41 #include <libxml/tree.h> 42 #include <libxml/parser.h> 43 #include <libxml/xpath.h> 44 #include <libxml/xpathInternals.h> 45 #include <libxml/relaxng.h> 47 #define StrFree(ptr) {if(ptr != NULL) {free(ptr); (ptr) = NULL;}} 51 void log_init(
int facility,
const char *program_name)
53 openlog(program_name, 0, facility);
57 #pragma GCC diagnostic push 58 #pragma GCC diagnostic ignored "-Wformat-nonliteral" 64 va_start(args, format);
67 if (strncmp(format,
"ERROR:", 6) == 0) {
68 vsyslog(LOG_ERR, format, args);
69 }
else if (strncmp(format,
"WARNING:", 8) == 0) {
70 vsyslog(LOG_WARNING, format, args);
71 }
else if (strncmp(format,
"DEBUG:", 6) == 0) {
72 vsyslog(LOG_DEBUG, format, args);
74 vsyslog(LOG_INFO, format, args);
78 vprintf(format, args2);
85 #pragma GCC diagnostic pop 88 int check_rng(
const char *filename,
const char *rngfilename,
int verbose)
91 xmlDocPtr rngdoc = NULL;
92 xmlRelaxNGParserCtxtPtr rngpctx = NULL;
93 xmlRelaxNGValidCtxtPtr rngctx = NULL;
94 xmlRelaxNGPtr schema = NULL;
97 dual_log(
"DEBUG: About to check XML validity in %s with %s",
98 filename, rngfilename);
102 doc = xmlParseFile(filename);
104 dual_log(
"ERROR: unable to parse file \"%s\"", filename);
112 rngdoc = xmlParseFile(rngfilename);
113 if (rngdoc == NULL) {
114 dual_log(
"ERROR: unable to parse file \"%s\"", rngfilename);
124 rngpctx = xmlRelaxNGNewDocParserCtxt(rngdoc);
125 if (rngpctx == NULL) {
126 dual_log(
"ERROR: unable to create XML RelaxNGs parser context");
134 xmlRelaxNGSetParserErrors(rngpctx,
135 (xmlRelaxNGValidityErrorFunc) fprintf,
136 (xmlRelaxNGValidityWarningFunc) fprintf,
141 schema = xmlRelaxNGParse(rngpctx);
142 if (schema == NULL) {
143 dual_log(
"ERROR: unable to parse a schema definition resource");
145 xmlRelaxNGFreeParserCtxt(rngpctx);
153 rngctx = xmlRelaxNGNewValidCtxt(schema);
154 if (rngctx == NULL) {
155 dual_log(
"ERROR: unable to create RelaxNGs validation context based on the schema");
157 xmlRelaxNGFree(schema);
158 xmlRelaxNGFreeParserCtxt(rngpctx);
165 xmlRelaxNGSetValidErrors(rngctx,
166 (xmlRelaxNGValidityErrorFunc) fprintf,
167 (xmlRelaxNGValidityWarningFunc) fprintf,
171 if (xmlRelaxNGValidateDoc(rngctx,doc) != 0) {
172 dual_log(
"ERROR: %s fails to validate", filename);
174 xmlRelaxNGFreeValidCtxt(rngctx);
175 xmlRelaxNGFree(schema);
176 xmlRelaxNGFreeParserCtxt(rngpctx);
183 xmlRelaxNGFreeValidCtxt(rngctx);
184 xmlRelaxNGFree(schema);
185 xmlRelaxNGFreeParserCtxt(rngpctx);
192 int check_file(
const char *filename,
const char *log_string) {
193 struct stat stat_ret;
195 if (stat(filename, &stat_ret) != 0) {
197 if (errno != ENOENT) {
198 dual_log(
"ERROR: cannot stat file %s: %s",
199 filename, strerror(errno));
203 dual_log(
"ERROR: %s (%s) does not exist", log_string, filename);
207 if (S_ISREG(stat_ret.st_mode)) {
212 dual_log(
"ERROR: %s (%s) does not exist", log_string, filename);
218 xmlXPathObjectPtr xpath_obj;
219 char* temp_char = NULL;
222 xpath_obj = xmlXPathEvalExpression(file_xexpr, xpath_ctx);
223 if(xpath_obj == NULL) {
224 dual_log(
"ERROR: unable to evaluate xpath expression: %s", file_xexpr);
227 if (xpath_obj->nodesetval != NULL && xpath_obj->nodesetval->nodeNr > 0) {
228 temp_char = (
char*) xmlXPathCastToString(xpath_obj);
231 str = strrchr(temp_char,
' ');
241 xmlXPathFreeObject(xpath_obj);
245 xmlXPathFreeObject(xpath_obj);
249 int check_path(
const char *pathname,
const char *log_string) {
250 struct stat stat_ret;
252 if (stat(pathname, &stat_ret) != 0) {
253 if (errno != ENOENT) {
254 dual_log(
"ERROR: cannot stat directory %s: %s",
255 pathname, strerror(errno));
259 dual_log(
"ERROR: %s (%s) does not exist", log_string, pathname);
263 if (S_ISDIR(stat_ret.st_mode)) {
268 dual_log(
"ERROR: %s (%s) is not a directory", log_string, pathname);
274 xmlXPathObjectPtr xpath_obj;
275 char* temp_char = NULL;
277 xpath_obj = xmlXPathEvalExpression(path_xexpr, xpath_ctx);
278 if(xpath_obj == NULL) {
279 dual_log(
"ERROR: unable to evaluate xpath expression: %s", path_xexpr);
282 if (xpath_obj->nodesetval != NULL && xpath_obj->nodesetval->nodeNr > 0) {
283 temp_char = (
