OpenDNSSEC-enforcer  2.1.12
enforcer.c
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2011 NLNet Labs. All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  * notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  * notice, this list of conditions and the following disclaimer in the
11  * documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
14  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
15  * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16  * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
17  * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
19  * GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
20  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
21  * IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
22  * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
23  * IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24  *
25  */
26 
27 /*
28  * @section DESCRIPTION
29  *
30  * This module controls the order and time for keys to be introduced,
31  * generated and discarded. It can be called for one zone at a time. It
32  * will then manipulate its keys and bring them closer to their goal,
33  * within bounds of the zone's policy. New keys may be fetched from the
34  * HSM and old keys discarded. When done, the update function returns
35  * a time at which it need to be called again for this zone. Unless
36  * there is an unscheduled change for this zone (some user input) it
37  * should not be called sooner. Calling sooner is not harmful in any
38  * way but also not effective. Calling later does not do any harm as
39  * well, however rollovers may be delayed.
40  */
41 
42 #include "config.h"
43 
44 #include <time.h>
45 
46 #include "libhsm.h"
47 #include "hsmkey/hsm_key_factory.h"
48 
49 #include <libhsmdns.h>
50 #include <ldns/ldns.h>
51 
52 #include "duration.h"
53 #include "log.h"
54 #include "daemon/engine.h"
55 
56 #include "db/zone_db.h"
57 #include "db/policy.h"
58 #include "db/policy_key.h"
59 #include "db/hsm_key.h"
60 #include "db/key_data.h"
61 #include "db/key_dependency.h"
62 #include "db/db_error.h"
63 
64 #include "enforcer/enforcer.h"
65 
66 #define HIDDEN KEY_STATE_STATE_HIDDEN
67 #define RUMOURED KEY_STATE_STATE_RUMOURED
68 #define OMNIPRESENT KEY_STATE_STATE_OMNIPRESENT
69 #define UNRETENTIVE KEY_STATE_STATE_UNRETENTIVE
70 #define NA KEY_STATE_STATE_NA
71 
72 static const char *module_str = "enforcer";
73 
75 #define NOKEY_TIMEOUT 60
76 
77 struct future_key {
82 };
83 
84 static int max(int a, int b) { return a>b?a:b; }
85 static int min(int a, int b) { return a<b?a:b; }
86 
96 static inline void
97 minTime(const time_t t, time_t* min)
98 {
99  assert(min); /* TODO: proper error */
100  if ( (t < *min || *min < 0) && t >= 0 ) *min = t;
101 }
102 
112 static time_t
113 addtime(const time_t t, const int seconds)
114 {
115  struct tm *tp = localtime(&t);
116  if (!tp) return -1; /* bad, but mktime also returns -1 on error */
117  tp->tm_sec += seconds;
118  return mktime(tp);
119 }
120 
127 static inline const key_state_t*
128 getRecord(key_data_t* key, key_state_type_t type)
129 {
130  if (!key) {
131  return NULL;
132  }
133 
134  switch (type) {
135  case KEY_STATE_TYPE_DS:
136  return key_data_cached_ds(key);
137 
139  return key_data_cached_dnskey(key);
140 
142  return key_data_cached_rrsig(key);
143 
145  return key_data_cached_rrsigdnskey(key);
146 
147  default:
148  break;
149  }
150 
151  return NULL;
152 }
153 
159 static inline key_state_state_t
160 getState(key_data_t* key, key_state_type_t type, struct future_key *future_key)
161 {
162  int cmp;
163 
164  if (!key) {
166  }
167 
168  if (future_key
170  && future_key->type == type
171  && future_key->key)
172  {
173  if (db_value_cmp(key_data_id(key), key_data_id(future_key->key), &cmp)) {
175  }
176  if (!cmp) {
177  return future_key->next_state;
178  }
179  }
180 
181  return key_state_state(getRecord(key, type));
182 }
183 
195 static key_state_state_t
196 getDesiredState(int introducing, key_state_state_t state)
197 {
198  /*
199  * Given goal and state, what will be the next state?
200  */
201  if (!introducing) {
202  /*
203  * We are outroducing this key so we would like to move rumoured and
204  * omnipresent keys to unretentive and unretentive keys to hidden.
205  */
206  switch (state) {
207  case HIDDEN:
208  break;
209 
210  case RUMOURED:
211  state = UNRETENTIVE;
212  break;
213 
214  case OMNIPRESENT:
215  state = UNRETENTIVE;
216  break;
217 
218  case UNRETENTIVE:
219  state = HIDDEN;
220  break;
221 
222  case NA:
223  break;
224 
225  default:
226  state = KEY_STATE_STATE_INVALID;
227  break;
228  }
229  }
230  else {
231  /*
232  * We are introducing this key so we would like to move hidden and
233  * unretentive keys to rumoured and rumoured keys to omnipresent.
234  */
235  switch (state) {
236  case HIDDEN:
237  state = RUMOURED;
238  break;
239 
240  case RUMOURED:
241  state = OMNIPRESENT;
242  break;
243 
244  case OMNIPRESENT:
245  break;
246 
247  case UNRETENTIVE:
248  state = RUMOURED;
249  break;
250 
251  case NA:
252  break;
253 
254  default:
255  state = KEY_STATE_STATE_INVALID;
256  break;
257  }
258  }
259 
260  return state;
261 }
262 
269 static int
270 match(key_data_t* key, struct future_key *future_key, int same_algorithm,
271  const key_state_state_t mask[4])
272 {
273  if (!key) {
274  return -1;
275  }
276  if (!future_key) {
277  return -1;
278  }
279  if (!future_key->key) {
280  return -1;
281  }
282 
283  if (same_algorithm
285  {
286  return 0;
287  }
288 
289  /*
290  * Check the states against the mask, for each mask that is not NA we
291  * need a match on that key state.
292  */
293  if ((mask[0] != NA
294  && getState(key, KEY_STATE_TYPE_DS, future_key) != mask[0])
295  || (mask[1] != NA
296  && getState(key, KEY_STATE_TYPE_DNSKEY, future_key) != mask[1])
297  || (mask[2] != NA
298  && getState(key, KEY_STATE_TYPE_RRSIGDNSKEY, future_key) != mask[2])
299  || (mask[3] != NA
300  && getState(key, KEY_STATE_TYPE_RRSIG, future_key) != mask[3]))
301  {
302  return 0;
303  }
304  return 1;
305 }
306 
313 static int
314 exists(key_data_t** keylist, size_t keylist_size, struct future_key *future_key,
315  int same_algorithm, const key_state_state_t mask[4])
316 {
317  size_t i;
318  if (!keylist || !future_key || !future_key->key)
319  return -1;
320  /* Check the states against the mask. If we have a match we return a
321  * positive value. */
322  for (i = 0; i < keylist_size; i++) {
323  if (match(keylist[i], future_key, same_algorithm, mask) > 0)
324  return 1;
325  }
326  return 0; /* We've got no match. */
327 }
328 
335 static int
336 isPotentialSuccessor(key_data_t* successor_key, key_data_t* predecessor_key,
337  struct future_key *future_key, key_state_type_t type)
338 {
339  if (!successor_key || !predecessor_key || !future_key)
340  return -1;
341 
342  /* You can't be a successor of yourself */
343  if (!key_data_cmp(successor_key, predecessor_key)) return 0;
344 
345  /*
346  * TODO
347  */
348  if (getState(successor_key, type, future_key) != RUMOURED
349  || key_data_algorithm(successor_key) != key_data_algorithm(predecessor_key))
350  {
351  return 0;
352  }
353 
354  /*
355  * TODO
356  */
357  switch (type) {
358  case KEY_STATE_TYPE_DS: /* Intentional fall-through */
360  /*
361  * TODO
362  */
363  if (getState(successor_key, KEY_STATE_TYPE_DNSKEY, future_key) == OMNIPRESENT) {
364  return 1;
365  }
366  break;
367 
369  /*
370  * Either both DS's should be omnipresent or both signatures, for the
371  * keys to be in a potential relationship for the DNSKEY.
372  */
373  if ((getState(predecessor_key, KEY_STATE_TYPE_DS, future_key) == OMNIPRESENT
374  && getState(successor_key, KEY_STATE_TYPE_DS, future_key) == OMNIPRESENT)
375  || (getState(predecessor_key, KEY_STATE_TYPE_RRSIG, future_key) == OMNIPRESENT
376  && getState(successor_key, KEY_STATE_TYPE_RRSIG, future_key) == OMNIPRESENT))
377  {
378  return 1;
379  }
380  break;
381 
383  /*
384  * TODO
385  */
386  break;
387 
388  default:
389  return -1;
390  }
391 
392  return 0;
393 }
394 
401 static int
402 successor_rec(key_data_t** keylist, size_t keylist_size,
403  key_data_t* successor_key, key_data_t* predecessor_key,
404  struct future_key *future_key,
405  key_state_type_t type, key_dependency_list_t* deplist_ext)
406 {
407  size_t i;
408  int cmp;
409  const key_dependency_t* dep;
410  key_data_t *from_key;
411  key_dependency_list_t* deplist;
412 
413  if (!keylist) {
414  return -1;
415  }
416  if (!successor_key) {
417  return -1;
418  }
419  if (!predecessor_key) {
420  return -1;
421  }
422  if (!future_key) {
423  return -1;
424  }
425  if (!future_key->key) {
426  return -1;
427  }
428  if (!deplist_ext) {
429  return -1;
430  }
431 
432  /*
433  * Make a copy of the deplist in order to preserve where we are in the list
434  * if we are calling ourselves later on.
435  *
436  * TODO: This can be optimized with the implementation of *_list_ref_t or
437  * allocating an array as with keylist.
438  */
439  if (!(deplist = key_dependency_list_new_copy(deplist_ext))) {
440  return -1;
441  }
442 
443  /*
444  * Check the trivial case where the predecessor key is already a predecessor
445  * for the successor key.
446  */
447  for (dep = key_dependency_list_begin(deplist); dep; dep = key_dependency_list_next(deplist)) {
448  switch (key_dependency_type(dep)) {
450  if (type != KEY_STATE_TYPE_DS) {
451  continue;
452  }
453  break;
454 
456  if (type != KEY_STATE_TYPE_RRSIG) {
457  continue;
458  }
459  break;
460 
462  if (type != KEY_STATE_TYPE_DNSKEY) {
463  continue;
464  }
465  break;
466 
468  if (type != KEY_STATE_TYPE_RRSIGDNSKEY) {
469  continue;
470  }
471  break;
472 
473  default:
474  continue;
475  }
476 
477  if (db_value_cmp(key_data_id(predecessor_key), key_dependency_from_key_data_id(dep), &cmp)) {
478  key_dependency_list_free(deplist);
479  return -1;
480  }
481  if (cmp) {
482  continue;
483  }
484 
485  if (db_value_cmp(key_data_id(successor_key), key_dependency_to_key_data_id(dep), &cmp)) {
486  key_dependency_list_free(deplist);
487  return -1;
488  }
489  if (cmp) {
490  continue;
491  }
492 
493  key_dependency_list_free(deplist);
494  return 1;
495  }
496 
497  /*
498  * Check the trivial case where there is a direct relationship in the future
499  */
500  if (future_key->pretend_update) {
501  if (db_value_cmp(key_data_id(future_key->key), key_data_id(predecessor_key), &cmp)) {
502  key_dependency_list_free(deplist);
503  return -1;
504  }
505  if (!cmp && isPotentialSuccessor(successor_key, predecessor_key, future_key, type) > 0) {
506  key_dependency_list_free(deplist);
507  return 1;
508  }
509  }
510 
511  /*
512  * Check for indirect relationship where X depends on S and X is in the same
513  * state as P and X is a successor of P.
514  */
515  for (dep = key_dependency_list_begin(deplist); dep; dep = key_dependency_list_next(deplist)) {
516  switch (key_dependency_type(dep)) {
518  if (type != KEY_STATE_TYPE_DS) {
519  continue;
520  }
521  break;
522 
524  if (type != KEY_STATE_TYPE_RRSIG) {
525  continue;
526  }
527  break;
528 
530  if (type != KEY_STATE_TYPE_DNSKEY) {
531  continue;
532  }
533  break;
534 
536  if (type != KEY_STATE_TYPE_RRSIGDNSKEY) {
537  continue;
538  }
539  break;
540 
541  default:
542  continue;
543  }
544 
545  if (db_value_cmp(key_data_id(successor_key), key_dependency_to_key_data_id(dep), &cmp)) {
546  key_dependency_list_free(deplist);
547  return -1;
548  }
549  if (cmp) {
550  continue;
551  }
552 
553  /*
554  * TODO: This may be optimized by searching for the key in the keylist
555  * first, only retrieving it from the database if needed or giving an
556  * error if it does not exist in the keylist.
557  */
558  if (!(from_key = key_dependency_get_from_key_data(dep))) {
559  key_dependency_list_free(deplist);
560  return -1;
561  }
562 
563  /*
564  * The RRSIGDNSKEY is not compared because TODO .
565  */
566  if (getState(predecessor_key, KEY_STATE_TYPE_DS, future_key) != getState(from_key, KEY_STATE_TYPE_DS, future_key)
567  || getState(predecessor_key, KEY_STATE_TYPE_DNSKEY, future_key) != getState(from_key, KEY_STATE_TYPE_DNSKEY, future_key)
568  || getState(predecessor_key, KEY_STATE_TYPE_RRSIG, future_key) != getState(from_key, KEY_STATE_TYPE_RRSIG, future_key))
569  {
570  key_data_free(from_key);
571  continue;
572  }
573  if (successor_rec(keylist, keylist_size, from_key, predecessor_key, future_key, type, deplist_ext) > 0) {
574  key_data_free(from_key);
575  key_dependency_list_free(deplist);
576  return 1;
577  }
578  key_data_free(from_key);
579  }
580  key_dependency_list_free(deplist);
581 
582  /*
583  * TODO
584  */
585  if (future_key->pretend_update) {
586  for (i = 0; i < keylist_size; i++) {
587  if (db_value_cmp(key_data_id(predecessor_key), key_data_id(keylist[i]), &cmp)) {
588  return -1;
589  }
590  if (!cmp) {
591  continue;
592  }
593 
594  if (isPotentialSuccessor(successor_key, keylist[i], future_key, type) > 0) {
595  /*
596  * The RRSIGDNSKEY is not compared because TODO .
