diff --git a/bin/dnssec/Makefile.am b/bin/dnssec/Makefile.am
index f3ecdffb0e..0268fc196b 100644
--- a/bin/dnssec/Makefile.am
+++ b/bin/dnssec/Makefile.am
@@ -2,6 +2,7 @@ include $(top_srcdir)/Makefile.top
 AM_CPPFLAGS += \
 $(LIBISC_CFLAGS) \
+ $(LIBISCCFG_CFLAGS) \
 $(LIBDNS_CFLAGS)
 AM_CPPFLAGS += \
@@ -12,6 +13,7 @@ noinst_LTLIBRARIES = libdnssectool.la
 LDADD += \
 libdnssectool.la \
 $(LIBISC_LIBS) \
+ $(LIBISCCFG_LIBS) \
 $(LIBDNS_LIBS) \
 $(OPENSSL_LIBS)
@@ -33,20 +35,16 @@ libdnssectool_la_SOURCES = \
 dnssec_keygen_CPPFLAGS = \
 $(AM_CPPFLAGS) \
- $(LIBISCCFG_CFLAGS) \
 $(OPENSSL_CFLAGS)
 dnssec_keygen_LDADD = \
 $(LDADD) \
- $(LIBISCCFG_LIBS) \
 $(OPENSSL_LIBS)
 dnssec_signzone_CPPFLAGS = \
 $(AM_CPPFLAGS) \
- $(LIBISCCFG_CFLAGS) \
 $(OPENSSL_CFLAGS)
 dnssec_signzone_LDADD = \
 $(LDADD) \
- $(LIBISCCFG_LIBS) \
 $(OPENSSL_LIBS)
diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c
index 0a2cadbfe2..ba68504234 100644
--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -56,10 +56,6 @@
 #include
-#include
-#include
-#include
-#include
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
 #include
 #include
@@ -67,9 +63,6 @@
 #include "dnssectool.h"
-#define MAX_RSA 4096 /* should be long enough... */
-#define MAX_DH 4096 /* should be long enough... */
-
 const char *program = "dnssec-keygen";
 /*
@@ -254,90 +247,6 @@ progress(int p) {
 (void)fflush(stderr);
 }
-static void
-kasp_from_conf(cfg_obj_t *config, isc_mem_t *mctx, const char *name,
- const char *keydir, const char *engine, dns_kasp_t **kaspp) {
- isc_result_t result = ISC_R_NOTFOUND;
- const cfg_listelt_t *element;
- const cfg_obj_t *kasps = NULL;
- dns_kasp_t *kasp = NULL, *kasp_next;
- dns_kasplist_t kasplist;
- const cfg_obj_t *keystores = NULL;
- dns_keystore_t *ks = NULL, *ks_next;
- dns_keystorelist_t kslist;
-
- ISC_LIST_INIT(kasplist);
- ISC_LIST_INIT(kslist);
-
- (void)cfg_map_get(config, "key-store", &keystores);
- for (element = cfg_list_first(keystores); element != NULL;
- element = cfg_list_next(element))
- {
- cfg_obj_t *kconfig = cfg_listelt_value(element);
- ks = NULL;
- result = cfg_keystore_fromconfig(kconfig, mctx, lctx, engine,
- &kslist, NULL);
- if (result != ISC_R_SUCCESS) {
- fatal("failed to configure key-store '%s': %s",
- cfg_obj_asstring(cfg_tuple_get(kconfig, "name")),
- isc_result_totext(result));
- }
- }
- /* Default key-directory key store. */
- ks = NULL;
- (void)cfg_keystore_fromconfig(NULL, mctx, lctx, engine, &kslist, &ks);
- INSIST(ks != NULL);
- if (keydir != NULL) {
- /* '-K keydir' takes priority */
- dns_keystore_setdirectory(ks, keydir);
- }
- dns_keystore_detach(&ks);
-
- (void)cfg_map_get(config, "dnssec-policy", &kasps);
- for (element = cfg_list_first(kasps); element != NULL;
- element = cfg_list_next(element))
- {
- cfg_obj_t *kconfig = cfg_listelt_value(element);
- kasp = NULL;
- if (strcmp(cfg_obj_asstring(cfg_tuple_get(kconfig, "name")),
- name) != 0)
- {
- continue;
- }
-
- result = cfg_kasp_fromconfig(kconfig, NULL, true, mctx, lctx,
- &kslist, &kasplist, &kasp);
- if (result != ISC_R_SUCCESS) {
- fatal("failed to configure dnssec-policy '%s': %s",
- cfg_obj_asstring(cfg_tuple_get(kconfig, "name")),
- isc_result_totext(result));
- }
- INSIST(kasp != NULL);
- dns_kasp_freeze(kasp);
- break;
- }
-
- *kaspp = kasp;
-
- /*
- * Cleanup kasp list.
- */
- for (kasp = ISC_LIST_HEAD(kasplist); kasp != NULL; kasp = kasp_next) {
- kasp_next = ISC_LIST_NEXT(kasp, link);
- ISC_LIST_UNLINK(kasplist, kasp, link);
- dns_kasp_detach(&kasp);
- }
-
- /*
- * Cleanup keystore list.
- */
- for (ks = ISC_LIST_HEAD(kslist); ks != NULL; ks = ks_next) {
- ks_next = ISC_LIST_NEXT(ks, link);
- ISC_LIST_UNLINK(kslist, ks, link);
- dns_keystore_detach(&ks);
- }
-}
-
 static void
 keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
 char filename[255];
@@ -1330,8 +1239,8 @@ main(int argc, char **argv) {
 ctx.policy, ctx.configfile);
 }
- kasp_from_conf(config, mctx, ctx.policy, ctx.directory,
- engine, &kasp);
+ kasp_from_conf(config, mctx, lctx, ctx.policy,
+ ctx.directory, engine, &kasp);
 if (kasp == NULL) {
 fatal("failed to load dnssec-policy '%s'", ctx.policy);
@@ -1361,6 +1270,7 @@ main(int argc, char **argv) {
 if (ctx.keystore != NULL) {
 check_keystore_options(&ctx);
 }
+
 keygen(&ctx, mctx, argc, argv);
 kaspkey = ISC_LIST_NEXT(kaspkey, link);
diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c
index 6f54444647..69f93c0852 100644
--- a/bin/dnssec/dnssectool.c
+++ b/bin/dnssec/dnssectool.c
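Review bot: The `if (kasp == NULL)` branch right after the updated call still reports `failed to load dnssec-policy '%s'`, but kasp_from_conf (see the dnssectool.c hunk below) already aborts via fatal() on any key-store or policy configuration error, so a NULL here can only mean that no `dnssec-policy` with that name exists in the configuration. The message could say exactly that and name the file already used two lines above: `fatal("dnssec-policy '%s' not found in '%s'", ctx.policy, ctx.configfile);`. Apart from passing `lctx` explicitly the call is unchanged and matches the new prototype. The enclosing main() starts and ends outside the hunk.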
@@ -602,3 +602,88 @@ loadjournal(isc_mem_t *mctx, dns_db_t *db, const char *file) {
 cleanup:
 dns_journal_destroy(&jnl);
 }
+
+void
+kasp_from_conf(cfg_obj_t *config, isc_mem_t *mctx, isc_log_t *lctx,
+ const char *name, const char *keydir, const char *engine,
+ dns_kasp_t **kaspp) {
+ isc_result_t result = ISC_R_NOTFOUND;
+ const cfg_listelt_t *element;
+ const cfg_obj_t *kasps = NULL;
+ dns_kasp_t *kasp = NULL, *kasp_next;
+ dns_kasplist_t kasplist;
+ const cfg_obj_t *keystores = NULL;
+ dns_keystore_t *ks = NULL, *ks_next;
+ dns_keystorelist_t kslist;
+
+ ISC_LIST_INIT(kasplist);
+ ISC_LIST_INIT(kslist);
+
+ (void)cfg_map_get(config, "key-store", &keystores);
+ for (element = cfg_list_first(keystores); element != NULL;
+ element = cfg_list_next(element))
+ {
+ cfg_obj_t *kconfig = cfg_listelt_value(element);
+ ks = NULL;
+ result = cfg_keystore_fromconfig(kconfig, mctx, lctx, engine,
+ &kslist, NULL);
+ if (result != ISC_R_SUCCESS) {
+ fatal("failed to configure key-store '%s': %s",
+ cfg_obj_asstring(cfg_tuple_get(kconfig, "name")),
+ isc_result_totext(result));
+ }
+ }
+ /* Default key-directory key store. 
*/
+ ks = NULL;
+ (void)cfg_keystore_fromconfig(NULL, mctx, lctx, engine, &kslist, &ks);
+ INSIST(ks != NULL);
+ if (keydir != NULL) {
+ /* '-K keydir' takes priority */
+ dns_keystore_setdirectory(ks, keydir);
+ }
+ dns_keystore_detach(&ks);
+
+ (void)cfg_map_get(config, "dnssec-policy", &kasps);
+ for (element = cfg_list_first(kasps); element != NULL;
+ element = cfg_list_next(element))
+ {
+ cfg_obj_t *kconfig = cfg_listelt_value(element);
+ kasp = NULL;
+ if (strcmp(cfg_obj_asstring(cfg_tuple_get(kconfig, "name")),
+ name) != 0)
+ {
+ continue;
+ }
+
+ result = cfg_kasp_fromconfig(kconfig, NULL, true, mctx, lctx,
+ &kslist, &kasplist, &kasp);
+ if (result != ISC_R_SUCCESS) {
+ fatal("failed to configure dnssec-policy '%s': %s",
+ cfg_obj_asstring(cfg_tuple_get(kconfig, "name")),
+ isc_result_totext(result));
+ }
+ INSIST(kasp != NULL);
+ dns_kasp_freeze(kasp);
+ break;
+ }
+
+ *kaspp = kasp;
+
+ /*
+ * Cleanup kasp list.
+ */
+ for (kasp = ISC_LIST_HEAD(kasplist); kasp != NULL; kasp = kasp_next) {
+ kasp_next = ISC_LIST_NEXT(kasp, link);
+ ISC_LIST_UNLINK(kasplist, kasp, link);
+ dns_kasp_detach(&kasp);
+ }
+
+ /*
+ * Cleanup keystore list.
+ */
+ for (ks = ISC_LIST_HEAD(kslist); ks != NULL; ks = ks_next) {
+ ks_next = ISC_LIST_NEXT(ks, link);
+ ISC_LIST_UNLINK(kslist, ks, link);
+ dns_keystore_detach(&ks);
+ }
+}
diff --git a/bin/dnssec/dnssectool.h b/bin/dnssec/dnssectool.h
index 5bc69cd14d..c9a1a5f757 100644
--- a/bin/dnssec/dnssectool.h
+++ b/bin/dnssec/dnssectool.h
@@ -20,10 +20,18 @@
 #include
 #include
+#include
 #include
 #include
+#include
+#include
+#include
+
+#define MAX_RSA 4096 /* should be long enough... */
+#define MAX_DH 4096 /* should be long enough... */
+
 /*! verbosity: set by -v and -q option in each program, defined in dnssectool.c */
 extern int verbose;
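Review bot: `isc_result_t result = ISC_R_NOTFOUND;` at the top of kasp_from_conf is a dead initializer: `result` is only assigned inside the two loops and every failure path ends in fatal(), so the not-found case is signalled solely by leaving `*kaspp` NULL. Now that the function is exported from dnssectool.c rather than being a static in dnssec-keygen.c, either drop the initializer or change the return type to `isc_result_t` and return `result`, so that a future caller which can tolerate a missing policy is not forced into process exit by a shared helper. Whichever is chosen, a header comment above the definition should state that a misconfigured `key-store` or `dnssec-policy` aborts the process, that `keydir` is applied only to the implicit default store obtained from `cfg_keystore_fromconfig(NULL, ...)` and never to the explicitly configured `key-store` entries, and who is expected to `dns_kasp_detach()` the reference handed back in `*kaspp` (the cleanup loops detach only the list entries, so the caller presumably holds its own reference — worth confirming against cfg_kasp_fromconfig).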
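Review bot: `MAX_RSA` and `MAX_DH` move into the shared header still carrying only `/* should be long enough... */`, which says nothing about what they bound now that every tool including dnssectool.h sees them. Presumably they cap the key size in bits the tools accept on the command line — confirm and say so, e.g. `#define MAX_RSA 4096 /* largest RSA key size, in bits, the tools will generate */`. Since the macros are no longer private to dnssec-keygen.c, a same-named definition in any other tool that includes this header would now be a redefinition, so a quick check of the other dnssec tools before merging is worthwhile.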
@@ -108,3 +116,8 @@ isoptarg(const char *arg, char **argv, void (*usage)(void));
 void
 loadjournal(isc_mem_t *mctx, dns_db_t *db, const char *journal);
+
+void
+kasp_from_conf(cfg_obj_t *config, isc_mem_t *mctx, isc_log_t *lctx,
+ const char *name, const char *keydir, const char *engine,
+ dns_kasp_t **kaspp);
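Review bot: The new `kasp_from_conf` prototype goes into the shared header without a comment, so a caller other than dnssec-keygen cannot tell from the declaration that `*kaspp` is left NULL when no `dnssec-policy` named `name` exists, that `keydir` may be NULL and only overrides the implicit key-directory store, or that configuration errors terminate the process instead of being reported through a return value. A short comment above the declaration covering those three points and stating who must detach the returned kasp would make the contract usable from the other tools this commit links against libisccfg. The header's list of declarations continues outside the hunk.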