49 #include <libhsmdns.h>
50 #include <ldns/ldns.h>
66 #define HIDDEN KEY_STATE_STATE_HIDDEN
67 #define RUMOURED KEY_STATE_STATE_RUMOURED
68 #define OMNIPRESENT KEY_STATE_STATE_OMNIPRESENT
69 #define UNRETENTIVE KEY_STATE_STATE_UNRETENTIVE
70 #define NA KEY_STATE_STATE_NA
/* Module name used as the leading "[%s]" tag in this file's ods_log_* messages. */
static const char *module_str = "enforcer";
/* Seconds. NOTE(review): presumably the retry delay used when no HSM key is
 * available for a policy ("retry in %d seconds") — confirm at the use site. */
#define NOKEY_TIMEOUT 60
/*
 * Return the larger of two ints.
 *
 * @param a first operand
 * @param b second operand
 * @return a when a is strictly greater than b, otherwise b (so b when equal)
 */
static int max(int a, int b)
{
    if (a > b) {
        return a;
    }
    return b;
}
/*
 * Return the smaller of two ints.
 *
 * @param a first operand
 * @param b second operand
 * @return a when a is strictly less than b, otherwise b (so b when equal)
 */
static int min(int a, int b)
{
    if (a < b) {
        return a;
    }
    return b;
}
97 minTime(
const time_t t, time_t* min)
100 if ( (t < *min || *min < 0) && t >= 0 ) *min = t;
113 addtime(
const time_t t,
const int seconds)
115 struct tm *tp = localtime(&t);
117 tp->tm_sec += seconds;
322 for (i = 0; i < keylist_size; i++) {
323 if (match(keylist[i],
future_key, same_algorithm, mask) > 0)
339 if (!successor_key || !predecessor_key || !
future_key)
343 if (!
key_data_cmp(successor_key, predecessor_key))
return 0;
402 successor_rec(
key_data_t** keylist,
size_t keylist_size,
416 if (!successor_key) {
419 if (!predecessor_key) {
505 if (!cmp && isPotentialSuccessor(successor_key, predecessor_key,
future_key, type) > 0) {
573 if (successor_rec(keylist, keylist_size, from_key, predecessor_key,
future_key, type, deplist_ext) > 0) {
586 for (i = 0; i < keylist_size; i++) {
594 if (isPotentialSuccessor(successor_key, keylist[i],
future_key, type) > 0) {
604 if (successor_rec(keylist+1, keylist_size-1, successor_key, keylist[i],
future_key, type, deplist_ext) > 0) {
631 if (!successor_key) {
634 if (!predecessor_key) {
658 return successor_rec(keylist, keylist_size, successor_key, predecessor_key,
future_key, type, deplist);
668 exists_with_successor(
key_data_t** keylist,
size_t keylist_size,
688 for (i = 0; i < keylist_size; i++) {
689 if (match(keylist[i],
future_key, same_algorithm, successor_mask) < 1) {
693 for (j = 0; j < keylist_size; j++) {
695 || match(keylist[j],
future_key, same_algorithm, predecessor_mask) < 1)
700 if (successor(keylist, keylist_size, keylist[i], keylist[j],
future_key, type, deplist) > 0) {
715 unsignedOk(
key_data_t** keylist,
size_t keylist_size,
732 for (i = 0; i < keylist_size; i++) {
755 if (cmp_mask[0] ==
HIDDEN || cmp_mask[0] ==
NA) {
761 if (cmp_mask[1] ==
HIDDEN || cmp_mask[1] ==
NA) {
767 if (cmp_mask[2] ==
HIDDEN || cmp_mask[2] ==
NA) {
773 if (cmp_mask[3] ==
HIDDEN || cmp_mask[3] ==
NA) {
782 if (exists(keylist, keylist_size,
future_key, 1, cmp_mask) < 1) {
794 all_DS_hidden(
key_data_t** keylist,
size_t keylist_size,
804 for (i = 0; i < keylist_size; i++) {
808 if (state !=
HIDDEN && state !=
NA)
return 0;
835 return (exists(keylist, keylist_size,
future_key, 0, mask[0]) > 0
836 || exists(keylist, keylist_size,
future_key, 0, mask[1]) > 0);
867 return (exists(keylist, keylist_size,
future_key, 1, mask[0]) > 0
902 return (exists(keylist, keylist_size,
future_key, 1, mask[0]) > 0
906 || all_DS_hidden(keylist, keylist_size,
future_key) > 0);
916 dnssecApproval(
key_data_t** keylist,
size_t keylist_size,
947 || !rule1(keylist, keylist_size,
future_key, 0)
948 || rule1(keylist, keylist_size,
future_key, 1) > 0)
949 && (!rule2(keylist, keylist_size,
future_key, 0, deplist)
950 || rule2(keylist, keylist_size,
future_key, 1, deplist) > 0)
951 && (!rule3(keylist, keylist_size,
future_key, 0, deplist)
952 || rule3(keylist, keylist_size,
future_key, 1, deplist) > 0))
988 return addtime(lastchange, ttl
995 return addtime(lastchange, ttl
1002 return addtime(lastchange, ttl
1022 policyApproval(
key_data_t** keylist,
size_t keylist_size,
1101 return !(exists(keylist, keylist_size,
future_key, 1, mask[6]) > 0
1140 if (exists(keylist, keylist_size,
future_key, 1, mask[0]) > 0
1208 return max((
int)difftime(end_date, now), ttl);
1266 static const char *scmd =
"markSuccessors";
1272 if (!dbconn || !keylist || !
