTYPE_ANY; + conf->style.format = FORMAT_FULL; + conf->style.show_header = true; + conf->style.show_edns = true; + conf->style.show_footer = true; + break; + case 'd': + msg_enable_debug(1); + break; + case 'h': + print_help(); + params->stop = false; + return KNOT_EOK; + case 'r': + conf->flags.rd_flag = false; + break; + case 'T': + conf->protocol = PROTO_TCP; + break; + case 'v': + conf->style.format = FORMAT_FULL; + conf->style.show_header = true; + conf->style.show_edns = true; + conf->style.show_footer = true; + break; + case 'V': + print_version(PROGRAM_NAME); + params->stop = false; + return KNOT_EOK; + case 'w': + conf->wait = -1; + break; + case 'c': + if (params_parse_class(optarg, &rclass) != KNOT_EOK) { + ERR("invalid class '%s'\n", optarg); + return KNOT_EINVAL; + } + conf->class_num = rclass; + break; + case 't': + if (params_parse_type(optarg, &rtype, &serial, ¬ify) + != KNOT_EOK) { + ERR("invalid type '%s'\n", optarg); + return KNOT_EINVAL; + } + conf->type_num = rtype; + conf->serial = serial; + conf->notify = notify; + + // If NOTIFY, reset default RD flag. + if (conf->notify) { + conf->flags.rd_flag = false; + } + break; + case 'R': + if (str_to_u32(optarg, &conf->retries) != KNOT_EOK) { + ERR("invalid retries '%s'\n", optarg); + return KNOT_EINVAL; + } + break; + case 'W': + if (params_parse_wait(optarg, &conf->wait) != KNOT_EOK) { + ERR("invalid wait '%s'\n", optarg); + return KNOT_EINVAL; + } + break; + default: + print_help(); + return KNOT_ENOTSUP; + } + } + + // Process non-option parameters. + switch (argc - optind) { + case 2: + if (parse_server(argv[optind + 1], &conf->servers, conf->port) + != KNOT_EOK) { + return KNOT_EINVAL; + } + case 1: // Fall through. + if (parse_name(argv[optind], ¶ms->queries, conf) + != KNOT_EOK) { + return KNOT_EINVAL; + } + break; + default: + print_help(); + return KNOT_ENOTSUP; + } + + // Complete missing data in queries based on defaults. + complete_queries(¶ms->queries, params->config); + + return KNOT_EOK; +} diff --git a/src/utils/khost/khost_params.h b/src/utils/khost/khost_params.h new file mode 100644 index 0000000..6f019fe --- /dev/null +++ b/src/utils/khost/khost_params.h @@ -0,0 +1,22 @@ +/* Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#pragma once + +#include "utils/kdig/kdig_params.h" + +int khost_parse(kdig_params_t *params, int argc, char *argv[]); +void khost_clean(kdig_params_t *params); diff --git a/src/utils/kjournalprint/main.c b/src/utils/kjournalprint/main.c new file mode 100644 index 0000000..a1dc3d7 --- /dev/null +++ b/src/utils/kjournalprint/main.c @@ -0,0 +1,430 @@ +/* Copyright (C) 2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#include <getopt.h> +#include <stdlib.h> +#include <sys/stat.h> + +#include "libknot/libknot.h" +#include "knot/journal/journal_basic.h" +#include "knot/journal/journal_metadata.h" +#include "knot/journal/journal_read.h" +#include "knot/journal/serialization.h" +#include "knot/zone/zone-dump.h" +#include "utils/common/params.h" +#include "contrib/dynarray.h" +#include "contrib/strtonum.h" +#include "contrib/string.h" + +#define PROGRAM_NAME "kjournalprint" + +static void print_help(void) +{ + printf("Usage: %s [parameters] <journal_dir> <zone_name>\n" + "\n" + "Parameters:\n" + " -l, --limit <num> Read only <num> newest changes.\n" + " -s, --serial <soa> Start with specific SOA serial.\n" + " -n, --no-color Get output without terminal coloring.\n" + " -z, --zone-list Instead of reading jurnal, display the list\n" + " of zones in the DB (<zone_name> not needed).\n" + " -c, --check Additional journal semantic checks.\n" + " -d, --debug Debug mode output.\n" + " -h, --help Print the program help.\n" + " -V, --version Print the program version.\n", + PROGRAM_NAME); +} + +typedef struct { + bool debug; + bool color; + bool check; + int limit; + int counter; + uint32_t serial; + bool from_serial; + size_t changes; +} print_params_t; + +static void print_changeset(const changeset_t *chs, print_params_t *params) +{ + static size_t count = 1; + const char *YLW = "\x1B[93m"; + printf("%s", params->color ? YLW : ""); + + if (chs->soa_from == NULL) { + printf(";; Zone-in-journal, serial: %u, changeset: %zu\n", + knot_soa_serial(chs->soa_to->rrs.rdata), + count++); + } else { + printf(";; Changes between zone versions: %u -> %u, changeset: %zu\n", + knot_soa_serial(chs->soa_from->rrs.rdata), + knot_soa_serial(chs->soa_to->rrs.rdata), + count++); + } + changeset_print(chs, stdout, params->color); +} + +dynarray_declare(rrtype, uint16_t, DYNARRAY_VISIBILITY_STATIC, 100) +dynarray_define(rrtype, uint16_t, DYNARRAY_VISIBILITY_STATIC) + +typedef struct { + rrtype_dynarray_t *arr; + size_t *counter; +} rrtypelist_ctx_t; + +static void rrtypelist_add(rrtype_dynarray_t *arr, uint16_t add_type) +{ + bool already_present = false; + dynarray_foreach(rrtype, uint16_t, i, *arr) { + if (*i == add_type) { + already_present = true; + break; + } + } + if (!already_present) { + rrtype_dynarray_add(arr, &add_type); + } +} + +static int rrtypelist_callback(zone_node_t *node, void *data) +{ + rrtypelist_ctx_t *ctx = data; + for (int i = 0; i < node->rrset_count; i++) { + knot_rrset_t rrset = node_rrset_at(node, i); + rrtypelist_add(ctx->arr, rrset.type); + *ctx->counter += rrset.rrs.count; + } + return KNOT_EOK; +} + +static void print_changeset_debugmode(const changeset_t *chs) +{ + // detect all types + rrtype_dynarray_t types = { 0 }; + size_t count_minus = 1, count_plus = 1; // 1 for SOA which is always present but not iterated + rrtypelist_ctx_t ctx_minus = { &types, &count_minus }, ctx_plus = { &types, &count_plus }; + (void)zone_contents_apply(chs->remove, rrtypelist_callback, &ctx_minus); + (void)zone_contents_nsec3_apply(chs->remove, rrtypelist_callback, &ctx_minus); + (void)zone_contents_apply(chs->add, rrtypelist_callback, &ctx_plus); + (void)zone_contents_nsec3_apply(chs->add, rrtypelist_callback, &ctx_plus); + + if (chs->soa_from == NULL) { + printf("Zone-in-journal %u +++: %zu\t size: %zu\t", knot_soa_serial(chs->soa_to->rrs.rdata), + count_plus, changeset_serialized_size(chs)); + } else { + printf("%u -> %u ---: %zu\t +++: %zu\t size: %zu\t", knot_soa_serial(chs->soa_from->rrs.rdata), + knot_soa_serial(chs->soa_to->rrs.rdata), count_minus, count_plus, changeset_serialized_size(chs)); + } + + char temp[100]; + dynarray_foreach(rrtype, uint16_t, i, types) { + (void)knot_rrtype_to_string(*i, temp, sizeof(temp)); + printf(" %s", temp); + } + printf("\n"); +} + +static int count_changeset_cb(bool special, const changeset_t *ch, void *ctx) +{ + UNUSED(special); + + print_params_t *params = ctx; + if (ch != NULL) { + params->counter++; + } + return KNOT_EOK; +} + +static int print_changeset_cb(bool special, const changeset_t *ch, void *ctx) +{ + print_params_t *params = ctx; + if (ch != NULL && params->counter++ >= params->limit) { + if (params->debug) { + print_changeset_debugmode(ch); + params->changes++; + } else { + print_changeset(ch, params); + } + if (special && params->debug) { + printf("---------------------------------------------\n"); + } + } + return KNOT_EOK; +} + +int print_journal(char *path, knot_dname_t *name, print_params_t *params) +{ + knot_lmdb_db_t jdb = { 0 }; + zone_journal_t j = { &jdb, name }; + bool exists; + uint64_t occupied, occupied_all; + + knot_lmdb_init(&jdb, path, 0, journal_env_flags(JOURNAL_MODE_ROBUST, true), NULL); + if (!knot_lmdb_exists(&jdb)) { + knot_lmdb_deinit(&jdb); + return KNOT_EFILE; + } + + int ret = knot_lmdb_open(&jdb); + if (ret != KNOT_EOK) { + knot_lmdb_deinit(&jdb); + return ret; + } + + ret = journal_info(j, &exists, NULL, NULL, NULL, NULL, NULL, &occupied, &occupied_all); + if (ret != KNOT_EOK || !exists) { + fprintf(stderr, "This zone does not exist in DB %s\n", path); + knot_lmdb_deinit(&jdb); + return ret == KNOT_EOK ? KNOT_ENOENT : ret; + } + + if (params->check) { + ret = journal_sem_check(j); + if (ret > 0) { + fprintf(stderr, "Journal semantic check error: %d\n", ret); + } else if (ret != KNOT_EOK) { + fprintf(stderr, "Journal semantic check failed (%s).\n", knot_strerror(ret)); + } + } + + if (params->limit >= 0 && ret == KNOT_EOK) { + if (params->from_serial) { + ret = journal_walk_from(j, params->serial, count_changeset_cb, params); + } else { + ret = journal_walk(j, count_changeset_cb, params); + } + } + if (ret == KNOT_EOK) { + if (params->limit < 0 || params->counter <= params->limit) { + params->limit = 0; + } else { + params->limit = params->counter - params->limit; + } + params->counter = 0; + if (params->from_serial) { + ret = journal_walk_from(j, params->serial, print_changeset_cb, params); + } else { + ret = journal_walk(j, print_changeset_cb, params); + } + } + + if (params->debug && ret == KNOT_EOK) { + printf("Total number of changesets: %zu\n", params->changes); + printf("Occupied this zone (approx): %"PRIu64" KiB\n", occupied / 1024); + printf("Occupied all zones together: %"PRIu64" KiB\n", occupied_all / 1024); + } + + knot_lmdb_deinit(&jdb); + return ret; +} + +static int add_zone_to_list(const knot_dname_t *zone, void *list) +{ + knot_dname_t *copy = knot_dname_copy(zone, NULL); + if (copy == NULL) { + return KNOT_ENOMEM; + } + return ptrlist_add(list, copy, NULL) == NULL ? KNOT_ENOMEM : KNOT_EOK; +} + +static int list_zone(const knot_dname_t *zone, bool detailed, knot_lmdb_db_t *jdb, uint64_t *occupied_all) +{ + knot_dname_txt_storage_t zone_str; + if (knot_dname_to_str(zone_str, zone, sizeof(zone_str)) == NULL) { + return KNOT_EINVAL; + } + + if (detailed) { + zone_journal_t j = { jdb, zone }; + bool exists; + uint64_t occupied; + + int ret = journal_info(j, &exists, NULL, NULL, NULL, NULL, NULL, &occupied, occupied_all); + if (ret != KNOT_EOK) { + return ret; + } + assert(exists); + printf("%s \t%"PRIu64" KiB\n", zone_str, occupied / 1024); + } else { + printf("%s\n", zone_str); + } + return KNOT_EOK; +} + +int list_zones(char *path, bool detailed) +{ + knot_lmdb_db_t jdb = { 0 }; + knot_lmdb_init(&jdb, path, 0, journal_env_flags(JOURNAL_MODE_ROBUST, true), NULL); + + list_t zones; + init_list(&zones); + ptrnode_t *zone; + uint64_t occupied_all = 0; + + int ret = journals_walk(&jdb, add_zone_to_list, &zones); + WALK_LIST(zone, zones) { + if (ret != KNOT_EOK) { + break; + } + ret = list_zone(zone->d, detailed, &jdb, &occupied_all); + } + + knot_lmdb_deinit(&jdb); + ptrlist_deep_free(&zones, NULL); + + if (detailed && ret == KNOT_EOK) { + printf("Occupied all zones together: %"PRIu64" KiB\n", occupied_all / 1024); + } + return ret; +} + +int main(int argc, char *argv[]) +{ + bool justlist = false; + + print_params_t params = { + .debug = false, + .color = true, + .check = false, + .limit = -1, + .from_serial = false, + }; + + struct option opts[] = { + { "limit", required_argument, NULL, 'l' }, + { "serial", required_argument, NULL, 's' }, + { "no-color", no_argument, NULL, 'n' }, + { "zone-list", no_argument, NULL, 'z' }, + { "check", no_argument, NULL, 'c' }, + { "debug", no_argument, NULL, 'd' }, + { "help", no_argument, NULL, 'h' }, + { "version", no_argument, NULL, 'V' }, + { NULL } + }; + + int opt = 0; + while ((opt = getopt_long(argc, argv, "l:s:nzcdhV", opts, NULL)) != -1) { + switch (opt) { + case 'l': + if (str_to_int(optarg, ¶ms.limit, 0, INT_MAX) != KNOT_EOK) { + print_help(); + return EXIT_FAILURE; + } + break; + case 's': + if (str_to_u32(optarg, ¶ms.serial) != KNOT_EOK) { + print_help(); + return EXIT_FAILURE; + } + params.from_serial = true; + break; + case 'n': + params.color = false; + break; + case 'z': + justlist = true; + break; + case 'c': + params.check = true; + break; + case 'd': + params.debug = true; + break; + case 'h': + print_help(); + return EXIT_SUCCESS; + case 'V': + print_version(PROGRAM_NAME); + return EXIT_SUCCESS; + default: + print_help(); + return EXIT_FAILURE; + } + } + + char *db = NULL; + knot_dname_t *name = NULL; + + switch (argc - optind) { + case 2: + name = knot_dname_from_str_alloc(argv[optind + 1]); + knot_dname_to_lower(name); + // FALLTHROUGH + case 1: + db = argv[optind]; + break; + default: + print_help(); + return EXIT_FAILURE; + } + + if (db == NULL) { + fprintf(stderr, "Journal DB path not specified\n"); + return EXIT_FAILURE; + } + + if (justlist) { + int ret = list_zones(db, params.debug); + switch (ret) { + case KNOT_ENOENT: + printf("No zones in journal DB\n"); + // FALLTHROUGH + case KNOT_EOK: + return EXIT_SUCCESS; + case KNOT_EFILE: + fprintf(stderr, "The specified journal DB is invalid\n"); + return EXIT_FAILURE; + case KNOT_EMALF: + fprintf(stderr, "The journal DB is broken\n"); + return EXIT_FAILURE; + default: + fprintf(stderr, "Failed to load zone list (%s)\n", knot_strerror(ret)); + return EXIT_FAILURE; + } + } + + if (name == NULL) { + fprintf(stderr, "Zone not specified\n"); + return EXIT_FAILURE; + } + + int ret = print_journal(db, name, ¶ms); + free(name); + + switch (ret) { + case KNOT_ENOENT: + if (params.from_serial) { + printf("The journal is empty or the serial not present\n"); + } else { + printf("The journal is empty\n"); + } + break; + case KNOT_EFILE: + fprintf(stderr, "The specified journal DB is invalid\n"); + return EXIT_FAILURE; + case KNOT_EOUTOFZONE: + fprintf(stderr, "The specified journal DB does not contain the specified zone\n"); + return EXIT_FAILURE; + case KNOT_EOK: + break; + default: + fprintf(stderr, "Failed to load changesets (%s)\n", knot_strerror(ret)); + return EXIT_FAILURE; + } + + return EXIT_SUCCESS; +} diff --git a/src/utils/knotc/commands.c b/src/utils/knotc/commands.c new file mode 100644 index 0000000..f0be025 --- /dev/null +++ b/src/utils/knotc/commands.c @@ -0,0 +1,1138 @@ +/* Copyright (C) 2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#include <stdio.h> +#include <stdlib.h> +#include <string.h> + +#include "libknot/libknot.h" +#include "knot/common/log.h" +#include "knot/ctl/commands.h" +#include "knot/conf/conf.h" +#include "knot/conf/confdb.h" +#include "knot/zone/zonefile.h" +#include "knot/zone/zone-load.h" +#include "contrib/macros.h" +#include "contrib/string.h" +#include "contrib/strtonum.h" +#include "contrib/openbsd/strlcat.h" +#include "utils/knotc/commands.h" + +#define CMD_EXIT "exit" + +#define CMD_STATUS "status" +#define CMD_STOP "stop" +#define CMD_RELOAD "reload" +#define CMD_STATS "stats" + +#define CMD_ZONE_CHECK "zone-check" +#define CMD_ZONE_STATUS "zone-status" +#define CMD_ZONE_RELOAD "zone-reload" +#define CMD_ZONE_REFRESH "zone-refresh" +#define CMD_ZONE_RETRANSFER "zone-retransfer" +#define CMD_ZONE_NOTIFY "zone-notify" +#define CMD_ZONE_FLUSH "zone-flush" +#define CMD_ZONE_BACKUP "zone-backup" +#define CMD_ZONE_RESTORE "zone-restore" +#define CMD_ZONE_SIGN "zone-sign" +#define CMD_ZONE_KEY_ROLL "zone-key-rollover" +#define CMD_ZONE_KSK_SBM "zone-ksk-submitted" +#define CMD_ZONE_FREEZE "zone-freeze" +#define CMD_ZONE_THAW "zone-thaw" + +#define CMD_ZONE_READ "zone-read" +#define CMD_ZONE_BEGIN "zone-begin" +#define CMD_ZONE_COMMIT "zone-commit" +#define CMD_ZONE_ABORT "zone-abort" +#define CMD_ZONE_DIFF "zone-diff" +#define CMD_ZONE_GET "zone-get" +#define CMD_ZONE_SET "zone-set" +#define CMD_ZONE_UNSET "zone-unset" +#define CMD_ZONE_PURGE "zone-purge" +#define CMD_ZONE_STATS "zone-stats" + +#define CMD_CONF_INIT "conf-init" +#define CMD_CONF_CHECK "conf-check" +#define CMD_CONF_IMPORT "conf-import" +#define CMD_CONF_EXPORT "conf-export" +#define CMD_CONF_LIST "conf-list" +#define CMD_CONF_READ "conf-read" +#define CMD_CONF_BEGIN "conf-begin" +#define CMD_CONF_COMMIT "conf-commit" +#define CMD_CONF_ABORT "conf-abort" +#define CMD_CONF_DIFF "conf-diff" +#define CMD_CONF_GET "conf-get" +#define CMD_CONF_SET "conf-set" +#define CMD_CONF_UNSET "conf-unset" + +#define CTL_LOG_STR "failed to control" + +#define CTL_SEND(type, data) \ + ret = knot_ctl_send(args->ctl, (type), (data)); \ + if (ret != KNOT_EOK) { \ + log_error(CTL_LOG_STR" (%s)", knot_strerror(ret)); \ + return ret; \ + } + +#define CTL_SEND_DATA CTL_SEND(KNOT_CTL_TYPE_DATA, &data) +#define CTL_SEND_BLOCK CTL_SEND(KNOT_CTL_TYPE_BLOCK, NULL) + +static int check_args(cmd_args_t *args, int min, int max) +{ + if (max == 0 && args->argc > 0) { + log_error("command doesn't take arguments"); + return KNOT_EINVAL; + } else if (min == max && args->argc != min) { + log_error("command requires %i arguments", min); + return KNOT_EINVAL; + } else if (args->argc < min) { + log_error("command requires at least %i arguments", min); + return KNOT_EINVAL; + } else if (max > 0 && args->argc > max) { + log_error("command takes at most %i arguments", max); + return KNOT_EINVAL; + } + + return KNOT_EOK; +} + +static int check_conf_args(cmd_args_t *args) +{ + // Mask relevant flags. + cmd_flag_t flags = args->desc->flags; + flags &= CMD_FOPT_ITEM | CMD_FREQ_ITEM | CMD_FOPT_DATA; + + switch (args->argc) { + case 0: + if (flags == CMD_FNONE || (flags & CMD_FOPT_ITEM)) { + return KNOT_EOK; + } + break; + case 1: + if (flags & (CMD_FOPT_ITEM | CMD_FREQ_ITEM)) { + return KNOT_EOK; + } + break; + default: + if (flags != CMD_FNONE) { + return KNOT_EOK; + } + break; + } + + log_error("invalid number of arguments"); + + return KNOT_EINVAL; +} + +static int get_conf_key(const char *key, knot_ctl_data_t *data) +{ + // Get key0. + const char *key0 = key; + + // Check for id. + char *id = strchr(key, '['); + if (id != NULL) { + // Separate key0 and id. + *id++ = '\0'; + + // Check for id end. + char *id_end = id; + while ((id_end = strchr(id_end, ']')) != NULL) { + // Check for escaped character. + if (*(id_end - 1) != '\\') { + break; + } + id_end++; + } + + // Check for unclosed id. + if (id_end == NULL) { + log_error("(missing bracket after identifier) %s", id); + return KNOT_EINVAL; + } + + // Separate id and key1. + *id_end = '\0'; + + key = id_end + 1; + + // Key1 or nothing must follow. + if (*key != '.' && *key != '\0') { + log_error("(unexpected token) %s", key); + return KNOT_EINVAL; + } + } + + // Check for key1. + char *key1 = strchr(key, '.'); + if (key1 != NULL) { + // Separate key0/id and key1. + *key1++ = '\0'; + + if (*key1 == '\0') { + log_error("(missing item specification)"); + return KNOT_EINVAL; + } + } + + (*data)[KNOT_CTL_IDX_SECTION] = key0; + (*data)[KNOT_CTL_IDX_ITEM] = key1; + (*data)[KNOT_CTL_IDX_ID] = id; + + return KNOT_EOK; +} + +static void format_data(ctl_cmd_t cmd, knot_ctl_type_t data_type, + knot_ctl_data_t *data, bool *empty) +{ + const char *error = (*data)[KNOT_CTL_IDX_ERROR]; + const char *flags = (*data)[KNOT_CTL_IDX_FLAGS]; + const char *key0 = (*data)[KNOT_CTL_IDX_SECTION]; + const char *key1 = (*data)[KNOT_CTL_IDX_ITEM]; + const char *id = (*data)[KNOT_CTL_IDX_ID]; + const char *zone = (*data)[KNOT_CTL_IDX_ZONE]; + const char *owner = (*data)[KNOT_CTL_IDX_OWNER]; + const char *ttl = (*data)[KNOT_CTL_IDX_TTL]; + const char *type = (*data)[KNOT_CTL_IDX_TYPE]; + const char *value = (*data)[KNOT_CTL_IDX_DATA]; + + const char *sign = NULL; + if (ctl_has_flag(flags, CTL_FLAG_ADD)) { + sign = CTL_FLAG_ADD; + } else if (ctl_has_flag(flags, CTL_FLAG_REM)) { + sign = CTL_FLAG_REM; + } + + switch (cmd) { + case CTL_STATUS: + if (error != NULL) { + printf("error: (%s)%s%s", error, + (type != NULL) ? " " : "", + (type != NULL) ? type : ""); + } else if (value != NULL) { + printf("%s", value); + *empty = false; + } + break; + case CTL_STOP: + case CTL_RELOAD: + case CTL_CONF_BEGIN: + case CTL_CONF_ABORT: + // Only error message is expected here. + if (error != NULL) { + printf("error: (%s)", error); + } + break; + case CTL_ZONE_STATUS: + case CTL_ZONE_RELOAD: + case CTL_ZONE_REFRESH: + case CTL_ZONE_RETRANSFER: + case CTL_ZONE_NOTIFY: + case CTL_ZONE_FLUSH: + case CTL_ZONE_BACKUP: + case CTL_ZONE_RESTORE: + case CTL_ZONE_SIGN: + case CTL_ZONE_KEY_ROLL: + case CTL_ZONE_KSK_SBM: + case CTL_ZONE_FREEZE: + case CTL_ZONE_THAW: + case CTL_ZONE_BEGIN: + case CTL_ZONE_COMMIT: + case CTL_ZONE_ABORT: + case CTL_ZONE_PURGE: + if (data_type == KNOT_CTL_TYPE_DATA) { + printf("%s%s%s%s%s%s%s%s", + (!