1 /* 2 * unbound-anchor.c - update the root anchor if necessary. 3 * 4 * Copyright (c) 2010, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * Redistributions of source code must retain the above copyright notice, 13 * this list of conditions and the following disclaimer. 14 * 15 * Redistributions in binary form must reproduce the above copyright notice, 16 * this list of conditions and the following disclaimer in the documentation 17 * and/or other materials provided with the distribution. 18 * 19 * Neither the name of the NLNET LABS nor the names of its contributors may 20 * be used to endorse or promote products derived from this software without 21 * specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36 /** 37 * \file 38 * 39 * This file checks to see that the current 5011 keys work to prime the 40 * current root anchor. If not a certificate is used to update the anchor. 41 * 42 * This is a concept solution for distribution of the DNSSEC root 43 * trust anchor. It is a small tool, called "unbound-anchor", that 44 * runs before the main validator starts. I.e. in the init script: 45 * unbound-anchor; unbound. Thus it is meant to run at system boot time. 46 * 47 * Management-Abstract: 48 * * first run: fill root.key file with hardcoded DS record. 49 * * mostly: use RFC5011 tracking, quick . DNSKEY UDP query. 50 * * failover: use builtin certificate, do https and update. 51 * Special considerations: 52 * * 30-days RFC5011 timer saves a lot of https traffic. 53 * * DNSKEY probe must be NOERROR, saves a lot of https traffic. 54 * * fail if clock before sign date of the root, if cert expired. 55 * * if the root goes back to unsigned, deals with it. 56 * 57 * It has hardcoded the root DS anchors and the ICANN CA root certificate. 58 * It allows with options to override those. It also takes root-hints (it 59 * has to do a DNS resolve), and also has hardcoded defaults for those. 60 * 61 * Once it starts, just before the validator starts, it quickly checks if 62 * the root anchor file needs to be updated. First it tries to use 63 * RFC5011-tracking of the root key. If that fails (and for 30-days since 64 * last successful probe), then it attempts to update using the 65 * certificate. So most of the time, the RFC5011 tracking will work fine, 66 * and within a couple milliseconds, the main daemon can start. It will 67 * have only probed the . DNSKEY, not done expensive https transfers on the 68 * root infrastructure. 69 * 70 * If there is no root key in the root.key file, it bootstraps the 71 * RFC5011-tracking with its builtin DS anchors; if that fails it 72 * bootstraps the RFC5011-tracking using the certificate. (again to avoid 73 * https, and it is also faster). 74 * 75 * It uses the XML file by converting it to DS records and writing that to the 76 * key file. Unbound can detect that the 'special comments' are gone, and 77 * the file contains a list of normal DNSKEY/DS records, and uses that to 78 * bootstrap 5011 (the KSK is made VALID). 79 * 80 * The certificate update is done by fetching root-anchors.xml and 81 * root-anchors.p7s via SSL. The HTTPS certificate can be logged but is 82 * not validated (https for channel security; the security comes from the 83 * certificate). The 'data.iana.org' domain name A and AAAA are resolved 84 * without DNSSEC. It tries a random IP until the transfer succeeds. It 85 * then checks the p7s signature. 86 * 87 * On any failure, it leaves the root key file untouched. The main 88 * validator has to cope with it, it cannot fix things (So a failure does 89 * not go 'without DNSSEC', no downgrade). If it used its builtin stuff or 90 * did the https, it exits with an exit code, so that this can trigger the 91 * init script to log the event and potentially alert the operator that can 92 * do a manual check. 93 * 94 * The date is also checked. Before 2010-07-15 is a failure (root not 95 * signed yet; avoids attacks on system clock). The 96 * last-successful-RFC5011-probe (if available) has to be more than 30 days 97 * in the past (otherwise, RFC5011 should have worked). This keeps 98 * unneccesary https traffic down. If the main certificate is expired, it 99 * fails. 100 * 101 * The dates on the keys in the xml are checked (uses the libexpat xml 102 * parser), only the valid ones are used to re-enstate RFC5011 tracking. 103 * If 0 keys are valid, the zone has gone to insecure (a special marker is 104 * written in the keyfile that tells the main validator daemon the zone is 105 * insecure). 106 * 107 * Only the root ICANN CA is shipped, not the intermediate ones. The 108 * intermediate CAs are included in the p7s file that was downloaded. (the 109 * root cert is valid to 2028 and the intermediate to 2014, today). 110 * 111 * Obviously, the tool also has options so the operator can provide a new 112 * keyfile, a new certificate and new URLs, and fresh root hints. By 113 * default it logs nothing on failure and success; it 'just works'. 114 * 115 */ 116 117 #include "config.h" 118 #include "libunbound/unbound.h" 119 #include "sldns/rrdef.h" 120 #include <expat.h> 121 #ifndef HAVE_EXPAT_H 122 #error "need libexpat to parse root-anchors.xml file." 123 #endif 124 #ifdef HAVE_GETOPT_H 125 #include <getopt.h> 126 #endif 127 #ifdef HAVE_OPENSSL_SSL_H 128 #include <openssl/ssl.h> 129 #endif 130 #ifdef HAVE_OPENSSL_ERR_H 131 #include <openssl/err.h> 132 #endif 133 #ifdef HAVE_OPENSSL_RAND_H 134 #include <openssl/rand.h> 135 #endif 136 #include <openssl/x509.h> 137 #include <openssl/x509v3.h> 138 #include <openssl/pem.h> 139 140 /** name of server in URL to fetch HTTPS from */ 141 #define URLNAME "data.iana.org" 142 /** path on HTTPS server to xml file */ 143 #define XMLNAME "root-anchors/root-anchors.xml" 144 /** path on HTTPS server to p7s file */ 145 #define P7SNAME "root-anchors/root-anchors.p7s" 146 /** name of the signer of the certificate */ 147 #define P7SIGNER "dnssec@iana.org" 148 /** port number for https access */ 149 #define HTTPS_PORT 443 150 151 #ifdef USE_WINSOCK 152 /* sneakily reuse the the wsa_strerror function, on windows */ 153 char* wsa_strerror(int err); 154 #endif 155 156 /** verbosity for this application */ 157 static int verb = 0; 158 159 /** list of IP addresses */ 160 struct ip_list { 161 /** next in list */ 162 struct ip_list* next; 163 /** length of addr */ 164 socklen_t len; 165 /** address ready to connect to */ 166 struct sockaddr_storage addr; 167 /** has the address been used */ 168 int used; 169 }; 170 171 /** Give unbound-anchor usage, and exit (1). */ 172 static void 173 usage() 174 { 175 printf("Usage: unbound-anchor [opts]\n"); 176 printf(" Setup or update root anchor. " 177 "Most options have defaults.\n"); 178 printf(" Run this program before you start the validator.\n"); 179 printf("\n"); 180 printf(" The anchor and cert have default builtin content\n"); 181 printf(" if the file does not exist or is empty.\n"); 182 printf("\n"); 183 printf("-a file root key file, default %s\n", ROOT_ANCHOR_FILE); 184 printf(" The key is input and output for this tool.\n"); 185 printf("-c file cert file, default %s\n", ROOT_CERT_FILE); 186 printf("-l list builtin key and cert on stdout\n"); 187 printf("-u name server in https url, default %s\n", URLNAME); 188 printf("-x path pathname to xml in url, default %s\n", XMLNAME); 189 printf("-s path pathname to p7s in url, default %s\n", P7SNAME); 190 printf("-n name signer's subject emailAddress, default %s\n", P7SIGNER); 191 printf("-4 work using IPv4 only\n"); 192 printf("-6 work using IPv6 only\n"); 193 printf("-f resolv.conf use given resolv.conf to resolve -u name\n"); 194 printf("-r root.hints use given root.hints to resolve -u name\n" 195 " builtin root hints are used by default\n"); 196 printf("-v more verbose\n"); 197 printf("-C conf debug, read config\n"); 198 printf("-P port use port for https connect, default 443\n"); 199 printf("-F debug, force update with cert\n"); 200 printf("-h show this usage help\n"); 201 printf("Version %s\n", PACKAGE_VERSION); 202 printf("BSD licensed, see LICENSE in source package for details.