1 /* 2 * unbound-anchor.c - update the root anchor if necessary. 3 * 4 * Copyright (c) 2010, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * Redistributions of source code must retain the above copyright notice, 13 * this list of conditions and the following disclaimer. 14 * 15 * Redistributions in binary form must reproduce the above copyright notice, 16 * this list of conditions and the following disclaimer in the documentation 17 * and/or other materials provided with the distribution. 18 * 19 * Neither the name of the NLNET LABS nor the names of its contributors may 20 * be used to endorse or promote products derived from this software without 21 * specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36 /** 37 * \file 38 * 39 * This file checks to see that the current 5011 keys work to prime the 40 * current root anchor. If not a certificate is used to update the anchor, 41 * with RFC7958 https xml fetch. 42 * 43 * This is a concept solution for distribution of the DNSSEC root 44 * trust anchor. It is a small tool, called "unbound-anchor", that 45 * runs before the main validator starts. I.e. in the init script: 46 * unbound-anchor; unbound. Thus it is meant to run at system boot time. 47 * 48 * Management-Abstract: 49 * * first run: fill root.key file with hardcoded DS record. 50 * * mostly: use RFC5011 tracking, quick . DNSKEY UDP query. 51 * * failover: use RFC7958 builtin certificate, do https and update. 52 * Special considerations: 53 * * 30-days RFC5011 timer saves a lot of https traffic. 54 * * DNSKEY probe must be NOERROR, saves a lot of https traffic. 55 * * fail if clock before sign date of the root, if cert expired. 56 * * if the root goes back to unsigned, deals with it. 57 * 58 * It has hardcoded the root DS anchors and the ICANN CA root certificate. 59 * It allows with options to override those. It also takes root-hints (it 60 * has to do a DNS resolve), and also has hardcoded defaults for those. 61 * 62 * Once it starts, just before the validator starts, it quickly checks if 63 * the root anchor file needs to be updated. First it tries to use 64 * RFC5011-tracking of the root key. If that fails (and for 30-days since 65 * last successful probe), then it attempts to update using the 66 * certificate. So most of the time, the RFC5011 tracking will work fine, 67 * and within a couple milliseconds, the main daemon can start. It will 68 * have only probed the . DNSKEY, not done expensive https transfers on the 69 * root infrastructure. 70 * 71 * If there is no root key in the root.key file, it bootstraps the 72 * RFC5011-tracking with its builtin DS anchors; if that fails it 73 * bootstraps the RFC5011-tracking using the certificate. (again to avoid 74 * https, and it is also faster). 75 * 76 * It uses the XML file by converting it to DS records and writing that to the 77 * key file. Unbound can detect that the 'special comments' are gone, and 78 * the file contains a list of normal DNSKEY/DS records, and uses that to 79 * bootstrap 5011 (the KSK is made VALID). 80 * 81 * The certificate RFC7958 update is done by fetching root-anchors.xml and 82 * root-anchors.p7s via SSL. The HTTPS certificate can be logged but is 83 * not validated (https for channel security; the security comes from the 84 * certificate). The 'data.iana.org' domain name A and AAAA are resolved 85 * without DNSSEC. It tries a random IP until the transfer succeeds. It 86 * then checks the p7s signature. 87 * 88 * On any failure, it leaves the root key file untouched. The main 89 * validator has to cope with it, it cannot fix things (So a failure does 90 * not go 'without DNSSEC', no downgrade). If it used its builtin stuff or 91 * did the https, it exits with an exit code, so that this can trigger the 92 * init script to log the event and potentially alert the operator that can 93 * do a manual check. 94 * 95 * The date is also checked. Before 2010-07-15 is a failure (root not 96 * signed yet; avoids attacks on system clock). The 97 * last-successful-RFC5011-probe (if available) has to be more than 30 days 98 * in the past (otherwise, RFC5011 should have worked). This keeps 99 * unnecessary https traffic down. If the main certificate is expired, it 100 * fails. 101 * 102 * The dates on the keys in the xml are checked (uses the libexpat xml 103 * parser), only the valid ones are used to re-enstate RFC5011 tracking. 104 * If 0 keys are valid, the zone has gone to insecure (a special marker is 105 * written in the keyfile that tells the main validator daemon the zone is 106 * insecure). 107 * 108 * Only the root ICANN CA is shipped, not the intermediate ones. The 109 * intermediate CAs are included in the p7s file that was downloaded. (the 110 * root cert is valid to 2028 and the intermediate to 2014, today). 111 * 112 * Obviously, the tool also has options so the operator can provide a new 113 * keyfile, a new certificate and new URLs, and fresh root hints. By 114 * default it logs nothing on failure and success; it 'just works'. 115 * 116 */ 117 118 #include "config.h" 119 #include "libunbound/unbound.h" 120 #include "sldns/rrdef.h" 121 #include "sldns/parseutil.h" 122 #include <expat.h> 123 #ifndef HAVE_EXPAT_H 124 #error "need libexpat to parse root-anchors.xml file." 125 #endif 126 #ifdef HAVE_GETOPT_H 127 #include <getopt.h> 128 #endif 129 #ifdef HAVE_OPENSSL_SSL_H 130 #include <openssl/ssl.h> 131 #endif 132 #ifdef HAVE_OPENSSL_ERR_H 133 #include <openssl/err.h> 134 #endif 135 #ifdef HAVE_OPENSSL_RAND_H 136 #include <openssl/rand.h> 137 #endif 138 #include <openssl/x509.h> 139 #include <openssl/x509v3.h> 140 #include <openssl/pem.h> 141 142 /** name of server in URL to fetch HTTPS from */ 143 #define URLNAME "data.iana.org" 144 /** path on HTTPS server to xml file */ 145 #define XMLNAME "root-anchors/root-anchors.xml" 146 /** path on HTTPS server to p7s file */ 147 #define P7SNAME "root-anchors/root-anchors.p7s" 148 /** name of the signer of the certificate */ 149 #define P7SIGNER "dnssec@iana.org" 150 /** port number for https access */ 151 #define HTTPS_PORT 443 152 153 #ifdef USE_WINSOCK 154 /* sneakily reuse the the wsa_strerror function, on windows */ 155 char* wsa_strerror(int err); 156 #endif 157 158 /** verbosity for this application */ 159 static int verb = 0; 160 161 /** list of IP addresses */ 162 struct ip_list { 163 /** next in list */ 164 struct ip_list* next; 165 /** length of addr */ 166 socklen_t len; 167 /** address ready to connect to */ 168 struct sockaddr_storage addr; 169 /** has the address been used */ 170 int used; 171 }; 172 173 /** Give unbound-anchor usage, and exit (1). */ 174 static void 175 usage(void) 176 { 177 printf("Usage: local-unbound-anchor [opts]\n"); 178 printf(" Setup or update root anchor. " 179 "Most options have defaults.\n"); 180 printf(" Run this program before you start the validator.\n"); 181 printf("\n"); 182 printf(" The anchor and cert have default builtin content\n"); 183 printf(" if the file does not exist or is empty.\n"); 184 printf("\n"); 185 printf("-a file root key file, default %s\n", ROOT_ANCHOR_FILE); 186 printf(" The key is input and output for this tool.\n"); 187 printf("-c file cert file, default %s\n", ROOT_CERT_FILE); 188 printf("-l list builtin key and cert on stdout\n"); 189 printf("-u name server in https url, default %s\n", URLNAME); 190 printf("-x path pathname to xml in url, default %s\n", XMLNAME); 191 printf("-s path pathname to p7s in url, default %s\n", P7SNAME); 192 printf("-n name signer's subject emailAddress, default %s\n", P7SIGNER); 193 printf("-b address source address to bind to\n"); 194 printf("-4 work using IPv4 only\n"); 195 printf("-6 work using IPv6 only\n"); 196 printf("-f resolv.conf use given resolv.conf\n"); 197 printf("-r root.hints use given root.hints\n" 198 " builtin root hints are used by default\n"); 199 printf("-R fallback from -f to root query on error\n"); 200 printf("-v more verbose\n"); 201 printf("-C conf debug, read config\n"); 202 printf("-P port use port for https connect, default 443\n"); 203 printf("-F debug, force update with cert\n"); 204 printf("-h show this usage help\n"); 205 printf("Version %s\n", PACKAGE_VERSION); 206 printf("BSD licensed, see LICENSE in source package for details.