OpenDNSSEC-enforcer  2.1.9
enforcer.c
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2011 NLNet Labs. All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  * notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  * notice, this list of conditions and the following disclaimer in the
11  * documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
14  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
15  * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16  * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
17  * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
19  * GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
20  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
21  * IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
22  * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
23  * IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24  *
25  */
26 
27 /*
28  * @section DESCRIPTION
29  *
30  * This module controls the order and time for keys to be introduced,
31  * generated and discarded. It can be called for one zone at a time. It
32  * will then manipulate its keys and bring them closer to their goal,
33  * within bounds of the zone's policy. New keys may be fetched from the
34  * HSM and old keys discarded. When done, the update function returns
35  * a time at which it need to be called again for this zone. Unless
36  * there is an unscheduled change for this zone (some user input) it
37  * should not be called sooner. Calling sooner is not harmful in any
38  * way but also not effective. Calling later does not do any harm as
39  * well, however rollovers may be delayed.
40  */
41 
42 #include "config.h"
43 
44 #include <time.h>
45 
46 #include "libhsm.h"
47 #include "hsmkey/hsm_key_factory.h"
48 
49 #include <libhsmdns.h>
50 #include <ldns/ldns.h>
51 
52 #include "duration.h"
53 #include "log.h"
54 #include "daemon/engine.h"
55 
56 #include "db/zone_db.h"
57 #include "db/policy.h"
58 #include "db/policy_key.h"
59 #include "db/hsm_key.h"
60 #include "db/key_data.h"
61 #include "db/key_dependency.h"
62 #include "db/db_error.h"
63 
64 #include "enforcer/enforcer.h"
65 
66 #define HIDDEN KEY_STATE_STATE_HIDDEN
67 #define RUMOURED KEY_STATE_STATE_RUMOURED
68 #define OMNIPRESENT KEY_STATE_STATE_OMNIPRESENT
69 #define UNRETENTIVE KEY_STATE_STATE_UNRETENTIVE
70 #define NA KEY_STATE_STATE_NA
71 
72 static const char *module_str = "enforcer";
73 
75 #define NOKEY_TIMEOUT 60
76 
77 struct future_key {
82 };
83 
84 static int max(int a, int b) { return a>b?a:b; }
85 static int min(int a, int b) { return a<b?a:b; }
86 
96 static inline void
97 minTime(const time_t t, time_t* min)
98 {
99  assert(min); /* TODO: proper error */
100  if ( (t < *min || *min < 0) && t >= 0 ) *min = t;
101 }
102 
112 static time_t
113 addtime(const time_t t, const int seconds)
114 {
115  struct tm *tp = localtime(&t);
116  if (!tp) return -1; /* bad, but mktime also returns -1 on error */
117  tp->tm_sec += seconds;
118  return mktime(tp);
119 }
120 
127 static inline const key_state_t*
128 getRecord(key_data_t* key, key_state_type_t type)
129 {
130  if (!key) {
131  return NULL;
132  }
133 
134  switch (type) {
135  case KEY_STATE_TYPE_DS:
136  return key_data_cached_ds(key);
137 
139  return key_data_cached_dnskey(key);
140 
142  return key_data_cached_rrsig(key);
143 
145  return key_data_cached_rrsigdnskey(key);
146 
147  default:
148  break;
149  }
150 
151  return NULL;
152 }
153 
159 static inline key_state_state_t
160 getState(key_data_t* key, key_state_type_t type, struct future_key *future_key)
161 {
162  int cmp;
163 
164  if (!key) {
166  }
167 
168  if (future_key
170  && future_key->type == type
171  && future_key->key)
172  {
173  if (db_value_cmp(key_data_id(key), key_data_id(future_key->key), &cmp)) {
175  }
176  if (!cmp) {
177  return future_key->next_state;
178  }
179  }
180 
181  return key_state_state(getRecord(key, type));
182 }
183 
195 static key_state_state_t
196 getDesiredState(int introducing, key_state_state_t state)
197 {
198  /*
199  * Given goal and state, what will be the next state?
200  */
201  if (!introducing) {
202  /*
203  * We are outroducing this key so we would like to move rumoured and
204  * omnipresent keys to unretentive and unretentive keys to hidden.
205  */
206  switch (state) {
207  case HIDDEN:
208  break;
209 
210  case RUMOURED:
211  state = UNRETENTIVE;
212  break;
213 
214  case OMNIPRESENT:
215  state = UNRETENTIVE;
216  break;
217 
218  case UNRETENTIVE:
219  state = HIDDEN;
220  break;
221 
222  case NA:
223  break;
224 
225  default:
226  state = KEY_STATE_STATE_INVALID;
227  break;
228  }
229  }
230  else {
231  /*
232  * We are introducing this key so we would like to move hidden and
233  * unretentive keys to rumoured and rumoured keys to omnipresent.
234  */
235  switch (state) {
236  case HIDDEN:
237  state = RUMOURED;
238  break;
239 
240  case RUMOURED:
241  state = OMNIPRESENT;
242  break;
243 
244  case OMNIPRESENT:
245  break;
246 
247  case UNRETENTIVE:
248  state = RUMOURED;
249  break;
250 
251  case NA:
252  break;
253 
254  default:
255  state = KEY_STATE_STATE_INVALID;
256  break;
257  }
258  }
259 
260  return state;
261 }
262 
269 static int
270 match(key_data_t* key, struct future_key *future_key, int same_algorithm,
271  const key_state_state_t mask[4])
272 {
273  if (!key) {
274  return -1;
275  }
276  if (!future_key) {
277  return -1;
278  }
279  if (!future_key->key) {
280  return -1;
281  }
282 
283  if (same_algorithm
285  {
286  return 0;
287  }
288 
289  /*
290  * Check the states against the mask, for each mask that is not NA we
291  * need a match on that key state.
292  */
293  if ((mask[0] != NA
294  && getState(key, KEY_STATE_TYPE_DS, future_key) != mask[0])
295  || (mask[1] != NA
296  && getState(key, KEY_STATE_TYPE_DNSKEY, future_key) != mask[1])
297  || (mask[2] != NA
298  && getState(key, KEY_STATE_TYPE_RRSIGDNSKEY, future_key) != mask[2])
299  || (mask[3] != NA
300  && getState(key, KEY_STATE_TYPE_RRSIG, future_key) != mask[3]))
301  {
302  return 0;
303  }
304  return 1;
305 }
306 
313 static int
314 exists(key_data_t** keylist, size_t keylist_size, struct future_key *future_key,
315  int same_algorithm, const key_state_state_t mask[4])
316 {
317  size_t i;
318  if (!keylist || !future_key || !future_key->key)
319  return -1;
320  /* Check the states against the mask. If we have a match we return a
321  * positive value. */
322  for (i = 0; i < keylist_size; i++) {
323  if (match(keylist[i], future_key, same_algorithm, mask) > 0)
324  return 1;
325  }
326  return 0; /* We've got no match. */
327 }
328 
335 static int
336 isPotentialSuccessor(key_data_t* successor_key, key_data_t* predecessor_key,
337  struct future_key *future_key, key_state_type_t type)
338 {
339  if (!successor_key || !predecessor_key || !future_key)
340  return -1;
341 
342  /* You can't be a successor of yourself */
343  if (!key_data_cmp(successor_key, predecessor_key)) return 0;
344 
345  /*
346  * TODO
347  */
348  if (getState(successor_key, type, future_key) != RUMOURED
349  || key_data_algorithm(successor_key) != key_data_algorithm(predecessor_key))
350  {
351  return 0;
352  }
353 
354  /*
355  * TODO
356  */
357  switch (type) {
358  case KEY_STATE_TYPE_DS: /* Intentional fall-through */
360  /*
361  * TODO
362  */
363  if (getState(successor_key, KEY_STATE_TYPE_DNSKEY, future_key) == OMNIPRESENT) {
364  return 1;
365  }
366  break;
367 
369  /*
370  * Either both DS's should be omnipresent or both signatures, for the
371  * keys to be in a potential relationship for the DNSKEY.
372  */
373  if ((getState(predecessor_key, KEY_STATE_TYPE_DS, future_key) == OMNIPRESENT
374  && getState(successor_key, KEY_STATE_TYPE_DS, future_key) == OMNIPRESENT)
375  || (getState(predecessor_key, KEY_STATE_TYPE_RRSIG, future_key) == OMNIPRESENT
376  && getState(successor_key, KEY_STATE_TYPE_RRSIG, future_key) == OMNIPRESENT))
377  {
378  return 1;
379  }
380  break;
381 
383  /*
384  * TODO
385  */
386  break;
387 
388  default:
389  return -1;
390  }
391 
392  return 0;
393 }
394 
401 static int
402 successor_rec(key_data_t** keylist, size_t keylist_size,
403  key_data_t* successor_key, key_data_t* predecessor_key,
404  struct future_key *future_key,
405  key_state_type_t type, key_dependency_list_t* deplist_ext)
406 {
407  size_t i;
408  int cmp;
409  const key_dependency_t* dep;
410  key_data_t *from_key;
411  key_dependency_list_t* deplist;
412 
413  if (!keylist) {
414  return -1;
415  }
416  if (!successor_key) {
417  return -1;
418  }
419  if (!predecessor_key) {
420  return -1;
421  }
422  if (!future_key) {
423  return -1;
424  }
425  if (!future_key->key) {
426  return -1;
427  }
428  if (!deplist_ext) {
429  return -1;
430  }
431 
432  /*
433  * Make a copy of the deplist in order to preserve where we are in the list
434  * if we are calling ourselves later on.
435  *
436  * TODO: This can be optimized with the implementation of *_list_ref_t or
437  * allocating an array as with keylist.
438  */
439  if (!(deplist = key_dependency_list_new_copy(deplist_ext))) {
440  return -1;
441  }
442 
443  /*
444  * Check the trivial case where the predecessor key is already a predecessor
445  * for the successor key.
446  */
447  for (dep = key_dependency_list_begin(deplist); dep; dep = key_dependency_list_next(deplist)) {
448  switch (key_dependency_type(dep)) {
450  if (type != KEY_STATE_TYPE_DS) {
451  continue;
452  }
453  break;
454 
456  if (type != KEY_STATE_TYPE_RRSIG) {
457  continue;
458  }
459  break;
460 
462  if (type != KEY_STATE_TYPE_DNSKEY) {
463  continue;
464  }
465  break;
466 
468  if (type != KEY_STATE_TYPE_RRSIGDNSKEY) {
469  continue;
470  }
471  break;
472 
473  default:
474  continue;
475  }
476 
477  if (db_value_cmp(key_data_id(predecessor_key), key_dependency_from_key_data_id(dep), &cmp)) {
478  key_dependency_list_free(deplist);
479  return -1;
480  }
481  if (cmp) {
482  continue;
483  }
484 
485  if (db_value_cmp(key_data_id(successor_key), key_dependency_to_key_data_id(dep), &cmp)) {
486  key_dependency_list_free(deplist);
487  return -1;
488  }
489  if (cmp) {
490  continue;
491  }
492 
493  key_dependency_list_free(deplist);
494  return 1;
495  }
496 
497  /*
498  * Check the trivial case where there is a direct relationship in the future
499  */
500  if (future_key->pretend_update) {
501  if (db_value_cmp(key_data_id(future_key->key), key_data_id(predecessor_key), &cmp)) {
502  key_dependency_list_free(deplist);
503  return -1;
504  }
505  if (!cmp && isPotentialSuccessor(successor_key, predecessor_key, future_key, type) > 0) {
506  key_dependency_list_free(deplist);
507  return 1;
508  }
509  }
510 
511  /*
512  * Check for indirect relationship where X depends on S and X is in the same
513  * state as P and X is a successor of P.
514  */
515  for (dep = key_dependency_list_begin(deplist); dep; dep = key_dependency_list_next(deplist)) {
516  switch (key_dependency_type(dep)) {
518  if (type != KEY_STATE_TYPE_DS) {
519  continue;
520  }
521  break;
522 
524  if (type != KEY_STATE_TYPE_RRSIG) {
525  continue;
526  }
527  break;
528 
530  if (type != KEY_STATE_TYPE_DNSKEY) {
531  continue;
532  }
533  break;
534 
536  if (type != KEY_STATE_TYPE_RRSIGDNSKEY) {
537  continue;
538  }
539  break;
540 
541  default:
542  continue;
543  }
544 
545  if (db_value_cmp(key_data_id(successor_key), key_dependency_to_key_data_id(dep), &cmp)) {
546  key_dependency_list_free(deplist);
547  return -1;
548  }
549  if (cmp) {
550  continue;
551  }
552 
553  /*
554  * TODO: This may be optimized by searching for the key in the keylist
555  * first, only retrieving it from the database if needed or giving an
556  * error if it does not exist in the keylist.
557  */
558  if (!(from_key = key_dependency_get_from_key_data(dep))) {
559  key_dependency_list_free(deplist);
560  return -1;
561  }
562 
563  /*
564  * The RRSIGDNSKEY is not compared because TODO .
565  */
566  if (getState(predecessor_key, KEY_STATE_TYPE_DS, future_key) != getState(from_key, KEY_STATE_TYPE_DS, future_key)
567  || getState(predecessor_key, KEY_STATE_TYPE_DNSKEY, future_key) != getState(from_key, KEY_STATE_TYPE_DNSKEY, future_key)
568  || getState(predecessor_key, KEY_STATE_TYPE_RRSIG, future_key) != getState(from_key, KEY_STATE_TYPE_RRSIG, future_key))
569  {
570  key_data_free(from_key);
571  continue;
572  }
573  if (successor_rec(keylist, keylist_size, from_key, predecessor_key, future_key, type, deplist_ext) > 0) {
574  key_data_free(from_key);
575  key_dependency_list_free(deplist);
576  return 1;
577  }
578  key_data_free(from_key);
579  }
580  key_dependency_list_free(deplist);
581 
582  /*
583  * TODO
584  */
585  if (future_key->pretend_update) {
586  for (i = 0; i < keylist_size; i++) {
587  if (db_value_cmp(key_data_id(predecessor_key), key_data_id(keylist[i]), &cmp)) {
588  return -1;
589  }
590  if (!cmp) {
591  continue;
592  }
593 
594  if (isPotentialSuccessor(successor_key, keylist[i], future_key, type) > 0) {
595  /*
596  * The RRSIGDNSKEY is not compared because TODO .
