xref: /freebsd/contrib/unbound/smallapp/unbound-anchor.c (revision a521f2116473fbd8c09db395518f060a27d02334)
1 /*
2  * unbound-anchor.c - update the root anchor if necessary.
3  *
4  * Copyright (c) 2010, NLnet Labs. All rights reserved.
5  *
6  * This software is open source.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * Redistributions of source code must retain the above copyright notice,
13  * this list of conditions and the following disclaimer.
14  *
15  * Redistributions in binary form must reproduce the above copyright notice,
16  * this list of conditions and the following disclaimer in the documentation
17  * and/or other materials provided with the distribution.
18  *
19  * Neither the name of the NLNET LABS nor the names of its contributors may
20  * be used to endorse or promote products derived from this software without
21  * specific prior written permission.
22  *
23  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26  * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27  * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29  * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31  * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32  * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34  */
35 
36 /**
37  * \file
38  *
39  * This file checks to see that the current 5011 keys work to prime the
40  * current root anchor.  If not a certificate is used to update the anchor,
41  * with RFC7958 https xml fetch.
42  *
43  * This is a concept solution for distribution of the DNSSEC root
44  * trust anchor.  It is a small tool, called "unbound-anchor", that
45  * runs before the main validator starts.  I.e. in the init script:
46  * unbound-anchor; unbound.  Thus it is meant to run at system boot time.
47  *
48  * Management-Abstract:
49  *    * first run: fill root.key file with hardcoded DS record.
50  *    * mostly: use RFC5011 tracking, quick . DNSKEY UDP query.
51  *    * failover: use RFC7958 builtin certificate, do https and update.
52  * Special considerations:
53  *    * 30-days RFC5011 timer saves a lot of https traffic.
54  *    * DNSKEY probe must be NOERROR, saves a lot of https traffic.
55  *    * fail if clock before sign date of the root, if cert expired.
56  *    * if the root goes back to unsigned, deals with it.
57  *
58  * It has hardcoded the root DS anchors and the ICANN CA root certificate.
59  * It allows with options to override those.  It also takes root-hints (it
60  * has to do a DNS resolve), and also has hardcoded defaults for those.
61  *
62  * Once it starts, just before the validator starts, it quickly checks if
63  * the root anchor file needs to be updated.  First it tries to use
64  * RFC5011-tracking of the root key.  If that fails (and for 30-days since
65  * last successful probe), then it attempts to update using the
66  * certificate.  So most of the time, the RFC5011 tracking will work fine,
67  * and within a couple milliseconds, the main daemon can start.  It will
68  * have only probed the . DNSKEY, not done expensive https transfers on the
69  * root infrastructure.
70  *
71  * If there is no root key in the root.key file, it bootstraps the
72  * RFC5011-tracking with its builtin DS anchors; if that fails it
73  * bootstraps the RFC5011-tracking using the certificate.  (again to avoid
74  * https, and it is also faster).
75  *
76  * It uses the XML file by converting it to DS records and writing that to the
77  * key file.  Unbound can detect that the 'special comments' are gone, and
78  * the file contains a list of normal DNSKEY/DS records, and uses that to
79  * bootstrap 5011 (the KSK is made VALID).
80  *
81  * The certificate RFC7958 update is done by fetching root-anchors.xml and
82  * root-anchors.p7s via SSL.  The HTTPS certificate can be logged but is
83  * not validated (https for channel security; the security comes from the
84  * certificate).  The 'data.iana.org' domain name A and AAAA are resolved
85  * without DNSSEC.  It tries a random IP until the transfer succeeds.  It
86  * then checks the p7s signature.
87  *
88  * On any failure, it leaves the root key file untouched.  The main
89  * validator has to cope with it, it cannot fix things (So a failure does
90  * not go 'without DNSSEC', no downgrade).  If it used its builtin stuff or
91  * did the https, it exits with an exit code, so that this can trigger the
92  * init script to log the event and potentially alert the operator that can
93  * do a manual check.
94  *
95  * The date is also checked.  Before 2010-07-15 is a failure (root not
96  * signed yet; avoids attacks on system clock).  The
97  * last-successful-RFC5011-probe (if available) has to be more than 30 days
98  * in the past (otherwise, RFC5011 should have worked).  This keeps
99  * unnecessary https traffic down.  If the main certificate is expired, it
100  * fails.
101  *
102  * The dates on the keys in the xml are checked (uses the libexpat xml
103  * parser), only the valid ones are used to re-enstate RFC5011 tracking.
104  * If 0 keys are valid, the zone has gone to insecure (a special marker is
105  * written in the keyfile that tells the main validator daemon the zone is
106  * insecure).
107  *
108  * Only the root ICANN CA is shipped, not the intermediate ones.  The
109  * intermediate CAs are included in the p7s file that was downloaded.  (the
110  * root cert is valid to 2028 and the intermediate to 2014, today).
111  *
112  * Obviously, the tool also has options so the operator can provide a new
113  * keyfile, a new certificate and new URLs, and fresh root hints.  By
114  * default it logs nothing on failure and success; it 'just works'.
115  *
116  */
117 
118 #include "config.h"
119 #include "libunbound/unbound.h"
120 #include "sldns/rrdef.h"
121 #include "sldns/parseutil.h"
122 #include <expat.h>
123 #ifndef HAVE_EXPAT_H
124 #error "need libexpat to parse root-anchors.xml file."
125 #endif
126 #ifdef HAVE_GETOPT_H
127 #include <getopt.h>
128 #endif
129 #ifdef HAVE_OPENSSL_SSL_H
130 #include <openssl/ssl.h>
131 #endif
132 #ifdef HAVE_OPENSSL_ERR_H
133 #include <openssl/err.h>
134 #endif
135 #ifdef HAVE_OPENSSL_RAND_H
136 #include <openssl/rand.h>
137 #endif
138 #include <openssl/x509.h>
139 #include <openssl/x509v3.h>
140 #include <openssl/pem.h>
141 
142 /** name of server in URL to fetch HTTPS from */
143 #define URLNAME "data.iana.org"
144 /** path on HTTPS server to xml file */
145 #define XMLNAME "root-anchors/root-anchors.xml"
146 /** path on HTTPS server to p7s file */
147 #define P7SNAME "root-anchors/root-anchors.p7s"
148 /** name of the signer of the certificate */
149 #define P7SIGNER "dnssec@iana.org"
150 /** port number for https access */
151 #define HTTPS_PORT 443
152 
153 #ifdef USE_WINSOCK
154 /* sneakily reuse the the wsa_strerror function, on windows */
155 char* wsa_strerror(int err);
156 #endif
157 
158 /** verbosity for this application */
159 static int verb = 0;
160 
161 /** list of IP addresses */
162 struct ip_list {
163 	/** next in list */
164 	struct ip_list* next;
165 	/** length of addr */
166 	socklen_t len;
167 	/** address ready to connect to */
168 	struct sockaddr_storage addr;
169 	/** has the address been used */
170 	int used;
171 };
172 
173 /** Give unbound-anchor usage, and exit (1). */
174 static void
175 usage(void)
176 {
177 	printf("Usage:	local-unbound-anchor [opts]\n");
178 	printf("	Setup or update root anchor. "
179 		"Most options have defaults.\n");
180 	printf("	Run this program before you start the validator.\n");
181 	printf("\n");
182 	printf("	The anchor and cert have default builtin content\n");
183 	printf("	if the file does not exist or is empty.\n");
184 	printf("\n");
185 	printf("-a file		root key file, default %s\n", ROOT_ANCHOR_FILE);
186 	printf("		The key is input and output for this tool.\n");
187 	printf("-c file		cert file, default %s\n", ROOT_CERT_FILE);
188 	printf("-l		list builtin key and cert on stdout\n");
189 	printf("-u name		server in https url, default %s\n", URLNAME);
190 	printf("-S		do not use SNI for the https connection\n");
191 	printf("-x path		pathname to xml in url, default %s\n", XMLNAME);
192 	printf("-s path		pathname to p7s in url, default %s\n", P7SNAME);
193 	printf("-n name		signer's subject emailAddress, default %s\n", P7SIGNER);
194 	printf("-b address	source address to bind to\n");
195 	printf("-4		work using IPv4 only\n");
196 	printf("-6		work using IPv6 only\n");
197 	printf("-f resolv.conf	use given resolv.conf\n");
198 	printf("-r root.hints	use given root.hints\n"
199 		"		builtin root hints are used by default\n");
200 	printf("-R		fallback from -f to root query on error\n");
201 	printf("-v		more verbose\n");
202 	printf("-C conf		debug, read config\n");
203 	printf("-P port		use port for https connect, default 443\n");
204 	printf("-F 		debug, force update with cert\n");
205 	printf("-h		show this usage help\n");
206 	printf("Version %s\n", PACKAGE_VERSION);
207 	printf("BSD licensed, see LICENSE in source package for details.\n");
208 	printf("Report bugs to %s\n", PACKAGE_BUGREPORT);
209 	exit(1);
210 }
211 
212 /** return the built in root update certificate */
213 static const char*
214 get_builtin_cert(void)
215 {
216 	return
217 /* The ICANN CA fetched at 24 Sep 2010.  Valid to 2028 */
218 "-----BEGIN CERTIFICATE-----\n"
219 "MIIDdzCCAl+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO\n"
220 "TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV\n"
221 "BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA0MTkxMloX\n"
222 "DTI5MTIxODA0MTkxMlowXTEOMAwGA1UEChMFSUNBTk4xJjAkBgNVBAsTHUlDQU5O\n"
223 "IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRYwFAYDVQQDEw1JQ0FOTiBSb290IENB\n"
224 "MQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKDb\n"
225 "cLhPNNqc1NB+u+oVvOnJESofYS9qub0/PXagmgr37pNublVThIzyLPGCJ8gPms9S\n"
226 "G1TaKNIsMI7d+5IgMy3WyPEOECGIcfqEIktdR1YWfJufXcMReZwU4v/AdKzdOdfg\n"
227 "ONiwc6r70duEr1IiqPbVm5T05l1e6D+HkAvHGnf1LtOPGs4CHQdpIUcy2kauAEy2\n"
228 "paKcOcHASvbTHK7TbbvHGPB+7faAztABLoneErruEcumetcNfPMIjXKdv1V1E3C7\n"
229 "MSJKy+jAqqQJqjZoQGB0necZgUMiUv7JK1IPQRM2CXJllcyJrm9WFxY0c1KjBO29\n"
230 "iIKK69fcglKcBuFShUECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8B\n"
231 "Af8EBAMCAf4wHQYDVR0OBBYEFLpS6UmDJIZSL8eZzfyNa2kITcBQMA0GCSqGSIb3\n"
232 "DQEBCwUAA4IBAQAP8emCogqHny2UYFqywEuhLys7R9UKmYY4suzGO4nkbgfPFMfH\n"
233 "6M+Zj6owwxlwueZt1j/IaCayoKU3QsrYYoDRolpILh+FPwx7wseUEV8ZKpWsoDoD\n"
234 "2JFbLg2cfB8u/OlE4RYmcxxFSmXBg0yQ8/IoQt/bxOcEEhhiQ168H2yE5rxJMt9h\n"
235 "15nu5JBSewrCkYqYYmaxyOC3WrVGfHZxVI7MpIFcGdvSb2a1uyuua8l0BKgk3ujF\n"
236 "0/wsHNeP22qNyVO+XVBzrM8fk8BSUFuiT/6tZTYXRtEt5aKQZgXbKU5dUF3jT9qg\n"
