xref: /freebsd/contrib/unbound/smallapp/unbound-anchor.c (revision cdebaff820b2a4915a16cedfd511823d78aab171)
1 /*
2  * unbound-anchor.c - update the root anchor if necessary.
3  *
4  * Copyright (c) 2010, NLnet Labs. All rights reserved.
5  *
6  * This software is open source.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * Redistributions of source code must retain the above copyright notice,
13  * this list of conditions and the following disclaimer.
14  *
15  * Redistributions in binary form must reproduce the above copyright notice,
16  * this list of conditions and the following disclaimer in the documentation
17  * and/or other materials provided with the distribution.
18  *
19  * Neither the name of the NLNET LABS nor the names of its contributors may
20  * be used to endorse or promote products derived from this software without
21  * specific prior written permission.
22  *
23  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26  * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27  * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29  * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31  * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32  * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34  */
35 
36 /**
37  * \file
38  *
39  * This file checks to see that the current 5011 keys work to prime the
40  * current root anchor.  If not a certificate is used to update the anchor,
41  * with RFC7958 https xml fetch.
42  *
43  * This is a concept solution for distribution of the DNSSEC root
44  * trust anchor.  It is a small tool, called "unbound-anchor", that
45  * runs before the main validator starts.  I.e. in the init script:
46  * unbound-anchor; unbound.  Thus it is meant to run at system boot time.
47  *
48  * Management-Abstract:
49  *    * first run: fill root.key file with hardcoded DS record.
50  *    * mostly: use RFC5011 tracking, quick . DNSKEY UDP query.
51  *    * failover: use RFC7958 builtin certificate, do https and update.
52  * Special considerations:
53  *    * 30-days RFC5011 timer saves a lot of https traffic.
54  *    * DNSKEY probe must be NOERROR, saves a lot of https traffic.
55  *    * fail if clock before sign date of the root, if cert expired.
56  *    * if the root goes back to unsigned, deals with it.
57  *
58  * It has hardcoded the root DS anchors and the ICANN CA root certificate.
59  * It allows with options to override those.  It also takes root-hints (it
60  * has to do a DNS resolve), and also has hardcoded defaults for those.
61  *
62  * Once it starts, just before the validator starts, it quickly checks if
63  * the root anchor file needs to be updated.  First it tries to use
64  * RFC5011-tracking of the root key.  If that fails (and for 30-days since
65  * last successful probe), then it attempts to update using the
66  * certificate.  So most of the time, the RFC5011 tracking will work fine,
67  * and within a couple milliseconds, the main daemon can start.  It will
68  * have only probed the . DNSKEY, not done expensive https transfers on the
69  * root infrastructure.
70  *
71  * If there is no root key in the root.key file, it bootstraps the
72  * RFC5011-tracking with its builtin DS anchors; if that fails it
73  * bootstraps the RFC5011-tracking using the certificate.  (again to avoid
74  * https, and it is also faster).
75  *
76  * It uses the XML file by converting it to DS records and writing that to the
77  * key file.  Unbound can detect that the 'special comments' are gone, and
78  * the file contains a list of normal DNSKEY/DS records, and uses that to
79  * bootstrap 5011 (the KSK is made VALID).
80  *
81  * The certificate RFC7958 update is done by fetching root-anchors.xml and
82  * root-anchors.p7s via SSL.  The HTTPS certificate can be logged but is
83  * not validated (https for channel security; the security comes from the
84  * certificate).  The 'data.iana.org' domain name A and AAAA are resolved
85  * without DNSSEC.  It tries a random IP until the transfer succeeds.  It
86  * then checks the p7s signature.
87  *
88  * On any failure, it leaves the root key file untouched.  The main
89  * validator has to cope with it, it cannot fix things (So a failure does
90  * not go 'without DNSSEC', no downgrade).  If it used its builtin stuff or
91  * did the https, it exits with an exit code, so that this can trigger the
92  * init script to log the event and potentially alert the operator that can
93  * do a manual check.
94  *
95  * The date is also checked.  Before 2010-07-15 is a failure (root not
96  * signed yet; avoids attacks on system clock).  The
97  * last-successful-RFC5011-probe (if available) has to be more than 30 days
98  * in the past (otherwise, RFC5011 should have worked).  This keeps
99  * unnecessary https traffic down.  If the main certificate is expired, it
100  * fails.
101  *
102  * The dates on the keys in the xml are checked (uses the libexpat xml
103  * parser), only the valid ones are used to re-enstate RFC5011 tracking.
104  * If 0 keys are valid, the zone has gone to insecure (a special marker is
105  * written in the keyfile that tells the main validator daemon the zone is
106  * insecure).
107  *
108  * Only the root ICANN CA is shipped, not the intermediate ones.  The
109  * intermediate CAs are included in the p7s file that was downloaded.  (the
110  * root cert is valid to 2028 and the intermediate to 2014, today).
111  *
112  * Obviously, the tool also has options so the operator can provide a new
113  * keyfile, a new certificate and new URLs, and fresh root hints.  By
114  * default it logs nothing on failure and success; it 'just works'.
115  *
116  */
117 
118 #include "config.h"
119 #include "libunbound/unbound.h"
120 #include "sldns/rrdef.h"
121 #include "sldns/parseutil.h"
122 #include <expat.h>
123 #ifndef HAVE_EXPAT_H
124 #error "need libexpat to parse root-anchors.xml file."
125 #endif
126 #ifdef HAVE_GETOPT_H
127 #include <getopt.h>
128 #endif
129 #ifdef HAVE_OPENSSL_SSL_H
130 #include <openssl/ssl.h>
131 #endif
132 #ifdef HAVE_OPENSSL_ERR_H
133 #include <openssl/err.h>
134 #endif
135 #ifdef HAVE_OPENSSL_RAND_H
136 #include <openssl/rand.h>
137 #endif
138 #include <openssl/x509.h>
139 #include <openssl/x509v3.h>
140 #include <openssl/pem.h>
141 
142 /** name of server in URL to fetch HTTPS from */
143 #define URLNAME "data.iana.org"
144 /** path on HTTPS server to xml file */
145 #define XMLNAME "root-anchors/root-anchors.xml"
146 /** path on HTTPS server to p7s file */
147 #define P7SNAME "root-anchors/root-anchors.p7s"
148 /** name of the signer of the certificate */
149 #define P7SIGNER "dnssec@iana.org"
150 /** port number for https access */
151 #define HTTPS_PORT 443
152 
153 #ifdef USE_WINSOCK
154 /* sneakily reuse the the wsa_strerror function, on windows */
155 char* wsa_strerror(int err);
156 #endif
157 
158 /** verbosity for this application */
159 static int verb = 0;
160 
161 /** list of IP addresses */
162 struct ip_list {
163 	/** next in list */
164 	struct ip_list* next;
165 	/** length of addr */
166 	socklen_t len;
167 	/** address ready to connect to */
168 	struct sockaddr_storage addr;
169 	/** has the address been used */
170 	int used;
171 };
172 
173 /** Give unbound-anchor usage, and exit (1). */
174 static void
175 usage(void)
176 {
177 	printf("Usage:	unbound-anchor [opts]\n");
178 	printf("	Setup or update root anchor. "
179 		"Most options have defaults.\n");
180 	printf("	Run this program before you start the validator.\n");
181 	printf("\n");
182 	printf("	The anchor and cert have default builtin content\n");
183 	printf("	if the file does not exist or is empty.\n");
184 	printf("\n");
185 	printf("-a file		root key file, default %s\n", ROOT_ANCHOR_FILE);
186 	printf("		The key is input and output for this tool.\n");
187 	printf("-c file		cert file, default %s\n", ROOT_CERT_FILE);
188 	printf("-l		list builtin key and cert on stdout\n");
189 	printf("-u name		server in https url, default %s\n", URLNAME);
190 	printf("-x path		pathname to xml in url, default %s\n", XMLNAME);
191 	printf("-s path		pathname to p7s in url, default %s\n", P7SNAME);
192 	printf("-n name		signer's subject emailAddress, default %s\n", P7SIGNER);
193 	printf("-4		work using IPv4 only\n");
194 	printf("-6		work using IPv6 only\n");
195 	printf("-f resolv.conf	use given resolv.conf to resolve -u name\n");
196 	printf("-r root.hints	use given root.hints to resolve -u name\n"
197 		"		builtin root hints are used by default\n");
198 	printf("-v		more verbose\n");
199 	printf("-C conf		debug, read config\n");
200 	printf("-P port		use port for https connect, default 443\n");
201 	printf("-F 		debug, force update with cert\n");
202 	printf("-h		show this usage help\n");
203 	printf("Version %s\n", PACKAGE_VERSION);
204 	printf("BSD licensed, see LICENSE in source package for details.\n");
205 	printf("Report bugs to %s\n", PACKAGE_BUGREPORT);
206 	exit(1);
207 }
208 
209 /** return the built in root update certificate */
210 static const char*
211 get_builtin_cert(void)
212 {
213 	return
214 /* The ICANN CA fetched at 24 Sep 2010.  Valid to 2028 */
215 "-----BEGIN CERTIFICATE-----\n"
216 "MIIDdzCCAl+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO\n"
217 "TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV\n"
218 "BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA0MTkxMloX\n"
219 "DTI5MTIxODA0MTkxMlowXTEOMAwGA1UEChMFSUNBTk4xJjAkBgNVBAsTHUlDQU5O\n"
220 "IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRYwFAYDVQQDEw1JQ0FOTiBSb290IENB\n"
221 "MQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKDb\n"
222 "cLhPNNqc1NB+u+oVvOnJESofYS9qub0/PXagmgr37pNublVThIzyLPGCJ8gPms9S\n"
223 "G1TaKNIsMI7d+5IgMy3WyPEOECGIcfqEIktdR1YWfJufXcMReZwU4v/AdKzdOdfg\n"
224 "ONiwc6r70duEr1IiqPbVm5T05l1e6D+HkAvHGnf1LtOPGs4CHQdpIUcy2kauAEy2\n"
225 "paKcOcHASvbTHK7TbbvHGPB+7faAztABLoneErruEcumetcNfPMIjXKdv1V1E3C7\n"
226 "MSJKy+jAqqQJqjZoQGB0necZgUMiUv7JK1IPQRM2CXJllcyJrm9WFxY0c1KjBO29\n"
227 "iIKK69fcglKcBuFShUECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8B\n"
228 "Af8EBAMCAf4wHQYDVR0OBBYEFLpS6UmDJIZSL8eZzfyNa2kITcBQMA0GCSqGSIb3\n"
229 "DQEBCwUAA4IBAQAP8emCogqHny2UYFqywEuhLys7R9UKmYY4suzGO4nkbgfPFMfH\n"
230 "6M+Zj6owwxlwueZt1j/IaCayoKU3QsrYYoDRolpILh+FPwx7wseUEV8ZKpWsoDoD\n"
231 "2JFbLg2cfB8u/OlE4RYmcxxFSmXBg0yQ8/IoQt/bxOcEEhhiQ168H2yE5rxJMt9h\n"