597  */
598  if (getState(predecessor_key, KEY_STATE_TYPE_DS, future_key) != getState(keylist[i], KEY_STATE_TYPE_DS, future_key)
599  || getState(predecessor_key, KEY_STATE_TYPE_DNSKEY, future_key) != getState(keylist[i], KEY_STATE_TYPE_DNSKEY, future_key)
600  || getState(predecessor_key, KEY_STATE_TYPE_RRSIG, future_key) != getState(keylist[i], KEY_STATE_TYPE_RRSIG, future_key))
601  {
602  continue;
603  }
604  if (successor_rec(keylist+1, keylist_size-1, successor_key, keylist[i], future_key, type, deplist_ext) > 0) {
605  return 1;
606  }
607  }
608  }
609  }
610 
611  return 0;
612 }
613 
620 static int
621 successor(key_data_t** keylist, size_t keylist_size, key_data_t* successor_key,
622  key_data_t* predecessor_key, struct future_key *future_key,
624 {
625  int cmp;
626  const key_dependency_t* dep;
627 
628  if (!keylist) {
629  return -1;
630  }
631  if (!successor_key) {
632  return -1;
633  }
634  if (!predecessor_key) {
635  return -1;
636  }
637  if (!future_key) {
638  return -1;
639  }
640  if (!future_key->key) {
641  return -1;
642  }
643  if (!deplist) {
644  return -1;
645  }
646 
647  /*
648  * Nothing may depend on our predecessor.
649  */
650  for (dep = key_dependency_list_begin(deplist); dep; dep = key_dependency_list_next(deplist)) {
651  if (db_value_cmp(key_data_id(predecessor_key), key_dependency_to_key_data_id(dep), &cmp)) {
652  return -1;
653  }
654  if (!cmp) {
655  return 0;
656  }
657  }
658  return successor_rec(keylist, keylist_size, successor_key, predecessor_key, future_key, type, deplist);
659 }
660 
667 static int
668 exists_with_successor(key_data_t** keylist, size_t keylist_size,
669  struct future_key *future_key, int same_algorithm,
670  const key_state_state_t predecessor_mask[4],
671  const key_state_state_t successor_mask[4], key_state_type_t type,
672  key_dependency_list_t* deplist)
673 {
674  size_t i, j;
675 
676  if (!keylist) {
677  return -1;
678  }
679  if (!future_key) {
680  return -1;
681  }
682 
683  /*
684  * Walk the list of keys, for each key that matches the successor mask we
685  * walk the list again and check that key against the keys that match the
686  * predecessor mask if has a valid successor/predecessor relationship.
687  */
688  for (i = 0; i < keylist_size; i++) {
689  if (match(keylist[i], future_key, same_algorithm, successor_mask) < 1) {
690  continue;
691  }
692 
693  for (j = 0; j < keylist_size; j++) {
694  if (j == i
695  || match(keylist[j], future_key, same_algorithm, predecessor_mask) < 1)
696  {
697  continue;
698  }
699 
700  if (successor(keylist, keylist_size, keylist[i], keylist[j], future_key, type, deplist) > 0) {
701  return 1;
702  }
703  }
704  }
705  return 0;
706 }
707 
714 static int
715 unsignedOk(key_data_t** keylist, size_t keylist_size,
716  struct future_key *future_key,
717  const key_state_state_t mask[4], key_state_type_t type)
718 {
719  size_t i;
720  key_state_state_t cmp_mask[4];
721 
722  if (!keylist) {
723  return -1;
724  }
725  if (!future_key) {
726  return -1;
727  }
728  if (!future_key->key) {
729  return -1;
730  }
731 
732  for (i = 0; i < keylist_size; i++) {
733  if (key_data_algorithm(keylist[i]) != key_data_algorithm(future_key->key)) {
734  continue;
735  }
736 
737  cmp_mask[0] = type == KEY_STATE_TYPE_DS
738  ? getState(keylist[i], type, future_key)
739  : mask[0];
740  cmp_mask[1] = type == KEY_STATE_TYPE_DNSKEY
741  ? getState(keylist[i], type, future_key)
742  : mask[1];
743  cmp_mask[2] = type == KEY_STATE_TYPE_RRSIGDNSKEY
744  ? getState(keylist[i], type, future_key)
745  : mask[2];
746  cmp_mask[3] = type == KEY_STATE_TYPE_RRSIG
747  ? getState(keylist[i], type, future_key)
748  : mask[3];
749 
750  /*
751  * If the state is hidden or NA for the given type this key is okay.
752  */
753  switch (type) {
754  case KEY_STATE_TYPE_DS:
755  if (cmp_mask[0] == HIDDEN || cmp_mask[0] == NA) {
756  continue;
757  }
758  break;
759 
761  if (cmp_mask[1] == HIDDEN || cmp_mask[1] == NA) {
762  continue;
763  }
764  break;
765 
767  if (cmp_mask[2] == HIDDEN || cmp_mask[2] == NA) {
768  continue;
769  }
770  break;
771 
773  if (cmp_mask[3] == HIDDEN || cmp_mask[3] == NA) {
774  continue;
775  }
776  break;
777 
778  default:
779  return -1;
780  }
781 
782  if (exists(keylist, keylist_size, future_key, 1, cmp_mask) < 1) {
783  return 0;
784  }
785  }
786 
787  return 1;
788 }
789 
790 /* Check if ALL DS records for this algorithm are hidden
791  *
792  * \return 0 if !HIDDEN DS is found, 1 if no such DS where found */
793 static int
794 all_DS_hidden(key_data_t** keylist, size_t keylist_size,
795  struct future_key *future_key)
796 {
797  size_t i;
798  key_state_state_t state;
799 
800  assert(keylist);
801  assert(future_key);
802  assert(future_key->key);
803 
804  for (i = 0; i < keylist_size; i++) {
805  /*If not same algorithm. Doesn't affect us.*/
806  if (key_data_algorithm(keylist[i]) != key_data_algorithm(future_key->key)) continue;
807  state = getState(keylist[i], KEY_STATE_TYPE_DS, future_key);
808  if (state != HIDDEN && state != NA) return 0; /*Test failed. Found DS.*/
809  }
810  return 1; /*No DS where found.*/
811 }
812 
819 static int
820 rule1(key_data_t** keylist, size_t keylist_size, struct future_key *future_key,
821  int pretend_update)
822 {
823  static const key_state_state_t mask[2][4] = {
824  { OMNIPRESENT, NA, NA, NA },/* a good key state. */
825  { RUMOURED, NA, NA, NA } /* the DS is introducing. */
826  };
827 
828  if (!keylist || !future_key || !future_key->key) {
829  return -1;
830  }
831 
832  future_key->pretend_update = pretend_update;
833 
834  /* Return positive value if any of the masks are found. */
835  return (exists(keylist, keylist_size, future_key, 0, mask[0]) > 0
836  || exists(keylist, keylist_size, future_key, 0, mask[1]) > 0);
837 }
838 
845 static int
846 rule2(key_data_t** keylist, size_t keylist_size, struct future_key *future_key,
847  int pretend_update, key_dependency_list_t* deplist)
848 {
849  static const key_state_state_t mask[8][4] = {
850  { OMNIPRESENT, OMNIPRESENT, OMNIPRESENT, NA },/*good key state.*/
851  { RUMOURED, OMNIPRESENT, OMNIPRESENT, NA },/*introducing DS state.*/
852  { UNRETENTIVE, OMNIPRESENT, OMNIPRESENT, NA },/*outroducing DS state.*/
853  { OMNIPRESENT, RUMOURED, RUMOURED, NA },/*introducing DNSKEY state.*/
855  { OMNIPRESENT, UNRETENTIVE, UNRETENTIVE, NA },/*outroducing DNSKEY state.*/
857  { HIDDEN, OMNIPRESENT, OMNIPRESENT, NA } /*unsigned state.*/
858  };
859 
860  if (!keylist || !future_key || !future_key->key) {
861  return -1;
862  }
863 
864  future_key->pretend_update = pretend_update;
865 
866  /* Return positive value if any of the masks are found. */
867  return (exists(keylist, keylist_size, future_key, 1, mask[0]) > 0
868  || exists_with_successor(keylist, keylist_size, future_key, 1, mask[2], mask[1], KEY_STATE_TYPE_DS, deplist) > 0
869  || exists_with_successor(keylist, keylist_size, future_key, 1, mask[5], mask[3], KEY_STATE_TYPE_DNSKEY, deplist) > 0
870  || exists_with_successor(keylist, keylist_size, future_key, 1, mask[5], mask[4], KEY_STATE_TYPE_DNSKEY, deplist) > 0
871  || exists_with_successor(keylist, keylist_size, future_key, 1, mask[6], mask[3], KEY_STATE_TYPE_DNSKEY, deplist) > 0
872  || exists_with_successor(keylist, keylist_size, future_key, 1, mask[6], mask[4], KEY_STATE_TYPE_DNSKEY, deplist) > 0
873  || unsignedOk(keylist, keylist_size, future_key, mask[7], KEY_STATE_TYPE_DS) > 0);
874 }
875 
882 static int
883 rule3(key_data_t** keylist, size_t keylist_size, struct future_key *future_key,
884  int pretend_update, key_dependency_list_t* deplist)
885 {
886  static const key_state_state_t mask[6][4] = {
887  { NA, OMNIPRESENT, NA, OMNIPRESENT },/* good key state. */
888  { NA, RUMOURED, NA, OMNIPRESENT },/* introducing DNSKEY state. */
889  { NA, UNRETENTIVE, NA, OMNIPRESENT },/* outroducing DNSKEY state. */
890  { NA, OMNIPRESENT, NA, RUMOURED },/* introducing RRSIG state. */
891  { NA, OMNIPRESENT, NA, UNRETENTIVE },/* outroducing RRSIG state. */
892  { NA, HIDDEN, NA, OMNIPRESENT } /* unsigned state. */
893  };
894 
895  if (!keylist || !future_key || !future_key->key) {
896  return -1;
897  }
898 
899  future_key->pretend_update = pretend_update;
900 
901  /* Return positive value if any of the masks are found. */
902  return (exists(keylist, keylist_size, future_key, 1, mask[0]) > 0
903  || exists_with_successor(keylist, keylist_size, future_key, 1, mask[2], mask[1], KEY_STATE_TYPE_DNSKEY, deplist) > 0
904  || exists_with_successor(keylist, keylist_size, future_key, 1, mask[4], mask[3], KEY_STATE_TYPE_RRSIG, deplist) > 0
905  || unsignedOk(keylist, keylist_size, future_key, mask[5], KEY_STATE_TYPE_DNSKEY) > 0
906  || all_DS_hidden(keylist, keylist_size, future_key) > 0);
907 }
908 
915 static int
916 dnssecApproval(key_data_t** keylist, size_t keylist_size,
917  struct future_key* future_key, int allow_unsigned,
918  key_dependency_list_t* deplist)
919 {
920  if (!keylist) {
921  return -1;
922  }
923  if (!future_key) {
924  return -1;
925  }
926  if (!deplist) {
927  return -1;
928  }
929 
930  /*
931  * Check if DNSSEC state will be invalid by the transition by checking that
932  * all 3 DNSSEC rules apply. Rule 1 only applies if we are not allowing an
933  * unsigned state.
934  *
935  * A rule is first checked against the current state of the key_state and if
936  * the current state is not valid an transition is allowed for that rule in
937  * order to try and move out of an invalid DNSSEC state.
938  *
939  * Next the rule is checked against the desired state and if that state is a
940  * valid DNSSEC state then the transition is allowed.
941  *
942  * rule1 - Handles DS states
943  * rule2 - Handles DNSKEY states.
944  * rule3 - Handles signatures.
945  */
946  if ((allow_unsigned
947  || !rule1(keylist, keylist_size, future_key, 0)
948  || rule1(keylist, keylist_size, future_key, 1) > 0)
949  && (!rule2(keylist, keylist_size, future_key, 0, deplist)
950  || rule2(keylist, keylist_size, future_key, 1, deplist) > 0)
951  && (!rule3(keylist, keylist_size, future_key, 0, deplist)
952  || rule3(keylist, keylist_size, future_key, 1, deplist) > 0))
953  {
954  /*
955  * All rules apply, we allow transition.
956  */
957  return 1;
958  }
959 
960  return 0;
961 }
962 
971 static time_t
972 minTransitionTime(policy_t const *policy, key_state_type_t type,
973  key_state_state_t next_state, const time_t lastchange, const int ttl)
974 {
975  if (!policy) {
976  return -1;
977  }
978 
979  /*
980  * We may freely move a record to a uncertain state.
