41#include <libxml/tree.h>
42#include <libxml/parser.h>
43#include <libxml/xpath.h>
44#include <libxml/xpathInternals.h>
45#include <libxml/relaxng.h>
47#define StrFree(ptr) {if(ptr != NULL) {free(ptr); (ptr) = NULL;}}
51void log_init(
int facility,
const char *program_name)
53 openlog(program_name, 0, facility);
57#pragma GCC diagnostic push
58#pragma GCC diagnostic ignored "-Wformat-nonliteral"
64 va_start(args, format);
67 if (strncmp(format,
"ERROR:", 6) == 0) {
68 vsyslog(LOG_ERR, format, args);
69 }
else if (strncmp(format,
"WARNING:", 8) == 0) {
70 vsyslog(LOG_WARNING, format, args);
71 }
else if (strncmp(format,
"DEBUG:", 6) == 0) {
72 vsyslog(LOG_DEBUG, format, args);
74 vsyslog(LOG_INFO, format, args);
78 vprintf(format, args2);
85#pragma GCC diagnostic pop
88int check_rng(
const char *filename,
const char *rngfilename,
int verbose)
91 xmlDocPtr rngdoc = NULL;
92 xmlRelaxNGParserCtxtPtr rngpctx = NULL;
93 xmlRelaxNGValidCtxtPtr rngctx = NULL;
94 xmlRelaxNGPtr schema = NULL;
97 dual_log(
"DEBUG: About to check XML validity in %s with %s",
98 filename, rngfilename);
102 doc = xmlParseFile(filename);
104 dual_log(
"ERROR: unable to parse file \"%s\"", filename);
112 rngdoc = xmlParseFile(rngfilename);
113 if (rngdoc == NULL) {
114 dual_log(
"ERROR: unable to parse file \"%s\"", rngfilename);
124 rngpctx = xmlRelaxNGNewDocParserCtxt(rngdoc);
125 if (rngpctx == NULL) {
126 dual_log(
"ERROR: unable to create XML RelaxNGs parser context");
134 xmlRelaxNGSetParserErrors(rngpctx,
135 (xmlRelaxNGValidityErrorFunc) fprintf,
136 (xmlRelaxNGValidityWarningFunc) fprintf,
141 schema = xmlRelaxNGParse(rngpctx);
142 if (schema == NULL) {
143 dual_log(
"ERROR: unable to parse a schema definition resource");
145 xmlRelaxNGFreeParserCtxt(rngpctx);
153 rngctx = xmlRelaxNGNewValidCtxt(schema);
154 if (rngctx == NULL) {
155 dual_log(
"ERROR: unable to create RelaxNGs validation context based on the schema");
157 xmlRelaxNGFree(schema);
158 xmlRelaxNGFreeParserCtxt(rngpctx);
165 xmlRelaxNGSetValidErrors(rngctx,
166 (xmlRelaxNGValidityErrorFunc) fprintf,
167 (xmlRelaxNGValidityWarningFunc) fprintf,
171 if (xmlRelaxNGValidateDoc(rngctx,doc) != 0) {
172 dual_log(
"ERROR: %s fails to validate", filename);
174 xmlRelaxNGFreeValidCtxt(rngctx);
175 xmlRelaxNGFree(schema);
176 xmlRelaxNGFreeParserCtxt(rngpctx);
183 xmlRelaxNGFreeValidCtxt(rngctx);
184 xmlRelaxNGFree(schema);
185 xmlRelaxNGFreeParserCtxt(rngpctx);
192int check_file(
const char *filename,
const char *log_string) {
193 struct stat stat_ret;
195 if (stat(filename, &stat_ret) != 0) {
197 if (errno != ENOENT) {
198 dual_log(
"ERROR: cannot stat file %s: %s",
199 filename, strerror(errno));
203 dual_log(
"ERROR: %s (%s) does not exist", log_string, filename);
207 if (S_ISREG(stat_ret.st_mode)) {
212 dual_log(
"ERROR: %s (%s) does not exist", log_string, filename);
218 xmlXPathObjectPtr xpath_obj;
219 char* temp_char = NULL;
222 xpath_obj = xmlXPathEvalExpression(file_xexpr, xpath_ctx);
223 if(xpath_obj == NULL) {
224 dual_log(
"ERROR: unable to evaluate xpath expression: %s", file_xexpr);
227 if (xpath_obj->nodesetval != NULL && xpath_obj->nodesetval->nodeNr > 0) {
228 temp_char = (
char*) xmlXPathCastToString(xpath_obj);
231 str = strrchr(temp_char,
' ');
241 xmlXPathFreeObject(xpath_obj);
245 xmlXPathFreeObject(xpath_obj);
249int check_path(
const char *pathname,
const char *log_string) {
250 struct stat stat_ret;
252 if (stat(pathname, &stat_ret) != 0) {
253 if (errno != ENOENT) {
254 dual_log(
"ERROR: cannot stat directory %s: %s",
255 pathname, strerror(errno));
259 dual_log(
"ERROR: %s (%s) does not exist", log_string, pathname);
263 if (S_ISDIR(stat_ret.st_mode)) {
268 dual_log(
"ERROR: %s (%s) is not a directory", log_string, pathname);
274 xmlXPathObjectPtr xpath_obj;
275 char* temp_char = NULL;
277 xpath_obj = xmlXPathEvalExpression(path_xexpr, xpath_ctx);
278 if(xpath_obj == NULL) {
279 dual_log(
"ERROR: unable to evaluate xpath expression: %s", path_xexpr);
282 if (xpath_obj->nodesetval != NULL && xpath_obj->nodesetval->nodeNr > 0) {