char*) xmlXPathCastToString(xpath_obj);
290 xmlXPathFreeObject(xpath_obj);
294 xmlXPathFreeObject(xpath_obj);
298 int check_user_group(xmlXPathContextPtr xpath_ctx,
const xmlChar *user_xexpr,
const xmlChar *group_xexpr) {
300 xmlXPathObjectPtr xpath_obj;
301 char* temp_char = NULL;
307 xpath_obj = xmlXPathEvalExpression(group_xexpr, xpath_ctx);
308 if(xpath_obj == NULL) {
309 dual_log(
"ERROR: unable to evaluate xpath expression: %s", group_xexpr);
312 if (xpath_obj->nodesetval != NULL && xpath_obj->nodesetval->nodeNr > 0) {
313 temp_char = (
char*) xmlXPathCastToString(xpath_obj);
315 if ((grp = getgrnam(temp_char)) == NULL) {
316 dual_log(
"ERROR: Group '%s' does not exist", temp_char);
323 xmlXPathFreeObject(xpath_obj);
326 xpath_obj = xmlXPathEvalExpression(user_xexpr, xpath_ctx);
327 if(xpath_obj == NULL) {
328 dual_log(
"ERROR: unable to evaluate xpath expression: %s", user_xexpr);
331 if (xpath_obj->nodesetval != NULL && xpath_obj->nodesetval->nodeNr > 0) {
332 temp_char = (
char*) xmlXPathCastToString(xpath_obj);
334 if ((pwd = getpwnam(temp_char)) == NULL) {
335 dual_log(
"ERROR: User '%s' does not exist", temp_char);
343 xmlXPathFreeObject(xpath_obj);
348 int check_time_def(
const char *time_expr,
const char *location,
const char *field,
const char *filename,
int* interval) {
355 dual_log(
"WARNING: In %s M used in duration field for %s (%s) in %s - this will be interpreted as 31 days", location, field, time_expr, filename);
358 dual_log(
"WARNING: In %s Y used in duration field for %s (%s) in %s - this will be interpreted as 365 days", location, field, time_expr, filename);
361 dual_log(
"WARNING: In %s M & Y used in duration field for %s (%s) in %s - these will be interpreted as 31 and 365 days respectively", location, field, time_expr, filename);
364 dual_log(
"ERROR: unable to translate %s (%s) to seconds.", field, time_expr);
367 dual_log(
"ERROR: %s (%s) too long to be an int. E.g. Maximum is ~68 years on a system with 32-bit integers.", field, time_expr);
370 dual_log(
"ERROR: invalid pointers or text string NULL in %s (%s).", field, time_expr);
373 dual_log(
"ERROR: unknown error converting %s (%s) to seconds", field, time_expr);
385 int check_time_def_from_xpath(xmlXPathContextPtr xpath_ctx,
const xmlChar *time_xexpr,
const char *location,
const char *field,
const char *filename) {
387 xmlXPathObjectPtr xpath_obj;
388 char* temp_char = NULL;
392 xpath_obj = xmlXPathEvalExpression(time_xexpr, xpath_ctx);
393 if(xpath_obj == NULL) {
394 dual_log(
"ERROR: unable to evaluate xpath expression: %s", time_xexpr);
397 if (xpath_obj->nodesetval != NULL && xpath_obj->nodesetval->nodeNr > 0) {
398 temp_char = (
char *)xmlXPathCastToString(xpath_obj);
399 status +=
check_time_def(temp_char, location, field, filename, &ignore);
403 xmlXPathFreeObject(xpath_obj);
411 char* temp_char = NULL;
417 int resigns_per_day = 0;
433 enum {KSK = 1, ZSK, CSK};
442 struct key *tmpkey, *firstkey = NULL, *curkey = NULL;
448 if (xmlStrEqual(curNode->name, (
const xmlChar *)
"Signatures")) {
449 childNode = curNode->children;
451 if (xmlStrEqual(childNode->name, (
const xmlChar *)
"Resign")) {
452 temp_char = (
char *) xmlNodeGetContent(childNode);
453 status +=
check_time_def(temp_char, my_policy,
"Signatures/Resign", kasp, &resign);
456 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"Refresh")) {
457 temp_char = (
char *) xmlNodeGetContent(childNode);
458 status +=
check_time_def(temp_char, my_policy,
"Signatures/Refresh", kasp, &refresh);
461 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"Validity")) {
462 childNode2 = childNode->children;
464 if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Default")) {
465 temp_char = (
char *) xmlNodeGetContent(childNode2);
466 status +=
check_time_def(temp_char, my_policy,
"Signatures/Validity/Default", kasp, &defalt);
469 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Denial")) {
470 temp_char = (
char *) xmlNodeGetContent(childNode2);
471 status +=
check_time_def(temp_char, my_policy,
"Signatures/Validity/Denial", kasp, &denial);
474 childNode2 = childNode2->next;
