OpenDNSSEC-enforcer  2.0.4
enforcer.c
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2011 NLNet Labs. All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  * notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  * notice, this list of conditions and the following disclaimer in the
11  * documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
14  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
15  * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16  * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
17  * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
19  * GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
20  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
21  * IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
22  * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
23  * IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24  *
25  */
26 
27 /*
28  * @section DESCRIPTION
29  *
30  * This module controls the order and time for keys to be introduced,
31  * generated and discarded. It can be called for one zone at a time. It
32  * will then manipulate its keys and bring them closer to their goal,
33  * within bounds of the zone's policy. New keys may be fetched from the
34  * HSM and old keys discarded. When done, the update function returns
35  * a time at which it need to be called again for this zone. Unless
36  * there is an unscheduled change for this zone (some user input) it
37  * should not be called sooner. Calling sooner is not harmful in any
38  * way but also not effective. Calling later does not do any harm as
39  * well, however rollovers may be delayed.
40  */
41 
42 #include "config.h"
43 
44 #include <time.h>
45 
46 #include "libhsm.h"
47 #include "hsmkey/hsm_key_factory.h"
48 
49 #include <libhsmdns.h>
50 #include <ldns/ldns.h>
51 
52 #include "duration.h"
53 #include "log.h"
54 #include "daemon/engine.h"
55 
56 #include "db/zone.h"
57 #include "db/policy.h"
58 #include "db/policy_key.h"
59 #include "db/hsm_key.h"
60 #include "db/key_data.h"
61 #include "db/key_dependency.h"
62 #include "db/db_error.h"
63 
64 #include "enforcer/enforcer.h"
65 
66 #define HIDDEN KEY_STATE_STATE_HIDDEN
67 #define RUMOURED KEY_STATE_STATE_RUMOURED
68 #define OMNIPRESENT KEY_STATE_STATE_OMNIPRESENT
69 #define UNRETENTIVE KEY_STATE_STATE_UNRETENTIVE
70 #define NA KEY_STATE_STATE_NA
71 
72 static const char *module_str = "enforcer";
73 
75 #define NOKEY_TIMEOUT 60
76 
77 struct future_key {
82 };
83 
84 static int max(int a, int b) { return a>b?a:b; }
85 static int min(int a, int b) { return a<b?a:b; }
86 
96 static inline void
97 minTime(const time_t t, time_t* min)
98 {
99  assert(min); /* TODO: proper error */
100  if ( (t < *min || *min < 0) && t >= 0 ) *min = t;
101 }
102 
112 static time_t
113 addtime(const time_t t, const int seconds)
114 {
115  struct tm *tp = localtime(&t);
116  if (!tp) return -1; /* bad, but mktime also returns -1 on error */
117  tp->tm_sec += seconds;
118  return mktime(tp);
119 }
120 
127 static inline const key_state_t*
128 getRecord(key_data_t* key, key_state_type_t type)
129 {
130  if (!key) {
131  return NULL;
132  }
133 
134  switch (type) {
135  case KEY_STATE_TYPE_DS:
136  return key_data_cached_ds(key);
137 
139  return key_data_cached_dnskey(key);
140 
142  return key_data_cached_rrsig(key);
143 
145  return key_data_cached_rrsigdnskey(key);
146 
147  default:
148  break;
149  }
150 
151  return NULL;
152 }
153 
159 static inline key_state_state_t
160 getState(key_data_t* key, key_state_type_t type, struct future_key *future_key)
161 {
162  int cmp;
163 
164  if (!key) {
166  }
167 
168  if (future_key
169  && future_key->pretend_update
170  && future_key->type == type
171  && future_key->key)
172  {
173  if (db_value_cmp(key_data_id(key), key_data_id(future_key->key), &cmp)) {
175  }
176  if (!cmp) {
177  return future_key->next_state;
178  }
179  }
180 
181  return key_state_state(getRecord(key, type));
182 }
183 
195 static key_state_state_t
196 getDesiredState(int introducing, key_state_state_t state)
197 {
198  /*
199  * Given goal and state, what will be the next state?
200  */
201  if (!introducing) {
202  /*
203  * We are outroducing this key so we would like to move rumoured and
204  * omnipresent keys to unretentive and unretentive keys to hidden.
205  */
206  switch (state) {
207  case HIDDEN:
208  break;
209 
210  case RUMOURED:
211  state = UNRETENTIVE;
212  break;
213 
214  case OMNIPRESENT:
215  state = UNRETENTIVE;
216  break;
217 
218  case UNRETENTIVE:
219  state = HIDDEN;
220  break;
221 
222  case NA:
223  break;
224 
225  default:
226  state = KEY_STATE_STATE_INVALID;
227  break;
228  }
229  }
230  else {
231  /*
232  * We are introducing this key so we would like to move hidden and
233  * unretentive keys to rumoured and rumoured keys to omnipresent.
234  */
235  switch (state) {
236  case HIDDEN:
237  state = RUMOURED;
238  break;
239 
240  case RUMOURED:
241  state = OMNIPRESENT;
242  break;
243 
244  case OMNIPRESENT:
245  break;
246 
247  case UNRETENTIVE:
248  state = RUMOURED;
249  break;
250 
251  case NA:
252  break;
253 
254  default:
255  state = KEY_STATE_STATE_INVALID;
256  break;
257  }
258  }
259 
260  return state;
261 }
262 
269 static int
270 match(key_data_t* key, struct future_key *future_key, int same_algorithm,
271  const key_state_state_t mask[4])
272 {
273  if (!key) {
274  return -1;
275  }
276  if (!future_key) {
277  return -1;
278  }
279  if (!future_key->key) {
280  return -1;
281  }
282 
283  if (same_algorithm
284  && key_data_algorithm(key) != key_data_algorithm(future_key->key))
285  {
286  return 0;
287  }
288 
289  /*
290  * Check the states against the mask, for each mask that is not NA we
291  * need a match on that key state.
292  */
293  if ((mask[0] != NA
294  && getState(key, KEY_STATE_TYPE_DS, future_key) != mask[0])
295  || (mask[1] != NA
296  && getState(key, KEY_STATE_TYPE_DNSKEY, future_key) != mask[1])
297  || (mask[2] != NA
298  && getState(key, KEY_STATE_TYPE_RRSIGDNSKEY, future_key) != mask[2])
299  || (mask[3] != NA
300  && getState(key, KEY_STATE_TYPE_RRSIG, future_key) != mask[3]))
301  {
302  return 0;
303  }
304  return 1;
305 }
306 
313 static int
314 exists(key_data_t** keylist, size_t keylist_size, struct future_key *future_key,
315  int same_algorithm, const key_state_state_t mask[4])
316 {
317  size_t i;
318 
319  if (!keylist) {
320  return -1;
321  }
322  if (!future_key) {
323  return -1;
324  }
325  if (!future_key->key) {
326  return -1;
327  }
328 
329  for (i = 0; i < keylist_size; i++) {
330  /*
331  * Check the states against the mask. If we have a match we return a
332  * positive value.
333  */
334  if (match(keylist[i], future_key, same_algorithm, mask) > 0) {
335  return 1;
336  }
337  }
338 
339  /*
340  * We got no match, return zero.
341  */
342  return 0;
343 }
344 
351 static int
352 isPotentialSuccessor(key_data_t* successor_key, key_data_t* predecessor_key,
353  struct future_key *future_key, key_state_type_t type)
354 {
355  if (!successor_key) {
356  return -1;
357  }
358  if (!predecessor_key) {
359  return -1;
360  }
361  if (!future_key) {
362  return -1;
363  }
364 
365  /* You can't be a successor of yourself */
366  if (!key_data_cmp(successor_key, predecessor_key)) return 0;
367 
368  /*
369  * TODO
370  */
371  if (getState(successor_key, type, future_key) != RUMOURED
372  || key_data_algorithm(successor_key) != key_data_algorithm(predecessor_key))
373  {
374  return 0;
375  }
376 
377  /*
378  * TODO
379  */
380  switch (type) {
381  case KEY_STATE_TYPE_DS: /* Intentional fall-through */
383  /*
384  * TODO
385  */
386  if (getState(successor_key, KEY_STATE_TYPE_DNSKEY, future_key) == OMNIPRESENT) {
387  return 1;
388  }
389  break;
390 
392  /*
393  * Either both DS's should be omnipresent or both signatures, for the
394  * keys to be in a potential relationship for the DNSKEY.
395  */
396  if ((getState(predecessor_key, KEY_STATE_TYPE_DS, future_key) == OMNIPRESENT
397  && getState(successor_key, KEY_STATE_TYPE_DS, future_key) == OMNIPRESENT)
398  || (getState(predecessor_key, KEY_STATE_TYPE_RRSIG, future_key) == OMNIPRESENT
399  && getState(successor_key, KEY_STATE_TYPE_RRSIG, future_key) == OMNIPRESENT))
400  {
401  return 1;
402  }
403  break;
404 
406  /*
407  * TODO
408  */
409  break;
410 
411  default:
412  return -1;
413  }
414 
415  return 0;
416 }
417 
424 static int
425 successor_rec(key_data_t** keylist, size_t keylist_size,
426  key_data_t* successor_key, key_data_t* predecessor_key,
427  struct future_key *future_key,
429 {
430  size_t i;
431  int cmp;
432  const key_dependency_t* dep;
433  key_data_t *from_key;
434  key_dependency_list_t* deplist;
435 
436  if (!keylist) {
437  return -1;
438  }
439  if (!successor_key) {
440  return -1;
441  }
442  if (!predecessor_key) {
443  return -1;
444  }
445  if (!future_key) {
446  return -1;
447  }
448  if (!future_key->key) {
449  return -1;
450  }
451  if (!deplist_ext) {
452  return -1;
453  }
454 
455  /*
456  * Make a copy of the deplist in order to preserve where we are in the list
457  * if we are calling ourselves later on.
458  *
459  * TODO: This can be optimized with the implementation of *_list_ref_t or
460  * allocating an array as with keylist.
461  */
462  if (!(deplist = key_dependency_list_new_copy(deplist_ext))) {
463  return -1;
464  }
465 
466  /*
467  * Check the trivial case where the predecessor key is already a predecessor
468  * for the successor key.
469  */
470  for (dep = key_dependency_list_begin(deplist); dep; dep = key_dependency_list_next(deplist)) {
471  switch (key_dependency_type(dep)) {
473  if (type != KEY_STATE_TYPE_DS) {
474  continue;
475  }
476  break;
477 
479  if (type != KEY_STATE_TYPE_RRSIG) {
480  continue;
481  }
482  break;
483 
485  if (type != KEY_STATE_TYPE_DNSKEY) {
486  continue;
487  }
488  break;
489 
492  continue;
493  }
494  break;
495 
496  default:
497  continue;
498  }
499 
500  if (db_value_cmp(key_data_id(predecessor_key), key_dependency_from_key_data_id(dep), &cmp)) {
501  return -1;
502  }
503  if (cmp) {
504  continue;
505  }
506 
507  if (db_value_cmp(key_data_id(successor_key), key_dependency_to_key_data_id(dep), &cmp)) {
508  return -1;
509  }
510  if (cmp) {
511  continue;
512  }
513 
514  key_dependency_list_free(deplist);
515  return 1;
516  }
517 
518  /*
519  * Check the trivial case where there is a direct relationship in the future
520  */
521  if (future_key->pretend_update) {
522  if (db_value_cmp(key_data_id(future_key->key), key_data_id(predecessor_key), &cmp)) {
523  key_dependency_list_free(deplist);
524  return -1;
525  }
526  if (!cmp && isPotentialSuccessor(successor_key, predecessor_key, future_key, type) > 0) {
527  key_dependency_list_free(deplist);
528  return 1;
529  }
530  }
531 
532  /*
533  * Check for indirect relationship where X depends on S and X is in the same
534  * state as P and X is a successor of P.
535  */
536  for (dep = key_dependency_list_begin(deplist); dep; dep = key_dependency_list_next(deplist)) {
537  switch (key_dependency_type(dep)) {
539  if (type != KEY_STATE_TYPE_DS) {
540  continue;
541  }
542  break;
543 
545  if (type != KEY_STATE_TYPE_RRSIG) {
546  continue;
547  }
548  break;
549 
551  if (type != KEY_STATE_TYPE_DNSKEY) {
552  continue;
553  }
554  break;
555 
558  continue;
559  }
560  break;
561 
562  default:
563  continue;
564  }
565 
566  if (db_value_cmp(key_data_id(successor_key), key_dependency_to_key_data_id(dep), &cmp)) {
567  key_dependency_list_free(deplist);
568  return -1;
569  }
570  if (cmp) {
571  continue;
572  }
573 
574  /*
575  * TODO: This may be optimized by searching for the key in the keylist
576  * first, only retrieving it from the database if needed or giving an
577  * error if it does not exist in the keylist.
578  */
579  if (!(from_key = key_dependency_get_from_key_data(dep))) {
580  key_dependency_list_free(deplist);
581  return -1;
582  }
583 
584  /*
585  * The RRSIGDNSKEY is not compared because TODO .
