Kea 3.1.0
gss_tsig_cfg.cc
Go to the documentation of this file.
1// Copyright (C) 2021-2025 Internet Systems Consortium, Inc. ("ISC")
2//
3// This Source Code Form is subject to the terms of the Mozilla Public
4// License, v. 2.0. If a copy of the MPL was not distributed with this
5// file, You can obtain one at http://mozilla.org/MPL/2.0/.
6
7#include <config.h>
8
9#include <dns/name.h>
10#include <gss_tsig_cfg.h>
11#include <stats/stats_mgr.h>
12
13#include <limits>
14
15using namespace isc::asiodns;
16using namespace isc::asiolink;
17using namespace isc::d2;
18using namespace isc::data;
19using namespace isc::dhcp;
20using namespace isc::stats;
21using namespace std;
22
23namespace isc {
24namespace gss_tsig {
25
26const SimpleKeywords DnsServer::SERVER_PARAMETERS = {
27 { "id", Element::string },
28 { "domain-names", Element::list },
29 { "ip-address", Element::string },
30 { "port", Element::integer },
31 { "server-principal", Element::string },
32 { "client-principal", Element::string },
33 { "gss-replay-flag", Element::boolean },
34 { "gss-sequence-flag", Element::boolean },
35 { "tkey-lifetime", Element::integer },
36 { "rekey-interval", Element::integer },
37 { "retry-interval", Element::integer },
38 { "tkey-protocol", Element::string },
39 { "fallback", Element::boolean },
40 { "exchange-timeout", Element::integer },
41 { "user-context", Element::map },
42 { "comment", Element::string }
43};
44
45const list<string> DnsServer::STAT_NAMES = {
46 "gss-tsig-key-created",
47 "tkey-sent",
48 "tkey-success",
49 "tkey-timeout",
50 "tkey-error"
51};
52
53DnsServer::DnsServer(const string& id, const set<string>& domains,
54 const IOAddress& ip_address, uint16_t port)
55 : id_(id), domains_(domains), ip_address_(ip_address), port_(port),
56 server_infos_(), server_principal_(""), key_name_suffix_(""),
57 cred_principal_(""), gss_replay_flag_(true),
58 gss_sequence_flag_(false), tkey_lifetime_(DEFAULT_KEY_LIFETIME),
59 rekey_interval_(DEFAULT_REKEY_INTERVAL),
60 retry_interval_(DEFAULT_RETRY_INTERVAL), tkey_proto_(IOFetch::TCP),
61 fallback_(false), exchange_timeout_(DEFAULT_EXCHANGE_TIMEOUT), timer_() {
62 BOOST_STATIC_ASSERT(DEFAULT_REKEY_INTERVAL < DEFAULT_KEY_LIFETIME);
63 BOOST_STATIC_ASSERT(DEFAULT_RETRY_INTERVAL < DEFAULT_REKEY_INTERVAL);
64 initStats();
65}
66
67DnsServer::~DnsServer() {
68 removeStats();
69}
70
71void
72DnsServer::initStats() {
73 StatsMgr& stats_mgr = StatsMgr::instance();
74 for (auto const& name : DnsServer::STAT_NAMES) {
75 const string& sname = StatsMgr::generateName("server", id_, name);
76 stats_mgr.setValue(sname, static_cast<int64_t>(0));
77 }
78}
79
80void
81DnsServer::removeStats() {
82 StatsMgr& stats_mgr = StatsMgr::instance();
83 for (auto const& name : DnsServer::STAT_NAMES) {
84 const string& sname = StatsMgr::generateName("server", id_, name);
85 stats_mgr.del(sname);
86 }
87}
88
89void
90DnsServer::resetStats() {
91 StatsMgr& stats_mgr = StatsMgr::instance();
92 for (auto const& name : DnsServer::STAT_NAMES) {
93 const string& sname = StatsMgr::generateName("server", id_, name);
94 stats_mgr.reset(sname);
95 }
96}
97
98void
99DnsServer::buildKeyNameSuffix() {
100 string suffix = server_principal_;
101 size_t pos = suffix.find_first_of("/");
102 if (pos != string::npos) {
103 suffix = suffix.substr(pos + 1);
104 }
105 pos = suffix.find_last_of("@");
106 if (pos != string::npos) {
107 suffix = suffix.substr(0, pos);
108 }
109 if (suffix.empty()) {
110 isc_throw(BadValue, "can't get the GSS-TSIG key name suffix from "
111 << "the DNS server principal '" << server_principal_
112 << "'");
113 }
114 key_name_suffix_ = string("sig-") + suffix;
115 checkKeyNameSuffix();
116}
117
118void
119DnsServer::checkKeyNameSuffix() {
120 // 32 bits mean at most 10 digits
121 string tname = "1234567890." + key_name_suffix_;
122 try {
123 dns::Name dname(tname);
124 string nname = dname.toText();
125 size_t pos = nname.find_first_of(".");
126 if (pos != 10) {
127 isc_throw(Unexpected, "string to FQDN failed (dot at "
