41#include <libxml/tree.h>
42#include <libxml/parser.h>
43#include <libxml/xpath.h>
44#include <libxml/xpathInternals.h>
45#include <libxml/relaxng.h>
47#define StrFree(ptr) {if(ptr != NULL) {free(ptr); (ptr) = NULL;}}
51void log_init(
int facility,
const char *program_name)
53 openlog(program_name, 0, facility);
57#pragma GCC diagnostic push
58#pragma GCC diagnostic ignored "-Wformat-nonliteral"
64 va_start(args, format);
67 if (strncmp(format,
"ERROR:", 6) == 0) {
68 vsyslog(LOG_ERR, format, args);
69 }
else if (strncmp(format,
"WARNING:", 8) == 0) {
70 vsyslog(LOG_WARNING, format, args);
71 }
else if (strncmp(format,
"DEBUG:", 6) == 0) {
72 vsyslog(LOG_DEBUG, format, args);
74 vsyslog(LOG_INFO, format, args);
78 vprintf(format, args2);
85#pragma GCC diagnostic pop
88int check_rng(
const char *filename,
const char *rngfilename,
int verbose)
91 xmlDocPtr rngdoc = NULL;
92 xmlRelaxNGParserCtxtPtr rngpctx = NULL;
93 xmlRelaxNGValidCtxtPtr rngctx = NULL;
94 xmlRelaxNGPtr schema = NULL;
97 dual_log(
"DEBUG: About to check XML validity in %s with %s",
98 filename, rngfilename);
102 doc = xmlParseFile(filename);
104 dual_log(
"ERROR: unable to parse file \"%s\"", filename);
112 rngdoc = xmlParseFile(rngfilename);
113 if (rngdoc == NULL) {
114 dual_log(
"ERROR: unable to parse file \"%s\"", rngfilename);
124 rngpctx = xmlRelaxNGNewDocParserCtxt(rngdoc);
125 if (rngpctx == NULL) {
126 dual_log(
"ERROR: unable to create XML RelaxNGs parser context");
134 xmlRelaxNGSetParserErrors(rngpctx,
135 (xmlRelaxNGValidityErrorFunc) fprintf,
136 (xmlRelaxNGValidityWarningFunc) fprintf,
141 schema = xmlRelaxNGParse(rngpctx);
142 if (schema == NULL) {
143 dual_log(
"ERROR: unable to parse a schema definition resource");
145 xmlRelaxNGFreeParserCtxt(rngpctx);
153 rngctx = xmlRelaxNGNewValidCtxt(schema);
154 if (rngctx == NULL) {
155 dual_log(
"ERROR: unable to create RelaxNGs validation context based on the schema");
157 xmlRelaxNGFree(schema);
158 xmlRelaxNGFreeParserCtxt(rngpctx);
165 xmlRelaxNGSetValidErrors(rngctx,
166 (xmlRelaxNGValidityErrorFunc) fprintf,
167 (xmlRelaxNGValidityWarningFunc) fprintf,
171 if (xmlRelaxNGValidateDoc(rngctx,doc) != 0) {
172 dual_log(
"ERROR: %s fails to validate", filename);
174 xmlRelaxNGFreeValidCtxt(rngctx);
175 xmlRelaxNGFree(schema);
176 xmlRelaxNGFreeParserCtxt(rngpctx);
183 xmlRelaxNGFreeValidCtxt(rngctx);
184 xmlRelaxNGFree(schema);
185 xmlRelaxNGFreeParserCtxt(rngpctx);
192int check_file(
const char *filename,
const char *log_string) {
193 struct stat stat_ret;
195 if (stat(filename, &stat_ret) != 0) {
197 if (errno != ENOENT) {
198 dual_log(
"ERROR: cannot stat file %s: %s",
199 filename, strerror(errno));
203 dual_log(
"ERROR: %s (%s) does not exist", log_string, filename);
207 if (S_ISREG(stat_ret.st_mode)) {
212 dual_log(
"ERROR: %s (%s) does not exist", log_string, filename);
218 xmlXPathObjectPtr xpath_obj;
219 char* temp_char = NULL;
222 xpath_obj = xmlXPathEvalExpression(file_xexpr, xpath_ctx);
223 if(xpath_obj == NULL) {
224 dual_log(
"ERROR: unable to evaluate xpath expression: %s", file_xexpr);
227 if (xpath_obj->nodesetval != NULL && xpath_obj->nodesetval->nodeNr > 0) {
228 temp_char = (
char*) xmlXPathCastToString(xpath_obj);
231 str = strrchr(temp_char,
' ');
241 xmlXPathFreeObject(xpath_obj);
245 xmlXPathFreeObject(xpath_obj);
249int check_path(
const char *pathname,
const char *log_string) {
250 struct stat stat_ret;
252 if (stat(pathname, &stat_ret) != 0) {
253 if (errno != ENOENT) {
254 dual_log(
"ERROR: cannot stat directory %s: %s",
255 pathname, strerror(errno));
259 dual_log(
"ERROR: %s (%s) does not exist", log_string, pathname);
263 if (S_ISDIR(stat_ret.st_mode)) {
268 dual_log(
"ERROR: %s (%s) is not a directory", log_string, pathname);
274 xmlXPathObjectPtr xpath_obj;
275 char* temp_char = NULL;
277 xpath_obj = xmlXPathEvalExpression(path_xexpr, xpath_ctx);
278 if(xpath_obj == NULL) {
279 dual_log(
"ERROR: unable to evaluate xpath expression: %s", path_xexpr);
282 if (xpath_obj->nodesetval != NULL && xpath_obj->nodesetval->nodeNr > 0) {
283 temp_char = (
char*) xmlXPathCastToString(xpath_obj);
290 xmlXPathFreeObject(xpath_obj);