\n"); 203 printf("Report bugs to %s\n", PACKAGE_BUGREPORT); 204 exit(1); 205 } 206 207 /** return the built in root update certificate */ 208 static const char* 209 get_builtin_cert(void) 210 { 211 return 212 /* The ICANN CA fetched at 24 Sep 2010. Valid to 2028 */ 213 "-----BEGIN CERTIFICATE-----\n" 214 "MIIDdzCCAl+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO\n" 215 "TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV\n" 216 "BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA0MTkxMloX\n" 217 "DTI5MTIxODA0MTkxMlowXTEOMAwGA1UEChMFSUNBTk4xJjAkBgNVBAsTHUlDQU5O\n" 218 "IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRYwFAYDVQQDEw1JQ0FOTiBSb290IENB\n" 219 "MQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKDb\n" 220 "cLhPNNqc1NB+u+oVvOnJESofYS9qub0/PXagmgr37pNublVThIzyLPGCJ8gPms9S\n" 221 "G1TaKNIsMI7d+5IgMy3WyPEOECGIcfqEIktdR1YWfJufXcMReZwU4v/AdKzdOdfg\n" 222 "ONiwc6r70duEr1IiqPbVm5T05l1e6D+HkAvHGnf1LtOPGs4CHQdpIUcy2kauAEy2\n" 223 "paKcOcHASvbTHK7TbbvHGPB+7faAztABLoneErruEcumetcNfPMIjXKdv1V1E3C7\n" 224 "MSJKy+jAqqQJqjZoQGB0necZgUMiUv7JK1IPQRM2CXJllcyJrm9WFxY0c1KjBO29\n" 225 "iIKK69fcglKcBuFShUECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8B\n" 226 "Af8EBAMCAf4wHQYDVR0OBBYEFLpS6UmDJIZSL8eZzfyNa2kITcBQMA0GCSqGSIb3\n" 227 "DQEBCwUAA4IBAQAP8emCogqHny2UYFqywEuhLys7R9UKmYY4suzGO4nkbgfPFMfH\n" 228 "6M+Zj6owwxlwueZt1j/IaCayoKU3QsrYYoDRolpILh+FPwx7wseUEV8ZKpWsoDoD\n" 229 "2JFbLg2cfB8u/OlE4RYmcxxFSmXBg0yQ8/IoQt/bxOcEEhhiQ168H2yE5rxJMt9h\n" 230 "15nu5JBSewrCkYqYYmaxyOC3WrVGfHZxVI7MpIFcGdvSb2a1uyuua8l0BKgk3ujF\n" 231 "0/wsHNeP22qNyVO+XVBzrM8fk8BSUFuiT/6tZTYXRtEt5aKQZgXbKU5dUF3jT9qg\n" 232 "j/Br5BZw3X/zd325TvnswzMC1+ljLzHnQGGk\n" 233 "-----END CERTIFICATE-----\n" 234 ; 235 } 236 237 /** return the built in root DS trust anchor */ 238 static const char* 239 get_builtin_ds(void) 240 { 241 return 242 ". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5\n"; 243 } 244 245 /** print hex data */ 246 static void 247 print_data(const char* msg, const char* data, int len) 248 { 249 int i; 250 printf("%s: ", msg); 251 for(i=0; i<len; i++) { 252 printf(" %2.2x", (unsigned char)data[i]); 253 } 254 printf("\n"); 255 } 256 257 /** print ub context creation error and exit */ 258 static void 259 ub_ctx_error_exit(struct ub_ctx* ctx, const char* str, const char* str2) 260 { 261 ub_ctx_delete(ctx); 262 if(str && str2 && verb) printf("%s: %s\n", str, str2); 263 if(verb) printf("error: could not create unbound resolver context\n"); 264 exit(0); 265 } 266 267 /** 268 * Create a new unbound context with the commandline settings applied 269 */ 270 static struct ub_ctx* 271 create_unbound_context(const char* res_conf, const char* root_hints, 272 const char* debugconf, int ip4only, int ip6only) 273 { 274 int r; 275 struct ub_ctx* ctx = ub_ctx_create(); 276 if(!ctx) { 277 if(verb) printf("out of memory\n"); 278 exit(0); 279 } 280 /* do not waste time and network traffic to fetch extra nameservers */ 281 r = ub_ctx_set_option(ctx, "target-fetch-policy:", "0 0 0 0 0"); 282 if(r && verb) printf("ctx targetfetchpolicy: %s\n", ub_strerror(r)); 283 /* read config file first, so its settings can be overridden */ 284 if(debugconf) { 285 r = ub_ctx_config(ctx, debugconf); 286 if(r) ub_ctx_error_exit(ctx, debugconf, ub_strerror(r)); 287 } 288 if(res_conf) { 289 r = ub_ctx_resolvconf(ctx, res_conf); 290 if(r) ub_ctx_error_exit(ctx, res_conf, ub_strerror(r)); 291 } 292 if(root_hints) { 293 r = ub_ctx_set_option(ctx, "root-hints:", root_hints); 294 if(r) ub_ctx_error_exit(ctx, root_hints, ub_strerror(r)); 295 } 296 if(ip4only) { 297 r = ub_ctx_set_option(ctx, "do-ip6:", "no"); 298 if(r) ub_ctx_error_exit(ctx, "ip4only", ub_strerror(r)); 299 } 300 if(ip6only) { 301 r = ub_ctx_set_option(ctx, "do-ip4:", "no"); 302 if(r) ub_ctx_error_exit(ctx, "ip6only", ub_strerror(r)); 303 } 304 return ctx; 305 } 306 307 /** printout certificate in detail */ 308 static void 309 verb_cert(const char* msg, X509* x) 310 { 311 if(verb == 0 || verb == 1) return; 312 if(verb == 2) { 313 if(msg) printf("%s\n", msg); 314 X509_print_ex_fp(stdout, x, 0, (unsigned long)-1 315 ^(X509_FLAG_NO_SUBJECT 316 |X509_FLAG_NO_ISSUER|X509_FLAG_NO_VALIDITY)); 317 return; 318 } 319 if(msg) printf("%s\n", msg); 320 X509_print_fp(stdout, x); 321 } 322 323 /** printout certificates in detail */ 324 static void 325 verb_certs(const char* msg, STACK_OF(X509)* sk) 326 { 327 int i, num = sk_X509_num(sk); 328 if(verb == 0 || verb == 1) return; 329 for(i=0; i<num; i++) { 330 printf("%s (%d/%d)\n", msg, i, num); 331 verb_cert(NULL, sk_X509_value(sk, i)); 332 } 333 } 334 335 /** read certificates from a PEM bio */ 336 static STACK_OF(X509)* 337 read_cert_bio(BIO* bio) 338 { 339 STACK_OF(X509) *sk = sk_X509_new_null(); 340 if(!sk) { 341 if(verb) printf("out of memory\n"); 342 exit(0); 343 } 344 while(!BIO_eof(bio)) { 345 X509* x = PEM_read_bio_X509(bio, NULL, 0, NULL); 346 if(x == NULL) { 347 if(verb) { 348 printf("failed to read X509\n"); 349 ERR_print_errors_fp(stdout); 350 } 351 continue; 352 } 353 if(!sk_X509_push(sk, x)) { 354 if(verb) printf("out of memory\n"); 355 exit(0); 356 } 357 } 358 return sk; 359 } 360 361 /* read the certificate file */ 362 static STACK_OF(X509)* 363 read_cert_file(const char* file) 364 { 365 STACK_OF(X509)* sk; 366 FILE* in; 367 int content = 0; 368 char buf[128]; 369 if(file == NULL || strcmp(file, "") == 0) { 370 return NULL; 371 } 372 sk = sk_X509_new_null(); 373 if(!sk) { 374 if(verb) printf("out of memory\n"); 375 exit(0); 376 } 377 in = fopen(file, "r"); 378 if(!in) { 379 if(verb) printf("%s: %s\n", file, strerror(errno)); 380 #ifndef S_SPLINT_S 381 sk_X509_pop_free(sk, X509_free); 382 #endif 383 return NULL; 384 } 385 while(!feof(in)) { 386 X509* x = PEM_read_X509(in, NULL, 0, NULL); 387 if(x == NULL) { 388 if(verb) { 389 printf("failed to read X509 file\n"); 390 ERR_print_errors_fp(stdout); 391 } 392 continue; 393 } 394 if(!sk_X509_push(sk, x)) { 395 if(verb) printf("out of memory\n"); 396 fclose(in); 397 exit(0); 398 } 399 content = 1; 400 /* read away newline after --END CERT-- */ 401 if(!fgets(buf, (int)sizeof(buf), in)) 402 break; 403 } 404 fclose(in); 405 if(!content) { 406 if(verb) printf("%s is empty\n", file); 407 #ifndef S_SPLINT_S 408 sk_X509_pop_free(sk, X509_free); 409 #endif 410 return NULL; 411 } 412 return sk; 413 } 414 415 /** read certificates from the builtin certificate */ 416 static STACK_OF(X509)* 417 read_builtin_cert(void) 418 { 419 const char* builtin_cert = get_builtin_cert(); 420 STACK_OF(X509)* sk; 421 BIO *bio = BIO_new_mem_buf((void*)builtin_cert, 422 (int)strlen(builtin_cert)); 423 if(!bio) { 424 if(verb) printf("out of memory\n"); 425 exit(0); 426 } 427 sk = read_cert_bio(bio); 428 if(!sk) { 429 if(verb) printf("internal error, out of memory\n"); 430 exit(0); 431 } 432 BIO_free(bio); 433 return sk; 434 } 435 436 /** read update cert file or use builtin */ 437 static STACK_OF(X509)* 438 read_cert_or_builtin(const char* file) 439 { 440 STACK_OF(X509) *sk = read_cert_file(file); 441 if(!sk) { 442 if(verb) printf("using builtin certificate\n"); 443 sk = read_builtin_cert(); 444 } 445 if(verb) printf("have %d trusted certificates\n", sk_X509_num(sk)); 446 verb_certs("trusted certificates", sk); 447 return sk; 448 } 449 450 static void 451 do_list_builtin(void) 452 { 453 const char* builtin_cert = get_builtin_cert(); 454 const char* builtin_ds = get_builtin_ds(); 455 printf("%s\n", builtin_ds); 456 printf("%s\n", builtin_cert); 457 exit(0); 458 } 459 460 /** printout IP address with message */ 461 static void 462 verb_addr(const char* msg, struct ip_list* ip) 463 { 464 if(verb) { 465 char out[100]; 466 void* a = &((struct sockaddr_in*)&ip->addr)->sin_addr; 467 if(ip->len != (socklen_t)sizeof(struct sockaddr_in)) 468 a = &((struct sockaddr_in6*)&ip->addr)->sin6_addr; 469 470 if(inet_ntop((int)((struct sockaddr_in*)&ip->addr)->sin_family, 471 a, out, (socklen_t)sizeof(out))==0) 472 printf("%s (inet_ntop error)\n", msg); 473 else printf("%s %s\n", msg, out); 474 } 475 } 476 477 /** free ip_list */ 478 static void 479 ip_list_free(struct ip_list* p) 480 { 481 struct ip_list* np; 482 while(p) { 483 np = p->next; 484 free(p); 485 p = np; 486 } 487 } 488 489 /** create ip_list entry for a RR record */ 490 static struct ip_list* 491 RR_to_ip(int tp, char* data, int len, int port) 492 { 493 struct ip_list* ip = (struct ip_list*)calloc(1, sizeof(*ip)); 494 uint16_t p = (uint16_t)port; 495 if(tp == LDNS_RR_TYPE_A) { 496 struct sockaddr_in* sa = (struct sockaddr_in*)&ip->addr; 497 ip->len = (socklen_t)sizeof(*sa); 498 sa->sin_family = AF_INET; 499 sa->sin_port = (in_port_t)htons(p); 500 if(len != (int)sizeof(sa->sin_addr)) { 501 if(verb) printf("skipped badly formatted A\n"); 502 free(ip); 503 return NULL; 504 } 505 memmove(&sa->sin_addr, data, sizeof(sa->sin_addr)); 