586  */
587  if (getState(predecessor_key, KEY_STATE_TYPE_DS, future_key) != getState(from_key, KEY_STATE_TYPE_DS, future_key)
588  || getState(predecessor_key, KEY_STATE_TYPE_DNSKEY, future_key) != getState(from_key, KEY_STATE_TYPE_DNSKEY, future_key)
589  || getState(predecessor_key, KEY_STATE_TYPE_RRSIG, future_key) != getState(from_key, KEY_STATE_TYPE_RRSIG, future_key))
590  {
591  key_data_free(from_key);
592  continue;
593  }
594  if (successor_rec(keylist, keylist_size, from_key, predecessor_key, future_key, type, deplist_ext) > 0) {
595  key_data_free(from_key);
596  key_dependency_list_free(deplist);
597  return 1;
598  }
599  key_data_free(from_key);
600  }
601  key_dependency_list_free(deplist);
602 
603  /*
604  * TODO
605  */
606  if (future_key->pretend_update) {
607  for (i = 0; i < keylist_size; i++) {
608  if (db_value_cmp(key_data_id(predecessor_key), key_data_id(keylist[i]), &cmp)) {
609  return -1;
610  }
611  if (!cmp) {
612  continue;
613  }
614 
615  if (isPotentialSuccessor(successor_key, keylist[i], future_key, type) > 0) {
616  /*
617  * The RRSIGDNSKEY is not compared because TODO .
618  */
619  if (getState(predecessor_key, KEY_STATE_TYPE_DS, future_key) != getState(keylist[i], KEY_STATE_TYPE_DS, future_key)
620  || getState(predecessor_key, KEY_STATE_TYPE_DNSKEY, future_key) != getState(keylist[i], KEY_STATE_TYPE_DNSKEY, future_key)
621  || getState(predecessor_key, KEY_STATE_TYPE_RRSIG, future_key) != getState(keylist[i], KEY_STATE_TYPE_RRSIG, future_key))
622  {
623  continue;
624  }
625  if (successor_rec(keylist+1, keylist_size-1, successor_key, keylist[i], future_key, type, deplist_ext) > 0) {
626  return 1;
627  }
628  }
629  }
630  }
631 
632  return 0;
633 }
634 
641 static int
642 successor(key_data_t** keylist, size_t keylist_size, key_data_t* successor_key,
643  key_data_t* predecessor_key, struct future_key *future_key,
645 {
646  int cmp;
647  const key_dependency_t* dep;
648 
649  if (!keylist) {
650  return -1;
651  }
652  if (!successor_key) {
653  return -1;
654  }
655  if (!predecessor_key) {
656  return -1;
657  }
658  if (!future_key) {
659  return -1;
660  }
661  if (!future_key->key) {
662  return -1;
663  }
664  if (!deplist) {
665  return -1;
666  }
667 
668  /*
669  * Nothing may depend on our predecessor.
670  */
671  for (dep = key_dependency_list_begin(deplist); dep; dep = key_dependency_list_next(deplist)) {
672  if (db_value_cmp(key_data_id(predecessor_key), key_dependency_to_key_data_id(dep), &cmp)) {
673  return -1;
674  }
675  if (!cmp) {
676  return 0;
677  }
678  }
679  return successor_rec(keylist, keylist_size, successor_key, predecessor_key, future_key, type, deplist);
680 }
681 
688 static int
689 exists_with_successor(key_data_t** keylist, size_t keylist_size,
690  struct future_key *future_key, int same_algorithm,
691  const key_state_state_t predecessor_mask[4],
692  const key_state_state_t successor_mask[4], key_state_type_t type,
693  key_dependency_list_t* deplist)
694 {
695  size_t i, j;
696 
697  if (!keylist) {
698  return -1;
699  }
700  if (!future_key) {
701  return -1;
702  }
703 
704  /*
705  * Walk the list of keys, for each key that matches the successor mask we
706  * walk the list again and check that key against the keys that match the
707  * predecessor mask if has a valid successor/predecessor relationship.
708  */
709  for (i = 0; i < keylist_size; i++) {
710  if (match(keylist[i], future_key, same_algorithm, successor_mask) < 1) {
711  continue;
712  }
713 
714  for (j = 0; j < keylist_size; j++) {
715  if (j == i
716  || match(keylist[j], future_key, same_algorithm, predecessor_mask) < 1)
717  {
718  continue;
719  }
720 
721  if (successor(keylist, keylist_size, keylist[i], keylist[j], future_key, type, deplist) > 0) {
722  return 1;
723  }
724  }
725  }
726  return 0;
727 }
728 
735 static int
736 unsignedOk(key_data_t** keylist, size_t keylist_size,
737  struct future_key *future_key,
738  const key_state_state_t mask[4], key_state_type_t type)
739 {
740  size_t i;
741  key_state_state_t cmp_mask[4];
742 
743  if (!keylist) {
744  return -1;
745  }
746  if (!future_key) {
747  return -1;
748  }
749  if (!future_key->key) {
750  return -1;
751  }
752 
753  for (i = 0; i < keylist_size; i++) {
754  if (key_data_algorithm(keylist[i]) != key_data_algorithm(future_key->key)) {
755  continue;
756  }
757 
758  cmp_mask[0] = type == KEY_STATE_TYPE_DS
759  ? getState(keylist[i], type, future_key)
760  : mask[0];
761  cmp_mask[1] = type == KEY_STATE_TYPE_DNSKEY
762  ? getState(keylist[i], type, future_key)
763  : mask[1];
764  cmp_mask[2] = type == KEY_STATE_TYPE_RRSIGDNSKEY
765  ? getState(keylist[i], type, future_key)
766  : mask[2];
767  cmp_mask[3] = type == KEY_STATE_TYPE_RRSIG
768  ? getState(keylist[i], type, future_key)
769  : mask[3];
770 
771  /*
772  * If the state is hidden or NA for the given type this key is okay.
773  */
774  switch (type) {
775  case KEY_STATE_TYPE_DS:
776  if (cmp_mask[0] == HIDDEN || cmp_mask[0] == NA) {
777  continue;
778  }
779  break;
780 
782  if (cmp_mask[1] == HIDDEN || cmp_mask[1] == NA) {
783  continue;
784  }
785  break;
786 
788  if (cmp_mask[2] == HIDDEN || cmp_mask[2] == NA) {
789  continue;
790  }
791  break;
792 
794  if (cmp_mask[3] == HIDDEN || cmp_mask[3] == NA) {
795  continue;
796  }
797  break;
798 
799  default:
800  return -1;
801  }
802 
803  if (exists(keylist, keylist_size, future_key, 1, cmp_mask) < 1) {
804  return 0;
805  }
806  }
807 
808  return 1;
809 }
810 
817 static int
818 rule1(key_data_t** keylist, size_t keylist_size, struct future_key *future_key,
819  int pretend_update)
820 {
821  static const key_state_state_t mask[2][4] = {
822  /*
823  * This indicates a good key state.
824  */
825  { OMNIPRESENT, NA, NA, NA },
826  /*
827  * This indicates that the DS is introducing.
828  */
829  { RUMOURED, NA, NA, NA }
830  };
831 
832  if (!keylist) {
833  return -1;
834  }
835  if (!future_key) {
836  return -1;
837  }
838  if (!future_key->key) {
839  return -1;
840  }
841 
842  future_key->pretend_update = pretend_update;
843 
844  /*
845  * Return positive value if any of the masks are found.
846  */
847  if (exists(keylist, keylist_size, future_key, 0, mask[0]) > 0
848  || exists(keylist, keylist_size, future_key, 0, mask[1]) > 0)
849  {
850  return 1;
851  }
852  return 0;
853 }
854 
861 static int
862 rule2(key_data_t** keylist, size_t keylist_size, struct future_key *future_key,
864 {
865  static const key_state_state_t mask[8][4] = {
866  { OMNIPRESENT, OMNIPRESENT, OMNIPRESENT, NA }, /*This indicates a good key state.*/
867  { RUMOURED, OMNIPRESENT, OMNIPRESENT, NA }, /*This indicates an introducing DS state.*/
868  { UNRETENTIVE, OMNIPRESENT, OMNIPRESENT, NA }, /*This indicates an outroducing DS state.*/
869  { OMNIPRESENT, RUMOURED, RUMOURED, NA }, /*These indicates an introducing DNSKEY state.*/
870  { OMNIPRESENT, OMNIPRESENT, RUMOURED, NA },
871  { OMNIPRESENT, UNRETENTIVE, UNRETENTIVE, NA }, /*These indicates an outroducing DNSKEY state.*/
873  { HIDDEN, OMNIPRESENT, OMNIPRESENT, NA } /*This indicates an unsigned state.*/
874  };
875 
876  if (!keylist || !future_key || !future_key->key) {
877  return -1;
878  }
879 
880  future_key->pretend_update = pretend_update;
881 
882  /*
883  * Return positive value if any of the masks are found.
884  */
885  if (exists(keylist, keylist_size, future_key, 1, mask[0]) > 0
886  || exists_with_successor(keylist, keylist_size, future_key, 1, mask[2], mask[1], KEY_STATE_TYPE_DS, deplist) > 0
887  || exists_with_successor(keylist, keylist_size, future_key, 1, mask[5], mask[3], KEY_STATE_TYPE_DNSKEY, deplist) > 0
888  || exists_with_successor(keylist, keylist_size, future_key, 1, mask[5], mask[4], KEY_STATE_TYPE_DNSKEY, deplist) > 0
889  || exists_with_successor(keylist, keylist_size, future_key, 1, mask[6], mask[3], KEY_STATE_TYPE_DNSKEY, deplist) > 0
890  || exists_with_successor(keylist, keylist_size, future_key, 1, mask[6], mask[4], KEY_STATE_TYPE_DNSKEY, deplist) > 0
891  || unsignedOk(keylist, keylist_size, future_key, mask[7], KEY_STATE_TYPE_DS) > 0)
892  {
893  return 1;
894  }
895  return 0;
896 }
897 
904 static int
905 rule3(key_data_t** keylist, size_t keylist_size, struct future_key *future_key,
907 {
908  static const key_state_state_t mask[6][4] = {
909  /*
910  * This indicates a good key state.
911  */
912  { NA, OMNIPRESENT, NA, OMNIPRESENT },
913  /*
914  * This indicates a introducing DNSKEY state.
915  */
916  { NA, RUMOURED, NA, OMNIPRESENT },
917  /*
918  * This indicates a outroducing DNSKEY state.
919  */
920  { NA, UNRETENTIVE, NA, OMNIPRESENT },
921  /*
922  * This indicates a introducing RRSIG state.
923  */
924  { NA, OMNIPRESENT, NA, RUMOURED },
925  /*
926  * This indicates a outroducing RRSIG state.
927  */
928  { NA, OMNIPRESENT, NA, UNRETENTIVE },
929  /*
930  * This indicates an unsigned state.
931  */
932  { NA, HIDDEN, NA, OMNIPRESENT }
933  };
934 
935  if (!keylist) {
936  return -1;
937  }
938  if (!future_key) {
939  return -1;
940  }
941  if (!future_key->key) {
942  return -1;
943  }
944 
945  future_key->pretend_update = pretend_update;
946 
947  /*
948  * Return positive value if any of the masks are found.
949  */
950  if (exists(keylist, keylist_size, future_key, 1, mask[0]) > 0
951  || exists_with_successor(keylist, keylist_size, future_key, 1, mask[2], mask[1], KEY_STATE_TYPE_DNSKEY, deplist) > 0
952  || exists_with_successor(keylist, keylist_size, future_key, 1, mask[4], mask[3], KEY_STATE_TYPE_RRSIG, deplist) > 0
953  || unsignedOk(keylist, keylist_size, future_key, mask[5], KEY_STATE_TYPE_DNSKEY) > 0)
954  {
955  return 1;
956  }
957  return 0;
958 }
959 
966 static int
967 dnssecApproval(key_data_t** keylist, size_t keylist_size,
968  struct future_key* future_key, int allow_unsigned,
969  key_dependency_list_t* deplist)
970 {
971  if (!keylist) {
972  return -1;
973  }
974  if (!future_key) {
975  return -1;
976  }
977  if (!deplist) {
978  return -1;
979  }
980 
981  /*
982  * Check if DNSSEC state will be invalid by the transition by checking that
983  * all 3 DNSSEC rules apply. Rule 1 only applies if we are not allowing an
984  * unsigned state.
985  *
986  * A rule is first checked against the current state of the key_state and if
987  * the current state is not valid an transition is allowed for that rule in
988  * order to try and move out of an invalid DNSSEC state.
989  *
990  * Next the rule is checked against the desired state and if that state is a
991  * valid DNSSEC state then the transition is allowed.
992  *
993  * rule1 - Handles DS states
994  * rule2 - Handles DNSKEY states.
995  * rule3 - Handles signatures.
996  */
997  if ((allow_unsigned
998  || !rule1(keylist, keylist_size, future_key, 0)
999  || rule1(keylist, keylist_size, future_key, 1) > 0)
1000  && (!rule2(keylist, keylist_size, future_key, 0, deplist)
1001  || rule2(keylist, keylist_size, future_key, 1, deplist) > 0)
1002  && (!rule3(keylist, keylist_size, future_key, 0, deplist)
1003  || rule3(keylist, keylist_size, future_key, 1, deplist) > 0))
1004  {
1005  /*
1006  * All rules apply, we allow transition.
1007  */
1008  return 1;
1009  }
1010 
1011  return 0;
1012 }
1013 
1022 static time_t
1023 minTransitionTime(policy_t* policy, key_state_type_t type,
1024  key_state_state_t next_state, const time_t lastchange, const int ttl)
1025 {
1026  if (!policy) {
1027  return -1;
1028  }
1029 
1030  /*
1031  * We may freely move a record to a uncertain state.