981  */
982  if (next_state == RUMOURED || next_state == UNRETENTIVE) {
983  return lastchange;
984  }
985 
986  switch (type) {
987  case KEY_STATE_TYPE_DS:
988  return addtime(lastchange, ttl
991 
992  /* TODO: 5011 will create special case here */
993  case KEY_STATE_TYPE_DNSKEY: /* intentional fall-through */
995  return addtime(lastchange, ttl
997  + ( next_state == OMNIPRESENT
1000 
1001  case KEY_STATE_TYPE_RRSIG:
1002  return addtime(lastchange, ttl
1004 
1005  default:
1006  break;
1007  }
1008 
1009  return -1;
1010 }
1011 
1021 static int
1022 policyApproval(key_data_t** keylist, size_t keylist_size,
1023  struct future_key* future_key, key_dependency_list_t* deplist)
1024 {
1025  static const key_state_state_t dnskey_algorithm_rollover[4] = { OMNIPRESENT, OMNIPRESENT, OMNIPRESENT, NA };
1026  static const key_state_state_t mask[14][4] = {
1027  /*ZSK*/
1028  { NA, OMNIPRESENT, NA, OMNIPRESENT }, /*This indicates a good key state.*/
1029  { NA, RUMOURED, NA, OMNIPRESENT }, /*This indicates a introducing DNSKEY state.*/
1030  { NA, UNRETENTIVE, NA, OMNIPRESENT }, /*This indicates a outroducing DNSKEY state.*/
1031  { NA, OMNIPRESENT, NA, RUMOURED }, /*This indicates a introducing RRSIG state.*/
1032  { NA, OMNIPRESENT, NA, UNRETENTIVE }, /*This indicates a outroducing RRSIG state.*/
1033  { NA, HIDDEN, NA, OMNIPRESENT }, /*This indicates an unsigned state.*/
1034 
1035  /*KSK*/
1036  { OMNIPRESENT, OMNIPRESENT, OMNIPRESENT, NA }, /*This indicates a good key state.*/
1037  { RUMOURED, OMNIPRESENT, OMNIPRESENT, NA }, /*This indicates an introducing DS state.*/
1038  { UNRETENTIVE, OMNIPRESENT, OMNIPRESENT, NA }, /*This indicates an outroducing DS state.*/
1039  { OMNIPRESENT, RUMOURED, RUMOURED, NA }, /*These indicates an introducing DNSKEY state.*/
1041  { OMNIPRESENT, UNRETENTIVE, UNRETENTIVE, NA }, /*These indicates an outroducing DNSKEY state.*/
1043  { HIDDEN, OMNIPRESENT, OMNIPRESENT, NA } /*This indicates an unsigned state.*/
1044  };
1045 
1046  if (!keylist || !future_key || !future_key->key) {
1047  return -1;
1048  }
1049 
1050  /*
1051  * Once the record is introduced the policy has no influence.
1052  */
1053  if (future_key->next_state != RUMOURED) {
1054  return 1;
1055  }
1056 
1057  /*
1058  * Check if policy prevents transition if the next state is rumoured.
1059  */
1060  switch (future_key->type) {
1061  case KEY_STATE_TYPE_DS:
1062  /*
1063  * If we want to minimize the DS transitions make sure the DNSKEY is
1064  * fully propagated.
1065  */
1068  {
1069  /*
1070  * DNSKEY is not fully propagated so we will not do any transitions.
1071  */
1072  return 0;
1073  }
1074  break;
1075 
1076  case KEY_STATE_TYPE_DNSKEY:
1078  /* There are no restrictions for the DNSKEY transition so we can
1079  * just continue. */
1080  return 1;
1081  }
1082  /* Check that signatures has been propagated for CSK/ZSK. */
1086  {
1087  /* RRSIG fully propagated so we will do the transitions. */
1088  return 1;
1089  }
1090  }
1091  /* Check if the DS is introduced and continue if it is. */
1095  {
1096  return 1;
1097  }
1098  }
1099  /* We might be doing an algorithm rollover so we check if there are
1100  * no other good KSK available and ignore the minimize flag if so. */
1101  return !(exists(keylist, keylist_size, future_key, 1, mask[6]) > 0
1102  || exists_with_successor(keylist, keylist_size, future_key, 1, mask[8], mask[7], KEY_STATE_TYPE_DS, deplist) > 0
1103  || exists_with_successor(keylist, keylist_size, future_key, 1, mask[11], mask[9], KEY_STATE_TYPE_DNSKEY, deplist) > 0);
1104 
1106  /*
1107  * The only time not to introduce RRSIG DNSKEY is when the DNSKEY is
1108  * still hidden.
1109  *
1110  * TODO: How do we know we are introducing the RRSIG DNSKEY? We might be
1111  * outroducing it.
1112  */
1114  return 0;
1115  }
1116  break;
1117 
1118  case KEY_STATE_TYPE_RRSIG:
1120  /*
1121  * There are no restrictions for the RRSIG transition so we can
1122  * just continue.
1123  */
1124  break;
1125  }
1126 
1127  /*
1128  * Check if the DNSKEY is introduced and continue if it is.
1129  */
1131  break;
1132  }
1133 
1134  /*
1135  * We might be doing an algorithm rollover so we check if there are
1136  * no other good ZSK available and ignore the minimize flag if so.
1137  *
1138  * TODO: How is this related to ZSK/CSK? There are no check for key_data_role().
1139  */
1140  if (exists(keylist, keylist_size, future_key, 1, mask[0]) > 0
1141  || exists_with_successor(keylist, keylist_size, future_key, 1, mask[2], mask[1], KEY_STATE_TYPE_DNSKEY, deplist) > 0
1142  || exists_with_successor(keylist, keylist_size, future_key, 1, mask[4], mask[3], KEY_STATE_TYPE_RRSIG, deplist) > 0
1143  )
1144  {
1145  /*
1146  * We found a good key, so we will not do any transition.
1147  */
1148  return 0;
1149  }
1150  break;
1151 
1152  default:
1153  return 0;
1154  }
1155 
1156  return 1;
1157 }
1158 
1168 static int
1169 getZoneTTL(policy_t const *policy, zone_db_t* zone, key_state_type_t type,
1170  const time_t now)
1171 {
1172  time_t end_date;
1173  int ttl;
1174 
1175  if (!policy) {
1176  return -1;
1177  }
1178  if (!zone) {
1179  return -1;
1180  }
1181 
1182  switch (type) {
1183  case KEY_STATE_TYPE_DS:
1184  end_date = zone_db_ttl_end_ds(zone);
1186  break;
1187 
1188  case KEY_STATE_TYPE_DNSKEY: /* Intentional fall-through */
1190  end_date = zone_db_ttl_end_dk(zone);
1191  ttl = policy_keys_ttl(policy);
1192  break;
1193 
1194  case KEY_STATE_TYPE_RRSIG:
1195  end_date = zone_db_ttl_end_rs(zone);
1202  break;
1203 
1204  default:
1205  return -1;
1206  }
1207 
1208  return max((int)difftime(end_date, now), ttl);
1209 }
1210 
1217 static int
1218 isSuccessable(struct future_key* future_key)
1219 {
1220  if (!future_key) {
1221  return -1;
1222  }
1223 
1224  if (future_key->next_state != UNRETENTIVE) {
1225  return 0;
1226  }
1227 
1228  switch (future_key->type) {
1229  case KEY_STATE_TYPE_DS:
1230  case KEY_STATE_TYPE_RRSIG:
1232  return 0;
1233  }
1234  break;
1235 
1237  return 0;
1238 
1239  case KEY_STATE_TYPE_DNSKEY:
1242  {
1243  return 0;
1244  }
1245  break;
1246 
1247  default:
1248  return -1;
1249  }
1250 
1251  return 1;
1252 }
1253 
1261 static int
1262 markSuccessors(db_connection_t *dbconn, key_data_t** keylist,
1263  size_t keylist_size, struct future_key *future_key,
1264  key_dependency_list_t* deplist, const zone_db_t* zone)
1265 {
1266  static const char *scmd = "markSuccessors";
1267  size_t i;
1270  int cmp;
1271 
1272  if (!dbconn || !keylist || !future_key || !deplist || !zone) {
1273  return -1;
1274  }
1275 
1276  /* If key,type in deplist and new state is omnipresent it is no
1277  * longer relevant for the dependencies */
1278  if (future_key->next_state == OMNIPRESENT) {
1279  /* Remove any entries for this key,type tuple from successors */
1280  for (kd = key_dependency_list_get_begin(deplist); kd;
1281  key_dependency_free(kd),
1282  kd = key_dependency_list_get_next(deplist))
1283  {
1285  key_dependency_to_key_data_id(kd), &cmp) == DB_OK &&
1286  !cmp && kd->type == (key_dependency_type_t)future_key->type)
1287  {
1289  }
1290 
1291  }
1292  }
1293 
1294  if (isSuccessable(future_key) < 1) {
1295  return 0;
1296  }
1297 
1298  for (i = 0; i < keylist_size; i++) {
1299  if (isPotentialSuccessor(keylist[i], future_key->key, future_key, future_key->type) > 0) {
1300  switch (future_key->type) {
1301  case KEY_STATE_TYPE_DS:
1303  break;
1304 
1305  case KEY_STATE_TYPE_DNSKEY:
1307  break;
1308 
1311  break;
1312 
1313  case KEY_STATE_TYPE_RRSIG:
1315  break;
1316 
1317  default:
1318  return -1;
1319  }
1320 
1321  if (!(key_dependency = key_dependency_new(dbconn))
1327  {
1328  ods_log_error("[%s] %s: unable to create key dependency between %s and %s",
1329  module_str, scmd,
1333  return -1;
1334  }
1336  }
1337  }
1338 
1339  return 1;
1340 }
1341 
1351 static time_t
1352 updateZone(db_connection_t *dbconn, policy_t const *policy, zone_db_t* zone,
1353  const time_t now, int allow_unsigned, int *zone_updated,
1354  key_data_t** keylist, size_t keylist_size, key_dependency_list_t *deplist)
1355 {
1356  time_t returntime_zone = -1;
1357  unsigned int ttl;
1358  static const char *scmd = "updateZone";
1359  size_t i;
1360  unsigned int j, change;
1361  static const key_state_type_t type[] = {
1366  };
1367  struct future_key future_key;
1369  key_state_state_t state;
1370  time_t returntime_key;
1372  int key_data_updated, process, key_state_created;
1373  const db_enum_t* state_enum, *next_state_enum, *type_enum;
1374  key_dependency_list_t *deplisttmp = NULL;
1375 
1376  if (!dbconn) {
1377  /* TODO: better log error */
1378  ods_log_error("[%s] %s: no dbconn", module_str, scmd);
1379  return returntime_zone;
1380  }
1381  if (!policy) {
1382  /* TODO: better log error */
1383  ods_log_error("[%s] %s: no policy", module_str, scmd);
1384  return returntime_zone;
1385  }
1386  if (!zone) {
1387  /* TODO: better log error */
1388  ods_log_error("[%s] %s: no zone", module_str, scmd);
1389  return returntime_zone;
1390  }
1391  if (!zone_updated) {
1392  /* TODO: better log error */
1393  ods_log_error("[%s] %s: no zone_updated", module_str, scmd);
1394  return returntime_zone;
1395  }
1396  if (!keylist) {
1397  /* TODO: better log error */
1398  ods_log_error("[%s] %s: no keylist", module_str, scmd);
1399  return returntime_zone;
1400  }
1401  if (!deplist) {
1402  /* TODO: better log error */
1403  ods_log_error("[%s] %s: no deplist", module_str, scmd);
1404  return returntime_zone;
1405  }
1406 
1407  ods_log_verbose("[%s] %s: processing %s with policyName %s", module_str, scmd, zone_db_name(zone), policy_name(policy));
1408 
1409  deplisttmp = zone_db_get_key_dependencies(zone);
1410 
1411  /*
1412  * The process variable will indicate if we are processing, if something
1413  * fails and sets it to 0 then it will fall through to the end.
1414  */
1415  process = 1;
1416 
1417  /*
1418  * This code keeps track of TTL changes. If in the past a large TTL is used,
1419  * our keys *may* need to transition extra careful to make sure each
1420  * resolver picks up the RRset. When this date passes we may start using the
1421  * policies TTL.
1422  */
1423  if (process && zone_db_ttl_end_ds(zone) <= now) {
1424  if (zone_db_set_ttl_end_ds(zone, addtime(now, policy_parent_ds_ttl(policy)))) {
1425  ods_log_error("[%s] %s: zone_db_set_ttl_end_ds() failed", module_str, scmd);
1426  process = 0;
1427  }
1428  else {
1429  *zone_updated = 1;
1430  }
1431  }
1432  if (process && zone_db_ttl_end_dk(zone) <= now) {
1433  /*
1434  * If no DNSKEY is currently published we must take negative caching
1435  * into account.
1436  */
1437  for (i = 0; i < keylist_size; i++) {
1438  if (key_state_state(key_data_cached_dnskey(keylist[i])) == OMNIPRESENT) {
1439  break;
1440  }
1441  }
1442  if (keylist_size < i) {
1443  ttl = max(policy_keys_ttl(policy),
1445  }
1446  else {
1447  ttl = policy_keys_ttl(policy);
1448  }
1449  if (zone_db_set_ttl_end_dk(zone, addtime(now, ttl))) {
1450  ods_log_error("[%s] %s: zone_db_set_ttl_end_dk() failed", module_str, scmd);
1451  process = 0;
1452  }
1453  else {
1454  *zone_updated = 1;
1455  }
1456  }
1457  if (process && zone_db_ttl_end_rs(zone) <= now) {
1460  }
1461  else {
1463  }
1464  if (zone_db_set_ttl_end_rs(zone, addtime(now, max(
1466  ttl))))
1467  {
1468  ods_log_error("[%s] %s: zone_db_set_ttl_end_rs() failed", module_str, scmd);
1469  process = 0;
1470  }
1471  else {
1472  *zone_updated = 1;
1473  }
1474  }
1475 
1476  /*
1477  * Create key states that do not exist.