506 507 } else if(tp == LDNS_RR_TYPE_AAAA) { 508 struct sockaddr_in6* sa = (struct sockaddr_in6*)&ip->addr; 509 ip->len = (socklen_t)sizeof(*sa); 510 sa->sin6_family = AF_INET6; 511 sa->sin6_port = (in_port_t)htons(p); 512 if(len != (int)sizeof(sa->sin6_addr)) { 513 if(verb) printf("skipped badly formatted AAAA\n"); 514 free(ip); 515 return NULL; 516 } 517 memmove(&sa->sin6_addr, data, sizeof(sa->sin6_addr)); 518 } else { 519 if(verb) printf("internal error: bad type in RRtoip\n"); 520 free(ip); 521 return NULL; 522 } 523 verb_addr("resolved server address", ip); 524 return ip; 525 } 526 527 /** Resolve name, type, class and add addresses to iplist */ 528 static void 529 resolve_host_ip(struct ub_ctx* ctx, const char* host, int port, int tp, int cl, 530 struct ip_list** head) 531 { 532 struct ub_result* res = NULL; 533 int r; 534 int i; 535 536 r = ub_resolve(ctx, host, tp, cl, &res); 537 if(r) { 538 if(verb) printf("error: resolve %s %s: %s\n", host, 539 (tp==LDNS_RR_TYPE_A)?"A":"AAAA", ub_strerror(r)); 540 return; 541 } 542 if(!res) { 543 if(verb) printf("out of memory\n"); 544 ub_ctx_delete(ctx); 545 exit(0); 546 } 547 if(!res->havedata || res->rcode || !res->data) { 548 if(verb) printf("resolve %s %s: no result\n", host, 549 (tp==LDNS_RR_TYPE_A)?"A":"AAAA"); 550 return; 551 } 552 for(i = 0; res->data[i]; i++) { 553 struct ip_list* ip = RR_to_ip(tp, res->data[i], res->len[i], 554 port); 555 if(!ip) continue; 556 ip->next = *head; 557 *head = ip; 558 } 559 ub_resolve_free(res); 560 } 561 562 /** parse a text IP address into a sockaddr */ 563 static struct ip_list* 564 parse_ip_addr(const char* str, int port) 565 { 566 socklen_t len = 0; 567 union { 568 struct sockaddr_in6 a6; 569 struct sockaddr_in a; 570 } addr; 571 struct ip_list* ip; 572 uint16_t p = (uint16_t)port; 573 memset(&addr, 0, sizeof(addr)); 574 575 if(inet_pton(AF_INET6, str, &addr.a6.sin6_addr) > 0) { 576 /* it is an IPv6 */ 577 addr.a6.sin6_family = AF_INET6; 578 addr.a6.sin6_port = (in_port_t)htons(p); 579 len = (socklen_t)sizeof(addr.a6); 580 } 581 if(inet_pton(AF_INET, str, &addr.a.sin_addr) > 0) { 582 /* it is an IPv4 */ 583 addr.a.sin_family = AF_INET; 584 addr.a.sin_port = (in_port_t)htons(p); 585 len = (socklen_t)sizeof(struct sockaddr_in); 586 } 587 if(!len) return NULL; 588 ip = (struct ip_list*)calloc(1, sizeof(*ip)); 589 if(!ip) { 590 if(verb) printf("out of memory\n"); 591 exit(0); 592 } 593 ip->len = len; 594 memmove(&ip->addr, &addr, len); 595 if(verb) printf("server address is %s\n", str); 596 return ip; 597 } 598 599 /** 600 * Resolve a domain name (even though the resolver is down and there is 601 * no trust anchor). Without DNSSEC validation. 602 * @param host: the name to resolve. 603 * If this name is an IP4 or IP6 address this address is returned. 604 * @param port: the port number used for the returned IP structs. 605 * @param res_conf: resolv.conf (if any). 606 * @param root_hints: root hints (if any). 607 * @param debugconf: unbound.conf for debugging options. 608 * @param ip4only: use only ip4 for resolve and only lookup A 609 * @param ip6only: use only ip6 for resolve and only lookup AAAA 610 * default is to lookup A and AAAA using ip4 and ip6. 611 * @return list of IP addresses. 612 */ 613 static struct ip_list* 614 resolve_name(const char* host, int port, const char* res_conf, 615 const char* root_hints, const char* debugconf, int ip4only, int ip6only) 616 { 617 struct ub_ctx* ctx; 618 struct ip_list* list = NULL; 619 /* first see if name is an IP address itself */ 620 if( (list=parse_ip_addr(host, port)) ) { 621 return list; 622 } 623 624 /* create resolver context */ 625 ctx = create_unbound_context(res_conf, root_hints, debugconf, 626 ip4only, ip6only); 627 628 /* try resolution of A */ 629 if(!ip6only) { 630 resolve_host_ip(ctx, host, port, LDNS_RR_TYPE_A, 631 LDNS_RR_CLASS_IN, &list); 632 } 633 634 /* try resolution of AAAA */ 635 if(!ip4only) { 636 resolve_host_ip(ctx, host, port, LDNS_RR_TYPE_AAAA, 637 LDNS_RR_CLASS_IN, &list); 638 } 639 640 ub_ctx_delete(ctx); 641 if(!list) { 642 if(verb) printf("%s has no IP addresses I can use\n", host); 643 exit(0); 644 } 645 return list; 646 } 647 648 /** clear used flags */ 649 static void 650 wipe_ip_usage(struct ip_list* p) 651 { 652 while(p) { 653 p->used = 0; 654 p = p->next; 655 } 656 } 657 658 /** cound unused IPs */ 659 static int 660 count_unused(struct ip_list* p) 661 { 662 int num = 0; 663 while(p) { 664 if(!p->used) num++; 665 p = p->next; 666 } 667 return num; 668 } 669 670 /** pick random unused element from IP list */ 671 static struct ip_list* 672 pick_random_ip(struct ip_list* list) 673 { 674 struct ip_list* p = list; 675 int num = count_unused(list); 676 int sel; 677 if(num == 0) return NULL; 678 /* not perfect, but random enough */ 679 sel = (int)arc4random_uniform((uint32_t)num); 680 /* skip over unused elements that we did not select */ 681 while(sel > 0 && p) { 682 if(!p->used) sel--; 683 p = p->next; 684 } 685 /* find the next unused element */ 686 while(p && p->used) 687 p = p->next; 688 if(!p) return NULL; /* robustness */ 689 return p; 690 } 691 692 /** close the fd */ 693 static void 694 fd_close(int fd) 695 { 696 #ifndef USE_WINSOCK 697 close(fd); 698 #else 699 closesocket(fd); 700 #endif 701 } 702 703 /** printout socket errno */ 704 static void 705 print_sock_err(const char* msg) 706 { 707 #ifndef USE_WINSOCK 708 if(verb) printf("%s: %s\n", msg, strerror(errno)); 709 #else 710 if(verb) printf("%s: %s\n", msg, wsa_strerror(WSAGetLastError())); 711 #endif 712 } 713 714 /** connect to IP address */ 715 static int 716 connect_to_ip(struct ip_list* ip) 717 { 718 int fd; 719 verb_addr("connect to", ip); 720 fd = socket(ip->len==(socklen_t)sizeof(struct sockaddr_in)? 721 AF_INET:AF_INET6, SOCK_STREAM, 0); 722 if(fd == -1) { 723 print_sock_err("socket"); 724 return -1; 725 } 726 if(connect(fd, (struct sockaddr*)&ip->addr, ip->len) < 0) { 727 print_sock_err("connect"); 728 fd_close(fd); 729 return -1; 730 } 731 return fd; 732 } 733 734 /** create SSL context */ 735 static SSL_CTX* 736 setup_sslctx(void) 737 { 738 SSL_CTX* sslctx = SSL_CTX_new(SSLv23_client_method()); 739 if(!sslctx) { 740 if(verb) printf("SSL_CTX_new error\n"); 741 return NULL; 742 } 743 return sslctx; 744 } 745 746 /** initiate TLS on a connection */ 747 static SSL* 748 TLS_initiate(SSL_CTX* sslctx, int fd) 749 { 750 X509* x; 751 int r; 752 SSL* ssl = SSL_new(sslctx); 753 if(!ssl) { 754 if(verb) printf("SSL_new error\n"); 755 return NULL; 756 } 757 SSL_set_connect_state(ssl); 758 (void)SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY); 759 if(!SSL_set_fd(ssl, fd)) { 760 if(verb) printf("SSL_set_fd error\n"); 761 SSL_free(ssl); 762 return NULL; 763 } 764 while(1) { 765 ERR_clear_error(); 766 if( (r=SSL_do_handshake(ssl)) == 1) 767 break; 768 r = SSL_get_error(ssl, r); 769 if(r != SSL_ERROR_WANT_READ && r != SSL_ERROR_WANT_WRITE) { 770 if(verb) printf("SSL handshake failed\n"); 771 SSL_free(ssl); 772 return NULL; 773 } 774 /* wants to be called again */ 775 } 776 x = SSL_get_peer_certificate(ssl); 777 if(!x) { 778 if(verb) printf("Server presented no peer certificate\n"); 779 SSL_free(ssl); 780 return NULL; 781 } 782 verb_cert("server SSL certificate", x); 783 X509_free(x); 784 return ssl; 785 } 786 787 /** perform neat TLS shutdown */ 788 static void 789 TLS_shutdown(int fd, SSL* ssl, SSL_CTX* sslctx) 790 { 791 /* shutdown the SSL connection nicely */ 792 if(SSL_shutdown(ssl) == 0) { 793 SSL_shutdown(ssl); 794 } 795 SSL_free(ssl); 796 SSL_CTX_free(sslctx); 797 fd_close(fd); 798 } 799 800 /** write a line over SSL */ 801 static int 802 write_ssl_line(SSL* ssl, const char* str, const char* sec) 803 { 804 char buf[1024]; 805 size_t l; 806 if(sec) { 807 snprintf(buf, sizeof(buf), str, sec); 808 } else { 809 snprintf(buf, sizeof(buf), "%s", str); 810 } 811 l = strlen(buf); 812 if(l+2 >= sizeof(buf)) { 813 if(verb) printf("line too long\n"); 814 return 0; 815 } 816 if(verb >= 2) printf("SSL_write: %s\n", buf); 817 buf[l] = '\r'; 818 buf[l+1] = '\n'; 819 buf[l+2] = 0; 820 /* add \r\n */ 821 if(SSL_write(ssl, buf, (int)strlen(buf)) <= 0) { 822 if(verb) printf("could not SSL_write %s", str); 823 return 0; 824 } 825 return 1; 826 } 827 828 /** process header line, check rcode and keeping track of size */ 829 static int 830 process_one_header(char* buf, size_t* clen, int* chunked) 831 { 832 if(verb>=2) printf("header: '%s'\n", buf); 833 if(strncasecmp(buf, "HTTP/1.1 ", 9) == 0) { 834 /* check returncode */ 835 if(buf[9] != '2') { 836 if(verb) printf("bad status %s\n", buf+9); 837 return 0; 838 } 839 } else if(strncasecmp(buf, "Content-Length: ", 16) == 0) { 840 if(!