(*empty) ? "\n" : ""), + (error != NULL ? "error: " : ""), + (zone != NULL ? "[" : ""), + (zone != NULL ? zone : ""), + (zone != NULL ? "]" : ""), + (error != NULL ? " (" : ""), + (error != NULL ? error : ""), + (error != NULL ? ")" : "")); + *empty = false; + } + if (cmd == CTL_ZONE_STATUS && type != NULL) { + printf("%s %s: %s", + (data_type != KNOT_CTL_TYPE_DATA ? " |" : ""), + type, value); + } + break; + case CTL_CONF_COMMIT: // Can return a check error context. + case CTL_CONF_LIST: + case CTL_CONF_READ: + case CTL_CONF_DIFF: + case CTL_CONF_GET: + case CTL_CONF_SET: + case CTL_CONF_UNSET: + if (data_type == KNOT_CTL_TYPE_DATA) { + printf("%s%s%s%s%s%s%s%s%s%s%s%s", + (!(*empty) ? "\n" : ""), + (error != NULL ? "error: (" : ""), + (error != NULL ? error : ""), + (error != NULL ? ") " : ""), + (sign != NULL ? sign : ""), + (key0 != NULL ? key0 : ""), + (id != NULL ? "[" : ""), + (id != NULL ? id : ""), + (id != NULL ? "]" : ""), + (key1 != NULL ? "." : ""), + (key1 != NULL ? key1 : ""), + (value != NULL ? " =" : "")); + *empty = false; + } + if (value != NULL) { + printf(" %s", value); + } + break; + case CTL_ZONE_READ: + case CTL_ZONE_DIFF: + case CTL_ZONE_GET: + case CTL_ZONE_SET: + case CTL_ZONE_UNSET: + printf("%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s", + (!(*empty) ? "\n" : ""), + (error != NULL ? "error: (" : ""), + (error != NULL ? error : ""), + (error != NULL ? ") " : ""), + (zone != NULL ? "[" : ""), + (zone != NULL ? zone : ""), + (zone != NULL ? "] " : ""), + (sign != NULL ? sign : ""), + (owner != NULL ? owner : ""), + (ttl != NULL ? " " : ""), + (ttl != NULL ? ttl : ""), + (type != NULL ? " " : ""), + (type != NULL ? type : ""), + (value != NULL ? " " : ""), + (value != NULL ? value : "")); + *empty = false; + break; + case CTL_STATS: + case CTL_ZONE_STATS: + printf("%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s", + (!(*empty) ? "\n" : ""), + (error != NULL ? "error: (" : ""), + (error != NULL ? error : ""), + (error != NULL ? ") " : ""), + (zone != NULL ? "[" : ""), + (zone != NULL ? zone : ""), + (zone != NULL ? "] " : ""), + (key0 != NULL ? key0 : ""), + (key1 != NULL ? "." : ""), + (key1 != NULL ? key1 : ""), + (id != NULL ? "[" : ""), + (id != NULL ? id : ""), + (id != NULL ? "]" : ""), + (value != NULL ? " = " : ""), + (value != NULL ? value : "")); + *empty = false; + break; + default: + assert(0); + } +} + +static void format_block(ctl_cmd_t cmd, bool failed, bool empty) +{ + switch (cmd) { + case CTL_STATUS: + printf("%s\n", (failed || !empty) ? "" : "Running"); + break; + case CTL_STOP: + printf("%s\n", failed ? "" : "Stopped"); + break; + case CTL_RELOAD: + printf("%s\n", failed ? "" : "Reloaded"); + break; + case CTL_CONF_BEGIN: + case CTL_CONF_COMMIT: + case CTL_CONF_ABORT: + case CTL_CONF_SET: + case CTL_CONF_UNSET: + case CTL_ZONE_RELOAD: + case CTL_ZONE_REFRESH: + case CTL_ZONE_RETRANSFER: + case CTL_ZONE_NOTIFY: + case CTL_ZONE_FLUSH: + case CTL_ZONE_BACKUP: + case CTL_ZONE_RESTORE: + case CTL_ZONE_SIGN: + case CTL_ZONE_KEY_ROLL: + case CTL_ZONE_KSK_SBM: + case CTL_ZONE_FREEZE: + case CTL_ZONE_THAW: + case CTL_ZONE_BEGIN: + case CTL_ZONE_COMMIT: + case CTL_ZONE_ABORT: + case CTL_ZONE_SET: + case CTL_ZONE_UNSET: + case CTL_ZONE_PURGE: + printf("%s\n", failed ? "" : "OK"); + break; + case CTL_ZONE_STATUS: + case CTL_ZONE_READ: + case CTL_ZONE_DIFF: + case CTL_ZONE_GET: + case CTL_CONF_LIST: + case CTL_CONF_READ: + case CTL_CONF_DIFF: + case CTL_CONF_GET: + case CTL_ZONE_STATS: + case CTL_STATS: + printf("%s", empty ? "" : "\n"); + break; + default: + assert(0); + } +} + +static int ctl_receive(cmd_args_t *args) +{ + bool failed = false; + bool empty = true; + + while (true) { + knot_ctl_type_t type; + knot_ctl_data_t data; + + int ret = knot_ctl_receive(args->ctl, &type, &data); + if (ret != KNOT_EOK) { + log_error(CTL_LOG_STR" (%s)", knot_strerror(ret)); + return ret; + } + + switch (type) { + case KNOT_CTL_TYPE_END: + log_error(CTL_LOG_STR" (%s)", knot_strerror(KNOT_EMALF)); + return KNOT_EMALF; + case KNOT_CTL_TYPE_BLOCK: + format_block(args->desc->cmd, failed, empty); + return failed ? KNOT_ERROR : KNOT_EOK; + case KNOT_CTL_TYPE_DATA: + case KNOT_CTL_TYPE_EXTRA: + format_data(args->desc->cmd, type, &data, &empty); + break; + default: + assert(0); + return KNOT_EINVAL; + } + + if (data[KNOT_CTL_IDX_ERROR] != NULL) { + failed = true; + } + } + + return KNOT_EOK; +} + +static int cmd_ctl(cmd_args_t *args) +{ + int ret = check_args(args, 0, (args->desc->cmd == CTL_STATUS ? 1 : 0)); + if (ret != KNOT_EOK) { + return ret; + } + + knot_ctl_data_t data = { + [KNOT_CTL_IDX_CMD] = ctl_cmd_to_str(args->desc->cmd), + [KNOT_CTL_IDX_FLAGS] = args->flags, + [KNOT_CTL_IDX_TYPE] = args->argc > 0 ? args->argv[0] : NULL + }; + + CTL_SEND_DATA + CTL_SEND_BLOCK + + return ctl_receive(args); +} + +static int set_stats_items(cmd_args_t *args, knot_ctl_data_t *data) +{ + int min_args, max_args; + switch (args->desc->cmd) { + case CTL_STATS: min_args = 0; max_args = 1; break; + case CTL_ZONE_STATS: min_args = 1; max_args = 2; break; + default: + assert(0); + return KNOT_EINVAL; + } + + // Check the number of arguments. + int ret = check_args(args, min_args, max_args); + if (ret != KNOT_EOK) { + return ret; + } + + int idx = 0; + + // Set ZONE name. + if (args->argc > idx && args->desc->cmd == CTL_ZONE_STATS) { + if (strcmp(args->argv[idx], "--") != 0) { + (*data)[KNOT_CTL_IDX_ZONE] = args->argv[idx]; + } + idx++; + } + + if (args->argc > idx) { + (*data)[KNOT_CTL_IDX_SECTION] = args->argv[idx]; + + char *item = strchr(args->argv[idx], '.'); + if (item != NULL) { + // Separate section and item. + *item++ = '\0'; + (*data)[KNOT_CTL_IDX_ITEM] = item; + } + } + + return KNOT_EOK; +} + +static int cmd_stats_ctl(cmd_args_t *args) +{ + knot_ctl_data_t data = { + [KNOT_CTL_IDX_CMD] = ctl_cmd_to_str(args->desc->cmd), + [KNOT_CTL_IDX_FLAGS] = args->flags, + }; + + int ret = set_stats_items(args, &data); + if (ret != KNOT_EOK) { + return ret; + } + + CTL_SEND_DATA + CTL_SEND_BLOCK + + return ctl_receive(args); +} + +static int zone_exec(cmd_args_t *args, int (*fcn)(const knot_dname_t *, void *), + void *data) +{ + bool failed = false; + + // Process specified zones. + if (args->argc > 0) { + knot_dname_storage_t id; + + for (int i = 0; i < args->argc; i++) { + if (knot_dname_from_str(id, args->argv[i], sizeof(id)) == NULL) { + log_zone_str_error(args->argv[i], "invalid name"); + failed = true; + continue; + } + knot_dname_to_lower(id); + + if (!conf_rawid_exists(conf(), C_ZONE, id, knot_dname_size(id))) { + log_zone_error(id, "%s", knot_strerror(KNOT_ENOZONE)); + failed = true; + continue; + } + + if (fcn(id, data) != KNOT_EOK) { + failed = true; + } + } + // Process all configured zones. + } else { + for (conf_iter_t iter = conf_iter(conf(), C_ZONE); + iter.code == KNOT_EOK; conf_iter_next(conf(), &iter)) { + conf_val_t val = conf_iter_id(conf(), &iter); + const knot_dname_t *id = conf_dname(&val); + + if (fcn(id, data) != KNOT_EOK) { + failed = true; + } + } + } + + return failed ? KNOT_ERROR : KNOT_EOK; +} + +static int zone_check(const knot_dname_t *dname, void *data) +{ + cmd_args_t *args = data; + + zone_contents_t *contents = NULL; + int ret = zone_load_contents(conf(), dname, &contents, args->force); + zone_contents_deep_free(contents); + return ret; +} + +static int cmd_zone_check(cmd_args_t *args) +{ + return zone_exec(args, zone_check, args); +} + +static int cmd_zone_key_roll_ctl(cmd_args_t *args) +{ + int ret = check_args(args, 2, 2); + if (ret != KNOT_EOK) { + return ret; + } + + knot_ctl_data_t data = { + [KNOT_CTL_IDX_CMD] = ctl_cmd_to_str(args->desc->cmd), + [KNOT_CTL_IDX_FLAGS] = args->flags, + [KNOT_CTL_IDX_ZONE] = args->argv[0], + [KNOT_CTL_IDX_TYPE] = args->argv[1], + }; + + CTL_SEND_DATA + CTL_SEND_BLOCK + + return ctl_receive(args); +} + +static int cmd_zone_ctl(cmd_args_t *args) +{ + knot_ctl_data_t data = { + [KNOT_CTL_IDX_CMD] = ctl_cmd_to_str(args->desc->cmd), + [KNOT_CTL_IDX_FLAGS] = args->flags, + }; + + // Check the number of arguments. + int ret = check_args(args, (args->desc->flags & CMD_FREQ_ZONE) ? 1 : 0, -1); + if (ret != KNOT_EOK) { + return ret; + } + + if (args->desc->cmd == CTL_ZONE_PURGE && !args->force) { + log_error("force option required!"); + return KNOT_EDENIED; + } + + // Ignore all zones argument. + if (args->argc == 1 && strcmp(args->argv[0], "--") == 0) { + args->argc = 0; + } + + if (args->argc == 0) { + CTL_SEND_DATA + } + for (int i = 0; i < args->argc; i++) { + data[KNOT_CTL_IDX_ZONE] = args->argv[i]; + + CTL_SEND_DATA + } + + CTL_SEND_BLOCK + + return ctl_receive(args); +} + +#define MAX_FILTERS 7 + +typedef struct { + const char *name; + char id; + bool with_data; // Only ONE filter of each filter_desc_t may have data! +} filter_desc_t; + +const filter_desc_t zone_flush_filters[MAX_FILTERS] = { + { "+outdir", CTL_FILTER_FLUSH_OUTDIR, true }, +}; + +const filter_desc_t zone_backup_filters[MAX_FILTERS] = { + { "+backupdir", CTL_FILTER_FLUSH_OUTDIR, true }, + { "+journal", CTL_FILTER_PURGE_JOURNAL, false }, + { "+nozonefile", CTL_FILTER_PURGE_ZONEFILE, false }, +}; + +const filter_desc_t zone_status_filters[MAX_FILTERS] = { + { "+role", CTL_FILTER_STATUS_ROLE }, + { "+serial", CTL_FILTER_STATUS_SERIAL }, + { "+transaction", CTL_FILTER_STATUS_TRANSACTION }, + { "+freeze", CTL_FILTER_STATUS_FREEZE }, + { "+events", CTL_FILTER_STATUS_EVENTS }, +}; + +const filter_desc_t zone_purge_filters[MAX_FILTERS] = { + { "+expire", CTL_FILTER_PURGE_EXPIRE }, + { "+timers", CTL_FILTER_PURGE_TIMERS }, + { "+zonefile", CTL_FILTER_PURGE_ZONEFILE }, + { "+journal", CTL_FILTER_PURGE_JOURNAL }, + { "+kaspdb", CTL_FILTER_PURGE_KASPDB }, + { "+orphan", CTL_FILTER_PURGE_ORPHAN }, +}; + +const filter_desc_t null_filter = { 0 }; + +static const filter_desc_t *get_filter(ctl_cmd_t cmd, const char *filter_name) +{ + const filter_desc_t *fd = NULL; + switch (cmd) { + case CTL_ZONE_FLUSH: + fd = zone_flush_filters; + break; + case CTL_ZONE_BACKUP: + case CTL_ZONE_RESTORE: + fd = zone_backup_filters; + break; + case CTL_ZONE_STATUS: + fd = zone_status_filters; + break; + case CTL_ZONE_PURGE: + fd = zone_purge_filters; + break; + default: + return &null_filter; + } + for (size_t i = 0; i < MAX_FILTERS && fd[i].name != NULL; i++) { + if (strcmp(fd[i].name, filter_name) == 0) { + return &fd[i]; + } + } + return &null_filter; +} + +static int cmd_zone_filter_ctl(cmd_args_t *args) +{ + knot_ctl_data_t data = { + [KNOT_CTL_IDX_CMD] = ctl_cmd_to_str(args->desc->cmd), + [KNOT_CTL_IDX_FLAGS] = args->flags, + }; + + if (args->desc->cmd == CTL_ZONE_PURGE && !args->force) { + log_error("force option required!"); + return KNOT_EDENIED; + } + + char filter_buff[MAX_FILTERS + 1] = { 0 }; + + // First, process the filters. + for (int i = 0; i < args->argc; i++) { + if (args->argv[i][0] == '+') { + if (data[KNOT_CTL_IDX_FILTER] == NULL) { + data[KNOT_CTL_IDX_FILTER] = filter_buff; + } + char filter_id[2] = { get_filter(args->desc->cmd, args->argv[i])->id, 0 }; + if (filter_id[0] == '\0') { + log_error("unknown filter: %s", args->argv[i]); + return KNOT_EINVAL; + } + if (strchr(filter_buff, filter_id[0]) == NULL) { + assert(strlen(filter_buff) < MAX_FILTERS); + strlcat(filter_buff, filter_id, sizeof(filter_buff)); + } + if (get_filter(args->desc->cmd, args->argv[i])->with_data) { + data[KNOT_CTL_IDX_DATA] = args->argv[++i]; + } + } + } + + // Second, process zones. + int ret; + int sentzones = 0; + bool twodash = false; + for (int i = 0; i < args->argc; i++) { + // Skip filters. + if (args->argv[i][0] == '+') { + if (get_filter(args->desc->cmd, args->argv[i])->with_data) { + i++; + } + continue; + } + + if (strcmp(args->argv[i], "--") != 0) { + data[KNOT_CTL_IDX_ZONE] = args->argv[i]; + CTL_SEND_DATA + sentzones++; + } else { + twodash = true; + } + } + + if ((args->desc->flags & CMD_FREQ_ZONE) && sentzones == 0 && !twodash) { + log_error("zone must be specified (or -- for all zones)"); + return KNOT_EDENIED; + } + + if (sentzones == 0) { + CTL_SEND_DATA + } + CTL_SEND_BLOCK + + return ctl_receive(args); +} + +static int set_rdata(cmd_args_t *args, int pos, char *rdata, size_t rdata_len) +{ + rdata[0] = '\0'; + + for (int i = pos; i < args->argc; i++) { + if (i > pos && strlcat(rdata, " ", rdata_len) >= rdata_len) { + return KNOT_ESPACE; + } + if (strlcat(rdata, args->argv[i], rdata_len) >= rdata_len) { + return KNOT_ESPACE; + } + } + + return KNOT_EOK; +} + +static int set_node_items(cmd_args_t *args, knot_ctl_data_t *data, char *rdata, + size_t rdata_len) +{ + int min_args, max_args; + switch (args->desc->cmd) { + case CTL_ZONE_READ: + case CTL_ZONE_GET: min_args = 1; max_args = 3; break; + case CTL_ZONE_DIFF: min_args = 1; max_args = 1; break; + case CTL_ZONE_SET: min_args = 3; max_args = -1; break; + case CTL_ZONE_UNSET: min_args = 2; max_args = -1; break; + default: + assert(0); + return KNOT_EINVAL; + } + + // Check the number of arguments. + int ret = check_args(args, min_args, max_args); + if (ret != KNOT_EOK) { + return ret; + } + + int idx = 0; + + // Set ZONE name. + assert(args->argc > idx); + if (strcmp(args->argv[idx], "--") != 0) { + (*data)[KNOT_CTL_IDX_ZONE] = args->argv[idx]; + } + idx++; + + // Set OWNER name if specified. + if (args->argc > idx) { + (*data)[KNOT_CTL_IDX_OWNER] = args->argv[idx]; + idx++; + } + + // Set TTL only with an editing operation. + if (args->argc > idx) { + uint32_t num; + uint16_t type; + if (knot_rrtype_from_string(args->argv[idx], &type) != 0 && + str_to_u32(args->argv[idx], &num) == KNOT_EOK) { + switch (args->desc->cmd) { + case CTL_ZONE_SET: + case CTL_ZONE_UNSET: + (*data)[KNOT_CTL_IDX_TTL] = args->argv[idx]; + idx++; + break; + default: + break; + } + } + } + + // Set record TYPE if specified. + if (args->argc > idx) { + (*data)[KNOT_CTL_IDX_TYPE] = args->argv[idx]; + idx++; + } + + // Set record DATA if specified. + if (args->argc > idx) { + ret = set_rdata(args, idx, rdata, rdata_len); + if (ret != KNOT_EOK) { + return ret; + } + (*data)[KNOT_CTL_IDX_DATA] = rdata; + } + + return KNOT_EOK; +} + +static int cmd_zone_node_ctl(cmd_args_t *args) +{ + knot_ctl_data_t data = { + [KNOT_CTL_IDX_CMD] = ctl_cmd_to_str(args->desc->cmd), + [KNOT_CTL_IDX_FLAGS] = args->flags, + }; + + char rdata[65536]; // Maximum item size in libknot control interface. + + int ret = set_node_items(args, &data, rdata, sizeof(rdata)); + if (ret != KNOT_EOK) { + return ret; + } + + CTL_SEND_DATA + CTL_SEND_BLOCK + + return ctl_receive(args); +} + +static int cmd_conf_init(cmd_args_t *args) +{ + int ret = check_args(args, 0, 0); + if (ret != KNOT_EOK) { + return ret; + } + + ret = conf_db_check(conf(), &conf()->read_txn); + if ((ret >= KNOT_EOK || ret == KNOT_CONF_EVERSION)) { + if (ret != KNOT_EOK && !args->force) { + log_error("use force option to overwrite the existing " + "destination and ensure the server is not running!"); + return KNOT_EDENIED; + } + + ret = conf_import(conf(), "", false, false); + } + + if (ret == KNOT_EOK) { + log_info("OK"); + } else { + log_error("init (%s)", knot_strerror(ret)); + } + + return ret; +} + +static int cmd_conf_check(cmd_args_t *args) +{ + int ret = check_args(args, 0, 0); + if (ret != KNOT_EOK) { + return ret; + } + + log_info("Configuration is valid"); + + return 0; +} + +static int cmd_conf_import(cmd_args_t *args) +{ + int ret = check_args(args, 1, 1); + if (ret != KNOT_EOK) { + return ret; + } + + ret = conf_db_check(conf(), &conf()->read_txn); + if ((ret >= KNOT_EOK || ret == KNOT_CONF_EVERSION)) { + if (ret != KNOT_EOK && !args->force) { + log_error("use force option to overwrite the existing " + "destination and ensure the server is not running!"); + return KNOT_EDENIED; + } + + log_debug("importing confdb from file '%s'", args->argv[0]); + + ret = conf_import(conf(), args->argv[0], true, false); + } + + if (ret == KNOT_EOK) { + log_info("OK"); + } else { + log_error("import (%s)", knot_strerror(ret)); + } + + return ret; +} + +static int cmd_conf_export(cmd_args_t *args) +{ + int ret = check_args(args, 0, 1); + if (ret != KNOT_EOK) { + return ret; + } + + // Stdout is the default output file. + const char *file_name = NULL; + if (args->argc > 0) { + file_name = args->argv[0]; + log_debug("exporting confdb into file '%s'", file_name); + } + + ret = conf_export(conf(), file_name, YP_SNONE); + + if (ret == KNOT_EOK) { + if (args->argc > 0) { + log_info("OK"); + } + } else { + log_error("export (%s)", knot_strerror(ret)); + } + + return ret; +} + +static int cmd_conf_ctl(cmd_args_t *args) +{ + // Check the number of arguments. + int ret = check_conf_args(args); + if (ret != KNOT_EOK) { + return ret; + } + + knot_ctl_data_t data = { + [KNOT_CTL_IDX_CMD] = ctl_cmd_to_str(args->desc->cmd), + [KNOT_CTL_IDX_FLAGS] = args->flags, + }; + + // Send the command without parameters. + if (args->argc == 0) { + CTL_SEND_DATA + // Set the first item argument. + } else { + ret = get_conf_key(args->argv[0], &data); + if (ret != KNOT_EOK) { + return ret; + } + + // Send if only one argument or item without values. + if (args->argc == 1 || !(args->desc->flags & CMD_FOPT_DATA)) { + CTL_SEND_DATA + } + } + + // Send the item values or the other items. + for (int i = 1; i < args->argc; i++) { + if (args->desc->flags & CMD_FOPT_DATA) { + data[KNOT_CTL_IDX_DATA] = args->argv[i]; + } else { + ret = get_conf_key(args->argv[i], &data); + if (ret != KNOT_EOK) { + return ret; + } + } + + CTL_SEND_DATA + } + + CTL_SEND_BLOCK + + return ctl_receive(args); +} + +const cmd_desc_t cmd_table[] = { + { CMD_EXIT, NULL, CTL_NONE }, + + { CMD_STATUS, cmd_ctl, CTL_STATUS, CMD_FOPT_DATA}, + { CMD_STOP, cmd_ctl, CTL_STOP }, + { CMD_RELOAD, cmd_ctl, CTL_RELOAD }, + { CMD_STATS, cmd_stats_ctl, CTL_STATS }, + + { CMD_ZONE_CHECK, cmd_zone_check, CTL_NONE, CMD_FOPT_ZONE | CMD_FREAD }, + { CMD_ZONE_STATUS, cmd_zone_filter_ctl, CTL_ZONE_STATUS, CMD_FOPT_ZONE }, + { CMD_ZONE_RELOAD, cmd_zone_ctl, CTL_ZONE_RELOAD, CMD_FOPT_ZONE }, + { CMD_ZONE_REFRESH, cmd_zone_ctl, CTL_ZONE_REFRESH, CMD_FOPT_ZONE }, + { CMD_ZONE_RETRANSFER, cmd_zone_ctl, CTL_ZONE_RETRANSFER, CMD_FOPT_ZONE }, + { CMD_ZONE_NOTIFY, cmd_zone_ctl, CTL_ZONE_NOTIFY, CMD_FOPT_ZONE }, + { CMD_ZONE_FLUSH, cmd_zone_filter_ctl, CTL_ZONE_FLUSH, CMD_FOPT_ZONE }, + { CMD_ZONE_BACKUP, cmd_zone_filter_ctl, CTL_ZONE_BACKUP, CMD_FOPT_ZONE }, + { CMD_ZONE_RESTORE, cmd_zone_filter_ctl, CTL_ZONE_RESTORE, CMD_FOPT_ZONE }, + { CMD_ZONE_SIGN, cmd_zone_ctl, CTL_ZONE_SIGN, CMD_FOPT_ZONE }, + { CMD_ZONE_KEY_ROLL, cmd_zone_key_roll_ctl, CTL_ZONE_KEY_ROLL, CMD_FREQ_ZONE }, + { CMD_ZONE_KSK_SBM, cmd_zone_ctl, CTL_ZONE_KSK_SBM, CMD_FREQ_ZONE | CMD_FOPT_ZONE }, + { CMD_ZONE_FREEZE, cmd_zone_ctl, CTL_ZONE_FREEZE, CMD_FOPT_ZONE }, + { CMD_ZONE_THAW, cmd_zone_ctl, CTL_ZONE_THAW, CMD_FOPT_ZONE }, + + { CMD_ZONE_READ, cmd_zone_node_ctl, CTL_ZONE_READ, CMD_FREQ_ZONE }, + { CMD_ZONE_BEGIN, cmd_zone_ctl, CTL_ZONE_BEGIN, CMD_FREQ_ZONE | CMD_FOPT_ZONE }, + { CMD_ZONE_COMMIT, cmd_zone_ctl, CTL_ZONE_COMMIT, CMD_FREQ_ZONE | CMD_FOPT_ZONE }, + { CMD_ZONE_ABORT, cmd_zone_ctl, CTL_ZONE_ABORT, CMD_FREQ_ZONE | CMD_FOPT_ZONE }, + { CMD_ZONE_DIFF, cmd_zone_node_ctl, CTL_ZONE_DIFF, CMD_FREQ_ZONE }, + { CMD_ZONE_GET, cmd_zone_node_ctl, CTL_ZONE_GET, CMD_FREQ_ZONE }, + { CMD_ZONE_SET, cmd_zone_node_ctl, CTL_ZONE_SET, CMD_FREQ_ZONE }, + { CMD_ZONE_UNSET, cmd_zone_node_ctl, CTL_ZONE_UNSET, CMD_FREQ_ZONE }, + { CMD_ZONE_PURGE, cmd_zone_filter_ctl, CTL_ZONE_PURGE, CMD_FREQ_ZONE }, + { CMD_ZONE_STATS, cmd_stats_ctl, CTL_ZONE_STATS, CMD_FREQ_ZONE }, + + { CMD_CONF_INIT, cmd_conf_init, CTL_NONE, CMD_FWRITE }, + { CMD_CONF_CHECK, cmd_conf_check, CTL_NONE, CMD_FREAD | CMD_FREQ_MOD }, + { CMD_CONF_IMPORT, cmd_conf_import, CTL_NONE, CMD_FWRITE | CMD_FOPT_MOD }, + { CMD_CONF_EXPORT, cmd_conf_export, CTL_NONE, CMD_FREAD | CMD_FOPT_MOD }, + { CMD_CONF_LIST, cmd_conf_ctl, CTL_CONF_LIST, CMD_FOPT_ITEM }, + { CMD_CONF_READ, cmd_conf_ctl, CTL_CONF_READ, CMD_FOPT_ITEM }, + { CMD_CONF_BEGIN, cmd_conf_ctl, CTL_CONF_BEGIN }, + { CMD_CONF_COMMIT, cmd_conf_ctl, CTL_CONF_COMMIT }, + { CMD_CONF_ABORT, cmd_conf_ctl, CTL_CONF_ABORT }, + { CMD_CONF_DIFF, cmd_conf_ctl, CTL_CONF_DIFF, CMD_FOPT_ITEM | CMD_FREQ_TXN }, + { CMD_CONF_GET, cmd_conf_ctl, CTL_CONF_GET, CMD_FOPT_ITEM | CMD_FREQ_TXN }, + { CMD_CONF_SET, cmd_conf_ctl, CTL_CONF_SET, CMD_FREQ_ITEM | CMD_FOPT_DATA | CMD_FREQ_TXN }, + { CMD_CONF_UNSET, cmd_conf_ctl, CTL_CONF_UNSET, CMD_FOPT_ITEM | CMD_FOPT_DATA | CMD_FREQ_TXN }, + { NULL } +}; + +static const cmd_help_t cmd_help_table[] = { + { CMD_EXIT, "", "Exit interactive mode." }, + { "", "", "" }, + { CMD_STATUS, "[<detail>]", "Check if the server is running." }, + { CMD_STOP, "", "Stop the server if running." }, + { CMD_RELOAD, "", "Reload the server configuration and modified zones." }, + { CMD_STATS, "[<module>[.