\n"); 207 printf("Report bugs to %s\n", PACKAGE_BUGREPORT); 208 exit(1); 209 } 210 211 /** return the built in root update certificate */ 212 static const char* 213 get_builtin_cert(void) 214 { 215 return 216 /* The ICANN CA fetched at 24 Sep 2010. Valid to 2028 */ 217 "-----BEGIN CERTIFICATE-----\n" 218 "MIIDdzCCAl+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO\n" 219 "TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV\n" 220 "BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA0MTkxMloX\n" 221 "DTI5MTIxODA0MTkxMlowXTEOMAwGA1UEChMFSUNBTk4xJjAkBgNVBAsTHUlDQU5O\n" 222 "IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRYwFAYDVQQDEw1JQ0FOTiBSb290IENB\n" 223 "MQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKDb\n" 224 "cLhPNNqc1NB+u+oVvOnJESofYS9qub0/PXagmgr37pNublVThIzyLPGCJ8gPms9S\n" 225 "G1TaKNIsMI7d+5IgMy3WyPEOECGIcfqEIktdR1YWfJufXcMReZwU4v/AdKzdOdfg\n" 226 "ONiwc6r70duEr1IiqPbVm5T05l1e6D+HkAvHGnf1LtOPGs4CHQdpIUcy2kauAEy2\n" 227 "paKcOcHASvbTHK7TbbvHGPB+7faAztABLoneErruEcumetcNfPMIjXKdv1V1E3C7\n" 228 "MSJKy+jAqqQJqjZoQGB0necZgUMiUv7JK1IPQRM2CXJllcyJrm9WFxY0c1KjBO29\n" 229 "iIKK69fcglKcBuFShUECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8B\n" 230 "Af8EBAMCAf4wHQYDVR0OBBYEFLpS6UmDJIZSL8eZzfyNa2kITcBQMA0GCSqGSIb3\n" 231 "DQEBCwUAA4IBAQAP8emCogqHny2UYFqywEuhLys7R9UKmYY4suzGO4nkbgfPFMfH\n" 232 "6M+Zj6owwxlwueZt1j/IaCayoKU3QsrYYoDRolpILh+FPwx7wseUEV8ZKpWsoDoD\n" 233 "2JFbLg2cfB8u/OlE4RYmcxxFSmXBg0yQ8/IoQt/bxOcEEhhiQ168H2yE5rxJMt9h\n" 234 "15nu5JBSewrCkYqYYmaxyOC3WrVGfHZxVI7MpIFcGdvSb2a1uyuua8l0BKgk3ujF\n" 235 "0/wsHNeP22qNyVO+XVBzrM8fk8BSUFuiT/6tZTYXRtEt5aKQZgXbKU5dUF3jT9qg\n" 236 "j/Br5BZw3X/zd325TvnswzMC1+ljLzHnQGGk\n" 237 "-----END CERTIFICATE-----\n" 238 ; 239 } 240 241 /** return the built in root DS trust anchor */ 242 static const char* 243 get_builtin_ds(void) 244 { 245 return 246 /* The anchors must start on a new line with ". IN DS and end with \n"[;] 247 * because the makedist script greps on the source here */ 248 /* anchor 19036 is from 2010 */ 249 /* anchor 20326 is from 2017 */ 250 ". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5\n" 251 ". IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D\n"; 252 } 253 254 /** print hex data */ 255 static void 256 print_data(const char* msg, const char* data, int len) 257 { 258 int i; 259 printf("%s: ", msg); 260 for(i=0; i<len; i++) { 261 printf(" %2.2x", (unsigned char)data[i]); 262 } 263 printf("\n"); 264 } 265 266 /** print ub context creation error and exit */ 267 static void 268 ub_ctx_error_exit(struct ub_ctx* ctx, const char* str, const char* str2) 269 { 270 ub_ctx_delete(ctx); 271 if(str && str2 && verb) printf("%s: %s\n", str, str2); 272 if(verb) printf("error: could not create unbound resolver context\n"); 273 exit(0); 274 } 275 276 /** 277 * Create a new unbound context with the commandline settings applied 278 */ 279 static struct ub_ctx* 280 create_unbound_context(const char* res_conf, const char* root_hints, 281 const char* debugconf, const char* srcaddr, int ip4only, int ip6only) 282 { 283 int r; 284 struct ub_ctx* ctx = ub_ctx_create(); 285 if(!ctx) { 286 if(verb) printf("out of memory\n"); 287 exit(0); 288 } 289 /* do not waste time and network traffic to fetch extra nameservers */ 290 r = ub_ctx_set_option(ctx, "target-fetch-policy:", "0 0 0 0 0"); 291 if(r && verb) printf("ctx targetfetchpolicy: %s\n", ub_strerror(r)); 292 /* read config file first, so its settings can be overridden */ 293 if(debugconf) { 294 r = ub_ctx_config(ctx, debugconf); 295 if(r) ub_ctx_error_exit(ctx, debugconf, ub_strerror(r)); 296 } 297 if(res_conf) { 298 r = ub_ctx_resolvconf(ctx, res_conf); 299 if(r) ub_ctx_error_exit(ctx, res_conf, ub_strerror(r)); 300 } 301 if(root_hints) { 302 r = ub_ctx_set_option(ctx, "root-hints:", root_hints); 303 if(r) ub_ctx_error_exit(ctx, root_hints, ub_strerror(r)); 304 } 305 if(srcaddr) { 306 r = ub_ctx_set_option(ctx, "outgoing-interface:", srcaddr); 307 if(r) ub_ctx_error_exit(ctx, srcaddr, ub_strerror(r)); 308 } 309 if(ip4only) { 310 r = ub_ctx_set_option(ctx, "do-ip6:", "no"); 311 if(r) ub_ctx_error_exit(ctx, "ip4only", ub_strerror(r)); 312 } 313 if(ip6only) { 314 r = ub_ctx_set_option(ctx, "do-ip4:", "no"); 315 if(r) ub_ctx_error_exit(ctx, "ip6only", ub_strerror(r)); 316 } 317 return ctx; 318 } 319 320 /** printout certificate in detail */ 321 static void 322 verb_cert(const char* msg, X509* x) 323 { 324 if(verb == 0 || verb == 1) return; 325 if(verb == 2) { 326 if(msg) printf("%s\n", msg); 327 X509_print_ex_fp(stdout, x, 0, (unsigned long)-1 328 ^(X509_FLAG_NO_SUBJECT 329 |X509_FLAG_NO_ISSUER|X509_FLAG_NO_VALIDITY)); 330 return; 331 } 332 if(msg) printf("%s\n", msg); 333 X509_print_fp(stdout, x); 334 } 335 336 /** printout certificates in detail */ 337 static void 338 verb_certs(const char* msg, STACK_OF(X509)* sk) 339 { 340 int i, num = sk_X509_num(sk); 341 if(verb == 0 || verb == 1) return; 342 for(i=0; i<num; i++) { 343 printf("%s (%d/%d)\n", msg, i, num); 344 verb_cert(NULL, sk_X509_value(sk, i)); 345 } 346 } 347 348 /** read certificates from a PEM bio */ 349 static STACK_OF(X509)* 350 read_cert_bio(BIO* bio) 351 { 352 STACK_OF(X509) *sk = sk_X509_new_null(); 353 if(!sk) { 354 if(verb) printf("out of memory\n"); 355 exit(0); 356 } 357 while(!BIO_eof(bio)) { 358 X509* x = PEM_read_bio_X509(bio, NULL, NULL, NULL); 359 if(x == NULL) { 360 if(verb) { 361 printf("failed to read X509\n"); 362 ERR_print_errors_fp(stdout); 363 } 364 continue; 365 } 366 if(!sk_X509_push(sk, x)) { 367 if(verb) printf("out of memory\n"); 368 exit(0); 369 } 370 } 371 return sk; 372 } 373 374 /* read the certificate file */ 375 static STACK_OF(X509)* 376 read_cert_file(const char* file) 377 { 378 STACK_OF(X509)* sk; 379 FILE* in; 380 int content = 0; 381 char buf[128]; 382 if(file == NULL || strcmp(file, "") == 0) { 383 return NULL; 384 } 385 sk = sk_X509_new_null(); 386 if(!sk) { 387 if(verb) printf("out of memory\n"); 388 exit(0); 389 } 390 in = fopen(file, "r"); 391 if(!in) { 392 if(verb) printf("%s: %s\n", file, strerror(errno)); 393 #ifndef S_SPLINT_S 394 sk_X509_pop_free(sk, X509_free); 395 #endif 396 return NULL; 397 } 398 while(!feof(in)) { 399 X509* x = PEM_read_X509(in, NULL, NULL, NULL); 400 if(x == NULL) { 401 if(verb) { 402 printf("failed to read X509 file\n"); 403 ERR_print_errors_fp(stdout); 404 } 405 continue; 406 } 407 if(!sk_X509_push(sk, x)) { 408 if(verb) printf("out of memory\n"); 409 fclose(in); 410 exit(0); 411 } 412 content = 1; 413 /* read away newline after --END CERT-- */ 414 if(!fgets(buf, (int)sizeof(buf), in)) 415 break; 416 } 417 fclose(in); 418 if(!content) { 419 if(verb) printf("%s is empty\n", file); 420 #ifndef S_SPLINT_S 421 sk_X509_pop_free(sk, X509_free); 422 #endif 423 return NULL; 424 } 425 return sk; 426 } 427 428 /** read certificates from the builtin certificate */ 429 static STACK_OF(X509)* 430 read_builtin_cert(void) 431 { 432 const char* builtin_cert = get_builtin_cert(); 433 STACK_OF(X509)* sk; 434 BIO *bio = BIO_new_mem_buf(builtin_cert, 435 (int)strlen(builtin_cert)); 436 if(!bio) { 437 if(verb) printf("out of memory\n"); 438 exit(0); 439 } 440 sk = read_cert_bio(bio); 441 if(!sk) { 442 if(verb) printf("internal error, out of memory\n"); 443 exit(0); 444 } 445 BIO_free(bio); 446 return sk; 447 } 448 449 /** read update cert file or use builtin */ 450 static STACK_OF(X509)* 451 read_cert_or_builtin(const char* file) 452 { 453 STACK_OF(X509) *sk = read_cert_file(file); 454 if(!sk) { 455 if(verb) printf("using builtin certificate\n"); 456 sk = read_builtin_cert(); 457 } 458 if(verb) printf("have %d trusted certificates\n", sk_X509_num(sk)); 459 verb_certs("trusted certificates", sk); 460 return sk; 461 } 462 463 static void 464 do_list_builtin(void) 465 { 466 const char* builtin_cert = get_builtin_cert(); 467 const char* builtin_ds = get_builtin_ds(); 468 printf("%s\n", builtin_ds); 469 printf("%s\n", builtin_cert); 470 exit(0); 471 } 472 473 /** printout IP address with message */ 474 static void 475 verb_addr(const char* msg, struct ip_list* ip) 476 { 477 if(verb) { 478 char out[100]; 479 void* a = &((struct sockaddr_in*)&ip->addr)->sin_addr; 480 if(ip->len != (socklen_t)sizeof(struct sockaddr_in)) 481 a = &((struct sockaddr_in6*)&ip->addr)->sin6_addr; 482 483 if(inet_ntop((int)((struct sockaddr_in*)&ip->addr)->sin_family, 484 a, out, (socklen_t)sizeof(out))==0) 485 printf("%s (inet_ntop error)\n", msg); 486 else printf("%s %s\n", msg, out); 487 } 488 } 489 490 /** free ip_list */ 491 static void 492 ip_list_free(struct ip_list* p) 493 { 494 struct ip_list* np; 495 while(p) { 496 np = p->next; 497 free(p); 498 p = np; 499 } 500 } 501 502 /** create ip_list entry for a RR record */ 503 static struct ip_list* 504 RR_to_ip(int tp, char* data, int len, int port) 505 { 506 struct ip_list* ip = (struct ip_list*)calloc(1, sizeof(*ip)); 507 uint16_t p = (uint16_t)port; 508 if(tp == LDNS_RR_TYPE_A) { 509 struct sockaddr_in* sa = (struct sockaddr_in*)&ip->addr; 510 ip->len = (socklen_t)sizeof(*sa); 511 sa->sin_family = AF_INET; 512 sa->sin_port = (in_port_t)htons(p); 513 if(len != (int)sizeof(sa->sin_addr)) { 514 if(verb) printf("skipped badly formatted A\n"); 515 free(ip); 516 return NULL; 517 } 518 memmove(&sa->sin_addr, data, sizeof(sa->sin_addr)); 519 520 } else if(tp == LDNS_RR_TYPE_AAAA) { 521 struct sockaddr_in6* sa = (struct sockaddr_in6*)&ip->addr; 522 ip->len = (socklen_t)sizeof(*sa); 