*chunked) 841 *clen = (size_t)atoi(buf+16); 842 } else if(strncasecmp(buf, "Transfer-Encoding: chunked", 19+7) == 0) { 843 *clen = 0; 844 *chunked = 1; 845 } 846 return 1; 847 } 848 849 /** 850 * Read one line from SSL 851 * zero terminates. 852 * skips "\r\n" (but not copied to buf). 853 * @param ssl: the SSL connection to read from (blocking). 854 * @param buf: buffer to return line in. 855 * @param len: size of the buffer. 856 * @return 0 on error, 1 on success. 857 */ 858 static int 859 read_ssl_line(SSL* ssl, char* buf, size_t len) 860 { 861 size_t n = 0; 862 int r; 863 int endnl = 0; 864 while(1) { 865 if(n >= len) { 866 if(verb) printf("line too long\n"); 867 return 0; 868 } 869 if((r = SSL_read(ssl, buf+n, 1)) <= 0) { 870 if(SSL_get_error(ssl, r) == SSL_ERROR_ZERO_RETURN) { 871 /* EOF */ 872 break; 873 } 874 if(verb) printf("could not SSL_read\n"); 875 return 0; 876 } 877 if(endnl && buf[n] == '\n') { 878 break; 879 } else if(endnl) { 880 /* bad data */ 881 if(verb) printf("error: stray linefeeds\n"); 882 return 0; 883 } else if(buf[n] == '\r') { 884 /* skip \r, and also \n on the wire */ 885 endnl = 1; 886 continue; 887 } else if(buf[n] == '\n') { 888 /* skip the \n, we are done */ 889 break; 890 } else n++; 891 } 892 buf[n] = 0; 893 return 1; 894 } 895 896 /** read http headers and process them */ 897 static size_t 898 read_http_headers(SSL* ssl, size_t* clen) 899 { 900 char buf[1024]; 901 int chunked = 0; 902 *clen = 0; 903 while(read_ssl_line(ssl, buf, sizeof(buf))) { 904 if(buf[0] == 0) 905 return 1; 906 if(!process_one_header(buf, clen, &chunked)) 907 return 0; 908 } 909 return 0; 910 } 911 912 /** read a data chunk */ 913 static char* 914 read_data_chunk(SSL* ssl, size_t len) 915 { 916 size_t got = 0; 917 int r; 918 char* data; 919 if(len >= 0xfffffff0) 920 return NULL; /* to protect against integer overflow in malloc*/ 921 data = malloc(len+1); 922 if(!data) { 923 if(verb) printf("out of memory\n"); 924 return NULL; 925 } 926 while(got < len) { 927 if((r = SSL_read(ssl, data+got, (int)(len-got))) <= 0) { 928 if(SSL_get_error(ssl, r) == SSL_ERROR_ZERO_RETURN) { 929 /* EOF */ 930 if(verb) printf("could not SSL_read: unexpected EOF\n"); 931 free(data); 932 return NULL; 933 } 934 if(verb) printf("could not SSL_read\n"); 935 free(data); 936 return NULL; 937 } 938 if(verb >= 2) printf("at %d/%d\n", (int)got, (int)len); 939 got += r; 940 } 941 if(verb>=2) printf("read %d data\n", (int)len); 942 data[len] = 0; 943 return data; 944 } 945 946 /** parse chunk header */ 947 static int 948 parse_chunk_header(char* buf, size_t* result) 949 { 950 char* e = NULL; 951 size_t v = (size_t)strtol(buf, &e, 16); 952 if(e == buf) 953 return 0; 954 *result = v; 955 return 1; 956 } 957 958 /** read chunked data from connection */ 959 static BIO* 960 do_chunked_read(SSL* ssl) 961 { 962 char buf[1024]; 963 size_t len; 964 char* body; 965 BIO* mem = BIO_new(BIO_s_mem()); 966 if(verb>=3) printf("do_chunked_read\n"); 967 if(!mem) { 968 if(verb) printf("out of memory\n"); 969 return NULL; 970 } 971 while(read_ssl_line(ssl, buf, sizeof(buf))) { 972 /* read the chunked start line */ 973 if(verb>=2) printf("chunk header: %s\n", buf); 974 if(!parse_chunk_header(buf, &len)) { 975 BIO_free(mem); 976 if(verb>=3) printf("could not parse chunk header\n"); 977 return NULL; 978 } 979 if(verb>=2) printf("chunk len: %d\n", (int)len); 980 /* are we done? */ 981 if(len == 0) { 982 char z = 0; 983 /* skip end-of-chunk-trailer lines, 984 * until the empty line after that */ 985 do { 986 if(!read_ssl_line(ssl, buf, sizeof(buf))) { 987 BIO_free(mem); 988 return NULL; 989 } 990 } while (strlen(buf) > 0); 991 /* end of chunks, zero terminate it */ 992 if(BIO_write(mem, &z, 1) <= 0) { 993 if(verb) printf("out of memory\n"); 994 BIO_free(mem); 995 return NULL; 996 } 997 return mem; 998 } 999 /* read the chunked body */ 1000 body = read_data_chunk(ssl, len); 1001 if(!body) { 1002 BIO_free(mem); 1003 return NULL; 1004 } 1005 if(BIO_write(mem, body, (int)len) <= 0) { 1006 if(verb) printf("out of memory\n"); 1007 free(body); 1008 BIO_free(mem); 1009 return NULL; 1010 } 1011 free(body); 1012 /* skip empty line after data chunk */ 1013 if(!read_ssl_line(ssl, buf, sizeof(buf))) { 1014 BIO_free(mem); 1015 return NULL; 1016 } 1017 } 1018 BIO_free(mem); 1019 return NULL; 1020 } 1021 1022 /** start HTTP1.1 transaction on SSL */ 1023 static int 1024 write_http_get(SSL* ssl, const char* pathname, const char* urlname) 1025 { 1026 if(write_ssl_line(ssl, "GET /%s HTTP/1.1", pathname) && 1027 write_ssl_line(ssl, "Host: %s", urlname) && 1028 write_ssl_line(ssl, "User-Agent: unbound-anchor/%s", 1029 PACKAGE_VERSION) && 1030 /* We do not really do multiple queries per connection, 1031 * but this header setting is also not needed. 1032 * write_ssl_line(ssl, "Connection: close", NULL) &&*/ 1033 write_ssl_line(ssl, "", NULL)) { 1034 return 1; 1035 } 1036 return 0; 1037 } 1038 1039 /** read chunked data and zero terminate; len is without zero */ 1040 static char* 1041 read_chunked_zero_terminate(SSL* ssl, size_t* len) 1042 { 1043 /* do the chunked version */ 1044 BIO* tmp = do_chunked_read(ssl); 1045 char* data, *d = NULL; 1046 size_t l; 1047 if(!tmp) { 1048 if(verb) printf("could not read from https\n"); 1049 return NULL; 1050 } 1051 l = (size_t)BIO_get_mem_data(tmp, &d); 1052 if(verb>=2) printf("chunked data is %d\n", (int)l); 1053 if(l == 0 || d == NULL) { 1054 if(verb) printf("out of memory\n"); 1055 return NULL; 1056 } 1057 *len = l-1; 1058 data = (char*)malloc(l); 1059 if(data == NULL) { 1060 if(verb) printf("out of memory\n"); 1061 return NULL; 1062 } 1063 memcpy(data, d, l); 1064 BIO_free(tmp); 1065 return data; 1066 } 1067 1068 /** read HTTP result from SSL */ 1069 static BIO* 1070 read_http_result(SSL* ssl) 1071 { 1072 size_t len = 0; 1073 char* data; 1074 BIO* m; 1075 if(!read_http_headers(ssl, &len)) { 1076 return NULL; 1077 } 1078 if(len == 0) { 1079 data = read_chunked_zero_terminate(ssl, &len); 1080 } else { 1081 data = read_data_chunk(ssl, len); 1082 } 1083 if(!data) return NULL; 1084 if(verb >= 4) print_data("read data", data, (int)len); 1085 m = BIO_new_mem_buf(data, (int)len); 1086 if(!m) { 1087 if(verb) printf("out of memory\n"); 1088 exit(0); 1089 } 1090 return m; 1091 } 1092 1093 /** https to an IP addr, return BIO with pathname or NULL */ 1094 static BIO* 1095 https_to_ip(struct ip_list* ip, const char* pathname, const char* urlname) 1096 { 1097 int fd; 1098 SSL* ssl; 1099 BIO* bio; 1100 SSL_CTX* sslctx = setup_sslctx(); 1101 if(!sslctx) { 1102 return NULL; 1103 } 1104 fd = connect_to_ip(ip); 1105 if(fd == -1) { 1106 SSL_CTX_free(sslctx); 1107 return NULL; 1108 } 1109 ssl = TLS_initiate(sslctx, fd); 1110 if(!ssl) { 1111 SSL_CTX_free(sslctx); 1112 fd_close(fd); 1113 return NULL; 1114 } 1115 if(!write_http_get(ssl, pathname, urlname)) { 1116 if(verb) printf("could not write to server\n"); 1117 SSL_free(ssl); 1118 SSL_CTX_free(sslctx); 1119 fd_close(fd); 1120 return NULL; 1121 } 1122 bio = read_http_result(ssl); 1123 TLS_shutdown(fd, ssl, sslctx); 1124 return bio; 1125 } 1126 1127 /** 1128 * Do a HTTPS, HTTP1.1 over TLS, to fetch a file 1129 * @param ip_list: list of IP addresses to use to fetch from. 1130 * @param pathname: pathname of file on server to GET. 1131 * @param urlname: name to pass as the virtual host for this request. 