294 xmlXPathFreeObject(xpath_obj);
298int check_user_group(xmlXPathContextPtr xpath_ctx,
const xmlChar *user_xexpr,
const xmlChar *group_xexpr) {
300 xmlXPathObjectPtr xpath_obj;
301 char* temp_char = NULL;
307 xpath_obj = xmlXPathEvalExpression(group_xexpr, xpath_ctx);
308 if(xpath_obj == NULL) {
309 dual_log(
"ERROR: unable to evaluate xpath expression: %s", group_xexpr);
312 if (xpath_obj->nodesetval != NULL && xpath_obj->nodesetval->nodeNr > 0) {
313 temp_char = (
char*) xmlXPathCastToString(xpath_obj);
315 if ((grp = getgrnam(temp_char)) == NULL) {
316 dual_log(
"ERROR: Group '%s' does not exist", temp_char);
323 xmlXPathFreeObject(xpath_obj);
326 xpath_obj = xmlXPathEvalExpression(user_xexpr, xpath_ctx);
327 if(xpath_obj == NULL) {
328 dual_log(
"ERROR: unable to evaluate xpath expression: %s", user_xexpr);
331 if (xpath_obj->nodesetval != NULL && xpath_obj->nodesetval->nodeNr > 0) {
332 temp_char = (
char*) xmlXPathCastToString(xpath_obj);
334 if ((pwd = getpwnam(temp_char)) == NULL) {
335 dual_log(
"ERROR: User '%s' does not exist", temp_char);
343 xmlXPathFreeObject(xpath_obj);
348int check_time_def(
const char *time_expr,
const char *location,
const char *field,
const char *filename,
int* interval) {
355 dual_log(
"WARNING: In %s M used in duration field for %s (%s) in %s - this will be interpreted as 31 days", location, field, time_expr, filename);
358 dual_log(
"WARNING: In %s Y used in duration field for %s (%s) in %s - this will be interpreted as 365 days", location, field, time_expr, filename);
361 dual_log(
"WARNING: In %s M & Y used in duration field for %s (%s) in %s - these will be interpreted as 31 and 365 days respectively", location, field, time_expr, filename);
364 dual_log(
"ERROR: unable to translate %s (%s) to seconds.", field, time_expr);
367 dual_log(
"ERROR: %s (%s) too long to be an int. E.g. Maximum is ~68 years on a system with 32-bit integers.", field, time_expr);
370 dual_log(
"ERROR: invalid pointers or text string NULL in %s (%s).", field, time_expr);
373 dual_log(
"ERROR: unknown error converting %s (%s) to seconds", field, time_expr);
385int check_time_def_from_xpath(xmlXPathContextPtr xpath_ctx,
const xmlChar *time_xexpr,
const char *location,
const char *field,
const char *filename) {
387 xmlXPathObjectPtr xpath_obj;
388 char* temp_char = NULL;
392 xpath_obj = xmlXPathEvalExpression(time_xexpr, xpath_ctx);
393 if(xpath_obj == NULL) {
394 dual_log(
"ERROR: unable to evaluate xpath expression: %s", time_xexpr);
397 if (xpath_obj->nodesetval != NULL && xpath_obj->nodesetval->nodeNr > 0) {
398 temp_char = (
char *)xmlXPathCastToString(xpath_obj);
399 status +=
check_time_def(temp_char, location, field, filename, &ignore);
403 xmlXPathFreeObject(xpath_obj);
411 char* temp_char = NULL;
417 int resigns_per_day = 0;
434 int smallest_key_size = 0;
437 enum {KSK = 1, ZSK, CSK};
446 struct key *tmpkey, *firstkey = NULL, *curkey = NULL;
452 if (xmlStrEqual(curNode->name, (
const xmlChar *)
"Signatures")) {
453 childNode = curNode->children;
455 if (xmlStrEqual(childNode->name, (
const xmlChar *)
"Resign")) {
456 temp_char = (
char *) xmlNodeGetContent(childNode);
457 status +=
check_time_def(temp_char, my_policy,
"Signatures/Resign", kasp, &resign);
460 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"Refresh")) {
461 temp_char = (
char *) xmlNodeGetContent(childNode);
462 status +=
check_time_def(temp_char, my_policy,
"Signatures/Refresh", kasp, &refresh);
465 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"Validity")) {
466 childNode2 = childNode->children;
468 if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Default")) {
469 temp_char = (
char *) xmlNodeGetContent(childNode2);
470 status +=
check_time_def(temp_char, my_policy,
"Signatures/Validity/Default", kasp, &defalt);
473 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Denial")) {
474 temp_char = (
char *) xmlNodeGetContent(childNode2);
475 status +=
check_time_def(temp_char, my_policy,
"Signatures/Validity/Denial", kasp, &denial);
478 childNode2 = childNode2->next;
481 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"Jitter")) {
482 temp_char = (
char *) xmlNodeGetContent(childNode);