523 sa->sin6_family = AF_INET6; 524 sa->sin6_port = (in_port_t)htons(p); 525 if(len != (int)sizeof(sa->sin6_addr)) { 526 if(verb) printf("skipped badly formatted AAAA\n"); 527 free(ip); 528 return NULL; 529 } 530 memmove(&sa->sin6_addr, data, sizeof(sa->sin6_addr)); 531 } else { 532 if(verb) printf("internal error: bad type in RRtoip\n"); 533 free(ip); 534 return NULL; 535 } 536 verb_addr("resolved server address", ip); 537 return ip; 538 } 539 540 /** Resolve name, type, class and add addresses to iplist */ 541 static void 542 resolve_host_ip(struct ub_ctx* ctx, const char* host, int port, int tp, int cl, 543 struct ip_list** head) 544 { 545 struct ub_result* res = NULL; 546 int r; 547 int i; 548 549 r = ub_resolve(ctx, host, tp, cl, &res); 550 if(r) { 551 if(verb) printf("error: resolve %s %s: %s\n", host, 552 (tp==LDNS_RR_TYPE_A)?"A":"AAAA", ub_strerror(r)); 553 return; 554 } 555 if(!res) { 556 if(verb) printf("out of memory\n"); 557 ub_ctx_delete(ctx); 558 exit(0); 559 } 560 if(!res->havedata || res->rcode || !res->data) { 561 if(verb) printf("resolve %s %s: no result\n", host, 562 (tp==LDNS_RR_TYPE_A)?"A":"AAAA"); 563 return; 564 } 565 for(i = 0; res->data[i]; i++) { 566 struct ip_list* ip = RR_to_ip(tp, res->data[i], res->len[i], 567 port); 568 if(!ip) continue; 569 ip->next = *head; 570 *head = ip; 571 } 572 ub_resolve_free(res); 573 } 574 575 /** parse a text IP address into a sockaddr */ 576 static struct ip_list* 577 parse_ip_addr(const char* str, int port) 578 { 579 socklen_t len = 0; 580 union { 581 struct sockaddr_in6 a6; 582 struct sockaddr_in a; 583 } addr; 584 struct ip_list* ip; 585 uint16_t p = (uint16_t)port; 586 memset(&addr, 0, sizeof(addr)); 587 588 if(inet_pton(AF_INET6, str, &addr.a6.sin6_addr) > 0) { 589 /* it is an IPv6 */ 590 addr.a6.sin6_family = AF_INET6; 591 addr.a6.sin6_port = (in_port_t)htons(p); 592 len = (socklen_t)sizeof(addr.a6); 593 } 594 if(inet_pton(AF_INET, str, &addr.a.sin_addr) > 0) { 595 /* it is an IPv4 */ 596 addr.a.sin_family = AF_INET; 597 addr.a.sin_port = (in_port_t)htons(p); 598 len = (socklen_t)sizeof(struct sockaddr_in); 599 } 600 if(!len) return NULL; 601 ip = (struct ip_list*)calloc(1, sizeof(*ip)); 602 if(!ip) { 603 if(verb) printf("out of memory\n"); 604 exit(0); 605 } 606 ip->len = len; 607 memmove(&ip->addr, &addr, len); 608 if(verb) printf("server address is %s\n", str); 609 return ip; 610 } 611 612 /** 613 * Resolve a domain name (even though the resolver is down and there is 614 * no trust anchor). Without DNSSEC validation. 615 * @param host: the name to resolve. 616 * If this name is an IP4 or IP6 address this address is returned. 617 * @param port: the port number used for the returned IP structs. 618 * @param res_conf: resolv.conf (if any). 619 * @param root_hints: root hints (if any). 620 * @param debugconf: unbound.conf for debugging options. 621 * @param srcaddr: source address option (if any). 622 * @param ip4only: use only ip4 for resolve and only lookup A 623 * @param ip6only: use only ip6 for resolve and only lookup AAAA 624 * default is to lookup A and AAAA using ip4 and ip6. 625 * @return list of IP addresses. 626 */ 627 static struct ip_list* 628 resolve_name(const char* host, int port, const char* res_conf, 629 const char* root_hints, const char* debugconf, 630 const char* srcaddr, int ip4only, int ip6only) 631 { 632 struct ub_ctx* ctx; 633 struct ip_list* list = NULL; 634 /* first see if name is an IP address itself */ 635 if( (list=parse_ip_addr(host, port)) ) { 636 return list; 637 } 638 639 /* create resolver context */ 640 ctx = create_unbound_context(res_conf, root_hints, debugconf, 641 srcaddr, ip4only, ip6only); 642 643 /* try resolution of A */ 644 if(!ip6only) { 645 resolve_host_ip(ctx, host, port, LDNS_RR_TYPE_A, 646 LDNS_RR_CLASS_IN, &list); 647 } 648 649 /* try resolution of AAAA */ 650 if(!ip4only) { 651 resolve_host_ip(ctx, host, port, LDNS_RR_TYPE_AAAA, 652 LDNS_RR_CLASS_IN, &list); 653 } 654 655 ub_ctx_delete(ctx); 656 if(!list) { 657 if(verb) printf("%s has no IP addresses I can use\n", host); 658 exit(0); 659 } 660 return list; 661 } 662 663 /** clear used flags */ 664 static void 665 wipe_ip_usage(struct ip_list* p) 666 { 667 while(p) { 668 p->used = 0; 669 p = p->next; 670 } 671 } 672 673 /** count unused IPs */ 674 static int 675 count_unused(struct ip_list* p) 676 { 677 int num = 0; 678 while(p) { 679 if(!p->used) num++; 680 p = p->next; 681 } 682 return num; 683 } 684 685 /** pick random unused element from IP list */ 686 static struct ip_list* 687 pick_random_ip(struct ip_list* list) 688 { 689 struct ip_list* p = list; 690 int num = count_unused(list); 691 int sel; 692 if(num == 0) return NULL; 693 /* not perfect, but random enough */ 694 sel = (int)arc4random_uniform((uint32_t)num); 695 /* skip over unused elements that we did not select */ 696 while(sel > 0 && p) { 697 if(!p->used) sel--; 698 p = p->next; 699 } 700 /* find the next unused element */ 701 while(p && p->used) 702 p = p->next; 703 if(!p) return NULL; /* robustness */ 704 return p; 705 } 706 707 /** close the fd */ 708 static void 709 fd_close(int fd) 710 { 711 #ifndef USE_WINSOCK 712 close(fd); 713 #else 714 closesocket(fd); 715 #endif 716 } 717 718 /** printout socket errno */ 719 static void 720 print_sock_err(const char* msg) 721 { 722 #ifndef USE_WINSOCK 723 if(verb) printf("%s: %s\n", msg, strerror(errno)); 724 #else 725 if(verb) printf("%s: %s\n", msg, wsa_strerror(WSAGetLastError())); 726 #endif 727 } 728 729 /** connect to IP address */ 730 static int 731 connect_to_ip(struct ip_list* ip, struct ip_list* src) 732 { 733 int fd; 734 verb_addr("connect to", ip); 735 fd = socket(ip->len==(socklen_t)sizeof(struct sockaddr_in)? 736 AF_INET:AF_INET6, SOCK_STREAM, 0); 737 if(fd == -1) { 738 print_sock_err("socket"); 739 return -1; 740 } 741 if(src && bind(fd, (struct sockaddr*)&src->addr, src->len) < 0) { 742 print_sock_err("bind"); 743 fd_close(fd); 744 return -1; 745 } 746 if(connect(fd, (struct sockaddr*)&ip->addr, ip->len) < 0) { 747 print_sock_err("connect"); 748 fd_close(fd); 749 return -1; 750 } 751 return fd; 752 } 753 754 /** create SSL context */ 755 static SSL_CTX* 756 setup_sslctx(void) 757 { 758 SSL_CTX* sslctx = SSL_CTX_new(SSLv23_client_method()); 759 if(!sslctx) { 760 if(verb) printf("SSL_CTX_new error\n"); 761 return NULL; 762 } 763 return sslctx; 764 } 765 766 /** initiate TLS on a connection */ 767 static SSL* 768 TLS_initiate(SSL_CTX* sslctx, int fd) 769 { 770 X509* x; 771 int r; 772 SSL* ssl = SSL_new(sslctx); 773 if(!ssl) { 774 if(verb) printf("SSL_new error\n"); 775 return NULL; 776 } 777 SSL_set_connect_state(ssl); 778 (void)SSL_set_mode(ssl, (long)SSL_MODE_AUTO_RETRY); 779 if(!SSL_set_fd(ssl, fd)) { 780 if(verb) printf("SSL_set_fd error\n"); 781 SSL_free(ssl); 782 return NULL; 783 } 784 while(1) { 785 ERR_clear_error(); 786 if( (r=SSL_do_handshake(ssl)) == 1) 787 break; 788 r = SSL_get_error(ssl, r); 789 if(r != SSL_ERROR_WANT_READ && r != SSL_ERROR_WANT_WRITE) { 790 if(verb) printf("SSL handshake failed\n"); 791 SSL_free(ssl); 792 return NULL; 793 } 794 /* wants to be called again */ 795 } 796 x = SSL_get_peer_certificate(ssl); 797 if(!x) { 798 if(verb) printf("Server presented no peer certificate\n"); 799 SSL_free(ssl); 800 return NULL; 801 } 802 verb_cert("server SSL certificate", x); 803 X509_free(x); 804 return ssl; 805 } 806 807 /** perform neat TLS shutdown */ 808 static void 809 TLS_shutdown(int fd, SSL* ssl, SSL_CTX* sslctx) 810 { 811 /* shutdown the SSL connection nicely */ 812 if(SSL_shutdown(ssl) == 0) { 813 SSL_shutdown(ssl); 814 } 815 SSL_free(ssl); 816 SSL_CTX_free(sslctx); 817 fd_close(fd); 818 } 819 820 /** write a line over SSL */ 821 static int 822 write_ssl_line(SSL* ssl, const char* str, const char* sec) 823 { 824 char buf[1024]; 825 size_t l; 826 if(sec) { 827 snprintf(buf, sizeof(buf), str, sec); 828 } else { 829 snprintf(buf, sizeof(buf), "%s", str); 830 } 831 l = strlen(buf); 832 if(l+2 >= sizeof(buf)) { 833 if(verb) printf("line too long\n"); 834 return 0; 835 } 836 if(verb >= 2) printf("SSL_write: %s\n", buf); 837 buf[l] = '\r'; 838 buf[l+1] = '\n'; 839 buf[l+2] = 0; 840 /* add \r\n */ 841 if(SSL_write(ssl, buf, (int)strlen(buf)) <= 0) { 842 if(verb) printf("could not SSL_write %s", str); 843 return 0; 844 } 845 return 1; 846 } 847 848 /** process header line, check rcode and keeping track of size */ 849 static int 850 process_one_header(char* buf, size_t* clen, int* chunked) 851 { 852 if(verb>=2) printf("header: '%s'\n", buf); 853 if(strncasecmp(buf, "HTTP/1.1 ", 9) == 0) { 854 /* check returncode */ 855 if(buf[9] != '2') { 856 if(verb) printf("bad status %s\n", buf+9); 857 return 0; 858 } 859 } else if(strncasecmp(buf, "Content-Length: ", 16) == 0) { 860 if(!