xref: /freebsd/contrib/unbound/smallapp/unbound-anchor.c (revision f81cdf24ba5436367377f7c8e8f51f6df2a75ca7)
1 /*
2  * unbound-anchor.c - update the root anchor if necessary.
3  *
4  * Copyright (c) 2010, NLnet Labs. All rights reserved.
5  *
6  * This software is open source.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * Redistributions of source code must retain the above copyright notice,
13  * this list of conditions and the following disclaimer.
14  *
15  * Redistributions in binary form must reproduce the above copyright notice,
16  * this list of conditions and the following disclaimer in the documentation
17  * and/or other materials provided with the distribution.
18  *
19  * Neither the name of the NLNET LABS nor the names of its contributors may
20  * be used to endorse or promote products derived from this software without
21  * specific prior written permission.
22  *
23  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26  * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27  * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29  * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31  * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32  * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34  */
35 
36 /**
37  * \file
38  *
39  * This file checks to see that the current 5011 keys work to prime the
40  * current root anchor.  If not a certificate is used to update the anchor,
41  * with RFC7958 https xml fetch.
42  *
43  * This is a concept solution for distribution of the DNSSEC root
44  * trust anchor.  It is a small tool, called "unbound-anchor", that
45  * runs before the main validator starts.  I.e. in the init script:
46  * unbound-anchor; unbound.  Thus it is meant to run at system boot time.
47  *
48  * Management-Abstract:
49  *    * first run: fill root.key file with hardcoded DS record.
50  *    * mostly: use RFC5011 tracking, quick . DNSKEY UDP query.
51  *    * failover: use RFC7958 builtin certificate, do https and update.
52  * Special considerations:
53  *    * 30-days RFC5011 timer saves a lot of https traffic.
54  *    * DNSKEY probe must be NOERROR, saves a lot of https traffic.
55  *    * fail if clock before sign date of the root, if cert expired.
56  *    * if the root goes back to unsigned, deals with it.
57  *
58  * It has hardcoded the root DS anchors and the ICANN CA root certificate.
59  * It allows with options to override those.  It also takes root-hints (it
60  * has to do a DNS resolve), and also has hardcoded defaults for those.
61  *
62  * Once it starts, just before the validator starts, it quickly checks if
63  * the root anchor file needs to be updated.  First it tries to use
64  * RFC5011-tracking of the root key.  If that fails (and for 30-days since
65  * last successful probe), then it attempts to update using the
66  * certificate.  So most of the time, the RFC5011 tracking will work fine,
67  * and within a couple milliseconds, the main daemon can start.  It will
68  * have only probed the . DNSKEY, not done expensive https transfers on the
69  * root infrastructure.
70  *
71  * If there is no root key in the root.key file, it bootstraps the
72  * RFC5011-tracking with its builtin DS anchors; if that fails it
73  * bootstraps the RFC5011-tracking using the certificate.  (again to avoid
74  * https, and it is also faster).
75  *
76  * It uses the XML file by converting it to DS records and writing that to the
77  * key file.  Unbound can detect that the 'special comments' are gone, and
78  * the file contains a list of normal DNSKEY/DS records, and uses that to
79  * bootstrap 5011 (the KSK is made VALID).
80  *
81  * The certificate RFC7958 update is done by fetching root-anchors.xml and
82  * root-anchors.p7s via SSL.  The HTTPS certificate can be logged but is
83  * not validated (https for channel security; the security comes from the
84  * certificate).  The 'data.iana.org' domain name A and AAAA are resolved
85  * without DNSSEC.  It tries a random IP until the transfer succeeds.  It
86  * then checks the p7s signature.
87  *
88  * On any failure, it leaves the root key file untouched.  The main
89  * validator has to cope with it, it cannot fix things (So a failure does
90  * not go 'without DNSSEC', no downgrade).  If it used its builtin stuff or
91  * did the https, it exits with an exit code, so that this can trigger the
92  * init script to log the event and potentially alert the operator that can
93  * do a manual check.
94  *
95  * The date is also checked.  Before 2010-07-15 is a failure (root not
96  * signed yet; avoids attacks on system clock).  The
97  * last-successful-RFC5011-probe (if available) has to be more than 30 days
98  * in the past (otherwise, RFC5011 should have worked).  This keeps
99  * unnecessary https traffic down.  If the main certificate is expired, it
100  * fails.
101  *
102  * The dates on the keys in the xml are checked (uses the libexpat xml
103  * parser), only the valid ones are used to re-enstate RFC5011 tracking.
104  * If 0 keys are valid, the zone has gone to insecure (a special marker is
105  * written in the keyfile that tells the main validator daemon the zone is
106  * insecure).
107  *
108  * Only the root ICANN CA is shipped, not the intermediate ones.  The
109  * intermediate CAs are included in the p7s file that was downloaded.  (the
110  * root cert is valid to 2028 and the intermediate to 2014, today).
111  *
112  * Obviously, the tool also has options so the operator can provide a new
113  * keyfile, a new certificate and new URLs, and fresh root hints.  By
114  * default it logs nothing on failure and success; it 'just works'.
115  *
116  */
117 
118 #include "config.h"
119 #include "libunbound/unbound.h"
120 #include "sldns/rrdef.h"
121 #include "sldns/parseutil.h"
122 #include <expat.h>
123 #ifndef HAVE_EXPAT_H
124 #error "need libexpat to parse root-anchors.xml file."
125 #endif
126 #ifdef HAVE_GETOPT_H
127 #include <getopt.h>
128 #endif
129 #ifdef HAVE_OPENSSL_SSL_H
130 #include <openssl/ssl.h>
131 #endif
132 #ifdef HAVE_OPENSSL_ERR_H
133 #include <openssl/err.h>
134 #endif
135 #ifdef HAVE_OPENSSL_RAND_H
136 #include <openssl/rand.h>
137 #endif
138 #include <openssl/x509.h>
139 #include <openssl/x509v3.h>
140 #include <openssl/pem.h>
141 
142 /** name of server in URL to fetch HTTPS from */
143 #define URLNAME "data.iana.org"
144 /** path on HTTPS server to xml file */
145 #define XMLNAME "root-anchors/root-anchors.xml"
146 /** path on HTTPS server to p7s file */
147 #define P7SNAME "root-anchors/root-anchors.p7s"
148 /** name of the signer of the certificate */
149 #define P7SIGNER "dnssec@iana.org"
150 /** port number for https access */
151 #define HTTPS_PORT 443
152 
153 #ifdef USE_WINSOCK
154 /* sneakily reuse the the wsa_strerror function, on windows */
155 char* wsa_strerror(int err);
156 #endif
157 
158 static const char ICANN_UPDATE_CA[] =
159 	/* The ICANN CA fetched at 24 Sep 2010.  Valid to 2028 */
160 	"-----BEGIN CERTIFICATE-----\n"
161 	"MIIDdzCCAl+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO\n"
162 	"TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV\n"
163 	"BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA0MTkxMloX\n"
164 	"DTI5MTIxODA0MTkxMlowXTEOMAwGA1UEChMFSUNBTk4xJjAkBgNVBAsTHUlDQU5O\n"
165 	"IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRYwFAYDVQQDEw1JQ0FOTiBSb290IENB\n"
166 	"MQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKDb\n"
167 	"cLhPNNqc1NB+u+oVvOnJESofYS9qub0/PXagmgr37pNublVThIzyLPGCJ8gPms9S\n"
168 	"G1TaKNIsMI7d+5IgMy3WyPEOECGIcfqEIktdR1YWfJufXcMReZwU4v/AdKzdOdfg\n"
169 	"ONiwc6r70duEr1IiqPbVm5T05l1e6D+HkAvHGnf1LtOPGs4CHQdpIUcy2kauAEy2\n"
170 	"paKcOcHASvbTHK7TbbvHGPB+7faAztABLoneErruEcumetcNfPMIjXKdv1V1E3C7\n"
171 	"MSJKy+jAqqQJqjZoQGB0necZgUMiUv7JK1IPQRM2CXJllcyJrm9WFxY0c1KjBO29\n"
172 	"iIKK69fcglKcBuFShUECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8B\n"
173 	"Af8EBAMCAf4wHQYDVR0OBBYEFLpS6UmDJIZSL8eZzfyNa2kITcBQMA0GCSqGSIb3\n"
174 	"DQEBCwUAA4IBAQAP8emCogqHny2UYFqywEuhLys7R9UKmYY4suzGO4nkbgfPFMfH\n"
175 	"6M+Zj6owwxlwueZt1j/IaCayoKU3QsrYYoDRolpILh+FPwx7wseUEV8ZKpWsoDoD\n"
176 	"2JFbLg2cfB8u/OlE4RYmcxxFSmXBg0yQ8/IoQt/bxOcEEhhiQ168H2yE5rxJMt9h\n"
177 	"15nu5JBSewrCkYqYYmaxyOC3WrVGfHZxVI7MpIFcGdvSb2a1uyuua8l0BKgk3ujF\n"
178 	"0/wsHNeP22qNyVO+XVBzrM8fk8BSUFuiT/6tZTYXRtEt5aKQZgXbKU5dUF3jT9qg\n"
179 	"j/Br5BZw3X/zd325TvnswzMC1+ljLzHnQGGk\n"
180 	"-----END CERTIFICATE-----\n";
181 
182 static const char DS_TRUST_ANCHOR[] =
183 	/* The anchors must start on a new line with ". IN DS and end with \n"[;]
184 	 * because the makedist script greps on the source here */
185 	/* anchor 20326 is from 2017 */
186 ". IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D\n";
187 
188 /** verbosity for this application */
189 static int verb = 0;
190 
191 /** list of IP addresses */
192 struct ip_list {
193 	/** next in list */
194 	struct ip_list* next;
195 	/** length of addr */
196 	socklen_t len;
197 	/** address ready to connect to */
198 	struct sockaddr_storage addr;
199 	/** has the address been used */
200 	int used;
201 };
202 
203 /** Give unbound-anchor usage, and exit (1). */
204 static void
205 usage(void)
206 {
207 	printf("Usage:	local-unbound-anchor [opts]\n");
208 	printf("	Setup or update root anchor. "
209 		"Most options have defaults.\n");
210 	printf("	Run this program before you start the validator.\n");
211 	printf("\n");
212 	printf("	The anchor and cert have default builtin content\n");
213 	printf("	if the file does not exist or is empty.\n");
214 	printf("\n");
215 	printf("-a file		root key file, default %s\n", ROOT_ANCHOR_FILE);
216 	printf("		The key is input and output for this tool.\n");
217 	printf("-c file		cert file, default %s\n", ROOT_CERT_FILE);
218 	printf("-l		list builtin key and cert on stdout\n");
219 	printf("-u name		server in https url, default %s\n", URLNAME);
220 	printf("-S		do not use SNI for the https connection\n");
221 	printf("-x path		pathname to xml in url, default %s\n", XMLNAME);
222 	printf("-s path		pathname to p7s in url, default %s\n", P7SNAME);
223 	printf("-n name		signer's subject emailAddress, default %s\n", P7SIGNER);
224 	printf("-b address	source address to bind to\n");
225 	printf("-4		work using IPv4 only\n");
226 	printf("-6		work using IPv6 only\n");
227 	printf("-f resolv.conf	use given resolv.conf\n");
228 	printf("-r root.hints	use given root.hints\n"
229 		"		builtin root hints are used by default\n");
230 	printf("-R		fallback from -f to root query on error\n");
231 	printf("-v		more verbose\n");
232 	printf("-C conf		debug, read config\n");
233 	printf("-P port		use port for https connect, default 443\n");
234 	printf("-F 		debug, force update with cert\n");