232 "15nu5JBSewrCkYqYYmaxyOC3WrVGfHZxVI7MpIFcGdvSb2a1uyuua8l0BKgk3ujF\n"
233 "0/wsHNeP22qNyVO+XVBzrM8fk8BSUFuiT/6tZTYXRtEt5aKQZgXbKU5dUF3jT9qg\n"
234 "j/Br5BZw3X/zd325TvnswzMC1+ljLzHnQGGk\n"
235 "-----END CERTIFICATE-----\n"
236 		;
237 }
238 
239 /** return the built in root DS trust anchor */
240 static const char*
241 get_builtin_ds(void)
242 {
243 	return
244 ". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5\n";
245 }
246 
247 /** print hex data */
248 static void
249 print_data(const char* msg, const char* data, int len)
250 {
251 	int i;
252 	printf("%s: ", msg);
253 	for(i=0; i<len; i++) {
254 		printf(" %2.2x", (unsigned char)data[i]);
255 	}
256 	printf("\n");
257 }
258 
259 /** print ub context creation error and exit */
260 static void
261 ub_ctx_error_exit(struct ub_ctx* ctx, const char* str, const char* str2)
262 {
263 	ub_ctx_delete(ctx);
264 	if(str && str2 && verb) printf("%s: %s\n", str, str2);
265 	if(verb) printf("error: could not create unbound resolver context\n");
266 	exit(0);
267 }
268 
269 /**
270  * Create a new unbound context with the commandline settings applied
271  */
272 static struct ub_ctx*
273 create_unbound_context(const char* res_conf, const char* root_hints,
274 	const char* debugconf, int ip4only, int ip6only)
275 {
276 	int r;
277 	struct ub_ctx* ctx = ub_ctx_create();
278 	if(!ctx) {
279 		if(verb) printf("out of memory\n");
280 		exit(0);
281 	}
282 	/* do not waste time and network traffic to fetch extra nameservers */
283 	r = ub_ctx_set_option(ctx, "target-fetch-policy:", "0 0 0 0 0");
284 	if(r && verb) printf("ctx targetfetchpolicy: %s\n", ub_strerror(r));
285 	/* read config file first, so its settings can be overridden */
286 	if(debugconf) {
287 		r = ub_ctx_config(ctx, debugconf);
288 		if(r) ub_ctx_error_exit(ctx, debugconf, ub_strerror(r));
289 	}
290 	if(res_conf) {
291 		r = ub_ctx_resolvconf(ctx, res_conf);
292 		if(r) ub_ctx_error_exit(ctx, res_conf, ub_strerror(r));
293 	}
294 	if(root_hints) {
295 		r = ub_ctx_set_option(ctx, "root-hints:", root_hints);
296 		if(r) ub_ctx_error_exit(ctx, root_hints, ub_strerror(r));
297 	}
298 	if(ip4only) {
299 		r = ub_ctx_set_option(ctx, "do-ip6:", "no");
300 		if(r) ub_ctx_error_exit(ctx, "ip4only", ub_strerror(r));
301 	}
302 	if(ip6only) {
303 		r = ub_ctx_set_option(ctx, "do-ip4:", "no");
304 		if(r) ub_ctx_error_exit(ctx, "ip6only", ub_strerror(r));
305 	}
306 	return ctx;
307 }
308 
309 /** printout certificate in detail */
310 static void
311 verb_cert(const char* msg, X509* x)
312 {
313 	if(verb == 0 || verb == 1) return;
314 	if(verb == 2) {
315 		if(msg) printf("%s\n", msg);
316 		X509_print_ex_fp(stdout, x, 0, (unsigned long)-1
317 			^(X509_FLAG_NO_SUBJECT
318 			|X509_FLAG_NO_ISSUER|X509_FLAG_NO_VALIDITY));
319 		return;
320 	}
321 	if(msg) printf("%s\n", msg);
322 	X509_print_fp(stdout, x);
323 }
324 
325 /** printout certificates in detail */
326 static void
327 verb_certs(const char* msg, STACK_OF(X509)* sk)
328 {
329 	int i, num = sk_X509_num(sk);
330 	if(verb == 0 || verb == 1) return;
331 	for(i=0; i<num; i++) {
332 		printf("%s (%d/%d)\n", msg, i, num);
333 		verb_cert(NULL, sk_X509_value(sk, i));
334 	}
335 }
336 
337 /** read certificates from a PEM bio */
338 static STACK_OF(X509)*
339 read_cert_bio(BIO* bio)
340 {
341 	STACK_OF(X509) *sk = sk_X509_new_null();
342 	if(!sk) {
343 		if(verb) printf("out of memory\n");
344 		exit(0);
345 	}
346 	while(!BIO_eof(bio)) {
347 		X509* x = PEM_read_bio_X509(bio, NULL, 0, NULL);
348 		if(x == NULL) {
349 			if(verb) {
350 				printf("failed to read X509\n");
351 			 	ERR_print_errors_fp(stdout);
352 			}
353 			continue;
354 		}
355 		if(!sk_X509_push(sk, x)) {
356 			if(verb) printf("out of memory\n");
357 			exit(0);
358 		}
359 	}
360 	return sk;
361 }
362 
363 /* read the certificate file */
364 static STACK_OF(X509)*
365 read_cert_file(const char* file)
366 {
367 	STACK_OF(X509)* sk;
368 	FILE* in;
369 	int content = 0;
370 	char buf[128];
371 	if(file == NULL || strcmp(file, "") == 0) {
372 		return NULL;
373 	}
374 	sk = sk_X509_new_null();
375 	if(!sk) {
376 		if(verb) printf("out of memory\n");
377 		exit(0);
378 	}
379 	in = fopen(file, "r");
380 	if(!in) {
381 		if(verb) printf("%s: %s\n", file, strerror(errno));
382 #ifndef S_SPLINT_S
383 		sk_X509_pop_free(sk, X509_free);
384 #endif
385 		return NULL;
386 	}
387 	while(!feof(in)) {
388 		X509* x = PEM_read_X509(in, NULL, 0, NULL);
389 		if(x == NULL) {
390 			if(verb) {
391 				printf("failed to read X509 file\n");
392 			 	ERR_print_errors_fp(stdout);
393 			}
394 			continue;
395 		}
396 		if(!sk_X509_push(sk, x)) {
397 			if(verb) printf("out of memory\n");
398 			fclose(in);
399 			exit(0);
400 		}
401 		content = 1;
402 		/* read away newline after --END CERT-- */
403 		if(!fgets(buf, (int)sizeof(buf), in))
404 			break;
405 	}
406 	fclose(in);
407 	if(!content) {
408 		if(verb) printf("%s is empty\n", file);
409 #ifndef S_SPLINT_S
410 		sk_X509_pop_free(sk, X509_free);
411 #endif
412 		return NULL;
413 	}
414 	return sk;
415 }
416 
417 /** read certificates from the builtin certificate */
418 static STACK_OF(X509)*
419 read_builtin_cert(void)
420 {
421 	const char* builtin_cert = get_builtin_cert();
422 	STACK_OF(X509)* sk;
423 	BIO *bio = BIO_new_mem_buf(builtin_cert,
424 		(int)strlen(builtin_cert));
425 	if(!bio) {
426 		if(verb) printf("out of memory\n");
427 		exit(0);
428 	}
429 	sk = read_cert_bio(bio);
430 	if(!sk) {
431 		if(verb) printf("internal error, out of memory\n");
432 		exit(0);
433 	}
434 	BIO_free(bio);
435 	return sk;
436 }
437 
438 /** read update cert file or use builtin */
439 static STACK_OF(X509)*
440 read_cert_or_builtin(const char* file)
441 {
442 	STACK_OF(X509) *sk = read_cert_file(file);
443 	if(!sk) {
444 		if(verb) printf("using builtin certificate\n");
445 		sk = read_builtin_cert();
446 	}
447 	if(verb) printf("have %d trusted certificates\n", sk_X509_num(sk));
448 	verb_certs("trusted certificates", sk);
449 	return sk;
450 }
451 
452 static void
453 do_list_builtin(void)
454 {
455 	const char* builtin_cert = get_builtin_cert();
456 	const char* builtin_ds = get_builtin_ds();
457 	printf("%s\n", builtin_ds);
458 	printf("%s\n", builtin_cert);
459 	exit(0);
460 }
461 
462 /** printout IP address with message */
463 static void
464 verb_addr(const char* msg, struct ip_list* ip)
465 {
466 	if(verb) {
467 		char out[100];
468 		void* a = &((struct sockaddr_in*)&ip->addr)->sin_addr;
469 		if(ip->len != (socklen_t)sizeof(struct sockaddr_in))
470 			a = &((struct sockaddr_in6*)&ip->addr)->sin6_addr;
471 
472 		if(inet_ntop((int)((struct sockaddr_in*)&ip->addr)->sin_family,
473 			a, out, (socklen_t)sizeof(out))==0)
474 			printf("%s (inet_ntop error)\n", msg);
475 		else printf("%s %s\n", msg, out);
476 	}
477 }
478 
479 /** free ip_list */
480 static void
481 ip_list_free(struct ip_list* p)
482 {
483 	struct ip_list* np;
484 	while(p) {
485 		np = p->next;
486 		free(p);
487 		p = np;
488 	}
489 }
490 
491 /** create ip_list entry for a RR record */
492 static struct ip_list*
493 RR_to_ip(int tp, char* data, int len, int port)
494 {
495 	struct ip_list* ip = (struct ip_list*)calloc(1, sizeof(*ip));
496 	uint16_t p = (uint16_t)port;
497 	if(tp == LDNS_RR_TYPE_A) {
498 		struct sockaddr_in* sa = (struct sockaddr_in*)&ip->addr;
499 		ip->len = (socklen_t)sizeof(*sa);
500 		sa->sin_family = AF_INET;
501 		sa->sin_port = (in_port_t)htons(p);
502 		if(len != (int)sizeof(sa->sin_addr)) {
503 			if(verb) printf("skipped badly formatted A\n");
504 			free(ip);
505 			return NULL;
506 		}
507 		memmove(&sa->sin_addr, data, sizeof(sa->sin_addr));
508 
509 	} else if(tp == LDNS_RR_TYPE_AAAA) {
510 		struct sockaddr_in6* sa = (struct sockaddr_in6*)&ip->addr;
511 		ip->len = (socklen_t)sizeof(*sa);
512 		sa->sin6_family = AF_INET6;
513 		sa->sin6_port = (in_port_t)htons(p);
514 		if(len != (int)sizeof(sa->sin6_addr)) {
515 			if(verb) printf("skipped badly formatted AAAA\n");
516 			free(ip);
517 			return NULL;
518 		}
519 		memmove(&sa->sin6_addr, data, sizeof(sa->sin6_addr));
520 	} else {
521 		if(verb) printf("internal error: bad type in RRtoip\n");
522 		free(ip);
523 		return NULL;
524 	}
525 	verb_addr("resolved server address", ip);
526 	return ip;
527 }
528 
529 /** Resolve name, type, class and add addresses to iplist */
530 static void
531 resolve_host_ip(struct ub_ctx* ctx, const char* host, int port, int tp, int cl,
532 	struct ip_list** head)
533 {
534 	struct ub_result* res = NULL;
535 	int r;
536 	int i;
537 
538 	r = ub_resolve(ctx, host, tp, cl, &res);
539 	if(r) {
540 		if(verb) printf("error: resolve %s %s: %s\n", host,
541 			(tp==LDNS_RR_TYPE_A)?"A":"AAAA", ub_strerror(r));
542 		return;
543 	}
544 	if(!res) {
545 		if(verb) printf("out of memory\n");
546 		ub_ctx_delete(ctx);
547 		exit(0);
548 	}
549 	if(!res->havedata || res->rcode || !res->data) {
550 		if(verb) printf("resolve %s %s: no result\n", host,
551 			(tp==LDNS_RR_TYPE_A)?"A":"AAAA");
552 		return;
553 	}
554 	for(i = 0; res->data[i]; i++) {
555 		struct ip_list* ip = RR_to_ip(tp, res->data[i], res->len[i],
556 			port);
557 		if(!ip) continue;
558 		ip->next = *head;
559 		*head = ip;
560 	}
561 	ub_resolve_free(res);
562 }
563 
564 /** parse a text IP address into a sockaddr */
565 static struct ip_list*
566 parse_ip_addr(const char* str, int port)
567 {
568 	socklen_t len = 0;
569 	union {
570 		struct sockaddr_in6 a6;
571 		struct sockaddr_in a;
572 	} addr;
573 	struct ip_list* ip;
574 	uint16_t p = (uint16_t)port;
575 	memset(&addr, 0, sizeof(addr));
576 
577 	if(inet_pton(AF_INET6, str, &addr.a6.sin6_addr) > 0) {
578 		/* it is an IPv6 */
579 		addr.a6.sin6_family = AF_INET6;
580 		addr.a6.sin6_port = (in_port_t)htons(p);
581 		len = (socklen_t)sizeof(addr.a6);
582 	}
583 	if(inet_pton(AF_INET, str, &addr.a.sin_addr) > 0) {
584 		/* it is an IPv4 */
585 		addr.a.sin_family = AF_INET;
586 		addr.a.sin_port = (in_port_t)htons(p);
587 		len = (socklen_t)sizeof(struct sockaddr_in);
588 	}
589 	if(!len) return NULL;
590 	ip = (struct ip_list*)calloc(1, sizeof(*ip));
591 	if(!ip) {
592 		if(verb) printf("out of memory\n");
593 		exit(0);
594 	}
595 	ip->len = len;
596 	memmove(&ip->addr, &addr, len);
597 	if(verb) printf("server address is %s\n", str);
598 	return ip;
599 }
600 
601 /**
602  * Resolve a domain name (even though the resolver is down and there is
603  * no trust anchor).  Without DNSSEC validation.