*chunked) 861 *clen = (size_t)atoi(buf+16); 862 } else if(strncasecmp(buf, "Transfer-Encoding: chunked", 19+7) == 0) { 863 *clen = 0; 864 *chunked = 1; 865 } 866 return 1; 867 } 868 869 /** 870 * Read one line from SSL 871 * zero terminates. 872 * skips "\r\n" (but not copied to buf). 873 * @param ssl: the SSL connection to read from (blocking). 874 * @param buf: buffer to return line in. 875 * @param len: size of the buffer. 876 * @return 0 on error, 1 on success. 877 */ 878 static int 879 read_ssl_line(SSL* ssl, char* buf, size_t len) 880 { 881 size_t n = 0; 882 int r; 883 int endnl = 0; 884 while(1) { 885 if(n >= len) { 886 if(verb) printf("line too long\n"); 887 return 0; 888 } 889 if((r = SSL_read(ssl, buf+n, 1)) <= 0) { 890 if(SSL_get_error(ssl, r) == SSL_ERROR_ZERO_RETURN) { 891 /* EOF */ 892 break; 893 } 894 if(verb) printf("could not SSL_read\n"); 895 return 0; 896 } 897 if(endnl && buf[n] == '\n') { 898 break; 899 } else if(endnl) { 900 /* bad data */ 901 if(verb) printf("error: stray linefeeds\n"); 902 return 0; 903 } else if(buf[n] == '\r') { 904 /* skip \r, and also \n on the wire */ 905 endnl = 1; 906 continue; 907 } else if(buf[n] == '\n') { 908 /* skip the \n, we are done */ 909 break; 910 } else n++; 911 } 912 buf[n] = 0; 913 return 1; 914 } 915 916 /** read http headers and process them */ 917 static size_t 918 read_http_headers(SSL* ssl, size_t* clen) 919 { 920 char buf[1024]; 921 int chunked = 0; 922 *clen = 0; 923 while(read_ssl_line(ssl, buf, sizeof(buf))) { 924 if(buf[0] == 0) 925 return 1; 926 if(!process_one_header(buf, clen, &chunked)) 927 return 0; 928 } 929 return 0; 930 } 931 932 /** read a data chunk */ 933 static char* 934 read_data_chunk(SSL* ssl, size_t len) 935 { 936 size_t got = 0; 937 int r; 938 char* data; 939 if((unsigned)len >= (unsigned)0xfffffff0) 940 return NULL; /* to protect against integer overflow in malloc*/ 941 data = malloc(len+1); 942 if(!data) { 943 if(verb) printf("out of memory\n"); 944 return NULL; 945 } 946 while(got < len) { 947 if((r = SSL_read(ssl, data+got, (int)(len-got))) <= 0) { 948 if(SSL_get_error(ssl, r) == SSL_ERROR_ZERO_RETURN) { 949 /* EOF */ 950 if(verb) printf("could not SSL_read: unexpected EOF\n"); 951 free(data); 952 return NULL; 953 } 954 if(verb) printf("could not SSL_read\n"); 955 free(data); 956 return NULL; 957 } 958 if(verb >= 2) printf("at %d/%d\n", (int)got, (int)len); 959 got += r; 960 } 961 if(verb>=2) printf("read %d data\n", (int)len); 962 data[len] = 0; 963 return data; 964 } 965 966 /** parse chunk header */ 967 static int 968 parse_chunk_header(char* buf, size_t* result) 969 { 970 char* e = NULL; 971 size_t v = (size_t)strtol(buf, &e, 16); 972 if(e == buf) 973 return 0; 974 *result = v; 975 return 1; 976 } 977 978 /** read chunked data from connection */ 979 static BIO* 980 do_chunked_read(SSL* ssl) 981 { 982 char buf[1024]; 983 size_t len; 984 char* body; 985 BIO* mem = BIO_new(BIO_s_mem()); 986 if(verb>=3) printf("do_chunked_read\n"); 987 if(!mem) { 988 if(verb) printf("out of memory\n"); 989 return NULL; 990 } 991 while(read_ssl_line(ssl, buf, sizeof(buf))) { 992 /* read the chunked start line */ 993 if(verb>=2) printf("chunk header: %s\n", buf); 994 if(!parse_chunk_header(buf, &len)) { 995 BIO_free(mem); 996 if(verb>=3) printf("could not parse chunk header\n"); 997 return NULL; 998 } 999 if(verb>=2) printf("chunk len: %d\n", (int)len); 1000 /* are we done? */ 1001 if(len == 0) { 1002 char z = 0; 1003 /* skip end-of-chunk-trailer lines, 1004 * until the empty line after that */ 1005 do { 1006 if(!read_ssl_line(ssl, buf, sizeof(buf))) { 1007 BIO_free(mem); 1008 return NULL; 1009 } 1010 } while (strlen(buf) > 0); 1011 /* end of chunks, zero terminate it */ 1012 if(BIO_write(mem, &z, 1) <= 0) { 1013 if(verb) printf("out of memory\n"); 1014 BIO_free(mem); 1015 return NULL; 1016 } 1017 return mem; 1018 } 1019 /* read the chunked body */ 1020 body = read_data_chunk(ssl, len); 1021 if(!body) { 1022 BIO_free(mem); 1023 return NULL; 1024 } 1025 if(BIO_write(mem, body, (int)len) <= 0) { 1026 if(verb) printf("out of memory\n"); 1027 free(body); 1028 BIO_free(mem); 1029 return NULL; 1030 } 1031 free(body); 1032 /* skip empty line after data chunk */ 1033 if(!read_ssl_line(ssl, buf, sizeof(buf))) { 1034 BIO_free(mem); 1035 return NULL; 1036 } 1037 } 1038 BIO_free(mem); 1039 return NULL; 1040 } 1041 1042 /** start HTTP1.1 transaction on SSL */ 1043 static int 1044 write_http_get(SSL* ssl, const char* pathname, const char* urlname) 1045 { 1046 if(write_ssl_line(ssl, "GET /%s HTTP/1.1", pathname) && 1047 write_ssl_line(ssl, "Host: %s", urlname) && 1048 write_ssl_line(ssl, "User-Agent: unbound-anchor/%s", 1049 PACKAGE_VERSION) && 1050 /* We do not really do multiple queries per connection, 1051 * but this header setting is also not needed. 1052 * write_ssl_line(ssl, "Connection: close", NULL) &&*/ 1053 write_ssl_line(ssl, "", NULL)) { 1054 return 1; 1055 } 1056 return 0; 1057 } 1058 1059 /** read chunked data and zero terminate; len is without zero */ 1060 static char* 1061 read_chunked_zero_terminate(SSL* ssl, size_t* len) 1062 { 1063 /* do the chunked version */ 1064 BIO* tmp = do_chunked_read(ssl); 1065 char* data, *d = NULL; 1066 size_t l; 1067 if(!tmp) { 1068 if(verb) printf("could not read from https\n"); 1069 return NULL; 1070 } 1071 l = (size_t)BIO_get_mem_data(tmp, &d); 1072 if(verb>=2) printf("chunked data is %d\n", (int)l); 1073 if(l == 0 || d == NULL) { 1074 if(verb) printf("out of memory\n"); 1075 return NULL; 1076 } 1077 *len = l-1; 1078 data = (char*)malloc(l); 1079 if(data == NULL) { 1080 if(verb) printf("out of memory\n"); 1081 return NULL; 1082 } 1083 memcpy(data, d, l); 1084 BIO_free(tmp); 1085 return data; 1086 } 1087 1088 /** read HTTP result from SSL */ 1089 static BIO* 1090 read_http_result(SSL* ssl) 1091 { 1092 size_t len = 0; 1093 char* data; 1094 BIO* m; 1095 if(!read_http_headers(ssl, &len)) { 1096 return NULL; 1097 } 1098 if(len == 0) { 1099 data = read_chunked_zero_terminate(ssl, &len); 1100 } else { 1101 data = read_data_chunk(ssl, len); 1102 } 1103 if(!data) return NULL; 1104 if(verb >= 4) print_data("read data", data, (int)len); 1105 m = BIO_new(BIO_s_mem()); 1106 if(!m) { 1107 if(verb) printf("out of memory\n"); 1108 free(data); 1109 exit(0); 1110 } 1111 BIO_write(m, data, (int)len); 1112 free(data); 1113 return m; 1114 } 1115 1116 /** https to an IP addr, return BIO with pathname or NULL */ 1117 static BIO* 1118 https_to_ip(struct ip_list* ip, const char* pathname, const char* urlname, 1119 struct ip_list* src) 1120 { 1121 int fd; 1122 SSL* ssl; 1123 BIO* bio; 1124 SSL_CTX* sslctx = setup_sslctx(); 1125 if(!sslctx) { 1126 return NULL; 1127 } 1128 fd = connect_to_ip(ip, src); 1129 if(fd == -1) { 1130 SSL_CTX_free(sslctx); 1131 return NULL; 1132 } 1133 ssl = TLS_initiate(sslctx, fd); 1134 if(!ssl) { 1135 SSL_CTX_free(sslctx); 1136 fd_close(fd); 1137 return NULL; 1138 } 1139 if(!write_http_get(ssl, pathname, urlname)) { 1140 if(verb) printf("could not write to server\n"); 1141 SSL_free(ssl); 1142 SSL_CTX_free(sslctx); 1143 fd_close(fd); 1144 return NULL; 1145 } 1146 bio = read_http_result(ssl); 1147 TLS_shutdown(fd, ssl, sslctx); 1148 return bio; 1149 } 1150 1151 /** 1152 * Do a HTTPS, HTTP1.1 over TLS, to fetch a file 1153 * @param ip_list: list of IP addresses to use to fetch from. 1154 * @param pathname: pathname of file on server to GET. 1155 * @param urlname: name to pass as the virtual host for this request. 1156 * @param src: if nonNULL, source address to bind to. 1157 * @return a memory BIO with the file in it. 1158 */ 1159 static BIO* 1160 https(struct ip_list* ip_list, const char* pathname, const char* urlname, 1161 struct ip_list* src) 1162 { 1163 struct ip_list* ip; 1164 BIO* bio = NULL; 1165 /* try random address first, and work through the list */ 1166 wipe_ip_usage(ip_list); 1167 while( (ip = pick_random_ip(ip_list)) ) { 1168 ip->used = 1; 1169 bio = https_to_ip(ip, pathname, urlname, src); 1170 if(bio) break; 1171 } 1172 if(!bio) { 1173 if(verb) printf("could not fetch %s\n", pathname); 1174 exit(0); 1175 } else { 1176 if(verb) printf("fetched %s (%d bytes)\n", 1177 pathname, (int)BIO_ctrl_pending(bio)); 1178 } 1179 return bio; 1180 } 1181 1182 /** XML parse private data during the parse */ 1183 struct xml_data { 1184 /** the parser, reference */ 1185 XML_Parser parser; 1186 /** the current tag; malloced; or NULL outside of tags */ 1187 char* tag; 1188 /** current date to use during the parse */ 1189 time_t date; 1190 /** number of keys usefully read in */ 1191 int num_keys; 1192 /** the compiled anchors as DS records */ 1193 BIO* ds; 1194 1195 /** do we want to use this anchor? */ 1196 int use_key; 1197 /** the current anchor: Zone */ 1198 BIO* czone; 1199 /** the current anchor: KeyTag */ 1200 BIO* ctag; 1201 /** the current anchor: Algorithm */ 1202 BIO* calgo; 1203 /** the current anchor: DigestType */ 1204 BIO* cdigtype; 1205 /** the current anchor: Digest*/ 1206 BIO* cdigest; 1207 }; 1208 1209 /** The BIO for the tag */ 1210 static BIO* 1211 xml_selectbio(struct xml_data* data, const char* tag) 1212 { 1213 BIO* b = NULL; 1214 if(strcasecmp(tag, "KeyTag") == 0) 1215 b = data->ctag; 1216 else if(strcasecmp(tag, "Algorithm") == 0) 1217 b = data->calgo; 1218 else if(strcasecmp(tag, "DigestType") == 0) 1219 b = data->cdigtype; 1220 else if(strcasecmp(tag, "Digest") == 0) 1221 b = data->cdigest; 1222 return b; 1223 } 1224 1225 /** 1226 * XML handle character data, the data inside an element. 