477 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"Jitter")) {
478 temp_char = (
char *) xmlNodeGetContent(childNode);
479 status +=
check_time_def(temp_char, my_policy,
"Signatures/Jitter", kasp, &jitter);
482 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"InceptionOffset")) {
483 temp_char = (
char *) xmlNodeGetContent(childNode);
484 status +=
check_time_def(temp_char, my_policy,
"Signatures/InceptionOffset", kasp, &inception);
487 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"MaxZoneTTL")) {
488 temp_char = (
char *) xmlNodeGetContent(childNode);
489 status +=
check_time_def(temp_char, my_policy,
"Signatures/MaxZoneTTL", kasp, &maxzone_ttl);
493 childNode = childNode->next;
496 else if (xmlStrEqual(curNode->name, (
const xmlChar *)
"Denial")) {
497 childNode = curNode->children;
500 if (xmlStrEqual(childNode->name, (
const xmlChar *)
"NSEC")) {
503 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"NSEC3")) {
505 childNode2 = childNode->children;
508 if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Resalt")) {
509 temp_char = (
char *) xmlNodeGetContent(childNode2);
510 status +=
check_time_def(temp_char, my_policy,
"Denial/NSEC3/Resalt", kasp, &resalt);
512 }
else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Hash")) {
513 childNode3 = childNode2->children;
515 if (xmlStrEqual(childNode3->name, (
const xmlChar *)
"Algorithm")) {
516 temp_char = (
char *) xmlNodeGetContent(childNode3);
518 hash_algo = atoi(temp_char);
519 if (hash_algo != 1) {
520 dual_log(
"ERROR: NSEC3 Hash algorithm for %s Policy " 521 "in %s is %d but should be 1", policy_name,
527 childNode3 = childNode3->next;
531 childNode2 = childNode2->next;
535 childNode = childNode->next;
538 else if (xmlStrEqual(curNode->name, (
const xmlChar *)
"Keys")) {
539 childNode = curNode->children;
542 if (xmlStrEqual(childNode->name, (
const xmlChar *)
"TTL")) {
543 temp_char = (
char *) xmlNodeGetContent(childNode);
544 status +=
check_time_def(temp_char, my_policy,
"Keys/TTL", kasp, &ttl);
547 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"RetireSafety")) {
548 temp_char = (
char *) xmlNodeGetContent(childNode);
549 status +=
check_time_def(temp_char, my_policy,
"Keys/RetireSafety", kasp, &retire);
552 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"PublishSafety")) {
553 temp_char = (
char *) xmlNodeGetContent(childNode);
554 status +=
check_time_def(temp_char, my_policy,
"Keys/PublishSafety", kasp, &publish);
557 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"KSK")) {
558 childNode2 = childNode->children;
560 firstkey = curkey = (
struct key*) malloc(
sizeof *curkey);
562 curkey->next = (
struct key*) malloc(
sizeof *curkey);
563 curkey = curkey->next;
565 memset(curkey, 0,
sizeof *curkey);
570 if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Algorithm")) {
571 temp_char = (
char *) xmlNodeGetContent(childNode2);
575 temp_char = (
char *)xmlGetProp(childNode2, (
const xmlChar *)
"length");
579 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Lifetime")) {
580 temp_char = (
char *) xmlNodeGetContent(childNode2);
581 status +=
check_time_def(temp_char, my_policy,
"Keys/KSK Lifetime", kasp, &curkey->life);
584 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Repository")) {
585 curkey->repo = (
char *) xmlNodeGetContent(childNode2);
588 childNode2 = childNode2->next;
591 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"ZSK")) {
592 childNode2 = childNode->children;
594 firstkey = curkey = (
struct key*) malloc(
sizeof *curkey);
596 curkey->next = (
struct key*) malloc(
sizeof *curkey);
597 curkey = curkey->next;
599 memset(curkey, 0,
sizeof *curkey);
604 if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Algorithm")) {
605 temp_char = (
char *) xmlNodeGetContent(childNode2);
609 temp_char = (
char *)xmlGetProp(childNode2, (
const xmlChar *)
"length");
614 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Lifetime")) {
615 temp_char = (
char *) xmlNodeGetContent(childNode2);
616 status +=
check_time_def(temp_char, my_policy,
"Keys/ZSK Lifetime", kasp, &curkey->life);