235 	printf("-h		show this usage help\n");
236 	printf("Version %s\n", PACKAGE_VERSION);
237 	printf("BSD licensed, see LICENSE in source package for details.\n");
238 	printf("Report bugs to %s\n", PACKAGE_BUGREPORT);
239 	exit(1);
240 }
241 
242 /** return the built in root update certificate */
243 static const char*
244 get_builtin_cert(void)
245 {
246 	return ICANN_UPDATE_CA;
247 }
248 
249 /** return the built in root DS trust anchor */
250 static const char*
251 get_builtin_ds(void)
252 {
253 	return DS_TRUST_ANCHOR;
254 }
255 
256 /** print hex data */
257 static void
258 print_data(const char* msg, const char* data, size_t len)
259 {
260 	size_t i;
261 	printf("%s: ", msg);
262 	for(i=0; i<len; i++) {
263 		printf(" %2.2x", (unsigned char)data[i]);
264 	}
265 	printf("\n");
266 }
267 
268 /** print ub context creation error and exit */
269 static void
270 ub_ctx_error_exit(struct ub_ctx* ctx, const char* str, const char* str2)
271 {
272 	ub_ctx_delete(ctx);
273 	if(str && str2 && verb) printf("%s: %s\n", str, str2);
274 	if(verb) printf("error: could not create unbound resolver context\n");
275 	exit(0);
276 }
277 
278 /**
279  * Create a new unbound context with the commandline settings applied
280  */
281 static struct ub_ctx*
282 create_unbound_context(const char* res_conf, const char* root_hints,
283 	const char* debugconf, const char* srcaddr, int ip4only, int ip6only)
284 {
285 	int r;
286 	struct ub_ctx* ctx = ub_ctx_create();
287 	if(!ctx) {
288 		if(verb) printf("out of memory\n");
289 		exit(0);
290 	}
291 	/* do not waste time and network traffic to fetch extra nameservers */
292 	r = ub_ctx_set_option(ctx, "target-fetch-policy:", "0 0 0 0 0");
293 	if(r && verb) printf("ctx targetfetchpolicy: %s\n", ub_strerror(r));
294 	/* read config file first, so its settings can be overridden */
295 	if(debugconf) {
296 		r = ub_ctx_config(ctx, debugconf);
297 		if(r) ub_ctx_error_exit(ctx, debugconf, ub_strerror(r));
298 	}
299 	if(res_conf) {
300 		r = ub_ctx_resolvconf(ctx, res_conf);
301 		if(r) ub_ctx_error_exit(ctx, res_conf, ub_strerror(r));
302 	}
303 	if(root_hints) {
304 		r = ub_ctx_set_option(ctx, "root-hints:", root_hints);
305 		if(r) ub_ctx_error_exit(ctx, root_hints, ub_strerror(r));
306 	}
307 	if(srcaddr) {
308 		r = ub_ctx_set_option(ctx, "outgoing-interface:", srcaddr);
309 		if(r) ub_ctx_error_exit(ctx, srcaddr, ub_strerror(r));
310 	}
311 	if(ip4only) {
312 		r = ub_ctx_set_option(ctx, "do-ip6:", "no");
313 		if(r) ub_ctx_error_exit(ctx, "ip4only", ub_strerror(r));
314 	}
315 	if(ip6only) {
316 		r = ub_ctx_set_option(ctx, "do-ip4:", "no");
317 		if(r) ub_ctx_error_exit(ctx, "ip6only", ub_strerror(r));
318 	}
319 	return ctx;
320 }
321 
322 /** printout certificate in detail */
323 static void
324 verb_cert(const char* msg, X509* x)
325 {
326 	if(verb == 0 || verb == 1) return;
327 	if(verb == 2) {
328 		if(msg) printf("%s\n", msg);
329 		X509_print_ex_fp(stdout, x, 0, (unsigned long)-1
330 			^(X509_FLAG_NO_SUBJECT
331 			|X509_FLAG_NO_ISSUER|X509_FLAG_NO_VALIDITY));
332 		return;
333 	}
334 	if(msg) printf("%s\n", msg);
335 	X509_print_fp(stdout, x);
336 }
337 
338 /** printout certificates in detail */
339 static void
340 verb_certs(const char* msg, STACK_OF(X509)* sk)
341 {
342 	int i, num = sk_X509_num(sk);
343 	if(verb == 0 || verb == 1) return;
344 	for(i=0; i<num; i++) {
345 		printf("%s (%d/%d)\n", msg, i, num);
346 		verb_cert(NULL, sk_X509_value(sk, i));
347 	}
348 }
349 
350 /** read certificates from a PEM bio */
351 static STACK_OF(X509)*
352 read_cert_bio(BIO* bio)
353 {
354 	STACK_OF(X509) *sk = sk_X509_new_null();
355 	if(!sk) {
356 		if(verb) printf("out of memory\n");
357 		exit(0);
358 	}
359 	while(!BIO_eof(bio)) {
360 		X509* x = PEM_read_bio_X509(bio, NULL, NULL, NULL);
361 		if(x == NULL) {
362 			if(verb) {
363 				printf("failed to read X509\n");
364 			 	ERR_print_errors_fp(stdout);
365 			}
366 			continue;
367 		}
368 		if(!sk_X509_push(sk, x)) {
369 			if(verb) printf("out of memory\n");
370 			exit(0);
371 		}
372 	}
373 	return sk;
374 }
375 
376 /* read the certificate file */
377 static STACK_OF(X509)*
378 read_cert_file(const char* file)
379 {
380 	STACK_OF(X509)* sk;
381 	FILE* in;
382 	int content = 0;
383 	char buf[128];
384 	if(file == NULL || strcmp(file, "") == 0) {
385 		return NULL;
386 	}
387 	sk = sk_X509_new_null();
388 	if(!sk) {
389 		if(verb) printf("out of memory\n");
390 		exit(0);
391 	}
392 	in = fopen(file, "r");
393 	if(!in) {
394 		if(verb) printf("%s: %s\n", file, strerror(errno));
395 #ifndef S_SPLINT_S
396 		sk_X509_pop_free(sk, X509_free);
397 #endif
398 		return NULL;
399 	}
400 	while(!feof(in)) {
401 		X509* x = PEM_read_X509(in, NULL, NULL, NULL);
402 		if(x == NULL) {
403 			if(verb) {
404 				printf("failed to read X509 file\n");
405 			 	ERR_print_errors_fp(stdout);
406 			}
407 			continue;
408 		}
409 		if(!sk_X509_push(sk, x)) {
410 			if(verb) printf("out of memory\n");
411 			fclose(in);
412 			exit(0);
413 		}
414 		content = 1;
415 		/* read away newline after --END CERT-- */
416 		if(!fgets(buf, (int)sizeof(buf), in))
417 			break;
418 	}
419 	fclose(in);
420 	if(!content) {
421 		if(verb) printf("%s is empty\n", file);
422 #ifndef S_SPLINT_S
423 		sk_X509_pop_free(sk, X509_free);
424 #endif
425 		return NULL;
426 	}
427 	return sk;
428 }
429 
430 /** read certificates from the builtin certificate */
431 static STACK_OF(X509)*
432 read_builtin_cert(void)
433 {
434 	const char* builtin_cert = get_builtin_cert();
435 	STACK_OF(X509)* sk;
436 	BIO *bio = BIO_new_mem_buf(builtin_cert,
437 		(int)strlen(builtin_cert));
438 	if(!bio) {
439 		if(verb) printf("out of memory\n");
440 		exit(0);
441 	}
442 	sk = read_cert_bio(bio);
443 	if(!sk) {
444 		if(verb) printf("internal error, out of memory\n");
445 		exit(0);
446 	}
447 	BIO_free(bio);
448 	return sk;
449 }
450 
451 /** read update cert file or use builtin */
452 static STACK_OF(X509)*
453 read_cert_or_builtin(const char* file)
454 {
455 	STACK_OF(X509) *sk = read_cert_file(file);
456 	if(!sk) {
457 		if(verb) printf("using builtin certificate\n");
458 		sk = read_builtin_cert();
459 	}
460 	if(verb) printf("have %d trusted certificates\n", sk_X509_num(sk));
461 	verb_certs("trusted certificates", sk);
462 	return sk;
463 }
464 
465 static void
466 do_list_builtin(void)
467 {
468 	const char* builtin_cert = get_builtin_cert();
469 	const char* builtin_ds = get_builtin_ds();
470 	printf("%s\n", builtin_ds);
471 	printf("%s\n", builtin_cert);
472 	exit(0);
473 }
474 
475 /** printout IP address with message */
476 static void
477 verb_addr(const char* msg, struct ip_list* ip)
478 {
479 	if(verb) {
480 		char out[100];
481 		void* a = &((struct sockaddr_in*)&ip->addr)->sin_addr;
482 		if(ip->len != (socklen_t)sizeof(struct sockaddr_in))
483 			a = &((struct sockaddr_in6*)&ip->addr)->sin6_addr;
484 
485 		if(inet_ntop((int)((struct sockaddr_in*)&ip->addr)->sin_family,
486 			a, out, (socklen_t)sizeof(out))==0)
487 			printf("%s (inet_ntop error)\n", msg);
488 		else printf("%s %s\n", msg, out);
489 	}
490 }
491 
492 /** free ip_list */
493 static void
494 ip_list_free(struct ip_list* p)
495 {
496 	struct ip_list* np;
497 	while(p) {
498 		np = p->next;
499 		free(p);
500 		p = np;
501 	}
502 }
503 
504 /** create ip_list entry for a RR record */
505 static struct ip_list*
506 RR_to_ip(int tp, char* data, int len, int port)
507 {
508 	struct ip_list* ip = (struct ip_list*)calloc(1, sizeof(*ip));
509 	uint16_t p = (uint16_t)port;
510 	if(tp == LDNS_RR_TYPE_A) {
511 		struct sockaddr_in* sa = (struct sockaddr_in*)&ip->addr;
512 		ip->len = (socklen_t)sizeof(*sa);
513 		sa->sin_family = AF_INET;
514 		sa->sin_port = (in_port_t)htons(p);
515 		if(len != (int)sizeof(sa->sin_addr)) {
516 			if(verb) printf("skipped badly formatted A\n");
517 			free(ip);
518 			return NULL;
519 		}
520 		memmove(&sa->sin_addr, data, sizeof(sa->sin_addr));
521 
522 	} else if(tp == LDNS_RR_TYPE_AAAA) {
523 		struct sockaddr_in6* sa = (struct sockaddr_in6*)&ip->addr;
524 		ip->len = (socklen_t)sizeof(*sa);
525 		sa->sin6_family = AF_INET6;
526 		sa->sin6_port = (in_port_t)htons(p);
527 		if(len != (int)sizeof(sa->sin6_addr)) {
528 			if(verb) printf("skipped badly formatted AAAA\n");
529 			free(ip);
530 			return NULL;
531 		}
532 		memmove(&sa->sin6_addr, data, sizeof(sa->sin6_addr));
533 	} else {
534 		if(verb) printf("internal error: bad type in RRtoip\n");
535 		free(ip);
536 		return NULL;
537 	}
538 	verb_addr("resolved server address", ip);
539 	return ip;
540 }
541 
542 /** Resolve name, type, class and add addresses to iplist */
543 static void
544 resolve_host_ip(struct ub_ctx* ctx, const char* host, int port, int tp, int cl,
545 	struct ip_list** head)
546 {
547 	struct ub_result* res = NULL;
548 	int r;
549 	int i;
550 
551 	r = ub_resolve(ctx, host, tp, cl, &res);
552 	if(r) {
553 		if(verb) printf("error: resolve %s %s: %s\n", host,
554 			(tp==LDNS_RR_TYPE_A)?"A":"AAAA", ub_strerror(r));
555 		return;
556 	}
557 	if(!res) {
558 		if(verb) printf("out of memory\n");
559 		ub_ctx_delete(ctx);
560 		exit(0);
561 	}
562 	if(!res->havedata || res->rcode || !res->data) {
563 		if(verb) printf("resolve %s %s: no result\n", host,
564 			(tp==LDNS_RR_TYPE_A)?"A":"AAAA");
565 		return;
566 	}
567 	for(i = 0; res->data[i]; i++) {
568 		struct ip_list* ip = RR_to_ip(tp, res->data[i], res->len[i],
569 			port);
570 		if(!ip) continue;
571 		ip->next = *head;
572 		*head = ip;
573 	}
574 	ub_resolve_free(res);
575 }
576 
577 /** parse a text IP address into a sockaddr */
578 static struct ip_list*
579 parse_ip_addr(const char* str, int port)
580 {
581 	socklen_t len = 0;
582 	union {
583 		struct sockaddr_in6 a6;
584 		struct sockaddr_in a;
585 	} addr;
586 	struct ip_list* ip;
587 	uint16_t p = (uint16_t)port;
588 	memset(&addr, 0, sizeof(addr));
589 
590 	if(inet_pton(AF_INET6, str, &addr.a6.sin6_addr) > 0) {
591 		/* it is an IPv6 */
592 		addr.a6.sin6_family = AF_INET6;
593 		addr.a6.sin6_port = (in_port_t)htons(p);
594 		len = (socklen_t)sizeof(addr.a6);
595 	}
596 	if(inet_pton(AF_INET, str, &addr.a.sin_addr) > 0) {
597 		/* it is an IPv4 */
598 		addr.a.sin_family = AF_INET;
599 		addr.a.sin_port = (in_port_t)htons(p);
600 		len = (socklen_t)sizeof(struct sockaddr_in);
601 	}
602 	if(!len) return NULL;
603 	ip = (struct ip_list*)calloc(1, sizeof(*ip));
604 	if(!ip) {
605 		if(verb) printf("out of memory\n");
606 		exit(0);
607 	}
608 	ip->len = len;
609 	memmove(&ip->addr, &addr, len);
610 	if(verb) printf("server address is %s\n", str);
611 	return ip;
612 }
613 
614 /**
615  * Resolve a domain name (even though the resolver is down and there is
616  * no trust anchor).  Without DNSSEC validation.