604  * @param host: the name to resolve.
605  * 	If this name is an IP4 or IP6 address this address is returned.
606  * @param port: the port number used for the returned IP structs.
607  * @param res_conf: resolv.conf (if any).
608  * @param root_hints: root hints (if any).
609  * @param debugconf: unbound.conf for debugging options.
610  * @param ip4only: use only ip4 for resolve and only lookup A
611  * @param ip6only: use only ip6 for resolve and only lookup AAAA
612  * 	default is to lookup A and AAAA using ip4 and ip6.
613  * @return list of IP addresses.
614  */
615 static struct ip_list*
616 resolve_name(const char* host, int port, const char* res_conf,
617 	const char* root_hints, const char* debugconf, int ip4only, int ip6only)
618 {
619 	struct ub_ctx* ctx;
620 	struct ip_list* list = NULL;
621 	/* first see if name is an IP address itself */
622 	if( (list=parse_ip_addr(host, port)) ) {
623 		return list;
624 	}
625 
626 	/* create resolver context */
627 	ctx = create_unbound_context(res_conf, root_hints, debugconf,
628         	ip4only, ip6only);
629 
630 	/* try resolution of A */
631 	if(!ip6only) {
632 		resolve_host_ip(ctx, host, port, LDNS_RR_TYPE_A,
633 			LDNS_RR_CLASS_IN, &list);
634 	}
635 
636 	/* try resolution of AAAA */
637 	if(!ip4only) {
638 		resolve_host_ip(ctx, host, port, LDNS_RR_TYPE_AAAA,
639 			LDNS_RR_CLASS_IN, &list);
640 	}
641 
642 	ub_ctx_delete(ctx);
643 	if(!list) {
644 		if(verb) printf("%s has no IP addresses I can use\n", host);
645 		exit(0);
646 	}
647 	return list;
648 }
649 
650 /** clear used flags */
651 static void
652 wipe_ip_usage(struct ip_list* p)
653 {
654 	while(p) {
655 		p->used = 0;
656 		p = p->next;
657 	}
658 }
659 
660 /** cound unused IPs */
661 static int
662 count_unused(struct ip_list* p)
663 {
664 	int num = 0;
665 	while(p) {
666 		if(!p->used) num++;
667 		p = p->next;
668 	}
669 	return num;
670 }
671 
672 /** pick random unused element from IP list */
673 static struct ip_list*
674 pick_random_ip(struct ip_list* list)
675 {
676 	struct ip_list* p = list;
677 	int num = count_unused(list);
678 	int sel;
679 	if(num == 0) return NULL;
680 	/* not perfect, but random enough */
681 	sel = (int)arc4random_uniform((uint32_t)num);
682 	/* skip over unused elements that we did not select */
683 	while(sel > 0 && p) {
684 		if(!p->used) sel--;
685 		p = p->next;
686 	}
687 	/* find the next unused element */
688 	while(p && p->used)
689 		p = p->next;
690 	if(!p) return NULL; /* robustness */
691 	return p;
692 }
693 
694 /** close the fd */
695 static void
696 fd_close(int fd)
697 {
698 #ifndef USE_WINSOCK
699 	close(fd);
700 #else
701 	closesocket(fd);
702 #endif
703 }
704 
705 /** printout socket errno */
706 static void
707 print_sock_err(const char* msg)
708 {
709 #ifndef USE_WINSOCK
710 	if(verb) printf("%s: %s\n", msg, strerror(errno));
711 #else
712 	if(verb) printf("%s: %s\n", msg, wsa_strerror(WSAGetLastError()));
713 #endif
714 }
715 
716 /** connect to IP address */
717 static int
718 connect_to_ip(struct ip_list* ip)
719 {
720 	int fd;
721 	verb_addr("connect to", ip);
722 	fd = socket(ip->len==(socklen_t)sizeof(struct sockaddr_in)?
723 		AF_INET:AF_INET6, SOCK_STREAM, 0);
724 	if(fd == -1) {
725 		print_sock_err("socket");
726 		return -1;
727 	}
728 	if(connect(fd, (struct sockaddr*)&ip->addr, ip->len) < 0) {
729 		print_sock_err("connect");
730 		fd_close(fd);
731 		return -1;
732 	}
733 	return fd;
734 }
735 
736 /** create SSL context */
737 static SSL_CTX*
738 setup_sslctx(void)
739 {
740 	SSL_CTX* sslctx = SSL_CTX_new(SSLv23_client_method());
741 	if(!sslctx) {
742 		if(verb) printf("SSL_CTX_new error\n");
743 		return NULL;
744 	}
745 	return sslctx;
746 }
747 
748 /** initiate TLS on a connection */
749 static SSL*
750 TLS_initiate(SSL_CTX* sslctx, int fd)
751 {
752 	X509* x;
753 	int r;
754 	SSL* ssl = SSL_new(sslctx);
755 	if(!ssl) {
756 		if(verb) printf("SSL_new error\n");
757 		return NULL;
758 	}
759 	SSL_set_connect_state(ssl);
760 	(void)SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
761 	if(!SSL_set_fd(ssl, fd)) {
762 		if(verb) printf("SSL_set_fd error\n");
763 		SSL_free(ssl);
764 		return NULL;
765 	}
766 	while(1) {
767 		ERR_clear_error();
768 		if( (r=SSL_do_handshake(ssl)) == 1)
769 			break;
770 		r = SSL_get_error(ssl, r);
771 		if(r != SSL_ERROR_WANT_READ && r != SSL_ERROR_WANT_WRITE) {
772 			if(verb) printf("SSL handshake failed\n");
773 			SSL_free(ssl);
774 			return NULL;
775 		}
776 		/* wants to be called again */
777 	}
778 	x = SSL_get_peer_certificate(ssl);
779 	if(!x) {
780 		if(verb) printf("Server presented no peer certificate\n");
781 		SSL_free(ssl);
782 		return NULL;
783 	}
784 	verb_cert("server SSL certificate", x);
785 	X509_free(x);
786 	return ssl;
787 }
788 
789 /** perform neat TLS shutdown */
790 static void
791 TLS_shutdown(int fd, SSL* ssl, SSL_CTX* sslctx)
792 {
793 	/* shutdown the SSL connection nicely */
794 	if(SSL_shutdown(ssl) == 0) {
795 		SSL_shutdown(ssl);
796 	}
797 	SSL_free(ssl);
798 	SSL_CTX_free(sslctx);
799 	fd_close(fd);
800 }
801 
802 /** write a line over SSL */
803 static int
804 write_ssl_line(SSL* ssl, const char* str, const char* sec)
805 {
806 	char buf[1024];
807 	size_t l;
808 	if(sec) {
809 		snprintf(buf, sizeof(buf), str, sec);
810 	} else {
811 		snprintf(buf, sizeof(buf), "%s", str);
812 	}
813 	l = strlen(buf);
814 	if(l+2 >= sizeof(buf)) {
815 		if(verb) printf("line too long\n");
816 		return 0;
817 	}
818 	if(verb >= 2) printf("SSL_write: %s\n", buf);
819 	buf[l] = '\r';
820 	buf[l+1] = '\n';
821 	buf[l+2] = 0;
822 	/* add \r\n */
823 	if(SSL_write(ssl, buf, (int)strlen(buf)) <= 0) {
824 		if(verb) printf("could not SSL_write %s", str);
825 		return 0;
826 	}
827 	return 1;
828 }
829 
830 /** process header line, check rcode and keeping track of size */
831 static int
832 process_one_header(char* buf, size_t* clen, int* chunked)
833 {
834 	if(verb>=2) printf("header: '%s'\n", buf);
835 	if(strncasecmp(buf, "HTTP/1.1 ", 9) == 0) {
836 		/* check returncode */
837 		if(buf[9] != '2') {
838 			if(verb) printf("bad status %s\n", buf+9);
839 			return 0;
840 		}
841 	} else if(strncasecmp(buf, "Content-Length: ", 16) == 0) {
842 		if(!*chunked)
843 			*clen = (size_t)atoi(buf+16);
844 	} else if(strncasecmp(buf, "Transfer-Encoding: chunked", 19+7) == 0) {
845 		*clen = 0;
846 		*chunked = 1;
847 	}
848 	return 1;
849 }
850 
851 /**
852  * Read one line from SSL
853  * zero terminates.
854  * skips "\r\n" (but not copied to buf).
855  * @param ssl: the SSL connection to read from (blocking).
856  * @param buf: buffer to return line in.
857  * @param len: size of the buffer.
858  * @return 0 on error, 1 on success.