1227 * @param userData: xml_data structure 1228 * @param s: the character data. May not all be in one callback. 1229 * NOT zero terminated. 1230 * @param len: length of this part of the data. 1231 */ 1232 static void 1233 xml_charhandle(void *userData, const XML_Char *s, int len) 1234 { 1235 struct xml_data* data = (struct xml_data*)userData; 1236 BIO* b = NULL; 1237 /* skip characters outside of elements */ 1238 if(!data->tag) 1239 return; 1240 if(verb>=4) { 1241 int i; 1242 printf("%s%s charhandle: '", 1243 data->use_key?"use ":"", 1244 data->tag?data->tag:"none"); 1245 for(i=0; i<len; i++) 1246 printf("%c", s[i]); 1247 printf("'\n"); 1248 } 1249 if(strcasecmp(data->tag, "Zone") == 0) { 1250 if(BIO_write(data->czone, s, len) < 0) { 1251 if(verb) printf("out of memory in BIO_write\n"); 1252 exit(0); 1253 } 1254 return; 1255 } 1256 /* only store if key is used */ 1257 if(!data->use_key) 1258 return; 1259 b = xml_selectbio(data, data->tag); 1260 if(b) { 1261 if(BIO_write(b, s, len) < 0) { 1262 if(verb) printf("out of memory in BIO_write\n"); 1263 exit(0); 1264 } 1265 } 1266 } 1267 1268 /** 1269 * XML fetch value of particular attribute(by name) or NULL if not present. 1270 * @param atts: attribute array (from xml_startelem). 1271 * @param name: name of attribute to look for. 1272 * @return the value or NULL. (ptr into atts). 1273 */ 1274 static const XML_Char* 1275 find_att(const XML_Char **atts, const XML_Char* name) 1276 { 1277 int i; 1278 for(i=0; atts[i]; i+=2) { 1279 if(strcasecmp(atts[i], name) == 0) 1280 return atts[i+1]; 1281 } 1282 return NULL; 1283 } 1284 1285 /** 1286 * XML convert DateTime element to time_t. 1287 * [-]CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] 1288 * (with optional .ssssss fractional seconds) 1289 * @param str: the string 1290 * @return a time_t representation or 0 on failure. 1291 */ 1292 static time_t 1293 xml_convertdate(const char* str) 1294 { 1295 time_t t = 0; 1296 struct tm tm; 1297 const char* s; 1298 /* for this application, ignore minus in front; 1299 * only positive dates are expected */ 1300 s = str; 1301 if(s[0] == '-') s++; 1302 memset(&tm, 0, sizeof(tm)); 1303 /* parse initial content of the string (lots of whitespace allowed) */ 1304 s = strptime(s, "%t%Y%t-%t%m%t-%t%d%tT%t%H%t:%t%M%t:%t%S%t", &tm); 1305 if(!s) { 1306 if(verb) printf("xml_convertdate parse failure %s\n", str); 1307 return 0; 1308 } 1309 /* parse remainder of date string */ 1310 if(*s == '.') { 1311 /* optional '.' and fractional seconds */ 1312 int frac = 0, n = 0; 1313 if(sscanf(s+1, "%d%n", &frac, &n) < 1) { 1314 if(verb) printf("xml_convertdate f failure %s\n", str); 1315 return 0; 1316 } 1317 /* fraction is not used, time_t has second accuracy */ 1318 s++; 1319 s+=n; 1320 } 1321 if(*s == 'Z' || *s == 'z') { 1322 /* nothing to do for this */ 1323 s++; 1324 } else if(*s == '+' || *s == '-') { 1325 /* optional timezone spec: Z or +hh:mm or -hh:mm */ 1326 int hr = 0, mn = 0, n = 0; 1327 if(sscanf(s+1, "%d:%d%n", &hr, &mn, &n) < 2) { 1328 if(verb) printf("xml_convertdate tz failure %s\n", str); 1329 return 0; 1330 } 1331 if(*s == '+') { 1332 tm.tm_hour += hr; 1333 tm.tm_min += mn; 1334 } else { 1335 tm.tm_hour -= hr; 1336 tm.tm_min -= mn; 1337 } 1338 s++; 1339 s += n; 1340 } 1341 if(*s != 0) { 1342 /* not ended properly */ 1343 /* but ignore, (lenient) */ 1344 } 1345 1346 t = sldns_mktime_from_utc(&tm); 1347 if(t == (time_t)-1) { 1348 if(verb) printf("xml_convertdate mktime failure\n"); 1349 return 0; 1350 } 1351 return t; 1352 } 1353 1354 /** 1355 * XML handle the KeyDigest start tag, check validity periods. 1356 */ 1357 static void 1358 handle_keydigest(struct xml_data* data, const XML_Char **atts) 1359 { 1360 data->use_key = 0; 1361 if(find_att(atts, "validFrom")) { 1362 time_t from = xml_convertdate(find_att(atts, "validFrom")); 1363 if(from == 0) { 1364 if(verb) printf("error: xml cannot be parsed\n"); 1365 exit(0); 1366 } 1367 if(data->date < from) 1368 return; 1369 } 1370 if(find_att(atts, "validUntil")) { 1371 time_t until = xml_convertdate(find_att(atts, "validUntil")); 1372 if(until == 0) { 1373 if(verb) printf("error: xml cannot be parsed\n"); 1374 exit(0); 1375 } 1376 if(data->date > until) 1377 return; 1378 } 1379 /* yes we want to use this key */ 1380 data->use_key = 1; 1381 (void)BIO_reset(data->ctag); 1382 (void)BIO_reset(data->calgo); 1383 (void)BIO_reset(data->cdigtype); 1384 (void)BIO_reset(data->cdigest); 1385 } 1386 1387 /** See if XML element equals the zone name */ 1388 static int 1389 xml_is_zone_name(BIO* zone, const char* name) 1390 { 1391 char buf[1024]; 1392 char* z = NULL; 1393 long zlen; 1394 (void)BIO_seek(zone, 0); 1395 zlen = BIO_get_mem_data(zone, &z); 1396 if(!zlen || !z) return 0; 1397 /* zero terminate */ 1398 if(zlen >= (long)sizeof(buf)) return 0; 1399 memmove(buf, z, (size_t)zlen); 1400 buf[zlen] = 0; 1401 /* compare */ 1402 return (strncasecmp(buf, name, strlen(name)) == 0); 1403 } 1404 1405 /** 1406 * XML start of element. This callback is called whenever an XML tag starts. 1407 * XML_Char is UTF8. 1408 * @param userData: the xml_data structure. 1409 * @param name: the tag that starts. 1410 * @param atts: array of strings, pairs of attr = value, ends with NULL. 1411 * i.e. att[0]="att[1]" att[2]="att[3]" att[4]isNull 1412 */ 1413 static void 1414 xml_startelem(void *userData, const XML_Char *name, const XML_Char **atts) 1415 { 1416 struct xml_data* data = (struct xml_data*)userData; 1417 BIO* b; 1418 if(verb>=4) printf("xml tag start '%s'\n", name); 1419 free(data->tag); 1420 data->tag = strdup(name); 1421 if(!data->tag) { 1422 if(verb) printf("out of memory\n"); 1423 exit(0); 1424 } 1425 if(verb>=4) { 1426 int i; 1427 for(i=0; atts[i]; i+=2) { 1428 printf(" %s='%s'\n", atts[i], atts[i+1]); 1429 } 1430 } 1431 /* handle attributes to particular types */ 1432 if(strcasecmp(name, "KeyDigest") == 0) { 1433 handle_keydigest(data, atts); 1434 return; 1435 } else if(strcasecmp(name, "Zone") == 0) { 1436 (void)BIO_reset(data->czone); 1437 return; 1438 } 1439 1440 /* for other types we prepare to pick up the data */ 1441 if(!data->use_key) 1442 return; 1443 b = xml_selectbio(data, data->tag); 1444 if(b) { 1445 /* empty it */ 1446 (void)BIO_reset(b); 1447 } 1448 } 1449 1450 /** Append str to bio */ 1451 static void 1452 xml_append_str(BIO* b, const char* s) 1453 { 1454 if(BIO_write(b, s, (int)strlen(s)) < 0) { 1455 if(verb) printf("out of memory in BIO_write\n"); 1456 exit(0); 1457 } 1458 } 1459 1460 /** Append bio to bio */ 1461 static void 1462 xml_append_bio(BIO* b, BIO* a) 1463 { 1464 char* z = NULL; 1465 long i, len; 1466 (void)BIO_seek(a, 0); 1467 len = BIO_get_mem_data(a, &z); 1468 if(!len || !z) { 1469 if(verb) printf("out of memory in BIO_write\n"); 1470 exit(0); 1471 } 1472 /* remove newlines in the data here */ 1473 for(i=0; i<len; i++) { 1474 if(z[i] == '\r' || z[i] == '\n') 1475 z[i] = ' '; 1476 } 1477 /* write to BIO */ 1478 if(BIO_write(b, z, len) < 0) { 1479 if(verb) printf("out of memory in BIO_write\n"); 1480 exit(0); 1481 } 1482 } 1483 1484 /** write the parsed xml-DS to the DS list */ 1485 static void 1486 xml_append_ds(struct xml_data* data) 1487 { 1488 /* write DS to accumulated DS */ 1489 xml_append_str(data->ds, ". IN DS "); 1490 xml_append_bio(data->ds, data->ctag); 1491 xml_append_str(data->ds, " "); 1492 xml_append_bio(data->ds, data->calgo); 1493 xml_append_str(data->ds, " "); 1494 xml_append_bio(data->ds, data->cdigtype); 1495 xml_append_str(data->ds, " "); 1496 xml_append_bio(data->ds, data->cdigest); 1497 xml_append_str(data->ds, "\n"); 1498 data->num_keys++; 1499 } 1500 1501 /** 1502 * XML end of element. This callback is called whenever an XML tag ends. 1503 * XML_Char is UTF8. 