future_key || !deplist || !zone) {
1298 for (i = 0; i < keylist_size; i++) {
1328 ods_log_error(
"[%s] %s: unable to create key dependency between %s and %s",
1353 const time_t now,
int allow_unsigned,
int *zone_updated,
1356 time_t returntime_zone = -1;
1358 static const char *scmd =
"updateZone";
1360 unsigned int j, change;
1370 time_t returntime_key;
1372 int key_data_updated, process, key_state_created;
1373 const db_enum_t* state_enum, *next_state_enum, *type_enum;
1378 ods_log_error(
"[%s] %s: no dbconn", module_str, scmd);
1379 return returntime_zone;
1383 ods_log_error(
"[%s] %s: no policy", module_str, scmd);
1384 return returntime_zone;
1388 ods_log_error(
"[%s] %s: no zone", module_str, scmd);
1389 return returntime_zone;
1391 if (!zone_updated) {
1393 ods_log_error(
"[%s] %s: no zone_updated", module_str, scmd);
1394 return returntime_zone;
1398 ods_log_error(
"[%s] %s: no keylist", module_str, scmd);
1399 return returntime_zone;
1403 ods_log_error(
"[%s] %s: no deplist", module_str, scmd);
1404 return returntime_zone;
1425 ods_log_error(
"[%s] %s: zone_db_set_ttl_end_ds() failed", module_str, scmd);
1437 for (i = 0; i < keylist_size; i++) {
1442 if (keylist_size < i) {
1450 ods_log_error(
"[%s] %s: zone_db_set_ttl_end_dk() failed", module_str, scmd);
1468 ods_log_error(
"[%s] %s: zone_db_set_ttl_end_rs() failed", module_str, scmd);
1479 for (i = 0; process && i < keylist_size; i++) {
1480 key_state_created = 0;
1491 ods_log_error(
"[%s] %s: key state DS creation failed", module_str, scmd);
1497 key_state_created = 1;
1503 ods_log_error(
"[%s] %s: zone_db_set_signconf_needs_writing() failed", module_str, scmd);
1522 ods_log_error(
"[%s] %s: key state DNSKEY creation failed", module_str, scmd);
1528 key_state_created = 1;
1534 ods_log_error(
"[%s] %s: zone_db_set_signconf_needs_writing() failed", module_str, scmd);
1552 ods_log_error(
"[%s] %s: key state RRSIGDNSKEY creation failed", module_str, scmd);
1558 key_state_created = 1;
1564 ods_log_error(
"[%s] %s: zone_db_set_signconf_needs_writing() failed", module_str, scmd);
1583 ods_log_error(
"[%s] %s: key state RRSIG creation failed", module_str, scmd);
1589 key_state_created = 1;
1595 ods_log_error(
"[%s] %s: zone_db_set_signconf_needs_writing() failed", module_str, scmd);
1604 if (key_state_created) {
1606 ods_log_error(
"[%s] %s: Unable to recache key states after creating some", module_str, scmd);
1619 for (i = 0; process && i < keylist_size; i++) {
1620 ods_log_verbose(
"[%s] %s: processing key %s %u", module_str, scmd,
1631 ods_log_error(
"[%s] %s: (state || next_state) == INVALID", module_str, scmd);
1663 if (state_enum->
value == (
int)state) {
1672 ods_log_verbose(
"[%s] %s: May %s %s %s in state %s transition to %s?", module_str, scmd,
1677 next_state_enum->
text);
1686 if (policyApproval(keylist, keylist_size, &
future_key, deplist) < 1) {
1689 ods_log_verbose(
"[%s] %s Policy says we can (1/3)", module_str, scmd);
1694 if (dnssecApproval(keylist, keylist_size, &
future_key, allow_unsigned, deplisttmp) < 1) {
1697 ods_log_verbose(
"[%s] %s DNSSEC says we can (2/3)", module_str, scmd);
1712 int zsk_out = exists(keylist, keylist_size, &
future_key,
1714 int zsk_in = exists(keylist, keylist_size, &
future_key,
1722 returntime_key = addtime(returntime_key,
1733 if (returntime_key > now) {
1734 minTime(returntime_key, &returntime_zone);
1738 ods_log_verbose(
"[%s] %s Timing says we can (3/3) now: %lu key: %lu",
1739 module_str, scmd, (
unsigned long)now, (
unsigned long)returntime_key);
1748 ods_log_crit(
"[%s] %s Ready for transition but key material not backed up yet (%s)",
1754 returntime_key = addtime(now, 60);