597  */
598  if (getState(predecessor_key, KEY_STATE_TYPE_DS, future_key) != getState(keylist[i], KEY_STATE_TYPE_DS, future_key)
599  || getState(predecessor_key, KEY_STATE_TYPE_DNSKEY, future_key) != getState(keylist[i], KEY_STATE_TYPE_DNSKEY, future_key)
600  || getState(predecessor_key, KEY_STATE_TYPE_RRSIG, future_key) != getState(keylist[i], KEY_STATE_TYPE_RRSIG, future_key))
601  {
602  continue;
603  }
604  if (successor_rec(keylist+1, keylist_size-1, successor_key, keylist[i], future_key, type, deplist_ext) > 0) {
605  return 1;
606  }
607  }
608  }
609  }
610 
611  return 0;
612 }
613 
620 static int
621 successor(key_data_t** keylist, size_t keylist_size, key_data_t* successor_key,
622  key_data_t* predecessor_key, struct future_key *future_key,
624 {
625  int cmp;
626  const key_dependency_t* dep;
627 
628  if (!keylist) {
629  return -1;
630  }
631  if (!successor_key) {
632  return -1;
633  }
634  if (!predecessor_key) {
635  return -1;
636  }
637  if (!future_key) {
638  return -1;
639  }
640  if (!future_key->key) {
641  return -1;
642  }
643  if (!deplist) {
644  return -1;
645  }
646 
647  /*
648  * Nothing may depend on our predecessor.
649  */
650  for (dep = key_dependency_list_begin(deplist); dep; dep = key_dependency_list_next(deplist)) {
651  if (db_value_cmp(key_data_id(predecessor_key), key_dependency_to_key_data_id(dep), &cmp)) {
652  return -1;
653  }
654  if (!cmp) {
655  return 0;
656  }
657  }
658  return successor_rec(keylist, keylist_size, successor_key, predecessor_key, future_key, type, deplist);
659 }
660 
667 static int
668 exists_with_successor(key_data_t** keylist, size_t keylist_size,
669  struct future_key *future_key, int same_algorithm,
670  const key_state_state_t predecessor_mask[4],
671  const key_state_state_t successor_mask[4], key_state_type_t type,
672  key_dependency_list_t* deplist)
673 {
674  size_t i, j;
675 
676  if (!keylist) {
677  return -1;
678  }
679  if (!future_key) {
680  return -1;
681  }
682 
683  /*
684  * Walk the list of keys, for each key that matches the successor mask we
685  * walk the list again and check that key against the keys that match the
686  * predecessor mask if has a valid successor/predecessor relationship.
687  */
688  for (i = 0; i < keylist_size; i++) {
689  if (match(keylist[i], future_key, same_algorithm, successor_mask) < 1) {
690  continue;
691  }
692 
693  for (j = 0; j < keylist_size; j++) {
694  if (j == i
695  || match(keylist[j], future_key, same_algorithm, predecessor_mask) < 1)
696  {
697  continue;
698  }
699 
700  if (successor(keylist, keylist_size, keylist[i], keylist[j], future_key, type, deplist) > 0) {
701  return 1;
702  }
703  }
704  }
705  return 0;
706 }
707 
714 static int
715 unsignedOk(key_data_t** keylist, size_t keylist_size,
716  struct future_key *future_key,
717  const key_state_state_t mask[4], key_state_type_t type)
718 {
719  size_t i;
720  key_state_state_t cmp_mask[4];
721 
722  if (!keylist) {
723  return -1;
724  }
725  if (!future_key) {
726  return -1;
727  }
728  if (!future_key->key) {
729  return -1;
730  }
731 
732  for (i = 0; i < keylist_size; i++) {
733  if (key_data_algorithm(keylist[i]) != key_data_algorithm(future_key->key)) {
734  continue;
735  }
736 
737  cmp_mask[0] = type == KEY_STATE_TYPE_DS
738  ? getState(keylist[i], type, future_key)
739  : mask[0];
740  cmp_mask[1] = type == KEY_STATE_TYPE_DNSKEY
741  ? getState(keylist[i], type, future_key)
742  : mask[1];
743  cmp_mask[2] = type == KEY_STATE_TYPE_RRSIGDNSKEY
744  ? getState(keylist[i], type, future_key)
745  : mask[2];
746  cmp_mask[3] = type == KEY_STATE_TYPE_RRSIG
747  ? getState(keylist[i], type, future_key)
748  : mask[3];
749 
750  /*
751  * If the state is hidden or NA for the given type this key is okay.
752  */
753  switch (type) {
754  case KEY_STATE_TYPE_DS:
755  if (cmp_mask[0] == HIDDEN || cmp_mask[0] == NA) {
756  continue;
757  }
758  break;
759 
761  if (cmp_mask[1] == HIDDEN || cmp_mask[1] == NA) {
762  continue;
763  }
764  break;
765 
767  if (cmp_mask[2] == HIDDEN || cmp_mask[2] == NA) {
768  continue;
769  }
770  break;
771 
773  if (cmp_mask[3] == HIDDEN || cmp_mask[3] == NA) {
774  continue;
775  }
776  break;
777 
778  default:
779  return -1;
780  }
781 
782  if (exists(keylist, keylist_size, future_key, 1, cmp_mask) < 1) {
783  return 0;
784  }
785  }
786 
787  return 1;
788 }
789 
790 /* Check if ALL DS records for this algorithm are hidden
791  *
792  * \return 0 if !HIDDEN DS is found, 1 if no such DS where found */
793 static int
794 all_DS_hidden(key_data_t** keylist, size_t keylist_size,
795  struct future_key *future_key)
796 {
797  size_t i;
798  key_state_state_t state;
799 
800  assert(keylist);
801  assert(future_key);
802  assert(future_key->key);
803 
804  for (i = 0; i < keylist_size; i++) {
805  /*If not same algorithm. Doesn't affect us.*/
806  if (key_data_algorithm(keylist[i]) != key_data_algorithm(future_key->key)) continue;
807  state = getState(keylist[i], KEY_STATE_TYPE_DS, future_key);
808  if (state != HIDDEN && state != NA) return 0; /*Test failed. Found DS.*/
809  }
810  return 1; /*No DS where found.*/
811 }
812 
819 static int
820 rule1(key_data_t** keylist, size_t keylist_size, struct future_key *future_key,
821  int pretend_update)
822 {
823  static const key_state_state_t mask[2][4] = {
824  { OMNIPRESENT, NA, NA, NA },/* a good key state. */
825  { RUMOURED, NA, NA, NA } /* the DS is introducing. */
826  };
827 
828  if (!keylist || !future_key || !future_key->key) {
829  return -1;
830  }
831 
832  future_key->pretend_update = pretend_update;
833 
834  /* Return positive value if any of the masks are found. */
835  return (exists(keylist, keylist_size, future_key, 0, mask[0]) > 0
836  || exists(keylist, keylist_size, future_key, 0, mask[1]) > 0);
837 }
838 
845 static int
846 rule2(key_data_t** keylist, size_t keylist_size, struct future_key *future_key,
847  int pretend_update, key_dependency_list_t* deplist)
848 {
849  static const key_state_state_t mask[8][4] = {
850  { OMNIPRESENT, OMNIPRESENT, OMNIPRESENT, NA },/*good key state.*/
851  { RUMOURED, OMNIPRESENT, OMNIPRESENT, NA },/*introducing DS state.*/
852  { UNRETENTIVE, OMNIPRESENT, OMNIPRESENT, NA },/*outroducing DS state.*/
853  { OMNIPRESENT, RUMOURED, RUMOURED, NA },/*introducing DNSKEY state.*/
855  { OMNIPRESENT, UNRETENTIVE, UNRETENTIVE, NA },/*outroducing DNSKEY state.*/
857  { HIDDEN, OMNIPRESENT, OMNIPRESENT, NA } /*unsigned state.*/
858  };
859 
860  if (!keylist || !future_key || !future_key->key) {
861  return -1;
862  }
863 
864  future_key->pretend_update = pretend_update;
865 
866  /* Return positive value if any of the masks are found. */
867  return (exists(keylist, keylist_size, future_key, 1, mask[0]) > 0
868  || exists_with_successor(keylist, keylist_size, future_key, 1, mask[2], mask[1], KEY_STATE_TYPE_DS, deplist) > 0
869  || exists_with_successor(keylist, keylist_size, future_key, 1, mask[5], mask[3], KEY_STATE_TYPE_DNSKEY, deplist) > 0
870  || exists_with_successor(keylist, keylist_size, future_key, 1, mask[5], mask[4], KEY_STATE_TYPE_DNSKEY, deplist) > 0
871  || exists_with_successor(keylist, keylist_size, future_key, 1, mask[6], mask[3], KEY_STATE_TYPE_DNSKEY, deplist) > 0
872  || exists_with_successor(keylist, keylist_size, future_key, 1, mask[6], mask[4], KEY_STATE_TYPE_DNSKEY, deplist) > 0
873  || unsignedOk(keylist, keylist_size, future_key, mask[7], KEY_STATE_TYPE_DS) > 0);
874 }
875 
882 static int
883 rule3(key_data_t** keylist, size_t keylist_size, struct future_key *future_key,
884  int pretend_update, key_dependency_list_t* deplist)
885 {
886  static const key_state_state_t mask[6][4] = {
887  { NA, OMNIPRESENT, NA, OMNIPRESENT },/* good key state. */
888  { NA, RUMOURED, NA, OMNIPRESENT },/* introducing DNSKEY state. */
889  { NA, UNRETENTIVE, NA, OMNIPRESENT },/* outroducing DNSKEY state. */
890  { NA, OMNIPRESENT, NA, RUMOURED },/* introducing RRSIG state. */
891  { NA, OMNIPRESENT, NA, UNRETENTIVE },/* outroducing RRSIG state. */
892  { NA, HIDDEN, NA, OMNIPRESENT } /* unsigned state. */
893  };
894 
895  if (!keylist || !future_key || !future_key->key) {
896  return -1;
897  }
898 
899  future_key->pretend_update = pretend_update;
900 
901  /* Return positive value if any of the masks are found. */
902  return (exists(keylist, keylist_size, future_key, 1, mask[0]) > 0
903  || exists_with_successor(keylist, keylist_size, future_key, 1, mask[2], mask[1], KEY_STATE_TYPE_DNSKEY, deplist) > 0
904  || exists_with_successor(keylist, keylist_size, future_key, 1, mask[4], mask[3], KEY_STATE_TYPE_RRSIG, deplist) > 0
905  || unsignedOk(keylist, keylist_size, future_key, mask[5], KEY_STATE_TYPE_DNSKEY) > 0
906  || all_DS_hidden(keylist, keylist_size, future_key) > 0);
907 }
908 
915 static int
916 dnssecApproval(key_data_t** keylist, size_t keylist_size,
917  struct future_key* future_key, int allow_unsigned,
918  key_dependency_list_t* deplist)
919 {
920  if (!keylist) {
921  return -1;
922  }
923  if (!future_key) {
924  return -1;
925  }
926  if (!deplist) {
927  return -1;
928  }
929 
930  /*
931  * Check if DNSSEC state will be invalid by the transition by checking that
932  * all 3 DNSSEC rules apply. Rule 1 only applies if we are not allowing an
933  * unsigned state.
934  *
935  * A rule is first checked against the current state of the key_state and if
936  * the current state is not valid an transition is allowed for that rule in
937  * order to try and move out of an invalid DNSSEC state.
938  *
939  * Next the rule is checked against the desired state and if that state is a
940  * valid DNSSEC state then the transition is allowed.
941  *
942  * rule1 - Handles DS states
943  * rule2 - Handles DNSKEY states.
944  * rule3 - Handles signatures.
945  */
946  if ((allow_unsigned
947  || !rule1(keylist, keylist_size, future_key, 0)
948  || rule1(keylist, keylist_size, future_key, 1) > 0)
949  && (!rule2(keylist, keylist_size, future_key, 0, deplist)
950  || rule2(keylist, keylist_size, future_key, 1, deplist) > 0)
951  && (!rule3(keylist, keylist_size, future_key, 0, deplist)
952  || rule3(keylist, keylist_size, future_key, 1, deplist) > 0))
953  {
954  /*
955  * All rules apply, we allow transition.
956  */
957  return 1;
958  }
959 
960  return 0;
961 }
962 
971 static time_t
972 minTransitionTime(policy_t const *policy, key_state_type_t type,
973  key_state_state_t next_state, const time_t lastchange, const int ttl)
974 {
975  if (!policy) {
976  return -1;
977  }
978 
979  /*
980  * We may freely move a record to a uncertain state.