237 "j/Br5BZw3X/zd325TvnswzMC1+ljLzHnQGGk\n"
238 "-----END CERTIFICATE-----\n"
239 		;
240 }
241 
242 /** return the built in root DS trust anchor */
243 static const char*
244 get_builtin_ds(void)
245 {
246 	return
247 /* The anchors must start on a new line with ". IN DS and end with \n"[;]
248  * because the makedist script greps on the source here */
249 /* anchor 20326 is from 2017 */
250 ". IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D\n";
251 }
252 
253 /** print hex data */
254 static void
255 print_data(const char* msg, const char* data, int len)
256 {
257 	int i;
258 	printf("%s: ", msg);
259 	for(i=0; i<len; i++) {
260 		printf(" %2.2x", (unsigned char)data[i]);
261 	}
262 	printf("\n");
263 }
264 
265 /** print ub context creation error and exit */
266 static void
267 ub_ctx_error_exit(struct ub_ctx* ctx, const char* str, const char* str2)
268 {
269 	ub_ctx_delete(ctx);
270 	if(str && str2 && verb) printf("%s: %s\n", str, str2);
271 	if(verb) printf("error: could not create unbound resolver context\n");
272 	exit(0);
273 }
274 
275 /**
276  * Create a new unbound context with the commandline settings applied
277  */
278 static struct ub_ctx*
279 create_unbound_context(const char* res_conf, const char* root_hints,
280 	const char* debugconf, const char* srcaddr, int ip4only, int ip6only)
281 {
282 	int r;
283 	struct ub_ctx* ctx = ub_ctx_create();
284 	if(!ctx) {
285 		if(verb) printf("out of memory\n");
286 		exit(0);
287 	}
288 	/* do not waste time and network traffic to fetch extra nameservers */
289 	r = ub_ctx_set_option(ctx, "target-fetch-policy:", "0 0 0 0 0");
290 	if(r && verb) printf("ctx targetfetchpolicy: %s\n", ub_strerror(r));
291 	/* read config file first, so its settings can be overridden */
292 	if(debugconf) {
293 		r = ub_ctx_config(ctx, debugconf);
294 		if(r) ub_ctx_error_exit(ctx, debugconf, ub_strerror(r));
295 	}
296 	if(res_conf) {
297 		r = ub_ctx_resolvconf(ctx, res_conf);
298 		if(r) ub_ctx_error_exit(ctx, res_conf, ub_strerror(r));
299 	}
300 	if(root_hints) {
301 		r = ub_ctx_set_option(ctx, "root-hints:", root_hints);
302 		if(r) ub_ctx_error_exit(ctx, root_hints, ub_strerror(r));
303 	}
304 	if(srcaddr) {
305 		r = ub_ctx_set_option(ctx, "outgoing-interface:", srcaddr);
306 		if(r) ub_ctx_error_exit(ctx, srcaddr, ub_strerror(r));
307 	}
308 	if(ip4only) {
309 		r = ub_ctx_set_option(ctx, "do-ip6:", "no");
310 		if(r) ub_ctx_error_exit(ctx, "ip4only", ub_strerror(r));
311 	}
312 	if(ip6only) {
313 		r = ub_ctx_set_option(ctx, "do-ip4:", "no");
314 		if(r) ub_ctx_error_exit(ctx, "ip6only", ub_strerror(r));
315 	}
316 	return ctx;
317 }
318 
319 /** printout certificate in detail */
320 static void
321 verb_cert(const char* msg, X509* x)
322 {
323 	if(verb == 0 || verb == 1) return;
324 	if(verb == 2) {
325 		if(msg) printf("%s\n", msg);
326 		X509_print_ex_fp(stdout, x, 0, (unsigned long)-1
327 			^(X509_FLAG_NO_SUBJECT
328 			|X509_FLAG_NO_ISSUER|X509_FLAG_NO_VALIDITY));
329 		return;
330 	}
331 	if(msg) printf("%s\n", msg);
332 	X509_print_fp(stdout, x);
333 }
334 
335 /** printout certificates in detail */
336 static void
337 verb_certs(const char* msg, STACK_OF(X509)* sk)
338 {
339 	int i, num = sk_X509_num(sk);
340 	if(verb == 0 || verb == 1) return;
341 	for(i=0; i<num; i++) {
342 		printf("%s (%d/%d)\n", msg, i, num);
343 		verb_cert(NULL, sk_X509_value(sk, i));
344 	}
345 }
346 
347 /** read certificates from a PEM bio */
348 static STACK_OF(X509)*
349 read_cert_bio(BIO* bio)
350 {
351 	STACK_OF(X509) *sk = sk_X509_new_null();
352 	if(!sk) {
353 		if(verb) printf("out of memory\n");
354 		exit(0);
355 	}
356 	while(!BIO_eof(bio)) {
357 		X509* x = PEM_read_bio_X509(bio, NULL, NULL, NULL);
358 		if(x == NULL) {
359 			if(verb) {
360 				printf("failed to read X509\n");
361 			 	ERR_print_errors_fp(stdout);
362 			}
363 			continue;
364 		}
365 		if(!sk_X509_push(sk, x)) {
366 			if(verb) printf("out of memory\n");
367 			exit(0);
368 		}
369 	}
370 	return sk;
371 }
372 
373 /* read the certificate file */
374 static STACK_OF(X509)*
375 read_cert_file(const char* file)
376 {
377 	STACK_OF(X509)* sk;
378 	FILE* in;
379 	int content = 0;
380 	char buf[128];
381 	if(file == NULL || strcmp(file, "") == 0) {
382 		return NULL;
383 	}
384 	sk = sk_X509_new_null();
385 	if(!sk) {
386 		if(verb) printf("out of memory\n");
387 		exit(0);
388 	}
389 	in = fopen(file, "r");
390 	if(!in) {
391 		if(verb) printf("%s: %s\n", file, strerror(errno));
392 #ifndef S_SPLINT_S
393 		sk_X509_pop_free(sk, X509_free);
394 #endif
395 		return NULL;
396 	}
397 	while(!feof(in)) {
398 		X509* x = PEM_read_X509(in, NULL, NULL, NULL);
399 		if(x == NULL) {
400 			if(verb) {
401 				printf("failed to read X509 file\n");
402 			 	ERR_print_errors_fp(stdout);
403 			}
404 			continue;
405 		}
406 		if(!sk_X509_push(sk, x)) {
407 			if(verb) printf("out of memory\n");
408 			fclose(in);
409 			exit(0);
410 		}
411 		content = 1;
412 		/* read away newline after --END CERT-- */
413 		if(!fgets(buf, (int)sizeof(buf), in))
414 			break;
415 	}
416 	fclose(in);
417 	if(!content) {
418 		if(verb) printf("%s is empty\n", file);
419 #ifndef S_SPLINT_S
420 		sk_X509_pop_free(sk, X509_free);
421 #endif
422 		return NULL;
423 	}
424 	return sk;
425 }
426 
427 /** read certificates from the builtin certificate */
428 static STACK_OF(X509)*
429 read_builtin_cert(void)
430 {
431 	const char* builtin_cert = get_builtin_cert();
432 	STACK_OF(X509)* sk;
433 	BIO *bio = BIO_new_mem_buf(builtin_cert,
434 		(int)strlen(builtin_cert));
435 	if(!bio) {
436 		if(verb) printf("out of memory\n");
437 		exit(0);
438 	}
439 	sk = read_cert_bio(bio);
440 	if(!sk) {
441 		if(verb) printf("internal error, out of memory\n");
442 		exit(0);
443 	}
444 	BIO_free(bio);
445 	return sk;
446 }
447 
448 /** read update cert file or use builtin */
449 static STACK_OF(X509)*
450 read_cert_or_builtin(const char* file)
451 {
452 	STACK_OF(X509) *sk = read_cert_file(file);
453 	if(!sk) {
454 		if(verb) printf("using builtin certificate\n");
455 		sk = read_builtin_cert();
456 	}
457 	if(verb) printf("have %d trusted certificates\n", sk_X509_num(sk));
458 	verb_certs("trusted certificates", sk);
459 	return sk;
460 }
461 
462 static void
463 do_list_builtin(void)
464 {
465 	const char* builtin_cert = get_builtin_cert();
466 	const char* builtin_ds = get_builtin_ds();
467 	printf("%s\n", builtin_ds);
468 	printf("%s\n", builtin_cert);
469 	exit(0);
470 }
471 
472 /** printout IP address with message */
473 static void
474 verb_addr(const char* msg, struct ip_list* ip)
475 {
476 	if(verb) {
477 		char out[100];
478 		void* a = &((struct sockaddr_in*)&ip->addr)->sin_addr;
479 		if(ip->len != (socklen_t)sizeof(struct sockaddr_in))
480 			a = &((struct sockaddr_in6*)&ip->addr)->sin6_addr;
481 
482 		if(inet_ntop((int)((struct sockaddr_in*)&ip->addr)->sin_family,
483 			a, out, (socklen_t)sizeof(out))==0)
484 			printf("%s (inet_ntop error)\n", msg);
485 		else printf("%s %s\n", msg, out);
486 	}
487 }
488 
489 /** free ip_list */
490 static void
491 ip_list_free(struct ip_list* p)
492 {
493 	struct ip_list* np;
494 	while(p) {
495 		np = p->next;
496 		free(p);
497 		p = np;
498 	}
499 }
500 
501 /** create ip_list entry for a RR record */
502 static struct ip_list*
503 RR_to_ip(int tp, char* data, int len, int port)
504 {
505 	struct ip_list* ip = (struct ip_list*)calloc(1, sizeof(*ip));
506 	uint16_t p = (uint16_t)port;
507 	if(tp == LDNS_RR_TYPE_A) {
508 		struct sockaddr_in* sa = (struct sockaddr_in*)&ip->addr;
509 		ip->len = (socklen_t)sizeof(*sa);
510 		sa->sin_family = AF_INET;
511 		sa->sin_port = (in_port_t)htons(p);
512 		if(len != (int)sizeof(sa->sin_addr)) {
513 			if(verb) printf("skipped badly formatted A\n");
514 			free(ip);
515 			return NULL;
516 		}
517 		memmove(&sa->sin_addr, data, sizeof(sa->sin_addr));
518 
519 	} else if(tp == LDNS_RR_TYPE_AAAA) {
520 		struct sockaddr_in6* sa = (struct sockaddr_in6*)&ip->addr;
521 		ip->len = (socklen_t)sizeof(*sa);
522 		sa->sin6_family = AF_INET6;
523 		sa->sin6_port = (in_port_t)htons(p);
524 		if(len != (int)sizeof(sa->sin6_addr)) {
525 			if(verb) printf("skipped badly formatted AAAA\n");
526 			free(ip);
527 			return NULL;
528 		}
529 		memmove(&sa->sin6_addr, data, sizeof(sa->sin6_addr));
530 	} else {
531 		if(verb) printf("internal error: bad type in RRtoip\n");
532 		free(ip);
533 		return NULL;
534 	}
535 	verb_addr("resolved server address", ip);
536 	return ip;
537 }
538 
539 /** Resolve name, type, class and add addresses to iplist */
540 static void
541 resolve_host_ip(struct ub_ctx* ctx, const char* host, int port, int tp, int cl,
542 	struct ip_list** head)
543 {
544 	struct ub_result* res = NULL;
545 	int r;
546 	int i;
547 
548 	r = ub_resolve(ctx, host, tp, cl, &res);
549 	if(r) {
550 		if(verb) printf("error: resolve %s %s: %s\n", host,
551 			(tp==LDNS_RR_TYPE_A)?"A":"AAAA", ub_strerror(r));
552 		return;
553 	}
554 	if(!res) {
555 		if(verb) printf("out of memory\n");
556 		ub_ctx_delete(ctx);
557 		exit(0);
558 	}
559 	if(!res->havedata || res->rcode || !res->data) {
560 		if(verb) printf("resolve %s %s: no result\n", host,
561 			(tp==LDNS_RR_TYPE_A)?"A":"AAAA");
562 		return;
563 	}
564 	for(i = 0; res->data[i]; i++) {
565 		struct ip_list* ip = RR_to_ip(tp, res->data[i], res->len[i],
566 			port);
567 		if(!ip) continue;
568 		ip->next = *head;
569 		*head = ip;
570 	}
571 	ub_resolve_free(res);
572 }
573 
574 /** parse a text IP address into a sockaddr */
575 static struct ip_list*
576 parse_ip_addr(const char* str, int port)
577 {
578 	socklen_t len = 0;
579 	union {
580 		struct sockaddr_in6 a6;
581 		struct sockaddr_in a;
582 	} addr;
583 	struct ip_list* ip;
584 	uint16_t p = (uint16_t)port;
585 	memset(&addr, 0, sizeof(addr));
586 
587 	if(inet_pton(AF_INET6, str, &addr.a6.sin6_addr) > 0) {
588 		/* it is an IPv6 */
589 		addr.a6.sin6_family = AF_INET6;
590 		addr.a6.sin6_port = (in_port_t)htons(p);
591 		len = (socklen_t)sizeof(addr.a6);
592 	}
593 	if(inet_pton(AF_INET, str, &addr.a.sin_addr) > 0) {
594 		/* it is an IPv4 */
595 		addr.a.sin_family = AF_INET;
596 		addr.a.sin_port = (in_port_t)htons(p);
597 		len = (socklen_t)sizeof(struct sockaddr_in);
598 	}
599 	if(!len) return NULL;
600 	ip = (struct ip_list*)calloc(1, sizeof(*ip));
601 	if(!ip) {
602 		if(verb) printf("out of memory\n");
603 		exit(0);
604 	}
605 	ip->len = len;
606 	memmove(&ip->addr, &addr, len);
607 	if(verb) printf("server address is %s\n", str);
608 	return ip;
609 }
610 
611 /**
612  * Resolve a domain name (even though the resolver is down and there is
613  * no trust anchor).  Without DNSSEC validation.