1132 * @return a memory BIO with the file in it. 1133 */ 1134 static BIO* 1135 https(struct ip_list* ip_list, const char* pathname, const char* urlname) 1136 { 1137 struct ip_list* ip; 1138 BIO* bio = NULL; 1139 /* try random address first, and work through the list */ 1140 wipe_ip_usage(ip_list); 1141 while( (ip = pick_random_ip(ip_list)) ) { 1142 ip->used = 1; 1143 bio = https_to_ip(ip, pathname, urlname); 1144 if(bio) break; 1145 } 1146 if(!bio) { 1147 if(verb) printf("could not fetch %s\n", pathname); 1148 exit(0); 1149 } else { 1150 if(verb) printf("fetched %s (%d bytes)\n", 1151 pathname, (int)BIO_ctrl_pending(bio)); 1152 } 1153 return bio; 1154 } 1155 1156 /** free up a downloaded file BIO */ 1157 static void 1158 free_file_bio(BIO* bio) 1159 { 1160 char* pp = NULL; 1161 (void)BIO_reset(bio); 1162 (void)BIO_get_mem_data(bio, &pp); 1163 free(pp); 1164 BIO_free(bio); 1165 } 1166 1167 /** XML parse private data during the parse */ 1168 struct xml_data { 1169 /** the parser, reference */ 1170 XML_Parser parser; 1171 /** the current tag; malloced; or NULL outside of tags */ 1172 char* tag; 1173 /** current date to use during the parse */ 1174 time_t date; 1175 /** number of keys usefully read in */ 1176 int num_keys; 1177 /** the compiled anchors as DS records */ 1178 BIO* ds; 1179 1180 /** do we want to use this anchor? */ 1181 int use_key; 1182 /** the current anchor: Zone */ 1183 BIO* czone; 1184 /** the current anchor: KeyTag */ 1185 BIO* ctag; 1186 /** the current anchor: Algorithm */ 1187 BIO* calgo; 1188 /** the current anchor: DigestType */ 1189 BIO* cdigtype; 1190 /** the current anchor: Digest*/ 1191 BIO* cdigest; 1192 }; 1193 1194 /** The BIO for the tag */ 1195 static BIO* 1196 xml_selectbio(struct xml_data* data, const char* tag) 1197 { 1198 BIO* b = NULL; 1199 if(strcasecmp(tag, "KeyTag") == 0) 1200 b = data->ctag; 1201 else if(strcasecmp(tag, "Algorithm") == 0) 1202 b = data->calgo; 1203 else if(strcasecmp(tag, "DigestType") == 0) 1204 b = data->cdigtype; 1205 else if(strcasecmp(tag, "Digest") == 0) 1206 b = data->cdigest; 1207 return b; 1208 } 1209 1210 /** 1211 * XML handle character data, the data inside an element. 1212 * @param userData: xml_data structure 1213 * @param s: the character data. May not all be in one callback. 1214 * NOT zero terminated. 1215 * @param len: length of this part of the data. 1216 */ 1217 static void 1218 xml_charhandle(void *userData, const XML_Char *s, int len) 1219 { 1220 struct xml_data* data = (struct xml_data*)userData; 1221 BIO* b = NULL; 1222 /* skip characters outside of elements */ 1223 if(!data->tag) 1224 return; 1225 if(verb>=4) { 1226 int i; 1227 printf("%s%s charhandle: '", 1228 data->use_key?"use ":"", 1229 data->tag?data->tag:"none"); 1230 for(i=0; i<len; i++) 1231 printf("%c", s[i]); 1232 printf("'\n"); 1233 } 1234 if(strcasecmp(data->tag, "Zone") == 0) { 1235 if(BIO_write(data->czone, s, len) < 0) { 1236 if(verb) printf("out of memory in BIO_write\n"); 1237 exit(0); 1238 } 1239 return; 1240 } 1241 /* only store if key is used */ 1242 if(!data->use_key) 1243 return; 1244 b = xml_selectbio(data, data->tag); 1245 if(b) { 1246 if(BIO_write(b, s, len) < 0) { 1247 if(verb) printf("out of memory in BIO_write\n"); 1248 exit(0); 1249 } 1250 } 1251 } 1252 1253 /** 1254 * XML fetch value of particular attribute(by name) or NULL if not present. 1255 * @param atts: attribute array (from xml_startelem). 1256 * @param name: name of attribute to look for. 1257 * @return the value or NULL. (ptr into atts). 1258 */ 1259 static const XML_Char* 1260 find_att(const XML_Char **atts, const XML_Char* name) 1261 { 1262 int i; 1263 for(i=0; atts[i]; i+=2) { 1264 if(strcasecmp(atts[i], name) == 0) 1265 return atts[i+1]; 1266 } 1267 return NULL; 1268 } 1269 1270 /** 1271 * XML convert DateTime element to time_t. 1272 * [-]CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] 1273 * (with optional .ssssss fractional seconds) 1274 * @param str: the string 1275 * @return a time_t representation or 0 on failure. 1276 */ 1277 static time_t 1278 xml_convertdate(const char* str) 1279 { 1280 time_t t = 0; 1281 struct tm tm; 1282 const char* s; 1283 /* for this application, ignore minus in front; 1284 * only positive dates are expected */ 1285 s = str; 1286 if(s[0] == '-') s++; 1287 memset(&tm, 0, sizeof(tm)); 1288 /* parse initial content of the string (lots of whitespace allowed) */ 1289 s = strptime(s, "%t%Y%t-%t%m%t-%t%d%tT%t%H%t:%t%M%t:%t%S%t", &tm); 1290 if(!s) { 1291 if(verb) printf("xml_convertdate parse failure %s\n", str); 1292 return 0; 1293 } 1294 /* parse remainder of date string */ 1295 if(*s == '.') { 1296 /* optional '.' and fractional seconds */ 1297 int frac = 0, n = 0; 1298 if(sscanf(s+1, "%d%n", &frac, &n) < 1) { 1299 if(verb) printf("xml_convertdate f failure %s\n", str); 1300 return 0; 1301 } 1302 /* fraction is not used, time_t has second accuracy */ 1303 s++; 1304 s+=n; 1305 } 1306 if(*s == 'Z' || *s == 'z') { 1307 /* nothing to do for this */ 1308 s++; 1309 } else if(*s == '+' || *s == '-') { 1310 /* optional timezone spec: Z or +hh:mm or -hh:mm */ 1311 int hr = 0, mn = 0, n = 0; 1312 if(sscanf(s+1, "%d:%d%n", &hr, &mn, &n) < 2) { 1313 if(verb) printf("xml_convertdate tz failure %s\n", str); 1314 return 0; 1315 } 1316 if(*s == '+') { 1317 tm.tm_hour += hr; 1318 tm.tm_min += mn; 1319 } else { 1320 tm.tm_hour -= hr; 1321 tm.tm_min -= mn; 1322 } 1323 s++; 1324 s += n; 1325 } 1326 if(*s != 0) { 1327 /* not ended properly */ 1328 /* but ignore, (lenient) */ 1329 } 1330 1331 t = mktime(&tm); 1332 if(t == (time_t)-1) { 1333 if(verb) printf("xml_convertdate mktime failure\n"); 1334 return 0; 1335 } 1336 return t; 1337 } 1338 1339 /** 1340 * XML handle the KeyDigest start tag, check validity periods. 1341 */ 1342 static void 1343 handle_keydigest(struct xml_data* data, const XML_Char **atts) 1344 { 1345 data->use_key = 0; 1346 if(find_att(atts, "validFrom")) { 1347 time_t from = xml_convertdate(find_att(atts, "validFrom")); 1348 if(from == 0) { 1349 if(verb) printf("error: xml cannot be parsed\n"); 1350 exit(0); 1351 } 1352 if(data->date < from) 1353 return; 1354 } 1355 if(find_att(atts, "validUntil")) { 1356 time_t until = xml_convertdate(find_att(atts, "validUntil")); 1357 if(until == 0) { 1358 if(verb) printf("error: xml cannot be parsed\n"); 1359 exit(0); 1360 } 1361 if(data->date > until) 1362 return; 1363 } 1364 /* yes we want to use this key */ 1365 data->use_key = 1; 1366 (void)BIO_reset(data->ctag); 1367 (void)BIO_reset(data->calgo); 1368 (void)BIO_reset(data->cdigtype); 1369 (void)BIO_reset(data->cdigest); 1370 } 1371 1372 /** See if XML element equals the zone name */ 1373 static int 1374 xml_is_zone_name(BIO* zone, const char* name) 1375 { 1376 char buf[1024]; 1377 char* z = NULL; 1378 long zlen; 1379 (void)BIO_seek(zone, 0); 1380 zlen = BIO_get_mem_data(zone, &z); 1381 if(!zlen || !z) return 0; 1382 /* zero terminate */ 1383 if(zlen >= (long)sizeof(buf)) return 0; 1384 memmove(buf, z, (size_t)zlen); 1385 buf[zlen] = 0; 1386 /* compare */ 1387 return (strncasecmp(buf, name, strlen(name)) == 0); 1388 } 1389 1390 /** 1391 * XML start of element. This callback is called whenever an XML tag starts. 1392 * XML_Char is UTF8. 1393 * @param userData: the xml_data structure. 1394 * @param name: the tag that starts. 1395 * @param atts: array of strings, pairs of attr = value, ends with NULL. 1396 * i.e. att[0]="att[1]" att[2]="att[3]" att[4]isNull 1397 */ 1398 static void 1399 xml_startelem(void *userData, const XML_Char *name, const XML_Char **atts) 1400 { 1401 struct xml_data* data = (struct xml_data*)userData; 1402 BIO* b; 1403 if(verb>=4) printf("xml tag start '%s'\n", name); 1404 free(data->tag); 1405 data->tag = strdup(name); 1406 if(!data->tag) { 1407 if(verb) printf("out of memory\n"); 1408 exit(0); 1409 } 1410 if(verb>=4) { 1411 int i; 1412 for(i=0; atts[i]; i+=2) { 1413 printf(" %s='%s'\n", atts[i], atts[i+1]); 1414 } 1415 } 1416 /* handle attributes to particular types */ 1417 if(strcasecmp(name, "KeyDigest") == 0) { 1418 handle_keydigest(data, atts); 1419 return; 1420 } else if(strcasecmp(name, "Zone") == 0) { 1421 (void)BIO_reset(data->czone); 1422 return; 1423 } 1424 1425 /* for other types we prepare to pick up the data */ 1426 if(!data->use_key) 1427 return; 1428 b = xml_selectbio(data, data->tag); 1429 if(b) { 1430 /* empty it */ 1431 (void)BIO_reset(b); 1432 } 1433 } 1434 1435 /** Append str to bio */ 1436 static void 1437 xml_append_str(BIO* b, const char* s) 1438 { 1439 if(BIO_write(b, s, (int)strlen(s)) < 0) { 1440 if(verb) printf("out of memory in BIO_write\n"); 1441 exit(0); 1442 } 1443 } 1444 1445 /** Append bio to bio */ 1446 static void 1447 xml_append_bio(BIO* b, BIO* a) 1448 { 1449 char* z = NULL; 1450 long i, len; 1451 (void)BIO_seek(a, 0); 1452 len = BIO_get_mem_data(a, &z); 1453 if(!len || !z) { 1454 if(verb) printf("out of memory in BIO_write\n"); 1455 exit(0); 1456 } 1457 /* remove newlines in the data here */ 1458 for(i=0; i<len; i++) { 1459 if(z[i] == '\r' || z[i] == '\n') 1460 z[i] = ' '; 1461 } 1462 /* write to BIO */ 1463 if(BIO_write(b, z, len) < 0) { 1464 if(verb) printf("out of memory in BIO_write\n"); 1465 exit(0); 1466 } 1467 } 1468 1469 /** write the parsed xml-DS to the DS list */ 1470 static void 1471 xml_append_ds(struct xml_data* data) 1472 { 1473 /* write DS to accumulated DS */ 1474 xml_append_str(data->ds, ". IN DS "); 1475 xml_append_bio(data->ds, data->ctag); 1476 xml_append_str(data->ds, " "); 1477 xml_append_bio(data->ds, data->calgo); 1478 xml_append_str(data->ds, " "); 1479 xml_append_bio(data->ds, data->cdigtype); 1480 xml_append_str(data->ds, " "); 1481 xml_append_bio(data->ds, data->cdigest); 1482 xml_append_str(data->ds, "\n"); 1483 data->num_keys++; 1484 } 1485 1486 /** 1487 * XML end of element. This callback is called whenever an XML tag ends. 1488 * XML_Char is UTF8. 