483 status +=
check_time_def(temp_char, my_policy,
"Signatures/Jitter", kasp, &jitter);
486 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"InceptionOffset")) {
487 temp_char = (
char *) xmlNodeGetContent(childNode);
488 status +=
check_time_def(temp_char, my_policy,
"Signatures/InceptionOffset", kasp, &inception);
491 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"MaxZoneTTL")) {
492 temp_char = (
char *) xmlNodeGetContent(childNode);
493 status +=
check_time_def(temp_char, my_policy,
"Signatures/MaxZoneTTL", kasp, &maxzone_ttl);
497 childNode = childNode->next;
500 else if (xmlStrEqual(curNode->name, (
const xmlChar *)
"Denial")) {
501 childNode = curNode->children;
504 if (xmlStrEqual(childNode->name, (
const xmlChar *)
"NSEC")) {
507 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"NSEC3")) {
509 childNode2 = childNode->children;
512 if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Resalt")) {
513 temp_char = (
char *) xmlNodeGetContent(childNode2);
514 status +=
check_time_def(temp_char, my_policy,
"Denial/NSEC3/Resalt", kasp, &resalt);
516 }
else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Hash")) {
517 childNode3 = childNode2->children;
519 if (xmlStrEqual(childNode3->name, (
const xmlChar *)
"Algorithm")) {
520 temp_char = (
char *) xmlNodeGetContent(childNode3);
522 hash_algo = atoi(temp_char);
523 if (hash_algo != 1) {
524 dual_log(
"ERROR: NSEC3 Hash algorithm for %s Policy "
530 }
else if (xmlStrEqual(childNode3->name, (
const xmlChar *)
"Iterations")) {
531 temp_char = (
char *) xmlNodeGetContent(childNode3);
533 iter = atoi(temp_char);
534 hash_iters = atoi(temp_char);
535 if (hash_iters > 100) {
536 dual_log(
"WARNING: NSEC3 Hash iterations for %s Policy in %s is %d which is larger than the recommended maximum of 100",
policy_name, kasp, hash_iters);
540 childNode3 = childNode3->next;
544 childNode2 = childNode2->next;
548 childNode = childNode->next;
551 else if (xmlStrEqual(curNode->name, (
const xmlChar *)
"Keys")) {
552 childNode = curNode->children;
555 if (xmlStrEqual(childNode->name, (
const xmlChar *)
"TTL")) {
556 temp_char = (
char *) xmlNodeGetContent(childNode);
557 status +=
check_time_def(temp_char, my_policy,
"Keys/TTL", kasp, &ttl);
560 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"RetireSafety")) {
561 temp_char = (
char *) xmlNodeGetContent(childNode);
562 status +=
check_time_def(temp_char, my_policy,
"Keys/RetireSafety", kasp, &retire);
565 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"PublishSafety")) {
566 temp_char = (
char *) xmlNodeGetContent(childNode);
567 status +=
check_time_def(temp_char, my_policy,
"Keys/PublishSafety", kasp, &publish);
570 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"KSK")) {
571 childNode2 = childNode->children;
573 firstkey = curkey = (
struct key*) malloc(
sizeof *curkey);
575 curkey->next = (
struct key*) malloc(
sizeof *curkey);
576 curkey = curkey->next;
578 memset(curkey, 0,
sizeof *curkey);
583 if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Algorithm")) {
584 temp_char = (
char *) xmlNodeGetContent(childNode2);
588 temp_char = (
char *)xmlGetProp(childNode2, (
const xmlChar *)
"length");
592 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Lifetime")) {
593 temp_char = (
char *) xmlNodeGetContent(childNode2);
594 status +=
check_time_def(temp_char, my_policy,
"Keys/KSK Lifetime", kasp, &curkey->life);
597 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Repository")) {
598 curkey->repo = (
char *) xmlNodeGetContent(childNode2);
601 childNode2 = childNode2->next;
604 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"ZSK")) {
605 childNode2 = childNode->children;
607 firstkey = curkey = (
struct key*) malloc(
sizeof *curkey);
609 curkey->next = (
struct key*) malloc(
sizeof *curkey);
610 curkey = curkey->next;
612 memset(curkey, 0,
sizeof *curkey);
617 if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Algorithm")) {
618 temp_char = (
char *) xmlNodeGetContent(childNode2);
622 temp_char = (
char *)xmlGetProp(childNode2, (
const xmlChar *)
"length");
624 if (smallest_key_size == 0 || curkey->length < smallest_key_size)