859  */
860 static int
861 read_ssl_line(SSL* ssl, char* buf, size_t len)
862 {
863 	size_t n = 0;
864 	int r;
865 	int endnl = 0;
866 	while(1) {
867 		if(n >= len) {
868 			if(verb) printf("line too long\n");
869 			return 0;
870 		}
871 		if((r = SSL_read(ssl, buf+n, 1)) <= 0) {
872 			if(SSL_get_error(ssl, r) == SSL_ERROR_ZERO_RETURN) {
873 				/* EOF */
874 				break;
875 			}
876 			if(verb) printf("could not SSL_read\n");
877 			return 0;
878 		}
879 		if(endnl && buf[n] == '\n') {
880 			break;
881 		} else if(endnl) {
882 			/* bad data */
883 			if(verb) printf("error: stray linefeeds\n");
884 			return 0;
885 		} else if(buf[n] == '\r') {
886 			/* skip \r, and also \n on the wire */
887 			endnl = 1;
888 			continue;
889 		} else if(buf[n] == '\n') {
890 			/* skip the \n, we are done */
891 			break;
892 		} else n++;
893 	}
894 	buf[n] = 0;
895 	return 1;
896 }
897 
898 /** read http headers and process them */
899 static size_t
900 read_http_headers(SSL* ssl, size_t* clen)
901 {
902 	char buf[1024];
903 	int chunked = 0;
904 	*clen = 0;
905 	while(read_ssl_line(ssl, buf, sizeof(buf))) {
906 		if(buf[0] == 0)
907 			return 1;
908 		if(!process_one_header(buf, clen, &chunked))
909 			return 0;
910 	}
911 	return 0;
912 }
913 
914 /** read a data chunk */
915 static char*
916 read_data_chunk(SSL* ssl, size_t len)
917 {
918 	size_t got = 0;
919 	int r;
920 	char* data;
921 	if(len >= 0xfffffff0)
922 		return NULL; /* to protect against integer overflow in malloc*/
923 	data = malloc(len+1);
924 	if(!data) {
925 		if(verb) printf("out of memory\n");
926 		return NULL;
927 	}
928 	while(got < len) {
929 		if((r = SSL_read(ssl, data+got, (int)(len-got))) <= 0) {
930 			if(SSL_get_error(ssl, r) == SSL_ERROR_ZERO_RETURN) {
931 				/* EOF */
932 				if(verb) printf("could not SSL_read: unexpected EOF\n");
933 				free(data);
934 				return NULL;
935 			}
936 			if(verb) printf("could not SSL_read\n");
937 			free(data);
938 			return NULL;
939 		}
940 		if(verb >= 2) printf("at %d/%d\n", (int)got, (int)len);
941 		got += r;
942 	}
943 	if(verb>=2) printf("read %d data\n", (int)len);
944 	data[len] = 0;
945 	return data;
946 }
947 
948 /** parse chunk header */
949 static int
950 parse_chunk_header(char* buf, size_t* result)
951 {
952 	char* e = NULL;
953 	size_t v = (size_t)strtol(buf, &e, 16);
954 	if(e == buf)
955 		return 0;
956 	*result = v;
957 	return 1;
958 }
959 
960 /** read chunked data from connection */
961 static BIO*
962 do_chunked_read(SSL* ssl)
963 {
964 	char buf[1024];
965 	size_t len;
966 	char* body;
967 	BIO* mem = BIO_new(BIO_s_mem());
968 	if(verb>=3) printf("do_chunked_read\n");
969 	if(!mem) {
970 		if(verb) printf("out of memory\n");
971 		return NULL;
972 	}
973 	while(read_ssl_line(ssl, buf, sizeof(buf))) {
974 		/* read the chunked start line */
975 		if(verb>=2) printf("chunk header: %s\n", buf);
976 		if(!parse_chunk_header(buf, &len)) {
977 			BIO_free(mem);
978 			if(verb>=3) printf("could not parse chunk header\n");
979 			return NULL;
980 		}
981 		if(verb>=2) printf("chunk len: %d\n", (int)len);
982 		/* are we done? */
983 		if(len == 0) {
984 			char z = 0;
985 			/* skip end-of-chunk-trailer lines,
986 			 * until the empty line after that */
987 			do {
988 				if(!read_ssl_line(ssl, buf, sizeof(buf))) {
989 					BIO_free(mem);
990 					return NULL;
991 				}
992 			} while (strlen(buf) > 0);
993 			/* end of chunks, zero terminate it */
994 			if(BIO_write(mem, &z, 1) <= 0) {
995 				if(verb) printf("out of memory\n");
996 				BIO_free(mem);
997 				return NULL;
998 			}
999 			return mem;
1000 		}
1001 		/* read the chunked body */
1002 		body = read_data_chunk(ssl, len);
1003 		if(!body) {
1004 			BIO_free(mem);
1005 			return NULL;
1006 		}
1007 		if(BIO_write(mem, body, (int)len) <= 0) {
1008 			if(verb) printf("out of memory\n");
1009 			free(body);
1010 			BIO_free(mem);
1011 			return NULL;
1012 		}
1013 		free(body);
1014 		/* skip empty line after data chunk */
1015 		if(!read_ssl_line(ssl, buf, sizeof(buf))) {
1016 			BIO_free(mem);
1017 			return NULL;
1018 		}
1019 	}
1020 	BIO_free(mem);
1021 	return NULL;
1022 }
1023 
1024 /** start HTTP1.1 transaction on SSL */
1025 static int
1026 write_http_get(SSL* ssl, const char* pathname, const char* urlname)
1027 {
1028 	if(write_ssl_line(ssl, "GET /%s HTTP/1.1", pathname) &&
1029 	   write_ssl_line(ssl, "Host: %s", urlname) &&
1030 	   write_ssl_line(ssl, "User-Agent: unbound-anchor/%s",
1031 	   	PACKAGE_VERSION) &&
1032 	   /* We do not really do multiple queries per connection,
1033 	    * but this header setting is also not needed.
1034 	    * write_ssl_line(ssl, "Connection: close", NULL) &&*/
1035 	   write_ssl_line(ssl, "", NULL)) {
1036 		return 1;
1037 	}
1038 	return 0;
1039 }
1040 
1041 /** read chunked data and zero terminate; len is without zero */
1042 static char*
1043 read_chunked_zero_terminate(SSL* ssl, size_t* len)
1044 {
1045 	/* do the chunked version */
1046 	BIO* tmp = do_chunked_read(ssl);
1047 	char* data, *d = NULL;
1048 	size_t l;
1049 	if(!tmp) {
1050 		if(verb) printf("could not read from https\n");
1051 		return NULL;
1052 	}
1053 	l = (size_t)BIO_get_mem_data(tmp, &d);
1054 	if(verb>=2) printf("chunked data is %d\n", (int)l);
1055 	if(l == 0 || d == NULL) {
1056 		if(verb) printf("out of memory\n");
1057 		return NULL;
1058 	}
1059 	*len = l-1;
1060 	data = (char*)malloc(l);
1061 	if(data == NULL) {
1062 		if(verb) printf("out of memory\n");
1063 		return NULL;
1064 	}
1065 	memcpy(data, d, l);
1066 	BIO_free(tmp);
1067 	return data;
1068 }
1069 
1070 /** read HTTP result from SSL */
1071 static BIO*
1072 read_http_result(SSL* ssl)
1073 {
1074 	size_t len = 0;
1075 	char* data;
1076 	BIO* m;
1077 	if(!read_http_headers(ssl, &len)) {
1078 		return NULL;
1079 	}
1080 	if(len == 0) {
1081 		data = read_chunked_zero_terminate(ssl, &len);
1082 	} else {
1083 		data = read_data_chunk(ssl, len);
1084 	}
1085 	if(!data) return NULL;
1086 	if(verb >= 4) print_data("read data", data, (int)len);
1087 	m = BIO_new_mem_buf(data, (int)len);
1088 	if(!m) {
1089 		if(verb) printf("out of memory\n");
1090 		exit(0);
1091 	}
1092 	return m;
1093 }
1094 
1095 /** https to an IP addr, return BIO with pathname or NULL */
1096 static BIO*
1097 https_to_ip(struct ip_list* ip, const char* pathname, const char* urlname)
1098 {
1099 	int fd;
1100 	SSL* ssl;
1101 	BIO* bio;
1102 	SSL_CTX* sslctx = setup_sslctx();
1103 	if(!sslctx) {
1104 		return NULL;
1105 	}
1106 	fd = connect_to_ip(ip);
1107 	if(fd == -1) {
1108 		SSL_CTX_free(sslctx);
1109 		return NULL;
1110 	}
1111 	ssl = TLS_initiate(sslctx, fd);
1112 	if(!ssl) {
1113 		SSL_CTX_free(sslctx);
1114 		fd_close(fd);
1115 		return NULL;
1116 	}
1117 	if(!write_http_get(ssl, pathname, urlname)) {
1118 		if(verb) printf("could not write to server\n");
1119 		SSL_free(ssl);
1120 		SSL_CTX_free(sslctx);
1121 		fd_close(fd);
1122 		return NULL;
1123 	}
1124 	bio = read_http_result(ssl);
1125 	TLS_shutdown(fd, ssl, sslctx);
1126 	return bio;
1127 }
1128 
1129 /**
1130  * Do a HTTPS, HTTP1.1 over TLS, to fetch a file
1131  * @param ip_list: list of IP addresses to use to fetch from.
1132  * @param pathname: pathname of file on server to GET.
1133  * @param urlname: name to pass as the virtual host for this request.
1134  * @return a memory BIO with the file in it.
1135  */
1136 static BIO*
1137 https(struct ip_list* ip_list, const char* pathname, const char* urlname)
1138 {
1139 	struct ip_list* ip;
1140 	BIO* bio = NULL;
1141 	/* try random address first, and work through the list */
1142 	wipe_ip_usage(ip_list);
1143 	while( (ip = pick_random_ip(ip_list)) ) {
1144 		ip->used = 1;
1145 		bio = https_to_ip(ip, pathname, urlname);
1146 		if(bio) break;
1147 	}
1148 	if(!bio) {
1149 		if(verb) printf("could not fetch %s\n", pathname);
1150 		exit(0);
1151 	} else {
1152 		if(verb) printf("fetched %s (%d bytes)\n",
1153 			pathname, (int)BIO_ctrl_pending(bio));
1154 	}
1155 	return bio;
1156 }
1157 
1158 /** free up a downloaded file BIO */
1159 static void
1160 free_file_bio(BIO* bio)
1161 {
1162 	char* pp = NULL;
1163 	(void)BIO_reset(bio);
1164 	(void)BIO_get_mem_data(bio, &pp);
1165 	free(pp);
1166 	BIO_free(bio);
1167 }
1168 
1169 /** XML parse private data during the parse */
1170 struct xml_data {
1171 	/** the parser, reference */
1172 	XML_Parser parser;
1173 	/** the current tag; malloced; or NULL outside of tags */
1174 	char* tag;
1175 	/** current date to use during the parse */
1176 	time_t date;
1177 	/** number of keys usefully read in */
1178 	int num_keys;
1179 	/** the compiled anchors as DS records */
1180 	BIO* ds;
1181 
1182 	/** do we want to use this anchor? */
1183 	int use_key;
1184 	/** the current anchor: Zone */
1185 	BIO* czone;
1186 	/** the current anchor: KeyTag */
1187 	BIO* ctag;
1188 	/** the current anchor: Algorithm */
1189 	BIO* calgo;
1190 	/** the current anchor: DigestType */
1191 	BIO* cdigtype;
1192 	/** the current anchor: Digest*/
1193 	BIO* cdigest;
1194 };
1195 
1196 /** The BIO for the tag */
1197 static BIO*
1198 xml_selectbio(struct xml_data* data, const char* tag)
1199 {
1200 	BIO* b = NULL;
1201 	if(strcasecmp(tag, "KeyTag") == 0)
1202 		b = data->ctag;
1203 	else if(strcasecmp(tag, "Algorithm") == 0)
1204 		b = data->calgo;
1205 	else if(strcasecmp(tag, "DigestType") == 0)
1206 		b = data->cdigtype;
1207 	else if(strcasecmp(tag, "Digest") == 0)
1208 		b = data->cdigest;
1209 	return b;
1210 }
1211 
1212 /**
1213  * XML handle character data, the data inside an element.