617  * @param host: the name to resolve.
618  * 	If this name is an IP4 or IP6 address this address is returned.
619  * @param port: the port number used for the returned IP structs.
620  * @param res_conf: resolv.conf (if any).
621  * @param root_hints: root hints (if any).
622  * @param debugconf: unbound.conf for debugging options.
623  * @param srcaddr: source address option (if any).
624  * @param ip4only: use only ip4 for resolve and only lookup A
625  * @param ip6only: use only ip6 for resolve and only lookup AAAA
626  * 	default is to lookup A and AAAA using ip4 and ip6.
627  * @return list of IP addresses.
628  */
629 static struct ip_list*
630 resolve_name(const char* host, int port, const char* res_conf,
631 	const char* root_hints, const char* debugconf,
632 	const char* srcaddr, int ip4only, int ip6only)
633 {
634 	struct ub_ctx* ctx;
635 	struct ip_list* list = NULL;
636 	/* first see if name is an IP address itself */
637 	if( (list=parse_ip_addr(host, port)) ) {
638 		return list;
639 	}
640 
641 	/* create resolver context */
642 	ctx = create_unbound_context(res_conf, root_hints, debugconf,
643         	srcaddr, ip4only, ip6only);
644 
645 	/* try resolution of A */
646 	if(!ip6only) {
647 		resolve_host_ip(ctx, host, port, LDNS_RR_TYPE_A,
648 			LDNS_RR_CLASS_IN, &list);
649 	}
650 
651 	/* try resolution of AAAA */
652 	if(!ip4only) {
653 		resolve_host_ip(ctx, host, port, LDNS_RR_TYPE_AAAA,
654 			LDNS_RR_CLASS_IN, &list);
655 	}
656 
657 	ub_ctx_delete(ctx);
658 	if(!list) {
659 		if(verb) printf("%s has no IP addresses I can use\n", host);
660 		exit(0);
661 	}
662 	return list;
663 }
664 
665 /** clear used flags */
666 static void
667 wipe_ip_usage(struct ip_list* p)
668 {
669 	while(p) {
670 		p->used = 0;
671 		p = p->next;
672 	}
673 }
674 
675 /** count unused IPs */
676 static int
677 count_unused(struct ip_list* p)
678 {
679 	int num = 0;
680 	while(p) {
681 		if(!p->used) num++;
682 		p = p->next;
683 	}
684 	return num;
685 }
686 
687 /** pick random unused element from IP list */
688 static struct ip_list*
689 pick_random_ip(struct ip_list* list)
690 {
691 	struct ip_list* p = list;
692 	int num = count_unused(list);
693 	int sel;
694 	if(num == 0) return NULL;
695 	/* not perfect, but random enough */
696 	sel = (int)arc4random_uniform((uint32_t)num);
697 	/* skip over unused elements that we did not select */
698 	while(sel > 0 && p) {
699 		if(!p->used) sel--;
700 		p = p->next;
701 	}
702 	/* find the next unused element */
703 	while(p && p->used)
704 		p = p->next;
705 	if(!p) return NULL; /* robustness */
706 	return p;
707 }
708 
709 /** close the fd */
710 static void
711 fd_close(int fd)
712 {
713 #ifndef USE_WINSOCK
714 	close(fd);
715 #else
716 	closesocket(fd);
717 #endif
718 }
719 
720 /** printout socket errno */
721 static void
722 print_sock_err(const char* msg)
723 {
724 #ifndef USE_WINSOCK
725 	if(verb) printf("%s: %s\n", msg, strerror(errno));
726 #else
727 	if(verb) printf("%s: %s\n", msg, wsa_strerror(WSAGetLastError()));
728 #endif
729 }
730 
731 /** connect to IP address */
732 static int
733 connect_to_ip(struct ip_list* ip, struct ip_list* src)
734 {
735 	int fd;
736 	verb_addr("connect to", ip);
737 	fd = socket(ip->len==(socklen_t)sizeof(struct sockaddr_in)?
738 		AF_INET:AF_INET6, SOCK_STREAM, 0);
739 	if(fd == -1) {
740 		print_sock_err("socket");
741 		return -1;
742 	}
743 	if(src && bind(fd, (struct sockaddr*)&src->addr, src->len) < 0) {
744 		print_sock_err("bind");
745 		fd_close(fd);
746 		return -1;
747 	}
748 	if(connect(fd, (struct sockaddr*)&ip->addr, ip->len) < 0) {
749 		print_sock_err("connect");
750 		fd_close(fd);
751 		return -1;
752 	}
753 	return fd;
754 }
755 
756 /** create SSL context */
757 static SSL_CTX*
758 setup_sslctx(void)
759 {
760 	SSL_CTX* sslctx = SSL_CTX_new(SSLv23_client_method());
761 	if(!sslctx) {
762 		if(verb) printf("SSL_CTX_new error\n");
763 		return NULL;
764 	}
765 	return sslctx;
766 }
767 
768 /** initiate TLS on a connection */
769 static SSL*
770 TLS_initiate(SSL_CTX* sslctx, int fd, const char* urlname, int use_sni)
771 {
772 	X509* x;
773 	int r;
774 	SSL* ssl = SSL_new(sslctx);
775 	if(!ssl) {
776 		if(verb) printf("SSL_new error\n");
777 		return NULL;
778 	}
779 	SSL_set_connect_state(ssl);
780 	(void)SSL_set_mode(ssl, (long)SSL_MODE_AUTO_RETRY);
781 	if(!SSL_set_fd(ssl, fd)) {
782 		if(verb) printf("SSL_set_fd error\n");
783 		SSL_free(ssl);
784 		return NULL;
785 	}
786 	if(use_sni) {
787 		(void)SSL_set_tlsext_host_name(ssl, urlname);
788 	}
789 	while(1) {
790 		ERR_clear_error();
791 		if( (r=SSL_do_handshake(ssl)) == 1)
792 			break;
793 		r = SSL_get_error(ssl, r);
794 		if(r != SSL_ERROR_WANT_READ && r != SSL_ERROR_WANT_WRITE) {
795 			if(verb) printf("SSL handshake failed\n");
796 			SSL_free(ssl);
797 			return NULL;
798 		}
799 		/* wants to be called again */
800 	}
801 	x = SSL_get_peer_certificate(ssl);
802 	if(!x) {
803 		if(verb) printf("Server presented no peer certificate\n");
804 		SSL_free(ssl);
805 		return NULL;
806 	}
807 	verb_cert("server SSL certificate", x);
808 	X509_free(x);
809 	return ssl;
810 }
811 
812 /** perform neat TLS shutdown */
813 static void
814 TLS_shutdown(int fd, SSL* ssl, SSL_CTX* sslctx)
815 {
816 	/* shutdown the SSL connection nicely */
817 	if(SSL_shutdown(ssl) == 0) {
818 		SSL_shutdown(ssl);
819 	}
820 	SSL_free(ssl);
821 	SSL_CTX_free(sslctx);
822 	fd_close(fd);
823 }
824 
825 /** write a line over SSL */
826 static int
827 write_ssl_line(SSL* ssl, const char* str, const char* sec)
828 {
829 	char buf[1024];
830 	size_t l;
831 	if(sec) {
832 		snprintf(buf, sizeof(buf), str, sec);
833 	} else {
834 		snprintf(buf, sizeof(buf), "%s", str);
835 	}
836 	l = strlen(buf);
837 	if(l+2 >= sizeof(buf)) {
838 		if(verb) printf("line too long\n");
839 		return 0;
840 	}
841 	if(verb >= 2) printf("SSL_write: %s\n", buf);
842 	buf[l] = '\r';
843 	buf[l+1] = '\n';
844 	buf[l+2] = 0;
845 	/* add \r\n */
846 	if(SSL_write(ssl, buf, (int)strlen(buf)) <= 0) {
847 		if(verb) printf("could not SSL_write %s", str);
848 		return 0;
849 	}
850 	return 1;
851 }
852 
853 /** process header line, check rcode and keeping track of size */
854 static int
855 process_one_header(char* buf, size_t* clen, int* chunked)
856 {
857 	if(verb>=2) printf("header: '%s'\n", buf);
858 	if(strncasecmp(buf, "HTTP/1.1 ", 9) == 0) {
859 		/* check returncode */
860 		if(buf[9] != '2') {
861 			if(verb) printf("bad status %s\n", buf+9);
862 			return 0;
863 		}
864 	} else if(strncasecmp(buf, "Content-Length: ", 16) == 0) {
865 		if(!*chunked)
866 			*clen = (size_t)atoi(buf+16);
867 	} else if(strncasecmp(buf, "Transfer-Encoding: chunked", 19+7) == 0) {
868 		*clen = 0;
869 		*chunked = 1;
870 	}
871 	return 1;
872 }
873 
874 /**
875  * Read one line from SSL
876  * zero terminates.
877  * skips "\r\n" (but not copied to buf).
878  * @param ssl: the SSL connection to read from (blocking).
879  * @param buf: buffer to return line in.
880  * @param len: size of the buffer.
881  * @return 0 on error, 1 on success.
