From: Evan Hunt
Date: Thu, 6 Feb 2014 23:59:14 +0000 (-0800)
Subject: [master] dnssec-keygen fixes
X-Git-Tag: v9.10.0b1~150^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a165a17a81ff3285f4f4d79785fafb465e626183;p=thirdparty%2Fbind9.git
[master] dnssec-keygen fixes
3730. [cleanup] Added "never" as a synonym for "none" when configuring key event dates in the dnssec tools. [RT #35277]
3729. [bug] dnssec-kegeyn could set the publication date incorrectly when only the activation date was specified on the command line. [RT #35278]
---
diff --git a/CHANGES b/CHANGES
index a9ef418455b..aad5f8be881 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,11 @@
+3730. [cleanup] Added "never" as a synonym for "none" when
+ configuring key event dates in the dnssec tools.
+ [RT #35277]
+
+3729. [bug] dnssec-kegeyn could set the publication date
+ incorrectly when only the activation date was
+ specified on the command line. [RT #35278]
+
 3728. [doc] Expanded native-PKCS#11 documentation, specifically
 pkcs11: URI labels. [RT #35287]
diff --git a/bin/dnssec/dnssec-importkey.c b/bin/dnssec/dnssec-importkey.c
index 563dc09948b..2948e8d6902 100644
--- a/bin/dnssec/dnssec-importkey.c
+++ b/bin/dnssec/dnssec-importkey.c
@@ -313,8 +313,8 @@ main(int argc, char **argv) {
 if (setdel)
 fatal("-D specified more than once");
- setdel = ISC_TRUE;
- del = strtotime(isc_commandline_argument, now, now);
+ del = strtotime(isc_commandline_argument,
+ now, now, &setdel);
 break;
 case 'K':
 dir = isc_commandline_argument;
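Review bot: The duplicate-option check above the new strtotime() call now has a hole: strtotime() stores ISC_FALSE into setdel when the argument is "none" or "never", so `-D never -D +1d` passes the `if (setdel)` test on the second option and is silently accepted, whereas the removed `setdel = ISC_TRUE;` made any second -D fatal. Unlike the keygen/keyfromlabel/settime hunks in this commit, no `unsetdel` companion flag is visible here to catch that case. A separate seen-flag keeps the check intact: `if (seendel) fatal("-D specified more than once");` then `seendel = ISC_TRUE;` followed by the unchanged strtotime() call. main() starts and ends outside the hunk.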
@@ -322,18 +322,15 @@ main(int argc, char **argv) {
 fatal("directory must be non-empty string");
 break;
 case 'L':
- if (strcmp(isc_commandline_argument, "none") == 0)
- ttl = 0;
- else
- ttl = strtottl(isc_commandline_argument);
+ ttl = strtottl(isc_commandline_argument);
 setttl = ISC_TRUE;
 break;
 case 'P':
 if (setpub)
 fatal("-P specified more than once");
- setpub = ISC_TRUE;
- pub = strtotime(isc_commandline_argument, now, now);
+ pub = strtotime(isc_commandline_argument,
+ now, now, &setpub);
 break;
 case 'f':
 filename = isc_commandline_argument;
diff --git a/bin/dnssec/dnssec-importkey.docbook b/bin/dnssec/dnssec-importkey.docbook
index f9b322c884b..3a8babb9360 100644
--- a/bin/dnssec/dnssec-importkey.docbook
+++ b/bin/dnssec/dnssec-importkey.docbook
@@ -160,7 +160,8 @@
 then the offset is computed in years (defined as 365 24-hour days, ignoring leap years), months (defined as 30 24-hour days), weeks, days, hours, or minutes, respectively. Without a suffix, the offset
- is computed in seconds. To unset a date, use 'none'.
+ is computed in seconds. To explicitly prevent a date from being
+ set, use 'none' or 'never'.
diff --git a/bin/dnssec/dnssec-keyfromlabel.c b/bin/dnssec/dnssec-keyfromlabel.c
index 1b8accdb20f..3609be5a229 100644
--- a/bin/dnssec/dnssec-keyfromlabel.c
+++ b/bin/dnssec/dnssec-keyfromlabel.c
@@ -212,10 +212,7 @@ main(int argc, char **argv) {
 options |= DST_TYPE_KEY;
 break;
 case 'L':
- if (strcmp(isc_commandline_argument, "none") == 0)
- ttl = 0;
- else
- ttl = strtottl(isc_commandline_argument);
+ ttl = strtottl(isc_commandline_argument);
 setttl = ISC_TRUE;
 break;
 case 'l':
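Review bot: The -P arm of dnssec-importkey has the same weakened duplicate check as -D: the `if (setpub)` test now only fires if the earlier -P carried a real date, because strtotime() resets setpub to ISC_FALSE for "none"/"never", so `-P never -P now` is accepted without the "-P specified more than once" error the removed `setpub = ISC_TRUE;` guaranteed. Track the option having been seen independently of whether a date was set, e.g. `if (seenpub) fatal("-P specified more than once");` and `seenpub = ISC_TRUE;` before the strtotime() call. main() starts and ends outside the hunk.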
@@ -248,61 +245,41 @@ main(int argc, char **argv) {
 if (setpub || unsetpub)
 fatal("-P specified more than once");
- if (strcasecmp(isc_commandline_argument, "none")) {
- setpub = ISC_TRUE;
- publish = strtotime(isc_commandline_argument,
- now, now);
- } else {
- unsetpub = ISC_TRUE;
- }
+ publish = strtotime(isc_commandline_argument,
+ now, now, &setpub);
+ unsetpub = !setpub;
 break;
 case 'A':
 if (setact || unsetact)
 fatal("-A specified more than once");
- if (strcasecmp(isc_commandline_argument, "none")) {
- setact = ISC_TRUE;
- activate = strtotime(isc_commandline_argument,
- now, now);
- } else {
- unsetact = ISC_TRUE;
- }
+ activate = strtotime(isc_commandline_argument,
+ now, now, &setact);
+ unsetact = !setact;
 break;
 case 'R':
 if (setrev || unsetrev)
 fatal("-R specified more than once");
- if (strcasecmp(isc_commandline_argument, "none")) {
- setrev = ISC_TRUE;
- revoke = strtotime(isc_commandline_argument,
- now, now);
- } else {
- unsetrev = ISC_TRUE;
- }
+ revoke = strtotime(isc_commandline_argument,
+ now, now, &setrev);
+ unsetrev = !setrev;
 break;
 case 'I':
 if (setinact || unsetinact)
 fatal("-I specified more than once");
- if (strcasecmp(isc_commandline_argument, "none")) {
- setinact = ISC_TRUE;
- inactive = strtotime(isc_commandline_argument,
- now, now);
- } else {
- unsetinact = ISC_TRUE;
- }
+ inactive = strtotime(isc_commandline_argument,
+ now, now, &setinact);
+ unsetinact = !setinact;
 break;
 case 'D':
 if (setdel || unsetdel)
 fatal("-D specified more than once");
- if (strcasecmp(isc_commandline_argument, "none")) {
- setdel = ISC_TRUE;
- delete = strtotime(isc_commandline_argument,
- now, now);
- } else {
- unsetdel = ISC_TRUE;
- }
+ delete = strtotime(isc_commandline_argument,
+ now, now, &setdel);
+ unsetdel = !setdel;
 break;
 case 'F':
 /* Reserved for FIPS mode */
diff --git a/bin/dnssec/dnssec-keyfromlabel.docbook b/bin/dnssec/dnssec-keyfromlabel.docbook
index 29b6972735d..ad88562164e 100644
--- a/bin/dnssec/dnssec-keyfromlabel.docbook
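Review bot: The five option arms in this hunk are now the same three statements repeated with different variable names, which is exactly the kind of copy-paste that drifts between tools (the dnssec-settime and dnssec-keygen hunks in this commit carry the same five arms again). A small static helper taking the target time and its two flags by pointer collapses each arm to one call and keeps the "specified more than once" check next to the parse it guards. The `unsetpub = !setpub;` lines also store a plain int into an isc_boolean_t; `ISC_TF()`, already used in the dnssectool.c hunk, is the file's convention. The sketch below assumes fatal() is the printf-style helper from dnssectool.c; main() starts and ends outside the hunk.

```c
/* Parse one key-event date option; fatal if that option was already given. */
static void
set_event_time(const char *dupmsg, isc_stdtime_t now, isc_stdtime_t *timep,
	       isc_boolean_t *setp, isc_boolean_t *unsetp)
{
	if (*setp || *unsetp)
		fatal("%s", dupmsg);
	*timep = strtotime(isc_commandline_argument, now, now, setp);
	*unsetp = ISC_TF(!*setp);
}

/* … unchanged: main() up to the option switch … */
		case 'P':
			set_event_time("-P specified more than once", now,
				       &publish, &setpub, &unsetpub);
			break;
		/* … same one-call arms for 'A', 'R', 'I', 'D' … */
```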
+++ b/bin/dnssec/dnssec-keyfromlabel.docbook
@@ -342,7 +342,8 @@
 then the offset is computed in years (defined as 365 24-hour days, ignoring leap years), months (defined as 30 24-hour days), weeks, days, hours, or minutes, respectively. Without a suffix, the offset
- is computed in seconds.
+ is computed in seconds. To explicitly prevent a date from being
+ set, use 'none' or 'never'.
diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c
index f0a1217504b..610fc24d061 100644
--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -347,10 +347,7 @@ main(int argc, char **argv) {
 "To generate a key with TYPE=KEY, use -T KEY.\n");
 break;
 case 'L':
- if (strcmp(isc_commandline_argument, "none") == 0)
- ttl = 0;
- else
- ttl = strtottl(isc_commandline_argument);
+ ttl = strtottl(isc_commandline_argument);
 setttl = ISC_TRUE;
 break;
 case 'n':
@@ -407,61 +404,41 @@ main(int argc, char **argv) {
 if (setpub || unsetpub)
 fatal("-P specified more than once");
- if (strcasecmp(isc_commandline_argument, "none")) {
- setpub = ISC_TRUE;
- publish = strtotime(isc_commandline_argument,
- now, now);
- } else {
- unsetpub = ISC_TRUE;
- }
+ publish = strtotime(isc_commandline_argument,
+ now, now, &setpub);
+ unsetpub = !setpub;
 break;
 case 'A':
 if (setact || unsetact)
 fatal("-A specified more than once");
- if (strcasecmp(isc_commandline_argument, "none")) {
- setact = ISC_TRUE;
- activate = strtotime(isc_commandline_argument,
- now, now);
- } else {
- unsetact = ISC_TRUE;
- }
+ activate = strtotime(isc_commandline_argument,
+ now, now, &setact);
+ unsetact = !setact;
 break;
 case 'R':
 if (setrev || unsetrev)
 fatal("-R specified more than once");
- if (strcasecmp(isc_commandline_argument, "none")) {
- setrev = ISC_TRUE;
- revoke = strtotime(isc_commandline_argument,
- now, now);
- } else {
- unsetrev = ISC_TRUE;
- }
+ revoke = strtotime(isc_commandline_argument,
+ now, now, &setrev);
+ unsetrev = !setrev;
 break;
 case 'I':
 if (setinact || unsetinact)
 fatal("-I specified more than once");
- if (strcasecmp(isc_commandline_argument, "none")) {
- setinact = ISC_TRUE;
- inactive = strtotime(isc_commandline_argument,
- now, now);
- } else {
- unsetinact = ISC_TRUE;
- }
+ inactive = strtotime(isc_commandline_argument,
+ now, now, &setinact);
+ unsetinact = !setinact;
 break;
 case 'D':
 if (setdel || unsetdel)
 fatal("-D specified more than once");
- if (strcasecmp(isc_commandline_argument, "none")) {
- setdel = ISC_TRUE;
- delete = strtotime(isc_commandline_argument,
- now, now);
- } else {
- unsetdel = ISC_TRUE;
- }
+ delete = strtotime(isc_commandline_argument,
+ now, now, &setdel);
+ unsetdel = !setdel;
 break;
 case 'S':
 predecessor = isc_commandline_argument;
@@ -940,9 +917,9 @@ main(int argc, char **argv) {
 if (setpub)
 dst_key_settime(key, DST_TIME_PUBLISH, publish);
- else if (setact)
+ else if (setact && !unsetpub)
 dst_key_settime(key, DST_TIME_PUBLISH,
- activate);
+ activate - prepub);
 else if (!genonly && !unsetpub)
 dst_key_settime(key, DST_TIME_PUBLISH, now);
diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook
index 6301b521051..ec74bc644c3 100644
--- a/bin/dnssec/dnssec-keygen.docbook
+++ b/bin/dnssec/dnssec-keygen.docbook
@@ -437,7 +437,8 @@
 then the offset is computed in years (defined as 365 24-hour days, ignoring leap years), months (defined as 30 24-hour days), weeks, days, hours, or minutes, respectively. Without a suffix, the offset
- is computed in seconds.
+ is computed in seconds. To explicitly prevent a date from being
+ set, use 'none' or 'never'.
@@ -460,7 +461,9 @@
 Sets the date on which the key is to be activated. After that date, the key will be included in the zone and used to sign it. If not set, and if the -G option has not been used, the
- default is "now".
+ default is "now". If set, if and -P is not set, then
+ the publication date will be set to the activation date
+ minus the prepublication interval.
diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c
index cb0c384c499..3cb989f53d0 100644
--- a/bin/dnssec/dnssec-settime.c
+++ b/bin/dnssec/dnssec-settime.c
@@ -239,10 +239,7 @@ main(int argc, char **argv) {
 }
 break;
 case 'L':
- if (strcmp(isc_commandline_argument, "none") == 0)
- ttl = 0;
- else
- ttl = strtottl(isc_commandline_argument);
+ ttl = strtottl(isc_commandline_argument);
 setttl = ISC_TRUE;
 break;
 case 'v':
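Review bot: `activate - prepub` on the new line is evaluated in the unsigned isc_stdtime_t domain that dst_key_settime() takes, so an activation time smaller than the prepublication interval wraps to a far-future publication date instead of failing. That input is reachable: the strtotime() hunk in dnssectool.c sets `*setp = ISC_TRUE` before its `str[0] == '0'` early return, so `-A 0 -i 1d` arrives here with setact true and activate == 0 and would publish the key in 2106. Whether prepub can still hold an unset sentinel value at this point, or is signed, is not visible in the hunk. A guard before the call closes it: `if (activate < (isc_stdtime_t) prepub) fatal("activation date is earlier than the prepublication interval");`. main() starts and ends outside the hunk.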
@@ -255,65 +252,45 @@ main(int argc, char **argv) {
 fatal("-P specified more than once");
 changed = ISC_TRUE;
- if (!strcasecmp(isc_commandline_argument, "none")) {
- unsetpub = ISC_TRUE;
- } else {
- setpub = ISC_TRUE;
- pub = strtotime(isc_commandline_argument,
- now, now);
- }
+ pub = strtotime(isc_commandline_argument,
+ now, now, &setpub);
+ unsetpub = !setpub;
 break;
 case 'A':
 if (setact || unsetact)
 fatal("-A specified more than once");
 changed = ISC_TRUE;
- if (!strcasecmp(isc_commandline_argument, "none")) {
- unsetact = ISC_TRUE;
- } else {
- setact = ISC_TRUE;
- act = strtotime(isc_commandline_argument,
- now, now);
- }
+ act = strtotime(isc_commandline_argument,
+ now, now, &setact);
+ unsetact = !setact;
 break;
 case 'R':
 if (setrev || unsetrev)
 fatal("-R specified more than once");
 changed = ISC_TRUE;
- if (!strcasecmp(isc_commandline_argument, "none")) {
- unsetrev = ISC_TRUE;
- } else {
- setrev = ISC_TRUE;
- rev = strtotime(isc_commandline_argument,
- now, now);
- }
+ rev = strtotime(isc_commandline_argument,
+ now, now, &setrev);
+ unsetrev = !setrev;
 break;
 case 'I':
 if (setinact || unsetinact)
 fatal("-I specified more than once");
 changed = ISC_TRUE;
- if (!strcasecmp(isc_commandline_argument, "none")) {
- unsetinact = ISC_TRUE;
- } else {
- setinact = ISC_TRUE;
- inact = strtotime(isc_commandline_argument,
- now, now);
- }
+ inact = strtotime(isc_commandline_argument,
+ now, now, &setinact);
+ unsetinact = !setinact;
 break;
 case 'D':
 if (setdel || unsetdel)
 fatal("-D specified more than once");
 changed = ISC_TRUE;
- if (!strcasecmp(isc_commandline_argument, "none")) {
- unsetdel = ISC_TRUE;
- } else {
- setdel = ISC_TRUE;
- del = strtotime(isc_commandline_argument,
- now, now);
- }
+ del = strtotime(isc_commandline_argument,
+ now, now, &setdel);
+ unsetdel = !setdel;
 break;
 case 'S':
 predecessor = isc_commandline_argument;
diff --git a/bin/dnssec/dnssec-settime.docbook b/bin/dnssec/dnssec-settime.docbook
index f63c97179ac..bcaadceee6e 100644
--- a/bin/dnssec/dnssec-settime.docbook
+++ b/bin/dnssec/dnssec-settime.docbook
@@ -179,7 +179,7 @@
 then the offset is computed in years (defined as 365 24-hour days, ignoring leap years), months (defined as 30 24-hour days), weeks, days, hours, or minutes, respectively. Without a suffix, the offset
- is computed in seconds. To unset a date, use 'none'.
+ is computed in seconds. To unset a date, use 'none' or 'never'.
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index 6361daead0b..7b2f414e2a0 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -3365,17 +3365,18 @@ main(int argc, char *argv[]) {
 isc_stdtime_get(&now);
 if (startstr != NULL) {
- starttime = strtotime(startstr, now, now);
+ starttime = strtotime(startstr, now, now, NULL);
 } else
 starttime = now - 3600; /* Allow for some clock skew. */
 if (endstr != NULL)
- endtime = strtotime(endstr, now, starttime);
+ endtime = strtotime(endstr, now, starttime, NULL);
 else
 endtime = starttime + (30 * 24 * 60 * 60);
 if (dnskey_endstr != NULL) {
- dnskey_endtime = strtotime(dnskey_endstr, now, starttime);
+ dnskey_endtime = strtotime(dnskey_endstr, now, starttime,
+ NULL);
 if (endstr != NULL && dnskey_endtime == endtime)
 fprintf(stderr, "WARNING: -e and -X were both set, "
 "but have identical values.\n");
diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c
index 74698e1b17e..d8069bdbf9a 100644
--- a/bin/dnssec/dnssectool.c
+++ b/bin/dnssec/dnssectool.c
@@ -300,12 +300,21 @@ time_units(isc_stdtime_t offset, char *suffix, const char *str) {
 return(0); /* silence compiler warning */
 }
+static inline isc_boolean_t
+isnone(const char *str) {
+ return (ISC_TF((strcasecmp(str, "none") == 0) ||
+ (strcasecmp(str, "never") == 0)));
+}
+
 dns_ttl_t
 strtottl(const char *str) {
 const char *orig = str;
 dns_ttl_t ttl;
 char *endp;
+ if (isnone(str))
+ return ((dns_ttl_t) 0);
+
 ttl = strtol(str, &endp, 0);
 if (ttl == 0 && endp == str)
 fatal("TTL must be numeric");
@@ -314,13 +323,24 @@ strtottl(const char *str) {
 }
 isc_stdtime_t
-strtotime(const char *str, isc_int64_t now, isc_int64_t base) {
+strtotime(const char *str, isc_int64_t now, isc_int64_t base,
+ isc_boolean_t *setp)
+{
 isc_int64_t val, offset;
 isc_result_t result;
 const char *orig = str;
 char *endp;
 int n;
+ if (isnone(str)) {
+ if (setp != NULL)
+ *setp = ISC_FALSE;
+ return ((isc_stdtime_t) 0);
+ }
+
+ if (setp != NULL)
+ *setp = ISC_TRUE;
+
 if ((str[0] == '0' || str[0] == '-') && str[1] == '\0')
 return ((isc_stdtime_t) 0);
diff --git a/bin/dnssec/dnssectool.h b/bin/dnssec/dnssectool.h
index 09b4fb103b1..7449406cfc7 100644
--- a/bin/dnssec/dnssectool.h
+++ b/bin/dnssec/dnssectool.h
@@ -68,7 +68,8 @@ cleanup_entropy(isc_entropy_t **ectx);
 dns_ttl_t
 strtottl(const char *str);
 isc_stdtime_t
-strtotime(const char *str, isc_int64_t now, isc_int64_t base);
+strtotime(const char *str, isc_int64_t now, isc_int64_t base,
+ isc_boolean_t *setp);
 dns_rdataclass_t
 strtoclass(const char *str);
diff --git a/bin/tests/system/metadata/tests.sh b/bin/tests/system/metadata/tests.sh
index 73ceb25be33..28d5ac5740f 100644
--- a/bin/tests/system/metadata/tests.sh
+++ b/bin/tests/system/metadata/tests.sh
@@ -174,5 +174,22 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
+echo "I:checking correct behavior setting activation without publication date ($n)"
+ret=0
+key=`$KEYGEN -q -r $RANDFILE -A +1w $czone`
+pub=`$SETTIME -upP $key | awk '{print $2}'`
+act=`$SETTIME -upA $key | awk '{print $2}'`
+[ $pub -eq $act ] || ret=1
+key=`$KEYGEN -q -r $RANDFILE -A +1w -i 1d $czone`
+pub=`$SETTIME -upP $key | awk '{print $2}'`
+act=`$SETTIME -upA $key | awk '{print $2}'`
+[ $pub -lt $act ] || ret=1
+key=`$KEYGEN -q -r $RANDFILE -A +1w -P never $czone`
+pub=`$SETTIME -upP $key | awk '{print $2}'`
+[ $pub = "UNSET" ] || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:exit status: $status"
 exit $status
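Review bot: When `setp == NULL` the new isnone() branch returns 0 with no diagnostic, and the dnssec-signzone callers changed in this commit pass NULL for `-s`, `-e` and `-X`, so `-s never` or `-e none` now yields a signature inception or expiry of 0 (the epoch) where the old code fell through to its numeric parsing and failed. A caller that passes NULL has no way to represent "unset", so the words should be rejected for it rather than mapped to zero: `if (setp == NULL) fatal("'%s' is not a valid time", orig);` as the first statement inside the isnone() branch (orig is already declared in this function). strtotime()'s body continues past the end of the hunk.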