981  */
982  if (next_state == RUMOURED || next_state == UNRETENTIVE) {
983  return lastchange;
984  }
985 
986  switch (type) {
987  case KEY_STATE_TYPE_DS:
988  return addtime(lastchange, ttl
991 
992  /* TODO: 5011 will create special case here */
993  case KEY_STATE_TYPE_DNSKEY: /* intentional fall-through */
995  return addtime(lastchange, ttl
997  + ( next_state == OMNIPRESENT
1000 
1001  case KEY_STATE_TYPE_RRSIG:
1002  return addtime(lastchange, ttl
1004 
1005  default:
1006  break;
1007  }
1008 
1009  return -1;
1010 }
1011 
1021 static int
1022 policyApproval(key_data_t** keylist, size_t keylist_size,
1023  struct future_key* future_key, key_dependency_list_t* deplist)
1024 {
1025  static const key_state_state_t dnskey_algorithm_rollover[4] = { OMNIPRESENT, OMNIPRESENT, OMNIPRESENT, NA };
1026  static const key_state_state_t mask[14][4] = {
1027  /*ZSK*/
1028  { NA, OMNIPRESENT, NA, OMNIPRESENT }, /*This indicates a good key state.*/
1029  { NA, RUMOURED, NA, OMNIPRESENT }, /*This indicates a introducing DNSKEY state.*/
1030  { NA, UNRETENTIVE, NA, OMNIPRESENT }, /*This indicates a outroducing DNSKEY state.*/
1031  { NA, OMNIPRESENT, NA, RUMOURED }, /*This indicates a introducing RRSIG state.*/
1032  { NA, OMNIPRESENT, NA, UNRETENTIVE }, /*This indicates a outroducing RRSIG state.*/
1033  { NA, HIDDEN, NA, OMNIPRESENT }, /*This indicates an unsigned state.*/
1034 
1035  /*KSK*/
1036  { OMNIPRESENT, OMNIPRESENT, OMNIPRESENT, NA }, /*This indicates a good key state.*/
1037  { RUMOURED, OMNIPRESENT, OMNIPRESENT, NA }, /*This indicates an introducing DS state.*/
1038  { UNRETENTIVE, OMNIPRESENT, OMNIPRESENT, NA }, /*This indicates an outroducing DS state.*/
1039  { OMNIPRESENT, RUMOURED, RUMOURED, NA }, /*These indicates an introducing DNSKEY state.*/
1041  { OMNIPRESENT, UNRETENTIVE, UNRETENTIVE, NA }, /*These indicates an outroducing DNSKEY state.*/
1043  { HIDDEN, OMNIPRESENT, OMNIPRESENT, NA } /*This indicates an unsigned state.*/
1044  };
1045 
1046  if (!keylist || !future_key || !future_key->key) {
1047  return -1;
1048  }
1049 
1050  /*
1051  * Once the record is introduced the policy has no influence.
1052  */
1053  if (future_key->next_state != RUMOURED) {
1054  return 1;
1055  }
1056 
1057  /*
1058  * Check if policy prevents transition if the next state is rumoured.
1059  */
1060  switch (future_key->type) {
1061  case KEY_STATE_TYPE_DS:
1062  /*
1063  * If we want to minimize the DS transitions make sure the DNSKEY is
1064  * fully propagated.
1065  */
1068  {
1069  /*
1070  * DNSKEY is not fully propagated so we will not do any transitions.
1071  */
1072  return 0;
1073  }
1074  break;
1075 
1076  case KEY_STATE_TYPE_DNSKEY:
1078  /* There are no restrictions for the DNSKEY transition so we can
1079  * just continue. */
1080  return 1;
1081  }
1082  /* Check that signatures has been propagated for CSK/ZSK. */
1086  {
1087  /* RRSIG fully propagated so we will do the transitions. */
1088  return 1;
1089  }
1090  }
1091  /* Check if the DS is introduced and continue if it is. */
1095  {
1096  return 1;
1097  }
1098  }
1099  /* We might be doing an algorithm rollover so we check if there are
1100  * no other good KSK available and ignore the minimize flag if so. */
1101  return !(exists(keylist, keylist_size, future_key, 1, mask[6]) > 0
1102  || exists_with_successor(keylist, keylist_size, future_key, 1, mask[8], mask[7], KEY_STATE_TYPE_DS, deplist) > 0
1103  || exists_with_successor(keylist, keylist_size, future_key, 1, mask[11], mask[9], KEY_STATE_TYPE_DNSKEY, deplist) > 0);
1104 
1106  /*
1107  * The only time not to introduce RRSIG DNSKEY is when the DNSKEY is
1108  * still hidden.
1109  *
1110  * TODO: How do we know we are introducing the RRSIG DNSKEY? We might be
1111  * outroducing it.
1112  */
1114  return 0;
1115  }
1116  break;
1117 
1118  case KEY_STATE_TYPE_RRSIG:
1120  /*
1121  * There are no restrictions for the RRSIG transition so we can
1122  * just continue.
1123  */
1124  break;
1125  }
1126 
1127  /*
1128  * Check if the DNSKEY is introduced and continue if it is.
1129  */
1131  break;
1132  }
1133 
1134  /*
1135  * We might be doing an algorithm rollover so we check if there are
1136  * no other good ZSK available and ignore the minimize flag if so.
1137  *
1138  * TODO: How is this related to ZSK/CSK? There are no check for key_data_role().
1139  */
1140  if (exists(keylist, keylist_size, future_key, 1, mask[0]) > 0
1141  || exists_with_successor(keylist, keylist_size, future_key, 1, mask[2], mask[1], KEY_STATE_TYPE_DNSKEY, deplist) > 0
1142  || exists_with_successor(keylist, keylist_size, future_key, 1, mask[4], mask[3], KEY_STATE_TYPE_RRSIG, deplist) > 0
1143  )
1144  {
1145  /*
1146  * We found a good key, so we will not do any transition.
1147  */
1148  return 0;
1149  }
1150  break;
1151 
1152  default:
1153  return 0;
1154  }
1155 
1156  return 1;
1157 }
1158 
1168 static int
1169 getZoneTTL(policy_t const *policy, zone_db_t* zone, key_state_type_t type,
1170  const time_t now)
1171 {
1172  time_t end_date;
1173  int ttl;
1174 
1175  if (!policy) {
1176  return -1;
1177  }
1178  if (!zone) {
1179  return -1;
1180  }
1181 
1182  switch (type) {
1183  case KEY_STATE_TYPE_DS:
1184  end_date = zone_db_ttl_end_ds(zone);
1186  break;
1187 
1188  case KEY_STATE_TYPE_DNSKEY: /* Intentional fall-through */
1190  end_date = zone_db_ttl_end_dk(zone);
1191  ttl = policy_keys_ttl(policy);
1192  break;
1193 
1194  case KEY_STATE_TYPE_RRSIG:
1195  end_date = zone_db_ttl_end_rs(zone);
1202  break;
1203 
1204  default:
1205  return -1;
1206  }
1207 
1208  return max((int)difftime(end_date, now), ttl);
1209 }
1210 
1217 static int
1218 isSuccessable(struct future_key* future_key)
1219 {
1220  if (!future_key) {
1221  return -1;
1222  }
1223 
1224  if (future_key->next_state != UNRETENTIVE) {
1225  return 0;
1226  }
1227 
1228  switch (future_key->type) {
1229  case KEY_STATE_TYPE_DS:
1230  case KEY_STATE_TYPE_RRSIG:
1232  return 0;
1233  }
1234  break;
1235 
1237  return 0;
1238 
1239  case KEY_STATE_TYPE_DNSKEY:
1242  {
1243  return 0;
1244  }
1245  break;
1246 
1247  default:
1248  return -1;
1249  }
1250 
1251  return 1;
1252 }
1253 
1261 static int
1262 markSuccessors(db_connection_t *dbconn, key_data_t** keylist,
1263  size_t keylist_size, struct future_key *future_key,
1264  key_dependency_list_t* deplist, const zone_db_t* zone)
1265 {
1266  static const char *scmd = "markSuccessors";
1267  size_t i;
1270  int cmp;
1271 
1272  if (!dbconn || !keylist || !future_key || !deplist || !zone) {
1273  return -1;
1274  }
1275 
1276  /* If key,type in deplist and new state is omnipresent it is no
1277  * longer relevant for the dependencies */
1278  if (future_key->next_state == OMNIPRESENT) {
1279  /* Remove any entries for this key,type tuple from successors */
1280  for (kd = key_dependency_list_get_begin(deplist); kd;
1281  key_dependency_free(kd),
1282  kd = key_dependency_list_get_next(deplist))
1283  {
1285  key_dependency_to_key_data_id(kd), &cmp) == DB_OK &&
1286  !cmp && kd->type == (key_dependency_type_t)future_key->type)
1287  {
1289  }
1290 
1291  }
1292  }
1293 
1294  if (isSuccessable(future_key) < 1) {
1295  return 0;
1296  }
1297 
1298  for (i = 0; i < keylist_size; i++) {
1299  if (isPotentialSuccessor(keylist[i], future_key->key, future_key, future_key->type) > 0) {
1300  switch (future_key->type) {
1301  case KEY_STATE_TYPE_DS:
1303  break;
1304 
1305  case KEY_STATE_TYPE_DNSKEY:
1307  break;
1308 
1311  break;
1312 
1313  case KEY_STATE_TYPE_RRSIG:
1315  break;
1316 
1317  default:
1318  return -1;
1319  }
1320 
1321  if (!(key_dependency = key_dependency_new(dbconn))
1327  {
1328  ods_log_error("[%s] %s: unable to create key dependency between %s and %s",
1329  module_str, scmd,
1333  return -1;
1334  }
1336  }
1337  }
1338 
1339  return 1;
1340 }
1341 
1351 static time_t
1352 updateZone(db_connection_t *dbconn, policy_t const *policy, zone_db_t* zone,
1353  const time_t now, int allow_unsigned, int *zone_updated,
1354  key_data_t** keylist, size_t keylist_size, key_dependency_list_t *deplist)
1355 {
1356  time_t returntime_zone = -1;
1357  unsigned int ttl;
1358  static const char *scmd = "updateZone";
1359  size_t i;
1360  unsigned int j, change;
1361  static const key_state_type_t type[] = {
1366  };
1367  struct future_key future_key;
1369  key_state_state_t state;
1370  time_t returntime_key;
1372  int key_data_updated, process, key_state_created;
1373  const db_enum_t* state_enum, *next_state_enum, *type_enum;
1374  key_dependency_list_t *deplisttmp = NULL;
1375 
1376  if (!dbconn) {
1377  /* TODO: better log error */
1378  ods_log_error("[%s] %s: no dbconn", module_str, scmd);
1379  return returntime_zone;
1380  }
1381  if (!policy) {
1382  /* TODO: better log error */
1383  ods_log_error("[%s] %s: no policy", module_str, scmd);
1384  return returntime_zone;
1385  }
1386  if (!zone) {
1387  /* TODO: better log error */
1388  ods_log_error("[%s] %s: no zone", module_str, scmd);
1389  return returntime_zone;
1390  }
1391  if (!zone_updated) {
1392  /* TODO: better log error */
1393  ods_log_error("[%s] %s: no zone_updated", module_str, scmd);
1394  return returntime_zone;
1395  }
1396  if (!keylist) {
1397  /* TODO: better log error */
1398  ods_log_error("[%s] %s: no keylist", module_str, scmd);
1399  return returntime_zone;
1400  }
1401  if (!deplist) {
1402  /* TODO: better log error */
1403  ods_log_error("[%s] %s: no deplist", module_str, scmd);
1404  return returntime_zone;
1405  }
1406 
1407  ods_log_verbose("[%s] %s: processing %s with policyName %s", module_str, scmd, zone_db_name(zone), policy_name(policy));
1408 
1409  deplisttmp = zone_db_get_key_dependencies(zone);
1410 
1411  /*
1412  * The process variable will indicate if we are processing, if something
1413  * fails and sets it to 0 then it will fall through to the end.
1414  */
1415  process = 1;
1416 
1417  /*
1418  * This code keeps track of TTL changes. If in the past a large TTL is used,
1419  * our keys *may* need to transition extra careful to make sure each
1420  * resolver picks up the RRset. When this date passes we may start using the
1421  * policies TTL.
1422  */
1423  if (process && zone_db_ttl_end_ds(zone) <= now) {
1424  if (zone_db_set_ttl_end_ds(zone, addtime(now, policy_parent_ds_ttl(policy)))) {
1425  ods_log_error("[%s] %s: zone_db_set_ttl_end_ds() failed", module_str, scmd);
1426  process = 0;
1427  }
1428  else {
1429  *zone_updated = 1;
1430  }
1431  }
1432  if (process && zone_db_ttl_end_dk(zone) <= now) {
1433  /*
1434  * If no DNSKEY is currently published we must take negative caching
1435  * into account.
1436  */
1437  for (i = 0; i < keylist_size; i++) {
1438  if (key_state_state(key_data_cached_dnskey(keylist[i])) == OMNIPRESENT) {
1439  break;
1440  }
1441  }
1442  if (keylist_size < i) {
1443  ttl = max(policy_keys_ttl(policy),
1445  }
1446  else {
1447  ttl = policy_keys_ttl(policy);
1448  }
1449  if (zone_db_set_ttl_end_dk(zone, addtime(now, ttl))) {
1450  ods_log_error("[%s] %s: zone_db_set_ttl_end_dk() failed", module_str, scmd);
1451  process = 0;
1452  }
1453  else {
1454  *zone_updated = 1;
1455  }
1456  }
1457  if (process && zone_db_ttl_end_rs(zone) <= now) {
1460  }
1461  else {
1463  }
1464  if (zone_db_set_ttl_end_rs(zone, addtime(now, max(
1466  ttl))))
1467  {
1468  ods_log_error("[%s] %s: zone_db_set_ttl_end_rs() failed", module_str, scmd);
1469  process = 0;
1470  }
1471  else {
1472  *zone_updated = 1;
1473  }
1474  }
1475 
1476  /*
1477  * Create key states that do not exist.