128 << pos << " instead 10)");
129 }
130 key_name_suffix_ = nname.substr(pos + 1);
131 } catch (const std::exception& ex) {
132 isc_throw(BadValue, "check of the GSS-TSIG key name suffix '"
133 << key_name_suffix_ << "' failed: " << ex.what());
134 }
135}
136
137void
138DnsServer::buildServerInfo(isc::d2::D2CfgContextPtr d2_config) {
139 if (!d2_config) {
140 isc_throw(D2CfgError, "empty D2 config");
141 }
142 if (!server_infos_.empty()) {
143 isc_throw(D2CfgError, "server info list is not empty");
144 }
145 set<string> seen;
146 DdnsDomainListMgrPtr d2_dom_mgr = d2_config->getForwardMgr();
147 DdnsDomainMapPtr d2_dom_map;
148 if (d2_dom_mgr) {
149 d2_dom_map = d2_dom_mgr->getDomains();
150 }
151 if (d2_dom_map) {
152 for (auto const& it : *d2_dom_map) {
153 if (!domains_.empty()) {
154 if (domains_.count(it.first) == 0) {
155 continue;
156 }
157 static_cast<void>(seen.insert(it.first));
158 }
159 buildServerInfo(it.second);
160 }
161 }
162 d2_dom_mgr = d2_config->getReverseMgr();
163 if (d2_dom_mgr) {
164 d2_dom_map = d2_dom_mgr->getDomains();
165 } else {
166 d2_dom_map = DdnsDomainMapPtr();
167 }
168 if (d2_dom_map) {
169 for (auto const& it : *d2_dom_map) {
170 if (!domains_.empty()) {
171 if (domains_.count(it.first) == 0) {
172 continue;
173 }
174 static_cast<void>(seen.insert(it.first));
175 }
176 buildServerInfo(it.second);
177 }
178 }
179 if (getServerInfos().empty()) {
180 isc_throw(NotFound, "server info can't be found");
181 }
182 if (!domains_.empty()) {
183 for (auto const& domain : domains_) {
184 if (seen.count(domain) == 0) {
185 isc_throw(NotFound, "domain '" << domain << "' can't be found");
186 }
187 }
188 }
189}
190
191void
192DnsServer::buildServerInfo(isc::d2::DdnsDomainPtr d2_dns_domain) {
193 if (!d2_dns_domain) {
194 return;
195 }
196 DnsServerInfoStoragePtr servers = d2_dns_domain->getServers();
197 if (!servers) {
198 return;
199 }
200 for (auto const& info : *servers) {
201 if (!info) {
202 continue;
203 }
204 if (!info->isEnabled()) {
205 continue;
206 }
207 if (info->getIpAddress() != getIpAddress()) {
208 continue;
209 }
210 if (info->getPort() != getPort()) {
211 continue;
212 }
213 addServerInfo(info);
214 }
215}
216
217ElementPtr
218DnsServer::toElement() const {
219 ElementPtr map = Element::createMap();
220
221 // Add user-context.
222 contextToElement(map);
223
224 // ID..
225 map->set("id", Element::create(getID()));
226
227 // Domains.
228 if (!domains_.empty()) {
229 ElementPtr domains = Element::createList();
230 for (auto const& domain : domains_) {
231 domains->add(Element::create(domain));
232 }
233 map->set("domain-names", domains);
234 }
235
236 // IP address.
237 map->set("ip-address", Element::create(ip_address_.toText()));
238
239 // Port.
240 map->set("port", Element::create(static_cast<int>(port_)));
241
242 // Server principal.
243 map->set("server-principal", Element::create(server_principal_));
244
245 // GSS-TSIG key name suffix.
246 map->set("key-name-suffix", Element::create(key_name_suffix_));
247
248 // Client principal.
249 if (!cred_principal_.empty()) {
250 map->set("client-principal", Element::create(cred_principal_));
251 }
252
253 // GSS (anti) replay flag.
254 map->set("gss-replay-flag", Element::create(gss_replay_flag_));
255
256 // GSS sequence flag.
257 map->set("gss-sequence-flag", Element::create(gss_sequence_flag_));
258
259 // TKEY lifetime.
260 map->set("tkey-lifetime",
261 Element::create(static_cast<long long>(tkey_lifetime_)));
262
263 // Rekey interval.
264 map->set("rekey-interval",
265 Element::create(static_cast<long long>(rekey_interval_)));
266
267 // Retry interval.
268 map->set("retry-interval",
269 Element::create(static_cast<long long>(retry_interval_)));
270
271 // TKEY protocol.
272 string proto = (tkey_proto_ == IOFetch::TCP ? "TCP" : "UDP");
273 map->set("tkey-protocol", Element::create(proto));
274
275 // Fallback.
276 map->set("fallback", Element::create(fallback_));
277
278 // TKEY exchange timeout.