1755 minTime(returntime_key, &returntime_zone);
1766 key_data_updated = 0;
1783 key_data_updated = 1;
1788 key_data_updated = 1;
1802 key_data_updated = 1;
1812 key_data_updated = 1;
1819 if (key_data_updated) {
1821 ods_log_error(
"[%s] %s: key data update failed", module_str, scmd);
1834 ods_log_error(
"[%s] %s: key data reread failed", module_str, scmd);
1864 ods_log_error(
"[%s] %s: future key type error", module_str, scmd);
1874 ods_log_verbose(
"[%s] %s: Transitioning %s %s %s from %s to %s", module_str, scmd,
1879 next_state_enum->
text);
1886 ods_log_error(
"[%s] %s: key state transition failed", module_str, scmd);
1895 ods_log_error(
"[%s] %s: zone_db_set_signconf_needs_writing() failed", module_str, scmd);
1904 if (markSuccessors(dbconn, keylist, keylist_size, &
future_key, deplisttmp, zone) < 0) {
1905 ods_log_error(
"[%s] %s: markSuccessors() error", module_str, scmd);
1915 ods_log_error(
"[%s] %s: Unable to recache key states after transition", module_str, scmd);
1923 }
while (process && change);
1925 return returntime_zone;
1940 if (!key_list || !pkey)
1994 static const char *scmd =
"existsPolicyForKey";
1998 if (!policykeylist) {
2012 ods_log_verbose(
"[%s] %s no hsmkey!", module_str, scmd);
2028 ods_log_verbose(
"[%s] %s not found such config", module_str, scmd);
2038 int max_inception = -1;
2040 if (!key_list || !pkey)
return -1;
2067 return max_inception;
2184 zone_db_t *zone,
const time_t now,
int *allow_unsigned,
int *zone_updated)
2186 time_t return_at = -1;
2196 static const char *scmd =
"updatePolicy";
2206 ods_log_error(
"[%s] %s: no dbconn", module_str, scmd);
2211 ods_log_error(
"[%s] %s: no policy", module_str, scmd);
2216 ods_log_error(
"[%s] %s: no zone", module_str, scmd);
2219 if (!allow_unsigned) {
2221 ods_log_error(
"[%s] %s: no allow_unsigned", module_str, scmd);
2224 if (!zone_updated) {
2226 ods_log_error(
"[%s] %s: no zone_updated", module_str, scmd);
2230 ods_log_verbose(
"[%s] %s: policyName: %s", module_str, scmd,
policy_name(
policy));
2238 ods_log_error(
"[%s] %s: error policy_get_policy_keys()", module_str, scmd);
2249 ods_log_error(
"[%s] %s: error zone_db_get_keys()", module_str, scmd);
2259 ret = existsPolicyForKey(policykeylist,
key);
2262 ods_log_error(
"[%s] %s: error existsPolicyForKey() < 0", module_str, scmd);
2273 ods_log_error(
"[%s] %s: error update mutkey", module_str, scmd);
2289 *allow_unsigned = pkey ? 0 : 1;
2295 ods_log_error(
"[%s] %s: zone_db_set_signconf_needs_writing() failed", module_str, scmd);
2308 force_roll = enforce_roll(zone, pkey);
2314 if (!key_for_conf(keylist, pkey)) {
2317 else if (!force_roll) {
2333 inception = last_inception_policy(keylist, pkey);
2334 if (inception != -1 &&
2338 minTime(t_ret, &return_at);
2339 setnextroll(zone, pkey, t_ret);
2348 ods_log_verbose(
"[%s] %s: New key needed for role %s",
2361 ods_log_error(
"[%s] %s: For policy %s %s key lifetime of %d "
2362 "is unreasonably short with respect to sum of parent "
2363 "TTL (%d) and key TTL (%d). Will not insert key!",
2367 setnextroll(zone, pkey, now);
2376 ods_log_crit(
"[%s] %s: For policy %s %s key lifetime of %d "
2377 "is unreasonably short with respect to sum of "
2378 "MaxZoneTTL (%d) and key TTL (%d). Will not insert key!",
2382 setnextroll(zone, pkey, now);
2392 hsmkey = getLastReusableKey(keylist, pkey);
2407 ods_log_warning(
"[%s] %s: No keys available in HSM for policy %s, retry in %d seconds",
2410 setnextroll(zone, pkey, now);
2414 ods_log_verbose(
"[%s] %s: got new key from HSM", module_str, scmd);
2451 ods_log_error(
"[%s] %s: error new key", module_str, scmd);
2470 ods_log_error(
"[%s] %s: error keytag", module_str, scmd);