1478  */
1479  for (i = 0; process && i < keylist_size; i++) {
1480  key_state_created = 0;
1481  if (!key_data_cached_ds(keylist[i])) {
1482  if (!(key_state = key_state_new(dbconn))
1485  || key_state_set_minimize(key_state, (key_data_minimize(keylist[i]) >> 2) & 1)
1488  || key_state_set_ttl(key_state, getZoneTTL(policy, zone, KEY_STATE_TYPE_DS, now))
1490  {
1491  ods_log_error("[%s] %s: key state DS creation failed", module_str, scmd);
1492  process = 0;
1494  key_state = NULL;
1495  break;
1496  }
1497  key_state_created = 1;
1499  key_state = NULL;
1500 
1501  if (!zone_db_signconf_needs_writing(zone)) {
1502  if (zone_db_set_signconf_needs_writing(zone, 1)) {
1503  ods_log_error("[%s] %s: zone_db_set_signconf_needs_writing() failed", module_str, scmd);
1504  process = 0;
1505  break;
1506  }
1507  else {
1508  *zone_updated = 1;
1509  }
1510  }
1511  }
1512  if (!key_data_cached_dnskey(keylist[i])) {
1513  if (!(key_state = key_state_new(dbconn))
1516  || key_state_set_minimize(key_state, (key_data_minimize(keylist[i]) >> 1) & 1)
1519  || key_state_set_ttl(key_state, getZoneTTL(policy, zone, KEY_STATE_TYPE_DNSKEY, now))
1521  {
1522  ods_log_error("[%s] %s: key state DNSKEY creation failed", module_str, scmd);
1523  process = 0;
1525  key_state = NULL;
1526  break;
1527  }
1528  key_state_created = 1;
1530  key_state = NULL;
1531 
1532  if (!zone_db_signconf_needs_writing(zone)) {
1533  if (zone_db_set_signconf_needs_writing(zone, 1)) {
1534  ods_log_error("[%s] %s: zone_db_set_signconf_needs_writing() failed", module_str, scmd);
1535  process = 0;
1536  break;
1537  }
1538  else {
1539  *zone_updated = 1;
1540  }
1541  }
1542  }
1543  if (!key_data_cached_rrsigdnskey(keylist[i])) {
1544  if (!(key_state = key_state_new(dbconn))
1549  || key_state_set_ttl(key_state, getZoneTTL(policy, zone, KEY_STATE_TYPE_RRSIGDNSKEY, now))
1551  {
1552  ods_log_error("[%s] %s: key state RRSIGDNSKEY creation failed", module_str, scmd);
1553  process = 0;
1555  key_state = NULL;
1556  break;
1557  }
1558  key_state_created = 1;
1560  key_state = NULL;
1561 
1562  if (!zone_db_signconf_needs_writing(zone)) {
1563  if (zone_db_set_signconf_needs_writing(zone, 1)) {
1564  ods_log_error("[%s] %s: zone_db_set_signconf_needs_writing() failed", module_str, scmd);
1565  process = 0;
1566  break;
1567  }
1568  else {
1569  *zone_updated = 1;
1570  }
1571  }
1572  }
1573  if (!key_data_cached_rrsig(keylist[i])) {
1574  if (!(key_state = key_state_new(dbconn))
1580  || key_state_set_ttl(key_state, getZoneTTL(policy, zone, KEY_STATE_TYPE_RRSIG, now))
1582  {
1583  ods_log_error("[%s] %s: key state RRSIG creation failed", module_str, scmd);
1584  process = 0;
1586  key_state = NULL;
1587  break;
1588  }
1589  key_state_created = 1;
1591  key_state = NULL;
1592 
1593  if (!zone_db_signconf_needs_writing(zone)) {
1594  if (zone_db_set_signconf_needs_writing(zone, 1)) {
1595  ods_log_error("[%s] %s: zone_db_set_signconf_needs_writing() failed", module_str, scmd);
1596  process = 0;
1597  break;
1598  }
1599  else {
1600  *zone_updated = 1;
1601  }
1602  }
1603  }
1604  if (key_state_created) {
1605  if (key_data_cache_key_states(keylist[i])) {
1606  ods_log_error("[%s] %s: Unable to recache key states after creating some", module_str, scmd);
1607  process = 0;
1608  break;
1609  }
1610  }
1611  }
1612 
1613  /*
1614  * Keep looping till there are no state changes and find the earliest update
1615  * time to return.
1616  */
1617  do {
1618  change = 0;
1619  for (i = 0; process && i < keylist_size; i++) {
1620  ods_log_verbose("[%s] %s: processing key %s %u", module_str, scmd,
1621  hsm_key_locator(key_data_cached_hsm_key(keylist[i])), key_data_minimize(keylist[i]));
1622 
1623  for (j = 0; process && j < (sizeof(type) / sizeof(key_state_state_t)); j++) {
1624  /*
1625  * If the state or desired_state is invalid something went wrong
1626  * and we should return.
1627  */
1628  if ((state = getState(keylist[i], type[j], NULL)) == KEY_STATE_STATE_INVALID
1629  || (next_state = getDesiredState(key_data_introducing(keylist[i]), state)) == KEY_STATE_STATE_INVALID)
1630  {
1631  ods_log_error("[%s] %s: (state || next_state) == INVALID", module_str, scmd);
1632  process = 0;
1633  break;
1634  }
1635 
1636  /*
1637  * If there is no change in key state we continue.
1638  */
1639  if (state == next_state) {
1640  continue;
1641  }
1642 
1643  /*
1644  * If the key state is a DS then we need to check if we still
1645  * are waiting for user input before we can transition the key.
1646  */
1647  if (type[j] == KEY_STATE_TYPE_DS) {
1648  if ((next_state == OMNIPRESENT
1650  || (next_state == HIDDEN
1652  {
1653  continue;
1654  }
1655  }
1656 
1657  for (type_enum = key_state_enum_set_type; type_enum->text; type_enum++) {
1658  if (type_enum->value == (int)type[j]) {
1659  break;
1660  }
1661  }
1662  for (state_enum = key_state_enum_set_state; state_enum->text; state_enum++) {
1663  if (state_enum->value == (int)state) {
1664  break;
1665  }
1666  }
1667  for (next_state_enum = key_state_enum_set_state; next_state_enum->text; next_state_enum++) {
1668  if (next_state_enum->value == (int)next_state) {
1669  break;
1670  }
1671  }
1672  ods_log_verbose("[%s] %s: May %s %s %s in state %s transition to %s?", module_str, scmd,
1673  key_data_role_text(keylist[i]),
1675  type_enum->text,
1676  state_enum->text,
1677  next_state_enum->text);
1678 
1679  future_key.key = keylist[i];
1680  future_key.type = type[j];
1682 
1683  /*
1684  * Check if policy prevents transition.
1685  */
1686  if (policyApproval(keylist, keylist_size, &future_key, deplist) < 1) {
1687  continue;
1688  }
1689  ods_log_verbose("[%s] %s Policy says we can (1/3)", module_str, scmd);
1690 
1691  /*
1692  * Check if DNSSEC state prevents transition.
1693  */
1694  if (dnssecApproval(keylist, keylist_size, &future_key, allow_unsigned, deplisttmp) < 1) {
1695  continue;
1696  }
1697  ods_log_verbose("[%s] %s DNSSEC says we can (2/3)", module_str, scmd);
1698 
1699  returntime_key = minTransitionTime(policy, type[j], next_state,
1700  key_state_last_change(getRecord(keylist[i], type[j])),
1701  getZoneTTL(policy, zone, type[j], now));
1702 
1703  /*
1704  * If this is an RRSIG and the DNSKEY is omnipresent and next
1705  * state is a certain state, wait an additional signature
1706  * lifetime to allow for 'smooth rollover'.
1707  */
1708  static const key_state_state_t mask[2][4] = {
1710  {NA, OMNIPRESENT, NA, RUMOURED}
1711  };
1712  int zsk_out = exists(keylist, keylist_size, &future_key,
1713  1, mask[0]);
1714  int zsk_in = exists(keylist, keylist_size, &future_key,
1715  1, mask[1]);
1716 
1717  if (type[j] == KEY_STATE_TYPE_RRSIG
1719  && ((next_state == OMNIPRESENT && zsk_out)
1720  || (next_state == HIDDEN && zsk_in)))
1721  {
1722  returntime_key = addtime(returntime_key,
1728  }
1729 
1730  /*
1731  * It is to soon to make this change. Schedule it.
1732  */
1733  if (returntime_key > now) {
1734  minTime(returntime_key, &returntime_zone);
1735  continue;
1736  }
1737 
1738  ods_log_verbose("[%s] %s Timing says we can (3/3) now: %lu key: %lu",
1739  module_str, scmd, (unsigned long)now, (unsigned long)returntime_key);
1740 
1741  /*
1742  * A record can only reach Omnipresent if properly backed up.
1743  */
1744  if (next_state == OMNIPRESENT) {
1747  {
1748  ods_log_crit("[%s] %s Ready for transition but key material not backed up yet (%s)",
1749  module_str, scmd, hsm_key_locator(key_data_cached_hsm_key(keylist[i])));
1750 
1751  /*
1752  * Try again in 60 seconds
1753  */
1754  returntime_key = addtime(now, 60);
1755  minTime(returntime_key, &returntime_zone);
1756  continue;
1757  }
1758  }
1759 
1760  /*
1761  * If we are handling a DS we depend on the user or
1762  * some other external process. We must communicate
1763  * through the DSSeen and -submit flags.
1764  */
1765  if (type[j] == KEY_STATE_TYPE_DS) {
1766  key_data_updated = 0;
1767 
1768  /*
1769  * Ask the user to submit the DS to the parent.
1770  */
1771  if (next_state == RUMOURED) {
1772  switch (key_data_ds_at_parent(keylist[i])) {
1776  break;
1777 
1779  /*
1780  * Hypothetical case where we reintroduce keys.
1781  */
1783  key_data_updated = 1;
1784  break;
1785 
1786  default:
1788  key_data_updated = 1;
1789  }
1790  }
1791  /*
1792  * Ask the user to remove the DS from the parent.
1793  */
1794  else if (next_state == UNRETENTIVE) {
1795  switch(key_data_ds_at_parent(keylist[i])) {
1797  /*
1798  * Never submitted.
1799  * NOTE: not safe if we support reintroducing of keys.
1800  */
1802  key_data_updated = 1;
1803  break;
1804 
1808  break;
1809 
1810  default:
1812  key_data_updated = 1;
1813  }
1814  }
1815 
1816  /*
1817  * Save the changes made to the key data if any.
1818  */
1819  if (key_data_updated) {
1820  if (key_data_update(keylist[i])) {
1821  ods_log_info("[%s] %s: key data update failed", module_str, scmd);
1822  process = 0;
1823  break;
1824  }
1825  /*
1826  * We now need to reread the key data object.
1827  *
1828  * TODO: This needs investigation how to do better.
1829  */
1830  if (key_data_get_by_id(keylist[i], key_data_id(keylist[i]))
1831  || key_data_cache_key_states(keylist[i])
1832  || key_data_cache_hsm_key(keylist[i]))
1833  {
1834  ods_log_error("[%s] %s: key data reread failed", module_str, scmd);
1835  process = 0;
1836  break;
1837  }
1838  }
1839  }
1840 
1841  /*
1842  * We've passed all tests! Make the transition.
1843  */
1844  key_state = NULL;
1845 
1846  switch (future_key.type) {
1847  case KEY_STATE_TYPE_DS:
1849  break;
1850 
1851  case KEY_STATE_TYPE_DNSKEY:
1853  break;
1854 
1855  case KEY_STATE_TYPE_RRSIG:
1857  break;
1858 
1861  break;
1862 
1863  default:
1864  ods_log_error("[%s] %s: future key type error", module_str, scmd);
1865  process = 0;
1866  break;
1867  }
1868 
1869  for (next_state_enum = key_state_enum_set_state; next_state_enum->text; next_state_enum++) {
1870  if (next_state_enum->value == (int)next_state) {
1871  break;
1872  }
1873  }
1874  ods_log_verbose("[%s] %s: Transitioning %s %s %s from %s to %s", module_str, scmd,
1875  key_data_role_text(keylist[i]),
1879  next_state_enum->text);
1880 
1883  || key_state_set_ttl(key_state, getZoneTTL(policy, zone, future_key.type, now))
1885  {
1886  ods_log_error("[%s] %s: key state transition failed", module_str, scmd);
1887  process = 0;
1889  break;
1890  }
1892 
1893  if (!zone_db_signconf_needs_writing(zone)) {
1894  if (zone_db_set_signconf_needs_writing(zone, 1)) {
1895  ods_log_error("[%s] %s: zone_db_set_signconf_needs_writing() failed", module_str, scmd);
1896  process = 0;
1897  break;
1898  }
1899  else {
1900  *zone_updated = 1;
1901  }
1902  }
1903 
1904  if (markSuccessors(dbconn, keylist, keylist_size, &future_key, deplisttmp, zone) < 0) {
1905  ods_log_error("[%s] %s: markSuccessors() error", module_str, scmd);
1906  process = 0;
1907  break;
1908  }
1909  /*deps have changed reload*/
1910  key_dependency_list_free(deplisttmp);
1911  deplisttmp = zone_db_get_key_dependencies(zone);
1912 
1913 
1914  if (key_data_cache_key_states(keylist[i])) {
1915  ods_log_error("[%s] %s: Unable to recache key states after transition", module_str, scmd);
1916  process = 0;
1917  break;
1918  }
1919 
1920  change = true;
1921  }
1922  }
1923  } while (process && change);
1924  key_dependency_list_free(deplisttmp);
1925  return returntime_zone;
1926 }
1927 
1931 static const hsm_key_t*
1932 getLastReusableKey(key_data_list_t *key_list, const policy_key_t *pkey)
1933 {
1934  const key_data_t *key;
1935  hsm_key_t *hkey, *hkey_young = NULL;
1936  hsm_key_list_t* hsmkeylist;
1937  int match;
1938  int cmp;
1939 
1940  if (!key_list || !pkey)
1941  return NULL;
1942 
1943  hsmkeylist = hsm_key_list_new_get_by_policy_key(pkey);
1944  for (hkey = hsm_key_list_get_begin(hsmkeylist); hkey;
1945  hkey = hsm_key_list_get_next(hsmkeylist))
1946  {
1948  if ((~hsm_key_role(hkey) & policy_key_role(pkey)) != 0 ||
1951  hkey->state == HSM_KEY_STATE_UNUSED ||
1952  hkey->state == HSM_KEY_STATE_DELETE )
1953  {
1954  hsm_key_free(hkey);
1955  continue;
1956  }
1957 
1959  for (match = 0, key = key_data_list_begin(key_list); key; key = key_data_list_next(key_list)) {
1960  if (!db_value_cmp(key_data_hsm_key_id(key), hsm_key_id(hkey), &cmp)
1961  && cmp == 0)
1962  {
1964  match = 1;
1965  break;
1966  }
1967  }
1968  if (match) {
1969  hsm_key_free(hkey);
1970  continue;
1971  }
1972 
1974  if (!hkey_young || hsm_key_inception(hkey_young) < hsm_key_inception(hkey)) {
1975  hsm_key_free(hkey_young);
1976  hkey_young = hkey;
1977  }
1978  }
1979 
1980  hsm_key_list_free(hsmkeylist);
1981  return hkey_young;
1982 }
1983 
1992 static int
1993 existsPolicyForKey(policy_key_list_t *policykeylist, const key_data_t *key)
1994 {
1995  static const char *scmd = "existsPolicyForKey";
1996  const policy_key_t *pkey;
1997  hsm_key_t *hkey;
1998 
1999  if (!policykeylist) {
2000  return -1;
2001  }
2002  if (!key) {
2003  return -1;
2004  }
2005 
2006  if (!(hkey = key_data_get_hsm_key(key))) {
2007  /*
2008  * This key is not associated with actual key material!