614  * @param host: the name to resolve.
615  * 	If this name is an IP4 or IP6 address this address is returned.
616  * @param port: the port number used for the returned IP structs.
617  * @param res_conf: resolv.conf (if any).
618  * @param root_hints: root hints (if any).
619  * @param debugconf: unbound.conf for debugging options.
620  * @param srcaddr: source address option (if any).
621  * @param ip4only: use only ip4 for resolve and only lookup A
622  * @param ip6only: use only ip6 for resolve and only lookup AAAA
623  * 	default is to lookup A and AAAA using ip4 and ip6.
624  * @return list of IP addresses.
625  */
626 static struct ip_list*
627 resolve_name(const char* host, int port, const char* res_conf,
628 	const char* root_hints, const char* debugconf,
629 	const char* srcaddr, int ip4only, int ip6only)
630 {
631 	struct ub_ctx* ctx;
632 	struct ip_list* list = NULL;
633 	/* first see if name is an IP address itself */
634 	if( (list=parse_ip_addr(host, port)) ) {
635 		return list;
636 	}
637 
638 	/* create resolver context */
639 	ctx = create_unbound_context(res_conf, root_hints, debugconf,
640         	srcaddr, ip4only, ip6only);
641 
642 	/* try resolution of A */
643 	if(!ip6only) {
644 		resolve_host_ip(ctx, host, port, LDNS_RR_TYPE_A,
645 			LDNS_RR_CLASS_IN, &list);
646 	}
647 
648 	/* try resolution of AAAA */
649 	if(!ip4only) {
650 		resolve_host_ip(ctx, host, port, LDNS_RR_TYPE_AAAA,
651 			LDNS_RR_CLASS_IN, &list);
652 	}
653 
654 	ub_ctx_delete(ctx);
655 	if(!list) {
656 		if(verb) printf("%s has no IP addresses I can use\n", host);
657 		exit(0);
658 	}
659 	return list;
660 }
661 
662 /** clear used flags */
663 static void
664 wipe_ip_usage(struct ip_list* p)
665 {
666 	while(p) {
667 		p->used = 0;
668 		p = p->next;
669 	}
670 }
671 
672 /** count unused IPs */
673 static int
674 count_unused(struct ip_list* p)
675 {
676 	int num = 0;
677 	while(p) {
678 		if(!p->used) num++;
679 		p = p->next;
680 	}
681 	return num;
682 }
683 
684 /** pick random unused element from IP list */
685 static struct ip_list*
686 pick_random_ip(struct ip_list* list)
687 {
688 	struct ip_list* p = list;
689 	int num = count_unused(list);
690 	int sel;
691 	if(num == 0) return NULL;
692 	/* not perfect, but random enough */
693 	sel = (int)arc4random_uniform((uint32_t)num);
694 	/* skip over unused elements that we did not select */
695 	while(sel > 0 && p) {
696 		if(!p->used) sel--;
697 		p = p->next;
698 	}
699 	/* find the next unused element */
700 	while(p && p->used)
701 		p = p->next;
702 	if(!p) return NULL; /* robustness */
703 	return p;
704 }
705 
706 /** close the fd */
707 static void
708 fd_close(int fd)
709 {
710 #ifndef USE_WINSOCK
711 	close(fd);
712 #else
713 	closesocket(fd);
714 #endif
715 }
716 
717 /** printout socket errno */
718 static void
719 print_sock_err(const char* msg)
720 {
721 #ifndef USE_WINSOCK
722 	if(verb) printf("%s: %s\n", msg, strerror(errno));
723 #else
724 	if(verb) printf("%s: %s\n", msg, wsa_strerror(WSAGetLastError()));
725 #endif
726 }
727 
728 /** connect to IP address */
729 static int
730 connect_to_ip(struct ip_list* ip, struct ip_list* src)
731 {
732 	int fd;
733 	verb_addr("connect to", ip);
734 	fd = socket(ip->len==(socklen_t)sizeof(struct sockaddr_in)?
735 		AF_INET:AF_INET6, SOCK_STREAM, 0);
736 	if(fd == -1) {
737 		print_sock_err("socket");
738 		return -1;
739 	}
740 	if(src && bind(fd, (struct sockaddr*)&src->addr, src->len) < 0) {
741 		print_sock_err("bind");
742 		fd_close(fd);
743 		return -1;
744 	}
745 	if(connect(fd, (struct sockaddr*)&ip->addr, ip->len) < 0) {
746 		print_sock_err("connect");
747 		fd_close(fd);
748 		return -1;
749 	}
750 	return fd;
751 }
752 
753 /** create SSL context */
754 static SSL_CTX*
755 setup_sslctx(void)
756 {
757 	SSL_CTX* sslctx = SSL_CTX_new(SSLv23_client_method());
758 	if(!sslctx) {
759 		if(verb) printf("SSL_CTX_new error\n");
760 		return NULL;
761 	}
762 	return sslctx;
763 }
764 
765 /** initiate TLS on a connection */
766 static SSL*
767 TLS_initiate(SSL_CTX* sslctx, int fd, const char* urlname, int use_sni)
768 {
769 	X509* x;
770 	int r;
771 	SSL* ssl = SSL_new(sslctx);
772 	if(!ssl) {
773 		if(verb) printf("SSL_new error\n");
774 		return NULL;
775 	}
776 	SSL_set_connect_state(ssl);
777 	(void)SSL_set_mode(ssl, (long)SSL_MODE_AUTO_RETRY);
778 	if(!SSL_set_fd(ssl, fd)) {
779 		if(verb) printf("SSL_set_fd error\n");
780 		SSL_free(ssl);
781 		return NULL;
782 	}
783 	if(use_sni) {
784 		(void)SSL_set_tlsext_host_name(ssl, urlname);
785 	}
786 	while(1) {
787 		ERR_clear_error();
788 		if( (r=SSL_do_handshake(ssl)) == 1)
789 			break;
790 		r = SSL_get_error(ssl, r);
791 		if(r != SSL_ERROR_WANT_READ && r != SSL_ERROR_WANT_WRITE) {
792 			if(verb) printf("SSL handshake failed\n");
793 			SSL_free(ssl);
794 			return NULL;
795 		}
796 		/* wants to be called again */
797 	}
798 	x = SSL_get_peer_certificate(ssl);
799 	if(!x) {
800 		if(verb) printf("Server presented no peer certificate\n");
801 		SSL_free(ssl);
802 		return NULL;
803 	}
804 	verb_cert("server SSL certificate", x);
805 	X509_free(x);
806 	return ssl;
807 }
808 
809 /** perform neat TLS shutdown */
810 static void
811 TLS_shutdown(int fd, SSL* ssl, SSL_CTX* sslctx)
812 {
813 	/* shutdown the SSL connection nicely */
814 	if(SSL_shutdown(ssl) == 0) {
815 		SSL_shutdown(ssl);
816 	}
817 	SSL_free(ssl);
818 	SSL_CTX_free(sslctx);
819 	fd_close(fd);
820 }
821 
822 /** write a line over SSL */
823 static int
824 write_ssl_line(SSL* ssl, const char* str, const char* sec)
825 {
826 	char buf[1024];
827 	size_t l;
828 	if(sec) {
829 		snprintf(buf, sizeof(buf), str, sec);
830 	} else {
831 		snprintf(buf, sizeof(buf), "%s", str);
832 	}
833 	l = strlen(buf);
834 	if(l+2 >= sizeof(buf)) {
835 		if(verb) printf("line too long\n");
836 		return 0;
837 	}
838 	if(verb >= 2) printf("SSL_write: %s\n", buf);
839 	buf[l] = '\r';
840 	buf[l+1] = '\n';
841 	buf[l+2] = 0;
842 	/* add \r\n */
843 	if(SSL_write(ssl, buf, (int)strlen(buf)) <= 0) {
844 		if(verb) printf("could not SSL_write %s", str);
845 		return 0;
846 	}
847 	return 1;
848 }
849 
850 /** process header line, check rcode and keeping track of size */
851 static int
852 process_one_header(char* buf, size_t* clen, int* chunked)
853 {
854 	if(verb>=2) printf("header: '%s'\n", buf);
855 	if(strncasecmp(buf, "HTTP/1.1 ", 9) == 0) {
856 		/* check returncode */
857 		if(buf[9] != '2') {
858 			if(verb) printf("bad status %s\n", buf+9);
859 			return 0;
860 		}
861 	} else if(strncasecmp(buf, "Content-Length: ", 16) == 0) {
862 		if(!*chunked)
863 			*clen = (size_t)atoi(buf+16);
864 	} else if(strncasecmp(buf, "Transfer-Encoding: chunked", 19+7) == 0) {
865 		*clen = 0;
866 		*chunked = 1;
867 	}
868 	return 1;
869 }
870 
871 /**
872  * Read one line from SSL
873  * zero terminates.
874  * skips "\r\n" (but not copied to buf).
875  * @param ssl: the SSL connection to read from (blocking).
876  * @param buf: buffer to return line in.
877  * @param len: size of the buffer.
878  * @return 0 on error, 1 on success.