<counter>]]", "Show global statistics counter(s)." }, + { "", "", "" }, + { CMD_ZONE_CHECK, "[<zone>...]", "Check if the zone can be loaded. (*)" }, + { CMD_ZONE_RELOAD, "[<zone>...]", "Reload a zone from a disk. (#)" }, + { CMD_ZONE_REFRESH, "[<zone>...]", "Force slave zone refresh. (#)" }, + { CMD_ZONE_NOTIFY, "[<zone>...]", "Send a NOTIFY message to all configured remotes. (#)" }, + { CMD_ZONE_RETRANSFER, "[<zone>...]", "Force slave zone retransfer (no serial check). (#)" }, + { CMD_ZONE_FLUSH, "[<zone>...] [<filter>...]", "Flush zone journal into the zone file. (#)" }, + { CMD_ZONE_BACKUP, "[<zone>...] [<filter>...] +backupdir <dir>", "Backup zone data and metadata. (#)" }, + { CMD_ZONE_RESTORE, "[<zone>...] [<filter>...] +backupdir <dir>", "Restore zone data and metadata. (#)" }, + { CMD_ZONE_SIGN, "[<zone>...]", "Re-sign the automatically signed zone. (#)" }, + { CMD_ZONE_KEY_ROLL, " <zone> ksk|zsk", "Trigger immediate key rollover. (#)" }, + { CMD_ZONE_KSK_SBM, " <zone>...", "When KSK submission, confirm parent's DS presence. (#)" }, + { CMD_ZONE_FREEZE, "[<zone>...]", "Temporarily postpone automatic zone-changing events. (#)" }, + { CMD_ZONE_THAW, "[<zone>...]", "Dismiss zone freeze. (#)" }, + { "", "", "" }, + { CMD_ZONE_READ, "<zone> [<owner> [<type>]]", "Get zone data that are currently being presented." }, + { CMD_ZONE_BEGIN, "<zone>...", "Begin a zone transaction." }, + { CMD_ZONE_COMMIT, "<zone>...", "Commit the zone transaction." }, + { CMD_ZONE_ABORT, "<zone>...", "Abort the zone transaction." }, + { CMD_ZONE_DIFF, "<zone>", "Get zone changes within the transaction." }, + { CMD_ZONE_GET, "<zone> [<owner> [<type>]]", "Get zone data within the transaction." }, + { CMD_ZONE_SET, "<zone> <owner> [<ttl>] <type> <rdata>", "Add zone record within the transaction." }, + { CMD_ZONE_UNSET, "<zone> <owner> [<type> [<rdata>]]", "Remove zone data within the transaction." }, + { CMD_ZONE_PURGE, "<zone>... [<filter>...]", "Purge zone data, zone file, journal, timers, and KASP data. (#)" }, + { CMD_ZONE_STATS, "<zone> [<module>[.<counter>]]", "Show zone statistics counter(s)."}, + { CMD_ZONE_STATUS, "<zone> [<filter>...]", "Show the zone status." }, + { "", "", "" }, + { CMD_CONF_INIT, "", "Initialize the confdb. (*)" }, + { CMD_CONF_CHECK, "", "Check the server configuration. (*)" }, + { CMD_CONF_IMPORT, " <filename>", "Import a config file into the confdb. (*)" }, + { CMD_CONF_EXPORT, "[<filename>]", "Export the confdb into a config file or stdout. (*)" }, + { CMD_CONF_LIST, "[<item>...]", "List the confdb sections or section items." }, + { CMD_CONF_READ, "[<item>...]", "Get the item from the active confdb." }, + { CMD_CONF_BEGIN, "", "Begin a writing confdb transaction." }, + { CMD_CONF_COMMIT, "", "Commit the confdb transaction." }, + { CMD_CONF_ABORT, "", "Rollback the confdb transaction." }, + { CMD_CONF_DIFF, "[<item>...]", "Get the item difference within the transaction." }, + { CMD_CONF_GET, "[<item>...]", "Get the item data within the transaction." }, + { CMD_CONF_SET, " <item> [<data>...]", "Set the item data within the transaction." }, + { CMD_CONF_UNSET, "[<item>] [<data>...]", "Unset the item data within the transaction." }, + { NULL } +}; + +void print_commands(void) +{ + printf("\nActions:\n"); + + for (const cmd_help_t *cmd = cmd_help_table; cmd->name != NULL; cmd++) { + printf(" %-18s %-38s %s\n", cmd->name, cmd->params, cmd->desc); + } + + printf("\n" + "Note:\n" + " Use @ owner to denote the zone name.\n" + " Empty or '--' <zone> parameter means all zones or all zones with a transaction.\n" + " Type <item> parameter in the form of <section>[<identifier>].<name>.\n" + " (*) indicates a local operation which requires a configuration.\n" + " (#) indicates an optionally blocking operation.\n" + " The '-b' and '-f' options can be placed right after the command name.\n"); +} diff --git a/src/utils/knotc/commands.h b/src/utils/knotc/commands.h new file mode 100644 index 0000000..96aaf5b --- /dev/null +++ b/src/utils/knotc/commands.h @@ -0,0 +1,70 @@ +/* Copyright (C) 2019 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#pragma once + +#include "libknot/control/control.h" +#include "knot/ctl/commands.h" + +/*! \brief Command condition flags. */ +typedef enum { + CMD_FNONE = 0, /*!< Empty flag. */ + CMD_FREAD = 1 << 0, /*!< Required read access to config or confdb. */ + CMD_FWRITE = 1 << 1, /*!< Required write access to confdb. */ + CMD_FOPT_ITEM = 1 << 2, /*!< Optional item argument. */ + CMD_FREQ_ITEM = 1 << 3, /*!< Required item argument. */ + CMD_FOPT_DATA = 1 << 4, /*!< Optional item data argument. */ + CMD_FOPT_ZONE = 1 << 5, /*!< Optional zone name argument. */ + CMD_FREQ_ZONE = 1 << 6, /*!< Required zone name argument. */ + CMD_FREQ_TXN = 1 << 7, /*!< Required open confdb transaction. */ + CMD_FOPT_MOD = 1 << 8, /*!< Optional configured modules dependency. */ + CMD_FREQ_MOD = 1 << 9, /*!< Required configured modules dependency. */ +} cmd_flag_t; + +struct cmd_desc; +typedef struct cmd_desc cmd_desc_t; + +/*! \brief Command callback arguments. */ +typedef struct { + const cmd_desc_t *desc; + knot_ctl_t *ctl; + int argc; + const char **argv; + char flags[4]; + bool force; + bool blocking; +} cmd_args_t; + +/*! \brief Command callback description. */ +struct cmd_desc { + const char *name; + int (*fcn)(cmd_args_t *); + ctl_cmd_t cmd; + cmd_flag_t flags; +}; + +/*! \brief Command description. */ +typedef struct { + const char *name; + const char *params; + const char *desc; +} cmd_help_t; + +/*! \brief Table of commands. */ +extern const cmd_desc_t cmd_table[]; + +/*! \brief Prints commands help. */ +void print_commands(void); diff --git a/src/utils/knotc/interactive.c b/src/utils/knotc/interactive.c new file mode 100644 index 0000000..1c001c4 --- /dev/null +++ b/src/utils/knotc/interactive.c @@ -0,0 +1,434 @@ +/* Copyright (C) 2019 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#include <stdio.h> +#include <histedit.h> + +#include "knot/common/log.h" +#include "utils/common/lookup.h" +#include "utils/knotc/interactive.h" +#include "utils/knotc/commands.h" +#include "contrib/string.h" + +#define PROGRAM_NAME "knotc" +#define HISTORY_FILE ".knotc_history" + +extern params_t params; + +static void cmds_lookup(EditLine *el, const char *str, size_t str_len) +{ + lookup_t lookup; + int ret = lookup_init(&lookup); + if (ret != KNOT_EOK) { + return; + } + + // Fill the lookup with command names. + for (const cmd_desc_t *desc = cmd_table; desc->name != NULL; desc++) { + ret = lookup_insert(&lookup, desc->name, NULL); + if (ret != KNOT_EOK) { + goto cmds_lookup_finish; + } + } + + lookup_complete(&lookup, str, str_len, el, true); + +cmds_lookup_finish: + lookup_deinit(&lookup); +} + +static void local_zones_lookup(EditLine *el, const char *str, size_t str_len) +{ + lookup_t lookup; + int ret = lookup_init(&lookup); + if (ret != KNOT_EOK) { + return; + } + + knot_dname_txt_storage_t buff; + + // Fill the lookup with local zone names. + for (conf_iter_t iter = conf_iter(conf(), C_ZONE); + iter.code == KNOT_EOK; conf_iter_next(conf(), &iter)) { + conf_val_t val = conf_iter_id(conf(), &iter); + char *name = knot_dname_to_str(buff, conf_dname(&val), sizeof(buff)); + + ret = lookup_insert(&lookup, name, NULL); + if (ret != KNOT_EOK) { + conf_iter_finish(conf(), &iter); + goto local_zones_lookup_finish; + } + } + + lookup_complete(&lookup, str, str_len, el, true); + +local_zones_lookup_finish: + lookup_deinit(&lookup); +} + +static char *get_id_name(const char *section) +{ + const cmd_desc_t *desc = cmd_table; + while (desc->name != NULL && desc->cmd != CTL_CONF_LIST) { + desc++; + } + assert(desc->name != NULL); + + knot_ctl_data_t query = { + [KNOT_CTL_IDX_CMD] = ctl_cmd_to_str(desc->cmd), + [KNOT_CTL_IDX_SECTION] = section + }; + + knot_ctl_t *ctl = NULL; + knot_ctl_type_t type; + knot_ctl_data_t reply; + + // Try to get the first group item (possible id). + if (set_ctl(&ctl, desc, ¶ms) != KNOT_EOK || + knot_ctl_send(ctl, KNOT_CTL_TYPE_DATA, &query) != KNOT_EOK || + knot_ctl_send(ctl, KNOT_CTL_TYPE_BLOCK, NULL) != KNOT_EOK || + knot_ctl_receive(ctl, &type, &reply) != KNOT_EOK || + type != KNOT_CTL_TYPE_DATA || reply[KNOT_CTL_IDX_ERROR] != NULL) { + unset_ctl(ctl); + return NULL; + } + + char *id_name = strdup(reply[KNOT_CTL_IDX_ITEM]); + + unset_ctl(ctl); + + return id_name; +} + +static void id_lookup(EditLine *el, const char *str, size_t str_len, + const cmd_desc_t *cmd_desc, const char *section, bool add_space) +{ + // Decide which confdb transaction to ask. + unsigned ctl_code = (cmd_desc->flags & CMD_FREQ_TXN) ? + CTL_CONF_GET : CTL_CONF_READ; + + const cmd_desc_t *desc = cmd_table; + while (desc->name != NULL && desc->cmd != ctl_code) { + desc++; + } + assert(desc->name != NULL); + + char *id_name = get_id_name(section); + if (id_name == NULL) { + return; + } + + knot_ctl_data_t query = { + [KNOT_CTL_IDX_CMD] = ctl_cmd_to_str(desc->cmd), + [KNOT_CTL_IDX_SECTION] = section, + [KNOT_CTL_IDX_ITEM] = id_name + }; + + lookup_t lookup; + knot_ctl_t *ctl = NULL; + + if (set_ctl(&ctl, desc, ¶ms) != KNOT_EOK || + knot_ctl_send(ctl, KNOT_CTL_TYPE_DATA, &query) != KNOT_EOK || + knot_ctl_send(ctl, KNOT_CTL_TYPE_BLOCK, NULL) != KNOT_EOK || + lookup_init(&lookup) != KNOT_EOK) { + unset_ctl(ctl); + free(id_name); + return; + } + + free(id_name); + + while (true) { + knot_ctl_type_t type; + knot_ctl_data_t reply; + + // Receive one section id. + if (knot_ctl_receive(ctl, &type, &reply) != KNOT_EOK) { + goto id_lookup_finish; + } + + // Stop if finished transfer. + if (type != KNOT_CTL_TYPE_DATA) { + break; + } + + // Insert the id into the lookup. + if (reply[KNOT_CTL_IDX_ERROR] != NULL || + lookup_insert(&lookup, reply[KNOT_CTL_IDX_DATA], NULL) != KNOT_EOK) { + goto id_lookup_finish; + } + } + + lookup_complete(&lookup, str, str_len, el, add_space); + +id_lookup_finish: + lookup_deinit(&lookup); + unset_ctl(ctl); +} + +static void list_lookup(EditLine *el, const char *section, const char *item) +{ + const cmd_desc_t *desc = cmd_table; + while (desc->name != NULL && desc->cmd != CTL_CONF_LIST) { + desc++; + } + assert(desc->name != NULL); + + knot_ctl_data_t query = { + [KNOT_CTL_IDX_CMD] = ctl_cmd_to_str(desc->cmd), + [KNOT_CTL_IDX_SECTION] = section + }; + + lookup_t lookup; + knot_ctl_t *ctl = NULL; + + if (set_ctl(&ctl, desc, ¶ms) != KNOT_EOK || + knot_ctl_send(ctl, KNOT_CTL_TYPE_DATA, &query) != KNOT_EOK || + knot_ctl_send(ctl, KNOT_CTL_TYPE_BLOCK, NULL) != KNOT_EOK || + lookup_init(&lookup) != KNOT_EOK) { + unset_ctl(ctl); + return; + } + + while (true) { + knot_ctl_type_t type; + knot_ctl_data_t reply; + + // Receive one section/item name. + if (knot_ctl_receive(ctl, &type, &reply) != KNOT_EOK) { + goto list_lookup_finish; + } + + // Stop if finished transfer. + if (type != KNOT_CTL_TYPE_DATA) { + break; + } + + const char *str = (section == NULL) ? reply[KNOT_CTL_IDX_SECTION] : + reply[KNOT_CTL_IDX_ITEM]; + + // Insert the name into the lookup. + if (reply[KNOT_CTL_IDX_ERROR] != NULL || + lookup_insert(&lookup, str, NULL) != KNOT_EOK) { + goto list_lookup_finish; + } + } + + lookup_complete(&lookup, item, strlen(item), el, section != NULL); + +list_lookup_finish: + lookup_deinit(&lookup); + unset_ctl(ctl); +} + +static void item_lookup(EditLine *el, const char *str, const cmd_desc_t *cmd_desc) +{ + // List all sections. + if (str == NULL) { + list_lookup(el, NULL, ""); + return; + } + + // Check for id specification. + char *id = (strchr(str, '[')); + if (id != NULL) { + char *section = strndup(str, id - str); + + // Check for completed id specification. + char *id_stop = (strchr(id, ']')); + if (id_stop != NULL) { + // Complete the item name. + if (*(id_stop + 1) == '.') { + list_lookup(el, section, id_stop + 2); + } + } else { + // Complete the section id. + id_lookup(el, id + 1, strlen(id + 1), cmd_desc, section, false); + } + + free(section); + } else { + // Check for item specification. + char *dot = (strchr(str, '.')); + if (dot != NULL) { + // Complete the item name. + char *section = strndup(str, dot - str); + list_lookup(el, section, dot + 1); + free(section); + } else { + // Complete the section name. + list_lookup(el, NULL, str); + } + } +} + +static unsigned char complete(EditLine *el, int ch) +{ + int argc, token, pos; + const char **argv; + + const LineInfo *li = el_line(el); + Tokenizer *tok = tok_init(NULL); + + // Parse the line. + int ret = tok_line(tok, li, &argc, &argv, &token, &pos); + if (ret != 0) { + goto complete_exit; + } + + // Show possible commands. + if (argc == 0) { + print_commands(); + goto complete_exit; + } + + // Complete the command name. + if (token == 0) { + cmds_lookup(el, argv[0], pos); + goto complete_exit; + } + + // Find the command descriptor. + const cmd_desc_t *desc = cmd_table; + while (desc->name != NULL && strcmp(desc->name, argv[0]) != 0) { + desc++; + } + if (desc->name == NULL) { + goto complete_exit; + } + + // Finish if a command with no or unsupported arguments. + if (desc->flags == CMD_FNONE || desc->flags == CMD_FREAD || + desc->flags == CMD_FWRITE) { + goto complete_exit; + } + + ret = set_config(desc, ¶ms); + if (ret != KNOT_EOK) { + goto complete_exit; + } + + // Complete the zone name. + if (desc->flags & (CMD_FREQ_ZONE | CMD_FOPT_ZONE)) { + if (token > 1 && !(desc->flags & CMD_FOPT_ZONE)) { + goto complete_exit; + } + + if (desc->flags & CMD_FREAD) { + local_zones_lookup(el, argv[token], pos); + } else { + id_lookup(el, argv[token], pos, desc, "zone", true); + } + goto complete_exit; + // Complete the section/id/item name. + } else if (desc->flags & (CMD_FOPT_ITEM | CMD_FREQ_ITEM)) { + if (token == 1) { + item_lookup(el, argv[1], desc); + } + goto complete_exit; + } + +complete_exit: + conf_update(NULL, CONF_UPD_FNONE); + tok_reset(tok); + tok_end(tok); + + return CC_REDISPLAY; +} + +static char *prompt(EditLine *el) +{ + return PROGRAM_NAME"> "; +} + +int interactive_loop(params_t *process_params) +{ + char *hist_file = NULL; + const char *home = getenv("HOME"); + if (home != NULL) { + hist_file = sprintf_alloc("%s/%s", home, HISTORY_FILE); + } + if (hist_file == NULL) { + log_notice("failed to get home directory"); + } + + EditLine *el = el_init(PROGRAM_NAME, stdin, stdout, stderr); + if (el == NULL) { + log_error("interactive mode not available"); + free(hist_file); + return KNOT_ERROR; + } + + History *hist = history_init(); + if (hist == NULL) { + log_error("interactive mode not available"); + el_end(el); + free(hist_file); + return KNOT_ERROR; + } + + HistEvent hev = { 0 }; + history(hist, &hev, H_SETSIZE, 1000); + history(hist, &hev, H_SETUNIQUE, 1); + el_set(el, EL_HIST, history, hist); + history(hist, &hev, H_LOAD, hist_file); + + el_set(el, EL_TERMINAL, NULL); + el_set(el, EL_EDITOR, "emacs"); + el_set(el, EL_PROMPT, prompt); + el_set(el, EL_SIGNAL, 1); + el_source(el, NULL); + + el_set(el, EL_ADDFN, PROGRAM_NAME"-complete", + "Perform "PROGRAM_NAME" completion.", complete); + el_set(el, EL_BIND, "^I", PROGRAM_NAME"-complete", NULL); + + int count; + const char *line; + while ((line = el_gets(el, &count)) != NULL && count > 0) { + Tokenizer *tok = tok_init(NULL); + + // Tokenize the current line. + int argc; + const char **argv; + const LineInfo *li = el_line(el); + int ret = tok_line(tok, li, &argc, &argv, NULL, NULL); + if (ret != 0 || argc == 0) { + continue; + } + + history(hist, &hev, H_ENTER, line); + history(hist, &hev, H_SAVE, hist_file); + + // Process the command. + ret = process_cmd(argc, argv, process_params); + + tok_reset(tok); + tok_end(tok); + + // Check for the exit command. + if (ret == KNOT_CTL_ESTOP) { + break; + } + } + + history_end(hist); + free(hist_file); + + el_end(el); + + return KNOT_EOK; +} diff --git a/src/utils/knotc/interactive.h b/src/utils/knotc/interactive.h new file mode 100644 index 0000000..59690c7 --- /dev/null +++ b/src/utils/knotc/interactive.h @@ -0,0 +1,26 @@ +/* Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#pragma once + +#include "utils/knotc/process.h" + +/*! + * Executes an interactive processing loop. + * + * \param[in] params Utility parameters. + */ +int interactive_loop(params_t *params); diff --git a/src/utils/knotc/main.c b/src/utils/knotc/main.c new file mode 100644 index 0000000..a1c2e6f --- /dev/null +++ b/src/utils/knotc/main.c @@ -0,0 +1,153 @@ +/* Copyright (C) 2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#include <getopt.h> +#include <stdio.h> + +#include "contrib/strtonum.h" +#include "knot/common/log.h" +#include "utils/common/params.h" +#include "utils/knotc/commands.h" +#include "utils/knotc/interactive.h" +#include "utils/knotc/process.h" + +#define PROGRAM_NAME "knotc" +#define SPACE " " +#define DEFAULT_CTL_TIMEOUT 60 + +static void print_help(void) +{ + printf("Usage: %s [parameters] <action> [action_args]\n" + "\n" + "Parameters:\n" + " -c, --config <file> "SPACE"Use a textual configuration file.\n" + " "SPACE" (default %s)\n" + " -C, --confdb <dir> "SPACE"Use a binary configuration database directory.\n" + " "SPACE" (default %s)\n" + " -m, --max-conf-size <MiB>"SPACE"Set maximum size of the configuration database (max 10000 MiB).\n" + " "SPACE" (default %d MiB)\n" + " -s, --socket <path> "SPACE"Use a control UNIX socket path.\n" + " "SPACE" (default %s)\n" + " -t, --timeout <sec> "SPACE"Use a control socket timeout (max 7200 seconds).\n" + " "SPACE" (default %u seconds)\n" + " -b, --blocking "SPACE"Zone event trigger commands wait until the event is finished.\n" + " -f, --force "SPACE"Forced operation. Overrides some checks.\n" + " -v, --verbose "SPACE"Enable debug output.\n" + " -h, --help "SPACE"Print the program help.\n" + " -V, --version "SPACE"Print the program version.