← Back to branch summary

~ubuntu-branches/ubuntu/natty/bind9/natty-updates

« back to all changes in this revision

Viewing changes to lib/bind9/check.c

  • Committer: Bazaar Package Importer
  • Author(s): LaMont Jones, Internet Software Consortium, Inc, LaMont Jones
  • Date: 2010-06-21 09:53:30 UTC
  • mfrom: (1.6.7 upstream)
  • Revision ID: james.westby@ubuntu.com-20100621095330-k6874kbj59lfo3xm
Tags: 1:9.7.1.dfsg-1
http://bugs.debian.org/578447
https://launchpad.net/bugs/596363
[Internet Software Consortium, Inc]

* 9.7.1

[LaMont Jones]

* Add freebsd support.  Closes: #578447
* soname changes
* freshen root cache.  LP: #596363

Show diffs side-by-side

added added

removed removed

Lines of Context:
lib/bind9/check.c
1
1
/*
2
 
 * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
 
2
 * Copyright (C) 2004-2010  Internet Systems Consortium, Inc. ("ISC")
3
3
 * Copyright (C) 2001-2003  Internet Software Consortium.
4
4
 *
5
5
 * Permission to use, copy, modify, and/or distribute this software for any
15
15
 * PERFORMANCE OF THIS SOFTWARE.
16
16
 */
17
17
 
18
 
/* $Id: check.c,v 1.114 2009/12/04 21:09:33 marka Exp $ */
 
18
/* $Id: check.c,v 1.114.4.2 2010/03/04 23:49:19 tbox Exp $ */
19
19
 
20
20
/*! \file */
21
21
 
42
42
#include <dns/rdatatype.h>
43
43
#include <dns/secalg.h>
44
44
 
 
45
#include <dst/dst.h>
 
46
 
45
47
#include <isccfg/aclconf.h>
46
48
#include <isccfg/cfg.h>
47
49
 
1741
1743
}
1742
1744
 
1743
1745
static isc_result_t
 
1746
check_trusted_key(const cfg_obj_t *key, isc_boolean_t managed,
 
1747
                  isc_log_t *logctx)
 
1748
{
 
1749
        const char *keystr, *keynamestr;
 
1750
        dns_fixedname_t fkeyname;
 
1751
        dns_name_t *keyname;
 
1752
        isc_buffer_t keydatabuf;
 
1753
        isc_region_t r;
 
1754
        isc_result_t result = ISC_R_SUCCESS;
 
1755
        isc_result_t tresult;
 
1756
        isc_uint32_t flags, proto, alg;
 
1757
        unsigned char keydata[4096];
 
1758
 
 
1759
        flags = cfg_obj_asuint32(cfg_tuple_get(key, "flags"));
 
1760
        proto = cfg_obj_asuint32(cfg_tuple_get(key, "protocol"));
 
1761
        alg = cfg_obj_asuint32(cfg_tuple_get(key, "algorithm"));
 
1762
        keyname = dns_fixedname_name(&fkeyname);
 
1763
        keynamestr = cfg_obj_asstring(cfg_tuple_get(key, "name"));
 
1764
 
 
1765
        if (flags > 0xffff) {
 
1766
                cfg_obj_log(key, logctx, ISC_LOG_WARNING,
 
1767
                            "flags too big: %u\n", flags);
 
1768
                result = ISC_R_FAILURE;
 
1769
        }
 
1770
        if (proto > 0xff) {
 
1771
                cfg_obj_log(key, logctx, ISC_LOG_WARNING,
 
1772
                            "protocol too big: %u\n", proto);
 
1773
                result = ISC_R_FAILURE;
 
1774
        }
 
1775
        if (alg > 0xff) {
 
1776
                cfg_obj_log(key, logctx, ISC_LOG_WARNING,
 
1777
                            "algorithm too big: %u\n", alg);
 
1778
                result = ISC_R_FAILURE;
 
1779
        }
 
1780
 
 
1781
        if (managed) {
 
1782
                const char *initmethod;
 
1783
                initmethod = cfg_obj_asstring(cfg_tuple_get(key, "init"));
 
1784
 
 
1785
                if (strcasecmp(initmethod, "initial-key") != 0) {
 
1786
                        cfg_obj_log(key, logctx, ISC_LOG_ERROR,
 
1787
                                    "managed key '%s': "
 
1788
                                    "invalid initialization method '%s'",
 
1789
                                    keynamestr, initmethod);
 
1790
                        result = ISC_R_FAILURE;
 
