Tidy up keyvalue.h definitions

Use enums for DNS_KEYFLAG_, DNS_KEYTYPE_, DNS_KEYOWNER_, DNS_KEYALG_,
and DNS_KEYPROTO_ values.

Remove values that are never used.

Eliminate the obsolete DNS_KEYFLAG_SIGNATORYMASK. Instead, add three
more RESERVED bits for the key flag values that it covered but which
were never used.

(cherry picked from commit fee1ba40df939f25fc9258b2681a1a2bd7965f5d)

diff --git a/bin/dnssec/dnssec-keyfromlabel.c b/bin/dnssec/dnssec-keyfromlabel.c
index cf45491f39b2c859403e72643b8f7ccdb38f89a5..6cf9ec98ad1c3f8aa7a8359ade3c9f562e818164 100644 (file)
--- a/bin/dnssec/dnssec-keyfromlabel.c
+++ b/bin/dnssec/dnssec-keyfromlabel.c
@@ -563,7 +563,7 @@ main(int argc, char **argv) {
                {
                        flags |= DNS_KEYOWNER_ENTITY;
                } else if (strcasecmp(nametype, "user") == 0) {
-                       flags |= DNS_KEYOWNER_USER;
+                       /* no owner flags */
                } else {
                        fatal("invalid KEY nametype %s", nametype);
                }
@@ -592,19 +592,6 @@ main(int argc, char **argv) {
                fatal("invalid DNSKEY protocol: %d", protocol);
        }
 
-       if ((flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY) {
-               if ((flags & DNS_KEYFLAG_SIGNATORYMASK) != 0) {
-                       fatal("specified null key with signing authority");
-               }
-       }
-
-       if ((flags & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_ZONE &&
-           alg == DNS_KEYALG_DH)
-       {
-               fatal("a key with algorithm '%s' cannot be a zone key",
-                     algname);
-       }
-
        isc_buffer_init(&buf, filename, sizeof(filename) - 1);
 
        /* associate the key */

diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c
index a79623a1df64b821e4c8ee059da9a6b24b958727..7e6d2d30dc48a425d9185c55d4d8bc0c29ec592d 100644 (file)
--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -572,7 +572,7 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
                {
                        flags |= DNS_KEYOWNER_ENTITY;
                } else if (strcasecmp(ctx->nametype, "user") == 0) {
-                       flags |= DNS_KEYOWNER_USER;
+                       /* no owner flags */
                } else {
                        fatal("invalid KEY nametype %s", ctx->nametype);
                }
@@ -603,9 +603,6 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
                if (ctx->size > 0) {
                        fatal("specified null key with non-zero size");
                }
-               if ((flags & DNS_KEYFLAG_SIGNATORYMASK) != 0) {
-                       fatal("specified null key with signing authority");
-               }
        }
 
        if ((flags & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_ZONE &&

diff --git a/lib/dns/include/dns/keyvalues.h b/lib/dns/include/dns/keyvalues.h
index 21552661bc1f90ddc6acd19836cf8a445c0ffbda..5211a9ea75d688c2f1e3da1457e09d45165abeaf 100644 (file)
--- a/lib/dns/include/dns/keyvalues.h
+++ b/lib/dns/include/dns/keyvalues.h
@@ -16,89 +16,84 @@
 /*! \file dns/keyvalues.h */
 