279 map->set("exchange-timeout",
280 Element::create(static_cast<long long>(exchange_timeout_)));
281
282 return (map);
283}
284
285const SimpleKeywords GssTsigCfg::GLOBAL_PARAMETERS = {
286 { "server-principal", Element::string },
287 { "client-principal", Element::string },
288 { "client-keytab", Element::string },
289 { "credentials-cache", Element::string },
290 { "gss-replay-flag", Element::boolean },
291 { "gss-sequence-flag", Element::boolean },
292 { "tkey-lifetime", Element::integer },
293 { "rekey-interval", Element::integer },
294 { "retry-interval", Element::integer },
295 { "tkey-protocol", Element::string },
296 { "fallback", Element::boolean },
297 { "servers", Element::list },
298 { "user-context", Element::map },
299 { "comment", Element::string }
300};
301
302GssTsigCfg::GssTsigCfg()
303 : servers_(), servers_rev_map_(), client_keytab_(""), creds_cache_(""),
304 max_tkey_lifetime_(0) {
305}
306
309
310DnsServerPtr
311GssTsigCfg::getServer(const isc::d2::DnsServerInfoPtr& server_info) const {
312 auto candidate = servers_rev_map_.find(server_info);
313 if (candidate == servers_rev_map_.end()) {
314 return (DnsServerPtr());
315 }
316 return (candidate->second);
317}
318
319DnsServerPtr
320GssTsigCfg::getServer(const string& id) const {
321 auto const& index = servers_.template get<DnsServerIdTag>();
322 auto const it = index.find(id);
323 if (it == index.cend()) {
324 return (DnsServerPtr());
325 }
326 return (*it);
327}
328
329void
330GssTsigCfg::buildServerRevMap(D2CfgContextPtr d2_config) {
331 if (!servers_rev_map_.empty()) {
332 isc_throw(D2CfgError, "server reverse map is not empty");
333 }
334 for (auto const& server : getServerList()) {
335 server->buildServerInfo(d2_config);
336 for (auto const& info : server->getServerInfos()) {
337 if (servers_rev_map_.count(info) > 0) {
338 isc_throw(D2CfgError, "duplicate");
339 }
340 servers_rev_map_[info] = server;
341 }
342 }
343}
344
345void
346GssTsigCfg::configure(ConstElementPtr params) {
347 if (!params) {
348 isc_throw(BadValue, "gss_tsig parameters entry is mandatory");
349 }
350 if (params->getType() != Element::map) {
351 isc_throw(BadValue, "gss_tsig parameters entry must be a map");
352 }
353 try {
354 SimpleParser::checkKeywords(GLOBAL_PARAMETERS, params);
355 } catch(const DhcpConfigError& ex) {
356 isc_throw(BadValue, "gss_tsig " << ex.what() << " ("
357 << params->getPosition() << ")");
358 }
359
360 ConstElementPtr client_keytab = params->get("client-keytab");
361 if (client_keytab) {
362 setClientKeyTab(client_keytab->stringValue());
363 }
364
365 ConstElementPtr credentials_cache = params->get("credentials-cache");
366 if (credentials_cache) {
367 setCredsCache(credentials_cache->stringValue());
368 }
369
370 string retry_interval_origin = "default";
371 string retry_interval_location = "";
372 int64_t global_retry_val = DnsServer::DEFAULT_RETRY_INTERVAL;
373 ConstElementPtr global_retry_interval = params->get("retry-interval");
374 if (global_retry_interval) {
375 retry_interval_origin = "global";
376 retry_interval_location += " (";
377 retry_interval_location += global_retry_interval->getPosition().str();
378 retry_interval_location += ")";
379 global_retry_val = global_retry_interval->intValue();
380 if ((global_retry_val < 0) ||
381 (global_retry_val > numeric_limits<uint32_t>::max())) {
382 isc_throw(BadValue, "'retry-interval' parameter is out of "
383 "range [0.." << numeric_limits<uint32_t>::max()
384 << "]" << retry_interval_location);
385 }
386 }
387
388 string rekey_interval_origin = "default";
389 string rekey_interval_location = "";
390 int64_t global_rekey_val = DnsServer::DEFAULT_REKEY_INTERVAL;
391 ConstElementPtr global_rekey_interval = params->get("rekey-interval");
392 if (global_rekey_interval) {
393 rekey_interval_origin = "global";
394 rekey_interval_location += " (";
395 rekey_interval_location += global_rekey_interval->getPosition().str();
396 rekey_interval_location += ")";
397 global_rekey_val = global_rekey_interval->intValue();
398 if ((global_rekey_val < 0) ||
399 (global_rekey_val > numeric_limits<uint32_t>::max())) {
400 isc_throw(BadValue, "'rekey-interval' parameter is out of "
401 "range [0.." << numeric_limits<uint32_t>::max()
402 << "]" << rekey_interval_location);
403 }
404 }
405
406 string tkey_lifetime_origin = "default";
407 string tkey_lifetime_location = "";
408 int64_t global_tkey_lifetime_val = DnsServer::DEFAULT_KEY_LIFETIME;
409 ConstElementPtr global_tkey_lifetime = params->get("tkey-lifetime");
410 if (global_tkey_lifetime) {
411 tkey_lifetime_origin = "global";
412 tkey_lifetime_location += " (";
413 tkey_lifetime_location += global_tkey_lifetime->getPosition().str();
414 tkey_lifetime_location += ")";
415 global_tkey_lifetime_val = global_tkey_lifetime->intValue();
416 if ((global_tkey_lifetime_val < 0) ||
417 (global_tkey_lifetime_val > numeric_limits<uint32_t>::max())) {
418 isc_throw(BadValue, "'tkey-lifetime' parameter is out of "
419 "range [0.." << numeric_limits<uint32_t>::max()
420 << "]" << tkey_lifetime_location);
421 }
422 }
423
424 if (global_retry_val >= global_rekey_val) {
425 isc_throw(BadValue, "the " << retry_interval_origin
426 << " 'retry-interval' parameter"
427 << retry_interval_location << " must be smaller then the "
428 << rekey_interval_origin << " 'rekey-interval' parameter"
429 << retry_interval_location << ": range [0.."