882  */
883 static int
884 read_ssl_line(SSL* ssl, char* buf, size_t len)
885 {
886 	size_t n = 0;
887 	int r;
888 	int endnl = 0;
889 	while(1) {
890 		if(n >= len) {
891 			if(verb) printf("line too long\n");
892 			return 0;
893 		}
894 		if((r = SSL_read(ssl, buf+n, 1)) <= 0) {
895 			if(SSL_get_error(ssl, r) == SSL_ERROR_ZERO_RETURN) {
896 				/* EOF */
897 				break;
898 			}
899 			if(verb) printf("could not SSL_read\n");
900 			return 0;
901 		}
902 		if(endnl && buf[n] == '\n') {
903 			break;
904 		} else if(endnl) {
905 			/* bad data */
906 			if(verb) printf("error: stray linefeeds\n");
907 			return 0;
908 		} else if(buf[n] == '\r') {
909 			/* skip \r, and also \n on the wire */
910 			endnl = 1;
911 			continue;
912 		} else if(buf[n] == '\n') {
913 			/* skip the \n, we are done */
914 			break;
915 		} else n++;
916 	}
917 	buf[n] = 0;
918 	return 1;
919 }
920 
921 /** read http headers and process them */
922 static size_t
923 read_http_headers(SSL* ssl, size_t* clen)
924 {
925 	char buf[1024];
926 	int chunked = 0;
927 	*clen = 0;
928 	while(read_ssl_line(ssl, buf, sizeof(buf))) {
929 		if(buf[0] == 0)
930 			return 1;
931 		if(!process_one_header(buf, clen, &chunked))
932 			return 0;
933 	}
934 	return 0;
935 }
936 
937 /** read a data chunk */
938 static char*
939 read_data_chunk(SSL* ssl, size_t len)
940 {
941 	size_t got = 0;
942 	int r;
943 	char* data;
944 	if((unsigned)len >= (unsigned)0xfffffff0)
945 		return NULL; /* to protect against integer overflow in malloc*/
946 	data = malloc(len+1);
947 	if(!data) {
948 		if(verb) printf("out of memory\n");
949 		return NULL;
950 	}
951 	while(got < len) {
952 		if((r = SSL_read(ssl, data+got, (int)(len-got))) <= 0) {
953 			if(SSL_get_error(ssl, r) == SSL_ERROR_ZERO_RETURN) {
954 				/* EOF */
955 				if(verb) printf("could not SSL_read: unexpected EOF\n");
956 				free(data);
957 				return NULL;
958 			}
959 			if(verb) printf("could not SSL_read\n");
960 			free(data);
961 			return NULL;
962 		}
963 		if(verb >= 2) printf("at %d/%d\n", (int)got, (int)len);
964 		got += r;
965 	}
966 	if(verb>=2) printf("read %d data\n", (int)len);
967 	data[len] = 0;
968 	return data;
969 }
970 
971 /** parse chunk header */
972 static int
973 parse_chunk_header(char* buf, size_t* result)
974 {
975 	char* e = NULL;
976 	size_t v = (size_t)strtol(buf, &e, 16);
977 	if(e == buf)
978 		return 0;
979 	*result = v;
980 	return 1;
981 }
982 
983 /** read chunked data from connection */
984 static BIO*
985 do_chunked_read(SSL* ssl)
986 {
987 	char buf[1024];
988 	size_t len;
989 	char* body;
990 	BIO* mem = BIO_new(BIO_s_mem());
991 	if(verb>=3) printf("do_chunked_read\n");
992 	if(!mem) {
993 		if(verb) printf("out of memory\n");
994 		return NULL;
995 	}
996 	while(read_ssl_line(ssl, buf, sizeof(buf))) {
997 		/* read the chunked start line */
998 		if(verb>=2) printf("chunk header: %s\n", buf);
999 		if(!parse_chunk_header(buf, &len)) {
1000 			BIO_free(mem);
1001 			if(verb>=3) printf("could not parse chunk header\n");
1002 			return NULL;
1003 		}
1004 		if(verb>=2) printf("chunk len: %d\n", (int)len);
1005 		/* are we done? */
1006 		if(len == 0) {
1007 			char z = 0;
1008 			/* skip end-of-chunk-trailer lines,
1009 			 * until the empty line after that */
1010 			do {
1011 				if(!read_ssl_line(ssl, buf, sizeof(buf))) {
1012 					BIO_free(mem);
1013 					return NULL;
1014 				}
1015 			} while (strlen(buf) > 0);
1016 			/* end of chunks, zero terminate it */
1017 			if(BIO_write(mem, &z, 1) <= 0) {
1018 				if(verb) printf("out of memory\n");
1019 				BIO_free(mem);
1020 				return NULL;
1021 			}
1022 			return mem;
1023 		}
1024 		/* read the chunked body */
1025 		body = read_data_chunk(ssl, len);
1026 		if(!body) {
1027 			BIO_free(mem);
1028 			return NULL;
1029 		}
1030 		if(BIO_write(mem, body, (int)len) <= 0) {
1031 			if(verb) printf("out of memory\n");
1032 			free(body);
1033 			BIO_free(mem);
1034 			return NULL;
1035 		}
1036 		free(body);
1037 		/* skip empty line after data chunk */
1038 		if(!read_ssl_line(ssl, buf, sizeof(buf))) {
1039 			BIO_free(mem);
1040 			return NULL;
1041 		}
1042 	}
1043 	BIO_free(mem);
1044 	return NULL;
1045 }
1046 
1047 /** start HTTP1.1 transaction on SSL */
1048 static int
1049 write_http_get(SSL* ssl, const char* pathname, const char* urlname)
1050 {
1051 	if(write_ssl_line(ssl, "GET /%s HTTP/1.1", pathname) &&
1052 	   write_ssl_line(ssl, "Host: %s", urlname) &&
1053 	   write_ssl_line(ssl, "User-Agent: unbound-anchor/%s",
1054 	   	PACKAGE_VERSION) &&
1055 	   /* We do not really do multiple queries per connection,
1056 	    * but this header setting is also not needed.
1057 	    * write_ssl_line(ssl, "Connection: close", NULL) &&*/
1058 	   write_ssl_line(ssl, "", NULL)) {
1059 		return 1;
1060 	}
1061 	return 0;
1062 }
1063 
1064 /** read chunked data and zero terminate; len is without zero */
1065 static char*
1066 read_chunked_zero_terminate(SSL* ssl, size_t* len)
1067 {
1068 	/* do the chunked version */
1069 	BIO* tmp = do_chunked_read(ssl);
1070 	char* data, *d = NULL;
1071 	size_t l;
1072 	if(!tmp) {
1073 		if(verb) printf("could not read from https\n");
1074 		return NULL;
1075 	}
1076 	l = (size_t)BIO_get_mem_data(tmp, &d);
1077 	if(verb>=2) printf("chunked data is %d\n", (int)l);
1078 	if(l == 0 || d == NULL) {
1079 		if(verb) printf("out of memory\n");
1080 		return NULL;
1081 	}
1082 	*len = l-1;
1083 	data = (char*)malloc(l);
1084 	if(data == NULL) {
1085 		if(verb) printf("out of memory\n");
1086 		return NULL;
1087 	}
1088 	memcpy(data, d, l);
1089 	BIO_free(tmp);
1090 	return data;
1091 }
1092 
1093 /** read HTTP result from SSL */
1094 static BIO*
1095 read_http_result(SSL* ssl)
1096 {
1097 	size_t len = 0;
1098 	char* data;
1099 	BIO* m;
1100 	if(!read_http_headers(ssl, &len)) {
1101 		return NULL;
1102 	}
1103 	if(len == 0) {
1104 		data = read_chunked_zero_terminate(ssl, &len);
1105 	} else {
1106 		data = read_data_chunk(ssl, len);
1107 	}
1108 	if(!data) return NULL;
1109 	if(verb >= 4) print_data("read data", data, len);
1110 	m = BIO_new(BIO_s_mem());
1111 	if(!m) {
1112 		if(verb) printf("out of memory\n");
1113 		free(data);
1114 		exit(0);
1115 	}
1116 	BIO_write(m, data, (int)len);
1117 	free(data);
1118 	return m;
1119 }
1120 
1121 /** https to an IP addr, return BIO with pathname or NULL */
1122 static BIO*
1123 https_to_ip(struct ip_list* ip, const char* pathname, const char* urlname,
1124 	struct ip_list* src, int use_sni)
1125 {
1126 	int fd;
1127 	SSL* ssl;
1128 	BIO* bio;
1129 	SSL_CTX* sslctx = setup_sslctx();
1130 	if(!sslctx) {
1131 		return NULL;
1132 	}
1133 	fd = connect_to_ip(ip, src);
1134 	if(fd == -1) {
1135 		SSL_CTX_free(sslctx);
1136 		return NULL;
1137 	}
1138 	ssl = TLS_initiate(sslctx, fd, urlname, use_sni);
1139 	if(!ssl) {
1140 		SSL_CTX_free(sslctx);
1141 		fd_close(fd);
1142 		return NULL;
1143 	}
1144 	if(!write_http_get(ssl, pathname, urlname)) {
1145 		if(verb) printf("could not write to server\n");
1146 		SSL_free(ssl);
1147 		SSL_CTX_free(sslctx);
1148 		fd_close(fd);
1149 		return NULL;
1150 	}
1151 	bio = read_http_result(ssl);
1152 	TLS_shutdown(fd, ssl, sslctx);
1153 	return bio;
1154 }
1155 
1156 /**
1157  * Do a HTTPS, HTTP1.1 over TLS, to fetch a file
1158  * @param ip_list: list of IP addresses to use to fetch from.
1159  * @param pathname: pathname of file on server to GET.
1160  * @param urlname: name to pass as the virtual host for this request.
1161  * @param src: if nonNULL, source address to bind to.
1162  * @param use_sni: if SNI will be used.
1163  * @return a memory BIO with the file in it.
1164  */
1165 static BIO*
1166 https(struct ip_list* ip_list, const char* pathname, const char* urlname,
1167 	struct ip_list* src, int use_sni)
1168 {
1169 	struct ip_list* ip;
1170 	BIO* bio = NULL;
1171 	/* try random address first, and work through the list */
1172 	wipe_ip_usage(ip_list);
1173 	while( (ip = pick_random_ip(ip_list)) ) {
1174 		ip->used = 1;
1175 		bio = https_to_ip(ip, pathname, urlname, src, use_sni);
1176 		if(bio) break;
1177 	}
1178 	if(!bio) {
1179 		if(verb) printf("could not fetch %s\n", pathname);
1180 		exit(0);
1181 	} else {
1182 		if(verb) printf("fetched %s (%d bytes)\n",
1183 			pathname, (int)BIO_ctrl_pending(bio));
1184 	}
1185 	return bio;
1186 }
1187 
1188 /** XML parse private data during the parse */
1189 struct xml_data {
1190 	/** the parser, reference */
1191 	XML_Parser parser;
1192 	/** the current tag; malloced; or NULL outside of tags */
1193 	char* tag;
1194 	/** current date to use during the parse */
1195 	time_t date;
1196 	/** number of keys usefully read in */
1197 	int num_keys;
1198 	/** the compiled anchors as DS records */
1199 	BIO* ds;
1200 
1201 	/** do we want to use this anchor? */
1202 	int use_key;
1203 	/** the current anchor: Zone */
1204 	BIO* czone;
1205 	/** the current anchor: KeyTag */
1206 	BIO* ctag;
1207 	/** the current anchor: Algorithm */
1208 	BIO* calgo;
1209 	/** the current anchor: DigestType */
1210 	BIO* cdigtype;
1211 	/** the current anchor: Digest*/
1212 	BIO* cdigest;
1213 };
1214 
1215 /** The BIO for the tag */
1216 static BIO*
1217 xml_selectbio(struct xml_data* data, const char* tag)
1218 {
1219 	BIO* b = NULL;
1220 	if(strcasecmp(tag, "KeyTag") == 0)
1221 		b = data->ctag;
1222 	else if(strcasecmp(tag, "Algorithm") == 0)
1223 		b = data->calgo;
1224 	else if(strcasecmp(tag, "DigestType") == 0)
1225 		b = data->cdigtype;
1226 	else if(strcasecmp(tag, "Digest") == 0)
1227 		b = data->cdigest;
1228 	return b;
1229 }
1230 
1231 /**
1232  * XML handle character data, the data inside an element.