619 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Repository")) {
620 curkey->repo = (
char *) xmlNodeGetContent(childNode2);
623 childNode2 = childNode2->next;
626 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"CSK")) {
627 childNode2 = childNode->children;
629 firstkey = curkey = (
struct key*) malloc(
sizeof *curkey);
631 curkey->next = (
struct key*) malloc(
sizeof *curkey);
632 curkey = curkey->next;
634 memset(curkey, 0,
sizeof *curkey);
639 if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Algorithm")) {
640 temp_char = (
char *) xmlNodeGetContent(childNode2);
644 temp_char = (
char *)xmlGetProp(childNode2, (
const xmlChar *)
"length");
649 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Lifetime")) {
650 temp_char = (
char *) xmlNodeGetContent(childNode2);
651 status +=
check_time_def(temp_char, my_policy,
"Keys/CSK Lifetime", kasp, &curkey->life);
654 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Repository")) {
655 curkey->repo = (
char *) xmlNodeGetContent(childNode2);
658 childNode2 = childNode2->next;
662 childNode = childNode->next;
665 else if (xmlStrEqual(curNode->name, (
const xmlChar *)
"Zone")) {
666 childNode = curNode->children;
669 if (xmlStrEqual(childNode->name, (
const xmlChar *)
"SOA")) {
670 childNode2 = childNode->children;
673 if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Serial")) {
674 serial = (
char *) xmlNodeGetContent(childNode2);
677 childNode2 = childNode2->next;
681 childNode = childNode->next;
684 else if (xmlStrEqual(curNode->name, (
const xmlChar *)
"Parent")) {
685 childNode = curNode->children;
688 if (xmlStrEqual(childNode->name, (
const xmlChar *)
"DS")) {
689 childNode2 = childNode->children;
692 if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"TTL")) {
693 temp_char = (
char *) xmlNodeGetContent(childNode2);
694 status +=
check_time_def(temp_char, my_policy,
"Parent/DS/TTL", kasp, &ds_ttl);
698 childNode2 = childNode2->next;
702 childNode = childNode->next;
707 curNode = curNode->next;
713 for (curkey = firstkey; curkey; curkey = curkey->next) {
714 if ((curkey->type & KSK) && ds_ttl + ttl >= curkey->life) {
715 dual_log(
"ERROR: KSK/Lifetime (%d seconds) for policy '%s' " 716 "must be greater than the DNSKEY record TTL (%d seconds) plus " 717 "the DS record TTL (%d seconds). This time is needed to pass for the " 718 "KSK to be able to reach the ready state.",
719 curkey->life, policy_name, ttl, ds_ttl);
723 if ((curkey->type & ZSK) && maxzone_ttl + ttl >= curkey->life) {
724 dual_log(
"ERROR: ZSK/Lifetime (%d seconds) for policy '%s' " 725 "must be greater than the DNSKEY record TTL (%d seconds) plus " 726 "the MaxZoneTTL (%d seconds). This time is needed to pass for the " 727 "ZSK to be able to reach the ready state.",
728 curkey->life, policy_name, ttl, maxzone_ttl);
731 if ((curkey->type & ZSK) && defalt > curkey->life) {
732 dual_log(
"WARNING: ZSK/Lifetime (%d seconds) for policy '%s' " 733 "is less than Validity/Default (%d seconds), this might " 734 "be a configuration error.",
735 curkey->life, policy_name, defalt);
740 if (refresh <= resign) {
741 dual_log(
"ERROR: The Refresh interval (%d seconds) for " 742 "%s Policy in %s is less than or equal to the Resign interval " 743 "(%d seconds)", refresh, policy_name, kasp, resign);
749 if (defalt <= refresh) {
750 dual_log(
"ERROR: Validity/Default (%d seconds) for " 751 "%s policy in %s is less than or equal to the Refresh interval " 752 "(%d seconds)", defalt, policy_name, kasp, refresh);
755 if (denial <= refresh) {
756 dual_log(
"ERROR: Validity/Denial (%d seconds) for " 757 "%s policy in %s is less than or equal to the Refresh interval " 758 "(%d seconds)", denial, policy_name, kasp, refresh);
766 if (defalt > denial) {
767 if (jitter > (defalt * 0.5)) {
768 dual_log(
"WARNING: Jitter time (%d seconds) is large " 769 "compared to Validity/Default (%d seconds) " 770 "for %s policy in %s", jitter, defalt, policy_name, kasp);
773 if (jitter > (denial * 0.5)) {
774 dual_log(
"WARNING: Jitter time (%d seconds) is large " 775 "compared to Validity/Denial (%d seconds) " 776 "for %s policy in %s", jitter, denial, policy_name, kasp);