1032  */
1033  if (next_state == RUMOURED || next_state == UNRETENTIVE) {
1034  return lastchange;
1035  }
1036 
1037  switch (type) {
1038  case KEY_STATE_TYPE_DS:
1039  return addtime(lastchange, ttl
1042 
1043  /* TODO: 5011 will create special case here */
1044  case KEY_STATE_TYPE_DNSKEY: /* intentional fall-through */
1046  return addtime(lastchange, ttl
1048  + ( next_state == OMNIPRESENT
1049  ? policy_keys_publish_safety(policy)
1050  : policy_keys_retire_safety(policy) ));
1051 
1052  case KEY_STATE_TYPE_RRSIG:
1053  return addtime(lastchange, ttl
1054  + policy_zone_propagation_delay(policy));
1055 
1056  default:
1057  break;
1058  }
1059 
1060  return -1;
1061 }
1062 
1072 static int
1073 policyApproval(key_data_t** keylist, size_t keylist_size,
1074  struct future_key* future_key, key_dependency_list_t* deplist)
1075 {
1076  static const key_state_state_t dnskey_algorithm_rollover[4] = { OMNIPRESENT, OMNIPRESENT, OMNIPRESENT, NA };
1077  static const key_state_state_t mask[14][4] = {
1078  /*ZSK*/
1079  { NA, OMNIPRESENT, NA, OMNIPRESENT }, /*This indicates a good key state.*/
1080  { NA, RUMOURED, NA, OMNIPRESENT }, /*This indicates a introducing DNSKEY state.*/
1081  { NA, UNRETENTIVE, NA, OMNIPRESENT }, /*This indicates a outroducing DNSKEY state.*/
1082  { NA, OMNIPRESENT, NA, RUMOURED }, /*This indicates a introducing RRSIG state.*/
1083  { NA, OMNIPRESENT, NA, UNRETENTIVE }, /*This indicates a outroducing RRSIG state.*/
1084  { NA, HIDDEN, NA, OMNIPRESENT }, /*This indicates an unsigned state.*/
1085 
1086  /*KSK*/
1087  { OMNIPRESENT, OMNIPRESENT, OMNIPRESENT, NA }, /*This indicates a good key state.*/
1088  { RUMOURED, OMNIPRESENT, OMNIPRESENT, NA }, /*This indicates an introducing DS state.*/
1089  { UNRETENTIVE, OMNIPRESENT, OMNIPRESENT, NA }, /*This indicates an outroducing DS state.*/
1090  { OMNIPRESENT, RUMOURED, RUMOURED, NA }, /*These indicates an introducing DNSKEY state.*/
1091  { OMNIPRESENT, OMNIPRESENT, RUMOURED, NA },
1092  { OMNIPRESENT, UNRETENTIVE, UNRETENTIVE, NA }, /*These indicates an outroducing DNSKEY state.*/
1094  { HIDDEN, OMNIPRESENT, OMNIPRESENT, NA } /*This indicates an unsigned state.*/
1095  };
1096 
1097  if (!keylist || !future_key || !future_key->key) {
1098  return -1;
1099  }
1100 
1101  /*
1102  * Once the record is introduced the policy has no influence.
1103  */
1104  if (future_key->next_state != RUMOURED) {
1105  return 1;
1106  }
1107 
1108  /*
1109  * Check if policy prevents transition if the next state is rumoured.
1110  */
1111  switch (future_key->type) {
1112  case KEY_STATE_TYPE_DS:
1113  /*
1114  * If we want to minimize the DS transitions make sure the DNSKEY is
1115  * fully propagated.
1116  */
1117  if (key_state_minimize(key_data_cached_ds(future_key->key))
1119  {
1120  /*
1121  * DNSKEY is not fully propagated so we will not do any transitions.
1122  */
1123  return 0;
1124  }
1125  break;
1126 
1127  case KEY_STATE_TYPE_DNSKEY:
1128  if (!key_state_minimize(key_data_cached_dnskey(future_key->key))) {
1129  /*
1130  * There are no restrictions for the DNSKEY transition so we can
1131  * just continue.
1132  */
1133  break;
1134  }
1135 
1136  /*
1137  * Check that signatures has been propagated for CSK/ZSK.
1138  *
1139  * TODO: How is this related to CSK/ZSK, there is no check for key_data_role().
1140  */
1142  && key_state_state(key_data_cached_rrsig(future_key->key)) != NA)
1143  {
1144  /*
1145  * RRSIG not fully propagated so we will not do any transitions.
1146  */
1147  return 0;
1148  }
1149 
1150  /*
1151  * Check if the DS is introduced and continue if it is.
1152  */
1153  if (key_state_state(key_data_cached_ds(future_key->key)) == OMNIPRESENT
1154  || key_state_state(key_data_cached_ds(future_key->key)) == NA)
1155  {
1156  break;
1157  }
1158 
1159  /*
1160  * We might be doing an algorithm rollover so we check if there are
1161  * no other good KSK available and ignore the minimize flag if so.
1162  *
1163  * TODO: How is this related to KSK/CSK? There are no check for key_data_role().
1164  */
1165  if (exists(keylist, keylist_size, future_key, 1, mask[6]) > 0
1166  || exists_with_successor(keylist, keylist_size, future_key, 1, mask[8], mask[7], KEY_STATE_TYPE_DS, deplist) > 0
1167  || exists_with_successor(keylist, keylist_size, future_key, 1, mask[11], mask[9], KEY_STATE_TYPE_DNSKEY, deplist) > 0)
1168  {
1169  /*
1170  * We found a good key, so we will not do any transition.
1171  */
1172  return 0;
1173  }
1174  break;
1175 
1177  /*
1178  * The only time not to introduce RRSIG DNSKEY is when the DNSKEY is
1179  * still hidden.
1180  *
1181  * TODO: How do we know we are introducing the RRSIG DNSKEY? We might be
1182  * outroducing it.
1183  */
1184  if (key_state_state(key_data_cached_dnskey(future_key->key)) == HIDDEN) {
1185  return 0;
1186  }
1187  break;
1188 
1189  case KEY_STATE_TYPE_RRSIG:
1190  if (!key_state_minimize(key_data_cached_rrsig(future_key->key))) {
1191  /*
1192  * There are no restrictions for the RRSIG transition so we can
1193  * just continue.
1194  */
1195  break;
1196  }
1197 
1198  /*
1199  * Check if the DNSKEY is introduced and continue if it is.
1200  */
1201  if (key_state_state(key_data_cached_dnskey(future_key->key)) == OMNIPRESENT) {
1202  break;
1203  }
1204 
1205  /*
1206  * We might be doing an algorithm rollover so we check if there are
1207  * no other good ZSK available and ignore the minimize flag if so.
1208  *
1209  * TODO: How is this related to ZSK/CSK? There are no check for key_data_role().
1210  */
1211  if (exists(keylist, keylist_size, future_key, 1, mask[0]) > 0
1212  || exists_with_successor(keylist, keylist_size, future_key, 1, mask[2], mask[1], KEY_STATE_TYPE_DNSKEY, deplist) > 0
1213  || exists_with_successor(keylist, keylist_size, future_key, 1, mask[4], mask[3], KEY_STATE_TYPE_RRSIG, deplist) > 0
1214  )
1215  {
1216  /*
1217  * We found a good key, so we will not do any transition.
1218  */
1219  return 0;
1220  }
1221  break;
1222 
1223  default:
1224  return 0;
1225  }
1226 
1227  return 1;
1228 }
1229 
1239 static int
1240 getZoneTTL(policy_t* policy, zone_t* zone, key_state_type_t type,
1241  const time_t now)
1242 {
1243  time_t end_date;
1244  int ttl;
1245 
1246  if (!policy) {
1247  return -1;
1248  }
1249  if (!zone) {
1250  return -1;
1251  }
1252 
1253  switch (type) {
1254  case KEY_STATE_TYPE_DS:
1255  end_date = zone_ttl_end_ds(zone);
1256  ttl = policy_parent_ds_ttl(policy);
1257  break;
1258 
1259  case KEY_STATE_TYPE_DNSKEY: /* Intentional fall-through */
1261  end_date = zone_ttl_end_dk(zone);
1262  ttl = policy_keys_ttl(policy);
1263  break;
1264 
1265  case KEY_STATE_TYPE_RRSIG:
1266  end_date = zone_ttl_end_rs(zone);
1267  ttl = max(min(policy_zone_soa_ttl(policy), policy_zone_soa_minimum(policy)),
1270  ? policy_denial_ttl(policy)
1271  : policy_signatures_max_zone_ttl(policy) )
1272  : policy_signatures_max_zone_ttl(policy) ));
1273  break;
1274 
1275  default:
1276  return -1;
1277  }
1278 
1279  return max((int)difftime(end_date, now), ttl);
1280 }
1281 
1288 static int
1289 isSuccessable(struct future_key* future_key)
1290 {
1291  if (!future_key) {
1292  return -1;
1293  }
1294 
1295  if (future_key->next_state != UNRETENTIVE) {
1296  return 0;
1297  }
1298 
1299  switch (future_key->type) {
1300  case KEY_STATE_TYPE_DS:
1301  case KEY_STATE_TYPE_RRSIG:
1302  if (key_state_state(key_data_cached_dnskey(future_key->key)) != OMNIPRESENT) {
1303  return 0;
1304  }
1305  break;
1306 
1308  return 0;
1309 
1310  case KEY_STATE_TYPE_DNSKEY:
1311  if (key_state_state(key_data_cached_ds(future_key->key)) != OMNIPRESENT
1313  {
1314  return 0;
1315  }
1316  break;
1317 
1318  default:
1319  return -1;
1320  }
1321 
1322  return 1;
1323 }
1324 
1331 static int
1332 markSuccessors(db_connection_t *dbconn, key_data_t** keylist,
1333  size_t keylist_size, struct future_key *future_key,
1334  key_dependency_list_t* deplist, const zone_t* zone)
1335 {
1336  static const char *scmd = "markSuccessors";
1337  size_t i;
1340 
1341  if (!dbconn) {
1342  return -1;
1343  }
1344  if (!keylist) {
1345  return -1;
1346  }
1347  if (!future_key) {
1348  return -1;
1349  }
1350  if (!deplist) {
1351  return -1;
1352  }
1353  if (!zone) {
1354  return -1;
1355  }
1356 
1357  if (isSuccessable(future_key) < 1) {
1358  return 0;
1359  }
1360 
1361  for (i = 0; i < keylist_size; i++) {
1362  if (isPotentialSuccessor(keylist[i], future_key->key, future_key, future_key->type) > 0) {
1363  switch (future_key->type) {
1364  case KEY_STATE_TYPE_DS:
1365  key_dependency_type = KEY_DEPENDENCY_TYPE_DS;
1366  break;
1367 
1368  case KEY_STATE_TYPE_DNSKEY:
1369  key_dependency_type = KEY_DEPENDENCY_TYPE_DNSKEY;
1370  break;
1371 
1373  key_dependency_type = KEY_DEPENDENCY_TYPE_RRSIGDNSKEY;
1374  break;
1375 
1376  case KEY_STATE_TYPE_RRSIG:
1377  key_dependency_type = KEY_DEPENDENCY_TYPE_RRSIG;
1378  break;
1379 
1380  default:
1381  return -1;
1382  }
1383 
1384  if (!(key_dependency = key_dependency_new(dbconn))
1385  || key_dependency_set_from_key_data_id(key_dependency, key_data_id(future_key->key))
1386  || key_dependency_set_to_key_data_id(key_dependency, key_data_id(keylist[i]))
1387  || key_dependency_set_type(key_dependency, key_dependency_type)
1388  || key_dependency_set_zone_id(key_dependency, zone_id(zone))
1389  || key_dependency_create(key_dependency))
1390  {
1391  ods_log_error("[%s] %s: unable to create key dependency between %s and %s",
1392  module_str, scmd,
1395  key_dependency_free(key_dependency);
1396  return -1;
1397  }
1398  key_dependency_free(key_dependency);
1399  }
1400  }
1401 
1402  return 1;
1403 }
1404 
1414 static time_t
1415 updateZone(db_connection_t *dbconn, policy_t* policy, zone_t* zone,
1416  const time_t now, int allow_unsigned, int *zone_updated,
1417  key_data_t** keylist, size_t keylist_size, key_dependency_list_t *deplist)
1418 {
1419  time_t returntime_zone = -1;
1420  unsigned int ttl;
1421  static const char *scmd = "updateZone";
1422  size_t i;
1423  unsigned int j, change;
1424  static const key_state_type_t type[] = {
1429  };
1430  struct future_key future_key;
1432  key_state_state_t state;
1433  time_t returntime_key;
1435  int key_data_updated, process, key_state_created;
1436  const db_enum_t* state_enum, *next_state_enum, *type_enum;
1437  key_dependency_list_t *deplisttmp = NULL;
1438 
1439  if (!dbconn) {
1440  /* TODO: better log error */
1441  ods_log_error("[%s] %s: no dbconn", module_str, scmd);
1442  return returntime_zone;
1443  }
1444  if (!policy) {
1445  /* TODO: better log error */
1446  ods_log_error("[%s] %s: no policy", module_str, scmd);
1447  return returntime_zone;
1448  }
1449  if (!zone) {
1450  /* TODO: better log error */
1451  ods_log_error("[%s] %s: no zone", module_str, scmd);
1452  return returntime_zone;
1453  }
1454  if (!zone_updated) {
1455  /* TODO: better log error */
1456  ods_log_error("[%s] %s: no zone_updated", module_str, scmd);
1457  return returntime_zone;
1458  }
1459  if (!keylist) {
1460  /* TODO: better log error */
1461  ods_log_error("[%s] %s: no keylist", module_str, scmd);
1462  return returntime_zone;
1463  }
1464  if (!deplist) {
1465  /* TODO: better log error */
1466  ods_log_error("[%s] %s: no deplist", module_str, scmd);
1467  return returntime_zone;
1468  }
1469 
1470  ods_log_verbose("[%s] %s: processing %s with policyName %s", module_str, scmd, zone_name(zone), policy_name(policy));
1471 
1472  deplisttmp = zone_get_key_dependencies(zone);
1473 
1474  /*
1475  * The process variable will indicate if we are processing, if something
1476  * fails and sets it to 0 then it will fall through to the end.