1233  * @param userData: xml_data structure
1234  * @param s: the character data.  May not all be in one callback.
1235  * 	NOT zero terminated.
1236  * @param len: length of this part of the data.
1237  */
1238 static void
1239 xml_charhandle(void *userData, const XML_Char *s, int len)
1240 {
1241 	struct xml_data* data = (struct xml_data*)userData;
1242 	BIO* b = NULL;
1243 	/* skip characters outside of elements */
1244 	if(!data->tag)
1245 		return;
1246 	if(verb>=4) {
1247 		int i;
1248 		printf("%s%s charhandle: '",
1249 			data->use_key?"use ":"",
1250 			data->tag?data->tag:"none");
1251 		for(i=0; i<len; i++)
1252 			printf("%c", s[i]);
1253 		printf("'\n");
1254 	}
1255 	if(strcasecmp(data->tag, "Zone") == 0) {
1256 		if(BIO_write(data->czone, s, len) < 0) {
1257 			if(verb) printf("out of memory in BIO_write\n");
1258 			exit(0);
1259 		}
1260 		return;
1261 	}
1262 	/* only store if key is used */
1263 	if(!data->use_key)
1264 		return;
1265 	b = xml_selectbio(data, data->tag);
1266 	if(b) {
1267 		if(BIO_write(b, s, len) < 0) {
1268 			if(verb) printf("out of memory in BIO_write\n");
1269 			exit(0);
1270 		}
1271 	}
1272 }
1273 
1274 /**
1275  * XML fetch value of particular attribute(by name) or NULL if not present.
1276  * @param atts: attribute array (from xml_startelem).
1277  * @param name: name of attribute to look for.
1278  * @return the value or NULL. (ptr into atts).
1279  */
1280 static const XML_Char*
1281 find_att(const XML_Char **atts, const XML_Char* name)
1282 {
1283 	int i;
1284 	for(i=0; atts[i]; i+=2) {
1285 		if(strcasecmp(atts[i], name) == 0)
1286 			return atts[i+1];
1287 	}
1288 	return NULL;
1289 }
1290 
1291 /**
1292  * XML convert DateTime element to time_t.
1293  * [-]CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm]
1294  * (with optional .ssssss fractional seconds)
1295  * @param str: the string
1296  * @return a time_t representation or 0 on failure.
1297  */
1298 static time_t
1299 xml_convertdate(const char* str)
1300 {
1301 	time_t t = 0;
1302 	struct tm tm;
1303 	const char* s;
1304 	/* for this application, ignore minus in front;
1305 	 * only positive dates are expected */
1306 	s = str;
1307 	if(s[0] == '-') s++;
1308 	memset(&tm, 0, sizeof(tm));
1309 	/* parse initial content of the string (lots of whitespace allowed) */
1310 	s = strptime(s, "%t%Y%t-%t%m%t-%t%d%tT%t%H%t:%t%M%t:%t%S%t", &tm);
1311 	if(!s) {
1312 		if(verb) printf("xml_convertdate parse failure %s\n", str);
1313 		return 0;
1314 	}
1315 	/* parse remainder of date string */
1316 	if(*s == '.') {
1317 		/* optional '.' and fractional seconds */
1318 		int frac = 0, n = 0;
1319 		if(sscanf(s+1, "%d%n", &frac, &n) < 1) {
1320 			if(verb) printf("xml_convertdate f failure %s\n", str);
1321 			return 0;
1322 		}
1323 		/* fraction is not used, time_t has second accuracy */
1324 		s++;
1325 		s+=n;
1326 	}
1327 	if(*s == 'Z' || *s == 'z') {
1328 		/* nothing to do for this */
1329 		s++;
1330 	} else if(*s == '+' || *s == '-') {
1331 		/* optional timezone spec: Z or +hh:mm or -hh:mm */
1332 		int hr = 0, mn = 0, n = 0;
1333 		if(sscanf(s+1, "%d:%d%n", &hr, &mn, &n) < 2) {
1334 			if(verb) printf("xml_convertdate tz failure %s\n", str);
1335 			return 0;
1336 		}
1337 		if(*s == '+') {
1338 			tm.tm_hour += hr;
1339 			tm.tm_min += mn;
1340 		} else {
1341 			tm.tm_hour -= hr;
1342 			tm.tm_min -= mn;
1343 		}
1344 		s++;
1345 		s += n;
1346 	}
1347 	if(*s != 0) {
1348 		/* not ended properly */
1349 		/* but ignore, (lenient) */
1350 	}
1351 
1352 	t = sldns_mktime_from_utc(&tm);
1353 	if(t == (time_t)-1) {
1354 		if(verb) printf("xml_convertdate mktime failure\n");
1355 		return 0;
1356 	}
1357 	return t;
1358 }
1359 
1360 /**
1361  * XML handle the KeyDigest start tag, check validity periods.
1362  */
1363 static void
1364 handle_keydigest(struct xml_data* data, const XML_Char **atts)
1365 {
1366 	data->use_key = 0;
1367 	if(find_att(atts, "validFrom")) {
1368 		time_t from = xml_convertdate(find_att(atts, "validFrom"));
1369 		if(from == 0) {
1370 			if(verb) printf("error: xml cannot be parsed\n");
1371 			exit(0);
1372 		}
1373 		if(data->date < from)
1374 			return;
1375 	}
1376 	if(find_att(atts, "validUntil")) {
1377 		time_t until = xml_convertdate(find_att(atts, "validUntil"));
1378 		if(until == 0) {
1379 			if(verb) printf("error: xml cannot be parsed\n");
1380 			exit(0);
1381 		}
1382 		if(data->date > until)
1383 			return;
1384 	}
1385 	/* yes we want to use this key */
1386 	data->use_key = 1;
1387 	(void)BIO_reset(data->ctag);
1388 	(void)BIO_reset(data->calgo);
1389 	(void)BIO_reset(data->cdigtype);
1390 	(void)BIO_reset(data->cdigest);
1391 }
1392 
1393 /** See if XML element equals the zone name */
1394 static int
1395 xml_is_zone_name(BIO* zone, const char* name)
1396 {
1397 	char buf[1024];
1398 	char* z = NULL;
1399 	long zlen;
1400 	(void)BIO_seek(zone, 0);
1401 	zlen = BIO_get_mem_data(zone, &z);
1402 	if(!zlen || !z) return 0;
1403 	/* zero terminate */
1404 	if(zlen >= (long)sizeof(buf)) return 0;
1405 	memmove(buf, z, (size_t)zlen);
1406 	buf[zlen] = 0;
1407 	/* compare */
1408 	return (strncasecmp(buf, name, strlen(name)) == 0);
1409 }
1410 
1411 /**
1412  * XML start of element. This callback is called whenever an XML tag starts.
1413  * XML_Char is UTF8.
1414  * @param userData: the xml_data structure.
1415  * @param name: the tag that starts.
1416  * @param atts: array of strings, pairs of attr = value, ends with NULL.
1417  * 	i.e. att[0]="att[1]" att[2]="att[3]" att[4]isNull
1418  */
1419 static void
1420 xml_startelem(void *userData, const XML_Char *name, const XML_Char **atts)
1421 {
1422 	struct xml_data* data = (struct xml_data*)userData;
1423 	BIO* b;
1424 	if(verb>=4) printf("xml tag start '%s'\n", name);
1425 	free(data->tag);
1426 	data->tag = strdup(name);
1427 	if(!data->tag) {
1428 		if(verb) printf("out of memory\n");
1429 		exit(0);
1430 	}
1431 	if(verb>=4) {
1432 		int i;
1433 		for(i=0; atts[i]; i+=2) {
1434 			printf("  %s='%s'\n", atts[i], atts[i+1]);
1435 		}
1436 	}
1437 	/* handle attributes to particular types */
1438 	if(strcasecmp(name, "KeyDigest") == 0) {
1439 		handle_keydigest(data, atts);
1440 		return;
1441 	} else if(strcasecmp(name, "Zone") == 0) {
1442 		(void)BIO_reset(data->czone);
1443 		return;
1444 	}
1445 
1446 	/* for other types we prepare to pick up the data */
1447 	if(!data->use_key)
1448 		return;
1449 	b = xml_selectbio(data, data->tag);
1450 	if(b) {
1451 		/* empty it */
1452 		(void)BIO_reset(b);
1453 	}
1454 }
1455 
1456 /** Append str to bio */
1457 static void
1458 xml_append_str(BIO* b, const char* s)
1459 {
1460 	if(BIO_write(b, s, (int)strlen(s)) < 0) {
1461 		if(verb) printf("out of memory in BIO_write\n");
1462 		exit(0);
1463 	}
1464 }
1465 
1466 /** Append bio to bio */
1467 static void
1468 xml_append_bio(BIO* b, BIO* a)
1469 {
1470 	char* z = NULL;
1471 	long i, len;
1472 	(void)BIO_seek(a, 0);
1473 	len = BIO_get_mem_data(a, &z);
1474 	if(!len || !z) {
1475 		if(verb) printf("out of memory in BIO_write\n");
1476 		exit(0);
1477 	}
1478 	/* remove newlines in the data here */
1479 	for(i=0; i<len; i++) {
1480 		if(z[i] == '\r' || z[i] == '\n')
1481 			z[i] = ' ';
1482 	}
1483 	/* write to BIO */
1484 	if(BIO_write(b, z, len) < 0) {
1485 		if(verb) printf("out of memory in BIO_write\n");
1486 		exit(0);
1487 	}
1488 }
1489 
1490 /** write the parsed xml-DS to the DS list */
1491 static void
1492 xml_append_ds(struct xml_data* data)
1493 {
1494 	/* write DS to accumulated DS */
1495 	xml_append_str(data->ds, ". IN DS ");
1496 	xml_append_bio(data->ds, data->ctag);
1497 	xml_append_str(data->ds, " ");
1498 	xml_append_bio(data->ds, data->calgo);
1499 	xml_append_str(data->ds, " ");
1500 	xml_append_bio(data->ds, data->cdigtype);
1501 	xml_append_str(data->ds, " ");
1502 	xml_append_bio(data->ds, data->cdigest);
1503 	xml_append_str(data->ds, "\n");
1504 	data->num_keys++;
1505 }
1506 
1507 /**
1508  * XML end of element. This callback is called whenever an XML tag ends.
1509  * XML_Char is UTF8.
1510  * @param userData: the xml_data structure
1511  * @param name: the tag that ends.
