1 /*
2 * smallapp/unbound-host.c - replacement for host that supports validation.
3 *
4 * Copyright (c) 2007, NLnet Labs. All rights reserved.
5 *
6 * This software is open source.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * Redistributions of source code must retain the above copyright notice,
13 * this list of conditions and the following disclaimer.
14 *
15 * Redistributions in binary form must reproduce the above copyright notice,
16 * this list of conditions and the following disclaimer in the documentation
17 * and/or other materials provided with the distribution.
18 *
19 * Neither the name of the NLNET LABS nor the names of its contributors may
20 * be used to endorse or promote products derived from this software without
21 * specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34 */
35
36 /**
37 * \file
38 *
39 * This file performs functionality like 'host', and also supports validation.
40 * It uses the libunbound library.
41 */
42
43 #include "config.h"
44 #ifdef HAVE_GETOPT_H
45 #include <getopt.h>
46 #endif
47 /* remove alloc checks, not in this part of the code */
48 #ifdef UNBOUND_ALLOC_STATS
49 #undef malloc
50 #undef calloc
51 #undef free
52 #undef realloc
53 #undef reallocarray
54 #undef strdup
55 #endif
56 #ifdef UNBOUND_ALLOC_LITE
57 #undef malloc
58 #undef calloc
59 #undef free
60 #undef realloc
61 #undef strdup
62 #define unbound_lite_wrapstr(s) s
63 #endif
64 #include "libunbound/unbound.h"
65 #include "sldns/rrdef.h"
66 #include "sldns/wire2str.h"
67 #ifdef HAVE_NSS
68 /* nss3 */
69 #include "nss.h"
70 #endif
71 #ifdef HAVE_SSL
72 #ifdef HAVE_OPENSSL_SSL_H
73 #include <openssl/ssl.h>
74 #endif
75 #ifdef HAVE_OPENSSL_ERR_H
76 #include <openssl/err.h>
77 #endif
78 #endif /* HAVE_SSL */
79
80 /** verbosity for unbound-host app */
81 static int verb = 0;
82
83 /** Give unbound-host usage, and exit (1). */
84 static void
usage(void)85 usage(void)
86 {
87 printf("Usage: unbound-host [-C configfile] [-vdhr46] [-c class] [-t type]\n");
88 printf(" [-y key] [-f keyfile] [-F namedkeyfile] hostname\n");
89 printf(" Queries the DNS for information.\n");
90 printf(" The hostname is looked up for IP4, IP6 and mail.\n");
91 printf(" If an ip-address is given a reverse lookup is done.\n");
92 printf(" Use the -v option to see DNSSEC security information.\n");
93 printf(" -t type what type to look for.\n");
94 printf(" -c class what class to look for, if not class IN.\n");
95 printf(" -y 'keystring' specify trust anchor, DS or DNSKEY, like\n");
96 printf(" -y 'example.com DS 31560 5 1 1CFED8478...'\n");
97 printf(" -D DNSSEC enable with default root anchor\n");
98 printf(" from %s\n", ROOT_ANCHOR_FILE);
99 printf(" -f keyfile read trust anchors from file, with lines as -y.\n");
100 printf(" -F keyfile read named.conf-style trust anchors.\n");
101 printf(" -C config use the specified unbound.conf (none read by default)\n");
102 printf(" pass as first argument if you want to override some\n");
103 printf(" options with further arguments\n");
104 printf(" -r read forwarder information from /etc/resolv.conf\n");
105 printf(" breaks validation if the forwarder does not do DNSSEC.\n");