1489 * @param userData: the xml_data structure 1490 * @param name: the tag that ends. 1491 */ 1492 static void 1493 xml_endelem(void *userData, const XML_Char *name) 1494 { 1495 struct xml_data* data = (struct xml_data*)userData; 1496 if(verb>=4) printf("xml tag end '%s'\n", name); 1497 free(data->tag); 1498 data->tag = NULL; 1499 if(strcasecmp(name, "KeyDigest") == 0) { 1500 if(data->use_key) 1501 xml_append_ds(data); 1502 data->use_key = 0; 1503 } else if(strcasecmp(name, "Zone") == 0) { 1504 if(!xml_is_zone_name(data->czone, ".")) { 1505 if(verb) printf("xml not for the right zone\n"); 1506 exit(0); 1507 } 1508 } 1509 } 1510 1511 /* Stop the parser when an entity declaration is encountered. For safety. */ 1512 static void 1513 xml_entitydeclhandler(void *userData, 1514 const XML_Char *ATTR_UNUSED(entityName), 1515 int ATTR_UNUSED(is_parameter_entity), 1516 const XML_Char *ATTR_UNUSED(value), int ATTR_UNUSED(value_length), 1517 const XML_Char *ATTR_UNUSED(base), 1518 const XML_Char *ATTR_UNUSED(systemId), 1519 const XML_Char *ATTR_UNUSED(publicId), 1520 const XML_Char *ATTR_UNUSED(notationName)) 1521 { 1522 (void)XML_StopParser((XML_Parser)userData, XML_FALSE); 1523 } 1524 1525 /** 1526 * XML parser setup of the callbacks for the tags 1527 */ 1528 static void 1529 xml_parse_setup(XML_Parser parser, struct xml_data* data, time_t now) 1530 { 1531 char buf[1024]; 1532 memset(data, 0, sizeof(*data)); 1533 XML_SetUserData(parser, data); 1534 data->parser = parser; 1535 data->date = now; 1536 data->ds = BIO_new(BIO_s_mem()); 1537 data->ctag = BIO_new(BIO_s_mem()); 1538 data->czone = BIO_new(BIO_s_mem()); 1539 data->calgo = BIO_new(BIO_s_mem()); 1540 data->cdigtype = BIO_new(BIO_s_mem()); 1541 data->cdigest = BIO_new(BIO_s_mem()); 1542 if(!data->ds || !data->ctag || !data->calgo || !data->czone || 1543 !data->cdigtype || !data->cdigest) { 1544 if(verb) printf("out of memory\n"); 1545 exit(0); 1546 } 1547 snprintf(buf, sizeof(buf), "; created by unbound-anchor on %s", 1548 ctime(&now)); 1549 if(BIO_write(data->ds, buf, (int)strlen(buf)) < 0) { 1550 if(verb) printf("out of memory\n"); 1551 exit(0); 1552 } 1553 XML_SetEntityDeclHandler(parser, xml_entitydeclhandler); 1554 XML_SetElementHandler(parser, xml_startelem, xml_endelem); 1555 XML_SetCharacterDataHandler(parser, xml_charhandle); 1556 } 1557 1558 /** 1559 * Perform XML parsing of the root-anchors file 1560 * Its format description can be read here 1561 * https://data.iana.org/root-anchors/draft-icann-dnssec-trust-anchor.txt 1562 * It uses libexpat. 1563 * @param xml: BIO with xml data. 1564 * @param now: the current time for checking DS validity periods. 1565 * @return memoryBIO with the DS data in zone format. 1566 * or NULL if the zone is insecure. 1567 * (It exit()s on error) 1568 */ 1569 static BIO* 1570 xml_parse(BIO* xml, time_t now) 1571 { 1572 char* pp; 1573 int len; 1574 XML_Parser parser; 1575 struct xml_data data; 1576 1577 parser = XML_ParserCreate(NULL); 1578 if(!parser) { 1579 if(verb) printf("could not XML_ParserCreate\n"); 1580 exit(0); 1581 } 1582 1583 /* setup callbacks */ 1584 xml_parse_setup(parser, &data, now); 1585 1586 /* parse it */ 1587 (void)BIO_reset(xml); 1588 len = (int)BIO_get_mem_data(xml, &pp); 1589 if(!len || !pp) { 1590 if(verb) printf("out of memory\n"); 1591 exit(0); 1592 } 1593 if(!XML_Parse(parser, pp, len, 1 /*isfinal*/ )) { 1594 const char *e = XML_ErrorString(XML_GetErrorCode(parser)); 1595 if(verb) printf("XML_Parse failure %s\n", e?e:""); 1596 exit(0); 1597 } 1598 1599 /* parsed */ 1600 if(verb) printf("XML was parsed successfully, %d keys\n", 1601 data.num_keys); 1602 free(data.tag); 1603 XML_ParserFree(parser); 1604 1605 if(verb >= 4) { 1606 (void)BIO_seek(data.ds, 0); 1607 len = BIO_get_mem_data(data.ds, &pp); 1608 printf("got DS bio %d: '", len); 1609 if(!fwrite(pp, (size_t)len, 1, stdout)) 1610 /* compilers do not allow us to ignore fwrite .. */ 1611 fprintf(stderr, "error writing to stdout\n"); 1612 printf("'\n"); 1613 } 1614 BIO_free(data.czone); 1615 BIO_free(data.ctag); 1616 BIO_free(data.calgo); 1617 BIO_free(data.cdigtype); 1618 BIO_free(data.cdigest); 1619 1620 if(data.num_keys == 0) { 1621 /* the root zone seems to have gone insecure */ 1622 BIO_free(data.ds); 1623 return NULL; 1624 } else { 1625 return data.ds; 1626 } 1627 } 1628 1629 /* get key usage out of its extension, returns 0 if no key_usage extension */ 1630 static unsigned long 1631 get_usage_of_ex(X509* cert) 1632 { 1633 unsigned long val = 0; 1634 ASN1_BIT_STRING* s; 1635 if((s=X509_get_ext_d2i(cert, NID_key_usage, NULL, NULL))) { 1636 if(s->length > 0) { 1637 val = s->data[0]; 1638 if(s->length > 1) 1639 val |= s->data[1] << 8; 1640 } 1641 ASN1_BIT_STRING_free(s); 1642 } 1643 return val; 1644 } 1645 1646 /** get valid signers from the list of signers in the signature */ 1647 static STACK_OF(X509)* 1648 get_valid_signers(PKCS7* p7, const char* p7signer) 1649 { 1650 int i; 1651 STACK_OF(X509)* validsigners = sk_X509_new_null(); 1652 STACK_OF(X509)* signers = PKCS7_get0_signers(p7, NULL, 0); 1653 unsigned long usage = 0; 1654 if(!validsigners) { 1655 if(verb) printf("out of memory\n"); 1656 sk_X509_free(signers); 1657 return NULL; 1658 } 1659 if(!signers) { 1660 if(verb) printf("no signers in pkcs7 signature\n"); 1661 sk_X509_free(validsigners); 1662 return NULL; 1663 } 1664 for(i=0; i<sk_X509_num(signers); i++) { 1665 X509_NAME* nm = X509_get_subject_name( 1666 sk_X509_value(signers, i)); 1667 char buf[1024]; 1668 if(!nm) { 1669 if(verb) printf("signer %d: cert has no subject name\n", i); 1670 continue; 1671 } 1672 if(verb && nm) { 1673 char* nmline = X509_NAME_oneline(nm, buf, 1674 (int)sizeof(buf)); 1675 printf("signer %d: Subject: %s\n", i, 1676 nmline?nmline:"no subject"); 1677 if(verb >= 3 && X509_NAME_get_text_by_NID(nm, 1678 NID_commonName, buf, (int)sizeof(buf))) 1679 printf("commonName: %s\n", buf); 1680 if(verb >= 3 && X509_NAME_get_text_by_NID(nm, 1681 NID_pkcs9_emailAddress, buf, (int)sizeof(buf))) 1682 printf("emailAddress: %s\n", buf); 1683 } 1684 if(verb) { 1685 int ku_loc = X509_get_ext_by_NID( 1686 sk_X509_value(signers, i), NID_key_usage, -1); 1687 if(verb >= 3 && ku_loc >= 0) { 1688 X509_EXTENSION *ex = X509_get_ext( 1689 sk_X509_value(signers, i), ku_loc); 1690 if(ex) { 1691 printf("keyUsage: "); 1692 X509V3_EXT_print_fp(stdout, ex, 0, 0); 1693 printf("\n"); 1694 } 1695 } 1696 } 1697 if(!p7signer || strcmp(p7signer, "")==0) { 1698 /* there is no name to check, return all records */ 1699 if(verb) printf("did not check commonName of signer\n"); 1700 } else { 1701 if(!X509_NAME_get_text_by_NID(nm, 1702 NID_pkcs9_emailAddress, 1703 buf, (int)sizeof(buf))) { 1704 if(verb) printf("removed cert with no name\n"); 1705 continue; /* no name, no use */ 1706 } 1707 if(strcmp(buf, p7signer) != 0) { 1708 if(verb) printf("removed cert with wrong name\n"); 1709 continue; /* wrong name, skip it */ 1710 } 1711 } 1712 1713 /* check that the key usage allows digital signatures 1714 * (the p7s) */ 1715 usage = get_usage_of_ex(sk_X509_value(signers, i)); 1716 if(!