283 temp_char = (
char*) xmlXPathCastToString(xpath_obj);
290 xmlXPathFreeObject(xpath_obj);
294 xmlXPathFreeObject(xpath_obj);
298int check_user_group(xmlXPathContextPtr xpath_ctx,
const xmlChar *user_xexpr,
const xmlChar *group_xexpr) {
300 xmlXPathObjectPtr xpath_obj;
301 char* temp_char = NULL;
307 xpath_obj = xmlXPathEvalExpression(group_xexpr, xpath_ctx);
308 if(xpath_obj == NULL) {
309 dual_log(
"ERROR: unable to evaluate xpath expression: %s", group_xexpr);
312 if (xpath_obj->nodesetval != NULL && xpath_obj->nodesetval->nodeNr > 0) {
313 temp_char = (
char*) xmlXPathCastToString(xpath_obj);
315 if ((grp = getgrnam(temp_char)) == NULL) {
316 dual_log(
"ERROR: Group '%s' does not exist", temp_char);
323 xmlXPathFreeObject(xpath_obj);
326 xpath_obj = xmlXPathEvalExpression(user_xexpr, xpath_ctx);
327 if(xpath_obj == NULL) {
328 dual_log(
"ERROR: unable to evaluate xpath expression: %s", user_xexpr);
331 if (xpath_obj->nodesetval != NULL && xpath_obj->nodesetval->nodeNr > 0) {
332 temp_char = (
char*) xmlXPathCastToString(xpath_obj);
334 if ((pwd = getpwnam(temp_char)) == NULL) {
335 dual_log(
"ERROR: User '%s' does not exist", temp_char);
343 xmlXPathFreeObject(xpath_obj);
348int check_time_def(
const char *time_expr,
const char *location,
const char *field,
const char *filename,
int* interval) {
355 dual_log(
"WARNING: In %s M used in duration field for %s (%s) in %s - this will be interpreted as 31 days", location, field, time_expr, filename);
358 dual_log(
"WARNING: In %s Y used in duration field for %s (%s) in %s - this will be interpreted as 365 days", location, field, time_expr, filename);
361 dual_log(
"WARNING: In %s M & Y used in duration field for %s (%s) in %s - these will be interpreted as 31 and 365 days respectively", location, field, time_expr, filename);
364 dual_log(
"ERROR: unable to translate %s (%s) to seconds.", field, time_expr);
367 dual_log(
"ERROR: %s (%s) too long to be an int. E.g. Maximum is ~68 years on a system with 32-bit integers.", field, time_expr);
370 dual_log(
"ERROR: invalid pointers or text string NULL in %s (%s).", field, time_expr);
373 dual_log(
"ERROR: unknown error converting %s (%s) to seconds", field, time_expr);
385int check_time_def_from_xpath(xmlXPathContextPtr xpath_ctx,
const xmlChar *time_xexpr,
const char *location,
const char *field,
const char *filename) {
387 xmlXPathObjectPtr xpath_obj;
388 char* temp_char = NULL;
392 xpath_obj = xmlXPathEvalExpression(time_xexpr, xpath_ctx);
393 if(xpath_obj == NULL) {
394 dual_log(
"ERROR: unable to evaluate xpath expression: %s", time_xexpr);
397 if (xpath_obj->nodesetval != NULL && xpath_obj->nodesetval->nodeNr > 0) {
398 temp_char = (
char *)xmlXPathCastToString(xpath_obj);
399 status +=
check_time_def(temp_char, location, field, filename, &ignore);
403 xmlXPathFreeObject(xpath_obj);
411 char* temp_char = NULL;
417 int resigns_per_day = 0;
434 enum {KSK = 1, ZSK, CSK};
443 struct key *tmpkey, *firstkey = NULL, *curkey = NULL;
449 if (xmlStrEqual(curNode->name, (
const xmlChar *)
"Signatures")) {
450 childNode = curNode->children;
452 if (xmlStrEqual(childNode->name, (
const xmlChar *)
"Resign")) {
453 temp_char = (
char *) xmlNodeGetContent(childNode);
454 status +=
check_time_def(temp_char, my_policy,
"Signatures/Resign", kasp, &resign);
457 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"Refresh")) {
458 temp_char = (
char *) xmlNodeGetContent(childNode);
459 status +=
check_time_def(temp_char, my_policy,
"Signatures/Refresh", kasp, &refresh);
462 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"Validity")) {
463 childNode2 = childNode->children;
465 if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Default")) {
466 temp_char = (
char *) xmlNodeGetContent(childNode2);
467 status +=
check_time_def(temp_char, my_policy,
"Signatures/Validity/Default", kasp, &defalt);
470 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Denial")) {
471 temp_char = (
char *) xmlNodeGetContent(childNode2);
472 status +=
check_time_def(temp_char, my_policy,