 /*
- * Flags field of the KEY RR rdata
+ * Flags field of the KEY rdata. Also used by DNSKEY, CDNSKEY, RKEY,
+ * KEYDATA. Some values are only defined for KEY and not the others,
+ * and vice versa.
  */
-#define DNS_KEYFLAG_TYPEMASK 0xC000 /*%< Mask for "type" bits */
-#define DNS_KEYTYPE_AUTHCONF 0x0000 /*%< Key usable for both */
-#define DNS_KEYTYPE_CONFONLY 0x8000 /*%< Key usable for confidentiality */
-#define DNS_KEYTYPE_AUTHONLY 0x4000 /*%< Key usable for authentication */
-#define DNS_KEYTYPE_NOKEY    0xC000 /*%< No key usable for either; no key */
-#define DNS_KEYTYPE_NOAUTH   DNS_KEYTYPE_CONFONLY
-#define DNS_KEYTYPE_NOCONF   DNS_KEYTYPE_AUTHONLY
-
-#define DNS_KEYFLAG_RESERVED2  0x2000 /*%< reserved - must be zero */
-#define DNS_KEYFLAG_EXTENDED   0x1000 /*%< key has extended flags */
-#define DNS_KEYFLAG_RESERVED4  0x0800 /*%< reserved - must be zero */
-#define DNS_KEYFLAG_RESERVED5  0x0400 /*%< reserved - must be zero */
-#define DNS_KEYFLAG_OWNERMASK  0x0300 /*%< these bits determine the type */
-#define DNS_KEYOWNER_USER      0x0000 /*%< key is assoc. with user */
-#define DNS_KEYOWNER_ENTITY    0x0200 /*%< key is assoc. with entity eg host */
-#define DNS_KEYOWNER_ZONE      0x0100 /*%< key is zone key */
-#define DNS_KEYOWNER_RESERVED  0x0300 /*%< reserved meaning */
-#define DNS_KEYFLAG_REVOKE     0x0080 /*%< key revoked (per rfc5011) */
-#define DNS_KEYFLAG_RESERVED9  0x0040 /*%< reserved - must be zero */
-#define DNS_KEYFLAG_RESERVED10 0x0020 /*%< reserved - must be zero */
-#define DNS_KEYFLAG_RESERVED11 0x0010 /*%< reserved - must be zero */
-#define DNS_KEYFLAG_SIGNATORYMASK                  \
-       0x000F /*%< key can sign RR's of same name \
-               */
-
-#define DNS_KEYFLAG_RESERVEDMASK                         \
-       (DNS_KEYFLAG_RESERVED2 | DNS_KEYFLAG_RESERVED4 | \
-        DNS_KEYFLAG_RESERVED5 | DNS_KEYFLAG_RESERVED9 | \
-        DNS_KEYFLAG_RESERVED10 | DNS_KEYFLAG_RESERVED11)
-#define DNS_KEYFLAG_KSK 0x0001 /*%< key signing key */
-
-#define DNS_KEYFLAG_RESERVEDMASK2 0xFFFF /*%< no bits defined here */
+enum {
+       /* valid for KEY only. if both are set, there is no key data. */
+       DNS_KEYTYPE_NOAUTH = 1 << 15, /* cannot be used for authentication. */
+       DNS_KEYTYPE_NOCONF = 1 << 14, /* cannot be used for confidentiality. */
+
+       DNS_KEYFLAG_RESERVED2 = 1 << 13, /* reserved: must be zero. */
+
+       DNS_KEYFLAG_EXTENDED = 1 << 12, /* key has extended flags: if this is
+                                        * set, the first two octets of the
+                                        * key data are an additional flags
+                                        * field, at least one bit of which
+                                        * must be nonzero. (valid for KEY
+                                        * only.) */
+
+       DNS_KEYFLAG_RESERVED4 = 1 << 11, /* reserved: must be zero. */
+       DNS_KEYFLAG_RESERVED5 = 1 << 10, /* reserved: must be zero. */
+
+       /* if nether of these is set, this is a user key (valid for KEY only) */
+       DNS_KEYOWNER_ENTITY = 1 << 9, /* host key (valid for KEY only). */
+       DNS_KEYOWNER_ZONE = 1 << 8,   /* zone key (mandatory for DNSKEY). */
+
+       DNS_KEYFLAG_REVOKE = 1 << 7,     /* key revoked (per rfc5011) */
+       DNS_KEYFLAG_RESERVED9 = 1 << 6,  /* reserved: must be zero. */
+       DNS_KEYFLAG_RESERVED10 = 1 << 5, /* reserved: must be zero. */
+       DNS_KEYFLAG_RESERVED11 = 1 << 4, /* reserved: must be zero. */
+
+       DNS_KEYFLAG_RESERVED12 = 1 << 3, /* reserved: must be zero. */
+       DNS_KEYFLAG_RESERVED13 = 1 << 4, /* reserved: must be zero. */
+       DNS_KEYFLAG_RESERVED14 = 1 << 2, /* reserved: must be zero. */
+
+       DNS_KEYFLAG_KSK = 1 << 0, /* key signing key */
+};
+
+#define DNS_KEYFLAG_OWNERMASK (DNS_KEYOWNER_ENTITY | DNS_KEYOWNER_ZONE)
+#define DNS_KEYFLAG_TYPEMASK  (DNS_KEYTYPE_NOAUTH | DNS_KEYTYPE_NOCONF)
+#define DNS_KEYTYPE_NOKEY     DNS_KEYFLAG_TYPEMASK
 
