Commit 58aa084e authored by Evan Hunt's avatar Evan Hunt Committed by Matthijs Mekking

add support for key algorithm mnemonics in dnssec-policy

parent 8c0db909
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
dnssec-policy "badalg" {
keys {
csk lifetime unlimited algorithm ceasarscipher;
};
};
zone "example.net" {
type master;
file "example.db";
dnssec-policy "badalg";
};
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
dnssec-policy "badalg" {
keys {
csk lifetime unlimited algorithm 8 4097;
};
};
zone "example.net" {
type master;
file "example.db";
dnssec-policy "badalg";
};
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
dnssec-policy "badalg" {
keys {
csk lifetime unlimited algorithm rsasha512 1023;
};
};
zone "example.net" {
type master;
file "example.db";
dnssec-policy "badalg";
};
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
dnssec-policy "badalg" {
keys {
csk lifetime unlimited algorithm 5 511;
};
};
zone "example.net" {
type master;
file "example.db";
dnssec-policy "badalg";
};
......@@ -17,9 +17,9 @@
dnssec-policy "test" {
dnskey-ttl 3600;
keys {
ksk key-directory lifetime P1Y algorithm 13;
ksk key-directory lifetime P1Y algorithm ecdsa256;
zsk lifetime P30D algorithm 13;
csk key-directory lifetime unlimited algorithm 8 2048;
csk key-directory lifetime unlimited algorithm rsasha256 2048;
};
max-zone-ttl 86400;
parent-ds-ttl 7200;
......
......@@ -12,9 +12,7 @@
dnssec-policy "warn-length" {
keys {
// Algorithm 13 has predefined length, warn about length param.
csk lifetime unlimited algorithm 13 2048;
// Algorithm 5 length out of range, warn about length param.
csk lifetime unlimited algorithm 5 4097;
csk lifetime unlimited algorithm ecdsa256 2048;
};
};
......
......@@ -475,9 +475,9 @@ if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking named-checkconf kasp warnings ($n)"
echo_i "checking named-checkconf kasp errors ($n)"
ret=0
$CHECKCONF kasp-and-other-dnssec-options.conf > checkconf.out$n 2>&1
$CHECKCONF kasp-and-other-dnssec-options.conf > checkconf.out$n 2>&1 && ret=1
grep "'auto-dnssec maintain;' cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
grep "dnskey-sig-validity: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
grep "dnssec-dnskey-kskonly: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
......@@ -490,11 +490,10 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking named-checkconf kasp key warnings ($n)"
echo_i "checking named-checkconf kasp predefined key lengths ($n)"
ret=0
$CHECKCONF kasp-ignore-keylen.conf > checkconf.out$n 2>&1
grep "dnssec-policy: key algorithm 13 has predefined length, ignoring length value 2048" < checkconf.out$n > /dev/null || ret=1
grep "dnssec-policy: key with algorithm 5 has invalid key length, ignoring length value 4097" < checkconf.out$n > /dev/null || ret=1
$CHECKCONF kasp-ignore-keylen.conf > checkconf.out$n 2>&1 || ret=1
grep "dnssec-policy: key algorithm ecdsa256 has predefined length; ignoring length value 2048" < checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
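Review bot: Neither hunk exercises the new error paths this commit introduces: the four added `badalg` fixtures (the unknown mnemonic `ceasarscipher`, and the RSA lengths 4097, 1023 and 511) and the new `dnssec-policy: bad algorithm %s` and `has invalid key length %u` messages have no matching `$CHECKCONF … && ret=1` plus `grep` here, and the old `grep "... has invalid key length, ignoring length value 4097"` is simply dropped. If those checks live in a hunk outside this view, disregard; otherwise the invalid-length rejection, which is the behaviour change with the largest blast radius for existing configurations, is now untested. The second hunk's `|| ret=1` on the `kasp-ignore-keylen.conf` run correctly pins that a predefined-length warning is no longer fatal. The script continues outside both hunks.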
......
......@@ -11113,9 +11113,9 @@ example.com CNAME rpz-tcp-only.
</para>
 
<programlisting>keys {
ksk key-directory lifetime unlimited algorithm 8 2048;
ksk key-directory lifetime unlimited algorithm rsasha1 2048;
zsk key-directory lifetime P30D algorithm 8;
csk key-directory lifetime P6MT12H3M15S algorithm 13;
csk key-directory lifetime P6MT12H3M15S algorithm ecdsa256;
};
</programlisting>
 
......@@ -11150,10 +11150,11 @@ example.com CNAME rpz-tcp-only.
</para>
<para>
The <command>algorithm</command> parameter(s) are the key's
algorithm, expressed numerically, and its size in bits. The
size may be omitted, as shown in the example for the
second and third keys; in this case an appropriate
default size will be used.
algorithm, expressed either as a string ("rsasha256",
"ecdsa384", etc) or as a decimal number, and the key's
size in bits. The size may be omitted, as shown in
the example for the second and third keys; in this case
an appropriate default size will be used.
</para>
</listitem>
</varlistentry>
......
......@@ -976,11 +976,12 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
if (obj != NULL) {
bool bad_kasp = false;
bool bad_name = false;
if (optlevel != optlevel_config && !cfg_obj_isstring(obj)) {
bad_kasp = true;
} else if (optlevel == optlevel_config) {
dns_kasplist_t list;
dns_kasp_t* kasp, *kasp_next;
dns_kasp_t *kasp = NULL, *kasp_next = NULL;
ISC_LIST_INIT(list);
......@@ -989,11 +990,11 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
element != NULL;
element = cfg_list_next(element))
{
isc_result_t ret;
cfg_obj_t *kconfig =
cfg_listelt_value(element);
if (!cfg_obj_istuple(kconfig))
{
if (!cfg_obj_istuple(kconfig)) {
bad_kasp = true;
continue;
}
......@@ -1001,17 +1002,24 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
bad_name = true;
continue;
}
kasp = NULL;
(void)cfg_kasp_fromconfig(kconfig, mctx,
ret = cfg_kasp_fromconfig(kconfig, mctx,
logctx,
&list, &kasp);
if (ret != ISC_R_SUCCESS) {
if (result == ISC_R_SUCCESS) {
result = ret;
}
}
if (kasp != NULL) {
dns_kasp_detach(&kasp);
}
}
}
for (kasp = ISC_LIST_HEAD(list); kasp != NULL;
for (kasp = ISC_LIST_HEAD(list);
kasp != NULL;
kasp = kasp_next)
{
kasp_next = ISC_LIST_NEXT(kasp, link);
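Review bot: The unconditional `dns_kasp_detach(&kasp)` after the `cfg_kasp_fromconfig` call relies on an unstated contract: on failure the callee must leave `*kaspp` NULL, or return an object that is safe to detach, and on success the list must hold its own reference so dropping this one does not free the policy before the cleanup loop below walks it. A one-line comment at the detach would make that reliance visible, e.g. `/* cfg_kasp_fromconfig attaches kasp only on success; the list keeps its own reference */` — confirm against cfg_kasp_fromconfig before wording it as fact. Note also that a conversion failure sets `result` but not `bad_kasp`, so whatever `bad_kasp` drives after the loop will not fire for a policy that fails conversion; that looks intended since the converter logs its own error, but is worth a comment as well. Dropping the per-iteration `kasp = NULL;` is fine only if `dns_kasp_detach` nulls the pointer, as ISC attach/detach pairs normally do. check_options begins and ends outside the hunk.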
......
......@@ -45,7 +45,7 @@ struct dns_kasp_key {
/* Configuration */
uint32_t lifetime;
uint32_t algorithm;
uint8_t algorithm;
int length;
uint8_t role;
};
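Review bot: `uint8_t algorithm;` is the right width for a DNSSEC algorithm number, but the field is now written by `dns_secalg_fromtext`, whose output parameter is a `dns_secalg_t *`; declaring the field as `dns_secalg_t algorithm;` ties it to that API and avoids a silent mismatch if the typedef ever changes. Callers that still print it with `%u` are unaffected by the narrowing, since `uint8_t` promotes to `int` in variadic calls. The opening `struct dns_kasp_key {` line is outside the hunk.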
......
......@@ -15,6 +15,7 @@
#include <isc/mem.h>
#include <isc/print.h>
#include <isc/region.h>
#include <isc/string.h>
#include <isc/util.h>
......@@ -25,6 +26,8 @@
#include <dns/kasp.h>
#include <dns/keyvalues.h>
#include <dns/log.h>
#include <dns/result.h>
#include <dns/secalg.h>
/*
......@@ -65,7 +68,7 @@ get_duration(const cfg_obj_t **maps, const char* option, uint32_t dfl)
* Create a new kasp key derived from configuration.
*/
static isc_result_t
cfg_kaspkey_fromconfig(const cfg_obj_t *config, dns_kasp_t* kasp,
cfg_kaspkey_fromconfig(const cfg_obj_t *config, dns_kasp_t *kasp,
isc_log_t *logctx)
{
isc_result_t result;
......@@ -86,6 +89,7 @@ cfg_kaspkey_fromconfig(const cfg_obj_t *config, dns_kasp_t* kasp,
} else {
const char *rolestr = NULL;
const cfg_obj_t *obj = NULL;
isc_consttextregion_t alg;
rolestr = cfg_obj_asstring(cfg_tuple_get(config, "role"));
if (strcmp(rolestr, "ksk") == 0) {
......@@ -104,7 +108,17 @@ cfg_kaspkey_fromconfig(const cfg_obj_t *config, dns_kasp_t* kasp,
}
obj = cfg_tuple_get(config, "algorithm");
key->algorithm = cfg_obj_asuint32(obj);
alg.base = cfg_obj_asstring(obj);
alg.length = strlen(alg.base);
result = dns_secalg_fromtext(&key->algorithm,
(isc_textregion_t *) &alg);
if (result != ISC_R_SUCCESS) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"dnssec-policy: bad algorithm %s",
alg.base);
result = DNS_R_BADALG;
goto cleanup;
}
obj = cfg_tuple_get(config, "length");
if (cfg_obj_isuint32(obj)) {
......@@ -121,10 +135,11 @@ cfg_kaspkey_fromconfig(const cfg_obj_t *config, dns_kasp_t* kasp,
cfg_obj_log(obj, logctx,
ISC_LOG_ERROR,
"dnssec-policy: key with "
"algorithm %u has invalid "
"key length",
key->algorithm);
return (ISC_R_RANGE);
"algorithm %s has invalid "
"key length %u",
alg.base, size);
result = ISC_R_RANGE;
goto cleanup;
}
break;
case DNS_KEYALG_ECDSA256:
......@@ -132,10 +147,9 @@ cfg_kaspkey_fromconfig(const cfg_obj_t *config, dns_kasp_t* kasp,
case DNS_KEYALG_ED25519:
case DNS_KEYALG_ED448:
cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
"dnssec-policy: key algorithm %u "
"dnssec-policy: key algorithm %s "
"has predefined length; ignoring "
"length value %u", key->algorithm,
size);
"length value %u", alg.base, size);
default:
break;
}
......@@ -145,7 +159,13 @@ cfg_kaspkey_fromconfig(const cfg_obj_t *config, dns_kasp_t* kasp,
}
dns_kasp_addkey(kasp, key);
return (ISC_R_SUCCESS);
cleanup:
dns_kasp_key_destroy(key);
return (result);
}
isc_result_t
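Review bot: `dns_secalg_fromtext` accepts any decimal in 0–255 as well as the mnemonics, so after this change `algorithm 0` or `algorithm 200` parses successfully here and falls into the `default: break;` of the length switch with whatever length was configured; nothing in these hunks checks that the number names an algorithm this build can sign with, and the old `cfg_type_uint32` path did not either, so the new mnemonic path is the natural place to add it. Unless a later stage rejects it (not visible here), a `dst_algorithm_supported(key->algorithm)` check right after the successful parse, declared in `dst/dst.h` which this file does not yet include, would turn that silent misconfiguration into a `named-checkconf` error using the same error shape as the new bad-algorithm path. Two smaller points: the `(isc_textregion_t *) &alg` cast strips `const` from a region the callee only reads, which is the usual ISC idiom but deserves a `/* dns_secalg_fromtext does not write the region */` note; and the `DNS_KEYALG_ECDSA256`…`ED448` cases fall into `default:` after logging the warning, which is harmless but should carry a `/* FALLTHROUGH */` marker. cfg_kaspkey_fromconfig's signature is in the first hunk and its closing brace in the last; the stretches between hunks are not visible.

```c
	result = dns_secalg_fromtext(&key->algorithm,
				     (isc_textregion_t *) &alg);
	/* … unchanged: "bad algorithm" error path, goto cleanup … */
	if (!dst_algorithm_supported(key->algorithm)) {
		cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
			    "dnssec-policy: unsupported algorithm %s",
			    alg.base);
		result = DNS_R_BADALG;
		goto cleanup;
	}
	obj = cfg_tuple_get(config, "length");
	/* … unchanged: length validation switch … */
```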
......
......@@ -540,10 +540,10 @@ static cfg_type_t cfg_type_dnsseckeystore = {
/*%
* A dnssec key, as used in the "keys" statement in a "dnssec-policy".
*/
static keyword_type_t algorithm_kw = { "algorithm", &cfg_type_uint32 };
static keyword_type_t algorithm_kw = { "algorithm", &cfg_type_ustring };
static cfg_type_t cfg_type_algorithm = {
"algorithm", parse_keyvalue, print_keyvalue,
doc_keyvalue, &cfg_rep_uint32, &algorithm_kw
doc_keyvalue, &cfg_rep_string, &algorithm_kw
};
static keyword_type_t lifetime_kw = { "lifetime",
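Review bot: Switching `algorithm_kw` from `cfg_type_uint32` to `cfg_type_ustring` means the config parser no longer rejects anything for this keyword; validation of both mnemonics and numbers now happens only when the policy is built, and nothing in this table says so, so a reader would expect the grammar to catch garbage. Suggest extending the comment block above it: `* The algorithm value is a mnemonic ("rsasha256") or a decimal number; it is not validated by the parser but by dns_secalg_fromtext when the dnssec-policy is built.` The remaining members of the key tuple that use `cfg_type_algorithm` are outside the hunk.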
......