(usage & KU_DIGITAL_SIGNATURE)) { 1717 if(verb) printf("removed cert with no key usage Digital Signature allowed\n"); 1718 continue; 1719 } 1720 1721 /* we like this cert, add it to our list of valid 1722 * signers certificates */ 1723 sk_X509_push(validsigners, sk_X509_value(signers, i)); 1724 } 1725 sk_X509_free(signers); 1726 return validsigners; 1727 } 1728 1729 /** verify a PKCS7 signature, false on failure */ 1730 static int 1731 verify_p7sig(BIO* data, BIO* p7s, STACK_OF(X509)* trust, const char* p7signer) 1732 { 1733 PKCS7* p7; 1734 X509_STORE *store = X509_STORE_new(); 1735 STACK_OF(X509)* validsigners; 1736 int secure = 0; 1737 int i; 1738 #ifdef X509_V_FLAG_CHECK_SS_SIGNATURE 1739 X509_VERIFY_PARAM* param = X509_VERIFY_PARAM_new(); 1740 if(!param) { 1741 if(verb) printf("out of memory\n"); 1742 X509_STORE_free(store); 1743 return 0; 1744 } 1745 /* do the selfcheck on the root certificate; it checks that the 1746 * input is valid */ 1747 X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CHECK_SS_SIGNATURE); 1748 if(store) X509_STORE_set1_param(store, param); 1749 #endif 1750 if(!store) { 1751 if(verb) printf("out of memory\n"); 1752 #ifdef X509_V_FLAG_CHECK_SS_SIGNATURE 1753 X509_VERIFY_PARAM_free(param); 1754 #endif 1755 return 0; 1756 } 1757 #ifdef X509_V_FLAG_CHECK_SS_SIGNATURE 1758 X509_VERIFY_PARAM_free(param); 1759 #endif 1760 1761 (void)BIO_reset(p7s); 1762 (void)BIO_reset(data); 1763 1764 /* convert p7s to p7 (the signature) */ 1765 p7 = d2i_PKCS7_bio(p7s, NULL); 1766 if(!p7) { 1767 if(verb) printf("could not parse p7s signature file\n"); 1768 X509_STORE_free(store); 1769 return 0; 1770 } 1771 if(verb >= 2) printf("parsed the PKCS7 signature\n"); 1772 1773 /* convert trust to trusted certificate store */ 1774 for(i=0; i<sk_X509_num(trust); i++) { 1775 if(!X509_STORE_add_cert(store, sk_X509_value(trust, i))) { 1776 if(verb) printf("failed X509_STORE_add_cert\n"); 1777 X509_STORE_free(store); 1778 PKCS7_free(p7); 1779 return 0; 1780 } 1781 } 1782 if(verb >= 2) printf("setup the X509_STORE\n"); 1783 1784 /* check what is in the Subject name of the certificates, 1785 * and build a stack that contains only the right certificates */ 1786 validsigners = get_valid_signers(p7, p7signer); 1787 if(!validsigners) { 1788 X509_STORE_free(store); 1789 PKCS7_free(p7); 1790 return 0; 1791 } 1792 if(PKCS7_verify(p7, validsigners, store, data, NULL, PKCS7_NOINTERN) == 1) { 1793 secure = 1; 1794 if(verb) printf("the PKCS7 signature verified\n"); 1795 } else { 1796 if(verb) { 1797 ERR_print_errors_fp(stdout); 1798 } 1799 } 1800 1801 sk_X509_free(validsigners); 1802 X509_STORE_free(store); 1803 PKCS7_free(p7); 1804 return secure; 1805 } 1806 1807 /** write unsigned root anchor file, a 5011 revoked tp */ 1808 static void 1809 write_unsigned_root(const char* root_anchor_file) 1810 { 1811 FILE* out; 1812 time_t now = time(NULL); 1813 out = fopen(root_anchor_file, "w"); 1814 if(!out) { 1815 if(verb) printf("%s: %s\n", root_anchor_file, strerror(errno)); 1816 return; 1817 } 1818 if(fprintf(out, "; autotrust trust anchor file\n" 1819 ";;REVOKED\n" 1820 ";;id: . 1\n" 1821 "; This file was written by unbound-anchor on %s" 1822 "; It indicates that the root does not use DNSSEC\n" 1823 "; to restart DNSSEC overwrite this file with a\n" 1824 "; valid trustanchor or (empty-it and run unbound-anchor)\n" 1825 , ctime(&now)) < 0) { 1826 if(verb) printf("failed to write 'unsigned' to %s\n", 1827 root_anchor_file); 1828 if(verb && errno != 0) printf("%s\n", strerror(errno)); 1829 } 1830 fclose(out); 1831 } 1832 1833 /** write root anchor file */ 1834 static void 1835 write_root_anchor(const char* root_anchor_file, BIO* ds) 1836 { 1837 char* pp = NULL; 1838 int len; 1839 FILE* out; 1840 (void)BIO_seek(ds, 0); 1841 len = BIO_get_mem_data(ds, &pp); 1842 if(!len || !pp) { 1843 if(verb) printf("out of memory\n"); 1844 return; 1845 } 1846 out = fopen(root_anchor_file, "w"); 1847 if(!out) { 1848 if(verb) printf("%s: %s\n", root_anchor_file, strerror(errno)); 1849 return; 1850 } 1851 if(fwrite(pp, (size_t)len, 1, out) != 1) { 1852 if(verb) printf("failed to write all data to %s\n", 1853 root_anchor_file); 1854 if(verb && errno != 0) printf("%s\n", strerror(errno)); 1855 } 1856 fclose(out); 1857 } 1858 1859 /** Perform the verification and update of the trustanchor file */ 1860 static void 1861 verify_and_update_anchor(const char* root_anchor_file, BIO* xml, BIO* p7s, 1862 STACK_OF(X509)* cert, const char* p7signer) 1863 { 1864 BIO* ds; 1865 1866 /* verify xml file */ 1867 if(!verify_p7sig(xml, p7s, cert, p7signer)) { 1868 printf("the PKCS7 signature failed\n"); 1869 exit(0); 1870 } 1871 1872 /* parse the xml file into DS records */ 1873 ds = xml_parse(xml, time(NULL)); 1874 if(!ds) { 1875 /* the root zone is unsigned now */ 1876 write_unsigned_root(root_anchor_file); 1877 } else { 1878 /* reinstate 5011 tracking */ 1879 write_root_anchor(root_anchor_file, ds); 1880 } 1881 BIO_free(ds); 1882 } 1883 1884 #ifdef USE_WINSOCK 1885 static void do_wsa_cleanup(void) { WSACleanup(); } 1886 #endif 1887 1888 /** perform actual certupdate work */ 1889 static int 1890 do_certupdate(const char* root_anchor_file, const char* root_cert_file, 1891 const char* urlname, const char* xmlname, const char* p7sname, 1892 const char* p7signer, const char* res_conf, const char* root_hints, 1893 const char* debugconf, int ip4only, int ip6only, int port, 1894 struct ub_result* dnskey) 1895 { 1896 STACK_OF(X509)* cert; 1897 BIO *xml, *p7s; 1898 struct ip_list* ip_list = NULL; 1899 1900 /* read pem file or provide builtin */ 1901 cert = read_cert_or_builtin(root_cert_file); 1902 1903 /* lookup A, AAAA for the urlname (or parse urlname if IP address) */ 1904 ip_list = resolve_name(urlname, port, res_conf, root_hints, debugconf, 1905 ip4only, ip6only); 1906 1907 #ifdef USE_WINSOCK 1908 if(1) { /* libunbound finished, startup WSA for the https connection */ 1909 WSADATA wsa_data; 1910 int r; 1911 if((r = WSAStartup(MAKEWORD(2,2), &wsa_data)) != 0) { 1912 if(verb) printf("WSAStartup failed: %s\n", 1913 wsa_strerror(r)); 1914 exit(0); 1915 } 1916 atexit(&do_wsa_cleanup); 1917 } 1918 #endif 1919 1920 /* fetch the necessary files over HTTPS */ 1921 xml = https(ip_list, xmlname, urlname); 1922 p7s = https(ip_list, p7sname, urlname); 1923 1924 /* verify and update the root anchor */ 1925 verify_and_update_anchor(root_anchor_file, xml, p7s, cert, p7signer); 1926 if(verb) printf("success: the anchor has been updated " 1927 "using the cert\n"); 1928 1929 free_file_bio(xml); 1930 free_file_bio(p7s); 1931 #ifndef S_SPLINT_S 1932 sk_X509_pop_free(cert, X509_free); 1933 #endif 1934 ub_resolve_free(dnskey); 1935 ip_list_free(ip_list); 1936 return 1; 1937 } 1938 1939 /** 1940 * Try to read the root RFC5011 autotrust anchor file, 1941 * @param file: filename. 1942 * @return: 1943 * 0 if does not exist or empty 1944 * 1 if trust-point-revoked-5011 1945 * 2 if it is OK. 1946 */ 1947 static int 1948 try_read_anchor(const char* file) 1949 { 1950 int empty = 1; 1951 char line[10240]; 1952 char* p; 1953 FILE* in = fopen(file, "r"); 1954 if(!in) { 1955 /* only if the file does not exist, can we fix it */ 1956 if(errno != ENOENT) { 1957 if(verb) printf("%s: %s\n", file, strerror(errno)); 1958 if(verb) printf("error: cannot access the file\n"); 1959 exit(0); 1960 } 1961 if(verb) printf("%s does not exist\n", file); 1962 return 0; 1963 } 1964 while(fgets(line, (int)sizeof(line), in)) { 1965 line[sizeof(line)-1] = 0; 1966 if(strncmp(line, ";;REVOKED", 9) == 0) { 1967 fclose(in); 1968 if(verb) printf("%s : the trust point is revoked\n" 1969 "and the zone is considered unsigned.\n" 1970 "if you wish to re-enable, delete the file\n", 1971 file); 1972 return 1; 1973 } 1974 p=line; 1975 while(*p == ' ' || *p == '\t') 1976 p++; 1977 if(p[0]==0 || p[0]=='\n' || p[0]==';') continue; 1978 /* this line is a line of content */ 1979 empty = 0; 1980 } 1981 fclose(in); 1982 if(empty) { 1983 if(verb) printf("%s is empty\n", file); 1984 return 0; 1985 } 1986 if(verb) printf("%s has content\n", file); 1987 return 2; 1988 } 1989 1990 /** Write the builtin root anchor to a file */ 1991 static void 1992 write_builtin_anchor(const char* file) 1993 { 1994 const char* builtin_root_anchor = get_builtin_ds(); 1995 FILE* out = fopen(file, "w"); 1996 if(!out) { 1997 if(verb) printf("%s: %s\n", file, strerror(errno)); 1998 if(verb) printf(" could not write builtin anchor\n"); 1999 return; 2000 } 2001 if(!fwrite(builtin_root_anchor, strlen(builtin_root_anchor), 1, out)) { 2002 if(verb) printf("%s: %s\n", file, strerror(errno)); 2003 if(verb) printf(" could not complete write builtin anchor\n"); 2004 } 2005 fclose(out); 2006 } 2007 2008 /** 2009 * Check the root anchor file. 2010 * If does not exist, provide builtin and write file. 2011 * If empty, provide builtin and write file. 2012 * If trust-point-revoked-5011 file: make the program exit. 2013 * @param root_anchor_file: filename of the root anchor. 2014 * @param used_builtin: set to 1 if the builtin is written. 2015 * @return 0 if trustpoint is insecure, 1 on success. Exit on failure. 