879  */
880 static int
881 read_ssl_line(SSL* ssl, char* buf, size_t len)
882 {
883 	size_t n = 0;
884 	int r;
885 	int endnl = 0;
886 	while(1) {
887 		if(n >= len) {
888 			if(verb) printf("line too long\n");
889 			return 0;
890 		}
891 		if((r = SSL_read(ssl, buf+n, 1)) <= 0) {
892 			if(SSL_get_error(ssl, r) == SSL_ERROR_ZERO_RETURN) {
893 				/* EOF */
894 				break;
895 			}
896 			if(verb) printf("could not SSL_read\n");
897 			return 0;
898 		}
899 		if(endnl && buf[n] == '\n') {
900 			break;
901 		} else if(endnl) {
902 			/* bad data */
903 			if(verb) printf("error: stray linefeeds\n");
904 			return 0;
905 		} else if(buf[n] == '\r') {
906 			/* skip \r, and also \n on the wire */
907 			endnl = 1;
908 			continue;
909 		} else if(buf[n] == '\n') {
910 			/* skip the \n, we are done */
911 			break;
912 		} else n++;
913 	}
914 	buf[n] = 0;
915 	return 1;
916 }
917 
918 /** read http headers and process them */
919 static size_t
920 read_http_headers(SSL* ssl, size_t* clen)
921 {
922 	char buf[1024];
923 	int chunked = 0;
924 	*clen = 0;
925 	while(read_ssl_line(ssl, buf, sizeof(buf))) {
926 		if(buf[0] == 0)
927 			return 1;
928 		if(!process_one_header(buf, clen, &chunked))
929 			return 0;
930 	}
931 	return 0;
932 }
933 
934 /** read a data chunk */
935 static char*
936 read_data_chunk(SSL* ssl, size_t len)
937 {
938 	size_t got = 0;
939 	int r;
940 	char* data;
941 	if((unsigned)len >= (unsigned)0xfffffff0)
942 		return NULL; /* to protect against integer overflow in malloc*/
943 	data = malloc(len+1);
944 	if(!data) {
945 		if(verb) printf("out of memory\n");
946 		return NULL;
947 	}
948 	while(got < len) {
949 		if((r = SSL_read(ssl, data+got, (int)(len-got))) <= 0) {
950 			if(SSL_get_error(ssl, r) == SSL_ERROR_ZERO_RETURN) {
951 				/* EOF */
952 				if(verb) printf("could not SSL_read: unexpected EOF\n");
953 				free(data);
954 				return NULL;
955 			}
956 			if(verb) printf("could not SSL_read\n");
957 			free(data);
958 			return NULL;
959 		}
960 		if(verb >= 2) printf("at %d/%d\n", (int)got, (int)len);
961 		got += r;
962 	}
963 	if(verb>=2) printf("read %d data\n", (int)len);
964 	data[len] = 0;
965 	return data;
966 }
967 
968 /** parse chunk header */
969 static int
970 parse_chunk_header(char* buf, size_t* result)
971 {
972 	char* e = NULL;
973 	size_t v = (size_t)strtol(buf, &e, 16);
974 	if(e == buf)
975 		return 0;
976 	*result = v;
977 	return 1;
978 }
979 
980 /** read chunked data from connection */
981 static BIO*
982 do_chunked_read(SSL* ssl)
983 {
984 	char buf[1024];
985 	size_t len;
986 	char* body;
987 	BIO* mem = BIO_new(BIO_s_mem());
988 	if(verb>=3) printf("do_chunked_read\n");
989 	if(!mem) {
990 		if(verb) printf("out of memory\n");
991 		return NULL;
992 	}
993 	while(read_ssl_line(ssl, buf, sizeof(buf))) {
994 		/* read the chunked start line */
995 		if(verb>=2) printf("chunk header: %s\n", buf);
996 		if(!parse_chunk_header(buf, &len)) {
997 			BIO_free(mem);
998 			if(verb>=3) printf("could not parse chunk header\n");
999 			return NULL;
1000 		}
1001 		if(verb>=2) printf("chunk len: %d\n", (int)len);
1002 		/* are we done? */
1003 		if(len == 0) {
1004 			char z = 0;
1005 			/* skip end-of-chunk-trailer lines,
1006 			 * until the empty line after that */
1007 			do {
1008 				if(!read_ssl_line(ssl, buf, sizeof(buf))) {
1009 					BIO_free(mem);
1010 					return NULL;
1011 				}
1012 			} while (strlen(buf) > 0);
1013 			/* end of chunks, zero terminate it */
1014 			if(BIO_write(mem, &z, 1) <= 0) {
1015 				if(verb) printf("out of memory\n");
1016 				BIO_free(mem);
1017 				return NULL;
1018 			}
1019 			return mem;
1020 		}
1021 		/* read the chunked body */
1022 		body = read_data_chunk(ssl, len);
1023 		if(!body) {
1024 			BIO_free(mem);
1025 			return NULL;
1026 		}
1027 		if(BIO_write(mem, body, (int)len) <= 0) {
1028 			if(verb) printf("out of memory\n");
1029 			free(body);
1030 			BIO_free(mem);
1031 			return NULL;
1032 		}
1033 		free(body);
1034 		/* skip empty line after data chunk */
1035 		if(!read_ssl_line(ssl, buf, sizeof(buf))) {
1036 			BIO_free(mem);
1037 			return NULL;
1038 		}
1039 	}
1040 	BIO_free(mem);
1041 	return NULL;
1042 }
1043 
1044 /** start HTTP1.1 transaction on SSL */
1045 static int
1046 write_http_get(SSL* ssl, const char* pathname, const char* urlname)
1047 {
1048 	if(write_ssl_line(ssl, "GET /%s HTTP/1.1", pathname) &&
1049 	   write_ssl_line(ssl, "Host: %s", urlname) &&
1050 	   write_ssl_line(ssl, "User-Agent: unbound-anchor/%s",
1051 	   	PACKAGE_VERSION) &&
1052 	   /* We do not really do multiple queries per connection,
1053 	    * but this header setting is also not needed.
1054 	    * write_ssl_line(ssl, "Connection: close", NULL) &&*/
1055 	   write_ssl_line(ssl, "", NULL)) {
1056 		return 1;
1057 	}
1058 	return 0;
1059 }
1060 
1061 /** read chunked data and zero terminate; len is without zero */
1062 static char*
1063 read_chunked_zero_terminate(SSL* ssl, size_t* len)
1064 {
1065 	/* do the chunked version */
1066 	BIO* tmp = do_chunked_read(ssl);
1067 	char* data, *d = NULL;
1068 	size_t l;
1069 	if(!tmp) {
1070 		if(verb) printf("could not read from https\n");
1071 		return NULL;
1072 	}
1073 	l = (size_t)BIO_get_mem_data(tmp, &d);
1074 	if(verb>=2) printf("chunked data is %d\n", (int)l);
1075 	if(l == 0 || d == NULL) {
1076 		if(verb) printf("out of memory\n");
1077 		return NULL;
1078 	}
1079 	*len = l-1;
1080 	data = (char*)malloc(l);
1081 	if(data == NULL) {
1082 		if(verb) printf("out of memory\n");
1083 		return NULL;
1084 	}
1085 	memcpy(data, d, l);
1086 	BIO_free(tmp);
1087 	return data;
1088 }
1089 
1090 /** read HTTP result from SSL */
1091 static BIO*
1092 read_http_result(SSL* ssl)
1093 {
1094 	size_t len = 0;
1095 	char* data;
1096 	BIO* m;
1097 	if(!read_http_headers(ssl, &len)) {
1098 		return NULL;
1099 	}
1100 	if(len == 0) {
1101 		data = read_chunked_zero_terminate(ssl, &len);
1102 	} else {
1103 		data = read_data_chunk(ssl, len);
1104 	}
1105 	if(!data) return NULL;
1106 	if(verb >= 4) print_data("read data", data, (int)len);
1107 	m = BIO_new(BIO_s_mem());
1108 	if(!m) {
1109 		if(verb) printf("out of memory\n");
1110 		free(data);
1111 		exit(0);
1112 	}
1113 	BIO_write(m, data, (int)len);
1114 	free(data);
1115 	return m;
1116 }
1117 
1118 /** https to an IP addr, return BIO with pathname or NULL */
1119 static BIO*
1120 https_to_ip(struct ip_list* ip, const char* pathname, const char* urlname,
1121 	struct ip_list* src, int use_sni)
1122 {
1123 	int fd;
1124 	SSL* ssl;
1125 	BIO* bio;
1126 	SSL_CTX* sslctx = setup_sslctx();
1127 	if(!sslctx) {
1128 		return NULL;
1129 	}
1130 	fd = connect_to_ip(ip, src);
1131 	if(fd == -1) {
1132 		SSL_CTX_free(sslctx);
1133 		return NULL;
1134 	}
1135 	ssl = TLS_initiate(sslctx, fd, urlname, use_sni);
1136 	if(!ssl) {
1137 		SSL_CTX_free(sslctx);
1138 		fd_close(fd);
1139 		return NULL;
1140 	}
1141 	if(!write_http_get(ssl, pathname, urlname)) {
1142 		if(verb) printf("could not write to server\n");
1143 		SSL_free(ssl);
1144 		SSL_CTX_free(sslctx);
1145 		fd_close(fd);
1146 		return NULL;
1147 	}
1148 	bio = read_http_result(ssl);
1149 	TLS_shutdown(fd, ssl, sslctx);
1150 	return bio;
1151 }
1152 
1153 /**
1154  * Do a HTTPS, HTTP1.1 over TLS, to fetch a file
1155  * @param ip_list: list of IP addresses to use to fetch from.
1156  * @param pathname: pathname of file on server to GET.
1157  * @param urlname: name to pass as the virtual host for this request.
1158  * @param src: if nonNULL, source address to bind to.
1159  * @param use_sni: if SNI will be used.
1160  * @return a memory BIO with the file in it.
1161  */
1162 static BIO*
1163 https(struct ip_list* ip_list, const char* pathname, const char* urlname,
1164 	struct ip_list* src, int use_sni)
1165 {
1166 	struct ip_list* ip;
1167 	BIO* bio = NULL;
1168 	/* try random address first, and work through the list */
1169 	wipe_ip_usage(ip_list);
1170 	while( (ip = pick_random_ip(ip_list)) ) {
1171 		ip->used = 1;
1172 		bio = https_to_ip(ip, pathname, urlname, src, use_sni);
1173 		if(bio) break;
1174 	}
1175 	if(!bio) {
1176 		if(verb) printf("could not fetch %s\n", pathname);
1177 		exit(0);
1178 	} else {
1179 		if(verb) printf("fetched %s (%d bytes)\n",
1180 			pathname, (int)BIO_ctrl_pending(bio));
1181 	}
1182 	return bio;
1183 }
1184 
1185 /** XML parse private data during the parse */
1186 struct xml_data {
1187 	/** the parser, reference */
1188 	XML_Parser parser;
1189 	/** the current tag; malloced; or NULL outside of tags */
1190 	char* tag;
1191 	/** current date to use during the parse */
1192 	time_t date;
1193 	/** number of keys usefully read in */
1194 	int num_keys;
1195 	/** the compiled anchors as DS records */
1196 	BIO* ds;
1197 
1198 	/** do we want to use this anchor? */
1199 	int use_key;
1200 	/** the current anchor: Zone */
1201 	BIO* czone;
1202 	/** the current anchor: KeyTag */
1203 	BIO* ctag;
1204 	/** the current anchor: Algorithm */
1205 	BIO* calgo;
1206 	/** the current anchor: DigestType */
1207 	BIO* cdigtype;
1208 	/** the current anchor: Digest*/
1209 	BIO* cdigest;
1210 };
1211 
1212 /** The BIO for the tag */
1213 static BIO*
1214 xml_selectbio(struct xml_data* data, const char* tag)
1215 {
1216 	BIO* b = NULL;
1217 	if(strcasecmp(tag, "KeyTag") == 0)
1218 		b = data->ctag;
1219 	else if(strcasecmp(tag, "Algorithm") == 0)
1220 		b = data->calgo;
1221 	else if(strcasecmp(tag, "DigestType") == 0)
1222 		b = data->cdigtype;
1223 	else if(strcasecmp(tag, "Digest") == 0)
1224 		b = data->cdigest;
1225 	return b;
1226 }
1227 
1228 /**
1229  * XML handle character data, the data inside an element.