784 if (inception > 3600) {
785 dual_log(
"WARNING: InceptionOffset is higher than expected " 786 "(%d seconds) for %s policy in %s",
787 inception, policy_name, kasp);
792 if (publish < (ttl * 0.1)) {
793 dual_log(
"WARNING: Keys/PublishSafety (%d seconds) is less than " 794 "0.1 * TTL (%d seconds) for %s policy in %s",
795 publish, ttl, policy_name, kasp);
797 else if (publish > (ttl * 5)) {
798 dual_log(
"WARNING: Keys/PublishSafety (%d seconds) is greater than " 799 "5 * TTL (%d seconds) for %s policy in %s",
800 publish, ttl, policy_name, kasp);
803 if (retire < (ttl * 0.1)) {
804 dual_log(
"WARNING: Keys/RetireSafety (%d seconds) is less than " 805 "0.1 * TTL (%d seconds) for %s policy in %s",
806 retire, ttl, policy_name, kasp);
808 else if (retire > (ttl * 5)) {
809 dual_log(
"WARNING: Keys/RetireSafety (%d seconds) is greater than " 810 "5 * TTL (%d seconds) for %s policy in %s",
811 retire, ttl, policy_name, kasp);
818 else if (nsec == 3) {
819 for (curkey = firstkey; curkey; curkey = curkey->next) {
820 if ((curkey->type & KSK) && curkey->algo <= 5) {
821 dual_log(
"ERROR: In policy %s, incompatible algorithm (%d) used for " 822 "KSK NSEC3 in %s.", policy_name, curkey->algo, kasp);
825 if ((curkey->type & ZSK) && curkey->algo <= 5) {
826 dual_log(
"ERROR: In policy %s, incompatible algorithm (%d) used for " 827 "ZSK NSEC3 in %s.", policy_name, curkey->algo, kasp);
833 if (resalt < resign) {
834 dual_log(
"WARNING: NSEC3 resalt interval (%d secs) is less than " 835 "signature resign interval (%d secs) for %s Policy",
836 resalt, resign, policy_name);
844 if (serial != NULL && strncmp(serial,
"datecounter", 11) == 0) {
846 resigns_per_day = (60 * 60 * 24) / resign;
847 if (resigns_per_day > 99) {
848 dual_log(
"ERROR: In %s, policy %s, serial type datecounter used " 849 "but %d re-signs requested. No more than 99 re-signs per " 850 "day should be used with datecounter as only 2 digits are " 851 "allocated for the version number.",
852 kasp, policy_name, resigns_per_day);
861 for (curkey = firstkey; curkey; curkey = curkey->next) {
862 if ((curkey->type & KSK) && (curkey->algo == 5 ||
863 curkey->algo == 7 ||curkey->algo == 8 ||
864 curkey->algo == 10)) {
865 if (curkey->length < 1024) {
866 dual_log(
"WARNING: Key length of %d used for KSK in %s policy in %s. Should " 867 "probably be 1024 or more", curkey->length, policy_name, kasp);
869 else if (curkey->length > 4096) {
870 dual_log(
"ERROR: Key length of %d used for KSK in %s policy in %s. Should " 871 "be 4096 or less", curkey->length, policy_name, kasp);
875 if ((curkey->type & ZSK) && (curkey->algo == 5 ||
876 curkey->algo == 7 || curkey->algo == 8 ||
877 curkey->algo == 10)) {
878 if (curkey->length < 1024) {
879 dual_log(
"WARNING: Key length of %d used for ZSK in %s policy in %s. Should " 880 "probably be 1024 or more", curkey->length, policy_name, kasp);
882 else if (curkey->length > 4096) {
883 dual_log(
"ERROR: Key length of %d used for ZSK in %s policy in %s. Should " 884 "be 4096 or less", curkey->length, policy_name, kasp);
893 for (curkey = firstkey; curkey; curkey = curkey->next) {
894 if ((curkey->type & KSK) && curkey->repo != NULL) {
895 for (i = 0; i < repo_count; i++) {
896 if (strcmp(curkey->repo, repo_list[i]) == 0) {
900 if (i >= repo_count) {
901 dual_log(
"ERROR: Unknown repository (%s) defined for KSK in " 902 "%s policy in %s", curkey->repo, policy_name, kasp);
907 if ((curkey->type & ZSK) && curkey->repo != NULL) {
908 for (i = 0; i < repo_count; i++) {
909 if (strcmp(curkey->repo, repo_list[i]) == 0) {
913 if (i >= repo_count) {
914 dual_log(
"ERROR: Unknown repository (%s) defined for ZSK in " 915 "%s policy", curkey->repo, policy_name);
922 for (curkey = firstkey; curkey; curkey = curkey->next) {
923 if (!(curkey->type & KSK))
continue;
925 for (tmpkey = firstkey; tmpkey; tmpkey = tmpkey->next) {
926 if (!(tmpkey->type & ZSK))
continue;
927 if (tmpkey->algo != curkey->algo)
continue;
930 if (curkey->life < tmpkey->life) {
931 dual_log(