430 << global_rekey_val << "]");
431 }
432
433 if (global_rekey_val >= global_tkey_lifetime_val) {
434 isc_throw(BadValue, "the " << rekey_interval_origin
435 << " 'rekey-interval' parameter"
436 << rekey_interval_location << " must be smaller than the "
437 << tkey_lifetime_origin << " 'tkey-lifetime' parameter"
438 << tkey_lifetime_location << ": range [0.."
439 << global_tkey_lifetime_val << "]");
440 }
441
442 ConstElementPtr global_tkey_proto = params->get("tkey-protocol");
443 if (global_tkey_proto) {
444 string val = global_tkey_proto->stringValue();
445 if ((val != "UDP") && (val != "TCP")) {
446 isc_throw(BadValue, "'tkey-protocol' parameter must be UDP "
447 "or TCP (" << global_tkey_proto->getPosition() << ")");
448 }
449 }
450
451 ConstElementPtr global_fallback = params->get("fallback");
452
453 ConstElementPtr global_tkey_timeout = params->get("exchange-timeout");
454 if (global_tkey_timeout) {
455 int64_t val = global_tkey_timeout->intValue();
456 if ((val < 0) || (val > numeric_limits<uint32_t>::max())) {
457 isc_throw(BadValue, "'exchange-timeout' parameter is out of "
458 "range [0.." << numeric_limits<uint32_t>::max()
459 << "] (" << global_tkey_timeout->getPosition() << ")");
460 }
461 }
462
463 ConstElementPtr servers = params->get("servers");
464 if (!servers) {
465 return;
466 }
467
468 uint32_t max_tkey_lifetime = 0;
469 for (auto const& map : servers->listValue()) {
470 if (!map) {
471 continue;
472 }
473 if (map->getType() != Element::map) {
474 isc_throw(BadValue, "'servers' parameter must be a list of "
475 "maps (" << map->getPosition() << ")");
476 }
477 try {
478 SimpleParser::checkKeywords(DnsServer::SERVER_PARAMETERS, map);
479 } catch (const DhcpConfigError& ex) {
480 isc_throw(BadValue, "gss_tsig server " << ex.what() << " ("
481 << map->getPosition() << ")");
482 }
483
484 ConstElementPtr id_elem = map->get("id");
485 if (!id_elem) {
486 isc_throw(BadValue, "'id' parameter is required in "
487 "gss_tsig server entry (" << map->getPosition() << ")");
488 }
489 const string& id = id_elem->stringValue();
490 if (id.empty()) {
491 isc_throw(BadValue, "'id' parameter must be not empty in "
492 "gss_tsig server entry (" << map->getPosition() << ")");
493 }
494 if (getServer(id)) {
495 isc_throw(BadValue, "'" << id << "' id is already used in "
496 "gss_tsig server entry (" << map->getPosition() << ")");
497 }
498
499 ConstElementPtr domains_list = map->get("domain-names");
500 set<string> domains;
501 if (domains_list && !domains_list->empty()) {
502 for (auto const& domain : domains_list->listValue()) {
503 if (!domain) {
504 continue;
505 }
506 if (domain->getType() != Element::string) {
507 isc_throw(BadValue, "gss_tsig server 'domain-names' list "
508 << "must contain only strings ("
509 << domain->getPosition() << ")");
510 }
511 // Ignore duplicates.