625 smallest_key_size = curkey->length;
629 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Lifetime")) {
630 temp_char = (
char *) xmlNodeGetContent(childNode2);
631 status +=
check_time_def(temp_char, my_policy,
"Keys/ZSK Lifetime", kasp, &curkey->life);
634 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Repository")) {
635 curkey->repo = (
char *) xmlNodeGetContent(childNode2);
638 childNode2 = childNode2->next;
641 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"CSK")) {
642 childNode2 = childNode->children;
644 firstkey = curkey = (
struct key*) malloc(
sizeof *curkey);
646 curkey->next = (
struct key*) malloc(
sizeof *curkey);
647 curkey = curkey->next;
649 memset(curkey, 0,
sizeof *curkey);
654 if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Algorithm")) {
655 temp_char = (
char *) xmlNodeGetContent(childNode2);
659 temp_char = (
char *)xmlGetProp(childNode2, (
const xmlChar *)
"length");
661 if (smallest_key_size == 0 || curkey->length < smallest_key_size)
662 smallest_key_size = curkey->length;
666 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Lifetime")) {
667 temp_char = (
char *) xmlNodeGetContent(childNode2);
668 status +=
check_time_def(temp_char, my_policy,
"Keys/CSK Lifetime", kasp, &curkey->life);
671 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Repository")) {
672 curkey->repo = (
char *) xmlNodeGetContent(childNode2);
675 childNode2 = childNode2->next;
679 childNode = childNode->next;
682 else if (xmlStrEqual(curNode->name, (
const xmlChar *)
"Zone")) {
683 childNode = curNode->children;
686 if (xmlStrEqual(childNode->name, (
const xmlChar *)
"SOA")) {
687 childNode2 = childNode->children;
690 if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Serial")) {
691 serial = (
char *) xmlNodeGetContent(childNode2);
694 childNode2 = childNode2->next;
698 childNode = childNode->next;
701 else if (xmlStrEqual(curNode->name, (
const xmlChar *)
"Parent")) {
702 childNode = curNode->children;
705 if (xmlStrEqual(childNode->name, (
const xmlChar *)
"DS")) {
706 childNode2 = childNode->children;
709 if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"TTL")) {
710 temp_char = (
char *) xmlNodeGetContent(childNode2);
711 status +=
check_time_def(temp_char, my_policy,
"Parent/DS/TTL", kasp, &ds_ttl);
715 childNode2 = childNode2->next;
719 childNode = childNode->next;
724 curNode = curNode->next;
730 for (curkey = firstkey; curkey; curkey = curkey->next) {
731 if ((curkey->type & KSK) && ds_ttl + ttl >= curkey->life) {
732 dual_log(
"ERROR: KSK/Lifetime (%d seconds) for policy '%s' "
733 "must be greater than the DNSKEY record TTL (%d seconds) plus "
734 "the DS record TTL (%d seconds). This time is needed to pass for the "
735 "KSK to be able to reach the ready state.",
740 if ((curkey->type & ZSK) && maxzone_ttl + ttl >= curkey->life) {
741 dual_log(
"ERROR: ZSK/Lifetime (%d seconds) for policy '%s' "
742 "must be greater than the DNSKEY record TTL (%d seconds) plus "
743 "the MaxZoneTTL (%d seconds). This time is needed to pass for the "
744 "ZSK to be able to reach the ready state.",
748 if ((curkey->type & ZSK) && defalt > curkey->life) {
749 dual_log(
"WARNING: ZSK/Lifetime (%d seconds) for policy '%s' "
750 "is less than Validity/Default (%d seconds), this might "
751 "be a configuration error.",
757 if (refresh <= resign) {
758 dual_log(
"ERROR: The Refresh interval (%d seconds) for "
759 "%s Policy in %s is less than or equal to the Resign interval "
760 "(%d seconds)", refresh,
policy_name, kasp, resign);
766 if (defalt <= refresh) {
767 dual_log(
"ERROR: Validity/Default (%d seconds) for "
768 "%s policy in %s is less than or equal to the Refresh interval "
769 "(%d seconds)", defalt,
policy_name, kasp, refresh);
772 if (denial <= refresh) {
773 dual_log(
"ERROR: Validity/Denial (%d seconds) for "
774 "%s policy in %s is less than or equal to the Refresh interval "
775 "(%d seconds)", denial,
policy_name, kasp, refresh);
783 if (defalt > denial) {
784 if (jitter > (defalt * 0.5)) {
785 dual_log(
"WARNING: Jitter time (%d seconds) is large "
786 "compared to Validity/Default (%d seconds) "
787 "for %s policy in %s", jitter, defalt,