1477  */
1478  process = 1;
1479 
1480  /*
1481  * This code keeps track of TTL changes. If in the past a large TTL is used,
1482  * our keys *may* need to transition extra careful to make sure each
1483  * resolver picks up the RRset. When this date passes we may start using the
1484  * policies TTL.
1485  */
1486  if (process && zone_ttl_end_ds(zone) <= now) {
1487  if (zone_set_ttl_end_ds(zone, addtime(now, policy_parent_ds_ttl(policy)))) {
1488  ods_log_error("[%s] %s: zone_set_ttl_end_ds() failed", module_str, scmd);
1489  process = 0;
1490  }
1491  else {
1492  *zone_updated = 1;
1493  }
1494  }
1495  if (process && zone_ttl_end_dk(zone) <= now) {
1496  /*
1497  * If no DNSKEY is currently published we must take negative caching
1498  * into account.
1499  */
1500  for (i = 0; i < keylist_size; i++) {
1501  if (key_state_state(key_data_cached_dnskey(keylist[i])) == OMNIPRESENT) {
1502  break;
1503  }
1504  }
1505  if (keylist_size < i) {
1506  ttl = max(policy_keys_ttl(policy),
1507  min(policy_zone_soa_ttl(policy), policy_zone_soa_minimum(policy)));
1508  }
1509  else {
1510  ttl = policy_keys_ttl(policy);
1511  }
1512  if (zone_set_ttl_end_dk(zone, addtime(now, ttl))) {
1513  ods_log_error("[%s] %s: zone_set_ttl_end_dk() failed", module_str, scmd);
1514  process = 0;
1515  }
1516  else {
1517  *zone_updated = 1;
1518  }
1519  }
1520  if (process && zone_ttl_end_rs(zone) <= now) {
1522  ttl = max(policy_signatures_max_zone_ttl(policy), policy_denial_ttl(policy));
1523  }
1524  else {
1525  ttl = policy_signatures_max_zone_ttl(policy);
1526  }
1527  if (zone_set_ttl_end_rs(zone, addtime(now, max(
1528  min(policy_zone_soa_ttl(policy), policy_zone_soa_minimum(policy)),
1529  ttl))))
1530  {
1531  ods_log_error("[%s] %s: zone_set_ttl_end_rs() failed", module_str, scmd);
1532  process = 0;
1533  }
1534  else {
1535  *zone_updated = 1;
1536  }
1537  }
1538 
1539  /*
1540  * Create key states that do not exist.
1541  */
1542  for (i = 0; process && i < keylist_size; i++) {
1543  key_state_created = 0;
1544  if (!key_data_cached_ds(keylist[i])) {
1545  if (!(key_state = key_state_new(dbconn))
1546  || key_state_set_key_data_id(key_state, key_data_id(keylist[i]))
1547  || key_state_set_type(key_state, KEY_STATE_TYPE_DS)
1548  || key_state_set_minimize(key_state, (key_data_minimize(keylist[i]) >> 2) & 1)
1549  || key_state_set_state(key_state, key_data_role(keylist[i]) & KEY_DATA_ROLE_KSK ? HIDDEN : NA)
1550  || key_state_set_last_change(key_state, now)
1551  || key_state_set_ttl(key_state, getZoneTTL(policy, zone, KEY_STATE_TYPE_DS, now))
1552  || key_state_create(key_state))
1553  {
1554  ods_log_error("[%s] %s: key state DS creation failed", module_str, scmd);
1555  process = 0;
1556  key_state_free(key_state);
1557  key_state = NULL;
1558  break;
1559  }
1560  key_state_created = 1;
1561  key_state_free(key_state);
1562  key_state = NULL;
1563 
1564  if (!zone_signconf_needs_writing(zone)) {
1565  if (zone_set_signconf_needs_writing(zone, 1)) {
1566  ods_log_error("[%s] %s: zone_set_signconf_needs_writing() failed", module_str, scmd);
1567  process = 0;
1568  break;
1569  }
1570  else {
1571  *zone_updated = 1;
1572  }
1573  }
1574  }
1575  if (!key_data_cached_dnskey(keylist[i])) {
1576  if (!(key_state = key_state_new(dbconn))
1577  || key_state_set_key_data_id(key_state, key_data_id(keylist[i]))
1579  || key_state_set_minimize(key_state, (key_data_minimize(keylist[i]) >> 1) & 1)
1580  || key_state_set_state(key_state, HIDDEN)
1581  || key_state_set_last_change(key_state, now)
1582  || key_state_set_ttl(key_state, getZoneTTL(policy, zone, KEY_STATE_TYPE_DNSKEY, now))
1583  || key_state_create(key_state))
1584  {
1585  ods_log_error("[%s] %s: key state DNSKEY creation failed", module_str, scmd);
1586  process = 0;
1587  key_state_free(key_state);
1588  key_state = NULL;
1589  break;
1590  }
1591  key_state_created = 1;
1592  key_state_free(key_state);
1593  key_state = NULL;
1594 
1595  if (!zone_signconf_needs_writing(zone)) {
1596  if (zone_set_signconf_needs_writing(zone, 1)) {
1597  ods_log_error("[%s] %s: zone_set_signconf_needs_writing() failed", module_str, scmd);
1598  process = 0;
1599  break;
1600  }
1601  else {
1602  *zone_updated = 1;
1603  }
1604  }
1605  }
1606  if (!key_data_cached_rrsigdnskey(keylist[i])) {
1607  if (!(key_state = key_state_new(dbconn))
1608  || key_state_set_key_data_id(key_state, key_data_id(keylist[i]))
1610  || key_state_set_state(key_state, key_data_role(keylist[i]) & KEY_DATA_ROLE_KSK ? HIDDEN : NA)
1611  || key_state_set_last_change(key_state, now)
1612  || key_state_set_ttl(key_state, getZoneTTL(policy, zone, KEY_STATE_TYPE_RRSIGDNSKEY, now))
1613  || key_state_create(key_state))
1614  {
1615  ods_log_error("[%s] %s: key state RRSIGDNSKEY creation failed", module_str, scmd);
1616  process = 0;
1617  key_state_free(key_state);
1618  key_state = NULL;
1619  break;
1620  }
1621  key_state_created = 1;
1622  key_state_free(key_state);
1623  key_state = NULL;
1624 
1625  if (!zone_signconf_needs_writing(zone)) {
1626  if (zone_set_signconf_needs_writing(zone, 1)) {
1627  ods_log_error("[%s] %s: zone_set_signconf_needs_writing() failed", module_str, scmd);
1628  process = 0;
1629  break;
1630  }
1631  else {
1632  *zone_updated = 1;
1633  }
1634  }
1635  }
1636  if (!key_data_cached_rrsig(keylist[i])) {
1637  if (!(key_state = key_state_new(dbconn))
1638  || key_state_set_key_data_id(key_state, key_data_id(keylist[i]))
1639  || key_state_set_type(key_state, KEY_STATE_TYPE_RRSIG)
1640  || key_state_set_minimize(key_state, key_data_minimize(keylist[i]) & 1)
1641  || key_state_set_state(key_state, key_data_role(keylist[i]) & KEY_DATA_ROLE_ZSK ? HIDDEN : NA)
1642  || key_state_set_last_change(key_state, now)
1643  || key_state_set_ttl(key_state, getZoneTTL(policy, zone, KEY_STATE_TYPE_RRSIG, now))
1644  || key_state_create(key_state))
1645  {
1646  ods_log_error("[%s] %s: key state RRSIG creation failed", module_str, scmd);
1647  process = 0;
1648  key_state_free(key_state);
1649  key_state = NULL;
1650  break;
1651  }
1652  key_state_created = 1;
1653  key_state_free(key_state);
1654  key_state = NULL;
1655 
1656  if (!zone_signconf_needs_writing(zone)) {
1657  if (zone_set_signconf_needs_writing(zone, 1)) {
1658  ods_log_error("[%s] %s: zone_set_signconf_needs_writing() failed", module_str, scmd);
1659  process = 0;
1660  break;
1661  }
1662  else {
1663  *zone_updated = 1;
1664  }
1665  }
1666  }
1667  if (key_state_created) {
1668  if (key_data_cache_key_states(keylist[i])) {
1669  ods_log_error("[%s] %s: Unable to recache key states after creating some", module_str, scmd);
1670  process = 0;
1671  break;
1672  }
1673  }
1674  }
1675 
1676  /*
1677  * Keep looping till there are no state changes and find the earliest update
1678  * time to return.
1679  */
1680  do {
1681  change = 0;
1682  for (i = 0; process && i < keylist_size; i++) {
1683  ods_log_verbose("[%s] %s: processing key %s %u", module_str, scmd,
1684  hsm_key_locator(key_data_cached_hsm_key(keylist[i])), key_data_minimize(keylist[i]));
1685 
1686  for (j = 0; process && j < (sizeof(type) / sizeof(key_state_state_t)); j++) {
1687  /*
1688  * If the state or desired_state is invalid something went wrong
1689  * and we should return.
1690  */
1691  if ((state = getState(keylist[i], type[j], NULL)) == KEY_STATE_STATE_INVALID
1692  || (next_state = getDesiredState(key_data_introducing(keylist[i]), state)) == KEY_STATE_STATE_INVALID)
1693  {
1694  ods_log_error("[%s] %s: (state || next_state) == INVALID", module_str, scmd);
1695  process = 0;
1696  break;
1697  }
1698 
1699  /*
1700  * If there is no change in key state we continue.
1701  */
1702  if (state == next_state) {
1703  continue;
1704  }
1705 
1706  /*
1707  * If the key state is a DS then we need to check if we still
1708  * are waiting for user input before we can transition the key.
1709  */
1710  if (type[j] == KEY_STATE_TYPE_DS) {
1711  if ((next_state == OMNIPRESENT
1713  || (next_state == HIDDEN
1715  {
1716  continue;
1717  }
1718  }
1719 
1720  for (type_enum = key_state_enum_set_type; type_enum->text; type_enum++) {
1721  if (type_enum->value == (int)type[j]) {
1722  break;
1723  }
1724  }
1725  for (state_enum = key_state_enum_set_state; state_enum->text; state_enum++) {
1726  if (state_enum->value == (int)state) {
1727  break;
1728  }
1729  }
1730  for (next_state_enum = key_state_enum_set_state; next_state_enum->text; next_state_enum++) {
1731  if (next_state_enum->value == (int)next_state) {
1732  break;
1733  }
1734  }
1735  ods_log_verbose("[%s] %s: May %s %s %s in state %s transition to %s?", module_str, scmd,
1736  key_data_role_text(keylist[i]),
1738  type_enum->text,
1739  state_enum->text,
1740  next_state_enum->text);
1741 
1742  future_key.key = keylist[i];
1743  future_key.type = type[j];
1744  future_key.next_state = next_state;
1745 
1746  /*
1747  * Check if policy prevents transition.
1748  */
1749  if (policyApproval(keylist, keylist_size, &future_key, deplist) < 1) {
1750  continue;
1751  }
1752  ods_log_verbose("[%s] %s Policy says we can (1/3)", module_str, scmd);
1753 
1754  /*
1755  * Check if DNSSEC state prevents transition.
1756  */
1757  if (dnssecApproval(keylist, keylist_size, &future_key, allow_unsigned, deplisttmp) < 1) {
1758  continue;
1759  }
1760  ods_log_verbose("[%s] %s DNSSEC says we can (2/3)", module_str, scmd);
1761 
1762  returntime_key = minTransitionTime(policy, type[j], next_state,
1763  key_state_last_change(getRecord(keylist[i], type[j])),
1764  getZoneTTL(policy, zone, type[j], now));
1765 
1766  /*
1767  * If this is an RRSIG and the DNSKEY is omnipresent and next
1768  * state is a certain state, wait an additional signature
1769  * lifetime to allow for 'smooth rollover'.
1770  */
1771  if (type[j] == KEY_STATE_TYPE_RRSIG
1773  && (next_state == OMNIPRESENT || next_state == HIDDEN))
1774  {
1775  returntime_key = addtime(returntime_key,
1776  policy_signatures_jitter(policy)
1777  + max(policy_signatures_validity_default(policy),
1779  + policy_signatures_resign(policy)
1780  - policy_signatures_refresh(policy));
1781  }
1782 
1783  /*
1784  * It is to soon to make this change. Schedule it.
1785  */
1786  if (returntime_key > now) {
1787  minTime(returntime_key, &returntime_zone);
1788  continue;
1789  }
1790 
1791  ods_log_verbose("[%s] %s Timing says we can (3/3) now: %lu key: %lu",
1792  module_str, scmd, (unsigned long)now, (unsigned long)returntime_key);
1793 
1794  /*
1795  * A record can only reach Omnipresent if properly backed up.
1796  */
1797  if (next_state == OMNIPRESENT) {
1800  {
1801  ods_log_crit("[%s] %s Ready for transition but key material not backed up yet (%s)",
1802  module_str, scmd, hsm_key_locator(key_data_cached_hsm_key(keylist[i])));
1803 
1804  /*
1805  * Try again in 60 seconds
1806  */
1807  returntime_key = addtime(now, 60);
1808  minTime(returntime_key, &returntime_zone);
1809  continue;
1810  }
1811  }
1812 
1813  /*
1814  * If we are handling a DS we depend on the user or
1815  * some other external process. We must communicate
1816  * through the DSSeen and -submit flags.
1817  */
1818  if (type[j] == KEY_STATE_TYPE_DS) {
1819  key_data_updated = 0;
1820 
1821  /*
1822  * Ask the user to submit the DS to the parent.
1823  */
1824  if (next_state == RUMOURED) {
1825  switch (key_data_ds_at_parent(keylist[i])) {
1829  break;
1830 
1832  /*
1833  * Hypothetical case where we reintroduce keys.
