Commit bacd2b0b authored by Daniel Salzman's avatar Daniel Salzman Committed by Libor Peltan

dnssec: context cleanup + get rid of string policy and keystore identifiers

parent 4f5b9645
......@@ -202,7 +202,6 @@ src/knot/dnssec/kasp/keystate.c
src/knot/dnssec/kasp/keystate.h
src/knot/dnssec/kasp/keystore.c
src/knot/dnssec/kasp/keystore.h
src/knot/dnssec/kasp/policy.c
src/knot/dnssec/kasp/policy.h
src/knot/dnssec/key-events.c
src/knot/dnssec/key-events.h
......
......@@ -255,7 +255,6 @@ libknotd_la_SOURCES = \
knot/dnssec/kasp/keystate.h \
knot/dnssec/kasp/keystore.c \
knot/dnssec/kasp/keystore.h \
knot/dnssec/kasp/policy.c \
knot/dnssec/kasp/policy.h \
knot/dnssec/key-events.c \
knot/dnssec/key-events.h \
......
......@@ -14,124 +14,126 @@
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include <assert.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <dnssec/error.h>
#include <dnssec/keystore.h>
#include "libknot/libknot.h"
#include "knot/conf/conf.h"
#include "knot/dnssec/context.h"
#include "knot/dnssec/kasp/keystore.h"
#include "contrib/files.h"
static int policy_load(knot_kasp_policy_t *policy)
static void policy_load(knot_kasp_policy_t *policy, conf_val_t *id)
{
const uint8_t *id = (const uint8_t *)policy->name;
const size_t id_len = strlen(policy->name) + 1;
conf_val_t val = conf_rawid_get(conf(), C_POLICY, C_KEYSTORE, id, id_len);
policy->keystore = strdup(conf_str(&val));
val = conf_rawid_get(conf(), C_POLICY, C_MANUAL, id, id_len);
conf_val_t val = conf_id_get(conf(), C_POLICY, C_MANUAL, id);
policy->manual = conf_bool(&val);
val = conf_rawid_get(conf(), C_POLICY, C_SINGLE_TYPE_SIGNING, id, id_len);
val = conf_id_get(conf(), C_POLICY, C_SINGLE_TYPE_SIGNING, id);
policy->singe_type_signing = conf_bool(&val);
val = conf_rawid_get(conf(), C_POLICY, C_ALG, id, id_len);
val = conf_id_get(conf(), C_POLICY, C_ALG, id);
policy->algorithm = conf_opt(&val);
val = conf_rawid_get(conf(), C_POLICY, C_KSK_SIZE, id, id_len);
val = conf_id_get(conf(), C_POLICY, C_KSK_SIZE, id);
int64_t num = conf_int(&val);
policy->ksk_size = (num != YP_NIL) ? num :
dnssec_algorithm_key_size_default(policy->algorithm);
val = conf_rawid_get(conf(), C_POLICY, C_ZSK_SIZE, id, id_len);
val = conf_id_get(conf(), C_POLICY, C_ZSK_SIZE, id);
num = conf_int(&val);
policy->zsk_size = (num != YP_NIL) ? num :
dnssec_algorithm_key_size_default(policy->algorithm);
val = conf_rawid_get(conf(), C_POLICY, C_DNSKEY_TTL, id, id_len);
val = conf_id_get(conf(), C_POLICY, C_DNSKEY_TTL, id);
policy->dnskey_ttl = conf_int(&val);
val = conf_rawid_get(conf(), C_POLICY, C_ZSK_LIFETIME, id, id_len);
val = conf_id_get(conf(), C_POLICY, C_ZSK_LIFETIME, id);
policy->zsk_lifetime = conf_int(&val);
val = conf_rawid_get(conf(), C_POLICY, C_PROPAG_DELAY, id, id_len);
val = conf_id_get(conf(), C_POLICY, C_PROPAG_DELAY, id);
policy->propagation_delay = conf_int(&val);
val = conf_rawid_get(conf(), C_POLICY, C_RRSIG_LIFETIME, id, id_len);
val = conf_id_get(conf(), C_POLICY, C_RRSIG_LIFETIME, id);
policy->rrsig_lifetime = conf_int(&val);
val = conf_rawid_get(conf(), C_POLICY, C_RRSIG_REFRESH, id, id_len);
val = conf_id_get(conf(), C_POLICY, C_RRSIG_REFRESH, id);
policy->rrsig_refresh_before = conf_int(&val);
val = conf_rawid_get(conf(), C_POLICY, C_NSEC3, id, id_len);
val = conf_id_get(conf(), C_POLICY, C_NSEC3, id);
policy->nsec3_enabled = conf_bool(&val);
val = conf_rawid_get(conf(), C_POLICY, C_NSEC3_ITER, id, id_len);
val = conf_id_get(conf(), C_POLICY, C_NSEC3_ITER, id);
policy->nsec3_iterations = conf_int(&val);
val = conf_rawid_get(conf(), C_POLICY, C_NSEC3_SALT_LEN, id, id_len);
val = conf_id_get(conf(), C_POLICY, C_NSEC3_SALT_LEN, id);
policy->nsec3_salt_length = conf_int(&val);
val = conf_rawid_get(conf(), C_POLICY, C_NSEC3_SALT_LIFETIME, id, id_len);
val = conf_id_get(conf(), C_POLICY, C_NSEC3_SALT_LIFETIME, id);
policy->nsec3_salt_lifetime = conf_int(&val);
return KNOT_EOK;
}
int kdnssec_kasp_init(kdnssec_ctx_t *ctx, const char *kasp_path, size_t kasp_mapsize,
const knot_dname_t *zone_name, const char *policy_name)
int kdnssec_ctx_init(conf_t *conf, kdnssec_ctx_t *ctx, const knot_dname_t *zone_name)
{
if (ctx == NULL || kasp_path == NULL || zone_name == NULL) {
if (ctx == NULL || zone_name == NULL) {
return KNOT_EINVAL;
}
int ret;
memset(ctx, 0, sizeof(*ctx));
ctx->zone = calloc(1, sizeof(*ctx->zone));
if (ctx->zone == NULL) {
return KNOT_ENOMEM;
ret = KNOT_ENOMEM;
goto init_error;
}
ctx->kasp_db = kaspdb();
int r = kasp_db_open(*ctx->kasp_db);
if (r != KNOT_EOK) {
return r;
ret = kasp_db_open(*ctx->kasp_db);
if (ret != KNOT_EOK) {
goto init_error;
}
r = kasp_zone_load(ctx->zone, zone_name, *ctx->kasp_db);
if (r != KNOT_EOK) {
return r;
ret = kasp_zone_load(ctx->zone, zone_name, *ctx->kasp_db);
if (ret != KNOT_EOK) {
goto init_error;
}
ctx->kasp_zone_path = strdup(kasp_path);
ctx->kasp_zone_path = conf_kaspdir(conf);
if (ctx->kasp_zone_path == NULL) {
ret = KNOT_ENOMEM;
goto init_error;
}
ctx->policy = knot_kasp_policy_new(policy_name);
ctx->policy = calloc(1, sizeof(*ctx->policy));
if (ctx->policy == NULL) {
return KNOT_ENOMEM;
ret = KNOT_ENOMEM;
goto init_error;
}
r = policy_load(ctx->policy);
if (r != KNOT_EOK) {
return r;
}
conf_val_t policy_id = conf_zone_get(conf, C_DNSSEC_POLICY, zone_name);
conf_id_fix_default(&policy_id);
policy_load(ctx->policy, &policy_id);
const uint8_t *id = (const uint8_t *)policy_name;
const size_t id_len = strlen(policy_name) + 1;
conf_val_t val = conf_rawid_get(conf(), C_KEYSTORE, C_BACKEND, id, id_len);
int backend = conf_opt(&val);
val = conf_rawid_get(conf(), C_KEYSTORE, C_CONFIG, id, id_len);
conf_val_t keystore_id = conf_id_get(conf, C_POLICY, C_KEYSTORE, &policy_id);
conf_id_fix_default(&keystore_id);
r = keystore_load(conf_str(&val), backend, kasp_path, &ctx->keystore);
if (r != KNOT_EOK) {
return r;
conf_val_t val = conf_id_get(conf, C_KEYSTORE, C_BACKEND, &keystore_id);
unsigned backend = conf_opt(&val);
val = conf_id_get(conf, C_KEYSTORE, C_CONFIG, &keystore_id);
const char *config = conf_str(&val);
ret = keystore_load(config, backend, ctx->kasp_zone_path, &ctx->keystore);
if (ret != KNOT_EOK) {
goto init_error;
}
ctx->now = time(NULL);
return KNOT_EOK;
init_error:
kdnssec_ctx_deinit(ctx);
return ret;
}
int kdnssec_ctx_commit(kdnssec_ctx_t *ctx)
......@@ -151,35 +153,10 @@ void kdnssec_ctx_deinit(kdnssec_ctx_t *ctx)
return;
}
free(ctx->policy);
dnssec_keystore_deinit(ctx->keystore);
knot_kasp_policy_free(ctx->policy);
kasp_zone_free(&ctx->zone);
free(ctx->kasp_zone_path);
memset(ctx, 0, sizeof(*ctx));
}
int kdnssec_ctx_init(kdnssec_ctx_t *ctx, const knot_dname_t *zone_name,
conf_val_t *policy)
{
if (ctx == NULL || zone_name == NULL) {
return KNOT_EINVAL;
}
kdnssec_ctx_t new_ctx = { 0 };
char *kasp_dir = conf_kaspdir(conf());
conf_val_t kasp_db_mapsize = conf_default_get(conf(), C_KASP_DB_MAPSIZE);
int r = kdnssec_kasp_init(&new_ctx, kasp_dir, conf_int(&kasp_db_mapsize), zone_name, conf_str(policy));
free(kasp_dir);
if (r != KNOT_EOK) {
kdnssec_ctx_deinit(&new_ctx);
return r;
}
new_ctx.now = time(NULL);
*ctx = new_ctx;
return KNOT_EOK;
}
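Review bot: The new failure path in kdnssec_ctx_init (`init_error: kdnssec_ctx_deinit(ctx);`) hands a partially built context to kdnssec_ctx_deinit, which in the second hunk calls `dnssec_keystore_deinit(ctx->keystore)` and `kasp_zone_free(&ctx->zone)` unconditionally; on the earliest failures (the calloc of ctx->zone, kasp_db_open) those pointers are still NULL from the memset, so this is only safe if both helpers accept NULL, which is not visible here. A guard such as `if (ctx->keystore != NULL) { dnssec_keystore_deinit(ctx->keystore); }` in kdnssec_ctx_deinit, or a comment at init_error stating that deinit tolerates a zeroed context, would make that contract explicit. Separately, policy_load now returns void and copies `conf_int()` results straight into narrower fields (`ksk_size`/`zsk_size` are uint16_t per the policy.h hunk), so range enforcement rests entirely on the configuration schema; a comment above the function, `/* Values are range-checked by the conf schema, not validated here. */`, would record that assumption. The field name `singe_type_signing` predates this commit but looks like a typo for single_type_signing.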
......@@ -23,12 +23,11 @@
#include "knot/conf/conf.h"
#include "knot/dnssec/kasp/kasp_zone.h"
#include "knot/dnssec/kasp/policy.h"
#include "libknot/dname.h"
/*!
* \brief DNSSEC signing context.
*/
struct kdnssec_ctx {
typedef struct {
time_t now;
kasp_db_t **kasp_db;
......@@ -41,28 +40,17 @@ struct kdnssec_ctx {
uint32_t old_serial;
uint32_t new_serial;
bool rrsig_drop_existing;
};
typedef struct kdnssec_ctx kdnssec_ctx_t;
/*!
* \brief Initialize DNSSEC parameters of the DNSSEC context.
*
* No cleanup is performed on failure.
*/
int kdnssec_kasp_init(kdnssec_ctx_t *ctx, const char *kasp_path, size_t kasp_mapsize,
const knot_dname_t *zone_name, const char *policy_name);
} kdnssec_ctx_t;
/*!
* \brief Initialize DNSSEC signing context.
*
* \param ctx Signing context to be initialized.
* \param zone_name Name of the zone.
* \param policy DNSSEC policy configuration reference.
* \param disable_legacy Disable legacy detection indication.
* \param conf Configuration.
* \param ctx Signing context to be initialized.
* \param zone_name Name of the zone.
* \param from_module Module identifier if initialized from a module.
*/
int kdnssec_ctx_init(kdnssec_ctx_t *ctx, const knot_dname_t *zone_name,
conf_val_t *policy);
int kdnssec_ctx_init(conf_t *conf, kdnssec_ctx_t *ctx, const knot_dname_t *zone_name);
/*!
* \brief Save the changes in ctx (in kasp zone).
......
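Review bot: The rewritten doc comment for kdnssec_ctx_init still lists `\param from_module Module identifier if initialized from a module.`, but the new prototype `int kdnssec_ctx_init(conf_t *conf, kdnssec_ctx_t *ctx, const knot_dname_t *zone_name);` has no such parameter, so that line is stale and should be dropped. With the old "No cleanup is performed on failure" note gone, the comment should also state the new failure contract: in context.c the init_error path runs kdnssec_ctx_deinit, which frees the members and zeroes the struct. I would add `\return KNOT_EOK on success; on error the context is deinitialized and zeroed by the callee.` Whether a second kdnssec_ctx_deinit on the zeroed context is then harmless depends on dnssec_keystore_deinit and kasp_zone_free accepting NULL, which is not visible here, so the comment should say whether callers may still call deinit after a failure.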
......@@ -14,7 +14,12 @@
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "keystore.h"
#include <assert.h>
#include <stdio.h>
#include "knot/conf/scheme.h"
#include "knot/dnssec/kasp/keystore.h"
#include "libknot/error.h"
char *fix_path(const char *config, const char *base_path)
{
......@@ -34,7 +39,7 @@ char *fix_path(const char *config, const char *base_path)
return path;
}
int keystore_load(const char *config, int backend,
int keystore_load(const char *config, unsigned backend,
const char *kasp_base_path, dnssec_keystore_t **keystore)
{
int ret = KNOT_EINVAL;
......
......@@ -16,9 +16,7 @@
#pragma once
#include <dnssec/keystore.h>
#include "knot/dnssec/kasp/kasp_zone.h"
#include "libknot/dname.h"
#include "dnssec/lib/dnssec/keystore.h"
int keystore_load(const char *config, int backend,
int keystore_load(const char *config, unsigned backend,
const char *kasp_base_path, dnssec_keystore_t **keystore);
/* Copyright (C) 2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include <string.h>
#include "knot/dnssec/kasp/policy.h"
knot_kasp_policy_t *knot_kasp_policy_new(const char *name)
{
knot_kasp_policy_t *policy = malloc(sizeof(*policy));
memset(policy, 0, sizeof(*policy));
if (name) {
policy->name = strdup(name);
if (!policy->name) {
free(policy);
return NULL;
}
}
return policy;
}
void knot_kasp_policy_free(knot_kasp_policy_t *policy)
{
if (!policy) {
return;
}
free(policy->name);
free(policy->keystore);
free(policy);
}
......@@ -16,14 +16,15 @@
#pragma once
#include "dnssec/lib/dnssec/key.h"
#include <stdbool.h>
#include <time.h>
#include "dnssec/lib/dnssec/key.h"
/*!
* KASP key timing information.
*/
typedef struct knot_kasp_key_timing {
typedef struct {
time_t created; /*!< Time the key was generated/imported. */
time_t publish; /*!< Time of DNSKEY record publication. */
time_t ready; /*!< Start of RRSIG generation, waiting for parent zone. */
......@@ -35,21 +36,19 @@ typedef struct knot_kasp_key_timing {
/*!
* Key parameters as writing in zone config file.
*/
struct key_params {
typedef struct {
char *id;
bool is_ksk;
uint16_t keytag;
uint8_t algorithm;
dnssec_binary_t public_key;
bool is_ksk;
struct knot_kasp_key_timing timing;
};
typedef struct key_params key_params_t;
knot_kasp_key_timing_t timing;
} key_params_t;
/*!
* Zone key.
*/
typedef struct knot_kasp_key {
typedef struct {
char *id; /*!< Keystore unique key ID. */
dnssec_key_t *key; /*!< Instance of the key. */
knot_kasp_key_timing_t timing; /*!< Key timing information. */
......@@ -57,13 +56,9 @@ typedef struct knot_kasp_key {
/*!
* Key and signature policy.
*
* \todo Move into internal API and add getters/setters (probably).
*/
typedef struct knot_kasp_policy {
char *name;
typedef struct {
bool manual;
char *keystore;
// DNSKEY
dnssec_key_algorithm_t algorithm;
uint16_t ksk_size;
......@@ -86,19 +81,3 @@ typedef struct knot_kasp_policy {
// data propagation delay
uint32_t propagation_delay;
} knot_kasp_policy_t;
/*!
* Create new KASP policy.
*
* \param name Name of the policy to be created.
*
* \return Pointer to KASP policy.
*/
knot_kasp_policy_t *knot_kasp_policy_new(const char *name);
/*!
* Free a KASP policy.
*
* \param policy Policy to be freed.
*/
void knot_kasp_policy_free(knot_kasp_policy_t *policy);
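Review bot: In the new key_params_t the `is_ksk` member moves from after `public_key` to directly after `id`, which changes the struct layout beyond the pure typedef cleanup; any positional initializer or memcpy-style serialization of key_params_t elsewhere (not visible here) would silently shift, so either keep the original order or note the move in the commit message. The doc comment above it, `Key parameters as writing in zone config file.`, is unchanged but reads awkwardly; `Key parameters as written in the zone config file.` is clearer. The surviving knot_kasp_policy_t members (`manual`, `algorithm`, `ksk_size`, ...) carry no per-field comments, and since this commit removes the only accessors, a one-line comment per field (e.g. `bool manual; /*!< Keys are managed manually, no automatic rollovers. */`, if that is what the flag means) would help readers of the struct.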
......@@ -37,9 +37,7 @@ static int sign_init(const zone_contents_t *zone, int flags, kdnssec_ctx_t *ctx)
const knot_dname_t *zone_name = zone->apex->owner;
conf_val_t policy = conf_zone_get(conf(), C_DNSSEC_POLICY, zone_name);
int r = kdnssec_ctx_init(ctx, zone_name, &policy);
int r = kdnssec_ctx_init(conf(), ctx, zone_name);
if (r != KNOT_EOK) {
return r;
}
......
......@@ -14,10 +14,6 @@
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include <assert.h>
#include "knot/conf/conf.h"
#include "knot/zone/zone.h"
#include "knot/dnssec/context.h"
#include "knot/dnssec/zone-events.h"
......@@ -26,11 +22,9 @@ int event_nsec3resalt(conf_t *conf, zone_t *zone)
bool salt_changed = false;
time_t next_resalt = 0;
conf_val_t policy = conf_zone_get(conf, C_DNSSEC_POLICY, zone->name);
kdnssec_ctx_t kctx = { 0 };
int ret = kdnssec_ctx_init(&kctx, zone->name, &policy);
int ret = kdnssec_ctx_init(conf, &kctx, zone->name);
if (ret != KNOT_EOK) {
return ret;
}
......
......@@ -14,23 +14,17 @@
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include <assert.h>
#include <time.h>
#include "knot/conf/conf.h"
#include "knot/zone/zone.h"
#include "knot/dnssec/key-events.h"
#include "knot/zone/zone.h"
int event_zsk_rollover(conf_t *conf, zone_t *zone)
{
bool keys_updated = false;
time_t next_rollover = 0;
conf_val_t policy = conf_zone_get(conf, C_DNSSEC_POLICY, zone->name);
kdnssec_ctx_t kctx = { 0 };
int ret = kdnssec_ctx_init(&kctx, zone->name, &policy);
int ret = kdnssec_ctx_init(conf, &kctx, zone->name);
if (ret != KNOT_EOK) {
return ret;
}
......
......@@ -431,9 +431,7 @@ static int get_online_key(dnssec_key_t **key_ptr, struct query_module *module)
{
kdnssec_ctx_t kctx = { 0 };
conf_val_t policy = conf_mod_get(module->config, MOD_POLICY, module->id);
int r = kdnssec_ctx_init(&kctx, module->zone, &policy);
int r = kdnssec_ctx_init(module->config, &kctx, module->zone);
if (r != DNSSEC_EOK) {
return r;
}
......
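Review bot: The new call `kdnssec_ctx_init(module->config, &kctx, module->zone)` drops the module's own `conf_mod_get(module->config, MOD_POLICY, module->id)` lookup, and kdnssec_ctx_init now resolves the policy from the zone's `dnssec-policy` setting (`conf_zone_get(conf, C_DNSSEC_POLICY, zone_name)` followed by conf_id_fix_default in the context.c hunk); unless module->config is a view that maps MOD_POLICY onto C_DNSSEC_POLICY, a `policy` option set on the online-sign module is now silently ignored and the zone-level or default policy is used instead. If that is intended, the module's schema and documentation should drop the option; otherwise the module needs a way to pass its policy reference into the context. The check on the following line compares a KNOT_* return value against `DNSSEC_EOK`; it predates this commit, but `if (r != KNOT_EOK) {` would match the function's error domain. The body of get_online_key continues outside the hunk.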
......@@ -228,9 +228,8 @@ int zone_load_post(conf_t *conf, zone_t *zone, zone_contents_t *contents,
bool build_diffs = conf_bool(&val);
if (dnssec_enable) {
/* Perform NSEC3 resalt and ZSK rollover if needed. */
conf_val_t policy = conf_zone_get(conf, C_DNSSEC_POLICY, zone->name);
kdnssec_ctx_t kctx = { 0 };
ret = kdnssec_ctx_init(&kctx, zone->name, &policy);
ret = kdnssec_ctx_init(conf, &kctx, zone->name);
if (ret != KNOT_EOK) {
changeset_clear(&change);
return ret;
......
......@@ -182,13 +182,14 @@ int main(int argc, char *argv[])
kdnssec_ctx_t kctx = { 0 };
int ret = kasp_db_init(kaspdb(), kasp_path, 500*1024*1024 /* TODO */);
conf_val_t mapsize = conf_default_get(conf(), C_KASP_DB_MAPSIZE);
int ret = kasp_db_init(kaspdb(), kasp_path, conf_int(&mapsize));
if (ret != KNOT_EOK) {
printf("Failed to initialize KASP db (%s)\n", knot_strerror(ret));
goto main_end;
}
ret = kdnssec_kasp_init(&kctx, kasp_path, 500*1024*1024 /* TODO */, zone_name, "default");
ret = kdnssec_ctx_init(conf(), &kctx, zone_name);
if (ret != KNOT_EOK) {
printf("Failed to initializize KASP (%s)\n", knot_strerror(ret));
goto main_end;
......@@ -264,6 +265,7 @@ main_end:
kasp_db_close(kaspdb());
free(kasp_path);
free(zone_name);
conf_free(conf());
return (ret == KNOT_EOK ? EXIT_SUCCESS : EXIT_FAILURE);
}
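Review bot: The KASP database is still opened with the command-line `kasp_path` (`kasp_db_init(kaspdb(), kasp_path, conf_int(&mapsize))`), while the new `kdnssec_ctx_init(conf(), &kctx, zone_name)` takes the keystore base directory from `conf_kaspdir(conf)` inside context.c; if those two paths differ, the key metadata and the key files are read from different directories without any warning. Either derive kasp_path from conf() here as well, or add a comment stating that the two are guaranteed to agree, e.g. `/* kasp_path must match conf()'s kasp-db directory; kdnssec_ctx_init uses the latter for the keystore. */`. The hard-coded "default" policy is gone; when conf() has no zone block for zone_name, conf_zone_get plus conf_id_fix_default presumably falls back to the default policy, but that should be confirmed against the conf API rather than assumed. The added `conf_free(conf())` at main_end is only safe if every earlier `goto main_end` occurs after the configuration was created; that setup is outside the hunk.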