"WARNING: KSK minimum lifetime (%d seconds) is less than " 932 "ZSK minimum lifetime (%d seconds) for %s Policy in %s",
933 curkey->life, tmpkey->life, policy_name, kasp);
937 dual_log(
"ERROR: ZSK with algorithm %i not found, algorithm mismatch between ZSK and KSK", curkey->algo);
945 if (jitter > defalt) {
946 dual_log(
"ERROR: Jitter time (%d seconds) is greater than the " 947 "Default Validity (%d seconds) for %s policy in %s",
948 jitter, defalt, policy_name, kasp);
951 if (jitter > denial) {
952 dual_log(
"ERROR: Jitter time (%d seconds) is greater than the " 953 "Denial Validity (%d seconds) for %s policy in %s",
954 jitter, denial, policy_name, kasp);
959 firstkey = firstkey->next;
1031 const char *ptr = text;
1033 long temp_interval = 0;
1035 if (!text || !interval || !*text)
return 4;
1036 length = strlen(text);
1037 if (length <= 2)
return 2;
1043 if (*ptr !=
'P')
return 2;
1046 end = text + length;
1050 if (!got_temp || !is_time)
return 2;
1051 temp_interval += temp;
1057 if (!got_temp)
return 2;
1059 temp_interval += 60 * temp;
1061 temp_interval += 31 * 24 * 60 * 60 * temp;
1069 if (!got_temp || !is_time)
return 2;
1070 temp_interval += 60 * 60 * temp;
1076 if (!got_temp || is_time)
return 2;
1077 temp_interval += 24 * 60 * 60 * temp;
1083 if (!got_temp || is_time)
return 2;
1084 temp_interval += 7 * 24 * 60 * 60 * temp;
1090 if (!got_temp || is_time)
return 2;
1091 temp_interval += 365 * 24 * 60 * 60 * temp;
1113 temp = strtol(ptr, &endptr, 10);
1114 if (temp == LONG_MIN || temp == LONG_MAX)
1123 if (ptr != end)
return 2;
1130 if (temp && !is_time)
return 2;
1131 temp_interval += temp;
1133 if (is_neg) temp_interval *= -1;
1134 *interval = (int) temp_interval;
1164 if (value == NULL) {
1165 dual_log(
"ERROR: NULL value passed to StrStrtoi");
1170 if ((longval >= INT_MIN) && (longval <= INT_MAX)) {
1171 *value = (int) longval;
1210 if (value == NULL) {
1211 dual_log(
"ERROR: NULL value passed to StrStrtol");
1223 *value = strtol(start, &endptr, 10);
1228 status = (*endptr ==
'\0') ? 0 : 1;
1259 char* duplicate = NULL;
1262 duplicate = strdup(
string);
1263 if (duplicate == NULL) {
1264 dual_log(
"ERROR: StrStrdup: Call to malloc() returned null - out of swap space?");
1321 int textlen = strlen(text);
1322 while (-- textlen >= 0) {
1323 if (! isspace((
int) text[textlen])) {
1324 text[textlen + 1] =
'\0';
1356 while (*text && isspace((
int) *text)) {
1366 void *ptr = calloc(nmemb, size);
1368 dual_log(
"ERROR: calloc: Out of swap space");
1375 static void quiet_error_func(
void * ctx,
const char * msg, ...)
1377 (void)ctx; (void)msg;
1387 char ***repo_listout,
int *repo_countout,
int verbose)
1392 int temp_status = 0;
1397 xmlXPathContextPtr xpath_ctx;
1398 xmlXPathObjectPtr xpath_obj;
1401 char* signer_dir = NULL;
1402 int signer_dir_default = 0;
1403 char* enforcer_dir = NULL;
1404 int enforcer_dir_default = 0;
1407 int* repo_mods = NULL;
1410 xmlSetGenericErrorFunc(NULL, quiet_error_func);
1413 status =
check_rng(conf, OPENDNSSEC_SCHEMA_DIR
"/conf.rng", verbose);
1416 if (status != 0)
return status;
1417 dual_log(
"INFO: The XML in %s is valid", conf);
1420 doc = xmlParseFile(conf);
1421 if (doc == NULL)
return 1;
1424 xpath_ctx = xmlXPathNewContext(doc);
1425 if(xpath_ctx == NULL) {
1431 xexpr = (xmlChar *)
"//Configuration/RepositoryList/Repository";
1432 xpath_obj = xmlXPathEvalExpression(xexpr, xpath_ctx);
1433 if(xpath_obj == NULL) {
1434 xmlXPathFreeContext(xpath_ctx);
1439 if (xpath_obj->nodesetval) {
1440 repo_count = xpath_obj->nodesetval->nodeNr;
1441 *repo_countout = repo_count;
1444 repo_mods = (
int*)malloc(
sizeof(
int) * repo_count);
1445 repo_list = (
char**)malloc(
sizeof(
char*) * repo_count);
1446 *repo_listout = repo_list;
1448 if (repo == NULL || repo_mods == NULL || repo_list == NULL) {
1449 dual_log(
"ERROR: malloc for repo information failed");
1453 for (i = 0; i < repo_count; i++) {
1456 curNode = xpath_obj->nodesetval->nodeTab[i]->xmlChildrenNode;
1459 repo[i].
name = (
char *) xmlGetProp(xpath_obj->nodesetval->nodeTab[i],
1460 (
const xmlChar *)
"name");
1464 if (xmlStrEqual(curNode->name, (
const xmlChar *)
"TokenLabel"))
1465 repo[i].