2009  * This is a bug or database corruption.
2010  * Crashing here is an option but we just return false so the
2011  * key will be thrown away in a graceful manner.
2012  */
2013  ods_log_verbose("[%s] %s no hsmkey!", module_str, scmd);
2014  return 0;
2015  }
2016  pkey = policy_key_list_begin(policykeylist);
2017  while (pkey) {
2018  if ((int)policy_key_role(pkey) == (int)key_data_role(key) &&
2019  hsm_key_repository(hkey) && policy_key_repository(pkey) &&
2020  strcmp(hsm_key_repository(hkey), policy_key_repository(pkey)) == 0 &&
2021  hsm_key_algorithm(hkey) == policy_key_algorithm(pkey) &&
2022  hsm_key_bits(hkey) == policy_key_bits(pkey))
2023  {
2024  hsm_key_free(hkey);
2025  return 1;
2026  }
2027  pkey = policy_key_list_next(policykeylist);
2028  }
2029  ods_log_verbose("[%s] %s not found such config", module_str, scmd);
2030  hsm_key_free(hkey);
2031  return 0;
2032 }
2033 
2034 static int
2035 last_inception_policy(key_data_list_t *key_list, const policy_key_t *pkey)
2036 {
2037  const key_data_t *key = NULL;
2038  hsm_key_t *hsmkey = NULL;
2039  int max_inception = -1;
2040 
2041  if (!key_list || !pkey) return -1;
2042 
2043  /*
2044  * Must match: role, bits, algorithm and repository.
2045  */
2046  for (key = key_data_list_begin(key_list); key;
2047  key = key_data_list_next(key_list))
2048  {
2049  if ((int)policy_key_role(pkey) != (int)key_data_role(key) ||
2051  (hsmkey = key_data_get_hsm_key(key)) == NULL ||
2052  policy_key_bits(pkey) != hsm_key_bits(hsmkey) ||
2053  policy_key_algorithm(pkey) != hsm_key_algorithm(hsmkey) ||
2054  strcmp(policy_key_repository(pkey), hsm_key_repository(hsmkey)))
2055  {
2056  hsm_key_free(hsmkey);
2057  hsmkey = NULL;
2058  continue;
2059  }
2060  hsm_key_free(hsmkey);
2061  hsmkey = NULL;
2063  if (max_inception == -1 || max_inception < (signed int)key_data_inception(key))
2064  {
2065  max_inception = key_data_inception(key);
2066  }
2067  }
2068  return max_inception;
2069 }
2070 
2079 static int
2080 key_for_conf(key_data_list_t *key_list, const policy_key_t *pkey)
2081 {
2082  const key_data_t *key;
2083 
2084  if (!key_list) {
2085  return 0;
2086  }
2087  if (!pkey) {
2088  return 0;
2089  }
2090 
2091  for (key = key_data_list_begin(key_list); key;
2092  key = key_data_list_next(key_list))
2093  {
2095  (int)policy_key_role(pkey) == (int)key_data_role(key))
2096  {
2097  return 1;
2098  }
2099  }
2100  return 0;
2101 }
2102 
2109 static void
2110 setnextroll(zone_db_t *zone, const policy_key_t *pkey, time_t t)
2111 {
2112  assert(zone);
2113  assert(pkey);
2114 
2115  switch(policy_key_role(pkey)) {
2116  case POLICY_KEY_ROLE_KSK:
2117  zone->next_ksk_roll = (unsigned int)t;
2118  break;
2119  case POLICY_KEY_ROLE_ZSK:
2120  zone->next_zsk_roll = (unsigned int)t;
2121  break;
2122  case POLICY_KEY_ROLE_CSK:
2123  zone->next_csk_roll = (unsigned int)t;
2124  break;
2125  default:
2126  assert(0);
2127  }
2128 }
2129 
2130 static int
2131 enforce_roll(const zone_db_t *zone, const policy_key_t *pkey)
2132 {
2133  if (!zone) {
2134  return 0;
2135  }
2136  if (!pkey) {
2137  return 0;
2138  }
2139 
2140  switch(policy_key_role(pkey)) {
2141  case POLICY_KEY_ROLE_KSK:
2142  return zone_db_roll_ksk_now(zone);
2143  case POLICY_KEY_ROLE_ZSK:
2144  return zone_db_roll_zsk_now(zone);
2145  case POLICY_KEY_ROLE_CSK:
2146  return zone_db_roll_csk_now(zone);
2147  default:
2148  return 0;
2149  }
2150 }
2151 
2152 static int
2153 set_roll(zone_db_t *zone, const policy_key_t *pkey, unsigned int roll)
2154 {
2155  if (!zone) {
2156  return 0;
2157  }
2158  if (!pkey) {
2159  return 0;
2160  }
2161 
2162  switch(policy_key_role(pkey)) {
2163  case POLICY_KEY_ROLE_KSK:
2164  return zone_db_set_roll_ksk_now(zone, roll);
2165  case POLICY_KEY_ROLE_ZSK:
2166  return zone_db_set_roll_zsk_now(zone, roll);
2167  case POLICY_KEY_ROLE_CSK:
2168  return zone_db_set_roll_csk_now(zone, roll);
2169  default:
2170  return 1;
2171  }
2172 }
2173 
2183 static time_t
2184 updatePolicy(engine_type *engine, db_connection_t *dbconn, policy_t const *policy,
2185  zone_db_t *zone, const time_t now, int *allow_unsigned, int *zone_updated)
2186 {
2187  time_t return_at = -1;
2188  key_data_list_t *keylist;
2189  policy_key_list_t *policykeylist;
2190  const key_data_t *key;
2191  key_data_t *mutkey = NULL;
2192  key_data_t *mutkey2 = NULL;
2193  const policy_key_t *pkey;
2194  const hsm_key_t *hsmkey;
2195  hsm_key_t *hsmkey2 = NULL;
2196  hsm_key_t *newhsmkey = NULL;
2197  static const char *scmd = "updatePolicy";
2198  int force_roll;
2199  time_t t_ret;
2200  key_data_role_t key_role;
2201  int err;
2202  uint16_t tag;
2203  int ret;
2204 
2205  if (!dbconn) {
2206  /* TODO: better log error */
2207  ods_log_error("[%s] %s: no dbconn", module_str, scmd);
2208  return now + 60;
2209  }
2210  if (!policy) {
2211  /* TODO: better log error */
2212  ods_log_error("[%s] %s: no policy", module_str, scmd);
2213  return now + 60;
2214  }
2215  if (!zone) {
2216  /* TODO: better log error */
2217  ods_log_error("[%s] %s: no zone", module_str, scmd);
2218  return now + 60;
2219  }
2220  if (!allow_unsigned) {
2221  /* TODO: better log error */
2222  ods_log_error("[%s] %s: no allow_unsigned", module_str, scmd);
2223  return now + 60;
2224  }
2225  if (!zone_updated) {
2226  /* TODO: better log error */
2227  ods_log_error("[%s] %s: no zone_updated", module_str, scmd);
2228  return now + 60;
2229  }
2230 
2231  ods_log_verbose("[%s] %s: policyName: %s", module_str, scmd, policy_name(policy));
2232 
2233  /*
2234  * Get all policy keys (configurations) for the given policy and fetch all
2235  * the policy key database objects so we can iterate over it more then once.
2236  */
2237  if (!(policykeylist = policy_get_policy_keys(policy))) {
2238  /* TODO: better log error */
2239  ods_log_error("[%s] %s: error policy_get_policy_keys()", module_str, scmd);
2240  policy_key_list_free(policykeylist);
2241  return now + 60;
2242  }
2243 
2244  /*
2245  * Get all key data objects for the given zone and fetch all the objects
2246  * from the database so we can use the list again later.
2247  */
2248  if (!(keylist = zone_db_get_keys(zone))) {
2249  /* TODO: better log error */
2250  ods_log_error("[%s] %s: error zone_db_get_keys()", module_str, scmd);
2251  key_data_list_free(keylist);
2252  policy_key_list_free(policykeylist);
2253  return now + 60;
2254  }
2255 
2256  /*
2257  * Decommission all key data objects without any matching policy key config.
2258  */
2259  while ((key = key_data_list_next(keylist))) {
2260  ret = existsPolicyForKey(policykeylist, key);
2261  if (ret < 0) {
2262  /* TODO: better log error */
2263  ods_log_error("[%s] %s: error existsPolicyForKey() < 0", module_str, scmd);
2264  key_data_list_free(keylist);
2265  policy_key_list_free(policykeylist);
2266  return now + 60;
2267  }
2268  if (!ret) {
2269  if (!(mutkey = key_data_new_copy(key))
2270  || key_data_set_introducing(mutkey, 0)
2271  || key_data_update(mutkey))
2272  {
2273  /* TODO: better log error */
2274  ods_log_error("[%s] %s: error update mutkey", module_str, scmd);
2275  key_data_free(mutkey);
2276  key_data_list_free(keylist);
2277  policy_key_list_free(policykeylist);
2278  return now + 60;
2279  }
2280  key_data_free(mutkey);
2281  mutkey = NULL;
2282  }
2283  }
2284 
2285  pkey = policy_key_list_begin(policykeylist);
2286 
2287  /*
2288  * If no keys are configured an unsigned zone is okay.
2289  */
2290  *allow_unsigned = pkey ? 0 : 1;
2291 
2292  /* If there are no keys configured set 'signconf_needs_writing'
2293  * every time this function is called */
2294  if (!policy_key_list_size(policykeylist)) {
2295  if (zone_db_set_signconf_needs_writing(zone, 1)) {
2296  ods_log_error("[%s] %s: zone_db_set_signconf_needs_writing() failed", module_str, scmd);
2297  } else {
2298  *zone_updated = 1;
2299  }
2300  }
2301 
2302  for (; pkey; pkey = policy_key_list_next(policykeylist)) {
2303  newhsmkey = NULL;
2304  /*
2305  * Check if we should roll, first get the roll state from the zone then
2306  * check if the policy key is set to manual rollover and last check the
2307  * key timings.
2308  */
2309  force_roll = enforce_roll(zone, pkey);
2310  if (policy_key_manual_rollover(pkey)) {
2311  /*
2312  * If this policy key is set to manual rollover and we do not have
2313  * a key yet (for ex first run) then we should roll anyway.
2314  */
2315  if (!key_for_conf(keylist, pkey)) {
2316  force_roll = 1;
2317  }
2318  else if (!force_roll) {
2319  /*
2320  * Since this is set to manual rollover we do not want it to
2321  * roll unless we have zone state saying that we should roll.
2322  */
2323  continue;
2324  }
2325  }
2326  if (!force_roll) {
2327  int inception = -1;
2328  /*
2329  * We do not need to roll but we should check if the youngest key
2330  * needs to be replaced. If not we reschedule for later based on the
2331  * youngest key.
2332  * TODO: Describe better why the youngest?!?
2333  */
2334  inception = last_inception_policy(keylist, pkey);
2335  if (inception != -1 &&
2336  inception + policy_key_lifetime(pkey) > now)
2337  {
2338  t_ret = addtime(inception, policy_key_lifetime(pkey));
2339  minTime(t_ret, &return_at);
2340  setnextroll(zone, pkey, t_ret);
2341  *zone_updated = 1;
2342  continue;
2343  }
2344  }
2345 
2346  /*
2347  * Time for a new key
2348  */
2349  ods_log_verbose("[%s] %s: New key needed for role %s",
2350  module_str, scmd, policy_key_role_text(pkey));
2351 
2352  /*
2353  * Sanity check for unreasonable short key lifetime.
2354  * This would produce silly output and give the signer lots of useless
2355  * work to do otherwise.
