Commit f11ce448 authored by Matthijs Mekking's avatar Matthijs Mekking 🏡

Make kasp opaque

parent 70da58c8
......@@ -1187,7 +1187,7 @@ main(int argc, char **argv) {
fatal("failed to load dnssec-policy '%s'",
ctx.policy);
}
if (ISC_LIST_EMPTY(kasp->keys)) {
if (ISC_LIST_EMPTY(dns_kasp_keys(kasp))) {
fatal("dnssec-policy '%s' has no keys "
"configured", ctx.policy);
}
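Review bot: The emptiness test on the new line, `if (ISC_LIST_EMPTY(dns_kasp_keys(kasp))) {`, could use the accessor this same commit introduces, `if (dns_kasp_keylist_empty(kasp)) {`, as kaspconf.c already does; that keeps the list type out of the tool and sidesteps a precondition difference, because dns_kasp_keys() REQUIREs a frozen kasp while dns_kasp_keylist_empty() only requires a valid one. If the policy loaded into `kasp` is not frozen by this point (not visible in the hunk), the REQUIRE inside dns_kasp_keys() aborts the tool before the fatal() message below can be printed; the same applies to the `ISC_LIST_HEAD(dns_kasp_keys(kasp))` call in the second hunk of this file. main() starts and ends outside the hunk.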
......@@ -1195,7 +1195,7 @@ main(int argc, char **argv) {
ctx.ttl = dns_kasp_dnskeyttl(kasp);
ctx.setttl = true;
kaspkey = ISC_LIST_HEAD(kasp->keys);
kaspkey = ISC_LIST_HEAD(dns_kasp_keys(kasp));
while (kaspkey != NULL) {
ctx.use_nsec3 = false;
......
......@@ -237,6 +237,16 @@ dns_kasp_sigrefresh(dns_kasp_t *kasp);
*\li signature refresh interval.
*/
void
dns_kasp_setsigrefresh(dns_kasp_t *kasp, uint32_t value);
/*%<
* Set signature refresh interval.
*
* Requires:
*
*\li 'kasp' is a valid, thawed kasp.
*/
uint32_t
dns_kasp_sigvalidity(dns_kasp_t *kasp);
uint32_t
......@@ -253,10 +263,22 @@ dns_kasp_sigvalidity_dnskey(dns_kasp_t *kasp);
*\li signature validity.
*/
void
dns_kasp_setsigvalidity(dns_kasp_t *kasp, uint32_t value);
void
dns_kasp_setsigvalidity_dnskey(dns_kasp_t *kasp, uint32_t value);
/*%<
* Set signature validity.
*
* Requires:
*
*\li 'kasp' is a valid, thawed kasp.
*/
dns_ttl_t
dns_kasp_dnskeyttl(dns_kasp_t *kasp);
/*%<
* Get dnskey ttl.
* Get DNSKEY TTL.
*
* Requires:
*
......@@ -267,6 +289,16 @@ dns_kasp_dnskeyttl(dns_kasp_t *kasp);
*\li DNSKEY TTL.
*/
void
dns_kasp_setdnskeyttl(dns_kasp_t *kasp, dns_ttl_t ttl);
/*%<
* Set DNSKEY TTL.
*
* Requires:
*
*\li 'kasp' is a valid, thawed kasp.
*/
uint32_t
dns_kasp_publishsafety(dns_kasp_t *kasp);
/*%<
......@@ -281,6 +313,16 @@ dns_kasp_publishsafety(dns_kasp_t *kasp);
*\li Publish safety interval.
*/
void
dns_kasp_setpublishsafety(dns_kasp_t *kasp, uint32_t value);
/*%<
* Set publish safety interval.
*
* Requires:
*
*\li 'kasp' is a valid, thawed kasp.
*/
uint32_t
dns_kasp_retiresafety(dns_kasp_t *kasp);
/*%<
......@@ -295,6 +337,16 @@ dns_kasp_retiresafety(dns_kasp_t *kasp);
*\li Retire safety interval.
*/
void
dns_kasp_setretiresafety(dns_kasp_t *kasp, uint32_t value);
/*%<
* Set retire safety interval.
*
* Requires:
*
*\li 'kasp' is a valid, thawed kasp.
*/
dns_ttl_t
dns_kasp_zonemaxttl(dns_kasp_t *kasp);
/*%<
......@@ -309,6 +361,16 @@ dns_kasp_zonemaxttl(dns_kasp_t *kasp);
*\li Maximum zone TTL.
*/
void
dns_kasp_setzonemaxttl(dns_kasp_t *kasp, dns_ttl_t ttl);
/*%<
* Set maximum zone TTL.
*
* Requires:
*
*\li 'kasp' is a valid, thawed kasp.
*/
uint32_t
dns_kasp_zonepropagationdelay(dns_kasp_t *kasp);
/*%<
......@@ -323,6 +385,16 @@ dns_kasp_zonepropagationdelay(dns_kasp_t *kasp);
*\li Zone propagation delay.
*/
void
dns_kasp_setzonepropagationdelay(dns_kasp_t *kasp, uint32_t value);
/*%<
* Set zone propagation delay.
*
* Requires:
*
*\li 'kasp' is a valid, thawed kasp.
*/
dns_ttl_t
dns_kasp_dsttl(dns_kasp_t *kasp);
/*%<
......@@ -337,6 +409,16 @@ dns_kasp_dsttl(dns_kasp_t *kasp);
*\li Expected parent DS TTL.
*/
void
dns_kasp_setdsttl(dns_kasp_t *kasp, dns_ttl_t ttl);
/*%<
* Set DS TTL.
*
* Requires:
*
*\li 'kasp' is a valid, thawed kasp.
*/
uint32_t
dns_kasp_parentpropagationdelay(dns_kasp_t *kasp);
/*%<
......@@ -351,6 +433,16 @@ dns_kasp_parentpropagationdelay(dns_kasp_t *kasp);
*\li Parent zone propagation delay.
*/
void
dns_kasp_setparentpropagationdelay(dns_kasp_t *kasp, uint32_t value);
/*%<
* Set parent propagation delay.
*
* Requires:
*
*\li 'kasp' is a valid, thawed kasp.
*/
uint32_t
dns_kasp_parentregistrationdelay(dns_kasp_t *kasp);
/*%<
......@@ -365,6 +457,16 @@ dns_kasp_parentregistrationdelay(dns_kasp_t *kasp);
*\li Parent registration delay.
*/
void
dns_kasp_setparentregistrationdelay(dns_kasp_t *kasp, uint32_t value);
/*%<
* Set parent registration delay.
*
* Requires:
*
*\li 'kasp' is a valid, thawed kasp.
*/
isc_result_t
dns_kasplist_find(dns_kasplist_t *list, const char *name, dns_kasp_t **kaspp);
/*%<
......@@ -381,14 +483,56 @@ dns_kasplist_find(dns_kasplist_t *list, const char *name, dns_kasp_t **kaspp);
*\li #ISC_R_NOTFOUND No matching kasp was found.
*/
dns_kasp_keylist_t
dns_kasp_keys(dns_kasp_t *kasp);
/*%<
* Get the list of kasp keys.
*
* Requires:
*
*\li 'kasp' is a valid, frozen kasp.
*
* Returns:
*
*\li #ISC_R_SUCCESS
*\li #ISC_R_NOMEMORY
*
*\li Other errors are possible.
*/
bool
dns_kasp_keylist_empty(dns_kasp_t *kasp);
/*%<
* Check if the keylist is empty.
*
* Requires:
*
*\li 'kasp' is a valid kasp.
*
* Returns:
*
*\li true if the keylist is empty, false otherwise.
*/
void
dns_kasp_addkey(dns_kasp_t *kasp, dns_kasp_key_t *key);
/*%<
* Add a key.
*
* Requires:
*
*\li 'kasp' is a valid, thawed kasp.
*\li 'key' is not NULL.
*/
isc_result_t
dns_kasp_key_create(isc_mem_t* mctx, dns_kasp_key_t **keyp);
dns_kasp_key_create(dns_kasp_t *kasp, dns_kasp_key_t **keyp);
/*%<
* Create a key inside a KASP.
*
* Requires:
*
*\li 'mctx' is a valid memory context.
*\li 'kasp' is a valid kasp.
*
*\li keyp != NULL && *keyp == NULL
*
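Review bot: The `Returns:` block added for dns_kasp_keys() lists `#ISC_R_SUCCESS`, `#ISC_R_NOMEMORY` and "Other errors are possible", but the function returns a `dns_kasp_keylist_t` by value and has no failure path, so the block reads as copied from dns_kasplist_find(); replace those lines with `*\li The list of keys configured for this kasp.` (the Requires line stating a frozen kasp matches the implementation and should stay). In the earlier hunk at `@@ -253,10 +263,22 @@`, dns_kasp_setsigvalidity_dnskey() is declared immediately after dns_kasp_setsigvalidity() and shares its comment; give it its own block, `Set DNSKEY signature validity.` with the same thawed-kasp requirement, so each setter is documented when read on its own.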
......
......@@ -138,6 +138,13 @@ dns_kasp_sigrefresh(dns_kasp_t *kasp) {
return (kasp->signatures_refresh);
}
void
dns_kasp_setsigrefresh(dns_kasp_t *kasp, uint32_t value) {
REQUIRE(DNS_KASP_VALID(kasp));
REQUIRE(!kasp->frozen);
kasp->signatures_refresh = value;
}
uint32_t
dns_kasp_sigvalidity(dns_kasp_t *kasp) {
REQUIRE(DNS_KASP_VALID(kasp));
......@@ -145,6 +152,13 @@ dns_kasp_sigvalidity(dns_kasp_t *kasp) {
return (kasp->signatures_validity);
}
void
dns_kasp_setsigvalidity(dns_kasp_t *kasp, uint32_t value) {
REQUIRE(DNS_KASP_VALID(kasp));
REQUIRE(!kasp->frozen);
kasp->signatures_validity = value;
}
uint32_t
dns_kasp_sigvalidity_dnskey(dns_kasp_t *kasp) {
REQUIRE(DNS_KASP_VALID(kasp));
......@@ -152,6 +166,13 @@ dns_kasp_sigvalidity_dnskey(dns_kasp_t *kasp) {
return (kasp->signatures_validity_dnskey);
}
void
dns_kasp_setsigvalidity_dnskey(dns_kasp_t *kasp, uint32_t value) {
REQUIRE(DNS_KASP_VALID(kasp));
REQUIRE(!kasp->frozen);
kasp->signatures_validity = value;
}
dns_ttl_t
dns_kasp_dnskeyttl(dns_kasp_t *kasp) {
REQUIRE(DNS_KASP_VALID(kasp));
......@@ -159,6 +180,13 @@ dns_kasp_dnskeyttl(dns_kasp_t *kasp) {
return (kasp->dnskey_ttl);
}
void
dns_kasp_setdnskeyttl(dns_kasp_t *kasp, dns_ttl_t ttl) {
REQUIRE(DNS_KASP_VALID(kasp));
REQUIRE(!kasp->frozen);
kasp->dnskey_ttl = ttl;
}
uint32_t
dns_kasp_publishsafety(dns_kasp_t *kasp) {
REQUIRE(DNS_KASP_VALID(kasp));
......@@ -166,6 +194,13 @@ dns_kasp_publishsafety(dns_kasp_t *kasp) {
return (kasp->publish_safety);
}
void
dns_kasp_setpublishsafety(dns_kasp_t *kasp, uint32_t value) {
REQUIRE(DNS_KASP_VALID(kasp));
REQUIRE(!kasp->frozen);
kasp->publish_safety = value;
}
uint32_t
dns_kasp_retiresafety(dns_kasp_t *kasp) {
REQUIRE(DNS_KASP_VALID(kasp));
......@@ -173,6 +208,13 @@ dns_kasp_retiresafety(dns_kasp_t *kasp) {
return (kasp->retire_safety);
}
void
dns_kasp_setretiresafety(dns_kasp_t *kasp, uint32_t value) {
REQUIRE(DNS_KASP_VALID(kasp));
REQUIRE(!kasp->frozen);
kasp->retire_safety = value;
}
dns_ttl_t
dns_kasp_zonemaxttl(dns_kasp_t *kasp) {
REQUIRE(DNS_KASP_VALID(kasp));
......@@ -180,6 +222,13 @@ dns_kasp_zonemaxttl(dns_kasp_t *kasp) {
return (kasp->zone_max_ttl);
}
void
dns_kasp_setzonemaxttl(dns_kasp_t *kasp, dns_ttl_t ttl) {
REQUIRE(DNS_KASP_VALID(kasp));
REQUIRE(!kasp->frozen);
kasp->zone_max_ttl = ttl;
}
uint32_t
dns_kasp_zonepropagationdelay(dns_kasp_t *kasp) {
REQUIRE(DNS_KASP_VALID(kasp));
......@@ -187,6 +236,13 @@ dns_kasp_zonepropagationdelay(dns_kasp_t *kasp) {
return (kasp->zone_propagation_delay);
}
void
dns_kasp_setzonepropagationdelay(dns_kasp_t *kasp, uint32_t value) {
REQUIRE(DNS_KASP_VALID(kasp));
REQUIRE(!kasp->frozen);
kasp->zone_propagation_delay = value;
}
dns_ttl_t
dns_kasp_dsttl(dns_kasp_t *kasp) {
REQUIRE(DNS_KASP_VALID(kasp));
......@@ -194,6 +250,13 @@ dns_kasp_dsttl(dns_kasp_t *kasp) {
return (kasp->parent_ds_ttl);
}
void
dns_kasp_setdsttl(dns_kasp_t *kasp, dns_ttl_t ttl) {
REQUIRE(DNS_KASP_VALID(kasp));
REQUIRE(!kasp->frozen);
kasp->parent_ds_ttl = ttl;
}
uint32_t
dns_kasp_parentpropagationdelay(dns_kasp_t *kasp) {
REQUIRE(DNS_KASP_VALID(kasp));
......@@ -201,6 +264,13 @@ dns_kasp_parentpropagationdelay(dns_kasp_t *kasp) {
return (kasp->parent_propagation_delay);
}
void
dns_kasp_setparentpropagationdelay(dns_kasp_t *kasp, uint32_t value) {
REQUIRE(DNS_KASP_VALID(kasp));
REQUIRE(!kasp->frozen);
kasp->parent_propagation_delay = value;
}
uint32_t
dns_kasp_parentregistrationdelay(dns_kasp_t *kasp) {
REQUIRE(DNS_KASP_VALID(kasp));
......@@ -208,6 +278,13 @@ dns_kasp_parentregistrationdelay(dns_kasp_t *kasp) {
return (kasp->parent_registration_delay);
}
void
dns_kasp_setparentregistrationdelay(dns_kasp_t *kasp, uint32_t value) {
REQUIRE(DNS_KASP_VALID(kasp));
REQUIRE(!kasp->frozen);
kasp->parent_registration_delay = value;
}
isc_result_t
dns_kasplist_find(dns_kasplist_t *list, const char *name, dns_kasp_t **kaspp)
{
......@@ -234,16 +311,42 @@ dns_kasplist_find(dns_kasplist_t *list, const char *name, dns_kasp_t **kaspp)
return (ISC_R_SUCCESS);
}
dns_kasp_keylist_t
dns_kasp_keys(dns_kasp_t *kasp)
{
REQUIRE(DNS_KASP_VALID(kasp));
REQUIRE(kasp->frozen);
return (kasp->keys);
}
bool
dns_kasp_keylist_empty(dns_kasp_t *kasp)
{
REQUIRE(DNS_KASP_VALID(kasp));
return (ISC_LIST_EMPTY(kasp->keys));
}
void
dns_kasp_addkey(dns_kasp_t *kasp, dns_kasp_key_t *key)
{
REQUIRE(DNS_KASP_VALID(kasp));
REQUIRE(!kasp->frozen);
REQUIRE(key != NULL);
ISC_LIST_APPEND(kasp->keys, key, link);
}
isc_result_t
dns_kasp_key_create(isc_mem_t* mctx, dns_kasp_key_t **keyp)
dns_kasp_key_create(dns_kasp_t *kasp, dns_kasp_key_t **keyp)
{
dns_kasp_key_t *key;
REQUIRE(DNS_KASP_VALID(kasp));
REQUIRE(keyp != NULL && *keyp == NULL);
key = isc_mem_get(mctx, sizeof(*key));
key = isc_mem_get(kasp->mctx, sizeof(*key));
key->mctx = NULL;
isc_mem_attach(mctx, &key->mctx);
isc_mem_attach(kasp->mctx, &key->mctx);
ISC_LINK_INIT(key, link);
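Review bot: dns_kasp_setsigvalidity_dnskey() in the hunk at `@@ -152,6 +166,13 @@` stores into the wrong field: `kasp->signatures_validity = value;` should be `kasp->signatures_validity_dnskey = value;`. As written the DNSKEY-specific validity is never recorded, so dns_kasp_sigvalidity_dnskey() keeps returning whatever the field held at creation, and because kaspconf.c calls this setter right after dns_kasp_setsigvalidity(), the `signatures-validity-dnskey` option silently overwrites the `signatures-validity` setting instead. That changes the RRSIG lifetimes a policy actually produces, so a unit test that sets both values through the setters and reads them back through the getters would catch it. dns_kasp_key_create() continues outside the hunk.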
......
......@@ -1330,7 +1330,7 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass,
}
/* Create keys according to the policy, if come in short. */
for (kkey = ISC_LIST_HEAD(kasp->keys); kkey != NULL;
for (kkey = ISC_LIST_HEAD(dns_kasp_keys(kasp)); kkey != NULL;
kkey = ISC_LIST_NEXT(kkey, link))
{
isc_stdtime_t retire = 0, active = 0, prepub = 0;
......
......@@ -414,6 +414,7 @@ dns_journal_rollforward
dns_journal_set_sourceserial
dns_journal_write_transaction
dns_journal_writediff
dns_kasp_addkey
dns_kasp_attach
dns_kasp_create
dns_kasp_detach
......@@ -428,10 +429,23 @@ dns_kasp_key_ksk
dns_kasp_key_lifetime
dns_kasp_key_size
dns_kasp_key_zsk
dns_kasp_keylist_empty
dns_kasp_keys
dns_kasp_parentpropagationdelay
dns_kasp_parentregistrationdelay
dns_kasp_publishsafety
dns_kasp_retiresafety
dns_kasp_setdnskeyttl
dns_kasp_setdsttl
dns_kasp_setparentpropagationdelay
dns_kasp_setparentregistrationdelay
dns_kasp_setpublishsafety
dns_kasp_setretiresafety
dns_kasp_setsigrefresh
dns_kasp_setsigvalidity
dns_kasp_setsigvalidity_dnskey
dns_kasp_setzonemaxttl
dns_kasp_setzonepropagationdelay
dns_kasp_signdelay
dns_kasp_sigrefresh
dns_kasp_sigvalidity
......
......@@ -7039,7 +7039,7 @@ signed_with_good_key(dns_zone_t* zone, dns_db_t *db, dns_dbnode_t *node,
int zsk_count = 0;
bool approved;
for (kkey = ISC_LIST_HEAD(kasp->keys); kkey != NULL;
for (kkey = ISC_LIST_HEAD(dns_kasp_keys(kasp)); kkey != NULL;
kkey = ISC_LIST_NEXT(kkey, link))
{
if (dns_kasp_key_algorithm(kkey) != dst_key_alg(key)) {
......
......@@ -71,7 +71,7 @@ cfg_kaspkey_fromconfig(const cfg_obj_t *config, dns_kasp_t* kasp)
dns_kasp_key_t *key = NULL;
/* Create a new key reference. */
result = dns_kasp_key_create(kasp->mctx, &key);
result = dns_kasp_key_create(kasp, &key);
if (result != ISC_R_SUCCESS) {
return (result);
}
......@@ -103,8 +103,7 @@ cfg_kaspkey_fromconfig(const cfg_obj_t *config, dns_kasp_t* kasp)
key->length = cfg_obj_asuint32(obj);
}
}
ISC_LIST_APPEND(kasp->keys, key, link);
ISC_INSIST(!(ISC_LIST_EMPTY(kasp->keys)));
dns_kasp_addkey(kasp, key);
return (result);
}
......@@ -158,20 +157,21 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, isc_mem_t* mctx,
maps[i] = NULL;
/* Configuration: Signatures */
kasp->signatures_refresh = get_duration(
maps, "signatures-refresh", DNS_KASP_SIG_REFRESH);
kasp->signatures_validity = get_duration(
maps, "signatures-validity", DNS_KASP_SIG_VALIDITY);
kasp->signatures_validity_dnskey = get_duration(
maps, "signatures-validity-dnskey",
DNS_KASP_SIG_VALIDITY_DNSKEY);
dns_kasp_setsigrefresh(kasp, get_duration(maps, "signatures-refresh",
DNS_KASP_SIG_REFRESH));
dns_kasp_setsigvalidity(kasp, get_duration(maps, "signatures-validity",
DNS_KASP_SIG_VALIDITY));
dns_kasp_setsigvalidity_dnskey(kasp, get_duration(maps,
"signatures-validity-dnskey",
DNS_KASP_SIG_VALIDITY_DNSKEY));
/* Configuration: Keys */
kasp->dnskey_ttl = get_duration(maps, "dnskey-ttl", DNS_KASP_KEY_TTL);
kasp->publish_safety = get_duration(maps, "publish-safety",
DNS_KASP_PUBLISH_SAFETY);
kasp->retire_safety = get_duration(maps, "retire-safety",
DNS_KASP_RETIRE_SAFETY);
dns_kasp_setdnskeyttl(kasp, get_duration(maps, "dnskey-ttl",
DNS_KASP_KEY_TTL));
dns_kasp_setpublishsafety(kasp, get_duration(maps, "publish-safety",
DNS_KASP_PUBLISH_SAFETY));
dns_kasp_setretiresafety(kasp, get_duration(maps, "retire-safety",
DNS_KASP_RETIRE_SAFETY));
(void)confget(maps, "keys", &keys);
if (keys == NULL) {
......@@ -190,26 +190,24 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, isc_mem_t* mctx,
}
}
}
ISC_INSIST(!(ISC_LIST_EMPTY(kasp->keys)));
ISC_INSIST(!(dns_kasp_keylist_empty(kasp)));
/* Configuration: Zone settings */
kasp->zone_max_ttl = get_duration(maps, "zone-max-ttl",
DNS_KASP_ZONE_MAXTTL);
kasp->zone_propagation_delay = get_duration(maps,
"zone-propagation-delay",
DNS_KASP_ZONE_PROPDELAY);
dns_kasp_setzonemaxttl(kasp, get_duration(maps, "zone-max-ttl",
DNS_KASP_ZONE_MAXTTL));
dns_kasp_setzonepropagationdelay(kasp, get_duration(maps,
"zone-propagation-delay",
DNS_KASP_ZONE_PROPDELAY));
/* Configuration: Parent settings */
kasp->parent_ds_ttl = get_duration(maps, "parent-ds-ttl",
DNS_KASP_DS_TTL);
kasp->parent_propagation_delay = get_duration(
maps,
dns_kasp_setdsttl(kasp, get_duration(maps, "parent-ds-ttl",
DNS_KASP_DS_TTL));
dns_kasp_setparentpropagationdelay(kasp, get_duration(maps,
"parent-propagation-delay",
DNS_KASP_PARENT_PROPDELAY);
kasp->parent_registration_delay = get_duration(
maps,
DNS_KASP_PARENT_PROPDELAY));
dns_kasp_setparentregistrationdelay(kasp, get_duration(maps,
"parent-registration-delay",
DNS_KASP_PARENT_REGDELAY);
DNS_KASP_PARENT_REGDELAY));
// TODO: Rest of the configuration
......