TokenLabel = (
char *) xmlNodeGetContent(curNode);
1466 if (xmlStrEqual(curNode->name, (
const xmlChar *)
"Module"))
1467 repo[i].module = (
char *) xmlNodeGetContent(curNode);
1468 curNode = curNode->next;
1472 xmlXPathFreeObject(xpath_obj);
1475 for (i = 0; i < repo_count; i++) {
1477 if (repo_mods[i] == 0) {
1480 status +=
check_file(repo[i].module,
"Module");
1485 for (j = i+1; j < repo_count; j++) {
1486 if ( repo_mods[j] == 0 &&
1487 (strcmp(repo[i].module, repo[j].module) == 0) ) {
1490 if (strcmp(repo[i].TokenLabel, repo[j].TokenLabel) == 0) {
1491 dual_log(
"ERROR: Multiple Repositories (%s and %s) in %s have the same Module (%s) and TokenLabel (%s)", repo[i].name, repo[j].name, conf, repo[i].module, repo[i].TokenLabel);
1499 for (j = i+1; j < repo_count; j++) {
1500 if (strcmp(repo[i].name, repo[j].name) == 0) {
1501 dual_log(
"ERROR: Two repositories exist with the same name (%s)", repo[i].name);
1509 if (*kasp == NULL) {
1510 xexpr = (xmlChar *)
"//Configuration/Common/PolicyFile";
1511 xpath_obj = xmlXPathEvalExpression(xexpr, xpath_ctx);
1512 if(xpath_obj == NULL) {
1513 xmlXPathFreeContext(xpath_ctx);
1516 for (i = 0; i < repo_count; i++) {
1518 free(repo[i].module);
1519 free(repo[i].TokenLabel);
1526 *kasp = (
char*) xmlXPathCastToString(xpath_obj);
1527 xmlXPathFreeObject(xpath_obj);
1530 if (*zonelist == NULL) {
1531 xexpr = (xmlChar *)
"//Configuration/Common/ZoneListFile";
1532 xpath_obj = xmlXPathEvalExpression(xexpr, xpath_ctx);
1533 if(xpath_obj == NULL) {
1534 xmlXPathFreeContext(xpath_ctx);
1537 for (i = 0; i < repo_count; i++) {
1539 free(repo[i].module);
1540 free(repo[i].TokenLabel);
1547 *zonelist = (
char*) xmlXPathCastToString(xpath_obj);
1548 xmlXPathFreeObject(xpath_obj);
1555 (xmlChar *)
"//Configuration/Enforcer/Privileges/User",
1556 (xmlChar *)
"//Configuration/Enforcer/Privileges/Group");
1561 (xmlChar *)
"//Configuration/Enforcer/Datastore/SQLite");
1562 if (temp_status == -1) {
1568 status += temp_status;
1576 status +=
check_time_def_from_xpath(xpath_ctx, (xmlChar *)
"//Configuration/Enforcer/RolloverNotification",
"Configuration",
"Enforcer/RolloverNotification", conf);
1580 (xmlChar *)
"//Configuration/Enforcer/DelegationSignerSubmitCommand");
1581 if (temp_status > 0) {
1582 status += temp_status;
1587 (xmlChar *)
"//Configuration/Enforcer/WorkingDirectory");
1588 if (temp_status == -1) {
1590 temp_status =
check_path(OPENDNSSEC_STATE_DIR
"/enforcer",
1591 "default Enforcer WorkingDirectory");
1593 if (temp_status > 0) {
1594 status += temp_status;
1600 (xmlChar *)
"//Configuration/Signer/Privileges/User",
1601 (xmlChar *)
"//Configuration/Signer/Privileges/Group");
1605 (xmlChar *)
"//Configuration/Signer/WorkingDirectory");
1606 if (temp_status == -1) {
1608 temp_status =
check_path(OPENDNSSEC_STATE_DIR
"/signer",
1609 "default Signer WorkingDirectory");
1611 if (temp_status > 0) {
1612 status += temp_status;
1616 xexpr = (xmlChar *)
"//Configuration/Signer/WorkingDirectory";
1617 xpath_obj = xmlXPathEvalExpression(xexpr, xpath_ctx);
1618 if (NULL == xpath_obj || xpath_obj->nodesetval->nodeNr == 0) {
1619 signer_dir = (
char*) OPENDNSSEC_STATE_DIR
"/signer";
1620 signer_dir_default = 1;
1623 signer_dir = (
char*) xmlXPathCastToString(xpath_obj);
1624 xmlXPathFreeObject(xpath_obj);
1626 xexpr = (xmlChar *)
"//Configuration/Enforcer/WorkingDirectory";
1627 xpath_obj = xmlXPathEvalExpression(xexpr, xpath_ctx);
1628 if (NULL == xpath_obj || xpath_obj->nodesetval->nodeNr == 0) {
1629 enforcer_dir = (
char*) OPENDNSSEC_STATE_DIR
"/enforcer";
1630 enforcer_dir_default = 1;
1633 enforcer_dir = (
char*) xmlXPathCastToString(xpath_obj);
1634 xmlXPathFreeObject(xpath_obj);
1636 temp_status = strcmp(signer_dir, enforcer_dir);
1637 if (0 == temp_status) {
1639 dual_log(
"ERROR: signer workingdirectory is the same as the one of enforcer");
1641 if (0 == signer_dir_default)
1643 if (0 == enforcer_dir_default)
1646 xmlXPathFreeContext(xpath_ctx);
1649 for (i = 0; i < repo_count; i++) {
1651 free(repo[i].module);
1652 free(repo[i].TokenLabel);
1668 xmlXPathContextPtr xpath_ctx;
1669 xmlXPathObjectPtr xpath_obj;
1671 int i, j, found, status = 0;
1674 if (!zonelist || !strncmp(zonelist,
"", 1)) {
1675 dual_log(
"ERROR: No location for zonelist.xml set");
1680 xmlSetGenericErrorFunc(NULL, quiet_error_func);
1683 if (
check_rng(zonelist, OPENDNSSEC_SCHEMA_DIR
"/zonelist.rng", verbose) != 0)
1687 doc = xmlParseFile(zonelist);
1692 xpath_ctx = xmlXPathNewContext(doc);
1693 if(xpath_ctx == NULL) {