policy_name, kasp);
790 if (jitter > (denial * 0.5)) {
791 dual_log(
"WARNING: Jitter time (%d seconds) is large "
792 "compared to Validity/Denial (%d seconds) "
793 "for %s policy in %s", jitter, denial,
policy_name, kasp);
801 if (inception > 3600) {
802 dual_log(
"WARNING: InceptionOffset is higher than expected "
803 "(%d seconds) for %s policy in %s",
809 if (publish < (ttl * 0.1)) {
810 dual_log(
"WARNING: Keys/PublishSafety (%d seconds) is less than "
811 "0.1 * TTL (%d seconds) for %s policy in %s",
814 else if (publish > (ttl * 5)) {
815 dual_log(
"WARNING: Keys/PublishSafety (%d seconds) is greater than "
816 "5 * TTL (%d seconds) for %s policy in %s",
820 if (retire < (ttl * 0.1)) {
821 dual_log(
"WARNING: Keys/RetireSafety (%d seconds) is less than "
822 "0.1 * TTL (%d seconds) for %s policy in %s",
825 else if (retire > (ttl * 5)) {
826 dual_log(
"WARNING: Keys/RetireSafety (%d seconds) is greater than "
827 "5 * TTL (%d seconds) for %s policy in %s",
835 else if (nsec == 3) {
836 for (curkey = firstkey; curkey; curkey = curkey->next) {
837 if ((curkey->type & KSK) && curkey->algo <= 5) {
838 dual_log(
"ERROR: In policy %s, incompatible algorithm (%d) used for "
839 "KSK NSEC3 in %s.",
policy_name, curkey->algo, kasp);
842 if ((curkey->type & ZSK) && curkey->algo <= 5) {
843 dual_log(
"ERROR: In policy %s, incompatible algorithm (%d) used for "
844 "ZSK NSEC3 in %s.",
policy_name, curkey->algo, kasp);
850 if (resalt < resign) {
851 dual_log(
"WARNING: NSEC3 resalt interval (%d secs) is less than "
852 "signature resign interval (%d secs) for %s Policy",
864 if (!(max_iter = 150) || (smallest_key_size <= 1024 && iter > 150) ||
865 !(max_iter = 500) || (smallest_key_size > 1024 && smallest_key_size <= 2048 && iter > 500) ||
866 !(max_iter = 2500) || (smallest_key_size > 2048 && iter > 2500)) {
867 dual_log(
"WARNING: In policy %s for the given key size (%d) for zone signing key, "
868 "iteration should not be higher than %d",
876 if (serial != NULL && strncmp(serial,
"datecounter", 11) == 0) {
878 resigns_per_day = (60 * 60 * 24) / resign;
879 if (resigns_per_day > 99) {
880 dual_log(
"ERROR: In %s, policy %s, serial type datecounter used "
881 "but %d re-signs requested. No more than 99 re-signs per "
882 "day should be used with datecounter as only 2 digits are "
883 "allocated for the version number.",
893 for (curkey = firstkey; curkey; curkey = curkey->next) {
894 if ((curkey->type & KSK) && (curkey->algo == 5 ||
895 curkey->algo == 7 ||curkey->algo == 8 ||
896 curkey->algo == 10)) {
897 if (curkey->length < 1024) {
898 dual_log(
"WARNING: Key length of %d used for KSK in %s policy in %s. Should "
899 "probably be 1024 or more", curkey->length,
policy_name, kasp);
901 else if (curkey->length > 4096) {
902 dual_log(
"ERROR: Key length of %d used for KSK in %s policy in %s. Should "
903 "be 4096 or less", curkey->length,
policy_name, kasp);
907 if ((curkey->type & ZSK) && (curkey->algo == 5 ||
908 curkey->algo == 7 || curkey->algo == 8 ||
909 curkey->algo == 10)) {
910 if (curkey->length < 1024) {
911 dual_log(
"WARNING: Key length of %d used for ZSK in %s policy in %s. Should "
912 "probably be 1024 or more", curkey->length,
policy_name, kasp);
914 else if (curkey->length > 4096) {
915 dual_log(
"ERROR: Key length of %d used for ZSK in %s policy in %s. Should "
916 "be 4096 or less", curkey->length,
policy_name, kasp);
925 for (curkey = firstkey; curkey; curkey = curkey->next) {
926 if ((curkey->type & KSK) && curkey->repo != NULL) {
927 for (i = 0; i < repo_count; i++) {
928 if (strcmp(curkey->repo, repo_list[i]) == 0) {
932 if (i >= repo_count) {
933 dual_log(
"ERROR: Unknown repository (%s) defined for KSK in "
934 "%s policy in %s", curkey->repo,
policy_name, kasp);
939 if ((curkey->type & ZSK) && curkey->repo != NULL) {
940 for (i = 0; i < repo_count; i++) {
941 if (strcmp(curkey->repo, repo_list[i]) == 0) {
945 if (i >= repo_count) {
946 dual_log(
"ERROR: Unknown repository (%s) defined for ZSK in "
954 for (curkey = firstkey; curkey; curkey = curkey->next) {
955 if (!(curkey->type & KSK))
continue;
957 for (tmpkey = firstkey; tmpkey; tmpkey = tmpkey->next) {