1230  * @param userData: xml_data structure
1231  * @param s: the character data.  May not all be in one callback.
1232  * 	NOT zero terminated.
1233  * @param len: length of this part of the data.
1234  */
1235 static void
1236 xml_charhandle(void *userData, const XML_Char *s, int len)
1237 {
1238 	struct xml_data* data = (struct xml_data*)userData;
1239 	BIO* b = NULL;
1240 	/* skip characters outside of elements */
1241 	if(!data->tag)
1242 		return;
1243 	if(verb>=4) {
1244 		int i;
1245 		printf("%s%s charhandle: '",
1246 			data->use_key?"use ":"",
1247 			data->tag?data->tag:"none");
1248 		for(i=0; i<len; i++)
1249 			printf("%c", s[i]);
1250 		printf("'\n");
1251 	}
1252 	if(strcasecmp(data->tag, "Zone") == 0) {
1253 		if(BIO_write(data->czone, s, len) < 0) {
1254 			if(verb) printf("out of memory in BIO_write\n");
1255 			exit(0);
1256 		}
1257 		return;
1258 	}
1259 	/* only store if key is used */
1260 	if(!data->use_key)
1261 		return;
1262 	b = xml_selectbio(data, data->tag);
1263 	if(b) {
1264 		if(BIO_write(b, s, len) < 0) {
1265 			if(verb) printf("out of memory in BIO_write\n");
1266 			exit(0);
1267 		}
1268 	}
1269 }
1270 
1271 /**
1272  * XML fetch value of particular attribute(by name) or NULL if not present.
1273  * @param atts: attribute array (from xml_startelem).
1274  * @param name: name of attribute to look for.
1275  * @return the value or NULL. (ptr into atts).
1276  */
1277 static const XML_Char*
1278 find_att(const XML_Char **atts, const XML_Char* name)
1279 {
1280 	int i;
1281 	for(i=0; atts[i]; i+=2) {
1282 		if(strcasecmp(atts[i], name) == 0)
1283 			return atts[i+1];
1284 	}
1285 	return NULL;
1286 }
1287 
1288 /**
1289  * XML convert DateTime element to time_t.
1290  * [-]CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm]
1291  * (with optional .ssssss fractional seconds)
1292  * @param str: the string
1293  * @return a time_t representation or 0 on failure.
1294  */
1295 static time_t
1296 xml_convertdate(const char* str)
1297 {
1298 	time_t t = 0;
1299 	struct tm tm;
1300 	const char* s;
1301 	/* for this application, ignore minus in front;
1302 	 * only positive dates are expected */
1303 	s = str;
1304 	if(s[0] == '-') s++;
1305 	memset(&tm, 0, sizeof(tm));
1306 	/* parse initial content of the string (lots of whitespace allowed) */
1307 	s = strptime(s, "%t%Y%t-%t%m%t-%t%d%tT%t%H%t:%t%M%t:%t%S%t", &tm);
1308 	if(!s) {
1309 		if(verb) printf("xml_convertdate parse failure %s\n", str);
1310 		return 0;
1311 	}
1312 	/* parse remainder of date string */
1313 	if(*s == '.') {
1314 		/* optional '.' and fractional seconds */
1315 		int frac = 0, n = 0;
1316 		if(sscanf(s+1, "%d%n", &frac, &n) < 1) {
1317 			if(verb) printf("xml_convertdate f failure %s\n", str);
1318 			return 0;
1319 		}
1320 		/* fraction is not used, time_t has second accuracy */
1321 		s++;
1322 		s+=n;
1323 	}
1324 	if(*s == 'Z' || *s == 'z') {
1325 		/* nothing to do for this */
1326 		s++;
1327 	} else if(*s == '+' || *s == '-') {
1328 		/* optional timezone spec: Z or +hh:mm or -hh:mm */
1329 		int hr = 0, mn = 0, n = 0;
1330 		if(sscanf(s+1, "%d:%d%n", &hr, &mn, &n) < 2) {
1331 			if(verb) printf("xml_convertdate tz failure %s\n", str);
1332 			return 0;
1333 		}
1334 		if(*s == '+') {
1335 			tm.tm_hour += hr;
1336 			tm.tm_min += mn;
1337 		} else {
1338 			tm.tm_hour -= hr;
1339 			tm.tm_min -= mn;
1340 		}
1341 		s++;
1342 		s += n;
1343 	}
1344 	if(*s != 0) {
1345 		/* not ended properly */
1346 		/* but ignore, (lenient) */
1347 	}
1348 
1349 	t = sldns_mktime_from_utc(&tm);
1350 	if(t == (time_t)-1) {
1351 		if(verb) printf("xml_convertdate mktime failure\n");
1352 		return 0;
1353 	}
1354 	return t;
1355 }
1356 
1357 /**
1358  * XML handle the KeyDigest start tag, check validity periods.
1359  */
1360 static void
1361 handle_keydigest(struct xml_data* data, const XML_Char **atts)
1362 {
1363 	data->use_key = 0;
1364 	if(find_att(atts, "validFrom")) {
1365 		time_t from = xml_convertdate(find_att(atts, "validFrom"));
1366 		if(from == 0) {
1367 			if(verb) printf("error: xml cannot be parsed\n");
1368 			exit(0);
1369 		}
1370 		if(data->date < from)
1371 			return;
1372 	}
1373 	if(find_att(atts, "validUntil")) {
1374 		time_t until = xml_convertdate(find_att(atts, "validUntil"));
1375 		if(until == 0) {
1376 			if(verb) printf("error: xml cannot be parsed\n");
1377 			exit(0);
1378 		}
1379 		if(data->date > until)
1380 			return;
1381 	}
1382 	/* yes we want to use this key */
1383 	data->use_key = 1;
1384 	(void)BIO_reset(data->ctag);
1385 	(void)BIO_reset(data->calgo);
1386 	(void)BIO_reset(data->cdigtype);
1387 	(void)BIO_reset(data->cdigest);
1388 }
1389 
1390 /** See if XML element equals the zone name */
1391 static int
1392 xml_is_zone_name(BIO* zone, const char* name)
1393 {
1394 	char buf[1024];
1395 	char* z = NULL;
1396 	long zlen;
1397 	(void)BIO_seek(zone, 0);
1398 	zlen = BIO_get_mem_data(zone, &z);
1399 	if(!zlen || !z) return 0;
1400 	/* zero terminate */
1401 	if(zlen >= (long)sizeof(buf)) return 0;
1402 	memmove(buf, z, (size_t)zlen);
1403 	buf[zlen] = 0;
1404 	/* compare */
1405 	return (strncasecmp(buf, name, strlen(name)) == 0);
1406 }
1407 
1408 /**
1409  * XML start of element. This callback is called whenever an XML tag starts.
1410  * XML_Char is UTF8.
1411  * @param userData: the xml_data structure.
1412  * @param name: the tag that starts.
1413  * @param atts: array of strings, pairs of attr = value, ends with NULL.
1414  * 	i.e. att[0]="att[1]" att[2]="att[3]" att[4]isNull
1415  */
1416 static void
1417 xml_startelem(void *userData, const XML_Char *name, const XML_Char **atts)
1418 {
1419 	struct xml_data* data = (struct xml_data*)userData;
1420 	BIO* b;
1421 	if(verb>=4) printf("xml tag start '%s'\n", name);
1422 	free(data->tag);
1423 	data->tag = strdup(name);
1424 	if(!data->tag) {
1425 		if(verb) printf("out of memory\n");
1426 		exit(0);
1427 	}
1428 	if(verb>=4) {
1429 		int i;
1430 		for(i=0; atts[i]; i+=2) {
1431 			printf("  %s='%s'\n", atts[i], atts[i+1]);
1432 		}
1433 	}
1434 	/* handle attributes to particular types */
1435 	if(strcasecmp(name, "KeyDigest") == 0) {
1436 		handle_keydigest(data, atts);
1437 		return;
1438 	} else if(strcasecmp(name, "Zone") == 0) {
1439 		(void)BIO_reset(data->czone);
1440 		return;
1441 	}
1442 
1443 	/* for other types we prepare to pick up the data */
1444 	if(!data->use_key)
1445 		return;
1446 	b = xml_selectbio(data, data->tag);
1447 	if(b) {
1448 		/* empty it */
1449 		(void)BIO_reset(b);
1450 	}
1451 }
1452 
1453 /** Append str to bio */
1454 static void
1455 xml_append_str(BIO* b, const char* s)
1456 {
1457 	if(BIO_write(b, s, (int)strlen(s)) < 0) {
1458 		if(verb) printf("out of memory in BIO_write\n");
1459 		exit(0);
1460 	}
1461 }
1462 
1463 /** Append bio to bio */
1464 static void
1465 xml_append_bio(BIO* b, BIO* a)
1466 {
1467 	char* z = NULL;
1468 	long i, len;
1469 	(void)BIO_seek(a, 0);
1470 	len = BIO_get_mem_data(a, &z);
1471 	if(!len || !z) {
1472 		if(verb) printf("out of memory in BIO_write\n");
1473 		exit(0);
1474 	}
1475 	/* remove newlines in the data here */
1476 	for(i=0; i<len; i++) {
1477 		if(z[i] == '\r' || z[i] == '\n')
1478 			z[i] = ' ';
1479 	}
1480 	/* write to BIO */
1481 	if(BIO_write(b, z, len) < 0) {
1482 		if(verb) printf("out of memory in BIO_write\n");
1483 		exit(0);
1484 	}
1485 }
1486 
1487 /** write the parsed xml-DS to the DS list */
1488 static void
1489 xml_append_ds(struct xml_data* data)
1490 {
1491 	/* write DS to accumulated DS */
1492 	xml_append_str(data->ds, ". IN DS ");
1493 	xml_append_bio(data->ds, data->ctag);
1494 	xml_append_str(data->ds, " ");
1495 	xml_append_bio(data->ds, data->calgo);
1496 	xml_append_str(data->ds, " ");
1497 	xml_append_bio(data->ds, data->cdigtype);
1498 	xml_append_str(data->ds, " ");
1499 	xml_append_bio(data->ds, data->cdigest);
1500 	xml_append_str(data->ds, "\n");
1501 	data->num_keys++;
1502 }
1503 
1504 /**
1505  * XML end of element. This callback is called whenever an XML tag ends.
1506  * XML_Char is UTF8.
1507  * @param userData: the xml_data structure
1508  * @param name: the tag that ends.