"Signatures/Validity/Denial", kasp, &denial);
475 childNode2 = childNode2->next;
478 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"Jitter")) {
479 temp_char = (
char *) xmlNodeGetContent(childNode);
480 status +=
check_time_def(temp_char, my_policy,
"Signatures/Jitter", kasp, &jitter);
483 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"InceptionOffset")) {
484 temp_char = (
char *) xmlNodeGetContent(childNode);
485 status +=
check_time_def(temp_char, my_policy,
"Signatures/InceptionOffset", kasp, &inception);
488 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"MaxZoneTTL")) {
489 temp_char = (
char *) xmlNodeGetContent(childNode);
490 status +=
check_time_def(temp_char, my_policy,
"Signatures/MaxZoneTTL", kasp, &maxzone_ttl);
494 childNode = childNode->next;
497 else if (xmlStrEqual(curNode->name, (
const xmlChar *)
"Denial")) {
498 childNode = curNode->children;
501 if (xmlStrEqual(childNode->name, (
const xmlChar *)
"NSEC")) {
504 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"NSEC3")) {
506 childNode2 = childNode->children;
509 if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Resalt")) {
510 temp_char = (
char *) xmlNodeGetContent(childNode2);
511 status +=
check_time_def(temp_char, my_policy,
"Denial/NSEC3/Resalt", kasp, &resalt);
513 }
else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Hash")) {
514 childNode3 = childNode2->children;
516 if (xmlStrEqual(childNode3->name, (
const xmlChar *)
"Algorithm")) {
517 temp_char = (
char *) xmlNodeGetContent(childNode3);
519 hash_algo = atoi(temp_char);
520 if (hash_algo != 1) {
521 dual_log(
"ERROR: NSEC3 Hash algorithm for %s Policy "
527 }
else if (xmlStrEqual(childNode3->name, (
const xmlChar *)
"Iterations")) {
528 temp_char = (
char *) xmlNodeGetContent(childNode3);
530 hash_iters = atoi(temp_char);
531 if (hash_iters > 100) {
532 dual_log(
"WARNING: NSEC3 Hash iterations for %s Policy in %s is %d which is larger than the recommended maximum of 100",
policy_name, kasp, hash_iters);
536 childNode3 = childNode3->next;
540 childNode2 = childNode2->next;
544 childNode = childNode->next;
547 else if (xmlStrEqual(curNode->name, (
const xmlChar *)
"Keys")) {
548 childNode = curNode->children;
551 if (xmlStrEqual(childNode->name, (
const xmlChar *)
"TTL")) {
552 temp_char = (
char *) xmlNodeGetContent(childNode);
553 status +=
check_time_def(temp_char, my_policy,
"Keys/TTL", kasp, &ttl);
556 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"RetireSafety")) {
557 temp_char = (
char *) xmlNodeGetContent(childNode);
558 status +=
check_time_def(temp_char, my_policy,
"Keys/RetireSafety", kasp, &retire);
561 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"PublishSafety")) {
562 temp_char = (
char *) xmlNodeGetContent(childNode);
563 status +=
check_time_def(temp_char, my_policy,
"Keys/PublishSafety", kasp, &publish);
566 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"KSK")) {
567 childNode2 = childNode->children;
569 firstkey = curkey = (
struct key*) malloc(
sizeof *curkey);
571 curkey->next = (
struct key*) malloc(
sizeof *curkey);
572 curkey = curkey->next;
574 memset(curkey, 0,
sizeof *curkey);
579 if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Algorithm")) {
580 temp_char = (
char *) xmlNodeGetContent(childNode2);
584 temp_char = (
char *)xmlGetProp(childNode2, (
const xmlChar *)
"length");
588 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Lifetime")) {
589 temp_char = (
char *) xmlNodeGetContent(childNode2);
590 status +=
check_time_def(temp_char, my_policy,
"Keys/KSK Lifetime", kasp, &curkey->life);
593 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Repository")) {
594 curkey->repo = (
char *) xmlNodeGetContent(childNode2);
597 childNode2 = childNode2->next;
600 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"ZSK")) {
601 childNode2 = childNode->children;
603 firstkey = curkey = (
struct key*) malloc(
sizeof *curkey);
605 curkey->next = (
struct key*) malloc(
sizeof *curkey);
606 curkey = curkey->next;
608 memset(curkey, 0,
sizeof *curkey);