958 if (!(tmpkey->type & ZSK))
continue;
959 if (tmpkey->algo != curkey->algo)
continue;
962 if (curkey->life < tmpkey->life) {
963 dual_log(
"WARNING: KSK minimum lifetime (%d seconds) is less than "
964 "ZSK minimum lifetime (%d seconds) for %s Policy in %s",
969 dual_log(
"ERROR: ZSK with algorithm %i not found, algorithm mismatch between ZSK and KSK", curkey->algo);
977 if (jitter > defalt) {
978 dual_log(
"ERROR: Jitter time (%d seconds) is greater than the "
979 "Default Validity (%d seconds) for %s policy in %s",
983 if (jitter > denial) {
984 dual_log(
"ERROR: Jitter time (%d seconds) is greater than the "
985 "Denial Validity (%d seconds) for %s policy in %s",
991 firstkey = firstkey->next;
1063 const char *ptr = text;
1065 long temp_interval = 0;
1067 if (!text || !interval || !*text)
return 4;
1068 length = strlen(text);
1069 if (length <= 2)
return 2;
1075 if (*ptr !=
'P')
return 2;
1078 end = text + length;
1082 if (!got_temp || !is_time)
return 2;
1083 temp_interval += temp;
1089 if (!got_temp)
return 2;
1091 temp_interval += 60 * temp;
1093 temp_interval += 31 * 24 * 60 * 60 * temp;
1101 if (!got_temp || !is_time)
return 2;
1102 temp_interval += 60 * 60 * temp;
1108 if (!got_temp || is_time)
return 2;
1109 temp_interval += 24 * 60 * 60 * temp;
1115 if (!got_temp || is_time)
return 2;
1116 temp_interval += 7 * 24 * 60 * 60 * temp;
1122 if (!got_temp || is_time)
return 2;
1123 temp_interval += 365 * 24 * 60 * 60 * temp;
1145 temp = strtol(ptr, &endptr, 10);
1146 if (temp == LONG_MIN || temp == LONG_MAX)
1155 if (ptr != end)
return 2;
1162 if (temp && !is_time)
return 2;
1163 temp_interval += temp;
1165 if (is_neg) temp_interval *= -1;
1166 *interval = (int) temp_interval;
1196 if (value == NULL) {
1197 dual_log(
"ERROR: NULL value passed to StrStrtoi");
1202 if ((longval >= INT_MIN) && (longval <= INT_MAX)) {
1203 *value = (int) longval;
1242 if (value == NULL) {
1243 dual_log(
"ERROR: NULL value passed to StrStrtol");
1255 *value = strtol(start, &endptr, 10);
1260 status = (*endptr ==
'\0') ? 0 : 1;
1291 char* duplicate = NULL;
1294 duplicate = strdup(
string);
1295 if (duplicate == NULL) {
1296 dual_log(
"ERROR: StrStrdup: Call to malloc() returned null - out of swap space?");
1353 int textlen = strlen(text);
1354 while (-- textlen >= 0) {
1355 if (! isspace((
int) text[textlen])) {
1356 text[textlen + 1] =
'\0';
1388 while (*text && isspace((
int) *text)) {
1398 void *ptr = calloc(nmemb, size);
1400 dual_log(
"ERROR: calloc: Out of swap space");
1407static void quiet_error_func(
void * ctx,
const char * msg, ...)
1409 (void)ctx; (void)msg;
1419 char ***repo_listout,
int *repo_countout,
int verbose)
1424 int temp_status = 0;
1429 xmlXPathContextPtr xpath_ctx;
1430 xmlXPathObjectPtr xpath_obj;
1433 char* signer_dir = NULL;
1434 int signer_dir_default = 0;
1435 char* enforcer_dir = NULL;
1436 int enforcer_dir_default = 0;
1439 int* repo_mods = NULL;
1442 xmlSetGenericErrorFunc(NULL, quiet_error_func);
1445 status =
check_rng(conf, OPENDNSSEC_SCHEMA_DIR
"/conf.rng", verbose);
1448 if (status != 0)
return status;
1449 dual_log(
"INFO: The XML in %s is valid", conf);
1452 doc = xmlParseFile(conf);
1453 if (doc == NULL)
return 1;
1456 xpath_ctx = xmlXPathNewContext(doc);
1457 if(xpath_ctx == NULL) {
1463 xexpr = (xmlChar *)
"//Configuration/RepositoryList/Repository";
1464 xpath_obj = xmlXPathEvalExpression(xexpr, xpath_ctx);
1465 if(xpath_obj == NULL) {
1466 xmlXPathFreeContext(xpath_ctx);
1471 if (xpath_obj->nodesetval) {
1472 repo_count = xpath_obj->nodesetval->nodeNr;
1473 *repo_countout = repo_count;
1476 repo_mods = (
int*)malloc(
sizeof(
int) * repo_count);
1477 repo_list = (
char**)malloc(
sizeof(
char*) * repo_count);
1478 *repo_listout = repo_list;
1480 if (repo == NULL || repo_mods == NULL || repo_list == NULL) {
1481 dual_log(
"ERROR: malloc for repo information failed");
1485 for (i = 0; i < repo_count; i++) {
1488 curNode = xpath_obj->nodesetval->nodeTab[i]->xmlChildrenNode;
1491 repo[i].
name = (
char *) xmlGetProp(xpath_obj->nodesetval->nodeTab[i],
1492 (
const xmlChar *)
"name");
1496 if (xmlStrEqual(curNode->name, (
const xmlChar *)
"TokenLabel"))
1497 repo[i].