2016 */ 2017 static int 2018 provide_builtin(const char* root_anchor_file, int* used_builtin) 2019 { 2020 /* try to read it */ 2021 switch(try_read_anchor(root_anchor_file)) 2022 { 2023 case 0: /* no exist or empty */ 2024 write_builtin_anchor(root_anchor_file); 2025 *used_builtin = 1; 2026 break; 2027 case 1: /* revoked tp */ 2028 return 0; 2029 case 2: /* it is fine */ 2030 default: 2031 break; 2032 } 2033 return 1; 2034 } 2035 2036 /** 2037 * add an autotrust anchor for the root to the context 2038 */ 2039 static void 2040 add_5011_probe_root(struct ub_ctx* ctx, const char* root_anchor_file) 2041 { 2042 int r; 2043 r = ub_ctx_set_option(ctx, "auto-trust-anchor-file:", root_anchor_file); 2044 if(r) { 2045 if(verb) printf("add 5011 probe to ctx: %s\n", ub_strerror(r)); 2046 ub_ctx_delete(ctx); 2047 exit(0); 2048 } 2049 } 2050 2051 /** 2052 * Prime the root key and return the result. Exit on error. 2053 * @param ctx: the unbound context to perform the priming with. 2054 * @return: the result of the prime, on error it exit()s. 2055 */ 2056 static struct ub_result* 2057 prime_root_key(struct ub_ctx* ctx) 2058 { 2059 struct ub_result* res = NULL; 2060 int r; 2061 r = ub_resolve(ctx, ".", LDNS_RR_TYPE_DNSKEY, LDNS_RR_CLASS_IN, &res); 2062 if(r) { 2063 if(verb) printf("resolve DNSKEY: %s\n", ub_strerror(r)); 2064 ub_ctx_delete(ctx); 2065 exit(0); 2066 } 2067 if(!res) { 2068 if(verb) printf("out of memory\n"); 2069 ub_ctx_delete(ctx); 2070 exit(0); 2071 } 2072 return res; 2073 } 2074 2075 /** see if ADDPEND keys exist in autotrust file (if possible) */ 2076 static int 2077 read_if_pending_keys(const char* file) 2078 { 2079 FILE* in = fopen(file, "r"); 2080 char line[8192]; 2081 if(!in) { 2082 if(verb>=2) printf("%s: %s\n", file, strerror(errno)); 2083 return 0; 2084 } 2085 while(fgets(line, (int)sizeof(line), in)) { 2086 if(line[0]==';') continue; 2087 if(strstr(line, "[ ADDPEND ]")) { 2088 fclose(in); 2089 if(verb) printf("RFC5011-state has ADDPEND keys\n"); 2090 return 1; 2091 } 2092 } 2093 fclose(in); 2094 return 0; 2095 } 2096 2097 /** read last successful probe time from autotrust file (if possible) */ 2098 static int32_t 2099 read_last_success_time(const char* file) 2100 { 2101 FILE* in = fopen(file, "r"); 2102 char line[1024]; 2103 if(!in) { 2104 if(verb) printf("%s: %s\n", file, strerror(errno)); 2105 return 0; 2106 } 2107 while(fgets(line, (int)sizeof(line), in)) { 2108 if(strncmp(line, ";;last_success: ", 16) == 0) { 2109 char* e; 2110 time_t x = (unsigned int)strtol(line+16, &e, 10); 2111 fclose(in); 2112 if(line+16 == e) { 2113 if(verb) printf("failed to parse " 2114 "last_success probe time\n"); 2115 return 0; 2116 } 2117 if(verb) printf("last successful probe: %s", ctime(&x)); 2118 return (int32_t)x; 2119 } 2120 } 2121 fclose(in); 2122 if(verb) printf("no last_success probe time in anchor file\n"); 2123 return 0; 2124 } 2125 2126 /** 2127 * Read autotrust 5011 probe file and see if the date 2128 * compared to the current date allows a certupdate. 2129 * If the last successful probe was recent then 5011 cannot be behind, 2130 * and the failure cannot be solved with a certupdate. 2131 * The debugconf is to validation-override the date for testing. 2132 * @param root_anchor_file: filename of root key 2133 * @return true if certupdate is ok. 2134 */ 2135 static int 2136 probe_date_allows_certupdate(const char* root_anchor_file) 2137 { 2138 int has_pending_keys = read_if_pending_keys(root_anchor_file); 2139 int32_t last_success = read_last_success_time(root_anchor_file); 2140 int32_t now = (int32_t)time(NULL); 2141 int32_t leeway = 30 * 24 * 3600; /* 30 days leeway */ 2142 /* if the date is before 2010-07-15:00.00.00 then the root has not 2143 * been signed yet, and thus we refuse to take action. */ 2144 if(time(NULL) < xml_convertdate("2010-07-15T00:00:00")) { 2145 if(verb) printf("the date is before the root was first signed," 2146 " please correct the clock\n"); 2147 return 0; 2148 } 2149 if(last_success == 0) 2150 return 1; /* no probe time */ 2151 if(has_pending_keys) 2152 return 1; /* key in ADDPEND state, a previous probe has 2153 inserted that, and it was present in all recent probes, 2154 but it has not become active. The 30 day timer may not have 2155 expired, but we know(for sure) there is a rollover going on. 2156 If we only managed to pickup the new key on its last day 2157 of announcement (for example) this can happen. */ 2158 if(now - last_success < 0) { 2159 if(verb) printf("the last successful probe is in the future," 2160 " clock was modified\n"); 2161 return 0; 2162 } 2163 if(now - last_success >= leeway) { 2164 if(verb) printf("the last successful probe was more than 30 " 2165 "days ago\n"); 2166 return 1; 2167 } 2168 if(verb) printf("the last successful probe is recent\n"); 2169 return 0; 2170 } 2171 2172 /** perform the unbound-anchor work */ 2173 static int 2174 do_root_update_work(const char* root_anchor_file, const char* root_cert_file, 2175 const char* urlname, const char* xmlname, const char* p7sname, 2176 const char* p7signer, const char* res_conf, const char* root_hints, 2177 const char* debugconf, int ip4only, int ip6only, int force, int port) 2178 { 2179 struct ub_ctx* ctx; 2180 struct ub_result* dnskey; 2181 int used_builtin = 0; 2182 2183 /* see if builtin rootanchor needs to be provided, or if 2184 * rootanchor is 'revoked-trust-point' */ 2185 if(!provide_builtin(root_anchor_file, &used_builtin)) 2186 return 0; 2187 2188 /* make unbound context with 5011-probe for root anchor, 2189 * and probe . DNSKEY */ 2190 ctx = create_unbound_context(res_conf, root_hints, debugconf, 2191 ip4only, ip6only); 2192 add_5011_probe_root(ctx, root_anchor_file); 2193 dnskey = prime_root_key(ctx); 2194 ub_ctx_delete(ctx); 2195 2196 /* if secure: exit */ 2197 if(dnskey->secure && !force) { 2198 if(verb) printf("success: the anchor is ok\n"); 2199 ub_resolve_free(dnskey); 2200 return used_builtin; 2201 } 2202 if(force && verb) printf("debug cert update forced\n"); 2203 2204 /* if not (and NOERROR): check date and do certupdate */ 2205 if((dnskey->rcode == 0 && 2206 probe_date_allows_certupdate(root_anchor_file)) || force) { 2207 if(do_certupdate(root_anchor_file, root_cert_file, urlname, 2208 xmlname, p7sname, p7signer, res_conf, root_hints, 2209 debugconf, ip4only, ip6only, port, dnskey)) 2210 return 1; 2211 return used_builtin; 2212 } 2213 if(verb) printf("fail: the anchor is NOT ok and could not be fixed\n"); 2214 ub_resolve_free(dnskey); 2215 return used_builtin; 2216 } 2217 2218 /** getopt global, in case header files fail to declare it. */ 2219 extern int optind; 2220 /** getopt global, in case header files fail to declare it. */ 2221 extern char* optarg; 2222 2223 /** Main routine for unbound-anchor */ 2224 int main(int argc, char* argv[]) 2225 { 2226 int c; 2227 const char* root_anchor_file = ROOT_ANCHOR_FILE; 2228 const char* root_cert_file = ROOT_CERT_FILE; 2229 const char* urlname = URLNAME; 2230 const char* xmlname = XMLNAME; 2231 const char* p7sname = P7SNAME; 2232 const char* p7signer = P7SIGNER; 2233 const char* res_conf = NULL; 2234 const char* root_hints = NULL; 2235 const char* debugconf = NULL; 2236 int dolist=0, ip4only=0, ip6only=0, force=0, port = HTTPS_PORT; 2237 /* parse the options */ 2238 while( (c=getopt(argc, argv, "46C:FP:a:c:f:hln:r:s:u:vx:")) != -1) { 2239 switch(c) { 2240 case 'l': 2241 dolist = 1; 2242 break; 2243 case '4': 2244 ip4only = 1; 2245 break; 2246 case '6': 2247 ip6only = 1; 2248 break; 2249 case 'a': 2250 root_anchor_file = optarg; 2251 break; 2252 case 'c': 2253 root_cert_file = optarg; 2254 break; 2255 case 'u': 2256 urlname = optarg; 2257 break; 2258 case 'x': 2259 xmlname = optarg; 2260 break; 2261 case 's': 2262 p7sname = optarg; 2263 break; 2264 case 'n': 2265 p7signer = optarg; 2266 break; 2267 case 'f': 2268 res_conf = optarg; 2269 break; 2270 case 'r': 2271 root_hints = optarg; 2272 break; 2273 case 'C': 2274 debugconf = optarg; 2275 break; 2276 case 'F': 2277 force = 1; 2278 break; 2279 case 'P': 2280 port = atoi(optarg); 2281 break; 2282 case 'v': 2283 verb++; 2284 break; 2285 case '?': 2286 case 'h': 2287 default: 2288 usage(); 2289 } 2290 } 2291 argc -= optind; 2292 argv += optind; 2293 if(argc != 0) 2294 usage(); 2295 2296 ERR_load_crypto_strings(); 2297 ERR_load_SSL_strings(); 2298 OpenSSL_add_all_algorithms(); 2299 (void)SSL_library_init(); 2300 2301 if(dolist) do_list_builtin(); 2302 2303 return do_root_update_work(root_anchor_file, root_cert_file, urlname, 2304 xmlname, p7sname, p7signer, res_conf, root_hints, debugconf, 2305 ip4only, ip6only, force, port); 2306 } 2307