1509  */
1510 static void
1511 xml_endelem(void *userData, const XML_Char *name)
1512 {
1513 	struct xml_data* data = (struct xml_data*)userData;
1514 	if(verb>=4) printf("xml tag end   '%s'\n", name);
1515 	free(data->tag);
1516 	data->tag = NULL;
1517 	if(strcasecmp(name, "KeyDigest") == 0) {
1518 		if(data->use_key)
1519 			xml_append_ds(data);
1520 		data->use_key = 0;
1521 	} else if(strcasecmp(name, "Zone") == 0) {
1522 		if(!xml_is_zone_name(data->czone, ".")) {
1523 			if(verb) printf("xml not for the right zone\n");
1524 			exit(0);
1525 		}
1526 	}
1527 }
1528 
1529 /* Stop the parser when an entity declaration is encountered. For safety. */
1530 static void
1531 xml_entitydeclhandler(void *userData,
1532 	const XML_Char *ATTR_UNUSED(entityName),
1533 	int ATTR_UNUSED(is_parameter_entity),
1534 	const XML_Char *ATTR_UNUSED(value), int ATTR_UNUSED(value_length),
1535 	const XML_Char *ATTR_UNUSED(base),
1536 	const XML_Char *ATTR_UNUSED(systemId),
1537 	const XML_Char *ATTR_UNUSED(publicId),
1538 	const XML_Char *ATTR_UNUSED(notationName))
1539 {
1540 #if HAVE_DECL_XML_STOPPARSER
1541 	(void)XML_StopParser((XML_Parser)userData, XML_FALSE);
1542 #else
1543 	(void)userData;
1544 #endif
1545 }
1546 
1547 /**
1548  * XML parser setup of the callbacks for the tags
1549  */
1550 static void
1551 xml_parse_setup(XML_Parser parser, struct xml_data* data, time_t now)
1552 {
1553 	char buf[1024];
1554 	memset(data, 0, sizeof(*data));
1555 	XML_SetUserData(parser, data);
1556 	data->parser = parser;
1557 	data->date = now;
1558 	data->ds = BIO_new(BIO_s_mem());
1559 	data->ctag = BIO_new(BIO_s_mem());
1560 	data->czone = BIO_new(BIO_s_mem());
1561 	data->calgo = BIO_new(BIO_s_mem());
1562 	data->cdigtype = BIO_new(BIO_s_mem());
1563 	data->cdigest = BIO_new(BIO_s_mem());
1564 	if(!data->ds || !data->ctag || !data->calgo || !data->czone ||
1565 		!data->cdigtype || !data->cdigest) {
1566 		if(verb) printf("out of memory\n");
1567 		exit(0);
1568 	}
1569 	snprintf(buf, sizeof(buf), "; created by unbound-anchor on %s",
1570 		ctime(&now));
1571 	if(BIO_write(data->ds, buf, (int)strlen(buf)) < 0) {
1572 		if(verb) printf("out of memory\n");
1573 		exit(0);
1574 	}
1575 	XML_SetEntityDeclHandler(parser, xml_entitydeclhandler);
1576 	XML_SetElementHandler(parser, xml_startelem, xml_endelem);
1577 	XML_SetCharacterDataHandler(parser, xml_charhandle);
1578 }
1579 
1580 /**
1581  * Perform XML parsing of the root-anchors file
1582  * Its format description can be read here
1583  * https://data.iana.org/root-anchors/draft-icann-dnssec-trust-anchor.txt
1584  * It uses libexpat.
1585  * @param xml: BIO with xml data.
1586  * @param now: the current time for checking DS validity periods.
1587  * @return memoryBIO with the DS data in zone format.
1588  * 	or NULL if the zone is insecure.
1589  * 	(It exit()s on error)
1590  */
1591 static BIO*
1592 xml_parse(BIO* xml, time_t now)
1593 {
1594 	char* pp;
1595 	int len;
1596 	XML_Parser parser;
1597 	struct xml_data data;
1598 
1599 	parser = XML_ParserCreate(NULL);
1600 	if(!parser) {
1601 		if(verb) printf("could not XML_ParserCreate\n");
1602 		exit(0);
1603 	}
1604 
1605 	/* setup callbacks */
1606 	xml_parse_setup(parser, &data, now);
1607 
1608 	/* parse it */
1609 	(void)BIO_seek(xml, 0);
1610 	len = (int)BIO_get_mem_data(xml, &pp);
1611 	if(!len || !pp) {
1612 		if(verb) printf("out of memory\n");
1613 		exit(0);
1614 	}
1615 	if(!XML_Parse(parser, pp, len, 1 /*isfinal*/ )) {
1616 		const char *e = XML_ErrorString(XML_GetErrorCode(parser));
1617 		if(verb) printf("XML_Parse failure %s\n", e?e:"");
1618 		exit(0);
1619 	}
1620 
1621 	/* parsed */
1622 	if(verb) printf("XML was parsed successfully, %d keys\n",
1623 			data.num_keys);
1624 	free(data.tag);
1625 	XML_ParserFree(parser);
1626 
1627 	if(verb >= 4) {
1628 		(void)BIO_seek(data.ds, 0);
1629 		len = BIO_get_mem_data(data.ds, &pp);
1630 		printf("got DS bio %d: '", len);
1631 		if(!fwrite(pp, (size_t)len, 1, stdout))
1632 			/* compilers do not allow us to ignore fwrite .. */
1633 			fprintf(stderr, "error writing to stdout\n");
1634 		printf("'\n");
1635 	}
1636 	BIO_free(data.czone);
1637 	BIO_free(data.ctag);
1638 	BIO_free(data.calgo);
1639 	BIO_free(data.cdigtype);
1640 	BIO_free(data.cdigest);
1641 
1642 	if(data.num_keys == 0) {
1643 		/* the root zone seems to have gone insecure */
1644 		BIO_free(data.ds);
1645 		return NULL;
1646 	} else {
1647 		return data.ds;
1648 	}
1649 }
1650 
1651 /* get key usage out of its extension, returns 0 if no key_usage extension */
1652 static unsigned long
1653 get_usage_of_ex(X509* cert)
1654 {
1655 	unsigned long val = 0;
1656 	ASN1_BIT_STRING* s;
1657 	if((s=X509_get_ext_d2i(cert, NID_key_usage, NULL, NULL))) {
1658 		if(s->length > 0) {
1659 			val = s->data[0];
1660 			if(s->length > 1)
1661 				val |= s->data[1] << 8;
1662 		}
1663 		ASN1_BIT_STRING_free(s);
1664 	}
1665 	return val;
1666 }
1667 
1668 /** get valid signers from the list of signers in the signature */
1669 static STACK_OF(X509)*
1670 get_valid_signers(PKCS7* p7, const char* p7signer)
1671 {
1672 	int i;
1673 	STACK_OF(X509)* validsigners = sk_X509_new_null();
1674 	STACK_OF(X509)* signers = PKCS7_get0_signers(p7, NULL, 0);
1675 	unsigned long usage = 0;
1676 	if(!validsigners) {
1677 		if(verb) printf("out of memory\n");
1678 		sk_X509_free(signers);
1679 		return NULL;
1680 	}
1681 	if(!signers) {
1682 		if(verb) printf("no signers in pkcs7 signature\n");
1683 		sk_X509_free(validsigners);
1684 		return NULL;
1685 	}
1686 	for(i=0; i<sk_X509_num(signers); i++) {
1687 		X509_NAME* nm = X509_get_subject_name(
1688 			sk_X509_value(signers, i));
1689 		char buf[1024];
1690 		if(!nm) {
1691 			if(verb) printf("signer %d: cert has no subject name\n", i);
1692 			continue;
1693 		}
1694 		if(verb && nm) {
1695 			char* nmline = X509_NAME_oneline(nm, buf,
1696 				(int)sizeof(buf));
1697 			printf("signer %d: Subject: %s\n", i,
1698 				nmline?nmline:"no subject");
1699 			if(verb >= 3 && X509_NAME_get_text_by_NID(nm,
1700 				NID_commonName, buf, (int)sizeof(buf)))
1701 				printf("commonName: %s\n", buf);
1702 			if(verb >= 3 && X509_NAME_get_text_by_NID(nm,
1703 				NID_pkcs9_emailAddress, buf, (int)sizeof(buf)))
1704 				printf("emailAddress: %s\n", buf);
1705 		}
1706 		if(verb) {
1707 			int ku_loc = X509_get_ext_by_NID(
1708 				sk_X509_value(signers, i), NID_key_usage, -1);
1709 			if(verb >= 3 && ku_loc >= 0) {
1710 				X509_EXTENSION *ex = X509_get_ext(
1711 					sk_X509_value(signers, i), ku_loc);
1712 				if(ex) {
1713 					printf("keyUsage: ");
1714 					X509V3_EXT_print_fp(stdout, ex, 0, 0);
1715 					printf("\n");
1716 				}
1717 			}
1718 		}
1719 		if(!p7signer || strcmp(p7signer, "")==0) {
1720 			/* there is no name to check, return all records */
1721 			if(verb) printf("did not check commonName of signer\n");
1722 		} else {
1723 			if(!X509_NAME_get_text_by_NID(nm,
1724 				NID_pkcs9_emailAddress,
1725 				buf, (int)sizeof(buf))) {
1726 				if(verb) printf("removed cert with no name\n");
1727 				continue; /* no name, no use */
1728 			}
1729 			if(strcmp(buf, p7signer) != 0) {
1730 				if(verb) printf("removed cert with wrong name\n");
1731 				continue; /* wrong name, skip it */
1732 			}
1733 		}
1734 
1735 		/* check that the key usage allows digital signatures
1736 		 * (the p7s) */
1737 		usage = get_usage_of_ex(sk_X509_value(signers, i));
1738 		if(!(usage & KU_DIGITAL_SIGNATURE)) {
1739 			if(verb) printf("removed cert with no key usage Digital Signature allowed\n");
1740 			continue;
1741 		}
1742 
1743 		/* we like this cert, add it to our list of valid
1744 		 * signers certificates */
1745 		sk_X509_push(validsigners, sk_X509_value(signers, i));
1746 	}
1747 	sk_X509_free(signers);
1748 	return validsigners;
1749 }
1750 
1751 /** verify a PKCS7 signature, false on failure */
1752 static int
1753 verify_p7sig(BIO* data, BIO* p7s, STACK_OF(X509)* trust, const char* p7signer)
1754 {
1755 	PKCS7* p7;
1756 	X509_STORE *store = X509_STORE_new();
1757 	STACK_OF(X509)* validsigners;
1758 	int secure = 0;
1759 	int i;
1760 #ifdef X509_V_FLAG_CHECK_SS_SIGNATURE
1761 	X509_VERIFY_PARAM* param = X509_VERIFY_PARAM_new();
1762 	if(!param) {
1763 		if(verb) printf("out of memory\n");
1764 		X509_STORE_free(store);
1765 		return 0;
1766 	}
1767 	/* do the selfcheck on the root certificate; it checks that the
1768 	 * input is valid */
1769 	X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CHECK_SS_SIGNATURE);
1770 	if(store) X509_STORE_set1_param(store, param);
1771 #endif
1772 	if(!store) {
1773 		if(verb) printf("out of memory\n");
1774 #ifdef X509_V_FLAG_CHECK_SS_SIGNATURE
1775 		X509_VERIFY_PARAM_free(param);
1776 #endif
1777 		return 0;
1778 	}
1779 #ifdef X509_V_FLAG_CHECK_SS_SIGNATURE
1780 	X509_VERIFY_PARAM_free(param);
1781 #endif
1782 
1783 	(void)BIO_seek(p7s, 0);
1784 	(void)BIO_seek(data, 0);
1785 
1786 	/* convert p7s to p7 (the signature) */
1787 	p7 = d2i_PKCS7_bio(p7s, NULL);
1788 	if(!p7) {
1789 		if(verb) printf("could not parse p7s signature file\n");
1790 		X509_STORE_free(store);
1791 		return 0;
1792 	}
1793 	if(verb >= 2) printf("parsed the PKCS7 signature\n");
1794 
1795 	/* convert trust to trusted certificate store */