1478  */
1479  for (i = 0; process && i < keylist_size; i++) {
1480  key_state_created = 0;
1481  if (!key_data_cached_ds(keylist[i])) {
1482  if (!(key_state = key_state_new(dbconn))
1485  || key_state_set_minimize(key_state, (key_data_minimize(keylist[i]) >> 2) & 1)
1488  || key_state_set_ttl(key_state, getZoneTTL(policy, zone, KEY_STATE_TYPE_DS, now))
1490  {
1491  ods_log_error("[%s] %s: key state DS creation failed", module_str, scmd);
1492  process = 0;
1494  key_state = NULL;
1495  break;
1496  }
1497  key_state_created = 1;
1499  key_state = NULL;
1500 
1501  if (!zone_db_signconf_needs_writing(zone)) {
1502  if (zone_db_set_signconf_needs_writing(zone, 1)) {
1503  ods_log_error("[%s] %s: zone_db_set_signconf_needs_writing() failed", module_str, scmd);
1504  process = 0;
1505  break;
1506  }
1507  else {
1508  *zone_updated = 1;
1509  }
1510  }
1511  }
1512  if (!key_data_cached_dnskey(keylist[i])) {
1513  if (!(key_state = key_state_new(dbconn))
1516  || key_state_set_minimize(key_state, (key_data_minimize(keylist[i]) >> 1) & 1)
1519  || key_state_set_ttl(key_state, getZoneTTL(policy, zone, KEY_STATE_TYPE_DNSKEY, now))
1521  {
1522  ods_log_error("[%s] %s: key state DNSKEY creation failed", module_str, scmd);
1523  process = 0;
1525  key_state = NULL;
1526  break;
1527  }
1528  key_state_created = 1;
1530  key_state = NULL;
1531 
1532  if (!zone_db_signconf_needs_writing(zone)) {
1533  if (zone_db_set_signconf_needs_writing(zone, 1)) {
1534  ods_log_error("[%s] %s: zone_db_set_signconf_needs_writing() failed", module_str, scmd);
1535  process = 0;
1536  break;
1537  }
1538  else {
1539  *zone_updated = 1;
1540  }
1541  }
1542  }
1543  if (!key_data_cached_rrsigdnskey(keylist[i])) {
1544  if (!(key_state = key_state_new(dbconn))
1549  || key_state_set_ttl(key_state, getZoneTTL(policy, zone, KEY_STATE_TYPE_RRSIGDNSKEY, now))
1551  {
1552  ods_log_error("[%s] %s: key state RRSIGDNSKEY creation failed", module_str, scmd);
1553  process = 0;
1555  key_state = NULL;
1556  break;
1557  }
1558  key_state_created = 1;
1560  key_state = NULL;
1561 
1562  if (!zone_db_signconf_needs_writing(zone)) {
1563  if (zone_db_set_signconf_needs_writing(zone, 1)) {
1564  ods_log_error("[%s] %s: zone_db_set_signconf_needs_writing() failed", module_str, scmd);
1565  process = 0;
1566  break;
1567  }
1568  else {
1569  *zone_updated = 1;
1570  }
1571  }
1572  }
1573  if (!key_data_cached_rrsig(keylist[i])) {
1574  if (!(key_state = key_state_new(dbconn))
1580  || key_state_set_ttl(key_state, getZoneTTL(policy, zone, KEY_STATE_TYPE_RRSIG, now))
1582  {
1583  ods_log_error("[%s] %s: key state RRSIG creation failed", module_str, scmd);
1584  process = 0;
1586  key_state = NULL;
1587  break;
1588  }
1589  key_state_created = 1;
1591  key_state = NULL;
1592 
1593  if (!zone_db_signconf_needs_writing(zone)) {
1594  if (zone_db_set_signconf_needs_writing(zone, 1)) {
1595  ods_log_error("[%s] %s: zone_db_set_signconf_needs_writing() failed", module_str, scmd);
1596  process = 0;
1597  break;
1598  }
1599  else {
1600  *zone_updated = 1;
1601  }
1602  }
1603  }
1604  if (key_state_created) {
1605  if (key_data_cache_key_states(keylist[i])) {
1606  ods_log_error("[%s] %s: Unable to recache key states after creating some", module_str, scmd);
1607  process = 0;
1608  break;
1609  }
1610  }
1611  }
1612 
1613  /*
1614  * Keep looping till there are no state changes and find the earliest update
1615  * time to return.
1616  */
1617  do {
1618  change = 0;
1619  for (i = 0; process && i < keylist_size; i++) {
1620  ods_log_verbose("[%s] %s: processing key %s %u", module_str, scmd,
1621  hsm_key_locator(key_data_cached_hsm_key(keylist[i])), key_data_minimize(keylist[i]));
1622 
1623  for (j = 0; process && j < (sizeof(type) / sizeof(key_state_state_t)); j++) {
1624  /*
1625  * If the state or desired_state is invalid something went wrong
1626  * and we should return.
1627  */
1628  if ((state = getState(keylist[i], type[j], NULL)) == KEY_STATE_STATE_INVALID
1629  || (next_state = getDesiredState(key_data_introducing(keylist[i]), state)) == KEY_STATE_STATE_INVALID)
1630  {
1631  ods_log_error("[%s] %s: (state || next_state) == INVALID", module_str, scmd);
1632  process = 0;
1633  break;
1634  }
1635 
1636  /*
1637  * If there is no change in key state we continue.
1638  */
1639  if (state == next_state) {
1640  continue;
1641  }
1642 
1643  /*
1644  * If the key state is a DS then we need to check if we still
1645  * are waiting for user input before we can transition the key.
1646  */
1647  if (type[j] == KEY_STATE_TYPE_DS) {
1648  if ((next_state == OMNIPRESENT
1650  || (next_state == HIDDEN
1652  {
1653  continue;
1654  }
1655  }
1656 
1657  for (type_enum = key_state_enum_set_type; type_enum->text; type_enum++) {
1658  if (type_enum->value == (int)type[j]) {
1659  break;
1660  }
1661  }
1662  for (state_enum = key_state_enum_set_state; state_enum->text; state_enum++) {
1663  if (state_enum->value == (int)state) {
1664  break;
1665  }
1666  }
1667  for (next_state_enum = key_state_enum_set_state; next_state_enum->text; next_state_enum++) {
1668  if (next_state_enum->value == (int)next_state) {
1669  break;
1670  }
1671  }
1672  ods_log_verbose("[%s] %s: May %s %s %s in state %s transition to %s?", module_str, scmd,
1673  key_data_role_text(keylist[i]),
1675  type_enum->text,
1676  state_enum->text,
1677  next_state_enum->text);
1678 
1679  future_key.key = keylist[i];
1680  future_key.type = type[j];
1682 
1683  /*
1684  * Check if policy prevents transition.
1685  */
1686  if (policyApproval(keylist, keylist_size, &future_key, deplist) < 1) {
1687  continue;
1688  }
1689  ods_log_verbose("[%s] %s Policy says we can (1/3)", module_str, scmd);
1690 
1691  /*
1692  * Check if DNSSEC state prevents transition.
1693  */
1694  if (dnssecApproval(keylist, keylist_size, &future_key, allow_unsigned, deplisttmp) < 1) {
1695  continue;
1696  }
1697  ods_log_verbose("[%s] %s DNSSEC says we can (2/3)", module_str, scmd);
1698 
1699  returntime_key = minTransitionTime(policy, type[j], next_state,
1700  key_state_last_change(getRecord(keylist[i], type[j])),
1701  getZoneTTL(policy, zone, type[j], now));
1702 
1703  /*
1704  * If this is an RRSIG and the DNSKEY is omnipresent and next
1705  * state is a certain state, wait an additional signature
1706  * lifetime to allow for 'smooth rollover'.
1707  */
1708  static const key_state_state_t mask[2][4] = {
1710  {NA, OMNIPRESENT, NA, RUMOURED}
1711  };
1712  int zsk_out = exists(keylist, keylist_size, &future_key,
1713  1, mask[0]);
1714  int zsk_in = exists(keylist, keylist_size, &future_key,
1715  1, mask[1]);
1716 
1717  if (type[j] == KEY_STATE_TYPE_RRSIG
1719  && ((next_state == OMNIPRESENT && zsk_out)
1720  || (next_state == HIDDEN && zsk_in)))
1721  {
1722  returntime_key = addtime(returntime_key,
1728  }
1729 
1730  /*
1731  * It is to soon to make this change. Schedule it.
1732  */
1733  if (returntime_key > now) {
1734  minTime(returntime_key, &returntime_zone);
1735  continue;
1736  }
1737 
1738  ods_log_verbose("[%s] %s Timing says we can (3/3) now: %lu key: %lu",
1739  module_str, scmd, (unsigned long)now, (unsigned long)returntime_key);
1740 
1741  /*
1742  * A record can only reach Omnipresent if properly backed up.
1743  */
1744  if (next_state == OMNIPRESENT) {
1747  {
1748  ods_log_crit("[%s] %s Ready for transition but key material not backed up yet (%s)",
1749  module_str, scmd, hsm_key_locator(key_data_cached_hsm_key(keylist[i])));
1750 
1751  /*
1752  * Try again in 60 seconds
1753  */
1754  returntime_key = addtime(now, 60);
1755  minTime(returntime_key, &returntime_zone);
1756  continue;
1757  }
1758  }
1759 
1760  /*
1761  * If we are handling a DS we depend on the user or
1762  * some other external process. We must communicate
1763  * through the DSSeen and -submit flags.
1764  */
1765  if (type[j] == KEY_STATE_TYPE_DS) {
1766  key_data_updated = 0;
1767 
1768  /*
1769  * Ask the user to submit the DS to the parent.
1770  */
1771  if (next_state == RUMOURED) {
1772  switch (key_data_ds_at_parent(keylist[i])) {
1776  break;
1777 
1779  /*
1780  * Hypothetical case where we reintroduce keys.
1781  */
1783  key_data_updated = 1;
1784  break;
1785 
1786  default:
1788  key_data_updated = 1;
1789  }
1790  }
1791  /*
1792  * Ask the user to remove the DS from the parent.
1793  */
1794  else if (next_state == UNRETENTIVE) {
1795  switch(key_data_ds_at_parent(keylist[i])) {
1797  /*
1798  * Never submitted.
1799  * NOTE: not safe if we support reintroducing of keys.
1800  */
1802  key_data_updated = 1;
1803  break;
1804 
1808  break;
1809 
1810  default:
1812  key_data_updated = 1;
1813  }
1814  }
1815 
1816  /*
1817  * Save the changes made to the key data if any.
1818  */
1819  if (key_data_updated) {
1820  if (key_data_update(keylist[i])) {
1821  ods_log_error("[%s] %s: key data update failed", module_str, scmd);
1822  process = 0;
1823  break;
1824  }
1825  /*
1826  * We now need to reread the key data object.
1827  *
1828  * TODO: This needs investigation how to do better.
1829  */
1830  if (key_data_get_by_id(keylist[i], key_data_id(keylist[i]))
1831  || key_data_cache_key_states(keylist[i])
1832  || key_data_cache_hsm_key(keylist[i]))
1833  {
1834  ods_log_error("[%s] %s: key data reread failed", module_str, scmd);
1835  process = 0;
1836  break;
1837  }
1838  }
1839  }
1840 
1841  /*
1842  * We've passed all tests! Make the transition.
1843  */
1844  key_state = NULL;
1845 
1846  switch (future_key.type) {
1847  case KEY_STATE_TYPE_DS:
1849  break;
1850 
1851  case KEY_STATE_TYPE_DNSKEY:
1853  break;
1854 
1855  case KEY_STATE_TYPE_RRSIG:
1857  break;
1858 
1861  break;
1862 
1863  default:
1864  ods_log_error("[%s] %s: future key type error", module_str, scmd);
1865  process = 0;
1866  break;
1867  }
1868 
1869  for (next_state_enum = key_state_enum_set_state; next_state_enum->text; next_state_enum++) {
1870  if (next_state_enum->value == (int)next_state) {
1871  break;
1872  }
1873  }
1874  ods_log_verbose("[%s] %s: Transitioning %s %s %s from %s to %s", module_str, scmd,
1875  key_data_role_text(keylist[i]),
1879  next_state_enum->text);
1880 
1883  || key_state_set_ttl(key_state, getZoneTTL(policy, zone, future_key.type, now))
1885  {
1886  ods_log_error("[%s] %s: key state transition failed", module_str, scmd);
1887  process = 0;
1889  break;
1890  }
1892 
1893  if (!zone_db_signconf_needs_writing(zone)) {
1894  if (zone_db_set_signconf_needs_writing(zone, 1)) {
1895  ods_log_error("[%s] %s: zone_db_set_signconf_needs_writing() failed", module_str, scmd);
1896  process = 0;
1897  break;
1898  }
1899  else {
1900  *zone_updated = 1;
1901  }
1902  }
1903 
1904  if (markSuccessors(dbconn, keylist, keylist_size, &future_key, deplisttmp, zone) < 0) {
1905  ods_log_error("[%s] %s: markSuccessors() error", module_str, scmd);
1906  process = 0;
1907  break;
1908  }
1909  /*deps have changed reload*/
1910  key_dependency_list_free(deplisttmp);
1911  deplisttmp = zone_db_get_key_dependencies(zone);
1912 
1913 
1914  if (key_data_cache_key_states(keylist[i])) {
1915  ods_log_error("[%s] %s: Unable to recache key states after transition", module_str, scmd);
1916  process = 0;
1917  break;
1918  }
1919 
1920  change = true;
1921  }
1922  }
1923  } while (process && change);
1924  key_dependency_list_free(deplisttmp);
1925  return returntime_zone;
1926 }
1927 
1931 static const hsm_key_t*
1932 getLastReusableKey(key_data_list_t *key_list, const policy_key_t *pkey)
1933 {
1934  const key_data_t *key;
1935  hsm_key_t *hkey, *hkey_young = NULL;
1936  hsm_key_list_t* hsmkeylist;
1937  int match;
1938  int cmp;
1939 
1940  if (!key_list || !pkey)
1941  return NULL;
1942 
1943  hsmkeylist = hsm_key_list_new_get_by_policy_key(pkey);
1944  for (hkey = hsm_key_list_get_begin(hsmkeylist); hkey;
1945  hkey = hsm_key_list_get_next(hsmkeylist))
1946  {
1948  if ((~hsm_key_role(hkey) & policy_key_role(pkey)) != 0 ||
1951  hkey->state == HSM_KEY_STATE_UNUSED )
1952  {
1953  hsm_key_free(hkey);
1954  continue;
1955  }
1956 
1958  for (match = 0, key = key_data_list_begin(key_list); key; key = key_data_list_next(key_list)) {
1959  if (!db_value_cmp(key_data_hsm_key_id(key), hsm_key_id(hkey), &cmp)
1960  && cmp == 0)
1961  {
1963  match = 1;
1964  break;
1965  }
1966  }
1967  if (match) {
1968  hsm_key_free(hkey);
1969  continue;
1970  }
1971 
1973  if (!hkey_young || hsm_key_inception(hkey_young) < hsm_key_inception(hkey)) {
1974  hsm_key_free(hkey_young);
1975  hkey_young = hkey;
1976  }
1977  }
1978 
1979  hsm_key_list_free(hsmkeylist);
1980  return hkey_young;
1981 }
1982 
1991 static int
1992 existsPolicyForKey(policy_key_list_t *policykeylist, const key_data_t *key)
1993 {
1994  static const char *scmd = "existsPolicyForKey";
1995  const policy_key_t *pkey;
1996  hsm_key_t *hkey;
1997 
1998  if (!policykeylist) {
1999  return -1;
2000  }
2001  if (!key) {
2002  return -1;
2003  }
2004 
2005  if (!(hkey = key_data_get_hsm_key(key))) {
2006  /*
2007  * This key is not associated with actual key material!