1834  */
1836  key_data_updated = 1;
1837  break;
1838 
1839  default:
1841  key_data_updated = 1;
1842  }
1843  }
1844  /*
1845  * Ask the user to remove the DS from the parent.
1846  */
1847  else if (next_state == UNRETENTIVE) {
1848  switch(key_data_ds_at_parent(keylist[i])) {
1850  /*
1851  * Never submitted.
1852  * NOTE: not safe if we support reintroducing of keys.
1853  */
1855  key_data_updated = 1;
1856  break;
1857 
1861  break;
1862 
1863  default:
1865  key_data_updated = 1;
1866  }
1867  }
1868 
1869  /*
1870  * Save the changes made to the key data if any.
1871  */
1872  if (key_data_updated) {
1873  if (key_data_update(keylist[i])) {
1874  ods_log_error("[%s] %s: key data update failed", module_str, scmd);
1875  process = 0;
1876  break;
1877  }
1878  /*
1879  * We now need to reread the key data object.
1880  *
1881  * TODO: This needs investigation how to do better.
1882  */
1883  if (key_data_get_by_id(keylist[i], key_data_id(keylist[i]))
1884  || key_data_cache_key_states(keylist[i])
1885  || key_data_cache_hsm_key(keylist[i]))
1886  {
1887  ods_log_error("[%s] %s: key data reread failed", module_str, scmd);
1888  process = 0;
1889  break;
1890  }
1891  }
1892  }
1893 
1894  /*
1895  * We've passed all tests! Make the transition.
1896  */
1897  key_state = NULL;
1898 
1899  switch (future_key.type) {
1900  case KEY_STATE_TYPE_DS:
1901  key_state = key_data_get_cached_ds(future_key.key);
1902  break;
1903 
1904  case KEY_STATE_TYPE_DNSKEY:
1905  key_state = key_data_get_cached_dnskey(future_key.key);
1906  break;
1907 
1908  case KEY_STATE_TYPE_RRSIG:
1909  key_state = key_data_get_cached_rrsig(future_key.key);
1910  break;
1911 
1913  key_state = key_data_get_cached_rrsigdnskey(future_key.key);
1914  break;
1915 
1916  default:
1917  ods_log_error("[%s] %s: future key type error", module_str, scmd);
1918  process = 0;
1919  break;
1920  }
1921 
1922  for (next_state_enum = key_state_enum_set_state; next_state_enum->text; next_state_enum++) {
1923  if (next_state_enum->value == (int)next_state) {
1924  break;
1925  }
1926  }
1927  ods_log_verbose("[%s] %s: Transitioning %s %s %s from %s to %s", module_str, scmd,
1928  key_data_role_text(keylist[i]),
1930  key_state_type_text(key_state),
1931  key_state_state_text(key_state),
1932  next_state_enum->text);
1933 
1934  if (key_state_set_state(key_state, future_key.next_state)
1935  || key_state_set_last_change(key_state, now)
1936  || key_state_set_ttl(key_state, getZoneTTL(policy, zone, future_key.type, now))
1937  || key_state_update(key_state))
1938  {
1939  ods_log_error("[%s] %s: key state transition failed", module_str, scmd);
1940  process = 0;
1941  key_state_free(key_state);
1942  break;
1943  }
1944  key_state_free(key_state);
1945 
1946  if (!zone_signconf_needs_writing(zone)) {
1947  if (zone_set_signconf_needs_writing(zone, 1)) {
1948  ods_log_error("[%s] %s: zone_set_signconf_needs_writing() failed", module_str, scmd);
1949  process = 0;
1950  break;
1951  }
1952  else {
1953  *zone_updated = 1;
1954  }
1955  }
1956 
1957  if (markSuccessors(dbconn, keylist, keylist_size, &future_key, deplisttmp, zone) < 0) {
1958  ods_log_error("[%s] %s: markSuccessors() error", module_str, scmd);
1959  process = 0;
1960  break;
1961  }
1962  /*deps have changed reload*/
1963  key_dependency_list_free(deplisttmp);
1964  deplisttmp = zone_get_key_dependencies(zone);
1965 
1966 
1967  if (key_data_cache_key_states(keylist[i])) {
1968  ods_log_error("[%s] %s: Unable to recache key states after transition", module_str, scmd);
1969  process = 0;
1970  break;
1971  }
1972 
1973  change = true;
1974  }
1975  }
1976  } while (process && change);
1977  key_dependency_list_free(deplisttmp);
1978  return returntime_zone;
1979 }
1980 
1984 static const hsm_key_t*
1985 getLastReusableKey(key_data_list_t *key_list, const policy_key_t *pkey)
1986 {
1987  const key_data_t *key;
1988  const hsm_key_t *hkey, *hkey_young = NULL;
1989  hsm_key_list_t* hsmkeylist;
1990  int match;
1991  int cmp;
1992 
1993  if (!key_list || !pkey)
1994  return NULL;
1995 
1996  hsmkeylist = hsm_key_list_new_get_by_policy_key(pkey);
1997  for (hkey = hsm_key_list_get_begin(hsmkeylist); hkey;
1998  hkey = hsm_key_list_get_next(hsmkeylist))
1999  {
2001  if ((~hsm_key_role(hkey) & policy_key_role(pkey)) != 0)
2002  continue;
2003 
2006  if (hkey->state == HSM_KEY_STATE_UNUSED)
2007  continue;
2008 
2010  for (match = 0, key = key_data_list_begin(key_list); key; key = key_data_list_next(key_list)) {
2011  if (!db_value_cmp(key_data_hsm_key_id(key), hsm_key_id(hkey), &cmp)
2012  && cmp == 0)
2013  {
2015  match = 1;
2016  break;
2017  }
2018  }
2019  if (match) continue;
2020 
2022  if (!hkey_young || hsm_key_inception(hkey_young) < hsm_key_inception(hkey))
2023  hkey_young = hkey;
2024  }
2025 
2026  hsm_key_list_free(hsmkeylist);
2027  return hkey_young;
2028 }
2029 
2038 static int
2039 existsPolicyForKey(policy_key_list_t *policykeylist, const key_data_t *key)
2040 {
2041  static const char *scmd = "existsPolicyForKey";
2042  const policy_key_t *pkey;
2043  hsm_key_t *hkey;
2044 
2045  if (!policykeylist) {
2046  return -1;
2047  }
2048  if (!key) {
2049  return -1;
2050  }
2051 
2052  if (!(hkey = key_data_get_hsm_key(key))) {
2053  /*
2054  * This key is not associated with actual key material!
2055  * This is a bug or database corruption.
2056  * Crashing here is an option but we just return false so the
2057  * key will be thrown away in a graceful manner.
2058  */
2059  ods_log_verbose("[%s] %s no hsmkey!", module_str, scmd);
2060  return 0;
2061  }
2062  pkey = policy_key_list_begin(policykeylist);
2063  while (pkey) {
2064  if ((int)policy_key_role(pkey) == (int)key_data_role(key) &&
2065  hsm_key_repository(hkey) && policy_key_repository(pkey) &&
2066  strcmp(hsm_key_repository(hkey), policy_key_repository(pkey)) == 0 &&
2067  hsm_key_algorithm(hkey) == policy_key_algorithm(pkey) &&
2068  hsm_key_bits(hkey) == policy_key_bits(pkey))
2069  {
2070  hsm_key_free(hkey);
2071  return 1;
2072  }
2073  pkey = policy_key_list_next(policykeylist);
2074  }
2075  ods_log_verbose("[%s] %s not found such config", module_str, scmd);
2076  hsm_key_free(hkey);
2077  return 0;
2078 }
2079 
2080 static int
2081 last_inception_policy(key_data_list_t *key_list, const policy_key_t *pkey)
2082 {
2083  const key_data_t *key = NULL;
2084  hsm_key_t *hsmkey = NULL;
2085  int max_inception = -1;
2086 
2087  if (!key_list || !pkey) return -1;
2088 
2089  /*
2090  * Must match: role, bits, algorithm and repository.
2091  */
2092  for (key = key_data_list_begin(key_list); key;
2093  key = key_data_list_next(key_list))
2094  {
2095  if ((int)policy_key_role(pkey) != (int)key_data_role(key) ||
2096  policy_key_algorithm(pkey) != key_data_algorithm(key) ||
2097  (hsmkey = key_data_get_hsm_key(key)) == NULL ||
2098  policy_key_bits(pkey) != hsm_key_bits(hsmkey) ||
2099  policy_key_algorithm(pkey) != hsm_key_algorithm(hsmkey) ||
2100  strcmp(policy_key_repository(pkey), hsm_key_repository(hsmkey)))
2101  {
2102  hsm_key_free(hsmkey);
2103  hsmkey = NULL;
2104  continue;
2105  }
2106  hsm_key_free(hsmkey);
2107  hsmkey = NULL;
2109  if (max_inception == -1 || max_inception < (signed int)key_data_inception(key))
2110  {
2111  max_inception = key_data_inception(key);
2112  }
2113  }
2114  return max_inception;
2115 }
2116 
2125 static int
2126 key_for_conf(key_data_list_t *key_list, const policy_key_t *pkey)
2127 {
2128  const key_data_t *key;
2129 
2130  if (!key_list) {
2131  return 0;
2132  }
2133  if (!pkey) {
2134  return 0;
2135  }
2136 
2137  for (key = key_data_list_begin(key_list); key;
2138  key = key_data_list_next(key_list))
2139  {
2140  if (policy_key_algorithm(pkey) == key_data_algorithm(key) &&
2141  (int)policy_key_role(pkey) == (int)key_data_role(key))
2142  {
2143  return 1;
2144  }
2145  }
2146  return 0;
2147 }
2148 
2155 static void
2156 setnextroll(zone_t *zone, const policy_key_t *pkey, time_t t)
2157 {
2158  assert(zone);
2159  assert(pkey);
2160 
2161  switch(policy_key_role(pkey)) {
2162  case POLICY_KEY_ROLE_KSK:
2163  zone->next_ksk_roll = (unsigned int)t;
2164  break;
2165  case POLICY_KEY_ROLE_ZSK:
2166  zone->next_zsk_roll = (unsigned int)t;
2167  break;
2168  case POLICY_KEY_ROLE_CSK:
2169  zone->next_csk_roll = (unsigned int)t;
2170  break;
2171  default:
2172  assert(0);
2173  }
2174 }
2175 
2176 static int
2177 enforce_roll(const zone_t *zone, const policy_key_t *pkey)
2178 {
2179  if (!zone) {
2180  return 0;
2181  }
2182  if (!pkey) {
2183  return 0;
2184  }
2185 
2186  switch(policy_key_role(pkey)) {
2187  case POLICY_KEY_ROLE_KSK:
2188  return zone_roll_ksk_now(zone);
2189  case POLICY_KEY_ROLE_ZSK:
2190  return zone_roll_zsk_now(zone);
2191  case POLICY_KEY_ROLE_CSK:
2192  return zone_roll_csk_now(zone);
2193  default:
2194  return 0;
2195  }
2196 }
2197 
2198 static int
2199 set_roll(zone_t *zone, const policy_key_t *pkey, unsigned int roll)
2200 {
2201  if (!zone) {
2202  return 0;
2203  }
2204  if (!pkey) {
2205  return 0;
2206  }
2207 
2208  switch(policy_key_role(pkey)) {
2209  case POLICY_KEY_ROLE_KSK:
2210  return zone_set_roll_ksk_now(zone, roll);
2211  case POLICY_KEY_ROLE_ZSK:
2212  return zone_set_roll_zsk_now(zone, roll);
2213  case POLICY_KEY_ROLE_CSK:
2214  return zone_set_roll_csk_now(zone, roll);
2215  default:
2216  return 1;
2217  }
2218 }
2219 
2229 static time_t
2230 updatePolicy(engine_type *engine, db_connection_t *dbconn, policy_t *policy,
2231  zone_t *zone, const time_t now, int *allow_unsigned, int *zone_updated)
2232 {
2233  time_t return_at = -1;
2234  key_data_list_t *keylist;
2235  policy_key_list_t *policykeylist;
2236  const key_data_t *key;
2237  key_data_t *mutkey = NULL;
2238  key_data_t *mutkey2 = NULL;
2239  const policy_key_t *pkey;
2240  const hsm_key_t *hsmkey;
2241  hsm_key_t *hsmkey2 = NULL;
2242  hsm_key_t *newhsmkey = NULL;
2243  static const char *scmd = "updatePolicy";
2244  int force_roll;
2245  time_t t_ret;
2246  key_data_role_t key_role;
2247  int err;
2248  uint16_t tag;
2249  int ret;
2250 
2251  if (!dbconn) {
2252  /* TODO: better log error */
2253  ods_log_error("[%s] %s: no dbconn", module_str, scmd);
2254  return now + 60;
2255  }
2256  if (!policy) {
2257  /* TODO: better log error */
2258  ods_log_error("[%s] %s: no policy", module_str, scmd);
2259  return now + 60;
2260  }
2261  if (!zone) {
2262  /* TODO: better log error */
2263  ods_log_error("[%s] %s: no zone", module_str, scmd);
2264  return now + 60;
2265  }
2266  if (!allow_unsigned) {
2267  /* TODO: better log error */
2268  ods_log_error("[%s] %s: no allow_unsigned", module_str, scmd);
2269  return now + 60;
2270  }
2271  if (!zone_updated) {
2272  /* TODO: better log error */
2273  ods_log_error("[%s] %s: no zone_updated", module_str, scmd);
2274  return now + 60;
2275  }
2276 
2277  ods_log_verbose("[%s] %s: policyName: %s", module_str, scmd, policy_name(policy));
2278 
2279  /*
2280  * Get all policy keys (configurations) for the given policy and fetch all
2281  * the policy key database objects so we can iterate over it more then once.