512 static_cast<void>(domains.insert(domain->stringValue()));
513 }
514 }
515
516 DnsServerPtr srv;
517 ConstElementPtr ip_address = map->get("ip-address");
518 if (!ip_address) {
519 isc_throw(BadValue, "'ip-address' parameter is required in "
520 "gss_tsig server entry (" << map->getPosition() << ")");
521 }
522 try {
523 IOAddress addr(ip_address->stringValue());
524 if (map->contains("port")) {
525 int64_t port(SimpleParser::getInteger(map, "port", 0,
526 numeric_limits<uint16_t>::max()));
527 srv.reset(new DnsServer(id, domains, addr,
528 static_cast<uint16_t>(port)));
529 } else {
530 srv.reset(new DnsServer(id, domains, addr));
531 }
532 } catch (const DhcpConfigError& ex) {
533 isc_throw(BadValue, "gss_tsig bad server entry: " << ex.what());
534 } catch (const std::exception& ex) {
535 isc_throw(BadValue, "gss_tsig bad server entry: " << ex.what()
536 << " (" << map->getPosition() << ")");
537 }
538
539 ConstElementPtr server_principal = map->get("server-principal");
540 bool server_principal_global = false;
541 if (!server_principal) {
542 server_principal = params->get("server-principal");
543 server_principal_global = true;
544 }
545 if (!server_principal) {
546 isc_throw(BadValue, "'server-principal' parameter is required in "
547 "gss_tsig server entry (" << map->getPosition() << ")");
548 }
549 srv->setServerPrincipal(server_principal->stringValue());
550 try {
551 srv->buildKeyNameSuffix();
552 } catch (const std::exception& ex) {
553 if (server_principal_global) {
554 isc_throw(BadValue, "gss_tsig bad server-principal parameter: "
555 << ex.what() << " ("
556 << server_principal->getPosition() << ")");
557 } else {
558 isc_throw(BadValue, "gss_tsig bad server entry: " << ex.what()
559 << " (" << server_principal->getPosition() << ")");
560 }
561 }
562
563 ConstElementPtr gss_replay_flag = map->get("gss-replay-flag");
564 if (!gss_replay_flag) {
565 gss_replay_flag = params->get("gss-replay-flag");
566 }
567 if (gss_replay_flag) {
568 srv->setGssReplayFlag(gss_replay_flag->boolValue());
569 }
570
571 ConstElementPtr gss_sequence_flag = map->get("gss-sequence-flag");
572 if (!gss_sequence_flag) {
573 gss_sequence_flag = params->get("gss-sequence-flag");
574 }
575 if (gss_sequence_flag) {
576 srv->setGssSequenceFlag(gss_sequence_flag->boolValue());
577 }
578
579 ConstElementPtr cred_principal = map->get("client-principal");
580 if (!cred_principal) {
581 cred_principal = params->get("client-principal");
582 }
583 if (cred_principal) {
584 srv->setClientPrincipal(cred_principal->stringValue());
585 }
586
587 retry_interval_location = "";
588 ConstElementPtr retry_interval = map->get("retry-interval");
589 if (!retry_interval) {
590 retry_interval = global_retry_interval;
591 } else {
592 retry_interval_origin = "server";
593 }
594 int64_t retry_val = DnsServer::DEFAULT_RETRY_INTERVAL;
595 if (retry_interval) {
596 retry_interval_location += " (";
597 retry_interval_location += retry_interval->getPosition().str();
598 retry_interval_location += ")";
599 retry_val = retry_interval->intValue();
600 if ((retry_val < 0) ||
601 (retry_val > numeric_limits<uint32_t>::max())) {
602 isc_throw(BadValue, "'retry-interval' parameter is out of "
603 "range [0.." << numeric_limits<uint32_t>::max()
604 << "]" << retry_interval_location);
605 }
606 srv->setRetryInterval(retry_val);
607 }
608
609 rekey_interval_location = "";
610 ConstElementPtr rekey_interval = map->get("rekey-interval");
611 if (!rekey_interval) {
612 rekey_interval = global_rekey_interval;
613 } else {
614 rekey_interval_origin = "server";
615 }
616 int64_t rekey_val = DnsServer::DEFAULT_REKEY_INTERVAL;
617 if (rekey_interval) {
618 rekey_interval_location += " (";
619 rekey_interval_location += rekey_interval->getPosition().str();
620 rekey_interval_location += ")";
621 rekey_val = rekey_interval->intValue();
622 if ((rekey_val < 0) ||
623 (rekey_val > numeric_limits<uint32_t>::max())) {
624 isc_throw(BadValue, "'rekey-interval' parameter is out of "
625 "range [0.." << numeric_limits<uint32_t>::max()
626 << "]" << rekey_interval_location);
627 }
628 srv->setRekeyInterval(rekey_val);
629 }
630
631 tkey_lifetime_location = "";
632 ConstElementPtr tkey_lifetime = map->get("tkey-lifetime");
633 if (!tkey_lifetime) {
634 tkey_lifetime = global_tkey_lifetime;
635 } else {
636 tkey_lifetime_origin = "server";
637 }
638 int64_t tkey_lifetime_val = DnsServer::DEFAULT_KEY_LIFETIME;
639 if (tkey_lifetime) {
640 tkey_lifetime_location += " (";
641 tkey_lifetime_location += tkey_lifetime->getPosition().str();
642 tkey_lifetime_location += ")";
643 tkey_lifetime_val = tkey_lifetime->intValue();
644 if ((tkey_lifetime_val < 0) ||
645 (tkey_lifetime_val > numeric_limits<uint32_t>::max())) {
646 isc_throw(BadValue, "'tkey-lifetime' parameter is out of "
647 "range [0.." << numeric_limits<uint32_t>::max()
648 << "]" << tkey_lifetime_location);
649 }
650 srv->setKeyLifetime(tkey_lifetime_val);
651 }
652 if (tkey_lifetime_val > max_tkey_lifetime) {
653 max_tkey_lifetime = tkey_lifetime_val;
654 }
655
656 if (retry_val >= rekey_val) {
657 isc_throw(BadValue, "the " << retry_interval_origin
658 << " 'retry-interval' parameter"
659 << retry_interval_location << " must be smaller then the "
660 << rekey_interval_origin << " 'rekey-interval' parameter"
661 << retry_interval_location << ": range [0.."