1214  * @param userData: xml_data structure
1215  * @param s: the character data.  May not all be in one callback.
1216  * 	NOT zero terminated.
1217  * @param len: length of this part of the data.
1218  */
1219 static void
1220 xml_charhandle(void *userData, const XML_Char *s, int len)
1221 {
1222 	struct xml_data* data = (struct xml_data*)userData;
1223 	BIO* b = NULL;
1224 	/* skip characters outside of elements */
1225 	if(!data->tag)
1226 		return;
1227 	if(verb>=4) {
1228 		int i;
1229 		printf("%s%s charhandle: '",
1230 			data->use_key?"use ":"",
1231 			data->tag?data->tag:"none");
1232 		for(i=0; i<len; i++)
1233 			printf("%c", s[i]);
1234 		printf("'\n");
1235 	}
1236 	if(strcasecmp(data->tag, "Zone") == 0) {
1237 		if(BIO_write(data->czone, s, len) < 0) {
1238 			if(verb) printf("out of memory in BIO_write\n");
1239 			exit(0);
1240 		}
1241 		return;
1242 	}
1243 	/* only store if key is used */
1244 	if(!data->use_key)
1245 		return;
1246 	b = xml_selectbio(data, data->tag);
1247 	if(b) {
1248 		if(BIO_write(b, s, len) < 0) {
1249 			if(verb) printf("out of memory in BIO_write\n");
1250 			exit(0);
1251 		}
1252 	}
1253 }
1254 
1255 /**
1256  * XML fetch value of particular attribute(by name) or NULL if not present.
1257  * @param atts: attribute array (from xml_startelem).
1258  * @param name: name of attribute to look for.
1259  * @return the value or NULL. (ptr into atts).
1260  */
1261 static const XML_Char*
1262 find_att(const XML_Char **atts, const XML_Char* name)
1263 {
1264 	int i;
1265 	for(i=0; atts[i]; i+=2) {
1266 		if(strcasecmp(atts[i], name) == 0)
1267 			return atts[i+1];
1268 	}
1269 	return NULL;
1270 }
1271 
1272 /**
1273  * XML convert DateTime element to time_t.
1274  * [-]CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm]
1275  * (with optional .ssssss fractional seconds)
1276  * @param str: the string
1277  * @return a time_t representation or 0 on failure.
1278  */
1279 static time_t
1280 xml_convertdate(const char* str)
1281 {
1282 	time_t t = 0;
1283 	struct tm tm;
1284 	const char* s;
1285 	/* for this application, ignore minus in front;
1286 	 * only positive dates are expected */
1287 	s = str;
1288 	if(s[0] == '-') s++;
1289 	memset(&tm, 0, sizeof(tm));
1290 	/* parse initial content of the string (lots of whitespace allowed) */
1291 	s = strptime(s, "%t%Y%t-%t%m%t-%t%d%tT%t%H%t:%t%M%t:%t%S%t", &tm);
1292 	if(!s) {
1293 		if(verb) printf("xml_convertdate parse failure %s\n", str);
1294 		return 0;
1295 	}
1296 	/* parse remainder of date string */
1297 	if(*s == '.') {
1298 		/* optional '.' and fractional seconds */
1299 		int frac = 0, n = 0;
1300 		if(sscanf(s+1, "%d%n", &frac, &n) < 1) {
1301 			if(verb) printf("xml_convertdate f failure %s\n", str);
1302 			return 0;
1303 		}
1304 		/* fraction is not used, time_t has second accuracy */
1305 		s++;
1306 		s+=n;
1307 	}
1308 	if(*s == 'Z' || *s == 'z') {
1309 		/* nothing to do for this */
1310 		s++;
1311 	} else if(*s == '+' || *s == '-') {
1312 		/* optional timezone spec: Z or +hh:mm or -hh:mm */
1313 		int hr = 0, mn = 0, n = 0;
1314 		if(sscanf(s+1, "%d:%d%n", &hr, &mn, &n) < 2) {
1315 			if(verb) printf("xml_convertdate tz failure %s\n", str);
1316 			return 0;
1317 		}
1318 		if(*s == '+') {
1319 			tm.tm_hour += hr;
1320 			tm.tm_min += mn;
1321 		} else {
1322 			tm.tm_hour -= hr;
1323 			tm.tm_min -= mn;
1324 		}
1325 		s++;
1326 		s += n;
1327 	}
1328 	if(*s != 0) {
1329 		/* not ended properly */
1330 		/* but ignore, (lenient) */
1331 	}
1332 
1333 	t = sldns_mktime_from_utc(&tm);
1334 	if(t == (time_t)-1) {
1335 		if(verb) printf("xml_convertdate mktime failure\n");
1336 		return 0;
1337 	}
1338 	return t;
1339 }
1340 
1341 /**
1342  * XML handle the KeyDigest start tag, check validity periods.
1343  */
1344 static void
1345 handle_keydigest(struct xml_data* data, const XML_Char **atts)
1346 {
1347 	data->use_key = 0;
1348 	if(find_att(atts, "validFrom")) {
1349 		time_t from = xml_convertdate(find_att(atts, "validFrom"));
1350 		if(from == 0) {
1351 			if(verb) printf("error: xml cannot be parsed\n");
1352 			exit(0);
1353 		}
1354 		if(data->date < from)
1355 			return;
1356 	}
1357 	if(find_att(atts, "validUntil")) {
1358 		time_t until = xml_convertdate(find_att(atts, "validUntil"));
1359 		if(until == 0) {
1360 			if(verb) printf("error: xml cannot be parsed\n");
1361 			exit(0);
1362 		}
1363 		if(data->date > until)
1364 			return;
1365 	}
1366 	/* yes we want to use this key */
1367 	data->use_key = 1;
1368 	(void)BIO_reset(data->ctag);
1369 	(void)BIO_reset(data->calgo);
1370 	(void)BIO_reset(data->cdigtype);
1371 	(void)BIO_reset(data->cdigest);
1372 }
1373 
1374 /** See if XML element equals the zone name */
1375 static int
1376 xml_is_zone_name(BIO* zone, const char* name)
1377 {
1378 	char buf[1024];
1379 	char* z = NULL;
1380 	long zlen;
1381 	(void)BIO_seek(zone, 0);
1382 	zlen = BIO_get_mem_data(zone, &z);
1383 	if(!zlen || !z) return 0;
1384 	/* zero terminate */
1385 	if(zlen >= (long)sizeof(buf)) return 0;
1386 	memmove(buf, z, (size_t)zlen);
1387 	buf[zlen] = 0;
1388 	/* compare */
1389 	return (strncasecmp(buf, name, strlen(name)) == 0);
1390 }
1391 
1392 /**
1393  * XML start of element. This callback is called whenever an XML tag starts.
1394  * XML_Char is UTF8.
1395  * @param userData: the xml_data structure.
1396  * @param name: the tag that starts.
1397  * @param atts: array of strings, pairs of attr = value, ends with NULL.
1398  * 	i.e. att[0]="att[1]" att[2]="att[3]" att[4]isNull
1399  */
1400 static void
1401 xml_startelem(void *userData, const XML_Char *name, const XML_Char **atts)
1402 {
1403 	struct xml_data* data = (struct xml_data*)userData;
1404 	BIO* b;
1405 	if(verb>=4) printf("xml tag start '%s'\n", name);
1406 	free(data->tag);
1407 	data->tag = strdup(name);
1408 	if(!data->tag) {
1409 		if(verb) printf("out of memory\n");
1410 		exit(0);
1411 	}
1412 	if(verb>=4) {
1413 		int i;
1414 		for(i=0; atts[i]; i+=2) {
1415 			printf("  %s='%s'\n", atts[i], atts[i+1]);
1416 		}
1417 	}
1418 	/* handle attributes to particular types */
1419 	if(strcasecmp(name, "KeyDigest") == 0) {
1420 		handle_keydigest(data, atts);
1421 		return;
1422 	} else if(strcasecmp(name, "Zone") == 0) {
1423 		(void)BIO_reset(data->czone);
1424 		return;
1425 	}
1426 
1427 	/* for other types we prepare to pick up the data */
1428 	if(!data->use_key)
1429 		return;
1430 	b = xml_selectbio(data, data->tag);
1431 	if(b) {
1432 		/* empty it */
1433 		(void)BIO_reset(b);
1434 	}
1435 }
1436 
1437 /** Append str to bio */
1438 static void
1439 xml_append_str(BIO* b, const char* s)
1440 {
1441 	if(BIO_write(b, s, (int)strlen(s)) < 0) {
1442 		if(verb) printf("out of memory in BIO_write\n");
1443 		exit(0);
1444 	}
1445 }
1446 
1447 /** Append bio to bio */
1448 static void
1449 xml_append_bio(BIO* b, BIO* a)
1450 {
1451 	char* z = NULL;
1452 	long i, len;
1453 	(void)BIO_seek(a, 0);
1454 	len = BIO_get_mem_data(a, &z);
1455 	if(!len || !z) {
1456 		if(verb) printf("out of memory in BIO_write\n");
1457 		exit(0);
1458 	}
1459 	/* remove newlines in the data here */
1460 	for(i=0; i<len; i++) {
1461 		if(z[i] == '\r' || z[i] == '\n')
1462 			z[i] = ' ';
1463 	}
1464 	/* write to BIO */
1465 	if(BIO_write(b, z, len) < 0) {
1466 		if(verb) printf("out of memory in BIO_write\n");
1467 		exit(0);
1468 	}
1469 }
1470 
1471 /** write the parsed xml-DS to the DS list */
1472 static void
1473 xml_append_ds(struct xml_data* data)
1474 {
1475 	/* write DS to accumulated DS */
1476 	xml_append_str(data->ds, ". IN DS ");
1477 	xml_append_bio(data->ds, data->ctag);
1478 	xml_append_str(data->ds, " ");
1479 	xml_append_bio(data->ds, data->calgo);
1480 	xml_append_str(data->ds, " ");
1481 	xml_append_bio(data->ds, data->cdigtype);
1482 	xml_append_str(data->ds, " ");
1483 	xml_append_bio(data->ds, data->cdigest);
1484 	xml_append_str(data->ds, "\n");
1485 	data->num_keys++;
1486 }
1487 
1488 /**
1489  * XML end of element. This callback is called whenever an XML tag ends.
1490  * XML_Char is UTF8.