613 if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Algorithm")) {
614 temp_char = (
char *) xmlNodeGetContent(childNode2);
618 temp_char = (
char *)xmlGetProp(childNode2, (
const xmlChar *)
"length");
623 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Lifetime")) {
624 temp_char = (
char *) xmlNodeGetContent(childNode2);
625 status +=
check_time_def(temp_char, my_policy,
"Keys/ZSK Lifetime", kasp, &curkey->life);
628 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Repository")) {
629 curkey->repo = (
char *) xmlNodeGetContent(childNode2);
632 childNode2 = childNode2->next;
635 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"CSK")) {
636 childNode2 = childNode->children;
638 firstkey = curkey = (
struct key*) malloc(
sizeof *curkey);
640 curkey->next = (
struct key*) malloc(
sizeof *curkey);
641 curkey = curkey->next;
643 memset(curkey, 0,
sizeof *curkey);
648 if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Algorithm")) {
649 temp_char = (
char *) xmlNodeGetContent(childNode2);
653 temp_char = (
char *)xmlGetProp(childNode2, (
const xmlChar *)
"length");
658 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Lifetime")) {
659 temp_char = (
char *) xmlNodeGetContent(childNode2);
660 status +=
check_time_def(temp_char, my_policy,
"Keys/CSK Lifetime", kasp, &curkey->life);
663 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Repository")) {
664 curkey->repo = (
char *) xmlNodeGetContent(childNode2);
667 childNode2 = childNode2->next;
671 childNode = childNode->next;
674 else if (xmlStrEqual(curNode->name, (
const xmlChar *)
"Zone")) {
675 childNode = curNode->children;
678 if (xmlStrEqual(childNode->name, (
const xmlChar *)
"SOA")) {
679 childNode2 = childNode->children;
682 if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Serial")) {
683 serial = (
char *) xmlNodeGetContent(childNode2);
686 childNode2 = childNode2->next;
690 childNode = childNode->next;
693 else if (xmlStrEqual(curNode->name, (
const xmlChar *)
"Parent")) {
694 childNode = curNode->children;
697 if (xmlStrEqual(childNode->name, (
const xmlChar *)
"DS")) {
698 childNode2 = childNode->children;
701 if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"TTL")) {
702 temp_char = (
char *) xmlNodeGetContent(childNode2);
703 status +=
check_time_def(temp_char, my_policy,
"Parent/DS/TTL", kasp, &ds_ttl);
707 childNode2 = childNode2->next;
711 childNode = childNode->next;
716 curNode = curNode->next;
722 for (curkey = firstkey; curkey; curkey = curkey->next) {
723 if ((curkey->type & KSK) && ds_ttl + ttl >= curkey->life) {
724 dual_log(
"ERROR: KSK/Lifetime (%d seconds) for policy '%s' "
725 "must be greater than the DNSKEY record TTL (%d seconds) plus "
726 "the DS record TTL (%d seconds). This time is needed to pass for the "
727 "KSK to be able to reach the ready state.",
732 if ((curkey->type & ZSK) && maxzone_ttl + ttl >= curkey->life) {
733 dual_log(
"ERROR: ZSK/Lifetime (%d seconds) for policy '%s' "
734 "must be greater than the DNSKEY record TTL (%d seconds) plus "
735 "the MaxZoneTTL (%d seconds). This time is needed to pass for the "
736 "ZSK to be able to reach the ready state.",
740 if ((curkey->type & ZSK) && defalt > curkey->life) {
741 dual_log(
"WARNING: ZSK/Lifetime (%d seconds) for policy '%s' "
742 "is less than Validity/Default (%d seconds), this might "
743 "be a configuration error.",
749 if (refresh <= resign) {
750 dual_log(
"ERROR: The Refresh interval (%d seconds) for "
751 "%s Policy in %s is less than or equal to the Resign interval "
752 "(%d seconds)", refresh,
policy_name, kasp, resign);
758 if (defalt <= refresh) {
759 dual_log(
"ERROR: Validity/Default (%d seconds) for "
760 "%s policy in %s is less than or equal to the Refresh interval "
761 "(%d seconds)", defalt,
policy_name, kasp, refresh);
764 if (denial <= refresh) {
765 dual_log(
"ERROR: Validity/Denial (%d seconds) for "
766 "%s policy in %s is less than or equal to the Refresh interval "
767 "(%d seconds)", denial,
policy_name, kasp, refresh);
775 if (defalt > denial) {
776 if (jitter > (defalt * 0.5)) {
