author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-09-12 04:45:07 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-09-12 04:45:07 +0000 |
commit | 0335817ced71e8355806ea0445aa3b105a22364c (patch) | |
tree | dffe735f2668a4728d8567feaf7ccb2d73076bac /src/utils/keymgr | |
parent | Adding upstream version 3.3.9. (diff) | |
download | knot-0335817ced71e8355806ea0445aa3b105a22364c.tar.xz knot-0335817ced71e8355806ea0445aa3b105a22364c.zip |
Adding upstream version 3.4.0. (refs: upstream/3.4.0, upstream)
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'src/utils/keymgr')
-rw-r--r-- | src/utils/keymgr/bind_privkey.c | 8 | ||||
-rw-r--r-- | src/utils/keymgr/main.c | 10 | ||||
-rw-r--r-- | src/utils/keymgr/offline_ksk.c | 31 |
3 files changed, 16 insertions, 33 deletions
diff --git a/src/utils/keymgr/bind_privkey.c b/src/utils/keymgr/bind_privkey.c
index 9ab895c..bbb61a5 100644
--- a/src/utils/keymgr/bind_privkey.c
+++ b/src/utils/keymgr/bind_privkey.c
@@ -281,9 +281,7 @@ static int rsa_params_to_pem(const bind_privkey_t *params, dnssec_binary_t *pem)
 static gnutls_ecc_curve_t choose_ecdsa_curve(size_t pubkey_size)
 {
 switch (pubkey_size) {
-#ifdef HAVE_ED25519
 case 32: return GNUTLS_ECC_CURVE_ED25519;
-#endif
 #ifdef HAVE_ED448
 case 57: return GNUTLS_ECC_CURVE_ED448;
 #endif
@@ -334,7 +332,6 @@ static int ecdsa_params_to_pem(dnssec_key_t *dnskey, const bind_privkey_t *param
 return dnssec_pem_from_x509(key, pem);
 }
 
-#if defined(HAVE_ED25519) || defined(HAVE_ED448)
 static void eddsa_extract_public_params(dnssec_key_t *key,
 gnutls_ecc_curve_t *curve, gnutls_datum_t *x)
 {
@@ -371,7 +368,6 @@ static int eddsa_params_to_pem(dnssec_key_t *dnskey, const bind_privkey_t *param
 return dnssec_pem_from_x509(key, pem);
 }
 
-#endif
 
 int bind_privkey_to_pem(dnssec_key_t *key, bind_privkey_t *params, dnssec_binary_t *pem)
 {
@@ -385,15 +381,11 @@ int bind_privkey_to_pem(dnssec_key_t *key, bind_privkey_t *params, dnssec_binary
 case DNSSEC_KEY_ALGORITHM_ECDSA_P256_SHA256:
 case DNSSEC_KEY_ALGORITHM_ECDSA_P384_SHA384:
 return ecdsa_params_to_pem(key, params, pem);
-#ifdef HAVE_ED25519
 case DNSSEC_KEY_ALGORITHM_ED25519:
-#endif
 #ifdef HAVE_ED448
 case DNSSEC_KEY_ALGORITHM_ED448:
 #endif
-#if defined(HAVE_ED25519) || defined(HAVE_ED448)
 return eddsa_params_to_pem(key, params, pem);
-#endif
 default:
 return DNSSEC_INVALID_KEY_ALGORITHM;
 }
diff --git a/src/utils/keymgr/main.c b/src/utils/keymgr/main.c
index b46aaa0..999b5c5 100644
--- a/src/utils/keymgr/main.c
+++ b/src/utils/keymgr/main.c
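Review bot: In the `@@ -281` hunk `choose_ecdsa_curve` now returns `GNUTLS_ECC_CURVE_ED25519` for a 32-byte key unconditionally while the 57-byte Ed448 case stays behind `HAVE_ED448`, so Ed25519 support in GnuTLS has become a hard build requirement of keymgr; the configure check that enforces the matching minimum GnuTLS version is outside this diff, so confirm it was raised in the same release rather than relying on the missing enumerator to fail the build. The asymmetry between the two curves is not explained anywhere in the hunk, and the function keeps the name `choose_ecdsa_curve` although both remaining cases are EdDSA curves; a one-line comment on the switch would save the next reader a search, e.g. `// raw EdDSA public-key length -> GnuTLS curve; Ed25519 is mandatory, Ed448 build-optional`. The switch's default branch, and therefore what happens for any other size, lies outside the hunk.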
@@ -333,11 +333,10 @@ int main(int argc, char *argv[])
 { "tsig", required_argument, NULL, 't' },
 { "extended", no_argument, NULL, 'e' },
 { "list", no_argument, NULL, 'l' },
- { "brief", no_argument, NULL, 'b' }, // Legacy.
 { "mono", no_argument, NULL, 'x' },
 { "color", no_argument, NULL, 'X' },
 { "help", no_argument, NULL, 'h' },
- { "version", no_argument, NULL, 'V' },
+ { "version", optional_argument, NULL, 'V' },
 { "json", no_argument, NULL, 'j' },
 { NULL }
 };
@@ -358,7 +357,7 @@ int main(int argc, char *argv[])
 list_params.color = isatty(STDOUT_FILENO);
 
 int opt = 0, parm = 0;
- while ((opt = getopt_long(argc, argv, "c:C:D:t:ejlbxXhV", opts, NULL)) != -1) {
+ while ((opt = getopt_long(argc, argv, "c:C:D:t:ejlxXhV::", opts, NULL)) != -1) {
 switch (opt) {
 case 'c':
 if (util_conf_init_file(optarg) != KNOT_EOK) {
@@ -394,9 +393,6 @@ int main(int argc, char *argv[])
 case 'l':
 just_list = true;
 break;
- case 'b':
- WARN2("option '--brief' is deprecated and enabled by default");
- break;
 case 'x':
 list_params.color = false;
 break;
@@ -407,7 +403,7 @@ int main(int argc, char *argv[])
 print_help();
 goto success;
 case 'V':
- print_version(PROGRAM_NAME);
+ print_version(PROGRAM_NAME, optarg != NULL);
 goto success;
 default:
 print_help();
diff --git a/src/utils/keymgr/offline_ksk.c b/src/utils/keymgr/offline_ksk.c
index b4260b9..05b2d2b 100644
--- a/src/utils/keymgr/offline_ksk.c
+++ b/src/utils/keymgr/offline_ksk.c
@@ -37,6 +37,8 @@ static int pregenerate_once(kdnssec_ctx_t *ctx, knot_time_t *next)
 {
 zone_sign_reschedule_t resch = { 0 };
 
+ memset(ctx->stats, 0, sizeof(*ctx->stats));
+
 // generate ZSKs
 int ret = knot_dnssec_key_rollover(ctx, KEY_ROLL_ALLOW_ZSK_ROLL | KEY_ROLL_PRESERVE_FUTURE, &resch);
 if (ret != KNOT_EOK) {
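Review bot: `print_version(PROGRAM_NAME, optarg != NULL)` in the `@@ -407` hunk treats any value given to `--version` as the switch for the extended output, and because the option is now `optional_argument` (`V::` in the getopt string) the value only reaches `optarg` when it is attached (`-Vx`, `--version=x`); a detached `-V extended` leaves `optarg` NULL and `extended` becomes a stray positional argument. Nothing in the hunk records this, and the help text that should spell out the accepted form is outside the diff, so add a comment at the case, e.g. `case 'V': // any attached value (-Vx, --version=x) selects the extended output; the value itself is ignored`. Note also that dropping `case 'b'` in the `@@ -394` hunk sends an old `--brief` to `default: print_help()` without the former deprecation warning, which presumably is intended for the 3.4.0 major bump but is worth a line in the release notes. `main` itself starts and ends outside these hunks.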
@@ -245,6 +247,9 @@ static int ksr_once(kdnssec_ctx_t *ctx, char **buf, size_t *buf_size, knot_time_
 {
 knot_rrset_t *dnskey = NULL;
 zone_keyset_t keyset = { 0 };
+
+ memset(ctx->stats, 0, sizeof(*ctx->stats));
+
 int ret = load_dnskey_rrset(ctx, &dnskey, &keyset);
 if (ret != KNOT_EOK) {
 goto done;
@@ -322,10 +327,10 @@ static int ksr_sign_dnskey(kdnssec_ctx_t *ctx, knot_rrset_t *zsk, knot_time_t no
 zone_keyset_t keyset = { 0 };
 char *buf = NULL;
 size_t buf_size = 4096;
- knot_time_t rrsigs_expire = 0;
 
 ctx->now = now;
 ctx->policy->dnskey_ttl = zsk->ttl;
+ memset(ctx->stats, 0, sizeof(*ctx->stats));
 knot_timediff_t rrsig_refresh = ctx->policy->rrsig_refresh_before;
 if (rrsig_refresh == UINT32_MAX) {
 // not setting rrsig-refresh prohibited by documentation, but we need to do something
@@ -352,7 +357,7 @@ static int ksr_sign_dnskey(kdnssec_ctx_t *ctx, knot_rrset_t *zsk, knot_time_t no
 
 // no check if the KSK used for signing (in keyset) is contained in DNSKEY record being signed (in KSR) !
 for (int i = 0; i < keyset.count; i++) {
- ret = key_records_sign(&keyset.keys[i], &r, ctx, &rrsigs_expire);
+ ret = key_records_sign(&keyset.keys[i], &r, ctx);
 if (ret != KNOT_EOK) {
 goto done;
 }
@@ -362,7 +367,7 @@ static int ksr_sign_dnskey(kdnssec_ctx_t *ctx, knot_rrset_t *zsk, knot_time_t no
 print_header("SignedKeyResponse "KSR_SKR_VER, ctx->now, buf);
 *next_sign = knot_time_min(
 knot_get_next_zone_key_event(&keyset),
- knot_time_add(rrsigs_expire, -rrsig_refresh)
+ knot_time_add(ctx->stats->expire, -rrsig_refresh)
 );
 }
 
@@ -446,6 +451,7 @@ static void skr_import_header(zs_scanner_t *sc)
 // trailing header without timestamp
 next_timestamp = 0;
 }
+ knot_time_t validity_ts = next_timestamp != 0 ? next_timestamp : ctx->timestamp;
 
 // delete possibly existing conflicting offline records
 ctx->ret = kasp_db_delete_offline_records(
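Review bot: In the `@@ -362` hunk `*next_sign` now depends on `ctx->stats->expire`, which the `memset` added in the `@@ -322` hunk zeroes and only the `key_records_sign` loop of the `@@ -352` hunk can repopulate; with an empty `keyset` the loop never runs and `knot_time_add(0, -rrsig_refresh)` is evaluated with `expire == 0`, which is what the old `rrsigs_expire = 0` path did too, so behaviour is unchanged but the coupling is now implicit and undocumented. Suggest a comment on the changed line: `// ctx->stats->expire: earliest RRSIG expiration recorded by key_records_sign above (0 when nothing was signed)`; whether `knot_time_add`/`knot_time_min` treat 0 as "never" is not visible here and should be confirmed against their definitions. The same `memset(ctx->stats, 0, sizeof(*ctx->stats))` now appears in `pregenerate_once`, `ksr_once` and `ksr_sign_dnskey` with no note on why per-run stats must be cleared, and all three dereference `ctx->stats` unconditionally, so a small `static void reset_stats(kdnssec_ctx_t *ctx)` carrying that explanation (and the non-NULL assumption) would be cleaner. `ksr_sign_dnskey` starts before and ends after these hunks.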
@@ -454,16 +460,11 @@ static void skr_import_header(zs_scanner_t *sc)
 
 // store previous SKR
 if (ctx->timestamp > 0 && ctx->ret == KNOT_EOK) {
- ctx->ret = key_records_verify(&ctx->r, ctx->kctx, ctx->timestamp);
+ ctx->ret = key_records_verify(&ctx->r, ctx->kctx, ctx->timestamp, validity_ts);
 if (ctx->ret != KNOT_EOK) {
 return;
 }
- if (next_timestamp > 0) {
- ctx->ret = key_records_verify(&ctx->r, ctx->kctx, next_timestamp - 1);
- if (ctx->ret != KNOT_EOK) {
- return;
- }
- }
+
 ctx->ret = kasp_db_store_offline_records(ctx->kctx->kasp_db, ctx->timestamp, &ctx->r);
 key_records_clear_rdatasets(&ctx->r);
@@ -490,20 +491,14 @@ static void skr_validate_header(zs_scanner_t *sc)
 // trailing header without timestamp
 next_timestamp = 0;
 }
+ knot_time_t validity_ts = next_timestamp != 0 ? next_timestamp : ctx->timestamp;
 
 if (ctx->timestamp > 0 && ctx->ret == KNOT_EOK) {
- int ret = key_records_verify(&ctx->r, ctx->kctx, ctx->timestamp);
+ int ret = key_records_verify(&ctx->r, ctx->kctx, ctx->timestamp, validity_ts);
 if (ret != KNOT_EOK) { // ctx->ret untouched
 ERR2("invalid SignedKeyResponse for %"KNOT_TIME_PRINTF" (%s)",
 ctx->timestamp, knot_strerror(ret));
 }
- if (next_timestamp > 0) {
- ret = key_records_verify(&ctx->r, ctx->kctx, next_timestamp - 1);
- if (ret != KNOT_EOK) { // ctx->ret untouched
- ERR2("invalid SignedKeyResponse for %"KNOT_TIME_PRINTF" (%s)",
- next_timestamp - 1, knot_strerror(ret));
- }
- }
 key_records_clear_rdatasets(&ctx->r);
 }
|
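Review bot: The new `key_records_verify(&ctx->r, ctx->kctx, ctx->timestamp, validity_ts)` call in the `@@ -454` hunk replaces two point-in-time checks with a single call whose end bound is `next_timestamp`, whereas the removed code checked `next_timestamp - 1`; whether that tightens the requirement by one second depends on whether `key_records_verify` treats its last argument as an inclusive or exclusive end, and its definition is outside this diff, so state the intended meaning where `validity_ts` is declared, e.g. `// end of the interval this SKR must cover: inception of the next SKR, or its own inception if it is the last one`. For the trailing SKR `validity_ts` collapses to `ctx->timestamp`, so the last set is only verified to be valid at its own inception, as before, but now the single call hides that and a reader tuning the offline-KSK expiration will not notice without a comment. In `skr_validate_header` (`@@ -490` hunk) the second `ERR2` that named the failing instant is gone; if `key_records_verify` can report which bound failed, surface it in the remaining message. Both enclosing functions start before these hunks.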