dnssec: clean NSEC3 parameters in policy and zone

src/dnssec/lib/dnssec/kasp.h

@@ -150,7 +150,9 @@ typedef struct dnssec_kasp_zone {
 	char *policy;
 
 	dnssec_list_t *keys;
-	dnssec_binary_t *nsec3_salt;
+
+	dnssec_binary_t nsec3_salt;
+	time_t nsec3_salt_created;
 } dnssec_kasp_zone_t;
 
 /*!
@@ -302,8 +304,9 @@ typedef struct dnssec_kasp_policy {
 	uint32_t rrsig_refresh_before;
 	// NSEC3
 	bool nsec3_enabled;
-	uint32_t nsec3_resalt;
-	dnssec_nsec3_params_t nsec3_params;
+	uint32_t nsec3_salt_lifetime;
+	uint16_t nsec3_iterations;
+	uint8_t nsec3_salt_length;
 	// SOA
 	uint32_t soa_minimal_ttl;
 	// zone

src/dnssec/lib/kasp/dir/zone.c

@@ -282,8 +282,8 @@ static int export_zone_config(const dnssec_kasp_zone_t *zone, json_t **config_pt
 	}
 
 	_json_cleanup_ json_t *salt = NULL;
-	if (zone->nsec3_salt) {
-		r = encode_binary(zone->nsec3_salt, &salt);
+	if (zone->nsec3_salt.data) {
+		r = encode_binary(&zone->nsec3_salt, &salt);
 		if (r != DNSSEC_EOK) {
 			return r;
 		}
@@ -291,13 +291,22 @@ static int export_zone_config(const dnssec_kasp_zone_t *zone, json_t **config_pt
 		salt = json_null();
 	}
 
+	_json_cleanup_ json_t *salt_created = NULL;
+	r = encode_time(&zone->nsec3_salt_created, &salt_created);
+	if (r != DNSSEC_EOK) {
+		return DNSSEC_ENOMEM;
+	}
+
 	_json_cleanup_ json_t *policy = zone->policy ? json_string(zone->policy) : json_null();
 	if (!policy) {
 		return DNSSEC_ENOMEM;
 	}
 
-	json_t *config = json_pack("{sOsOsO}", "policy", policy,
-				   "nsec3_salt", salt, "keys", keys);
+	json_t *config = json_pack("{sOsOsOsO}",
+				   "policy", policy,
+				   "nsec3_salt", salt,
+				   "nsec3_salt_created", salt_created,
+				   "keys", keys);
 	if (!config) {
 		return DNSSEC_ENOMEM;
 	}
@@ -322,21 +331,24 @@ static int parse_zone_config(dnssec_kasp_zone_t *zone, json_t *config)
 		}
 	}
 
-	// get nsec3_salt
+	// get NSEC3 salt
 
-	dnssec_binary_t *salt = NULL;
+	dnssec_binary_t salt = { 0 };
 	json_t *json_salt = json_object_get(config, "nsec3_salt");
 	if (json_salt && !json_is_null(json_salt)) {
-		salt = malloc(sizeof(*salt));
-		if (!salt) {
+		int r = decode_binary(json_salt, &salt);
+		if (r != DNSSEC_EOK) {
 			free(policy);
-			return DNSSEC_ENOMEM;
+			return r;
 		}
-		clear_struct(salt);
+	}
 
-		int r = decode_binary(json_salt, salt);
+	time_t salt_created = 0;
+	json_t *json_salt_created = json_object_get(config, "nsec3_salt_created");
+	if (json_salt_created && !json_is_null(json_salt_created)) {
+		int r = decode_time(json_salt_created, &salt_created);
 		if (r != DNSSEC_EOK) {
-			free(salt);
+			dnssec_binary_free(&salt);
 			free(policy);
 			return r;
 		}
@@ -348,8 +360,7 @@ static int parse_zone_config(dnssec_kasp_zone_t *zone, json_t *config)
 	json_t *json_keys = json_object_get(config, "keys");
 	int r = load_zone_keys(zone->dname, &keys, json_keys);
 	if (r != DNSSEC_EOK) {
-		dnssec_binary_free(salt);
-		free(salt);
+		dnssec_binary_free(&salt);
 		free(policy);
 		return r;
 	}
@@ -357,7 +368,9 @@ static int parse_zone_config(dnssec_kasp_zone_t *zone, json_t *config)
 	// store the result
 
 	zone->policy = policy;
+	dnssec_binary_free(&zone->nsec3_salt);
 	zone->nsec3_salt = salt;
+	zone->nsec3_salt_created = salt_created;
 	kasp_zone_keys_free(zone->keys);
 	zone->keys = keys;
 

src/dnssec/lib/kasp/policy.c

@@ -94,7 +94,6 @@ void dnssec_kasp_policy_free(dnssec_kasp_policy_t *policy)
 
 	free(policy->name);
 	free(policy->keystore);
-	dnssec_nsec3_params_free(&policy->nsec3_params);
 	free(policy);
 }
 

src/dnssec/lib/kasp/zone.c

@@ -82,8 +82,7 @@ void dnssec_kasp_zone_free(dnssec_kasp_zone_t *zone)
 	free(zone->dname);
 	free(zone->name);
 	free(zone->policy);
-	dnssec_binary_free(zone->nsec3_salt);
-	free(zone->nsec3_salt);
+	dnssec_binary_free(&zone->nsec3_salt);
 
 	free(zone);
 }