777 dual_log(
"WARNING: Jitter time (%d seconds) is large "
778 "compared to Validity/Default (%d seconds) "
779 "for %s policy in %s", jitter, defalt,
policy_name, kasp);
782 if (jitter > (denial * 0.5)) {
783 dual_log(
"WARNING: Jitter time (%d seconds) is large "
784 "compared to Validity/Denial (%d seconds) "
785 "for %s policy in %s", jitter, denial,
policy_name, kasp);
793 if (inception > 3600) {
794 dual_log(
"WARNING: InceptionOffset is higher than expected "
795 "(%d seconds) for %s policy in %s",
801 if (publish < (ttl * 0.1)) {
802 dual_log(
"WARNING: Keys/PublishSafety (%d seconds) is less than "
803 "0.1 * TTL (%d seconds) for %s policy in %s",
806 else if (publish > (ttl * 5)) {
807 dual_log(
"WARNING: Keys/PublishSafety (%d seconds) is greater than "
808 "5 * TTL (%d seconds) for %s policy in %s",
812 if (retire < (ttl * 0.1)) {
813 dual_log(
"WARNING: Keys/RetireSafety (%d seconds) is less than "
814 "0.1 * TTL (%d seconds) for %s policy in %s",
817 else if (retire > (ttl * 5)) {
818 dual_log(
"WARNING: Keys/RetireSafety (%d seconds) is greater than "
819 "5 * TTL (%d seconds) for %s policy in %s",
827 else if (nsec == 3) {
828 for (curkey = firstkey; curkey; curkey = curkey->next) {
829 if ((curkey->type & KSK) && curkey->algo <= 5) {
830 dual_log(
"ERROR: In policy %s, incompatible algorithm (%d) used for "
831 "KSK NSEC3 in %s.",
policy_name, curkey->algo, kasp);
834 if ((curkey->type & ZSK) && curkey->algo <= 5) {
835 dual_log(
"ERROR: In policy %s, incompatible algorithm (%d) used for "
836 "ZSK NSEC3 in %s.",
policy_name, curkey->algo, kasp);
842 if (resalt < resign) {
843 dual_log(
"WARNING: NSEC3 resalt interval (%d secs) is less than "
844 "signature resign interval (%d secs) for %s Policy",
853 if (serial != NULL && strncmp(serial,
"datecounter", 11) == 0) {
855 resigns_per_day = (60 * 60 * 24) / resign;
856 if (resigns_per_day > 99) {
857 dual_log(
"ERROR: In %s, policy %s, serial type datecounter used "
858 "but %d re-signs requested. No more than 99 re-signs per "
859 "day should be used with datecounter as only 2 digits are "
860 "allocated for the version number.",
870 for (curkey = firstkey; curkey; curkey = curkey->next) {
871 if ((curkey->type & KSK) && (curkey->algo == 5 ||
872 curkey->algo == 7 ||curkey->algo == 8 ||
873 curkey->algo == 10)) {
874 if (curkey->length < 1024) {
875 dual_log(
"WARNING: Key length of %d used for KSK in %s policy in %s. Should "
876 "probably be 1024 or more", curkey->length,
policy_name, kasp);
878 else if (curkey->length > 4096) {
879 dual_log(
"ERROR: Key length of %d used for KSK in %s policy in %s. Should "
880 "be 4096 or less", curkey->length,
policy_name, kasp);
884 if ((curkey->type & ZSK) && (curkey->algo == 5 ||
885 curkey->algo == 7 || curkey->algo == 8 ||
886 curkey->algo == 10)) {
887 if (curkey->length < 1024) {
888 dual_log(
"WARNING: Key length of %d used for ZSK in %s policy in %s. Should "
889 "probably be 1024 or more", curkey->length,
policy_name, kasp);
891 else if (curkey->length > 4096) {
892 dual_log(
"ERROR: Key length of %d used for ZSK in %s policy in %s. Should "
893 "be 4096 or less", curkey->length,
policy_name, kasp);
902 for (curkey = firstkey; curkey; curkey = curkey->next) {
903 if ((curkey->type & KSK) && curkey->repo != NULL) {
904 for (i = 0; i < repo_count; i++) {
905 if (strcmp(curkey->repo, repo_list[i]) == 0) {
909 if (i >= repo_count) {
910 dual_log(
"ERROR: Unknown repository (%s) defined for KSK in "
911 "%s policy in %s", curkey->repo,
policy_name, kasp);
916 if ((curkey->type & ZSK) && curkey->repo != NULL) {
917 for (i = 0; i < repo_count; i++) {
918 if (strcmp(curkey->repo, repo_list[i]) == 0) {
922 if (i >= repo_count) {
923 dual_log(
"ERROR: Unknown repository (%s) defined for ZSK in "
931 for (curkey = firstkey; curkey; curkey = curkey->next) {
932 if (!(curkey->type & KSK))
continue;
934 for (tmpkey = firstkey; tmpkey; tmpkey = tmpkey->next) {
935 if (!(tmpkey->type & ZSK))
continue;
936 if (tmpkey->algo != curkey->algo)
continue;
939 if (curkey->life < tmpkey->life) {