1796 	for(i=0; i<sk_X509_num(trust); i++) {
1797 		if(!X509_STORE_add_cert(store, sk_X509_value(trust, i))) {
1798 			if(verb) printf("failed X509_STORE_add_cert\n");
1799 			X509_STORE_free(store);
1800 			PKCS7_free(p7);
1801 			return 0;
1802 		}
1803 	}
1804 	if(verb >= 2) printf("setup the X509_STORE\n");
1805 
1806 	/* check what is in the Subject name of the certificates,
1807 	 * and build a stack that contains only the right certificates */
1808 	validsigners = get_valid_signers(p7, p7signer);
1809 	if(!validsigners) {
1810 			X509_STORE_free(store);
1811 			PKCS7_free(p7);
1812 			return 0;
1813 	}
1814 	if(PKCS7_verify(p7, validsigners, store, data, NULL, PKCS7_NOINTERN) == 1) {
1815 		secure = 1;
1816 		if(verb) printf("the PKCS7 signature verified\n");
1817 	} else {
1818 		if(verb) {
1819 			ERR_print_errors_fp(stdout);
1820 		}
1821 	}
1822 
1823 	sk_X509_free(validsigners);
1824 	X509_STORE_free(store);
1825 	PKCS7_free(p7);
1826 	return secure;
1827 }
1828 
1829 /** write unsigned root anchor file, a 5011 revoked tp */
1830 static void
1831 write_unsigned_root(const char* root_anchor_file)
1832 {
1833 	FILE* out;
1834 	time_t now = time(NULL);
1835 	out = fopen(root_anchor_file, "w");
1836 	if(!out) {
1837 		if(verb) printf("%s: %s\n", root_anchor_file, strerror(errno));
1838 		return;
1839 	}
1840 	if(fprintf(out, "; autotrust trust anchor file\n"
1841 		";;REVOKED\n"
1842 		";;id: . 1\n"
1843 		"; This file was written by unbound-anchor on %s"
1844 		"; It indicates that the root does not use DNSSEC\n"
1845 		"; to restart DNSSEC overwrite this file with a\n"
1846 		"; valid trustanchor or (empty-it and run unbound-anchor)\n"
1847 		, ctime(&now)) < 0) {
1848 		if(verb) printf("failed to write 'unsigned' to %s\n",
1849 			root_anchor_file);
1850 		if(verb && errno != 0) printf("%s\n", strerror(errno));
1851 	}
1852 	fflush(out);
1853 #ifdef HAVE_FSYNC
1854 	fsync(fileno(out));
1855 #else
1856 	FlushFileBuffers((HANDLE)_get_osfhandle(_fileno(out)));
1857 #endif
1858 	fclose(out);
1859 }
1860 
1861 /** write root anchor file */
1862 static void
1863 write_root_anchor(const char* root_anchor_file, BIO* ds)
1864 {
1865 	char* pp = NULL;
1866 	int len;
1867 	FILE* out;
1868 	(void)BIO_seek(ds, 0);
1869 	len = BIO_get_mem_data(ds, &pp);
1870 	if(!len || !pp) {
1871 		if(verb) printf("out of memory\n");
1872 		return;
1873 	}
1874 	out = fopen(root_anchor_file, "w");
1875 	if(!out) {
1876 		if(verb) printf("%s: %s\n", root_anchor_file, strerror(errno));
1877 		return;
1878 	}
1879 	if(fwrite(pp, (size_t)len, 1, out) != 1) {
1880 		if(verb) printf("failed to write all data to %s\n",
1881 			root_anchor_file);
1882 		if(verb && errno != 0) printf("%s\n", strerror(errno));
1883 	}
1884 	fflush(out);
1885 #ifdef HAVE_FSYNC
1886 	fsync(fileno(out));
1887 #else
1888 	FlushFileBuffers((HANDLE)_get_osfhandle(_fileno(out)));
1889 #endif
1890 	fclose(out);
1891 }
1892 
1893 /** Perform the verification and update of the trustanchor file */
1894 static void
1895 verify_and_update_anchor(const char* root_anchor_file, BIO* xml, BIO* p7s,
1896 	STACK_OF(X509)* cert, const char* p7signer)
1897 {
1898 	BIO* ds;
1899 
1900 	/* verify xml file */
1901 	if(!verify_p7sig(xml, p7s, cert, p7signer)) {
1902 		printf("the PKCS7 signature failed\n");
1903 		exit(0);
1904 	}
1905 
1906 	/* parse the xml file into DS records */
1907 	ds = xml_parse(xml, time(NULL));
1908 	if(!ds) {
1909 		/* the root zone is unsigned now */
1910 		write_unsigned_root(root_anchor_file);
1911 	} else {
1912 		/* reinstate 5011 tracking */
1913 		write_root_anchor(root_anchor_file, ds);
1914 	}
1915 	BIO_free(ds);
1916 }
1917 
1918 #ifdef USE_WINSOCK
1919 static void do_wsa_cleanup(void) { WSACleanup(); }
1920 #endif
1921 
1922 /** perform actual certupdate work */
1923 static int
1924 do_certupdate(const char* root_anchor_file, const char* root_cert_file,
1925 	const char* urlname, const char* xmlname, const char* p7sname,
1926 	const char* p7signer, const char* res_conf, const char* root_hints,
1927 	const char* debugconf, const char* srcaddr, int ip4only, int ip6only,
1928 	int port, int use_sni)
1929 
1930 {
1931 	STACK_OF(X509)* cert;
1932 	BIO *xml, *p7s;
1933 	struct ip_list* ip_list = NULL;
1934 	struct ip_list* src = NULL;
1935 
1936 	/* read pem file or provide builtin */
1937 	cert = read_cert_or_builtin(root_cert_file);
1938 
1939 	/* lookup A, AAAA for the urlname (or parse urlname if IP address) */
1940 	ip_list = resolve_name(urlname, port, res_conf, root_hints, debugconf,
1941 	        srcaddr, ip4only, ip6only);
1942 
1943 	if(srcaddr && !(src = parse_ip_addr(srcaddr, 0))) {
1944 		if(verb) printf("cannot parse source address: %s\n", srcaddr);
1945 		exit(0);
1946 	}
1947 
1948 #ifdef USE_WINSOCK
1949 	if(1) { /* libunbound finished, startup WSA for the https connection */
1950 		WSADATA wsa_data;
1951 		int r;
1952 		if((r = WSAStartup(MAKEWORD(2,2), &wsa_data)) != 0) {
1953 			if(verb) printf("WSAStartup failed: %s\n",
1954 				wsa_strerror(r));
1955 			exit(0);
1956 		}
1957 		atexit(&do_wsa_cleanup);
1958 	}
1959 #endif
1960 
1961 	/* fetch the necessary files over HTTPS */
1962 	xml = https(ip_list, xmlname, urlname, src, use_sni);
1963 	p7s = https(ip_list, p7sname, urlname, src, use_sni);
1964 
1965 	/* verify and update the root anchor */
1966 	verify_and_update_anchor(root_anchor_file, xml, p7s, cert, p7signer);
1967 	if(verb) printf("success: the anchor has been updated "
1968 			"using the cert\n");
1969 
1970 	BIO_free(xml);
1971 	BIO_free(p7s);
1972 #ifndef S_SPLINT_S
1973 	sk_X509_pop_free(cert, X509_free);
1974 #endif
1975 	ip_list_free(ip_list);
1976 	return 1;
1977 }
1978 
1979 /**
1980  * Try to read the root RFC5011 autotrust anchor file,
1981  * @param file: filename.
1982  * @return:
1983  * 	0 if does not exist or empty
1984  * 	1 if trust-point-revoked-5011
1985  * 	2 if it is OK.
1986  */
1987 static int
1988 try_read_anchor(const char* file)
1989 {
1990 	int empty = 1;
1991 	char line[10240];
1992 	char* p;
1993 	FILE* in = fopen(file, "r");
1994 	if(!in) {
1995 		/* only if the file does not exist, can we fix it */
1996 		if(errno != ENOENT) {
1997 			if(verb) printf("%s: %s\n", file, strerror(errno));
1998 			if(verb) printf("error: cannot access the file\n");
1999 			exit(0);
2000 		}
2001 		if(verb) printf("%s does not exist\n", file);
2002 		return 0;
2003 	}
2004 	while(fgets(line, (int)sizeof(line), in)) {
2005 		line[sizeof(line)-1] = 0;
2006 		if(strncmp(line, ";;REVOKED", 9) == 0) {
2007 			fclose(in);
2008 			if(verb) printf("%s : the trust point is revoked\n"
2009 				"and the zone is considered unsigned.\n"
2010 				"if you wish to re-enable, delete the file\n",
2011 				file);
2012 			return 1;
2013 		}
2014 		p=line;
2015 		while(*p == ' ' || *p == '\t')
2016 			p++;
2017 		if(p[0]==0 || p[0]=='\n' || p[0]==';') continue;
2018 		/* this line is a line of content */
2019 		empty = 0;
2020 	}
2021 	fclose(in);
2022 	if(empty) {
2023 		if(verb) printf("%s is empty\n", file);
2024 		return 0;
2025 	}
2026 	if(verb) printf("%s has content\n", file);
2027 	return 2;
2028 }
2029 
2030 /** Write the builtin root anchor to a file */
2031 static void
2032 write_builtin_anchor(const char* file)
2033 {
2034 	const char* builtin_root_anchor = get_builtin_ds();
2035 	FILE* out = fopen(file, "w");
2036 	if(!out) {
2037 		if(verb) printf("%s: %s\n", file, strerror(errno));
2038 		if(verb) printf("  could not write builtin anchor\n");
2039 		return;
2040 	}
2041 	if(!fwrite(builtin_root_anchor, strlen(builtin_root_anchor), 1, out)) {
2042 		if(verb) printf("%s: %s\n", file, strerror(errno));
2043 		if(verb) printf("  could not complete write builtin anchor\n");
2044 	}
2045 	fclose(out);
2046 }
2047 
2048 /**
2049  * Check the root anchor file.
2050  * If does not exist, provide builtin and write file.
2051  * If empty, provide builtin and write file.
2052  * If trust-point-revoked-5011 file: make the program exit.
2053  * @param root_anchor_file: filename of the root anchor.
2054  * @param used_builtin: set to 1 if the builtin is written.
2055  * @return 0 if trustpoint is insecure, 1 on success.  Exit on failure.
2056  */
2057 static int
2058 provide_builtin(const char* root_anchor_file, int* used_builtin)
2059 {
2060 	/* try to read it */
2061 	switch(try_read_anchor(root_anchor_file))
2062 	{
2063 		case 0: /* no exist or empty */
2064 			write_builtin_anchor(root_anchor_file);
2065 			*used_builtin = 1;
2066 			break;
2067 		case 1: /* revoked tp */
2068 			return 0;
2069 		case 2: /* it is fine */
2070 		default:
2071 			break;
2072 	}
2073 	return 1;
2074 }
2075 
2076 /**
2077  * add an autotrust anchor for the root to the context
2078  */
2079 static void
2080 add_5011_probe_root(struct ub_ctx* ctx, const char* root_anchor_file)
2081 {
2082 	int r;
2083 	r = ub_ctx_set_option(ctx, "auto-trust-anchor-file:", root_anchor_file);
2084 	if(r) {
2085 		if(verb) printf("add 5011 probe to ctx: %s\n", ub_strerror(r));
2086 		ub_ctx_delete(ctx);
2087 		exit(0);
2088 	}
2089 }
2090 
2091 /**
2092  * Prime the root key and return the result.  Exit on error.
2093  * @param ctx: the unbound context to perform the priming with.
2094  * @return: the result of the prime, on error it exit()s.