662 << rekey_val << "]");
663 }
664
665 if (rekey_val >= tkey_lifetime_val) {
666 isc_throw(BadValue, "the " << rekey_interval_origin
667 << " 'rekey-interval' parameter"
668 << rekey_interval_location << " must be smaller than the "
669 << tkey_lifetime_origin << " 'tkey-lifetime' parameter"
670 << tkey_lifetime_location << ": range [0.."
671 << tkey_lifetime_val << "]");
672 }
673
674 ConstElementPtr tkey_proto = map->get("tkey-protocol");
675 if (!tkey_proto) {
676 tkey_proto = global_tkey_proto;
677 }
678 if (tkey_proto) {
679 string val = tkey_proto->stringValue();
680 if (val == "UDP") {
681 srv->setKeyProto(IOFetch::UDP);
682 } else if (val == "TCP") {
683 srv->setKeyProto(IOFetch::TCP);
684 } else {
685 isc_throw(BadValue, "'tkey-protocol' parameter must be UDP "
686 "or TCP (" << tkey_proto->getPosition() << ")");
687 }
688 }
689
690 ConstElementPtr fallback = map->get("fallback");
691 if (!fallback) {
692 fallback = global_fallback;
693 }
694 if (fallback) {
695 srv->setFallback(fallback->boolValue());
696 }
697
698 ConstElementPtr tkey_timeout = params->get("exchange-timeout");
699 if (!tkey_timeout) {
700 tkey_timeout = global_tkey_timeout;
701 }
702 if (tkey_timeout) {
703 int64_t val = tkey_timeout->intValue();
704 if ((val < 0) || (val > numeric_limits<uint32_t>::max())) {
705 isc_throw(BadValue, "'exchange-timeout' parameter is out of "
706 "range [0.." << numeric_limits<uint32_t>::max()
707 << "] (" << tkey_timeout->getPosition() << ")");
708 }
709 srv->setExchangeTimeout(val);
710 }
711
712 addServer(srv);
713 }
714 setMaxKeyLifetime(max_tkey_lifetime);
715}
716
717} // end of namespace isc::gss_tsig
718} // end of namespace isc
Element::create
static ElementPtr create(const Position &pos=ZERO_POSITION())
Definition data.cc:249
Element::map
@ map
Definition data.h:147
Element::integer
@ integer
Definition data.h:140
Element::boolean
@ boolean
Definition data.h:142
Element::list
@ list
Definition data.h:146
Element::string
@ string
Definition data.h:144
Element::createMap
static ElementPtr createMap(const Position &pos=ZERO_POSITION())
Creates an empty MapElement type ElementPtr.
Definition data.cc:304
Element::createList
static ElementPtr createList(const Position &pos=ZERO_POSITION())
Creates an empty ListElement type ElementPtr.
Definition data.cc:299
isc::BadValue
A generic exception that is thrown if a parameter given to a method is considered invalid in that con...
Definition exceptions/exceptions.h:132
isc::Exception::what
virtual const char * what() const
Returns a C-style character string of the cause of the exception.
Definition exceptions/exceptions.cc:32
isc::NotFound
A generic exception that is thrown when an object can not be found.
Definition exceptions/exceptions.h:175
isc::Unexpected
A generic exception that is thrown when an unexpected error condition occurs.
Definition exceptions/exceptions.h:153
isc::asiodns::IOFetch
Upstream Fetch Processing.
Definition io_fetch.h:33
isc::d2::D2CfgError
Exception thrown when the error during configuration handling occurs.
Definition d2_config.h:136
isc::data::SimpleParser::checkKeywords
static void checkKeywords(const SimpleKeywords &keywords, isc::data::ConstElementPtr scope)
Checks acceptable keywords with their expected type.
Definition lib/cc/simple_parser.cc:35
isc::data::SimpleParser::getInteger
static int64_t getInteger(isc::data::ConstElementPtr scope, const std::string &name)
Returns an integer parameter from a scope.