940 dual_log(
"WARNING: KSK minimum lifetime (%d seconds) is less than "
941 "ZSK minimum lifetime (%d seconds) for %s Policy in %s",
946 dual_log(
"ERROR: ZSK with algorithm %i not found, algorithm mismatch between ZSK and KSK", curkey->algo);
954 if (jitter > defalt) {
955 dual_log(
"ERROR: Jitter time (%d seconds) is greater than the "
956 "Default Validity (%d seconds) for %s policy in %s",
960 if (jitter > denial) {
961 dual_log(
"ERROR: Jitter time (%d seconds) is greater than the "
962 "Denial Validity (%d seconds) for %s policy in %s",
968 firstkey = firstkey->next;
1040 const char *ptr = text;
1042 long temp_interval = 0;
1044 if (!text || !interval || !*text)
return 4;
1045 length = strlen(text);
1046 if (length <= 2)
return 2;
1052 if (*ptr !=
'P')
return 2;
1055 end = text + length;
1059 if (!got_temp || !is_time)
return 2;
1060 temp_interval += temp;
1066 if (!got_temp)
return 2;
1068 temp_interval += 60 * temp;
1070 temp_interval += 31 * 24 * 60 * 60 * temp;
1078 if (!got_temp || !is_time)
return 2;
1079 temp_interval += 60 * 60 * temp;
1085 if (!got_temp || is_time)
return 2;
1086 temp_interval += 24 * 60 * 60 * temp;
1092 if (!got_temp || is_time)
return 2;
1093 temp_interval += 7 * 24 * 60 * 60 * temp;
1099 if (!got_temp || is_time)
return 2;
1100 temp_interval += 365 * 24 * 60 * 60 * temp;
1122 temp = strtol(ptr, &endptr, 10);
1123 if (temp == LONG_MIN || temp == LONG_MAX)
1132 if (ptr != end)
return 2;
1139 if (temp && !is_time)
return 2;
1140 temp_interval += temp;
1142 if (is_neg) temp_interval *= -1;
1143 *interval = (int) temp_interval;
1173 if (value == NULL) {
1174 dual_log(
"ERROR: NULL value passed to StrStrtoi");
1179 if ((longval >= INT_MIN) && (longval <= INT_MAX)) {
1180 *value = (int) longval;
1219 if (value == NULL) {
1220 dual_log(
"ERROR: NULL value passed to StrStrtol");
1232 *value = strtol(start, &endptr, 10);
1237 status = (*endptr ==
'\0') ? 0 : 1;
1268 char* duplicate = NULL;
1271 duplicate = strdup(
string);
1272 if (duplicate == NULL) {
1273 dual_log(
"ERROR: StrStrdup: Call to malloc() returned null - out of swap space?");
1330 int textlen = strlen(text);
1331 while (-- textlen >= 0) {
1332 if (! isspace((
int) text[textlen])) {
1333 text[textlen + 1] =
'\0';
1365 while (*text && isspace((
int) *text)) {
1375 void *ptr = calloc(nmemb, size);
1377 dual_log(
"ERROR: calloc: Out of swap space");
1384static void quiet_error_func(
void * ctx,
const char * msg, ...)
1386 (void)ctx; (void)msg;
1396 char ***repo_listout,
int *repo_countout,
int verbose)
1401 int temp_status = 0;
1406 xmlXPathContextPtr xpath_ctx;
1407 xmlXPathObjectPtr xpath_obj;
1410 char* signer_dir = NULL;
1411 int signer_dir_default = 0;
1412 char* enforcer_dir = NULL;
1413 int enforcer_dir_default = 0;
1416 int* repo_mods = NULL;
1419 xmlSetGenericErrorFunc(NULL, quiet_error_func);
1422 status =
check_rng(conf, OPENDNSSEC_SCHEMA_DIR
"/conf.rng", verbose);
1425 if (status != 0)
return status;
1426 dual_log(
"INFO: The XML in %s is valid", conf);
1429 doc = xmlParseFile(conf);
1430 if (doc == NULL)
return 1;
1433 xpath_ctx = xmlXPathNewContext(doc);
1434 if(xpath_ctx == NULL) {
1440 xexpr = (xmlChar *)
"//Configuration/RepositoryList/Repository";
1441 xpath_obj = xmlXPathEvalExpression(xexpr, xpath_ctx);
1442 if(xpath_obj == NULL) {
1443 xmlXPathFreeContext(xpath_ctx);
1448 if (xpath_obj->nodesetval) {
1449 repo_count = xpath_obj->nodesetval->nodeNr;
1450 *repo_countout = repo_count;
1453 repo_mods = (
int*)malloc(
sizeof(
int) * repo_count);
1454 repo_list = (
char**)malloc(
sizeof(
char*) * repo_count);
1455 *repo_listout = repo_list;
1457 if (repo == NULL || repo_mods == NULL || repo_list == NULL) {
1458 dual_log(
"ERROR: malloc for repo information failed");
1462 for (i = 0; i < repo_count; i++) {
1465 curNode = xpath_obj->nodesetval->nodeTab[i]->xmlChildrenNode;
1468 repo[i].
name = (
char *) xmlGetProp(xpath_obj->nodesetval->nodeTab[i],
1469 (
const xmlChar *)
"name");
1473 if (xmlStrEqual(curNode->name, (
const xmlChar *)
"TokenLabel"))
1474 repo[i].