2008  * This is a bug or database corruption.
2009  * Crashing here is an option but we just return false so the
2010  * key will be thrown away in a graceful manner.
2011  */
2012  ods_log_verbose("[%s] %s no hsmkey!", module_str, scmd);
2013  return 0;
2014  }
2015  pkey = policy_key_list_begin(policykeylist);
2016  while (pkey) {
2017  if ((int)policy_key_role(pkey) == (int)key_data_role(key) &&
2018  hsm_key_repository(hkey) && policy_key_repository(pkey) &&
2019  strcmp(hsm_key_repository(hkey), policy_key_repository(pkey)) == 0 &&
2020  hsm_key_algorithm(hkey) == policy_key_algorithm(pkey) &&
2021  hsm_key_bits(hkey) == policy_key_bits(pkey))
2022  {
2023  hsm_key_free(hkey);
2024  return 1;
2025  }
2026  pkey = policy_key_list_next(policykeylist);
2027  }
2028  ods_log_verbose("[%s] %s not found such config", module_str, scmd);
2029  hsm_key_free(hkey);
2030  return 0;
2031 }
2032 
2033 static int
2034 last_inception_policy(key_data_list_t *key_list, const policy_key_t *pkey)
2035 {
2036  const key_data_t *key = NULL;
2037  hsm_key_t *hsmkey = NULL;
2038  int max_inception = -1;
2039 
2040  if (!key_list || !pkey) return -1;
2041 
2042  /*
2043  * Must match: role, bits, algorithm and repository.
2044  */
2045  for (key = key_data_list_begin(key_list); key;
2046  key = key_data_list_next(key_list))
2047  {
2048  if ((int)policy_key_role(pkey) != (int)key_data_role(key) ||
2050  (hsmkey = key_data_get_hsm_key(key)) == NULL ||
2051  policy_key_bits(pkey) != hsm_key_bits(hsmkey) ||
2052  policy_key_algorithm(pkey) != hsm_key_algorithm(hsmkey) ||
2053  strcmp(policy_key_repository(pkey), hsm_key_repository(hsmkey)))
2054  {
2055  hsm_key_free(hsmkey);
2056  hsmkey = NULL;
2057  continue;
2058  }
2059  hsm_key_free(hsmkey);
2060  hsmkey = NULL;
2062  if (max_inception == -1 || max_inception < (signed int)key_data_inception(key))
2063  {
2064  max_inception = key_data_inception(key);
2065  }
2066  }
2067  return max_inception;
2068 }
2069 
2078 static int
2079 key_for_conf(key_data_list_t *key_list, const policy_key_t *pkey)
2080 {
2081  const key_data_t *key;
2082 
2083  if (!key_list) {
2084  return 0;
2085  }
2086  if (!pkey) {
2087  return 0;
2088  }
2089 
2090  for (key = key_data_list_begin(key_list); key;
2091  key = key_data_list_next(key_list))
2092  {
2094  (int)policy_key_role(pkey) == (int)key_data_role(key))
2095  {
2096  return 1;
2097  }
2098  }
2099  return 0;
2100 }
2101 
2108 static void
2109 setnextroll(zone_db_t *zone, const policy_key_t *pkey, time_t t)
2110 {
2111  assert(zone);
2112  assert(pkey);
2113 
2114  switch(policy_key_role(pkey)) {
2115  case POLICY_KEY_ROLE_KSK:
2116  zone->next_ksk_roll = (unsigned int)t;
2117  break;
2118  case POLICY_KEY_ROLE_ZSK:
2119  zone->next_zsk_roll = (unsigned int)t;
2120  break;
2121  case POLICY_KEY_ROLE_CSK:
2122  zone->next_csk_roll = (unsigned int)t;
2123  break;
2124  default:
2125  assert(0);
2126  }
2127 }
2128 
2129 static int
2130 enforce_roll(const zone_db_t *zone, const policy_key_t *pkey)
2131 {
2132  if (!zone) {
2133  return 0;
2134  }
2135  if (!pkey) {
2136  return 0;
2137  }
2138 
2139  switch(policy_key_role(pkey)) {
2140  case POLICY_KEY_ROLE_KSK:
2141  return zone_db_roll_ksk_now(zone);
2142  case POLICY_KEY_ROLE_ZSK:
2143  return zone_db_roll_zsk_now(zone);
2144  case POLICY_KEY_ROLE_CSK:
2145  return zone_db_roll_csk_now(zone);
2146  default:
2147  return 0;
2148  }
2149 }
2150 
2151 static int
2152 set_roll(zone_db_t *zone, const policy_key_t *pkey, unsigned int roll)
2153 {
2154  if (!zone) {
2155  return 0;
2156  }
2157  if (!pkey) {
2158  return 0;
2159  }
2160 
2161  switch(policy_key_role(pkey)) {
2162  case POLICY_KEY_ROLE_KSK:
2163  return zone_db_set_roll_ksk_now(zone, roll);
2164  case POLICY_KEY_ROLE_ZSK:
2165  return zone_db_set_roll_zsk_now(zone, roll);
2166  case POLICY_KEY_ROLE_CSK:
2167  return zone_db_set_roll_csk_now(zone, roll);
2168  default:
2169  return 1;
2170  }
2171 }
2172 
2182 static time_t
2183 updatePolicy(engine_type *engine, db_connection_t *dbconn, policy_t const *policy,
2184  zone_db_t *zone, const time_t now, int *allow_unsigned, int *zone_updated)
2185 {
2186  time_t return_at = -1;
2187  key_data_list_t *keylist;
2188  policy_key_list_t *policykeylist;
2189  const key_data_t *key;
2190  key_data_t *mutkey = NULL;
2191  key_data_t *mutkey2 = NULL;
2192  const policy_key_t *pkey;
2193  const hsm_key_t *hsmkey;
2194  hsm_key_t *hsmkey2 = NULL;
2195  hsm_key_t *newhsmkey = NULL;
2196  static const char *scmd = "updatePolicy";
2197  int force_roll;
2198  time_t t_ret;
2199  key_data_role_t key_role;
2200  int err;
2201  uint16_t tag;
2202  int ret;
2203 
2204  if (!dbconn) {
2205  /* TODO: better log error */
2206  ods_log_error("[%s] %s: no dbconn", module_str, scmd);
2207  return now + 60;
2208  }
2209  if (!policy) {
2210  /* TODO: better log error */
2211  ods_log_error("[%s] %s: no policy", module_str, scmd);
2212  return now + 60;
2213  }
2214  if (!zone) {
2215  /* TODO: better log error */
2216  ods_log_error("[%s] %s: no zone", module_str, scmd);
2217  return now + 60;
2218  }
2219  if (!allow_unsigned) {
2220  /* TODO: better log error */
2221  ods_log_error("[%s] %s: no allow_unsigned", module_str, scmd);
2222  return now + 60;
2223  }
2224  if (!zone_updated) {
2225  /* TODO: better log error */
2226  ods_log_error("[%s] %s: no zone_updated", module_str, scmd);
2227  return now + 60;
2228  }
2229 
2230  ods_log_verbose("[%s] %s: policyName: %s", module_str, scmd, policy_name(policy));
2231 
2232  /*
2233  * Get all policy keys (configurations) for the given policy and fetch all
2234  * the policy key database objects so we can iterate over it more then once.
2235  */
2236  if (!(policykeylist = policy_get_policy_keys(policy))) {
2237  /* TODO: better log error */
2238  ods_log_error("[%s] %s: error policy_get_policy_keys()", module_str, scmd);
2239  policy_key_list_free(policykeylist);
2240  return now + 60;
2241  }
2242 
2243  /*
2244  * Get all key data objects for the given zone and fetch all the objects
2245  * from the database so we can use the list again later.
2246  */
2247  if (!(keylist = zone_db_get_keys(zone))) {
2248  /* TODO: better log error */
2249  ods_log_error("[%s] %s: error zone_db_get_keys()", module_str, scmd);
2250  key_data_list_free(keylist);
2251  policy_key_list_free(policykeylist);
2252  return now + 60;
2253  }
2254 
2255  /*
2256  * Decommission all key data objects without any matching policy key config.
2257  */
2258  while ((key = key_data_list_next(keylist))) {
2259  ret = existsPolicyForKey(policykeylist, key);
2260  if (ret < 0) {
2261  /* TODO: better log error */
2262  ods_log_error("[%s] %s: error existsPolicyForKey() < 0", module_str, scmd);
2263  key_data_list_free(keylist);
2264  policy_key_list_free(policykeylist);
2265  return now + 60;
2266  }
2267  if (!ret) {
2268  if (!(mutkey = key_data_new_copy(key))
2269  || key_data_set_introducing(mutkey, 0)
2270  || key_data_update(mutkey))
2271  {
2272  /* TODO: better log error */
2273  ods_log_error("[%s] %s: error update mutkey", module_str, scmd);
2274  key_data_free(mutkey);
2275  key_data_list_free(keylist);
2276  policy_key_list_free(policykeylist);
2277  return now + 60;
2278  }
2279  key_data_free(mutkey);
2280  mutkey = NULL;
2281  }
2282  }
2283 
2284  pkey = policy_key_list_begin(policykeylist);
2285 
2286  /*
2287  * If no keys are configured an unsigned zone is okay.
2288  */
2289  *allow_unsigned = pkey ? 0 : 1;
2290 
2291  /* If there are no keys configured set 'signconf_needs_writing'
2292  * every time this function is called */
2293  if (!policy_key_list_size(policykeylist)) {
2294  if (zone_db_set_signconf_needs_writing(zone, 1)) {
2295  ods_log_error("[%s] %s: zone_db_set_signconf_needs_writing() failed", module_str, scmd);
2296  } else {
2297  *zone_updated = 1;
2298  }
2299  }
2300 
2301  for (; pkey; pkey = policy_key_list_next(policykeylist)) {
2302  newhsmkey = NULL;
2303  /*
2304  * Check if we should roll, first get the roll state from the zone then
2305  * check if the policy key is set to manual rollover and last check the
2306  * key timings.
2307  */
2308  force_roll = enforce_roll(zone, pkey);
2309  if (policy_key_manual_rollover(pkey)) {
2310  /*
2311  * If this policy key is set to manual rollover and we do not have
2312  * a key yet (for ex first run) then we should roll anyway.
2313  */
2314  if (!key_for_conf(keylist, pkey)) {
2315  force_roll = 1;
2316  }
2317  else if (!force_roll) {
2318  /*
2319  * Since this is set to manual rollover we do not want it to
2320  * roll unless we have zone state saying that we should roll.
2321  */
2322  continue;
2323  }
2324  }
2325  if (!force_roll) {
2326  int inception = -1;
2327  /*
2328  * We do not need to roll but we should check if the youngest key
2329  * needs to be replaced. If not we reschedule for later based on the
2330  * youngest key.
2331  * TODO: Describe better why the youngest?!?
2332  */
2333  inception = last_inception_policy(keylist, pkey);
2334  if (inception != -1 &&
2335  inception + policy_key_lifetime(pkey) > now)
2336  {
2337  t_ret = addtime(inception, policy_key_lifetime(pkey));
2338  minTime(t_ret, &return_at);
2339  setnextroll(zone, pkey, t_ret);
2340  *zone_updated = 1;
2341  continue;
2342  }
2343  }
2344 
2345  /*
2346  * Time for a new key
2347  */
2348  ods_log_verbose("[%s] %s: New key needed for role %s",
2349  module_str, scmd, policy_key_role_text(pkey));
2350 
2351  /*
2352  * Sanity check for unreasonable short key lifetime.
2353  * This would produce silly output and give the signer lots of useless
2354  * work to do otherwise.