2095  */
2096 static struct ub_result*
2097 prime_root_key(struct ub_ctx* ctx)
2098 {
2099 	struct ub_result* res = NULL;
2100 	int r;
2101 	r = ub_resolve(ctx, ".", LDNS_RR_TYPE_DNSKEY, LDNS_RR_CLASS_IN, &res);
2102 	if(r) {
2103 		if(verb) printf("resolve DNSKEY: %s\n", ub_strerror(r));
2104 		ub_ctx_delete(ctx);
2105 		exit(0);
2106 	}
2107 	if(!res) {
2108 		if(verb) printf("out of memory\n");
2109 		ub_ctx_delete(ctx);
2110 		exit(0);
2111 	}
2112 	return res;
2113 }
2114 
2115 /** see if ADDPEND keys exist in autotrust file (if possible) */
2116 static int
2117 read_if_pending_keys(const char* file)
2118 {
2119 	FILE* in = fopen(file, "r");
2120 	char line[8192];
2121 	if(!in) {
2122 		if(verb>=2) printf("%s: %s\n", file, strerror(errno));
2123 		return 0;
2124 	}
2125 	while(fgets(line, (int)sizeof(line), in)) {
2126 		if(line[0]==';') continue;
2127 		if(strstr(line, "[ ADDPEND ]")) {
2128 			fclose(in);
2129 			if(verb) printf("RFC5011-state has ADDPEND keys\n");
2130 			return 1;
2131 		}
2132 	}
2133 	fclose(in);
2134 	return 0;
2135 }
2136 
2137 /** read last successful probe time from autotrust file (if possible) */
2138 static int32_t
2139 read_last_success_time(const char* file)
2140 {
2141 	FILE* in = fopen(file, "r");
2142 	char line[1024];
2143 	if(!in) {
2144 		if(verb) printf("%s: %s\n", file, strerror(errno));
2145 		return 0;
2146 	}
2147 	while(fgets(line, (int)sizeof(line), in)) {
2148 		if(strncmp(line, ";;last_success: ", 16) == 0) {
2149 			char* e;
2150 			time_t x = (unsigned int)strtol(line+16, &e, 10);
2151 			fclose(in);
2152 			if(line+16 == e) {
2153 				if(verb) printf("failed to parse "
2154 					"last_success probe time\n");
2155 				return 0;
2156 			}
2157 			if(verb) printf("last successful probe: %s", ctime(&x));
2158 			return (int32_t)x;
2159 		}
2160 	}
2161 	fclose(in);
2162 	if(verb) printf("no last_success probe time in anchor file\n");
2163 	return 0;
2164 }
2165 
2166 /**
2167  * Read autotrust 5011 probe file and see if the date
2168  * compared to the current date allows a certupdate.
2169  * If the last successful probe was recent then 5011 cannot be behind,
2170  * and the failure cannot be solved with a certupdate.
2171  * The debugconf is to validation-override the date for testing.
2172  * @param root_anchor_file: filename of root key
2173  * @return true if certupdate is ok.
2174  */
2175 static int
2176 probe_date_allows_certupdate(const char* root_anchor_file)
2177 {
2178 	int has_pending_keys = read_if_pending_keys(root_anchor_file);
2179 	int32_t last_success = read_last_success_time(root_anchor_file);
2180 	int32_t now = (int32_t)time(NULL);
2181 	int32_t leeway = 30 * 24 * 3600; /* 30 days leeway */
2182 	/* if the date is before 2010-07-15:00.00.00 then the root has not
2183 	 * been signed yet, and thus we refuse to take action. */
2184 	if(time(NULL) < xml_convertdate("2010-07-15T00:00:00")) {
2185 		if(verb) printf("the date is before the root was first signed,"
2186 			" please correct the clock\n");
2187 		return 0;
2188 	}
2189 	if(last_success == 0)
2190 		return 1; /* no probe time */
2191 	if(has_pending_keys)
2192 		return 1; /* key in ADDPEND state, a previous probe has
2193 		inserted that, and it was present in all recent probes,
2194 		but it has not become active.  The 30 day timer may not have
2195 		expired, but we know(for sure) there is a rollover going on.
2196 		If we only managed to pickup the new key on its last day
2197 		of announcement (for example) this can happen. */
2198 	if(now - last_success < 0) {
2199 		if(verb) printf("the last successful probe is in the future,"
2200 			" clock was modified\n");
2201 		return 0;
2202 	}
2203 	if(now - last_success >= leeway) {
2204 		if(verb) printf("the last successful probe was more than 30 "
2205 			"days ago\n");
2206 		return 1;
2207 	}
2208 	if(verb) printf("the last successful probe is recent\n");
2209 	return 0;
2210 }
2211 
2212 static struct ub_result *
2213 fetch_root_key(const char* root_anchor_file, const char* res_conf,
2214 	const char* root_hints, const char* debugconf, const char* srcaddr,
2215 	int ip4only, int ip6only)
2216 {
2217 	struct ub_ctx* ctx;
2218 	struct ub_result* dnskey;
2219 
2220 	ctx = create_unbound_context(res_conf, root_hints, debugconf,
2221 		srcaddr, ip4only, ip6only);
2222 	add_5011_probe_root(ctx, root_anchor_file);
2223 	dnskey = prime_root_key(ctx);
2224 	ub_ctx_delete(ctx);
2225 	return dnskey;
2226 }
2227 
2228 /** perform the unbound-anchor work */
2229 static int
2230 do_root_update_work(const char* root_anchor_file, const char* root_cert_file,
2231 	const char* urlname, const char* xmlname, const char* p7sname,
2232 	const char* p7signer, const char* res_conf, const char* root_hints,
2233 	const char* debugconf, const char* srcaddr, int ip4only, int ip6only,
2234 	int force, int res_conf_fallback, int port, int use_sni)
2235 {
2236 	struct ub_result* dnskey;
2237 	int used_builtin = 0;
2238 	int rcode;
2239 
2240 	/* see if builtin rootanchor needs to be provided, or if
2241 	 * rootanchor is 'revoked-trust-point' */
2242 	if(!provide_builtin(root_anchor_file, &used_builtin))
2243 		return 0;
2244 
2245 	/* make unbound context with 5011-probe for root anchor,
2246 	 * and probe . DNSKEY */
2247 	dnskey = fetch_root_key(root_anchor_file, res_conf,
2248 		root_hints, debugconf, srcaddr, ip4only, ip6only);
2249 	rcode = dnskey->rcode;
2250 
2251 	if (res_conf_fallback && res_conf && !dnskey->secure) {
2252 		if (verb) printf("%s failed, retrying direct\n", res_conf);
2253 		ub_resolve_free(dnskey);
2254 		/* try direct query without res_conf */
2255 		dnskey = fetch_root_key(root_anchor_file, NULL,
2256 			root_hints, debugconf, srcaddr, ip4only, ip6only);
2257 		if (rcode != 0 && dnskey->rcode == 0) {
2258 			res_conf = NULL;
2259 			rcode = 0;
2260 		}
2261 	}
2262 
2263 	/* if secure: exit */
2264 	if(dnskey->secure && !force) {
2265 		if(verb) printf("success: the anchor is ok\n");
2266 		ub_resolve_free(dnskey);
2267 		return used_builtin;
2268 	}
2269 	if(force && verb) printf("debug cert update forced\n");
2270 	ub_resolve_free(dnskey);
2271 
2272 	/* if not (and NOERROR): check date and do certupdate */
2273 	if((rcode == 0 &&
2274 		probe_date_allows_certupdate(root_anchor_file)) || force) {
2275 		if(do_certupdate(root_anchor_file, root_cert_file, urlname,
2276 			xmlname, p7sname, p7signer, res_conf, root_hints,
2277 			debugconf, srcaddr, ip4only, ip6only, port, use_sni))
2278 			return 1;
2279 		return used_builtin;
2280 	}
2281 	if(verb) printf("fail: the anchor is NOT ok and could not be fixed\n");
2282 	return used_builtin;
2283 }
2284 
2285 /** getopt global, in case header files fail to declare it. */
2286 extern int optind;
2287 /** getopt global, in case header files fail to declare it. */
2288 extern char* optarg;
2289 
2290 /** Main routine for unbound-anchor */
2291 int main(int argc, char* argv[])
2292 {
2293 	int c;
2294 	const char* root_anchor_file = ROOT_ANCHOR_FILE;
2295 	const char* root_cert_file = ROOT_CERT_FILE;
2296 	const char* urlname = URLNAME;
2297 	const char* xmlname = XMLNAME;
2298 	const char* p7sname = P7SNAME;
2299 	const char* p7signer = P7SIGNER;
2300 	const char* res_conf = NULL;
2301 	const char* root_hints = NULL;
2302 	const char* debugconf = NULL;
2303 	const char* srcaddr = NULL;
2304 	int dolist=0, ip4only=0, ip6only=0, force=0, port = HTTPS_PORT;
2305 	int res_conf_fallback = 0;
2306 	int use_sni = 1;
2307 	/* parse the options */
2308 	while( (c=getopt(argc, argv, "46C:FRSP:a:b:c:f:hln:r:s:u:vx:")) != -1) {
2309 		switch(c) {
2310 		case 'l':
2311 			dolist = 1;
2312 			break;
2313 		case '4':
2314 			ip4only = 1;
2315 			break;
2316 		case '6':
2317 			ip6only = 1;
2318 			break;
2319 		case 'a':
2320 			root_anchor_file = optarg;
2321 			break;
2322 		case 'b':
2323 			srcaddr = optarg;
2324 			break;
2325 		case 'c':
2326 			root_cert_file = optarg;
2327 			break;
2328 		case 'u':
2329 			urlname = optarg;
2330 			break;
2331 		case 'S':
2332 			use_sni = 0;
2333 			break;
2334 		case 'x':
2335 			xmlname = optarg;
2336 			break;
2337 		case 's':
2338 			p7sname = optarg;
2339 			break;
2340 		case 'n':
2341 			p7signer = optarg;
2342 			break;
2343 		case 'f':
2344 			res_conf = optarg;
2345 			break;
2346 		case 'r':
2347 			root_hints = optarg;
2348 			break;
2349 		case 'R':
2350 			res_conf_fallback = 1;
2351 			break;
2352 		case 'C':
2353 			debugconf = optarg;
2354 			break;
2355 		case 'F':
2356 			force = 1;
2357 			break;
2358 		case 'P':
2359 			port = atoi(optarg);
2360 			break;
2361 		case 'v':
2362 			verb++;
2363 			break;
2364 		case '?':
2365 		case 'h':
2366 		default:
2367 			usage();
2368 		}
2369 	}
2370 	argc -= optind;
2371 	/* argv += optind; not using further arguments */
2372 	if(argc != 0)
2373 		usage();
2374 
2375 #ifdef HAVE_ERR_LOAD_CRYPTO_STRINGS
2376 	ERR_load_crypto_strings();
2377 #endif
2378 #if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_SSL)
2379 	ERR_load_SSL_strings();
2380 #endif
2381 #if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_CRYPTO)
2382 #  ifndef S_SPLINT_S
2383 	OpenSSL_add_all_algorithms();
2384 #  endif
2385 #else
2386 	OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS
2387 		| OPENSSL_INIT_ADD_ALL_DIGESTS
2388 		| OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
2389 #endif
2390 #if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_SSL)
2391 	(void)SSL_library_init();
2392 #else
2393 	(void)OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL);
2394 #endif
2395 
2396 	if(dolist) do_list_builtin();
2397 
2398 	return do_root_update_work(root_anchor_file, root_cert_file, urlname,
2399 		xmlname, p7sname, p7signer, res_conf, root_hints, debugconf,
2400 		srcaddr, ip4only, ip6only, force, res_conf_fallback, port, use_sni);
2401 }
2402