2282  */
2283  if (!(policykeylist = policy_get_policy_keys(policy))) {
2284  /* TODO: better log error */
2285  ods_log_error("[%s] %s: error policy_get_policy_keys()", module_str, scmd);
2286  policy_key_list_free(policykeylist);
2287  return now + 60;
2288  }
2289 
2290  /*
2291  * Get all key data objects for the given zone and fetch all the objects
2292  * from the database so we can use the list again later.
2293  */
2294  if (!(keylist = zone_get_keys(zone))) {
2295  /* TODO: better log error */
2296  ods_log_error("[%s] %s: error zone_get_keys()", module_str, scmd);
2297  key_data_list_free(keylist);
2298  policy_key_list_free(policykeylist);
2299  return now + 60;
2300  }
2301 
2302  /*
2303  * Decommission all key data objects without any matching policy key config.
2304  */
2305  while ((key = key_data_list_next(keylist))) {
2306  ret = existsPolicyForKey(policykeylist, key);
2307  if (ret < 0) {
2308  /* TODO: better log error */
2309  ods_log_error("[%s] %s: error existsPolicyForKey() < 0", module_str, scmd);
2310  key_data_list_free(keylist);
2311  policy_key_list_free(policykeylist);
2312  return now + 60;
2313  }
2314  if (!ret) {
2315  if (!(mutkey = key_data_new_copy(key))
2316  || key_data_set_introducing(mutkey, 0)
2317  || key_data_update(mutkey))
2318  {
2319  /* TODO: better log error */
2320  ods_log_error("[%s] %s: error update mutkey", module_str, scmd);
2321  key_data_free(mutkey);
2322  key_data_list_free(keylist);
2323  policy_key_list_free(policykeylist);
2324  return now + 60;
2325  }
2326  key_data_free(mutkey);
2327  mutkey = NULL;
2328  }
2329  }
2330 
2331  pkey = policy_key_list_begin(policykeylist);
2332 
2333  /*
2334  * If no keys are configured an unsigned zone is okay.
2335  */
2336  *allow_unsigned = pkey ? 0 : 1;
2337 
2338  /* If there are no keys configured set 'signconf_needs_writing'
2339  * every time this function is called */
2340  if (!policy_key_list_size(policykeylist)) {
2341  if (zone_set_signconf_needs_writing(zone, 1)) {
2342  ods_log_error("[%s] %s: zone_set_signconf_needs_writing() failed", module_str, scmd);
2343  } else {
2344  *zone_updated = 1;
2345  }
2346  }
2347 
2348  for (; pkey; pkey = policy_key_list_next(policykeylist)) {
2349  newhsmkey = NULL;
2350  /*
2351  * Check if we should roll, first get the roll state from the zone then
2352  * check if the policy key is set to manual rollover and last check the
2353  * key timings.
2354  */
2355  force_roll = enforce_roll(zone, pkey);
2356  if (policy_key_manual_rollover(pkey)) {
2357  /*
2358  * If this policy key is set to manual rollover and we do not have
2359  * a key yet (for ex first run) then we should roll anyway.
2360  */
2361  if (!key_for_conf(keylist, pkey)) {
2362  force_roll = 1;
2363  }
2364  else if (!force_roll) {
2365  /*
2366  * Since this is set to manual rollover we do not want it to
2367  * roll unless we have zone state saying that we should roll.
2368  */
2369  continue;
2370  }
2371  }
2372  if (!force_roll) {
2373  int inception = -1;
2374  /*
2375  * We do not need to roll but we should check if the youngest key
2376  * needs to be replaced. If not we reschedule for later based on the
2377  * youngest key.
2378  * TODO: Describe better why the youngest?!?
2379  */
2380  inception = last_inception_policy(keylist, pkey);
2381  if (inception != -1 &&
2382  inception + policy_key_lifetime(pkey) > now)
2383  {
2384  t_ret = addtime(inception, policy_key_lifetime(pkey));
2385  minTime(t_ret, &return_at);
2386  setnextroll(zone, pkey, t_ret);
2387  *zone_updated = 1;
2388  continue;
2389  }
2390  }
2391 
2392  /*
2393  * Time for a new key
2394  */
2395  ods_log_verbose("[%s] %s: New key needed for role %s",
2396  module_str, scmd, policy_key_role_text(pkey));
2397 
2398  /*
2399  * Sanity check for unreasonable short key lifetime.
2400  * This would produce silly output and give the signer lots of useless
2401  * work to do otherwise.
2402  */
2403  if ((policy_key_role(pkey) == POLICY_KEY_ROLE_KSK ||
2405  policy_parent_ds_ttl(policy) + policy_keys_ttl(policy) >=
2406  policy_key_lifetime(pkey))
2407  {
2408  ods_log_crit("[%s] %s: For policy %s %s key lifetime of %d "
2409  "is unreasonably short with respect to sum of parent "
2410  "TTL (%d) and key TTL (%d). Will not insert key!",
2411  module_str, scmd, policy_name(policy), policy_key_role_text(pkey),
2413  policy_keys_ttl(policy));
2414  setnextroll(zone, pkey, now);
2415  *zone_updated = 1;
2416  continue;
2417  }
2418  if ((policy_key_role(pkey) == POLICY_KEY_ROLE_ZSK ||
2420  policy_signatures_max_zone_ttl(policy) + policy_keys_ttl(policy) >=
2421  policy_key_lifetime(pkey))
2422  {
2423  ods_log_crit("[%s] %s: For policy %s %s key lifetime of %d "
2424  "is unreasonably short with respect to sum of "
2425  "MaxZoneTTL (%d) and key TTL (%d). Will not insert key!",
2426  module_str, scmd, policy_name(policy), policy_key_role_text(pkey),
2428  policy_keys_ttl(policy));
2429  setnextroll(zone, pkey, now);
2430  *zone_updated = 1;
2431  continue;
2432  }
2433 
2434  /*
2435  * Get a new key, either a existing/shared key if the policy is set to
2436  * share keys or create a new key.
2437  */
2438  if (policy_keys_shared(policy)) {
2439  hsmkey = getLastReusableKey(keylist, pkey);
2440 
2441  if (!hsmkey) {
2442  newhsmkey = hsm_key_factory_get_key(engine, dbconn, pkey, HSM_KEY_STATE_SHARED);
2443  hsmkey = newhsmkey;
2444  }
2445  } else {
2446  newhsmkey = hsm_key_factory_get_key(engine, dbconn, pkey, HSM_KEY_STATE_PRIVATE);
2447  hsmkey = newhsmkey;
2448  }
2449 
2450  if (!hsmkey) {
2451  /*
2452  * Unable to get/create a HSM key at this time, retry later.
2453  */
2454  ods_log_warning("[%s] %s: No keys available in HSM for policy %s, retry in %d seconds",
2455  module_str, scmd, policy_name(policy), NOKEY_TIMEOUT);
2456  minTime(now + NOKEY_TIMEOUT, &return_at);
2457  setnextroll(zone, pkey, now);
2458  *zone_updated = 1;
2459  continue;
2460  }
2461  ods_log_verbose("[%s] %s: got new key from HSM", module_str, scmd);
2462 
2463  /*
2464  * TODO: This will be replaced once roles are global
2465  */
2466  key_role = KEY_DATA_ROLE_INVALID;
2467  switch (policy_key_role(pkey)) {
2468  case POLICY_KEY_ROLE_KSK:
2469  key_role = KEY_DATA_ROLE_KSK;
2470  break;
2471 
2472  case POLICY_KEY_ROLE_ZSK:
2473  key_role = KEY_DATA_ROLE_ZSK;
2474  break;
2475 
2476  case POLICY_KEY_ROLE_CSK:
2477  key_role = KEY_DATA_ROLE_CSK;
2478  break;
2479 
2480  default:
2481  break;
2482  }
2483 
2484  /*
2485  * Create a new key data object.
2486  */
2487  if (!(mutkey = key_data_new(dbconn))
2488  || key_data_set_zone_id(mutkey, zone_id(zone))
2489  || key_data_set_hsm_key_id(mutkey, hsm_key_id(hsmkey))
2491  || key_data_set_inception(mutkey, now)
2492  || key_data_set_role(mutkey, key_role)
2493  || key_data_set_minimize(mutkey, policy_key_minimize(pkey))
2494  || key_data_set_introducing(mutkey, 1)
2496  {
2497  /* TODO: better log error */
2498  ods_log_error("[%s] %s: error new key", module_str, scmd);
2499  key_data_free(mutkey);
2500  if (newhsmkey) {
2501  hsm_key_factory_release_key(newhsmkey, dbconn);
2502  }
2503  hsm_key_free(newhsmkey);
2504  key_data_list_free(keylist);
2505  policy_key_list_free(policykeylist);
2506  return now + 60;
2507  }
2508 
2509  /*
2510  * Generate keytag for the new key and set it.
2511  */
2512  err = hsm_keytag(hsm_key_locator(hsmkey), hsm_key_algorithm(hsmkey),
2513  ((hsm_key_role(hsmkey) == HSM_KEY_ROLE_KSK
2514  || hsm_key_role(hsmkey) == HSM_KEY_ROLE_CSK)
2515  ? 1 : 0),
2516  &tag);
2517  if (err || key_data_set_keytag(mutkey, tag))
2518  {
2519  /* TODO: better log error */
2520  ods_log_error("[%s] %s: error keytag", module_str, scmd);
2521  key_data_free(mutkey);
2522  if (newhsmkey) {
2523  hsm_key_factory_release_key(newhsmkey, dbconn);
2524  }
2525  hsm_key_free(newhsmkey);
2526  key_data_list_free(keylist);
2527  policy_key_list_free(policykeylist);
2528  return now + 60;
2529  }
2530 
2531  /*
2532  * Create the new key in the database, if successful we set the next
2533  * roll after the lifetime of the key.
2534  */
2535  if (key_data_create(mutkey)) {
2536  /* TODO: better log error */
2537  ods_log_error("[%s] %s: error key_data_create()", module_str, scmd);
2538  key_data_free(mutkey);
2539  if (newhsmkey) {
2540  hsm_key_factory_release_key(newhsmkey, dbconn);
2541  }
2542  hsm_key_free(newhsmkey);
2543  key_data_list_free(keylist);
2544  policy_key_list_free(policykeylist);
2545  return now + 60;
2546  }
2547  t_ret = addtime(now, policy_key_lifetime(pkey));
2548  minTime(t_ret, &return_at);
2549  setnextroll(zone, pkey, t_ret);
2550  *zone_updated = 1;
2551 
2552  /*
2553  * Tell similar keys to out-troduce.
2554  * Similar keys are those that match role, algorithm, bits and repository
2555  * and are introduced.
2556  *
2557  * NOTE:
2558  * Will not work if a policy has 2 or more keys of the same role, algorithm,
2559  * bits and repository. Unclear how to fix this since keys are not directly
2560  * related to a policy key.
2561  * We currently do not allow two policy keys with the same attributes.
2562  */
2563  for (key = key_data_list_begin(keylist); key; key = key_data_list_next(keylist)) {
2564  if (key_data_introducing(key)
2565  && key_data_role(key) == key_data_role(mutkey)
2566  && key_data_algorithm(key) == key_data_algorithm(mutkey)
2567  && (hsmkey2 = key_data_get_hsm_key(key))
2568  && hsm_key_bits(hsmkey2) == hsm_key_bits(hsmkey)
2569  && !strcmp(hsm_key_repository(hsmkey2), hsm_key_repository(hsmkey)))
2570  {
2571  if (!(mutkey2 = key_data_new_copy(key))
2572  || key_data_set_introducing(mutkey2, 0)
2573  || key_data_update(mutkey2))
2574  {
2575  /* TODO: better log error */
2576  ods_log_error("[%s] %s: error update mutkey2", module_str, scmd);
2577  key_data_free(mutkey2);
2578  hsm_key_free(hsmkey2);
2579  key_data_free(mutkey);
2580  hsm_key_free(newhsmkey);
2581  key_data_list_free(keylist);
2582  policy_key_list_free(policykeylist);
2583  return now + 60;
2584  }
2585 
2586  ods_log_verbose("[%s] %s: decommissioning old key: %s", module_str, scmd, hsm_key_locator(hsmkey2));
2587 
2588  key_data_free(mutkey2);
2589  mutkey2 = NULL;
2590  }
2591  hsm_key_free(hsmkey2);
2592  hsmkey2 = NULL;
2593  }
2594 
2595  key_data_free(mutkey);
2596  mutkey = NULL;
2597  hsm_key_free(newhsmkey);
2598  newhsmkey = NULL;
2599 
2600  /*
2601  * Clear roll now (if set) in the zone for this policy key.