2355  */
2356  if ((policy_key_role(pkey) == POLICY_KEY_ROLE_KSK ||
2359  policy_key_lifetime(pkey))
2360  {
2361  ods_log_error("[%s] %s: For policy %s %s key lifetime of %d "
2362  "is unreasonably short with respect to sum of parent "
2363  "TTL (%d) and key TTL (%d). Will not insert key!",
2364  module_str, scmd, policy_name(policy), policy_key_role_text(pkey),
2367  setnextroll(zone, pkey, now);
2368  *zone_updated = 1;
2369  continue;
2370  }
2371  if ((policy_key_role(pkey) == POLICY_KEY_ROLE_ZSK ||
2374  policy_key_lifetime(pkey))
2375  {
2376  ods_log_crit("[%s] %s: For policy %s %s key lifetime of %d "
2377  "is unreasonably short with respect to sum of "
2378  "MaxZoneTTL (%d) and key TTL (%d). Will not insert key!",
2379  module_str, scmd, policy_name(policy), policy_key_role_text(pkey),
2382  setnextroll(zone, pkey, now);
2383  *zone_updated = 1;
2384  continue;
2385  }
2386 
2387  /*
2388  * Get a new key, either a existing/shared key if the policy is set to
2389  * share keys or create a new key.
2390  */
2391  if (policy_keys_shared(policy)) {
2392  hsmkey = getLastReusableKey(keylist, pkey);
2393 
2394  if (!hsmkey) {
2395  newhsmkey = hsm_key_factory_get_key(engine, dbconn, pkey, HSM_KEY_STATE_SHARED);
2396  hsmkey = newhsmkey;
2397  }
2398  } else {
2399  newhsmkey = hsm_key_factory_get_key(engine, dbconn, pkey, HSM_KEY_STATE_PRIVATE);
2400  hsmkey = newhsmkey;
2401  }
2402 
2403  if (!hsmkey) {
2404  /*
2405  * Unable to get/create a HSM key at this time, retry later.
2406  */
2407  ods_log_warning("[%s] %s: No keys available in HSM for policy %s, retry in %d seconds",
2408  module_str, scmd, policy_name(policy), NOKEY_TIMEOUT);
2409  minTime(now + NOKEY_TIMEOUT, &return_at);
2410  setnextroll(zone, pkey, now);
2411  *zone_updated = 1;
2412  continue;
2413  }
2414  ods_log_verbose("[%s] %s: got new key from HSM", module_str, scmd);
2415 
2416  /*
2417  * TODO: This will be replaced once roles are global
2418  */
2419  key_role = KEY_DATA_ROLE_INVALID;
2420  switch (policy_key_role(pkey)) {
2421  case POLICY_KEY_ROLE_KSK:
2422  key_role = KEY_DATA_ROLE_KSK;
2423  break;
2424 
2425  case POLICY_KEY_ROLE_ZSK:
2426  key_role = KEY_DATA_ROLE_ZSK;
2427  break;
2428 
2429  case POLICY_KEY_ROLE_CSK:
2430  key_role = KEY_DATA_ROLE_CSK;
2431  break;
2432 
2433  default:
2434  break;
2435  }
2436 
2437  /*
2438  * Create a new key data object.
2439  */
2440  if (!(mutkey = key_data_new(dbconn))
2441  || key_data_set_zone_id(mutkey, zone_db_id(zone))
2442  || key_data_set_hsm_key_id(mutkey, hsm_key_id(hsmkey))
2444  || key_data_set_inception(mutkey, now)
2445  || key_data_set_role(mutkey, key_role)
2446  || key_data_set_minimize(mutkey, policy_key_minimize(pkey))
2447  || key_data_set_introducing(mutkey, 1)
2449  {
2450  /* TODO: better log error */
2451  ods_log_error("[%s] %s: error new key", module_str, scmd);
2452  key_data_free(mutkey);
2453  if (newhsmkey) {
2454  hsm_key_factory_release_key(newhsmkey, dbconn);
2455  }
2456  hsm_key_free(newhsmkey);
2457  key_data_list_free(keylist);
2458  policy_key_list_free(policykeylist);
2459  return now + 60;
2460  }
2461 
2462  /*
2463  * Generate keytag for the new key and set it.
2464  */
2465  err = hsm_keytag(hsm_key_locator(hsmkey), hsm_key_algorithm(hsmkey),
2466  HSM_KEY_ROLE_SEP(hsm_key_role(hsmkey)), &tag);
2467  if (err || key_data_set_keytag(mutkey, tag))
2468  {
2469  /* TODO: better log error */
2470  ods_log_error("[%s] %s: error keytag", module_str, scmd);
2471  key_data_free(mutkey);
2472  if (newhsmkey) {
2473  hsm_key_factory_release_key(newhsmkey, dbconn);
2474  }
2475  hsm_key_free(newhsmkey);
2476  key_data_list_free(keylist);
2477  policy_key_list_free(policykeylist);
2478  return now + 60;
2479  }
2480 
2481  /*
2482  * Create the new key in the database, if successful we set the next
2483  * roll after the lifetime of the key.
2484  */
2485  if (key_data_create(mutkey)) {
2486  /* TODO: better log error */
2487  ods_log_error("[%s] %s: error key_data_create()", module_str, scmd);
2488  key_data_free(mutkey);
2489  if (newhsmkey) {
2490  hsm_key_factory_release_key(newhsmkey, dbconn);
2491  }
2492  hsm_key_free(newhsmkey);
2493  key_data_list_free(keylist);
2494  policy_key_list_free(policykeylist);
2495  return now + 60;
2496  }
2497  t_ret = addtime(now, policy_key_lifetime(pkey));
2498  minTime(t_ret, &return_at);
2499  setnextroll(zone, pkey, t_ret);
2500  *zone_updated = 1;
2501 
2502  /*
2503  * Tell similar keys to out-troduce.
2504  * Similar keys are those that match role, algorithm, bits and repository
2505  * and are introduced.
2506  *
2507  * NOTE:
2508  * Will not work if a policy has 2 or more keys of the same role, algorithm,
2509  * bits and repository. Unclear how to fix this since keys are not directly
2510  * related to a policy key.
2511  * We currently do not allow two policy keys with the same attributes.
2512  */
2513  for (key = key_data_list_begin(keylist); key; key = key_data_list_next(keylist)) {
2515  && key_data_role(key) == key_data_role(mutkey)
2517  && (hsmkey2 = key_data_get_hsm_key(key))
2518  && hsm_key_bits(hsmkey2) == hsm_key_bits(hsmkey)
2519  && !strcmp(hsm_key_repository(hsmkey2), hsm_key_repository(hsmkey)))
2520  {
2521  if (!(mutkey2 = key_data_new_copy(key))
2522  || key_data_set_introducing(mutkey2, 0)
2523  || key_data_update(mutkey2))
2524  {
2525  /* TODO: better log error */
2526  ods_log_error("[%s] %s: error update mutkey2", module_str, scmd);
2527  key_data_free(mutkey2);
2528  hsm_key_free(hsmkey2);
2529  key_data_free(mutkey);
2530  hsm_key_free(newhsmkey);
2531  key_data_list_free(keylist);
2532  policy_key_list_free(policykeylist);
2533  return now + 60;
2534  }
2535 
2536  ods_log_verbose("[%s] %s: decommissioning old key: %s", module_str, scmd, hsm_key_locator(hsmkey2));
2537 
2538  key_data_free(mutkey2);
2539  mutkey2 = NULL;
2540  }
2541  hsm_key_free(hsmkey2);
2542  hsmkey2 = NULL;
2543  }
2544 
2545  key_data_free(mutkey);
2546  mutkey = NULL;
2547  hsm_key_free(newhsmkey);
2548  newhsmkey = NULL;
2549 
2550  /*
2551  * Clear roll now (if set) in the zone for this policy key.
2552  */
2553  if (enforce_roll(zone, pkey)) {
2554  if (set_roll(zone, pkey, 0)) {
2555  /* TODO: better log error */
2556  ods_log_error("[%s] %s: error set_roll()", module_str, scmd);
2557  key_data_list_free(keylist);
2558  policy_key_list_free(policykeylist);
2559  return now + 60;
2560  }
2561  *zone_updated = 1;
2562  }
2563  }
2564 
2565  key_data_list_free(keylist);
2566  policy_key_list_free(policykeylist);
2567 
2568  return return_at;
2569 }
2570 
2571 static time_t
2572 removeDeadKeys(db_connection_t *dbconn, key_data_t** keylist,
2573  size_t keylist_size, key_dependency_list_t *deplist, const time_t now,
2574  const int purgetime)
2575 {
2576  static const char *scmd = "removeDeadKeys";
2577  time_t first_purge = -1, key_time;
2578  size_t i, deplist2_size = 0;
2579  int key_purgable, cmp;
2580  unsigned int j;
2581  const key_state_t* state = NULL;
2582  key_dependency_t **deplist2 = NULL;
2583 
2584  assert(keylist);
2585  assert(deplist);
2586 
2587  deplist2_size = key_dependency_list_size(deplist);
2588  deplist2 = (key_dependency_t**)calloc(deplist2_size, sizeof(key_dependency_t*));
2589  /* deplist might be NULL but is always freeable */
2590  if (deplist2_size > 0)
2591  deplist2[0] = key_dependency_list_get_begin(deplist);
2592  for (i = 1; i < deplist2_size; i++)
2593  deplist2[i] = key_dependency_list_get_next(deplist);
2594 
2595  for (i = 0; i < keylist_size; i++) {
2596  if (key_data_introducing(keylist[i])) continue;
2597  key_time = -1;
2598  key_purgable = 1;
2599  for (j = 0; j<4; j++) {
2600  switch(j){
2601  case 0: state = key_data_cached_ds(keylist[i]); break;
2602  case 1: state = key_data_cached_dnskey(keylist[i]); break;
2603  case 2: state = key_data_cached_rrsigdnskey(keylist[i]); break;
2604  case 3: state = key_data_cached_rrsig(keylist[i]);
2605  }
2606  if (key_state_state(state) == NA) continue;
2607  if (key_state_state(state) != HIDDEN) {
2608  key_purgable = 0;
2609  break;
2610  }
2611  if (key_time == -1 || key_state_last_change(state) > (unsigned int)key_time) {
2612  key_time = key_state_last_change(state);
2613  }
2614  }
2615  if (key_time != -1) key_time = addtime(key_time, purgetime);
2616  if (key_purgable) {
2617  /* key is purgable, is it time yet? */
2618  if (now >= key_time) {
2619  key_state_t* ks_ds = key_data_get_cached_ds(keylist[i]);
2620  key_state_t* ks_dk = key_data_get_cached_dnskey(keylist[i]);
2621  key_state_t* ks_rd = key_data_get_cached_rrsigdnskey(keylist[i]);
2622  key_state_t* ks_rs = key_data_get_cached_rrsig(keylist[i]);
2623 
2624  ods_log_info("[%s] %s deleting key: %s", module_str, scmd,
2626 
2627  if ( key_state_delete(ks_ds) || key_state_delete(ks_dk)
2628  || key_state_delete(ks_rd) || key_state_delete(ks_rs)
2629  || key_data_delete(keylist[i])
2631  {
2632  /* TODO: better log error */
2633  ods_log_error("[%s] %s: key_state_delete() || key_data_delete() || hsm_key_factory_release_key() failed", module_str, scmd);
2634  }
2635  key_state_free(ks_ds);
2636  key_state_free(ks_dk);
2637  key_state_free(ks_rd);
2638  key_state_free(ks_rs);
2639  } else {
2640  minTime(key_time, &first_purge);
2641  }
2642  /* we can clean up dependency because key is purgable */
2643 
2644  for (j = 0; j < deplist2_size; j++) {
2645  if (!deplist2[j]) continue;
2646  if (db_value_cmp(key_data_id(keylist[i]), key_dependency_from_key_data_id(deplist2[j]), &cmp)) {
2647  /* TODO: better log error */
2648  ods_log_error("[%s] %s: cmp deplist from failed", module_str, scmd);
2649  break;
2650  }
2651  if(cmp) continue;
2652 
2653  if (key_dependency_delete(deplist2[j])) {
2654  /* TODO: better log error */
2655  ods_log_error("[%s] %s: key_dependency_delete() failed", module_str, scmd);
2656  break;
2657  }
2658  }
2659  }
2660  }
2661  for (i = 0; i < deplist2_size; i++){
2662  key_dependency_free(deplist2[i]);
2663  }
2664  free(deplist2);
2665 
2666  int deleteCount = hsm_key_factory_delete_key(dbconn);
2667  ods_log_info("[%s] %s: keys deleted from HSM: %d", module_str, scmd, deleteCount);
2668 
2669  return first_purge;
2670 }
2671 
2672 time_t
2673 update(engine_type *engine, db_connection_t *dbconn, zone_db_t *zone, policy_t const *policy, time_t now, int *zone_updated)
2674 {
2675  int allow_unsigned = 0;
2676  time_t policy_return_time, zone_return_time, purge_return_time = -1, return_time;
2677  key_data_list_t *key_list;
2678  const key_data_t* key;
2679  key_data_t** keylist = NULL;
2680  size_t keylist_size, i;
2681  key_dependency_list_t *deplist;
2682  static const char *scmd = "update";
2683  int key_data_updated;
2684 
2685  if (!engine) {
2686  ods_log_error("[%s] no engine", module_str);
2687  return now + 60;
2688  }
2689  if (!dbconn) {
2690  ods_log_error("[%s] no dbconn", module_str);
2691  return now + 60;
2692  }
2693  if (!zone) {
2694  ods_log_error("[%s] no zone", module_str);
2695  return now + 60;
2696  }
2697  if (!policy) {
2698  ods_log_error("[%s] no policy", module_str);
2699  return now + 60;
2700  }
2701  if (!zone_updated) {
2702  ods_log_error("[%s] no zone_updated", module_str);
2703  return now + 60;
2704  }
2705 
2706  ods_log_info("[%s] update zone: %s", module_str, zone_db_name(zone));
2707 
2708  if (engine->config->rollover_notification && zone_db_next_ksk_roll(zone) > 0) {
2709  if ((time_t)zone_db_next_ksk_roll(zone) - engine->config->rollover_notification <= now
2710  && (time_t)zone_db_next_ksk_roll(zone) != now) {
2711  time_t t = (time_t) zone_db_next_ksk_roll(zone);
2712  ods_log_info("[%s] KSK Rollover for zone %s is impending, "
2713  "rollover will happen at %s",
2714  module_str, zone_db_name(zone), ctime(&t));
2715  }
2716  }
2717  else if (engine->config->rollover_notification && zone_db_next_csk_roll(zone) > 0) {
2718  if ((time_t)zone_db_next_csk_roll(zone) - engine->config->rollover_notification <= now
2719  && (time_t)zone_db_next_csk_roll(zone) != now) {
2720  time_t t = (time_t) zone_db_next_csk_roll(zone);
2721  ods_log_info("[%s] CSK Rollover for zone %s is impending, "
2722  "rollover will happen at %s",
2723  module_str, zone_db_name(zone), ctime(&t));
2724  }
2725  }
2726 
2727 
2728  /*
2729  * Update policy.
