From f11ce44818f0f9c10088b64cacba5b3921a13faf Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Mon, 4 Nov 2019 16:26:39 +0100 Subject: [PATCH] Make kasp opaque --- bin/dnssec/dnssec-keygen.c | 4 +- lib/dns/include/dns/kasp.h | 150 +++++++++++++++++++++++++++++++++++- lib/dns/kasp.c | 109 +++++++++++++++++++++++++- lib/dns/keymgr.c | 2 +- lib/dns/win32/libdns.def.in | 14 ++++ lib/dns/zone.c | 2 +- lib/isccfg/kaspconf.c | 56 +++++++------- 7 files changed, 298 insertions(+), 39 deletions(-) diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c index f0600232ef..40cffe2168 100644 --- a/bin/dnssec/dnssec-keygen.c +++ b/bin/dnssec/dnssec-keygen.c @@ -1187,7 +1187,7 @@ main(int argc, char **argv) { fatal("failed to load dnssec-policy '%s'", ctx.policy); } - if (ISC_LIST_EMPTY(kasp->keys)) { + if (ISC_LIST_EMPTY(dns_kasp_keys(kasp))) { fatal("dnssec-policy '%s' has no keys " "configured", ctx.policy); } @@ -1195,7 +1195,7 @@ main(int argc, char **argv) { ctx.ttl = dns_kasp_dnskeyttl(kasp); ctx.setttl = true; - kaspkey = ISC_LIST_HEAD(kasp->keys); + kaspkey = ISC_LIST_HEAD(dns_kasp_keys(kasp)); while (kaspkey != NULL) { ctx.use_nsec3 = false; diff --git a/lib/dns/include/dns/kasp.h b/lib/dns/include/dns/kasp.h index 01cc0cee33..396ef5cade 100644 --- a/lib/dns/include/dns/kasp.h +++ b/lib/dns/include/dns/kasp.h @@ -237,6 +237,16 @@ dns_kasp_sigrefresh(dns_kasp_t *kasp); *\li signature refresh interval. */ +void +dns_kasp_setsigrefresh(dns_kasp_t *kasp, uint32_t value); +/*%< + * Set signature refresh interval. + * + * Requires: + * + *\li 'kasp' is a valid, thawed kasp. + */ + uint32_t dns_kasp_sigvalidity(dns_kasp_t *kasp); uint32_t @@ -253,10 +263,22 @@ dns_kasp_sigvalidity_dnskey(dns_kasp_t *kasp); *\li signature validity. */ +void +dns_kasp_setsigvalidity(dns_kasp_t *kasp, uint32_t value); +void +dns_kasp_setsigvalidity_dnskey(dns_kasp_t *kasp, uint32_t value); +/*%< + * Set signature validity. + * + * Requires: + * + *\li 'kasp' is a valid, thawed kasp. + */ + dns_ttl_t dns_kasp_dnskeyttl(dns_kasp_t *kasp); /*%< - * Get dnskey ttl. + * Get DNSKEY TTL. * * Requires: * @@ -267,6 +289,16 @@ dns_kasp_dnskeyttl(dns_kasp_t *kasp); *\li DNSKEY TTL. */ +void +dns_kasp_setdnskeyttl(dns_kasp_t *kasp, dns_ttl_t ttl); +/*%< + * Set DNSKEY TTL. + * + * Requires: + * + *\li 'kasp' is a valid, thawed kasp. + */ + uint32_t dns_kasp_publishsafety(dns_kasp_t *kasp); /*%< @@ -281,6 +313,16 @@ dns_kasp_publishsafety(dns_kasp_t *kasp); *\li Publish safety interval. */ +void +dns_kasp_setpublishsafety(dns_kasp_t *kasp, uint32_t value); +/*%< + * Set publish safety interval. + * + * Requires: + * + *\li 'kasp' is a valid, thawed kasp. + */ + uint32_t dns_kasp_retiresafety(dns_kasp_t *kasp); /*%< @@ -295,6 +337,16 @@ dns_kasp_retiresafety(dns_kasp_t *kasp); *\li Retire safety interval. */ +void +dns_kasp_setretiresafety(dns_kasp_t *kasp, uint32_t value); +/*%< + * Set retire safety interval. + * + * Requires: + * + *\li 'kasp' is a valid, thawed kasp. + */ + dns_ttl_t dns_kasp_zonemaxttl(dns_kasp_t *kasp); /*%< @@ -309,6 +361,16 @@ dns_kasp_zonemaxttl(dns_kasp_t *kasp); *\li Maximum zone TTL. */ +void +dns_kasp_setzonemaxttl(dns_kasp_t *kasp, dns_ttl_t ttl); +/*%< + * Set maximum zone TTL. + * + * Requires: + * + *\li 'kasp' is a valid, thawed kasp. + */ + uint32_t dns_kasp_zonepropagationdelay(dns_kasp_t *kasp); /*%< @@ -323,6 +385,16 @@ dns_kasp_zonepropagationdelay(dns_kasp_t *kasp); *\li Zone propagation delay. */ +void +dns_kasp_setzonepropagationdelay(dns_kasp_t *kasp, uint32_t value); +/*%< + * Set zone propagation delay. + * + * Requires: + * + *\li 'kasp' is a valid, thawed kasp. + */ + dns_ttl_t dns_kasp_dsttl(dns_kasp_t *kasp); /*%< @@ -337,6 +409,16 @@ dns_kasp_dsttl(dns_kasp_t *kasp); *\li Expected parent DS TTL. */ +void +dns_kasp_setdsttl(dns_kasp_t *kasp, dns_ttl_t ttl); +/*%< + * Set DS TTL. + * + * Requires: + * + *\li 'kasp' is a valid, thawed kasp. + */ + uint32_t dns_kasp_parentpropagationdelay(dns_kasp_t *kasp); /*%< @@ -351,6 +433,16 @@ dns_kasp_parentpropagationdelay(dns_kasp_t *kasp); *\li Parent zone propagation delay. */ +void +dns_kasp_setparentpropagationdelay(dns_kasp_t *kasp, uint32_t value); +/*%< + * Set parent propagation delay. + * + * Requires: + * + *\li 'kasp' is a valid, thawed kasp. + */ + uint32_t dns_kasp_parentregistrationdelay(dns_kasp_t *kasp); /*%< @@ -365,6 +457,16 @@ dns_kasp_parentregistrationdelay(dns_kasp_t *kasp); *\li Parent registration delay. */ +void +dns_kasp_setparentregistrationdelay(dns_kasp_t *kasp, uint32_t value); +/*%< + * Set parent registration delay. + * + * Requires: + * + *\li 'kasp' is a valid, thawed kasp. + */ + isc_result_t dns_kasplist_find(dns_kasplist_t *list, const char *name, dns_kasp_t **kaspp); /*%< @@ -381,14 +483,56 @@ dns_kasplist_find(dns_kasplist_t *list, const char *name, dns_kasp_t **kaspp); *\li #ISC_R_NOTFOUND No matching kasp was found. */ +dns_kasp_keylist_t +dns_kasp_keys(dns_kasp_t *kasp); +/*%< + * Get the list of kasp keys. + * + * Requires: + * + *\li 'kasp' is a valid, frozen kasp. + * + * Returns: + * + *\li #ISC_R_SUCCESS + *\li #ISC_R_NOMEMORY + * + *\li Other errors are possible. + */ + +bool +dns_kasp_keylist_empty(dns_kasp_t *kasp); +/*%< + * Check if the keylist is empty. + * + * Requires: + * + *\li 'kasp' is a valid kasp. + * + * Returns: + * + *\li true if the keylist is empty, false otherwise. + */ + +void +dns_kasp_addkey(dns_kasp_t *kasp, dns_kasp_key_t *key); +/*%< + * Add a key. + * + * Requires: + * + *\li 'kasp' is a valid, thawed kasp. + *\li 'key' is not NULL. + */ + isc_result_t -dns_kasp_key_create(isc_mem_t* mctx, dns_kasp_key_t **keyp); +dns_kasp_key_create(dns_kasp_t *kasp, dns_kasp_key_t **keyp); /*%< * Create a key inside a KASP. * * Requires: * - *\li 'mctx' is a valid memory context. + *\li 'kasp' is a valid kasp. * *\li keyp != NULL && *keyp == NULL * diff --git a/lib/dns/kasp.c b/lib/dns/kasp.c index ff9293790b..66938d91e4 100644 --- a/lib/dns/kasp.c +++ b/lib/dns/kasp.c @@ -138,6 +138,13 @@ dns_kasp_sigrefresh(dns_kasp_t *kasp) { return (kasp->signatures_refresh); } +void +dns_kasp_setsigrefresh(dns_kasp_t *kasp, uint32_t value) { + REQUIRE(DNS_KASP_VALID(kasp)); + REQUIRE(!kasp->frozen); + kasp->signatures_refresh = value; +} + uint32_t dns_kasp_sigvalidity(dns_kasp_t *kasp) { REQUIRE(DNS_KASP_VALID(kasp)); @@ -145,6 +152,13 @@ dns_kasp_sigvalidity(dns_kasp_t *kasp) { return (kasp->signatures_validity); } +void +dns_kasp_setsigvalidity(dns_kasp_t *kasp, uint32_t value) { + REQUIRE(DNS_KASP_VALID(kasp)); + REQUIRE(!kasp->frozen); + kasp->signatures_validity = value; +} + uint32_t dns_kasp_sigvalidity_dnskey(dns_kasp_t *kasp) { REQUIRE(DNS_KASP_VALID(kasp)); @@ -152,6 +166,13 @@ dns_kasp_sigvalidity_dnskey(dns_kasp_t *kasp) { return (kasp->signatures_validity_dnskey); } +void +dns_kasp_setsigvalidity_dnskey(dns_kasp_t *kasp, uint32_t value) { + REQUIRE(DNS_KASP_VALID(kasp)); + REQUIRE(!kasp->frozen); + kasp->signatures_validity = value; +} + dns_ttl_t dns_kasp_dnskeyttl(dns_kasp_t *kasp) { REQUIRE(DNS_KASP_VALID(kasp)); @@ -159,6 +180,13 @@ dns_kasp_dnskeyttl(dns_kasp_t *kasp) { return (kasp->dnskey_ttl); } +void +dns_kasp_setdnskeyttl(dns_kasp_t *kasp, dns_ttl_t ttl) { + REQUIRE(DNS_KASP_VALID(kasp)); + REQUIRE(!kasp->frozen); + kasp->dnskey_ttl = ttl; +} + uint32_t dns_kasp_publishsafety(dns_kasp_t *kasp) { REQUIRE(DNS_KASP_VALID(kasp)); @@ -166,6 +194,13 @@ dns_kasp_publishsafety(dns_kasp_t *kasp) { return (kasp->publish_safety); } +void +dns_kasp_setpublishsafety(dns_kasp_t *kasp, uint32_t value) { + REQUIRE(DNS_KASP_VALID(kasp)); + REQUIRE(!kasp->frozen); + kasp->publish_safety = value; +} + uint32_t dns_kasp_retiresafety(dns_kasp_t *kasp) { REQUIRE(DNS_KASP_VALID(kasp)); @@ -173,6 +208,13 @@ dns_kasp_retiresafety(dns_kasp_t *kasp) { return (kasp->retire_safety); } +void +dns_kasp_setretiresafety(dns_kasp_t *kasp, uint32_t value) { + REQUIRE(DNS_KASP_VALID(kasp)); + REQUIRE(!kasp->frozen); + kasp->retire_safety = value; +} + dns_ttl_t dns_kasp_zonemaxttl(dns_kasp_t *kasp) { REQUIRE(DNS_KASP_VALID(kasp)); @@ -180,6 +222,13 @@ dns_kasp_zonemaxttl(dns_kasp_t *kasp) { return (kasp->zone_max_ttl); } +void +dns_kasp_setzonemaxttl(dns_kasp_t *kasp, dns_ttl_t ttl) { + REQUIRE(DNS_KASP_VALID(kasp)); + REQUIRE(!kasp->frozen); + kasp->zone_max_ttl = ttl; +} + uint32_t dns_kasp_zonepropagationdelay(dns_kasp_t *kasp) { REQUIRE(DNS_KASP_VALID(kasp)); @@ -187,6 +236,13 @@ dns_kasp_zonepropagationdelay(dns_kasp_t *kasp) { return (kasp->zone_propagation_delay); } +void +dns_kasp_setzonepropagationdelay(dns_kasp_t *kasp, uint32_t value) { + REQUIRE(DNS_KASP_VALID(kasp)); + REQUIRE(!kasp->frozen); + kasp->zone_propagation_delay = value; +} + dns_ttl_t dns_kasp_dsttl(dns_kasp_t *kasp) { REQUIRE(DNS_KASP_VALID(kasp)); @@ -194,6 +250,13 @@ dns_kasp_dsttl(dns_kasp_t *kasp) { return (kasp->parent_ds_ttl); } +void +dns_kasp_setdsttl(dns_kasp_t *kasp, dns_ttl_t ttl) { + REQUIRE(DNS_KASP_VALID(kasp)); + REQUIRE(!kasp->frozen); + kasp->parent_ds_ttl = ttl; +} + uint32_t dns_kasp_parentpropagationdelay(dns_kasp_t *kasp) { REQUIRE(DNS_KASP_VALID(kasp)); @@ -201,6 +264,13 @@ dns_kasp_parentpropagationdelay(dns_kasp_t *kasp) { return (kasp->parent_propagation_delay); } +void +dns_kasp_setparentpropagationdelay(dns_kasp_t *kasp, uint32_t value) { + REQUIRE(DNS_KASP_VALID(kasp)); + REQUIRE(!kasp->frozen); + kasp->parent_propagation_delay = value; +} + uint32_t dns_kasp_parentregistrationdelay(dns_kasp_t *kasp) { REQUIRE(DNS_KASP_VALID(kasp)); @@ -208,6 +278,13 @@ dns_kasp_parentregistrationdelay(dns_kasp_t *kasp) { return (kasp->parent_registration_delay); } +void +dns_kasp_setparentregistrationdelay(dns_kasp_t *kasp, uint32_t value) { + REQUIRE(DNS_KASP_VALID(kasp)); + REQUIRE(!kasp->frozen); + kasp->parent_registration_delay = value; +} + isc_result_t dns_kasplist_find(dns_kasplist_t *list, const char *name, dns_kasp_t **kaspp) { @@ -234,16 +311,42 @@ dns_kasplist_find(dns_kasplist_t *list, const char *name, dns_kasp_t **kaspp) return (ISC_R_SUCCESS); } +dns_kasp_keylist_t +dns_kasp_keys(dns_kasp_t *kasp) +{ + REQUIRE(DNS_KASP_VALID(kasp)); + REQUIRE(kasp->frozen); + return (kasp->keys); +} + +bool +dns_kasp_keylist_empty(dns_kasp_t *kasp) +{ + REQUIRE(DNS_KASP_VALID(kasp)); + return (ISC_LIST_EMPTY(kasp->keys)); +} + +void +dns_kasp_addkey(dns_kasp_t *kasp, dns_kasp_key_t *key) +{ + REQUIRE(DNS_KASP_VALID(kasp)); + REQUIRE(!kasp->frozen); + REQUIRE(key != NULL); + + ISC_LIST_APPEND(kasp->keys, key, link); +} + isc_result_t -dns_kasp_key_create(isc_mem_t* mctx, dns_kasp_key_t **keyp) +dns_kasp_key_create(dns_kasp_t *kasp, dns_kasp_key_t **keyp) { dns_kasp_key_t *key; + REQUIRE(DNS_KASP_VALID(kasp)); REQUIRE(keyp != NULL && *keyp == NULL); - key = isc_mem_get(mctx, sizeof(*key)); + key = isc_mem_get(kasp->mctx, sizeof(*key)); key->mctx = NULL; - isc_mem_attach(mctx, &key->mctx); + isc_mem_attach(kasp->mctx, &key->mctx); ISC_LINK_INIT(key, link); diff --git a/lib/dns/keymgr.c b/lib/dns/keymgr.c index c8eacc23bd..8c1441cacd 100644 --- a/lib/dns/keymgr.c +++ b/lib/dns/keymgr.c @@ -1330,7 +1330,7 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass, } /* Create keys according to the policy, if come in short. */ - for (kkey = ISC_LIST_HEAD(kasp->keys); kkey != NULL; + for (kkey = ISC_LIST_HEAD(dns_kasp_keys(kasp)); kkey != NULL; kkey = ISC_LIST_NEXT(kkey, link)) { isc_stdtime_t retire = 0, active = 0, prepub = 0; diff --git a/lib/dns/win32/libdns.def.in b/lib/dns/win32/libdns.def.in index 2d90054b6b..31af4b1c1e 100644 --- a/lib/dns/win32/libdns.def.in +++ b/lib/dns/win32/libdns.def.in @@ -414,6 +414,7 @@ dns_journal_rollforward dns_journal_set_sourceserial dns_journal_write_transaction dns_journal_writediff +dns_kasp_addkey dns_kasp_attach dns_kasp_create dns_kasp_detach @@ -428,10 +429,23 @@ dns_kasp_key_ksk dns_kasp_key_lifetime dns_kasp_key_size dns_kasp_key_zsk +dns_kasp_keylist_empty +dns_kasp_keys dns_kasp_parentpropagationdelay dns_kasp_parentregistrationdelay dns_kasp_publishsafety dns_kasp_retiresafety +dns_kasp_setdnskeyttl +dns_kasp_setdsttl +dns_kasp_setparentpropagationdelay +dns_kasp_setparentregistrationdelay +dns_kasp_setpublishsafety +dns_kasp_setretiresafety +dns_kasp_setsigrefresh +dns_kasp_setsigvalidity +dns_kasp_setsigvalidity_dnskey +dns_kasp_setzonemaxttl +dns_kasp_setzonepropagationdelay dns_kasp_signdelay dns_kasp_sigrefresh dns_kasp_sigvalidity diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 89d008bc89..41af9487ac 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -7039,7 +7039,7 @@ signed_with_good_key(dns_zone_t* zone, dns_db_t *db, dns_dbnode_t *node, int zsk_count = 0; bool approved; - for (kkey = ISC_LIST_HEAD(kasp->keys); kkey != NULL; + for (kkey = ISC_LIST_HEAD(dns_kasp_keys(kasp)); kkey != NULL; kkey = ISC_LIST_NEXT(kkey, link)) { if (dns_kasp_key_algorithm(kkey) != dst_key_alg(key)) { diff --git a/lib/isccfg/kaspconf.c b/lib/isccfg/kaspconf.c index 0d19d882e4..b1111f6891 100644 --- a/lib/isccfg/kaspconf.c +++ b/lib/isccfg/kaspconf.c @@ -71,7 +71,7 @@ cfg_kaspkey_fromconfig(const cfg_obj_t *config, dns_kasp_t* kasp) dns_kasp_key_t *key = NULL; /* Create a new key reference. */ - result = dns_kasp_key_create(kasp->mctx, &key); + result = dns_kasp_key_create(kasp, &key); if (result != ISC_R_SUCCESS) { return (result); } @@ -103,8 +103,7 @@ cfg_kaspkey_fromconfig(const cfg_obj_t *config, dns_kasp_t* kasp) key->length = cfg_obj_asuint32(obj); } } - ISC_LIST_APPEND(kasp->keys, key, link); - ISC_INSIST(!