TokenLabel = (
char *) xmlNodeGetContent(curNode);
1475 if (xmlStrEqual(curNode->name, (
const xmlChar *)
"Module"))
1476 repo[i].module = (
char *) xmlNodeGetContent(curNode);
1477 curNode = curNode->next;
1481 xmlXPathFreeObject(xpath_obj);
1484 for (i = 0; i < repo_count; i++) {
1486 if (repo_mods[i] == 0) {
1489 status +=
check_file(repo[i].module,
"Module");
1494 for (j = i+1; j < repo_count; j++) {
1495 if ( repo_mods[j] == 0 &&
1496 (strcmp(repo[i].module, repo[j].module) == 0) ) {
1499 if (strcmp(repo[i].TokenLabel, repo[j].TokenLabel) == 0) {
1500 dual_log(
"ERROR: Multiple Repositories (%s and %s) in %s have the same Module (%s) and TokenLabel (%s)", repo[i].name, repo[j].name, conf, repo[i].module, repo[i].TokenLabel);
1508 for (j = i+1; j < repo_count; j++) {
1509 if (strcmp(repo[i].name, repo[j].name) == 0) {
1510 dual_log(
"ERROR: Two repositories exist with the same name (%s)", repo[i].name);
1518 if (*kasp == NULL) {
1519 xexpr = (xmlChar *)
"//Configuration/Common/PolicyFile";
1520 xpath_obj = xmlXPathEvalExpression(xexpr, xpath_ctx);
1521 if(xpath_obj == NULL) {
1522 xmlXPathFreeContext(xpath_ctx);
1525 for (i = 0; i < repo_count; i++) {
1527 free(repo[i].module);
1528 free(repo[i].TokenLabel);
1535 *kasp = (
char*) xmlXPathCastToString(xpath_obj);
1536 xmlXPathFreeObject(xpath_obj);
1539 if (*zonelist == NULL) {
1540 xexpr = (xmlChar *)
"//Configuration/Common/ZoneListFile";
1541 xpath_obj = xmlXPathEvalExpression(xexpr, xpath_ctx);
1542 if(xpath_obj == NULL) {
1543 xmlXPathFreeContext(xpath_ctx);
1546 for (i = 0; i < repo_count; i++) {
1548 free(repo[i].module);
1549 free(repo[i].TokenLabel);
1556 *zonelist = (
char*) xmlXPathCastToString(xpath_obj);
1557 xmlXPathFreeObject(xpath_obj);
1564 (xmlChar *)
"//Configuration/Enforcer/Privileges/User",
1565 (xmlChar *)
"//Configuration/Enforcer/Privileges/Group");
1570 (xmlChar *)
"//Configuration/Enforcer/Datastore/SQLite");
1571 if (temp_status == -1) {
1577 status += temp_status;
1585 status +=
check_time_def_from_xpath(xpath_ctx, (xmlChar *)
"//Configuration/Enforcer/RolloverNotification",
"Configuration",
"Enforcer/RolloverNotification", conf);
1589 (xmlChar *)
"//Configuration/Enforcer/DelegationSignerSubmitCommand");
1590 if (temp_status > 0) {
1591 status += temp_status;
1596 (xmlChar *)
"//Configuration/Enforcer/WorkingDirectory");
1597 if (temp_status == -1) {
1599 temp_status =
check_path(OPENDNSSEC_STATE_DIR
"/enforcer",
1600 "default Enforcer WorkingDirectory");
1602 if (temp_status > 0) {
1603 status += temp_status;
1609 (xmlChar *)
"//Configuration/Signer/Privileges/User",
1610 (xmlChar *)
"//Configuration/Signer/Privileges/Group");
1614 (xmlChar *)
"//Configuration/Signer/WorkingDirectory");
1615 if (temp_status == -1) {
1617 temp_status =
check_path(OPENDNSSEC_STATE_DIR
"/signer",
1618 "default Signer WorkingDirectory");
1620 if (temp_status > 0) {
1621 status += temp_status;
1625 xexpr = (xmlChar *)
"//Configuration/Signer/WorkingDirectory";
1626 xpath_obj = xmlXPathEvalExpression(xexpr, xpath_ctx);
1627 if (NULL == xpath_obj || xpath_obj->nodesetval->nodeNr == 0) {
1628 signer_dir = (
char*) OPENDNSSEC_STATE_DIR
"/signer";
1629 signer_dir_default = 1;
1632 signer_dir = (
char*) xmlXPathCastToString(xpath_obj);
1633 xmlXPathFreeObject(xpath_obj);
1635 xexpr = (xmlChar *)
"//Configuration/Enforcer/WorkingDirectory";
1636 xpath_obj = xmlXPathEvalExpression(xexpr, xpath_ctx);
1637 if (NULL == xpath_obj || xpath_obj->nodesetval->nodeNr == 0) {
1638 enforcer_dir = (
char*) OPENDNSSEC_STATE_DIR
"/enforcer";
1639 enforcer_dir_default = 1;
1642 enforcer_dir = (
char*) xmlXPathCastToString(xpath_obj);
1643 xmlXPathFreeObject(xpath_obj);
1645 temp_status = strcmp(signer_dir, enforcer_dir);
1646 if (0 == temp_status) {
1648 dual_log(
"ERROR: signer workingdirectory is the same as the one of enforcer");
1650 if (0 == signer_dir_default)
1652 if (0 == enforcer_dir_default)
1655 xmlXPathFreeContext(xpath_ctx);
1658 for (i = 0; i < repo_count; i++) {
1660 free(repo[i].module);
1661 free(repo[i].TokenLabel);
1677 xmlXPathContextPtr xpath_ctx;
1678 xmlXPathObjectPtr xpath_obj;
1680 int i, j, found, status = 0;
1683 if (!zonelist || !strncmp(zonelist,
"", 1)) {
1684 dual_log(
"ERROR: No location for zonelist.xml set");
1689 xmlSetGenericErrorFunc(NULL, quiet_error_func);
1692 if (
check_rng(zonelist, OPENDNSSEC_SCHEMA_DIR
"/zonelist.rng", verbose) != 0)
1696 doc = xmlParseFile(zonelist);