1491  * @param userData: the xml_data structure
1492  * @param name: the tag that ends.
1493  */
1494 static void
1495 xml_endelem(void *userData, const XML_Char *name)
1496 {
1497 	struct xml_data* data = (struct xml_data*)userData;
1498 	if(verb>=4) printf("xml tag end   '%s'\n", name);
1499 	free(data->tag);
1500 	data->tag = NULL;
1501 	if(strcasecmp(name, "KeyDigest") == 0) {
1502 		if(data->use_key)
1503 			xml_append_ds(data);
1504 		data->use_key = 0;
1505 	} else if(strcasecmp(name, "Zone") == 0) {
1506 		if(!xml_is_zone_name(data->czone, ".")) {
1507 			if(verb) printf("xml not for the right zone\n");
1508 			exit(0);
1509 		}
1510 	}
1511 }
1512 
1513 /* Stop the parser when an entity declaration is encountered. For safety. */
1514 static void
1515 xml_entitydeclhandler(void *userData,
1516 	const XML_Char *ATTR_UNUSED(entityName),
1517 	int ATTR_UNUSED(is_parameter_entity),
1518 	const XML_Char *ATTR_UNUSED(value), int ATTR_UNUSED(value_length),
1519 	const XML_Char *ATTR_UNUSED(base),
1520 	const XML_Char *ATTR_UNUSED(systemId),
1521 	const XML_Char *ATTR_UNUSED(publicId),
1522 	const XML_Char *ATTR_UNUSED(notationName))
1523 {
1524 #if HAVE_DECL_XML_STOPPARSER
1525 	(void)XML_StopParser((XML_Parser)userData, XML_FALSE);
1526 #else
1527 	(void)userData;
1528 #endif
1529 }
1530 
1531 /**
1532  * XML parser setup of the callbacks for the tags
1533  */
1534 static void
1535 xml_parse_setup(XML_Parser parser, struct xml_data* data, time_t now)
1536 {
1537 	char buf[1024];
1538 	memset(data, 0, sizeof(*data));
1539 	XML_SetUserData(parser, data);
1540 	data->parser = parser;
1541 	data->date = now;
1542 	data->ds = BIO_new(BIO_s_mem());
1543 	data->ctag = BIO_new(BIO_s_mem());
1544 	data->czone = BIO_new(BIO_s_mem());
1545 	data->calgo = BIO_new(BIO_s_mem());
1546 	data->cdigtype = BIO_new(BIO_s_mem());
1547 	data->cdigest = BIO_new(BIO_s_mem());
1548 	if(!data->ds || !data->ctag || !data->calgo || !data->czone ||
1549 		!data->cdigtype || !data->cdigest) {
1550 		if(verb) printf("out of memory\n");
1551 		exit(0);
1552 	}
1553 	snprintf(buf, sizeof(buf), "; created by unbound-anchor on %s",
1554 		ctime(&now));
1555 	if(BIO_write(data->ds, buf, (int)strlen(buf)) < 0) {
1556 		if(verb) printf("out of memory\n");
1557 		exit(0);
1558 	}
1559 	XML_SetEntityDeclHandler(parser, xml_entitydeclhandler);
1560 	XML_SetElementHandler(parser, xml_startelem, xml_endelem);
1561 	XML_SetCharacterDataHandler(parser, xml_charhandle);
1562 }
1563 
1564 /**
1565  * Perform XML parsing of the root-anchors file
1566  * Its format description can be read here
1567  * https://data.iana.org/root-anchors/draft-icann-dnssec-trust-anchor.txt
1568  * It uses libexpat.
1569  * @param xml: BIO with xml data.
1570  * @param now: the current time for checking DS validity periods.
1571  * @return memoryBIO with the DS data in zone format.
1572  * 	or NULL if the zone is insecure.
1573  * 	(It exit()s on error)
1574  */
1575 static BIO*
1576 xml_parse(BIO* xml, time_t now)
1577 {
1578 	char* pp;
1579 	int len;
1580 	XML_Parser parser;
1581 	struct xml_data data;
1582 
1583 	parser = XML_ParserCreate(NULL);
1584 	if(!parser) {
1585 		if(verb) printf("could not XML_ParserCreate\n");
1586 		exit(0);
1587 	}
1588 
1589 	/* setup callbacks */
1590 	xml_parse_setup(parser, &data, now);
1591 
1592 	/* parse it */
1593 	(void)BIO_reset(xml);
1594 	len = (int)BIO_get_mem_data(xml, &pp);
1595 	if(!len || !pp) {
1596 		if(verb) printf("out of memory\n");
1597 		exit(0);
1598 	}
1599 	if(!XML_Parse(parser, pp, len, 1 /*isfinal*/ )) {
1600 		const char *e = XML_ErrorString(XML_GetErrorCode(parser));
1601 		if(verb) printf("XML_Parse failure %s\n", e?e:"");
1602 		exit(0);
1603 	}
1604 
1605 	/* parsed */
1606 	if(verb) printf("XML was parsed successfully, %d keys\n",
1607 			data.num_keys);
1608 	free(data.tag);
1609 	XML_ParserFree(parser);
1610 
1611 	if(verb >= 4) {
1612 		(void)BIO_seek(data.ds, 0);
1613 		len = BIO_get_mem_data(data.ds, &pp);
1614 		printf("got DS bio %d: '", len);
1615 		if(!fwrite(pp, (size_t)len, 1, stdout))
1616 			/* compilers do not allow us to ignore fwrite .. */
1617 			fprintf(stderr, "error writing to stdout\n");
1618 		printf("'\n");
1619 	}
1620 	BIO_free(data.czone);
1621 	BIO_free(data.ctag);
1622 	BIO_free(data.calgo);
1623 	BIO_free(data.cdigtype);
1624 	BIO_free(data.cdigest);
1625 
1626 	if(data.num_keys == 0) {
1627 		/* the root zone seems to have gone insecure */
1628 		BIO_free(data.ds);
1629 		return NULL;
1630 	} else {
1631 		return data.ds;
1632 	}
1633 }
1634 
1635 /* get key usage out of its extension, returns 0 if no key_usage extension */
1636 static unsigned long
1637 get_usage_of_ex(X509* cert)
1638 {
1639 	unsigned long val = 0;
1640 	ASN1_BIT_STRING* s;
1641 	if((s=X509_get_ext_d2i(cert, NID_key_usage, NULL, NULL))) {
1642 		if(s->length > 0) {
1643 			val = s->data[0];
1644 			if(s->length > 1)
1645 				val |= s->data[1] << 8;
1646 		}
1647 		ASN1_BIT_STRING_free(s);
1648 	}
1649 	return val;
1650 }
1651 
1652 /** get valid signers from the list of signers in the signature */
1653 static STACK_OF(X509)*
1654 get_valid_signers(PKCS7* p7, const char* p7signer)
1655 {
1656 	int i;
1657 	STACK_OF(X509)* validsigners = sk_X509_new_null();
1658 	STACK_OF(X509)* signers = PKCS7_get0_signers(p7, NULL, 0);
1659 	unsigned long usage = 0;
1660 	if(!validsigners) {
1661 		if(verb) printf("out of memory\n");
1662 		sk_X509_free(signers);
1663 		return NULL;
1664 	}
1665 	if(!signers) {
1666 		if(verb) printf("no signers in pkcs7 signature\n");
1667 		sk_X509_free(validsigners);
1668 		return NULL;
1669 	}
1670 	for(i=0; i<sk_X509_num(signers); i++) {
1671 		X509_NAME* nm = X509_get_subject_name(
1672 			sk_X509_value(signers, i));
1673 		char buf[1024];
1674 		if(!nm) {
1675 			if(verb) printf("signer %d: cert has no subject name\n", i);
1676 			continue;
1677 		}
1678 		if(verb && nm) {
1679 			char* nmline = X509_NAME_oneline(nm, buf,
1680 				(int)sizeof(buf));
1681 			printf("signer %d: Subject: %s\n", i,
1682 				nmline?nmline:"no subject");
1683 			if(verb >= 3 && X509_NAME_get_text_by_NID(nm,
1684 				NID_commonName, buf, (int)sizeof(buf)))
1685 				printf("commonName: %s\n", buf);
1686 			if(verb >= 3 && X509_NAME_get_text_by_NID(nm,
1687 				NID_pkcs9_emailAddress, buf, (int)sizeof(buf)))
1688 				printf("emailAddress: %s\n", buf);
1689 		}
1690 		if(verb) {
1691 			int ku_loc = X509_get_ext_by_NID(
1692 				sk_X509_value(signers, i), NID_key_usage, -1);
1693 			if(verb >= 3 && ku_loc >= 0) {
1694 				X509_EXTENSION *ex = X509_get_ext(
1695 					sk_X509_value(signers, i), ku_loc);
1696 				if(ex) {
1697 					printf("keyUsage: ");
1698 					X509V3_EXT_print_fp(stdout, ex, 0, 0);
1699 					printf("\n");
1700 				}
1701 			}
1702 		}
1703 		if(!p7signer || strcmp(p7signer, "")==0) {
1704 			/* there is no name to check, return all records */
1705 			if(verb) printf("did not check commonName of signer\n");
1706 		} else {
1707 			if(!X509_NAME_get_text_by_NID(nm,
1708 				NID_pkcs9_emailAddress,
1709 				buf, (int)sizeof(buf))) {
1710 				if(verb) printf("removed cert with no name\n");
1711 				continue; /* no name, no use */
1712 			}
1713 			if(strcmp(buf, p7signer) != 0) {
1714 				if(verb) printf("removed cert with wrong name\n");
1715 				continue; /* wrong name, skip it */
1716 			}
1717 		}
1718 
1719 		/* check that the key usage allows digital signatures
1720 		 * (the p7s) */
1721 		usage = get_usage_of_ex(sk_X509_value(signers, i));
1722 		if(!(usage & KU_DIGITAL_SIGNATURE)) {
1723 			if(verb) printf("removed cert with no key usage Digital Signature allowed\n");
1724 			continue;
1725 		}
1726 
1727 		/* we like this cert, add it to our list of valid
1728 		 * signers certificates */
1729 		sk_X509_push(validsigners, sk_X509_value(signers, i));
1730 	}
1731 	sk_X509_free(signers);
1732 	return validsigners;
1733 }
1734 
1735 /** verify a PKCS7 signature, false on failure */
1736 static int
1737 verify_p7sig(BIO* data, BIO* p7s, STACK_OF(X509)* trust, const char* p7signer)
1738 {
1739 	PKCS7* p7;
1740 	X509_STORE *store = X509_STORE_new();
1741 	STACK_OF(X509)* validsigners;
1742 	int secure = 0;
1743 	int i;
1744 #ifdef X509_V_FLAG_CHECK_SS_SIGNATURE
1745 	X509_VERIFY_PARAM* param = X509_VERIFY_PARAM_new();
1746 	if(!param) {
1747 		if(verb) printf("out of memory\n");
1748 		X509_STORE_free(store);
1749 		return 0;
1750 	}
1751 	/* do the selfcheck on the root certificate; it checks that the
1752 	 * input is valid */
1753 	X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CHECK_SS_SIGNATURE);
1754 	if(store) X509_STORE_set1_param(store, param);
1755 #endif