2602  */
2603  if (enforce_roll(zone, pkey)) {
2604  if (set_roll(zone, pkey, 0)) {
2605  /* TODO: better log error */
2606  ods_log_error("[%s] %s: error set_roll()", module_str, scmd);
2607  key_data_list_free(keylist);
2608  policy_key_list_free(policykeylist);
2609  return now + 60;
2610  }
2611  *zone_updated = 1;
2612  }
2613  }
2614 
2615  key_data_list_free(keylist);
2616  policy_key_list_free(policykeylist);
2617 
2618  return return_at;
2619 }
2620 
2621 static time_t
2622 removeDeadKeys(db_connection_t *dbconn, key_data_t** keylist,
2623  size_t keylist_size, key_dependency_list_t *deplist, const time_t now,
2624  const int purgetime)
2625 {
2626  static const char *scmd = "removeDeadKeys";
2627  time_t first_purge = -1, key_time;
2628  size_t i, deplist2_size = 0;
2629  int key_purgable, cmp;
2630  unsigned int j;
2631  const key_state_t* state = NULL;
2632  key_dependency_t **deplist2 = NULL;
2633 
2634  assert(keylist);
2635  assert(deplist);
2636 
2637  deplist2_size = key_dependency_list_size(deplist);
2638  deplist2 = (key_dependency_t**)calloc(deplist2_size, sizeof(key_dependency_t*));
2639  /* deplist might be NULL but is always freeable */
2640  if (deplist2_size > 0)
2641  deplist2[0] = key_dependency_list_get_begin(deplist);
2642  for (i = 1; i < deplist2_size; i++)
2643  deplist2[i] = key_dependency_list_get_next(deplist);
2644 
2645  for (i = 0; i < keylist_size; i++) {
2646  if (key_data_introducing(keylist[i])) continue;
2647  key_time = -1;
2648  key_purgable = 1;
2649  for (j = 0; j<4; j++) {
2650  switch(j){
2651  case 0: state = key_data_cached_ds(keylist[i]); break;
2652  case 1: state = key_data_cached_dnskey(keylist[i]); break;
2653  case 2: state = key_data_cached_rrsigdnskey(keylist[i]); break;
2654  case 3: state = key_data_cached_rrsig(keylist[i]);
2655  }
2656  if (key_state_state(state) == NA) continue;
2657  if (key_state_state(state) != HIDDEN) {
2658  key_purgable = 0;
2659  break;
2660  }
2661  if (key_state_last_change(state) > key_time) {
2662  key_time = key_state_last_change(state);
2663  }
2664  }
2665  if (key_time != -1) key_time = addtime(key_time, purgetime);
2666  if (key_purgable) {
2667  /* key is purgable, is it time yet? */
2668  if (now >= key_time) {
2669  key_state_t* ks_ds = key_data_get_cached_ds(keylist[i]);
2670  key_state_t* ks_dk = key_data_get_cached_dnskey(keylist[i]);
2671  key_state_t* ks_rd = key_data_get_cached_rrsigdnskey(keylist[i]);
2672  key_state_t* ks_rs = key_data_get_cached_rrsig(keylist[i]);
2673 
2674  ods_log_info("[%s] %s deleting key: %s", module_str, scmd,
2676 
2677  if ( key_state_delete(ks_ds) || key_state_delete(ks_dk)
2678  || key_state_delete(ks_rd) || key_state_delete(ks_rs)
2679  || key_data_delete(keylist[i])
2681  {
2682  /* TODO: better log error */
2683  ods_log_error("[%s] %s: key_state_delete() || key_data_delete() || hsm_key_factory_release_key() failed", module_str, scmd);
2684  }
2685  key_state_free(ks_ds);
2686  key_state_free(ks_dk);
2687  key_state_free(ks_rd);
2688  key_state_free(ks_rs);
2689  } else {
2690  minTime(key_time, &first_purge);
2691  }
2692  /* we can clean up dependency because key is purgable */
2693 
2694  for (j = 0; j < deplist2_size; j++) {
2695  if (!deplist2[j]) continue;
2696  if (db_value_cmp(key_data_id(keylist[i]), key_dependency_from_key_data_id(deplist2[j]), &cmp)) {
2697  /* TODO: better log error */
2698  ods_log_error("[%s] %s: cmp deplist from failed", module_str, scmd);
2699  break;
2700  }
2701  if(cmp) continue;
2702 
2703  if (key_dependency_delete(deplist2[j])) {
2704  /* TODO: better log error */
2705  ods_log_error("[%s] %s: key_dependency_delete() failed", module_str, scmd);
2706  break;
2707  }
2708  }
2709  }
2710  }
2711  for (i = 0; i < deplist2_size; i++){
2712  key_dependency_free(deplist2[i]);
2713  }
2714  free(deplist2);
2715  return first_purge;
2716 }
2717 
2718 time_t
2719 update(engine_type *engine, db_connection_t *dbconn, zone_t *zone, policy_t *policy, time_t now, int *zone_updated)
2720 {
2721  int allow_unsigned = 0;
2722  time_t policy_return_time, zone_return_time, purge_return_time = -1, return_time;
2723  key_data_list_t *key_list;
2724  const key_data_t* key;
2725  key_data_t** keylist = NULL;
2726  size_t keylist_size, i;
2727  key_dependency_list_t *deplist;
2728  static const char *scmd = "update";
2729  int key_data_updated;
2730 
2731  if (!engine) {
2732  ods_log_error("[%s] no engine", module_str);
2733  return now + 60;
2734  }
2735  if (!dbconn) {
2736  ods_log_error("[%s] no dbconn", module_str);
2737  return now + 60;
2738  }
2739  if (!zone) {
2740  ods_log_error("[%s] no zone", module_str);
2741  return now + 60;
2742  }
2743  if (!policy) {
2744  ods_log_error("[%s] no policy", module_str);
2745  return now + 60;
2746  }
2747  if (!zone_updated) {
2748  ods_log_error("[%s] no zone_updated", module_str);
2749  return now + 60;
2750  }
2751 
2752  ods_log_info("[%s] update zone: %s", module_str, zone_name(zone));
2753 
2754  /*
2755  * Update policy.
2756  */
2757  policy_return_time = updatePolicy(engine, dbconn, policy, zone, now, &allow_unsigned, zone_updated);
2758 
2759  if (allow_unsigned) {
2760  ods_log_info("[%s] No keys configured for %s, zone will become unsigned eventually",
2761  module_str, zone_name(zone));
2762  }
2763 
2764  /*
2765  * Get all key data/state/hsm objects for later processing.
2766  */
2767  if (!(deplist = zone_get_key_dependencies(zone))) {
2768  /* TODO: better log error */
2769  ods_log_error("[%s] %s: error zone_get_key_dependencies()", module_str, scmd);
2770  key_dependency_list_free(deplist);
2771  return now + 60;
2772  }
2773  if (!(key_list = zone_get_keys(zone))) {
2774  /* TODO: better log error */
2775  ods_log_error("[%s] %s: error zone_get_keys()", module_str, scmd);
2776  key_data_list_free(key_list);
2777  key_dependency_list_free(deplist);
2778  return now + 60;
2779  }
2780  /*WTF DOES THIS CODE DO?*/
2781  if (!(keylist_size = key_data_list_size(key_list))) {
2782  if ((key = key_data_list_begin(key_list))) {
2783  while (key) {
2784  keylist_size++;
2785  key = key_data_list_next(key_list);
2786  }
2787  }
2788  }
2789  if (keylist_size) {
2790  if (!(keylist = (key_data_t**)calloc(keylist_size, sizeof(key_data_t*)))) {
2791  /* TODO: better log error */
2792  ods_log_error("[%s] %s: error calloc(keylist_size)", module_str, scmd);
2793  key_data_list_free(key_list);
2794  key_dependency_list_free(deplist);
2795  return now + 60;
2796  }
2797  for (i = 0; i < keylist_size; i++) {
2798  if (!i) {
2799  keylist[i] = key_data_list_get_begin(key_list);
2800  }
2801  else {
2802  keylist[i] = key_data_list_get_next(key_list);
2803  }
2804  if (!keylist[i]
2805  || key_data_cache_hsm_key(keylist[i])
2806  || key_data_cache_key_states(keylist[i]))
2807  {
2808  ods_log_error("[%s] %s: error key_data_list cache", module_str, scmd);
2809  for (i = 0; i < keylist_size; i++) {
2810  if (keylist[i]) {
2811  key_data_free(keylist[i]);
2812  }
2813  }
2814  free(keylist);
2815  key_data_list_free(key_list);
2816  key_dependency_list_free(deplist);
2817  return now + 60;
2818  }
2819  }
2820  }
2821  key_data_list_free(key_list);
2822 
2823  /*
2824  * Update zone.
2825  */
2826  zone_return_time = updateZone(dbconn, policy, zone, now, allow_unsigned, zone_updated,
2827  keylist, keylist_size, deplist);
2828 
2829  /*
2830  * Only purge old keys if the policy says so.
2831  */
2832  if (policy_keys_purge_after(policy) && keylist) {
2833  purge_return_time = removeDeadKeys(dbconn, keylist, keylist_size, deplist, now,
2834  policy_keys_purge_after(policy));
2835  }
2836 
2837  /*
2838  * Always set these flags. Normally this needs to be done _only_ when the
2839  * Signer config needs writing. However a previous Signer config might not
2840  * be available, we have no way of telling. :(
2841  */
2842  for (i = 0; i < keylist_size; i++) {
2843  key_data_updated = 0;
2844 
2845  /* hack */
2846  key_data_set_publish(keylist[i], 0);
2847  key_data_set_active_ksk(keylist[i], 0);
2848  key_data_set_active_zsk(keylist[i], 0);
2849  key_data_updated = 1;
2850  /*
2851  * TODO: description
2852  */
2854  || key_state_state(key_data_cached_dnskey(keylist[i])) == RUMOURED)
2855  {
2856  if (!key_data_publish(keylist[i])) {
2857  if (key_data_set_publish(keylist[i], 1)) {
2858  ods_log_error("[%s] %s: key_data_set_publish() failed",
2859  module_str, scmd);
2860  break;
2861  }
2862 
2863  key_data_updated = 1;
2864  }
2865  }
2866 
2867  /*
2868  * TODO: description
2869  */
2872  {
2873  if (!key_data_active_ksk(keylist[i])) {
2874  if (key_data_set_active_ksk(keylist[i], 1)) {
2875  ods_log_error("[%s] %s: key_data_set_active_ksk() failed",
2876  module_str, scmd);
2877  break;
2878  }
2879 
2880  key_data_updated = 1;
2881  }
2882  }
2883 
2884  /*
2885  * TODO: description
2886  */
2888  || key_state_state(key_data_cached_rrsig(keylist[i])) == RUMOURED)
2889  {
2890  if (!key_data_active_zsk(keylist[i])) {
2891  if (key_data_set_active_zsk(keylist[i], 1)) {
2892  ods_log_error("[%s] %s: key_data_set_active_zsk() failed",
2893  module_str, scmd);
2894  break;
2895  }
2896 
2897  key_data_updated = 1;
2898  }
2899  }
2900 
2901  if (key_data_updated) {
2902  if (key_data_update(keylist[i])) {
2903  ods_log_error("[%s] %s: key_data_update() failed",
2904  module_str, scmd);
2905  break;
2906  }
2907  }
2908  }
2909 
2910  /*
2911  * Release cached objects.
2912  */
2913  for (i = 0; i < keylist_size; i++) {
2914  if (keylist[i]) {
2915  key_data_free(keylist[i]);
2916  }
2917  }
2918  free(keylist);
2919  key_dependency_list_free(deplist);
2920 
2921  return_time = zone_return_time;
2922  minTime(policy_return_time, &return_time);
2923  minTime(purge_return_time, &return_time);
2924  return return_time;
2925 }
const char * key_data_role_text(const key_data_t *key_data)
Definition: key_data.c:711
const char * key_state_state_text(const key_state_t *key_state)
Definition: key_state.c:377
const policy_key_t * policy_key_list_next(policy_key_list_t *policy_key_list)
Definition: policy_key.c:1378
key_data_role
Definition: key_data.h:40
int key_data_set_inception(key_data_t *key_data, unsigned int inception)
Definition: key_data.c:880
int key_data_get_by_id(key_data_t *key_data, const db_value_t *id)
Definition: key_data.c:1296
int key_state_set_ttl(key_state_t *key_state, unsigned int ttl)
Definition: key_state.c:482
int key_dependency_delete(key_dependency_t *key_dependency)
int key_state_delete(key_state_t *key_state)
Definition: key_state.c:831
hsm_key_t * key_data_get_hsm_key(const key_data_t *key_data)
Definition: key_data.c:649
int zone_set_roll_csk_now(zone_t *zone, unsigned int roll_csk_now)
Definition: zone.c:1051
unsigned int next_zsk_roll
Definition: zone.h:68
int zone_set_ttl_end_dk(zone_t *zone, unsigned int ttl_end_dk)
Definition: zone.c:1011
unsigned int zone_roll_zsk_now(const zone_t *zone)
Definition: zone.c:846
hsm_key_t * hsm_key_factory_get_key(engine_type *engine, const db_connection_t *connection, const policy_key_t *policy_key, hsm_key_state_t hsm_key_state)
unsigned int policy_parent_registration_delay(const policy_t *policy)
Definition: policy.c:1045
unsigned int key_data_publish(const key_data_t *key_data)
Definition: key_data.c:743
#define RUMOURED
Definition: enforcer.c:67
const char * key_state_type_text(const key_state_t *key_state)
Definition: key_state.c:353
key_state_t * key_data_get_cached_rrsig(key_data_t *key_data)
Definition: key_data_ext.c:84
const char * policy_name(const policy_t *policy)
Definition: policy.c:813
unsigned int key_data_active_zsk(const key_data_t *key_data)
Definition: key_data.c:735
#define NA
Definition: enforcer.c:70
int zone_set_roll_zsk_now(zone_t *zone, unsigned int roll_zsk_now)
Definition: zone.c:1041
key_state_type_t type
Definition: enforcer.c:79
unsigned int policy_signatures_max_zone_ttl(const policy_t *policy)
Definition: policy.c:885
int zone_set_ttl_end_ds(zone_t *zone, unsigned int ttl_end_ds)
Definition: zone.c:1001
int key_data_cmp(const key_data_t *key_data_a, const key_data_t *key_data_b)
Definition: key_data.c:402
enum key_state_state key_state_state_t
enum key_data_role key_data_role_t
void ods_log_info(const char *format,...)