Definition lib/cc/simple_parser.cc:77
isc::dhcp::DhcpConfigError
To be removed. Please use ConfigError instead.
Definition dhcp_config_error.h:58
isc::dns::Name
The Name class encapsulates DNS names.
Definition name.h:219
isc::dns::Name::toText
std::string toText(bool omit_final_dot=false) const
Convert the Name to a string.
Definition name.cc:503
isc::gss_tsig::DnsServer
GSS-TSIG hook configuration for a server.
Definition gss_tsig_cfg.h:33
isc::gss_tsig::DnsServer::STAT_NAMES
static const std::list< std::string > STAT_NAMES
Server TKEY exchange statistics names.
Definition gss_tsig_cfg.h:45
isc::gss_tsig::DnsServer::checkKeyNameSuffix
void checkKeyNameSuffix()
Check and fix the GSS-TSIG key name suffix.
Definition gss_tsig_cfg.cc:119
isc::gss_tsig::DnsServer::SERVER_PARAMETERS
static const isc::data::SimpleKeywords SERVER_PARAMETERS
This table defines all server parameters.
Definition gss_tsig_cfg.h:36
isc::gss_tsig::DnsServer::resetStats
virtual void resetStats()
Reset statistics.
Definition gss_tsig_cfg.cc:90
isc::gss_tsig::DnsServer::getPort
uint16_t getPort() const
Get the server port.
Definition gss_tsig_cfg.h:99
isc::gss_tsig::DnsServer::~DnsServer
virtual ~DnsServer()
Destructor.
Definition gss_tsig_cfg.cc:67
isc::gss_tsig::DnsServer::getServerInfos
const isc::d2::DnsServerInfoStorage & getServerInfos() const
Get the server info list.
Definition gss_tsig_cfg.h:106
isc::gss_tsig::DnsServer::DnsServer
DnsServer(const std::string &id, const std::set< std::string > &domains, const isc::asiolink::IOAddress &ip_address, uint16_t port=isc::d2::DnsServerInfo::STANDARD_DNS_PORT)
Constructor.
Definition gss_tsig_cfg.cc:53
isc::gss_tsig::DnsServer::buildKeyNameSuffix
void buildKeyNameSuffix()
Build the GSS-TSIG key name suffix.
Definition gss_tsig_cfg.cc:99
isc::gss_tsig::DnsServer::getID
std::string getID() const
Get the ID.
Definition gss_tsig_cfg.h:71
isc::gss_tsig::DnsServer::addServerInfo
void addServerInfo(isc::d2::DnsServerInfoPtr server_info)
Add a server info to the list.
Definition gss_tsig_cfg.h:113
isc::gss_tsig::DnsServer::DEFAULT_REKEY_INTERVAL
static constexpr size_t DEFAULT_REKEY_INTERVAL
The rekey timer interval (expressed in seconds).
Definition gss_tsig_cfg.h:321
isc::gss_tsig::DnsServer::toElement
isc::data::ElementPtr toElement() const
Unparse a DNS server object.
Definition gss_tsig_cfg.cc:218
isc::gss_tsig::DnsServer::getIpAddress
const isc::asiolink::IOAddress & getIpAddress() const
Get the server IP address.
Definition gss_tsig_cfg.h:85
isc::gss_tsig::DnsServer::DEFAULT_KEY_LIFETIME
static constexpr size_t DEFAULT_KEY_LIFETIME
The default TKEY lifetime (expressed in seconds).
Definition gss_tsig_cfg.h:316
isc::gss_tsig::DnsServer::DEFAULT_EXCHANGE_TIMEOUT
static constexpr size_t DEFAULT_EXCHANGE_TIMEOUT
The default TKEY exchange timeout (expressed in milliseconds).
Definition gss_tsig_cfg.h:331
isc::gss_tsig::DnsServer::DEFAULT_RETRY_INTERVAL
static constexpr size_t DEFAULT_RETRY_INTERVAL
The retry timer interval (expressed in seconds).
Definition gss_tsig_cfg.h:326
isc::gss_tsig::DnsServer::buildServerInfo
void buildServerInfo(isc::d2::D2CfgContextPtr d2_config)
Convert the list of DNS domains to the server info list.
Definition gss_tsig_cfg.cc:138
isc::gss_tsig::GssTsigCfg::getServerList
const DnsServerList & getServerList() const
Get the DNS server list.
Definition gss_tsig_cfg.h:444
isc::gss_tsig::GssTsigCfg::GssTsigCfg
GssTsigCfg()
Constructor.
Definition gss_tsig_cfg.cc:302
isc::gss_tsig::GssTsigCfg::~GssTsigCfg
virtual ~GssTsigCfg()
Destructor.
Definition gss_tsig_cfg.cc:307
isc::gss_tsig::GssTsigCfg::getServer
DnsServerPtr getServer(const isc::d2::DnsServerInfoPtr &server_info) const
Get the DNS server from a server info.