2730  */
2731  policy_return_time = updatePolicy(engine, dbconn, policy, zone, now, &allow_unsigned, zone_updated);
2732 
2733  if (allow_unsigned) {
2734  ods_log_info("[%s] No keys configured for %s, zone will become unsigned eventually",
2735  module_str, zone_db_name(zone));
2736  }
2737 
2738  /*
2739  * Get all key data/state/hsm objects for later processing.
2740  */
2741  if (!(deplist = zone_db_get_key_dependencies(zone))) {
2742  /* TODO: better log error */
2743  ods_log_error("[%s] %s: error zone_db_get_key_dependencies()", module_str, scmd);
2744  key_dependency_list_free(deplist);
2745  return now + 60;
2746  }
2747  if (!(key_list = zone_db_get_keys(zone))) {
2748  /* TODO: better log error */
2749  ods_log_error("[%s] %s: error zone_db_get_keys()", module_str, scmd);
2750  key_data_list_free(key_list);
2751  key_dependency_list_free(deplist);
2752  return now + 60;
2753  }
2754  /*WTF DOES THIS CODE DO?*/
2755  if (!(keylist_size = key_data_list_size(key_list))) {
2756  if ((key = key_data_list_begin(key_list))) {
2757  while (key) {
2758  keylist_size++;
2759  key = key_data_list_next(key_list);
2760  }
2761  }
2762  }
2763  if (keylist_size) {
2764  if (!(keylist = (key_data_t**)calloc(keylist_size, sizeof(key_data_t*)))) {
2765  /* TODO: better log error */
2766  ods_log_error("[%s] %s: error calloc(keylist_size)", module_str, scmd);
2767  key_data_list_free(key_list);
2768  key_dependency_list_free(deplist);
2769  return now + 60;
2770  }
2771  for (i = 0; i < keylist_size; i++) {
2772  if (!i) {
2773  keylist[i] = key_data_list_get_begin(key_list);
2774  }
2775  else {
2776  keylist[i] = key_data_list_get_next(key_list);
2777  }
2778  if (!keylist[i]
2779  || key_data_cache_hsm_key(keylist[i])
2780  || key_data_cache_key_states(keylist[i]))
2781  {
2782  ods_log_error("[%s] %s: error key_data_list cache", module_str, scmd);
2783  for (i = 0; i < keylist_size; i++) {
2784  if (keylist[i]) {
2785  key_data_free(keylist[i]);
2786  }
2787  }
2788  free(keylist);
2789  key_data_list_free(key_list);
2790  key_dependency_list_free(deplist);
2791  return now + 60;
2792  }
2793  }
2794  }
2795  key_data_list_free(key_list);
2796 
2797  /*
2798  * Update zone.
2799  */
2800  zone_return_time = updateZone(dbconn, policy, zone, now, allow_unsigned, zone_updated,
2801  keylist, keylist_size, deplist);
2802 
2803  /*
2804  * Only purge old keys if the policy says so.
2805  */
2806  if (policy_keys_purge_after(policy) && keylist) {
2807  purge_return_time = removeDeadKeys(dbconn, keylist, keylist_size, deplist, now,
2809  }
2810 
2811  /*
2812  * Always set these flags. Normally this needs to be done _only_ when the
2813  * Signer config needs writing. However a previous Signer config might not
2814  * be available, we have no way of telling. :(
2815  */
2816  for (i = 0; i < keylist_size; i++) {
2817  key_data_updated = 0;
2818 
2819  /* hack */
2820  key_data_set_publish(keylist[i], 0);
2821  key_data_set_active_ksk(keylist[i], 0);
2822  key_data_set_active_zsk(keylist[i], 0);
2823  key_data_updated = 1;
2824  /*
2825  * TODO: description
2826  */
2828  || key_state_state(key_data_cached_dnskey(keylist[i])) == RUMOURED)
2829  {
2830  if (!key_data_publish(keylist[i])) {
2831  if (key_data_set_publish(keylist[i], 1)) {
2832  ods_log_error("[%s] %s: key_data_set_publish() failed",
2833  module_str, scmd);
2834  break;
2835  }
2836 
2837  key_data_updated = 1;
2838  }
2839  }
2840 
2841  /*
2842  * TODO: description
2843  */
2846  {
2847  if (!key_data_active_ksk(keylist[i])) {
2848  if (key_data_set_active_ksk(keylist[i], 1)) {
2849  ods_log_error("[%s] %s: key_data_set_active_ksk() failed",
2850  module_str, scmd);
2851  break;
2852  }
2853 
2854  key_data_updated = 1;
2855  }
2856  }
2857 
2858  /*
2859  * TODO: description
2860  */
2862  || key_state_state(key_data_cached_rrsig(keylist[i])) == RUMOURED)
2863  {
2864  if (!key_data_active_zsk(keylist[i])) {
2865  if (key_data_set_active_zsk(keylist[i], 1)) {
2866  ods_log_error("[%s] %s: key_data_set_active_zsk() failed",
2867  module_str, scmd);
2868  break;
2869  }
2870 
2871  key_data_updated = 1;
2872  }
2873  }
2874 
2875  if (key_data_updated) {
2876  if (key_data_update(keylist[i])) {
2877  ods_log_error("[%s] %s: key_data_update() failed",
2878  module_str, scmd);
2879  break;
2880  }
2881  }
2882  }
2883 
2884  /*
2885  * Release cached objects.
2886  */
2887  for (i = 0; i < keylist_size; i++) {
2888  if (keylist[i]) {
2889  key_data_free(keylist[i]);
2890  }
2891  }
2892  free(keylist);
2893  key_dependency_list_free(deplist);
2894 
2895  return_time = zone_return_time;
2896  minTime(policy_return_time, &return_time);
2897  /*
2898  * Take the rollover notification time into account when scheduling
2899  * this zone. We will need to print a message at that time.
2900  */
2901  if (zone_db_next_ksk_roll(zone) > 0
2902  && (zone_db_next_ksk_roll(zone) - engine->config->rollover_notification > now)) {
2903  minTime(zone_db_next_ksk_roll(zone) - engine->config->rollover_notification, &return_time);
2904  }
2905  else if (zone_db_next_csk_roll(zone) > 0
2906  && (zone_db_next_csk_roll(zone) - engine->config->rollover_notification > now)) {
2907  minTime(zone_db_next_csk_roll(zone) - engine->config->rollover_notification, &return_time);
2908  }
2909 
2910  minTime(purge_return_time, &return_time);
2911  return return_time;
2912 }
#define DB_OK
Definition: db_error.h:36
int db_value_cmp(const db_value_t *value_a, const db_value_t *value_b, int *result)
Definition: db_value.c:102
#define OMNIPRESENT
Definition: enforcer.c:68
time_t update(engine_type *engine, db_connection_t *dbconn, zone_db_t *zone, policy_t const *policy, time_t now, int *zone_updated)
Definition: enforcer.c:2673
#define NOKEY_TIMEOUT
Definition: enforcer.c:75
#define NA
Definition: enforcer.c:70
#define HIDDEN
Definition: enforcer.c:66
#define RUMOURED
Definition: enforcer.c:67
#define UNRETENTIVE
Definition: enforcer.c:69
void hsm_key_free(hsm_key_t *hsm_key)
Definition: hsm_key.c:286
const char * hsm_key_repository(const hsm_key_t *hsm_key)
Definition: hsm_key.c:568
hsm_key_t * hsm_key_list_get_begin(hsm_key_list_t *hsm_key_list)
Definition: hsm_key.c:1888
hsm_key_t * hsm_key_list_get_next(hsm_key_list_t *hsm_key_list)
Definition: hsm_key.c:1990
void hsm_key_list_free(hsm_key_list_t *hsm_key_list)
Definition: hsm_key.c:1496
unsigned int hsm_key_algorithm(const hsm_key_t *hsm_key)
Definition: hsm_key.c:544
unsigned int hsm_key_bits(const hsm_key_t *hsm_key)
Definition: hsm_key.c:536
const char * hsm_key_locator(const hsm_key_t *hsm_key)
Definition: hsm_key.c:520
const db_value_t * hsm_key_id(const hsm_key_t *hsm_key)
Definition: hsm_key.c:504
unsigned int hsm_key_inception(const hsm_key_t *hsm_key)
Definition: hsm_key.c:560
@ HSM_KEY_STATE_UNUSED
Definition: hsm_key.h:42
@ HSM_KEY_STATE_PRIVATE
Definition: hsm_key.h:43
@ HSM_KEY_STATE_SHARED
Definition: hsm_key.h:44
hsm_key_backup
Definition: hsm_key.h:64
@ HSM_KEY_BACKUP_BACKUP_REQUESTED
Definition: hsm_key.h:68
@ HSM_KEY_BACKUP_BACKUP_REQUIRED
Definition: hsm_key.h:67
hsm_key_role
Definition: hsm_key.h:49
#define HSM_KEY_ROLE_SEP(role)
Definition: hsm_key.h:57
hsm_key_list_t * hsm_key_list_new_get_by_policy_key(const policy_key_t *pkey)
Definition: hsm_key_ext.c:43
hsm_key_t * hsm_key_factory_get_key(engine_type *engine, const db_connection_t *connection, const policy_key_t *policy_key, hsm_key_state_t hsm_key_state)
int hsm_key_factory_delete_key(const db_connection_t *connection)
int hsm_key_factory_release_key_id(const db_value_t *hsm_key_id, const db_connection_t *connection)
int hsm_key_factory_release_key(hsm_key_t *hsm_key, const db_connection_t *connection)
int key_data_set_minimize(key_data_t *key_data, unsigned int minimize)
Definition: key_data.c:966
int key_data_cmp(const key_data_t *key_data_a, const key_data_t *key_data_b)
Definition: key_data.c:402
const db_value_t * key_data_hsm_key_id(const key_data_t *key_data)
Definition: key_data.c:607
unsigned int key_data_active_ksk(const key_data_t *key_data)
Definition: key_data.c:751
const key_data_t * key_data_list_next(key_data_list_t *key_data_list)
Definition: key_data.c:2359
size_t key_data_list_size(key_data_list_t *key_data_list)
Definition: key_data.c:2461
int key_data_get_by_id(key_data_t *key_data, const db_value_t *id)
Definition: key_data.c:1296
int key_data_update(key_data_t *key_data)
Definition: key_data.c:1349
const db_value_t * key_data_id(const key_data_t *key_data)
Definition: key_data.c:553
int key_data_delete(key_data_t *key_data)
Definition: key_data.c:1587
void key_data_free(key_data_t *key_data)
Definition: key_data.c:304
key_data_t * key_data_list_get_next(key_data_list_t *key_data_list)
Definition: key_data.c:2425
int key_data_set_role(key_data_t *key_data, key_data_role_t role)
Definition: key_data.c:890
const char * key_data_role_text(const key_data_t *key_data)
Definition: key_data.c:711
int key_data_set_introducing(key_data_t *key_data, unsigned int introducing)
Definition: key_data.c:903
const key_data_t * key_data_list_begin(key_data_list_t *key_data_list)
Definition: key_data.c:2267
int key_data_set_active_zsk(key_data_t *key_data, unsigned int active_zsk)
Definition: key_data.c:913
int key_data_set_publish(key_data_t *key_data, unsigned int publish)
Definition: key_data.c:923
int key_data_set_zone_id(key_data_t *key_data, const db_value_t *zone_id)
Definition: key_data.c:832
unsigned int key_data_publish(const key_data_t *key_data)
Definition: key_data.c:743
int key_data_set_algorithm(key_data_t *key_data, unsigned int algorithm)
Definition: key_data.c:870
void key_data_list_free(key_data_list_t *key_data_list)
Definition: key_data.c:1694
int key_data_set_inception(key_data_t *key_data, unsigned int inception)
Definition: key_data.c:880
unsigned int key_data_introducing(const key_data_t *key_data)
Definition: key_data.c:727
int key_data_set_hsm_key_id(key_data_t *key_data, const db_value_t *hsm_key_id)
Definition: key_data.c:851
unsigned int key_data_inception(const key_data_t *key_data)
Definition: key_data.c:695
unsigned int key_data_active_zsk(const key_data_t *key_data)
Definition: key_data.c:735
key_data_t * key_data_list_get_begin(key_data_list_t *key_data_list)
Definition: key_data.c:2323
key_data_t * key_data_new_copy(const key_data_t *key_data)
Definition: key_data.c:285
int key_data_cache_hsm_key(key_data_t *key_data)
Definition: key_data.c:615
int key_data_set_keytag(key_data_t *key_data, unsigned int keytag)
Definition: key_data.c:956
int key_data_create(key_data_t *key_data)
Definition: key_data.c:1093
int key_data_set_ds_at_parent(key_data_t *key_data, key_data_ds_at_parent_t ds_at_parent)
Definition: key_data.c:943
key_data_t * key_data_new(const db_connection_t *connection)
Definition: key_data.c:264
unsigned int key_data_algorithm(const key_data_t *key_data)
Definition: key_data.c:687
hsm_key_t * key_data_get_hsm_key(const key_data_t *key_data)