1504 * @param userData: the xml_data structure 1505 * @param name: the tag that ends. 1506 */ 1507 static void 1508 xml_endelem(void *userData, const XML_Char *name) 1509 { 1510 struct xml_data* data = (struct xml_data*)userData; 1511 if(verb>=4) printf("xml tag end '%s'\n", name); 1512 free(data->tag); 1513 data->tag = NULL; 1514 if(strcasecmp(name, "KeyDigest") == 0) { 1515 if(data->use_key) 1516 xml_append_ds(data); 1517 data->use_key = 0; 1518 } else if(strcasecmp(name, "Zone") == 0) { 1519 if(!xml_is_zone_name(data->czone, ".")) { 1520 if(verb) printf("xml not for the right zone\n"); 1521 exit(0); 1522 } 1523 } 1524 } 1525 1526 /* Stop the parser when an entity declaration is encountered. For safety. */ 1527 static void 1528 xml_entitydeclhandler(void *userData, 1529 const XML_Char *ATTR_UNUSED(entityName), 1530 int ATTR_UNUSED(is_parameter_entity), 1531 const XML_Char *ATTR_UNUSED(value), int ATTR_UNUSED(value_length), 1532 const XML_Char *ATTR_UNUSED(base), 1533 const XML_Char *ATTR_UNUSED(systemId), 1534 const XML_Char *ATTR_UNUSED(publicId), 1535 const XML_Char *ATTR_UNUSED(notationName)) 1536 { 1537 #if HAVE_DECL_XML_STOPPARSER 1538 (void)XML_StopParser((XML_Parser)userData, XML_FALSE); 1539 #else 1540 (void)userData; 1541 #endif 1542 } 1543 1544 /** 1545 * XML parser setup of the callbacks for the tags 1546 */ 1547 static void 1548 xml_parse_setup(XML_Parser parser, struct xml_data* data, time_t now) 1549 { 1550 char buf[1024]; 1551 memset(data, 0, sizeof(*data)); 1552 XML_SetUserData(parser, data); 1553 data->parser = parser; 1554 data->date = now; 1555 data->ds = BIO_new(BIO_s_mem()); 1556 data->ctag = BIO_new(BIO_s_mem()); 1557 data->czone = BIO_new(BIO_s_mem()); 1558 data->calgo = BIO_new(BIO_s_mem()); 1559 data->cdigtype = BIO_new(BIO_s_mem()); 1560 data->cdigest = BIO_new(BIO_s_mem()); 1561 if(!data->ds || !data->ctag || !data->calgo || !data->czone || 1562 !data->cdigtype || !data->cdigest) { 1563 if(verb) printf("out of memory\n"); 1564 exit(0); 1565 } 1566 snprintf(buf, sizeof(buf), "; created by unbound-anchor on %s", 1567 ctime(&now)); 1568 if(BIO_write(data->ds, buf, (int)strlen(buf)) < 0) { 1569 if(verb) printf("out of memory\n"); 1570 exit(0); 1571 } 1572 XML_SetEntityDeclHandler(parser, xml_entitydeclhandler); 1573 XML_SetElementHandler(parser, xml_startelem, xml_endelem); 1574 XML_SetCharacterDataHandler(parser, xml_charhandle); 1575 } 1576 1577 /** 1578 * Perform XML parsing of the root-anchors file 1579 * Its format description can be read here 1580 * https://data.iana.org/root-anchors/draft-icann-dnssec-trust-anchor.txt 1581 * It uses libexpat. 1582 * @param xml: BIO with xml data. 1583 * @param now: the current time for checking DS validity periods. 1584 * @return memoryBIO with the DS data in zone format. 1585 * or NULL if the zone is insecure. 1586 * (It exit()s on error) 1587 */ 1588 static BIO* 1589 xml_parse(BIO* xml, time_t now) 1590 { 1591 char* pp; 1592 int len; 1593 XML_Parser parser; 1594 struct xml_data data; 1595 1596 parser = XML_ParserCreate(NULL); 1597 if(!parser) { 1598 if(verb) printf("could not XML_ParserCreate\n"); 1599 exit(0); 1600 } 1601 1602 /* setup callbacks */ 1603 xml_parse_setup(parser, &data, now); 1604 1605 /* parse it */ 1606 (void)BIO_seek(xml, 0); 1607 len = (int)BIO_get_mem_data(xml, &pp); 1608 if(!len || !pp) { 1609 if(verb) printf("out of memory\n"); 1610 exit(0); 1611 } 1612 if(!XML_Parse(parser, pp, len, 1 /*isfinal*/ )) { 1613 const char *e = XML_ErrorString(XML_GetErrorCode(parser)); 1614 if(verb) printf("XML_Parse failure %s\n", e?e:""); 1615 exit(0); 1616 } 1617 1618 /* parsed */ 1619 if(verb) printf("XML was parsed successfully, %d keys\n", 1620 data.num_keys); 1621 free(data.tag); 1622 XML_ParserFree(parser); 1623 1624 if(verb >= 4) { 1625 (void)BIO_seek(data.ds, 0); 1626 len = BIO_get_mem_data(data.ds, &pp); 1627 printf("got DS bio %d: '", len); 1628 if(!fwrite(pp, (size_t)len, 1, stdout)) 1629 /* compilers do not allow us to ignore fwrite .. */ 1630 fprintf(stderr, "error writing to stdout\n"); 1631 printf("'\n"); 1632 } 1633 BIO_free(data.czone); 1634 BIO_free(data.ctag); 1635 BIO_free(data.calgo); 1636 BIO_free(data.cdigtype); 1637 BIO_free(data.cdigest); 1638 1639 if(data.num_keys == 0) { 1640 /* the root zone seems to have gone insecure */ 1641 BIO_free(data.ds); 1642 return NULL; 1643 } else { 1644 return data.ds; 1645 } 1646 } 1647 1648 /* get key usage out of its extension, returns 0 if no key_usage extension */ 1649 static unsigned long 1650 get_usage_of_ex(X509* cert) 1651 { 1652 unsigned long val = 0; 1653 ASN1_BIT_STRING* s; 1654 if((s=X509_get_ext_d2i(cert, NID_key_usage, NULL, NULL))) { 1655 if(s->length > 0) { 1656 val = s->data[0]; 1657 if(s->length > 1) 1658 val |= s->data[1] << 8; 1659 } 1660 ASN1_BIT_STRING_free(s); 1661 } 1662 return val; 1663 } 1664 1665 /** get valid signers from the list of signers in the signature */ 1666 static STACK_OF(X509)* 1667 get_valid_signers(PKCS7* p7, const char* p7signer) 1668 { 1669 int i; 1670 STACK_OF(X509)* validsigners = sk_X509_new_null(); 1671 STACK_OF(X509)* signers = PKCS7_get0_signers(p7, NULL, 0); 1672 unsigned long usage = 0; 1673 if(!validsigners) { 1674 if(verb) printf("out of memory\n"); 1675 sk_X509_free(signers); 1676 return NULL; 1677 } 1678 if(!signers) { 1679 if(verb) printf("no signers in pkcs7 signature\n"); 1680 sk_X509_free(validsigners); 1681 return NULL; 1682 } 1683 for(i=0; i<sk_X509_num(signers); i++) { 1684 X509_NAME* nm = X509_get_subject_name( 1685 sk_X509_value(signers, i)); 1686 char buf[1024]; 1687 if(!nm) { 1688 if(verb) printf("signer %d: cert has no subject name\n", i); 1689 continue; 1690 } 1691 if(verb && nm) { 1692 char* nmline = X509_NAME_oneline(nm, buf, 1693 (int)sizeof(buf)); 1694 printf("signer %d: Subject: %s\n", i, 1695 nmline?nmline:"no subject"); 1696 if(verb >= 3 && X509_NAME_get_text_by_NID(nm, 1697 NID_commonName, buf, (int)sizeof(buf))) 1698 printf("commonName: %s\n", buf); 1699 if(verb >= 3 && X509_NAME_get_text_by_NID(nm, 1700 NID_pkcs9_emailAddress, buf, (int)sizeof(buf))) 1701 printf("emailAddress: %s\n", buf); 1702 } 1703 if(verb) { 1704 int ku_loc = X509_get_ext_by_NID( 1705 sk_X509_value(signers, i), NID_key_usage, -1); 1706 if(verb >= 3 && ku_loc >= 0) { 1707 X509_EXTENSION *ex = X509_get_ext( 1708 sk_X509_value(signers, i), ku_loc); 1709 if(ex) { 1710 printf("keyUsage: "); 1711 X509V3_EXT_print_fp(stdout, ex, 0, 0); 1712 printf("\n"); 1713 } 1714 } 1715 } 1716 if(!p7signer || strcmp(p7signer, "")==0) { 1717 /* there is no name to check, return all records */ 1718 if(verb) printf("did not check commonName of signer\n"); 1719 } else { 1720 if(!X509_NAME_get_text_by_NID(nm, 1721 NID_pkcs9_emailAddress, 1722 buf, (int)sizeof(buf))) { 1723 if(verb) printf("removed cert with no name\n"); 1724 continue; /* no name, no use */ 1725 } 1726 if(strcmp(buf, p7signer) != 0) { 1727 if(verb) printf("removed cert with wrong name\n"); 1728 continue; /* wrong name, skip it */ 1729 } 1730 } 1731 1732 /* check that the key usage allows digital signatures 1733 * (the p7s) */ 1734 usage = get_usage_of_ex(sk_X509_value(signers, i)); 1735 if(!(usage & KU_DIGITAL_SIGNATURE)) { 1736 if(verb) printf("removed cert with no key usage Digital Signature allowed\n"); 1737 continue; 1738 } 1739 1740 /* we like this cert, add it to our list of valid 1741 * signers certificates */ 1742 sk_X509_push(validsigners, sk_X509_value(signers, i)); 1743 } 1744 sk_X509_free(signers); 1745 return validsigners; 1746 } 1747 1748 /** verify a PKCS7 signature, false on failure */ 1749 static int 1750 verify_p7sig(BIO* data, BIO* p7s, STACK_OF(X509)* trust, const char* p7signer) 1751 { 1752 PKCS7* p7; 1753 X509_STORE *store = X509_STORE_new(); 1754 STACK_OF(X509)* validsigners; 1755 int secure = 0; 1756 int i; 1757 #ifdef X509_V_FLAG_CHECK_SS_SIGNATURE 1758 X509_VERIFY_PARAM* param = X509_VERIFY_PARAM_new(); 1759 if(!param) { 1760 if(verb) printf("out of memory\n"); 1761 X509_STORE_free(store); 1762 return 0; 1763 } 1764 /* do the selfcheck on the root certificate; it checks that the 1765 * input is valid */ 1766 X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CHECK_SS_SIGNATURE); 1767 if(store) X509_STORE_set1_param(store, param); 1768 #endif 1769 if(!store) { 1770 if(verb) printf("out of memory\n"); 1771 #ifdef X509_V_FLAG_CHECK_SS_SIGNATURE 1772 X509_VERIFY_PARAM_free(param); 1773 #endif 1774 return 0; 1775 } 1776 #ifdef X509_V_FLAG_CHECK_SS_SIGNATURE 1777 X509_VERIFY_PARAM_free(param); 1778 #endif 1779 1780 (void)BIO_seek(p7s, 0); 1781 (void)BIO_seek(data, 0); 1782 1783 /* convert p7s to p7 (the signature) */ 1784 p7 = d2i_PKCS7_bio(p7s, NULL); 1785 if(!p7) { 1786 if(verb) printf("could not parse p7s signature file\n"); 1787 X509_STORE_free(store); 1788 return 0; 1789 } 1790 if(verb >= 2) printf("parsed the PKCS7 signature\n"); 1791 1792 /* convert trust to trusted certificate store */ 1793 for(i=0; i<sk_X509_num(trust); i++) { 1794 if(!X509_STORE_add_cert(store, sk_X509_value(trust, i))) { 1795 if(verb) printf("failed X509_STORE_add_cert\n"); 1796 X509_STORE_free(store); 1797 PKCS7_free(p7); 1798 return 0; 1799 } 1800 } 1801 if(verb >= 2) printf("setup the X509_STORE\n"); 1802 1803 /* check what is in the Subject name of the certificates, 1804 * and build a stack that contains only the right certificates */ 1805 validsigners = get_valid_signers(p7, p7signer); 1806 if(!validsigners) { 1807 X509_STORE_free(store); 1808 PKCS7_free(p7); 1809 return 0; 1810 } 1811 if(PKCS7_verify(p7, validsigners, store, data, NULL, PKCS7_NOINTERN) == 1) { 1812 secure = 1; 1813 if(verb) printf("the PKCS7 signature verified\n"); 1814 } else { 1815 if(verb) { 1816 ERR_print_errors_fp(stdout); 1817 } 1818 } 1819 1820 sk_X509_free(validsigners); 1821 X509_STORE_free(store); 1822 PKCS7_free(p7); 1823 return secure; 1824 } 1825 1826 /** write unsigned root anchor file, a 5011 revoked tp */ 1827 static void 1828 write_unsigned_root(const char* root_anchor_file) 1829 { 1830 FILE* out; 1831 time_t now = time(NULL); 1832 out = fopen(root_anchor_file, "w"); 1833 if(!out) { 1834 if(verb) printf("%s: %s\n", root_anchor_file, strerror(errno)); 1835 return; 1836 } 1837 if(fprintf(out, "; autotrust trust anchor file\n" 1838 ";;REVOKED\n" 1839 ";;id: . 