\n", + PROGRAM_NAME, CONF_DEFAULT_FILE, CONF_DEFAULT_DBDIR, + CONF_MAPSIZE, RUN_DIR "/knot.sock", DEFAULT_CTL_TIMEOUT); + + print_commands(); +} + +params_t params = { + .max_conf_size = (size_t)CONF_MAPSIZE * 1024 * 1024, + .timeout = DEFAULT_CTL_TIMEOUT * 1000 +}; + +int main(int argc, char **argv) +{ + /* Long options. */ + struct option opts[] = { + { "config", required_argument, NULL, 'c' }, + { "confdb", required_argument, NULL, 'C' }, + { "max-conf-size", required_argument, NULL, 'm' }, + { "socket", required_argument, NULL, 's' }, + { "timeout", required_argument, NULL, 't' }, + { "blocking", no_argument, NULL, 'b' }, + { "force", no_argument, NULL, 'f' }, + { "verbose", no_argument, NULL, 'v' }, + { "help", no_argument, NULL, 'h' }, + { "version", no_argument, NULL, 'V' }, + { NULL } + }; + + /* Set the time zone. */ + tzset(); + + /* Parse command line arguments */ + int opt = 0; + while ((opt = getopt_long(argc, argv, "+c:C:m:s:t:bfvhV", opts, NULL)) != -1) { + switch (opt) { + case 'c': + params.config = optarg; + break; + case 'C': + params.confdb = optarg; + break; + case 'm': + if (str_to_size(optarg, ¶ms.max_conf_size, 1, 10000) != KNOT_EOK) { + print_help(); + return EXIT_FAILURE; + } + /* Convert to bytes. */ + params.max_conf_size *= 1024 * 1024; + break; + case 's': + params.socket = optarg; + break; + case 't': + if (str_to_int(optarg, ¶ms.timeout, 0, 7200) != KNOT_EOK) { + print_help(); + return EXIT_FAILURE; + } + /* Convert to milliseconds. */ + params.timeout *= 1000; + break; + case 'b': + params.blocking = true; + break; + case 'f': + params.force = true; + break; + case 'v': + params.verbose = true; + break; + case 'h': + print_help(); + return EXIT_SUCCESS; + case 'V': + print_version(PROGRAM_NAME); + return EXIT_SUCCESS; + default: + print_help(); + return EXIT_FAILURE; + } + } + + /* Set up simplified logging just to stdout/stderr. */ + log_init(); + log_levels_set(LOG_TARGET_STDOUT, LOG_SOURCE_ANY, + LOG_MASK(LOG_INFO) | LOG_MASK(LOG_NOTICE)); + log_levels_set(LOG_TARGET_STDERR, LOG_SOURCE_ANY, LOG_UPTO(LOG_WARNING)); + log_levels_set(LOG_TARGET_SYSLOG, LOG_SOURCE_ANY, 0); + log_flag_set(LOG_FLAG_NOTIMESTAMP | LOG_FLAG_NOINFO); + if (params.verbose) { + log_levels_add(LOG_TARGET_STDOUT, LOG_SOURCE_ANY, LOG_MASK(LOG_DEBUG)); + } + + int ret; + if (argc - optind < 1) { + ret = interactive_loop(¶ms); + } else { + ret = process_cmd(argc - optind, (const char **)argv + optind, ¶ms); + } + + log_close(); + + return (ret == KNOT_EOK) ? EXIT_SUCCESS : EXIT_FAILURE; +} diff --git a/src/utils/knotc/process.c b/src/utils/knotc/process.c new file mode 100644 index 0000000..4c25d36 --- /dev/null +++ b/src/utils/knotc/process.c @@ -0,0 +1,280 @@ +/* Copyright (C) 2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#include <stddef.h> +#include <sys/stat.h> + +#include "contrib/openbsd/strlcat.h" +#include "knot/conf/conf.h" +#include "knot/common/log.h" +#include "utils/knotc/commands.h" +#include "utils/knotc/process.h" + +static const cmd_desc_t *get_cmd_desc(const char *command) +{ + /* Find requested command. */ + const cmd_desc_t *desc = cmd_table; + while (desc->name != NULL) { + if (strcmp(desc->name, command) == 0) { + break; + } + desc++; + } + if (desc->name == NULL) { + log_error("invalid command '%s'", command); + return NULL; + } + + return desc; +} + +static bool get_cmd_force_flag(const char *arg) +{ + if (strcmp(arg, "-f") == 0 || strcmp(arg, "--force") == 0) { + return true; + } + return false; +} + +static bool get_cmd_blocking_flag(const char *arg) +{ + if (strcmp(arg, "-b") == 0 || strcmp(arg, "--blocking") == 0) { + return true; + } + return false; +} + +int set_config(const cmd_desc_t *desc, params_t *params) +{ + if (params->config != NULL && params->confdb != NULL) { + log_error("ambiguous configuration source"); + return KNOT_EINVAL; + } + + /* Mask relevant flags. */ + cmd_flag_t flags = desc->flags & (CMD_FREAD | CMD_FWRITE); + cmd_flag_t mod_flags = desc->flags & (CMD_FOPT_MOD | CMD_FREQ_MOD); + + /* Choose the optimal config source. */ + struct stat st; + bool import = false; + if (flags == CMD_FNONE && params->socket != NULL) { + /* Control operation, known socket, skip configuration. */ + return KNOT_EOK; + } else if (params->confdb != NULL) { + import = false; + } else if (flags == CMD_FWRITE) { + import = false; + params->confdb = CONF_DEFAULT_DBDIR; + } else if (params->config != NULL){ + import = true; + } else if (conf_db_exists(CONF_DEFAULT_DBDIR)) { + import = false; + params->confdb = CONF_DEFAULT_DBDIR; + } else if (stat(CONF_DEFAULT_FILE, &st) == 0) { + import = true; + params->config = CONF_DEFAULT_FILE; + } else if (flags != CMD_FNONE) { + log_error("no configuration source available"); + return KNOT_EINVAL; + } + + const char *src = import ? params->config : params->confdb; + log_debug("%s '%s'", import ? "config" : "confdb", + (src != NULL) ? src : "empty"); + + /* Prepare config flags. */ + conf_flag_t conf_flags = CONF_FNOHOSTNAME; + if (params->confdb != NULL && !(flags & CMD_FWRITE)) { + conf_flags |= CONF_FREADONLY; + } + if (import || mod_flags & CMD_FOPT_MOD) { + conf_flags |= CONF_FOPTMODULES; + } else if (mod_flags & CMD_FREQ_MOD) { + conf_flags |= CONF_FREQMODULES; + } + + /* Open confdb. */ + conf_t *new_conf = NULL; + int ret = conf_new(&new_conf, conf_schema, params->confdb, + params->max_conf_size, conf_flags); + if (ret != KNOT_EOK) { + log_error("failed to open configuration database '%s' (%s)", + (params->confdb != NULL) ? params->confdb : "", + knot_strerror(ret)); + return ret; + } + + /* Import the config file. */ + if (import) { + ret = conf_import(new_conf, params->config, true, false); + if (ret != KNOT_EOK) { + log_error("failed to load configuration file '%s' (%s)", + params->config, knot_strerror(ret)); + conf_free(new_conf); + return ret; + } + } + + /* Update to the new config. */ + conf_update(new_conf, CONF_UPD_FNONE); + + return KNOT_EOK; +} + +int set_ctl(knot_ctl_t **ctl, const cmd_desc_t *desc, params_t *params) +{ + if (desc == NULL) { + *ctl = NULL; + return KNOT_EINVAL; + } + + /* Mask relevant flags. */ + cmd_flag_t flags = desc->flags & (CMD_FREAD | CMD_FWRITE); + + /* Check if control socket is required. */ + if (flags != CMD_FNONE) { + *ctl = NULL; + return KNOT_EOK; + } + + /* Get control socket path. */ + char *path = NULL; + if (params->socket != NULL) { + path = strdup(params->socket); + } else { + conf_val_t listen_val = conf_get(conf(), C_CTL, C_LISTEN); + conf_val_t rundir_val = conf_get(conf(), C_SRV, C_RUNDIR); + char *rundir = conf_abs_path(&rundir_val, NULL); + path = conf_abs_path(&listen_val, rundir); + free(rundir); + } + if (path == NULL) { + log_error("empty control socket path"); + return KNOT_EINVAL; + } + + log_debug("socket '%s'", path); + + *ctl = knot_ctl_alloc(); + if (*ctl == NULL) { + free(path); + return KNOT_ENOMEM; + } + + knot_ctl_set_timeout(*ctl, params->timeout); + + int ret = knot_ctl_connect(*ctl, path); + if (ret != KNOT_EOK) { + knot_ctl_free(*ctl); + *ctl = NULL; + log_error("failed to connect to socket '%s' (%s)", path, + knot_strerror(ret)); + free(path); + return ret; + } + + free(path); + + return KNOT_EOK; +} + +void unset_ctl(knot_ctl_t *ctl) +{ + if (ctl == NULL) { + return; + } + + int ret = knot_ctl_send(ctl, KNOT_CTL_TYPE_END, NULL); + if (ret != KNOT_EOK && ret != KNOT_ECONN) { + log_error("failed to finish control (%s)", knot_strerror(ret)); + } + + knot_ctl_close(ctl); + knot_ctl_free(ctl); +} + +int process_cmd(int argc, const char **argv, params_t *params) +{ + if (argc == 0) { + return KNOT_ENOTSUP; + } + + /* Check the command name. */ + const cmd_desc_t *desc = get_cmd_desc(argv[0]); + if (desc == NULL) { + return KNOT_ENOENT; + } + + /* Check for exit. */ + if (desc->fcn == NULL) { + return KNOT_CTL_ESTOP; + } + + /* Set up the configuration. */ + int ret = set_config(desc, params); + if (ret != KNOT_EOK) { + return ret; + } + + /* Prepare command parameters. */ + cmd_args_t args = { + .desc = desc, + .argc = argc - 1, + .argv = argv + 1, + .force = params->force, + .blocking = params->blocking + }; + + /* Check for special flags after command. */ + while (args.argc > 0) { + if (get_cmd_force_flag(args.argv[0])) { + args.force = true; + args.argc--; + args.argv++; + } else if (get_cmd_blocking_flag(args.argv[0])) { + args.blocking = true; + args.argc--; + args.argv++; + } else { + break; + } + } + + /* Prepare flags parameter. */ + if (args.force) { + strlcat(args.flags, CTL_FLAG_FORCE, sizeof(args.flags)); + } + if (args.blocking) { + strlcat(args.flags, CTL_FLAG_BLOCKING, sizeof(args.flags)); + } + + /* Set control interface if necessary. */ + ret = set_ctl(&args.ctl, desc, params); + if (ret != KNOT_EOK) { + conf_update(NULL, CONF_UPD_FNONE); + return ret; + } + + /* Execute the command. */ + ret = desc->fcn(&args); + + /* Cleanup */ + unset_ctl(args.ctl); + conf_update(NULL, CONF_UPD_FNONE); + + return ret; +} diff --git a/src/utils/knotc/process.h b/src/utils/knotc/process.h new file mode 100644 index 0000000..add7ded --- /dev/null +++ b/src/utils/knotc/process.h @@ -0,0 +1,70 @@ +/* Copyright (C) 2019 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#pragma once + +#include "utils/knotc/commands.h" + +/*! Utility command line parameters. */ +typedef struct { + const char *config; + const char *confdb; + size_t max_conf_size; + const char *socket; + bool verbose; + bool force; + bool blocking; + int timeout; +} params_t; + +/*! + * Prepares a proper configuration according to the specified command. + * + * \param[in] desc Utility command descriptor. + * \param[in] params Utility parameters. + * + * \return Error code, KNOT_EOK if successful. + */ +int set_config(const cmd_desc_t *desc, params_t *params); + +/*! + * Estabilishes a control interface if necessary. + * + * \param[in] ctl Control context. + * \param[in] desc Utility command descriptor. + * \param[in] params Utility parameters. + * + * \return Error code, KNOT_EOK if successful. + */ +int set_ctl(knot_ctl_t **ctl, const cmd_desc_t *desc, params_t *params); + +/*! + * Cleans up the control context. + * + * \param[in] ctl Control context. + */ +void unset_ctl(knot_ctl_t *ctl); + +/*! + * Processes the given utility command. + * + * \param[in] argc Number of command arguments. + * \param[in] argv Command arguments. + * \param[in] params Utility parameters. + * + * \return Error code, KNOT_EOK if successful. + */ +int process_cmd(int argc, const char **argv, params_t *params); diff --git a/src/utils/knotd/main.c b/src/utils/knotd/main.c new file mode 100644 index 0000000..232ae75 --- /dev/null +++ b/src/utils/knotd/main.c @@ -0,0 +1,609 @@ +/* Copyright (C) 2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#include <dirent.h> +#include <fcntl.h> +#include <poll.h> +#include <stdbool.h> +#include <stdio.h> +#include <stdlib.h> +#include <unistd.h> +#include <getopt.h> +#include <sys/stat.h> +#include <urcu.h> + +#ifdef ENABLE_CAP_NG +#include <cap-ng.h> +#endif + +#ifdef ENABLE_SYSTEMD +#include <systemd/sd-daemon.h> +#endif + +#include "libdnssec/crypto.h" +#include "libknot/libknot.h" +#include "contrib/strtonum.h" +#include "knot/ctl/process.h" +#include "knot/conf/conf.h" +#include "knot/conf/migration.h" +#include "knot/conf/module.h" +#include "knot/common/log.h" +#include "knot/common/process.h" +#include "knot/common/stats.h" +#include "knot/server/server.h" +#include "knot/server/tcp-handler.h" + +#define PROGRAM_NAME "knotd" + +/* Signal flags. */ +static volatile bool sig_req_stop = false; +static volatile bool sig_req_reload = false; +static volatile bool sig_req_zones_reload = false; + +/* \brief Signal started state to the init system. */ +static void init_signal_started(void) +{ +#ifdef ENABLE_SYSTEMD + sd_notify(0, "READY=1"); +#endif +} + +static int make_daemon(int nochdir, int noclose) +{ + int ret; + + switch (fork()) { + case -1: + /* Error */ + return -1; + case 0: + /* Forked */ + break; + default: + /* Exit the main process */ + _exit(0); + } + + if (setsid() == -1) { + return -1; + } + + if (!nochdir) { + ret = chdir("/"); + if (ret == -1) + return errno; + } + + if (!noclose) { + ret = close(STDIN_FILENO); + ret += close(STDOUT_FILENO); + ret += close(STDERR_FILENO); + if (ret < 0) { + return errno; + } + + int fd = open("/dev/null", O_RDWR); + if (fd == -1) { + return errno; + } + + if (dup2(fd, STDIN_FILENO) < 0) { + close(fd); + return errno; + } + if (dup2(fd, STDOUT_FILENO) < 0) { + close(fd); + return errno; + } + if (dup2(fd, STDERR_FILENO) < 0) { + close(fd); + return errno; + } + close(fd); + } + + return 0; +} + +struct signal { + int signum; + bool handle; +}; + +/*! \brief Signals used by the server. */ +static const struct signal SIGNALS[] = { + { SIGHUP, true }, /* Reload server. */ + { SIGUSR1, true }, /* Reload zones. */ + { SIGINT, true }, /* Terminate server. */ + { SIGTERM, true }, /* Terminate server. */ + { SIGALRM, false }, /* Internal thread synchronization. */ + { SIGPIPE, false }, /* Ignored. Some I/O errors. */ + { 0 } +}; + +/*! \brief Server signal handler. */ +static void handle_signal(int signum) +{ + switch (signum) { + case SIGHUP: + sig_req_reload = true; + break; + case SIGUSR1: + sig_req_zones_reload = true; + break; + case SIGINT: + case SIGTERM: + if (sig_req_stop) { + exit(EXIT_FAILURE); + } + sig_req_stop = true; + break; + default: + /* ignore */ + break; + } +} + +/*! \brief Setup signal handlers and blocking mask. */ +static void setup_signals(void) +{ + /* Block all signals. */ + static sigset_t all; + sigfillset(&all); + sigdelset(&all, SIGPROF); + sigdelset(&all, SIGQUIT); + sigdelset(&all, SIGILL); + sigdelset(&all, SIGABRT); + sigdelset(&all, SIGBUS); + sigdelset(&all, SIGFPE); + sigdelset(&all, SIGSEGV); + pthread_sigmask(SIG_SETMASK, &all, NULL); + + /* Setup handlers. */ + struct sigaction action = { .sa_handler = handle_signal }; + for (const struct signal *s = SIGNALS; s->signum > 0; s++) { + sigaction(s->signum, &action, NULL); + } +} + +/*! \brief Unblock server control signals. */ +static void enable_signals(void) +{ + sigset_t mask; + sigemptyset(&mask); + + for (const struct signal *s = SIGNALS; s->signum > 0; s++) { + if (s->handle) { + sigaddset(&mask, s->signum); + } + } + + pthread_sigmask(SIG_UNBLOCK, &mask, NULL); +} + +/*! \brief Drop POSIX 1003.1e capabilities. */ +static void drop_capabilities(void) +{ +#ifdef ENABLE_CAP_NG + /* Drop all capabilities. */ + if (capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP)) { + capng_clear(CAPNG_SELECT_BOTH); + + /* Apply. */ + if (capng_apply(CAPNG_SELECT_BOTH) < 0) { + log_error("failed to set process capabilities (%s)", + strerror(errno)); + } + } else { + log_info("process not allowed to set capabilities, skipping"); + } +#endif /* ENABLE_CAP_NG */ +} + +/*! \brief Event loop listening for signals and remote commands. */ +static void event_loop(server_t *server, const char *socket) +{ + knot_ctl_t *ctl = knot_ctl_alloc(); + if (ctl == NULL) { + log_fatal("control, failed to initialize (%s)", + knot_strerror(KNOT_ENOMEM)); + return; + } + + // Set control timeout. + knot_ctl_set_timeout(ctl, conf()->cache.ctl_timeout); + + /* Get control socket configuration. */ + char *listen; + if (socket == NULL) { + conf_val_t listen_val = conf_get(conf(), C_CTL, C_LISTEN); + conf_val_t rundir_val = conf_get(conf(), C_SRV, C_RUNDIR); + char *rundir = conf_abs_path(&rundir_val, NULL); + listen = conf_abs_path(&listen_val, rundir); + free(rundir); + } else { + listen = strdup(socket); + } + if (listen == NULL) { + knot_ctl_free(ctl); + log_fatal("control, empty socket path"); + return; + } + + log_info("control, binding to '%s'", listen); + + /* Bind the control socket. */ + int ret = knot_ctl_bind(ctl, listen); + if (ret != KNOT_EOK) { + knot_ctl_free(ctl); + log_fatal("control, failed to bind socket '%s' (%s)", + listen, knot_strerror(ret)); + free(listen); + return; + } + free(listen); + + enable_signals(); + + /* Run event loop. */ + for (;;) { + /* Interrupts. */ + if (sig_req_stop) { + break; + } + if (sig_req_reload) { + sig_req_reload = false; + server_reload(server); + } + if (sig_req_zones_reload) { + sig_req_zones_reload = false; + server_update_zones(conf(), server); + } + + // Update control timeout. + knot_ctl_set_timeout(ctl, conf()->cache.ctl_timeout); + + ret = knot_ctl_accept(ctl); + if (ret != KNOT_EOK) { + continue; + } + + ret = ctl_process(ctl, server); + knot_ctl_close(ctl); + if (ret == KNOT_CTL_ESTOP) { + break; + } + } + + /* Unbind the control socket. */ + knot_ctl_unbind(ctl); + knot_ctl_free(ctl); +} + +static void print_help(void) +{ + printf("Usage: %s [parameters]\n" + "\n" + "Parameters:\n" + " -c, --config <file> Use a textual configuration file.\n" + " (default %s)\n" + " -C, --confdb <dir> Use a binary configuration database directory.\n" + " (default %s)\n" + " -m, --max-conf-size <MiB> Set maximum size of the configuration database (max 10000 MiB).\n" + " (default %d MiB)\n" + " -s, --socket <path> Use a remote control UNIX socket path.\n" + " (default %s)\n" + " -d, --daemonize=[dir] Run the server as a daemon (with new root directory).\n" + " -v, --verbose Enable debug output.\n" + " -h, --help Print the program help.\n" + " -V, --version Print the program version.\n", + PROGRAM_NAME, CONF_DEFAULT_FILE, CONF_DEFAULT_DBDIR, + CONF_MAPSIZE, RUN_DIR "/knot.sock"); +} + +static void print_version(void) +{ + printf("%s (Knot DNS), version %s\n", PROGRAM_NAME, PACKAGE_VERSION); +} + +static int set_config(const char *confdb, const char *config, size_t max_conf_size) +{ + if (config != NULL && confdb != NULL) { + log_fatal("ambiguous configuration source"); + return KNOT_EINVAL; + } + + /* Choose the optimal config source. */ + bool import = false; + if (confdb != NULL) { + import = false; + } else if (config != NULL){ + import = true; + } else if (conf_db_exists(CONF_DEFAULT_DBDIR)) { + import = false; + confdb = CONF_DEFAULT_DBDIR; + } else { + import = true; + config = CONF_DEFAULT_FILE; + } + + /* Open confdb. */ + conf_t *new_conf = NULL; + int ret = conf_new(&new_conf, conf_schema, confdb, max_conf_size, CONF_FREQMODULES); + if (ret != KNOT_EOK) { + log_fatal("failed to open configuration database '%s' (%s)", + (confdb != NULL) ? confdb : "", knot_strerror(ret)); + return ret; + } + + /* Import the config file. */ + if (import) { + ret = conf_import(new_conf, config, true, true); + if (ret != KNOT_EOK) { + log_fatal("failed to load configuration file '%s' (%s)", + config, knot_strerror(ret)); + conf_free(new_conf); + return ret; + } + } + + // Migrate from old schema. + ret = conf_migrate(new_conf); + if (ret != KNOT_EOK) { + log_error("failed to migrate configuration (%s)", knot_strerror(ret)); + } + + /* Update to the new config. */ + conf_update(new_conf, CONF_UPD_FNONE); + + return KNOT_EOK; +} + +int main(int argc, char **argv) +{ + bool daemonize = false; + const char *config = NULL; + const char *confdb = NULL; + size_t max_conf_size = (size_t)CONF_MAPSIZE * 1024 * 1024; + const char *daemon_root = "/"; + char *socket = NULL; + bool verbose = false; + + /* Long options. */ + struct option opts[] = { + { "config", required_argument, NULL, 'c' }, + { "confdb", required_argument, NULL, 'C' }, + { "max-conf-size", required_argument, NULL, 'm' }, + { "socket", required_argument, NULL, 's' }, + { "daemonize", optional_argument, NULL, 'd' }, + { "verbose", no_argument, NULL, 'v' }, + { "help", no_argument, NULL, 'h' }, + { "version", no_argument, NULL, 'V' }, + { NULL } + }; + + /* Set the time zone. */ + tzset(); + + /* Parse command line arguments. */ + int opt = 0; + while ((opt = getopt_long(argc, argv, "c:C:m:s:dvhV", opts, NULL)) != -1) { + switch (opt) { + case 'c': + config = optarg; + break; + case 'C': + confdb = optarg; + break; + case 'm': + if (str_to_size(optarg, &max_conf_size, 1, 10000) != KNOT_EOK) { + print_help(); + return EXIT_FAILURE; + } + /* Convert to bytes. */ + max_conf_size *= 1024 * 1024; + break; + case 's': + socket = optarg; + break; + case 'd': + daemonize = true; + if (optarg) { + daemon_root = optarg; + } + break; + case 'v': + verbose = true; + break; + case 'h': + print_help(); + return EXIT_SUCCESS; + case 'V': + print_version(); + return EXIT_SUCCESS; + default: + print_help(); + return EXIT_FAILURE; + } + } + + /* Check for non-option parameters. */ + if (argc - optind > 0) { + print_help(); + return EXIT_FAILURE; + } + + /* Set file creation mask to remove all permissions for others. */ + umask(S_IROTH|S_IWOTH|S_IXOTH); + + /* Now check if we want to daemonize. */ + if (daemonize) { + if (make_daemon(1, 0) != 0) { + fprintf(stderr, "Daemonization failed, shutting down...