106 printf(" -v be more verbose, shows nodata and security.\n");
107 printf(" -d debug, traces the action, -d -d shows more.\n");
108 printf(" -4 use ipv4 network, avoid ipv6.\n");
109 printf(" -6 use ipv6 network, avoid ipv4.\n");
110 printf(" -h show this usage help.\n");
111 printf("Version %s\n", PACKAGE_VERSION);
112 printf("BSD licensed, see LICENSE in source package for details.\n");
113 printf("Report bugs to %s\n", PACKAGE_BUGREPORT);
114 exit(1);
115 }
116
117 /** determine if str is ip4 and put into reverse lookup format */
118 static int
isip4(const char * nm,char ** res)119 isip4(const char* nm, char** res)
120 {
121 struct in_addr addr;
122 /* ddd.ddd.ddd.ddd.in-addr.arpa. is less than 32 */
123 char buf[32];
124 if(inet_pton(AF_INET, nm, &addr) <= 0) {
125 return 0;
126 }
127 snprintf(buf, sizeof(buf), "%u.%u.%u.%u.in-addr.arpa",
128 (unsigned)((uint8_t*)&addr)[3], (unsigned)((uint8_t*)&addr)[2],
129 (unsigned)((uint8_t*)&addr)[1], (unsigned)((uint8_t*)&addr)[0]);
130 *res = strdup(buf);
131 return 1;
132 }
133
134 /** determine if str is ip6 and put into reverse lookup format */
135 static int
isip6(const char * nm,char ** res)136 isip6(const char* nm, char** res)
137 {
138 struct in6_addr addr;
139 /* [nibble.]{32}.ip6.arpa. is less than 128 */
140 const char* hex = "0123456789abcdef";
141 char buf[128];
142 char *p;
143 int i;
144 if(inet_pton(AF_INET6, nm, &addr) <= 0) {
145 return 0;
146 }
147 p = buf;
148 for(i=15; i>=0; i--) {
149 uint8_t b = ((uint8_t*)&addr)[i];
150 *p++ = hex[ (b&0x0f) ];
151 *p++ = '.';
152 *p++ = hex[ (b&0xf0) >> 4 ];
153 *p++ = '.';
154 }
155 snprintf(buf+16*4, sizeof(buf)-16*4, "ip6.arpa");
156 *res = strdup(buf);
157 if(!*res) {
158 fprintf(stderr, "error: out of memory\n");
159 exit(1);
160 }
161 return 1;
162 }
163
164 /** massage input name */
165 static char*
massage_qname(const char * nm,int * reverse)166 massage_qname(const char* nm, int* reverse)
167 {
168 /* recognise IP4 and IP6, create reverse addresses if needed */
169 char* res;
170 if(isip4(nm, &res)) {
171 *reverse = 1;
172 } else if(isip6(nm, &res)) {
173 *reverse = 1;
174 } else {
175 res = strdup(nm);
176 }
177 if(!res) {
178 fprintf(stderr, "error: out of memory\n");
179 exit(1);
180 }
181 return res;
182 }
183
184 /** massage input type */
185 static int
massage_type(const char * t,int reverse,int * multi)186 massage_type(const char* t, int reverse, int* multi)
187 {
188 if(t) {
189 int r = sldns_get_rr_type_by_name(t);
190 if(r == 0 && strcasecmp(t, "TYPE0") != 0 &&
191 strcmp(t, "") != 0) {
192 fprintf(stderr, "error unknown type %s\n", t);
193 exit(1);
194 }
195 return r;
196 }
197 if(!t && reverse)
198 return LDNS_RR_TYPE_PTR;
199 *multi = 1;
200 return LDNS_RR_TYPE_A;
201 }
202
203 /** massage input class */
204 static int
massage_class(const char * c)205 massage_class(const char* c)
206 {
207 if(c) {
208 int r = sldns_get_rr_class_by_name(c);
209 if(r == 0 && strcasecmp(c, "CLASS0") != 0 &&
210 strcmp(c, "") != 0) {
211 fprintf(stderr, "error unknown class %s\n", c);
212 exit(1);
213 }
214 return r;
215 }
216 return LDNS_RR_CLASS_IN;
217 }
218
219 /** nice security status string */
220 static const char*
