1743
1745
static isc_result_t
1746
check_trusted_key(const cfg_obj_t *key, isc_boolean_t managed,
1749
const char *keystr, *keynamestr;
1750
dns_fixedname_t fkeyname;
1751
dns_name_t *keyname;
1752
isc_buffer_t keydatabuf;
1754
isc_result_t result = ISC_R_SUCCESS;
1755
isc_result_t tresult;
1756
isc_uint32_t flags, proto, alg;
1757
unsigned char keydata[4096];
1759
flags = cfg_obj_asuint32(cfg_tuple_get(key, "flags"));
1760
proto = cfg_obj_asuint32(cfg_tuple_get(key, "protocol"));
1761
alg = cfg_obj_asuint32(cfg_tuple_get(key, "algorithm"));
1762
keyname = dns_fixedname_name(&fkeyname);
1763
keynamestr = cfg_obj_asstring(cfg_tuple_get(key, "name"));
1765
if (flags > 0xffff) {
1766
cfg_obj_log(key, logctx, ISC_LOG_WARNING,
1767
"flags too big: %u\n", flags);
1768
result = ISC_R_FAILURE;
1771
cfg_obj_log(key, logctx, ISC_LOG_WARNING,
1772
"protocol too big: %u\n", proto);
1773
result = ISC_R_FAILURE;
1776
cfg_obj_log(key, logctx, ISC_LOG_WARNING,
1777
"algorithm too big: %u\n", alg);
1778
result = ISC_R_FAILURE;
1782
const char *initmethod;
1783
initmethod = cfg_obj_asstring(cfg_tuple_get(key, "init"));
1785
if (strcasecmp(initmethod, "initial-key") != 0) {
1786
cfg_obj_log(key, logctx, ISC_LOG_ERROR,
1787
"managed key '%s': "
1788
"invalid initialization method '%s'",
1789
keynamestr, initmethod);
1790
result = ISC_R_FAILURE;
1794
isc_buffer_init(&keydatabuf, keydata, sizeof(keydata));
1796
keystr = cfg_obj_asstring(cfg_tuple_get(key, "key"));
1797
tresult = isc_base64_decodestring(keystr, &keydatabuf);
1799
if (tresult != ISC_R_SUCCESS) {
1800
cfg_obj_log(key, logctx, ISC_LOG_ERROR,
1801
"%s", isc_result_totext(tresult));
1802
result = ISC_R_FAILURE;
1804
isc_buffer_usedregion(&keydatabuf, &r);
1806
if ((alg == DST_ALG_RSASHA1 || alg == DST_ALG_RSAMD5) &&
1807
r.length > 1 && r.base[0] == 1 && r.base[1] == 3)
1808
cfg_obj_log(key, logctx, ISC_LOG_WARNING,
1809
"%s key '%s' has a weak exponent",
1810
managed ? "managed" : "trusted",
1744
1818
check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
1745
1819
const char *viewname, dns_rdataclass_t vclass,
1746
1820
isc_log_t *logctx, isc_mem_t *mctx)
1748
1822
const cfg_obj_t *zones = NULL;
1749
1823
const cfg_obj_t *keys = NULL;
1750
const cfg_listelt_t *element;
1824
const cfg_listelt_t *element, *element2;
1751
1825
isc_symtab_t *symtab = NULL;
1752
1826
isc_result_t result = ISC_R_SUCCESS;
1753
1827
isc_result_t tresult = ISC_R_SUCCESS;
1888
1962
cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
1889
1963
"'dnssec-validation yes;' and 'dnssec-enable no;'");
1966
* Check trusted-keys and managed-keys.
1969
if (voptions != NULL)
1970
(void)cfg_map_get(voptions, "trusted-keys", &keys);
1972
(void)cfg_map_get(config, "trusted-keys", &keys);
1974
for (element = cfg_list_first(keys);
1976
element = cfg_list_next(element))
1978
const cfg_obj_t *keylist = cfg_listelt_value(element);
1979
for (element2 = cfg_list_first(keylist);
1981
element2 = cfg_list_next(element2)) {
1982
obj = cfg_listelt_value(element2);
1983
tresult = check_trusted_key(obj, ISC_FALSE, logctx);
1984
if (tresult != ISC_R_SUCCESS)
1990
if (voptions != NULL)
1991
(void)cfg_map_get(voptions, "managed-keys", &keys);
1993
(void)cfg_map_get(config, "managed-keys", &keys);
1995
for (element = cfg_list_first(keys);
1997
element = cfg_list_next(element))
1999
const cfg_obj_t *keylist = cfg_listelt_value(element);
2000
for (element2 = cfg_list_first(keylist);
2002
element2 = cfg_list_next(element2)) {
2003
obj = cfg_listelt_value(element2);
2004
tresult = check_trusted_key(obj, ISC_TRUE, logctx);
2005
if (tresult != ISC_R_SUCCESS)
1891
2012
if (voptions != NULL)
1892
2013
tresult = check_options(voptions, logctx, mctx);