Definition: log.c:55
unsigned int policy_signatures_refresh(const policy_t *policy)
Definition: policy.c:837
const db_value_t * key_data_id(const key_data_t *key_data)
Definition: key_data.c:553
unsigned int zone_ttl_end_rs(const zone_t *zone)
Definition: zone.c:830
key_data_list_t * zone_get_keys(const zone_t *zone)
Definition: zone_ext.c:38
const hsm_key_t * key_data_cached_hsm_key(const key_data_t *key_data)
Definition: key_data_ext.c:108
unsigned int policy_signatures_validity_default(const policy_t *policy)
Definition: policy.c:861
size_t key_data_list_size(key_data_list_t *key_data_list)
Definition: key_data.c:2461
unsigned int policy_parent_propagation_delay(const policy_t *policy)
Definition: policy.c:1053
int zone_set_signconf_needs_writing(zone_t *zone, unsigned int signconf_needs_writing)
Definition: zone.c:959
void ods_log_error(const char *format,...)
Definition: log.c:69
int key_state_set_key_data_id(key_state_t *key_state, const db_value_t *key_data_id)
Definition: key_state.c:417
unsigned int zone_roll_csk_now(const zone_t *zone)
Definition: zone.c:854
int pretend_update
Definition: enforcer.c:81
int key_dependency_set_zone_id(key_dependency_t *key_dependency, const db_value_t *zone_id)
int key_state_set_minimize(key_state_t *key_state, unsigned int minimize)
Definition: key_state.c:472
key_dependency_list_t * zone_get_key_dependencies(const zone_t *zone)
Definition: zone_ext.c:58
const db_enum_t key_state_enum_set_type[]
Definition: key_state.c:36
int key_data_set_role(key_data_t *key_data, key_data_role_t role)
Definition: key_data.c:890
unsigned int policy_signatures_validity_denial(const policy_t *policy)
Definition: policy.c:869
key_data_t * key_data_list_get_next(key_data_list_t *key_data_list)
Definition: key_data.c:2425
unsigned int policy_signatures_jitter(const policy_t *policy)
Definition: policy.c:845
const char * hsm_key_repository(const hsm_key_t *hsm_key)
Definition: hsm_key.c:568
time_t update(engine_type *engine, db_connection_t *dbconn, zone_t *zone, policy_t *policy, time_t now, int *zone_updated)
Definition: enforcer.c:2719
unsigned int next_csk_roll
Definition: zone.h:69
policy_denial_type
Definition: policy.h:40
int key_data_create(key_data_t *key_data)
Definition: key_data.c:1093
int key_data_set_hsm_key_id(key_data_t *key_data, const db_value_t *hsm_key_id)
Definition: key_data.c:851
unsigned int key_data_introducing(const key_data_t *key_data)
Definition: key_data.c:727
const db_value_t * key_dependency_to_key_data_id(const key_dependency_t *key_dependency)
int hsm_key_factory_release_key(hsm_key_t *hsm_key, const db_connection_t *connection)
unsigned int policy_zone_propagation_delay(const policy_t *policy)
Definition: policy.c:1005
int key_state_set_type(key_state_t *key_state, key_state_type_t type)
Definition: key_state.c:436
int key_state_update(key_state_t *key_state)
Definition: key_state.c:684
size_t policy_key_list_size(policy_key_list_t *policy_key_list)
Definition: policy_key.c:1480
int key_dependency_set_type(key_dependency_t *key_dependency, key_dependency_type_t type)
void ods_log_crit(const char *format,...)
Definition: log.c:80
unsigned int key_state_minimize(const key_state_t *key_state)
Definition: key_state.c:401
const key_state_t * key_data_cached_rrsigdnskey(key_data_t *key_data)
Definition: key_data_ext.c:72
key_dependency_t * key_dependency_new(const db_connection_t *connection)
int db_value_cmp(const db_value_t *value_a, const db_value_t *value_b, int *result)
Definition: db_value.c:102
void key_dependency_list_free(key_dependency_list_t *key_dependency_list)
unsigned int zone_ttl_end_dk(const zone_t *zone)
Definition: zone.c:822
unsigned int key_data_inception(const key_data_t *key_data)
Definition: key_data.c:695
int key_state_set_state(key_state_t *key_state, key_state_state_t state)
Definition: key_state.c:449
const char * policy_key_repository(const policy_key_t *policy_key)
Definition: policy_key.c:534
const key_dependency_t * key_dependency_list_next(key_dependency_list_t *key_dependency_list)
unsigned int policy_zone_soa_ttl(const policy_t *policy)
Definition: policy.c:1013
unsigned int zone_roll_ksk_now(const zone_t *zone)
Definition: zone.c:838
void key_state_free(key_state_t *key_state)
Definition: key_state.c:214
int zone_set_ttl_end_rs(zone_t *zone, unsigned int ttl_end_rs)
Definition: zone.c:1021
unsigned int hsm_key_inception(const hsm_key_t *hsm_key)
Definition: hsm_key.c:560
unsigned int policy_key_lifetime(const policy_key_t *policy_key)
Definition: policy_key.c:526
key_data_t * key_data_new(const db_connection_t *connection)
Definition: key_data.c:264
const key_data_t * key_data_list_begin(key_data_list_t *key_data_list)
Definition: key_data.c:2267
void key_dependency_free(key_dependency_t *key_dependency)
unsigned int policy_keys_publish_safety(const policy_t *policy)
Definition: policy.c:981
int zone_set_roll_ksk_now(zone_t *zone, unsigned int roll_ksk_now)
Definition: zone.c:1031
policy_key_list_t * policy_get_policy_keys(const policy_t *policy)
Definition: policy_ext.c:1248
const db_value_t * key_dependency_from_key_data_id(const key_dependency_t *key_dependency)
key_data_ds_at_parent
Definition: key_data.h:48
unsigned int zone_signconf_needs_writing(const zone_t *zone)
Definition: zone.c:790
key_dependency_type
const key_data_t * key_data_list_next(key_data_list_t *key_data_list)
Definition: key_data.c:2359
int key_data_set_publish(key_data_t *key_data, unsigned int publish)
Definition: key_data.c:923
int key_data_cache_key_states(key_data_t *key_data)
Definition: key_data_ext.c:33
hsm_key_t * hsm_key_list_get_begin(hsm_key_list_t *hsm_key_list)
Definition: hsm_key.c:1888
const db_enum_t key_state_enum_set_state[]
Definition: key_state.c:44
unsigned int key_state_last_change(const key_state_t *key_state)
Definition: key_state.c:393
const char * hsm_key_locator(const hsm_key_t *hsm_key)
Definition: hsm_key.c:520
int value
Definition: db_enum.h:40
int key_dependency_set_from_key_data_id(key_dependency_t *key_dependency, const db_value_t *from_key_data_id)
key_state_state
Definition: key_state.h:49
unsigned int policy_parent_ds_ttl(const policy_t *policy)
Definition: policy.c:1061
unsigned int policy_key_minimize(const policy_key_t *policy_key)
Definition: policy_key.c:566
const char * zone_name(const zone_t *zone)
Definition: zone.c:782
unsigned int policy_denial_ttl(const policy_t *policy)
Definition: policy.c:909
size_t key_dependency_list_size(key_dependency_list_t *key_dependency_list)
key_data_t * key
Definition: enforcer.c:78
const key_state_t * key_data_cached_rrsig(key_data_t *key_data)
Definition: key_data_ext.c:64
key_state_t * key_state_new(const db_connection_t *connection)
Definition: key_state.c:176
key_dependency_t * key_dependency_list_get_next(key_dependency_list_t *key_dependency_list)
key_state_t * key_data_get_cached_rrsigdnskey(key_data_t *key_data)
Definition: key_data_ext.c:100
const char * policy_key_role_text(const policy_key_t *policy_key)
Definition: policy_key.c:494
unsigned int policy_keys_retire_safety(const policy_t *policy)
Definition: policy.c:973
hsm_key_t * hsm_key_list_get_next(hsm_key_list_t *hsm_key_list)
Definition: hsm_key.c:1990
int key_data_set_zone_id(key_data_t *key_data, const db_value_t *zone_id)
Definition: key_data.c:832
int key_dependency_create(key_dependency_t *key_dependency)
key_state_t * key_data_get_cached_ds(key_data_t *key_data)
Definition: key_data_ext.c:76
void ods_log_verbose(const char *format,...)
Definition: log.c:48
unsigned int policy_key_manual_rollover(const policy_key_t *policy_key)
Definition: policy_key.c:550
int key_state_set_last_change(key_state_t *key_state, unsigned int last_change)
Definition: key_state.c:462
const key_state_t * key_data_cached_ds(key_data_t *key_data)
Definition: key_data_ext.c:60
int key_data_cache_hsm_key(key_data_t *key_data)
Definition: key_data.c:615
void key_data_list_free(key_data_list_t *key_data_list)
Definition: key_data.c:1694
int key_state_create(key_state_t *key_state)
Definition: key_state.c:519
key_dependency_t * key_dependency_list_get_begin(key_dependency_list_t *key_dependency_list)
const db_value_t * key_data_hsm_key_id(const key_data_t *key_data)
Definition: key_data.c:607
const key_state_t * key_data_cached_dnskey(key_data_t *key_data)
Definition: key_data_ext.c:68
unsigned int key_data_minimize(const key_data_t *key_data)
Definition: key_data.c:775
#define UNRETENTIVE
Definition: enforcer.c:69
hsm_key_role
Definition: hsm_key.h:49
int key_data_set_active_ksk(key_data_t *key_data, unsigned int active_ksk)
Definition: key_data.c:933
void key_data_free(key_data_t *key_data)
Definition: key_data.c:304
const key_dependency_t * key_dependency_list_begin(key_dependency_list_t *key_dependency_list)
const db_value_t * zone_id(const zone_t *zone)
Definition: zone.c:728
#define HIDDEN
Definition: enforcer.c:66
unsigned int hsm_key_algorithm(const hsm_key_t *hsm_key)
Definition: hsm_key.c:544
int key_data_set_ds_at_parent(key_data_t *key_data, key_data_ds_at_parent_t ds_at_parent)
Definition: key_data.c:943
hsm_key_backup
Definition: hsm_key.h:62
hsm_key_list_t * hsm_key_list_new_get_by_policy_key(const policy_key_t *pkey)
Definition: hsm_key_ext.c:33
void hsm_key_free(hsm_key_t *hsm_key)
Definition: hsm_key.c:286
key_data_t * key_data_new_copy(const key_data_t *key_data)
Definition: key_data.c:285
const char * text
Definition: db_enum.h:39
unsigned int key_data_active_ksk(const key_data_t *key_data)
Definition: key_data.c:751
Definition: policy.h:60
key_state_state_t next_state
Definition: enforcer.c:80
Definition: zone.h:46
unsigned int policy_key_algorithm(const policy_key_t *policy_key)
Definition: policy_key.c:510
int key_data_set_introducing(key_data_t *key_data, unsigned int introducing)
Definition: key_data.c:903
unsigned int key_data_algorithm(const key_data_t *key_data)
Definition: key_data.c:687
int key_data_update(key_data_t *key_data)
Definition: key_data.c:1349
#define OMNIPRESENT
Definition: enforcer.c:68
enum key_state_type key_state_type_t
unsigned int next_ksk_roll
Definition: zone.h:67
int key_data_set_keytag(key_data_t *key_data, unsigned int keytag)
Definition: key_data.c:956
int key_data_set_active_zsk(key_data_t *key_data, unsigned int active_zsk)
Definition: key_data.c:913
key_dependency_list_t * key_dependency_list_new_copy(const key_dependency_list_t *from_key_dependency_list)
int key_dependency_set_to_key_data_id(key_dependency_t *key_dependency, const db_value_t *to_key_data_id)
unsigned int policy_keys_shared(const policy_t *policy)
Definition: policy.c:989
void hsm_key_list_free(hsm_key_list_t *hsm_key_list)
Definition: hsm_key.c:1496
policy_key_role
Definition: policy_key.h:40
unsigned int policy_key_bits(const policy_key_t *policy_key)
Definition: policy_key.c:518
void policy_key_list_free(policy_key_list_t *policy_key_list)
Definition: policy_key.c:1006
const db_value_t * hsm_key_id(const hsm_key_t *hsm_key)
Definition: hsm_key.c:504
unsigned int hsm_key_bits(const hsm_key_t *hsm_key)
Definition: hsm_key.c:536
enum key_dependency_type key_dependency_type_t
int key_data_delete(key_data_t *key_data)
Definition: key_data.c:1587
const policy_key_t * policy_key_list_begin(policy_key_list_t *policy_key_list)
Definition: policy_key.c:1322
key_data_t * key_dependency_get_from_key_data(const key_dependency_t *key_dependency)
void ods_log_warning(const char *format,...)
Definition: log.c:62
unsigned int policy_zone_soa_minimum(const policy_t *policy)
Definition: policy.c:1021
int key_data_set_algorithm(key_data_t *key_data, unsigned int algorithm)
Definition: key_data.c:870
hsm_key_state_t state
Definition: hsm_key.h:85
int hsm_key_factory_release_key_id(const db_value_t *hsm_key_id, const db_connection_t *connection)
unsigned int policy_keys_purge_after(const policy_t *policy)
Definition: policy.c:997
unsigned int zone_ttl_end_ds(const zone_t *zone)
Definition: zone.c:814
unsigned int policy_keys_ttl(const policy_t *policy)
Definition: policy.c:965
key_state_t * key_data_get_cached_dnskey(key_data_t *key_data)
Definition: key_data_ext.c:92
int key_data_set_minimize(key_data_t *key_data, unsigned int minimize)
Definition: key_data.c:966
unsigned int policy_signatures_resign(const policy_t *policy)
Definition: policy.c:829
key_data_t * key_data_list_get_begin(key_data_list_t *key_data_list)
Definition: key_data.c:2323
#define NOKEY_TIMEOUT
Definition: enforcer.c:75