1698 xexpr = (xmlChar *)
"//ZoneList/Zone/Policy";
1699 xpath_obj = xmlXPathEvalExpression(xexpr, xpath_ctx);
1700 if(xpath_obj == NULL) {
1701 xmlXPathFreeContext(xpath_ctx);
1706 if (xpath_obj->nodesetval) {
1707 for (i = 0; i < xpath_obj->nodesetval->nodeNr; i++) {
1708 policy_name = (
char*)xmlNodeGetContent(xpath_obj->nodesetval->nodeTab[i]);
1712 for (j = 0; j < policy_count; j++) {
1713 if (!strcmp(policy_name, policy_names[j])) {
1720 dual_log(
"ERROR: Policy %s in zonelist does not exist!", policy_name);
1723 if (policy_name) free(policy_name);
1727 xmlXPathFreeObject(xpath_obj);
1728 xmlXPathFreeContext(xpath_ctx);
1732 if (!status)
dual_log(
"INFO: The XML in %s is valid", zonelist);
1740 int check_kasp(
const char *kasp,
char **repo_list,
int repo_count,
int verbose,
1741 char ***policy_names_out,
int *policy_count_out)
1747 xmlXPathContextPtr xpath_ctx;
1748 xmlXPathObjectPtr xpath_obj;
1752 int policy_count = 0;
1753 char **policy_names = NULL;
1754 int default_found = 0;
1757 xmlSetGenericErrorFunc(NULL, quiet_error_func);
1760 dual_log(
"ERROR: No location for kasp.xml set");
1765 status =
check_rng(kasp, OPENDNSSEC_SCHEMA_DIR
"/kasp.rng", verbose);
1768 dual_log(
"INFO: The XML in %s is valid", kasp);
1774 doc = xmlParseFile(kasp);
1780 xpath_ctx = xmlXPathNewContext(doc);
1781 if(xpath_ctx == NULL) {
1788 xexpr = (xmlChar *)
"//KASP/Policy";
1789 xpath_obj = xmlXPathEvalExpression(xexpr, xpath_ctx);
1790 if(xpath_obj == NULL) {
1791 xmlXPathFreeContext(xpath_ctx);
1796 if (xpath_obj->nodesetval) {
1797 policy_count = xpath_obj->nodesetval->nodeNr;
1799 policy_names = (
char**)malloc(
sizeof(
char*) * policy_count);
1800 if (policy_names == NULL) {
1801 dual_log(
"ERROR: Malloc for policy names failed");
1805 for (i = 0; i < policy_count; i++) {
1807 policy_names[i] = (
char *) xmlGetProp(xpath_obj->nodesetval->nodeTab[i],
1808 (
const xmlChar *)
"name");
1813 for (i = 0; i < policy_count; i++) {
1814 if (strcmp(policy_names[i],
"default") == 0) {
1817 for (j = i+1; j < policy_count; j++) {
1818 if ( (strcmp(policy_names[i], policy_names[j]) == 0) ) {
1819 dual_log(
"ERROR: Two policies exist with the same name (%s)", policy_names[i]);
1824 if (default_found == 0) {
1825 dual_log(
"WARNING: No policy named 'default' in %s. This means you will need to refer explicitly to the policy for each zone", kasp);
1829 for (i = 0; i < policy_count; i++) {
1830 curNode = xpath_obj->nodesetval->nodeTab[i]->xmlChildrenNode;
1832 status +=
check_policy(curNode, policy_names[i], repo_list, repo_count, kasp);
1835 if (!status && policy_names_out && policy_count_out) {
1836 *policy_names_out = policy_names;
1837 *policy_count_out = policy_count;
1840 for (i = 0; i < policy_count; i++) {
1841 free(policy_names[i]);
1846 xmlXPathFreeObject(xpath_obj);
1847 xmlXPathFreeContext(xpath_ctx);
int check_time_def(const char *time_expr, const char *location, const char *field, const char *filename, int *interval)
char * StrStrdup(const char *string)
int check_path(const char *pathname, const char *log_string)
int check_conf(const char *conf, char **kasp, char **zonelist, char ***repo_listout, int *repo_countout, int verbose)
int DtXMLIntervalSeconds(const char *text, int *interval)
void StrTrimR(char *text)
const char * policy_name(const policy_t *policy)
int check_policy(xmlNode *curNode, const char *policy_name, char **repo_list, int repo_count, const char *kasp)
int check_kasp(const char *kasp, char **repo_list, int repo_count, int verbose, char ***policy_names_out, int *policy_count_out)
int check_zonelist(const char *zonelist, int verbose, char **policy_names, int policy_count)
void * MemCalloc(size_t nmemb, size_t size)
int check_rng(const char *filename, const char *rngfilename, int verbose)
int check_path_from_xpath(xmlXPathContextPtr xpath_ctx, const char *log_string, const xmlChar *path_xexpr)
int check_file(const char *filename, const char *log_string)
int StrStrtol(const char *string, long *value)
int kc_helper_printto_stdout
void log_init(int facility, const char *program_name)
int StrStrtoi(const char *string, int *value)
void dual_log(const char *format,...)
int check_time_def_from_xpath(xmlXPathContextPtr xpath_ctx, const xmlChar *time_xexpr, const char *location, const char *field, const char *filename)
int check_user_group(xmlXPathContextPtr xpath_ctx, const xmlChar *user_xexpr, const xmlChar *group_xexpr)
int check_file_from_xpath(xmlXPathContextPtr xpath_ctx, const char *log_string, const xmlChar *file_xexpr)
char * StrTrimL(char *text)