2356  */
2357  if ((policy_key_role(pkey) == POLICY_KEY_ROLE_KSK ||
2360  policy_key_lifetime(pkey))
2361  {
2362  ods_log_error("[%s] %s: For policy %s %s key lifetime of %d "
2363  "is unreasonably short with respect to sum of parent "
2364  "TTL (%d) and key TTL (%d). Will not insert key!",
2365  module_str, scmd, policy_name(policy), policy_key_role_text(pkey),
2368  setnextroll(zone, pkey, now);
2369  *zone_updated = 1;
2370  continue;
2371  }
2372  if ((policy_key_role(pkey) == POLICY_KEY_ROLE_ZSK ||
2375  policy_key_lifetime(pkey))
2376  {
2377  ods_log_crit("[%s] %s: For policy %s %s key lifetime of %d "
2378  "is unreasonably short with respect to sum of "
2379  "MaxZoneTTL (%d) and key TTL (%d). Will not insert key!",
2380  module_str, scmd, policy_name(policy), policy_key_role_text(pkey),
2383  setnextroll(zone, pkey, now);
2384  *zone_updated = 1;
2385  continue;
2386  }
2387 
2388  /*
2389  * Get a new key, either a existing/shared key if the policy is set to
2390  * share keys or create a new key.
2391  */
2392  if (policy_keys_shared(policy)) {
2393  hsmkey = getLastReusableKey(keylist, pkey);
2394 
2395  if (!hsmkey) {
2396  newhsmkey = hsm_key_factory_get_key(engine, dbconn, pkey, HSM_KEY_STATE_SHARED);
2397  hsmkey = newhsmkey;
2398  }
2399  } else {
2400  newhsmkey = hsm_key_factory_get_key(engine, dbconn, pkey, HSM_KEY_STATE_PRIVATE);
2401  hsmkey = newhsmkey;
2402  }
2403 
2404  if (!hsmkey) {
2405  /*
2406  * Unable to get/create a HSM key at this time, retry later.
2407  */
2408  ods_log_warning("[%s] %s: No keys available in HSM for policy %s, retry in %d seconds",
2409  module_str, scmd, policy_name(policy), NOKEY_TIMEOUT);
2410  minTime(now + NOKEY_TIMEOUT, &return_at);
2411  setnextroll(zone, pkey, now);
2412  *zone_updated = 1;
2413  continue;
2414  }
2415  ods_log_verbose("[%s] %s: got new key from HSM", module_str, scmd);
2416 
2417  /*
2418  * TODO: This will be replaced once roles are global
2419  */
2420  key_role = KEY_DATA_ROLE_INVALID;
2421  switch (policy_key_role(pkey)) {
2422  case POLICY_KEY_ROLE_KSK:
2423  key_role = KEY_DATA_ROLE_KSK;
2424  break;
2425 
2426  case POLICY_KEY_ROLE_ZSK:
2427  key_role = KEY_DATA_ROLE_ZSK;
2428  break;
2429 
2430  case POLICY_KEY_ROLE_CSK:
2431  key_role = KEY_DATA_ROLE_CSK;
2432  break;
2433 
2434  default:
2435  break;
2436  }
2437 
2438  /*
2439  * Create a new key data object.
2440  */
2441  if (!(mutkey = key_data_new(dbconn))
2442  || key_data_set_zone_id(mutkey, zone_db_id(zone))
2443  || key_data_set_hsm_key_id(mutkey, hsm_key_id(hsmkey))
2445  || key_data_set_inception(mutkey, now)
2446  || key_data_set_role(mutkey, key_role)
2447  || key_data_set_minimize(mutkey, policy_key_minimize(pkey))
2448  || key_data_set_introducing(mutkey, 1)
2450  {
2451  /* TODO: better log error */
2452  ods_log_error("[%s] %s: error new key", module_str, scmd);
2453  key_data_free(mutkey);
2454  if (newhsmkey) {
2455  hsm_key_factory_release_key(newhsmkey, dbconn);
2456  }
2457  hsm_key_free(newhsmkey);
2458  key_data_list_free(keylist);
2459  policy_key_list_free(policykeylist);
2460  return now + 60;
2461  }
2462 
2463  /*
2464  * Generate keytag for the new key and set it.
2465  */
2466  err = hsm_keytag(hsm_key_locator(hsmkey), hsm_key_algorithm(hsmkey),
2467  HSM_KEY_ROLE_SEP(hsm_key_role(hsmkey)), &tag);
2468  if (err || key_data_set_keytag(mutkey, tag))
2469  {
2470  /* TODO: better log error */
2471  ods_log_error("[%s] %s: error keytag", module_str, scmd);
2472  key_data_free(mutkey);
2473  if (newhsmkey) {
2474  hsm_key_factory_release_key(newhsmkey, dbconn);
2475  }
2476  hsm_key_free(newhsmkey);
2477  key_data_list_free(keylist);
2478  policy_key_list_free(policykeylist);
2479  return now + 60;
2480  }
2481 
2482  /*
2483  * Create the new key in the database, if successful we set the next
2484  * roll after the lifetime of the key.
2485  */
2486  if (key_data_create(mutkey)) {
2487  /* TODO: better log error */
2488  ods_log_error("[%s] %s: error key_data_create()", module_str, scmd);
2489  key_data_free(mutkey);
2490  if (newhsmkey) {
2491  hsm_key_factory_release_key(newhsmkey, dbconn);
2492  }
2493  hsm_key_free(newhsmkey);
2494  key_data_list_free(keylist);
2495  policy_key_list_free(policykeylist);
2496  return now + 60;
2497  }
2498  t_ret = addtime(now, policy_key_lifetime(pkey));
2499  minTime(t_ret, &return_at);
2500  setnextroll(zone, pkey, t_ret);
2501  *zone_updated = 1;
2502 
2503  /*
2504  * Tell similar keys to out-troduce.
2505  * Similar keys are those that match role, algorithm, bits and repository
2506  * and are introduced.
2507  *
2508  * NOTE:
2509  * Will not work if a policy has 2 or more keys of the same role, algorithm,
2510  * bits and repository. Unclear how to fix this since keys are not directly
2511  * related to a policy key.
2512  * We currently do not allow two policy keys with the same attributes.
2513  */
2514  for (key = key_data_list_begin(keylist); key; key = key_data_list_next(keylist)) {
2516  && key_data_role(key) == key_data_role(mutkey)
2518  && (hsmkey2 = key_data_get_hsm_key(key))
2519  && hsm_key_bits(hsmkey2) == hsm_key_bits(hsmkey)
2520  && !strcmp(hsm_key_repository(hsmkey2), hsm_key_repository(hsmkey)))
2521  {
2522  if (!(mutkey2 = key_data_new_copy(key))
2523  || key_data_set_introducing(mutkey2, 0)
2524  || key_data_update(mutkey2))
2525  {
2526  /* TODO: better log error */
2527  ods_log_error("[%s] %s: error update mutkey2", module_str, scmd);
2528  key_data_free(mutkey2);
2529  hsm_key_free(hsmkey2);
2530  key_data_free(mutkey);
2531  hsm_key_free(newhsmkey);
2532  key_data_list_free(keylist);
2533  policy_key_list_free(policykeylist);
2534  return now + 60;
2535  }
2536 
2537  ods_log_verbose("[%s] %s: decommissioning old key: %s", module_str, scmd, hsm_key_locator(hsmkey2));
2538 
2539  key_data_free(mutkey2);
2540  mutkey2 = NULL;
2541  }
2542  hsm_key_free(hsmkey2);
2543  hsmkey2 = NULL;
2544  }
2545 
2546  key_data_free(mutkey);
2547  mutkey = NULL;
2548  hsm_key_free(newhsmkey);
2549  newhsmkey = NULL;
2550 
2551  /*
2552  * Clear roll now (if set) in the zone for this policy key.
2553  */
2554  if (enforce_roll(zone, pkey)) {
2555  if (set_roll(zone, pkey, 0)) {
2556  /* TODO: better log error */
2557  ods_log_error("[%s] %s: error set_roll()", module_str, scmd);
2558  key_data_list_free(keylist);
2559  policy_key_list_free(policykeylist);
2560  return now + 60;
2561  }
2562  *zone_updated = 1;
2563  }
2564  }
2565 
2566  key_data_list_free(keylist);
2567  policy_key_list_free(policykeylist);
2568 
2569  return return_at;
2570 }
2571 
2572 static time_t
2573 removeDeadKeys(db_connection_t *dbconn, key_data_t** keylist,
2574  size_t keylist_size, key_dependency_list_t *deplist, const time_t now,
2575  const int purgetime)
2576 {
2577  static const char *scmd = "removeDeadKeys";
2578  time_t first_purge = -1, key_time;
2579  size_t i, deplist2_size = 0;
2580  int key_purgable, cmp;
2581  unsigned int j;
2582  const key_state_t* state = NULL;
2583  key_dependency_t **deplist2 = NULL;
2584 
2585  assert(keylist);
2586  assert(deplist);
2587 
2588  deplist2_size = key_dependency_list_size(deplist);
2589  deplist2 = (key_dependency_t**)calloc(deplist2_size, sizeof(key_dependency_t*));
2590  /* deplist might be NULL but is always freeable */
2591  if (deplist2_size > 0)
2592  deplist2[0] = key_dependency_list_get_begin(deplist);
2593  for (i = 1; i < deplist2_size; i++)
2594  deplist2[i] = key_dependency_list_get_next(deplist);
2595 
2596  for (i = 0; i < keylist_size; i++) {
2597  if (key_data_introducing(keylist[i])) continue;
2598  key_time = -1;
2599  key_purgable = 1;
2600  for (j = 0; j<4; j++) {
2601  switch(j){
2602  case 0: state = key_data_cached_ds(keylist[i]); break;
2603  case 1: state = key_data_cached_dnskey(keylist[i]); break;
2604  case 2: state = key_data_cached_rrsigdnskey(keylist[i]); break;
2605  case 3: state = key_data_cached_rrsig(keylist[i]);
2606  }
2607  if (key_state_state(state) == NA) continue;
2608  if (key_state_state(state) != HIDDEN) {
2609  key_purgable = 0;
2610  break;
2611  }
2612  if (key_time == -1 || key_state_last_change(state) > (unsigned int)key_time) {
2613  key_time = key_state_last_change(state);
2614  }
2615  }
2616  if (key_time != -1) key_time = addtime(key_time, purgetime);
2617  if (key_purgable) {
2618  /* key is purgable, is it time yet? */
2619  if (now >= key_time) {
2620  key_state_t* ks_ds = key_data_get_cached_ds(keylist[i]);
2621  key_state_t* ks_dk = key_data_get_cached_dnskey(keylist[i]);
2622  key_state_t* ks_rd = key_data_get_cached_rrsigdnskey(keylist[i]);
2623  key_state_t* ks_rs = key_data_get_cached_rrsig(keylist[i]);
2624 
2625  ods_log_info("[%s] %s deleting key: %s", module_str, scmd,
2627 
2628  if ( key_state_delete(ks_ds) || key_state_delete(ks_dk)
2629  || key_state_delete(ks_rd) || key_state_delete(ks_rs)
2630  || key_data_delete(keylist[i])
2632  {
2633  /* TODO: better log error */
2634  ods_log_error("[%s] %s: key_state_delete() || key_data_delete() || hsm_key_factory_release_key() failed", module_str, scmd);
2635  }
2636  key_state_free(ks_ds);
2637  key_state_free(ks_dk);
2638  key_state_free(ks_rd);
2639  key_state_free(ks_rs);
2640  } else {
2641  minTime(key_time, &first_purge);
2642  }
2643  /* we can clean up dependency because key is purgable */
2644 
2645  for (j = 0; j < deplist2_size; j++) {
2646  if (!deplist2[j]) continue;
2647  if (db_value_cmp(key_data_id(keylist[i]), key_dependency_from_key_data_id(deplist2[j]), &cmp)) {
2648  /* TODO: better log error */
2649  ods_log_error("[%s] %s: cmp deplist from failed", module_str, scmd);
2650  break;
2651  }
2652  if(cmp) continue;
2653 
2654  if (key_dependency_delete(deplist2[j])) {
2655  /* TODO: better log error */
2656  ods_log_error("[%s] %s: key_dependency_delete() failed", module_str, scmd);
2657  break;
2658  }
2659  }
2660  }
2661  }
2662  for (i = 0; i < deplist2_size; i++){
2663  key_dependency_free(deplist2[i]);
2664  }
2665  free(deplist2);
2666 
2667  int deleteCount = hsm_key_factory_delete_key(dbconn);
2668  ods_log_info("[%s] %s: keys deleted from HSM: %d", module_str, scmd, deleteCount);
2669 
2670  if(deleteCount > 0) {
2671  return -1 - deleteCount;
2672  } else {
2673  return first_purge;
2674  }
2675 }
2676 
2677 time_t
2678 update(engine_type *engine, db_connection_t *dbconn, zone_db_t *zone, policy_t const *policy, time_t now, int *zone_updated)
2679 {
2680  int allow_unsigned = 0;
2681  time_t policy_return_time, zone_return_time, purge_return_time = -1, return_time;
2682  key_data_list_t *key_list;
2683  const key_data_t* key;
2684  key_data_t** keylist = NULL;
2685  size_t keylist_size, i;
2686  key_dependency_list_t *deplist;
2687  static const char *scmd = "update";
2688  int key_data_updated;
2689 
2690  if (!engine) {
2691  ods_log_error("[%s] no engine", module_str);
2692  return now + 60;
2693  }
2694  if (!dbconn) {
2695  ods_log_error("[%s] no dbconn", module_str);
2696  return now + 60;
2697  }
2698  if (!zone) {
2699  ods_log_error("[%s] no zone", module_str);
2700  return now + 60;
2701  }
2702  if (!policy) {
2703  ods_log_error("[%s] no policy", module_str);
2704  return now + 60;
2705  }
2706  if (!zone_updated) {
2707  ods_log_error("[%s] no zone_updated", module_str);
2708  return now + 60;
2709  }
2710 
2711  ods_log_info("[%s] update zone: %s", module_str, zone_db_name(zone));
2712 
2713  if (engine->config->rollover_notification && zone_db_next_ksk_roll(zone) > 0) {
2714  if ((time_t)zone_db_next_ksk_roll(zone) - engine->config->rollover_notification <= now
2715  && (time_t)zone_db_next_ksk_roll(zone) != now) {
2716  time_t t = (time_t) zone_db_next_ksk_roll(zone);
2717  ods_log_info("[%s] KSK Rollover for zone %s is impending, "
2718  "rollover will happen at %s",
2719  module_str, zone_db_name(zone), ctime(&t));
2720  }
2721  }
2722  else if (engine->config->rollover_notification && zone_db_next_csk_roll(zone) > 0) {
2723  if ((time_t)zone_db_next_csk_roll(zone) - engine->config->rollover_notification <= now
2724  && (time_t)zone_db_next_csk_roll(zone) != now) {
2725  time_t t = (time_t) zone_db_next_csk_roll(zone);
2726  ods_log_info("[%s] CSK Rollover for zone %s is impending, "
2727  "rollover will happen at %s",
2728  module_str, zone_db_name(zone), ctime(&t));
2729  }
2730  }
2731 
2732 
2733  /*
2734  * Update policy.