1756 	if(!store) {
1757 		if(verb) printf("out of memory\n");
1758 #ifdef X509_V_FLAG_CHECK_SS_SIGNATURE
1759 		X509_VERIFY_PARAM_free(param);
1760 #endif
1761 		return 0;
1762 	}
1763 #ifdef X509_V_FLAG_CHECK_SS_SIGNATURE
1764 	X509_VERIFY_PARAM_free(param);
1765 #endif
1766 
1767 	(void)BIO_reset(p7s);
1768 	(void)BIO_reset(data);
1769 
1770 	/* convert p7s to p7 (the signature) */
1771 	p7 = d2i_PKCS7_bio(p7s, NULL);
1772 	if(!p7) {
1773 		if(verb) printf("could not parse p7s signature file\n");
1774 		X509_STORE_free(store);
1775 		return 0;
1776 	}
1777 	if(verb >= 2) printf("parsed the PKCS7 signature\n");
1778 
1779 	/* convert trust to trusted certificate store */
1780 	for(i=0; i<sk_X509_num(trust); i++) {
1781 		if(!X509_STORE_add_cert(store, sk_X509_value(trust, i))) {
1782 			if(verb) printf("failed X509_STORE_add_cert\n");
1783 			X509_STORE_free(store);
1784 			PKCS7_free(p7);
1785 			return 0;
1786 		}
1787 	}
1788 	if(verb >= 2) printf("setup the X509_STORE\n");
1789 
1790 	/* check what is in the Subject name of the certificates,
1791 	 * and build a stack that contains only the right certificates */
1792 	validsigners = get_valid_signers(p7, p7signer);
1793 	if(!validsigners) {
1794 			X509_STORE_free(store);
1795 			PKCS7_free(p7);
1796 			return 0;
1797 	}
1798 	if(PKCS7_verify(p7, validsigners, store, data, NULL, PKCS7_NOINTERN) == 1) {
1799 		secure = 1;
1800 		if(verb) printf("the PKCS7 signature verified\n");
1801 	} else {
1802 		if(verb) {
1803 			ERR_print_errors_fp(stdout);
1804 		}
1805 	}
1806 
1807 	sk_X509_free(validsigners);
1808 	X509_STORE_free(store);
1809 	PKCS7_free(p7);
1810 	return secure;
1811 }
1812 
1813 /** write unsigned root anchor file, a 5011 revoked tp */
1814 static void
1815 write_unsigned_root(const char* root_anchor_file)
1816 {
1817 	FILE* out;
1818 	time_t now = time(NULL);
1819 	out = fopen(root_anchor_file, "w");
1820 	if(!out) {
1821 		if(verb) printf("%s: %s\n", root_anchor_file, strerror(errno));
1822 		return;
1823 	}
1824 	if(fprintf(out, "; autotrust trust anchor file\n"
1825 		";;REVOKED\n"
1826 		";;id: . 1\n"
1827 		"; This file was written by unbound-anchor on %s"
1828 		"; It indicates that the root does not use DNSSEC\n"
1829 		"; to restart DNSSEC overwrite this file with a\n"
1830 		"; valid trustanchor or (empty-it and run unbound-anchor)\n"
1831 		, ctime(&now)) < 0) {
1832 		if(verb) printf("failed to write 'unsigned' to %s\n",
1833 			root_anchor_file);
1834 		if(verb && errno != 0) printf("%s\n", strerror(errno));
1835 	}
1836 	fflush(out);
1837 #ifdef HAVE_FSYNC
1838 	fsync(fileno(out));
1839 #else
1840 	FlushFileBuffers((HANDLE)_get_osfhandle(_fileno(out)));
1841 #endif
1842 	fclose(out);
1843 }
1844 
1845 /** write root anchor file */
1846 static void
1847 write_root_anchor(const char* root_anchor_file, BIO* ds)
1848 {
1849 	char* pp = NULL;
1850 	int len;
1851 	FILE* out;
1852 	(void)BIO_seek(ds, 0);
1853 	len = BIO_get_mem_data(ds, &pp);
1854 	if(!len || !pp) {
1855 		if(verb) printf("out of memory\n");
1856 		return;
1857 	}
1858 	out = fopen(root_anchor_file, "w");
1859 	if(!out) {
1860 		if(verb) printf("%s: %s\n", root_anchor_file, strerror(errno));
1861 		return;
1862 	}
1863 	if(fwrite(pp, (size_t)len, 1, out) != 1) {
1864 		if(verb) printf("failed to write all data to %s\n",
1865 			root_anchor_file);
1866 		if(verb && errno != 0) printf("%s\n", strerror(errno));
1867 	}
1868 	fflush(out);
1869 #ifdef HAVE_FSYNC
1870 	fsync(fileno(out));
1871 #else
1872 	FlushFileBuffers((HANDLE)_get_osfhandle(_fileno(out)));
1873 #endif
1874 	fclose(out);
1875 }
1876 
1877 /** Perform the verification and update of the trustanchor file */
1878 static void
1879 verify_and_update_anchor(const char* root_anchor_file, BIO* xml, BIO* p7s,
1880 	STACK_OF(X509)* cert, const char* p7signer)
1881 {
1882 	BIO* ds;
1883 
1884 	/* verify xml file */
1885 	if(!verify_p7sig(xml, p7s, cert, p7signer)) {
1886 		printf("the PKCS7 signature failed\n");
1887 		exit(0);
1888 	}
1889 
1890 	/* parse the xml file into DS records */
1891 	ds = xml_parse(xml, time(NULL));
1892 	if(!ds) {
1893 		/* the root zone is unsigned now */
1894 		write_unsigned_root(root_anchor_file);
1895 	} else {
1896 		/* reinstate 5011 tracking */
1897 		write_root_anchor(root_anchor_file, ds);
1898 	}
1899 	BIO_free(ds);
1900 }
1901 
1902 #ifdef USE_WINSOCK
1903 static void do_wsa_cleanup(void) { WSACleanup(); }
1904 #endif
1905 
1906 /** perform actual certupdate work */
1907 static int
1908 do_certupdate(const char* root_anchor_file, const char* root_cert_file,
1909 	const char* urlname, const char* xmlname, const char* p7sname,
1910 	const char* p7signer, const char* res_conf, const char* root_hints,
1911 	const char* debugconf, int ip4only, int ip6only, int port,
1912 	struct ub_result* dnskey)
1913 {
1914 	STACK_OF(X509)* cert;
1915 	BIO *xml, *p7s;
1916 	struct ip_list* ip_list = NULL;
1917 
1918 	/* read pem file or provide builtin */
1919 	cert = read_cert_or_builtin(root_cert_file);
1920 
1921 	/* lookup A, AAAA for the urlname (or parse urlname if IP address) */
1922 	ip_list = resolve_name(urlname, port, res_conf, root_hints, debugconf,
1923 		ip4only, ip6only);
1924 
1925 #ifdef USE_WINSOCK
1926 	if(1) { /* libunbound finished, startup WSA for the https connection */
1927 		WSADATA wsa_data;
1928 		int r;
1929 		if((r = WSAStartup(MAKEWORD(2,2), &wsa_data)) != 0) {
1930 			if(verb) printf("WSAStartup failed: %s\n",
1931 				wsa_strerror(r));
1932 			exit(0);
1933 		}
1934 		atexit(&do_wsa_cleanup);
1935 	}
1936 #endif
1937 
1938 	/* fetch the necessary files over HTTPS */
1939 	xml = https(ip_list, xmlname, urlname);
1940 	p7s = https(ip_list, p7sname, urlname);
1941 
1942 	/* verify and update the root anchor */
1943 	verify_and_update_anchor(root_anchor_file, xml, p7s, cert, p7signer);
1944 	if(verb) printf("success: the anchor has been updated "
1945 			"using the cert\n");
1946 
1947 	free_file_bio(xml);
1948 	free_file_bio(p7s);
1949 #ifndef S_SPLINT_S
1950 	sk_X509_pop_free(cert, X509_free);
1951 #endif
1952 	ub_resolve_free(dnskey);
1953 	ip_list_free(ip_list);
1954 	return 1;
1955 }
1956 
1957 /**
1958  * Try to read the root RFC5011 autotrust anchor file,
1959  * @param file: filename.
1960  * @return:
1961  * 	0 if does not exist or empty
1962  * 	1 if trust-point-revoked-5011
1963  * 	2 if it is OK.
1964  */
1965 static int
1966 try_read_anchor(const char* file)
1967 {
1968 	int empty = 1;
1969 	char line[10240];
1970 	char* p;
1971 	FILE* in = fopen(file, "r");
1972 	if(!in) {
1973 		/* only if the file does not exist, can we fix it */
1974 		if(errno != ENOENT) {
1975 			if(verb) printf("%s: %s\n", file, strerror(errno));
1976 			if(verb) printf("error: cannot access the file\n");
1977 			exit(0);
1978 		}
1979 		if(verb) printf("%s does not exist\n", file);
1980 		return 0;
1981 	}
1982 	while(fgets(line, (int)sizeof(line), in)) {
1983 		line[sizeof(line)-1] = 0;
1984 		if(strncmp(line, ";;REVOKED", 9) == 0) {
1985 			fclose(in);
1986 			if(verb) printf("%s : the trust point is revoked\n"
1987 				"and the zone is considered unsigned.\n"
1988 				"if you wish to re-enable, delete the file\n",
1989 				file);
1990 			return 1;
1991 		}
1992 		p=line;
1993 		while(*p == ' ' || *p == '\t')
1994 			p++;
1995 		if(p[0]==0 || p[0]=='\n' || p[0]==';') continue;
1996 		/* this line is a line of content */
1997 		empty = 0;
1998 	}
1999 	fclose(in);
2000 	if(empty) {
2001 		if(verb) printf("%s is empty\n", file);
2002 		return 0;
2003 	}
2004 	if(verb) printf("%s has content\n", file);
2005 	return 2;
2006 }
2007 
2008 /** Write the builtin root anchor to a file */
2009 static void
2010 write_builtin_anchor(const char* file)
2011 {
2012 	const char* builtin_root_anchor = get_builtin_ds();
2013 	FILE* out = fopen(file, "w");
2014 	if(!out) {
2015 		if(verb) printf("%s: %s\n", file, strerror(errno));
2016 		if(verb) printf("  could not write builtin anchor\n");
2017 		return;
2018 	}
2019 	if(!fwrite(builtin_root_anchor, strlen(builtin_root_anchor), 1, out)) {
2020 		if(verb) printf("%s: %s\n", file, strerror(errno));
2021 		if(verb) printf("  could not complete write builtin anchor\n");
2022 	}
2023 	fclose(out);
2024 }
2025 
2026 /**
2027  * Check the root anchor file.
2028  * If does not exist, provide builtin and write file.
2029  * If empty, provide builtin and write file.
2030  * If trust-point-revoked-5011 file: make the program exit.
2031  * @param root_anchor_file: filename of the root anchor.
2032  * @param used_builtin: set to 1 if the builtin is written.
2033  * @return 0 if trustpoint is insecure, 1 on success.  Exit on failure.