\n"); + return EXIT_FAILURE; + } + } + + /* Setup base signal handling. */ + setup_signals(); + + /* Initialize cryptographic backend. */ + dnssec_crypto_init(); + atexit(dnssec_crypto_cleanup); + + /* Initialize pseudorandom number generator. */ + srand(time(NULL)); + + /* Initialize logging subsystem. */ + log_init(); + if (verbose) { + log_levels_add(LOG_TARGET_STDOUT, LOG_SOURCE_ANY, LOG_MASK(LOG_DEBUG)); + } + + /* Set up the configuration */ + int ret = set_config(confdb, config, max_conf_size); + if (ret != KNOT_EOK) { + log_close(); + return EXIT_FAILURE; + } + + /* Reconfigure logging. */ + log_reconfigure(conf()); + + /* Initialize server. */ + server_t server; + ret = server_init(&server, conf()->cache.srv_bg_threads); + if (ret != KNOT_EOK) { + log_fatal("failed to initialize server (%s)", knot_strerror(ret)); + conf_free(conf()); + log_close(); + return EXIT_FAILURE; + } + + /* Reconfigure server workers, interfaces, and databases. + * @note This MUST be done before we drop privileges. */ + ret = server_reconfigure(conf(), &server); + if (ret != KNOT_EOK) { + log_fatal("failed to configure server"); + server_wait(&server); + server_deinit(&server); + conf_free(conf()); + log_close(); + return EXIT_FAILURE; + } + + /* Alter privileges. */ + int uid, gid; + if (conf_user(conf(), &uid, &gid) != KNOT_EOK || + log_update_privileges(uid, gid) != KNOT_EOK || + proc_update_privileges(uid, gid) != KNOT_EOK) { + log_fatal("failed to drop privileges"); + server_wait(&server); + server_deinit(&server); + conf_free(conf()); + log_close(); + return EXIT_FAILURE; + } + + /* Drop POSIX capabilities. */ + drop_capabilities(); + + /* Activate global query modules. */ + conf_activate_modules(conf(), &server, NULL, conf()->query_modules, + &conf()->query_plan); + + /* Check and create PID file. */ + long pid = (long)getpid(); + if (daemonize) { + char *pidfile = pid_check_and_create(); + if (pidfile == NULL) { + server_wait(&server); + server_deinit(&server); + conf_free(conf()); + log_close(); + return EXIT_FAILURE; + } + + log_info("PID stored in '%s'", pidfile); + free(pidfile); + if (chdir(daemon_root) != 0) { + log_warning("failed to change working directory to %s", + daemon_root); + } else { + log_info("changed directory to %s", daemon_root); + } + } + + /* Now we're going multithreaded. */ + rcu_register_thread(); + + /* Populate zone database. */ + log_info("loading %zu zones", conf_id_count(conf(), C_ZONE)); + server_update_zones(conf(), &server); + + /* Check number of loaded zones. */ + if (knot_zonedb_size(server.zone_db) == 0) { + log_warning("no zones loaded"); + } + + stats_reconfigure(conf(), &server); + + /* Start it up. */ + log_info("starting server"); + conf_val_t async_val = conf_get(conf(), C_SRV, C_ASYNC_START); + ret = server_start(&server, conf_bool(&async_val)); + if (ret != KNOT_EOK) { + log_fatal("failed to start server (%s)", knot_strerror(ret)); + server_wait(&server); + stats_deinit(); + server_deinit(&server); + rcu_unregister_thread(); + pid_cleanup(); + log_close(); + conf_free(conf()); + return EXIT_FAILURE; + } + + if (daemonize) { + log_info("server started as a daemon, PID %ld", pid); + } else { + log_info("server started in the foreground, PID %ld", pid); + init_signal_started(); + } + + /* Start the event loop. */ + event_loop(&server, socket); + + /* Teardown server. */ + server_stop(&server); + server_wait(&server); + stats_deinit(); + + /* Cleanup PID file. */ + pid_cleanup(); + + /* Free server and configuration. */ + server_deinit(&server); + conf_free(conf()); + + /* Unhook from RCU. */ + rcu_unregister_thread(); + + log_info("shutting down"); + log_close(); + + return EXIT_SUCCESS; +} diff --git a/src/utils/knsec3hash/knsec3hash.c b/src/utils/knsec3hash/knsec3hash.c new file mode 100644 index 0000000..6a02440 --- /dev/null +++ b/src/utils/knsec3hash/knsec3hash.c @@ -0,0 +1,176 @@ +/* Copyright (C) 2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#include <getopt.h> +#include <stdbool.h> +#include <stdint.h> +#include <stdio.h> +#include <string.h> + +#include "contrib/base32hex.h" +#include "contrib/string.h" +#include "contrib/strtonum.h" +#include "libdnssec/error.h" +#include "libdnssec/nsec.h" +#include "libknot/libknot.h" +#include "utils/common/params.h" + +#define PROGRAM_NAME "knsec3hash" + +#define error(fmt, ...) fprintf(stderr, fmt "\n", ##__VA_ARGS__) + +/*! + * \brief Print program help (and example). + */ +static void print_help(void) +{ + printf("Usage: " PROGRAM_NAME " <salt> <algorithm> <iterations> <domain-name>\n"); + printf("Example: " PROGRAM_NAME " c01dcafe 1 10 knot-dns.cz\n"); +} + +/*! + * \brief Parse NSEC3 salt. + */ +static int str_to_salt(const char *str, dnssec_binary_t *salt) +{ + if (strcmp(str, "-") == 0) { + salt->size = 0; + return DNSSEC_EOK; + } else { + salt->data = hex_to_bin(str, &salt->size); + return (salt->data != NULL ? DNSSEC_EOK : DNSSEC_EINVAL); + } +} + +/*! + * \brief Parse NSEC3 parameters and fill structure with NSEC3 parameters. + */ +static bool parse_nsec3_params(dnssec_nsec3_params_t *params, const char *salt_str, + const char *algorithm_str, const char *iterations_str) +{ + uint8_t algorithm = 0; + int r = str_to_u8(algorithm_str, &algorithm); + if (r != KNOT_EOK) { + error("Invalid algorithm number."); + return false; + } + + uint16_t iterations = 0; + r = str_to_u16(iterations_str, &iterations); + if (r != KNOT_EOK) { + error("Invalid iteration count."); + return false; + } + + dnssec_binary_t salt = { 0 }; + r = str_to_salt(salt_str, &salt); + if (r != DNSSEC_EOK) { + error("Invalid salt, %s.", knot_strerror(r)); + return false; + } + + if (salt.size > UINT8_MAX) { + error("Invalid salt, maximum length is %d bytes.", UINT8_MAX); + dnssec_binary_free(&salt); + return false; + } + + params->algorithm = algorithm; + params->iterations = iterations; + params->salt = salt; + params->flags = 0; + + return true; +} + +/*! + * \brief Entry point of 'knsec3hash'. + */ +int main(int argc, char *argv[]) +{ + struct option options[] = { + { "help", no_argument, NULL, 'h' }, + { "version", no_argument, NULL, 'V' }, + { NULL } + }; + + int opt = 0; + while ((opt = getopt_long(argc, argv, "hV", options, NULL)) != -1) { + switch(opt) { + case 'h': + print_help(); + return EXIT_SUCCESS; + case 'V': + print_version(PROGRAM_NAME); + return EXIT_SUCCESS; + default: + print_help(); + return EXIT_FAILURE; + } + } + + // knsec3hash <salt> <algorithm> <iterations> <domain> + if (argc != 5) { + print_help(); + return EXIT_FAILURE; + } + + int exit_code = EXIT_FAILURE; + dnssec_nsec3_params_t nsec3_params = { 0 }; + + dnssec_binary_t dname = { 0 }; + dnssec_binary_t digest = { 0 }; + dnssec_binary_t digest_print = { 0 }; + + if (!parse_nsec3_params(&nsec3_params, argv[1], argv[2], argv[3])) { + goto fail; + } + + dname.data = knot_dname_from_str_alloc(argv[4]); + if (dname.data == NULL) { + error("Cannot parse domain name."); + goto fail; + } + knot_dname_to_lower(dname.data); + dname.size = knot_dname_size(dname.data); + + int r = dnssec_nsec3_hash(&dname, &nsec3_params, &digest); + if (r != DNSSEC_EOK) { + error("Cannot compute NSEC3 hash, %s.", knot_strerror(r)); + goto fail; + } + + r = knot_base32hex_encode_alloc(digest.data, digest.size, &digest_print.data); + if (r < 0) { + error("Cannot encode computed hash, %s.", knot_strerror(r)); + goto fail; + } + digest_print.size = r; + + exit_code = EXIT_SUCCESS; + + printf("%.*s (salt=%s, hash=%d, iterations=%d)\n", (int)digest_print.size, + digest_print.data, argv[1], nsec3_params.algorithm, + nsec3_params.iterations); + +fail: + dnssec_nsec3_params_free(&nsec3_params); + dnssec_binary_free(&dname); + dnssec_binary_free(&digest); + dnssec_binary_free(&digest_print); + + return exit_code; +} diff --git a/src/utils/knsupdate/knsupdate_exec.c b/src/utils/knsupdate/knsupdate_exec.c new file mode 100644 index 0000000..dc0b526 --- /dev/null +++ b/src/utils/knsupdate/knsupdate_exec.c @@ -0,0 +1,1059 @@ +/* Copyright (C) 2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#include <assert.h> +#include <errno.h> +#include <stdio.h> +#include <stdlib.h> +#include <sys/socket.h> +#include <unistd.h> + +#include "libdnssec/random.h" +#include "utils/knsupdate/knsupdate_exec.h" +#include "utils/common/exec.h" +#include "utils/common/msg.h" +#include "utils/common/netio.h" +#include "utils/common/params.h" +#include "utils/common/sign.h" +#include "utils/common/token.h" +#include "libknot/libknot.h" +#include "contrib/ctype.h" +#include "contrib/getline.h" +#include "contrib/macros.h" +#include "contrib/string.h" +#include "contrib/strtonum.h" +#include "contrib/openbsd/strlcpy.h" + +/* Declarations of cmd parse functions. */ +typedef int (*cmd_handle_f)(const char *lp, knsupdate_params_t *params); +int cmd_add(const char* lp, knsupdate_params_t *params); +int cmd_answer(const char* lp, knsupdate_params_t *params); +int cmd_class(const char* lp, knsupdate_params_t *params); +int cmd_debug(const char* lp, knsupdate_params_t *params); +int cmd_del(const char* lp, knsupdate_params_t *params); +int cmd_gsstsig(const char* lp, knsupdate_params_t *params); +int cmd_key(const char* lp, knsupdate_params_t *params); +int cmd_local(const char* lp, knsupdate_params_t *params); +int cmd_nxdomain(const char *lp, knsupdate_params_t *params); +int cmd_nxrrset(const char *lp, knsupdate_params_t *params); +int cmd_oldgsstsig(const char* lp, knsupdate_params_t *params); +int cmd_origin(const char* lp, knsupdate_params_t *params); +int cmd_prereq(const char* lp, knsupdate_params_t *params); +int cmd_quit(const char* lp, knsupdate_params_t *params); +int cmd_realm(const char* lp, knsupdate_params_t *params); +int cmd_send(const char* lp, knsupdate_params_t *params); +int cmd_server(const char* lp, knsupdate_params_t *params); +int cmd_show(const char* lp, knsupdate_params_t *params); +int cmd_ttl(const char* lp, knsupdate_params_t *params); +int cmd_update(const char* lp, knsupdate_params_t *params); +int cmd_yxdomain(const char *lp, knsupdate_params_t *params); +int cmd_yxrrset(const char *lp, knsupdate_params_t *params); +int cmd_zone(const char* lp, knsupdate_params_t *params); + +/* Sorted list of commands. + * This way we could identify command byte-per-byte and + * cancel early if the next is lexicographically greater. + */ +const char* cmd_array[] = { + "\x3" "add", + "\x6" "answer", + "\x5" "class", /* {classname} */ + "\x5" "debug", + "\x3" "del", + "\x6" "delete", + "\x7" "gsstsig", + "\x3" "key", /* {[alg:]name} {secret} */ + "\x5" "local", /* {address} [port] */ + "\x8" "nxdomain", + "\x7" "nxrrset", + "\xa" "oldgsstsig", + "\x6" "origin", /* {name} */ + "\x6" "prereq", /* (nx|yx)(domain|rrset) {domain-name} ... */ + "\x4" "quit", + "\x5" "realm", /* {[realm_name]} */ + "\x4" "send", + "\x6" "server", /* {servername} [port] */ + "\x4" "show", + "\x3" "ttl", /* {seconds} */ + "\x6" "update", /* (add|delete) {domain-name} ... */ + "\x8" "yxdomain", + "\x7" "yxrrset", + "\x4" "zone", /* {zonename} */ + NULL +}; + +cmd_handle_f cmd_handle[] = { + cmd_add, + cmd_answer, + cmd_class, + cmd_debug, + cmd_del, + cmd_del, /* delete/del synonyms */ + cmd_gsstsig, + cmd_key, + cmd_local, + cmd_nxdomain, + cmd_nxrrset, + cmd_oldgsstsig, + cmd_origin, + cmd_prereq, + cmd_quit, + cmd_realm, + cmd_send, + cmd_server, + cmd_show, + cmd_ttl, + cmd_update, + cmd_yxdomain, + cmd_yxrrset, + cmd_zone, +}; + +/* {prereq} command table. */ +const char* pq_array[] = { + "\x8" "nxdomain", + "\x7" "nxrrset", + "\x8" "yxdomain", + "\x7" "yxrrset", + NULL +}; + +enum { + PQ_NXDOMAIN = 0, + PQ_NXRRSET, + PQ_YXDOMAIN, + PQ_YXRRSET +}; + +/* RR parser flags */ +enum { + PARSE_NODEFAULT = 1 << 0, /* Do not fill defaults. */ + PARSE_NAMEONLY = 1 << 1, /* Parse only name. */ + PARSE_NOTTL = 1 << 2 /* Ignore TTL item. */ +}; + +static bool dname_isvalid(const char *lp) +{ + knot_dname_t *dn = knot_dname_from_str_alloc(lp); + if (dn == NULL) { + return false; + } + knot_dname_free(dn, NULL); + return true; +} + +/* This is probably redundant, but should be a bit faster so let's keep it. */ +static int parse_full_rr(zs_scanner_t *s, const char* lp) +{ + if (zs_set_input_string(s, lp, strlen(lp)) != 0 || + zs_parse_all(s) != 0) { + ERR("invalid record (%s)\n", zs_strerror(s->error.code)); + return KNOT_EPARSEFAIL; + } + + /* Class must not differ from specified. */ + if (s->r_class != s->default_class) { + char cls_s[16] = ""; + knot_rrclass_to_string(s->default_class, cls_s, sizeof(cls_s)); + ERR("class mismatch '%s'\n", cls_s); + return KNOT_EPARSEFAIL; + } + + return KNOT_EOK; +} + +static int parse_partial_rr(zs_scanner_t *s, const char *lp, unsigned flags) +{ + /* Extract owner. */ + size_t len = strcspn(lp, SEP_CHARS); + char *owner_str = calloc(1, len + 2); // 2 ~ ('.' + '\0') + memcpy(owner_str, lp, len); + + /* Make dname FQDN if it isn't. */ + bool fqdn = true; + if (owner_str[len - 1] != '.') { + owner_str[len] = '.'; + fqdn = false; + } + + knot_dname_t *owner = knot_dname_from_str_alloc(owner_str); + free(owner_str); + if (owner == NULL) { + return KNOT_ENOMEM; + } + + s->r_owner_length = knot_dname_size(owner); + memcpy(s->r_owner, owner, s->r_owner_length); + knot_dname_free(owner, NULL); + + /* Append origin if not FQDN. */ + if (!fqdn) { + s->r_owner_length--; + memcpy(s->r_owner + s->r_owner_length, s->zone_origin, + s->zone_origin_length); + s->r_owner_length += s->zone_origin_length; + } + + lp = tok_skipspace(lp + len); + + /* Initialize */ + s->r_type = KNOT_RRTYPE_ANY; + s->r_class = s->default_class; + s->r_data_length = 0; + if (flags & PARSE_NODEFAULT) { + s->r_ttl = 0; + } else { + s->r_ttl = s->default_ttl; + } + + /* Parse only name? */ + if (flags & PARSE_NAMEONLY) { + if (*lp != '\0') { + WARN("ignoring input data '%s'\n", lp); + } + return KNOT_EOK; + } + + /* Now there could be [ttl] [class] [type [data...]]. */ + char *np = NULL; + long ttl = strtol(lp, &np, 10); + if (ttl >= 0 && np && (*np == '\0' || is_space(*np))) { + DBG("%s: parsed ttl=%lu\n", __func__, ttl); + if (flags & PARSE_NOTTL) { + WARN("ignoring TTL value '%ld'\n", ttl); + } else { + s->r_ttl = ttl; + } + lp = tok_skipspace(np); + } + + uint16_t num; + char *buff = NULL; + char *cls = NULL; + char *type = NULL; + + /* Try to find class. */ + len = strcspn(lp, SEP_CHARS); + if (len > 0) { + buff = strndup(lp, len); + } + + if (knot_rrclass_from_string(buff, &num) == 0) { + /* Class must not differ from specified. */ + if (num != s->default_class) { + ERR("class mismatch '%s'\n", buff); + free(buff); + return KNOT_EPARSEFAIL; + } + cls = buff; + buff = NULL; + s->r_class = num; + DBG("%s: parsed class=%u '%s'\n", __func__, s->r_class, cls); + lp = tok_skipspace(lp + len); + } + + /* Try to parser type. */ + if (cls != NULL) { + len = strcspn(lp, SEP_CHARS); + if (len > 0) { + buff = strndup(lp, len); + } + } + if (knot_rrtype_from_string(buff, &num) == 0) { + type = buff; + buff = NULL; + s->r_type = num; + DBG("%s: parsed type=%u '%s'\n", __func__, s->r_type, type); + lp = tok_skipspace(lp + len); + } + + free(buff); + + /* Remainder */ + if (*lp == '\0') { + free(cls); + free(type); + return KNOT_EOK; + } + + /* Need to parse rdata, synthetize input. */ + char *rr = sprintf_alloc(" %u IN %s %s\n", s->r_ttl, type, lp); + free(cls); + free(type); + if (rr == NULL) { + return KNOT_ENOMEM; + } + if (zs_set_input_string(s, rr, strlen(rr)) != 0 || + zs_parse_all(s) != 0) { + ERR("invalid rdata (%s)\n", zs_strerror(s->error.code)); + return KNOT_EPARSEFAIL; + } + free(rr); + + return KNOT_EOK; +} + +static srv_info_t *parse_host(const char *lp, const char* default_port) +{ + /* Extract server address. */ + srv_info_t *srv = NULL; + size_t len = strcspn(lp, SEP_CHARS); + char *addr = strndup(lp, len); + if (!addr) return NULL; + DBG("%s: parsed addr: %s\n", __func__, addr); + + /* Store port/service if present. */ + lp = tok_skipspace(lp + len); + if (*lp == '\0') { + srv = srv_info_create(addr, default_port); + free(addr); + return srv; + } + + len = strcspn(lp, SEP_CHARS); + char *port = strndup(lp, len); + if (!port) { + free(addr); + return NULL; + } + DBG("%s: parsed port: %s\n", __func__, port); + + /* Create server struct. */ + srv = srv_info_create(addr, port); + free(addr); + free(port); + return srv; +} + +/* Append parsed RRSet to list. */ +static int rr_list_append(zs_scanner_t *s, list_t *target_list, knot_mm_t *mm) +{ + knot_rrset_t *rr = knot_rrset_new(s->r_owner, s->r_type, s->r_class, + s->r_ttl, NULL); + if (!rr) { + DBG("%s: failed to create rrset\n", __func__); + return KNOT_ENOMEM; + } + + /* Create RDATA. */ + int ret = knot_rrset_add_rdata(rr, s->r_data, s->r_data_length, NULL); + if (ret != KNOT_EOK) { + DBG("%s: failed to set rrset from wire (%s)\n", + __func__, knot_strerror(ret)); + knot_rrset_free(rr, NULL); + return ret; + } + + if (ptrlist_add(target_list, rr, mm) == NULL) { + knot_rrset_free(rr, NULL); + return KNOT_ENOMEM; + } + + return KNOT_EOK; +} + +/*! \brief Write RRSet list to packet section. */ +static int rr_list_to_packet(knot_pkt_t *dst, list_t *list) +{ + assert(dst != NULL); + assert(list != NULL); + + ptrnode_t *node; + WALK_LIST(node, *list) { + int ret = knot_pkt_put(dst, KNOT_COMPR_HINT_NONE, + (knot_rrset_t *)node->d, 0); + if (ret != KNOT_EOK) { + return ret; + } + } + + return KNOT_EOK; +} + +/*! \brief Build UPDATE query. */ +static int build_query(knsupdate_params_t *params) +{ + /* Clear old query. */ + knot_pkt_t *query = params->query; + knot_pkt_clear(query); + + /* Write question. */ + knot_wire_set_id(query->wire, dnssec_random_uint16_t()); + knot_wire_set_opcode(query->wire, KNOT_OPCODE_UPDATE); + knot_dname_t *qname = knot_dname_from_str_alloc(params->zone); + int ret = knot_pkt_put_question(query, qname, params->class_num, + params->type_num); + knot_dname_free(qname, NULL); + if (ret != KNOT_EOK) { + return ret; + } + + /* Now, PREREQ => ANSWER section. */ + ret = knot_pkt_begin(query, KNOT_ANSWER); + if (ret != KNOT_EOK) { + return ret; + } + + /* Write PREREQ. */ + ret = rr_list_to_packet(query, ¶ms->prereq_list); + if (ret != KNOT_EOK) { + return ret; + } + + /* Now, UPDATE data => AUTHORITY section. */ + ret = knot_pkt_begin(query, KNOT_AUTHORITY); + if (ret != KNOT_EOK) { + return ret; + } + + /* Write UPDATE data. */ + return rr_list_to_packet(query, ¶ms->update_list); +} + +static int pkt_sendrecv(knsupdate_params_t *params) +{ + net_t net; + int ret; + + ret = net_init(params->srcif, + params->server, + get_iptype(params->ip), + get_socktype(params->protocol, KNOT_RRTYPE_SOA), + params->wait, + NET_FLAGS_NONE, + NULL, + NULL, + &net); + if (ret != KNOT_EOK) { + return -1; + } + + ret = net_connect(&net); + DBG("%s: send_msg = %d\n", __func__, net.sockfd); + if (ret != KNOT_EOK) { + net_clean(&net); + return -1; + } + + ret = net_send(&net, params->query->wire, params->query->size); + if (ret != KNOT_EOK) { + net_close(&net); + net_clean(&net); + return -1; + } + + /* Clear response buffer. */ + knot_pkt_clear(params->answer); + + /* Wait for reception. */ + int rb = net_receive(&net, params->answer->wire, params->answer->max_size); + DBG("%s: receive_msg = %d\n", __func__, rb); + if (rb <= 0) { + net_close(&net); + net_clean(&net); + return -1; + } else { + params->answer->size = rb; + } + + net_close(&net); + net_clean(&net); + + return rb; +} + +static int process_line(char *lp, void *arg) +{ + knsupdate_params_t *params = (knsupdate_params_t *)arg; + + /* Check for empty line or comment. */ + if (lp[0] == '\0' || lp[0] == ';') { + return KNOT_EOK; + } + + int ret = tok_find(lp, cmd_array); + if (ret < 0) { + return ret; /* Syntax error - do nothing. */ + } + + const char *cmd = cmd_array[ret]; + const char *val = tok_skipspace(lp + TOK_L(cmd)); + ret = cmd_handle[ret](val, params); + if (ret != KNOT_EOK) { + DBG("operation '%s' failed (%s) on line '%s'\n", + TOK_S(cmd), knot_strerror(ret), lp); + } + + return ret; +} + +static bool is_terminal(FILE *file) +{ + int fd = fileno(file); + assert(fd >= 0); + return isatty(fd); +} + +static int process_lines(knsupdate_params_t *params, FILE *input) +{ + char *buf = NULL; + size_t buflen = 0; + bool interactive = is_terminal(input); + int ret = KNOT_EOK; + + /* Print first program prompt if interactive. */ + if (interactive) { + fprintf(stderr, "> "); + } + + /* Process lines. */ + while (!params->stop && knot_getline(&buf, &buflen, input) != -1) { + /* Remove leading and trailing white space. */ + char *line = strstrip(buf); + int call_ret = process_line(line, params); + memset(line, 0, strlen(line)); + free(line); + if (call_ret != KNOT_EOK) { + /* Return the first error. */ + if (ret == KNOT_EOK) { + ret = call_ret; + } + + /* Exit if error and not interactive. */ + if (!interactive) { + break; + } + } + + /* Print program prompt if interactive. */ + if (interactive && !params->stop) { + fprintf(stderr, "> "); + } + } + + if (interactive && feof(input)) { + /* Terminate line after empty prompt. */ + fprintf(stderr, "\n"); + } + + if (buf != NULL) { + memset(buf, 0, buflen); + free(buf); + } + + return ret; +} + +int knsupdate_exec(knsupdate_params_t *params) +{ + if (!params) { + return KNOT_EINVAL; + } + + int ret = KNOT_EOK; + + /* If no file specified, use stdin. */ + if (EMPTY_LIST(params->qfiles)) { + ret = process_lines(params, stdin); + } + + /* Read from each specified file. */ + ptrnode_t *n; + WALK_LIST(n, params->qfiles) { + const char *filename = (const char*)n->d; + if (strcmp(filename, "-") == 0) { + ret = process_lines(params, stdin); + if (ret != KNOT_EOK) { + break; + } + continue; + } + + FILE *fp = fopen(filename, "r"); + if (!fp) { + ERR("failed to open '%s' (%s)\n", + filename, strerror(errno)); + ret = KNOT_EFILE; + break; + } + ret = process_lines(params, fp); + fclose(fp); + if (ret != KNOT_EOK) { + break; + } + } + + return ret; +} + +int cmd_update(const char* lp, knsupdate_params_t *params) +{ + DBG("%s: lp='%s'\n", __func__, lp); + + /* update is optional token, next add|del|delete */ + int bp = tok_find(lp, cmd_array); + if (bp < 0) return bp; /* Syntax error. */ + + /* allow only specific tokens */ + cmd_handle_f *h = cmd_handle; + if (h[bp] != cmd_add && h[bp] != cmd_del) { + ERR("unexpected token '%s' after 'update', allowed: '%s'\n", + lp, "{add|del|delete}"); + return KNOT_EPARSEFAIL; + } + + return h[bp](tok_skipspace(lp + TOK_L(cmd_array[bp])), params); +} + +int cmd_add(const char* lp, knsupdate_params_t *params) +{ + DBG("%s: lp='%s'\n", __func__, lp); + + if (parse_full_rr(¶ms->parser, lp) != KNOT_EOK) { + return KNOT_EPARSEFAIL; + } + + return rr_list_append(¶ms->parser, ¶ms->update_list, ¶ms->mm); +} + +int cmd_del(const char* lp, knsupdate_params_t *params) +{ + DBG("%s: lp='%s'\n", __func__, lp); + + zs_scanner_t *rrp = ¶ms->parser; + int ret = parse_partial_rr(rrp, lp, PARSE_NODEFAULT); + if (ret != KNOT_EOK) { + return ret; + } + + /* Check owner name. */ + if (rrp->r_owner_length == 0) { + ERR("failed to parse owner name '%s'\n", lp); + return KNOT_EPARSEFAIL; + } + + rrp->r_ttl = 0; /* Set TTL = 0 when deleting. */ + + /* When deleting whole RRSet, use ANY class */ + if (rrp->r_data_length == 0) { + rrp->r_class = KNOT_CLASS_ANY; + } else { + rrp->r_class = KNOT_CLASS_NONE; + } + + return rr_list_append(rrp, ¶ms->update_list, ¶ms->mm); +} + +int cmd_class(const char* lp, knsupdate_params_t *params) +{ + DBG("%s: lp='%s'\n", __func__, lp); + + uint16_t cls; + + if (knot_rrclass_from_string(lp, &cls) != 0) { + ERR("failed to parse class '%s'\n", lp); + return KNOT_EPARSEFAIL; + } + + params->class_num = cls; + params->parser.default_class = params->class_num; + + return KNOT_EOK; +} + +int cmd_ttl(const char* lp, knsupdate_params_t *params) +{ + DBG("%s: lp='%s'\n", __func__, lp); + + uint32_t ttl = 0; + + if (str_to_u32(lp, &ttl) != KNOT_EOK) { + ERR("failed to parse ttl '%s'\n", lp); + return KNOT_EPARSEFAIL; + } + + return knsupdate_set_ttl(params, ttl); +} + +int cmd_debug(const char* lp, knsupdate_params_t *params) +{ + UNUSED(params); + DBG("%s: lp='%s'\n", __func__, lp); + + msg_enable_debug(1); + + return KNOT_EOK; +} + +int cmd_nxdomain(const char *lp, knsupdate_params_t *params) +{ + DBG("%s: lp='%s'\n", __func__, lp); + + zs_scanner_t *s = ¶ms->parser; + int ret = parse_partial_rr(s, lp, PARSE_NODEFAULT | PARSE_NAMEONLY); + if (ret != KNOT_EOK) { + return ret; + } + + s->r_ttl = 0; + s->r_class = KNOT_CLASS_NONE; + + return rr_list_append(s, ¶ms->prereq_list, ¶ms->mm); +} + +int cmd_yxdomain(const char *lp, knsupdate_params_t *params) +{ + DBG("%s: lp='%s'\n", __func__, lp); + + zs_scanner_t *s = ¶ms->parser; + int ret = parse_partial_rr(s, lp, PARSE_NODEFAULT | PARSE_NAMEONLY); + if (ret != KNOT_EOK) { + return ret; + } + + s->r_ttl = 0; + s->r_class = KNOT_CLASS_ANY; + + return rr_list_append(s, ¶ms->prereq_list, ¶ms->mm); +} + +int cmd_nxrrset(const char *lp, knsupdate_params_t *params) +{ + DBG("%s: lp='%s'\n", __func__, lp); + + zs_scanner_t *s = ¶ms->parser; + int ret = parse_partial_rr(s, lp, PARSE_NOTTL); + if (ret != KNOT_EOK) { + return ret; + } + + /* Check owner name. */ + if (s->r_owner_length == 0) { + ERR("failed to parse prereq owner name '%s'\n", lp); + return KNOT_EPARSEFAIL; + } + + s->r_ttl = 0; + s->r_class = KNOT_CLASS_NONE; + + return rr_list_append(s, ¶ms->prereq_list, ¶ms->mm); +} + +int cmd_yxrrset(const char *lp, knsupdate_params_t *params) +{ + DBG("%s: lp='%s'\n", __func__, lp); + + zs_scanner_t *s = ¶ms->parser; + int ret = parse_partial_rr(s, lp, PARSE_NOTTL); + if (ret != KNOT_EOK) { + return ret; + } + + /* Check owner name. */ + if (s->r_owner_length == 0) { + ERR("failed to parse prereq owner name '%s'\n", lp); + return KNOT_EPARSEFAIL; + } + + s->r_ttl = 0; + if (s->r_data_length > 0) { + s->r_class = KNOT_CLASS_IN; + } else { + s->r_class = KNOT_CLASS_ANY; + } + + return rr_list_append(s, ¶ms->prereq_list, ¶ms->mm); +} + +int cmd_prereq(const char* lp, knsupdate_params_t *params) +{ + DBG("%s: lp='%s'\n", __func__, lp); + + /* Scan prereq specifier ([ny]xrrset|[ny]xdomain) */ + int prereq_type = tok_find(lp, pq_array); + if (prereq_type < 0) { + return prereq_type; + } + + const char *tok = pq_array[prereq_type]; + DBG("%s: type %s\n", __func__, TOK_S(tok)); + lp = tok_skipspace(lp + TOK_L(tok)); + + int ret = KNOT_EOK; + switch(prereq_type) { + case PQ_NXDOMAIN: + ret = cmd_nxdomain(lp, params); + break; + case PQ_YXDOMAIN: + ret = cmd_yxdomain(lp, params); + break; + case PQ_NXRRSET: + ret = cmd_nxrrset(lp, params); + break; + case PQ_YXRRSET: + ret = cmd_yxrrset(lp, params); + break; + default: + ret = KNOT_ERROR; + } + + return ret; +} + +int cmd_quit(const char* lp, knsupdate_params_t *params) +{ + DBG("%s: lp='%s'\n", __func__, lp); + + params->stop = true; + + return KNOT_EOK; +} + +int cmd_send(const char* lp, knsupdate_params_t *params) +{ + DBG("%s: lp='%s'\n", __func__, lp); + DBG("sending packet\n"); + + /* Build query packet. */ + int ret = build_query(params); + if (ret != KNOT_EOK) { + ERR("failed to build UPDATE message (%s)\n", knot_strerror(ret)); + return ret; + } + + /* Sign if key specified. */ + sign_context_t sign_ctx = { 0 }; + if (params->tsig_key.name) { + ret = sign_context_init_tsig(&sign_ctx, ¶ms->tsig_key); + if (ret != KNOT_EOK) { + ERR("failed to initialize signing context (%s)\n", + knot_strerror(ret)); + return ret; + } + + ret = sign_packet(params->query, &sign_ctx); + if (ret != KNOT_EOK) { + ERR("failed to sign UPDATE message (%s)\n", + knot_strerror(ret)); + sign_context_deinit(&sign_ctx); + return ret; + } + } + + int rb = 0; + /* Send/recv message (1 try + N retries). */ + int tries = 1 + params->retries; + for (; tries > 0; --tries) { + rb = pkt_sendrecv(params); + if (rb > 0) { + break; + } + } + + /* Check Send/recv result. */ + if (rb <= 0) { + sign_context_deinit(&sign_ctx); + return KNOT_ECONNREFUSED; + } + + /* Parse response. */ + ret = knot_pkt_parse(params->answer, 0); + if (ret != KNOT_EOK) { + ERR("failed to parse response (%s)\n", knot_strerror(ret)); + sign_context_deinit(&sign_ctx); + return ret; + } + + /* Check signature if expected. */ + if (params->tsig_key.name) { + ret = verify_packet(params->answer, &sign_ctx); + sign_context_deinit(&sign_ctx); + if (ret != KNOT_EOK) { + print_packet(params->answer, NULL, 0, -1, 0, true, + ¶ms->style); + ERR("reply verification (%s)\n", knot_strerror(ret)); + return ret; + } + } + + /* Free RRSet lists. */ + knsupdate_reset(params); + + /* Check return code. */ + if (knot_pkt_ext_rcode(params->answer) != KNOT_RCODE_NOERROR) { + print_packet(params->answer, NULL, 0, -1, 0, true, ¶ms->style); + ERR("update failed with error '%s'\n", + knot_pkt_ext_rcode_name(params->answer)); + ret = KNOT_ERROR; + } else { + DBG("update success\n"); + } + + return ret; +} + +int cmd_zone(const char* lp, knsupdate_params_t *params) +{ + DBG("%s: lp='%s'\n", __func__, lp); + + /* Check zone name. */ + if (!dname_isvalid(lp)) { + ERR("failed to parse zone '%s'\n", lp); + return KNOT_EPARSEFAIL; + } + + free(params->zone); + params->zone = strdup(lp); + + return KNOT_EOK; +} + +int cmd_server(const char* lp, knsupdate_params_t *params) +{ + DBG("%s: lp='%s'\n", __func__, lp); + + /* Parse host. */ + srv_info_t *srv = parse_host(lp, params->server->service); + if (!srv) { + ERR("failed to parse server '%s'\n", lp); + return KNOT_ENOMEM; + } + + srv_info_free(params->server); + params->server = srv; + + return KNOT_EOK; +} + +int cmd_local(const char* lp, knsupdate_params_t *params) +{ + DBG("%s: lp='%s'\n", __func__, lp); + + /* Parse host. */ + srv_info_t *srv = parse_host(lp, "0"); + if (!srv) { + ERR("failed to parse local '%s'\n", lp); + return KNOT_ENOMEM; + } + + srv_info_free(params->srcif); + params->srcif = srv; + + return KNOT_EOK; +} + +int cmd_show(const char* lp, knsupdate_params_t *params) +{ + DBG("%s: lp='%s'\n", __func__, lp); + + if (!params->query) { + return KNOT_EOK; + } + + printf("Update query:\n"); + build_query(params); + print_packet(params->query, NULL, 0, -1, 0, false, ¶ms->style); + printf("\n"); + + return KNOT_EOK; +} + +int cmd_answer(const char* lp, knsupdate_params_t *params) +{ + DBG("%s: lp='%s'\n", __func__, lp); + + if (!params->answer) { + return KNOT_EOK; + } + + printf("\nAnswer:\n"); + print_packet(params->answer, NULL, 0, -1, 0, true, ¶ms->style); + + return KNOT_EOK; +} + +int cmd_key(const char* lp, knsupdate_params_t *params) +{ + DBG("%s: lp='%s'\n", __func__, lp); + + /* Convert to default format. */ + char *kstr = strdup(lp); + if (!kstr) { + return KNOT_ENOMEM; + } + + int ret = KNOT_EOK; + + /* Search for the name secret separation. Allow also alg:name:key form. */ + char *sep = strchr(kstr, ' '); + if (sep != NULL) { + /* Replace ' ' with ':'. More spaces are ignored in base64. */ + *sep = ':'; + } + + /* Override existing key. */ + knot_tsig_key_deinit(¶ms->tsig_key); + + ret = knot_tsig_key_init_str(¶ms->tsig_key, kstr); + if (ret != KNOT_EOK) { + ERR("invalid key specification\n"); + } + + free(kstr); + + return ret; +} + +int cmd_origin(const char* lp, knsupdate_params_t *params) +{ + DBG("%s: lp='%s'\n", __func__, lp); + + /* Check zone name. */ + if (!dname_isvalid(lp)) { + ERR("failed to parse zone '%s'\n", lp); + return KNOT_EPARSEFAIL; + } + + return knsupdate_set_origin(params, lp); +} + +/* + * Not implemented. + */ + +int cmd_gsstsig(const char* lp, knsupdate_params_t *params) +{ + UNUSED(params); + DBG("%s: lp='%s'\n", __func__, lp); + + return KNOT_ENOTSUP; +} + +int cmd_oldgsstsig(const char* lp, knsupdate_params_t *params) +{ + UNUSED(params); + DBG("%s: lp='%s'\n", __func__, lp); + + return KNOT_ENOTSUP; +} + +int cmd_realm(const char* lp, knsupdate_params_t *params) +{ + UNUSED(params); + DBG("%s: lp='%s'\n", __func__, lp); + + return KNOT_ENOTSUP; +} diff --git a/src/utils/knsupdate/knsupdate_exec.h b/src/utils/knsupdate/knsupdate_exec.h new file mode 100644 index 0000000..1cf8708 --- /dev/null +++ b/src/utils/knsupdate/knsupdate_exec.h @@ -0,0 +1,21 @@ +/* Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#pragma once + +#include "utils/knsupdate/knsupdate_params.h" + +int knsupdate_exec(knsupdate_params_t *params); diff --git a/src/utils/knsupdate/knsupdate_main.c b/src/utils/knsupdate/knsupdate_main.c new file mode 100644 index 0000000..ab65c1e --- /dev/null +++ b/src/utils/knsupdate/knsupdate_main.c @@ -0,0 +1,46 @@ +/* Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#include <stdlib.h> + +#include "libdnssec/crypto.h" +#include "utils/knsupdate/knsupdate_exec.h" +#include "utils/knsupdate/knsupdate_params.h" +#include "libknot/libknot.h" + +int main(int argc, char *argv[]) +{ + + int ret = EXIT_SUCCESS; + + tzset(); + + knsupdate_params_t params; + if (knsupdate_parse(¶ms, argc, argv) == KNOT_EOK) { + if (!params.stop) { + dnssec_crypto_init(); + if (knsupdate_exec(¶ms) != KNOT_EOK) { + ret = EXIT_FAILURE; + } + dnssec_crypto_cleanup(); + } + } else { + ret = EXIT_FAILURE; + } + + knsupdate_clean(¶ms); + return ret; +} diff --git a/src/utils/knsupdate/knsupdate_params.c b/src/utils/knsupdate/knsupdate_params.c new file mode 100644 index 0000000..0789bf2 --- /dev/null +++ b/src/utils/knsupdate/knsupdate_params.c @@ -0,0 +1,314 @@ +/* Copyright (C) 2019 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#include <assert.h> +#include <getopt.h> +#include <stdarg.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> + +#include "utils/knsupdate/knsupdate_params.h" +#include "utils/common/msg.h" +#include "utils/common/netio.h" +#include "libknot/libknot.h" +#include "libknot/tsig.h" +#include "contrib/mempattern.h" +#include "contrib/strtonum.h" +#include "contrib/ucw/mempool.h" + +#define PROGRAM_NAME "knsupdate" + +#define DEFAULT_RETRIES_NSUPDATE 3 +#define DEFAULT_TIMEOUT_NSUPDATE 12 + +static const style_t DEFAULT_STYLE_NSUPDATE = { + .format = FORMAT_NSUPDATE, + .style = { + .wrap = false, + .show_class = true, + .show_ttl = true, + .verbose = false, + .original_ttl = false, + .empty_ttl = false, + .human_ttl = false, + .human_tmstamp = true, + .generic = false, + .ascii_to_idn = NULL + }, + .show_query = false, + .show_header = true, + .show_edns = false, + .show_question = true, + .show_answer = true, + .show_authority = true, + .show_additional = true, + .show_tsig = true, + .show_footer = false +}; + +static void parse_err(zs_scanner_t *s) { + ERR("failed to parse RR: %s\n", zs_strerror(s->error.code)); +} + +static int parser_set_default(zs_scanner_t *s, const char *fmt, ...) +{ + /* Format string. */ + char buf[512]; /* Must suffice for domain name and TTL. */ + va_list ap; + va_start(ap, fmt); + int n = vsnprintf(buf, sizeof(buf), fmt, ap); + va_end(ap); + + if (n < 0 || (size_t)n >= sizeof(buf)) { + return KNOT_ESPACE; + } + + /* Buffer must contain newline */ + if (zs_set_input_string(s, buf, n) != 0 || + zs_parse_all(s) != 0) { + return KNOT_EPARSEFAIL; + } + + return KNOT_EOK; +} + +static int knsupdate_init(knsupdate_params_t *params) +{ + memset(params, 0, sizeof(knsupdate_params_t)); + + /* Initialize lists. */ + init_list(¶ms->qfiles); + init_list(¶ms->update_list); + init_list(¶ms->prereq_list); + + /* Initialize memory context. */ + mm_ctx_mempool(¶ms->mm, MM_DEFAULT_BLKSIZE); + + /* Default server. */ + params->server = srv_info_create(DEFAULT_IPV4_NAME, DEFAULT_DNS_PORT); + if (!params->server) + return KNOT_ENOMEM; + + /* Default settings. */ + params->ip = IP_ALL; + params->protocol = PROTO_ALL; + params->class_num = KNOT_CLASS_IN; + params->type_num = KNOT_RRTYPE_SOA; + params->ttl = 0; + params->retries = DEFAULT_RETRIES_NSUPDATE; + params->wait = DEFAULT_TIMEOUT_NSUPDATE; + params->zone = strdup("."); + + /* Initialize RR parser. */ + if (zs_init(¶ms->parser, ".", params->class_num, 0) != 0 || + zs_set_processing(¶ms->parser, NULL, parse_err, NULL) != 0) { + zs_deinit(¶ms->parser); + return KNOT_ENOMEM; + } + + /* Default style. */ + params->style = DEFAULT_STYLE_NSUPDATE; + + /* Create query/answer packets. */ + params->query = knot_pkt_new(NULL, KNOT_WIRE_MAX_PKTSIZE, ¶ms->mm); + params->answer = knot_pkt_new(NULL, KNOT_WIRE_MAX_PKTSIZE, ¶ms->mm); + + return KNOT_EOK; +} + +void knsupdate_clean(knsupdate_params_t *params) +{ + if (params == NULL) { + return; + } + + /* Clear current query. */ + knsupdate_reset(params); + + /* Free qfiles. */ + ptrlist_free(¶ms->qfiles, ¶ms->mm); + + srv_info_free(params->server); + srv_info_free(params->srcif); + free(params->zone); + zs_deinit(¶ms->parser); + knot_pkt_free(params->query); + knot_pkt_free(params->answer); + knot_tsig_key_deinit(¶ms->tsig_key); + + /* Clean up the structure. */ + mp_delete(params->mm.ctx); + memset(params, 0, sizeof(*params)); +} + +/*! \brief Free RRSet list. */ +static void rr_list_free(list_t *list, knot_mm_t *mm) +{ + assert(list != NULL); + assert(mm != NULL); + + ptrnode_t *node; + WALK_LIST(node, *list) { + knot_rrset_t *rrset = (knot_rrset_t *)node->d; + knot_rrset_free(rrset, NULL); + } + ptrlist_free(list, mm); +} + +void knsupdate_reset(knsupdate_params_t *params) +{ + /* Free ADD/REMOVE RRSets. */ + rr_list_free(¶ms->update_list, ¶ms->mm); + + /* Free PREREQ RRSets. */ + rr_list_free(¶ms->prereq_list, ¶ms->mm); +} + +static void print_help(void) +{ + printf("Usage: %s [-d] [-v] [-k keyfile | -y [hmac:]name:key]\n" + " [-p port] [-t timeout] [-r retries] [filename]\n", + PROGRAM_NAME); +} + +int knsupdate_parse(knsupdate_params_t *params, int argc, char *argv[]) +{ + if (params == NULL || argv == NULL) { + return KNOT_EINVAL; + } + + int ret = knsupdate_init(params); + if (ret != KNOT_EOK) { + return ret; + } + + // Long options. + struct option opts[] = { + { "help", no_argument, NULL, 'h' }, + { "version", no_argument, NULL, 'V' }, + { NULL } + }; + + /* Command line options processing. */ + int opt = 0; + while ((opt = getopt_long(argc, argv, "dhDvVp:t:r:y:k:", opts, NULL)) + != -1) { + switch (opt) { + case 'd': + case 'D': /* Extra debugging. */ + msg_enable_debug(1); + break; + case 'h': + print_help(); + params->stop = true; + return KNOT_EOK; + case 'v': + params->protocol = PROTO_TCP; + break; + case 'V': + print_version(PROGRAM_NAME); + params->stop = true; + return KNOT_EOK; + case 'p': + free(params->server->service); + params->server->service = strdup(optarg); + if (!params->server->service) { + ERR("failed to set default port '%s'\n", optarg); + return KNOT_ENOMEM; + } + break; + case 'r': + ret = str_to_u32(optarg, ¶ms->retries); + if (ret != KNOT_EOK) { + ERR("invalid retries '%s'\n", optarg); + return ret; + } + break; + case 't': + ret = params_parse_wait(optarg, ¶ms->wait); + if (ret != KNOT_EOK) { + ERR("invalid timeout '%s'\n", optarg); + return ret; + } + break; + case 'y': + knot_tsig_key_deinit(¶ms->tsig_key); + ret = knot_tsig_key_init_str(¶ms->tsig_key, optarg); + if (ret != KNOT_EOK) { + ERR("failed to parse key '%s'\n", optarg); + return ret; + } + break; + case 'k': + knot_tsig_key_deinit(¶ms->tsig_key); + ret = knot_tsig_key_init_file(¶ms->tsig_key, optarg); + if (ret != KNOT_EOK) { + ERR("failed to parse keyfile '%s'\n", optarg); + return ret; + } + break; + default: + print_help(); + return KNOT_ENOTSUP; + } + } + + /* No retries for TCP. */ + if (params->protocol == PROTO_TCP) { + params->retries = 0; + } else { + /* If wait/tries < 1 s, set 1 second for each try. */ + if (params->wait > 0 && + (uint32_t)params->wait < ( 1 + params->retries)) { + params->wait = 1; + } else { + params->wait /= (1 + params->retries); + } + } + + /* Process non-option parameters. */ + for (; optind < argc; ++optind) { + ptrlist_add(¶ms->qfiles, argv[optind], ¶ms->mm); + } + + return ret; +} + +int knsupdate_set_ttl(knsupdate_params_t *params, const uint32_t ttl) +{ + int ret = parser_set_default(¶ms->parser, "$TTL %u\n", ttl); + if (ret == KNOT_EOK) { + params->ttl = ttl; + } else { + ERR("failed to set default TTL, %s\n", knot_strerror(ret)); + } + return ret; +} + +int knsupdate_set_origin(knsupdate_params_t *params, const char *origin) +{ + char *fqdn = get_fqd_name(origin); + + int ret = parser_set_default(¶ms->parser, "$ORIGIN %s\n", fqdn); + + free(fqdn); + + if (ret != KNOT_EOK) { + ERR("failed to set default origin, %s\n", knot_strerror(ret)); + } + return ret; +} diff --git a/src/utils/knsupdate/knsupdate_params.h b/src/utils/knsupdate/knsupdate_params.h new file mode 100644 index 0000000..5b0bda6 --- /dev/null +++ b/src/utils/knsupdate/knsupdate_params.h @@ -0,0 +1,74 @@ +/* Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#pragma once + +#include <stdint.h> + +#include "utils/common/netio.h" +#include "utils/common/params.h" +#include "utils/common/sign.h" +#include "libknot/libknot.h" +#include "libzscanner/scanner.h" +#include "contrib/ucw/lists.h" + +/*! \brief knsupdate-specific params data. */ +typedef struct { + /*!< Stop processing - just print help, version,... */ + bool stop; + /*!< List of files with query data. */ + list_t qfiles; + /*!< List of nameservers to query to. */ + srv_info_t *server; + /*!< Local interface (optional). */ + srv_info_t *srcif; + /*!< Version of ip protocol to use. */ + ip_t ip; + /*!< Type (TCP, UDP) protocol to use. */ + protocol_t protocol; + /*!< Default class number. */ + uint16_t class_num; + /*!< Default type number. */ + uint16_t type_num; + /*!< Default TTL. */ + uint32_t ttl; + /*!< Number of UDP retries. */ + uint32_t retries; + /*!< Wait for network response in seconds (-1 means forever). */ + int32_t wait; + /*!< Current zone. */ + char *zone; + /*!< RR parser. */ + zs_scanner_t parser; + /*!< Current packet. */ + knot_pkt_t *query; + /*!< Current response. */ + knot_pkt_t *answer; + /*< Lists of RRSets. */ + list_t update_list, prereq_list; + /*!< Transaction signature context. */ + knot_tsig_key_t tsig_key; + /*!