2735  */
2736  policy_return_time = updatePolicy(engine, dbconn, policy, zone, now, &allow_unsigned, zone_updated);
2737 
2738  if (allow_unsigned) {
2739  ods_log_info("[%s] No keys configured for %s, zone will become unsigned eventually",
2740  module_str, zone_db_name(zone));
2741  }
2742 
2743  /*
2744  * Get all key data/state/hsm objects for later processing.
2745  */
2746  if (!(deplist = zone_db_get_key_dependencies(zone))) {
2747  /* TODO: better log error */
2748  ods_log_error("[%s] %s: error zone_db_get_key_dependencies()", module_str, scmd);
2749  key_dependency_list_free(deplist);
2750  return now + 60;
2751  }
2752  if (!(key_list = zone_db_get_keys(zone))) {
2753  /* TODO: better log error */
2754  ods_log_error("[%s] %s: error zone_db_get_keys()", module_str, scmd);
2755  key_data_list_free(key_list);
2756  key_dependency_list_free(deplist);
2757  return now + 60;
2758  }
2759  /*WTF DOES THIS CODE DO?*/
2760  if (!(keylist_size = key_data_list_size(key_list))) {
2761  if ((key = key_data_list_begin(key_list))) {
2762  while (key) {
2763  keylist_size++;
2764  key = key_data_list_next(key_list);
2765  }
2766  }
2767  }
2768  if (keylist_size) {
2769  if (!(keylist = (key_data_t**)calloc(keylist_size, sizeof(key_data_t*)))) {
2770  /* TODO: better log error */
2771  ods_log_error("[%s] %s: error calloc(keylist_size)", module_str, scmd);
2772  key_data_list_free(key_list);
2773  key_dependency_list_free(deplist);
2774  return now + 60;
2775  }
2776  for (i = 0; i < keylist_size; i++) {
2777  if (!i) {
2778  keylist[i] = key_data_list_get_begin(key_list);
2779  }
2780  else {
2781  keylist[i] = key_data_list_get_next(key_list);
2782  }
2783  if (!keylist[i]
2784  || key_data_cache_hsm_key(keylist[i])
2785  || key_data_cache_key_states(keylist[i]))
2786  {
2787  ods_log_error("[%s] %s: error key_data_list cache", module_str, scmd);
2788  for (i = 0; i < keylist_size; i++) {
2789  if (keylist[i]) {
2790  key_data_free(keylist[i]);
2791  }
2792  }
2793  free(keylist);
2794  key_data_list_free(key_list);
2795  key_dependency_list_free(deplist);
2796  return now + 60;
2797  }
2798  }
2799  }
2800  key_data_list_free(key_list);
2801 
2802 
2803  /*
2804  * Only purge old keys if the policy says so.
2805  */
2806  if (policy_keys_purge_after(policy) && keylist) {
2807  purge_return_time = removeDeadKeys(dbconn, keylist, keylist_size, deplist, now,
2809  if(purge_return_time < -1) {
2810  ods_log_info("[%s] reschedule enforcing policy due to deleting keys", module_str, scmd);
2811  /* Keys have been deleted, we cannot continue in this same session, reschedule. */
2812  return now + 60;
2813  }
2814  }
2815 
2816 
2817  /*
2818  * Update zone.
2819  */
2820  zone_return_time = updateZone(dbconn, policy, zone, now, allow_unsigned, zone_updated,
2821  keylist, keylist_size, deplist);
2822 
2823 
2824  /*
2825  * Always set these flags. Normally this needs to be done _only_ when the
2826  * Signer config needs writing. However a previous Signer config might not
2827  * be available, we have no way of telling. :(
2828  */
2829  for (i = 0; i < keylist_size; i++) {
2830  key_data_updated = 0;
2831 
2832  /* hack */
2833  key_data_set_publish(keylist[i], 0);
2834  key_data_set_active_ksk(keylist[i], 0);
2835  key_data_set_active_zsk(keylist[i], 0);
2836  key_data_updated = 1;
2837  /*
2838  * TODO: description
2839  */
2841  || key_state_state(key_data_cached_dnskey(keylist[i])) == RUMOURED)
2842  {
2843  if (!key_data_publish(keylist[i])) {
2844  if (key_data_set_publish(keylist[i], 1)) {
2845  ods_log_error("[%s] %s: key_data_set_publish() failed",
2846  module_str, scmd);
2847  break;
2848  }
2849 
2850  key_data_updated = 1;
2851  }
2852  }
2853 
2854  /*
2855  * TODO: description
2856  */
2859  {
2860  if (!key_data_active_ksk(keylist[i])) {
2861  if (key_data_set_active_ksk(keylist[i], 1)) {
2862  ods_log_error("[%s] %s: key_data_set_active_ksk() failed",
2863  module_str, scmd);
2864  break;
2865  }
2866 
2867  key_data_updated = 1;
2868  }
2869  }
2870 
2871  /*
2872  * TODO: description
2873  */
2875  || key_state_state(key_data_cached_rrsig(keylist[i])) == RUMOURED)
2876  {
2877  if (!key_data_active_zsk(keylist[i])) {
2878  if (key_data_set_active_zsk(keylist[i], 1)) {
2879  ods_log_error("[%s] %s: key_data_set_active_zsk() failed",
2880  module_str, scmd);
2881  break;
2882  }
2883 
2884  key_data_updated = 1;
2885  }
2886  }
2887 
2888  if (key_data_updated) {
2889  if (key_data_update(keylist[i])) {
2890  ods_log_error("[%s] %s: key_data_update() failed",
2891  module_str, scmd);
2892  break;
2893  }
2894  }
2895  }
2896 
2897  /*
2898  * Release cached objects.
2899  */
2900  for (i = 0; i < keylist_size; i++) {
2901  if (keylist[i]) {
2902  key_data_free(keylist[i]);
2903  }
2904  }
2905  free(keylist);
2906  key_dependency_list_free(deplist);
2907 
2908  return_time = zone_return_time;
2909  minTime(policy_return_time, &return_time);
2910  /*
2911  * Take the rollover notification time into account when scheduling
2912  * this zone. We will need to print a message at that time.
2913  */
2914  if (zone_db_next_ksk_roll(zone) > 0
2915  && (zone_db_next_ksk_roll(zone) - engine->config->rollover_notification > now)) {
2916  minTime(zone_db_next_ksk_roll(zone) - engine->config->rollover_notification, &return_time);
2917  }
2918  else if (zone_db_next_csk_roll(zone) > 0
2919  && (zone_db_next_csk_roll(zone) - engine->config->rollover_notification > now)) {
2920  minTime(zone_db_next_csk_roll(zone) - engine->config->rollover_notification, &return_time);
2921  }
2922 
2923  minTime(purge_return_time, &return_time);
2924  return return_time;
2925 }
#define DB_OK
Definition: db_error.h:36
int db_value_cmp(const db_value_t *value_a, const db_value_t *value_b, int *result)
Definition: db_value.c:102
#define OMNIPRESENT
Definition: enforcer.c:68
time_t update(engine_type *engine, db_connection_t *dbconn, zone_db_t *zone, policy_t const *policy, time_t now, int *zone_updated)
Definition: enforcer.c:2678
#define NOKEY_TIMEOUT
Definition: enforcer.c:75
#define NA
Definition: enforcer.c:70
#define HIDDEN
Definition: enforcer.c:66
#define RUMOURED
Definition: enforcer.c:67
#define UNRETENTIVE
Definition: enforcer.c:69
void hsm_key_free(hsm_key_t *hsm_key)
Definition: hsm_key.c:286
const char * hsm_key_repository(const hsm_key_t *hsm_key)
Definition: hsm_key.c:568
hsm_key_t * hsm_key_list_get_begin(hsm_key_list_t *hsm_key_list)
Definition: hsm_key.c:1888
hsm_key_t * hsm_key_list_get_next(hsm_key_list_t *hsm_key_list)
Definition: hsm_key.c:1990
void hsm_key_list_free(hsm_key_list_t *hsm_key_list)
Definition: hsm_key.c:1496
unsigned int hsm_key_algorithm(const hsm_key_t *hsm_key)
Definition: hsm_key.c:544
unsigned int hsm_key_bits(const hsm_key_t *hsm_key)
Definition: hsm_key.c:536
const char * hsm_key_locator(const hsm_key_t *hsm_key)
Definition: hsm_key.c:520
const db_value_t * hsm_key_id(const hsm_key_t *hsm_key)
Definition: hsm_key.c:504
unsigned int hsm_key_inception(const hsm_key_t *hsm_key)
Definition: hsm_key.c:560
@ HSM_KEY_STATE_UNUSED
Definition: hsm_key.h:42
@ HSM_KEY_STATE_PRIVATE
Definition: hsm_key.h:43
@ HSM_KEY_STATE_SHARED
Definition: hsm_key.h:44
@ HSM_KEY_STATE_DELETE
Definition: hsm_key.h:45
hsm_key_backup
Definition: hsm_key.h:64
@ HSM_KEY_BACKUP_BACKUP_REQUESTED
Definition: hsm_key.h:68
@ HSM_KEY_BACKUP_BACKUP_REQUIRED
Definition: hsm_key.h:67
hsm_key_role
Definition: hsm_key.h:49
#define HSM_KEY_ROLE_SEP(role)
Definition: hsm_key.h:57
hsm_key_list_t * hsm_key_list_new_get_by_policy_key(const policy_key_t *pkey)
Definition: hsm_key_ext.c:43
hsm_key_t * hsm_key_factory_get_key(engine_type *engine, const db_connection_t *connection, const policy_key_t *policy_key, hsm_key_state_t hsm_key_state)
int hsm_key_factory_delete_key(const db_connection_t *connection)
int hsm_key_factory_release_key_id(const db_value_t *hsm_key_id, const db_connection_t *connection)
int hsm_key_factory_release_key(hsm_key_t *hsm_key, const db_connection_t *connection)
int key_data_set_minimize(key_data_t *key_data, unsigned int minimize)
Definition: key_data.c:966
int key_data_cmp(const key_data_t *key_data_a, const key_data_t *key_data_b)
Definition: key_data.c:402
const db_value_t * key_data_hsm_key_id(const key_data_t *key_data)
Definition: key_data.c:607
unsigned int key_data_active_ksk(const key_data_t *key_data)
Definition: key_data.c:751
const key_data_t * key_data_list_next(key_data_list_t *key_data_list)
Definition: key_data.c:2359
size_t key_data_list_size(key_data_list_t *key_data_list)
Definition: key_data.c:2461
int key_data_get_by_id(key_data_t *key_data, const db_value_t *id)
Definition: key_data.c:1296
int key_data_update(key_data_t *key_data)
Definition: key_data.c:1349
const db_value_t * key_data_id(const key_data_t *key_data)
Definition: key_data.c:553
int key_data_delete(key_data_t *key_data)
Definition: key_data.c:1587
void key_data_free(key_data_t *key_data)
Definition: key_data.c:304
key_data_t * key_data_list_get_next(key_data_list_t *key_data_list)
Definition: key_data.c:2425
int key_data_set_role(key_data_t *key_data, key_data_role_t role)
Definition: key_data.c:890
const char * key_data_role_text(const key_data_t *key_data)
Definition: key_data.c:711
int key_data_set_introducing(key_data_t *key_data, unsigned int introducing)
Definition: key_data.c:903
const key_data_t * key_data_list_begin(key_data_list_t *key_data_list)
Definition: key_data.c:2267
int key_data_set_active_zsk(key_data_t *key_data, unsigned int active_zsk)
Definition: key_data.c:913
int key_data_set_publish(key_data_t *key_data, unsigned int publish)
Definition: key_data.c:923
int key_data_set_zone_id(key_data_t *key_data, const db_value_t *zone_id)
Definition: key_data.c:832
unsigned int key_data_publish(const key_data_t *key_data)
Definition: key_data.c:743
int key_data_set_algorithm(key_data_t *key_data, unsigned int algorithm)
Definition: key_data.c:870
void key_data_list_free(key_data_list_t *key_data_list)
Definition: key_data.c:1694
int key_data_set_inception(key_data_t *key_data, unsigned int inception)
Definition: key_data.c:880
unsigned int key_data_introducing(const key_data_t *key_data)
Definition: key_data.c:727
int key_data_set_hsm_key_id(key_data_t *key_data, const db_value_t *hsm_key_id)
Definition: key_data.c:851
unsigned int key_data_inception(const key_data_t *key_data)
Definition: key_data.c:695
unsigned int key_data_active_zsk(const key_data_t *key_data)
Definition: key_data.c:735
key_data_t * key_data_list_get_begin(key_data_list_t *key_data_list)
Definition: key_data.c:2323
key_data_t * key_data_new_copy(const key_data_t *key_data)
Definition: key_data.c:285
int key_data_cache_hsm_key(key_data_t *key_data)
Definition: key_data.c:615
int key_data_set_keytag(key_data_t *key_data, unsigned int keytag)
Definition: key_data.c:956
int key_data_create(key_data_t *key_data)
Definition: key_data.c:1093
int key_data_set_ds_at_parent(key_data_t *key_data, key_data_ds_at_parent_t ds_at_parent)
Definition: key_data.c:943
key_data_t * key_data_new(const db_connection_t *connection)
Definition: key_data.c:264