(ISC_LIST_EMPTY(kasp->keys))); + dns_kasp_addkey(kasp, key); return (result); } @@ -158,20 +157,21 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, isc_mem_t* mctx, maps[i] = NULL; /* Configuration: Signatures */ - kasp->signatures_refresh = get_duration( - maps, "signatures-refresh", DNS_KASP_SIG_REFRESH); - kasp->signatures_validity = get_duration( - maps, "signatures-validity", DNS_KASP_SIG_VALIDITY); - kasp->signatures_validity_dnskey = get_duration( - maps, "signatures-validity-dnskey", - DNS_KASP_SIG_VALIDITY_DNSKEY); + dns_kasp_setsigrefresh(kasp, get_duration(maps, "signatures-refresh", + DNS_KASP_SIG_REFRESH)); + dns_kasp_setsigvalidity(kasp, get_duration(maps, "signatures-validity", + DNS_KASP_SIG_VALIDITY)); + dns_kasp_setsigvalidity_dnskey(kasp, get_duration(maps, + "signatures-validity-dnskey", + DNS_KASP_SIG_VALIDITY_DNSKEY)); /* Configuration: Keys */ - kasp->dnskey_ttl = get_duration(maps, "dnskey-ttl", DNS_KASP_KEY_TTL); - kasp->publish_safety = get_duration(maps, "publish-safety", - DNS_KASP_PUBLISH_SAFETY); - kasp->retire_safety = get_duration(maps, "retire-safety", - DNS_KASP_RETIRE_SAFETY); + dns_kasp_setdnskeyttl(kasp, get_duration(maps, "dnskey-ttl", + DNS_KASP_KEY_TTL)); + dns_kasp_setpublishsafety(kasp, get_duration(maps, "publish-safety", + DNS_KASP_PUBLISH_SAFETY)); + dns_kasp_setretiresafety(kasp, get_duration(maps, "retire-safety", + DNS_KASP_RETIRE_SAFETY)); (void)confget(maps, "keys", &keys); if (keys == NULL) { @@ -190,26 +190,24 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, isc_mem_t* mctx, } } } - ISC_INSIST(!(ISC_LIST_EMPTY(kasp->keys))); + ISC_INSIST(!(dns_kasp_keylist_empty(kasp))); /* Configuration: Zone settings */ - kasp->zone_max_ttl = get_duration(maps, "zone-max-ttl", - DNS_KASP_ZONE_MAXTTL); - kasp->zone_propagation_delay = get_duration(maps, - "zone-propagation-delay", - DNS_KASP_ZONE_PROPDELAY); + dns_kasp_setzonemaxttl(kasp, get_duration(maps, "zone-max-ttl", + DNS_KASP_ZONE_MAXTTL)); + dns_kasp_setzonepropagationdelay(kasp, get_duration(maps, + "zone-propagation-delay", + DNS_KASP_ZONE_PROPDELAY)); /* Configuration: Parent settings */ - kasp->parent_ds_ttl = get_duration(maps, "parent-ds-ttl", - DNS_KASP_DS_TTL); - kasp->parent_propagation_delay = get_duration( - maps, + dns_kasp_setdsttl(kasp, get_duration(maps, "parent-ds-ttl", + DNS_KASP_DS_TTL)); + dns_kasp_setparentpropagationdelay(kasp, get_duration(maps, "parent-propagation-delay", - DNS_KASP_PARENT_PROPDELAY); - kasp->parent_registration_delay = get_duration( - maps, + DNS_KASP_PARENT_PROPDELAY)); + dns_kasp_setparentregistrationdelay(kasp, get_duration(maps, "parent-registration-delay", - DNS_KASP_PARENT_REGDELAY); + DNS_KASP_PARENT_REGDELAY)); // TODO: Rest of the configuration