Definition gss_tsig_cfg.cc:311
isc::gss_tsig::GssTsigCfg::setClientKeyTab
void setClientKeyTab(const std::string &client_keytab)
Set the client key table specification.
Definition gss_tsig_cfg.h:497
isc::gss_tsig::GssTsigCfg::setCredsCache
void setCredsCache(const std::string &creds_cache)
Set the credentials cache specification.
Definition gss_tsig_cfg.h:511
isc::gss_tsig::GssTsigCfg::buildServerRevMap
void buildServerRevMap(isc::d2::D2CfgContextPtr d2_config)
Build the reverse map.
Definition gss_tsig_cfg.cc:330
isc::gss_tsig::GssTsigCfg::configure
void configure(isc::data::ConstElementPtr params)
Configure.
Definition gss_tsig_cfg.cc:346
isc::gss_tsig::GssTsigCfg::GLOBAL_PARAMETERS
static const isc::data::SimpleKeywords GLOBAL_PARAMETERS
This table defines all global parameters.
Definition gss_tsig_cfg.h:433
isc::gss_tsig::GssTsigCfg::setMaxKeyLifetime
void setMaxKeyLifetime(uint32_t max_tkey_lifetime)
Set the maximum TKEY lifetime.
Definition gss_tsig_cfg.h:531
isc::gss_tsig::GssTsigCfg::addServer
void addServer(DnsServerPtr server)
Add a DNS server to the list.
Definition gss_tsig_cfg.h:453
isc::stats::StatsMgr
Statistics Manager class.
Definition lib/stats/stats_mgr.h:65
isc::stats::StatsMgr::instance
static StatsMgr & instance()
Statistics Manager accessor method.
Definition lib/stats/stats_mgr.cc:30
isc::stats::StatsMgr::generateName
static std::string generateName(const std::string &context, Type index, const std::string &stat_name)
Generates statistic name in a given context.
Definition lib/stats/stats_mgr.h:298
isc_throw
#define isc_throw(type, stream)
A shortcut macro to insert known values into exception arguments.
Definition exceptions/exceptions.h:210
isc::stats::StatsMgr::reset
bool reset(const std::string &name)
Resets specified statistic.
Definition lib/stats/stats_mgr.cc:239
isc::stats::StatsMgr::del
bool del(const std::string &name)
Removes specified statistic.
Definition lib/stats/stats_mgr.cc:255
isc::stats::StatsMgr::setValue
void setValue(const std::string &name, const int64_t value)
Records absolute integer observation.
Definition lib/stats/stats_mgr.cc:40
get
int get(CalloutHandle &handle)
The gss-tsig-get command.
Definition gss_tsig_callouts.cc:47
gss_tsig_cfg.h
stats_mgr.h
isc::d2::DdnsDomainListMgrPtr
boost::shared_ptr< DdnsDomainListMgr > DdnsDomainListMgrPtr
Defines a pointer for DdnsDomain instances.
Definition d2_cfg_mgr.h:175
isc::d2::DdnsDomainPtr
boost::shared_ptr< DdnsDomain > DdnsDomainPtr
Defines a pointer for DdnsDomain instances.
Definition d2_config.h:624
isc::d2::DdnsDomainMapPtr
boost::shared_ptr< DdnsDomainMap > DdnsDomainMapPtr
Defines a pointer to DdnsDomain storage containers.
Definition d2_config.h:633
isc::d2::DnsServerInfoPtr
boost::shared_ptr< DnsServerInfo > DnsServerInfoPtr
Defines a pointer for DnsServerInfo instances.
Definition d2_config.h:554
isc::d2::D2CfgContextPtr
boost::shared_ptr< D2CfgContext > D2CfgContextPtr
Pointer to a configuration context.
Definition d2_cfg_mgr.h:26
isc::d2::DnsServerInfoStoragePtr
boost::shared_ptr< DnsServerInfoStorage > DnsServerInfoStoragePtr
Defines a pointer to DnsServerInfo storage containers.
Definition d2_config.h:560
isc::data::ConstElementPtr
boost::shared_ptr< const Element > ConstElementPtr
Definition data.h:29
isc::data::ElementPtr
boost::shared_ptr< Element > ElementPtr
Definition data.h:28
isc::data::SimpleKeywords
std::map< std::string, isc::data::Element::types > SimpleKeywords
This specifies all accepted keywords with their types.
Definition lib/cc/simple_parser.h:36
isc::db::info
@ info
Definition db_log.h:120
isc::gss_tsig
Definition gss_tsig_api.cc:17
isc::gss_tsig::DnsServerPtr
boost::shared_ptr< DnsServer > DnsServerPtr
A pointer to a DNS server.
Definition gss_tsig_cfg.h:399
isc
Defines the logger used by the top-level component of kea-lfc.
Definition agent_parser.cc:148
isc::data::UserContext::contextToElement
void contextToElement(data::ElementPtr map) const
Merge unparse a user_context object.
Definition user_context.cc:15