TokenLabel = (
char *) xmlNodeGetContent(curNode);
1498 if (xmlStrEqual(curNode->name, (
const xmlChar *)
"Module"))
1499 repo[i].module = (
char *) xmlNodeGetContent(curNode);
1500 curNode = curNode->next;
1504 xmlXPathFreeObject(xpath_obj);
1507 for (i = 0; i < repo_count; i++) {
1509 if (repo_mods[i] == 0) {
1512 status +=
check_file(repo[i].module,
"Module");
1517 for (j = i+1; j < repo_count; j++) {
1518 if ( repo_mods[j] == 0 &&
1519 (strcmp(repo[i].module, repo[j].module) == 0) ) {
1522 if (strcmp(repo[i].TokenLabel, repo[j].TokenLabel) == 0) {
1523 dual_log(
"ERROR: Multiple Repositories (%s and %s) in %s have the same Module (%s) and TokenLabel (%s)", repo[i].name, repo[j].name, conf, repo[i].module, repo[i].TokenLabel);
1531 for (j = i+1; j < repo_count; j++) {
1532 if (strcmp(repo[i].name, repo[j].name) == 0) {
1533 dual_log(
"ERROR: Two repositories exist with the same name (%s)", repo[i].name);
1541 if (*kasp == NULL) {
1542 xexpr = (xmlChar *)
"//Configuration/Common/PolicyFile";
1543 xpath_obj = xmlXPathEvalExpression(xexpr, xpath_ctx);
1544 if(xpath_obj == NULL) {
1545 xmlXPathFreeContext(xpath_ctx);
1548 for (i = 0; i < repo_count; i++) {
1550 free(repo[i].module);
1551 free(repo[i].TokenLabel);
1558 *kasp = (
char*) xmlXPathCastToString(xpath_obj);
1559 xmlXPathFreeObject(xpath_obj);
1562 if (*zonelist == NULL) {
1563 xexpr = (xmlChar *)
"//Configuration/Common/ZoneListFile";
1564 xpath_obj = xmlXPathEvalExpression(xexpr, xpath_ctx);
1565 if(xpath_obj == NULL) {
1566 xmlXPathFreeContext(xpath_ctx);
1569 for (i = 0; i < repo_count; i++) {
1571 free(repo[i].module);
1572 free(repo[i].TokenLabel);
1579 *zonelist = (
char*) xmlXPathCastToString(xpath_obj);
1580 xmlXPathFreeObject(xpath_obj);
1587 (xmlChar *)
"//Configuration/Enforcer/Privileges/User",
1588 (xmlChar *)
"//Configuration/Enforcer/Privileges/Group");
1593 (xmlChar *)
"//Configuration/Enforcer/Datastore/SQLite");
1594 if (temp_status == -1) {
1600 status += temp_status;
1608 status +=
check_time_def_from_xpath(xpath_ctx, (xmlChar *)
"//Configuration/Enforcer/RolloverNotification",
"Configuration",
"Enforcer/RolloverNotification", conf);
1612 (xmlChar *)
"//Configuration/Enforcer/DelegationSignerSubmitCommand");
1613 if (temp_status > 0) {
1614 status += temp_status;
1619 (xmlChar *)
"//Configuration/Enforcer/WorkingDirectory");
1620 if (temp_status == -1) {
1622 temp_status =
check_path(OPENDNSSEC_STATE_DIR
"/enforcer",
1623 "default Enforcer WorkingDirectory");
1625 if (temp_status > 0) {
1626 status += temp_status;
1632 (xmlChar *)
"//Configuration/Signer/Privileges/User",
1633 (xmlChar *)
"//Configuration/Signer/Privileges/Group");
1637 (xmlChar *)
"//Configuration/Signer/WorkingDirectory");
1638 if (temp_status == -1) {
1640 temp_status =
check_path(OPENDNSSEC_STATE_DIR
"/signer",
1641 "default Signer WorkingDirectory");
1643 if (temp_status > 0) {
1644 status += temp_status;
1648 xexpr = (xmlChar *)
"//Configuration/Signer/WorkingDirectory";
1649 xpath_obj = xmlXPathEvalExpression(xexpr, xpath_ctx);
1650 if (NULL == xpath_obj || xpath_obj->nodesetval->nodeNr == 0) {
1651 signer_dir = (
char*) OPENDNSSEC_STATE_DIR
"/signer";
1652 signer_dir_default = 1;
1655 signer_dir = (
char*) xmlXPathCastToString(xpath_obj);
1656 xmlXPathFreeObject(xpath_obj);
1658 xexpr = (xmlChar *)
"//Configuration/Enforcer/WorkingDirectory";
1659 xpath_obj = xmlXPathEvalExpression(xexpr, xpath_ctx);
1660 if (NULL == xpath_obj || xpath_obj->nodesetval->nodeNr == 0) {
1661 enforcer_dir = (
char*) OPENDNSSEC_STATE_DIR
"/enforcer";
1662 enforcer_dir_default = 1;
1665 enforcer_dir = (
char*) xmlXPathCastToString(xpath_obj);
1666 xmlXPathFreeObject(xpath_obj);
1668 temp_status = strcmp(signer_dir, enforcer_dir);
1669 if (0 == temp_status) {
1671 dual_log(
"ERROR: signer workingdirectory is the same as the one of enforcer");
1673 if (0 == signer_dir_default)
1675 if (0 == enforcer_dir_default)
1678 xmlXPathFreeContext(xpath_ctx);
1681 for (i = 0; i < repo_count; i++) {
1683 free(repo[i].module);
1684 free(repo[i].TokenLabel);
1700 xmlXPathContextPtr xpath_ctx;
1701 xmlXPathObjectPtr xpath_obj;
1703 int i, j, found, status = 0;
1706 if (!zonelist || !strncmp(zonelist,
"", 1)) {
1707 dual_log(
"ERROR: No location for zonelist.xml set");
1712 xmlSetGenericErrorFunc(NULL, quiet_error_func);
1715 if (
check_rng(zonelist, OPENDNSSEC_SCHEMA_DIR
"/zonelist.rng", verbose) != 0)
1719 doc = xmlParseFile(zonelist);