secure_str(struct ub_result * result)221 secure_str(struct ub_result* result)
222 {
223 if(result->rcode != 0 && result->rcode != 3) return "(error)";
224 if(result->secure) return "(secure)";
225 if(result->bogus) return "(BOGUS (security failure))";
226 return "(insecure)";
227 }
228
229 /** nice string for type */
230 static void
pretty_type(char * s,size_t len,int t)231 pretty_type(char* s, size_t len, int t)
232 {
233 char d[16];
234 sldns_wire2str_type_buf((uint16_t)t, d, sizeof(d));
235 snprintf(s, len, "%s", d);
236 }
237
238 /** nice string for class */
239 static void
pretty_class(char * s,size_t len,int c)240 pretty_class(char* s, size_t len, int c)
241 {
242 char d[16];
243 sldns_wire2str_class_buf((uint16_t)c, d, sizeof(d));
244 snprintf(s, len, "%s", d);
245 }
246
247 /** nice string for rcode */
248 static void
pretty_rcode(char * s,size_t len,int r)249 pretty_rcode(char* s, size_t len, int r)
250 {
251 char d[16];
252 sldns_wire2str_rcode_buf(r, d, sizeof(d));
253 snprintf(s, len, "%s", d);
254 }
255
256 /** convert and print rdata */
257 static void
print_rd(int t,char * data,size_t len)258 print_rd(int t, char* data, size_t len)
259 {
260 char s[65535];
261 sldns_wire2str_rdata_buf((uint8_t*)data, len, s, sizeof(s), (uint16_t)t);
262 printf(" %s", s);
263 }
264
265 /** pretty line of RR data for results */
266 static void
pretty_rdata(char * q,char * cstr,char * tstr,int t,const char * sec,char * data,size_t len)267 pretty_rdata(char* q, char* cstr, char* tstr, int t, const char* sec,
268 char* data, size_t len)
269 {
270 printf("%s", q);
271 if(strcmp(cstr, "IN") != 0)
272 printf(" in class %s", cstr);
273 if(t == LDNS_RR_TYPE_A)
274 printf(" has address");
275 else if(t == LDNS_RR_TYPE_AAAA)
276 printf(" has IPv6 address");
277 else if(t == LDNS_RR_TYPE_MX)
278 printf(" mail is handled by");
279 else if(t == LDNS_RR_TYPE_PTR)
280 printf(" domain name pointer");
281 else printf(" has %s record", tstr);
282 print_rd(t, data, len);
283 if(verb > 0)
284 printf(" %s", sec);
285 printf("\n");
286 }
287
288 /** pretty line of output for results */
289 static void
pretty_output(char * q,int t,int c,struct ub_result * result,int docname)290 pretty_output(char* q, int t, int c, struct ub_result* result, int docname)
291 {
292 int i;
293 const char *secstatus = secure_str(result);
294 char tstr[16];
295 char cstr[16];
296 char rcodestr[16];
297 pretty_type(tstr, 16, t);
298 pretty_class(cstr, 16, c);
299 pretty_rcode(rcodestr, 16, result->rcode);
300
301 if(!result->havedata && result->rcode) {
302 printf("Host %s not found: %d(%s).",
303 q, result->rcode, rcodestr);
304 if(verb > 0)
305 printf(" %s", secstatus);
306 printf("\n");
307 if(result->bogus && result->why_bogus)
308 printf("%s\n", result->why_bogus);
309 return;
310 }
311 if(docname && result->canonname &&
312 result->canonname != result->qname) {
313 printf("%s is an alias for %s", result->qname,
314 result->canonname);
315 if(verb > 0)
316 printf(" %s", secstatus);
317 printf("\n");
318 }
319 /* remove trailing . from long canonnames for nicer output */
320 if(result->canonname && strlen(result->canonname) > 1 &&
321 result->canonname[strlen(result->canonname)-1] == '.')