< Default output settings. */ + style_t style; + /*!< Memory context. */ + knot_mm_t mm; +} knsupdate_params_t; + +int knsupdate_parse(knsupdate_params_t *params, int argc, char *argv[]); +int knsupdate_set_ttl(knsupdate_params_t *params, const uint32_t ttl); +int knsupdate_set_origin(knsupdate_params_t *params, const char *origin); +void knsupdate_clean(knsupdate_params_t *params); +void knsupdate_reset(knsupdate_params_t *params); diff --git a/src/utils/kxdpgun/load_queries.c b/src/utils/kxdpgun/load_queries.c new file mode 100644 index 0000000..9f2851e --- /dev/null +++ b/src/utils/kxdpgun/load_queries.c @@ -0,0 +1,159 @@ +/* Copyright (C) 2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#include <assert.h> +#include <errno.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> + +#include <libknot/descriptor.h> +#include <libknot/dname.h> + +#include "load_queries.h" + +#define ERR_PREFIX "failed loading queries " + +uint16_t global_edns_size = 1232; + +enum qflags { + QFLAG_EDNS = 1, + QFLAG_DO = 2, +}; + +struct pkt_payload *global_payloads = NULL; + +void free_global_payloads() +{ + struct pkt_payload *g_payloads_p = global_payloads, *tmp; + while (g_payloads_p != NULL) { + tmp = g_payloads_p; + g_payloads_p = tmp->next; + free(tmp); + } +} + +bool load_queries(const char *filename) +{ + FILE *f = fopen(filename, "r"); + if (f == NULL) { + printf(ERR_PREFIX "file '%s' (%s)\n", filename, strerror(errno)); + return false; + } + struct pkt_payload *g_payloads_top = NULL; + + struct { + char line[KNOT_DNAME_TXT_MAXLEN + 256]; + char dname_txt[KNOT_DNAME_TXT_MAXLEN + 1]; + uint8_t dname[KNOT_DNAME_MAXLEN]; + char type_txt[128]; + char flags_txt[128]; + } *bufs; + bufs = malloc(sizeof(*bufs)); // avoiding too much stuff on stack + if (bufs == NULL) { + printf(ERR_PREFIX "(out of memory)\n"); + goto fail; + } + + while (fgets(bufs->line, sizeof(bufs->line), f) != NULL) { + bufs->flags_txt[0] = '\0'; + int ret = sscanf(bufs->line, "%s%s%s", bufs->dname_txt, bufs->type_txt, bufs->flags_txt); + if (ret < 2) { + printf(ERR_PREFIX "(faulty line): '%.*s'\n", + (int)strcspn(bufs->line, "\n"), bufs->line); + goto fail; + } + + void *pret = knot_dname_from_str(bufs->dname, bufs->dname_txt, sizeof(bufs->dname)); + if (pret == NULL) { + printf(ERR_PREFIX "(faulty dname): '%s'\n", bufs->dname_txt); + goto fail; + } + + uint16_t type; + ret = knot_rrtype_from_string(bufs->type_txt, &type); + if (ret < 0) { + printf(ERR_PREFIX "(faulty type): '%s'\n", bufs->type_txt); + } + + enum qflags flags = 0; + switch (bufs->flags_txt[0]) { + case '\0': + break; + case 'e': + case 'E': + flags |= QFLAG_EDNS; + break; + case 'd': + case 'D': + flags |= QFLAG_EDNS | QFLAG_DO; + break; + default: + printf(ERR_PREFIX "(faulty flag): '%s'\n", bufs->flags_txt); + goto fail; + } + + size_t dname_len = knot_dname_size(bufs->dname); + size_t pkt_len = 16 + dname_len; + if (flags & QFLAG_EDNS) { + pkt_len += 11; + } + + struct pkt_payload *pkt = calloc(1, sizeof(void *) + sizeof(size_t) + pkt_len); + if (pkt == NULL) { + printf(ERR_PREFIX "(out of memory)\n"); + goto fail; + } + pkt->len = pkt_len; + pkt->payload[2] = 0x01; // QR bit + pkt->payload[5] = 0x01; // 1 question + pkt->payload[11] = (flags & QFLAG_EDNS) ? 0x01 : 0x00; + memcpy(pkt->payload + 12, bufs->dname, dname_len); + pkt->payload[dname_len + 12] = type >> 8; + pkt->payload[dname_len + 13] = type & 0xff; + pkt->payload[dname_len + 15] = 0x01; // class IN + if (flags & QFLAG_EDNS) { + pkt->payload[dname_len + 18] = 41; // OPT RRtype + pkt->payload[dname_len + 19] = global_edns_size >> 8; + pkt->payload[dname_len + 20] = global_edns_size & 0xff; + pkt->payload[dname_len + 23] = (flags & QFLAG_DO) ? 0x80 : 0x00; + } + + // add pkt to list global_payloads + if (g_payloads_top == NULL) { + global_payloads = pkt; + g_payloads_top = pkt; + } else { + g_payloads_top->next = pkt; + g_payloads_top = pkt; + } + } + + if (global_payloads == NULL) { + printf(ERR_PREFIX "(no queries in file)\n"); + goto fail; + } + + free(bufs); + fclose(f); + return true; + +fail: + free_global_payloads(); + free(bufs); + fclose(f); + return false; +} diff --git a/src/utils/kxdpgun/load_queries.h b/src/utils/kxdpgun/load_queries.h new file mode 100644 index 0000000..3e3b31e --- /dev/null +++ b/src/utils/kxdpgun/load_queries.h @@ -0,0 +1,32 @@ +/* Copyright (C) 2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#pragma once + +#include <stdbool.h> +#include <stdint.h> + +struct pkt_payload { + struct pkt_payload *next; + size_t len; + uint8_t payload[]; +}; + +extern struct pkt_payload *global_payloads; + +bool load_queries(const char *filename); + +void free_global_payloads(void); diff --git a/src/utils/kxdpgun/main.c b/src/utils/kxdpgun/main.c new file mode 100644 index 0000000..f3c06dc --- /dev/null +++ b/src/utils/kxdpgun/main.c @@ -0,0 +1,746 @@ +/* Copyright (C) 2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#include <assert.h> +#include <errno.h> +#include <getopt.h> +#include <ifaddrs.h> +#include <poll.h> +#include <pthread.h> +#include <stdbool.h> +#include <stdint.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <time.h> +#include <unistd.h> + +#include <arpa/inet.h> +#include <netinet/in.h> +#include <net/if.h> +#include <sys/ioctl.h> +#include <sys/socket.h> +#include <sys/resource.h> + +#include "libknot/libknot.h" +#include "contrib/openbsd/strlcpy.h" +#include "utils/common/params.h" +#include "utils/kxdpgun/load_queries.h" +#include "utils/kxdpgun/popenve.h" + +#define PROGRAM_NAME "kxdpgun" + +uint16_t TRANSACTION_ID; // random constant to distinguish foreign replies + +volatile bool xdp_trigger = false; + +pthread_mutex_t global_mutex; +uint64_t global_pkts_sent = 0; +uint64_t global_pkts_recv = 0; +uint64_t global_size_recv = 0; +unsigned global_cpu_aff_start = 0; +unsigned global_cpu_aff_step = 1; + +#define LOCAL_PORT_MIN 1024 +#define LOCAL_PORT_MAX 65535 + +#define KNOWN_RCODE_MAX (KNOT_RCODE_NOTZONE + 1) + +typedef struct { + char dev[IFNAMSIZ]; + uint64_t qps, duration; + unsigned at_once; + uint8_t local_mac[6], target_mac[6]; + struct in_addr local_ipv4, target_ipv4; + struct in6_addr local_ipv6, target_ipv6; + uint8_t local_ip_range; + bool ipv6; + uint16_t target_port; + uint32_t listen_port; // KNOT_XDP_LISTEN_PORT_ALL, KNOT_XDP_LISTEN_PORT_DROP + unsigned n_threads, thread_id; + uint64_t rcode_counts[KNOWN_RCODE_MAX]; +} xdp_gun_ctx_t; + +const static xdp_gun_ctx_t ctx_defaults = { + .dev[0] = '\0', + .qps = 1000, + .duration = 5000000UL, // usecs + .at_once = 10, + .target_port = 53, + .listen_port = KNOT_XDP_LISTEN_PORT_ALL, +}; + +inline static void timer_start(struct timespec *timesp) +{ + clock_gettime(CLOCK_MONOTONIC, timesp); +} + +inline static uint64_t timer_end(struct timespec *timesp) +{ + struct timespec end; + clock_gettime(CLOCK_MONOTONIC, &end); + uint64_t res = (end.tv_sec - timesp->tv_sec) * (uint64_t)1000000; + res += ((int64_t)end.tv_nsec - timesp->tv_nsec) / 1000; + return res; +} + +static void set_sockaddr(void *sa_in, struct in_addr *addr, uint16_t port, uint64_t increment) +{ + struct sockaddr_in *saddr = sa_in; + saddr->sin_family = AF_INET; + saddr->sin_port = htobe16(port); + saddr->sin_addr = *addr; + if (increment > 0) { + saddr->sin_addr.s_addr = htobe32(be32toh(addr->s_addr) + increment); + } +} + +static void set_sockaddr6(void *sa_in, struct in6_addr *addr, uint16_t port, uint64_t increment) +{ + struct sockaddr_in6 *saddr = sa_in; + saddr->sin6_family = AF_INET6; + saddr->sin6_port = htobe16(port); + saddr->sin6_addr = *addr; + if (increment > 0) { + saddr->sin6_addr.__in6_u.__u6_addr32[2] = + htobe32(be32toh(addr->__in6_u.__u6_addr32[2]) + (increment >> 32)); + saddr->sin6_addr.__in6_u.__u6_addr32[3] = + htobe32(be32toh(addr->__in6_u.__u6_addr32[3]) + (increment & 0xffffffff)); + } +} + +static void next_payload(struct pkt_payload **payload, int increment) +{ + if (*payload == NULL) { + *payload = global_payloads; + } + for (int i = 0; i < increment; i++) { + if ((*payload)->next == NULL) { + *payload = global_payloads; + } else { + *payload = (*payload)->next; + } + } +} + +static int alloc_pkts(knot_xdp_msg_t *pkts, int npkts, struct knot_xdp_socket *xsk, + xdp_gun_ctx_t *ctx, uint64_t tick, struct pkt_payload **payl) +{ + uint64_t unique = (tick * ctx->n_threads + ctx->thread_id) * ctx->at_once; + + for (int i = 0; i < npkts; i++) { + int ret = knot_xdp_send_alloc(xsk, ctx->ipv6, &pkts[i], NULL); + if (ret != KNOT_EOK) { + return ret; + } + + uint16_t local_port = LOCAL_PORT_MIN + unique % (LOCAL_PORT_MAX + 1 - LOCAL_PORT_MIN); + if (ctx->ipv6) { + uint64_t ip_incr = unique % (1 << (128 - ctx->local_ip_range)); + set_sockaddr6(&pkts[i].ip_from, &ctx->local_ipv6, local_port, ip_incr); + set_sockaddr6(&pkts[i].ip_to, &ctx->target_ipv6, ctx->target_port, 0); + } else { + uint64_t ip_incr = unique % (1 << (32 - ctx->local_ip_range)); + set_sockaddr(&pkts[i].ip_from, &ctx->local_ipv4, local_port, ip_incr); + set_sockaddr(&pkts[i].ip_to, &ctx->target_ipv4, ctx->target_port, 0); + } + + memcpy(pkts[i].eth_from, ctx->local_mac, 6); + memcpy(pkts[i].eth_to, ctx->target_mac, 6); + + memcpy(pkts[i].payload.iov_base, (*payl)->payload, (*payl)->len); + pkts[i].payload.iov_len = (*payl)->len; + + *(uint16_t *)(pkts[i].payload.iov_base + 0) = TRANSACTION_ID; + + unique++; + next_payload(payl, ctx->n_threads); + } + return KNOT_EOK; +} + +void *xdp_gun_thread(void *_ctx) +{ + xdp_gun_ctx_t *ctx = _ctx; + struct knot_xdp_socket *xsk; + struct timespec timer; + knot_xdp_msg_t pkts[ctx->at_once]; + uint64_t tot_sent = 0, tot_recv = 0, tot_size = 0, errors = 0; + uint64_t duration = 0; + + knot_xdp_load_bpf_t mode = (ctx->thread_id == 0 ? + KNOT_XDP_LOAD_BPF_ALWAYS : KNOT_XDP_LOAD_BPF_NEVER); + int ret = knot_xdp_init(&xsk, ctx->dev, ctx->thread_id, ctx->listen_port, mode); + if (ret != KNOT_EOK) { + printf("failed to initialize XDP socket#%u: %s\n", + ctx->thread_id, knot_strerror(ret)); + return NULL; + } + + struct pollfd pfd = { knot_xdp_socket_fd(xsk), POLLIN, 0 }; + + while (!xdp_trigger) { + usleep(1000); + } + + uint64_t tick = 0; + struct pkt_payload *payload_ptr = NULL; + next_payload(&payload_ptr, ctx->thread_id); + + timer_start(&timer); + + while (duration < ctx->duration + 1000000) { + + // sending part + if (duration < ctx->duration) { + while (1) { + knot_xdp_send_prepare(xsk); + ret = alloc_pkts(pkts, ctx->at_once, xsk, ctx, + tick, &payload_ptr); + if (ret != KNOT_EOK) { + errors++; + break; + } + + uint32_t really_sent = 0; + ret = knot_xdp_send(xsk, pkts, ctx->at_once, + &really_sent); + if (ret != KNOT_EOK) { + errors++; + break; + } + assert(really_sent == ctx->at_once); + tot_sent += really_sent; + + ret = knot_xdp_send_finish(xsk); + if (ret != KNOT_EOK) { + errors++; + break; + } + + break; + } + } + + // receiving part + if (ctx->listen_port == KNOT_XDP_LISTEN_PORT_ALL) { + while (1) { + ret = poll(&pfd, 1, 0); + if (ret < 0) { + errors++; + break; + } + if (!pfd.revents) { + break; + } + + uint32_t recvd = 0; + ret = knot_xdp_recv(xsk, pkts, ctx->at_once, &recvd); + if (ret != KNOT_EOK) { + errors++; + break; + } + for (int i = 0; i < recvd; i++) { + if (pkts[i].payload.iov_len < KNOT_WIRE_HEADER_SIZE || + *(uint16_t *)(pkts[i].payload.iov_base + 0) != TRANSACTION_ID) { + continue; + } + ctx->rcode_counts[((uint8_t *)pkts[i].payload.iov_base)[3] & 0xf]++; + tot_size += pkts[i].payload.iov_len; + tot_recv++; + } + knot_xdp_recv_finish(xsk, pkts, recvd); + pfd.revents = 0; + } + } + + // speed part + uint64_t dura_exp = (tot_sent * 1000000) / ctx->qps; + duration = timer_end(&timer); + if (dura_exp > duration) { + usleep(dura_exp - duration); + } + if (duration > ctx->duration) { + usleep(1000); + } + tick++; + } + + knot_xdp_deinit(xsk); + + printf("thread#%02u: sent %lu, received %lu, errors %lu\n", + ctx->thread_id, tot_sent, tot_recv, errors); + pthread_mutex_lock(&global_mutex); + global_pkts_sent += tot_sent; + global_pkts_recv += tot_recv; + global_size_recv += tot_size; + pthread_mutex_unlock(&global_mutex); + + return NULL; +} + +static int dev2mac(const char *dev, uint8_t *mac) +{ + struct ifreq ifr; + memset(&ifr, 0, sizeof(ifr)); + int fd = socket(AF_INET, SOCK_DGRAM, 0); + if (fd < 0) { + return -errno; + } + strlcpy(ifr.ifr_name, dev, IFNAMSIZ); + + int ret = ioctl(fd, SIOCGIFHWADDR, &ifr); + if (ret >= 0) { + memcpy(mac, ifr.ifr_hwaddr.sa_data, 6); + } else { + ret = -errno; + } + close(fd); + return ret; +} + +static int send_pkt_to(void *ip, bool ipv6) +{ + int fd = socket(ipv6 ? AF_INET6 : AF_INET, SOCK_RAW, ipv6 ? IPPROTO_ICMPV6 : IPPROTO_ICMP); + if (fd < 0) { + return -errno; + } + + struct sockaddr_in6 s = { 0 }; + struct sockaddr_in *sin = (struct sockaddr_in *)&s; + struct sockaddr_in6 *sin6 = &s; + if (ipv6) { + sin6->sin6_family = AF_INET6; + memcpy(&sin6->sin6_addr, ip, sizeof(struct in6_addr)); + } else { + sin->sin_family = AF_INET; + memcpy(&sin->sin_addr, ip, sizeof(struct in_addr)); + } + + static const uint8_t dummy_pkt[] = { + 0x08, 0x00, 0xec, 0x72, 0x0b, 0x87, 0x00, 0x06, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // padding + }; + static const size_t dummy_pkt_size = sizeof(dummy_pkt); + + int ret = sendto(fd, dummy_pkt, dummy_pkt_size, 0, &s, ipv6 ? sizeof(struct sockaddr_in6) : sizeof(struct sockaddr_in)); + if (ret < 0) { + ret = -errno; + } + close(fd); + return ret; +} + +static bool str2mac(const char *str, uint8_t mac[]) +{ + unsigned mac_int[6] = { 0 }; + + int ret = sscanf(str, "%x:%x:%x:%x:%x:%x", &mac_int[0], &mac_int[1], + &mac_int[2], &mac_int[3], &mac_int[4], &mac_int[5]); + if (ret != 6) { + return false; + } + for (int i = 0; i < 6; i++) { + if (mac_int[i] > 0xff) { + return false; + } + mac[i] = mac_int[i]; + } + return true; +} + +static FILE *popen_ip(char *arg1, char *arg2, char *arg3) +{ + char *args[5] = { "ip", arg1, arg2, arg3, NULL }; + char *env[] = { NULL }; + return kpopenve("/sbin/ip", args, env, true); +} + +static int ip_route_get(const char *ip_str, const char *what, char **res) +{ + errno = 0; + FILE *p = popen_ip("route", "get", (char *)ip_str); // hope ip_str gets not broken + if (p == NULL) { + return (errno != 0) ? knot_map_errno() : KNOT_ENOMEM; + } + + char buf[256] = { 0 }; + bool hit = false; + while (fscanf(p, "%255s", buf) == 1) { + if (hit) { + *res = strdup(buf); + fclose(p); + return *res == NULL ? KNOT_ENOMEM : KNOT_EOK; + } + if (strcmp(buf, what) == 0) { + hit = true; + } + } + fclose(p); + return KNOT_ENOENT; +} + +static int remoteIP2MAC(const char *ip_str, bool ipv6, char devname[], uint8_t remote_mac[]) +{ + errno = 0; + FILE *p = popen_ip(ipv6 ? "-6" : "-4", "neigh", NULL); + if (p == NULL) { + return (errno != 0) ? knot_map_errno() : KNOT_ENOMEM; + } + + char line_buf[1024] = { 0 }; + int ret = KNOT_ENOENT; + while (fgets(line_buf, sizeof(line_buf) - 1, p) != NULL && ret == KNOT_ENOENT) { + char fields[5][strlen(line_buf) + 1]; + if (sscanf(line_buf, "%s%s%s%s%s", fields[0], fields[1], fields[2], fields[3], fields[4]) != 5) { + continue; + } + if (strcmp(fields[0], ip_str) != 0) { + continue; + } + if (!str2mac(fields[4], remote_mac)) { + ret = KNOT_EMALF; + } else { + strlcpy(devname, fields[2], IFNAMSIZ); + ret = KNOT_EOK; + } + } + fclose(p); + return ret; +} + +static int distantIP2MAC(const char *ip_str, bool ipv6, char devname[], uint8_t remote_mac[]) +{ + char *via = NULL; + int ret = ip_route_get(ip_str, "via", &via); + switch (ret) { + case KNOT_ENOENT: // same subnet, no via + return remoteIP2MAC(ip_str, ipv6, devname, remote_mac); + case KNOT_EOK: + assert(via); + ret = remoteIP2MAC(via, ipv6, devname, remote_mac); + free(via); + return ret; + default: + return ret; + } +} + +static int remoteIP2local(const char *ip_str, bool ipv6, char devname[], void *local) +{ + char *dev = NULL, *loc = NULL; + int ret = ip_route_get(ip_str, "dev", &dev); + if (ret != KNOT_EOK) { + return ret; + } + strlcpy(devname, dev, IFNAMSIZ); + free(dev); + + ret = ip_route_get(ip_str, "src", &loc); + if (ret != KNOT_EOK) { + return ret; + } + ret = (inet_pton(ipv6 ? AF_INET6 : AF_INET, loc, local) <= 0 ? KNOT_EMALF : KNOT_EOK); + free(loc); + + return ret; +} + +static bool configure_target(char *target_str, char *local_ip, xdp_gun_ctx_t *ctx) +{ + int val; + char *at = strrchr(target_str, '@'); + if (at != NULL && (val = atoi(at + 1)) > 0 && val <= 0xffff) { + ctx->target_port = val; + *at = '\0'; + } + + ctx->ipv6 = false; + if (!inet_aton(target_str, &ctx->target_ipv4)) { + ctx->ipv6 = true; + if (inet_pton(AF_INET6, target_str, &ctx->target_ipv6) <= 0) { + printf("invalid target IP\n"); + return false; + } + } + + int ret = ctx->ipv6 ? send_pkt_to(&ctx->target_ipv6, true) : + send_pkt_to(&ctx->target_ipv4, false); + if (ret < 0) { + printf("can't send dummy packet to `%s`: %s\n", + target_str, strerror(-ret)); + return false; + } + usleep(10000); + + char dev1[IFNAMSIZ], dev2[IFNAMSIZ]; + ret = distantIP2MAC(target_str, ctx->ipv6, dev1, ctx->target_mac); + if (ret != KNOT_EOK) { + printf("can't get remote MAC of `%s`: %s\n", + target_str, knot_strerror(ret)); + return false; + } + ctx->local_ip_range = ctx->ipv6 ? 