1512  */
1513 static void
1514 xml_endelem(void *userData, const XML_Char *name)
1515 {
1516 	struct xml_data* data = (struct xml_data*)userData;
1517 	if(verb>=4) printf("xml tag end   '%s'\n", name);
1518 	free(data->tag);
1519 	data->tag = NULL;
1520 	if(strcasecmp(name, "KeyDigest") == 0) {
1521 		if(data->use_key)
1522 			xml_append_ds(data);
1523 		data->use_key = 0;
1524 	} else if(strcasecmp(name, "Zone") == 0) {
1525 		if(!xml_is_zone_name(data->czone, ".")) {
1526 			if(verb) printf("xml not for the right zone\n");
1527 			exit(0);
1528 		}
1529 	}
1530 }
1531 
1532 /* Stop the parser when an entity declaration is encountered. For safety. */
1533 static void
1534 xml_entitydeclhandler(void *userData,
1535 	const XML_Char *ATTR_UNUSED(entityName),
1536 	int ATTR_UNUSED(is_parameter_entity),
1537 	const XML_Char *ATTR_UNUSED(value), int ATTR_UNUSED(value_length),
1538 	const XML_Char *ATTR_UNUSED(base),
1539 	const XML_Char *ATTR_UNUSED(systemId),
1540 	const XML_Char *ATTR_UNUSED(publicId),
1541 	const XML_Char *ATTR_UNUSED(notationName))
1542 {
1543 #if HAVE_DECL_XML_STOPPARSER
1544 	(void)XML_StopParser((XML_Parser)userData, XML_FALSE);
1545 #else
1546 	(void)userData;
1547 #endif
1548 }
1549 
1550 /**
1551  * XML parser setup of the callbacks for the tags
1552  */
1553 static void
1554 xml_parse_setup(XML_Parser parser, struct xml_data* data, time_t now)
1555 {
1556 	char buf[1024];
1557 	memset(data, 0, sizeof(*data));
1558 	XML_SetUserData(parser, data);
1559 	data->parser = parser;
1560 	data->date = now;
1561 	data->ds = BIO_new(BIO_s_mem());
1562 	data->ctag = BIO_new(BIO_s_mem());
1563 	data->czone = BIO_new(BIO_s_mem());
1564 	data->calgo = BIO_new(BIO_s_mem());
1565 	data->cdigtype = BIO_new(BIO_s_mem());
1566 	data->cdigest = BIO_new(BIO_s_mem());
1567 	if(!data->ds || !data->ctag || !data->calgo || !data->czone ||
1568 		!data->cdigtype || !data->cdigest) {
1569 		if(verb) printf("out of memory\n");
1570 		exit(0);
1571 	}
1572 	snprintf(buf, sizeof(buf), "; created by unbound-anchor on %s",
1573 		ctime(&now));
1574 	if(BIO_write(data->ds, buf, (int)strlen(buf)) < 0) {
1575 		if(verb) printf("out of memory\n");
1576 		exit(0);
1577 	}
1578 	XML_SetEntityDeclHandler(parser, xml_entitydeclhandler);
1579 	XML_SetElementHandler(parser, xml_startelem, xml_endelem);
1580 	XML_SetCharacterDataHandler(parser, xml_charhandle);
1581 }
1582 
1583 /**
1584  * Perform XML parsing of the root-anchors file
1585  * Its format description can be found in RFC 7958.
1586  * It uses libexpat.
1587  * @param xml: BIO with xml data.
1588  * @param now: the current time for checking DS validity periods.
1589  * @return memoryBIO with the DS data in zone format.
1590  * 	or NULL if the zone is insecure.
1591  * 	(It exit()s on error)
1592  */
1593 static BIO*
1594 xml_parse(BIO* xml, time_t now)
1595 {
1596 	char* pp;
1597 	int len;
1598 	XML_Parser parser;
1599 	struct xml_data data;
1600 
1601 	parser = XML_ParserCreate(NULL);
1602 	if(!parser) {
1603 		if(verb) printf("could not XML_ParserCreate\n");
1604 		exit(0);
1605 	}
1606 
1607 	/* setup callbacks */
1608 	xml_parse_setup(parser, &data, now);
1609 
1610 	/* parse it */
1611 	(void)BIO_seek(xml, 0);
1612 	len = (int)BIO_get_mem_data(xml, &pp);
1613 	if(!len || !pp) {
1614 		if(verb) printf("out of memory\n");
1615 		exit(0);
1616 	}
1617 	if(!XML_Parse(parser, pp, len, 1 /*isfinal*/ )) {
1618 		const char *e = XML_ErrorString(XML_GetErrorCode(parser));
1619 		if(verb) printf("XML_Parse failure %s\n", e?e:"");
1620 		exit(0);
1621 	}
1622 
1623 	/* parsed */
1624 	if(verb) printf("XML was parsed successfully, %d keys\n",
1625 			data.num_keys);
1626 	free(data.tag);
1627 	XML_ParserFree(parser);
1628 
1629 	if(verb >= 4) {
1630 		(void)BIO_seek(data.ds, 0);
1631 		len = BIO_get_mem_data(data.ds, &pp);
1632 		printf("got DS bio %d: '", len);
1633 		if(!fwrite(pp, (size_t)len, 1, stdout))
1634 			/* compilers do not allow us to ignore fwrite .. */
1635 			fprintf(stderr, "error writing to stdout\n");
1636 		printf("'\n");
1637 	}
1638 	BIO_free(data.czone);
1639 	BIO_free(data.ctag);
1640 	BIO_free(data.calgo);
1641 	BIO_free(data.cdigtype);
1642 	BIO_free(data.cdigest);
1643 
1644 	if(data.num_keys == 0) {
1645 		/* the root zone seems to have gone insecure */
1646 		BIO_free(data.ds);
1647 		return NULL;
1648 	} else {
1649 		return data.ds;
1650 	}
1651 }
1652 
1653 /* get key usage out of its extension, returns 0 if no key_usage extension */
1654 static unsigned long
1655 get_usage_of_ex(X509* cert)
1656 {
1657 	unsigned long val = 0;
1658 	ASN1_BIT_STRING* s;
1659 	if((s=X509_get_ext_d2i(cert, NID_key_usage, NULL, NULL))) {
1660 		if(s->length > 0) {
1661 			val = s->data[0];
1662 			if(s->length > 1)
1663 				val |= s->data[1] << 8;
1664 		}
1665 		ASN1_BIT_STRING_free(s);
1666 	}
1667 	return val;
1668 }
1669 
1670 /** get valid signers from the list of signers in the signature */
1671 static STACK_OF(X509)*
1672 get_valid_signers(PKCS7* p7, const char* p7signer)
1673 {
1674 	int i;
1675 	STACK_OF(X509)* validsigners = sk_X509_new_null();
1676 	STACK_OF(X509)* signers = PKCS7_get0_signers(p7, NULL, 0);
1677 	unsigned long usage = 0;
1678 	if(!validsigners) {
1679 		if(verb) printf("out of memory\n");
1680 		sk_X509_free(signers);
1681 		return NULL;
1682 	}
1683 	if(!signers) {
1684 		if(verb) printf("no signers in pkcs7 signature\n");
1685 		sk_X509_free(validsigners);
1686 		return NULL;
1687 	}
1688 	for(i=0; i<sk_X509_num(signers); i++) {
1689 		X509_NAME* nm = X509_get_subject_name(
1690 			sk_X509_value(signers, i));
1691 		char buf[1024];
1692 		if(!nm) {
1693 			if(verb) printf("signer %d: cert has no subject name\n", i);
1694 			continue;
1695 		}
1696 		if(verb && nm) {
1697 			char* nmline = X509_NAME_oneline(nm, buf,
1698 				(int)sizeof(buf));
1699 			printf("signer %d: Subject: %s\n", i,
1700 				nmline?nmline:"no subject");
1701 			if(verb >= 3 && X509_NAME_get_text_by_NID(nm,
1702 				NID_commonName, buf, (int)sizeof(buf)))
1703 				printf("commonName: %s\n", buf);
1704 			if(verb >= 3 && X509_NAME_get_text_by_NID(nm,
1705 				NID_pkcs9_emailAddress, buf, (int)sizeof(buf)))
1706 				printf("emailAddress: %s\n", buf);
1707 		}
1708 		if(verb) {
1709 			int ku_loc = X509_get_ext_by_NID(
1710 				sk_X509_value(signers, i), NID_key_usage, -1);
1711 			if(verb >= 3 && ku_loc >= 0) {
1712 				X509_EXTENSION *ex = X509_get_ext(
1713 					sk_X509_value(signers, i), ku_loc);
1714 				if(ex) {
1715 					printf("keyUsage: ");
1716 					X509V3_EXT_print_fp(stdout, ex, 0, 0);
1717 					printf("\n");
1718 				}
1719 			}
1720 		}
1721 		if(!p7signer || strcmp(p7signer, "")==0) {
1722 			/* there is no name to check, return all records */
1723 			if(verb) printf("did not check commonName of signer\n");
1724 		} else {
1725 			if(!X509_NAME_get_text_by_NID(nm,
1726 				NID_pkcs9_emailAddress,
1727 				buf, (int)sizeof(buf))) {
1728 				if(verb) printf("removed cert with no name\n");
1729 				continue; /* no name, no use */
1730 			}
1731 			if(strcmp(buf, p7signer) != 0) {
1732 				if(verb) printf("removed cert with wrong name\n");
1733 				continue; /* wrong name, skip it */
1734 			}
1735 		}
1736 
1737 		/* check that the key usage allows digital signatures
1738 		 * (the p7s) */
1739 		usage = get_usage_of_ex(sk_X509_value(signers, i));
1740 		if(!(usage & KU_DIGITAL_SIGNATURE)) {
1741 			if(verb) printf("removed cert with no key usage Digital Signature allowed\n");
1742 			continue;
1743 		}
1744 
1745 		/* we like this cert, add it to our list of valid
1746 		 * signers certificates */
1747 		sk_X509_push(validsigners, sk_X509_value(signers, i));
1748 	}
1749 	sk_X509_free(signers);
1750 	return validsigners;
1751 }
1752 
1753 /** verify a PKCS7 signature, false on failure */
1754 static int
1755 verify_p7sig(BIO* data, BIO* p7s, STACK_OF(X509)* trust, const char* p7signer)
1756 {
1757 	PKCS7* p7;
1758 	X509_STORE *store = X509_STORE_new();
1759 	STACK_OF(X509)* validsigners;
1760 	int secure = 0;
1761 	int i;
1762 #ifdef X509_V_FLAG_CHECK_SS_SIGNATURE
1763 	X509_VERIFY_PARAM* param = X509_VERIFY_PARAM_new();
1764 	if(!param) {
1765 		if(verb) printf("out of memory\n");
1766 		X509_STORE_free(store);
1767 		return 0;
1768 	}
1769 	/* do the selfcheck on the root certificate; it checks that the
1770 	 * input is valid */
1771 	X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CHECK_SS_SIGNATURE);
1772 	if(store) X509_STORE_set1_param(store, param);
1773 #endif
1774 	if(!store) {
1775 		if(verb) printf("out of memory\n");
1776 #ifdef X509_V_FLAG_CHECK_SS_SIGNATURE
1777 		X509_VERIFY_PARAM_free(param);
1778 #endif
1779 		return 0;
1780 	}
1781 #ifdef X509_V_FLAG_CHECK_SS_SIGNATURE
1782 	X509_VERIFY_PARAM_free(param);
1783 #endif
1784 
1785 	(void)BIO_seek(p7s, 0);
1786 	(void)BIO_seek(data, 0);
1787 
1788 	/* convert p7s to p7 (the signature) */
1789 	p7 = d2i_PKCS7_bio(p7s, NULL);
1790 	if(!p7) {
1791 		if(verb) printf("could not parse p7s signature file\n");
1792 		X509_STORE_free(store);
1793 		return 0;
1794 	}
1795 	if(verb >= 2) printf("parsed the PKCS7 signature\n");
1796 
1797 	/* convert trust to trusted certificate store */