2487 ods_log_error(
"[%s] %s: error key_data_create()", module_str, scmd);
2498 minTime(t_ret, &return_at);
2499 setnextroll(zone, pkey, t_ret);
2526 ods_log_error(
"[%s] %s: error update mutkey2", module_str, scmd);
2536 ods_log_verbose(
"[%s] %s: decommissioning old key: %s", module_str, scmd,
hsm_key_locator(hsmkey2));
2553 if (enforce_roll(zone, pkey)) {
2554 if (set_roll(zone, pkey, 0)) {
2556 ods_log_error(
"[%s] %s: error set_roll()", module_str, scmd);
2574 const int purgetime)
2576 static const char *scmd =
"removeDeadKeys";
2577 time_t first_purge = -1, key_time;
2578 size_t i, deplist2_size = 0;
2579 int key_purgable, cmp;
2590 if (deplist2_size > 0)
2592 for (i = 1; i < deplist2_size; i++)
2595 for (i = 0; i < keylist_size; i++) {
2599 for (j = 0; j<4; j++) {
2615 if (key_time != -1) key_time = addtime(key_time, purgetime);
2618 if (now >= key_time) {
2624 ods_log_info(
"[%s] %s deleting key: %s", module_str, scmd,
2633 ods_log_error(
"[%s] %s: key_state_delete() || key_data_delete() || hsm_key_factory_release_key() failed", module_str, scmd);
2640 minTime(key_time, &first_purge);
2644 for (j = 0; j < deplist2_size; j++) {
2645 if (!deplist2[j])
continue;
2648 ods_log_error(
"[%s] %s: cmp deplist from failed", module_str, scmd);
2655 ods_log_error(
"[%s] %s: key_dependency_delete() failed", module_str, scmd);
2661 for (i = 0; i < deplist2_size; i++){
2671 int allow_unsigned = 0;
2672 time_t policy_return_time, zone_return_time, purge_return_time = -1, return_time;
2676 size_t keylist_size, i;
2678 static const char *scmd =
"update";
2679 int key_data_updated;
2682 ods_log_error(
"[%s] no engine", module_str);
2686 ods_log_error(
"[%s] no dbconn", module_str);
2690 ods_log_error(
"[%s] no zone", module_str);
2694 ods_log_error(
"[%s] no policy", module_str);
2697 if (!zone_updated) {
2698 ods_log_error(
"[%s] no zone_updated", module_str);
2702 ods_log_info(
"[%s] update zone: %s", module_str,
zone_db_name(zone));
2708 ods_log_info(
"[%s] KSK Rollover for zone %s is impending, "
2709 "rollover will happen at %s",
2717 ods_log_info(
"[%s] CSK Rollover for zone %s is impending, "
2718 "rollover will happen at %s",
2727 policy_return_time = updatePolicy(engine, dbconn,
policy, zone, now, &allow_unsigned, zone_updated);
2729 if (allow_unsigned) {
2730 ods_log_info(
"[%s] No keys configured for %s, zone will become unsigned eventually",
2739 ods_log_error(
"[%s] %s: error zone_db_get_key_dependencies()", module_str, scmd);
2745 ods_log_error(
"[%s] %s: error zone_db_get_keys()", module_str, scmd);
2762 ods_log_error(
"[%s] %s: error calloc(keylist_size)", module_str, scmd);
2767 for (i = 0; i < keylist_size; i++) {
2778 ods_log_error(
"[%s] %s: error key_data_list cache", module_str, scmd);
2779 for (i = 0; i < keylist_size; i++) {
2796 zone_return_time = updateZone(dbconn,
policy, zone, now, allow_unsigned, zone_updated,
2797 keylist, keylist_size, deplist);
2803 purge_return_time = removeDeadKeys(dbconn, keylist, keylist_size, deplist, now,
2812 for (i = 0; i < keylist_size; i++) {
2813 key_data_updated = 0;
2819 key_data_updated = 1;
2828 ods_log_error(
"[%s] %s: key_data_set_publish() failed",
2833 key_data_updated = 1;
2845 ods_log_error(
"[%s] %s: key_data_set_active_ksk() failed",
2850 key_data_updated = 1;
2862 ods_log_error(
"[%s] %s: key_data_set_active_zsk() failed",
2867 key_data_updated = 1;
2871 if (key_data_updated) {
2873 ods_log_error(
"[%s] %s: key_data_update() failed",
2883 for (i = 0; i < keylist_size; i++) {
2891 return_time = zone_return_time;
2892 minTime(policy_return_time, &return_time);
2906 minTime(purge_return_time, &return_time);