322 result->canonname[strlen(result->canonname)-1] = 0;
323 if(!result->havedata) {
324 if(verb > 0) {
325 printf("%s", result->canonname?result->canonname:q);
326 if(strcmp(cstr, "IN") != 0)
327 printf(" in class %s", cstr);
328 if(t == LDNS_RR_TYPE_A)
329 printf(" has no address");
330 else if(t == LDNS_RR_TYPE_AAAA)
331 printf(" has no IPv6 address");
332 else if(t == LDNS_RR_TYPE_PTR)
333 printf(" has no domain name ptr");
334 else if(t == LDNS_RR_TYPE_MX)
335 printf(" has no mail handler record");
336 else if(t == LDNS_RR_TYPE_ANY) {
337 char* s = sldns_wire2str_pkt(
338 result->answer_packet,
339 (size_t)result->answer_len);
340 if(!s) {
341 fprintf(stderr, "alloc failure\n");
342 exit(1);
343 }
344 printf("%s\n", s);
345 free(s);
346 } else printf(" has no %s record", tstr);
347 printf(" %s\n", secstatus);
348 }
349 /* else: emptiness to indicate no data */
350 if(result->bogus && result->why_bogus)
351 printf("%s\n", result->why_bogus);
352 return;
353 }
354 i=0;
355 while(result->data[i])
356 {
357 pretty_rdata(
358 result->canonname?result->canonname:q,
359 cstr, tstr, t, secstatus, result->data[i],
360 (size_t)result->len[i]);
361 i++;
362 }
363 if(result->bogus && result->why_bogus)
364 printf("%s\n", result->why_bogus);
365 }
366
367 /** perform a lookup and printout return if domain existed */
368 static int
dnslook(struct ub_ctx * ctx,char * q,int t,int c,int docname)369 dnslook(struct ub_ctx* ctx, char* q, int t, int c, int docname)
370 {
371 int ret;
372 struct ub_result* result;
373
374 ret = ub_resolve(ctx, q, t, c, &result);
375 if(ret != 0) {
376 fprintf(stderr, "resolve error: %s\n", ub_strerror(ret));
377 exit(1);
378 }
379 pretty_output(q, t, c, result, docname);
380 ret = result->nxdomain;
381 ub_resolve_free(result);
382 return ret;
383 }
384
385 /** perform host lookup */
386 static void
lookup(struct ub_ctx * ctx,const char * nm,const char * qt,const char * qc)387 lookup(struct ub_ctx* ctx, const char* nm, const char* qt, const char* qc)
388 {
389 /* massage input into a query name, type and class */
390 int multi = 0; /* no type, so do A, AAAA, MX */
391 int reverse = 0; /* we are doing a reverse lookup */
392 char* realq = massage_qname(nm, &reverse);
393 int t = massage_type(qt, reverse, &multi);
394 int c = massage_class(qc);
395
396 /* perform the query */
397 if(multi) {
398 if(!dnslook(ctx, realq, LDNS_RR_TYPE_A, c, 1)) {
399 /* domain exists, lookup more */
400 (void)dnslook(ctx, realq, LDNS_RR_TYPE_AAAA, c, 0);
401 (void)dnslook(ctx, realq, LDNS_RR_TYPE_MX, c, 0);
402 }
403 } else {
404 (void)dnslook(ctx, realq, t, c, 1);
405 }
406 ub_ctx_delete(ctx);
407 free(realq);
408 }
409
410 /** print error if any */
411 static void
check_ub_res(int r)412 check_ub_res(int r)
413 {
414 if(r != 0) {
415 fprintf(stderr, "error: %s\n", ub_strerror(r));
416 exit(1);
417 }
418 }
419
420 /** getopt global, in case header files fail to declare it. */
421 extern int optind;
422 /** getopt global, in case header files fail to declare it. */
423 extern char* optarg;
424
425 /** Main routine for unbound-host */