Definition: key_data.c:649
unsigned int key_data_minimize(const key_data_t *key_data)
Definition: key_data.c:775
int key_data_set_active_ksk(key_data_t *key_data, unsigned int active_ksk)
Definition: key_data.c:933
key_data_role
Definition: key_data.h:40
@ KEY_DATA_ROLE_ZSK
Definition: key_data.h:43
@ KEY_DATA_ROLE_INVALID
Definition: key_data.h:41
@ KEY_DATA_ROLE_KSK
Definition: key_data.h:42
@ KEY_DATA_ROLE_CSK
Definition: key_data.h:44
enum key_data_role key_data_role_t
key_data_ds_at_parent
Definition: key_data.h:50
@ KEY_DATA_DS_AT_PARENT_SUBMITTED
Definition: key_data.h:54
@ KEY_DATA_DS_AT_PARENT_RETRACT
Definition: key_data.h:56
@ KEY_DATA_DS_AT_PARENT_UNSUBMITTED
Definition: key_data.h:52
@ KEY_DATA_DS_AT_PARENT_SEEN
Definition: key_data.h:55
@ KEY_DATA_DS_AT_PARENT_SUBMIT
Definition: key_data.h:53
@ KEY_DATA_DS_AT_PARENT_RETRACTED
Definition: key_data.h:57
key_state_t * key_data_get_cached_dnskey(key_data_t *key_data)
Definition: key_data_ext.c:92
int key_data_cache_key_states(key_data_t *key_data)
Definition: key_data_ext.c:33
key_state_t * key_data_get_cached_rrsigdnskey(key_data_t *key_data)
Definition: key_data_ext.c:100
const key_state_t * key_data_cached_rrsigdnskey(key_data_t *key_data)
Definition: key_data_ext.c:72
const key_state_t * key_data_cached_dnskey(key_data_t *key_data)
Definition: key_data_ext.c:68
const hsm_key_t * key_data_cached_hsm_key(const key_data_t *key_data)
Definition: key_data_ext.c:108
key_state_t * key_data_get_cached_rrsig(key_data_t *key_data)
Definition: key_data_ext.c:84
const key_state_t * key_data_cached_rrsig(key_data_t *key_data)
Definition: key_data_ext.c:64
key_state_t * key_data_get_cached_ds(key_data_t *key_data)
Definition: key_data_ext.c:76
const key_state_t * key_data_cached_ds(key_data_t *key_data)
Definition: key_data_ext.c:60
void key_dependency_free(key_dependency_t *key_dependency)
key_dependency_t * key_dependency_list_get_next(key_dependency_list_t *key_dependency_list)
int key_dependency_set_zone_id(key_dependency_t *key_dependency, const db_value_t *zone_id)
const key_dependency_t * key_dependency_list_next(key_dependency_list_t *key_dependency_list)
const db_value_t * key_dependency_from_key_data_id(const key_dependency_t *key_dependency)
key_dependency_list_t * key_dependency_list_new_copy(const key_dependency_list_t *from_key_dependency_list)
key_data_t * key_dependency_get_from_key_data(const key_dependency_t *key_dependency)
int key_dependency_set_type(key_dependency_t *key_dependency, key_dependency_type_t type)
const key_dependency_t * key_dependency_list_begin(key_dependency_list_t *key_dependency_list)
key_dependency_t * key_dependency_list_get_begin(key_dependency_list_t *key_dependency_list)
void key_dependency_list_free(key_dependency_list_t *key_dependency_list)
size_t key_dependency_list_size(key_dependency_list_t *key_dependency_list)
int key_dependency_set_from_key_data_id(key_dependency_t *key_dependency, const db_value_t *from_key_data_id)
const db_value_t * key_dependency_to_key_data_id(const key_dependency_t *key_dependency)
int key_dependency_delete(key_dependency_t *key_dependency)
int key_dependency_create(key_dependency_t *key_dependency)
int key_dependency_set_to_key_data_id(key_dependency_t *key_dependency, const db_value_t *to_key_data_id)
key_dependency_t * key_dependency_new(const db_connection_t *connection)
enum key_dependency_type key_dependency_type_t
key_dependency_type
@ KEY_DEPENDENCY_TYPE_DNSKEY
@ KEY_DEPENDENCY_TYPE_RRSIGDNSKEY
@ KEY_DEPENDENCY_TYPE_DS
@ KEY_DEPENDENCY_TYPE_RRSIG
unsigned int key_state_minimize(const key_state_t *key_state)
Definition: key_state.c:401
int key_state_set_minimize(key_state_t *key_state, unsigned int minimize)
Definition: key_state.c:472
int key_state_delete(const key_state_t *key_state)
Definition: key_state.c:831
const char * key_state_state_text(const key_state_t *key_state)
Definition: key_state.c:377
int key_state_set_ttl(key_state_t *key_state, unsigned int ttl)
Definition: key_state.c:482
void key_state_free(key_state_t *key_state)
Definition: key_state.c:214
int key_state_set_last_change(key_state_t *key_state, unsigned int last_change)
Definition: key_state.c:462
key_state_t * key_state_new(const db_connection_t *connection)
Definition: key_state.c:176
int key_state_set_type(key_state_t *key_state, key_state_type_t type)
Definition: key_state.c:436
const char * key_state_type_text(const key_state_t *key_state)
Definition: key_state.c:353
int key_state_create(key_state_t *key_state)
Definition: key_state.c:519
const db_enum_t key_state_enum_set_type[]
Definition: key_state.c:36
const db_enum_t key_state_enum_set_state[]
Definition: key_state.c:44
int key_state_set_key_data_id(key_state_t *key_state, const db_value_t *key_data_id)
Definition: key_state.c:417
unsigned int key_state_last_change(const key_state_t *key_state)
Definition: key_state.c:393
int key_state_set_state(key_state_t *key_state, key_state_state_t state)
Definition: key_state.c:449
int key_state_update(key_state_t *key_state)
Definition: key_state.c:684
enum key_state_state key_state_state_t
enum key_state_type key_state_type_t
@ KEY_STATE_TYPE_DNSKEY
Definition: key_state.h:44
@ KEY_STATE_TYPE_RRSIG
Definition: key_state.h:43
@ KEY_STATE_TYPE_DS
Definition: key_state.h:42
@ KEY_STATE_TYPE_RRSIGDNSKEY
Definition: key_state.h:45
key_state_state
Definition: key_state.h:49
@ KEY_STATE_STATE_INVALID
Definition: key_state.h:50
const char * policy_name(const policy_t *policy)
Definition: policy.c:813
unsigned int policy_zone_propagation_delay(const policy_t *policy)
Definition: policy.c:1005
unsigned int policy_signatures_validity_denial(const policy_t *policy)
Definition: policy.c:869
unsigned int policy_keys_purge_after(const policy_t *policy)
Definition: policy.c:997
unsigned int policy_parent_ds_ttl(const policy_t *policy)
Definition: policy.c:1061
unsigned int policy_signatures_resign(const policy_t *policy)
Definition: policy.c:829
unsigned int policy_keys_ttl(const policy_t *policy)
Definition: policy.c:965
unsigned int policy_parent_propagation_delay(const policy_t *policy)
Definition: policy.c:1053
unsigned int policy_zone_soa_ttl(const policy_t *policy)
Definition: policy.c:1013
unsigned int policy_zone_soa_minimum(const policy_t *policy)
Definition: policy.c:1021
unsigned int policy_signatures_refresh(const policy_t *policy)
Definition: policy.c:837
unsigned int policy_denial_ttl(const policy_t *policy)
Definition: policy.c:909
unsigned int policy_signatures_max_zone_ttl(const policy_t *policy)
Definition: policy.c:885
unsigned int policy_keys_shared(const policy_t *policy)
Definition: policy.c:989
unsigned int policy_signatures_jitter(const policy_t *policy)
Definition: policy.c:845
unsigned int policy_parent_registration_delay(const policy_t *policy)
Definition: policy.c:1045
unsigned int policy_signatures_validity_default(const policy_t *policy)
Definition: policy.c:861
unsigned int policy_keys_publish_safety(const policy_t *policy)
Definition: policy.c:981
unsigned int policy_keys_retire_safety(const policy_t *policy)
Definition: policy.c:973
policy_denial_type
Definition: policy.h:40
@ POLICY_DENIAL_TYPE_NSEC3
Definition: policy.h:43
policy_key_list_t * policy_get_policy_keys(const policy_t *policy)
Definition: policy_ext.c:1241
size_t policy_key_list_size(policy_key_list_t *policy_key_list)
Definition: policy_key.c:1480
const policy_key_t * policy_key_list_begin(policy_key_list_t *policy_key_list)
Definition: policy_key.c:1322
unsigned int policy_key_minimize(const policy_key_t *policy_key)
Definition: policy_key.c:566
unsigned int policy_key_lifetime(const policy_key_t *policy_key)
Definition: policy_key.c:526
unsigned int policy_key_manual_rollover(const policy_key_t *policy_key)
Definition: policy_key.c:550
const policy_key_t * policy_key_list_next(policy_key_list_t *policy_key_list)
Definition: policy_key.c:1378
const char * policy_key_repository(const policy_key_t *policy_key)
Definition: policy_key.c:534
void policy_key_list_free(policy_key_list_t *policy_key_list)
Definition: policy_key.c:1006
const char * policy_key_role_text(const policy_key_t *policy_key)
Definition: policy_key.c:494
unsigned int policy_key_algorithm(const policy_key_t *policy_key)
Definition: policy_key.c:510
unsigned int policy_key_bits(const policy_key_t *policy_key)
Definition: policy_key.c:518
policy_key_role
Definition: policy_key.h:40
@ POLICY_KEY_ROLE_KSK
Definition: policy_key.h:42
@ POLICY_KEY_ROLE_CSK
Definition: policy_key.h:44
@ POLICY_KEY_ROLE_ZSK
Definition: policy_key.h:43
int value
Definition: db_enum.h:40
const char * text
Definition: db_enum.h:39
engineconfig_type * config
Definition: engine.h:48
time_t rollover_notification
Definition: cfg.h:78
key_state_state_t next_state
Definition: enforcer.c:80
int pretend_update
Definition: enforcer.c:81
key_data_t * key
Definition: enforcer.c:78
key_state_type_t type
Definition: enforcer.c:79
hsm_key_state_t state
Definition: hsm_key.h:87
key_dependency_type_t type
Definition: policy.h:60
unsigned int next_zsk_roll
Definition: zone_db.h:68
unsigned int next_csk_roll
Definition: zone_db.h:69
unsigned int next_ksk_roll
Definition: zone_db.h:67
unsigned int zone_db_roll_zsk_now(const zone_db_t *zone)
Definition: zone_db.c:846
int zone_db_set_ttl_end_dk(zone_db_t *zone, unsigned int ttl_end_dk)
Definition: zone_db.c:1011
unsigned int zone_db_ttl_end_rs(const zone_db_t *zone)
Definition: zone_db.c:830
int zone_db_set_signconf_needs_writing(zone_db_t *zone, unsigned int signconf_needs_writing)
Definition: zone_db.c:959
const char * zone_db_name(const zone_db_t *zone)
Definition: zone_db.c:782
unsigned int zone_db_ttl_end_ds(const zone_db_t *zone)
Definition: zone_db.c:814
int zone_db_set_roll_zsk_now(zone_db_t *zone, unsigned int roll_zsk_now)
Definition: zone_db.c:1041
int zone_db_set_roll_csk_now(zone_db_t *zone, unsigned int roll_csk_now)
Definition: zone_db.c:1051
unsigned int zone_db_roll_ksk_now(const zone_db_t *zone)
Definition: zone_db.c:838
unsigned int zone_db_next_ksk_roll(const zone_db_t *zone)
Definition: zone_db.c:894
unsigned int zone_db_next_csk_roll(const zone_db_t *zone)
Definition: zone_db.c:910
int zone_db_set_ttl_end_ds(zone_db_t *zone, unsigned int ttl_end_ds)
Definition: zone_db.c:1001
int zone_db_set_roll_ksk_now(zone_db_t *zone, unsigned int roll_ksk_now)
Definition: zone_db.c:1031
unsigned int zone_db_ttl_end_dk(const zone_db_t *zone)
Definition: zone_db.c:822
unsigned int zone_db_signconf_needs_writing(const zone_db_t *zone)
Definition: zone_db.c:790
unsigned int zone_db_roll_csk_now(const zone_db_t *zone)
Definition: zone_db.c:854
int zone_db_set_ttl_end_rs(zone_db_t *zone, unsigned int ttl_end_rs)
Definition: zone_db.c:1021
const db_value_t * zone_db_id(const zone_db_t *zone)
Definition: zone_db.c:728
key_data_list_t * zone_db_get_keys(const zone_db_t *zone)
Definition: zone_db_ext.c:56
key_dependency_list_t * zone_db_get_key_dependencies(const zone_db_t *zone)
Definition: zone_db_ext.c:76