2034  */
2035 static int
2036 provide_builtin(const char* root_anchor_file, int* used_builtin)
2037 {
2038 	/* try to read it */
2039 	switch(try_read_anchor(root_anchor_file))
2040 	{
2041 		case 0: /* no exist or empty */
2042 			write_builtin_anchor(root_anchor_file);
2043 			*used_builtin = 1;
2044 			break;
2045 		case 1: /* revoked tp */
2046 			return 0;
2047 		case 2: /* it is fine */
2048 		default:
2049 			break;
2050 	}
2051 	return 1;
2052 }
2053 
2054 /**
2055  * add an autotrust anchor for the root to the context
2056  */
2057 static void
2058 add_5011_probe_root(struct ub_ctx* ctx, const char* root_anchor_file)
2059 {
2060 	int r;
2061 	r = ub_ctx_set_option(ctx, "auto-trust-anchor-file:", root_anchor_file);
2062 	if(r) {
2063 		if(verb) printf("add 5011 probe to ctx: %s\n", ub_strerror(r));
2064 		ub_ctx_delete(ctx);
2065 		exit(0);
2066 	}
2067 }
2068 
2069 /**
2070  * Prime the root key and return the result.  Exit on error.
2071  * @param ctx: the unbound context to perform the priming with.
2072  * @return: the result of the prime, on error it exit()s.
2073  */
2074 static struct ub_result*
2075 prime_root_key(struct ub_ctx* ctx)
2076 {
2077 	struct ub_result* res = NULL;
2078 	int r;
2079 	r = ub_resolve(ctx, ".", LDNS_RR_TYPE_DNSKEY, LDNS_RR_CLASS_IN, &res);
2080 	if(r) {
2081 		if(verb) printf("resolve DNSKEY: %s\n", ub_strerror(r));
2082 		ub_ctx_delete(ctx);
2083 		exit(0);
2084 	}
2085 	if(!res) {
2086 		if(verb) printf("out of memory\n");
2087 		ub_ctx_delete(ctx);
2088 		exit(0);
2089 	}
2090 	return res;
2091 }
2092 
2093 /** see if ADDPEND keys exist in autotrust file (if possible) */
2094 static int
2095 read_if_pending_keys(const char* file)
2096 {
2097 	FILE* in = fopen(file, "r");
2098 	char line[8192];
2099 	if(!in) {
2100 		if(verb>=2) printf("%s: %s\n", file, strerror(errno));
2101 		return 0;
2102 	}
2103 	while(fgets(line, (int)sizeof(line), in)) {
2104 		if(line[0]==';') continue;
2105 		if(strstr(line, "[ ADDPEND ]")) {
2106 			fclose(in);
2107 			if(verb) printf("RFC5011-state has ADDPEND keys\n");
2108 			return 1;
2109 		}
2110 	}
2111 	fclose(in);
2112 	return 0;
2113 }
2114 
2115 /** read last successful probe time from autotrust file (if possible) */
2116 static int32_t
2117 read_last_success_time(const char* file)
2118 {
2119 	FILE* in = fopen(file, "r");
2120 	char line[1024];
2121 	if(!in) {
2122 		if(verb) printf("%s: %s\n", file, strerror(errno));
2123 		return 0;
2124 	}
2125 	while(fgets(line, (int)sizeof(line), in)) {
2126 		if(strncmp(line, ";;last_success: ", 16) == 0) {
2127 			char* e;
2128 			time_t x = (unsigned int)strtol(line+16, &e, 10);
2129 			fclose(in);
2130 			if(line+16 == e) {
2131 				if(verb) printf("failed to parse "
2132 					"last_success probe time\n");
2133 				return 0;
2134 			}
2135 			if(verb) printf("last successful probe: %s", ctime(&x));
2136 			return (int32_t)x;
2137 		}
2138 	}
2139 	fclose(in);
2140 	if(verb) printf("no last_success probe time in anchor file\n");
2141 	return 0;
2142 }
2143 
2144 /**
2145  * Read autotrust 5011 probe file and see if the date
2146  * compared to the current date allows a certupdate.
2147  * If the last successful probe was recent then 5011 cannot be behind,
2148  * and the failure cannot be solved with a certupdate.
2149  * The debugconf is to validation-override the date for testing.
2150  * @param root_anchor_file: filename of root key
2151  * @return true if certupdate is ok.
2152  */
2153 static int
2154 probe_date_allows_certupdate(const char* root_anchor_file)
2155 {
2156 	int has_pending_keys = read_if_pending_keys(root_anchor_file);
2157 	int32_t last_success = read_last_success_time(root_anchor_file);
2158 	int32_t now = (int32_t)time(NULL);
2159 	int32_t leeway = 30 * 24 * 3600; /* 30 days leeway */
2160 	/* if the date is before 2010-07-15:00.00.00 then the root has not
2161 	 * been signed yet, and thus we refuse to take action. */
2162 	if(time(NULL) < xml_convertdate("2010-07-15T00:00:00")) {
2163 		if(verb) printf("the date is before the root was first signed,"
2164 			" please correct the clock\n");
2165 		return 0;
2166 	}
2167 	if(last_success == 0)
2168 		return 1; /* no probe time */
2169 	if(has_pending_keys)
2170 		return 1; /* key in ADDPEND state, a previous probe has
2171 		inserted that, and it was present in all recent probes,
2172 		but it has not become active.  The 30 day timer may not have
2173 		expired, but we know(for sure) there is a rollover going on.
2174 		If we only managed to pickup the new key on its last day
2175 		of announcement (for example) this can happen. */
2176 	if(now - last_success < 0) {
2177 		if(verb) printf("the last successful probe is in the future,"
2178 			" clock was modified\n");
2179 		return 0;
2180 	}
2181 	if(now - last_success >= leeway) {
2182 		if(verb) printf("the last successful probe was more than 30 "
2183 			"days ago\n");
2184 		return 1;
2185 	}
2186 	if(verb) printf("the last successful probe is recent\n");
2187 	return 0;
2188 }
2189 
2190 /** perform the unbound-anchor work */
2191 static int
2192 do_root_update_work(const char* root_anchor_file, const char* root_cert_file,
2193 	const char* urlname, const char* xmlname, const char* p7sname,
2194 	const char* p7signer, const char* res_conf, const char* root_hints,
2195 	const char* debugconf, int ip4only, int ip6only, int force, int port)
2196 {
2197 	struct ub_ctx* ctx;
2198 	struct ub_result* dnskey;
2199 	int used_builtin = 0;
2200 
2201 	/* see if builtin rootanchor needs to be provided, or if
2202 	 * rootanchor is 'revoked-trust-point' */
2203 	if(!provide_builtin(root_anchor_file, &used_builtin))
2204 		return 0;
2205 
2206 	/* make unbound context with 5011-probe for root anchor,
2207 	 * and probe . DNSKEY */
2208 	ctx = create_unbound_context(res_conf, root_hints, debugconf,
2209 		ip4only, ip6only);
2210 	add_5011_probe_root(ctx, root_anchor_file);
2211 	dnskey = prime_root_key(ctx);
2212 	ub_ctx_delete(ctx);
2213 
2214 	/* if secure: exit */
2215 	if(dnskey->secure && !force) {
2216 		if(verb) printf("success: the anchor is ok\n");
2217 		ub_resolve_free(dnskey);
2218 		return used_builtin;
2219 	}
2220 	if(force && verb) printf("debug cert update forced\n");
2221 
2222 	/* if not (and NOERROR): check date and do certupdate */
2223 	if((dnskey->rcode == 0 &&
2224 		probe_date_allows_certupdate(root_anchor_file)) || force) {
2225 		if(do_certupdate(root_anchor_file, root_cert_file, urlname,
2226 			xmlname, p7sname, p7signer, res_conf, root_hints,
2227 			debugconf, ip4only, ip6only, port, dnskey))
2228 			return 1;
2229 		return used_builtin;
2230 	}
2231 	if(verb) printf("fail: the anchor is NOT ok and could not be fixed\n");
2232 	ub_resolve_free(dnskey);
2233 	return used_builtin;
2234 }
2235 
2236 /** getopt global, in case header files fail to declare it. */
2237 extern int optind;
2238 /** getopt global, in case header files fail to declare it. */
2239 extern char* optarg;
2240 
2241 /** Main routine for unbound-anchor */
2242 int main(int argc, char* argv[])
2243 {
2244 	int c;
2245 	const char* root_anchor_file = ROOT_ANCHOR_FILE;
2246 	const char* root_cert_file = ROOT_CERT_FILE;
2247 	const char* urlname = URLNAME;
2248 	const char* xmlname = XMLNAME;
2249 	const char* p7sname = P7SNAME;
2250 	const char* p7signer = P7SIGNER;
2251 	const char* res_conf = NULL;
2252 	const char* root_hints = NULL;
2253 	const char* debugconf = NULL;
2254 	int dolist=0, ip4only=0, ip6only=0, force=0, port = HTTPS_PORT;
2255 	/* parse the options */
2256 	while( (c=getopt(argc, argv, "46C:FP:a:c:f:hln:r:s:u:vx:")) != -1) {
2257 		switch(c) {
2258 		case 'l':
2259 			dolist = 1;
2260 			break;
2261 		case '4':
2262 			ip4only = 1;
2263 			break;
2264 		case '6':
2265 			ip6only = 1;
2266 			break;
2267 		case 'a':
2268 			root_anchor_file = optarg;
2269 			break;
2270 		case 'c':
2271 			root_cert_file = optarg;
2272 			break;
2273 		case 'u':
2274 			urlname = optarg;
2275 			break;
2276 		case 'x':
2277 			xmlname = optarg;
2278 			break;
2279 		case 's':
2280 			p7sname = optarg;
2281 			break;
2282 		case 'n':
2283 			p7signer = optarg;
2284 			break;
2285 		case 'f':
2286 			res_conf = optarg;
2287 			break;
2288 		case 'r':
2289 			root_hints = optarg;
2290 			break;
2291 		case 'C':
2292 			debugconf = optarg;
2293 			break;
2294 		case 'F':
2295 			force = 1;
2296 			break;
2297 		case 'P':
2298 			port = atoi(optarg);
2299 			break;
2300 		case 'v':
2301 			verb++;
2302 			break;
2303 		case '?':
2304 		case 'h':
2305 		default:
2306 			usage();
2307 		}
2308 	}
2309 	argc -= optind;
2310 	argv += optind;
2311 	if(argc != 0)
2312 		usage();
2313 
2314 #ifdef HAVE_ERR_LOAD_CRYPTO_STRINGS
2315 	ERR_load_crypto_strings();
2316 #endif
2317 	ERR_load_SSL_strings();
2318 #if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_CRYPTO)
2319 	OpenSSL_add_all_algorithms();
2320 #else
2321 	OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS
2322 		| OPENSSL_INIT_ADD_ALL_DIGESTS
2323 		| OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
2324 #endif
2325 #if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_SSL)
2326 	(void)SSL_library_init();
2327 #else
2328 	(void)OPENSSL_init_ssl(0, NULL);
2329 #endif
2330 
2331 	if(dolist) do_list_builtin();
2332 
2333 	return do_root_update_work(root_anchor_file, root_cert_file, urlname,
2334 		xmlname, p7sname, p7signer, res_conf, root_hints, debugconf,
2335 		ip4only, ip6only, force, port);
2336 }
2337