1798 	for(i=0; i<sk_X509_num(trust); i++) {
1799 		if(!X509_STORE_add_cert(store, sk_X509_value(trust, i))) {
1800 			if(verb) printf("failed X509_STORE_add_cert\n");
1801 			X509_STORE_free(store);
1802 			PKCS7_free(p7);
1803 			return 0;
1804 		}
1805 	}
1806 	if(verb >= 2) printf("setup the X509_STORE\n");
1807 
1808 	/* check what is in the Subject name of the certificates,
1809 	 * and build a stack that contains only the right certificates */
1810 	validsigners = get_valid_signers(p7, p7signer);
1811 	if(!validsigners) {
1812 			X509_STORE_free(store);
1813 			PKCS7_free(p7);
1814 			return 0;
1815 	}
1816 	if(PKCS7_verify(p7, validsigners, store, data, NULL, PKCS7_NOINTERN) == 1) {
1817 		secure = 1;
1818 		if(verb) printf("the PKCS7 signature verified\n");
1819 	} else {
1820 		if(verb) {
1821 			ERR_print_errors_fp(stdout);
1822 		}
1823 	}
1824 
1825 	sk_X509_free(validsigners);
1826 	X509_STORE_free(store);
1827 	PKCS7_free(p7);
1828 	return secure;
1829 }
1830 
1831 /** write unsigned root anchor file, a 5011 revoked tp */
1832 static void
1833 write_unsigned_root(const char* root_anchor_file)
1834 {
1835 	FILE* out;
1836 	time_t now = time(NULL);
1837 	out = fopen(root_anchor_file, "w");
1838 	if(!out) {
1839 		if(verb) printf("%s: %s\n", root_anchor_file, strerror(errno));
1840 		return;
1841 	}
1842 	if(fprintf(out, "; autotrust trust anchor file\n"
1843 		";;REVOKED\n"
1844 		";;id: . 1\n"
1845 		"; This file was written by unbound-anchor on %s"
1846 		"; It indicates that the root does not use DNSSEC\n"
1847 		"; to restart DNSSEC overwrite this file with a\n"
1848 		"; valid trustanchor or (empty-it and run unbound-anchor)\n"
1849 		, ctime(&now)) < 0) {
1850 		if(verb) printf("failed to write 'unsigned' to %s\n",
1851 			root_anchor_file);
1852 		if(verb && errno != 0) printf("%s\n", strerror(errno));
1853 	}
1854 	fflush(out);
1855 #ifdef HAVE_FSYNC
1856 	fsync(fileno(out));
1857 #else
1858 	FlushFileBuffers((HANDLE)_get_osfhandle(_fileno(out)));
1859 #endif
1860 	fclose(out);
1861 }
1862 
1863 /** write root anchor file */
1864 static void
1865 write_root_anchor(const char* root_anchor_file, BIO* ds)
1866 {
1867 	char* pp = NULL;
1868 	int len;
1869 	FILE* out;
1870 	(void)BIO_seek(ds, 0);
1871 	len = BIO_get_mem_data(ds, &pp);
1872 	if(!len || !pp) {
1873 		if(verb) printf("out of memory\n");
1874 		return;
1875 	}
1876 	out = fopen(root_anchor_file, "w");
1877 	if(!out) {
1878 		if(verb) printf("%s: %s\n", root_anchor_file, strerror(errno));
1879 		return;
1880 	}
1881 	if(fwrite(pp, (size_t)len, 1, out) != 1) {
1882 		if(verb) printf("failed to write all data to %s\n",
1883 			root_anchor_file);
1884 		if(verb && errno != 0) printf("%s\n", strerror(errno));
1885 	}
1886 	fflush(out);
1887 #ifdef HAVE_FSYNC
1888 	fsync(fileno(out));
1889 #else
1890 	FlushFileBuffers((HANDLE)_get_osfhandle(_fileno(out)));
1891 #endif
1892 	fclose(out);
1893 }
1894 
1895 /** Perform the verification and update of the trustanchor file */
1896 static void
1897 verify_and_update_anchor(const char* root_anchor_file, BIO* xml, BIO* p7s,
1898 	STACK_OF(X509)* cert, const char* p7signer)
1899 {
1900 	BIO* ds;
1901 
1902 	/* verify xml file */
1903 	if(!verify_p7sig(xml, p7s, cert, p7signer)) {
1904 		printf("the PKCS7 signature failed\n");
1905 		exit(0);
1906 	}
1907 
1908 	/* parse the xml file into DS records */
1909 	ds = xml_parse(xml, time(NULL));
1910 	if(!ds) {
1911 		/* the root zone is unsigned now */
1912 		write_unsigned_root(root_anchor_file);
1913 	} else {
1914 		/* reinstate 5011 tracking */
1915 		write_root_anchor(root_anchor_file, ds);
1916 	}
1917 	BIO_free(ds);
1918 }
1919 
1920 #ifdef USE_WINSOCK
1921 static void do_wsa_cleanup(void) { WSACleanup(); }
1922 #endif
1923 
1924 /** perform actual certupdate work */
1925 static int
1926 do_certupdate(const char* root_anchor_file, const char* root_cert_file,
1927 	const char* urlname, const char* xmlname, const char* p7sname,
1928 	const char* p7signer, const char* res_conf, const char* root_hints,
1929 	const char* debugconf, const char* srcaddr, int ip4only, int ip6only,
1930 	int port, int use_sni)
1931 
1932 {
1933 	STACK_OF(X509)* cert;
1934 	BIO *xml, *p7s;
1935 	struct ip_list* ip_list = NULL;
1936 	struct ip_list* src = NULL;
1937 
1938 	/* read pem file or provide builtin */
1939 	cert = read_cert_or_builtin(root_cert_file);
1940 
1941 	/* lookup A, AAAA for the urlname (or parse urlname if IP address) */
1942 	ip_list = resolve_name(urlname, port, res_conf, root_hints, debugconf,
1943 	        srcaddr, ip4only, ip6only);
1944 
1945 	if(srcaddr && !(src = parse_ip_addr(srcaddr, 0))) {
1946 		if(verb) printf("cannot parse source address: %s\n", srcaddr);
1947 		exit(0);
1948 	}
1949 
1950 #ifdef USE_WINSOCK
1951 	if(1) { /* libunbound finished, startup WSA for the https connection */
1952 		WSADATA wsa_data;
1953 		int r;
1954 		if((r = WSAStartup(MAKEWORD(2,2), &wsa_data)) != 0) {
1955 			if(verb) printf("WSAStartup failed: %s\n",
1956 				wsa_strerror(r));
1957 			exit(0);
1958 		}
1959 		atexit(&do_wsa_cleanup);
1960 	}
1961 #endif
1962 
1963 	/* fetch the necessary files over HTTPS */
1964 	xml = https(ip_list, xmlname, urlname, src, use_sni);
1965 	p7s = https(ip_list, p7sname, urlname, src, use_sni);
1966 
1967 	/* verify and update the root anchor */
1968 	verify_and_update_anchor(root_anchor_file, xml, p7s, cert, p7signer);
1969 	if(verb) printf("success: the anchor has been updated "
1970 			"using the cert\n");
1971 
1972 	BIO_free(xml);
1973 	BIO_free(p7s);
1974 #ifndef S_SPLINT_S
1975 	sk_X509_pop_free(cert, X509_free);
1976 #endif
1977 	ip_list_free(ip_list);
1978 	return 1;
1979 }
1980 
1981 /**
1982  * Try to read the root RFC5011 autotrust anchor file,
1983  * @param file: filename.
1984  * @return:
1985  * 	0 if does not exist or empty
1986  * 	1 if trust-point-revoked-5011
1987  * 	2 if it is OK.
1988  */
1989 static int
1990 try_read_anchor(const char* file)
1991 {
1992 	int empty = 1;
1993 	char line[10240];
1994 	char* p;
1995 	FILE* in = fopen(file, "r");
1996 	if(!in) {
1997 		/* only if the file does not exist, can we fix it */
1998 		if(errno != ENOENT) {
1999 			if(verb) printf("%s: %s\n", file, strerror(errno));
2000 			if(verb) printf("error: cannot access the file\n");
2001 			exit(0);
2002 		}
2003 		if(verb) printf("%s does not exist\n", file);
2004 		return 0;
2005 	}
2006 	while(fgets(line, (int)sizeof(line), in)) {
2007 		line[sizeof(line)-1] = 0;
2008 		if(strncmp(line, ";;REVOKED", 9) == 0) {
2009 			fclose(in);
2010 			if(verb) printf("%s : the trust point is revoked\n"
2011 				"and the zone is considered unsigned.\n"
2012 				"if you wish to re-enable, delete the file\n",
2013 				file);
2014 			return 1;
2015 		}
2016 		p=line;
2017 		while(*p == ' ' || *p == '\t')
2018 			p++;
2019 		if(p[0]==0 || p[0]=='\n' || p[0]==';') continue;
2020 		/* this line is a line of content */
2021 		empty = 0;
2022 	}
2023 	fclose(in);
2024 	if(empty) {
2025 		if(verb) printf("%s is empty\n", file);
2026 		return 0;
2027 	}
2028 	if(verb) printf("%s has content\n", file);
2029 	return 2;
2030 }
2031 
2032 /** Write the builtin root anchor to a file */
2033 static void
2034 write_builtin_anchor(const char* file)
2035 {
2036 	const char* builtin_root_anchor = get_builtin_ds();
2037 	FILE* out = fopen(file, "w");
2038 	if(!out) {
2039 		printf("could not write builtin anchor, to file %s: %s\n",
2040 			file, strerror(errno));
2041 		return;
2042 	}
2043 	if(!fwrite(builtin_root_anchor, strlen(builtin_root_anchor), 1, out)) {
2044 		printf("could not complete write builtin anchor, to file %s: %s\n",
2045 			file, strerror(errno));
2046 	}
2047 	fclose(out);
2048 }
2049 
2050 /**
2051  * Check the root anchor file.
2052  * If does not exist, provide builtin and write file.
2053  * If empty, provide builtin and write file.
2054  * If trust-point-revoked-5011 file: make the program exit.
2055  * @param root_anchor_file: filename of the root anchor.
2056  * @param used_builtin: set to 1 if the builtin is written.
2057  * @return 0 if trustpoint is insecure, 1 on success.  Exit on failure.
2058  */
2059 static int
2060 provide_builtin(const char* root_anchor_file, int* used_builtin)
2061 {
2062 	/* try to read it */
2063 	switch(try_read_anchor(root_anchor_file))
2064 	{
2065 		case 0: /* no exist or empty */
2066 			write_builtin_anchor(root_anchor_file);
2067 			*used_builtin = 1;
2068 			break;
2069 		case 1: /* revoked tp */
2070 			return 0;
2071 		case 2: /* it is fine */
2072 		default:
2073 			break;
2074 	}
2075 	return 1;
2076 }
2077 
2078 /**
2079  * add an autotrust anchor for the root to the context
2080  */
2081 static void
2082 add_5011_probe_root(struct ub_ctx* ctx, const char* root_anchor_file)
2083 {
2084 	int r;
2085 	r = ub_ctx_set_option(ctx, "auto-trust-anchor-file:", root_anchor_file);
2086 	if(r) {
2087 		if(verb) printf("add 5011 probe to ctx: %s\n", ub_strerror(r));
2088 		ub_ctx_delete(ctx);
2089 		exit(0);
2090 	}
2091 }
2092 
2093 /**
2094  * Prime the root key and return the result.  Exit on error.
2095  * @param ctx: the unbound context to perform the priming with.
2096  * @return: the result of the prime, on error it exit()s.