128 : 32; // by default use one IP + if (local_ip != NULL) { + at = strrchr(local_ip, '/'); + if (at != NULL && (val = atoi(at + 1)) > 0 && val <= ctx->local_ip_range) { + ctx->local_ip_range = val; + *at = '\0'; + } + if (ctx->ipv6) { + if (ctx->local_ip_range < 64 || + inet_pton(AF_INET6, local_ip, &ctx->local_ipv6) <= 0) { + printf("invalid local IPv6 or unsupported prefix length\n"); + return false; + } + } else { + if (inet_pton(AF_INET, local_ip, &ctx->local_ipv4) <= 0) { + printf("invalid local IPv4\n"); + return false; + } + } + } else { + ret = remoteIP2local(target_str, ctx->ipv6, dev2, ctx->ipv6 ? (void *)&ctx->local_ipv6 : + (void *)&ctx->local_ipv4); + if (ret != KNOT_EOK) { + printf("can't get local IP reachig remote `%s`: %s\n", + target_str, knot_strerror(ret)); + return false; + } + if (strncmp(dev1, dev2, IFNAMSIZ) != 0) { + printf("device names coming from `ip` and `arp` differ (%s != %s)\n", + dev1, dev2); + return false; + } + } + + if (ctx->dev[0] == '\0') { + strlcpy(ctx->dev, dev1, IFNAMSIZ); + } + ret = dev2mac(ctx->dev, ctx->local_mac); + if (ret < 0) { + printf("failed to get MAC of device `%s`: %s\n", ctx->dev, strerror(-ret)); + return false; + } + + ret = knot_eth_queues(ctx->dev); + if (ret >= 0) { + ctx->n_threads = ret; + } else { + printf("unable to get number of queues for %s: %s\n", ctx->dev, + knot_strerror(ret)); + return false; + } + + return true; +} + +static void print_help(void) { + printf("Usage: %s [-t duration] [-Q qps] [-b batch_size] [-r] [-p port] " + "[-F cpu_affinity] [-I interface] [-l local_ip] -i queries_file dest_ip\n", + PROGRAM_NAME); +} + +static bool get_opts(int argc, char *argv[], xdp_gun_ctx_t *ctx) +{ + struct option opts[] = { + { "help", no_argument, NULL, 'h' }, + { "version", no_argument, NULL, 'V' }, + { "duration", required_argument, NULL, 't' }, + { "qps", required_argument, NULL, 'Q' }, + { "batch", required_argument, NULL, 'b' }, + { "drop", no_argument, NULL, 'r' }, + { "port", required_argument, NULL, 'p' }, + { "affinity", required_argument, NULL, 'F' }, + { "interface", required_argument, NULL, 'I' }, + { "local", required_argument, NULL, 'l' }, + { "infile", required_argument, NULL, 'i' }, + { NULL } + }; + + int opt = 0, arg; + double argf; + char *argcp, *local_ip = NULL; + while ((opt = getopt_long(argc, argv, "hVt:Q:b:rp:F:I:l:i:", opts, NULL)) != -1) { + switch (opt) { + case 'h': + print_help(); + exit(EXIT_SUCCESS); + break; + case 'V': + print_version(PROGRAM_NAME); + exit(EXIT_SUCCESS); + break; + case 't': + argf = atof(optarg); + if (argf > 0) { + ctx->duration = argf * 1000000.0; + assert(ctx->duration >= 1000); + } else { + return false; + } + break; + case 'Q': + arg = atoi(optarg); + if (arg > 0) { + ctx->qps = arg; + } else { + return false; + } + break; + case 'b': + arg = atoi(optarg); + if (arg > 0) { + ctx->at_once = arg; + } else { + return false; + } + break; + case 'r': + ctx->listen_port = KNOT_XDP_LISTEN_PORT_DROP; + break; + case 'p': + arg = atoi(optarg); + if (arg > 0 && arg <= 0xffff) { + ctx->target_port = arg; + } else { + return false; + } + break; + case 'F': + if ((arg = atoi(optarg)) > 0) { + global_cpu_aff_start = arg; + } + argcp = strchr(optarg, 's'); + if (argcp != NULL && (arg = atoi(argcp + 1)) > 0) { + global_cpu_aff_step = arg; + } + break; + case 'I': + strlcpy(ctx->dev, optarg, IFNAMSIZ); + break; + case 'l': + local_ip = optarg; + break; + case 'i': + if (!load_queries(optarg)) { + return false; + } + break; + default: + return false; + } + } + if (global_payloads == NULL || argc - optind != 1 || + !configure_target(argv[optind], local_ip, ctx)) { + return false; + } + + if (ctx->qps < ctx->n_threads) { + printf("QPS must be at least the number of threads (%u)\n", ctx->n_threads); + return false; + } + ctx->qps /= ctx->n_threads; + printf("using interface %s, XDP threads %d\n", ctx->dev, ctx->n_threads); + + return true; +} + +int main(int argc, char *argv[]) +{ + xdp_gun_ctx_t ctx = ctx_defaults, *thread_ctxs = NULL; + pthread_t *threads = NULL; + + if (!get_opts(argc, argv, &ctx)) { + print_help(); + free_global_payloads(); + return EXIT_FAILURE; + } + + TRANSACTION_ID = time(NULL) % UINT16_MAX; + + thread_ctxs = calloc(ctx.n_threads, sizeof(*thread_ctxs)); + threads = calloc(ctx.n_threads, sizeof(*threads)); + if (thread_ctxs == NULL || threads == NULL) { + printf("out of memory\n"); + free(thread_ctxs); + free(threads); + free_global_payloads(); + return EXIT_FAILURE; + } + for (int i = 0; i < ctx.n_threads; i++) { + thread_ctxs[i] = ctx; + thread_ctxs[i].thread_id = i; + } + + struct rlimit no_limit = { RLIM_INFINITY, RLIM_INFINITY }; + int ret = setrlimit(RLIMIT_MEMLOCK, &no_limit); + if (ret != 0) { + printf("unable to unset memory lock limit: %s\n", strerror(errno)); + free(thread_ctxs); + free(threads); + free_global_payloads(); + return EXIT_FAILURE; + } + pthread_mutex_init(&global_mutex, NULL); + + for (size_t i = 0; i < ctx.n_threads; i++) { + unsigned affinity = global_cpu_aff_start + i * global_cpu_aff_step; + cpu_set_t set; + CPU_ZERO(&set); + CPU_SET(affinity, &set); + (void)pthread_create(&threads[i], NULL, xdp_gun_thread, &thread_ctxs[i]); + ret = pthread_setaffinity_np(threads[i], sizeof(cpu_set_t), &set); + if (ret != 0) { + printf("failed to set affinity of thread#%zu to CPU#%u\n", i, affinity); + } + usleep(20000); + } + usleep(1000000); + + xdp_trigger = true; + usleep(1000000); + xdp_trigger = false; + + for (size_t i = 0; i < ctx.n_threads; i++) { + pthread_join(threads[i], NULL); + } + pthread_mutex_destroy(&global_mutex); + printf("total queries: %lu (%lu pps)\n", global_pkts_sent, global_pkts_sent * 1000 / (ctx.duration / 1000)); + if (global_pkts_sent > 0 && ctx.listen_port != KNOT_XDP_LISTEN_PORT_DROP) { + printf("total replies: %lu (%lu pps) (%lu%%)\n", global_pkts_recv, + global_pkts_recv * 1000 / (ctx.duration / 1000), global_pkts_recv * 100 / global_pkts_sent); + printf("average DNS reply size: %lu B\n", global_pkts_recv > 0 ? global_size_recv / global_pkts_recv : 0); + size_t bytes_recv = global_size_recv + (ctx.ipv6 ? KNOT_XDP_PAYLOAD_OFFSET6 : KNOT_XDP_PAYLOAD_OFFSET4) * global_pkts_recv; + printf("average Ethernet reply rate: %lu bps\n", bytes_recv * 8 * 1000 / (ctx.duration / 1000)); + for (int i = 0; i < KNOWN_RCODE_MAX; i++) { + uint64_t rcode_count = 0; + for (size_t j = 0; j < ctx.n_threads; j++) { + rcode_count += thread_ctxs[j].rcode_counts[i]; + } + if (rcode_count > 0) { + const knot_lookup_t *rcode = knot_lookup_by_id(knot_rcode_names, i); + const char *rcname = rcode == NULL ? "unknown" : rcode->name; + printf("responded %s: %lu\n", rcname, rcode_count); + } + } + } + + free(thread_ctxs); + free(threads); + free_global_payloads(); + return EXIT_SUCCESS; +} diff --git a/src/utils/kxdpgun/popenve.c b/src/utils/kxdpgun/popenve.c new file mode 100644 index 0000000..116a2c2 --- /dev/null +++ b/src/utils/kxdpgun/popenve.c @@ -0,0 +1,101 @@ +/* Copyright (C) 2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#include <errno.h> +#include <fcntl.h> +#include <stdlib.h> +#include <unistd.h> + +#include "utils/kxdpgun/popenve.h" + +#ifdef ENABLE_CAP_NG +#include <cap-ng.h> + +static void drop_capabilities(void) +{ + /* Drop all capabilities. */ + if (capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP)) { + capng_clear(CAPNG_SELECT_BOTH); + capng_apply(CAPNG_SELECT_BOTH); + } +} +#else /* ENABLE_CAP_NG */ +static void drop_capabilities(void) { } +#endif + +int kpopenvef(const char *binfile, char *const args[], char *const env[], bool drop_cap) +{ + int pipefds[2]; + if (pipe(pipefds) < 0) { + return -errno; + } + if (fcntl(pipefds[0], F_SETFD, FD_CLOEXEC) < 0) { + int fcntlerrno = errno; + close(pipefds[0]); + close(pipefds[1]); + return -fcntlerrno; + } + + pid_t forkpid = fork(); + if (forkpid < 0) { + int forkerrno = errno; + close(pipefds[0]); + close(pipefds[1]); + return -forkerrno; + } + + if (forkpid == 0) { +dup_stdout: + if (dup2(pipefds[1], STDOUT_FILENO) < 0) { + if (errno == EINTR) { + goto dup_stdout; + } + perror("dup_stdout"); + close(pipefds[0]); + close(pipefds[1]); + exit(EXIT_FAILURE); + } + close(pipefds[1]); + + if (drop_cap) { + drop_capabilities(); + } + + execve(binfile, args, env); + perror("execve"); + exit(EXIT_FAILURE); + } + + close(pipefds[1]); + return pipefds[0]; +} + +FILE *kpopenve(const char *binfile, char *const args[], char *const env[], bool drop_cap) +{ + int p = kpopenvef(binfile, args, env, drop_cap); + if (p < 0) { + errno = -p; + return NULL; + } + + FILE *res = fdopen(p, "r"); + if (res == NULL) { + int fdoerrno = errno; + close(p); + errno = fdoerrno; + } + return res; +} diff --git a/src/utils/kxdpgun/popenve.h b/src/utils/kxdpgun/popenve.h new file mode 100644 index 0000000..feb8414 --- /dev/null +++ b/src/utils/kxdpgun/popenve.h @@ -0,0 +1,55 @@ +/* Copyright (C) 2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#pragma once + +#include <stdbool.h> +#include <stdio.h> + +/*! + * \brief Hybrid of popen() and execve() returning a file descriptor + * + * This function is a safer altervative to popen(), it is the same to + * popen() as execve() is to system(). + * + * Warning: this function is designed to be as simple as possible, + * for reliable operation proper checking for transient + * error is needed. + * + * \param binfile Executable file to be executed. + * \param args NULL-terminated arguments; first shall be the prog name! + * \param env NULL-terminated environment variables "key=value" + * \param drop_cap Drop capabilities for the subprocess. + * + * \retval < 0 Error occured, set to -errno. + * \return > 0 File descriptor of the pipe reading end. + */ +int kpopenvef(const char *binfile, char *const args[], char *const env[], bool drop_cap); + +/*! + * \brief Variant of kpopenvef() returning FILE* + * + * Warning: the same warning as for kpopenvef() applies here too. + * + * \param binfile Executable file to be executed. + * \param args NULL-terminated arguments; first shall be the prog name! + * \param env NULL-terminated environment variables "key=value" + * \param drop_cap Drop capabilities for the subprocess. + * + * \retval NULL Error occured, see errno. + * \return Pointer to open file descriptor. + */ +FILE *kpopenve(const char *binfile, char *const args[], char *const env[], bool drop_cap); diff --git a/src/utils/kzonecheck/main.c b/src/utils/kzonecheck/main.c new file mode 100644 index 0000000..1506aef --- /dev/null +++ b/src/utils/kzonecheck/main.c @@ -0,0 +1,174 @@ +/* Copyright (C) 2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#include <getopt.h> +#include <libgen.h> +#include <stdio.h> + +#include "contrib/time.h" +#include "contrib/tolower.h" +#include "libknot/libknot.h" +#include "knot/common/log.h" +#include "knot/zone/semantic-check.h" +#include "utils/common/params.h" +#include "utils/kzonecheck/zone_check.h" + +#define PROGRAM_NAME "kzonecheck" + +static void print_help(void) +{ + printf("Usage: %s [parameters] <filename>\n" + "\n" + "Parameters:\n" + " -o, --origin <zone_origin> Zone name.\n" + " (default filename without .zone)\n" + " -d, --dnssec <on|off> Also check DNSSEC-related records.\n" + " -t, --time <timestamp> Current time specification.\n" + " (default current UNIX time)\n" + " -v, --verbose Enable debug output.\n" + " -h, --help Print the program help.\n" + " -V, --version Print the program version.\n" + "\n", + PROGRAM_NAME); +} + +static bool str2bool(const char *s) +{ + switch (knot_tolower(s[0])) { + case '1': + case 'y': + case 't': + return true; + case 'o': + return knot_tolower(s[1]) == 'n'; + default: + return false; + } +} + +int main(int argc, char *argv[]) +{ + const char *origin = NULL; + bool verbose = false; + semcheck_optional_t optional = SEMCHECK_AUTO_DNSSEC; // default value for --dnssec + knot_time_t check_time = (knot_time_t)time(NULL); + + /* Long options. */ + struct option opts[] = { + { "origin", required_argument, NULL, 'o' }, + { "time", required_argument, NULL, 't' }, + { "dnssec", required_argument, NULL, 'd' }, + { "verbose", no_argument, NULL, 'v' }, + { "help", no_argument, NULL, 'h' }, + { "version", no_argument, NULL, 'V' }, + { NULL } + }; + + /* Set the time zone. */ + tzset(); + + /* Parse command line arguments */ + int opt = 0; + while ((opt = getopt_long(argc, argv, "o:t:d:vVh", opts, NULL)) != -1) { + switch (opt) { + case 'o': + origin = optarg; + break; + case 'v': + verbose = true; + break; + case 'h': + print_help(); + return EXIT_SUCCESS; + case 'V': + print_version(PROGRAM_NAME); + return EXIT_SUCCESS; + case 'd': + optional = str2bool(optarg) ? SEMCHECK_DNSSEC : SEMCHECK_NO_DNSSEC; + break; + case 't': + if (knot_time_parse("YMDhms|#|+-#U|+-#", + optarg, &check_time) != KNOT_EOK) { + fprintf(stderr, "Unknown time format\n"); + return EXIT_FAILURE; + } + break; + default: + print_help(); + return EXIT_FAILURE; + } + } + + /* Check if there's at least one remaining non-option. */ + if (optind >= argc) { + fprintf(stderr, "Expected zone file name\n"); + print_help(); + return EXIT_FAILURE; + } + + char *filename = argv[optind]; + + char *zonename; + if (origin == NULL) { + /* Get zone name from file name. */ + const char *ext = ".zone"; + zonename = basename(filename); + if (strcmp(zonename + strlen(zonename) - strlen(ext), ext) == 0) { + zonename = strndup(zonename, strlen(zonename) - strlen(ext)); + } else { + zonename = strdup(zonename); + } + } else { + zonename = strdup(origin); + } + + log_init(); + log_levels_set(LOG_TARGET_STDOUT, LOG_SOURCE_ANY, 0); + log_levels_set(LOG_TARGET_STDERR, LOG_SOURCE_ANY, 0); + log_levels_set(LOG_TARGET_SYSLOG, LOG_SOURCE_ANY, 0); + log_flag_set(LOG_FLAG_NOTIMESTAMP | LOG_FLAG_NOINFO); + if (verbose) { + log_levels_add(LOG_TARGET_STDOUT, LOG_SOURCE_ANY, LOG_UPTO(LOG_DEBUG)); + } + + knot_dname_t *dname = knot_dname_from_str_alloc(zonename); + knot_dname_to_lower(dname); + free(zonename); + int ret = zone_check(filename, dname, stdout, optional, (time_t)check_time); + knot_dname_free(dname, NULL); + + log_close(); + + switch (ret) { + case KNOT_EOK: + if (verbose) { + fprintf(stdout, "No semantic error found\n"); + } + return EXIT_SUCCESS; + case KNOT_EZONEINVAL: + fprintf(stdout, "Serious semantic error detected\n"); + // FALLTHROUGH + case KNOT_ESEMCHECK: + return EXIT_FAILURE; + case KNOT_EACCES: + case KNOT_EFILE: + fprintf(stderr, "Failed to load the zone file\n"); + return EXIT_FAILURE; + default: + fprintf(stderr, "Failed to run semantic checks (%s)\n", knot_strerror(ret)); + return EXIT_FAILURE; + } +} diff --git a/src/utils/kzonecheck/zone_check.c b/src/utils/kzonecheck/zone_check.c new file mode 100644 index 0000000..f45be89 --- /dev/null +++ b/src/utils/kzonecheck/zone_check.c @@ -0,0 +1,94 @@ +/* Copyright (C) 2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#include <stdio.h> +#include <assert.h> + +#include "knot/zone/contents.h" +#include "knot/zone/zonefile.h" +#include "utils/kzonecheck/zone_check.h" + +typedef struct { + sem_handler_t handler; + FILE *outfile; + unsigned errors[SEM_ERR_UNKNOWN + 1]; /*!< Counting errors by type. */ + unsigned error_count; /*!< Total error count. */ +} err_handler_stats_t; + +static void err_callback(sem_handler_t *handler, const zone_contents_t *zone, + const zone_node_t *node, sem_error_t error, const char *data) +{ + assert(handler != NULL); + assert(zone != NULL); + err_handler_stats_t *stats = (err_handler_stats_t *)handler; + + knot_dname_txt_storage_t buff; + char *owner = knot_dname_to_str(buff, (node != NULL ? node->owner : zone->apex->owner), + sizeof(buff)); + if (owner == NULL) { + owner = ""; + } + + fprintf(stats->outfile, "[%s] %s%s%s\n", + owner, sem_error_msg(error), + (data != NULL ? " " : ""), + (data != NULL ? data : "")); + + stats->errors[error]++; + stats->error_count++; +} + +static void print_statistics(err_handler_stats_t *stats) +{ + fprintf(stats->outfile, "\nError summary:\n"); + for (sem_error_t i = 0; i <= SEM_ERR_UNKNOWN; ++i) { + if (stats->errors[i] > 0) { + fprintf(stats->outfile, "%4u\t%s\n", stats->errors[i], + sem_error_msg(i)); + } + } +} + +int zone_check(const char *zone_file, const knot_dname_t *zone_name, + FILE *outfile, semcheck_optional_t optional, time_t time) +{ + err_handler_stats_t stats = { + .handler = { .cb = err_callback }, + .outfile = outfile + }; + + zloader_t zl; + int ret = zonefile_open(&zl, zone_file, zone_name, optional, time); + if (ret != KNOT_EOK) { + return ret; + } + zl.err_handler = (sem_handler_t *)&stats; + zl.creator->master = true; + + zone_contents_t *contents = zonefile_load(&zl); + zonefile_close(&zl); + if (contents == NULL && !stats.handler.error) { + return KNOT_ERROR; + } + zone_contents_deep_free(contents); + + if (stats.error_count > 0) { + print_statistics(&stats); + return stats.handler.error ? KNOT_EZONEINVAL : KNOT_ESEMCHECK; + } else { + return KNOT_EOK; + } +} diff --git a/src/utils/kzonecheck/zone_check.h b/src/utils/kzonecheck/zone_check.h new file mode 100644 index 0000000..9e38115 --- /dev/null +++ b/src/utils/kzonecheck/zone_check.h @@ -0,0 +1,23 @@ +/* Copyright (C) 2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#pragma once + +#include "knot/zone/semantic-check.h" +#include "libknot/libknot.h" + +int zone_check(const char *zone_file, const knot_dname_t *zone_name, + FILE *outfile, semcheck_optional_t optional, time_t time); diff --git a/src/utils/kzonesign/main.c b/src/utils/kzonesign/main.c new file mode 100644 index 0000000..2264aee --- /dev/null +++ b/src/utils/kzonesign/main.c @@ -0,0 +1,224 @@ +/* Copyright (C) 2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#include <getopt.h> +#include <stdlib.h> + +#include "knot/conf/conf.h" +#include "knot/updates/zone-update.h" +#include "knot/zone/zone-load.h" +#include "knot/zone/zonefile.h" +#include "utils/common/params.h" + +#define PROGRAM_NAME "kzonesign" + +static const char *global_outdir = NULL; + +// copy-pasted from keymgr +static bool init_conf(const char *confdb) +{ + size_t max_conf_size = (size_t)CONF_MAPSIZE * 1024 * 1024; + + conf_flag_t flags = CONF_FNOHOSTNAME | CONF_FOPTMODULES; + if (confdb != NULL) { + flags |= CONF_FREADONLY; + } + + conf_t *new_conf = NULL; + int ret = conf_new(&new_conf, conf_schema, confdb, max_conf_size, flags); + if (ret != KNOT_EOK) { + printf("Failed opening configuration database %s (%s)\n", + (confdb == NULL ? "" : confdb), knot_strerror(ret)); + return false; + } + conf_update(new_conf, CONF_UPD_FNONE); + return true; +} + +static void print_help(void) +{ + printf("Usage: %s [parameters] -c <conf_file> <zone_name>\n" + "\n" + "Parameters:\n" + " -o, --outdir <dir_name> Output directory.\n" + " -r, --rollover Allow key rollovers and NSEC3 re-salt.\n" + " -t, --time <timestamp> Current time specification.\n" + " (default current UNIX time)\n" + " -h, --help Print the program help.\n" + " -V, --version Print the program version.\n" + "\n", + PROGRAM_NAME); +} + +int main(int argc, char *argv[]) +{ + const char *confile = NULL, *zone_str = NULL; + knot_dname_t *zone_name = NULL; + zone_contents_t *unsigned_conts = NULL; + zone_t *zone_struct = NULL; + zone_update_t up = { 0 }; + knot_lmdb_db_t kasp_db = { 0 }; + zone_sign_roll_flags_t rollover = 0; + int64_t timestamp = 0; + zone_sign_reschedule_t next_sign = { 0 }; + + struct option opts[] = { + { "config", required_argument, NULL, 'c' }, + { "outdir", required_argument, NULL, 'o' }, + { "rollover", no_argument, NULL, 'r' }, + { "time", required_argument, NULL, 't' }, + { "help", no_argument, NULL, 'h' }, + { "version", no_argument, NULL, 'V' }, + { NULL } + }; + + tzset(); + + int opt; + while ((opt = getopt_long(argc, argv, "c:o:rt:hV", opts, NULL)) != -1) { + switch (opt) { + case 'c': + confile = optarg; + break; + case 'o': + global_outdir = optarg; + break; + case 'r': + rollover = KEY_ROLL_ALLOW_ALL; + break; + case 't': + timestamp = atol(optarg); + if (timestamp <= 0) { + print_help(); + return EXIT_FAILURE; + } + break; + case 'h': + print_help(); + return EXIT_SUCCESS; + case 'V': + print_version(PROGRAM_NAME); + return EXIT_SUCCESS; + default: + print_help(); + return EXIT_FAILURE; + } + } + if (confile == NULL || argc - optind != 1) { + print_help(); + return EXIT_FAILURE; + } + + zone_str = argv[optind]; + zone_name = knot_dname_from_str_alloc(zone_str); + if (zone_name == NULL) { + printf("Invalid zone name '%s'\n", zone_str); + return EXIT_FAILURE; + } + + if (!init_conf(NULL)) { + free(zone_name); + return EXIT_FAILURE; + } + + int ret = conf_import(conf(), confile, true, false); + if (ret != KNOT_EOK) { + printf("Failed opening configuration file '%s' (%s)\n", + confile, knot_strerror(ret)); + goto fail; + } + + conf_val_t val = conf_zone_get(conf(), C_DOMAIN, zone_name); + if (val.code != KNOT_EOK) { + printf("Zone '%s' not configured\n", zone_str); + ret = val.code; + goto fail; + } + val = conf_zone_get(conf(), C_DNSSEC_POLICY, zone_name); + if (val.code != KNOT_EOK) { + printf("Waring: DNSSEC policy not configured for zone '%s', taking defaults\n", zone_str); + } + + zone_struct = zone_new(zone_name); + if (zone_struct == NULL) { + printf("out of memory\n"); + ret = KNOT_ENOMEM; + goto fail; + } + + ret = zone_load_contents(conf(), zone_name, &unsigned_conts, false); + if (ret != KNOT_EOK) { + printf("Failed to load zone contents (%s)\n", knot_strerror(ret)); + goto fail; + } + + ret = zone_update_from_contents(&up, zone_struct, unsigned_conts, UPDATE_FULL); + if (ret != KNOT_EOK) { + printf("Failed to initialize zone update (%s)\n", knot_strerror(ret)); + zone_contents_deep_free(unsigned_conts); + goto fail; + } + + kasp_db_ensure_init(&kasp_db, conf()); + zone_struct->kaspdb = &kasp_db; + + ret = knot_dnssec_zone_sign(&up, 0, rollover, timestamp, &next_sign); + if (ret == KNOT_DNSSEC_ENOKEY) { // exception: allow generating initial keys + rollover = KEY_ROLL_ALLOW_ALL; + ret = knot_dnssec_zone_sign(&up, 0, rollover, timestamp, &next_sign); + } + if (ret != KNOT_EOK) { + printf("Failed to sign the zone (%s)\n", knot_strerror(ret)); + zone_update_clear(&up); + goto fail; + } + + if (global_outdir == NULL) { + char *zonefile = conf_zonefile(conf(), zone_name); + ret = zonefile_write(zonefile, up.new_cont); + free(zonefile); + } else { + zone_contents_t *temp = zone_struct->contents; + zone_struct->contents = up.new_cont; + ret = zone_dump_to_dir(conf(), zone_struct, global_outdir); + zone_struct->contents = temp; + } + zone_update_clear(&up); + if (ret != KNOT_EOK) { + printf("Failed to flush signed zone file (%s)\n", knot_strerror(ret)); + goto fail; + } + + printf("Next signing: %"KNOT_TIME_PRINTF"\n", next_sign.next_sign); + if (rollover) { + printf("Next roll-over: %"KNOT_TIME_PRINTF"\n", next_sign.next_rollover); + if (next_sign.next_nsec3resalt) { + printf("Next NSEC3 re-salt: %"KNOT_TIME_PRINTF"\n", next_sign.next_nsec3resalt); + } + if (next_sign.plan_ds_check) { + printf("KSK submittion to parent zone needed\n"); + } + } + +fail: + if (kasp_db.path != NULL) { + knot_lmdb_deinit(&kasp_db); + } + zone_free(&zone_struct); + conf_free(conf()); + free(zone_name); + return ret == KNOT_EOK ? EXIT_SUCCESS : EXIT_FAILURE; +} |