main(int argc,char * argv[])426 int main(int argc, char* argv[])
427 {
428 int c;
429 char* qclass = NULL;
430 char* qtype = NULL;
431 char* use_syslog = NULL;
432 struct ub_ctx* ctx = NULL;
433 int debuglevel = 0;
434
435 ctx = ub_ctx_create();
436 if(!ctx) {
437 fprintf(stderr, "error: out of memory\n");
438 exit(1);
439 }
440 /* no need to fetch additional targets, we only do few lookups */
441 check_ub_res(ub_ctx_set_option(ctx, "target-fetch-policy:", "0 0 0 0 0"));
442
443 /* parse the options */
444 while( (c=getopt(argc, argv, "46DF:c:df:hrt:vy:C:")) != -1) {
445 switch(c) {
446 case '4':
447 check_ub_res(ub_ctx_set_option(ctx, "do-ip6:", "no"));
448 break;
449 case '6':
450 check_ub_res(ub_ctx_set_option(ctx, "do-ip4:", "no"));
451 break;
452 case 'c':
453 qclass = optarg;
454 break;
455 case 'C':
456 check_ub_res(ub_ctx_config(ctx, optarg));
457 break;
458 case 'D':
459 check_ub_res(ub_ctx_add_ta_file(ctx, ROOT_ANCHOR_FILE));
460 break;
461 case 'd':
462 debuglevel++;
463 if(debuglevel < 2)
464 debuglevel = 2; /* at least VERB_DETAIL */
465 break;
466 case 'r':
467 check_ub_res(ub_ctx_resolvconf(ctx, "/etc/resolv.conf"));
468 break;
469 case 't':
470 qtype = optarg;
471 break;
472 case 'v':
473 verb++;
474 break;
475 case 'y':
476 check_ub_res(ub_ctx_add_ta(ctx, optarg));
477 break;
478 case 'f':
479 check_ub_res(ub_ctx_add_ta_file(ctx, optarg));
480 break;
481 case 'F':
482 check_ub_res(ub_ctx_trustedkeys(ctx, optarg));
483 break;
484 case '?':
485 case 'h':
486 default:
487 ub_ctx_delete(ctx);
488 usage();
489 }
490 }
491 if(debuglevel != 0) /* set after possible -C options */
492 check_ub_res(ub_ctx_debuglevel(ctx, debuglevel));
493 if(ub_ctx_get_option(ctx, "use-syslog", &use_syslog) == 0) {
494 if(strcmp(use_syslog, "yes") == 0) /* disable use-syslog */
495 check_ub_res(ub_ctx_set_option(ctx,
496 "use-syslog:", "no"));
497 #ifdef UNBOUND_ALLOC_STATS
498 unbound_stat_free_log(use_syslog, __FILE__, __LINE__, __func__);
499 #else
500 free(use_syslog);
501 #endif
502 }
503 argc -= optind;
504 argv += optind;
505 if(argc != 1) {
506 ub_ctx_delete(ctx);
507 usage();
508 }
509
510 #ifdef HAVE_SSL
511 #ifdef HAVE_ERR_LOAD_CRYPTO_STRINGS
512 ERR_load_crypto_strings();
513 #endif
514 #if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_SSL)
515 ERR_load_SSL_strings();
516 #endif
517 #if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_CRYPTO)
518 # ifndef S_SPLINT_S
519 OpenSSL_add_all_algorithms();
520 # endif
521 #else
522 OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS
523 | OPENSSL_INIT_ADD_ALL_DIGESTS
524 | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
525 #endif
526 #if OPENSSL_VERSION_NUMBER < 0x10100000 || !defined(HAVE_OPENSSL_INIT_SSL)
527 (void)SSL_library_init();
528 #else
529 (void)OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL);
530 #endif
531 #endif /* HAVE_SSL */
532 #ifdef HAVE_NSS
533 if(NSS_NoDB_Init(".") != SECSuccess) {
534 fprintf(stderr, "could not init NSS\n");
535 return 1;
536 }
537 #endif
538 lookup(ctx, argv[0], qtype, qclass);
539 return 0;
540 }
541