1\n" 1840 "; This file was written by unbound-anchor on %s" 1841 "; It indicates that the root does not use DNSSEC\n" 1842 "; to restart DNSSEC overwrite this file with a\n" 1843 "; valid trustanchor or (empty-it and run unbound-anchor)\n" 1844 , ctime(&now)) < 0) { 1845 if(verb) printf("failed to write 'unsigned' to %s\n", 1846 root_anchor_file); 1847 if(verb && errno != 0) printf("%s\n", strerror(errno)); 1848 } 1849 fflush(out); 1850 #ifdef HAVE_FSYNC 1851 fsync(fileno(out)); 1852 #else 1853 FlushFileBuffers((HANDLE)_get_osfhandle(_fileno(out))); 1854 #endif 1855 fclose(out); 1856 } 1857 1858 /** write root anchor file */ 1859 static void 1860 write_root_anchor(const char* root_anchor_file, BIO* ds) 1861 { 1862 char* pp = NULL; 1863 int len; 1864 FILE* out; 1865 (void)BIO_seek(ds, 0); 1866 len = BIO_get_mem_data(ds, &pp); 1867 if(!len || !pp) { 1868 if(verb) printf("out of memory\n"); 1869 return; 1870 } 1871 out = fopen(root_anchor_file, "w"); 1872 if(!out) { 1873 if(verb) printf("%s: %s\n", root_anchor_file, strerror(errno)); 1874 return; 1875 } 1876 if(fwrite(pp, (size_t)len, 1, out) != 1) { 1877 if(verb) printf("failed to write all data to %s\n", 1878 root_anchor_file); 1879 if(verb && errno != 0) printf("%s\n", strerror(errno)); 1880 } 1881 fflush(out); 1882 #ifdef HAVE_FSYNC 1883 fsync(fileno(out)); 1884 #else 1885 FlushFileBuffers((HANDLE)_get_osfhandle(_fileno(out))); 1886 #endif 1887 fclose(out); 1888 } 1889 1890 /** Perform the verification and update of the trustanchor file */ 1891 static void 1892 verify_and_update_anchor(const char* root_anchor_file, BIO* xml, BIO* p7s, 1893 STACK_OF(X509)* cert, const char* p7signer) 1894 { 1895 BIO* ds; 1896 1897 /* verify xml file */ 1898 if(!verify_p7sig(xml, p7s, cert, p7signer)) { 1899 printf("the PKCS7 signature failed\n"); 1900 exit(0); 1901 } 1902 1903 /* parse the xml file into DS records */ 1904 ds = xml_parse(xml, time(NULL)); 1905 if(!ds) { 1906 /* the root zone is unsigned now */ 1907 write_unsigned_root(root_anchor_file); 1908 } else { 1909 /* reinstate 5011 tracking */ 1910 write_root_anchor(root_anchor_file, ds); 1911 } 1912 BIO_free(ds); 1913 } 1914 1915 #ifdef USE_WINSOCK 1916 static void do_wsa_cleanup(void) { WSACleanup(); } 1917 #endif 1918 1919 /** perform actual certupdate work */ 1920 static int 1921 do_certupdate(const char* root_anchor_file, const char* root_cert_file, 1922 const char* urlname, const char* xmlname, const char* p7sname, 1923 const char* p7signer, const char* res_conf, const char* root_hints, 1924 const char* debugconf, const char* srcaddr, int ip4only, int ip6only, 1925 int port) 1926 1927 { 1928 STACK_OF(X509)* cert; 1929 BIO *xml, *p7s; 1930 struct ip_list* ip_list = NULL; 1931 struct ip_list* src = NULL; 1932 1933 /* read pem file or provide builtin */ 1934 cert = read_cert_or_builtin(root_cert_file); 1935 1936 /* lookup A, AAAA for the urlname (or parse urlname if IP address) */ 1937 ip_list = resolve_name(urlname, port, res_conf, root_hints, debugconf, 1938 srcaddr, ip4only, ip6only); 1939 1940 if(srcaddr && !(src = parse_ip_addr(srcaddr, 0))) { 1941 if(verb) printf("cannot parse source address: %s\n", srcaddr); 1942 exit(0); 1943 } 1944 1945 #ifdef USE_WINSOCK 1946 if(1) { /* libunbound finished, startup WSA for the https connection */ 1947 WSADATA wsa_data; 1948 int r; 1949 if((r = WSAStartup(MAKEWORD(2,2), &wsa_data)) != 0) { 1950 if(verb) printf("WSAStartup failed: %s\n", 1951 wsa_strerror(r)); 1952 exit(0); 1953 } 1954 atexit(&do_wsa_cleanup); 1955 } 1956 #endif 1957 1958 /* fetch the necessary files over HTTPS */ 1959 xml = https(ip_list, xmlname, urlname, src); 1960 p7s = https(ip_list, p7sname, urlname, src); 1961 1962 /* verify and update the root anchor */ 1963 verify_and_update_anchor(root_anchor_file, xml, p7s, cert, p7signer); 1964 if(verb) printf("success: the anchor has been updated " 1965 "using the cert\n"); 1966 1967 BIO_free(xml); 1968 BIO_free(p7s); 1969 #ifndef S_SPLINT_S 1970 sk_X509_pop_free(cert, X509_free); 1971 #endif 1972 ip_list_free(ip_list); 1973 return 1; 1974 } 1975 1976 /** 1977 * Try to read the root RFC5011 autotrust anchor file, 1978 * @param file: filename. 1979 * @return: 1980 * 0 if does not exist or empty 1981 * 1 if trust-point-revoked-5011 1982 * 2 if it is OK. 1983 */ 1984 static int 1985 try_read_anchor(const char* file) 1986 { 1987 int empty = 1; 1988 char line[10240]; 1989 char* p; 1990 FILE* in = fopen(file, "r"); 1991 if(!in) { 1992 /* only if the file does not exist, can we fix it */ 1993 if(errno != ENOENT) { 1994 if(verb) printf("%s: %s\n", file, strerror(errno)); 1995 if(verb) printf("error: cannot access the file\n"); 1996 exit(0); 1997 } 1998 if(verb) printf("%s does not exist\n", file); 1999 return 0; 2000 } 2001 while(fgets(line, (int)sizeof(line), in)) { 2002 line[sizeof(line)-1] = 0; 2003 if(strncmp(line, ";;REVOKED", 9) == 0) { 2004 fclose(in); 2005 if(verb) printf("%s : the trust point is revoked\n" 2006 "and the zone is considered unsigned.\n" 2007 "if you wish to re-enable, delete the file\n", 2008 file); 2009 return 1; 2010 } 2011 p=line; 2012 while(*p == ' ' || *p == '\t') 2013 p++; 2014 if(p[0]==0 || p[0]=='\n' || p[0]==';') continue; 2015 /* this line is a line of content */ 2016 empty = 0; 2017 } 2018 fclose(in); 2019 if(empty) { 2020 if(verb) printf("%s is empty\n", file); 2021 return 0; 2022 } 2023 if(verb) printf("%s has content\n", file); 2024 return 2; 2025 } 2026 2027 /** Write the builtin root anchor to a file */ 2028 static void 2029 write_builtin_anchor(const char* file) 2030 { 2031 const char* builtin_root_anchor = get_builtin_ds(); 2032 FILE* out = fopen(file, "w"); 2033 if(!out) { 2034 if(verb) printf("%s: %s\n", file, strerror(errno)); 2035 if(verb) printf(" could not write builtin anchor\n"); 2036 return; 2037 } 2038 if(!fwrite(builtin_root_anchor, strlen(builtin_root_anchor), 1, out)) { 2039 if(verb) printf("%s: %s\n", file, strerror(errno)); 2040 if(verb) printf(" could not complete write builtin anchor\n"); 2041 } 2042 fclose(out); 2043 } 2044 2045 /** 2046 * Check the root anchor file. 2047 * If does not exist, provide builtin and write file. 2048 * If empty, provide builtin and write file. 2049 * If trust-point-revoked-5011 file: make the program exit. 2050 * @param root_anchor_file: filename of the root anchor. 2051 * @param used_builtin: set to 1 if the builtin is written. 2052 * @return 0 if trustpoint is insecure, 1 on success. Exit on failure. 2053 */ 2054 static int 2055 provide_builtin(const char* root_anchor_file, int* used_builtin) 2056 { 2057 /* try to read it */ 2058 switch(try_read_anchor(root_anchor_file)) 2059 { 2060 case 0: /* no exist or empty */ 2061 write_builtin_anchor(root_anchor_file); 2062 *used_builtin = 1; 2063 break; 2064 case 1: /* revoked tp */ 2065 return 0; 2066 case 2: /* it is fine */ 2067 default: 2068 break; 2069 } 2070 return 1; 2071 } 2072 2073 /** 2074 * add an autotrust anchor for the root to the context 2075 */ 2076 static void 2077 add_5011_probe_root(struct ub_ctx* ctx, const char* root_anchor_file) 2078 { 2079 int r; 2080 r = ub_ctx_set_option(ctx, "auto-trust-anchor-file:", root_anchor_file); 2081 if(r) { 2082 if(verb) printf("add 5011 probe to ctx: %s\n", ub_strerror(r)); 2083 ub_ctx_delete(ctx); 2084 exit(0); 2085 } 2086 } 2087 2088 /** 2089 * Prime the root key and return the result. Exit on error. 