X-Git-Url: https://git.sesse.net/?p=itkacl;a=blobdiff_plain;f=itkacl-2.1%2Fitkacl.c;h=2795cf4d6885899058ab740cb436997a9276db5d;hp=f1cc09a8639d4c13a7b798051f8acc55e2806bfb;hb=b53d275766bb14e5d2e6d06ff306878b311c8123;hpb=8cbde0b30d77b656503a8e47deb68a6776dbcad9

diff --git a/itkacl-2.1/itkacl.c b/itkacl-2.1/itkacl.c
index f1cc09a..2795cf4 100644
--- a/itkacl-2.1/itkacl.c
+++ b/itkacl-2.1/itkacl.c
@@ -15,6 +15,8 @@
 
 struct itkacl_config {
 	char nszone[256];
+	int require_dnssec;
+	char dnssec_public_key[256];
 };
 
 #define CONFIG_FILENAME "/etc/itkacl.conf"
@@ -26,7 +28,10 @@ static int itkacl_read_config(const char * const filename,
 	FILE *fp;
 	int lineno = 0;
 
+	/* Defaults. */
 	strcpy(config->nszone, "");
+	config->require_dnssec = 0;
+	strcpy(config->dnssec_public_key, "");
 
 	fp = fopen(CONFIG_FILENAME, "r");
 	if (fp == NULL) {
@@ -70,6 +75,14 @@ static int itkacl_read_config(const char * const filename,
 			strcpy(config->nszone, arg);
 			continue;
 		}
+		if (strcmp(line, "require-dnssec") == 0) {
+			config->require_dnssec = 1;
+			continue;
+		}
+		if (sscanf(line, "dnssec-public-key %255s", arg) == 1) {
+			strcpy(config->dnssec_public_key, arg);
+			continue;
+		}
 
 		if (errmsg)
 			snprintf(errmsg, errmsg_size, "%s: Could not parse line %d",
@@ -204,6 +217,20 @@ int itkacl_check(const char * const realm, const char * const user,
 		return -1;
 	}
 
+	if (strlen(config.dnssec_public_key) != 0) {
+		ret = ub_ctx_add_ta_file(ctx, config.dnssec_public_key);
+		if (ret != 0) {
+			if (errmsg)
+				snprintf(errmsg, errmsg_size,
+					 "Host name lookup failure: Error adding keys from %s "
+					 "(resolver error: %s) (system error: %s)",
+					 config.dnssec_public_key,
+					 ub_strerror(ret), strerror(errno));
+			ub_ctx_delete(ctx);
+			return -1;
+		}
+	}
+
 	/* Do the actual DNS lookup (TYPE A, CLASS IN). */
 	ret = ub_resolve(ctx, nszone, 1, 1, &result);
 	if (ret != 0) {
@@ -214,6 +241,24 @@ int itkacl_check(const char * const realm, const char * const user,
 		return -1;
 	}
 
+	/* Verify DNSSEC. */
+	if (result->bogus) {
+		if (errmsg)
+			snprintf(errmsg, errmsg_size,
+			         "Host name lookup failure: Bogus DNSSEC result (security failure)");
+		ub_resolve_free(result);
+		ub_ctx_delete(ctx);
+		return -1;
+	}
+	if (config.require_dnssec && !result->secure) {
+		if (errmsg)
+			snprintf(errmsg, errmsg_size,
+			         "Host name lookup failure: Result was not secured with DNSSEC");
+		ub_resolve_free(result);
+		ub_ctx_delete(ctx);
+		return -1;
+	}
+
 	nxdomain = result->nxdomain;
 
 	ub_resolve_free(result);