1791
                }
 
1792
        }
 
1793
 
 
1794
        isc_buffer_init(&keydatabuf, keydata, sizeof(keydata));
 
1795
 
 
1796
        keystr = cfg_obj_asstring(cfg_tuple_get(key, "key"));
 
1797
        tresult = isc_base64_decodestring(keystr, &keydatabuf);
 
1798
 
 
1799
        if (tresult != ISC_R_SUCCESS) {
 
1800
                cfg_obj_log(key, logctx, ISC_LOG_ERROR,
 
1801
                            "%s", isc_result_totext(tresult));
 
1802
                result = ISC_R_FAILURE;
 
1803
        } else {
 
1804
                isc_buffer_usedregion(&keydatabuf, &r);
 
1805
 
 
1806
                if ((alg == DST_ALG_RSASHA1 || alg == DST_ALG_RSAMD5) &&
 
1807
                    r.length > 1 && r.base[0] == 1 && r.base[1] == 3)
 
1808
                        cfg_obj_log(key, logctx, ISC_LOG_WARNING,
 
1809
                                    "%s key '%s' has a weak exponent",
 
1810
                                    managed ? "managed" : "trusted",
 
1811
                                    keynamestr);
 
1812
        }
 
1813
 
 
1814
        return (result);
 
1815
}
 
1816
 
 
1817
static isc_result_t
1744
1818
check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
1745
1819
               const char *viewname, dns_rdataclass_t vclass,
1746
1820
               isc_log_t *logctx, isc_mem_t *mctx)
1747
1821
{
1748
1822
        const cfg_obj_t *zones = NULL;
1749
1823
        const cfg_obj_t *keys = NULL;
1750
 
        const cfg_listelt_t *element;
 
1824
        const cfg_listelt_t *element, *element2;
1751
1825
        isc_symtab_t *symtab = NULL;
1752
1826
        isc_result_t result = ISC_R_SUCCESS;
1753
1827
        isc_result_t tresult = ISC_R_SUCCESS;
1888
1962
                cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
1889
1963
                            "'dnssec-validation yes;' and 'dnssec-enable no;'");
1890
1964
 
 
1965
        /*
 
1966
         * Check trusted-keys and managed-keys.
 
1967
         */
 
1968
        keys = NULL;
 
1969
        if (voptions != NULL)
 
1970
                (void)cfg_map_get(voptions, "trusted-keys", &keys);
 
1971
        if (keys == NULL)
 
1972
                (void)cfg_map_get(config, "trusted-keys", &keys);
 
1973
 
 
1974
        for (element = cfg_list_first(keys);
 
1975
             element != NULL;
 
1976
             element = cfg_list_next(element))
 
1977
        {
 
1978
                const cfg_obj_t *keylist = cfg_listelt_value(element);
 
1979
                for (element2 = cfg_list_first(keylist);
 
1980
                     element2 != NULL;
 
1981
                     element2 = cfg_list_next(element2)) {
 
1982
                        obj = cfg_listelt_value(element2);
 
1983
                        tresult = check_trusted_key(obj, ISC_FALSE, logctx);
 
1984
                        if (tresult != ISC_R_SUCCESS)
 
1985
                                result = tresult;
 
1986
                }
 
1987
        }
 
1988
 
 
1989
        keys = NULL;
 
1990
        if (voptions != NULL)
 
1991
                (void)cfg_map_get(voptions, "managed-keys", &keys);
 
1992
        if (keys == NULL)
 
1993
                (void)cfg_map_get(config, "managed-keys", &keys);
 
1994
 
 
1995
        for (element = cfg_list_first(keys);
 
1996
             element != NULL;
 
1997
             element = cfg_list_next(element))
 
1998
        {
 
1999
                const cfg_obj_t *keylist = cfg_listelt_value(element);
 
2000
                for (element2 = cfg_list_first(keylist);
 
2001
                     element2 != NULL;
 
2002
                     element2 = cfg_list_next(element2)) {
 
2003
                        obj = cfg_listelt_value(element2);
 
2004
                        tresult = check_trusted_key(obj, ISC_TRUE, logctx);
 
2005
                        if (tresult != ISC_R_SUCCESS)
 
2006
                                result = tresult;
 
2007
                }
 
2008
        }
 
2009
        /*
 
2010
         * Check options.
 
2011
         */
1891
2012
        if (voptions != NULL)
1892
2013
                tresult = check_options(voptions, logctx, mctx);
1893
2014
        else