2090 * @param ctx: the unbound context to perform the priming with. 2091 * @return: the result of the prime, on error it exit()s. 2092 */ 2093 static struct ub_result* 2094 prime_root_key(struct ub_ctx* ctx) 2095 { 2096 struct ub_result* res = NULL; 2097 int r; 2098 r = ub_resolve(ctx, ".", LDNS_RR_TYPE_DNSKEY, LDNS_RR_CLASS_IN, &res); 2099 if(r) { 2100 if(verb) printf("resolve DNSKEY: %s\n", ub_strerror(r)); 2101 ub_ctx_delete(ctx); 2102 exit(0); 2103 } 2104 if(!res) { 2105 if(verb) printf("out of memory\n"); 2106 ub_ctx_delete(ctx); 2107 exit(0); 2108 } 2109 return res; 2110 } 2111 2112 /** see if ADDPEND keys exist in autotrust file (if possible) */ 2113 static int 2114 read_if_pending_keys(const char* file) 2115 { 2116 FILE* in = fopen(file, "r"); 2117 char line[8192]; 2118 if(!in) { 2119 if(verb>=2) printf("%s: %s\n", file, strerror(errno)); 2120 return 0; 2121 } 2122 while(fgets(line, (int)sizeof(line), in)) { 2123 if(line[0]==';') continue; 2124 if(strstr(line, "[ ADDPEND ]")) { 2125 fclose(in); 2126 if(verb) printf("RFC5011-state has ADDPEND keys\n"); 2127 return 1; 2128 } 2129 } 2130 fclose(in); 2131 return 0; 2132 } 2133 2134 /** read last successful probe time from autotrust file (if possible) */ 2135 static int32_t 2136 read_last_success_time(const char* file) 2137 { 2138 FILE* in = fopen(file, "r"); 2139 char line[1024]; 2140 if(!in) { 2141 if(verb) printf("%s: %s\n", file, strerror(errno)); 2142 return 0; 2143 } 2144 while(fgets(line, (int)sizeof(line), in)) { 2145 if(strncmp(line, ";;last_success: ", 16) == 0) { 2146 char* e; 2147 time_t x = (unsigned int)strtol(line+16, &e, 10); 2148 fclose(in); 2149 if(line+16 == e) { 2150 if(verb) printf("failed to parse " 2151 "last_success probe time\n"); 2152 return 0; 2153 } 2154 if(verb) printf("last successful probe: %s", ctime(&x)); 2155 return (int32_t)x; 2156 } 2157 } 2158 fclose(in); 2159 if(verb) printf("no last_success probe time in anchor file\n"); 2160 return 0; 2161 } 2162 2163 /** 2164 * Read autotrust 5011 probe file and see if the date 2165 * compared to the current date allows a certupdate. 2166 * If the last successful probe was recent then 5011 cannot be behind, 2167 * and the failure cannot be solved with a certupdate. 2168 * The debugconf is to validation-override the date for testing. 2169 * @param root_anchor_file: filename of root key 2170 * @return true if certupdate is ok. 2171 */ 2172 static int 2173 probe_date_allows_certupdate(const char* root_anchor_file) 2174 { 2175 int has_pending_keys = read_if_pending_keys(root_anchor_file); 2176 int32_t last_success = read_last_success_time(root_anchor_file); 2177 int32_t now = (int32_t)time(NULL); 2178 int32_t leeway = 30 * 24 * 3600; /* 30 days leeway */ 2179 /* if the date is before 2010-07-15:00.00.00 then the root has not 2180 * been signed yet, and thus we refuse to take action. */ 2181 if(time(NULL) < xml_convertdate("2010-07-15T00:00:00")) { 2182 if(verb) printf("the date is before the root was first signed," 2183 " please correct the clock\n"); 2184 return 0; 2185 } 2186 if(last_success == 0) 2187 return 1; /* no probe time */ 2188 if(has_pending_keys) 2189 return 1; /* key in ADDPEND state, a previous probe has 2190 inserted that, and it was present in all recent probes, 2191 but it has not become active. The 30 day timer may not have 2192 expired, but we know(for sure) there is a rollover going on. 2193 If we only managed to pickup the new key on its last day 2194 of announcement (for example) this can happen. */ 2195 if(now - last_success < 0) { 2196 if(verb) printf("the last successful probe is in the future," 2197 " clock was modified\n"); 2198 return 0; 2199 } 2200 if(now - last_success >= leeway) { 2201 if(verb) printf("the last successful probe was more than 30 " 2202 "days ago\n"); 2203 return 1; 2204 } 2205 if(verb) printf("the last successful probe is recent\n"); 2206 return 0; 2207 } 2208 2209 static struct ub_result * 2210 fetch_root_key(const char* root_anchor_file, const char* res_conf, 2211 const char* root_hints, const char* debugconf, const char* srcaddr, 2212 int ip4only, int ip6only) 2213 { 2214 struct ub_ctx* ctx; 2215 struct ub_result* dnskey; 2216 2217 ctx = create_unbound_context(res_conf, root_hints, debugconf, 2218 srcaddr, ip4only, ip6only); 2219 add_5011_probe_root(ctx, root_anchor_file); 2220 dnskey = prime_root_key(ctx); 2221 ub_ctx_delete(ctx); 2222 return dnskey; 2223 } 2224 2225 /** perform the unbound-anchor work */ 2226 static int 2227 do_root_update_work(const char* root_anchor_file, const char* root_cert_file, 2228 const char* urlname, const char* xmlname, const char* p7sname, 2229 const char* p7signer, const char* res_conf, const char* root_hints, 2230 const char* debugconf, const char* srcaddr, int ip4only, int ip6only, 2231 int force, int res_conf_fallback, int port) 2232 { 2233 struct ub_result* dnskey; 2234 int used_builtin = 0; 2235 int rcode; 2236 2237 /* see if builtin rootanchor needs to be provided, or if 2238 * rootanchor is 'revoked-trust-point' */ 2239 if(!provide_builtin(root_anchor_file, &used_builtin)) 2240 return 0; 2241 2242 /* make unbound context with 5011-probe for root anchor, 2243 * and probe . DNSKEY */ 2244 dnskey = fetch_root_key(root_anchor_file, res_conf, 2245 root_hints, debugconf, srcaddr, ip4only, ip6only); 2246 rcode = dnskey->rcode; 2247 2248 if (res_conf_fallback && res_conf && !dnskey->secure) { 2249 if (verb) printf("%s failed, retrying direct\n", res_conf); 2250 ub_resolve_free(dnskey); 2251 /* try direct query without res_conf */ 2252 dnskey = fetch_root_key(root_anchor_file, NULL, 2253 root_hints, debugconf, srcaddr, ip4only, ip6only); 2254 if (rcode != 0 && dnskey->rcode == 0) { 2255 res_conf = NULL; 2256 rcode = 0; 2257 } 2258 } 2259 2260 /* if secure: exit */ 2261 if(dnskey->secure && !force) { 2262 if(verb) printf("success: the anchor is ok\n"); 2263 ub_resolve_free(dnskey); 2264 return used_builtin; 2265 } 2266 if(force && verb) printf("debug cert update forced\n"); 2267 ub_resolve_free(dnskey); 2268 2269 /* if not (and NOERROR): check date and do certupdate */ 2270 if((rcode == 0 && 2271 probe_date_allows_certupdate(root_anchor_file)) || force) { 2272 if(do_certupdate(root_anchor_file, root_cert_file, urlname, 2273 xmlname, p7sname, p7signer, res_conf, root_hints, 2274 debugconf, srcaddr, ip4only, ip6only, port)) 2275 return 1; 2276 return used_builtin; 2277 } 2278 if(verb) printf("fail: the anchor is NOT ok and could not be fixed\n"); 2279 return used_builtin; 2280 } 2281 2282 /** getopt global, in case header files fail to declare it. */ 2283 extern int optind; 2284 /** getopt global, in case header files fail to declare it. */ 2285 extern char* optarg; 2286 2287 /** Main routine for unbound-anchor */ 2288 int main(int argc, char* argv[]) 2289 { 2290 int c; 2291 const char* root_anchor_file = ROOT_ANCHOR_FILE; 2292 const char* root_cert_file = ROOT_CERT_FILE; 2293 const char* urlname = URLNAME; 2294 const char* xmlname = XMLNAME; 2295 const char* p7sname = P7SNAME; 2296 const char* p7signer = P7SIGNER; 2297 const char* res_conf = NULL; 2298 const char* root_hints = NULL; 2299 const char* debugconf = NULL; 2300 const char* srcaddr = NULL; 2301 int dolist=0, ip4only=0, ip6only=0, force=0, port = HTTPS_PORT; 2302 int res_conf_fallback = 0; 2303 /* parse the options */ 2304 while( (c=getopt(argc, argv, "46C:FRP:a:b:c:f:hln:r:s:u:vx:")) != -1) { 2305 switch(c) { 2306 case 'l': 2307 dolist = 1; 2308 break; 2309 case '4': 2310 ip4only = 1; 2311 break; 2312 case '6': 2313 ip6only = 1; 2314 break; 2315 case 'a': 2316 root_anchor_file = optarg; 2317 break; 2318 case 'b': 2319 srcaddr = optarg; 2320 break; 2321 case 'c': 2322 root_cert_file = optarg; 2323 break; 2324 case 'u': 2325 urlname = optarg; 2326 break; 2327 case 'x': 2328 xmlname = optarg; 2329 break; 2330 case 's': 2331 p7sname = optarg; 2332 break; 2333 case 'n': 2334 p7signer = optarg; 2335 break; 2336 case 'f': 2337 res_conf = optarg; 2338 break; 2339 case 'r': 2340 root_hints = optarg; 2341 break; 2342 case 'R': 2343 res_conf_fallback = 1; 2344 break; 2345 case 'C': 2346 debugconf = optarg; 2347 break; 2348 case 'F': 2349 force = 1; 2350 break; 2351 case 'P': 2352 port = atoi(optarg); 2353 break; 2354 case 'v': 2355 verb++; 2356 break; 2357 case '?': 2358 case 'h': 2359 default: 2360 usage(); 2361 } 2362 } 2363 argc -= optind; 2364 /* argv += optind; not using further arguments */ 2365 if(argc != 0) 2366 usage(); 2367 2368 #ifdef HAVE_ERR_LOAD_CRYPTO_STRINGS 2369 ERR_load_crypto_strings(); 2370 #endif 2371 #if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_SSL) 2372 ERR_load_SSL_strings(); 2373 #endif 2374 #if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_CRYPTO) 2375 # ifndef S_SPLINT_S 2376 OpenSSL_add_all_algorithms(); 2377 # endif 2378 #else 2379 OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS 2380 | OPENSSL_INIT_ADD_ALL_DIGESTS 2381 | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL); 2382 #endif 2383 #if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_SSL) 2384 (void)SSL_library_init(); 2385 #else 2386 (void)OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL); 2387 #endif 2388 2389 if(dolist) do_list_builtin(); 2390 2391 return do_root_update_work(root_anchor_file, root_cert_file, urlname, 2392 xmlname, p7sname, p7signer, res_conf, root_hints, debugconf, 2393 srcaddr, ip4only, ip6only, force, res_conf_fallback, port); 2394 } 2395