 /* The Algorithm field of the KEY and SIG RR's is an integer, {1..254} */
-#define DNS_KEYALG_RSAMD5      1 /*%< RSA with MD5 */
-#define DNS_KEYALG_RSA         1 /*%< Used just for tagging */
-#define DNS_KEYALG_DH          2 /*%< Diffie Hellman KEY */
-#define DNS_KEYALG_DSA         3 /*%< DSA KEY */
-#define DNS_KEYALG_NSEC3DSA    6
-#define DNS_KEYALG_DSS         DNS_ALG_DSA
-#define DNS_KEYALG_ECC         4
-#define DNS_KEYALG_RSASHA1     5
-#define DNS_KEYALG_NSEC3RSASHA1 7
-#define DNS_KEYALG_RSASHA256   8
-#define DNS_KEYALG_RSASHA512   10
-#define DNS_KEYALG_ECCGOST     12
-#define DNS_KEYALG_ECDSA256    13
-#define DNS_KEYALG_ECDSA384    14
-#define DNS_KEYALG_ED25519     15
-#define DNS_KEYALG_ED448       16
-#define DNS_KEYALG_INDIRECT    252
-#define DNS_KEYALG_PRIVATEDNS  253
-#define DNS_KEYALG_PRIVATEOID  254 /*%< Key begins with OID giving alg */
-#define DNS_KEYALG_MAX         255
+enum {
+       DNS_KEYALG_RSAMD5 = 1, /*%< RSA with MD5 */
+       DNS_KEYALG_DH = 2,     /*%< Diffie Hellman KEY */
+       DNS_KEYALG_DSA = 3,    /*%< DSA KEY */
+       DNS_KEYALG_RSASHA1 = 5,
+       DNS_KEYALG_NSEC3DSA = 6,
+       DNS_KEYALG_NSEC3RSASHA1 = 7,
+       DNS_KEYALG_RSASHA256 = 8,
+       DNS_KEYALG_RSASHA512 = 10,
+       DNS_KEYALG_ECCGOST = 12,
+       DNS_KEYALG_ECDSA256 = 13,
+       DNS_KEYALG_ECDSA384 = 14,
+       DNS_KEYALG_ED25519 = 15,
+       DNS_KEYALG_ED448 = 16,
+       DNS_KEYALG_INDIRECT = 252,
+       DNS_KEYALG_PRIVATEDNS = 253,
+       DNS_KEYALG_PRIVATEOID = 254, /*%< Key begins with OID giving alg */
+       DNS_KEYALG_MAX = 255,
+};
 
 /* Protocol values  */
-#define DNS_KEYPROTO_RESERVED 0
-#define DNS_KEYPROTO_TLS      1
-#define DNS_KEYPROTO_EMAIL    2
-#define DNS_KEYPROTO_DNSSEC   3
-#define DNS_KEYPROTO_IPSEC    4
-#define DNS_KEYPROTO_ANY      255
-
-/* Signatures */
-#define DNS_SIG_RSAMINBITS 512 /*%< Size of a mod or exp in bits */
-#define DNS_SIG_RSAMAXBITS 2552
-/* Total of binary mod and exp */
-#define DNS_SIG_RSAMAXBYTES ((DNS_SIG_RSAMAXBITS + 7 / 8) * 2 + 3)
-/*%< Max length of text sig block */
-#define DNS_SIG_RSAMAXBASE64 (((DNS_SIG_RSAMAXBYTES + 2) / 3) * 4)
-#define DNS_SIG_RSAMINSIZE   ((DNS_SIG_RSAMINBITS + 7) / 8)
-#define DNS_SIG_RSAMAXSIZE   ((DNS_SIG_RSAMAXBITS + 7) / 8)
+enum {
+       DNS_KEYPROTO_RESERVED = 0,
+       DNS_KEYPROTO_DNSSEC = 3,
+       DNS_KEYPROTO_ANY = 255,
+};
 
+/* Key and signature sizes */
+#define DNS_KEY_ECDSA256SIZE 64
 #define DNS_SIG_ECDSA256SIZE 64
-#define DNS_SIG_ECDSA384SIZE 96
 
-#define DNS_KEY_ECDSA256SIZE 64
 #define DNS_KEY_ECDSA384SIZE 96
+#define DNS_SIG_ECDSA384SIZE 96
 
+#define DNS_KEY_ED25519SIZE 32
 #define DNS_SIG_ED25519SIZE 64
-#define DNS_SIG_ED448SIZE   114
 
-#define DNS_KEY_ED25519SIZE 32
-#define DNS_KEY_ED448SIZE   57
+#define DNS_KEY_ED448SIZE 57
+#define DNS_SIG_ED448SIZE 114