2097  */
2098 static struct ub_result*
2099 prime_root_key(struct ub_ctx* ctx)
2100 {
2101 	struct ub_result* res = NULL;
2102 	int r;
2103 	r = ub_resolve(ctx, ".", LDNS_RR_TYPE_DNSKEY, LDNS_RR_CLASS_IN, &res);
2104 	if(r) {
2105 		if(verb) printf("resolve DNSKEY: %s\n", ub_strerror(r));
2106 		ub_ctx_delete(ctx);
2107 		exit(0);
2108 	}
2109 	if(!res) {
2110 		if(verb) printf("out of memory\n");
2111 		ub_ctx_delete(ctx);
2112 		exit(0);
2113 	}
2114 	return res;
2115 }
2116 
2117 /** see if ADDPEND keys exist in autotrust file (if possible) */
2118 static int
2119 read_if_pending_keys(const char* file)
2120 {
2121 	FILE* in = fopen(file, "r");
2122 	char line[8192];
2123 	if(!in) {
2124 		if(verb>=2) printf("%s: %s\n", file, strerror(errno));
2125 		return 0;
2126 	}
2127 	while(fgets(line, (int)sizeof(line), in)) {
2128 		if(line[0]==';') continue;
2129 		if(strstr(line, "[ ADDPEND ]")) {
2130 			fclose(in);
2131 			if(verb) printf("RFC5011-state has ADDPEND keys\n");
2132 			return 1;
2133 		}
2134 	}
2135 	fclose(in);
2136 	return 0;
2137 }
2138 
2139 /** read last successful probe time from autotrust file (if possible) */
2140 static int32_t
2141 read_last_success_time(const char* file)
2142 {
2143 	FILE* in = fopen(file, "r");
2144 	char line[1024];
2145 	if(!in) {
2146 		if(verb) printf("%s: %s\n", file, strerror(errno));
2147 		return 0;
2148 	}
2149 	while(fgets(line, (int)sizeof(line), in)) {
2150 		if(strncmp(line, ";;last_success: ", 16) == 0) {
2151 			char* e;
2152 			time_t x = (unsigned int)strtol(line+16, &e, 10);
2153 			fclose(in);
2154 			if(line+16 == e) {
2155 				if(verb) printf("failed to parse "
2156 					"last_success probe time\n");
2157 				return 0;
2158 			}
2159 			if(verb) printf("last successful probe: %s", ctime(&x));
2160 			return (int32_t)x;
2161 		}
2162 	}
2163 	fclose(in);
2164 	if(verb) printf("no last_success probe time in anchor file\n");
2165 	return 0;
2166 }
2167 
2168 /**
2169  * Read autotrust 5011 probe file and see if the date
2170  * compared to the current date allows a certupdate.
2171  * If the last successful probe was recent then 5011 cannot be behind,
2172  * and the failure cannot be solved with a certupdate.
2173  * The debugconf is to validation-override the date for testing.
2174  * @param root_anchor_file: filename of root key
2175  * @return true if certupdate is ok.
2176  */
2177 static int
2178 probe_date_allows_certupdate(const char* root_anchor_file)
2179 {
2180 	int has_pending_keys = read_if_pending_keys(root_anchor_file);
2181 	int32_t last_success = read_last_success_time(root_anchor_file);
2182 	int32_t now = (int32_t)time(NULL);
2183 	int32_t leeway = 30 * 24 * 3600; /* 30 days leeway */
2184 	/* if the date is before 2010-07-15:00.00.00 then the root has not
2185 	 * been signed yet, and thus we refuse to take action. */
2186 	if(time(NULL) < xml_convertdate("2010-07-15T00:00:00")) {
2187 		if(verb) printf("the date is before the root was first signed,"
2188 			" please correct the clock\n");
2189 		return 0;
2190 	}
2191 	if(last_success == 0)
2192 		return 1; /* no probe time */
2193 	if(has_pending_keys)
2194 		return 1; /* key in ADDPEND state, a previous probe has
2195 		inserted that, and it was present in all recent probes,
2196 		but it has not become active.  The 30 day timer may not have
2197 		expired, but we know(for sure) there is a rollover going on.
2198 		If we only managed to pickup the new key on its last day
2199 		of announcement (for example) this can happen. */
2200 	if(now - last_success < 0) {
2201 		if(verb) printf("the last successful probe is in the future,"
2202 			" clock was modified\n");
2203 		return 0;
2204 	}
2205 	if(now - last_success >= leeway) {
2206 		if(verb) printf("the last successful probe was more than 30 "
2207 			"days ago\n");
2208 		return 1;
2209 	}
2210 	if(verb) printf("the last successful probe is recent\n");
2211 	return 0;
2212 }
2213 
2214 static struct ub_result *
2215 fetch_root_key(const char* root_anchor_file, const char* res_conf,
2216 	const char* root_hints, const char* debugconf, const char* srcaddr,
2217 	int ip4only, int ip6only)
2218 {
2219 	struct ub_ctx* ctx;
2220 	struct ub_result* dnskey;
2221 
2222 	ctx = create_unbound_context(res_conf, root_hints, debugconf,
2223 		srcaddr, ip4only, ip6only);
2224 	add_5011_probe_root(ctx, root_anchor_file);
2225 	dnskey = prime_root_key(ctx);
2226 	ub_ctx_delete(ctx);
2227 	return dnskey;
2228 }
2229 
2230 /** perform the unbound-anchor work */
2231 static int
2232 do_root_update_work(const char* root_anchor_file, const char* root_cert_file,
2233 	const char* urlname, const char* xmlname, const char* p7sname,
2234 	const char* p7signer, const char* res_conf, const char* root_hints,
2235 	const char* debugconf, const char* srcaddr, int ip4only, int ip6only,
2236 	int force, int res_conf_fallback, int port, int use_sni)
2237 {
2238 	struct ub_result* dnskey;
2239 	int used_builtin = 0;
2240 	int rcode;
2241 
2242 	/* see if builtin rootanchor needs to be provided, or if
2243 	 * rootanchor is 'revoked-trust-point' */
2244 	if(!provide_builtin(root_anchor_file, &used_builtin))
2245 		return 0;
2246 
2247 	/* make unbound context with 5011-probe for root anchor,
2248 	 * and probe . DNSKEY */
2249 	dnskey = fetch_root_key(root_anchor_file, res_conf,
2250 		root_hints, debugconf, srcaddr, ip4only, ip6only);
2251 	rcode = dnskey->rcode;
2252 
2253 	if (res_conf_fallback && res_conf && !dnskey->secure) {
2254 		if (verb) printf("%s failed, retrying direct\n", res_conf);
2255 		ub_resolve_free(dnskey);
2256 		/* try direct query without res_conf */
2257 		dnskey = fetch_root_key(root_anchor_file, NULL,
2258 			root_hints, debugconf, srcaddr, ip4only, ip6only);
2259 		if (rcode != 0 && dnskey->rcode == 0) {
2260 			res_conf = NULL;
2261 			rcode = 0;
2262 		}
2263 	}
2264 
2265 	/* if secure: exit */
2266 	if(dnskey->secure && !force) {
2267 		if(verb) printf("success: the anchor is ok\n");
2268 		ub_resolve_free(dnskey);
2269 		return used_builtin;
2270 	}
2271 	if(force && verb) printf("debug cert update forced\n");
2272 	ub_resolve_free(dnskey);
2273 
2274 	/* if not (and NOERROR): check date and do certupdate */
2275 	if((rcode == 0 &&
2276 		probe_date_allows_certupdate(root_anchor_file)) || force) {
2277 		if(do_certupdate(root_anchor_file, root_cert_file, urlname,
2278 			xmlname, p7sname, p7signer, res_conf, root_hints,
2279 			debugconf, srcaddr, ip4only, ip6only, port, use_sni))
2280 			return 1;
2281 		return used_builtin;
2282 	}
2283 	if(verb) printf("fail: the anchor is NOT ok and could not be fixed\n");
2284 	return used_builtin;
2285 }
2286 
2287 /** getopt global, in case header files fail to declare it. */
2288 extern int optind;
2289 /** getopt global, in case header files fail to declare it. */
2290 extern char* optarg;
2291 
2292 /** Main routine for unbound-anchor */
2293 int main(int argc, char* argv[])
2294 {
2295 	int c;
2296 	const char* root_anchor_file = ROOT_ANCHOR_FILE;
2297 	const char* root_cert_file = ROOT_CERT_FILE;
2298 	const char* urlname = URLNAME;
2299 	const char* xmlname = XMLNAME;
2300 	const char* p7sname = P7SNAME;
2301 	const char* p7signer = P7SIGNER;
2302 	const char* res_conf = NULL;
2303 	const char* root_hints = NULL;
2304 	const char* debugconf = NULL;
2305 	const char* srcaddr = NULL;
2306 	int dolist=0, ip4only=0, ip6only=0, force=0, port = HTTPS_PORT;
2307 	int res_conf_fallback = 0;
2308 	int use_sni = 1;
2309 	/* parse the options */
2310 	while( (c=getopt(argc, argv, "46C:FRSP:a:b:c:f:hln:r:s:u:vx:")) != -1) {
2311 		switch(c) {
2312 		case 'l':
2313 			dolist = 1;
2314 			break;
2315 		case '4':
2316 			ip4only = 1;
2317 			break;
2318 		case '6':
2319 			ip6only = 1;
2320 			break;
2321 		case 'a':
2322 			root_anchor_file = optarg;
2323 			break;
2324 		case 'b':
2325 			srcaddr = optarg;
2326 			break;
2327 		case 'c':
2328 			root_cert_file = optarg;
2329 			break;
2330 		case 'u':
2331 			urlname = optarg;
2332 			break;
2333 		case 'S':
2334 			use_sni = 0;
2335 			break;
2336 		case 'x':
2337 			xmlname = optarg;
2338 			break;
2339 		case 's':
2340 			p7sname = optarg;
2341 			break;
2342 		case 'n':
2343 			p7signer = optarg;
2344 			break;
2345 		case 'f':
2346 			res_conf = optarg;
2347 			break;
2348 		case 'r':
2349 			root_hints = optarg;
2350 			break;
2351 		case 'R':
2352 			res_conf_fallback = 1;
2353 			break;
2354 		case 'C':
2355 			debugconf = optarg;
2356 			break;
2357 		case 'F':
2358 			force = 1;
2359 			break;
2360 		case 'P':
2361 			port = atoi(optarg);
2362 			break;
2363 		case 'v':
2364 			verb++;
2365 			break;
2366 		case '?':
2367 		case 'h':
2368 		default:
2369 			usage();
2370 		}
2371 	}
2372 	argc -= optind;
2373 	/* argv += optind; not using further arguments */
2374 	if(argc != 0)
2375 		usage();
2376 
2377 #ifdef HAVE_ERR_LOAD_CRYPTO_STRINGS
2378 	ERR_load_crypto_strings();
2379 #endif
2380 #if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_SSL)
2381 	ERR_load_SSL_strings();
2382 #endif
2383 #if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_CRYPTO)
2384 #  ifndef S_SPLINT_S
2385 	OpenSSL_add_all_algorithms();
2386 #  endif
2387 #else
2388 	OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS
2389 		| OPENSSL_INIT_ADD_ALL_DIGESTS
2390 		| OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
2391 #endif
2392 #if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_SSL)
2393 	(void)SSL_library_init();
2394 #else
2395 	(void)OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL);
2396 #endif
2397 
2398 	if(dolist) do_list_builtin();
2399 
2400 	return do_root_update_work(root_anchor_file, root_cert_file, urlname,
2401 		xmlname, p7sname, p7signer, res_conf, root_hints, debugconf,
2402 		srcaddr, ip4only, ip6only, force, res_conf_fallback, port, use_sni);
2403 }
2404