1724 xpath_ctx = xmlXPathNewContext(doc);
1725 if(xpath_ctx == NULL) {
1730 xexpr = (xmlChar *)
"//ZoneList/Zone/Policy";
1731 xpath_obj = xmlXPathEvalExpression(xexpr, xpath_ctx);
1732 if(xpath_obj == NULL) {
1733 xmlXPathFreeContext(xpath_ctx);
1738 if (xpath_obj->nodesetval) {
1739 for (i = 0; i < xpath_obj->nodesetval->nodeNr; i++) {
1740 policy_name = (
char*)xmlNodeGetContent(xpath_obj->nodesetval->nodeTab[i]);
1744 for (j = 0; j < policy_count; j++) {
1759 xmlXPathFreeObject(xpath_obj);
1760 xmlXPathFreeContext(xpath_ctx);
1764 if (!status)
dual_log(
"INFO: The XML in %s is valid", zonelist);
1772int check_kasp(
const char *kasp,
char **repo_list,
int repo_count,
int verbose,
1773 char ***policy_names_out,
int *policy_count_out)
1779 xmlXPathContextPtr xpath_ctx;
1780 xmlXPathObjectPtr xpath_obj;
1784 int policy_count = 0;
1785 char **policy_names = NULL;
1786 int default_found = 0;
1789 xmlSetGenericErrorFunc(NULL, quiet_error_func);
1792 dual_log(
"ERROR: No location for kasp.xml set");
1797 status =
check_rng(kasp, OPENDNSSEC_SCHEMA_DIR
"/kasp.rng", verbose);
1800 dual_log(
"INFO: The XML in %s is valid", kasp);
1806 doc = xmlParseFile(kasp);
1812 xpath_ctx = xmlXPathNewContext(doc);
1813 if(xpath_ctx == NULL) {
1820 xexpr = (xmlChar *)
"//KASP/Policy";
1821 xpath_obj = xmlXPathEvalExpression(xexpr, xpath_ctx);
1822 if(xpath_obj == NULL) {
1823 xmlXPathFreeContext(xpath_ctx);
1828 if (xpath_obj->nodesetval) {
1829 policy_count = xpath_obj->nodesetval->nodeNr;
1831 policy_names = (
char**)malloc(
sizeof(
char*) * policy_count);
1832 if (policy_names == NULL) {
1833 dual_log(
"ERROR: Malloc for policy names failed");
1837 for (i = 0; i < policy_count; i++) {
1839 policy_names[i] = (
char *) xmlGetProp(xpath_obj->nodesetval->nodeTab[i],
1840 (
const xmlChar *)
"name");
1845 for (i = 0; i < policy_count; i++) {
1846 if (strcmp(policy_names[i],
"default") == 0) {
1849 for (j = i+1; j < policy_count; j++) {
1850 if ( (strcmp(policy_names[i], policy_names[j]) == 0) ) {
1851 dual_log(
"ERROR: Two policies exist with the same name (%s)", policy_names[i]);
1856 if (default_found == 0) {
1857 dual_log(
"WARNING: No policy named 'default' in %s. This means you will need to refer explicitly to the policy for each zone", kasp);
1861 for (i = 0; i < policy_count; i++) {
1862 curNode = xpath_obj->nodesetval->nodeTab[i]->xmlChildrenNode;
1864 status +=
check_policy(curNode, policy_names[i], repo_list, repo_count, kasp);
1867 if (!status && policy_names_out && policy_count_out) {
1868 *policy_names_out = policy_names;
1869 *policy_count_out = policy_count;
1872 for (i = 0; i < policy_count; i++) {
1873 free(policy_names[i]);
1878 xmlXPathFreeObject(xpath_obj);
1879 xmlXPathFreeContext(xpath_ctx);
int check_time_def(const char *time_expr, const char *location, const char *field, const char *filename, int *interval)
int check_user_group(xmlXPathContextPtr xpath_ctx, const xmlChar *user_xexpr, const xmlChar *group_xexpr)
void log_init(int facility, const char *program_name)
int check_kasp(const char *kasp, char **repo_list, int repo_count, int verbose, char ***policy_names_out, int *policy_count_out)
int check_path(const char *pathname, const char *log_string)
char * StrStrdup(const char *string)
int check_rng(const char *filename, const char *rngfilename, int verbose)
int check_policy(xmlNode *curNode, const char *policy_name, char **repo_list, int repo_count, const char *kasp)
void * MemCalloc(size_t nmemb, size_t size)
int check_path_from_xpath(xmlXPathContextPtr xpath_ctx, const char *log_string, const xmlChar *path_xexpr)
int StrStrtol(const char *string, long *value)
int check_time_def_from_xpath(xmlXPathContextPtr xpath_ctx, const xmlChar *time_xexpr, const char *location, const char *field, const char *filename)
void dual_log(const char *format,...)
int StrStrtoi(const char *string, int *value)
int kc_helper_printto_stdout
int check_zonelist(const char *zonelist, int verbose, char **policy_names, int policy_count)
char * StrTrimL(char *text)
void StrTrimR(char *text)
int DtXMLIntervalSeconds(const char *text, int *interval)
int check_conf(const char *conf, char **kasp, char **zonelist, char ***repo_listout, int *repo_countout, int verbose)
int check_file_from_xpath(xmlXPathContextPtr xpath_ctx, const char *log_string, const xmlChar *file_xexpr)
int check_file(const char *filename, const char *log_string)
const char * policy_name(const policy_t *policy)