unsigned int key_data_algorithm(const key_data_t *key_data)
Definition: key_data.c:687
hsm_key_t * key_data_get_hsm_key(const key_data_t *key_data)
Definition: key_data.c:649
unsigned int key_data_minimize(const key_data_t *key_data)
Definition: key_data.c:775
int key_data_set_active_ksk(key_data_t *key_data, unsigned int active_ksk)
Definition: key_data.c:933
key_data_role
Definition: key_data.h:40
@ KEY_DATA_ROLE_ZSK
Definition: key_data.h:43
@ KEY_DATA_ROLE_INVALID
Definition: key_data.h:41
@ KEY_DATA_ROLE_KSK
Definition: key_data.h:42
@ KEY_DATA_ROLE_CSK
Definition: key_data.h:44
enum key_data_role key_data_role_t
key_data_ds_at_parent
Definition: key_data.h:50
@ KEY_DATA_DS_AT_PARENT_SUBMITTED
Definition: key_data.h:54
@ KEY_DATA_DS_AT_PARENT_RETRACT
Definition: key_data.h:56
@ KEY_DATA_DS_AT_PARENT_UNSUBMITTED
Definition: key_data.h:52
@ KEY_DATA_DS_AT_PARENT_SEEN
Definition: key_data.h:55
@ KEY_DATA_DS_AT_PARENT_SUBMIT
Definition: key_data.h:53
@ KEY_DATA_DS_AT_PARENT_RETRACTED
Definition: key_data.h:57
key_state_t * key_data_get_cached_dnskey(key_data_t *key_data)
Definition: key_data_ext.c:92
int key_data_cache_key_states(key_data_t *key_data)
Definition: key_data_ext.c:33
key_state_t * key_data_get_cached_rrsigdnskey(key_data_t *key_data)
Definition: key_data_ext.c:100
const key_state_t * key_data_cached_rrsigdnskey(key_data_t *key_data)
Definition: key_data_ext.c:72
const key_state_t * key_data_cached_dnskey(key_data_t *key_data)
Definition: key_data_ext.c:68
const hsm_key_t * key_data_cached_hsm_key(const key_data_t *key_data)
Definition: key_data_ext.c:108
key_state_t * key_data_get_cached_rrsig(key_data_t *key_data)
Definition: key_data_ext.c:84
const key_state_t * key_data_cached_rrsig(key_data_t *key_data)
Definition: key_data_ext.c:64
key_state_t * key_data_get_cached_ds(key_data_t *key_data)
Definition: key_data_ext.c:76
const key_state_t * key_data_cached_ds(key_data_t *key_data)
Definition: key_data_ext.c:60
void key_dependency_free(key_dependency_t *key_dependency)
key_dependency_t * key_dependency_list_get_next(key_dependency_list_t *key_dependency_list)
int key_dependency_set_zone_id(key_dependency_t *key_dependency, const db_value_t *zone_id)
const key_dependency_t * key_dependency_list_next(key_dependency_list_t *key_dependency_list)
const db_value_t * key_dependency_from_key_data_id(const key_dependency_t *key_dependency)
key_dependency_list_t * key_dependency_list_new_copy(const key_dependency_list_t *from_key_dependency_list)
key_data_t * key_dependency_get_from_key_data(const key_dependency_t *key_dependency)
int key_dependency_set_type(key_dependency_t *key_dependency, key_dependency_type_t type)
const key_dependency_t * key_dependency_list_begin(key_dependency_list_t *key_dependency_list)
key_dependency_t * key_dependency_list_get_begin(key_dependency_list_t *key_dependency_list)
void key_dependency_list_free(key_dependency_list_t *key_dependency_list)
size_t key_dependency_list_size(key_dependency_list_t *key_dependency_list)
int key_dependency_set_from_key_data_id(key_dependency_t *key_dependency, const db_value_t *from_key_data_id)
const db_value_t * key_dependency_to_key_data_id(const key_dependency_t *key_dependency)
int key_dependency_delete(key_dependency_t *key_dependency)
int key_dependency_create(key_dependency_t *key_dependency)
int key_dependency_set_to_key_data_id(key_dependency_t *key_dependency, const db_value_t *to_key_data_id)
key_dependency_t * key_dependency_new(const db_connection_t *connection)
enum key_dependency_type key_dependency_type_t
key_dependency_type
@ KEY_DEPENDENCY_TYPE_DNSKEY
@ KEY_DEPENDENCY_TYPE_RRSIGDNSKEY
@ KEY_DEPENDENCY_TYPE_DS
@ KEY_DEPENDENCY_TYPE_RRSIG
unsigned int key_state_minimize(const key_state_t *key_state)
Definition: key_state.c:401
int key_state_set_minimize(key_state_t *key_state, unsigned int minimize)
Definition: key_state.c:472
int key_state_delete(const key_state_t *key_state)
Definition: key_state.c:831
const char * key_state_state_text(const key_state_t *key_state)
Definition: key_state.c:377
int key_state_set_ttl(key_state_t *key_state, unsigned int ttl)
Definition: key_state.c:482
void key_state_free(key_state_t *key_state)
Definition: key_state.c:214
int key_state_set_last_change(key_state_t *key_state, unsigned int last_change)
Definition: key_state.c:462
key_state_t * key_state_new(const db_connection_t *connection)
Definition: key_state.c:176
int key_state_set_type(key_state_t *key_state, key_state_type_t type)
Definition: key_state.c:436
const char * key_state_type_text(const key_state_t *key_state)
Definition: key_state.c:353
int key_state_create(key_state_t *key_state)
Definition: key_state.c:519
const db_enum_t key_state_enum_set_type[]
Definition: key_state.c:36
const db_enum_t key_state_enum_set_state[]
Definition: key_state.c:44
int key_state_set_key_data_id(key_state_t *key_state, const db_value_t *key_data_id)
Definition: key_state.c:417
unsigned int key_state_last_change(const key_state_t *key_state)
Definition: key_state.c:393
int key_state_set_state(key_state_t *key_state, key_state_state_t state)
Definition: key_state.c:449
int key_state_update(key_state_t *key_state)
Definition: key_state.c:684
enum key_state_state key_state_state_t
enum key_state_type key_state_type_t
@ KEY_STATE_TYPE_DNSKEY
Definition: key_state.h:44
@ KEY_STATE_TYPE_RRSIG
Definition: key_state.h:43
@ KEY_STATE_TYPE_DS
Definition: key_state.h:42
@ KEY_STATE_TYPE_RRSIGDNSKEY
Definition: key_state.h:45
key_state_state
Definition: key_state.h:49
@ KEY_STATE_STATE_INVALID
Definition: key_state.h:50
const char * policy_name(const policy_t *policy)
Definition: policy.c:813
unsigned int policy_zone_propagation_delay(const policy_t *policy)
Definition: policy.c:1005
unsigned int policy_signatures_validity_denial(const policy_t *policy)
Definition: policy.c:869
unsigned int policy_keys_purge_after(const policy_t *policy)
Definition: policy.c:997
unsigned int policy_parent_ds_ttl(const policy_t *policy)
Definition: policy.c:1061
unsigned int policy_signatures_resign(const policy_t *policy)
Definition: policy.c:829
unsigned int policy_keys_ttl(const policy_t *policy)
Definition: policy.c:965
unsigned int policy_parent_propagation_delay(const policy_t *policy)
Definition: policy.c:1053
unsigned int policy_zone_soa_ttl(const policy_t *policy)
Definition: policy.c:1013
unsigned int policy_zone_soa_minimum(const policy_t *policy)
Definition: policy.c:1021
unsigned int policy_signatures_refresh(const policy_t *policy)
Definition: policy.c:837
unsigned int policy_denial_ttl(const policy_t *policy)
Definition: policy.c:909
unsigned int policy_signatures_max_zone_ttl(const policy_t *policy)
Definition: policy.c:885
unsigned int policy_keys_shared(const policy_t *policy)
Definition: policy.c:989
unsigned int policy_signatures_jitter(const policy_t *policy)
Definition: policy.c:845
unsigned int policy_parent_registration_delay(const policy_t *policy)
Definition: policy.c:1045
unsigned int policy_signatures_validity_default(const policy_t *policy)
Definition: policy.c:861
unsigned int policy_keys_publish_safety(const policy_t *policy)
Definition: policy.c:981
unsigned int policy_keys_retire_safety(const policy_t *policy)
Definition: policy.c:973
policy_denial_type
Definition: policy.h:40
@ POLICY_DENIAL_TYPE_NSEC3
Definition: policy.h:43
policy_key_list_t * policy_get_policy_keys(const policy_t *policy)
Definition: policy_ext.c:1241
size_t policy_key_list_size(policy_key_list_t *policy_key_list)
Definition: policy_key.c:1480
const policy_key_t * policy_key_list_begin(policy_key_list_t *policy_key_list)
Definition: policy_key.c:1322
unsigned int policy_key_minimize(const policy_key_t *policy_key)
Definition: policy_key.c:566
unsigned int policy_key_lifetime(const policy_key_t *policy_key)
Definition: policy_key.c:526
unsigned int policy_key_manual_rollover(const policy_key_t *policy_key)
Definition: policy_key.c:550
const policy_key_t * policy_key_list_next(policy_key_list_t *policy_key_list)
Definition: policy_key.c:1378
const char * policy_key_repository(const policy_key_t *policy_key)
Definition: policy_key.c:534
void policy_key_list_free(policy_key_list_t *policy_key_list)
Definition: policy_key.c:1006
const char * policy_key_role_text(const policy_key_t *policy_key)
Definition: policy_key.c:494
unsigned int policy_key_algorithm(const policy_key_t *policy_key)
Definition: policy_key.c:510
unsigned int policy_key_bits(const policy_key_t *policy_key)
Definition: policy_key.c:518
policy_key_role
Definition: policy_key.h:40
@ POLICY_KEY_ROLE_KSK
Definition: policy_key.h:42
@ POLICY_KEY_ROLE_CSK
Definition: policy_key.h:44
@ POLICY_KEY_ROLE_ZSK
Definition: policy_key.h:43
int value
Definition: db_enum.h:40
const char * text
Definition: db_enum.h:39
engineconfig_type * config
Definition: engine.h:48
time_t rollover_notification
Definition: cfg.h:78
key_state_state_t next_state
Definition: enforcer.c:80
int pretend_update
Definition: enforcer.c:81
key_data_t * key
Definition: enforcer.c:78
key_state_type_t type
Definition: enforcer.c:79
hsm_key_state_t state
Definition: hsm_key.h:87
key_dependency_type_t type
Definition: policy.h:60
unsigned int next_zsk_roll
Definition: zone_db.h:68
unsigned int next_csk_roll
Definition: zone_db.h:69
unsigned int next_ksk_roll
Definition: zone_db.h:67
unsigned int zone_db_roll_zsk_now(const zone_db_t *zone)
Definition: zone_db.c:846
int zone_db_set_ttl_end_dk(zone_db_t *zone, unsigned int ttl_end_dk)
Definition: zone_db.c:1011
unsigned int zone_db_ttl_end_rs(const zone_db_t *zone)
Definition: zone_db.c:830
int zone_db_set_signconf_needs_writing(zone_db_t *zone, unsigned int signconf_needs_writing)
Definition: zone_db.c:959
const char * zone_db_name(const zone_db_t *zone)
Definition: zone_db.c:782
unsigned int zone_db_ttl_end_ds(const zone_db_t *zone)
Definition: zone_db.c:814
int zone_db_set_roll_zsk_now(zone_db_t *zone, unsigned int roll_zsk_now)
Definition: zone_db.c:1041
int zone_db_set_roll_csk_now(zone_db_t *zone, unsigned int roll_csk_now)
Definition: zone_db.c:1051
unsigned int zone_db_roll_ksk_now(const zone_db_t *zone)
Definition: zone_db.c:838
unsigned int zone_db_next_ksk_roll(const zone_db_t *zone)
Definition: zone_db.c:894
unsigned int zone_db_next_csk_roll(const zone_db_t *zone)
Definition: zone_db.c:910
int zone_db_set_ttl_end_ds(zone_db_t *zone, unsigned int ttl_end_ds)
Definition: zone_db.c:1001
int zone_db_set_roll_ksk_now(zone_db_t *zone, unsigned int roll_ksk_now)
Definition: zone_db.c:1031
unsigned int zone_db_ttl_end_dk(const zone_db_t *zone)
Definition: zone_db.c:822
unsigned int zone_db_signconf_needs_writing(const zone_db_t *zone)
Definition: zone_db.c:790
unsigned int zone_db_roll_csk_now(const zone_db_t *zone)
Definition: zone_db.c:854
int zone_db_set_ttl_end_rs(zone_db_t *zone, unsigned int ttl_end_rs)
Definition: zone_db.c:1021
const db_value_t * zone_db_id(const zone_db_t *zone)
Definition: zone_db.c:728
key_data_list_t * zone_db_get_keys(const zone_db_t *zone)
Definition: zone_db_ext.c:56
key_dependency_list_t * zone_db_get_key_dependencies(const zone_db_t *zone)
Definition: zone_db_ext.c:76