1701 xpath_ctx = xmlXPathNewContext(doc);
1702 if(xpath_ctx == NULL) {
1707 xexpr = (xmlChar *)
"//ZoneList/Zone/Policy";
1708 xpath_obj = xmlXPathEvalExpression(xexpr, xpath_ctx);
1709 if(xpath_obj == NULL) {
1710 xmlXPathFreeContext(xpath_ctx);
1715 if (xpath_obj->nodesetval) {
1716 for (i = 0; i < xpath_obj->nodesetval->nodeNr; i++) {
1717 policy_name = (
char*)xmlNodeGetContent(xpath_obj->nodesetval->nodeTab[i]);
1721 for (j = 0; j < policy_count; j++) {
1736 xmlXPathFreeObject(xpath_obj);
1737 xmlXPathFreeContext(xpath_ctx);
1741 if (!status)
dual_log(
"INFO: The XML in %s is valid", zonelist);
1749int check_kasp(
const char *kasp,
char **repo_list,
int repo_count,
int verbose,
1750 char ***policy_names_out,
int *policy_count_out)
1756 xmlXPathContextPtr xpath_ctx;
1757 xmlXPathObjectPtr xpath_obj;
1761 int policy_count = 0;
1762 char **policy_names = NULL;
1763 int default_found = 0;
1766 xmlSetGenericErrorFunc(NULL, quiet_error_func);
1769 dual_log(
"ERROR: No location for kasp.xml set");
1774 status =
check_rng(kasp, OPENDNSSEC_SCHEMA_DIR
"/kasp.rng", verbose);
1777 dual_log(
"INFO: The XML in %s is valid", kasp);
1783 doc = xmlParseFile(kasp);
1789 xpath_ctx = xmlXPathNewContext(doc);
1790 if(xpath_ctx == NULL) {
1797 xexpr = (xmlChar *)
"//KASP/Policy";
1798 xpath_obj = xmlXPathEvalExpression(xexpr, xpath_ctx);
1799 if(xpath_obj == NULL) {
1800 xmlXPathFreeContext(xpath_ctx);
1805 if (xpath_obj->nodesetval) {
1806 policy_count = xpath_obj->nodesetval->nodeNr;
1808 policy_names = (
char**)malloc(
sizeof(
char*) * policy_count);
1809 if (policy_names == NULL) {
1810 dual_log(
"ERROR: Malloc for policy names failed");
1814 for (i = 0; i < policy_count; i++) {
1816 policy_names[i] = (
char *) xmlGetProp(xpath_obj->nodesetval->nodeTab[i],
1817 (
const xmlChar *)
"name");
1822 for (i = 0; i < policy_count; i++) {
1823 if (strcmp(policy_names[i],
"default") == 0) {
1826 for (j = i+1; j < policy_count; j++) {
1827 if ( (strcmp(policy_names[i], policy_names[j]) == 0) ) {
1828 dual_log(
"ERROR: Two policies exist with the same name (%s)", policy_names[i]);
1833 if (default_found == 0) {
1834 dual_log(
"WARNING: No policy named 'default' in %s. This means you will need to refer explicitly to the policy for each zone", kasp);
1838 for (i = 0; i < policy_count; i++) {
1839 curNode = xpath_obj->nodesetval->nodeTab[i]->xmlChildrenNode;
1841 status +=
check_policy(curNode, policy_names[i], repo_list, repo_count, kasp);
1844 if (!status && policy_names_out && policy_count_out) {
1845 *policy_names_out = policy_names;
1846 *policy_count_out = policy_count;
1849 for (i = 0; i < policy_count; i++) {
1850 free(policy_names[i]);
1855 xmlXPathFreeObject(xpath_obj);
1856 xmlXPathFreeContext(xpath_ctx);
int check_time_def(const char *time_expr, const char *location, const char *field, const char *filename, int *interval)
int check_user_group(xmlXPathContextPtr xpath_ctx, const xmlChar *user_xexpr, const xmlChar *group_xexpr)
void log_init(int facility, const char *program_name)
int check_kasp(const char *kasp, char **repo_list, int repo_count, int verbose, char ***policy_names_out, int *policy_count_out)
int check_path(const char *pathname, const char *log_string)
char * StrStrdup(const char *string)
int check_rng(const char *filename, const char *rngfilename, int verbose)
int check_policy(xmlNode *curNode, const char *policy_name, char **repo_list, int repo_count, const char *kasp)
void * MemCalloc(size_t nmemb, size_t size)
int check_path_from_xpath(xmlXPathContextPtr xpath_ctx, const char *log_string, const xmlChar *path_xexpr)
int StrStrtol(const char *string, long *value)
int check_time_def_from_xpath(xmlXPathContextPtr xpath_ctx, const xmlChar *time_xexpr, const char *location, const char *field, const char *filename)
void dual_log(const char *format,...)
int StrStrtoi(const char *string, int *value)
int kc_helper_printto_stdout
int check_zonelist(const char *zonelist, int verbose, char **policy_names, int policy_count)
char * StrTrimL(char *text)
void StrTrimR(char *text)
int DtXMLIntervalSeconds(const char *text, int *interval)
int check_conf(const char *conf, char **kasp, char **zonelist, char ***repo_listout, int *repo_countout, int verbose)
int check_file_from_xpath(xmlXPathContextPtr xpath_ctx, const char *log_string, const xmlChar *file_xexpr)
int check_file(const char *filename, const char *log_string)
const char * policy_name(const policy_t *policy)