authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-09-12 04:45:07 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-09-12 04:45:07 +0000
commit0335817ced71e8355806ea0445aa3b105a22364c (patch)
treedffe735f2668a4728d8567feaf7ccb2d73076bac /src/utils/keymgr
parentAdding upstream version 3.3.9. (diff)
Adding upstream version 3.4.0.upstream/3.4.0upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'src/utils/keymgr')
-rw-r--r--src/utils/keymgr/bind_privkey.c8
-rw-r--r--src/utils/keymgr/main.c10
-rw-r--r--src/utils/keymgr/offline_ksk.c31
3 files changed, 16 insertions, 33 deletions
diff --git a/src/utils/keymgr/bind_privkey.c b/src/utils/keymgr/bind_privkey.c
index 9ab895c..bbb61a5 100644
--- a/src/utils/keymgr/bind_privkey.c
+++ b/src/utils/keymgr/bind_privkey.c
@@ -281,9 +281,7 @@ static int rsa_params_to_pem(const bind_privkey_t *params, dnssec_binary_t *pem)
static gnutls_ecc_curve_t choose_ecdsa_curve(size_t pubkey_size)
{
switch (pubkey_size) {
-#ifdef HAVE_ED25519
case 32: return GNUTLS_ECC_CURVE_ED25519;
-#endif
#ifdef HAVE_ED448
case 57: return GNUTLS_ECC_CURVE_ED448;
#endif
@@ -334,7 +332,6 @@ static int ecdsa_params_to_pem(dnssec_key_t *dnskey, const bind_privkey_t *param
return dnssec_pem_from_x509(key, pem);
}
-#if defined(HAVE_ED25519) || defined(HAVE_ED448)
static void eddsa_extract_public_params(dnssec_key_t *key, gnutls_ecc_curve_t *curve,
gnutls_datum_t *x)
{
@@ -371,7 +368,6 @@ static int eddsa_params_to_pem(dnssec_key_t *dnskey, const bind_privkey_t *param
return dnssec_pem_from_x509(key, pem);
}
-#endif
int bind_privkey_to_pem(dnssec_key_t *key, bind_privkey_t *params, dnssec_binary_t *pem)
{
@@ -385,15 +381,11 @@ int bind_privkey_to_pem(dnssec_key_t *key, bind_privkey_t *params, dnssec_binary
case DNSSEC_KEY_ALGORITHM_ECDSA_P256_SHA256:
case DNSSEC_KEY_ALGORITHM_ECDSA_P384_SHA384:
return ecdsa_params_to_pem(key, params, pem);
-#ifdef HAVE_ED25519
case DNSSEC_KEY_ALGORITHM_ED25519:
-#endif
#ifdef HAVE_ED448
case DNSSEC_KEY_ALGORITHM_ED448:
#endif
-#if defined(HAVE_ED25519) || defined(HAVE_ED448)
return eddsa_params_to_pem(key, params, pem);
-#endif
default:
return DNSSEC_INVALID_KEY_ALGORITHM;
}
diff --git a/src/utils/keymgr/main.c b/src/utils/keymgr/main.c
index b46aaa0..999b5c5 100644
--- a/src/utils/keymgr/main.c
+++ b/src/utils/keymgr/main.c
@@ -333,11 +333,10 @@ int main(int argc, char *argv[])
{ "tsig", required_argument, NULL, 't' },
{ "extended", no_argument, NULL, 'e' },
{ "list", no_argument, NULL, 'l' },
- { "brief", no_argument, NULL, 'b' }, // Legacy.
{ "mono", no_argument, NULL, 'x' },
{ "color", no_argument, NULL, 'X' },
{ "help", no_argument, NULL, 'h' },
- { "version", no_argument, NULL, 'V' },
+ { "version", optional_argument, NULL, 'V' },
{ "json", no_argument, NULL, 'j' },
{ NULL }
};
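Review bot: With `optional_argument` on the `"version"` entry the value only counts when it is attached (`--version=x`, or `-Vx` via the `V::` spec added in the next hunk); `--version x` leaves optarg NULL and `x` becomes a stray positional argument, so the `print_version(PROGRAM_NAME, optarg != NULL)` call in the fourth hunk presumably prints the plain form in that case. Since the attached value itself is discarded, the option table should say so: `{ "version", optional_argument, NULL, 'V' }, // any attached value (--version=x) selects the extended output`. The same hunk drops `"brief"` and the third hunk its `case 'b'`, so a legacy `--brief` now lands in the default branch, which prints help with no hint that the option was removed; a one-line rejection naming the removed option would make that failure self-explanatory. main's body starts and ends outside the hunk.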
@@ -358,7 +357,7 @@ int main(int argc, char *argv[])
list_params.color = isatty(STDOUT_FILENO);
int opt = 0, parm = 0;
- while ((opt = getopt_long(argc, argv, "c:C:D:t:ejlbxXhV", opts, NULL)) != -1) {
+ while ((opt = getopt_long(argc, argv, "c:C:D:t:ejlxXhV::", opts, NULL)) != -1) {
switch (opt) {
case 'c':
if (util_conf_init_file(optarg) != KNOT_EOK) {
@@ -394,9 +393,6 @@ int main(int argc, char *argv[])
case 'l':
just_list = true;
break;
- case 'b':
- WARN2("option '--brief' is deprecated and enabled by default");
- break;
case 'x':
list_params.color = false;
break;
@@ -407,7 +403,7 @@ int main(int argc, char *argv[])
print_help();
goto success;
case 'V':
- print_version(PROGRAM_NAME);
+ print_version(PROGRAM_NAME, optarg != NULL);
goto success;
default:
print_help();
diff --git a/src/utils/keymgr/offline_ksk.c b/src/utils/keymgr/offline_ksk.c
index b4260b9..05b2d2b 100644
--- a/src/utils/keymgr/offline_ksk.c
+++ b/src/utils/keymgr/offline_ksk.c
@@ -37,6 +37,8 @@ static int pregenerate_once(kdnssec_ctx_t *ctx, knot_time_t *next)
{
zone_sign_reschedule_t resch = { 0 };
+ memset(ctx->stats, 0, sizeof(*ctx->stats));
+
// generate ZSKs
int ret = knot_dnssec_key_rollover(ctx, KEY_ROLL_ALLOW_ZSK_ROLL | KEY_ROLL_PRESERVE_FUTURE, &resch);
if (ret != KNOT_EOK) {
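Review bot: The added `memset(ctx->stats, 0, sizeof(*ctx->stats))` dereferences `ctx->stats` without a NULL check, and the same line is added in the next two hunks (ksr_once and ksr_sign_dnskey). Nothing in the hunk shows where `stats` is allocated, so if kdnssec_ctx_t initialization can leave it NULL on some path the offline-KSK commands would crash here; if allocation is guaranteed by the context init, a comment at this first use should say so, e.g. `// ctx->stats is allocated by the ctx init; reset the per-run counters before each generation pass`. pregenerate_once's body continues past the hunk.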
@@ -245,6 +247,9 @@ static int ksr_once(kdnssec_ctx_t *ctx, char **buf, size_t *buf_size, knot_time_
{
knot_rrset_t *dnskey = NULL;
zone_keyset_t keyset = { 0 };
+
+ memset(ctx->stats, 0, sizeof(*ctx->stats));
+
int ret = load_dnskey_rrset(ctx, &dnskey, &keyset);
if (ret != KNOT_EOK) {
goto done;
@@ -322,10 +327,10 @@ static int ksr_sign_dnskey(kdnssec_ctx_t *ctx, knot_rrset_t *zsk, knot_time_t no
zone_keyset_t keyset = { 0 };
char *buf = NULL;
size_t buf_size = 4096;
- knot_time_t rrsigs_expire = 0;
ctx->now = now;
ctx->policy->dnskey_ttl = zsk->ttl;
+ memset(ctx->stats, 0, sizeof(*ctx->stats));
knot_timediff_t rrsig_refresh = ctx->policy->rrsig_refresh_before;
if (rrsig_refresh == UINT32_MAX) { // not setting rrsig-refresh prohibited by documentation, but we need to do something
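Review bot: The `memset` replacing the local `rrsigs_expire` makes the `*next_sign` computation in the fifth hunk depend on `ctx->stats->expire` being filled in by the `key_records_sign` loop of the fourth hunk, which is not visible here; if any call between the reset and that read also clears `ctx->stats`, the expiry would be lost and the next signing time computed from 0. A comment tying the two sites together would make the ordering constraint explicit: `memset(ctx->stats, 0, sizeof(*ctx->stats)); // key_records_sign below presumably records the RRSIG expiry in ctx->stats->expire, read for *next_sign`. ksr_sign_dnskey's body starts and ends outside the hunk.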
@@ -352,7 +357,7 @@ static int ksr_sign_dnskey(kdnssec_ctx_t *ctx, knot_rrset_t *zsk, knot_time_t no
// no check if the KSK used for signing (in keyset) is contained in DNSKEY record being signed (in KSR) !
for (int i = 0; i < keyset.count; i++) {
- ret = key_records_sign(&keyset.keys[i], &r, ctx, &rrsigs_expire);
+ ret = key_records_sign(&keyset.keys[i], &r, ctx);
if (ret != KNOT_EOK) {
goto done;
}
@@ -362,7 +367,7 @@ static int ksr_sign_dnskey(kdnssec_ctx_t *ctx, knot_rrset_t *zsk, knot_time_t no
print_header("SignedKeyResponse "KSR_SKR_VER, ctx->now, buf);
*next_sign = knot_time_min(
knot_get_next_zone_key_event(&keyset),
- knot_time_add(rrsigs_expire, -rrsig_refresh)
+ knot_time_add(ctx->stats->expire, -rrsig_refresh)
);
}
@@ -446,6 +451,7 @@ static void skr_import_header(zs_scanner_t *sc)
// trailing header without timestamp
next_timestamp = 0;
}
+ knot_time_t validity_ts = next_timestamp != 0 ? next_timestamp : ctx->timestamp;
// delete possibly existing conflicting offline records
ctx->ret = kasp_db_delete_offline_records(
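Review bot: `validity_ts` is handed to `key_records_verify` (next hunk) as `next_timestamp`, whereas the removed code verified at `next_timestamp - 1`, so whether an SKR whose signatures expire exactly at the next header's timestamp is still accepted now depends on whether the new fourth parameter is an inclusive or exclusive bound — that contract is not visible here and should be stated on the declaration of key_records_verify. For the trailing header the interval collapses to `ctx->timestamp`, i.e. only the start instant is checked, as before. A comment on the new line would document the intent: `// end of the interval this SKR must stay valid for: the next header's time, or just the start instant for the trailing header`. skr_validate_header (last hunk) computes the same expression and the two could share a small static helper. skr_import_header's body starts before the hunk.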
@@ -454,16 +460,11 @@ static void skr_import_header(zs_scanner_t *sc)
// store previous SKR
if (ctx->timestamp > 0 && ctx->ret == KNOT_EOK) {
- ctx->ret = key_records_verify(&ctx->r, ctx->kctx, ctx->timestamp);
+ ctx->ret = key_records_verify(&ctx->r, ctx->kctx, ctx->timestamp, validity_ts);
if (ctx->ret != KNOT_EOK) {
return;
}
- if (next_timestamp > 0) {
- ctx->ret = key_records_verify(&ctx->r, ctx->kctx, next_timestamp - 1);
- if (ctx->ret != KNOT_EOK) {
- return;
- }
- }
+
ctx->ret = kasp_db_store_offline_records(ctx->kctx->kasp_db,
ctx->timestamp, &ctx->r);
key_records_clear_rdatasets(&ctx->r);
@@ -490,20 +491,14 @@ static void skr_validate_header(zs_scanner_t *sc)
// trailing header without timestamp
next_timestamp = 0;
}
+ knot_time_t validity_ts = next_timestamp != 0 ? next_timestamp : ctx->timestamp;
if (ctx->timestamp > 0 && ctx->ret == KNOT_EOK) {
- int ret = key_records_verify(&ctx->r, ctx->kctx, ctx->timestamp);
+ int ret = key_records_verify(&ctx->r, ctx->kctx, ctx->timestamp, validity_ts);
if (ret != KNOT_EOK) { // ctx->ret untouched
ERR2("invalid SignedKeyResponse for %"KNOT_TIME_PRINTF" (%s)",
ctx->timestamp, knot_strerror(ret));
}
- if (next_timestamp > 0) {
- ret = key_records_verify(&ctx->r, ctx->kctx, next_timestamp - 1);
- if (ret != KNOT_EOK) { // ctx->ret untouched
- ERR2("invalid SignedKeyResponse for %"KNOT_TIME_PRINTF" (%s)",
- next_timestamp - 1, knot_strerror(ret));
- }
- }
key_records_clear_rdatasets(&ctx->r);
}
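Review bot: With the end-of-interval check folded into the single `key_records_verify` call, the ERR2 message below it still reports only `ctx->timestamp`, so an SKR that is valid at its start but expires before `validity_ts` is logged as invalid "for" its start time — exactly the case the removed second message used to distinguish. Printing both bounds keeps that diagnostic: `ERR2("invalid SignedKeyResponse for %"KNOT_TIME_PRINTF"..%"KNOT_TIME_PRINTF" (%s)",` / `ctx->timestamp, validity_ts, knot_strerror(ret));`. skr_validate_header's body starts before the hunk.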